Using JAMF Helper for policies

Jamf Pro has several triggers: events that cause a computer to check in with the Jamf Pro server to run policies. Those include: Startup, Login, Logout, Network State Change, Enrollment Complete, Recurring Check-in, and Custom. You can read the description for each of those triggers by creating a new policy (you don’t have to save it) and reading the descriptions in the General policy payload.

Recently, I had a situation where we wanted to run an update that’s pretty big on logout. This has the benefit of ensuring the software isn’t running. There are pros and cons to this trigger which I won’t get into here. However, one thing that I’ve always found unacceptable is the JAMF Helper HUD dialog in the bottom right corner that shows up.

I’ve submitted a feature request on JAMF Nation to improve this functionality: https://www.jamf.com/jamf-nation/feature-requests/5980/login-and-logout-policies-should-have-a-more-descriptive-message

The Jamf Pro administrator will know what the dialog means, but end users will be clueless. It’s not descriptive and quite confusing. You can try to educate your end-users on what this means, but you shouldn’t have to and naturally many of them may not remember.


JSS Parameters

JSS script parameters are a great feature that allows you to create scripts that can be flexible in the values that are gathered. I’m not sure how often they are used, but suffice it to say they can be very useful when you have scenarios where common commands are used repeatedly and just need variables changed. Parameter labels can also be assigned to JSS parameters as shown in Rich Trouton’s blog post. Parameter labels can also be set by going to Settings > Computer Management > Scripts > clicking on the script and selecting the Options tab. This allows you to go from the generic Parameter 4, Parameter 5, etc. and have something more descriptive like “Free Space Required” or “Custom Trigger”.

However, JSS parameters have a few limitations. Below I’ll go over some of those limitations and the associated feature requests that would address them.


Ensuring SIP is enabled

It has been reported that some of the new MacBook Pros (Late 2016) have been shipping with System Integrity Protection (SIP) disabled. Apple has addressed this with the 10.12.2 update release. You can read about SIP on Rich Trouton’s blog.

There is one obvious question that comes to mind: do you trust that the computers have not been compromised in shipping, especially with SIP disabled? Perhaps SIP doesn’t play as much into this question if your organization works off the assumption that you cannot trust any bits that come on the drive on new computers and they must all be wiped. After all, if someone intercepts a computer during shipping, it would be just as easy for them to disable and re-enable SIP as needed.

One thing to note here is that if you wipe and image new computers, that alone won’t re-enable SIP as that information is stored in memory. If you don’t wipe and image and instead rely on something like DEP or another no-imaging workflow, you still need to report on SIP’s status and somehow take action against computers that have it disabled to re-enable SIP.

Two ways of re-enabling SIP that come to mind: 1) boot into the Recovery Partition and re-enable SIP and 2) reset the NVRAM. The first you cannot really automate much short of asking all techs to reset PRAM on every computer coming in. The second can be done manually or via the command line. Our interest will be in doing this via the command line in order to automate this.
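For the reporting half of the problem described above, here is an added example (not code from the original post) of a Jamf Pro extension attribute script that classifies the output of `csrutil status`. The labels `Enabled`, `Disabled`, `Custom` and `Unknown` and the function names are choices made for this example, and it assumes the status line wording that `csrutil status` prints on macOS.

```shell
#!/bin/sh
# Added example: report SIP state as a Jamf Pro extension attribute.
# Labels and function names are illustrative, not from the original post.

# classify_sip: reads `csrutil status` text on stdin and prints one label.
classify_sip() {
    # Keep only the status line; "|| true" stops a missing line from
    # aborting the script when it runs under "set -e".
    status_line=$(grep -m1 'System Integrity Protection status:' || true)
    case "$status_line" in
        # A partially disabled SIP is reported with "Custom Configuration",
        # whatever word precedes it, so test for that first.
        *"Custom Configuration"*) echo "Custom" ;;
        *"status: enabled"*)      echo "Enabled" ;;
        *"status: disabled"*)     echo "Disabled" ;;
        *)                        echo "Unknown" ;;
    esac
}

# sip_report: wraps the label in the <result> tags Jamf Pro expects
# from an extension attribute script.
sip_report() {
    if command -v csrutil >/dev/null 2>&1; then
        result=$(csrutil status 2>/dev/null | classify_sip)
    else
        # csrutil is absent on systems that predate SIP.
        result="Unknown"
    fi
    echo "<result>${result}</result>"
}

sip_report
```

A smart group scoped to any value other than `Enabled` then gives you the list of computers that need remediation.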


Cables, Adapters, Devices For A Brave New Mac World

The announcement of the new MacBook Pros which only have USB-C ports will begin a frustrating, but needed transition to new devices that are USB-C capable. There’s a lot that USB-C can do, but it won’t be covered here. Here is one article I did find insightful by Stephen Foskett. I won’t try to guess how long this transition will take, but the prospect of having to only use one cable for connecting and powering devices is really exciting even if there is some initial confusion.

The purpose of this post is to get you to think about what you might need to transition, with a spreadsheet linked at the end with links to the cables, adapters, and devices in question. Just note that I have not tested and may not get to test all the devices I’ve linked in the spreadsheet. Prices may vary as well. The goal was to try and get the best value for functionality. I am also not affiliated with any of the vendors and sellers that I’ve linked to. With that all said, let’s get to the questions you should be thinking about.


Launchctl 2.0 Syntax

The other day I found myself looking to learn how to load and unload launch agents and launch daemons in OS X 10.11. I found myself on the MacAdmins Slack asking about the launchctl syntax in OS X 10.11. And searching online just led me to this discussion on GitHub. The documentation for launchctl left a lot to be desired and it wasn’t very clear how to use it, so I was encouraged to join the exciting world of blogging.

Before getting into the syntax, some basic understanding is probably appropriate. Starting with OS X 10.10, Apple re-wrote launchd, added new sub-commands, and deprecated some familiar ones that we’ve come to trust over the years. In short, at some point Apple may break the use of the deprecated commands, forcing you to use the new syntax. A good read-up on launchd 2.0 can be found in Jonathan Levin’s presentation at MacSysAdmin in 2014.

With that out of the way, let’s get into the syntax.