Replacing a macOS NetBoot Server with a Linux Server Running BSDPY

“If it ain’t broke, don’t fix it.”  But not all things have to be broken to know they could be better …

In a spree of watching past Mac Admin presentations from various conferences not too long ago, I learned about BSDPY: a replacement for the one thing that many environments loathe having to run on Mac hardware in production – a NetBoot server.  A Mac NetBoot server allows IT administrators to run a fully-functional Mac operating system on a Mac over the network.  This is frequently used for imaging Macs, as it does not require local storage.  Mac NetBoot servers can also be used to deploy network-based macOS installers (NetInstall) as well as run Apple-provided troubleshooting tools with Apple Service Toolkit (AST).

The problem with the macOS NetBoot Server is that it is entirely dependent on Mac hardware running macOS and the macOS Server application.  As a result, many environments begrudgingly deploy Mac Minis (or Mac Pros) as servers in production in order to utilize this functionality.

Having personally started down the road of Linux administration, I took it upon myself to move everything currently on our Mac mini – our JSS, file distribution point, and NetBoot server – to an enterprise-grade server.  BSDPY proved easy to get going by comparison once I found the right guide (thanks to @bruienne – who is also the creator of BSDPY – over on the #bsdpy MacAdmins Slack channel!).

See below the jump for how to do this.


Update – CasperCheck & enrollmentComplete Jamf Policies

In a previous post I went through my process for editing the postinstall script of a Jamf QuickAdd package for use with Rich Trouton’s CasperCheck tool so that it does not trigger any enrollmentComplete policies you may have.

Recently I completed an upgrade of our production JSS (Jamf Pro) and found that since version 9.82 Jamf has changed this postinstall script slightly.  The process itself hasn’t changed, but the line in the script you comment out to prevent enrollmentComplete policies from running is different.

[Screenshot of the updated QuickAdd postinstall script]

Notice that the enroll -invitation command in line 40 now includes the -noPolicy flag by default.  Only after confirming that this enroll command completes successfully does it run a policy -event enrollmentComplete.

The only other notable change is line 30, where it creates the jamf config file (/Library/Preferences/com.jamfsoftware.jamf.plist).  You’ll notice the new -verifySSLCert flag.  This is what determines whether or not the client will verify the SSL certificate on the JSS.  There are three options here:

  • always (default) – this should be used unless you are using a certificate issued by the built-in Certificate Authority.
  • always_except_during_enrollment – this is the option we use, and is recommended for those using the built-in Certificate Authority in their JSS.
  • never – does not check the certificate on the JSS.

Make sure, then, that you build your QuickAdd package after you configure this on your JSS, to ensure the proper value is applied to your machines should CasperCheck run.

Process for Configuring & Managing Macs for Exams

Working for a school, historically we’ve had students with computer accommodations conduct written portions of exams on Windows laptops.  This is because by default Microsoft’s built-in Notepad application does not offer any spelling or grammar features and therefore requires very little configuration or hands-on time in order to be exam-ready.

Recently, however, I ran into some issues with a student taking a language exam on a PC, as this required the student to enter accented letters (é, ñ, etc.) using the Windows alt codes.  Unfortunately, because the exam was taken on a laptop without a NumPad, we had difficulty using the alt codes at all, which forced us to use the Character Map instead – not great for test-taking.

[Screenshot of the Windows Character Map]

Since accented letters are a bit easier to enter on Mac – and don’t require you to memorize or reference a series of alt codes – I started down the path of how to configure our Macs for taking either written or auditory exams.

Below is the list of things I wanted to accomplish:

  • Set up a separate testing user
    • Since our students have network folders, we don’t want them signing in with their own credentials on the machine and accessing these resources.
  • Disable Internet connectivity
    • Since most exams involving a computer don’t require an Internet connection, we want to disable the network service entirely so there isn’t a risk of Wi-Fi being turned back on.  That being said, I also want to do this in a way that for me and my team is quick and easy to both turn on & off as needed without having to connect to our network.
  • Determine the application for written exams & lock it down
    • While Microsoft Word is the more widely used word processor on the Mac, many of its settings (at least as of this writing) are not manageable.  Microsoft Office 2016 versions 15.33-36 have started to add additional managed preferences (see this Google Doc for a complete list), but as of yet don’t meet our needs here.  TextEdit then is the logical choice, but offers spelling and grammar checking, which we need to disable.
  • Have audio output to multiple sources for auditory exams
    • In the case of language exams, we need to be able to have both the student and the proctor hear the same audio.  Thankfully, the Mac natively allows you to output audio to multiple sources, but it takes a bit of configuration.
  • Prevent access to Spotlight
    • While a really handy tool for finding files, performing calculations, and defining words, we don’t want students to utilize this functionality during exams.  So how do we lock down something embedded in macOS that can’t really be turned off?

Click below for more details.


Packaging & Deploying the TI-SmartView CE 84 Emulator

This is based on a post I made on Jamfnation back in March.

I recently started testing some of our existing software on the latest version of macOS Sierra (10.12.5) and ran into an issue with the TI-SmartView CE emulator software for Mac when trying to activate it with our institution’s license.  It turned out to be the result of a change Texas Instruments had made to the software installer that wasn’t communicated and is somewhat buried in their software installation and activation knowledge base article.

See the details below.


Logging & Retrieving Imaging Configurations with Jamf

While there have been many write-ups and presentations on the impending doom of imaging, it’s not quite dead yet …


If you’re still an imaging shop, you may know that of all the wonderful things that jamf logs during the imaging process, the actual imaging configuration used during imaging is not one of them.

This has been a feature request on Jamfnation since 2012.  Though as of this writing the feature is listed as “Planned”, there’s no reason you couldn’t implement a workflow that accomplishes this right now.

There are two methods:

  1. A script that runs in an imaging configuration workflow
  2. A policy that runs following imaging & enrollment

There are likely other workflows already out there that accomplish this in a similar way, but this is the process I’ve come up with for my environment.  At the very least, I hope this gives you something to work from in developing your own solution.

I also have a couple of optional additions that I include at the end as part of this larger solution, which you can choose to incorporate if you wish.  These include:

  • A modified script that runs during an imaging workflow that includes writing additional User & Location data to a local PLIST for inventory collection.
  • An inventory collection policy that runs a custom command in order to automate the collection of User & Location data (user, department, building, and room) in the JSS.
  • A couple of scripts to calculate the total time (hours:minutes:seconds) it takes to image a machine.

Click below for more details.


CasperCheck & enrollmentComplete Jamf Policies

This post covers how to configure CasperCheck in order to avoid potential issues rerunning policies you may have configured in your JSS / Jamf Pro with the enrollmentComplete policy trigger.

Know that I do not cover all the ins and outs of configuring CasperCheck here.  Go on over to the CasperCheck GitHub repo for that.

I welcome your comments and feedback, so if this guide helped you or you’re having issues, feel free to post a comment.  You can also hit me up on the MacAdmins Slack group.  If you’re not already a member, you can sign up here.

The Problem

CasperCheck requires a QuickAdd package in order to automatically reenroll a Mac that either no longer has the jamf binary or can no longer run policies.

In our environment we utilize the enrollmentComplete policy trigger to run several policies post-enrollment that install our local admin account, run a script, install our Wi-Fi profile, and a few other things we need to configure.

The problem arises with the default QuickAdd package postinstall script, as it runs the below command:

########################################
## Run enroll
########################################
$jamfCLIPath enroll -invitation XXXXXXXXXXXXXXXXXXXXXXXXXX

This reenrolls the Mac with the invitation (which does not expire) and checks for policies with the enrollmentComplete trigger.  If you have policies that use this trigger and computers are still in scope, they will rerun when CasperCheck reenrolls those computers using the standard QuickAdd package, potentially producing issues you would really like to avoid.

The Solution

Edit your QuickAdd package’s postinstall script for use with CasperCheck by adding the -noPolicy flag to the enroll command, which prevents it from triggering your enrollmentComplete policies.
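As an added example (not code from the original post, from CasperCheck, or from Jamf’s own QuickAdd package), here is a small POSIX shell script that applies that edit to a QuickAdd postinstall script and then checks the result.  It covers both script shapes discussed on this blog: the older one, where the enroll line lacks -noPolicy, and the post-9.82 one, where enroll already carries -noPolicy and a separate policy -event enrollmentComplete line has to be disabled instead.  Rather than simply commenting that line out, it swaps in a “:” no-op that keeps the original command as a trailing comment, so a line sitting alone inside an if/then body does not leave the script unparseable.  The jamfCLIPath variable and the hash banner match the snippet above; the invitation code in the sample is a constructed placeholder, and the sample script’s overall layout is an assumption, not Jamf’s actual file.

```shell
#!/bin/sh
# Added example, not from the original post or from Jamf's own QuickAdd package.
# Makes a QuickAdd postinstall script safe for CasperCheck re-enrollment:
#   1. any "enroll -invitation" line without -noPolicy gets -noPolicy appended
#   2. any active "policy -event enrollmentComplete" line is replaced by a
#      ":" no-op that keeps the original command as a trailing comment
# A no-op rather than a bare comment is used so that a line sitting alone
# inside an if/then body does not leave the script with a syntax error.
# Both edits are idempotent, so re-running the script is harmless.

# Rewrite the postinstall script given as $1 via a temp file (POSIX sed only).
harden_postinstall() {
    script="$1"
    tmp="${script}.tmp.$$"
    sed -e '/enroll -invitation/{/-noPolicy/!s/$/ -noPolicy/;}' \
        -e '/policy -event enrollmentComplete/{/^[[:space:]]*#/!s/^\([[:space:]]*\)/\1: # disabled for CasperCheck: /;}' \
        "$script" > "$tmp" && mv "$tmp" "$script"
}

# Returns 0 only when every enroll line carries -noPolicy, no uncommented
# line still runs the enrollmentComplete event, and the script still parses.
check_postinstall() {
    script="$1"
    if grep 'enroll -invitation' "$script" | grep -v -- '-noPolicy' | grep -q .; then
        return 1
    fi
    if sed 's/#.*//' "$script" | grep -q 'policy -event enrollmentComplete'; then
        return 1
    fi
    sh -n "$script"
}

# Constructed sample in the shape of the post-9.82 script: enroll first, then
# enrollmentComplete only on success. The layout is assumed, not Jamf's file;
# the invitation code is a placeholder. Writes the sample to the path in $1.
make_sample() {
    cat > "$1" <<'EOF'
#!/bin/sh
jamfCLIPath="/usr/local/bin/jamf"
########################################
## Run enroll
########################################
$jamfCLIPath enroll -invitation XXXXXXXXXXXXXXXXXXXXXXXXXX
if [ $? -eq 0 ]; then
    $jamfCLIPath policy -event enrollmentComplete
fi
EOF
}

# Usage: ./harden_quickadd.sh /path/to/QuickAdd/postinstall
if [ $# -gt 0 ]; then
    harden_postinstall "$1"
    if check_postinstall "$1"; then
        echo "ok: $1 will not trigger enrollmentComplete on re-enroll"
    else
        echo "check failed: $1" >&2
        exit 1
    fi
fi
```

Run it against the postinstall script you extracted from the QuickAdd package, then rebuild the package; check_postinstall is also worth running on its own after every JSS upgrade, since (as the update above shows) Jamf does change this script between versions.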

See more details below.
