It’s that time of year again. You and your team have finished or are about to finish all the big summer projects, but what might you have missed in the shuffle? Here are a few things we re-check at Brewster just before students arrive for the winter term.    Certificates Certificates are something you should have well handled and probably on a team calendar for renewals. After all, there are plenty of them across many services, and missing one could have dramatic consequences, especially at the beginning of the school year. So double-check even if you’re sure you’re all set. Apple Certificates such as Developer and Deployment ID certificates - require yearly renewal. In JAMF Pro, double-check your Push Certificates, PKI Certificates,

A Read-only Friday post by William Smith If the thought of standing up in front of an audience makes your skin crawl, trust me when I say every new presenter gets that feeling. Conference season for Mac Admins starts this year in late March and lasts through October. Locales range from Australia to Great Britain to Sweden to Canada to the United States. And despite the tragic wartime circumstances in Ukraine, the MacAdminsUA free online conference carried on for its second year in 2022. The fact this conference exists shows our Apple Admins community may be small and spread across the globe, but it’s tightly knit. A conference is where community comes together Yuri Vlasyuk, the organizer of MacAdmins

Local Admin Password Solution (LAPS) addresses security vulnerabilities of common admin workflows by supporting a unique and randomized local account password per device, that rotates after viewing, and that is accessible to a subset of authorized users. This security feature ensures an organization can maintain control over end user privacy and sensitive data. LAPS is an automated approach that allows IT administrators to maintain security, comply with regulations, improve efficiency, and maintain accountability by knowing who accessed the password and when.   With Jamf Pro 10.46.0, Jamf introduced LAPS support as an API-first solution for better securing shared IT admin accounts on computers. This implementation was specific to the admin account created during Automated Device Enrollment using a PreStage enrollment.   Jamf Pro 10.49.0, as part of User-Initiated Enrollment settings, Jamf expands LAPS support spec

A Read-only Friday post by William Smith “I’m not a terrible procrastinator. I’m a great procrastinator!” It’s Monday morning. You’ve tumbled out of bed and stumbled to the kitchen and poured yourself a cup of ambition. You sit down to check email and in your inbox is a message: Dear <insert your name here>, Congratulations! We are excited to inform you that the following session (or sessions) identified below have been accepted for presentation at this year’s <insert conference name here>. 😳 It’s been weeks (maybe months) since you submitted your session proposal and, frankly, you’d

Happy birthday, Jamf! On June 10th you turned 21! But it’s not just your birthday this month. It’s also Charlie Root’s 30th birthday today! If it weren’t for Charlie, probably none of us would be here right now. Who’s Charlie Root?   Digital spelunking I consider myself an amateur digital spelunker and enjoy digging around the visible and hidden files of macOS to see what I can find. Apple has hidden some iconic Easter eggs in macOS over the years. Some are well-known. Easter eggs are those delightful undocumented software features that you might stumble upon accidentally or if you’re paying a little extra attention. They’ve come and gone over different versions of macOS, but Ventura still has a few to uncover.

Working in end-user device management, focusing on onboarding, configuration, security, and updates, is easy. After all, getting everyone working is critical! But what happens at the end of a school year or employment contract? What about managing the sudden departure of a staff member or student with a BYO device? Do you have an end-user device offboarding process in place? Do you have licensed software to recover? Configurations to remove and permissions to reset or restore? What about the removal of the framework itself? In this article, I’ll guide you through the basics to complete these tasks and let those devices go with comfort and ease and, most importantly, satisfied end users.   In most circumstances, our users initiate device offboarding via Self Service. The policy becomes available when their computer record is scoped to our voluntary offboarding department. All institutionally licensed software and confi

In this blog we will assume you have Jamf Pro, Jamf Connect, and Jamf Protect or a combination of those and look at it through the lens of Microsoft and Jamf Device Compliance, but the exact same workflows can be achieved with the integration between Jamf and Google BeyondCorp, which was added in

Knowledge sharing is the most rewarding experience any of us can have. As technology professionals, we have all likely had an occasion or two where we shared something we know with someone who could benefit from the information. Many of us create videos and keynotes to train and conduct presentations. As a Learning Experience Designer within Jamf’s Customer Education department, I make a lot of videos and keynotes. I’ve found that great keynotes focus on graphics over text to aid in visual storytelling. Consistent spacing, easy-to-read font, and clean animations also add to a fantastic keynote. When delivering your keynote, make sure to bring energy and passion to excite your participants and energize them to learn. To help you create a great future video or presentation, here are six resources I frequently use to design and deliver amazing content. Keynote

Working with Internal Services and Jamf Safe Internet Earlier in the year, we released our education-focused security tool, Jamf Safe Internet, which focuses on keeping students and teachers safe online. As the adoption of Jamf Safe Internet increases, so do the use cases. A common use case that has become clear in the months since release is the ability to connect to internal services, such as file servers (for storing data), web servers (for platforms like Moodle) as well as a host of others.  Due to the way that Jamf Safe Internet is designed to push all DNS requests to the DoH Gateway in our Security Cloud to evaluate domains against allow/block & security policies (fig1), education institutes aren’t able to access internal services without some advanced configuration.

 A massive thank you to all our Tech Thoughts authors! Every week we get submissions on outstanding technical topics for our community members to read, and it does not go unnoticed that this is a huge effort on the authors' part. So @tom_koehler and I wanted to take a moment to reward our authors for their published posts with a gift card to a popular online store that offers anywhere from a trombone to a last-minute gift for your dog's birthday.   Congratulations, @jflanakin, author of Certificates, SCEP, and 802.1x: What are they? What do they do? Let’s find out! (Part One) and&n

Recently, a customer inquired about whether macOS can block AirPrint via a configuration profile. Unfortunately for the customer, the allowAirPrint restriction is iOS only (https://jamf.it/jpRgP). Because it can't be blocked, I decided to look into how to Jamf Protect could be used to report on print usage in macOS.    Jamf Protect Jamf Protect offers the following for generating alerts on a macOS endpoint: Threat Prevention Analytics

Customer Education has long pursued the goal of meeting you where you are. We create learning experiences for aspiring technicians and seasoned admins looking to expand their knowledge and better understand the tools available to them. We aim to provide context, use-cases, and additional resources to help you in your journey to support users. We created the Jamf 170 Course to respect the importance of keeping devices secure, remediating threats, and fostering a general understanding of attack vectors that malicious actors may leverage against your environment. I began at Jamf as a trainer delivering the Jamf 200 Course (and for you grizzled veterans, the CCT). The 200 covered everything from turning on your Mac for the first time to writing a custom script and deploying it with a policy. For new Mac users, this resulted in a deluge of information in a short amount of time. F

A Read-only Friday post by William Smith Only those in IT would ever get it. My dad loved listening to a radio broadcaster named Paul Harvey. Wow could that man tell a story! (I’m referring to the radio broadcaster, but my dad knew how to draw a crowd of listeners too.) Paul Harvey ended his daily broadcasts with a segment called “The Rest of the Story”. He would generally start with a seemingly simple and banal story about something or someone. But as he told the story, the details would take on some life, and the tale would grow bigger until he revealed the one key element he’d been holding back that tied everything together. A really weak glue was of no use at all ‘til an office secretary found a use for it… “And that’s how Post-It Notes were invented!” Or an author was shaving one morning and thought of a story but for yea

A Read-only Friday post by William Smith Every word is precious. You shouldn’t waste them. Let’s keep this one short and sweet to let you get on with your homework. A few Apple admins conferences, including the Jamf Nation User Conference (JNUC), have already opened their calls for proposals. Each conference may go by a slightly different name for submissions, but they’re all asking you for the same thing. They want to hear about your story. By now, you should have a good idea if your story fits with the theme of the conference or conferences you’ve chosen. Remember, all you need to do is go watch some of the videos they’ve posted online from past conferences to see if your idea fits. If you’re in the Apple management or security space, you’re going to fit just fine. What you’re going to submit is commonly known as an elevator pitc

In large enterprises and organizations with thousands of computers, it’s often necessary to break up software deployments into more manageable groups. Need to push a configuration profile out to 5,000 devices? You might want to break that into chunks of 1,000, so you don’t hammer your Jamf Pro server. When I was a customer, we had over 17,000 devices in each of our Jamf Pro instances, and we often wanted to deploy software in stages. Right now, there is no built-in method to do this in Jamf Pro. So, I came up with a way to generate semi-randomized Smart Groups by utilizing the UDID of the device. The UDID is a 32-character identifier (Unique Device ID) that all devices have and is what Jamf Pro uses to uniquely identify all devices. You can view a device’s UDID by navigating to the device’s inventory record and selecting Hardware from the sidebar. Each UDID contains

With Apple devices continuing to gain major prevalence within both educational institutions and businesses of all sizes, it’s becoming increasingly important for organizations to manage not only their devices but also the Apple ID that the user signs-in with. This is where Managed Apple IDs come in. While you can restrict the ability to sign-in to an Apple ID using an MDM solution (or our team can do this for members of our own managed service offerings), in doing so you are denying users key functionality and features, such as iWork collaboration and iCloud Backup. This article aims to highlight these benefits and discuss how to leverage your organization’s existing Microsoft 365 accounts as Managed Apple IDs to give your users one fewer log-in to remember. That said, it should be pointed out that it remains best practice to disable signing-in to any Apple ID on devices that aren’t permanently assigned to an individual user and Shared iPad isn’t being used. This is mo

Certificates and the technologies surrounding them can be a difficult topic to understand. In this series, we’re going to break down the underlying concepts around these technologies in a straightforward, easy-to-understand way. In our first part we will cover the basics of certificates and how they work, and in the future we’ll talk about SCEP, AD CS, 802.1x, and more. What is a certificate? A certificate is a unique, digitally signed document which authoritatively identifies the identity of an individual or organization. What makes up a certificate? A signed digital certificate contains the owner’s distinguished name, the owner’s public key, the certificate authority’s (issuer’s) distinguished name, and the signature of the certificate authority over these fields. There are often other fields, such as Country, State/Province, City, Organi

Welcome to Part 2 of our discussion of Certificates, SCEP, and 802.1x. In our first post we took a look at what certificates are and how they work. Today we will take a look at Active Directory and Active Directory Certificate Services. What is Active Directory? Active Directory (AD) is a set of roles and features which run on Windows Server. In essence, it is a database and set of services that connect users with the network resources they need to get their work done. Active Directory is often used as a broad term to describe several concepts and services. There is much, much more to AD but this isn’t a Microsoft AD course, so we’ll only cover what we need to know here. What does Active Directory do? At its core, AD helps administrators manage permissions and c

Easily allowing your end-users to opt-in or opt-out of your internal beta program is the first step to building your user-base of “trusted testers.” Let's take a closer look at how we implemented this via Self Service, and how we utilized the combination of an Extension Attribute and Inventory Update to populate our testing group, rather than the Jamf Pro API. This type of workflow can be used for implementing your own beta test group, or it can be used in conjunction with other workflows where you want users to self-report. This workflow was originally posted to my personal blog, which you can find by following this link. Additionally, I've documented some related workflows and spoken about our beta test program at JNUC. Feel free to take a look at the links below if you would like to learn more:

What are Extension Attributes? Why were they added to Jamf Pro and why do they matter? These questions, and others, will be answered in this short post. Extension Attributes can be a powerful tool in the tool belt of the Jamf Pro admin, and we will dive into them a little deeper in this post. At the end, you should have a working knowledge of Extension Attributes, a few workflow ideas, and some further resources to continue on in your journey to become an Extension Attribute guru. So buckle up and let’s go on a journey!   What Are Extension Attributes? Introduced in the Casper Suite days, Extension Atributes are a method for extending the data stored in Jamf Pro for an object (computer, mobile device, or user). From our developer documentation: Extension attributes allow Jamf Pro to store additional inventory information

Originally this article was posted on Jamf Nation here, prior to the launch of Tech Thoughts. tl;dr - Getting an "MDM-enabled user" and user channel for configuration profiles has become unobtanium.  Pretend that macOS is like iOS or iPadOS, where all configuration profiles and certificates are scoped to the whole machine. "Managed Users" A user who is "MDM-capable," "MDM-enabled," or in the Apple MDM spec a "managed user," can be achieved in a few ways: First user created by Setup Assistant when machine is first set up via Automated Device Enrollment A user with administrator rights initiates a user enrollment via an enrollment URL or renewing the Automated Device Enrollment with a profiles command Mobile accounts (aka bound to a directory service) where during lo

First, let me start off by saying you should never use basic auth for anything, anywhere, at any time.   Next, let me tell you why you need basic auth or “Resource Owner Password Grant” or “Resource

Maintaining user accounts in Jamf Pro can be daunting if you work in Education. Depending on the size of your district, you may have over a thousand staff and students enter and exit within a three-month span each school year. If your district is one-to-one, that’s a thousand new user accounts getting created each year. If you aren’t doing user-based app assignments, maintaining users may not even occur to you, but there are benefits to cleaning up user accounts in your Jamf instance. If your Jamf instance is on-premise, you know an integral part of the instance is the database. If your instance is in the cloud, you may not be aware of the significance of the database. With any database, it’s important to keep it healthy. By healthy, I mean stable, efficient, and secure. Bad data in a database can lead to inaccurate reports or, in the case of user base app assignments, wasted app licenses. Bloated databases can result in poor performance or the need to continually tune your J

I originally posted this article on the Apple@CVTC blog, and you can find out more about JPS API Wrapper on our GitLab project. As a developer or anyone that writes code, managing APIs can be a time-consuming task. You need to a lot of time figuring out how to send requests, retrieve data, and process responses. In this context, API wrappers come to the rescue. An API wrapper is a package that simplifies the use of APIs by providing a unified interface for sending and receiving data. In this article, we will be discussing jps-api-wrapper, a Python pac

Happy 2023 from Jamf's Tech Thoughts team! We launched Tech Thoughts just a few months ago, and so far the response from the community has been incredible. We took a short hiatus over the holidays, but we're glad to be back and ready to kick off the new year with some new and interesting posts that we think you will enjoy. To kick things off, we wanted to take a look at where we've been and where we are going with Tech Thoughts. First of all, thank you to all of the Jamf employees and community members that have submitted posts, given us feedback, and helped to spread the word. We started this project with the idea to create a collaborative space where everyone can share ideas with the community, and we wouldn't be able to create that space without your help. We have some ideas for what types of topics and information that we might want to cover in the future, but we also want to hear from you about what you'd like to read about. Is ther