Recently, a customer inquired about whether macOS can block AirPrint via a configuration profile. Unfortunately for the customer, the allowAirPrint restriction is iOS only (https://jamf.it/jpRgP). Because it can't be blocked, I decided to look into how to Jamf Protect could be used to report on print usage in macOS.    Jamf Protect Jamf Protect offers the following for generating alerts on a macOS endpoint: Threat Prevention Analytics Unified Logs Telemetry Device Controls Threat Prevention and Device Controls are out of scope for this use case, so let’s take a look at Telemetry, Unified Logs, and Analytics.    Jamf Protect Telemetry Telemetry is a new feature in Jamf Protect that allows customers to send audit events generated on their macOS devices to their SIEM of choice. Telemetry currently uses the BSM implementation in macOS, so I can use the pre-existing binaries that I would normally use to analyze the logs locally.    Running sudo praudit -sx /d

Customer Education has long pursued the goal of meeting you where you are. We create learning experiences for aspiring technicians and seasoned admins looking to expand their knowledge and better understand the tools available to them. We aim to provide context, use-cases, and additional resources to help you in your journey to support users. We created the Jamf 170 Course to respect the importance of keeping devices secure, remediating threats, and fostering a general understanding of attack vectors that malicious actors may leverage against your environment. I began at Jamf as a trainer delivering the Jamf 200 Course (and for you grizzled veterans, the CCT). The 200 covered everything from turning on your Mac for the first time to writing a custom script and deploying it with a policy. For new Mac users, this resulted in a deluge of information in a short amount of time. For Mac aficionados, much of the elementary subject matter felt irrelevant. Over time, the Customer Education team

A Read-only Friday post by William Smith Only those in IT would ever get it. My dad loved listening to a radio broadcaster named Paul Harvey. Wow could that man tell a story! (I’m referring to the radio broadcaster, but my dad knew how to draw a crowd of listeners too.) Paul Harvey ended his daily broadcasts with a segment called “The Rest of the Story”. He would generally start with a seemingly simple and banal story about something or someone. But as he told the story, the details would take on some life, and the tale would grow bigger until he revealed the one key element he’d been holding back that tied everything together. A really weak glue was of no use at all ‘til an office secretary found a use for it… “And that’s how Post-It Notes were invented!” Or an author was shaving one morning and thought of a story but for years no one would buy it… “Until one day Frank Capra decided to produce it as It’s a Wonderful Life.” Harvey would end every one of these stories with his signature

A Read-only Friday post by William Smith Every word is precious. You shouldn’t waste them. Let’s keep this one short and sweet to let you get on with your homework. A few Apple admins conferences, including the Jamf Nation User Conference (JNUC), have already opened their calls for proposals. Each conference may go by a slightly different name for submissions, but they’re all asking you for the same thing. They want to hear about your story. By now, you should have a good idea if your story fits with the theme of the conference or conferences you’ve chosen. Remember, all you need to do is go watch some of the videos they’ve posted online from past conferences to see if your idea fits. If you’re in the Apple management or security space, you’re going to fit just fine. What you’re going to submit is commonly known as an elevator pitch. Imagine you have this great idea and just so happen run into the decisionmaker on an elevator in a tall building. It’s now or never. As you ascend the bui

In large enterprises and organizations with thousands of computers, it’s often necessary to break up software deployments into more manageable groups. Need to push a configuration profile out to 5,000 devices? You might want to break that into chunks of 1,000, so you don’t hammer your Jamf Pro server. When I was a customer, we had over 17,000 devices in each of our Jamf Pro instances, and we often wanted to deploy software in stages. Right now, there is no built-in method to do this in Jamf Pro. So, I came up with a way to generate semi-randomized Smart Groups by utilizing the UDID of the device. The UDID is a 32-character identifier (Unique Device ID) that all devices have and is what Jamf Pro uses to uniquely identify all devices. You can view a device’s UDID by navigating to the device’s inventory record and selecting Hardware from the sidebar. Each UDID contains HEX characters, which means 0 through 9 and A through F. Using a little bit of REGEX-fu, you can create a Smart Group th

With Apple devices continuing to gain major prevalence within both educational institutions and businesses of all sizes, it’s becoming increasingly important for organizations to manage not only their devices but also the Apple ID that the user signs-in with. This is where Managed Apple IDs come in. While you can restrict the ability to sign-in to an Apple ID using an MDM solution (or our team can do this for members of our own managed service offerings), in doing so you are denying users key functionality and features, such as iWork collaboration and iCloud Backup. This article aims to highlight these benefits and discuss how to leverage your organization’s existing Microsoft 365 accounts as Managed Apple IDs to give your users one fewer log-in to remember. That said, it should be pointed out that it remains best practice to disable signing-in to any Apple ID on devices that aren’t permanently assigned to an individual user and Shared iPad isn’t being used. This is most common in smal

Certificates and the technologies surrounding them can be a difficult topic to understand. In this series, we’re going to break down the underlying concepts around these technologies in a straightforward, easy-to-understand way. In our first part we will cover the basics of certificates and how they work, and in the future we’ll talk about SCEP, AD CS, 802.1x, and more. What is a certificate? A certificate is a unique, digitally signed document which authoritatively identifies the identity of an individual or organization. What makes up a certificate? A signed digital certificate contains the owner’s distinguished name, the owner’s public key, the certificate authority’s (issuer’s) distinguished name, and the signature of the certificate authority over these fields. There are often other fields, such as Country, State/Province, City, Organization, Department, and more which can more accurately identify the certificate or the object which the certificate identifies. These fields aren

Welcome to Part 2 of our discussion of Certificates, SCEP, and 802.1x. In our first post we took a look at what certificates are and how they work. Today we will take a look at Active Directory and Active Directory Certificate Services. What is Active Directory? Active Directory (AD) is a set of roles and features which run on Windows Server. In essence, it is a database and set of services that connect users with the network resources they need to get their work done. Active Directory is often used as a broad term to describe several concepts and services. There is much, much more to AD but this isn’t a Microsoft AD course, so we’ll only cover what we need to know here. What does Active Directory do? At its core, AD helps administrators manage permissions and control access to network resources. AD uses several directory objects to do so: Users Groups Computers Security Policies (Group Policy Objects) Active Directory manages the security policies applied to its many moving parts

Easily allowing your end-users to opt-in or opt-out of your internal beta program is the first step to building your user-base of “trusted testers.” Let's take a closer look at how we implemented this via Self Service, and how we utilized the combination of an Extension Attribute and Inventory Update to populate our testing group, rather than the Jamf Pro API. This type of workflow can be used for implementing your own beta test group, or it can be used in conjunction with other workflows where you want users to self-report. This workflow was originally posted to my personal blog, which you can find by following this link. Additionally, I've documented some related workflows and spoken about our beta test program at JNUC. Feel free to take a look at the links below if you would like to learn more:Dan K. Snelson Blog - Your Internal Beta Test Program: Opt-in / Opt-out via Self Service (sans Jamf Pro API) Dan K. Snelson Blog - Invitation Only Betas JNUC 2019 - Your Internal Bet

What are Extension Attributes? Why were they added to Jamf Pro and why do they matter? These questions, and others, will be answered in this short post. Extension Attributes can be a powerful tool in the tool belt of the Jamf Pro admin, and we will dive into them a little deeper in this post. At the end, you should have a working knowledge of Extension Attributes, a few workflow ideas, and some further resources to continue on in your journey to become an Extension Attribute guru. So buckle up and let’s go on a journey!   What Are Extension Attributes? Introduced in the Casper Suite days, Extension Atributes are a method for extending the data stored in Jamf Pro for an object (computer, mobile device, or user). From our developer documentation: Extension attributes allow Jamf Pro to store additional inventory information about a device beyond what is collected by default. Their values can be set via API call, or through the Jamf Pro console itself. While Jamf Pro is designed to co

Originally this article was posted on Jamf Nation here, prior to the launch of Tech Thoughts. tl;dr - Getting an "MDM-enabled user" and user channel for configuration profiles has become unobtanium.  Pretend that macOS is like iOS or iPadOS, where all configuration profiles and certificates are scoped to the whole machine. "Managed Users" A user who is "MDM-capable," "MDM-enabled," or in the Apple MDM spec a "managed user," can be achieved in a few ways: First user created by Setup Assistant when machine is first set up via Automated Device Enrollment A user with administrator rights initiates a user enrollment via an enrollment URL or renewing the Automated Device Enrollment with a profiles command Mobile accounts (aka bound to a directory service) where during login there is a token registration with the MDM. For reference, see Enabling MDM for Local User Accounts and from apple.com Prepare for changes to kernel extensions in macOS High Sierra For a configuratio

First, let me start off by saying you should never use basic auth for anything, anywhere, at any time.   Next, let me tell you why you need basic auth or “Resource Owner Password Grant” or “Resource Owner Password Claim” (if you speak Microsoft) or “Resource Owner Password” (if you speak Okta) or just plain old “password” (if you read the ancient runes of the .well-known/openid-configuration endpoints).  I promise you it’s a good reason.   What is ROPG The basic password flow used by Resource Owner Password Grant (ROPG) is literally an endpoint receiving a user name and a password and returning something to say the password is good, bad, or other. curl 'https://login.microsoftonline.com/12345678-9abc-def1-0000-000000000000/oauth2/v2.0/token' \\ -X POST \\ -H 'Host: login.microsoftonline.com' \\ -H 'Accept: */*' \\ -H 'Connection: keep-alive' \\ -H 'Accept-Language: en-US,en;q=0.9' \\ -H 'Content-Length: 295' \\ -H 'User-Agent: Jamf%20Connect%20Configuration/2606 CFNetw

Maintaining user accounts in Jamf Pro can be daunting if you work in Education. Depending on the size of your district, you may have over a thousand staff and students enter and exit within a three-month span each school year. If your district is one-to-one, that’s a thousand new user accounts getting created each year. If you aren’t doing user-based app assignments, maintaining users may not even occur to you, but there are benefits to cleaning up user accounts in your Jamf instance. If your Jamf instance is on-premise, you know an integral part of the instance is the database. If your instance is in the cloud, you may not be aware of the significance of the database. With any database, it’s important to keep it healthy. By healthy, I mean stable, efficient, and secure. Bad data in a database can lead to inaccurate reports or, in the case of user base app assignments, wasted app licenses. Bloated databases can result in poor performance or the need to continually tune your Jamf instan

I originally posted this article on the Apple@CVTC blog, and you can find out more about JPS API Wrapper on our GitLab project. As a developer or anyone that writes code, managing APIs can be a time-consuming task. You need to a lot of time figuring out how to send requests, retrieve data, and process responses. In this context, API wrappers come to the rescue. An API wrapper is a package that simplifies the use of APIs by providing a unified interface for sending and receiving data. In this article, we will be discussing jps-api-wrapper, a Python package for the Jamf Classic API and Jamf Pro API. What is JPS (Jamf Pro Server) API Wrapper? JPS API Wrapper is a Python package that simplifies the use of the Jamf Classic API and Jamf Pro API. It provides a unified interface for sending and receiving data, making it easier for developers to interact with the Jamf APIs. With JPS API Wrapper you can easily retrieve data on devices, software, and other assets managed by Jamf, and even pe

Happy 2023 from Jamf's Tech Thoughts team! We launched Tech Thoughts just a few months ago, and so far the response from the community has been incredible. We took a short hiatus over the holidays, but we're glad to be back and ready to kick off the new year with some new and interesting posts that we think you will enjoy. To kick things off, we wanted to take a look at where we've been and where we are going with Tech Thoughts. First of all, thank you to all of the Jamf employees and community members that have submitted posts, given us feedback, and helped to spread the word. We started this project with the idea to create a collaborative space where everyone can share ideas with the community, and we wouldn't be able to create that space without your help. We have some ideas for what types of topics and information that we might want to cover in the future, but we also want to hear from you about what you'd like to read about. Is there a particular theme, topic, or technology that y

Earlier this year a small group of passionate Mac Admins community members announced the formation of a new 501(c)(3) non-profit organization called the Mac Admins Foundation. You may have heard of it thanks to sessions at the PSU Mac Admins conference, the mention by Jamf CIO Linh Lam in the JNUC keynote this year, the MacSysAdmin conference session, in the Mac Admins Slack, or maybe even from seeing our popular VoiceOver shirt.   It’s been a fun journey getting the Mac Admins Foundation built and shared with the community, and we’re actively looking for ways to share what’s happening at the MAF. Conference presentations, social media outreach, and posts like this are just a few of the ways we want to stay connected with y’all. This week Co-Chair Tom Bridge posted our first quarterly update which provides news on the Training Scholarship program we’re working on (with the support of Apple and Pearson), the expansion of the board of directors, and upcoming initiatives for 2023 and

If we want to use Jamf’s built-in Patch Management notifications to let clients know about new patches as they become available in Self Service, they will receive a notification for each patch title as their Macs come into scope for each patch policy. That’s not really a big deal if we only push out one or two patches at a time, but say after Patch Tuesday… yikes! That can easily result in a string of notifications which can get pretty annoying. Additionally, there may be situations where notifications do not behave as we would expect, such as with PI104511, which can result in Self Service notifications not consistently appearing in the Notification Center when they are scheduled to do so, resulting in unpatched apps quitting unexpectedly when they reach their install deadline. This is where we found ourselves and why we built our own patch notification workflow. It leverages jamfHelper and a Smart Computer Group to send our clients one notification each day while patches are availabl

Safe and secure Mac management worldwide The world has changed during COVID times. Nearly all of us work at remote locations for multiple days a week. Our devices travel along and pop up at any location anywhere on earth. And also, because of the general availability of the internet, this behavior is now generally accepted. As Apple admins, we must think about managing Macs and rethink which switches to flip. We have already covered a lot of security policies: our devices are registered in Apple Business Manager, they are managed in a device management server, we implemented security policies based on CIS benchmarks, and we enforce FileVault encryption — just to name a few steps we already have taken to increase the level of management and security. Apple admins need to keep all devices as secure as possible, so next, we decided to rethink those local admin accounts. No account, no risk These are accounts on the Macs with a — hopefully — secure password and administrative acce

Over the years, you, our Jamf Nation members, have given us feedback around how we could improve your community experience. And for that, we’re so grateful! It led to the remodeling of this very community last summer and allowed us to create more meaningful spaces for you to connect and learn from each other. But you want more, and we want to give you more! You (singly and collectively) communicated that you want a space within Jamf Nation where you can share deeper, more detailed technical thoughts. You want to hear more creative and common ways to use Apple and Jamf to achieve success in your environments. You want a technical blog space to share these ideas and workflows. Well, folks, we’re happy to announce we heard you, and we’re making it happen! We’re excited to introduce Tech Thoughts, a technical blog that’s dedicated to serving as a space where Jamfs and Jamf Nation members alike can share their expertise on important, time-sensitive technical topics. You are all a wealth of