Blog Center
Recently active
You can manage so many more settings than Apple documents. Apple’s list of supported management keys for configuration profiles is slowly growing, though some listed on their own support site no longer apply or work for current versions of macOS. If you want the official Apple documented supported settings for configuration profiles there’s two places, Apple’s developer documentation and an Apple support page https://developer.apple.com/documentation/devicemanagement/profile-specific_payload_keys https://support.apple.com/guide/mdm/complete-payload-list-mdm5370d089/1/web/1.0 The developer documentation is nice because it lets you know what keys have been updated and changed. The complete payload support page is nice because it gives a little more description about each setting. But…But…But…there’s so much more, so many more settings you can manage with a configuration profile! So, what if you want to manage settings not listed in those documents…there’s a
For several years now, Apple has highlighted the important role that partners and Admins play in testing beta versions of their upcoming operating systems and submitting feedback for any issues that can (and do, particularly in the early versions) appear. They also provide some great tools that make it easy for this to be done, but those tools are only half of the story. The other half is an effective testing strategy that, when executed properly, will both provide Apple’s engineers with invaluable data for resolving unforeseen issues prior to public release and also give you ample opportunity to ensure your readiness (and confidence!) to deploy the latest OS version upon public release. This benefits your organisation and users alike by offering the latest software features to enhance workflows and maintaining security standards across your Apple fleet. This post aims to provide an overview of the tools Apple provides to Admins for beta testing at scale, as well as highlighting best p
Comic Sans is just my type.Not really. You’ve got a story! You know what you want to say. How do you say it? Your presentation deck is how you turn your ideas into something visual for your audience. It’s going to complement what you’re there to say. You as the speaker are not there to complement your presentation deck. com·ple·ment | kämpləmənt | verb to complete or bring to perfection In other words, what you say is more important than what you show, but what you show can help you with what you’re saying. Apple Keynote, Google Slides, and Microsoft PowerPoint are the three big presentation tools. If you choose to use Google Slides, make sure you install the Google Docs Offline extension in Google Chrome or Microsoft Edge and then turn on “Available offline”. Always assume you can’t rely on conference Wi-Fi. Stick with one of these. You could create your presentation in something else and then create a PDF, but you’ll really limit yourself later when we discuss animations. And
Hello, Jamf Nation! The Jamf ID update is now complete. Your name, email, phone number, language and email opt-out status have been migrated. Please reset your Jamf ID password and re-enroll in Multi-factor Authentication (MFA), if applicable. Your time zone will be set automatically to the browser time zone when logging in for the first time with your new password. Action Required: Reset Your Password Please reset your password by following these simple steps: Visit Jamf Account: Head over to account.jamf.com. Click on ‘Continue with Jamf ID’: This button will display if you've logged in recently. Enter your Email Address Click ‘Log in using Jamf ID’: This enables you to continue with your Jamf ID credentials, as opposed to utilizing SSO if it has been enabled for your organization. Click on 'Reset Password': You'll find this option on the login page. Click on it to initiate the password reset process. Enter Your Email: Provide the email address as
This post was originally posted to my personal blog, which you can find by following this link. With Jamf Pro 10.49 admins can now use OAuth client credentials flow for authenticating to the product's APIs. The documentation for the new API Roles and Clients can be found here. The implementation is straightforward: Go to Settings > System > API Roles and Clients Create an API Role Select all of the applicable Jamf Pro API role privileges it should grant. Create an API Client. Select one or more API Roles to assign to it. Enable the API Client. Generate the Client Secret. You can now use the client ID and secret to obtain access tokens. This shell example below is taken from Jamf's developer docs. curl --request POST "${url}/api/oauth/token" \\ --header "Content-Type: application/x-www-form-urlencoded" \\ --data-urlencode "grant_type=client_credentials" \\ --data-urlencode "client_id=${client_
Welcome to Part 3 of our discussion of Certificates, SCEP, and 802.1x. In our previous post we took a look at how Active Directory Certificate Services works. In our final part in this series, we will explore SCEP and 802.1x. What is SCEP? SCEP = Simple Certificate Enrollment Protocol What does SCEP do? SCEP is a certificate management protocol that helps IT administrators issue certificates automatically. SCEP is used by a Windows Server Role called NDES or offered as a service by a third-party Certification Authority (CA). What is NDES? NDES = Network Device Enrollment Service NDES is a Windows Server Role Service which works with the Active Directory Certificate Services Role to distribute certificates via SCEP. What does NDES do? NDES allows software on routers and other network devices (e.g., Macs and iPads) running without domain credentials to obtain certificates based on the Simple Certificate Enrollment Protocol (SCEP). How does NDES work? NDES uses the Micr
Introduction Migrating from an on-premises Jamf Pro environment to Jamf Cloud offers numerous benefits, including increased scalability, simplified maintenance, and enhanced security. However, the migration process requires careful planning and coordination to ensure a seamless transition. In this article, we will explore the steps involved in migrating from on-premises Jamf Pro to Jamf Cloud, along with key considerations and tips for a successful migration. Preparation Before initiating the migration process, several prerequisites must be fulfilled. Firstly, it is important to update your on-premises Jamf instance to the latest version. Jamf Cloud instances are automatically upgraded and kept up to date, so making sure your on-premise version is in sync with Jamf Cloud will ensure compatibility. Upgrading to the latest version also ensures that you have access to the latest features and enhancements available in Jamf Pro. For more information, see Jamf's documentation on Prepa
Additional information about Microsoft's Conditional Access filters for apps is available here. What is a “Custom Security Attribute” Simply, the custom security attribute lets you stick a Post-It Note with anything you want written on it onto an Enterprise app, a user, or any other Azure or Azure AD resources. Once you’ve tagged it, you can use that tag for things like applying conditional access policies or exempting apps or users from the policy. How are Custom Security Attributes used with Azure Active Directory Conditional Access policies Custom security attributes allow an administrator to tag an application or web service with a special flag. This flag could be used like a group membership for applications, or it can be used to apply policies to an application which would not normally be subject to conditional access rules like native/mobile App registrations like those used with Jamf Connect. In these examples, we will: Use a custom security attrib
A Little Background In 2017, Jamf released an integration with Microsoft Endpoint Manager’s (formerly Intune) Partner Device Management (PDM) API. This API allows Jamf Pro to send inventory data for managed computers to Microsoft Endpoint Manager, where compliance is then calculated using Microsoft Endpoint Manager’s Compliance Policies. In order for Jamf Pro to send data to Microsoft Endpoint Manager, computers must be registered to Azure AD using Company Portal, and a jamf agent (JamfAAD) must collect and maintain an active user session token. Organizations seeking to use the PDM integration must guide end users through this registration flow. The following document addresses best practices for registration, including configuration of the JamfAAD agent, Azure AD SSO Extension, using policies to guide the user, and tracking registrations via Extension Attributes. Configuring the JamfAAD agent UseWKWebView JamfAAD must prompt the user to sign in with their Azure AD crede
It’s that time of year again. You and your team have finished or are about to finish all the big summer projects, but what might you have missed in the shuffle? Here are a few things we re-check at Brewster just before students arrive for the winter term. Certificates Certificates are something you should have well handled and probably on a team calendar for renewals. After all, there are plenty of them across many services, and missing one could have dramatic consequences, especially at the beginning of the school year. So double-check even if you’re sure you’re all set. Apple Certificates such as Developer and Deployment ID certificates - require yearly renewal. In JAMF Pro, double-check your Push Certificates, PKI Certificates, and your Apple School Manager/DEP integration to make sure everything is syncing properly. Software Updates It’s nearly universal that educational software developers have this tendency to release new major updates in the weeks leadin
A Read-only Friday post by William Smith If the thought of standing up in front of an audience makes your skin crawl, trust me when I say every new presenter gets that feeling. Conference season for Mac Admins starts this year in late March and lasts through October. Locales range from Australia to Great Britain to Sweden to Canada to the United States. And despite the tragic wartime circumstances in Ukraine, the MacAdminsUA free online conference carried on for its second year in 2022. The fact this conference exists shows our Apple Admins community may be small and spread across the globe, but it’s tightly knit. A conference is where community comes together Yuri Vlasyuk, the organizer of MacAdminsUA, brought his story to the January 9 Mac Admins Podcast where he said (paraphrased): “In these conditions, I have a strong belief any community needs to talk more and maybe closer about topics they are working on, because there’s a lot of stress, a lot of depression, and community needs t
Local Admin Password Solution (LAPS) addresses security vulnerabilities of common admin workflows by supporting a unique and randomized local account password per device, that rotates after viewing, and that is accessible to a subset of authorized users. This security feature ensures an organization can maintain control over end user privacy and sensitive data. LAPS is an automated approach that allows IT administrators to maintain security, comply with regulations, improve efficiency, and maintain accountability by knowing who accessed the password and when. With Jamf Pro 10.46.0, Jamf introduced LAPS support as an API-first solution for better securing shared IT admin accounts on computers. This implementation was specific to the admin account created during Automated Device Enrollment using a PreStage enrollment. Jamf Pro 10.49.0, as part of User-Initiated Enrollment settings, Jamf expands LAPS support specifically for the Jamf Management Account specified. This soluti
A Read-only Friday post by William Smith “I’m not a terrible procrastinator. I’m a great procrastinator!” It’s Monday morning. You’ve tumbled out of bed and stumbled to the kitchen and poured yourself a cup of ambition. You sit down to check email and in your inbox is a message: Dear <insert your name here>, Congratulations! We are excited to inform you that the following session (or sessions) identified below have been accepted for presentation at this year’s <insert conference name here>. 😳 It’s been weeks (maybe months) since you submitted your session proposal and, frankly, you’d forgotten all about it. Are you excited? Terrified? You need more caffeine to process what you’re reading. The first thing you should do is fist pump the air. Yes! The second is go to your manager, tell them your proposal was accepted, and get the go-ahead to attend. Remember, conference speakers usually get conference costs waived. That can be a few hundred to a thousand dollars o
Happy birthday, Jamf! On June 10th you turned 21! But it’s not just your birthday this month. It’s also Charlie Root’s 30th birthday today! If it weren’t for Charlie, probably none of us would be here right now. Who’s Charlie Root? Digital spelunking I consider myself an amateur digital spelunker and enjoy digging around the visible and hidden files of macOS to see what I can find. Apple has hidden some iconic Easter eggs in macOS over the years. Some are well-known. Easter eggs are those delightful undocumented software features that you might stumble upon accidentally or if you’re paying a little extra attention. They’ve come and gone over different versions of macOS, but Ventura still has a few to uncover. Look closely at the Maps icon and you’ll find the intersection of the 280 freeway and North Wolfe Road in Cupertino. In the upper right corner is Apple’s headquarters, the ring-shaped Apple Park. Navigate to System > Library > CoreServices. Right-click CoreT
Working in end-user device management, focusing on onboarding, configuration, security, and updates, is easy. After all, getting everyone working is critical! But what happens at the end of a school year or employment contract? What about managing the sudden departure of a staff member or student with a BYO device? Do you have an end-user device offboarding process in place? Do you have licensed software to recover? Configurations to remove and permissions to reset or restore? What about the removal of the framework itself? In this article, I’ll guide you through the basics to complete these tasks and let those devices go with comfort and ease and, most importantly, satisfied end users. In most circumstances, our users initiate device offboarding via Self Service. The policy becomes available when their computer record is scoped to our voluntary offboarding department. All institutionally licensed software and configurations are removed. Local student user accounts are elevated
In this blog we will assume you have Jamf Pro, Jamf Connect, and Jamf Protect or a combination of those and look at it through the lens of Microsoft and Jamf Device Compliance, but the exact same workflows can be achieved with the integration between Jamf and Google BeyondCorp, which was added in Jamf Pro 10.45! For several years now, Jamf Pro has allowed organizations to integrate with Microsoft Azure AD and Microsoft Endpoint Manager to provide Conditional Access to Apple endpoints; initially it was only available for macOS using the Conditional Access feature in Jamf Pro, but Device Compliance for iOS was then added some time later. Recently we received the deprecation notice for Conditional Access for macOS; Jamf now offers an alternative solution with macOS added as a supported platform to Device Compliance in Jamf Pro, which is good news! With Conditional Access for macOS, Jamf Pro offered basic information like the state of FileVault, the firewall, a
Knowledge sharing is the most rewarding experience any of us can have. As technology professionals, we have all likely had an occasion or two where we shared something we know with someone who could benefit from the information. Many of us create videos and keynotes to train and conduct presentations. As a Learning Experience Designer within Jamf’s Customer Education department, I make a lot of videos and keynotes. I’ve found that great keynotes focus on graphics over text to aid in visual storytelling. Consistent spacing, easy-to-read font, and clean animations also add to a fantastic keynote. When delivering your keynote, make sure to bring energy and passion to excite your participants and energize them to learn. To help you create a great future video or presentation, here are six resources I frequently use to design and deliver amazing content. Keynote Apple’s Keynote app is a mainstay in the presentation landscape. Keynote is well-known for its stunn
Working with Internal Services and Jamf Safe Internet Earlier in the year, we released our education-focused security tool, Jamf Safe Internet, which focuses on keeping students and teachers safe online. As the adoption of Jamf Safe Internet increases, so do the use cases. A common use case that has become clear in the months since release is the ability to connect to internal services, such as file servers (for storing data), web servers (for platforms like Moodle) as well as a host of others. Due to the way that Jamf Safe Internet is designed to push all DNS requests to the DoH Gateway in our Security Cloud to evaluate domains against allow/block & security policies (fig1), education institutes aren’t able to access internal services without some advanced configuration. fig 1 - basic diagram of Jamf Safe Internet flow In order to better understand why we need to add the advanced configuration to our Jamf Safe Internet deployment, you will require a basic knowledge of
A massive thank you to all our Tech Thoughts authors! Every week we get submissions on outstanding technical topics for our community members to read, and it does not go unnoticed that this is a huge effort on the authors' part. So @tom_koehler and I wanted to take a moment to reward our authors for their published posts with a gift card to a popular online store that offers anywhere from a trombone to a last-minute gift for your dog's birthday. Congratulations, @jflanakin, author of Certificates, SCEP, and 802.1x: What are they? What do they do? Let’s find out! (Part One) and @bweber26, author of Introduction to JPS API Wrapper: All-in-one package for using the Jamf Pro Server API! Thank you again to all our authors! And for those who did not win today or have yet to publish a post, do not worry; there will be more opportunities to win in the future. The first step is to submit your Tech Thoughts post!
Recently, a customer inquired about whether macOS can block AirPrint via a configuration profile. Unfortunately for the customer, the allowAirPrint restriction is iOS only (https://jamf.it/jpRgP). Because it can't be blocked, I decided to look into how to Jamf Protect could be used to report on print usage in macOS. Jamf Protect Jamf Protect offers the following for generating alerts on a macOS endpoint: Threat Prevention Analytics Unified Logs Telemetry Device Controls Threat Prevention and Device Controls are out of scope for this use case, so let’s take a look at Telemetry, Unified Logs, and Analytics. Jamf Protect Telemetry Telemetry is a new feature in Jamf Protect that allows customers to send audit events generated on their macOS devices to their SIEM of choice. Telemetry currently uses the BSM implementation in macOS, so I can use the pre-existing binaries that I would normally use to analyze the logs locally. Running sudo praudit -sx /d
Customer Education has long pursued the goal of meeting you where you are. We create learning experiences for aspiring technicians and seasoned admins looking to expand their knowledge and better understand the tools available to them. We aim to provide context, use-cases, and additional resources to help you in your journey to support users. We created the Jamf 170 Course to respect the importance of keeping devices secure, remediating threats, and fostering a general understanding of attack vectors that malicious actors may leverage against your environment. I began at Jamf as a trainer delivering the Jamf 200 Course (and for you grizzled veterans, the CCT). The 200 covered everything from turning on your Mac for the first time to writing a custom script and deploying it with a policy. For new Mac users, this resulted in a deluge of information in a short amount of time. For Mac aficionados, much of the elementary subject matter felt irrelevant. Over time, the Customer Education team
A Read-only Friday post by William Smith Every word is precious. You shouldn’t waste them. Let’s keep this one short and sweet to let you get on with your homework. A few Apple admins conferences, including the Jamf Nation User Conference (JNUC), have already opened their calls for proposals. Each conference may go by a slightly different name for submissions, but they’re all asking you for the same thing. They want to hear about your story. By now, you should have a good idea if your story fits with the theme of the conference or conferences you’ve chosen. Remember, all you need to do is go watch some of the videos they’ve posted online from past conferences to see if your idea fits. If you’re in the Apple management or security space, you’re going to fit just fine. What you’re going to submit is commonly known as an elevator pitch. Imagine you have this great idea and just so happen run into the decisionmaker on an elevator in a tall building. It’s now or never. As you ascend the bui
In large enterprises and organizations with thousands of computers, it’s often necessary to break up software deployments into more manageable groups. Need to push a configuration profile out to 5,000 devices? You might want to break that into chunks of 1,000, so you don’t hammer your Jamf Pro server. When I was a customer, we had over 17,000 devices in each of our Jamf Pro instances, and we often wanted to deploy software in stages. Right now, there is no built-in method to do this in Jamf Pro. So, I came up with a way to generate semi-randomized Smart Groups by utilizing the UDID of the device. The UDID is a 32-character identifier (Unique Device ID) that all devices have and is what Jamf Pro uses to uniquely identify all devices. You can view a device’s UDID by navigating to the device’s inventory record and selecting Hardware from the sidebar. Each UDID contains HEX characters, which means 0 through 9 and A through F. Using a little bit of REGEX-fu, you can create a Smart Group th
With Apple devices continuing to gain major prevalence within both educational institutions and businesses of all sizes, it’s becoming increasingly important for organizations to manage not only their devices but also the Apple ID that the user signs-in with. This is where Managed Apple IDs come in. While you can restrict the ability to sign-in to an Apple ID using an MDM solution (or our team can do this for members of our own managed service offerings), in doing so you are denying users key functionality and features, such as iWork collaboration and iCloud Backup. This article aims to highlight these benefits and discuss how to leverage your organization’s existing Microsoft 365 accounts as Managed Apple IDs to give your users one fewer log-in to remember. That said, it should be pointed out that it remains best practice to disable signing-in to any Apple ID on devices that aren’t permanently assigned to an individual user and Shared iPad isn’t being used. This is most common in smal
Certificates and the technologies surrounding them can be a difficult topic to understand. In this series, we’re going to break down the underlying concepts around these technologies in a straightforward, easy-to-understand way. In our first part we will cover the basics of certificates and how they work, and in the future we’ll talk about SCEP, AD CS, 802.1x, and more. What is a certificate? A certificate is a unique, digitally signed document which authoritatively identifies the identity of an individual or organization. What makes up a certificate? A signed digital certificate contains the owner’s distinguished name, the owner’s public key, the certificate authority’s (issuer’s) distinguished name, and the signature of the certificate authority over these fields. There are often other fields, such as Country, State/Province, City, Organization, Department, and more which can more accurately identify the certificate or the object which the certificate identifies. These fields aren
Earn a cool badge and Jamf Nation Reward Bytes for your published articles. We’re looking forward to your submissions!