Blog Center
Recently active
Welcome to Part 2 of our discussion of Certificates, SCEP, and 802.1x. In our first post we took a look at what certificates are and how they work. Today we will take a look at Active Directory and Active Directory Certificate Services. What is Active Directory? Active Directory (AD) is a set of roles and features which run on Windows Server. In essence, it is a database and set of services that connect users with the network resources they need to get their work done. Active Directory is often used as a broad term to describe several concepts and services. There is much, much more to AD but this isn’t a Microsoft AD course, so we’ll only cover what we need to know here. What does Active Directory do? At its core, AD helps administrators manage permissions and control access to network resources. AD uses several directory objects to do so: Users Groups Computers Security Policies (Group Policy Objects) Active Directory manages the security policies applied to its many moving parts
Easily allowing your end-users to opt-in or opt-out of your internal beta program is the first step to building your user-base of “trusted testers.” Let's take a closer look at how we implemented this via Self Service, and how we utilized the combination of an Extension Attribute and Inventory Update to populate our testing group, rather than the Jamf Pro API. This type of workflow can be used for implementing your own beta test group, or it can be used in conjunction with other workflows where you want users to self-report. This workflow was originally posted to my personal blog, which you can find by following this link. Additionally, I've documented some related workflows and spoken about our beta test program at JNUC. Feel free to take a look at the links below if you would like to learn more:Dan K. Snelson Blog - Your Internal Beta Test Program: Opt-in / Opt-out via Self Service (sans Jamf Pro API) Dan K. Snelson Blog - Invitation Only Betas JNUC 2019 - Your Internal Bet
What are Extension Attributes? Why were they added to Jamf Pro and why do they matter? These questions, and others, will be answered in this short post. Extension Attributes can be a powerful tool in the tool belt of the Jamf Pro admin, and we will dive into them a little deeper in this post. At the end, you should have a working knowledge of Extension Attributes, a few workflow ideas, and some further resources to continue on in your journey to become an Extension Attribute guru. So buckle up and let’s go on a journey! What Are Extension Attributes? Introduced in the Casper Suite days, Extension Atributes are a method for extending the data stored in Jamf Pro for an object (computer, mobile device, or user). From our developer documentation: Extension attributes allow Jamf Pro to store additional inventory information about a device beyond what is collected by default. Their values can be set via API call, or through the Jamf Pro console itself. While Jamf Pro is designed to co
Originally this article was posted on Jamf Nation here, prior to the launch of Tech Thoughts. tl;dr - Getting an "MDM-enabled user" and user channel for configuration profiles has become unobtanium. Pretend that macOS is like iOS or iPadOS, where all configuration profiles and certificates are scoped to the whole machine. "Managed Users" A user who is "MDM-capable," "MDM-enabled," or in the Apple MDM spec a "managed user," can be achieved in a few ways: First user created by Setup Assistant when machine is first set up via Automated Device Enrollment A user with administrator rights initiates a user enrollment via an enrollment URL or renewing the Automated Device Enrollment with a profiles command Mobile accounts (aka bound to a directory service) where during login there is a token registration with the MDM. For reference, see Enabling MDM for Local User Accounts and from apple.com Prepare for changes to kernel extensions in macOS High Sierra For a configuratio
First, let me start off by saying you should never use basic auth for anything, anywhere, at any time. Next, let me tell you why you need basic auth or “Resource Owner Password Grant” or “Resource Owner Password Claim” (if you speak Microsoft) or “Resource Owner Password” (if you speak Okta) or just plain old “password” (if you read the ancient runes of the .well-known/openid-configuration endpoints). I promise you it’s a good reason. What is ROPG The basic password flow used by Resource Owner Password Grant (ROPG) is literally an endpoint receiving a user name and a password and returning something to say the password is good, bad, or other. curl 'https://login.microsoftonline.com/12345678-9abc-def1-0000-000000000000/oauth2/v2.0/token' \\ -X POST \\ -H 'Host: login.microsoftonline.com' \\ -H 'Accept: */*' \\ -H 'Connection: keep-alive' \\ -H 'Accept-Language: en-US,en;q=0.9' \\ -H 'Content-Length: 295' \\ -H 'User-Agent: Jamf%20Connect%20Configuration/2606 CFNetw
Maintaining user accounts in Jamf Pro can be daunting if you work in Education. Depending on the size of your district, you may have over a thousand staff and students enter and exit within a three-month span each school year. If your district is one-to-one, that’s a thousand new user accounts getting created each year. If you aren’t doing user-based app assignments, maintaining users may not even occur to you, but there are benefits to cleaning up user accounts in your Jamf instance. If your Jamf instance is on-premise, you know an integral part of the instance is the database. If your instance is in the cloud, you may not be aware of the significance of the database. With any database, it’s important to keep it healthy. By healthy, I mean stable, efficient, and secure. Bad data in a database can lead to inaccurate reports or, in the case of user base app assignments, wasted app licenses. Bloated databases can result in poor performance or the need to continually tune your Jamf instan
I originally posted this article on the Apple@CVTC blog, and you can find out more about JPS API Wrapper on our GitLab project. As a developer or anyone that writes code, managing APIs can be a time-consuming task. You need to a lot of time figuring out how to send requests, retrieve data, and process responses. In this context, API wrappers come to the rescue. An API wrapper is a package that simplifies the use of APIs by providing a unified interface for sending and receiving data. In this article, we will be discussing jps-api-wrapper, a Python package for the Jamf Classic API and Jamf Pro API. What is JPS (Jamf Pro Server) API Wrapper? JPS API Wrapper is a Python package that simplifies the use of the Jamf Classic API and Jamf Pro API. It provides a unified interface for sending and receiving data, making it easier for developers to interact with the Jamf APIs. With JPS API Wrapper you can easily retrieve data on devices, software, and other assets managed by Jamf, and even pe
Happy 2023 from Jamf's Tech Thoughts team! We launched Tech Thoughts just a few months ago, and so far the response from the community has been incredible. We took a short hiatus over the holidays, but we're glad to be back and ready to kick off the new year with some new and interesting posts that we think you will enjoy. To kick things off, we wanted to take a look at where we've been and where we are going with Tech Thoughts. First of all, thank you to all of the Jamf employees and community members that have submitted posts, given us feedback, and helped to spread the word. We started this project with the idea to create a collaborative space where everyone can share ideas with the community, and we wouldn't be able to create that space without your help. We have some ideas for what types of topics and information that we might want to cover in the future, but we also want to hear from you about what you'd like to read about. Is there a particular theme, topic, or technology that y
Earlier this year a small group of passionate Mac Admins community members announced the formation of a new 501(c)(3) non-profit organization called the Mac Admins Foundation. You may have heard of it thanks to sessions at the PSU Mac Admins conference, the mention by Jamf CIO Linh Lam in the JNUC keynote this year, the MacSysAdmin conference session, in the Mac Admins Slack, or maybe even from seeing our popular VoiceOver shirt. It’s been a fun journey getting the Mac Admins Foundation built and shared with the community, and we’re actively looking for ways to share what’s happening at the MAF. Conference presentations, social media outreach, and posts like this are just a few of the ways we want to stay connected with y’all. This week Co-Chair Tom Bridge posted our first quarterly update which provides news on the Training Scholarship program we’re working on (with the support of Apple and Pearson), the expansion of the board of directors, and upcoming initiatives for 2023 and
If we want to use Jamf’s built-in Patch Management notifications to let clients know about new patches as they become available in Self Service, they will receive a notification for each patch title as their Macs come into scope for each patch policy. That’s not really a big deal if we only push out one or two patches at a time, but say after Patch Tuesday… yikes! That can easily result in a string of notifications which can get pretty annoying. Additionally, there may be situations where notifications do not behave as we would expect, such as with PI104511, which can result in Self Service notifications not consistently appearing in the Notification Center when they are scheduled to do so, resulting in unpatched apps quitting unexpectedly when they reach their install deadline. This is where we found ourselves and why we built our own patch notification workflow. It leverages jamfHelper and a Smart Computer Group to send our clients one notification each day while patches are availabl
Safe and secure Mac management worldwide The world has changed during COVID times. Nearly all of us work at remote locations for multiple days a week. Our devices travel along and pop up at any location anywhere on earth. And also, because of the general availability of the internet, this behavior is now generally accepted. As Apple admins, we must think about managing Macs and rethink which switches to flip. We have already covered a lot of security policies: our devices are registered in Apple Business Manager, they are managed in a device management server, we implemented security policies based on CIS benchmarks, and we enforce FileVault encryption — just to name a few steps we already have taken to increase the level of management and security. Apple admins need to keep all devices as secure as possible, so next, we decided to rethink those local admin accounts. No account, no risk These are accounts on the Macs with a — hopefully — secure password and administrative acce
Over the years, you, our Jamf Nation members, have given us feedback around how we could improve your community experience. And for that, we’re so grateful! It led to the remodeling of this very community last summer and allowed us to create more meaningful spaces for you to connect and learn from each other. But you want more, and we want to give you more! You (singly and collectively) communicated that you want a space within Jamf Nation where you can share deeper, more detailed technical thoughts. You want to hear more creative and common ways to use Apple and Jamf to achieve success in your environments. You want a technical blog space to share these ideas and workflows. Well, folks, we’re happy to announce we heard you, and we’re making it happen! We’re excited to introduce Tech Thoughts, a technical blog that’s dedicated to serving as a space where Jamfs and Jamf Nation members alike can share their expertise on important, time-sensitive technical topics. You are all a wealth of
Earn a cool badge and Jamf Nation Reward Bytes for your published articles. We’re looking forward to your submissions!