Posted on 09-25-2015 11:43 AM
Warning: this is a rant.
Does anyone else have the general feeling that both convergence and idempotence, strong features in most configuration management products (Chef, CFEngine, etc.), are a giant weakness in the JAMF suite of products at the moment?
For those who don't know, convergence is the idea that you say something should be a specific state (let's say Flash Player a specific version), and the configuration management system then tries to get a system to that state.
So in the Flash Player example, a Mac might test to see what version is installed and then restore the Mac to that state by re-installing Flash Player, upgrading, etc.
Idempotence is the important concept (in this context) that doing something multiple times doesn't yield side effects. This is to say that in the process of converging back to a known state a Mac won't do something as a side effect on multiple runs.
I've managed Casper for several years, and my fear at the moment is that we've all come up with solutions using many different tools (smart groups, policies, scripts, etc.), but these other configuration management systems have been done at such a large scale that those communities have an agreed upon language that is typically easy to version control and test.
We've all seen JAMF administrators get great things done with their own scripts, but there's a lot of re-inventing the wheel going on. I'll probably end up with cfengine for configuration management, with Casper for MDM, VPP, Self-service. But I'm curious if anyone thinks JAMF is going to head in a direction that more fully embraces the general configuration management wave of DevOps in the industry right now.
Casper as a thing over ARD was a huge leap, but the core product paradigms feel a decade old at this point.
END RANT
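The convergence and idempotence ideas from the post above, as an added example that is not part of the original post and uses no JAMF or configuration-management API. The function names, the temp-directory "installed state" and the version strings are all constructed for illustration.

```shell
#!/bin/sh
# Constructed demo: the "installed state" is a version file in a temp
# directory, standing in for a real package receipt. Names are hypothetical.
STATE_DIR=$(mktemp -d)
VERSION_FILE="$STATE_DIR/flashplayer.version"
INSTALL_LOG="$STATE_DIR/install.log"
: > "$INSTALL_LOG"

# Read current state; prints "absent" when nothing is installed.
installed_version() {
    if [ -f "$VERSION_FILE" ]; then cat "$VERSION_FILE"; else echo "absent"; fi
}

# Stand-in for the real installer. It leaves a side effect (a log line) so
# that unnecessary repeat runs would be visible.
install_version() {
    echo "$1" > "$VERSION_FILE"
    echo "installed $1" >> "$INSTALL_LOG"
}

# Converge: compare current state with desired state and act only on drift.
# Prints "changed" or "unchanged" so the caller can report what happened.
converge() {
    desired=$1
    current=$(installed_version)
    if [ "$current" = "$desired" ]; then
        echo "unchanged"
        return 0
    fi
    install_version "$desired"
    # Verify the action actually reached the desired state.
    [ "$(installed_version)" = "$desired" ] || return 1
    echo "changed"
}

# Number of times the installer really ran.
install_count() {
    wc -l < "$INSTALL_LOG" | tr -d ' '
}

converge "2.0.0"                    # first run: absent, so it installs
converge "2.0.0"                    # second run: already converged, no-op
echo "1.9.0" > "$VERSION_FILE"      # simulate drift (manual downgrade)
converge "2.0.0"                    # drift detected and repaired
echo "installer ran $(install_count) times"
```

Three converge runs produce only two installs: the repeat run against an already-correct state does nothing, which is the idempotence property the post describes.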
Posted on 09-25-2015 12:07 PM
I'm waiting to see what Patch Management functionality makes it into a future version of the Casper Suite. That would be a huge manual labor time saver. AutoCasperNBI and JSSImporter go a long way towards solving this, but...
Something like Munki may also be a better solution for what you are looking to accomplish...
Posted on 09-25-2015 12:10 PM
Why not both?
Configuration management is great. It is also a lot of work, and has a tendency to be designed with servers in mind, not clients. That being said, there are teams of people that use config management very successfully on Mac endpoints.
I'd probably not use CfEngine when Puppet exists, especially because there is a significant amount of work that has gone into making modules for OS X management in Puppet.
The Puppet Munki/Simian Autopkgr combo is very powerful, if you have the resources to dedicate.
Posted on 09-25-2015 12:23 PM
No argument against a configuration management product (cfengine/chef/puppet) + munki/casper (which is exactly where I'm going). It's just at a certain point you start ticking boxes that were core reasons to use Casper with other products. 6 or 7 years ago this wouldn't be the case.
So assuming that trajectory, where do we see Casper in 5 years? The super polished inventory web interface that has MDM? Or do we see JAMF filling out into the areas that used to be core competencies (imaging, software deployment) to grow into configuration management land? Maybe it's just that we as sysadmins grew to expect more, but I'm very curious what large Mac deployments are doing as new releases add more and more features on top of the existing methodology that's old old old.
Posted on 09-25-2015 12:38 PM
Well, my complaint has been in areas such as Imaging and deployment (Patch Management), JAMF has barely been keeping up. Casper Imaging needs a rewrite and new UI, still waiting to see PM and JDS 2.0. Then I could see them branching into configuration management. Or at least getting back to asking customers what their pain points are, and trying to find ways to make the Casper Suite resolve them/make them easier. To be fair, their growth, plus the architectural changes for v9, have been significant challenges for them...
Posted on 09-25-2015 01:59 PM
Does anyone else have the general feeling that both convergence and idempotence, strong features in most configuration management products (Chef, CFEngine, etc.), are a giant weakness in the JAMF suite of products at the moment?
We've all seen JAMF administrators get great things done with their own scripts, but there's a lot of re-inventing the wheel going on.
Yes and Yes! Well said.
Posted on 09-25-2015 03:58 PM
ok,
I would say that there has always been overlap between Jamf and the "other" players.. I think there always will be, each solution offering different specialties...
I can see big orgs with resources using open source systems.. but most orgs don't have the resources or the time to care for and feed those systems....
I don't think that it's true "these other configuration management systems have been done at such a large scale that those communities have an agreed upon language that is typically easy to version control and test."
It might be in 5 years but I don't think so ... those "large scale source systems" are mostly org dependent and highly specialized for that org.
An example, Google using Puppet, Facebook using Chef and IBM using Jamf... All three ( in fact all of us) going toward the same goal (securing Macs) but driving 3 different cars on three different roads.
I also don't think that
"Does anyone else have the general feeling that both convergence and idempotence, strong features in most configuration management products (Chef, CFEngine, etc.), are a giant weakness"
is true...
"at the moment" might be true but from what I can see it's just trade offs right now... yep that might be better than this but define better?
I think convergence and idempotence are just changing "objects" that admins have to "watch/check/test/verify/manage/control" and I bet/know some people are using Casper to work in that mode already...
We are in the middle of a change in the definition of security... many people trying to "watch/check/test/verify/manage/control" different things to secure everything...and it's not going to work....
We are changing AV vendors here and I have started asking why do Macs need AV? and the standard answer is Macs get viruses too...sounds simple, but what the standard answer is really saying is that Sophos, McAfee, Symantec and "pick your AV vendor" can secure the Mac better than Apple..well obviously said like that the standard answer sounds really stupid and is not true... "We are in the middle of a change in the definition of security" what does a secure Mac look like and how do you get there? I don't know but what I do know is that the old methods didn't/don't work and we need Apple to do the heavy lifting.
One of my fav Apple sayings: "that isn't an IT issue, that is an HR issue". In the past most orgs refused/or didn't have the resources to teach their managers and HR staff how to handle situations and then IT/Microsoft came along and said "oh we can "watch/check/test/verify/manage/control" that"..... well Microsoft isn't around anymore and Apple is saying do it our way or the highway... but "admins/IT management/Corp management/security" still think we can "watch/check/test/verify/manage/control" everything..hardware/software/users... well we can't and the sooner we understand that the better... iOS proves that we don't have to "watch/check/test/verify/manage/control" everything..
Apple is the only one who really gets to control it, we are lying to ourselves if we think otherwise. We spend a lot of time and resources lying to ourselves that should be spent on real issues. We want the sidebar to have X or the desktop pix must be X instead of how to better secure the Mac. Using any product is like being married to the vendor and usually the vendor dictates terms.
In less than five years, Apple will have its act together and the need for anything more than a generic MDM will be an outlier 1% case... We are almost there now, is managing the top 20 Apps easy? I think so.... With MS office coming to the Apps store there is almost a case to be made to lock down "gatekeeper" and ask users why they would want to use software that isn't in the apps store?
Jamf is old and in this space it might be the oldest... but... it's definitely the best off the shelf solution you can buy and get real support. I would guess that for most orgs the support is the "Killer app"... (I won't get started on how great the support is but I like to say Jamf support is more Apple than Apple)
Come on guys.......
Can the Jamf tools be better, yes and they know that and are working on it and we all know they are working on it!!!!!! Can anybody name a major software vendor that lets users post feature requests on its web site, vote them up and down and then gives the users feedback on those feature requests? I don't know any...
We all forget that a few years ago, Apple and Jamf were small companies and overnight one became the largest in the world and the other is doing its best to keep up...
C
PS for me imaging, deployment and patch management are perfect. I am a little worried that the coming changes to Casper Imaging are going to bork my no-touch workflow. :)
PSS I am not sure it's re-inventing the wheel, in my case over the past 7 years it's been more like clone the wheel from Jamf nation, github and the internet and add my own tire.