Jamf Pro Archives - Mr. Macintosh

Big Sur Beta 1 & Jamf Pro = Enrollment Problems + Workaround

MrMacintosh.com - Big Sur Beta 1 Jamf Enrollment Problems — The Jamf Enrollment process is having issues on macOS Big Sur Beta 1

Time to Start Testing Big Sur Beta Against Your MDM Workflows!

By now, you have already heard the news, the annual macOS release is here! The new OS is called Big Sur and is now macOS 11! That’s neat and all, but it’s time to start testing workflows. Time is of the essence, we only have about 10 or so beta releases before Big Sur is production ready.

Every year I put together a “Need to Know” article on all the latest macOS Beta changes. You can check out the post below, I will keep it updated new information comes out.

mrmacintosh.com/macos-big-sur-11-0-updated-index-of-need-to-know-changes-links/

Jamf Pro & Big Sur

Big Sur enrollment using Jamf Pro is currently Broken. If you attempt to take Big Sur Beta 1 through DEP/Automated Enrollment it will fail. Behind the scenes, the jamf binary is not installing properly. A quick workaround is to build out a 10.15.5 Mac, then enroll it in to Jamf Pro. Run the Big Sur Upgrade and your Mac will be fully working with Jamf Pro.

@franton gives a great overview of why Jamf Pro is having enrollment issues on Big Sur. jamf.com/jamf-nation/feature-requests/9531/jamf-enrollment-improvement-suggestion

As far as I can tell, the enrollment process is InstallApplication a zero payload pkg which then curls down the jamf binary. The binary is then trying to install the JSS communication certificate via the profiles command and this doesn’t work with Big Sur. The end result is I have a mac with the binary but no way for it to “phone home”.
franton

Fresh Big Sur Install Workaround

You just finished installing Big Sur, and don’t want to waste time erasing the drive + reinstalling the OS two times! There has to be a better way.

The workaround is pretty simple if your Mac serial number is in DEP.

1. Build out fresh Big Sur Beta 1 Mac
2. You are now at the Setup Assistant
2. Do not connect the Mac to WiFi or Ethernet
4. Create Local Account
5. Connect to network
6. Run sudo profiles renew -type enrollment
7. You will see an enrollment notification in the upper right corner.
8. The enrollment will fail.
9. Use Recon.app to create QuickAdd.pkg Or use the quickadd enrollment URL = https://your.jps.com/enroll?type=QuickAdd
10. Copy QuickAdd.pkg to Target Mac & Install Or run QuickAdd.pkg from downloads.

That’s it! You are now enrolled into Jamf Pro. Tomorrow I will try with the https://casperserverhere.domain.com:8443/enroll method to see if can figure out . This would be for any mac that is not enrolled into DEP.

Hat Tip goes out to MacAdmin @kennyb for testing this method. I was able to verify the method this afternoon.

Jamf fix Coming in the Next Beta Release

Jamf said just today, that they found the enrollment issue last week and a fix is coming in the next beta release!

Non DEP Mac Enrollment

MacAdmin @aaronpolley put together instructions for enrolling a device that is not in DEP. In his example, he is pulling directly from his Jamf Cloud instance and manually creating a Jamf configuration file.

Aaron’s instructions start below.

If anyone is testing macOS 11 Beta and using Jamf Pro as your MDM, the jamf binary fails to install and complete the enrolment (as some mentioned here already)I am putting together some notes to submit in the correct places….. however for the short term here are the steps to get the Binary installed and complete the enrolment (for either DEP or UIE)

sudo -i

mkdir -p /usr/local/bin/
mkdir -p /usr/local/jamf/bin/
cd /usr/local/jamf/bin/

rm ./jamf.gz

curl "https://yoururl.jamfcloud.com/bin/level1/jamf.gz" -o ./jamf.gz

rm ./jamf

gunzip ./jamf.gz

chmod 755 ./jamf

chown root:wheel ./jamf 

./jamf createConf -server https://yoururl.jamfcloud.com

defaults write /Library/Preferences/com.jamfsoftware.jamf.plist jss_url "https://yoururl.jamfcloud.com/"

defaults read /Library/Preferences/com.jamfsoftware.jamf.plist

ln -s /usr/local/jamf/bin/jamf /usr/local/bin/

./jamf enroll -prompt -verbose

You will need to trust the CA cert using your admin password via UI password prompt rather than it passing through via CLI when rootas in the pastAlso as shared previously this gives some greate debugging feedback WHILE the initial MDM enrolment is occuring, so best run whilst doing a DEP Nag enrolment (profiles renew -type enrollment) or via UIE:

log stream --info --debug --predicate 'processImagePath contains "mdmclient" OR processImagePath contains "storedownloadd"

NOTE: Please keep in mind, the instructions in this article are for testing only and are not for a production Mac

Big Sur Jamf Enrollment

How To Regenerate a New FileVault 2 Personal Recovery Key (PRK)

MrMacintosh.com - How To regenerate a FileVault 2 Personal Recovery Key. — How To reissue a FileVault 2 Personal Recovery Key

It’s good practice to have a backup of important things in your life. You wouldn’t only keep one set of keys to your house or car. The same goes for your FV2 Encrypted Mac. The FileVault Personal Recovery Key is your backup key to your Mac. If your account password is not working or if you can’t remember the password, the Recovery Key will be the only way to get to your data.

Two Different Types of FileVault 2 Recovery Keys

When encrypting your Mac, you have two different types recovery key options.

(PRK) Personal Recovery Key – Every Mac has a unique Recovery Key.
(IRK) Institutional Recovery Key – One Recovery Key for every Mac

While it may be convenient to have one key for every Mac, having a Institutional Recovery Key is like having a Master Key to an Apartment Complex. If that key is stolen or lost, the bad guy has a key to every single apartment unit. The same thing goes for the (IRK) if one user has the key, it’s known for every single Mac.

The PRK is the way to go, as each Mac has a unique key.

I previously wrote about how to use the PRK to recover data from a Mac using Target Disk Mode.

https://mrmacintosh.com/filevault-2-target-disk-mode-unlock-using-the-personal-recovery-key/

Why Would Would I Need to Change my Personal Recovery Key?

Here are a few reasons why you might need to reissue or generate a new FileVault 2 Personal Recovery Key.

1. The Computer Record was deleted from your MDM.
2. The MDM Recovery Key Entry is corrupted.
3. The Recovery Key is not working.
4. The PRK is given to a user and you want to cycle and protect it.
5. The PRK user is missing, or the ? mark is not showing at FV2 login.
6. If you need to reenroll a Mac into a different MDM.

A good example of #2 is when Jamf Pro 10.7.1 screwed up the recovery key display in every computer record. This defect was fixed in Jamf Pro 10.10.

https://www.jamf.com/jamf-nation/discussions/31910/filevault-2-personal-recovery-key-issue

Reissue the FileVault 2 Recovery Key with FV2 Enabled Username and Password

To generate a new FileVault 2 Personal Recovery Key we will be using the fdesetup binary.

First you can check to see if your Mac is using a PRK or IRK.

sudo fdesetup haspersonalrecoverykey = true or false

sudo fdesetup hasinstitutionalrecoverykey= true or false

Now we can change the recovery key using username and password.

sudo fdesetup changerecovery -personal

Enter the user name:mrmacintosh

Enter the password for user 'mrmacintosh':

New personal recovery key = 'Z5V7-K464-PEVT-09OX-Q2EW-8FO8'

This works for 10.13 – 10.15

Reissue the FileVault 2 Recovery Key using the Current Personal Recovery Key (PRK)

Staring in 10.14, you can now use the current Personal Recovery Key to generate a new PRK.

You will be using the UUID of the Personal Recovery User and the current PRK as the password.

Find the UUID of the Personal Recovery Key User

sudo fdesetup list -extended

ESCROW UUID TYPE USER

0A1BCDC3-49BD-4E00-B741-813E143AD1E2 OS User mrmacintosh

EBC6C064-0000-11AA-AA11-00306543ECAC Personal Recovery Record

Note: The UUID of the Personal Recovery User is the same very every FV2 Encrypted Mac.

Let’s change it.

sudo fdesetup changerecovery -personal

Enter the user name:EBC6C064-0000-11AA-AA11-00306543ECAC

Enter the password for user 'EBC6C064-0000-11AA-AA11-00306543ECAC':

New personal recovery key = 'Z5V7-K464-PEVT-09OX-Q2EW-8FO8'

For the password field, all we need to do is enter in the current FV2 PRK.

NOTE: If you want to send the Recovery Key to Jamf Pro, you need to run Recon twice.

Running commands are great for 1 or 2 Macs, but what if I have to fix more than that?

The guys at HCS Technology Group wrote up an excellent article showing us how to create a policy for this. The policy will search for all Macs that do not have a valid recovery key and will remediate with a script kicked off by a Jamf Policy.

https://hcsonline.com/images/PDFs/Jamf_Recovery_key_Filevault.pdf

Credits

Hat Tip goes out to Johan McGwire aka yohan on #MacAdmins. He brought up the 2nd way to reissue the Personal Recovery Key with the current PRK. Johan the expert behind the following projects. Check them out!

Also HCS Technology Group, I can’t say enough about these guys. They have written some of the best MacAdmins guides available today!

Get the full list HCS White Papers, visit this link.

http://hcsonline.com/support/white-papers.

Follow them on Twitter! https://twitter.com/HCSTechnology

How to Manage Catalina’s New Application Notifications with a Profile

This article will show you how to Manage Catalina’s New Application Notification Preferences with a Config Profile.

Now that Catalina is live, MacAdmins have many questions. The top 3 questions I have seen so far are;

1. How do I block macOS Catalina from my users?
2. How do I Manage macOS Catalina Application Notifications?
3. What are the new Screen Recording and Input Monitoring or Keystroke Receiving TCC Settings? (more on that in a new article.)

Catalina Application Notifications Index

1. Should I manage Application Notifications?
2. How do I reset or clear out previous Notification Settings?
3. How can I test the Notifications Profile?
4. Find Previous Bundle ID or App Domains from past Prompts
5. Manage Notifications with a Profile.
6. Notifications Profile with Profile Creator.
7. Notifications Profile with Manage App Notifications.bash
8. Credits

1. Should I manage Application Notifications?

This is a question you should ask yourself. Keep in mind, once you mange a profile setting it can not be changed by the user. Managing certain application notifications from Jamf Self Service is one example. You WANT the user to be able to see the notifications that it sends out. The user may miss something important, if they previously clicked DENY. For other applications, you might want to leave Notification decisions to the user.

2. How do I reset or clear out previous Notification Settings?

How do you reset Catalina’s Application Notifications if you clicked Allow or Deny already?

The settings are stored in a plist in the users /Library/Preferences folder.

com.apple.ncprefs.plist

To reset all Notification Alerts, you can delete the plist and then restart. Once you get back to the desktop all your notifications will start popping up again.

3. How can I test the Notifications Profile?

After you create the profile and install it, any open notifications will immediately disappear! The best way to test your new profile is to delete ncprefs.plist, then restart. Then you can leave any open notifications up on your desktop. Install the profile , then all the notifications that you manage should disappear.

4. Find Previous Bundle ID or Application Domains from past Prompts

If you want to see previous prompts that you have already answered try this command.

sqlite3 "$(getconf DARWIN_USER_DIR)/com.apple.notificationcenter/db2/db" "select * from app;"

4. Manage Notifications with a Profile.

The easiest way to manage Notification is with a Configuration Profile.

NOTE: If you use Jamf Pro, Notifications is not an option yet in 10.15.1.

I will show you two ways to create a Notifications Profile.

1. Erik Berglund’s – Profile Creator Application.
2. William Smith’s (talkingmoose) –Manage App Notifications.bash

5. Notifications Profile with Profile Creator.

Erik Berglund‘s Profile Creator Application.

Creating Profiles is easy with Profile Creator! The version that we will be using is v0.3.2 which has Catalina Options built right in. After installing you will see the welcome screen.

Profile Creator’s Welcome Screen.

You can start by filling out the General Settings. Set the Name of the profile, Description, Company Name and Payload Scope. For the Payload Scope select System if you want the settings to be for all users. You can add Prevent users from removing this profile (Supervised)

Profile Creator’s General Settings.

Once you have the General Settings set you can add a new profile payload. Scroll down on the left hand side until you see macOS. You will then see Notifications.

Profile Creator Notifications Payload.

To start you will need to add the Notifications Payload Key. Click the + button on the left hand side of Notification Settings.

Profile Creator’s Notifications Payload Settings.

Now that Notifications Settings is active you can add new keys. Click the + button to add a new Key.

Profile Creator’s Notifications Key

Now you can view the different settings you can set.

1. Enable Notifications
2. Bundle Identifier for the target app
3. Show app in Notifications Center
4. Show Notifications at the Lock Screen
5. Notification Sounds Allowed
6. Allow Badges
7. Alert Type – None, Banners, Alerts
8. Enable Critical – If the banner can pass through DND

The option that you will need to find is the Application Bundle Identifier. An example would be Microsoft Outlook. The Bundle ID for Outlook is com.microsoft.outlook. How do you find the Bundle ID ?

You can find many ways to find the Application Bundle ID. I will show you 3 different ways to do this. One of the best ways is to look directly at the application info.plist. Run the following all on one line. Let’s check to see what Safari’s Bundle ID is.

1. PlistBuddy

/usr/libexec/PlistBuddy -c 'Print CFBundleIdentifier' /Applications/Safari.app/Contents/Info.plist

com.apple.Safari

2. lsappinfo

lsappinfo info -only bundleid Google\ Chrome

"CFBundleIdentifier"="com.google.Chrome"

3. mdls

mdls -name kMDItemCFBundleIdentifier -r /Applications/Remote\ Desktop.app

com.apple.RemoteDesktop

Now that you have the Bundle ID, plug it into the 2nd box in the key options.

Profile Creator’s Notifications Key Application Bundle ID

You can now add as many keys as you want!

Profile Creator’s Notifications 2nd Key Application Bundle ID

Once you have finished adding all the Bundle ID’s you are ready to Add this payload to the main Profile and save it. Click the Add Button in the upper right hand corner.

Profile Creator’s Notifications Add NotificationsSettings to the main Profile.

You should now see this in the upper left hand corner.

Profile ready to save!

Now click on the upload button on the right hand side of the + button to save your new profile.

Profile Creator’s Save Menu

This is the save menu. Check over the settings to verify everything is correct.

NOTE: Just as the note says at the bottom. If you use Jamf Pro you need to Sign the profile with your Apple Developer ID. If you use any other MDM you do not have to do this.

You will now have a file called 10.15 Notifications.mobileconfig

You can now upload it to your MDM Server.

After installing the profile you can go into system preferences > Profiles and view the new profile. It will look something like this.

Notifications Profile Settings.

You can then scroll down to verify all the macOS Catalina Application Notifications settings.

6. Notifications Profile with Manage App Notifications.bash

William Smith aka (talkingmoose) just wrote an amazing bash script that will generate a Notifications.mobileconfig

You can find the script on William’s Github

All you have to do is run the script. You will be prompted at each step.

Drag and drop the app into Terminal (will auto fill the bundle ID info!)
Allow Notifications
Show Notifications on the Lock Screen
Show In Notification Center
Badge App Icon
Play Sound
Critical Alerts (Past DND)
Upload to Jamf Pro or Save to Desktop
Would you like to View the Profile.

MrMacintosh.com - Manage App Notifications.bash — How easy is this??? Picture via > https://gist.github.com/talkingmoose/9faf50deaaefafa9a147e48ba39bb4b0

The only limiting part of this script is that you can only set one application per profile. William has mentioned that he might look into adding the ability to add multiple application notification settings into one profile. If you would like this, please send him this feedback!

7. Credits

A big Thank You goes out to the following MacAdmins.

@stevemasser – For finding the Notifications Preference plist Location.
@roberthammen & @emily for Confirming that current notifications will disappear immediately when the profile is installed.
@eholtam for finding the neat sqlite3 trick for showing previously answered notifications.

If you have any questions or comments on macOS Catalina Application Notifications, please don’t hesitate to Contact Me!

3 Undocumented macOS Mojave 10.14 Enterprise Fixes

In this article, I will talk a little bit about the current state of Apple’s Documentation. After that, I will show you 3 Undocumented 10.14 Mojave fixes that can help you as a MacAdmin.

Documentation, Documentation, and Documentation. Say it three times fast! MacAdmins just want Apple to provide proper documentation for features, controls and security settings and Enterprise Fixes. In some cases, Apple provides excellent documentation. An example of this would be the T2 Security Chip Security Overview released in October of last year. In other cases when it comes to binaries like sysadminctl not so much.

I tried to searching for something that specifically mentions SecureToken or sysadminctl and came up empty.

The best that I could find was a document called “If you see authentication server errors when turning FileVault on in macOS High Sierra“. This article does not even mention SecureToken. You can get a few nuggets of information by checking the sysadminctl binary options but sysadminctl doesn’t have a man page. I even performed a search on developer.apple.com/documentation as you can see in the picture above. I will be writing about sysadminctl next week. Maybe I can create a MacAdmins version of a sysadmincatl man page! Yet when I search for “SmartCard” three documents show up. SmartCard support is a small piece in the overall macOS pie, yet has multiple documents! Side Note: Shout out to all my peeps in the MacAdmins.slack.com #SmartCard channel (about 5 people) 🙂

Documentation is getting better.

If you have been keeping track, Apple documentation is getting better. If you look at the “What’s new in the updates for macOS Mojave” page you will see a large number of fixes. Eagle eye MacAdmins will be first to spot “Enterprise Content”, this is the stuff MacAdmins are interested in.

10.14.2

10.14.3

10.14.4

Check out that first one under 10.14.4! As noted in my previous article, I fought to get that one fixed since 10.14.0. It’s really great to see that fix get mentioned in the Enterprise Content area.

What do you mean undocumented fixes ?

Apple is constantly fixing things behind the scenes. MacAdmins continue to file radars, call Apple Care, test beta releases, submit feedback and submit Apple Enterprise Support tickets. Defects and bugs ARE getting fixed but are not listed in Apple’s Enterprise Content listing. I am not totally sure why certain fixes do not make the list.

Maybe Apple wants to keep the list short while focusing on the major fixes. I wish Apple would list more of them, even if they posted them in an enterprise only area. An example of this would be AppleSeed for IT. If you are part of an Enterprise or School you can be selected to join the program. I highly recommend joining if you are not a member already. You can read the FAQ about joining eligibility here. Inside you will find links to macOS beta downloads and beta documentation. Each beta release (Sometimes up to 6 releases per combo update) will show what has been fixed between updates. This is great information for any MacAdmin to have so you can stay on top of what’s going on.

3 Apple Enterprise fixes included in 10.14.0 – 10.14.4

1. macOS 10.14 Mojave can now provide FV2 Authenticated Restarts for Combo and startOSinstalls.

In 10.14 macOS Updates and Upgrades are now able to perform Authorized Restarts. This feature was not an option in previous releases. This is a pretty big deal, especially for #MacEDU and Enterprise customers who have computer labs.

Previously if you installed a macOS update and the system was FV2 encrypted it would restart but STOP at the FV2 unlock screen. If you performed this update remotely you would lose control of the machine. Things get worse at FV2 login window because firmware will shut the Mac down after 5 minutes of inactivity. The same problem will happen when you start a macOS Upgrade. You will be disappointed after returning from lunch thinking the update is complete only to find the Mac turned OFF. You then power the Mac back on only to find the installer has just started with 40 minutes remaining. With 10.14 if you kick off a combo update or macOS upgrade the installer will perform an Authorized Restart and you will never get stuck at the FV2 prompt again!

For startosinstall you just have to store the mojave.app in a folder like /Users/Shared. Then kick it off with this command – sudo /Users/Shared/Install\ macOS\ Mojave.app/Contents/Resources/startosinstall –nointeraction The –nointeraction option will prevent license agreement message.

2. Installing software updates using the -R restart option at the login window now properly restarts the Mac to the installer. (10.14.4)

When Apple released the T2 security chip they also added additional options to the softwareudpate binary so it could handle BridgeOS updates. Installing a combo update on a T2 Mac is now a multi-step process. Using softareupdate step one remains unchanged, it will download the combo update from Apple which in turn stores in /Library/Updates. For step two, the Mac reaches out to Apple’s personalization service (gs.apple.com) verify the BridgeOS and combo update. When the verification is complete you will have a new folder in /Library/Updates called PersonalizedManifest.

You are automate the entire process by using sudo softwareupdate -iaR. Options -i will install the update, -a will download all updates and -R will perform an automated restart. The process works just fine if you are the logged in user. If the system needs to update the BridgeOS the Mac will shutdown and then will power back on with the T2 Chip to install the BridgeOS update. If the system does not require a BrigeOS update the system will restart to the update installer. The problem comes in if you try to automate the install from the login window using the softwareupate -R or –restart option. Softwareudpate will run run through the process listed out above only to stop at the very end and be unable to restart.

Looks great until the very end, when at the login window the system will NOT restart!

Once all your Macs are updated to 10.14.4, you can now use the -R restart for all situations. Softwareupdate can now restart the Mac if it’s at loginwindow.

3. 10.14 FV2 Authorized restarts can use the PRK (Personal Recovery Key) again.

When 10.13 arrived you could no longer perform FV2 Authenticated restarts using the PRK (Personal Recovery Key). This feature was just flat out broken. This previously worked in 10.12 Sierra and below. NOTE: You could still perform an Authorized restart with your FV2 name and password. An example of a PRK Authorized restart would be if you are a JAMF Pro customer and had a policy that installed a package but it also required a restart. You could select the option “Perform Authenticated Restart” Jamf would then send a fdesetup authrestart using the PRK. The package would install and then the system would perform an FV2 authorized reboot so the user did not have to enter in the password at the FV2 unlock screen.

10.12, 10.11 & 10.10 – Works!

sudo fdesetup authrestart = Enter a password for ‘/’, or the recovery key:

10.13 – Doesn’t work

sudo fdesetup authrestart = Enter the user name: ( hit the enter key to toggle Recovery Key Entry) = Error: Missing user name. Error: Unable to restart (error = -54).

10.14 – Works again!

sudo fdesetup authrestart = Enter the Username: (again hit the enter key to toggle Recovery Key Entry) Enter the current recovery key:

I hope that at least one of the fixes I mentioned in this article helps you. In the future I would love to see more documented Enterprise fixes listed in the combo update patch notes. Until then though, I will continue to document said fixes and let you know about them when I can.

If you have any questions or comments, please feel free to reach out!