Previously, I’d written a script to manage sending device lock commands using the Jamf Pro Classic API. After writing it, I thought that it would be a good idea if the script could also generate a report that could be handed off to others so I forked the script and updated it to generate a report in .tsv format. Since others might prefer the original script without the automatically generated report, I left that one alone and have made the forked copy into its own script. For more details, please see below the jump.

Pre-requisites:

If setting up a specific Jamf Pro user account for this purpose with limited rights, here are the required API privileges for the account on the Jamf Pro server:

Jamf Pro Server Objects:

Computers: Create, Read

Jamf Pro Server Action:

Send Computer Remote Lock Command

This script reads a .csv file formatted as follows:

“Jamf Pro ID, PIN Code” as the first line

Subsequent lines:
Column 1: A Mac’s Jamf Pro ID
Column 2: Device Lock PIN code

For authentication, the script can accept manual input or values stored in a ~/Library/Preferences/com.github.jamfpro-info.plist file.

The plist file can be created by running the following commands and substituting your own values where appropriate:

To store the Jamf Pro URL in the plist file:

defaults write com.github.jamfpro-info jamfpro_url https://jamf.pro.server.goes.here:port_number_goes_here

To store the account username in the plist file:

defaults write com.github.jamfpro-info jamfpro_user account_username_goes_here

To store the account password in the plist file:

defaults write com.github.jamfpro-info jamfpro_password account_password_goes_here

Once you have authentication handled, the script is designed to run as shown below:

/path/to/Jamf_Pro_MDM_Device_Lock.sh /path/to/filename_goes_here.csv

Once executed, the script will then do the following:

Skip the first line of the .csv file (this is the “Jamf Pro ID, PIN Code” line.)
Read each subsequent line of the .csv one at a time and assign the values of column 1
and column 2 to separate variables.

Use the variables in an API POST call to identify a Jamf Pro computer inventory record using the Jamf Pro ID listed in the .csv file and lock the Mac in question using the the PIN code listed in the .csv file.

A successful MDM lock should produce output similar to that shown below:

Failures should look similar to this:

Attempting to send MDM lock to Jamf Pro ID 1234567890 with PIN code 348201.

ERROR! MDM lock of computer with Jamf Pro ID 1234567890 failed.

Attempting to send MDM lock to Jamf Pro ID 29352935 with PIN code 12345.

Invalid PIN code data provided: 12345

Attempting to send MDM lock to Jamf Pro ID AA2319 with PIN code 348206.

Invalid Jamf Pro ID data provided: AA2319

This script will also automatically generate a report in .tsv format with information similar to what’s shown below:

This script is available below and also from GitHub at the following location:

https://github.com/rtrouton/rtrouton_scripts/tree/main/rtrouton_scripts/Casper_Scripts/Jamf_Pro_MDM_Device_Lock_with_Report

This week, like last year, I’m attending Apple’s WWDC 2021 conference from the comforts of home. As part of this, I’m taking notes during the labs and session videos. Due to wanting to stay on the right side of Apple’s NDA, I’ve been posting my notes to Apple’s developer forums rather than to here.

To make it easier for Mac admins to access them, I’ve set up a post in the forums where I’ve linking the various forum posts with my notes. It’s available via the link below:

https://developer.apple.com/forums/thread/681818

For those who wanted a copy of my talk at the MacDevOpsYVR 2021 conference, here are links to the slides in PDF and Keynote format.

PDF – https://tinyurl.com/MDOYVR2021PDF

Keynote – https://tinyurl.com/MDOYVR2021Keynote

The MacDevOps YVR folks have posted the session videos for from MacDevOps YVR 2021, including the video for my Ride on the Release Train session.

For those interested, all of the the MacDevOps YVR 2021 session videos are available on YouTube. For convenience, I’ve linked my session here.

As part of the release of Jamf Pro 10.30, the following entry was added to the Deprecations section of the Jamf Pro Release Notes:

Functionality to issue the Tomcat SSL/TLS certificate from Jamf Pro’s built-in certificate authority — Jamf Pro’s functionality to issue the Tomcat SSL/TLS certificate from the JSS built-in certificate authority (CA) will be discontinued in a future release of Jamf Pro. The release version for this change has not been determined.

Before this change occurs, it is recommended that all on-premise Jamf Pro instances leveraging this functionality switch to a publicly trusted third-party CA to issue the Tomcat SSL/TLS certificate. This will prevent the potential loss of MDM communication from Jamf Pro to enrolled devices.

If needed, a Tomcat SSL/TLS server certificate for Jamf Pro may be issued from an internal certificate authority. The JSS built-in CA will maintain its current ability to manually issue server certificates to other servers.

For shops which use Jamf Pro’s built-in certificate authority to create the SSL certificate used by the Tomcat web application, this means that at some point in the near(ish) future, you will need to plan to use a certificate for your Jamf Pro server which is no longer being issued by your Jamf Pro server’s built-in certificate authority.

For more details, please see below the jump.

As part of the deprecation notes, Jamf recommends a switch to a publicly trusted certificate for Tomcat. One way to get those is to use the Let’s Encrypt certificate authority. This is a free service which will issue free publicly trusted certificates that are valid for 90 days before needing to be renewed.

While Jamf Pro does not natively include functionality for using and renewing Let’s Encrypt-issued certificates, there is at least one script available on GitHub for using Let’s Encrypt certificates with a Jamf Pro server:

https://github.com/sean-rabbitt/letsEncryptJSS

I’ve been using this script on a development Jamf Pro server myself for over a year and it works pretty well with the host OS (CentOS 7.x.) The script renews the certificate with Let’s Encrypt’s certificate authority on a scheduled basis and automatically updates the Java keystone with the new certificate for Tomcat to detect and use.

Tomcat needs to be started as part of the renewal process because the certificate in the Java keystore is being changed out for the new certificate, but the script handles that as well.

I’ve also leveraged the same Let’s Encrypt-issued certificate to provide an Apache-hosted HTTPS local distribution point for this server. In this case, Apache has been configured with the filesystem path of the Let’s Encrypt  certificate files and is able to use them without additional importing into Java or other services.

A while ago, I wrote a post on how to back up your Jamf Pro Self Service bookmarks. I’ve been using that process to back up my bookmarks and it’s been working fine until after my upgrade to Jamf Pro 10.30.0. At that point, my script stopped working. When I checked into it and talked with some colleagues, it became apparent that Jamf had made a change with how they stored bookmark information for Self Service.

In 10.29.x and earlier, Jamf had stored bookmarks as individual plist files in the following location:

/Library/Application Support/JAMF/Self Service/Managed Plug-ins

In 10.30.x and later, the /Library/Application Support/JAMF/Self Service/Managed Plug-ins directory has disappeared.

Jamf now stores bookmark information inside an XML file named CocoaAppCD.storedata in the user’s home folder at the following location:

~/Library/Application Support/com.jamfsoftware.selfservice.mac/CocoaAppCD.storedata

Inside the CocoaAppCD.storedata file, the bookmarks are stored as XML objects similar to what is shown below:

Fortunately, I was able to figure out a way to do the following:

1. Parse the document for the bookmark XML objects.
2. Split them out into individual XML files.
3. Name the files using the title of the Self Service bookmark.

For more details, please see below the jump.

To make backups of the Self Service bookmarks, I’ve written a script which performs the following tasks:

1. If necessary, create a directory for storing backup copies of the Self Service bookmark files.
2. Make copies of the Self Service bookmark files.
3. Name the copied files using the title of the Self Service bookmark.
4. Store the copied bookmarks in the specified directory.

Once the script is run, you should see copies of the Self Service bookmark files appearing in the script-specified location. This location can be manually set or created automatically by the script.

When examined, the files should look similar to this:

The script is available below, and at the following address on GitHub:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/Casper_Scripts/Jamf_Pro_Self_Service_Bookmark_Backup

Jamf_Pro_Self_Service_Bookmark_Backup.sh:

Now that Apple has made direct download links available for Lion and Mountain Lion, I’ve written AutoPkg .download and .pkg recipes for the following OS X installers:

• OS X Lion
• OS X Mountain Lion

These recipes will download the disk images linked to the relevant KBase articles, extract the installer packages stored inside the disk images and rename the disk images and installer packages with the OS name and version number.

One thing to be aware of is that the downloaded installers do not themselves install the relevant version of OS X. Instead, they install the Install.app for that version of OS X into the /Applications directory.

Another thing to know is that the downloaded installers are signed using Software Update signing certificates which expired in 2019. As of June 30th, 2021, I do not know if Apple is planning to re-sign the installers with the current Software Update signing certificate.

One of the consequences of this is that I cannot use AutoPkg’s code signature verification as part of the AutoPkg recipes, since AutoPkg’s current code signature verification will error when it hit the expired certificates. If Apple does choose to re-sign these certificate with valid non-expired signing certificates, I’ll add code signature verification to the recipes.

If you do need to use these installers, setting the system clock on your Mac to a date and time before the October 24th 2019 expiration date will allow these certificates to appear as valid again and any expiration-related issues should go away.

The AutoPkg recipes are available via the links below:

OS X Lion: https://github.com/autopkg/rtrouton-recipes/tree/master/OSXLion
OS X Mountain Lion: https://github.com/autopkg/rtrouton-recipes/tree/master/OSXMountainLion

For those who wanted a copy of my talk from Penn State MacAdmins 2021, here are links to the slides in PDF and Keynote format.

• PDF – https://tinyurl.com/PSUMac2021PDF
• Keynote – https://tinyurl.com/PSUMac2021Keynote

To help maintain the security of the Apple Silicon Macs in your environment, it’s helpful to be able to monitor what the Startup Security settings are for those Macs.

For this task, the reporting functions of the bputil tool are available. Normally, Apple wants you to avoid the bputil tool like you would a swarm of bees. As part of that, the following warning is displayed by bputil:

However, the bputil -d command is safe to use as it displays the contents of the current security policy’s settings. When the default Full Security security mode is enabled, running the bputil -d command with root privileges should display content similar to what’s shown below:

Here’s what bputil -d will return if the Startup Security settings are configured as follows:

• Reduced Security: Enabled
• Allow user management or kernel extensions from identified developers: Enabled
• Allow remote management of kernel extensions from identified developers: Enabled

Note: This reporting function does not require macOS Recovery and works while booted from regular macOS.

To check the Startup Security settings, the following status codes should be checked:

• smb0
• smb2
• smb3

In the Startup Security Utility app in macOS Recovery, the following settings correspond to the status codes listed above:

• smb0: Full Security / Reduced Security
• smb2: Allow user management of kernel extensions from identified developers
• smb3: Allow remote management of kernel extensions from identified developers

For more details, please see below the jump.

If you want to check to see if an Apple Silicon Mac is set for Full Security or Reduced Security, run the command shown below with root privileges:

If Full Security is set, you should see the following result:

absent

If Reduced Security is set, you should see the following result:

1

If you want to check to see if an Apple Silicon Mac is set for Allow user management or kernel extensions from identified developers, run the command shown below with root privileges:

If Allow user management or kernel extensions from identified developers is not set, you should see the following result:

absent

If Allow user management or kernel extensions from identified developers is set, you should see the following result:

1

Note: If this setting is returning a value of 1, this means that Reduced Security is enabled, so the smb0 status code will also return 1.

If you want to check to see if an Apple Silicon Mac is set for Allow remote management of kernel extensions from identified developers, run the command shown below with root privileges:

If Allow remote management of kernel extensions from identified developers is not set, you should see the following result:

absent

If Allow remote management of kernel extensions from identified developers is set, you should see the following result:

1

Note: If this setting is returning a value of 1, this means that Reduced Security is enabled, so the smb0 status code will also return 1.

One of the recent changes for the macOS version of SAP GUI for Java is that both SapMachine Java 11 and OpenJFX 11 are now bundled with SAP GUI, so it is no longer required to have Java installed on your machine in order for SAP GUI to work. This change has also been extended to the SAP GUI installer, which is now available as a notarized installer application as of SAP GUI 7.70.

You can run this installer on a Mac which does not have Java already installed and it will install SAP GUI for Java with SapMachine Java 11 and OpenJFX 11 installations embedded inside the SAP GUI application.

Note: As of SAP GUI 7.70 rev 2, Rosetta 2 is required if installing on an Apple Silicon Mac so Rosetta needs to be installed and running before installing SAP GUI.

The installer application is available for download to customers via a link on the announcement blog post:

https://blogs.sap.com/2021/03/16/ann-sap-gui-for-java-7.70-available-for-download/

When you click the download link, you will see two choices:

• DMG
• JAR

The DMG download will provide the notarized installer application and the JAR download will provide the Java .jar installer that SAP GUI has traditionally used on macOS. I’ve discussed how to package the .jar installer in previous posts, so this post is going to focus on the new installer application contained inside the DMG download.

For more details, please see below the jump.

If you want to run the SAP GUI installer application without repackaging it as a macOS installer package, use the procedure below:

1. Download the disk image.

2. Mount the disk image.

3. Copy the SAP GUI for Java Installer application to a convenient location.

If you have a templates.jar file, copy the templates.jar file to the same location. As long as both files are in the same directory, the SAP GUI for Java Installer application will detect and use the templates.jar file’s contents to help configure SAP GUI.

4. Launch the SAP GUI for Java Installer application.

5. Follow the prompts to install.

To build an installer package for SAP GUI which uses the installer application, use the procedure shown below:

Building the SAP GUI installer

Pre-requisites:

• Packages
• SAP GUI for Java Installer application
• templates.jar file (optional)

1. Set up a new Packages project and select Raw Package.

2. In this case, I’m naming the project SAP GUI 7.70 rev2.

3. Once the Packages project opens, click on the Project tab. You’ll want to make sure that the your information is correctly set here (if you don’t know what to put in, check the Help menu for the Packages User Guide. The information you need is in Chapter 4 – Configuring a project.)

In this example, I’m not changing any of the options from what is set by default.

4. Next, click on the Settings tab. In the case of my project, I want to install with root privileges and not require a logout, restart or shutdown.

To accomplish this, I’m choosing the following options in the Settings section:

In the Tag section:

• Identifier: set as appropriate (for my installer, I’m using com.sap.pkg.SAPGUI770rev2
• Version: set as appropriate (for my installer, I’m usings 7.70.02 )

In the Post-installation Behavior section:

• On Success: should be set to Do Nothing

In the Options section:

• Require admin password for installation should be checked
• Relocatable should be unchecked
• Overwrite directory permissions should be unchecked
• Follow symbolic links should be unchecked

7. Select the Payload tab. Nothing here should be changed from the defaults.

8. Select the Scripts tab.

Under the Additional Resources section, add the following files:

• The latest SAP GUI for Java installer (this is the SAP GUI for Java Installer application file)

• If you have a templates.jar file, also add that file.

The last part is telling the SAP GUI for Java installer to run. For this, you’ll need a postinstall script.

Here’s the postinstall script being used for this installer package:

If not already selected, select the postinstall script and add it to the project.

9. Build the package. (If you don’t know to build, check the Help menu for the Packages User Guide. The information you need is in Chapter 3 – Creating a raw package project and Chapter 10 – Building a project.)

Testing the installer

Once the package has been built, test it by installing it on a test machine which has the following:

• Does not have the SAP GUI client installed

The end result should be that the SAP GUI client installs into /Applications.

If a templates.jar file was included with the installer, the SAP GUI configuration files specified by the templates.jar file should also be installed.

The good folks at Penn State have been posting session videos from the Penn State MacAdmins Campfire Sessions to YouTube. As they become available, you should be able to access them via the link below:

https://www.youtube.com/playlist?list=PLRUboZUQxbyUEsp4L7hPYdWpFwXK53Zmt

I’ve linked my SAP in the Haus – How SAP transitioned its global workforce to working from home session here:

For those that need to sign their AutoPkg-generated installer packages with a signing certificate, the PkgSigner processor is available to assist with this. When I originally started using this processor, I was building the signing part directly into .pkg recipes, but my teammate @jaharmi came up with a better and more modular idea: the .sign recipe.

The .sign recipe uses the PkgSigner processor and is designed to be placed in the AutoPkg workflow between a .pkg recipe and a.jss recipe for JSSImporter, a .munki recipe for Munki or other recipes used to upload an installer package to a deployment tool. In this case, the .pkg recipe would be a parent recipe for the .sign recipe. In turn, the .sign recipe would be used as the parent recipe for whatever came next in the workflow.

For those who want to use .sign recipes, there is an example recipe available via the link below:

https://github.com/autopkg/rtrouton-recipes/blob/master/SharedProcessors/Example.sign.recipe

If you want to use the PkgSigner processor hosted from my AutoPkg recipe repo, first verify that AutoPkg is installed on the Mac you’re using. Once verified, run the following command:

autopkg repo-add rtrouton-recipes

Every so often, you may find yourself in a situation where you need to reinstall macOS Big Sur and everything is failing on you. Installing from macOS Recovery? Not working via the usual methods. Building a USB installer? Left the flash drive in your other pants. Using DFU mode and Apple Configurator on an Apple Silicon Mac? You need a second Mac to use this process and you just have the one Mac available.

For those situations, there’s one more option when you’ve exhausted all of the others. For more details, please see below the jump.

This method is referenced in the following Apple KBase article:

https://support.apple.com/HT211983

It involves the following:

• Wiping the drive that you intend to install macOS Big Sur onto.
• Creating the proper directory structure manually on the drive.
• Copying the Install macOS app available in macOS Recovery manually into the proper location on the drive 
• Using the curl tool to download the needed installer files onto the drive
• Launching the Install macOS app
• Using the Install macOS app to install macOS Big Sur

To install macOS Big Sur using the methods described above, use the procedure below:

1. Boot to macOS Recovery.

2. Erase your Mac’s startup drive using the correct procedure for your Mac model:

Macs with Intel processors: https://support.apple.com/HT208496
Apple Silicon Macs: https://support.apple.com/kb/HT212030

By default, an erased drive is named Untitled. We’ll be using that drive name for the examples shown in this post.

2. Once the drive is erased, open Safari and go to the following URL:

https://support.apple.com/HT211983

3. Scroll to the bottom of the KBase article and locate the Or use Terminal to reinstall section.

4. Copy the complete command which begins with curl. (This will save a lot of typing later.)

5. Quit Safari.

6. Open Terminal.

7. Run the following command to change to using the drive named Untitled:

cd "/Volumes/Untitled"

8. Run the following command to create a directory named private on the Untitled drive as well as a sub-directory inside of private which is named tmp:

mkdir -p private/tmp

9. Run the following command to copy the Install macOS Big Sur.app application from macOS Recovery to the /Volumes/Untitled/private/tmp directory.

cp -R "/Install macOS Big Sur.app" private/tmp

10. Run the following command to change to the /Volumes/Untitled/private/tmp/Install macOS Big Sur.app directory:

cd "private/tmp/Install macOS Big Sur.app"

11. Run the following command to create a directory named Contents on the Untitled drive as well as a sub-directory inside of Contents which is named SharedSupport:

mkdir Contents/SharedSupport

12. Paste the copied curl command and hit the enter key on your keyboard to have the macOS Big Sur installer files be downloaded into a file named SharedSupport.dmg. The SharedSupport.dmg will be located in /Volumes/Untitled/private/tmp/Install macOS Big Sur.app directory/Contents/SharedSupport.

curl -L -o Contents/SharedSupport/SharedSupport.dmg https://swcdn.apple.com/content/downloads/01/60/071-72781-A_CZ1D1FENMH/a09fvud3xxgih7qyau9a7lhtspho36mp0l/InstallAssistant.pkg

13. Once curl has finished downloading /Volumes/Untitled/private/tmp/Install macOS Big Sur.app directory/Contents/SharedSupport/SharedSupport.dmg, run the following command to launch the macOS Big Sur installer.

./Contents/MacOS/InstallAssistant_springboard

14. Follow the prompts to install macOS Big Sur.

A number of folks noticed that certain older applications they use on macOS stopped working as of August 24th, 2021. As of this date, this appears to affect the following applications among others:

• RSA SecurID Software Token 4.2.1
• Citrix Receiver
• Cisco AnyConnect 4.7 and earlier

Note: This list is not complete, it’s just the ones I’m aware of as of August 24, 2021.

Why this is happening goes back to an episode in 2018, where Symantec had to get out of the PKI certificate issuing business because of a number of issues discovered with how Symantec had been issuing certificates.

As part of these issues, Apple issued an advisory that a number of Symantec Certificate Authority (CA) root certificates were to be distrusted by Apple on a timeline which concluded with the full distrust of Symantec CAs on February 25, 2020.

While this primarily affected website operators, Symantec also issued certificates from the affected Symantec CAs which were used to provide code signing for applications. An example of this is RSA SecurID Software Token 4.2.1.

Update 8-26-2021: RSA has released RSA SecurID Software Token 4.2.2 to resolve the issue with RSA SecurID Software Token 4.2.1. For more details, please see the link below:

https://community.rsa.com/t5/securid-access-product/updated-securid-announces-securid-software-token-4-2-2-for-macos/ta-p/640000?emcs_t=S2h8ZW1haWx8Ym9hcmRfc3Vic2NyaXB0aW9ufEtTUTg5SktCWUQxS1JHfDY0MDAwMHxTVUJTQ1JJUFRJT05TfGhL

In the case of SecureID, this app relies on Qt Core for user interface support and ships copies of the QT Core framework along with the SecureID app. SecurID stores this in the following location:

/Library/Frameworks/stauto32.framework

If you take a look at the installer, you can see where the files are supposed to go.

However, the actual file which is causing the issue is buried further down in the following location:

/Library/Frameworks/stauto32.framework/Versions/4/QtCore.cire

This file is important because the QT Core framework is shipped without Apple’s code signing, which is to say that QT is not using an Apple Developer ID signing certificate to sign QT Core. Instead, QT ships a code signing certificate chain and that information is stored in the QtCore.cire file.

One of the certificates in the code signing certificate chain is using VeriSign Class 3 Public Primary Certification Authority – G5 as its root certificate authority (root CA). That root CA is one of the Symantec CAs which is no longer trusted by Apple.

To summarize: the SecureID app has a component which is signed by a not-trusted certificate. This is causing SecureID to not trust that component, which then prevents the app from launching correctly.

Why is this happening now?

Apple released updates on August 23, 2021 for both XProtect (now version 2150) and Malware Removal Tool (now version 1.82). My assumption is that XProtect’s update included instructions to no longer accept code signing from the distrusted Symantec CAs. XProtect checks executable code on launch, so it would be working with Gatekeeper to detect and block the no-longer-trusted code signing.

What should you do?

See if your vendor has released an updated version of the app which is having problems. If they haven’t yet, I recommend contacting them to make sure they’re aware of the problem.

Hat tip to all the folks working on this issue in the MacAdmins Slack for helping diagnose the issue and why it is happening.

Every so often, it may be necessary to generate a report from Jamf Pro on which computers are assigned to a particular person. To assist with this task, I’ve written a script which uses the Jamf Pro Classic API to search through the computer inventory records and generate a report in .tsv format.

For more details, please see below the jump.

Pre-requisites:

If setting up a specific Jamf Pro user account for this purpose with limited rights, here are the required API privileges for the account on the Jamf Pro server:

Jamf Pro Server Objects

• Computers: Read

Computer inventory records

• In Jamf Pro, the username field must be populated in the User and Location section of the computer inventory record.

For authentication, the script can accept manual input or values stored in a ~/Library/Preferences/com.github.jamfpro-info.plist file.

The plist file can be created by running the following commands and substituting your own values where appropriate:

To store the Jamf Pro URL in the plist file:

defaults write com.github.jamfpro-info jamfpro_url https://jamf.pro.server.goes.here:port_number_goes_here

To store the account username in the plist file:

defaults write com.github.jamfpro-info jamfpro_user account_username_goes_here

To store the account password in the plist file:

defaults write com.github.jamfpro-info jamfpro_password account_password_goes_here

This script imports a list of usernames from a plaintext file and uses that information to generate a report about the computers assigned to that username.

Usage:

./Generate_Assigned_Mac_Report_From_Jamf_Pro_Usernames.sh usernames.txt

Plaintext file format should look like this:

The script can also accept one username as input, if a plaintext file containing usernames
is not available.

Usage:

./Generate_Assigned_Mac_Report_From_Jamf_Pro_Usernames.sh

Once the username(s) are read from in from the plaintext file or from manual input, the script takes the following actions:

1. Uses the Jamf Pro API to download all information about the matching computer inventory record in XML format.
2. Pulls the following information out of the inventory entry:

• Jamf Pro ID
• Assigned user’s username
• Assigned user’s email
• Manufacturer
• Model
• Serial Number
• Hardware UDID

3. Create a report in tab-separated value (.tsv) format which contains the following information about the deleted Macs

• Jamf Pro ID
• Assigned user’s username
• Assigned user’s email
• Manufacturer
• Model
• Serial Number
• Hardware UDID
• Jamf Pro URL for the computer inventory record

This script will generate a report in .tsv format with information similar to what’s shown below:

One user:

Multiple users:

This script is available below and also from GitHub at the following location:

https://github.com/rtrouton/rtrouton_scripts/tree/main/rtrouton_scripts/Casper_Scripts/Generate_Assigned_Mac_Report_From_Jamf_Pro_Usernames

Recently, I was working on a task where I wanted to set up an automated process to create manual database snapshots for a database hosted in Amazon’s RDS service. Normally this is a straightforward process because you can use the database’s unique identifier when requesting the database snapshot to be created.

However in this case, the database was being created as part of an Elastic Beanstalk configuration. This meant that there was the potential for the database in question to be removed from RDS and a new one set up, which meant a new unique identifier for the database I wanted to create manual database snapshots from.

The Elastic Beanstalk configuration does tag the database, using a Name tag specified in the Elastic Beanstalk configuration, so the answer seemed obvious: Use the tag information to identify the database. That way, even if the database identifier changed (because a new database had been created), the automated process could find the new database on its own and continue to make snapshots.

One hitch: Within the AWS API, RDS lists only the following three API calls to interact with tags.

• AddTagsToResource
• ListTagsForResource
• RemoveTagsFromResource

ListTagsForResource would seem to be the answer, but the hitch there is that you have to have the database’s Amazon Resource Name (ARN) identifier available first and then use that to list the tags associated with the database:

aws rds add-tags-to-resource --resource-name arn:aws:rds:us-east-1:123456789102:db:dev-test-db-instance --tags Key=Name

I was coming at it from the other end – I wanted to use the tag information to find the database. RDS’s API doesn’t support that.

Fortunately, the RDS API is not the only way to read tags from an RDS database. For more details, please see below the jump.

The answer is that outside of RDS, there is also the Resource Groups Tagging API, which is accessible using the resourcegroupstaggingapi command for the AWS CLI tool. Among other things, the resourcegroupstaggingapi command allows you to identify a specified values for a specified key for a specified service.

For example, if you were looking for a RDS-hosted database whose database identifier you didn’t know, but you did know that it is in AWS’s eu-west-1 region and had a Name tag with the value of VIPDatabase, you could run the following query to get that databases’s ARN identifier:

Once you had the ARN identifier, you could then use the following command to get the matching database’s instance identifier. For this example, we’re using arn:aws:rds:eu-west-1:123456789012:db:database_name_here as the ARN identifier:

aws rds --region eu-west-1 describe-db-instances --db-instance-identifier arn:aws:rds:eu-west-1:123456789012:db:database_name_here --query "*[].{DBInstanceIdentifier:DBInstanceIdentifier}"

Assuming you wanted to use this lookup capability in a shell script, the following code should get you started:

In the case of our example, where you’re looking for a database with a Name tag where the Name tag’s value is VIPDatabase, it would look like this:

When setting up software for deployment, it’s usually a good idea to first send it out to a small percentage of the Macs in your environment. That way, if there’s a problem that wasn’t caught in testing, the amount of cleanup required is also small. If that initial deployment works, the software can then be sent out to greater percentages of the Mac population until all of them are eventually covered by the deployment.

This can be a pain to track manually though. New Macs come in, older ones are retired and keeping all Macs covered can turn into a significant investment of time. Fortunately, this is a task which can be automated and enable the Macs to assign themselves to deployment groups based on their machine UUID identifier. For more details, please see below the jump.

This method uses a Jamf Pro Extension Attribute, which is designed to calculate and set a numerical identifier for individual Macs based on the Mac’s machine UUID. This numerical identifier in turn is designed to be used to determine deployment groups.

Once identified, the value will be written to a plist file located in /Library/Preferences. By default, this file is named as follows:

/Library/Preferences/com.companyname.deploymentgroup.plist

You can change the companyname part by setting a different value for the organizationName variable in the Extension Attribute.

If the plist file is present in /Library/Preferences, the Extension Attribute will read the correct value from the plist file.

If the plist file is not present in /Library/Preferences, the Extension Attribute will calculate the correct value and store in the plist as the value of the deploymentGroupAssignmentValue key.

By default, this Extension Attribute is designed to assign Macs to seven deployment groups, with the following percentage of Macs assigned to each group.

When all is working correctly, the Extension Attribute will display one of the following values for each Mac:

When not working properly, the Extension Attribute will display the following value:

The Extension Attribute’s values can then be used as Jamf Pro smart group criteria to create smart groups for software deployment.

This script is available below and also from GitHub at the following location:

https://github.com/rtrouton/rtrouton_scripts/tree/main/rtrouton_scripts/Casper_Extension_Attributes/set_deployment_group

I recently needed to set up a connection test so that an outside vendor could verify that firewall rules had been set up correctly on both ends and that a connection which originated at a specific IP address on the vendor’s end was able to resolve a DNS address on our end and make a connection.

I remembered that Python has a simple way to set up a web server, so I decided to use this to create a script which creates a connection listener by setting up a web server on the desired port. For more details, please see below the jump.

Pre-requisites:

• Python 3

The script does the following:

• Creates a temporary directory
• Changes location into the temporary directory
• Creates an index.html file inside the temporary directory
• Starts Python 3’s web service using the content inside the temporary directory

Once running, you should be able to run connection tests against the port number defined in the script. In this example, port 8080 is being used.

Note: If you need to use a privileged port number between 0 – 1023, be aware that you will need to run this script with root privileges or by using authbind.

When the address being checked is connected to, you should see results similar to what’s shown below:

Note: In this case, localhost is being used as the address to check:

Curl connection test:

Telnet connection test using curl:

As a web page is also being created by the script, you can also try connecting via a web browser. If successful, you should see a Hello World message as shown below.

The connection test script is available below:

When connecting via SSH to a remote Mac running macOS Big Sur, Apple’s user-level privacy controls apply. You can access data in the home folder of the account you’re using to connect, but you can’t access or alter protected data in other account’s home folders.

For most use cases, this is fine. However, there may be circumstances when full disk access for SSH connections is desired. To accommodate for this, Apple added an Allow full disk access for remote users checkbox in the Remote Login settings in System Preference’s Sharing preference pane.

This setting can normally only be enabled by the logged-in user sitting at that Mac. However, there is a way to manage this with a configuration profile. For more details, please see below the jump.

I’ve written a profile to manage full disk access for SSH connections which does the following:

• Enables the Allow full disk access for remote users checkbox in the Remote Login settings in System Preference’s Sharing preference pane
• Enables full disk access for /usr/libexec/sshd-keygen-wrapper

The first part is mainly cosmetic. It enables the Allow full disk access for remote users checkbox, but does not actually enable full disk access for SSH. That function is handled by the second part, which are the PPPC settings to allow full disk access for /usr/libexec/sshd-keygen-wrapper.

In order to apply PPPC settings, there are some pre-requisites:

• User Approved Mobile Device Management (UAMDM) must be enabled on the target Mac.
• Profile must be installed by an MDM server.

Those pre-requisites also apply to deploying this profile, which is available via the link below:

https://github.com/rtrouton/profiles/tree/main/EnableFullDiskAccessforSSH

When deployed, the profile should appear similar to this in System Preference’s Profiles preference pane.

Hat tip to poundbangbash for providing the correct PPPC settings for SSH full disk access by allowing full disk access to /usr/libexec/sshd-keygen-wrapper.

For those who wanted a copy of my cloud hosting for AutoPkg talk at at the MacSysAdmin 2021 conference, here are links to the slides in PDF and Keynote format.

• PDF: https://tinyurl.com/MSA2021PDF
• Keynote: https://tinyurl.com/MSA2021Keynote

The video of my session is available for download from here:

• https://www.macsysadmin.se/video/day1session3.mp4