MacTech Groups Agenda
Tuesday, Aug 13, 2019
2:30 to 4:30 pm
Room B16-B Hillsborough Bld.

Announcements – 5 min

• OIT only supports macOS 10.13.6 or newer
• Status page for jamfcloud.com services see http://status.jamfsoftware.com
• OIT Macintosh Support Web Site go.ncsu.edu/mac for updates.
• Slack group ncstateit.slack.com #macintosh
• Apple Sales: Paul Petrogeorge-paulpetro@apple.com & Sys Eng: Dave Andersen-andersen1@apple.com
• macOS versions that shipped with Intel Hardware: support.apple.com/kb/HT1159
• Vintage and Obsolete Apple Products: support.apple.com/kb/HT1752
• Apple Education Support Line 800-800-2775 use this number only. Always verify Apple Care Coverage.
• Antivirus for university owned devices – go.ncsu.edu/antivirus
• Unity Macintosh Workflow uses Active Directory configuration with local home directory at /Users/$uid$
• OIT supports only Apple, Intel (i386) hardware for Mac OS and software. Only unmodified iOS is supported.
• Please remember to check prices at www.apple.com/education/pricelists/ to verify best price with NC State Marketplace
• Authorized NC State personnel wanting to get training and tools for Apple Certified Technician should request invitation by opening a help desk ticket at  help@ncsu.edu Must login to GSX monthly!!
• UNC Combined Pricing Initiative (CPI) oit.ncsu.edu/campus-it/it-purchasing/unc-combined-pricing-initiative-cpi-program-at-nc-state/
• JAMF Pro Enterprise service go.ncsu.edu/jamf,  go.ncsu.edu/jamfinfo and go.ncsu.edu/uwc for details
• JNUC 2019 www.jamf.com/events/jamf-nation-user-conference/2019/  Everette attending, Joey J. Presenting.

Training – 5 min

OIT-iOS Mobile Device Security  – TBA  reporter.ncsu.edu/link/courseview?courseID=OIT-iOSMob-Security&deptName=OIT

OIT-Managing Apple Devices with Jamf Pro – Sep 24, 2019 – reporter.ncsu.edu/link/courseview?courseID=OIT-JPro01-JPro01&deptName=OIT

OIT-Jamf Pro Best Practices for Packagers – Oct 24, 2019 – reporter.ncsu.edu/link/courseview?courseID=OIT-JPro03-JPro03&deptName=OIT

OIT-Advanced Apple Device  Management with Jamf Pro – 11/19/2019  reporter.ncsu.edu/link/courseview?courseID=OIT-JPro02-JPro02&deptName=OIT

CrashPlan for Sub-Org Administrators – Request – reporter.ncsu.edu/link/courseview?courseID=OIT-CPlan1-CPlan1&deptName=OIT

Local Based Commercial Training – training.computertree.com/course/

JAMF Pro Training – www.jamf.com/training/

 

Service Updates – 15 min

Configuration Management  – Jamf Pro 10.11.1 is production.
Jamf Pro 10.14.1 is now available for test on nccloudtest.jamfcloud.com
Our production service on nc.jamfcloud.com will be updated to 10.14.1+hotfix (unless issues are found) on Sep 4, 2019 starting at 1800.
Release notes: https://docs.jamf.com/10.14.0/jamf-pro/release-notes/What’s_New.html  PLEASE TEST!
NOTE: For emailed Enrollment Invitations (and any other email notifications) the From field MUST be   nobody@nc.jamfcloud.com

CommunityPatch – No change.  PLEASE TEST in nccloudtest.jamfcloud.com!!

CrashPlan – Move to fully cloud hosted version on Aug 27, 2019.  The web interface look and feel will change.  The client look and feel may have slight changes. Applying 6.8.9 update Thu Aug 15 to fix security issue on current server.

Internet Recovery – https://support.apple.com/en-us/HT204904 Command-Option-R to install latest version for hardware or Command-R to install currently installed version.

Software Packaging – autopkg-conductor is installed and working  with a new version of JSS-Importer! We still see an occasional upload failure but for the most part (97% wish) packages upload as expected.
We are working on new recipes that only upload packages and set package categories (old ones tried to create test policies, groups, etc) to increase the reliability even more.

AntiMalware– MSSCEP is End Of Life by Microsoft and should be removed.   DetectX Swift is now available and should be installed see oit.ncsu.edu/help-support/apple/jamf-pro/detectx-setup-in-jamf-pro/

Sensitive Data Discovery – NCSU-Campus-Spirion10800.pkg

https://nc.jamfcloud.com/packages.html?id=6679

Apple School Manager – No changes or updates.  Working to test and see if we can enable Federated Login with NCSU Azure.

AppleCare for Enterprise update – AppleCare for Enterprise is on hold pending Apple being able to add to MarketPlace

Endpoint Protection Standard – Phase 1 deadline has past. Phase 2 is Dec 31, 2020.  Please note the updates to the implementation plan to include iOS/iPadOS with no deadline yet.
See Jamf Pro Cheat Sheet at:
https://oit.ncsu.edu/help-support/apple/jamf-pro/jamf-pro-policy-cheat-sheet/

---

Adobe Packages– 5 min

OIT has create individual packages for each of the current Adobe CC 2019 software titles and they are available on Jamf Pro with names of the form:

NCSU-Campus-AdobeCC2019-<ProductName><ProductVersion)_Install.pkg.zip like for example NCSU-Campus-AdobeCC2019-PremiereRush1.1_Install.pkg.zip
This includes Acrobat.
The installers are all named license.  Any one or all of these can be converted to Shared Device License by making the very last installer be the licensing package for your license.
NOTE: there is no package or license that will allow the applications to run without logging in.  As I understand it, OIT Licensing is still working to get federated login working.
Discussion

Interest in Patch Management Service – 5 min

With the patch management standard, we have been working to automate as much patching on macOS as possible.  This includes using App Store apps with automatic update, configuring Jamf Patch, and using Autopkg recipes to provide installers.  Recently a few 3rd party patch source servers like kinobi.io have started to be available.  These promise to provide curated, verified Jamf Patch definitions  for a large number of titles (Kinobi already provides 1,000).  These are updated at a known schedule.  While we would still have to provide installers this would automate some of the process and allow us to provide our own definitions if needed.  Costs are not huge (Kinobi is ~$2150 per year).  Would folks be interested in OIT researching 3rd party patch servers ?

Reclaiming our Authentication Domain from Apple or Why is my iTunes asking me to change my Email ? – 15 min

IF we move our Apple School Manager configuration to use Federated Identities from our NCSU Azure instance we will be required to use Email addresses that end in “@ncsu.edu” for login.  This has the side effect of conflicting with every personal iTunes and iCould account that has been created with an @ncsu.edu email address (We had similar issue a few years ago when we went to our Google accounts).  Initially this will effect a small number of us that are using ASM but as we move to macOS 10.15.x and potentially use Azure for device login more folks will be affected.  There is no action we can take to change this  or help the end users.  Apple will notify and enforce the needed changes according to this web page:

support.apple.com/guide/apple-school-manager/apple-notifies-users-conflicts-apd3bfda7748/1/web/1

OIT will announce the date of this change if/when we have finished testing via sys news and other usual channels.  Please be aware of how this might impact your users and point them to Apple’s documentation.  The OIT Help Desk will not be able to “fix” this and will simply point end users to the same documentation.
Discussion

Measuring Success of EPS – 15 min

Now that the EPS phase one deadline has past, I wanted to have a discussion on how each site is measuring success.  What metric are you using, how often are you measuring, and what reports are you producing.
The phase one requirements:
Enroll endpoints into approved CMS. – How are you making sure endpoints stay enrolled?
Establish an ongoing collection of software inventory. – How frequently are you checking the last inventory date?
Provide anti-malware and antivirus protection. – How do you report last scan, AM/AV software patching, and has your site completely remove Kaspersky?
Require authentication for device access. – Can you report on the status of automatic login?
Provide OS and software patching. – What report do you look at to make sure each application is at current version?
Provide ongoing Sensitive Information Identification and Remediation (SIIR).Discussion. Do you have a report that shows the version of Spirion being run on each device?

 

Endpoint Protection for iOS/iPadOS devices – 15 min

As noted earlier the implementation plan for endpoint protection has added an undetermined deadline for “mobile devices”.  For Apple devices this would include iOS, iPadOS, tvOS , and watchOS devices.  Not much has been said about how the security controls should be implemented.  For tvOS, so far, the devices does not store university data or sensitive data beyond passwords for accounts.  For watchOS again so far the devices do not store university data but this may change with the next OS and the App Store for Apple Watch! The main focus right now should be on iOS/iPadOS devices.  Best practice already indicates the following for the EPS controls:

Configuration Management – Jamf Pro is available for management of iOS and tvOS devices
Inventory – Enroll in Jamf Pro where daily inventory is collected
Authentication – set a passcode with some “timeout” that requires re-entry, Best practice on tvOS is to require a password to change settings or add apps.
“Full Disk” Encryption – setting a passcode enables encryption and builtin sand boxing provides extra protection
Network Encryption –  our Cisco AnyConnect VPN is available free from the App Store and use of https, etc protocols for connecting to services should be observed on all platforms regardless
AM/AV – NCSU does not currently offer AM/AV software for iOS/iPadOS devices.  Devices should not be jail broken.
Sensitive Data – NCSU does not currently offer Sensitive Data remediation software for iOS/iPadOS devices.
OS and Software Patching – this is provided by Apple and the App Store vendors. Best practice is to turn on automatic update.
Discussion

Q&A – 15 min

You ask we try to answer

 

Next meeting:

MacTech – Tue. Sep 10, 2019 in Room B16-B Hillsborough from 2:30-4:30 pm.

MacTech – 2nd Tuesday each month: Jan, Feb, Mar, Apr, May, Jun, Aug, Sep, Oct, Nov, Dec

MacTech dos not meet in July.

Meetings usually held in B16-B Hillsborough Bld.

Please mark your calendar.