MacTech 11082022

MacTech Groups Agenda
Tue, Nov 8, 2022
2:30 to 4:30 pm
In person Room B16-B Hillsborough Building
or
https://ncsu.zoom.us/j/98050685794?pwd=bU9aQUVqaW5ydU5JS0k1bzA5V0Jqdz09

Announcements – 5 min OIT only supports macOS 11.6.7 or newer after Dec 31, 2022 
Status page for jamfcloud.com services see http://status.jamfsoftware.com
OIT Macintosh Support Web Site go.ncsu.edu/mac for updates.
Slack group ncstateit.slack.com #macintosh
Apple Sales: Paul Petrogeorge-paulpetro@apple.com & Sys Eng: Dave Andersen-andersen1@apple.com
Vintage and Obsolete Apple Products: support.apple.com/kb/HT1752
Apple Education Support Line 800-800-2775 use this number only. Always verify Applecare Coverage.
Antivirus for university owned devices – go.ncsu.edu/antivirus
Unity MultiUser Workflow uses XCreds with local home directory  See go.ncsu.edu/jamfcheat#xcreds
OIT supports only Apple branded Intel (intel64) and Apple Silicon(arm64) hardware for macOS and software. Only unmodified iOS/iPadOS/tvOS is supported.
Please remember to verify prices at www.apple.com/education/pricelists/ with NC State Marketplace
Authorized NC State personnel wanting to get training and tools for Apple Certified Technician should request an invitation by opening a help desk ticket at  help@ncsu.edu Must login to GSX monthly!!
JAMF Pro Enterprise service go.ncsu.edu/jamf,  go.ncsu.edu/jamfinfo and go.ncsu.edu/uwc for details
Required Jamf Pro Implementation of Endpoint Protection Standard – go.ncsu.edu/jamfeps
JAMF Pro Cheat Sheet at go.ncsu.edu/jamfcheat for details on common configuration management tasksTraining – 5 min
Virtual Quick Start Jamf Pro at NCSU course – 1 Hour – available by scheduling Everette at calendly.com/ncsuega
Hands On only:
OIT-Jamf Pro Best Practices for Packagers – TBA reporter.ncsu.edu/link/instanceview?courseID=OIT-JPro03-JPro03&deptName=OIT&instanceID=000008
OIT-Managing Apple Devices with Jamf Pro – TBA 
reporter.ncsu.edu/link/instanceview?courseID=OIT-JPro01-JPro01&deptName=OIT&instanceID=000009
OIT-Advanced Apple Device  Management with Jamf Pro – 11/22/20222:00-5:00pm
reporter.ncsu.edu/link/instanceview?courseID=OIT-JPro02-JPro02&deptName=OIT&instanceID=000008 Local Based Commercial Training – training.computertree.com/course/ JAMF Pro Training – www.jamf.com/training/Service Updates – 30 min

Configuration Management
  – Jamf Pro production is currently 10.42.0, test on nccloudtest is 10.42.1, and the current beta is 10.43B1.   Please test 10.42.1 for update to production on Wed Nov 9, 2022 @ 1800.
Jamf Pro is the only approved Configuration Management system for macOS, iOS, iPadOS, and tvOS.  See oit.ncsu.edu/it-security/eps-implementation/config-mgt-systems/
Discussion

Patch Management
– The Jamf App Catalog at docs.jamf.com/jamf-app-catalog/Jamf_App_Catalog.html now has 116 titles including Adobe 2023 apps and should be used to install and patch on macOS.
NOTE we have seen a few issues patching Zoom after the macOS 12.6.1 and 13.0 updates but they are not widespread.

Jamf Connect Updates
– the latest version of Jamf Connect, 2.16.0,  has a fix for the pause at reboot issue with OS upgrades.  Basically any loginwindow replacement (NoLoAD, Jamf Connect, Xcreds) will pause the boot process during a minor or major update and require login even if authenticated login on restart is set (only avoids FileVault). If you are delivering Jamf Connect by assigning it to a profile in Settings> Jamf Apps> Jamf Connect be sure to update the version to the latest and verify with inventory before updating to macOS 13

XCreds Project
– PreBeta-XCreds_Build-3301_Version-2.1.pkg  of XCreds is now in testing with support for macOS 13.  See: github.com/twocanoes/xcreds/releases/

BE AWARE: BEFORE you update to macOS 13 install PreBeta-XCreds_Build-3301_Version-2.1 !  Otherwise macOS will hang on restart!!
To “turn off” Xcreds before an upgrade use:
/Applications/XCreds.app/Contents/Resources/xcreds_login.sh -e to remove XCreds from loginwindow and get macOS default loginwindow
If you get completely hung, boot into recovery mode, open terminal from the Utility Menu and type /Volumes/“Macintosh HD”/bin/rm -rf /Volumes/“Macintosh HD”/var/db/auth.db
Then reboot
Also there is a new version of the XCreds JSON manifest with new keys at
https://github.com/Jamf-Custom-Profile-Schemas/ProfileManifestsMirror/blob/main/manifests/ManagedPreferencesApplications/com.twocanoes.xcreds.json
This one is
not required and is not pre-configured for NCSU.
All Sites should move away from NoLoAD as it will require an update to work beyond macOS 13 and is no longer in development. Use either XCreds(free) or Jamf Connect (buy licenses from UNC SO contract).
See go.ncsu.edu/jamfcheat#xcreds and go.ncsu.edu/jamfcheat#jc for implementation details.

Backup for Endpoints – No Change The Crashplan production service is at version 10.4.0.224.
All updates to existing clients are pushed from the web service. The latest installer from CrashPlan is now fully universal! For NEW installs only, use the package in JAMF is “NCSU-Campus-Code42_CrashPlan-10.4.0.pkg” The “NCSU-Campus-Install Code42CrashPlan License and Config.pkg” is required in the policy as before for new installs.
At the Inet2 CrashPlan community update meeting Oct 3, 2022 CrashPlan said the expect the app name and branding to change in late Jan or early Feb 2023.  This change may include some path names so please be aware if you have documentation or workflows that have “Code42” in them.
We have made a request to CrashPlan for them to support Apple Configuration Profiles for initial configuration of license server, etc. and we await their response.

Internet Recovery – No change
https://support.apple.com/en-us/HT204904.
Also see: https://mrmacintosh.com/restore-macos-firmware-on-an-apple-silicon-mac-boot-to-dfu-mode/

Software Packaging
Autopkg server is now using JamfUploader and JSSImporter has been removed.
New package for MatLab 2022B is now available in the Jamf packages.

AntiMalware – No Change
DetectX Swift 1.0983 (universal) is still available. See oit.ncsu.edu/help-support/apple/jamf-pro/detectx-setup-in-jamf-pro/   
For Sites that have paid for a Crowdstrike Falcon license use NCSU-OIT-Crowdstrike-6.4.155.03.pkg for new installs.  Patching is done directly from the MCNC Crowdstike server.   Note that a PPPC configuration profile is needed for silent installation on devices with non-admin users.  See details at:
help.redcanary.com/hc/en-us/articles/4535994057879-How-to-Manually-Create-a-Jamf-Pro-Configuration-Profile-for-all-CrowdStrike-macOS-Sensor-Versions

Apple School Manager – No change. REMINDER Make sure you *unassign* any devices you have sent to surplus.

Endpoint Protection Standard  – Required Jamf Pro Implementation of Endpoint Protection Standard is at  go.ncsu.edu/jamfeps

XCreds issues – 10 min
NOTE: Jamf Connect and NoLoAD MAY also experience these issues but none have been reported with JamfConnect 2.16.0 and OIT no longer routinely tests NoLoAD.OIT is tracking 2 issues with XCreds related to macOS updates. 
These are unrelated to the pause issue previously discussed.
1) The first new account creation on provisioning/re-provisioning fails until after the first local login.  We can reproduce this on a new or re-provisioned device under macOS 12.6.1 or 13.0 which is provisioned to replace the Apple Setup Assistant with XCreds.  The first account will authenticate, create an account but fail to create a home directory, the user will see a black screen and then get logged out after several seconds. Attempting to create other users will fail from XCreds login window.  The workaround is to switch to Mac Login and use the account just created to login to finish the Login Setup Assistant.  After this all other accounts work as expected.
2) Unable to type in XCreds window after Upgrade to macOS 13.  This may be related to an Apple issue fixed in macOS 13.1 (see appleseed.apple.com 31.1 release notes). The workarounds are a) disable XCreds before update and re-enable after using the script
/Applications/XCreds.app/Contents/Resources/xcreds_login.sh or b) Boot to recovery mode, run terminal from the Utilities menu and remove the auth.db using
/Volumes/“Macintosh HD”/bin/rm -rf /Volumes/“Macintosh HD”/var/db/auth.db
Our vendor is aware of these issues and working on them.
Discussion

New Login Items Background Permissions and Notifications – 10 min With macOS 13 Apple has added new permissions and new notifications for login items that run in the background. To suppress the notifications use the new Notifications tab in Jamf Pro and add the bundle id of com.apple.btmnotificationagent.  
See: https://community.jamf.com/t5/jamf-pro/quot-login-items-added-quot-in-ventura/td-p/270481
For pre-approving background items there is no UI in Jamf yet. Custom profile can be created using https://n8felton.wordpress.com/2022/10/24/login-and-background-item-management-in-macos-ventura-13/
Demo
Discussion

Q&A – 15 min
You ask we try to answer Next meeting:
MacTech – Tue. Dec 13, 2022  In person/Zoom hybrid
MacTech – 2nd Tuesday each month: Jan, Feb, Mar, Apr, May, Jun, Aug, Sep, Oct, Nov, Dec
MacTech does not meet in July.
Meetings usually held in B16-B Hillsborough Bld.
Please mark your calendar.