MacTech 12132022

MacTech Groups Agenda
Tue, Dec 13, 2022
2:30 to 4:30 pm
In person Room B16-B Hillsborough Building
or
https://ncsu.zoom.us/j/98050685794?pwd=bU9aQUVqaW5ydU5JS0k1bzA5V0Jqdz09

Announcements – 5 min 

OIT only supports macOS 11.6.7 or newer after Dec 31, 2022 
NOTE: Many vendors are dropping support for 10.x versions of macOS. If there is hardware that cannot update to macOS 11 or newer, it is time to plan for replacement.
For the status of jamfcloud.com services, see http://status.jamfsoftware.com
OIT Macintosh Support Web Site go.ncsu.edu/mac for updates.
Slack group ncstateit.slack.com #macintosh
Apple Sales: Paul Petrogeorge-paulpetro@apple.com & Sys Eng: Dave Andersen-andersen1@apple.com
Vintage and Obsolete Apple Products: support.apple.com/kb/HT1752
Apple Education Support Line: 800-800-2775. Use this number only. Always verify AppleCare coverage.
Antivirus for university owned devices – go.ncsu.edu/antivirus
Unity MultiUser Workflow uses XCreds with a local home directory. See go.ncsu.edu/jamfcheat#xcreds
OIT supports only Apple-branded Intel (intel64) and Apple Silicon (arm64) hardware for macOS and software. Only unmodified iOS/iPadOS/tvOS is supported.
Please remember to verify prices at www.apple.com/education/pricelists/ with NC State Marketplace
Authorized NC State personnel wanting to get training and tools for Apple Certified Technician should request an invitation by opening a help desk ticket at help@ncsu.edu. Must log in to GSX monthly!!
JAMF Pro Enterprise service: see go.ncsu.edu/jamf, go.ncsu.edu/jamfinfo and go.ncsu.edu/uwc for details
Required Jamf Pro Implementation of Endpoint Protection Standard – go.ncsu.edu/jamfeps
JAMF Pro Cheat Sheet at go.ncsu.edu/jamfcheat for details on common configuration management tasks

Training – 5 min

Virtual Quick Start Jamf Pro at NCSU course – 1 Hour – available by scheduling Everette at calendly.com/ncsuega

Hands On only:

OIT-Managing Apple Devices with Jamf Pro Feb 21, 2023 1:30-4:30 HLB B3
reporter.ncsu.edu/link/courseview?courseID=OIT-JPro01-JPro01&deptName=OIT&instanceID=000010

OIT-Jamf Pro Best Practices for Packagers Mar 23, 2023 1:30-4:30 HLB B3
reporter.ncsu.edu/link/instanceview?courseID=OIT-JPro03-JPro03&deptName=OIT&instanceID=000009

OIT-Advanced Apple Device Management with Jamf Pro Apr 27, 2022 1:30-4:30 HLB B3
reporter.ncsu.edu/link/instanceview?courseID=OIT-JPro02-JPro02&deptName=OIT&instanceID=000009

Locally Based Commercial Training – training.computertree.com/course/

JAMF Pro Training – www.jamf.com/training/ 

Service Updates – 30 min 

Configuration Management  – Jamf Pro production is currently 10.42.1, test on nccloudtest is 10.42.1, and the current beta is 10.43B1.  Jamf Pro is the only approved Configuration Management system for macOS, iOS, iPadOS, and tvOS.  See oit.ncsu.edu/it-security/eps-implementation/config-mgt-systems/
Discussion

Patch Management – No Change. The Jamf App Catalog at docs.jamf.com/jamf-app-catalog/Jamf_App_Catalog.html still has 116 titles.

 

Jamf Connect Updates – The latest version of Jamf Connect is 2.18.0. Starting Dec 2022, MS is dropping support for the “common” link for authentication to Azure and requiring use of the tenant link. This means the profiles will need to change. See the release notes at
https://docs.jamf.com/jamf-connect/2.18.0/documentation/Release_History.html
Discussion

XCreds Project – PreBeta-XCreds_Build-3309_Version-2.1.pkg of XCreds is now in testing, with more logging for issues around FileVault. See: github.com/twocanoes/xcreds/releases/
See go.ncsu.edu/jamfcheat#xcreds and go.ncsu.edu/jamfcheat#jc for implementation details.
We are tracking an issue with Twocanoes related to first-login failures after macOS updates when FileVault is turned on.

Backup for Endpoints – No Change. The CrashPlan production service is at version 10.4.0.224.
All updates to existing clients are pushed from the web service. The latest installer from CrashPlan is now fully universal! For NEW installs only, the package to use in JAMF is “NCSU-Campus-Code42_CrashPlan-10.4.0.pkg”. The “NCSU-Campus-Install Code42CrashPlan License and Config.pkg” is required in the policy as before for new installs.
CrashPlan expects an app name and branding change in late Jan or early Feb 2023. This change will include some path names, so please be aware if you have documentation or workflows that have “Code42” in them.

Internet Recovery – No change
https://support.apple.com/en-us/HT204904.
Also see: https://mrmacintosh.com/restore-macos-firmware-on-an-apple-silicon-mac-boot-to-dfu-mode/

Software Packaging
New Autopkg servers based on M1 Mac minis have been purchased and are ready to replace the 2012 models in Jan 2023.

AntiMalware – No Change
DetectX Swift 1.0983 (universal) is still available. See oit.ncsu.edu/help-support/apple/jamf-pro/detectx-setup-in-jamf-pro/
For Sites that have paid for a CrowdStrike Falcon license, use NCSU-OIT-Crowdstrike-6.4.155.03.pkg for new installs. Patching is done directly from the MCNC CrowdStrike server. Note that a PPPC configuration profile is needed for silent installation on devices with non-admin users. See details at:
help.redcanary.com/hc/en-us/articles/4535994057879-How-to-Manually-Create-a-Jamf-Pro-Configuration-Profile-for-all-CrowdStrike-macOS-Sensor-Versions

Apple School Manager – No change. REMINDER: Make sure you *unassign* any devices you have sent to surplus.

Endpoint Protection Standard – Required Jamf Pro Implementation of Endpoint Protection Standard is at go.ncsu.edu/jamfeps

— 

XCreds issues update – 10 min
Update on XCreds issues
1) The first new account creation on provisioning/re-provisioning fails until after the first local login. Twocanoes is working on this issue; it is related to FileVault, so it may be after the holiday break before we see a fix. (Must test with hardware, not a VM.)
2) Unable to type in the XCreds window after upgrading to macOS 13. Twocanoes is aware and working on these. May be fixed by macOS 13.1.
Discussion

Jamf Connect Changes – 10 min
Jamf is splitting the retail version of the Jamf Connect product into 2 different levels: Basic and Premium. Basic is just the Jamf Connect we are using now, with the retail cost going down. Premium will include the Jamf Private Access features, with the retail cost going up slightly. However, there will be no change in cost or features for the Jamf Connect we get in education.
Discussion

MS changes to the Azure “Common” URL for configuring Jamf Connect and XCreds – 10 min

The best summary and links for this change are at
https://docs.jamf.com/jamf-connect/2.18.0/documentation/Release_History.html#ID-000006a1
Basically, the discovery URL
https://login.microsoftonline.com/common/.well-known/openid-configuration
is being blocked, and we must use the link with our tenant ID in it. For XCreds, the Jamf Configuration Profile Template already has the correct default value. Please check your Jamf Connect configuration profiles and update the URL if needed.
Discussion
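
One way to run the profile check described in this item, as an added example (not part of the original agenda and not Jamf or Twocanoes code): it walks every string in an unsigned .mobileconfig and reports any login.microsoftonline.com URL that still uses the “common” path, whatever key holds it. The payload types, the key name ExampleDiscoveryURL and the all-zero tenant ID in the sample are constructed placeholders.

```python
import plistlib
import sys
from urllib.parse import urlparse

MS_LOGIN_HOST = "login.microsoftonline.com"
COMMON = "https://login.microsoftonline.com/common/.well-known/openid-configuration"
TENANT = ("https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000"
          "/.well-known/openid-configuration")  # placeholder tenant ID

def uses_common_endpoint(value):
    """True for a login.microsoftonline.com URL whose first path segment is 'common'."""
    try:
        parsed = urlparse(value)
        host = (parsed.hostname or "").lower()
    except ValueError:  # malformed URL-like string
        return False
    segments = [s for s in parsed.path.split("/") if s]
    return (parsed.scheme in ("http", "https") and host == MS_LOGIN_HOST
            and bool(segments) and segments[0].lower() == "common")

def iter_strings(node, path=""):
    """Yield (key_path, value) for every string anywhere in the plist tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from iter_strings(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_strings(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node

def find_common_urls(profile_bytes):
    """Return [(key_path, url)] for each setting that still points at 'common'."""
    profile = plistlib.loads(profile_bytes)
    return [(p, v) for p, v in iter_strings(profile) if uses_common_endpoint(v)]

# Constructed sample profile: one outdated payload, one already on a tenant URL.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [
        {"PayloadType": "com.example.sso.old", "ExampleDiscoveryURL": COMMON},
        {"PayloadType": "com.example.sso.new", "ExampleDiscoveryURL": TENANT},
    ],
})

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PROFILE
    for key_path, url in find_common_urls(data):
        print(f"{key_path}: {url}")
```

Pass the path of a downloaded, unsigned profile as the first argument; a signed profile has to be unwrapped to its plist before this parser can read it.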

White paper on Login Items Background Permissions and Notifications – 10 min

With macOS 13, Apple has added new permissions and new notifications for login items that run in the background. A new configuration white paper from HCS is available from:
https://hcsonline.com/images/PDFs/Manage_Background_Tasks_Jamf.pdf
NOTE: Pay special attention to using the new smart group criterion “com.jamf.servicemanagement.backgroundapps” to avoid installing on older devices, which might fail and cause a profile loop. Also see p. 20 on using the Label, Bundle Identifier and Team Identifier. These identifier types will become more commonly used going forward and can be used with PPPC profiles to make managing access easier.
Discussion

TechShort: Better way to do Printing Profiles – 30 min

Currently the Jamf Cheat Sheet recommends setting up printers using the AirPrint payload. In working with CNR we discovered that “easy” printers like this are created under macOS 13 but do not show up to the end user reliably. There is another type of profile supported by Jamf, under the com.apple.mcxprinting domain, that works well. Jamf already has this payload under Printing, but they only support adding existing printers that cannot be created by Site administrators. There is also a custom JSON template that can be used, but it is malformed in GitHub and will appear to work but does not create usable printers. The best option is to use an unsigned (yes) XML .mobileconfig that covers all the keys. Get the example preconfigured with all Wolf Print printers from:
https://drive.google.com/file/d/1xc1B-4zL0B38-yUwonah2JndtaiQjL5f/view?usp=sharing
NOTE: Don’t forget to change the PayloadUUID using /usr/bin/uuidgen.
Also some tricks on how to provide PPDs from a central location.
Demo

Discussion
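
The PayloadUUID step from the NOTE above, as an added example (not part of the original agenda or the shared template): it rewrites an unsigned .mobileconfig so that every PayloadUUID is fresh, going slightly beyond the note by also replacing the UUIDs of nested payloads, and leaves all other keys untouched. uuid.uuid4() stands in for /usr/bin/uuidgen so the script also runs off a Mac; the sample profile, its identifiers and the key ExampleSetting are constructed.

```python
import plistlib
import sys
import uuid

def new_uuid():
    """Random UUID in the uppercase text form that /usr/bin/uuidgen prints on macOS."""
    return str(uuid.uuid4()).upper()

def regenerate_payload_uuids(profile_bytes):
    """Return (new_profile_bytes, [(old, new), ...]) with every PayloadUUID replaced.

    Each payload gets its own new value, so a template whose payloads were
    copied with identical UUIDs comes out with distinct ones.
    """
    profile = plistlib.loads(profile_bytes)
    changes = []

    def walk(node):
        if isinstance(node, dict):
            old = node.get("PayloadUUID")
            if isinstance(old, str):
                node["PayloadUUID"] = new_uuid()
                changes.append((old, node["PayloadUUID"]))
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)

    walk(profile)
    return plistlib.dumps(profile, sort_keys=False), changes

# Constructed sample: a copied template where both UUIDs are still the same.
OLD = "11111111-2222-3333-4444-555555555555"
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "edu.example.printing",
    "PayloadUUID": OLD,
    "PayloadContent": [
        {"PayloadType": "com.apple.mcxprinting",
         "PayloadIdentifier": "edu.example.printing.payload",
         "PayloadUUID": OLD,
         "ExampleSetting": "unchanged"},
    ],
})

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PROFILE
    updated, changes = regenerate_payload_uuids(data)
    for old, new in changes:
        print(f"{old} -> {new}", file=sys.stderr)
    sys.stdout.buffer.write(updated)
```

Redirect standard output to a new .mobileconfig file; the old-to-new mapping is printed on standard error.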

Q&A – 15 min
You ask, we try to answer.

Next meeting:
MacTech – Tue. Jan 10, 2023  In person/Zoom hybrid
MacTech – 2nd Tuesday each month: Jan, Feb, Mar, Apr, May, Jun, Aug, Sep, Oct, Nov, Dec
MacTech does not meet in July.
Meetings usually held in B16-B Hillsborough Bld.
Please mark your calendar.