MacTech 10102023

 

MacTech Groups Agenda
Tue, Oct 10, 2023
2:30 to 4:30 pm
In person Room B16-B Hillsborough Building
or
https://ncsu.zoom.us/j/98050685794?pwd=bU9aQUVqaW5ydU5JS0k1bzA5V0Jqdz09

Announcements – 5 min 

OIT only supports macOS 12.x or newer after Dec 31, 2023 
NOTE: Many vendors are dropping support for 10.x versions of macOS. If there is hardware that cannot update to macOS 12 or newer, it is time to plan for replacement.
For the status of jamfcloud.com services, see http://status.jamfsoftware.com
OIT Macintosh Support Web Site go.ncsu.edu/mac for updates.
Slack group ncstateit.slack.com #macintosh
Apple Sales: Paul Petrogeorge (paulpetro@apple.com) & Sys Eng: Dave Andersen (andersen1@apple.com)
Vintage and Obsolete Apple Products: support.apple.com/kb/HT1752
Apple Education Support Line 800-800-2775 use this number only. Always verify Applecare Coverage.
Antivirus for university owned devices – go.ncsu.edu/antivirus
Unity MultiUser Workflow uses XCreds with local home directory  See go.ncsu.edu/jamfcheat#xcreds
OIT supports only Apple branded Apple Silicon(arm64) and Intel (intel64) hardware for macOS and software. Only unmodified iOS/iPadOS/tvOS is supported. NOTE: watchOS and xrOS are best effort with no official support.
Please remember to verify prices at www.apple.com/education/pricelists/ with NC State Marketplace
Authorized NC State personnel wanting to get training and tools for Apple Certified Technician should request an invitation by opening a help desk ticket at help@ncsu.edu. Must log in to GSX monthly!!
JAMF Pro Enterprise service go.ncsu.edu/jamf,  go.ncsu.edu/jamfinfo and go.ncsu.edu/uwc for details
Required Jamf Pro Implementation of Endpoint Protection Standard – go.ncsu.edu/jamfeps
JAMF Pro Cheat Sheet at go.ncsu.edu/jamfcheat for details on common configuration management tasks
JNUC 2023 will be held in Austin, TX, Sep. 19-21, 2023. Several NCSU folks are attending. community.jamf.com/t5/jamf-nation-user-conference/jamf-nation-user-conference-2023-registration-is-open/td-p/283510
UNC CAUSE 2023 will be held in Winston Salem, NC, Oct. 25-27, 2023
— Everette will co-host the Apple Managers SIG at UNC CAUSE OCT 25 @ 1645
Brooks Person from ECU will give a talk on “ECU School of Dental Medicine’s Journey with Jamf Protect & macOS Security Compliance” at UNC CAUSE Oct 27 @ 1100

Training – 5 min

Virtual Quick Start Jamf Pro at NCSU course – 1 Hour – available by scheduling Everette at calendly.com/ncsuega

Hands On only:

OIT-Managing Apple Devices with Jamf Pro -Hands On Only TBA
reporter.ncsu.edu/link/instanceview?courseID=OIT-JPro01-JPro01&deptName=OIT&instanceID=000012

OIT-Jamf Pro Best Practices for Packagers -Hands On Only Oct 24, 2023 HLB B3
reporter.ncsu.edu/link/instanceview?courseID=OIT-JPro03-JPro03&deptName=OIT&instanceID=000010

OIT-Advanced Apple Device Management with Jamf Pro -Hands On Only Nov 7, 2023 1:30-4:30 HLB B3
reporter.ncsu.edu/link/instanceview?courseID=OIT-JPro02-JPro02&deptName=OIT&instanceID=000011

JAMF Pro Training – www.jamf.com/training/ 

Apple Training – training.apple.com/it  – Certified IT Professional and Certified Support Professional

 

Service Updates – 30 min 

Configuration Management – Jamf Pro production is currently 10.50, test on nccloudtest is 10.50.0, and beta is 11.0B1. We continue to do ongoing cleanup of unused objects in the Jamf Pro database and are working with Jamf support on several known product issues (PI). Please remove any unused Smart Groups and switch any Smart Groups that are not used in a Scope to an Advanced Report. Please verify that any Configuration Profiles for kernel or system extensions have the correct exclusions based on the processor types they run on. Expect more cleanup lists shortly. Jamf Pro is the only approved Configuration Management system for macOS, iOS, iPadOS, and tvOS. See oit.ncsu.edu/it-security/eps-implementation/config-mgt-systems/
Discussion

Patch Management – The Jamf App Catalog has 145 titles.
learn.jamf.com/bundle/jamf-app-catalog/page/Release_History_App_Installers.html

Jamf Connect Updates – The latest version of Jamf Connect is 2.28.0. See the release notes at
learn.jamf.com/bundle/jamf-connect-documentation-current/page/Release_History.html
NOTE: Jamf Connect 2.20.0 is the last version that supports macOS 10.x
Discussion

XCreds Project – No change. Latest installer is NCSU-Campus-XCreds-3.1.5084 in Jamf Pro Distribution.
Note: XCreds requires a free, Campus wide, license configuration profile.
The license for XCreds is available for the entire campus use at no cost and will remain so.
See go.ncsu.edu/jamfcheat#xcreds for implementation details.

Backup for Endpoints – CrashPlan version 11.1.1.2 is in production, macOS PPPC see:
support.crashplan.com/hc/en-us/articles/8695023896845-Grant-CrashPlan-permissions-to-macOS-devices
NOTE: All updates to existing clients are pushed from the web service.
For NEW installs only, the package to use in JAMF is “NCSU-Campus-Install_CrashPlan-11.1.1.2.pkg”. The “NCSU-Campus-CrashPlan License.pkg” is required in the policy as before for new installs.
The license package for CrashPlan has been updated to reflect the new service URL along with the SSO configuration of the service.  This was needed due to the final transfer of resources from Code42 to CrashPlan.

Internet Recovery – No change
https://support.apple.com/en-us/HT204904.
Also see: https://mrmacintosh.com/restore-macos-firmware-on-an-apple-silicon-mac-boot-to-dfu-mode/

Software Packaging
NCSU-Campus-Matlab_2023b.pkg and NCSU-Campus-AlertusDesktopClientInstaller_v2.12.03.1810.pkg were added to the Jamf Distribution service along with the updated Crashplan License installer.
Are there other needs?

AntiMalware – No Change
DetectX Swift 1.0983 (universal) is still available. See oit.ncsu.edu/help-support/apple/jamf-pro/detectx-setup-in-jamf-pro/   
For sites that have paid for a Crowdstrike Falcon license, use NCSU-Campus-Crowdstrike-6.49.162.01.pkg for new installs. Patching is done directly from the MCNC Crowdstrike server. Note that a PPPC configuration profile is needed for silent installation on devices with non-admin users. See details at:
help.redcanary.com/hc/en-us/articles/4535994057879-How-to-Manually-Create-a-Jamf-Pro-Configuration-Profile-for-all-CrowdStrike-macOS-Sensor-Versions

Apple School Manager – No change. REMINDER Make sure you *unassign* any devices you have sent to surplus.

Endpoint Protection Standard  – Required Jamf Pro Implementation of Endpoint Protection Standard is at  go.ncsu.edu/jamfeps  

— 

Apple OS Security Updates – 1 min
Just a reminder that Apple has released even more security updates that combat known security issues that are in the wild. There are now 3 dot releases of iPadOS and iOS. All users should be encouraged to do these updates in a timely manner, especially on iOS.

Understanding Jamf LAPS testing on nccloudtest.jamfcloud.com – 30 min
Jamf-controlled MDM LAPS is now on for testing in nc.jamfcloud.com. Here is a slide showing the conditions that enforce both kinds of LAPS. From now on, the “macadd” account will ALWAYS be subject to the Jamf LAPS (JLAPS) regardless. This does not matter to 99.9% of the world. The admin account configured in PreStage will always be under Apple’s MDM LAPS when created if we turn it on like we have in nccloudtest. Admin accounts created by a policy will NOT be under any LAPS (Everette tested this). Today there is no web GUI to get the escrowed MDM LAPS password, only the API. Use the script “Retrieve JAMF LAPS Password.zsh” (see https://gist.github.com/talkingmoose/fe84537a3a6951caa7fcb767d15ee3e6) for testing.
We will not turn MDM LAPS on in production until there is a web GUI to view the escrowed passwords.
Currently the settings on nccloudtest are 1) rotate the password 60 minutes after it is viewed (i.e., retrieved with the API) and 2) rotate the password every 90 days from last rotation.
Currently we have control over whether to enable this or not. However, Jamf documentation says:
“MDM LAPS is disabled by default. In a future release of Jamf Pro,
automatic password randomization for this account (Prestage Admin) will be enabled.”
See https://learn.jamf.com/bundle/technical-paper-laps-current/page/Types_of_LAPS.html
Discussion

Apple OS Updates – 5 min
Apple has released updates for macOS 14 and iOS/iPadOS 17. If you have not already tested your software workflows, it is past time. Remember you will not be able to prevent updates unless you set a deferral profile, and then only for 90 days max. End users running macOS 13 or better will be able to update WITHOUT being an administrator or elevating permissions. Remember that anyone with a school.apple.com account can log in to appleseed.apple.com and download the latest pre-releases, and there is a good reference on the Mr. Macintosh web site at:
mrmacintosh.com/macos-sonoma-full-installer-database-download-directly-from-apple/
Discussion

Apple Managed Software Updates in Jamf Pro – 5 min
On Wed Oct 11, 2023 about 0900 we will enable the “new” managed Apple Software updates tab in Jamf Pro. This should work with macOS 10.15 and newer, including macOS 14.0. In testing this has been a more reliable way to update macOS. HOWEVER, please remember: 1) the download is still 12+ GB and the updates will not take place until the download is complete, however long that takes on your network; 2) Jamf has not yet implemented all the features of MDM Software Updates, so getting the status of updates in progress is not yet available; 3) it works with computers with macOS 10.15 or later that are supervised or enrolled via a PreStage enrollment in Jamf Pro; and 4) to have the update for computers with Apple silicon (i.e., M1 chip) installed automatically without user interaction, a Bootstrap Token for target computers must be escrowed with Jamf Pro.
See: https://learn.jamf.com/bundle/jamf-pro-documentation-current/page/Updating_macOS_Groups_Using_Beta_Managed_Software_Updates.html
Discussion

 

Q&A – 15 min
You ask, we try to answer

Next meeting:
MacTech – Tue. Nov 14, 2023  In person/Zoom hybrid
MacTech – 2nd Tuesday each month: Jan, Feb, Mar, Apr, May, Jun, Aug, Sep, Oct, Nov, Dec
MacTech does not meet in July.
Meetings usually held in B16-B Hillsborough Bld.
Please mark your calendar.