MacTech Groups Agenda
Tuesday, Aug 11, 2020
2:30 to 4:30 pm
meet.google.com/aie-ypji-pqd
Announcements – 5 min
OIT only supports macOS 10.14.6 or newer
Status page for jamfcloud.com services see http://status.jamfsoftware.com
OIT Macintosh Support Web Site go.ncsu.edu/mac for updates.
Slack group ncstateit.slack.com #macintosh
Apple Sales: Paul Petrogeorge-paulpetro@apple.com & Sys Eng: Dave Andersen-andersen1@apple.com
macOS versions that shipped with Intel Hardware: support.apple.com/kb/HT1159
Vintage and Obsolete Apple Products: support.apple.com/kb/HT1752
Apple Education Support Line 800-800-2775 use this number only. Always verify Apple Care Coverage.
Antivirus for university owned devices – go.ncsu.edu/antivirus
Unity Macintosh MultiUser Workflow uses NoLoAD configuration with local home directory at /Users/$uid$
OIT supports only Apple, Intel (i386) hardware for Mac OS and software. Only unmodified iOS is supported.
Please remember to verify prices at www.apple.com/education/pricelists/ with NC State Marketplace
Authorized NC State personnel wanting to get training and tools for Apple Certified Technician should request invitation by opening a help desk ticket at help@ncsu.edu Must login to GSX monthly!!
JAMF Pro Enterprise service go.ncsu.edu/jamf, go.ncsu.edu/jamfinfo and go.ncsu.edu/uwc for details
JNUC 2020 is virtual and free – www.jamf.com/events/jamf-nation-user-conference/2020/
UNC CAUSE 2020 virtual – October 6-8 , 13-15, and 20-22 – 2020.unccause.org
Training – 5 min (any course available via Meet/Zoom upon request)
OIT-iOS Mobile Device Security – TBA reporter.ncsu.edu/link/courseview?courseID=OIT-iOSMob-Security&deptName=OIT
OIT-Managing Apple Devices with Jamf Pro – Request – reporter.ncsu.edu/link/courseview?courseID=OIT-JPro01-JPro01&deptName=OIT
OIT-Jamf Pro Best Practices for Packagers – Request – reporter.ncsu.edu/link/courseview?courseID=OIT-JPro03-JPro03&deptName=OIT
OIT-Advanced Apple Device Management with Jamf Pro – Request reporter.ncsu.edu/link/courseview?courseID=OIT-JPro02-JPro02&deptName=OIT
CrashPlan for Sub-Org Administrators – Request – reporter.ncsu.edu/link/courseview?courseID=OIT-CPlan1-CPlan1&deptName=OIT
Local Based Commercial Training – training.computertree.com/course/
JAMF Pro Training – www.jamf.com/training/
Service Updates – 30 min
Configuration Management – Jamf Pro production is 10.22.1 Jamf Pro 10.23.0 in test on nccloudtest.jamfcloud.com. Jamf Pro 10.24b1 is the latest beta.
Jamf Pro is the only approved Configuration Management system for macOS, iOS/iPadOS, and tvOS. See oit.ncsu.edu/it-security/eps-implementation/config-mgt-systems/
The USWCA Team will turn on automatic installation of Self Service.app Aug 12, 2020 about 0800. If you are currently delivering Self Service.app to iPad/iPhone/iTouch devices you will need to remove the AppStore/VPP configuration to avoid delivering the app twice.
Patch Definition Management – Kinobi Standard no change
Backup for Endpoints – The vendor has renamed CrashPlan to Code42.
Code42 production service is at version 8.2.2. Automatic update from Cloud for server and clients. Use the NCSU-Campus-Install_Code42-822.pkg for new installs which should autoupdate (7.2 for 10.12 or less will not update to 8.x but will continue to work). The NCSU-Campus-Install Code42CrashPlan License and Config.pkg is still required in the policy as before. The 7.x clients are compatible with 8.x server.
Internet Recovery – No change. https://support.apple.com/en-us/HT204904
Software Packaging – No change. Will be moving the Autopkg server to a new location (DC 1 closing) sometime June 2020. No impact is expected.
AntiMalware – DetectX Swift is still available and should be installed see oit.ncsu.edu/help-support/apple/jamf-pro/detectx-setup-in-jamf-pro/ Still no meeting of the OIT AV Steering teams scheduled.
Sensitive Data Discovery – NCSU-Campus-Spirion10800.pkg waiting for approval for 11.4.
Apple School Manager – No changes or updates.
AppleCare for Enterprise – Still on hold pending Apple being able to add to MarketPlace.
Endpoint Protection Standard – Phase 2 deadline-Dec 31, 2020. Several updates have been added to the Jamf Pro Cheat Sheet at:
oit.ncsu.edu/help-support/apple/jamf-pro/jamf-pro-policy-cheat-sheet/
—
Automated device enrollment in Eduroam Available – 10 min
The project for use of Eduroam with automated device enrollment is complete and the service is in production. See oit.ncsu.edu/help-support/apple/jamf-pro/jamf-pro-policy-cheat-sheet/#enc to configure. The use of device certificates to access Eduroam at other institutions when traveling has been confirmed working. Discussion
Move to Duo MFA for Jamf Pro login on Sep 15, 2020 – 15 min
In order to better secure our approved Apple configuration management system OIT will begin requiring Duo MFA for Jamf Pro beginning Sep 15, 2020. In preparation for the Apple School Manager federation with Azure we are working on, the username format will change to unityid@ncsu.edu on the same date. NOTE: This is not Single Sign On (SSO) as Jamf does not allow SSO on a per Site basis. This will secure Jamf Pro from a known issue where a stolen account could enroll in our configuration management process without permissions. See labs.f-secure.com/blog/jamfing-for-joy-attacking-macos-in-enterprise/. We have taken all the other steps needed to secure the CMS from the other attacks known. The impact of this is that clients using Self Service Login, the Over the Air Enrollment url (go.ncsu.edu/jamenroll), and Jamf Site administrators using the web console (go.ncsu.edu/jamf) will be prompted for Duo MFA after logging in with unityid@ncsu.edu.
There are 2 additional impacts with this change:
- Just clients logging in will not see a DUO dialog during the login process but will be prompted for DUO MFA on their registered device. This is similar to the way or VPN client works.
- Web Console users only including Site admins will have to respond 2 times to a DUO prompt. This additional burden is due to an known issue with Jamf Pro where it logs in 2 times once to verify the user and the second time to lookup authorization groups for the user. Users of Self Service login and OTA enrollment will only be prompted 1 time.
Discussion
Apple Silicon and other WWDC Enterprise Announcements – 20 min
OIT has tested several of the current configuration profiles for EPS delivered from Jamf Pro with macOS 11 Big Sur Beta and found them working. Jamf Pro 10.24 should have full support. We were not able to get developer pre-release Apple Silicon hardware but will request testing units as soon as production models are available (rumor of MacBook Air in Dec?). Of great concern is vendor lag as Apple strictly enforces move from kernel extensions to system extensions. We have several products including Cisco VPN, Spirion, OpenAFS, and all antimalware(SCEP for mac, Malware Bytes which require kernel extensions (Detect X does not require kernel extensions or system extensions). In general most 64 bit software is reported to run just fine on Apple Silicon due to Rosetta 2.
Discussion
Q&A – 15 min
You ask we try to answer
Next meeting:
MacTech – NO JULY MEETING Tue. Sep 8, 2020 Virtual via Google Meet.
MacTech – 2nd Tuesday each month: Jan, Feb, Mar, Apr, May, Jun, Aug, Sep, Oct, Nov, Dec
MacTech does not meet in July.
Meetings usually held in B16-B Hillsborough Bld.
Please mark your calendar.