Automating setup of a Jamf Pro server on Ubuntu LTS

I recently had a need to set up an on-premise Jamf Pro server for some quick testing. In this case, I needed to set up a Jamf Pro server with the following characteristics:

  1. MySQL 8.x installed on the same server as the Jamf Pro Tomcat software
  2. Jamf Pro set up as a single instance and not clustered. 

To help simplify the process, I went back to some previous work. I had previously written a script for AWS’s Lightsail service which does the following on Ubuntu LTS:

  1. Downloads a Jamf Pro installer from a defined download URL
  2. Installs OpenJDK 11, MySQL 8.x Community Server and other tools
  3. Creates a new MySQL database for Jamf Pro’s use
  4. Installs Jamf Pro
  5. Configures Jamf Pro to use the new MySQL database

I’ve now updated it to do the following on Ubuntu 22.04 LTS:

  1. Downloads the Jamf Pro 11.x installer from a defined download URL
  2. Installs OpenJDK 11, MySQL 8.x Community Server and other tools
  3. Creates a new MySQL database for Jamf Pro’s use
  4. Installs Jamf Pro 11.x
  5. Configures Jamf Pro 11.x to use the new MySQL database

Even though it was written for use with Lightsail, the script should work on any Ubuntu 22.04 LTS install. It’s available via the link below:

https://github.com/rtrouton/aws_lightsail/tree/master/lightsail_jamf_pro_setup/lightsail_jamf_pro_setup_with_mysql_8

Resolving “Signing Certificate issued by SSO Identity Provider is expiring in 30 days” notifications in Jamf Pro after rotating Entra ID SAML signing certificate

I have a Jamf Pro server which is connected to Microsoft’s Entra ID for its directory service. Recently, I received an email from Microsoft letting me know that the SAML signing certificate for the Entra ID app I was using to provide a connection between Jamf Pro and Entra ID was coming up for expiration in about 30 days.

IMG_4134_1 copy

This certificate is used by Entra ID to sign the SAML tokens being issued to the Entra ID app and by default, this certificate is good for three years. For those interested, Microsoft has a KBase article available with more information about this topic:

Tutorial: Manage certificates for federated single sign-on: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/tutorial-manage-certificates-for-federated-single-sign-on

The instructions for rotation of this certificate are pretty straightforward and were provided in the email sent to me by Microsoft.

IMG_4135_1 copy

I scheduled the rotation during a planned maintenance downtime and everything appeared fine once the new SAML signing certificate was in place and active.

Screenshot 2023-11-04 at 6.41.27 AM copy

However, when I logged into Jamf Pro following the certificate rotation, I noticed I had a new notification appearing:

Signing Certificate issued by SSO Identity Provider is expiring in 30 days

Since I had just rotated the SAML signing certificate and had verified that the new one (which does not expire in 30 days) was the active one, this message was concerning. After some research, I ran across a Jamf Nation discussion which provided an explanation for the message:

Even though the old SAML signing certificate was now marked as inactive, Jamf Pro was still detecting its presence and reporting (correctly) that it would expire in 30 days.

From there, the solution was straightforward: Delete the inactive SAML signing certificate from Entra ID.

This left only the active SAML signing certificate listed in Entra ID. This certificate has an expiration date greater than 30 days.

Screenshot 2023-11-04 at 7.41.29 AM copy

Once the inactive SAML signing certificate was deleted, Jamf Pro took about twenty minutes to register that fact. After that, the notification message disappeared from Jamf Pro without additional actions needed on my part

Preparing installer packages for installation using MDM commands

An issue that some Mac admins have had to deal with is that their system management tool is using MDM commands to install installer packages. This usually applies if the system management tool does not have an agent installed on the managed Macs and instead is using only MDM for management.

In those cases, installer packages must have the following attributes for a successful installation via MDM command:

  1. Signed with an Apple Developer ID Installer certificate
  2. Be a distribution installer package

For criteria #2, this references the fact that there are two kinds of modern installer packages for macOS:

  • Component packages: these are the standard type of installer package, which contain an archive of files to install and the information on where the files should be installed.
  • Distribution packages: These packages can contain one or more component packages, and may also include additional resources to customize and control the user interface shown in the Installer application.

Both component and distribution packages use the same icon by default, so you can’t tell the difference by visually looking at an installer package. However, you can use the xar command line tool to check inside an installer package and list the files stored inside. The reason why this helps is that all distribution packages will have a file inside named Distribution and component packages will not.

To check an installer package to see if it is a distribution package, use the command shown below:


xar -tf /path/to/pkg_name_goes_here.pkg | grep -o Distribution

view raw

gistfile1.txt

hosted with ❤ by GitHub

If it’s a distribution package, you should get output similar to this:


username@computername ~ % xar -tf /path/to/pkg_name_goes_here.pkg | grep -o Distribution
Distribution
username@computername ~ %

view raw

gistfile1.txt

hosted with ❤ by GitHub

If it’s not a distribution package, you should get output similar to this:


username@computername ~ % xar -tf /path/to/pkg_name_goes_here.pkg | grep -o Distribution
username@computername ~ %

view raw

gistfile1.txt

hosted with ❤ by GitHub

If it is not a distribution package, you can use the productbuild command line tool to convert the installer package into a distribution package. To convert a component installer package to a distribution installer package, use the command shown below:


/usr/bin/productbuild –package /path/to/package_being_converted_to_distribution.pkg /path/to/new_distribution_package.pkg

view raw

gistfile1.txt

hosted with ❤ by GitHub

In this case, package_being_converted_to_distribution.pkg is the name of the package that you want to convert to a distribution package and new_distribution_package.pkg is the name you want to give to the newly-created distribution package.

Note: If converting a signed installer package, the new distribution package will not be signed. If needed, you will need to sign the distribution package following its creation.

Thanks to the folks in the #packaging channel of the Mac Admins Slack who assisted with providing information for this post.

Re-enabling OpenBSM auditing on macOS Sonoma

Apple deprecated its OpenBSM audit system beginning with macOS Big Sur, but the audit system itself stayed enabled until the release of macOS Sonoma. As of macOS Sonoma, it is now disabled and does not run by default. The man page includes this deprecation notice section:


DEPRECATION NOTICE
The audit(4) subsystem has been deprecated since macOS 11.0, disabled since macOS 14.0, and WILL BE REMOVED in a future version of macOS. Applications that
require a security event stream should use the EndpointSecurity(7) API instead.
On this version of macOS, you can re-enable audit(4) by renaming or copying /etc/security/audit_control.example to /etc/security/audit_control, re-enabling the
system/com.apple.auditd service by running launchctl enable system/com.apple.auditd as root, and rebooting.

view raw

gistfile1.txt

hosted with ❤ by GitHub

Screenshot 2023 10 18 at 11 00

If you still need to have the OpenBSM audit system running on macOS Sonoma, it’s possible to re-enable it using the procedure described in the man page. For more information, please see below the jump.

Check if it’s already running

Before enabling, I recommend verifying that it’s not already running. For example, I know that Jamf Pro 10.50 and later will re-enable the OpenBSM auditing system on macOS Sonoma Macs. Please use the procedure below to check and see if something else has already enabled the OpenBSM audit system.

1. Run the following command with root privileges:


/bin/launchctl list | grep auditd

view raw

gistfile1.txt

hosted with ❤ by GitHub

If it’s already enabled and running, you should see output similar to what’s shown below:


username@computername ~ % sudo /bin/launchctl list | grep auditd
375 0 com.apple.auditd
username@computername ~ %

view raw

gistfile1.txt

hosted with ❤ by GitHub

Enable OpenBSM auditing

If it’s not running you should see output similar to what’s shown below:


username@computername ~ % sudo /bin/launchctl list | grep auditd
username@computername ~ %

view raw

gistfile1.txt

hosted with ❤ by GitHub

If the OpenBSM audit system is not running and you want to enable it, please use the procedure described below:

1. Run the following command with root privileges:


cp /etc/security/audit_control.example /etc/security/audit_control

view raw

gistfile1.txt

hosted with ❤ by GitHub

2. Run the following command with root privileges:


/bin/launchctl enable system/com.apple.auditd

view raw

gistfile1.txt

hosted with ❤ by GitHub

3. Restart the Mac.

4. Following the restart, verify that the auditd service is enabled by running the following command with root privileges:


/bin/launchctl list | grep auditd

view raw

gistfile1.txt

hosted with ❤ by GitHub

You should see output similar to what’s shown below:


username@computername ~ % sudo /bin/launchctl list | grep auditd
375 0 com.apple.auditd
username@computername ~ %

view raw

gistfile1.txt

hosted with ❤ by GitHub

Note: If you have a custom configuration for OpenBSM auditing, you’ll need to add those configuration settings to the following file:

/etc/security/audit_control

For more information on configuration of OpenBSM auditing, please see the audit_control man page or my earlier post on OpenBSM auditing.

Session videos and slides available from MacSysAdmin 2023

The documentation from MacSysAdmin 2023 is available, with the session slides and videos being accessible from the link below:

http://documentation.macsysadmin.se

The video of my session is available for download from here:

I also like to thank Patrik Jerneheim again for inviting me to speak at this year’s MacSysAdmin.

Enabling Touch ID authentication for sudo on macOS Sonoma

Since the release of macOS High Sierra, it has been possible to enable Touch ID authentication for the sudo tool. However, the necessary modifications needed to be re-applied after every update to macOS because the modified file would get overwritten with the OS’s default values each time macOS was updated.

As of macOS Sonoma though, this modification can now be persistent. Apple included the following note as part of the the What’s new for enterprise in macOS Sonoma KBase article:

Touch ID can be allowed for sudo with a configuration that persists across software updates using /etc/pam.d/sudo_local. See /etc/pam.d/sudo_local.template for details.

Screenshot 2023 10 14 at 1 43 01 PM

When examined on macOS Sonoma 14.0.0, the contents of the /etc/pam.d/sudo_local.template file are as shown below:


# sudo_local: local config file which survives system update and is included for sudo
# uncomment following line to enable Touch ID for sudo
#auth sufficient pam_tid.so

view raw

gistfile1.txt

hosted with ❤ by GitHub

Copying the /etc/pam.d/sudo_local.template file to /etc/pam.d/sudo_local and uncommenting the indicated line allows Touch ID to work for authentication to the sudo tool.

Screenshot 2023 10 14 at 1 40

To assist with the process of enabling and disabling Touch ID authentication for the sudo tool, I’ve written a couple of scripts. For more details, please see below the jump.

The scripts are available via the link below:

https://github.com/rtrouton/rtrouton_scripts/tree/main/rtrouton_scripts/enable_and_disable_touch_id_for_sudo

There are two scripts available at the above location:

Both scripts are set to check if they are being run on macOS Sonoma or later, and will exit with a message if they are run on an earlier version of macOS.

Slides from the “Introduction to Declarative MDM” session at MacSysAdmin 2023

For those who wanted a copy of my declarative device management talk at MacSysAdmin 2023, here are links to the slides in PDF and Keynote format.

Suppressing undesired local account password policy notifications on macOS Sonoma

As part of the release of macOS Sonoma 14.0.0, there is a bug which may be triggered if you have deployed a configuration profile which sets password rules for local accounts. An example profile is shown below:


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"&gt;
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>Passcode</string>
<key>PayloadIdentifier</key>
<string>com.apple.mobiledevice.passwordpolicy.3BCA8E01-3CB9-4D6B-8338-518C51B80AAF</string>
<key>PayloadType</key>
<string>com.apple.mobiledevice.passwordpolicy</string>
<key>PayloadUUID</key>
<string>F0B7EB5D-5DF1-4DDC-8A80-01CA458E6157</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>allowSimple</key>
<false/>
<key>forcePIN</key>
<true/>
<key>maxFailedAttempts</key>
<integer>10</integer>
<key>minLength</key>
<integer>15</integer>
<key>minutesUntilFailedLoginReset</key>
<integer>15</integer>
<key>requireAlphanumeric</key>
<true/>
</dict>
</array>
<key>PayloadDescription</key>
<string>Sets password rules for local accounts on this Mac.</string>
<key>PayloadDisplayName</key>
<string>Local Account Password Rules</string>
<key>PayloadIdentifier</key>
<string>com.company.9EF1E03A-5DEB-4D1F-9E14-D76AFF153C35</string>
<key>PayloadOrganization</key>
<string>Company Name</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>40829036-5EAF-42C9-9678-D27F0C28654B</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>

 

In those cases, you may see one or the other following notifications when you log into macOS Sonoma for the first time.

IMG 3879

IMG 3880

These notifications don’t actually indicate a problem and clicking on them does nothing but make the messages disappear. However, for shops which are using profiles which set local account password rules, these messages will almost certainly cause tickets asking “What is this and what does it mean?” from your user community.

I have filed feedback with Apple regarding this issue. For those wishing to reference it, it is Feedback # FB12845634.

For the initial release of Sonoma, the best solution identified so far is to suppress the notifications for local password management, to make sure that these notifications don’t appear until Apple releases an update to macOS Sonoma which addresses this problem. To assist with this, I have an example profile available from the link below:

https://github.com/rtrouton/profiles/tree/main/DisableAppleLocalUserAccountPasswordNotifications

Note: The example profile linked above will suppress all local account password policy notifications. If you are using local account password policy notifications for other purposes, this solution may not work for you.

The component in macOS which generates the local account password notifications also exists on macOS Ventura, so you should be able to deploy a profile like the one linked above to macOS Ventura. This should ensure that Macs upgrading to macOS Sonoma also have these notifications suppressed from the start on macOS Sonoma 14.0.0.

 

Managing the “Click wallpaper to reveal desktop” setting in macOS Sonoma

Every so often, something gets added to macOS and enabled by default where I wish it was off by default. In macOS Sonoma, that’s the new Click wallpaper to reveal desktop option, which works like this by default.

  1. Click on an empty spot on the desktop.
  2. Watch your open windows disappear off-screen.

Click wallpaper to reveal desktop default behavior

Apple does include a one-time message which explains the behavior, but if you click away from the message it won’t re-appear when you click again on an empty spot on the desktop.

Screenshot 2023 09 20 at 8 41 02 PM

This behavior is managed in System Settings: Desktop & Dock and is listed as the Click wallpaper to reveal desktop setting. This has two settings:

  • Always
  • Only in Stage Manager

The default behavior is Always. To stop making your windows disappear whenever you click on the desktop, select Only in Stage Manager.

Screenshot 2023 09 20 at 8 07 35 PM

Fortunately for my preferences, I was able to figure out that the Click wallpaper to reveal desktop behavior was controlled via the following setting:

  • Domain: com.apple.WindowManager
  • Key: EnableStandardClickToShowDesktop
  • Value: Boolean

To set the Click wallpaper to reveal desktop setting to Always, run the following command as the logged-in user:


/usr/bin/defaults write com.apple.WindowManager EnableStandardClickToShowDesktop -bool true

view raw

gistfile1.txt

hosted with ❤ by GitHub

To set the Click wallpaper to reveal desktop setting to Only in Stage Manager, run the following command as the logged-in user:


/usr/bin/defaults write com.apple.WindowManager EnableStandardClickToShowDesktop -bool false

view raw

gistfile1.txt

hosted with ❤ by GitHub

In my case, I wanted this setting permanently set to Only in Stage Manager so I’ve also written a profile which can enforce this. It’s available via the link below:

https://github.com/rtrouton/profiles/blob/main/ManageClickWallpaperToShowDesktopItems

Slides from the “Installer Package Scripting” session at Jamf Nation User Conference 2023

For those who wanted a copy of my installer package scripting talk at Jamf Nation User Conference 2023, here are links to the slides in PDF and Keynote format.