babgond

For those who wanted a copy of my installer packaging talk at Penn State MacAdmins 2024, here are links to the slides in PDF and Keynote format.

• PDF: https://tinyurl.com/PSUMac2024PDF
• Keynote: https://tinyurl.com/PSUMac2024Keynote

This week, as in previous years since 2020, I attended Apple’s WWDC 2024 conference from the comforts of home. As part of this, I took notes during the labs and session videos. Due to wanting to stay on the right side of Apple’s NDA, I’ve posted my notes to Apple’s developer forums rather than to here.

To make it easier for Mac admins to access them, I’ve set up a post in the forums where I’ve linking the various forum posts with my notes. It’s available via the link below:

https://forums.developer.apple.com/forums/thread/758357

Update 6-17-2024: The content posted to the Apple developer forums is no longer available. I have received no communication from Apple as to why it is no longer available, but my assumption is that posting the content was objectionable and subsequently removed.

As the Apple developer forums were the only location that I felt were safe to post this content, and because I have no desire to speak with Apple Legal about this issue, I will not be sharing the notes I took at WWDC to any other locations. Instead, I would encourage interested parties to watch the session videos for the two sessions I took notes in:

• What’s new in Privacy: https://developer.apple.com/wwdc24/10123
• Whats new in device management: https://developer.apple.com/wwdc24/10143

Update 6-28-2024: The notes are back! The link above has been updated to point to a new post in the forums where I’ve linked the various forum posts with my notes.

I learned about the posts being restored via a message from Apple that the notes were restored, along with an apology for their previous removal. Apparently they were flagged as being spam, which is what prompted them to be removed.

Thanks to Apple for restoring them, and also for reaching out to let me know!

As part of preparing for macOS Sequoia, it may be useful to have a way to easily distinguish between the Macs in your fleet which can run macOS Sequoia and those which can’t. Apple has published the following list of Macs which are compatible with Sequoia, which will help with both identifying the compatible Mac models as well as the incompatible Mac models. 

• iMac: 2019 and later models
• iMac Pro: All models
• Mac Studio: All models
• MacBook Pro: 2018 and later models
• MacBook Air: 2020 and later models
• Mac Mini: 2018 and later models
• Mac Pro: 2019 and later models

From there, here’s the list of Mac models which are compatible with macOS Sequoia:

We can use this information to build smart groups which can help identify which Macs are compatible with Sequoia and which are not. For more details, see below the jump:

Using the information mentioned above, I was able to build two smart groups, one which displays compatible Macs and the other which displays incompatible Macs.

The compatible Macs’ smart group checks for if the Mac in question’s model identifier is any of the model identifiers which are compatible with Sequoia:

The incompatible Macs’ smart group checks for if the Mac in question’s model identifier is not any of the model identifiers which are compatible with Sequoia:

To upload these smart group XML files to a Jamf Pro server server using the API, download the XML file to a convenient location, then run the commands shown below (substituting your Jamf Pro server and Jamf Pro user account information as appropriate):

Note: You will first need to get an API bearer token for authentication. Use the commands below (depending on which OS you’re using) to obtain a bearer token from your Jamf Pro server:

Get API bearer token on macOS Monterey and later:

Get API bearer token on macOS Big Sur and earlier:

The bearer token should look something like this:

Once you have the bearer token, use to authenticate the API command as shown below:

If the API bearer token is the one shown above, the API command should look something like this:

If the smart group was successfully uploaded, you should next see output similar to that shown below:

The new smart group should now be present on the Jamf Pro server.

A while back, I had a deployment requirement where I could deploy a specific something to regular Macs but under no circumstances could I deploy it to virtual machines. The reason was that someone could install the thing on a virtual machine, then copy the virtual machine’s files elsewhere.

The issue I was looking at was how to reliably identify a virtual machine. There are various virtualization solutions for macOS available and the macOS virtual machines hosted by them all report various information for model, serial number and other characteristics. However, one thing that macOS virtual machines should have in common regardless of virtualization solution is that they don’t have a hardware Wi-Fi interface. When you’re a VM, it’s an Ethernet world. Meanwhile, every single real Mac for decades has had Wi-Fi hardware installed. Even if it’s never used by the Mac, that Wi-Fi hardware interface should be there.

We can use this with Jamf Pro to help identify macOS virtual machines. For more details, please see below the jump.

Here’s an example Jamf Pro Extension Attribute:

In this case, we’re using the networksetup tool’s listallhardwareports function and using it to filter for any hardware network interface with Wi-Fi (or similar enough to match) as part of the interface’s returned information. 

With the example EA, if at least one matching result is found, the following output is returned:

1

Otherwise, the following output is returned:

0

You can then use the returned result in a Jamf Pro smart group or advanced computer search to help you identify the macOS virtual machines enrolled with your Jamf Pro server.

A colleague ran into a problem recently where they tried to run the Erase All Content and Settings (EACAS) function on an Apple Silicon Mac. Instead of erasing the Mac, instead the following error message was displayed.

Erase Assistant is not supported on this Mac

The error message was misleading however, because the Mac actually supported EACAS without a problem. The root problem was the user account which was logged in had the following characteristics:

• Had administrator rights
• Did not have volume ownership

macOS on Apple Silicon Macs includes a concept known as volume ownership. You must be a volume owner to perform the following tasks on an Apple Silicon Mac:

• Make changes to startup security policy for a specific install of macOS.*
• Be able to authorize the installation of macOS software updates or macOS upgrades.
• Authorize running Erase All Contents and Settings.

* There may be multiple installations of macOS on one Apple Silicon Mac; each macOS install would have their own startup security policy.

For more information on volume ownership, please see Apple’s Platform Deployment article linked below:

https://support.apple.com/guide/deployment/use-secure-and-bootstrap-tokens-dep24dbdcf9e/web (see the Volume ownership section.)

In this case, since the account in question did not have volume ownership, it couldn’t run EACAS. Fortunately for my colleague, there was another account on the Mac which did have the following characteristics:

• Had administrator rights
• Had volume ownership

Once they logged into that account and ran the EACAS function, this time EACAS worked fine and the Mac was successfully wiped.

As a follow-up to my earlier post on Basic Authentication being deprecated for the Jamf Pro Classic API (first announced as part of the release of Jamf Pro 10.35.0), Jamf has disabled Basic Authentication support for the Jamf Pro Classic API as Jamf Pro 11.5.0.

One thing to note is that this change does not impact Cisco ISE integration, which also uses Basic Authentication.

For those looking now to transition away from Basic Authentication for connecting to the Jamf Pro Classic API, I’ve written a couple of shell script functions to assist with getting the bearer tokens now used for API authentication for the following categories:

• Jamf Pro API clients
• Jamf Pro user accounts

For more details, please see below the jump.

Jamf Pro API clients:

Jamf Pro user accounts:

A colleague ran into an issue recently where he was trying to clear out cached data using Safari’s Manage Website Data… option.

When they clicked the button, the expected behavior was that a new window would appear where they could find and remove the data in question.

Instead Safari crashed.

After some digging, we found a fix for the issue via a comment on this Reddit post:

I had the exact same problem. I was able to fix it by checking and unchecking “Block all cookies” checkbox above the “Manage Website Data” button. Afterward, that button started working again.

https://www.reddit.com/r/applehelp/comments/vhou48/comment/j0h6whs

For more details, please see below the jump.

If you’re also seeing this problem, please follow the process below to fix it:

1. Launch Safari

2. Under the Safari menu, click Settings.

3. Click on the Advanced option.

4. In the Advanced window, perform the following actions:

• Check Block all cookies if unchecked, or uncheck Block all cookies if checked.
• Uncheck Block all cookies if checked, or check Block all cookies if unchecked.

5. Click on the Privacy option.

6. Click the Manage Website Data… button.

The relevant window should now open in place of Safari crashing.

Full disclosure: I don’t fully understand why the fix described above works. My working theory is that Safari has an incomplete or corrupted settings file when it crashes and forcing an update to the relevant settings file via selecting and unselecting the Block all cookies setting fixes the issue.

I learned today that Charles Edge, one of the smartest people I’ve been privileged to know in my life, has passed away. I don’t know more details, but we have lost a kind and magnificent giant in the Mac Admins community and I have lost a good friend. 

It hits all the harder in that his death is so unexpected. Charles was one of the most alive people I knew. He wrote countless books (including a couple editions of Apple Device Management with me as co-author), either ran or appeared in multiple podcasts, had a full time job, contributed multiple open source tools and despite all of that always seemed to have time to talk. My regret is that I didn’t talk to him more often, with our last conversation happening in February.

I already miss you terribly, man. Wherever you are now, I hope you know how much you are loved and missed here.

If you have good memories of Charles, please share them in the comments below.

As part of an earlier post, I had provided scripts for downloading installer packages from a JCDS2 distribution point. I’ve made some updates to the scripts to provide more checking of the installer packages, to hopefully ensure that the downloaded installer package and the package available in the JCDS2 distribution point are exactly the same package.

The original scripts would check the download directory and see if there was an installer package with the same name as an installer package in the JCDS2 distribution point. If there was an installer package with a matching name, download of the installer package was skipped and the script would move on to the next installer package.

In the updated scripts, if there are installer packages already in the download directory which have the same name as an installer package in the JCDS distribution point, the MD5 hash of the existing installer package is checked against the MD5 hash of the installer package stored in the JCDS distribution point. 

If the MD5 hashes match, download of the installer package with the matching name is skipped. If the MD5 hashes do not match, the existing installer package in the download directory is deleted and a fresh copy of the installer package is downloaded. For more details, please see below the jump.

Usage: 

/path/to/Jamf_Pro_JCDS_Installer_Package_Download.sh

The script takes the following actions:

• Creates a download directory if none has been specified in the script.
• Uses the Jamf Pro Classic API to download the list of installer packages from the Jamf Pro server.
• Gets the Jamf Pro ID numbers for the individual installer packages.
• Uses the Jamf Pro Classic API to get the names of the individual installer packages.
• Checks to see if a file with a matching name exists in the download directory.
• If a file with a matching name does not exist in the download directory, use the Jamf Pro API to query the JCDS2 distribution point for the download URL of the installer package and download the installer package.
• If a file with a matching name exists in the download directory, check the MD5 hash of the file with the matching name and compare it against the MD5 hash of the file in the JCDS2 distribution point. 
•  If the MD5 hashes match, display a message that the file exists in the download directory. 
•  If they don’t match, delete the file with the matching name from the download directory, use the Jamf Pro API to query the JCDS2 distribution point for the download URL of the installer package and download the installer package.

The script should provide output similar to this:

The scripts are available from GitHub at the following location:

https://github.com/rtrouton/rtrouton_scripts/tree/main/rtrouton_scripts/Casper_Scripts/Jamf_Pro_JCDS_Installer_Package_Download

I recently needed to migrate a Jamf Cloud-hosted Jamf Pro instance from using an AWS-hosted cloud distribution point to using a Jamf-hosted JCDS2 cloud distribution point. For those looking at a similar migration, please see below the jump for more details.

Advisory: I strongly advise having Jamf’s Professional Services folks involved if you’re planning a migration like this. The reason is that, as of the current Jamf Pro 11.3.2 release, you can only have one cloud distribution point at a time. A migration like the one I performed will involve a cut-over process which includes having to re-upload your current distribution point’s installer packages to the new JCDS2 distribution point. This process also necessitates having good recent backups for the Jamf Pro instance in question.

With the assistance of Jamf’s Professional Services (particular thanks to Sepie Moinipanah, Leslie Helou and David Raabe for their support), the migration in my case went smoothly. Please see below for the process I followed to migrate from an AWS-hosted cloud distribution point to using a Jamf-hosted JCDS2 cloud distribution point:

Pre-requisites:

• A copy of all of the installers in the current AWS-hosted cloud distribution point
• The Cloud Services connection enabled in your Jamf Pro server’s settings
• jamfCPR
• API Client Role and API Client with the correct permissions
• A very recent backup of your Jamf Cloud-hosted Jamf Pro server

Getting the installers from your current distribution point:

There are several ways to get the installers from an AWS-hosted cloud distribution point. The method I chose was to use AWS’s command line tool to sync the contents of the S3 bucket used by the cloud distribution point to a local directory on my workstation:

https://derflounder.wordpress.com/2018/02/15/backing-up-the-contents-of-an-aws-hosted-jamf-pro-cloud-distribution-point-to-a-local-directory/

API Client Role and API Client:

The jamfCPR wiki describes the necessary permissions needed to sync installer packages to a JCDS2 cloud distribution point, in the context of an API Client Role. As a result, I used an API Client Role and API Client in this case because the API Client Role permissions don’t always map one-to-one to the permissions available to Jamf Pro accounts and groups. Please see below for the permissions I set for my API Client Role:

• Read Cloud Services Settings
• Read Distribution Points
• Create Packages
• Read Packages
• Update Packages
• Delete Packages
• Read Cloud Distribution Point
• Update Cloud Distribution Point
• Create Jamf Content Distribution Server Files
• Read Jamf Content Distribution Server Files
• Delete Jamf Content Distribution Server Files
• Jamf Packages Action

Preparing for the distribution point migration:

1. Verify that you have the latest version of jamfCPR available.

Note: If the JCDS2 cloud distribution point you’re migrating to is located outside of the United States, make sure you’re using jamfCPR 5.x or later. jamfCPR 4.12 and earlier is not able to work with JCDS2 cloud distribution points which are hosted in AWS regions outside of the United States.

2. Verify that you have an API Client Role and API Client on the Jamf Pro server which has the correct permissions assigned.

3. Verify that you have a copy of all installers on your current AWS-hosted cloud distribution point stored on the same Mac that you have the jamfCPR app installed on.

4. Work with Jamf to make sure that a backup of your Jamf Pro service is made just prior to doing the migration.

Advisory about the Jamf Pro backup:

At this point, I want to stop for a moment and discuss why that backup of your Jamf Pro service is so important. The reason has to do with how AWS-hosted cloud distribution points are created. When you set one up, Jamf Pro will do the following:

1. Create an S3 bucket with a randomly-generated name in the US-East-1 AWS region.
2. Create an associated CloudFront distribution which connects to the S3 bucket created in Step 1.

As the Jamf Pro admin, you don’t get to choose anything in this process and you can’t select an existing S3 bucket. What this means is that the migration goes wrong and you need to revert back to your AWS-hosted cloud distribution point, the only way to do so is to roll back your Jamf Pro service to a point in time before the migration started. You will not be able to go back to using your existing AWS-hosted cloud distribution point without restoring from that backup because there is no way otherwise to have Jamf Pro use that existing AWS-hosted cloud distribution point.

If you try to go back otherwise, Jamf Pro will not use the existing AWS-hosted cloud distribution point. Instead, Jamf Pro will set up a new S3 bucket and CloudFront distribution and you will now have a brand-new and completely empty AWS-hosted cloud distribution point.

Running the migration:

1. Log into your Jamf Pro server as an admin user with all needed rights.

2. Verify that the Cloud Services connection is logged in and appears to be working properly.

3. Go to Settings: Server: Cloud distribution point.

4. Click the Test button and verify that your connection to the cloud distribution point is working correctly.

5. Install something from your Jamf Pro server and verify that installation is working correctly.

6. Verify in your policy logs that the installer is coming from an address which matches something similar to what’s shown below:

https://d2zft6agzhvlnv.cloudfront.net

7. In your Jamf Pro server, go to Settings: Server: Cloud distribution point.

Note: The next step is a point of no return, for reasons described above in the Advisory about the Jamf Pro backup section. Make sure a very recent Jamf Pro backup is available.

8. Select Jamf Cloud and click the Save icon.

9. Click the Test button and verify that your connection to the cloud distribution point is working correctly.

10. Open the jamfCPR app on your Mac.

11. Select the directory containing the downloaded copy of the installers from the existing AWS-hosted cloud distribution point.

12. Set up the connection to your Jamf Pro service, using the API Client ID and its associated Client ID Secret.

13. Click the List button in the jamfCPR app. You should now see a list of packages that your Jamf Pro service has, showing a status of different.

Note: To allow the migration process to go quickly for this blog post, I’m using dummy installer packages with a size of one kilobyte. The jamfCPR app should display the actual size of the installer packages in its application window when the installers are listed.

14. Select the packages you want to copy back from the downloaded copy of the installers to your Jamf Pro service.

15. Click the Replicate button.

You can monitor the replication process using the jamfCPR logs, which are available under the View menu using the Show Logs command.

16. Once replication is completed, the packages should appear as Availability Pending when you bring up information on the package in the Jamf Pro admin console.

You also won’t see any packages listed in the Cloud distribution point screen available via Settings: Server: Cloud distribution point.

This is normal and the package should already be available for installation. One way to verify that the packages are present in the JCDS2 distribution point is by downloading them from the JCDS2 distribution point. I have a post on how to do this available via the link below:

https://derflounder.wordpress.com/2024/02/24/using-the-jamf-pro-api-to-download-installer-packages-from-a-jcds2-distribution-point/

17. Install something from your Jamf Pro server and verify that installation is working correctly.

18. Verify in your policy logs that the installer is coming from an address which matches something similar to what’s shown below:

https://server_name_here.jamfcloud.com/jcds

Note: If you’re using a custom DNS name for your Jamf Cloud instance, it would appear similar to what’s shown below:

https://server_name_here.custom_domain.here/jcds

Post-migration:

After about an hour, the packages should appear listed in the Cloud distribution point screen available via Settings: Server: Cloud distribution point:

The Availability Pending message should also disappear when you view information about the installer package.