Installing the Jamf Software Server (JSS) onto Windows Server – Crib Sheet

Hey all. As mentioned previously, I recently had a requirement to install a Jamf Software Server onto a Windows Server on-premise. In case you didn’t notice, I’m a big fan of crib sheets and checklists to ensure that, in the heat of the moment, I’m not missing steps unknowingly.

This post is part-update, part-new version of my almost 2 year old Amsys post “Jamf Pro Server / Casper JSS Windows Upgrade Crib Sheet“. It’ll also pull from a few Jamf KB articles that are linked at the end.

It’s designed to act as a starting point for your own crib sheet / checklist for a fresh JSS install, as well as a possible basis for an upgrade crib sheet. It won’t go into all the customisations and options you may require for your environment so make sure to test everything and adapt as required. This also assumes you’ll be running the JSS on port 8443 and MySQL and Tomcat on the same server.

PLEASE NOTE: Before you touch anything, and at various points throughout, TAKE BACKUPS. I’m serious, they’ll get you out of trouble more times then you want and you’ll be glad each time.

Dates and Versions

In order to ensure this ages as gracefully as possible, I’m including dates and versions of the items used to build this guide. Please always check the KBs and your own notes in case of any changes required.

• Date drafted: 2019-08-18
• JSS Version: 10.14.0
• Java Version: 11.0.4.11.1
• MySQL Version: 8.0.17

The Guide

Without further ado, lets get cracking

Installing Java and MySQL

1) Download the Windows .msi for Corretto Java from here

2) Run through the standard installer for Corretto Java

3) Download the MySQL Community Server 64-bit MSI installer for Microsoft Windows from here

4) Launch the installer and pick “Server Only” for setup type and click Next

5) The installer will check the environment before continuing. If the ‘Microsoft Visual C++ Redistributable’ needs to be installed, it’ll let you know. If so, click ‘Execute’ to install it. Click Next

6) Click Execute to start the install

7) Once complete, you’ll be taken through the initial configuration options

8) Select the “Standalone MySQL Server” option and click Next

9) Select “Server Computer” and click Next

10) Select the “Use Legacy Authentication Method (Retain MySQL 5.x Compatibility)” and click Next

11) Set a password for the MySQL root account and click Next. Ensure it’s a long and complex password and is recorded somewhere safe.

12) These should be set by default, but ensure the options for “Configure MySQL Server as a Windows Service”, “Start the MySQL Server at System Startup” and “Standard System Account” are enabled. Click Next.

13) Click “Execute” to apply the configuration

14) Click “Finish” to complete the install and close the installer.

Configuring MySQL

1) Stop the MySQL server (either via the command line, or via the “Services” Windows application).

2) Make a backup of the MySQL configuration file (normally found at C:\ProgramData\MySQL Server 8.x\my.ini )

3) Open this file in your preferred code editor (don’t forget about possible issues with Notepad, as discussed here!)

4) Find the line [mysqld]

5) Add the following on a new line below this:

default-authentication-plugin=mysql_native_password

6) Find the setting for innodb_buffer_pool_size

7) Edit this to a value appropriate for your server. The Jamf KB discusses this in detail but an example I’ve used initially is:

12GB Total Server RAM = 6GB for the Tomcat service, 2GB for the host OS, and so 4GB for the innodb_buffer_pool_size

8) Find the setting for innodb_file_per_table and set this to 1

9) Save the file and restart MySQL

Create the MySQL Database

1) Launch the “MySQL Command Line Client”

2) Enter the MySQL root password we set above

3) Run the below command to create the Jamf Pro database, swapping out [MyGreatDatabase] for the database name of your choosing.

CREATE DATABASE [MyGreatDatabase];

4) Run the below command to create the JSS database user, swapping out [MyDatabaseUser] for a username of your choosing, and [MyDatabaseUserPassword] for a long and complex password for this user. Ensure it’s recorded somewhere safe.

CREATE USER '[MyDatabaseUser]'@'localhost' IDENTIFIED WITH mysql_native_password BY '[MyDatabaseUserPassword]';

5) Grant this user access to the database, swapping in the values as before:

 GRANT ALL ON [MyGreatDatabase].* TO '[MyDatabaseUser]'@'localhost';

6) Exit the application

exit

Jamf Pro Software Server Installation

1) Run the downloaded Jamf Pro Server installer .msi as the Local Administrator User (not a network user with local administration rights). Ensure to run a ‘complete’ install

2) Once complete, stop the Tomcat service (either via the command line, or via the “Services” Windows application).

3) Find the Jamf DataBase.xml file (normally in C:\Program Files\JSS\Tomcat\webapps\ROOT\WEB-INF\xml\DataBase.xml)

4) Take a backup of this file and open it in your code editor of choice

5) Edit the DataBaseName, DataBaseUser and DataBasePassword with the values set when you created the MySQL Database

6) Save and close the file

7) Start the Tomcat service, and ensure the webpage loads as required.

8) Launch the Jamf Pro Server Tools from C:\Program Files\JSS\bin\server-tools-gui.jar

9) Go to “Tomcat Settings” and find the “Tomcat maximum memory” field

10) Set this appropriately for your server (see “Configuring MySQL” – step 7 above)

11) Restart the Tomcat service.

Configure Database Backups

1) Launch the Jamf Pro Server Tools from C:\Program Files\JSS\bin\server-tools-gui.jar

2) Go to “Scheduled Backups”

3) Configure this as required

Links

• Installing Java and MySQL for Jamf Pro 10.14.0 or Later
• Configuring MySQL 8.0 for Jamf Pro
• Manually Editing the Database Connection
• Editing the Database Connection Using Jamf Pro Server Tools
• Starting and Stopping Tomcat
• Jamf Pro Web App Memory
• Backing Up the Database
• Installing Jamf Pro Using the Installer
• Creating the Jamf Pro Database Using the Jamf Pro Server Tools Command-Line Interface
• SSL Certificate

Summary

This post covers a template crib sheet / check list for a new Jamf Pro Server installation on Microsoft Windows Server. As always, if you have any questions, queries or comments, let me know below (or @daz_wallace on Mac Admins Slack) and I’ll try to respond to and delve into as many as I can.

Editing the MySQL Configuration File on Windows Server

Hey All. I recently had a requirement to install a Jamf Software Server to an on-premise Windows Server. Typically, this is not something we’d do at dataJAR, preferring to host customers on our own .mobi platform.

As part of the installation process, I had to make some tweaks to the MySQL configuration file, located at  C:\ProgramData\MySQL Server 8.x\my.ini. Typically, I’d download and use the Notepad++ free source code editor to ensure that the file remains in plain text (ANSI) and no fancy “smart” quotes or dashes are added. However as this was to only be a few edits, I decided to just rock-on with the built in Notepad App.

I made a copy of the file, made my edits as per the Jamf documentation, saved and restarted MySQL.

The service failed to start…

Huh? I must have screwed something up

My first thought was I must have used an unexpected value somewhere or otherwise ‘fat-fingered’ the changes. I restored the original copy of the file and the service started fine.

I went back in, made my changes again (being extra careful) , saved the file and restarted MySQL.

The service failed to start again…

Weird

Ok, I restored my backup file, restarted MySQL and all worked again.

This time I opened the file in Notepad, made no changes and re-saved the file. I restarted MySQL and…

The service failed to start again!

Help from the Interwebs

As with most IT issues, I did a quick Google search to try and find if someone else had the same issue. After some digging and lots of trying of ideas, I came across this post.

It turns out the default MySQL 8.0 my.ini file on Windows has some text that Notepad transforms into non-ANSI characters when you save the file, rendering the configuration file invalid!

The line in question contains the following:

1. “Unique” means that each ID must be different.

Those double quotes get changed to “smart” or curly quotes and the file is saved as non-ANSI.

The fix, or TL;DR

Either edit the file using the command line, or a code editor like Notepad++, or remove that line and have Notepad Save-As the file as ANSI.

After this, restart MySQL and the service starts as expected!

Summary

This post covers a workaround when installing MySQL 8.0+ on Windows and editing the configuration file causes the service not to start. As always, if you have any questions, queries or comments, let me know below (or @daz_wallace on Mac Admins Slack) and I’ll try to respond to and delve into as many as I can.

Session Videos are live from MacAdmins at Penn State 2019 (PSU 2019)

Hi folks,

The amazing team at PSU have finished their work and released the session videos for the 2019 conference. You can find the entire playlist on YouTube here.

This was my first non-domestic talk and (as no surprise) it was on Adobe 2019!

You can find a direct link to the video here, as well as an updated resources post here.

I’d like to take the time to thank the great crew at PSU who made an awesome conference a success. Fingers crossed that I’ll be able to make next years one!

Adobe CC2019 in Education – PSU 2019

Hi all,

If I time this right, this post should be going live about halfway through my talk at PSU on Adobe CC2019 and Shared Device Licenses in Education.

This talk is an extension and expansion of my previous meet up talk Moving out of the Pool: Adobe’s new Shared Device Licensing.

Video

Video

Slide-deck

deployment-considerations-and-workflows-for-adobe-cc2019-in-education-1.3-1.pdf

Attendee Notes

Massive thank to Nate Felton, there’s a Google Doc provided to attendees to allow them to make notes on the session. I’ve linked this here.

Links

As promised, here is a list of all the links from the presentation:

• Mac Mule: Adobe Creative Cloud 2019, The Death Of Creative Cloud Packager, Serial Numbers & Device Pool Licensing
• Mac Mule: Adobe Shared Device Licensing
• Adobe-supported identity types
• Adobe Set up the User Sync tool
• Sound Mac Guy: The Adobe User Sync Tool – I’ve got that “syncing” feeling
• Adobe Set up user identity in the Adobe Admin Console
• Adobe Enabling Single Sign-On with SAML
• Adobe Create Named User Licensing Packages
• Adobe Shared Device License Webinar
• Adobe Check expiration of volume or CC enterprise serial numbers with AdobeExpiryCheck tool
• Adobe Shared Device Licensing | Deployment guide
• Adobe Migrate from Device Licensing to Shared Device Licensing
• Adobe Uninstall products using command line
• Daz Wallace: Using Adobe Creative Cloud Packager to create an uninstaller in preparation for Adobe Creative Cloud 2019 Shared Device License deployment
• Mac Mule: Modifying the deployed CCDA after deployment 
• Sound Mac Guy: Customising the Creative Cloud Desktop App – what Adobe doesn’t tell you 
• dataJAR’s Adobe CC2019 import tool
• Daz Wallace: The Great Adobe Purge of ’19
• Adobe Coming soon – Automatic student asset migration for education

Aaand follow ups I suggest reading / viewing when you get the chance:

• Adobe Application Manager Enterprise Edition (AAMEE)
• Sound Mac Guy: Adobe Shared Device Licensing – Answers to questions you probably didn’t want to ask
• Daz Wallace: University of Utah MacAdmins Meeting, and Adobe’s new SDL licensing – The Content!
• Adobe Licensing overview
• Adobe GitHub User Sync tool configuration wizard
• Adobe Deploy Packages for Adobe Creative Cloud
• Adobe Shared Device Licensing FAQ
• Adobe Creative Cloud for education deployment resources
• Adobe Manage identity types in Adobe Enterprise Offerings
• Adobe Shared Device License 1.5 webinar 
• Adobe Shared Device Licensing | What’s new
• Adobe Recover shared device licenses
• Adobe Apps not available in Creative Cloud Packager | CC 2019
• Adobe Shared device configuration User Access Policy
• Adobe User Sync Tool Documentation
• Adobe Create Shared Device Licensing packages
• Adobe Use Adobe Remote Update Manager

The Great Adobe Purge of ’19

Earlier today, the #adobe MacAdmins Slack channel was awoken from it’s afternoon/morning slumber with the following message:

Shortly afterwards, I myself, along with other Adobe customers received the same email that can be found here

What does it mean?

Adobe have informed its customers that certain versions of certain Adobe applications are not longer part of any license. If you continue to use these unauthorised versions, you run the risk of claims of infringement by third parties.

Adobe have requested that you update or remove & upgrade (depending on how far behind you are) any unauthorised versions of software you have in your fleet. They also request you delete and (if possible) recreate any deployment installers for the affected versions.

Finally, Adobe will now only offer the latest two releases for applications via their packaging tools and the Creative Cloud Desktop App.

Which applications are these?

Adobe provided the below table:

As mentioned in the #adobe channel, the Product Versions do not match the Creative Cloud Marketing versions they ship with!

Take Photoshop, for example:

• Photoshop version 20.x is from Adobe Creative Cloud 2019
• Photoshop version 19.x is from Adobe Creative Cloud 2018

Patrick Fergus (@foigus) made a brilliant new table with the Official Marketing names as well as the applications numbers which should help Admins:

I annotated Adobe’s “authorized” applications table with “marketing” versions. Note “if an Adobe product is not listed in the table below, all versions continue to be authorized.”https://t.co/4re491pjUc pic.twitter.com/av8NY0KTzT

— Patrick Fergus (@foigus) May 8, 2019

Why?

At this point Adobe haven’t specified why this new requirement has come about. There was an incident a few years ago where they lost a case around Dolby Labs’ copyrighted materials (link) but this doesn’t seem related.

It could be to do with the new Java requirements announced by Oracle earlier this year, since a number of the Adobe products have in the past utilised the local Java runtime.

At this point in time, who knows?

Credit

Credit goes to Eric Holtam and Parick Fergus along with everyone else in #adobe who shared and discussed the above!

Summary

This post covers the changes Adobe announced earlier today in regards to older versions of their Applications. As always, if you have any questions, queries or comments, let me know below (or @daz_wallace on Mac Admins Slack) and I’ll try to respond to and delve into as many as I can.

The usual Disclaimer:

While the author has taken care to provide our readers with accurate information, please use your discretion before acting upon information based on the blog post. I will not compensate you in any way whatsoever if you ever happen to suffer a loss/inconvenience/damage because of/while making use of information in this blog.

Mass-Deploying Settings for Atom

Hi all. This one came from a discussion during a recent training course I attended. How could we deploy settings for Atom, without overwriting any settings configured by the user? Things like suppressing first run messages, and disabling auto-update?

Firstly, some detective work…

The Atom application stores it’s configuration and data files in a hidden folder, in each user’s home area at ~/.atom/

Most (if not all) of the configuration settings are stored in a file called config.cson in this directory. This includes core application settings, as well as settings for any installed packages. Forcing this file to open in a text editor shows what appears to be very similar to (but not quite) a JSON file:


This is actually a CSON (CoffeeScript Object Notation) file as detailed by the Atom developers here.

Why not just set the file up and push out to all users?

In theory, this would indeed work (assuming you deploy the file with the parent directory, and permission it appropriately), but would also wipe out any settings configured by the end user. Not ideal or user friendly!

Ok, so how can we pre-configure these settings?

My first thoughts here were to write a Bash script to work on the file, adding the configuration into whatever settings were already present. After struggling for an hour or so with this, it was pointed out that Atom supports a ‘start up’ script for configuration via the application APIs, an init.coffee file!

An init.coffee file?

Yup, this is a file located in the same ~/.atom/ directory, with the name init.coffee. The file contains configuration commands in the format:

atom.config.set('[package].[key]', '[value]')

For example, the below will suppress the welcome screen at startup:

atom.config.set('welcome.showOnStartup', 'false')

I’ve built a full example init.coffee file that will:

• Suppress the welcome screen on launch
• Turning auto-update off (ensure to patch via other methods!)
• Setting Telemetry consent to no and suppress the request.

That example file can be found here.

What else can the init.coffee file do?

To be honest, I didn’t delve too much further than this. I do know you can configure options for other packages (such as enabling the indent guide in the git-editor package), however check out the Atom developer documentation for more details.

So how can I deploy the init.coffee file?

So this init.coffee file will need to be:

• Added to each user’s home area
• Added to a directory called .atom at the root of the user’s home area
• At least readable by the user account

You have a few options for this, depending on the toolset available, and personal preferences:

1. (If you’re a Jamf customer) – Create the file in-place, package as a disk image via Jamf Composer and deploy with FEU (Fill Existing Homes) and optionally FUT (Fill User Templates) enabled.
2. (If you use Outset) – Package up the file to be deployed somewhere local, and have a ‘login once’ or ‘login always’ script to copy the file into place
3. (If you’re happy writing a LaunchAgent) – Package up the file to be deployed somewhere local, and have a Launch Agent triggered script to copy the file into place
4. (If you’re lazy!) – I’ve written up a script that can be found here. This creates the directory and writes the file out to all home folders in /Users/and all User Template folders in /System/Library/User Template. This can be triggered as a script in a Jamf policy, a Munki post-install script or a traditional postinstall script in an installation package!

Summary

This post covers a possible method for pre-configuring some helpful Atom settings for your deployment. As always, if you have any questions, queries or comments, let me know below (or @daz_wallace on Mac Admins Slack) and I’ll try to respond to and delve into as many as I can.

The usual Disclaimer:

While the author has taken care to provide our readers with accurate information, please use your discretion before acting upon information based on the blog post. I will not compensate you in any way whatsoever if you ever happen to suffer a loss/inconvenience/damage because of/while making use of information in this blog.

Firefox Configuration Profile Support

Hi all. This week I’ve been mostly recovering from coming down from the fun that was the MacADUK conference (that my employer helped curate and direct). On the last day I bumped into Mike Kaply, on his second MacADUK speaker engagement.

Some Background…

Mike may be familiar to some of you as the developer of the great Firefox Client Customisation Kit v2 (or CCK2). This tool allowed you to create a management configuration using a nice clickable GUI, instead of editing a large number of various files and key/values. The tool could then spit out an extension (that could be installed in your Firefox deployment), or a Zip file (that could be injected in your Firefox App bundle) to control a whole host of options.

I still remember spending many hours (many years ago) manually carrying out this work (which can be found with a previous-previous-employer here). With the discovery of Mike’s CCK2 solution, that workload reduced significantly. Combined with Greg Neagle’s Firefox AutoPKG recipe, it pretty much vanished!

Mike eventually moved to a more ‘in-house’ role with Firefox but still remained active in the Firefox community, including with us admins. One of the key requests that many of us still had was “proper” macOS native management tool support (e.g. Configuration Profiles)!

The Goodness!

With my own roles and employers changing, I lost track of the progress but it turns out Mike and the team got it all working with Firefox version 64!

Support is with both the (current at time of writing) mainstream Firefox release as well as the ESR. No more injecting files into the Application Bundle!

Details of the various settings and keys can be found here, however, Mike has strongly suggested, instead of building your own profiles by hand, use the great (and free) Profile Creator tool from Erik Berglund to generate your Firefox configuration profiles.

Examples!

This weekend I had a play around with some profiles and created the following 3 examples that show you what you can do. For reference, all three were tested on Firefox version 66.0.2 and Firefox ESR version 60.6.1esr:

Setting the Homepage

This profile sets Firefox to open the Homepage when opening a new tab, sets the homepage to https://datajar.co.uk and locks this setting to prevent the user from changing it.

Firefox – Set Homepage.mobileconfig

Disabling Auto-update

This profile disables Firefox’s built-in auto-update option (please ensure to patch Firefox often via an alternative system, as you should with all web browsers).

Firefox – Disable Autoupdate.mobileconfig

This is how this appears in the About menu for both Firefox and Firefox ESR

Firefox with auto-update disabled

Firefox ESR with auto-update disabled

Generic Lab Setup

This last one is a bit more interesting. It contains a whole heap of settings that I personally feel may be ideal for a lab environment, including (but not limited to):

• Homepage set (same as above)
• Auto-update disabled (same as above)
• Add-ons and profiles disabled
• Default browser check disabled
• First run and recently updated pages disabled
• Default bookmarks removed
• Proxy set (and locked) to use the macOS system proxy settings

Firefox – Lab setup.mobileconfig

Summary

This post covers a much better way to manage Firefox settings, and keeps it in line with other fully-macOS support tools. Big thanks to Mike and his team for all their work and the MacADUK team for putting on a great conference! As always, if you have any questions, queries or comments, let me know below (or @daz_wallace on Mac Admins Slack) and I’ll try to respond to and delve into as many as I can.

The usual Disclaimer:

While the author has taken care to provide our readers with accurate information, please use your discretion before acting upon information based on the blog post. I will not compensate you in any way whatsoever if you ever happen to suffer a loss/inconvenience/damage because of/while making use of information in this blog.