London Apple Admins, Mac Admin

Configuring Azure SSO in Jamf Pro – A Better Way?

Hi All. Time for another post from the tales of an Integrator!

This time I was helping a customer integrator Azure Active Directory with Jamf Cloud for SSO/SAML. Now Jamf has a number of KB articles on the matter but there’s always a window between the last time these are updated and when an IdP vender makes some changes. Additionally, sometimes it’s helpful to utilise a guide written from a different prospective to get a better understanding.

A New Hope Guide

After searching around for updated guides and more information, I stumbled across a new guide from Microsoft themselves. This can be found here

Tutorial: Azure Active Directory integration with Jamf Pro

Why is this better?

Well, firstly it should be more current with the Azure specific options (since both the KB and Azure are under Microsoft’s control).

Secondly, was this little gem I found part-way through:

That’s right! you can install a Microsoft browser extension that will automatically configure the SSO settings in your Jamf Cloud console with the right options!

This should speed up the process, as well as reduce mistakes and miss-configurations!

I’m afraid there doesn’t seem to be an extension for Safari, so you’ll have to use Chrome or Firefox. If anyone has a chance to test with IE and Edge, let me know and I’ll update the post.

I’ve also included links to the Jamf KBs below:

Summary

This post covers a different (arguably better) way to setup Azure SSO with Jamf Pro. As always, if you have any questions, queries or comments, let me know below (or @daz_wallace on Mac Admins Slack) and I’ll try to respond to and delve into as many as I can.

The usual Disclaimer:

While the author has taken care to provide our readers with accurate information, please use your discretion before acting upon information based on the blog post. I will not compensate you in any way whatsoever if you ever happen to suffer a loss/inconvenience/damage because of/while making use of information in this blog.

Standard
London Apple Admins, Mac Admin

Grabbing packages out of Jamf Cloud DP

Hi All,

This is something I’ve seen crop up in Slack a few times recently so I thought I’d write something up! When you upload packages, is there a built-in method to grab a copy of those installers out of a Jamf Cloud Distribution Point (JCDP)?

Grabbing those Packages

With a traditional File Share Distribution Point (FSDP) you could simply mount the File Share, or go via the host server OS and grab whatever packages you require.

Currently, there is no official method for re-grabbing packages you upload to a JCDP (at least not yet?). An ongoing suggestion would be to ensure you keep a copy of packages you upload to a JCDP somewhere locally. But that’s not gonna help you if you’ve already got stuff already uploaded.

The How

1) Grab a Mac or a VM you have enrolled in your Jamf Instance

2) Create a new policy, and add this device to the scope

3) Using the “Package” section, add the package you need a copy of.

4) Ensure to select “Cache” from the “Action” drop down menu

5) Run the policy on your Mac from step 1. This can be via a Self Service policy, recurring check in trigger or a manual trigger

6) Once the policy has run (successfully!), open up Terminal on the Mac. Switch to root / sudo.

7) Use the cd command to navigate to /Library/Application Support/JAMF/Waiting Room/

cd /Library/Application\ Support/JAMF/Waiting\ Room/

8) If you run an ls command here, you should see your package cached locally

ls -al

9) Use the cp command to copy the installer package to your desktop folder

cp ./[package name] /Users/[username]/Desktop/

10) Change the permissions on the package to make it usable

chmod -R [username] /Users/[username]/Desktop/[package name]

11) There you go, the package should be on your desktop, ready for use elsewhere.

12) Delete the policy you create in step 2

13) Repeat the steps above for each package you need.

Feature Request Time!

Ok I’ll admit, this is rather long. If you agree, check out this Feature Request and get upvoting!

Summary

This post covered how to grab packages back out of your Jamf Cloud Distribution Point. As always, if you have any questions, queries or comments, let me know below (or @daz_wallace on Mac Admins Slack) and I’ll try to respond to and delve into as many as I can.

The usual Disclaimer:

While the author has taken care to provide our readers with accurate information, please use your discretion before acting upon information based on the blog post. I will not compensate you in any way whatsoever if you ever happen to suffer a loss/inconvenience/damage because of/while making use of information in this blog.

Standard
London Apple Admins, Mac Admin

Using Autopkg for package Uploads to Jamf Cloud only

Hi all, in a follow up to a previous post on using AutoPKGr with Jamf Cloud (Using AutoPKGr with a Jamf Cloud Distribution Point), I worked with a second customer on how to use the same system, but only to upload the packages. No smart groups, no policies, just the packages!

But….Why?

A fair question. If you wish to utilise the included Patch Management system you will need to upload packages ready to link them to software versions. As explained in the previous post, this could be a manual task.

Alternatively you can use the AutoPKG recipes to package and upload your software patches, but this will also include smart groups and policies (since this pre-dates the Jamf Patch Management system).

What if you could have the best of both worlds? What if you could use AutoPKG/r to package and upload software to your Jamf Cloud server , ready for you to link to your Patch Policies / Versions?

Turns out, you can!

How?

So to do this, I took an example .jss policy (in this case the Firefox one) and started removing the various Arguments keys until I found the minimum required. Turns out, it’s only one!

            <key>prod_name</key>
            <string>%NAME%</string>

That key alone will upload the package into your Jamf Cloud server without any of the Smart Groups or Policies. But, it will also upload it without a category, so if you need / want this, you’ll need the second key:

            <key>category</key>
            <string>CATEGORY GOES HERE</string>

The JSSImporter processor will automatically create this category if required, upload the package and set the category.

Please Note: In order to avoid confusion with already existing .jss recipes, I’d suggest using .jss-upload instead of .jss

How does that look?

Well altogether, the process section of the recipe looks as follows:

<key>Process</key>
<array>
    <dict>
        <key>Arguments</key>
        <dict>
            <key>category</key>
            <string>CATEGORY GOES HERE</string>
            <key>prod_name</key>
            <string>%NAME%</string>
        </dict>
        <key>Processor</key>
        <string>JSSImporter</string>
    </dict>
</array>

I’ve uploaded an example of the changes to a Firefox recipe here.

Summary

This post covers how to create an AutoPKG recipe to only upload packages to your Jamf Pro server. As always, if you have any questions, queries or comments, let me know below (or @daz_wallace on Mac Admins Slack) and I’ll try to respond to and delve into as many as I can.

The usual Disclaimer:

While the author has taken care to provide our readers with accurate information, please use your discretion before acting upon information based on the blog post. I will not compensate you in any way whatsoever if you ever happen to suffer a loss/inconvenience/damage because of/while making use of information in this blog.

Standard
London Apple Admins, Mac Admin

Using Adobe Creative Cloud Packager to create an uninstaller in preparation for Adobe Creative Cloud 2019 Shared Device License deployment

Hi All. So I was thinking….what’s the longest blog title I can legitimately use?

On a serious note, as part of most Adobe CC2019 deployments you’ll want to remove any previous Adobe Applications you have installed. Additionally, this is required if you’re moving from Device Licensing (Legacy – aka DL), to Shared Device Licensing (SDL) and CC2019.

If, when building your deployment packages, you kept the matching uninstaller packages, you can use these to uninstall the specific versions of your Adobe products.

You can also use the installed Command Line Tool to uninstall products, as long as you can look up the specific sapCodes and baseVersions (more info).

However, not everyone has kept these packages or fancies digging around the CLI tool. Or maybe you’re not sure exactly what versions of Adobe products you have installed on your fleet, and just want to remove them all. In that case, this post might be of help to you!

Please Note: Adobe Creative Cloud Packager (CCP) is not compatible with CC2019 and so you could argue it’s days are numbered! While the tool is still available, feel free to utilise it as required.

Downloading and ‘Installing’ Adobe Creative Cloud Packager

So first of all, let’s cover getting a copy of the Adobe Creative Cloud Packager (CCP). If you already have a copy installed, launch this from your Mac from the location /Applications/Utilities/Adobe Application Manager/CCP/CreativeCloudPackager.app and skip this section.

If not, read on:

1) Navigate to the Adobe Admin console at https://adminconsole.adobe.com

2) Login with an Adobe Admin ID who has access to your portal

3) Click “Packages” then “Tools” and then “Download for Mac” in the “Creative Cloud Packager” section

4) Once downloaded, mount the “CCPLauncher” disk image and open the “CCPLauncher” App inside

5) The App will firstly download the most up to date version of the CCP App, then ask for Admin rights to install this on the local device.

6) Once finished up, the launcher will also open the main CCP App. For future usage, you can launch this directly on this Mac from /Applications/Utilities/Adobe Application Manager/CCP/CreativeCloudPackager.app

Generating an Adobe Uninstaller

1) Once you’ve got the CCP App open, you’ll need to review the Software License Agreement. If you’re happy with these terms, click “Accept”

2) On the product selection screen, select the product your institute has purchased. In this example, I’ve gone for the lower section.

3) The CCP App will relaunch and you’ll need to log into an Admin Adobe ID. Do this and click “Sign in”. The CCP will do some background work that can between a few seconds, and up to 15 minutes (in one rare instance!)

4) Shortly, you should be back at a more…responsive page. This will show a warning that CCP is not for CC2019 usage. Scroll down until you can see a section called “Create Uninstall Package”. Click this.

5) Give your uninstall an appropriate name and an output location. Click “Next”

6) Now you get a chance to select the Apps you’d like to remove via this tool. If you expand a product section (in this example Photoshop), you can pick specific versions of the Adobe Apps to remove.

7) If you’re only concerned with removing all older Adobe versions, check the “Select All” box and click “Build”

8) After a few seconds, the CCP App will complete the Uninstaller build and output the result to the location you specified in step 5

9) The output of this won’t actually be an installer package, but rather a binary and an XML Config file

Using the CCP Uninstaller Output

So, you’ve done all this work, and all you got was a lousy T-Shirt binary and config file! The last part of the puzzle is using these to carry out the removals.

The binary file is a CLI tool (more info) that is used to complete the uninstall task/s. The syntax for this is (all on one line):

/path/to/AdobeCCUninstaller --uninstallConfigPath=/path/to/AdobeCCUninstallerConfig.xml

My suggestion would be to create a new macOS Installer Package that adds the above folder to /private/tmp/, then runs a post-install script with the above command.

In our example, this would be /private/tmp/Adobe\ Uninstall\ all\ non-CC2019\ Apps/AdobeCCUninstaller \

--uninstallConfigPath=/private/tmp/Adobe\ Uninstall\ all\ non-CC2019\ Apps/AdobeCCUninstallerConfig.xml.

This new package can then be deployed by your management / deployment system of choice before you roll out your CC2019 Apps and SDL packages.

One last note, I did have two Apps left behind when I used this method, Adobe Scout and the Adobe Gaming SDK. I ended up writing a post-install / task script utilising the rm -R /path/to/App command to removing these two Apps.

Summary

This post covers using CCP to create an uninstaller solution for all currently installed Adobe CC Apps prior to a CC2019 SDL rollout. As always, if you have any questions, queries or comments, let me know below (or @daz_wallace on Mac Admins Slack) and I’ll try to respond to and delve into as many as I can.

The usual Disclaimer:

While the author has taken care to provide our readers with accurate information, please use your discretion before acting upon information based on the blog post. I will not compensate you in any way whatsoever if you ever happen to suffer a loss/inconvenience/damage because of/while making use of information in this blog.

Standard