London Apple Admins, Mac Admin

Session Videos are live from MacAdmins at Penn State 2019 (PSU 2019)

Hi folks,

The amazing team at PSU have finished their work and released the session videos for the 2019 conference. You can find the entire playlist on YouTube here.

This was my first non-domestic talk and (as no surprise) it was on Adobe 2019!

You can find a direct link to the video here, as well as an updated resources post here.

I’d like to take the time to thank the great crew at PSU who made an awesome conference a success. Fingers crossed that I’ll be able to make next years one!

Standard
London Apple Admins, Mac Admin

Adobe CC2019 in Education – PSU 2019

Hi all,

If I time this right, this post should be going live about halfway through my talk at PSU on Adobe CC2019 and Shared Device Licenses in Education.

This talk is an extension and expansion of my previous meet up talk Moving out of the Pool: Adobe’s new Shared Device Licensing.

Video

Video

Slide-deck

Attendee Notes

Massive thank to Nate Felton, there’s a Google Doc provided to attendees to allow them to make notes on the session. I’ve linked this here.

Links

As promised, here is a list of all the links from the presentation:

Aaand follow ups I suggest reading / viewing when you get the chance:

Standard
London Apple Admins, Mac Admin

Firefox Configuration Profile Support

Hi all. This week I’ve been mostly recovering from coming down from the fun that was the MacADUK conference (that my employer helped curate and direct). On the last day I bumped into Mike Kaply, on his second MacADUK speaker engagement.

Some Background…

Mike may be familiar to some of you as the developer of the great Firefox Client Customisation Kit v2 (or CCK2). This tool allowed you to create a management configuration using a nice clickable GUI, instead of editing a large number of various files and key/values. The tool could then spit out an extension (that could be installed in your Firefox deployment), or a Zip file (that could be injected in your Firefox App bundle) to control a whole host of options.

I still remember spending many hours (many years ago) manually carrying out this work (which can be found with a previous-previous-employer here). With the discovery of Mike’s CCK2 solution, that workload reduced significantly. Combined with Greg Neagle’s Firefox AutoPKG recipe, it pretty much vanished!

Mike eventually moved to a more ‘in-house’ role with Firefox but still remained active in the Firefox community, including with us admins. One of the key requests that many of us still had was “proper” macOS native management tool support (e.g. Configuration Profiles)!

The Goodness!

With my own roles and employers changing, I lost track of the progress but it turns out Mike and the team got it all working with Firefox version 64!

Support is with both the (current at time of writing) mainstream Firefox release as well as the ESR. No more injecting files into the Application Bundle!

Details of the various settings and keys can be found here, however, Mike has strongly suggested, instead of building your own profiles by hand, use the great (and free) Profile Creator tool from Erik Berglund to generate your Firefox configuration profiles.

Examples!

This weekend I had a play around with some profiles and created the following 3 examples that show you what you can do. For reference, all three were tested on Firefox version 66.0.2 and Firefox ESR version 60.6.1esr:

Setting the Homepage

This profile sets Firefox to open the Homepage when opening a new tab, sets the homepage to https://datajar.co.uk and locks this setting to prevent the user from changing it.

Firefox – Set Homepage.mobileconfig

Disabling Auto-update

This profile disables Firefox’s built-in auto-update option (please ensure to patch Firefox often via an alternative system, as you should with all web browsers).

Firefox – Disable Autoupdate.mobileconfig

This is how this appears in the About menu for both Firefox and Firefox ESR

Firefox with auto-update disabled
Firefox ESR with auto-update disabled

Generic Lab Setup

This last one is a bit more interesting. It contains a whole heap of settings that I personally feel may be ideal for a lab environment, including (but not limited to):

  • Homepage set (same as above)
  • Auto-update disabled (same as above)
  • Add-ons and profiles disabled
  • Default browser check disabled
  • First run and recently updated pages disabled
  • Default bookmarks removed
  • Proxy set (and locked) to use the macOS system proxy settings

Firefox – Lab setup.mobileconfig

Summary

This post covers a much better way to manage Firefox settings, and keeps it in line with other fully-macOS support tools. Big thanks to Mike and his team for all their work and the MacADUK team for putting on a great conference! As always, if you have any questions, queries or comments, let me know below (or @daz_wallace on Mac Admins Slack) and I’ll try to respond to and delve into as many as I can.

The usual Disclaimer:

While the author has taken care to provide our readers with accurate information, please use your discretion before acting upon information based on the blog post. I will not compensate you in any way whatsoever if you ever happen to suffer a loss/inconvenience/damage because of/while making use of information in this blog.

Standard
London Apple Admins, Mac Admin

Configuring Azure SSO in Jamf Pro – A Better Way?

Hi All. Time for another post from the tales of an Integrator!

This time I was helping a customer integrator Azure Active Directory with Jamf Cloud for SSO/SAML. Now Jamf has a number of KB articles on the matter but there’s always a window between the last time these are updated and when an IdP vender makes some changes. Additionally, sometimes it’s helpful to utilise a guide written from a different prospective to get a better understanding.

A New Hope Guide

After searching around for updated guides and more information, I stumbled across a new guide from Microsoft themselves. This can be found here

Tutorial: Azure Active Directory integration with Jamf Pro

Why is this better?

Well, firstly it should be more current with the Azure specific options (since both the KB and Azure are under Microsoft’s control).

Secondly, was this little gem I found part-way through:

That’s right! you can install a Microsoft browser extension that will automatically configure the SSO settings in your Jamf Cloud console with the right options!

This should speed up the process, as well as reduce mistakes and miss-configurations!

I’m afraid there doesn’t seem to be an extension for Safari, so you’ll have to use Chrome or Firefox. If anyone has a chance to test with IE and Edge, let me know and I’ll update the post.

I’ve also included links to the Jamf KBs below:

Summary

This post covers a different (arguably better) way to setup Azure SSO with Jamf Pro. As always, if you have any questions, queries or comments, let me know below (or @daz_wallace on Mac Admins Slack) and I’ll try to respond to and delve into as many as I can.

The usual Disclaimer:

While the author has taken care to provide our readers with accurate information, please use your discretion before acting upon information based on the blog post. I will not compensate you in any way whatsoever if you ever happen to suffer a loss/inconvenience/damage because of/while making use of information in this blog.

Standard
London Apple Admins, Mac Admin

Grabbing packages out of Jamf Cloud DP

Hi All,

This is something I’ve seen crop up in Slack a few times recently so I thought I’d write something up! When you upload packages, is there a built-in method to grab a copy of those installers out of a Jamf Cloud Distribution Point (JCDP)?

Grabbing those Packages

With a traditional File Share Distribution Point (FSDP) you could simply mount the File Share, or go via the host server OS and grab whatever packages you require.

Currently, there is no official method for re-grabbing packages you upload to a JCDP (at least not yet?). An ongoing suggestion would be to ensure you keep a copy of packages you upload to a JCDP somewhere locally. But that’s not gonna help you if you’ve already got stuff already uploaded.

The How

1) Grab a Mac or a VM you have enrolled in your Jamf Instance

2) Create a new policy, and add this device to the scope

3) Using the “Package” section, add the package you need a copy of.

4) Ensure to select “Cache” from the “Action” drop down menu

5) Run the policy on your Mac from step 1. This can be via a Self Service policy, recurring check in trigger or a manual trigger

6) Once the policy has run (successfully!), open up Terminal on the Mac. Switch to root / sudo.

7) Use the cd command to navigate to /Library/Application Support/JAMF/Waiting Room/

cd /Library/Application\ Support/JAMF/Waiting\ Room/

8) If you run an ls command here, you should see your package cached locally

ls -al

9) Use the cp command to copy the installer package to your desktop folder

cp ./[package name] /Users/[username]/Desktop/

10) Change the permissions on the package to make it usable

chmod -R [username] /Users/[username]/Desktop/[package name]

11) There you go, the package should be on your desktop, ready for use elsewhere.

12) Delete the policy you create in step 2

13) Repeat the steps above for each package you need.

Feature Request Time!

Ok I’ll admit, this is rather long. If you agree, check out this Feature Request and get upvoting!

Summary

This post covered how to grab packages back out of your Jamf Cloud Distribution Point. As always, if you have any questions, queries or comments, let me know below (or @daz_wallace on Mac Admins Slack) and I’ll try to respond to and delve into as many as I can.

The usual Disclaimer:

While the author has taken care to provide our readers with accurate information, please use your discretion before acting upon information based on the blog post. I will not compensate you in any way whatsoever if you ever happen to suffer a loss/inconvenience/damage because of/while making use of information in this blog.

Standard
London Apple Admins, Mac Admin

Using Autopkg for package Uploads to Jamf Cloud only

Hi all, in a follow up to a previous post on using AutoPKGr with Jamf Cloud (Using AutoPKGr with a Jamf Cloud Distribution Point), I worked with a second customer on how to use the same system, but only to upload the packages. No smart groups, no policies, just the packages!

But….Why?

A fair question. If you wish to utilise the included Patch Management system you will need to upload packages ready to link them to software versions. As explained in the previous post, this could be a manual task.

Alternatively you can use the AutoPKG recipes to package and upload your software patches, but this will also include smart groups and policies (since this pre-dates the Jamf Patch Management system).

What if you could have the best of both worlds? What if you could use AutoPKG/r to package and upload software to your Jamf Cloud server , ready for you to link to your Patch Policies / Versions?

Turns out, you can!

How?

So to do this, I took an example .jss policy (in this case the Firefox one) and started removing the various Arguments keys until I found the minimum required. Turns out, it’s only one!

            <key>prod_name</key>
            <string>%NAME%</string>

That key alone will upload the package into your Jamf Cloud server without any of the Smart Groups or Policies. But, it will also upload it without a category, so if you need / want this, you’ll need the second key:

            <key>category</key>
            <string>CATEGORY GOES HERE</string>

The JSSImporter processor will automatically create this category if required, upload the package and set the category.

Please Note: In order to avoid confusion with already existing .jss recipes, I’d suggest using .jss-upload instead of .jss

How does that look?

Well altogether, the process section of the recipe looks as follows:

<key>Process</key>
<array>
    <dict>
        <key>Arguments</key>
        <dict>
            <key>category</key>
            <string>CATEGORY GOES HERE</string>
            <key>prod_name</key>
            <string>%NAME%</string>
        </dict>
        <key>Processor</key>
        <string>JSSImporter</string>
    </dict>
</array>

I’ve uploaded an example of the changes to a Firefox recipe here.

Summary

This post covers how to create an AutoPKG recipe to only upload packages to your Jamf Pro server. As always, if you have any questions, queries or comments, let me know below (or @daz_wallace on Mac Admins Slack) and I’ll try to respond to and delve into as many as I can.

The usual Disclaimer:

While the author has taken care to provide our readers with accurate information, please use your discretion before acting upon information based on the blog post. I will not compensate you in any way whatsoever if you ever happen to suffer a loss/inconvenience/damage because of/while making use of information in this blog.

Standard
London Apple Admins, Mac Admin

Using Adobe Creative Cloud Packager to create an uninstaller in preparation for Adobe Creative Cloud 2019 Shared Device License deployment

Hi All. So I was thinking….what’s the longest blog title I can legitimately use?

On a serious note, as part of most Adobe CC2019 deployments you’ll want to remove any previous Adobe Applications you have installed. Additionally, this is required if you’re moving from Device Licensing (Legacy – aka DL), to Shared Device Licensing (SDL) and CC2019.

If, when building your deployment packages, you kept the matching uninstaller packages, you can use these to uninstall the specific versions of your Adobe products.

You can also use the installed Command Line Tool to uninstall products, as long as you can look up the specific sapCodes and baseVersions (more info).

However, not everyone has kept these packages or fancies digging around the CLI tool. Or maybe you’re not sure exactly what versions of Adobe products you have installed on your fleet, and just want to remove them all. In that case, this post might be of help to you!

Please Note: Adobe Creative Cloud Packager (CCP) is not compatible with CC2019 and so you could argue it’s days are numbered! While the tool is still available, feel free to utilise it as required.

Downloading and ‘Installing’ Adobe Creative Cloud Packager

So first of all, let’s cover getting a copy of the Adobe Creative Cloud Packager (CCP). If you already have a copy installed, launch this from your Mac from the location /Applications/Utilities/Adobe Application Manager/CCP/CreativeCloudPackager.app and skip this section.

If not, read on:

1) Navigate to the Adobe Admin console at https://adminconsole.adobe.com

2) Login with an Adobe Admin ID who has access to your portal

3) Click “Packages” then “Tools” and then “Download for Mac” in the “Creative Cloud Packager” section

4) Once downloaded, mount the “CCPLauncher” disk image and open the “CCPLauncher” App inside

5) The App will firstly download the most up to date version of the CCP App, then ask for Admin rights to install this on the local device.

6) Once finished up, the launcher will also open the main CCP App. For future usage, you can launch this directly on this Mac from /Applications/Utilities/Adobe Application Manager/CCP/CreativeCloudPackager.app

Generating an Adobe Uninstaller

1) Once you’ve got the CCP App open, you’ll need to review the Software License Agreement. If you’re happy with these terms, click “Accept”

2) On the product selection screen, select the product your institute has purchased. In this example, I’ve gone for the lower section.

3) The CCP App will relaunch and you’ll need to log into an Admin Adobe ID. Do this and click “Sign in”. The CCP will do some background work that can between a few seconds, and up to 15 minutes (in one rare instance!)

4) Shortly, you should be back at a more…responsive page. This will show a warning that CCP is not for CC2019 usage. Scroll down until you can see a section called “Create Uninstall Package”. Click this.

5) Give your uninstall an appropriate name and an output location. Click “Next”

6) Now you get a chance to select the Apps you’d like to remove via this tool. If you expand a product section (in this example Photoshop), you can pick specific versions of the Adobe Apps to remove.

7) If you’re only concerned with removing all older Adobe versions, check the “Select All” box and click “Build”

8) After a few seconds, the CCP App will complete the Uninstaller build and output the result to the location you specified in step 5

9) The output of this won’t actually be an installer package, but rather a binary and an XML Config file

Using the CCP Uninstaller Output

So, you’ve done all this work, and all you got was a lousy T-Shirt binary and config file! The last part of the puzzle is using these to carry out the removals.

The binary file is a CLI tool (more info) that is used to complete the uninstall task/s. The syntax for this is (all on one line):

/path/to/AdobeCCUninstaller --uninstallConfigPath=/path/to/AdobeCCUninstallerConfig.xml

My suggestion would be to create a new macOS Installer Package that adds the above folder to /private/tmp/, then runs a post-install script with the above command.

In our example, this would be /private/tmp/Adobe\ Uninstall\ all\ non-CC2019\ Apps/AdobeCCUninstaller \

--uninstallConfigPath=/private/tmp/Adobe\ Uninstall\ all\ non-CC2019\ Apps/AdobeCCUninstallerConfig.xml.

This new package can then be deployed by your management / deployment system of choice before you roll out your CC2019 Apps and SDL packages.

One last note, I did have two Apps left behind when I used this method, Adobe Scout and the Adobe Gaming SDK. I ended up writing a post-install / task script utilising the rm -R /path/to/App command to removing these two Apps.

Summary

This post covers using CCP to create an uninstaller solution for all currently installed Adobe CC Apps prior to a CC2019 SDL rollout. As always, if you have any questions, queries or comments, let me know below (or @daz_wallace on Mac Admins Slack) and I’ll try to respond to and delve into as many as I can.

The usual Disclaimer:

While the author has taken care to provide our readers with accurate information, please use your discretion before acting upon information based on the blog post. I will not compensate you in any way whatsoever if you ever happen to suffer a loss/inconvenience/damage because of/while making use of information in this blog.

Standard