Full-Stack DEP: Modern Mac Deployment

I had the chance to talk at London Apple Admins 28th Meet Up @ Airbnb (July 2016).

We had three presentations:

  • “Being nice with your management tools” – Graham Gilbert, Airbnb
  • “Testing AutoPkg Recipes” – Ben Goodstein, University of Oxford
  • “Full Stack DEP: Modern Mac Deployment” – Francois Levaux-Tiffreau

I loved Graham and Ben's presentations. Graham, who recently joined Airbnb, gave us some insights on how to "Be A Host" with your users. Ben shared his techniques for automating AutoPkg recipe testing. The most important part of his story was the background. Like many universities and businesses, Oxford has more than one IT department. In fact, they have many, and they don't necessarily work together. How do you roll out a global IT project in this environment? By collaborating. Ben's goal is to allow every IT department at Oxford to create and push AutoPkg recipes.

My presentation was about focusing on end users by giving them the tools they need while minimising IT involvement. It was surprisingly close to Graham's presentation while using radically different tools.

Key takeaways:

  • Focus on your users
  • Use Apple Tools 
  • Leverage Apple Professional Services 
  • Consider MicroMDM if using Munki

Thank you to our hosts, Macmule and Graham Gilbert!


Solving SMB Performance Issues on macOS

macOS clients were experiencing performance issues both authenticating to and browsing Hitachi HNAS appliances through any DFS namespace. This led to the following issues:

  • Long delays mounting shares, browsing folders, and opening files (15s for auth dialog to appear, 15s to connect). 
  • Slow file searches
  • File corruption
  • Disappearing files
  • Crashing applications
  • Permissions problems
  • Locked files and file naming issues
  • Failed downloads when using Google Chrome to save gmail attachments directly to server
  • Microsoft Office intermittently fails to save documents opened from the server

This was solved by disabling SMB packet signing on the clients.
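SMB signing is what gives each packet an integrity check, so once it has been turned off for performance reasons it is worth being able to find the hosts where that happened. The script below is an added audit helper, not code from the post: it reads the [default] section of /etc/nsmb.conf (where macOS keeps this setting) and reports whether signing was disabled. The key name signing_required is the one Apple documents for this setting; the sample file contents are constructed for the demonstration.

```python
import configparser
import os
import tempfile

NSMB_CONF = "/etc/nsmb.conf"

# Constructed nsmb.conf contents (not files from the post). The key name
# signing_required under [default] is the one Apple documents for this
# setting; treat the exact spelling as an assumption for other macOS versions.
SAMPLE_SIGNING_DISABLED = "[default]\nsigning_required=no\n"
SAMPLE_SIGNING_DEFAULT = "[default]\nsoft=yes\n"   # key absent: macOS default (signing on)


def smb_signing_state(path=NSMB_CONF):
    """Return 'disabled' if the file turns SMB signing off, else 'required'.

    A missing file or a missing key means nothing overrides the macOS
    default, which is to sign (and so integrity-protect) SMB packets.
    """
    if not os.path.isfile(path):
        return "required"
    # nsmb.conf is INI-style: [default], [server] and [server:share] sections
    # holding key=value lines, which configparser reads directly.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read(path)
    value = parser.get("default", "signing_required", fallback="yes")
    return "disabled" if value.strip().lower() == "no" else "required"


def write_sample(contents):
    """Write constructed sample contents to a temp file and return its path."""
    fd, path = tempfile.mkstemp(prefix="nsmb-", suffix=".conf")
    with os.fdopen(fd, "w") as fh:
        fh.write(contents)
    return path


if __name__ == "__main__":
    samples = (("signing disabled", SAMPLE_SIGNING_DISABLED),
               ("macOS default", SAMPLE_SIGNING_DEFAULT))
    for label, text in samples:
        print(f"{label}: {smb_signing_state(write_sample(text))}")
    # Finally report the state of the machine the script runs on.
    print(f"this host ({NSMB_CONF}): {smb_signing_state()}")
```

Run it from your management tool's script runner, or feed the result into an inventory extension attribute, so a fleet-wide view of which clients have signing turned off stays current.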


AirWatch: Using an EAP-TLS certificate with WPA2 Enterprise (802.1X)

So now you want to get Wi-Fi.

  1. Use a cloud connector and configure Enterprise Integration to request a certificate from your Active Directory CA (ADDS) (not covered here).
  2. Create a single profile.

In this profile, you'll add two payloads:

  1. Credentials (order is important):
    1. First tab: Upload your CA, and select "Allow access to all applications" and "Allow export from Keychain"
    2. Second tab: use your machine certificate (uncheck everything)
  2. Network:
    1. check Auto-Join
    2. WPA/WPA2 Enterprise. For some reason, if I choose only "WPA2 Enterprise", it fails. But it will then connect as WPA2.
    3. Uncheck "User logs in to authenticate with the network"
    4. Protocols: EAP-TLS
    5. Username: {EnrollmentUser}
    6. Identity Certificate: Certificate #2 (This is why order is important).
    7. Trusted certificates: Check both
    8. Allow trust exceptions: Check
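The ordering rule in the steps above matters because the Network payload refers to the credential payloads by UUID: the identity certificate must resolve to the PKCS#12 payload and the trusted certificates to the CA payload. The following is an added example, not code from the post or from AirWatch, that builds the equivalent profile as a plist and checks those cross-references before the profile is pushed. The payload type and key names (com.apple.wifi.managed, EAPClientConfiguration, AcceptEAPTypes, PayloadCertificateUUID, PayloadCertificateAnchorUUID, TLSAllowTrustExceptions) are taken from Apple's Configuration Profile Reference; the SSID, identifiers, UUIDs and certificate bytes are constructed placeholders.

```python
import plistlib
import uuid

# Constructed UUIDs for the sample payloads (not values from the post).
CA_UUID = str(uuid.UUID(int=1)).upper()
IDENTITY_UUID = str(uuid.UUID(int=2)).upper()
PROFILE_UUID = str(uuid.UUID(int=3)).upper()
EAP_TLS = 13  # EAP method number for EAP-TLS (RFC 5216), as listed in AcceptEAPTypes


def build_wifi_profile(identity_uuid=IDENTITY_UUID, anchors=(CA_UUID,)):
    """Build a profile dict with a CA payload, a PKCS#12 identity payload and a
    Wi-Fi payload wired together the way the AirWatch steps above describe."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "org.example.wifi.eaptls",   # hypothetical identifier
        "PayloadUUID": PROFILE_UUID,
        "PayloadDisplayName": "Corp Wi-Fi (EAP-TLS)",
        "PayloadContent": [
            {   # Credentials, first tab: the CA certificate (trust anchor)
                "PayloadType": "com.apple.security.root",
                "PayloadVersion": 1,
                "PayloadIdentifier": "org.example.wifi.ca",
                "PayloadUUID": CA_UUID,
                "PayloadContent": b"CONSTRUCTED-DER-CA-CERT",   # placeholder bytes
            },
            {   # Credentials, second tab: the machine identity (cert + private key)
                "PayloadType": "com.apple.security.pkcs12",
                "PayloadVersion": 1,
                "PayloadIdentifier": "org.example.wifi.identity",
                "PayloadUUID": IDENTITY_UUID,
                "PayloadContent": b"CONSTRUCTED-PKCS12-BLOB",   # placeholder bytes
            },
            {   # Network payload
                "PayloadType": "com.apple.wifi.managed",
                "PayloadVersion": 1,
                "PayloadIdentifier": "org.example.wifi.network",
                "PayloadUUID": str(uuid.UUID(int=4)).upper(),
                "SSID_STR": "CorpWiFi",            # constructed SSID
                "AutoJoin": True,
                "EncryptionType": "WPA2",
                "PayloadCertificateUUID": identity_uuid,   # "Identity Certificate: Certificate #2"
                "EAPClientConfiguration": {
                    "AcceptEAPTypes": [EAP_TLS],             # "Protocols: EAP-TLS"
                    "UserName": "{EnrollmentUser}",
                    "PayloadCertificateAnchorUUID": list(anchors),   # "Trusted certificates"
                    "TLSAllowTrustExceptions": True,                 # "Allow trust exceptions"
                },
            },
        ],
    }


def check_wifi_profile(profile):
    """Return a list of problems; an empty list means every reference resolves."""
    payloads = profile.get("PayloadContent", [])
    by_uuid = {p.get("PayloadUUID"): p for p in payloads}
    problems = []
    wifi_payloads = [p for p in payloads if p.get("PayloadType") == "com.apple.wifi.managed"]
    if not wifi_payloads:
        return ["no com.apple.wifi.managed payload in profile"]
    for wifi in wifi_payloads:
        eap = wifi.get("EAPClientConfiguration", {})
        if EAP_TLS not in eap.get("AcceptEAPTypes", []):
            problems.append("EAP-TLS (type 13) is not in AcceptEAPTypes")
        identity = by_uuid.get(wifi.get("PayloadCertificateUUID"))
        if identity is None or identity.get("PayloadType") != "com.apple.security.pkcs12":
            problems.append("PayloadCertificateUUID does not point at a PKCS#12 identity payload")
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        if not anchors:
            problems.append("no trusted CA anchors: server certificate would not be validated")
        for anchor in anchors:
            anchor_type = by_uuid.get(anchor, {}).get("PayloadType")
            if anchor_type not in ("com.apple.security.root", "com.apple.security.pkcs1"):
                problems.append(f"anchor {anchor} is not a certificate payload")
    return problems


def profile_to_mobileconfig(profile):
    """Serialize to the XML plist form that ships as a .mobileconfig file."""
    return plistlib.dumps(profile)


def load_mobileconfig(data):
    """Parse .mobileconfig bytes back into a dict (unsigned profiles only)."""
    return plistlib.loads(data)


if __name__ == "__main__":
    print("correct order:", check_wifi_profile(build_wifi_profile()))
    # Swapped credentials: the identity reference now points at the CA payload.
    print("swapped order:", check_wifi_profile(build_wifi_profile(identity_uuid=CA_UUID)))
```

Running the checker against a profile exported from the console is a quick way to confirm that the second credential really is the one the Network payload uses, which is the mistake the ordering note above guards against.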

Using AirWatch with Munki

So you want to use AirWatch, but you're unsure about the viability of their Self Service or package management system. I understand. Let me show you the basic way to do it.

You need 3 Devices > File/Actions:

  1. Munki Tools: Download and install latest release. Then upload it to /Library/AW and set Manifest to Install=/Library/AW/munkitools-xx.yy.pkg
  2. Munki Bootstrap: Run=/usr/bin/touch /Users/Shared/.com.googlecode.munki.checkandinstallatstartup
  3. Munki Forcerun: Run=/usr/local/munki/managedsoftwareupdate --auto

I'm aware Forcerun is bad practice and you should reboot before. But I was told by Greg that worst case scenario nothing works until next reboot. I think I'm safe enough.

You need 1 Devices > Products:

  1. Create a product that includes the three File/Actions before.

You need 1 Devices > Profiles:

  1. Custom Settings
<dict>
    <key>PayloadDisplayName</key>
    <string>MacLovin - Munki (Demonstration Setup)</string>
    <key>PayloadEnabled</key>
    <true />
    <key>PayloadIdentifier</key>
    <string>org.maclovin.munki.test</string>
    <key>PayloadUUID</key>
    <string>8214F1A8-0E65-422C-A82C-088502A14FD6</string>
    <key>PayloadType</key>
    <string>ManagedInstalls</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>SoftwareRepoURL</key>
    <string>http://munki.maclovin.org/munki_repo</string>
    <key>ClientIdentifier</key>
    <string>test_munki_client</string>
</dict>

Now have fun and let me know!

Casper: Forget a package

Forgetting a package is a good way to troubleshoot some behaviours. It doesn't install anything, but the computer will believe the package was never installed.

Installer.app/SWU

For OS X packages installed by Installer.app or Software Update, simply use sudo pkgutil --forget [package_id]. You can list the currently installed packages with pkgutil --pkgs.

This will get updated at next recon to Inventory > Package Receipts > Installer.app/SWU.

Casper Suite

To change this (unrelated) list, you need to delete the relevant file in /Library/Application Support/JAMF/Receipts, then run sudo jamf recon.

Again, this doesn't do anything but change inventory.