Wednesday, October 22, 2014

#jnuc #jamf 10/22 - Small and Medium Rollouts (Bushel)

Preparing for the Bushel preso

Why I chose this session:

I originally chose this because it looked like something that might apply to me at the education service center. During the keynote, JAMF revealed a new program called "Bushel" that is targeted at small-to-medium businesses with an easier-to-use product (read: fewer features and/or less access to advanced features). I am very interested to see how I might leverage this new program.

What I learned:

Enterprise Tools - lots of features; useful, help users, etc.
What about smaller business? Need a "playground" with someone else to monitor. Small biz generally does not have the monitor. Shadow IT? Maybe, but can lack time, budget.

What if MDM was simple? Centrally managed, didn't need hands-on IT assistance all the time. Compliance?

Bushel is a new product, for people whose primary function is not IT but who have a hand in IT.

Bushel does NOT need:
- Jumpstart, training, VPP Codes, scripts, imaging, packages, user accounts...

Bushel - free for 3 devices forever. After that $2/device/month. Hosted system.

Steps to walk through Push Certificates. Download cert, hand off to Bushel. Set up devices.

Various settings to push out: Security, Email, Apps (Managed VPP), invite users, Devices (various enrollment scenarios)

Devices can show status, perform various actions (remove passcode, lock device, wipe, remove corporate data, unenroll device)

Live Chat support available at all times, globally

User gets device, walks through setup, device gets enrolled and configured.

Very simple, straightforward

Currently INVITE-ONLY (at time of this writing).

How far does this scale? Not a technical issue, but logistical. This is for one group. So, not for entire district, but maybe for one grade. Essentially need a homogenous group. Not meant for different groups/kinds of users.

Will consultants be given a high-level view of multiple accounts? So far, no. May scale out a type of "admin panel."

If you already have Casper, is Bushel for me? Overall, this is not for Casper users. Will you be able to up/downgrade in the future? That is in the pipeline. The ability to see your Bushel devices within Casper might be in the works.

Will not work with Casper Focus (this is not Casper).

Could have separate Bushel accounts for each "group" of users, if trying to leverage this in that manner. Not really the appropriate fit for Bushel, but could pilot the program before rolling out on larger scale. Another example would be carts - don't need Casper, necessarily, but still want management.

Is this cloud-only? Yes. Hosted in US right now. Plan to host in EU.

Single-App mode is a Casper feature, not appropriate for Bushel.

Other Q&A, mostly stemming from the highly-technical folks in the room. This is NOT for the tech folks running Casper, so was a challenge to release this product in front of this group.

Jeff took a picture of me taking a picture of the trees.


#jnuc #jamf 10/22 - Simplifying VPP

Comparing VPP to a public library

Why I chose this:

VPP is a key component to any Apple-related mass rollout and management system. I am hoping to grab some tips and hints to help me handle our VPP better.

What I learned (These are loose notes and will be missing actual steps):

JSS Framework
Users, VPP Invitations, VPP Assignments, VPP Content Deployment

Compared VPP to being at the public library - what do you want? Get a card. Check it out from the library. Take book home, etc.

VPP Service Token
Purchase content via VPP
SMTP integration active

Use the fields in the JSS with VPP accounts (which email address, etc)
Modify JSS User Accounts and Group Permissions

Users vs JSS User Accounts and Groups - reframe our thinking; these are different from users logging into the JSS.
Assigned to a device
User-Initiated Enrollment
Manual Creation (non-LDAP)

Find the computer, Computer/User info, fill in LDAP info
Could use Devices and find user-initiated users
Manually create users (or for testing purposes)

Use LDAP if possible
Enroll with user-initiated enrollment if possible

Fill in various screens (send email to user).

Use Smart Group (Not associated and Not Sent)
Use email invitation
Do not block app store for mobile devices

VPP Assignment
What are you assigning? iOS Apps and/or Mac Apps
Who are you assigning these to?

Create a smart group (VPP invitation is associated - that is, user accepted token)
Select the EDU account
Select user group that have completed process
Limited group to actual staff group
App shows in purchase history

Same thing for Mac or iOS apps. Must be done for each app on each platform

Use a Smart User Group (IS associated)
Be modular and try not to bundle
Content appears in Users' Purchase History

VPP Content Deployment
Computer or mobile device?

Make it available in self-service
Limit to LDAP group who should get the app (Staff, etc)
Save config

Keep your network infrastructure in mind - use self service
Install automatically - conditions that MUST be met
Automatic Downloads - does not need to be enabled

Self service allows users to install the app(s) when THEY want/need them

Revoking apps:
iOS Apps/Mac Apps - yes
eBooks - cannot be revoked

How to revoke (choose one - do not use all of these, though circumstance governs):
Remove user from LDAP Group
Change scope
Change app selection
Delete VPP assignment
Revoke All

1. JSS Framework in place, configured, VPP token
2. Users
3. VPP Invitations
4. VPP Assignments
5. VPP Content Deployment

Q&A -
For free apps: Nice thing about VPP is updating apps with their Apple ID.
Other q&a ensued, but I was talking with a colleague about LDAP integration and true SSO for local domain, Google Apps, and JSS

Changing leaves near #guthrietheater


Random pics from #mallofamerica


Tuesday, October 21, 2014

Cool prismatic effect on one of the walls at The #Guthrie!

New #Vikings stadium construction

#jnuc #jamf - 10/21 - Session 2: JSS REST API

Discussing API usage/features

Why I chose this:
This is marked as an advanced session, which seems a bit counterproductive, given my first session was a "101" variety. But, the other sessions offered at this time did not appeal to me, and I wanted to see what an "Advanced" session was like. So, why not, right?

What I learned:

What it means to be RESTful

Replace in all policies with...

RADAR and Printer Chooser. Client API usage.

Representational State Transfer (REST) Methods
- Standard web calls with different methods being used.
-- Get method (get information)
-- Put method (replacing collections, update specific element)
-- Post method creates a new member element (forms in web)
-- Delete method - cannot delete entire collection, used to delete specific element

Usage: yourjssurl:port/api/

(Presenter showed examples of the methods in order to pull the "get" url and the xml response body.)

These are used in your scripts as ways to get/put/update/delete information from within your JAMF scripting.

Replace in all policies with...
-- define variables
-- gather list of policies
-- loop through all policies, searching for policies which deploy a specific pkg
-- replace found entries with the updated package
-- update policy record by uploading updated xml

Define jssserver; username/password for service account; old/new package id; newaction
Gather a list of policies
Loop through all policies
Find package and replace
Update policy record

XML must be used for updating. JSON can be used to read data only.
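The "replace in all policies" loop outlined above, as an added example (not the presenter's script). It assumes the Classic API resource root /JSSResource, the policy XML layout package_configuration/packages/package, and a least-privilege service account supplied through the hypothetical environment variables JSS_URL, JSS_USER and JSS_PASS; it is a dry run unless --apply is passed.

```python
import base64, os, sys, urllib.request
import xml.etree.ElementTree as ET

API = "/JSSResource"  # assumption: Classic API resource root

def swap_package(policy_xml, old_id, new_id, new_name):
    """Return updated policy XML, or None if the policy does not deploy old_id."""
    root = ET.fromstring(policy_xml)
    changed = False
    for pkg in root.findall("./package_configuration/packages/package"):
        if pkg.findtext("id") == str(old_id):
            pkg.find("id").text = str(new_id)
            name = pkg.find("name")
            if name is not None:
                name.text = new_name
            changed = True  # other packages in the policy are left untouched
    return ET.tostring(root, encoding="utf-8") if changed else None

def call(base, auth, method, path, body=None):
    """One HTTPS request; urllib verifies the server certificate by default."""
    req = urllib.request.Request(base + API + path, data=body, method=method)
    req.add_header("Authorization", "Basic " + auth)
    req.add_header("Accept", "application/xml")  # XML is required for updates
    if body is not None:
        req.add_header("Content-Type", "application/xml")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()

def main(old_id, new_id, new_name, apply=False):
    base = os.environ["JSS_URL"]  # e.g. https://jss.example.org:8443 (placeholder)
    if not base.startswith("https://"):
        sys.exit("refusing to send credentials over a non-HTTPS URL")
    auth = base64.b64encode(
        f"{os.environ['JSS_USER']}:{os.environ['JSS_PASS']}".encode()).decode()
    listing = ET.fromstring(call(base, auth, "GET", "/policies"))
    for pid in [p.findtext("id") for p in listing.findall("policy")]:
        updated = swap_package(call(base, auth, "GET", f"/policies/id/{pid}"),
                               old_id, new_id, new_name)
        if updated is None:
            continue
        print("updating" if apply else "would update", "policy", pid)
        if apply:
            call(base, auth, "PUT", f"/policies/id/{pid}", updated)

if __name__ == "__main__":
    main(sys.argv[1], sys.argv[2], sys.argv[3], apply="--apply" in sys.argv)
```

Keeping the password in the environment rather than in the script keeps it out of revision control, and the dry run shows which policies would change before anything is written.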

RADAR
- Robust multi-Area Distribution Active Routing
-- Pings Distribution points in parallel then downloads from the "closest" DistPoint

Printer Chooser
- Grabs all printers defined in JSS
- Can use drop-down to find the printer. Can browse to find the printer and install.
- Specify driver to look for
- Cache all drivers on client machine
- Checks to see if driver is installed. If not, install the driver then install the printer.

Revision Control in JSS
Pull down anything from JSS via XML
Commit > git hook > update JSS script(s)

Covered package-related questions such as clearing logs, not replacing unaffected packages from within a given policy. Question about the API and smart groups - display glitched but did not affect actual devices. Other Q&A as well.