My head is full of random thoughts and generally useless tidbits of information. I figure I just as well share them with the rest of the world...
Oct 23, 2014
#jnuc #jamf 10/23 - Casper Focus in the Enterprise
Why I picked this:
Interested to see how Focus could be used in a non-educational environment. As it turned out, the district with whom I was traveling experienced a Focus problem as we waited for this session. The local JAMF folks on site had never seen the problem nor could solve it. Turns out the school tech coordinator was able to narrow the problem down: with a class size greater than 20 devices, Focus will not release on the teacher app. Turns out 8.0.2 and 8.1 both crash the Focus app. The tech will have to submit a ticket to support.
What was covered:
(Note, my battery was nearing its end during this session. If it is incomplete, I may attempt to fill in the blanks at some point)
EventBoard App
- Conference Room Schedule display
-- Needed to be physically secured
-- Interactively secured (App Lock)
Crestron AV Automation app
- Works with existing crestron environment
- Physically secure
- limited mobility as an option
- interactively secured
ArmorActive's iPad Enclosure
AppLock
- Apple Configurator - enable supervision, enable profiles, etc.
-- Requires physical connection
- Casper Focus
-- Enable OTA focus
-- Only need iOS device
Created classrooms. Field service techs as 'teachers' in the classroom for working on the devices.
Push app through MDM so you can select the device/app
Apple Deployment Program
- pre-stage enrollment
-- with supervision
- create smart groups
-- wireless settings, apps installs, etc
- scope class to mobile device group
This is handy for posting iPads outside conference rooms and pushing the conference information for the appropriate rooms so participants know which room/session they are walking into.
Q&A
How do you designate info for each iPad? In AD, etc.? User info in AD for each room.
Other use cases? Tom Larkin may have seen them.
Could Sites have been used? Perhaps, but easier to set it up with AD info.
#jnuc #jamf 10/23 - Avoid Gotchas of Enterprise Cloud Dist in Education
Why I chose this:
Education-specific sessions are few and far between, so I picked this one.
What was covered:
Statewide hosted solution with every higher ed institution in the NC system under a single Casper instance.
17 schools plus UNC general admin system.
How can they leverage the system to allow common operation across all systems?
Right Time
Decreased budgets
Taste for streamlined licensing
Desire to not reinvent the wheel (shared packages, etc)
Increased demand for Mac and iOS
VPP and DEP
UNC System handles AD, LDAP, packages, etc.
Use Sites for each school so folks aren't stepping on each other's toes.
Hosted JSS and local JDS
- Best of speed and cost
- Auto sync of the JDS
- Someone else (mostly) does infrastructure
- Allows smaller groups/institutions easy scaling
- Each group maintains security via LDAPS
Admin team does very little work, then hands-off. Can be done on group-level (ex: School of Journalism) as opposed to ONLY the school at large.
The Good
- It works!!
- Shared work packaging and scripting
- Read-only policies for examples
- Communities form group help/Crowdsourcing - need a peer-review system for vetting
Challenging
- Migration from local Casper to Shared Cloud
-- Take time to clean up JSS.
-- Rebuild the JSS
- Web-only interface (takes time getting used to it)
- Casper Admin limited to read-only (take away delete permission wholesale, can change things)
- Politics of LDAP/AD access (run through governance body at university level; takes time to work through admins etc. Help them understand - https, read-only, which ports, etc)
- Technical details of secure LDAP/AD access (self-sign certs, where is root, etc)
- Packages without licenses (who is responsible for licensing? Spell it out. Make sure you have rights to share, etc)
- Change management - get into logs, check details
- Political policies to promote good neighbors (shared section, so had to set/enforce naming conventions with packages and scripts, etc.)
- Shared GSX and APN accounts (who has it? Who is logging in to check? That is global in JSS, not a site setting)
- Disk encryptions are not site specific. Make sure security folks understand it is a shared model
The Bad
- No concept of site for: Categories, packages, scripts, printers, directory bindings, dock items, configurations, and self service plugins. Must plan scope of work, naming, etc.
- Network segment collisions (NAT, subnets, etc)
- Needed prefixes to avoid confusion (naming conventions)
- SCCM Plugin not supported (multiple SCCM could be supported, but who rules the roost on that one!?)
The Cost to Join
- 10 Licenses for either OSX or iOS devices to have their own Casper Site Setup
- Secure (LDAPS) access to supported directory site for group of Casper Site Admins
- Firewall changes (443, 636)
- Internal Netboot and/or SUS servers (not provided, must be local)
- Internal JDS (optional, but recommended)
- JAMF training (optional, but recommended)
- Can request packaging rights (create a Directory Service group, which would be added)
- Can request to be a member of UWCA (Admin) team
- Can request access to APIs
Q&A
How many sites and who are site admins? 41 sites/subsites, don't care who the local admin is so it varies. Purchasing dept adds admin(s) to directory service group.
Packages: Sites can upload packages. Cannot delete packages without requesting from the overall admin.
Security info stored in JDS. Each institution evaluates what they can/cannot store in the cloud.
How about non-Apple devices? At certain sites, use SCCM locally. Not big demand for Android support. Planning for future implementation. Right now, policies and best practices.
Created a template license and got it approved by Attorney General for use among all participating entities.
Easier for schools to come on because they are not installing all the backend.
Helpful to set up a 'kick the tires' account for schools to test the system and see if they want to join.
Oct 22, 2014
#jnuc #jamf 10/22 - Small and Medium Rollouts (Bushel)
[Photo: Preparing for the Bushel preso]
Why I chose this session:
I originally chose this because it looked like something that might apply to me at the education service center. During the keynote, JAMF revealed a new program called "Bushel" that is targeted at small-to-medium businesses and that is easier to use (read: fewer features and/or less access to advanced features). I am very interested to see how I might leverage this new program.
What I learned:
Enterprise Tools - lots of features; useful, help users, etc.
What about smaller business? Need a "playground" with someone else to monitor. Small biz generally does not have that monitor. Shadow IT? Maybe, but can lack time, budget.
What if MDM were simple? Centrally managed, not needing hands-on IT assistance all the time. Compliance?
Bushel is a new product, for persons whose primary function is not IT but who have a hand in IT.
Bushel does NOT need:
- Jumpstart, training, VPP Codes, scripts, imaging, packages, user accounts...
Bushel - free for 3 devices forever. After that $2/device/month. Hosted system.
Steps to walk through Push Certificates. Download cert, handoff to bushel. Set up devices.
Various settings to push out (Security, Email, Apps (Managed VPP), invite users, Devices (various enrollment scenarios))
Devices can show status, perform various actions (remove passcode, lock device, wipe, remove corporate data, unenroll device)
Live Chat support available at all times, globally
User gets device, walks through setup, device gets enrolled and configured.
Very simple, straightforward
Currently INVITE-ONLY (at time of this writing).
Q&A
How far does this scale? Not a technical issue, but logistical. This is for one group. So, not for an entire district, but maybe for one grade. Essentially need a homogeneous group. Not meant for different groups/kinds of users.
Will consultants be given a high-level view of multiple accounts? So far, no. May scale out a type of "admin panel."
If you already have Casper, is Bushel for me? Overall, this is not for Casper users. Will you be able to up/downgrade in the future? That is in the pipeline. Seeing your Bushel devices within Casper might be in the works.
Will not work with Casper Focus (this is not Casper).
Could have separate Bushel accounts for each "group" of users, if trying to leverage this in that manner. Not really the appropriate fit for Bushel, but could pilot the program before rolling out on larger scale. Another example would be carts - don't need Casper, necessarily, but still want management.
Is this cloud-only? Yes. Hosted in US right now. Plan to host in EU.
Single-App mode is a Casper feature, not appropriate for Bushel.
Other Q&A, mostly stemming from the highly-technical folks in the room. This is NOT for the tech folks running Casper, so was a challenge to release this product in front of this group.
#jnuc #jamf 10/22 - Simplifying VPP
[Photo: Comparing VPP to a public library]
Why I chose this:
VPP is a key component to any Apple-related mass rollout and management system. I am hoping to grab some tips and hints to help me handle our VPP better.
What I learned (These are loose notes and will be missing actual steps):
JSS Framework
Users, VPP Invitations, VPP Assignments, VPP Content Deployment
Compared VPP to being at the public library - what do you want? Get a card. Check it out from the library. Take book home, etc.
VPP Service Token
Purchase content via VPP
SMTP integration active
Use the fields in the JSS with VPP accounts (which email address, etc)
Modify JSS User Accounts and Group Permissions
Users:
Users vs JSS User Accounts and Groups - reframe our thinking, different than users logging into jss.
Assigned to a device
User-Initiated Enrollment
Manual Creation (non-LDAP)
LDAP
Find the computer, Computer/User info, fill in LDAP info
Could use Devices and find user-initiated users
Manually create users (or for testing purposes)
Use LDAP if possible
Enroll with user-initiated enrollment if possible
Fill in various screens (send email to user).
Use Smart Group (Not associated and Not Sent)
Use email invitation
Do not block app store for mobile devices
VPP Assignment
What are you assigning? iOS Apps and/or Mac Apps
Who are you assigning these to?
Create a smart group (VPP invitation is associated - that is, user accepted token)
Select the EDU account
Select the user group that has completed the process
Limit the group to the actual staff group
App shows in purchase history
Same thing for Mac or iOS apps. Must be done for each app on each platform
Use a Smart User Group (IS associated)
Be modular and try not to bundle
Content appears in Users' Purchase History
VPP Content Deployment
Computer or mobile device?
Make it available in self-service
Limit to LDAP group who should get the app (Staff, etc)
Save config
Keep your network infrastructure in mind - use self service
Install automatically - conditions that MUST be met
Automatic Downloads - does not need to be enabled
Self service allows users to install the app(s) when THEY want/need them
Revoking apps:
iOS Apps/Mac Apps - yes
eBooks - cannot be revoked
How to revoke (choose one - do not use all of these, though circumstance governs):
Remove user from LDAP Group
Change scope
Change app selection
Delete VPP assignment
Revoke All
Review:
1. JSS Framework in place, configured, VPP token
2. Users
3. VPP Invitations
4. VPP Assignments
5. VPP Content Deployment
Q&A
For free apps: Nice thing about VPP is updating apps with their Apple ID.
Other q&a ensued, but I was talking with a colleague about LDAP integration and true SSO for local domain, Google Apps, and JSS
Oct 21, 2014
#jnuc #jamf - 10/21 - Session 2: JSS REST API
[Photo: Discussing API usage/features]
Why I chose this:
This is marked as advanced session, which seems a bit counterproductive, given my first session was a "101" variety. But, the other sessions offered at this time did not appeal to me, and I wanted to see what an "Advanced" session was like. So, why not, right?
What I learned:
What it means to be RESTful
Replace in all policies with...
RADAR and Printer Chooser. Client API usage.
Representational State Transfer (REST) Methods
- Standard web calls with different methods being used.
-- Get method (get information)
-- Put method (replacing collections, update specific element)
-- Post method creates a new member element (forms in web)
-- Delete method - cannot delete entire collection, used to delete specific element
Usage: yourjssurl:port/api/
(Presenter showed examples of the methods in order to pull the "get" url and the xml response body.)
These are used in your scripts as ways to get/put/update/delete information from within your jamf scripting.
Replace in all policies with...
-- define variables
-- gather list of policies
-- loop through all policies, searching for policies which deploy a specific pkg
-- replace found entries with the updated package
-- update policy record by uploading updated xml
Define jssserver; username/password for service account; old/new package id; newaction
Gather a list of policies
Loop through all policies
Find package and replace
Update policy record
XML must be used for updating. JSON can be used to read data only.
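The "replace in all policies" procedure above, carried through as an added example (not code from the session or from JAMF): gather the policy list, loop through each policy, swap the old package id for the new one, and PUT the updated XML back. It assumes the Classic API's XML layout (GET /JSSResource/policies returns `<policies><policy><id>..</id>..</policy>..</policies>`, and a policy carries `<package_configuration><packages><package><id>..</id><name>..</name><action>..</action></package>..`) and that a PUT body containing only `package_configuration` updates just that element; the host name and environment variable names are placeholders. The transport is injected so the matching and rewrite logic runs offline against constructed sample data.

```python
"""Replace one package with another in every Jamf policy via the JSS REST API.

Added example; assumes the Classic API XML layout described in the lead-in.
Transport callables are injected so the rewrite logic can be exercised offline.
"""
import base64
import os
import urllib.request
import xml.etree.ElementTree as ET

PKG_PATH = "package_configuration/packages/package"


def policy_ids(list_xml):
    """Ids of every policy in the list response (str or bytes XML)."""
    return [int(p.findtext("id")) for p in ET.fromstring(list_xml).findall("policy")]


def rewrite_policy(policy_xml, old_id, new_id, new_name, new_action=None):
    """Return (changed, body); body is the XML to PUT back when changed is True."""
    root = ET.fromstring(policy_xml)
    changed = False
    for pkg in root.findall(PKG_PATH):
        if pkg.findtext("id") != str(old_id):
            continue                      # leave unaffected packages untouched
        pkg.find("id").text = str(new_id)
        if pkg.find("name") is not None:
            pkg.find("name").text = new_name
        if new_action is not None and pkg.find("action") is not None:
            pkg.find("action").text = new_action
        changed = True
    if not changed:
        return False, None
    body = ET.Element("policy")           # send back only the subtree we changed
    body.append(root.find("package_configuration"))
    return True, ET.tostring(body, encoding="unicode")


def replace_in_all_policies(get, put, old_id, new_id, new_name, new_action=None):
    """Gather policies, rewrite those deploying old_id, PUT them back; return updated ids.

    get(path) -> XML (bytes or str); put(path, xml_str) -> None.
    """
    updated = []
    for pid in policy_ids(get("/JSSResource/policies")):
        path = "/JSSResource/policies/id/%d" % pid
        changed, body = rewrite_policy(get(path), old_id, new_id, new_name, new_action)
        if changed:
            put(path, body)
            updated.append(pid)
    return updated


def http_transport(base_url, user, password):
    """Real transport: HTTPS + Basic auth. Use a service account limited to read/update."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()

    def request(method, path, body=None):
        req = urllib.request.Request(base_url + path, data=body, method=method)
        req.add_header("Authorization", "Basic " + token)
        req.add_header("Accept", "application/xml")   # XML is the only format writes accept
        if body is not None:
            req.add_header("Content-Type", "application/xml")
        with urllib.request.urlopen(req) as resp:
            return resp.read()

    return (lambda path: request("GET", path),
            lambda path, xml: request("PUT", path, xml.encode("utf-8")))


# Constructed sample data standing in for a JSS, so the script runs offline.
SAMPLE = {
    "/JSSResource/policies":
        "<policies><size>2</size><policy><id>1</id><name>Install Foo</name></policy>"
        "<policy><id>2</id><name>Printers</name></policy></policies>",
    "/JSSResource/policies/id/1":
        "<policy><general><id>1</id><name>Install Foo</name></general>"
        "<package_configuration><packages><package><id>12</id><name>Foo-1.0.pkg</name>"
        "<action>Install</action></package></packages></package_configuration></policy>",
    "/JSSResource/policies/id/2":
        "<policy><general><id>2</id><name>Printers</name></general>"
        "<package_configuration><packages><package><id>30</id><name>HP-Drivers.pkg</name>"
        "<action>Install</action></package></packages></package_configuration></policy>",
}


def fake_transport(store=SAMPLE):
    """In-memory get/put over the constructed sample; every PUT is recorded in `sent`."""
    sent = []
    return (lambda path: store[path],
            lambda path, xml: sent.append((path, xml)),
            sent)


if __name__ == "__main__":
    get, put, sent = fake_transport()
    print("updated policies:", replace_in_all_policies(get, put, 12, 15, "Foo-1.1.pkg"))
    for path, xml in sent:
        print("PUT", path, xml)
    # Against a real server (hypothetical host; credentials come from the environment):
    # get, put = http_transport("https://jss.example.edu:8443",
    #                           os.environ["JSS_API_USER"], os.environ["JSS_API_PASS"])
```

Only the policies that actually reference the old package id are written back, which matches the Q&A point below about not touching unaffected packages; the service account only needs read and update rights on policies, so a compromise of the script's credentials cannot create or delete anything.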
RADAR
- Robust multi-Area Distribution Active Routing
-- Pings Distribution points in parallel then downloads from the "closest" DistPoint
Printer Chooser
- Grabs all printers defined in JSS
- Can use drop-down to find the printer. Can browse to find the printer and install.
- Specify driver to look for
- Cache all drivers on client machine
- Checks to see if driver is installed. If not, install the driver then install the printer.
Revision Control in JSS
Pull down anything from jss via XML
Commit > git hook > update jss script(s)
Q&A
Covered package-related questions such as clearing logs and not replacing unaffected packages from within a given policy. Question about the API and smart groups: the display glitched but it did not affect actual devices. Other Q&A as well.
#jnuc #Jamf - 10/21 - Session 1: Policies 101: Unleashing Power
As I have come to do with all my conference sessions, I will be posting about the sessions I attend, why I chose the particular sessions and what I learned while in there.
Why I chose this session:
Since I am brand-new to JAMF, CasperSuite, etc, I am hoping to learn what I can about the software in order to help the schools in my area that are running the software or who are looking to implement it.
What I learned:
What do I want to do?
To Whom?
General
- Display Name (the "pretty" name, what users see in self-service)
- Enabled
- Category (Apps, OS, Printers, plug-ins, etc) - relevant to end-user
Triggers
- Startup (Firewall settings)
- Login (Make sure on YOUR network, then mount share, etc. validation BEFORE the attempt)
- Logout
- Network state change (wifi vs wired)
- Enrollment complete (1st-run script)
- Recurring Check-in
- Custom (useful for prerequisites)
Execution Freq
- Once per computer
- Once per user
- Once per day, week, month (ex: software updates)
- Ongoing (can make avail offline)
Server-side/client-side limitations
- particular days/times (ex: updates during work hours)
- Network connection (ex: only if on ethernet, etc)
Packages
- Install, cache, install from cache
- Select distribution point (location, cloud storage, etc)
Software Updates
- Self-service, auto-install, etc
Scripting
- first three variables taken by JAMF
-- $1 = mount point target drive
-- $2 = computer name
-- $3 = username, usually. Make sure user is logged in
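The three reserved script parameters, together with the Login-trigger advice above (validate that you are on your own network before attempting the share mount), as an added example that is not code from the session: a policy script skeleton that reads $1/$2/$3 from its argument list, confirms the user in $3 is really the console user, and checks the resolver's search domains before doing anything. The corporate domain and share path are hypothetical placeholders; the `stat`/`scutil` calls are macOS-specific, and the pure helpers can be exercised on any platform.

```python
#!/usr/bin/python
"""Skeleton of a Jamf policy script using the three reserved parameters.

Added example, not code from the session. Jamf passes $1 (mount point),
$2 (computer name) and $3 (console username) to every policy script.
CORP_DOMAIN and the share path below are hypothetical placeholders.
"""
import subprocess
import sys

CORP_DOMAIN = "corp.example.edu"   # hypothetical; set to your own search domain


def parse_jamf_params(argv):
    """Return (mount_point, computer_name, username); missing values become ''."""
    padded = list(argv[1:4]) + [""] * 3
    return padded[0], padded[1], padded[2]


def user_is_logged_in(username, console_owner):
    """Policy scripts run as root; trust $3 only when it matches the console owner."""
    return bool(username) and username == console_owner \
        and username not in ("root", "loginwindow")


def on_corp_network(search_domains, corp_domain=CORP_DOMAIN):
    """True when the resolver's search list contains the corporate domain."""
    return corp_domain.lower() in [d.strip().lower() for d in search_domains]


def console_owner():
    """macOS: the owner of /dev/console is the logged-in GUI user."""
    return subprocess.check_output(["stat", "-f%Su", "/dev/console"]).decode().strip()


def search_domains():
    """macOS: collect 'search domain[n] : ...' lines from scutil --dns."""
    out = subprocess.check_output(["scutil", "--dns"]).decode()
    domains = []
    for line in out.splitlines():
        line = line.strip()
        if line.startswith("search domain"):
            domains.append(line.split(":", 1)[1].strip())
    return domains


def main(argv):
    mount, computer, user = parse_jamf_params(argv)
    if not user_is_logged_in(user, console_owner()):
        print("no console user; skipping share mount")
        return 1
    if not on_corp_network(search_domains()):
        print("%s is not on %s; skipping share mount" % (computer, CORP_DOMAIN))
        return 1
    # The mount itself would go here; the share path is a hypothetical placeholder.
    print("would mount smb://files.%s/%s for %s on %s (target %s)"
          % (CORP_DOMAIN, user, user, computer, mount))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Returning a non-zero exit code when a precondition fails makes the policy log show the skipped run instead of a silent success, which is what you want when auditing why a share did not mount.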
Printers and Docks
- Add/remove printer configs, remove/add items from dock (without delete)
Local Accounts
- Create one
- Allow as admin
- check for filevault
- reset, delete, disable for filevault
- Ex: standardized testing environment (change pw every 24 hrs, delete acct after 14 days, etc)
Management Account
- Be different account than helpdesk uses.
- Password can be randomized and is unknown
Restart Options
- Startup disk, installer, etc
- Issues with restarting (logged in user, running apps may be issue, etc)
Maintenance
- Update inventory
- Reset name
- Install cached items
- "Mac Voodoo" (fix permissions, flush cache, etc)
Files and Processes
- Find a file or folder, option to delete if found
- Option to kill process if running
- Run command
To Whom
- Scope
- Self-service
Scope
- Set up buildings, departments, etc
- Smart and static groups
- Targets (Can use ALL, if needed)
- Can set up exclusions (depts, groups, buildings, etc)
Self-Service
- Make standard users feel like they have power. They have control over which apps they can install, etc.
- grab icons from clipboard after copying to SS
User Interaction
- Start message (warn the user)
- Defer for 1hr, 2hr, etc
Open for Q&A
- "iBeacon was on slide?" "Yes, but for exclusions and limitations."
- "Do you recommend using update server?" "Depends on the environment. Ex: govt had to vet every update, so they used SUS. Can also use caching service (with various parameters)."
- Discussion about firmware updates. Watch for firmware updates as they will wipe out other updates, continual reboot
- Limitation for custom triggers? Not that they are aware of. Cascading triggers are actually nested, so be careful about order and subtriggers.
- Do not lump a bunch of installs because update releases are not in sync. Keep each install/update as its own policy. Exception: dependencies, printer drivers.
- Issue discussions regarding non-installs/misinstalls. Common solution is to have two policies: one for drivers and one for printers with a check for driver before installing printer.
[Photo: Getting ready for the session]
[Photo: This photo captures just how RED this room is! Whoa!]