Managing Microsoft System Center Endpoint Protection (SCEP) – Part 3

The Mac Admins community is interesting (amongst other things!). What’s really interesting is when someone contributes something, others often come forward and build on their work, ever-advancing it towards a state of pure awesome.

@glaurung got in touch with me on the Slack after I published part 1 and part 2 of my thoughts on managing SCEP. Here’s what he said:


This definitely builds on what I’ve done so far, and after some tinkering, I think I’ve in turn built on that… Read on! Continue reading “Managing Microsoft System Center Endpoint Protection (SCEP) – Part 3”



I’m finally getting around to using GitHub properly, instead of randomly putting things up on Gist.

I’ve kicked things off by creating a repo containing a lot of the custom configuration profiles I push to the Macs I manage. I’ll be documenting them properly in the README in the near future. Maybe they’ll be useful to other folks.

Click here to go to the repo!

A lot of them focus on suppressing welcome/first run screens and disabling automatic updating for the apps they manage (because Mac Labs). There are some that do bespoke stuff as well, such as Logic Pro (probably worthy of its own post here, eventually).

I’ll also be moving various scripts and Jamf Pro Extension Attributes over to it.

Setting the default sound device automatically – switchaudiosource

We’ve got Macs in lots of weird and wonderful places like recording studios and video editing suites. Our Macs are bound to Active Directory so any student can log in with their university ID and get to work. These specialist areas often use a third party sound card/audio interface, so the first thing students should do is set that as their default device in System Preferences, Sound. As well as having the usual stuff like web browsers and media players route audio through that lovely device, applications like GarageBand and Logic Pro will set their audio input/output to whatever you choose there too. Enter switchaudiosource. Continue reading “Setting the default sound device automatically – switchaudiosource”

Deploying firmware updates during imaging – wot about security updates, m8?

Edit: There be dragons! This workflow is completely unsupported by Apple and they don’t want us to image anymore. It’s a naughty stop-gap, but in my case, right now, needs must. As for myself, I’ll only be doing this going forward for the remaining Security Updates released for macOS 10.12. I won’t be doing this for 10.13 (and it probably won’t work anyway!). We use Jamf Pro and I really hope that Jamf add support to their tools for automated re-provisioning leveraging startosinstall. I’ve even asked them to – please upvote my feature request if it’s important to you too.

So Apple released macOS 10.13.1 to the world and we’ve just had the obligatory Security Updates for 10.12.6 and 10.11.6. If, like me, you’re still deploying a previous version of macOS starting with a base image, with the Security Updates baked in, a-la AutoDMG, you might be thinking about firmware. Because, yep, those Security Updates include new firmware which you won’t get if you just restore that pre-baked image. And that’s bad, mmmkay?

Luckily, due to our awesome community, Allister Banks and Darren Wallace have done great work writing up workflows to extract the firmware from the App Store installer and get it into a traditional imaging workflow. But can we get the newer firmware out of those newly released Security Updates and use it in the same way? Why, yes, we can. Continue reading “Deploying firmware updates during imaging – wot about security updates, m8?”

Managing Microsoft System Center Endpoint Protection (SCEP) – Part 2

In Part 1, we looked at how it was possible to configure pretty much anything in SCEP with the venerable scep_set command. Here, we’re going to focus on something else. It’s often in an organisation’s information security policy to ascertain whether the devices you manage are “compliant” with a set benchmark, whatever it may be.

For many, that benchmark may include the need for an antivirus/malware solution that has up-to-date definitions. We might also want to know how many “infections” each client has encountered. As systems administrators, the expectation is that we should be able to know this stuff and report on it. Turning to SCEP, if we look in the user interface of the application itself, it does indeed give us a window into its activity logs for each Mac, individually, but again, when it comes to integration with management tools that could report on the entire fleet, it appears we’re stuck.

Or are we?


Continue reading “Managing Microsoft System Center Endpoint Protection (SCEP) – Part 2”

Managing Microsoft System Center Endpoint Protection (SCEP) – Part 1

If you’re using Microsoft System Center Configuration Manager (SCCM) to deal with Windows machines in your environment, you may notice that it comes licensed with an antivirus/malware product; Endpoint Protection (SCEP), with versions for Windows, Linux and macOS. This fits the bill nicely for organisations where their IT security policies dictate that such software is required on all company devices – just deploy this everywhere without having to deal with the expense and complexity of different products.

One thing I’ve noticed is that there seems to be a misconception that SCEP for Mac can be managed centrally with SCCM. This might be because SCCM admins who deploy SCEP for Windows can indeed enjoy this luxury, so why would the non-Windows versions be any different? After all, SCEP is SCEP is SCEP, right? Well, no. The macOS version is essentially a Microsoft-rebranded version of ESET Cyber Security for Mac. And at first glance there seems to be no way to manage its settings/configuration centrally. As far as I know, there’s no documentation on this so here’s an account of what I’ve discovered and hopefully it’ll help you manage your SCEP deployment. Continue reading “Managing Microsoft System Center Endpoint Protection (SCEP) – Part 1”

NoMAD – “Say hello to my little friend”

At yesterday evening’s London Apple Admins meetup I spoke about NoMAD and the goodness it brings to our environment. Thanks again to Louis Treger (@tregerl on Slack) and MullenLowe for hosting us in their lovely offices and thanks to Amsys for providing copious amounts of food and drink for the event!

Click here to get my presentation slides.

Watch the video below: