Managing Microsoft System Center Endpoint Protection (SCEP) – Part 1

If you’re using Microsoft System Center Configuration Manager (SCCM) to manage Windows machines in your environment, you may notice that it comes licensed with an antivirus/malware product: Endpoint Protection (SCEP), with versions for Windows, Linux and macOS. This fits the bill nicely for organisations whose IT security policies dictate that such software is required on all company devices – just deploy this everywhere without having to deal with the expense and complexity of different products.

One thing I’ve noticed is that there seems to be a misconception that SCEP for Mac can be managed centrally with SCCM. This might be because SCCM admins who deploy SCEP for Windows can indeed enjoy this luxury, so why would the non-Windows versions be any different? After all, SCEP is SCEP is SCEP, right? Well, no. The macOS version is essentially a Microsoft-rebranded version of ESET Cyber Security for Mac. And at first glance there seems to be no way to manage its settings/configuration centrally. As far as I know, there’s no documentation on this so here’s an account of what I’ve discovered and hopefully it’ll help you manage your SCEP deployment.

NoMAD – “Say hello to my little friend”

At yesterday evening’s London Apple Admins meetup I spoke about NoMAD and the goodness it brings to our environment. Thanks again to Louis Treger (@tregerl on Slack) and MullenLowe for hosting us in their lovely offices and thanks to Amsys for providing copious amounts of food and drink for the event!

Click here to get my presentation slides.

Apple – when it rains, it pours…

Today, Apple published a couple of articles on their support website that are of particular interest to the admin community, especially as they talk about things coming up in macOS 10.13 High Sierra!

Prepare for changes to kernel extensions in macOS High Sierra

Upgrade macOS on a Mac at your institution

A couple of things these articles confirm for us:

NetBoot (or at least NetInstall) is still alive and kicking! But watch out if you image Macs, as Apple now officially confirm that firmware updates don’t get applied during imaging, but only when you run their installer proper or install an OS update later (e.g. 10.12.5 to 10.12.6, or one of the security updates for the older OSes – but then you may not get the latest firmware, depending on your Mac). Click here for an excellent table showing which firmwares come with each OS update. Huge thanks to Pepijn Bruienne!

And then there’s this quote, which might make you breathe a sigh of relief (if you manage your Macs with an MDM):

In macOS High Sierra, enrolling in Mobile Device Management (MDM) automatically disables SKEL. The behavior for loading kernel extensions will be the same as macOS Sierra.

In a future update to macOS High Sierra, you will be able to use MDM to enable or disable SKEL and to manage the list of kernel extensions which are allowed to load without user consent.

Secure Kernel Extension Loading (SKEL) is a security feature that would mean kernel extensions need to be manually authorised (interactively by the user). It looked set to cause a great deal of inconvenience for us in particular, specifically for things like third party drivers and anti-virus/malware products that make use of them. Until now, to disable SKEL you would use the spctl command in a NetInstall or recovery environment, so this change is great news.

So not only will SKEL not be a problem if you use an MDM, but soon we’ll be able to optionally enable it (which would be of great benefit in some security-conscious environments – but then if you have a third-party security product that uses kernel extensions, users being able to stop them loading presents a bit of an irony…).

Jamf Pro Scripts – running commands in the current logged in user’s context

I’ve already been using this technique for a while but today, thanks to our fantastic Mac Admins community, I’ve learned a little bit more about it, so it might be worth a blog post.

One interesting thing about Jamf Pro is that it can execute scripts during a policy run. Scripts executed this way are run as the root user, which is all well and good if you need to do stuff to the system as a whole with elevated privileges. But what if you need to run a command as if it’s being run by the current logged in user themselves as part of a policy? One example would be to use a utility like mysides to configure their sidebar, or if you want to invoke lsregister to register an application so that the user doesn’t see something like this the first time it’s launched (kudos to @franton on the MacAdmins Slack for pointing out that this tends to be more of an issue for applications living outside /Applications as macOS takes care of those automatically, but I digress):

audaemon


London Apple Admins Zentral Workshop at Sony Music

We had a London Apple Admins meet up at Sony Music last Thursday! As one of the resident ‘herders’ (along with Ben, Darren, Graham and Steve), I’m honoured to share the video of this event, which includes a workshop on Zentral, an open source framework for monitoring stuff.

Huge thanks to Ross Drummond at Sony for hosting us and for putting on an awesome spread of fine beverages and pizza. Thanks also to Henry Stamerjohann at Zentral for his most informative workshop. There were much learnings to be had!

If you’d like to host a future meet up or present at one, we’d love to hear from you! Give us a shout.

Integrating Bomgar and Jamf Self Service

To me, what follows didn’t seem overly remarkable, until I shared it in #jamfnation on the MacAdmins Slack. I received some great feedback and was encouraged to share what I did with the wider community. I honestly didn’t think it would be that useful to as many people as it was.

We use Bomgar to give our staff and students an easy way to get help when they need it, be that on their Windows PCs, Macs or even Android tablets. Unfortunately, the user’s journey with Bomgar on a Mac is something like this:

  1. Click a URL that takes you to an online form.
  2. Fill in that form with details about your issue.
  3. Download a Disk Image (DMG) containing the Bomgar client.
  4. Open/mount the DMG file.
  5. Open your mounted Disk Image and run the Bomgar application.

Not great and full of manual steps that a lot of people will find challenging or frustrating, especially in situations where they need help quickly to resolve their issues. It’s a faff and faffing is bad. There has to be a better way. And our students and staff love using Jamf Self Service.

Casper Imaging – Wot, no scripts after Autorun?

Yes, yes, imaging is dead, I know. But if you manage Macs in an education setting, especially in a lab environment with lots of shared use, it’s still a great way to provision those machines (DEP isn’t quite there yet IMO). I’m not going to get into the thorny subject of monolithic vs thin imaging workflows etc, let’s not beat that horse! It’s not what this post is about anyway…

Following the Jamf Pro hotfix release for 9.97.1488392992, those of us who use Autorun Imaging had a bit of a surprise. Namely, if you have scripts in your Imaging Configuration set to run at restart (like a first run script), they would no longer run. In fact, the scripts weren’t even being copied onto the target Mac at all. If you did a postmortem and looked in /var/logs/jamf.log you’d have found this entry where the magic should have happened:

The script could not be found.

Frustratingly, this wasn’t addressed in the 9.98 update, and Jamf won’t fix it because it relates directly to the security hole they patched in 9.97.1488392992. Thanks to Chris Gachowski on Jamf Nation, there is a workaround.
