Cats in Space: Giving Admins the Tools They Need to Support Users

© JAMF Software, LLC Cats in Space: Giving Admins the
Tools They Need to Support Users 4-4:45 pm UP NEXT

Title slide uses the “Reveal” slide transition

© JAMF Software, LLC Allen Golbig Mac Systems Engineer NASA
(GRC) Joshua Harvey Senior Principal Systems Administrator NASA (GSFC) In session recording, Picture-in-Picture of you presenting will be placed here. Please don’t put anything especially important in this area. 275x275 head shot

© JAMF Software, LLC Chris Tinker Systems Security Engineer NASA
(GSFC) Mike Nestor Principal Systems Admin NASA (GSFC) In session recording, Picture-in-Picture of you presenting will be placed here. Please don’t put anything especially important in this area. 275x275 head shot 275x275 head shot

© JAMF Software, LLC Cats in Space Presentation agenda: Background
High Level Overview PIV-Mandatory Value Add In session recording, Picture-in-Picture of you presenting will be placed here. Please don’t put anything especially important in this area.

© JAMF Software, LLC ARC AFRC JSC SSC MSFC KSC
GRC HQ LaRC GSFC

© JAMF Software, LLC Background Everyone had their own Munki
KACE Apple Remote Desktop (yes really) BigFix Even Jamf Pro In session recording, Picture-in-Picture of you presenting will be placed here. Please don’t put anything especially important in this area.

© JAMF Software, LLC Background Management No single solution to
apply NASA security baselines Dispersed patching methodologies (sometimes none) No oﬀsite user support Led to higher count of admin users In session recording, Picture-in-Picture of you presenting will be placed here. Please don’t put anything especially important in this area.

© JAMF Software, LLC High-Level Overview Existing setups Non-compliant systems
Gather requirements 200+ system administrators In session recording, Picture-in-Picture of you presenting will be placed here. Please don’t put anything especially important in this area.

© JAMF Software, LLC High-Level Overview Admins’ Treats Palatable menu
oﬀering, low overhead freebies Patching support, internal script sharing Role-based access control The opposite of restricting access In session recording, Picture-in-Picture of you presenting will be placed here. Please don’t put anything especially important in this area.

© JAMF Software, LLC High-Level Overview Agency’s Treats High availability
Full integration with existing identity providers Smartcard support PIV & CAC Compliant admins = happy agency In session recording, Picture-in-Picture of you presenting will be placed here. Please don’t put anything especially important in this area.

© JAMF Software, LLC High-Level Overview In session recording, Picture-in-Picture
of you presenting will be placed here. Please don’t put anything especially important in this area. How many of you use sites?

© JAMF Software, LLC High-Level Overview Why So Many Sites?
150+ sites Project isolation requirements Diﬀerent security plans Diﬀerent leadership structures In session recording, Picture-in-Picture of you presenting will be placed here. Please don’t put anything especially important in this area.

of you presenting will be placed here. Please don’t put anything especially important in this area. Don’’t Do This!!

© JAMF Software, LLC In session recording, Picture-in-Picture of you
presenting will be placed here. Please don’t put anything especially important in this area. AWS Zone 1 (Primary) ARC GSFC GSFC ARC Other Agency Other Agency ARC AWS Zone 2 (Load Balancing & Failover) ARC GSFC GSFC Other Agency Other Agency macOS End Users Admin Workstation GSFC Primary Distribution Point ARC Sub Distribution Point NASA IP Space AWS Load Balancer AWS RDS MySQL Primary AWS RDS MySQL Secondary Replication Replication Admin Interfaces Device Communication Admin Interfaces Device Communication

© JAMF Software, LLC High-Level Overview Why so many servers?
Political reasons Multiple centers Multiple sites within What we learned In session recording, Picture-in-Picture of you presenting will be placed here. Please don’t put anything especially important in this area.

of you presenting will be placed here. Please don’t put anything especially important in this area. How many of you tap into your IdP?

© JAMF Software, LLC High-Level Overview How to deal with
so many sites SAML + ADFS + internal IdP provisioning Active Directory groups More than we’d like to share All provisioned automagically In session recording, Picture-in-Picture of you presenting will be placed here. Please don’t put anything especially important in this area.

© JAMF Software, LLC Automated Provisioning In session recording, Picture-in-Picture
of you presenting will be placed here. Please don’t put anything especially important in this area.

presenting will be placed here. Please don’t put anything especially important in this area. Automated Provisioning

© JAMF Software, LLC PIV Mandatory Background HSPD-12 OMB M-11-11
FISMA CIO metrics In session recording, Picture-in-Picture of you presenting will be placed here. Please don’t put anything especially important in this area.

© JAMF Software, LLC PIV Mandatory Top issues Centrify deployment
gone bad Stopped binding to Active Directory macOS 10.12 deﬁciencies macOS 10.13 and meeting a deadline In session recording, Picture-in-Picture of you presenting will be placed here. Please don’t put anything especially important in this area.

© JAMF Software, LLC PIV Mandatory SUCCESS! Attribute mapping local
accounts Glory of APNS Low failure rate User satisfaction increased In session recording, Picture-in-Picture of you presenting will be placed here. Please don’t put anything especially important in this area.

© JAMF Software, LLC Value Add In session recording, Picture-in-Picture
of you presenting will be placed here. Please don’t put anything especially important in this area. Overview Jamf Upload Page Security Baselines Admin Mapping LAPS for Mac Smartcard Exemption Page

© JAMF Software, LLC Jamf Upload Page In session recording,
Picture-in-Picture of you presenting will be placed here. Please don’t put anything especially important in this area.

© JAMF Software, LLC Jamf Upload Page If system administrators
were going to “buy in” to using Jamf Pro, it had to meet two core needs. In session recording, Picture-in-Picture of you presenting will be placed here. Please don’t put anything especially important in this area.

Picture-in-Picture of you presenting will be placed here. Please don’t put anything especially important in this area. Simplicity Mimic Jamf Pro’s ease of use Set category for packages Simple interface Drag and drop

Picture-in-Picture of you presenting will be placed here. Please don’t put anything especially important in this area. Upload to Jamf Pro HTTPS distribution points Will work with S3 distribution points Can download any package uploaded Edit scripts after uploaded Audit logs

Picture-in-Picture of you presenting will be placed here. Please don’t put anything especially important in this area. Role/Site-Based Access Site selection drop down Center admins have full access Site admins have access to their site Jamf access grants read-only

Picture-in-Picture of you presenting will be placed here. Please don’t put anything especially important in this area. Smartcard Government requirement Jamf Pro lacks SSO Integrated with our IdP

© JAMF Software, LLC Resources PHP Vue.js Webserver MacAdmins Video
Jamf Upload Page In session recording, Picture-in-Picture of you presenting will be placed here. Please don’t put anything especially important in this area.

© JAMF Software, LLC Security Baselines We spent months creating
and testing macOS and application specs, but they were rarely applied. In session recording, Picture-in-Picture of you presenting will be placed here. Please don’t put anything especially important in this area.

© JAMF Software, LLC Security Baselines In session recording, Picture-in-Picture
of you presenting will be placed here. Please don’t put anything especially important in this area. History XCCDF and CIS-CAT No universal checks and remediations Wild West approach to meeting compliancy

of you presenting will be placed here. Please don’t put anything especially important in this area. Where are we now? Modification of Jamf Pro’s CIS Scripts Configuration profiles wherever possible Sites can make risk-based decisions Higher acceptance and deployment AsciiDoc guides

of you presenting will be placed here. Please don’t put anything especially important in this area.

© JAMF Software, LLC Admin Mapping Our systems are now
PIV Mandatory, so what happens when an admin needs to log in locally? In session recording, Picture-in-Picture of you presenting will be placed here. Please don’t put anything especially important in this area.

© JAMF Software, LLC Admin Mapping In session recording, Picture-in-Picture
of you presenting will be placed here. Please don’t put anything especially important in this area. Solution Attribute mapping Ability to set multiple admins Can also be used for non-admins Shared accounts

of you presenting will be placed here. Please don’t put anything especially important in this area. /usr/bin/dscl . read /Users/localadmin AltSecurityIdentities AltSecurityIdentities: Kerberos:[email protected] Kerberos:[email protected] Kerberos:[email protected]

of you presenting will be placed here. Please don’t put anything especially important in this area. Which led to… Login keychain prompt Preference panes requiring password Didn’t want a shared admin password

of you presenting will be placed here. Please don’t put anything especially important in this area. LAPS for Mac Local admin password script Does not rely on Active Directory Random password stored as extension attribute Optional Self Service policy

presenting will be placed here. Please don’t put anything especially important in this area.

© JAMF Software, LLC Smartcard Exemption Page What happens if
a user can’t login with their smartcard and can’t reach their admins? In session recording, Picture-in-Picture of you presenting will be placed here. Please don’t put anything especially important in this area.

© JAMF Software, LLC Smartcard Exemption Page In session recording,
Picture-in-Picture of you presenting will be placed here. Please don’t put anything especially important in this area. Stopgap User could only call system admin Admin not always available Flipping an extension attribute manually Didn’t fully meet smartcard compliance

Picture-in-Picture of you presenting will be placed here. Please don’t put anything especially important in this area. And Now User can now call Help Desk 24/7 Help Desk doesn’t need access to Jamf API call to ﬂip the extension attribute 48 hour expiration Doesn’t have to be for smartcard exemption

© JAMF Software, LLC PIV Exemption Page In session recording,
Picture-in-Picture of you presenting will be placed here. Please don’t put anything especially important in this area. Resources PHP Vue.js Webserver

© JAMF Software, LLC TL;DR Teaching admins it’s ok to
be hands-oﬀ • Self Service reduced calls • Allows more time for testing • There is always more work • Mike likes something! In session recording, Picture-in-Picture of you presenting will be placed here. Please don’t put anything especially important in this area.

presenting will be placed here. Please don’t put anything especially important in this area.

THANK YOU!

© JAMF Software, LLC Thank you for listening! Give us
feedback by completing the 2-question session survey in the JNUC 2019 app.

Cats in Space: Giving Admins the Tools They Need to Support Users

Cats in Space: Giving Admins the Tools They Need to Support Users

More Decks by Jamf

Featured

Transcript