Cats in Space: Giving Admins the Tools They Need to Support Users

Jamf

November 13, 2019

Transcript

  1. © JAMF Software, LLC. Cats in Space: Giving Admins the Tools They Need to Support Users (4-4:45 pm, UP NEXT)
  2. Speakers: Allen Golbig, Mac Systems Engineer, NASA (GRC); Joshua Harvey, Senior Principal Systems Administrator, NASA (GSFC)
  3. Speakers: Chris Tinker, Systems Security Engineer, NASA (GSFC); Mike Nestor, Principal Systems Admin, NASA (GSFC)
  4. Cats in Space. Presentation agenda:
     • Background
     • High Level Overview
     • PIV-Mandatory
     • Value Add
  5. Background. Everyone had their own:
     • Munki
     • KACE
     • Apple Remote Desktop (yes really)
     • BigFix
     • Even Jamf Pro
  6. Background: Management
     • No single solution to apply NASA security baselines
     • Dispersed patching methodologies (sometimes none)
     • No offsite user support
     • Led to higher count of admin users
  7. High-Level Overview
     • Existing setups
     • Non-compliant systems
     • Gather requirements
     • 200+ system administrators
  8. High-Level Overview: Admins' Treats
     • Palatable menu offering, low overhead freebies
     • Patching support, internal script sharing
     • Role-based access control: the opposite of restricting access
  9. High-Level Overview: Agency's Treats
     • High availability
     • Full integration with existing identity providers
     • Smartcard support: PIV & CAC
     • Compliant admins = happy agency
  10. High-Level Overview: How many of you use sites?
  11. High-Level Overview: Why So Many Sites?
      • 150+ sites
      • Project isolation requirements
      • Different security plans
      • Different leadership structures
  12. High-Level Overview: Don't Do This!!
  13. Architecture diagram (labels only): AWS Zone 1 (Primary) and AWS Zone 2 (Load Balancing & Failover), each with ARC, GSFC and Other Agency instances; macOS End Users and Admin Workstation in NASA IP Space; AWS Load Balancer; AWS RDS MySQL Primary and AWS RDS MySQL Secondary with Replication; GSFC Primary Distribution Point and ARC Sub Distribution Point; separate Admin Interfaces and Device Communication paths.
  14. High-Level Overview: Why so many servers?
      • Political reasons
      • Multiple centers
      • Multiple sites within
      • What we learned
  15. High-Level Overview: How many of you tap into your IdP?
  16. High-Level Overview: How to deal with so many sites
      • SAML + ADFS + internal IdP provisioning
      • Active Directory groups: more than we'd like to share
      • All provisioned automagically
  17. Automated Provisioning
  18. Automated Provisioning
  19. PIV Mandatory: Background
      • HSPD-12
      • OMB M-11-11
      • FISMA
      • CIO metrics
  20. PIV Mandatory: Top issues
      • Centrify deployment gone bad
      • Stopped binding to Active Directory
      • macOS 10.12 deficiencies
      • macOS 10.13 and meeting a deadline
  21. PIV Mandatory: SUCCESS!
      • Attribute mapping local accounts
      • Glory of APNS
      • Low failure rate
      • User satisfaction increased
  22. Value Add: Overview
      • Jamf Upload Page
      • Security Baselines
      • Admin Mapping
      • LAPS for Mac
      • Smartcard Exemption Page
  23. Jamf Upload Page
  24. Jamf Upload Page: If system administrators were going to "buy in" to using Jamf Pro, it had to meet two core needs.
  25. Jamf Upload Page: Simplicity
      • Mimic Jamf Pro's ease of use
      • Set category for packages
      • Simple interface
      • Drag and drop
  26. Jamf Upload Page: Upload to Jamf Pro
      • HTTPS distribution points
      • Will work with S3 distribution points
      • Can download any package uploaded
      • Edit scripts after uploaded
      • Audit logs
  27. Jamf Upload Page: Role/Site-Based Access
      • Site selection drop down
      • Center admins have full access
      • Site admins have access to their site
      • Jamf access grants read-only
  28. Jamf Upload Page: Smartcard
      • Government requirement
      • Jamf Pro lacks SSO
      • Integrated with our IdP
  29. Jamf Upload Page (slides 29 to 32 carry no text beyond the title)
  33. Resources: Jamf Upload Page
      • PHP
      • Vue.js
      • Webserver
      • MacAdmins Video
  34. Security Baselines: We spent months creating and testing macOS and application specs, but they were rarely applied.
  35. Security Baselines: History
      • XCCDF and CIS-CAT
      • No universal checks and remediations
      • Wild West approach to meeting compliancy
  36. Security Baselines: Where are we now?
      • Modification of Jamf Pro's CIS Scripts
      • Configuration profiles wherever possible
      • Sites can make risk-based decisions
      • Higher acceptance and deployment
      • AsciiDoc guides
  37. Security Baselines (slides 37 and 38 carry no text beyond the title)
  39. Admin Mapping: Our systems are now PIV Mandatory, so what happens when an admin needs to log in locally?
  40. Admin Mapping: Solution
      • Attribute mapping
      • Ability to set multiple admins
      • Can also be used for non-admins
      • Shared accounts
  41. Admin Mapping
      /usr/bin/dscl . read /Users/localadmin AltSecurityIdentities
      AltSecurityIdentities: Kerberos:[email protected] Kerberos:[email protected] Kerberos:[email protected]
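The mapping on slide 41 works because macOS matches the Kerberos principal in the PIV certificate against the account's multi-valued AltSecurityIdentities attribute, so several admins can unlock one local account with their own cards. The following added example (not NASA's or Jamf's code) parses that dscl output, reports which principals are already mapped, and produces the dscl commands that add only the missing ones; the account name, realm and principals are constructed.

```python
"""Inspect and extend the AltSecurityIdentities mapping of a local macOS account."""
import re
from typing import List

ATTR = "AltSecurityIdentities"
# user@REALM, realm in upper case as Kerberos expects; rejects malformed input
PRINCIPAL_RE = re.compile(r"^[A-Za-z0-9._-]+@[A-Z0-9.-]+$")

# Constructed sample of `dscl . read /Users/localadmin AltSecurityIdentities`:
# a multi-valued attribute prints space separated on one line, or (when any
# value contains a space) one value per line, each indented by one space.
SAMPLE_DSCL_OUTPUT = (
    "AltSecurityIdentities: Kerberos:admin1@EXAMPLE.GOV "
    "Kerberos:admin2@EXAMPLE.GOV Kerberos:admin3@EXAMPLE.GOV\n"
)


def parse_mapped_principals(dscl_output: str) -> List[str]:
    """Return the Kerberos principals already mapped, without the 'Kerberos:' prefix."""
    values: List[str] = []
    for line in dscl_output.splitlines():
        if line.startswith(ATTR + ":"):
            values.extend(line[len(ATTR) + 1:].split())   # single-line form
        elif line.startswith(" "):
            values.append(line.strip())                    # multi-line form
    return [v[len("Kerberos:"):] for v in values if v.startswith("Kerberos:")]


def plan_mappings(dscl_output: str, wanted: List[str],
                  account: str = "localadmin") -> List[List[str]]:
    """Build the dscl argv lists that add each missing principal (idempotent)."""
    present = set(parse_mapped_principals(dscl_output))
    cmds: List[List[str]] = []
    for principal in wanted:
        if not PRINCIPAL_RE.match(principal):
            raise ValueError(f"not a user@REALM principal: {principal!r}")
        if principal in present:
            continue                                       # already mapped, skip
        cmds.append(["dscl", ".", "-append", f"/Users/{account}",
                     ATTR, f"Kerberos:{principal}"])
        present.add(principal)
    return cmds


if __name__ == "__main__":
    for cmd in plan_mappings(SAMPLE_DSCL_OUTPUT, ["admin2@EXAMPLE.GOV", "admin4@EXAMPLE.GOV"]):
        print(" ".join(cmd))
```

Run the printed commands with subprocess (as root) on the Mac itself; reading the attribute back afterwards confirms every mapped principal, which is the check to keep in an inventory script.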
  42. Admin Mapping: Which led to…
      • Login keychain prompt
      • Preference panes requiring password
      • Didn't want a shared admin password
  43. Admin Mapping: LAPS for Mac
      • Local admin password script
      • Does not rely on Active Directory
      • Random password stored as extension attribute
      • Optional Self Service policy
  45. Smartcard Exemption Page: What happens if a user can't login with their smartcard and can't reach their admins?
  46. Smartcard Exemption Page: Stopgap
      • User could only call system admin
      • Admin not always available
      • Flipping an extension attribute manually
      • Didn't fully meet smartcard compliance
  47. Smartcard Exemption Page: And Now
      • User can now call Help Desk 24/7
      • Help Desk doesn't need access to Jamf
      • API call to flip the extension attribute
      • 48 hour expiration
      • Doesn't have to be for smartcard exemption
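Both the LAPS for Mac slide (43) and the exemption page (47) come down to writing a value into a Jamf Pro computer extension attribute and reading it back. The added example below (not NASA's or Jamf's code) generates a per-machine random admin password, builds the XML body a Jamf Pro Classic API PUT to /JSSResource/computers/... expects for extension attributes, parses the value out of a GET response, and checks the 48-hour exemption window; the EA names, the ISO-8601 expiry format and the sample values are constructed.

```python
"""Extension-attribute helpers: LAPS password storage and a timed smartcard exemption."""
import secrets
import string
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta
from typing import Dict, Optional

SYMBOLS = "!#%+-=?@_"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def generate_laps_password(length: int = 20) -> str:
    """Random local-admin password containing every character class (CSPRNG)."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def extension_attribute_xml(values: Dict[str, str]) -> str:
    """Classic API request body that sets one or more EAs; ElementTree escapes values."""
    computer = ET.Element("computer")
    eas = ET.SubElement(computer, "extension_attributes")
    for name, value in values.items():
        ea = ET.SubElement(eas, "extension_attribute")
        ET.SubElement(ea, "name").text = name
        ET.SubElement(ea, "value").text = value
    return ET.tostring(computer, encoding="unicode")


def read_extension_attribute(response_xml: str, name: str) -> Optional[str]:
    """Value of the named EA from a Classic API computer record, or None if absent."""
    for ea in ET.fromstring(response_xml).iter("extension_attribute"):
        if ea.findtext("name") == name:
            return ea.findtext("value")
    return None


def grant_exemption(granted_at_iso: str, hours: int = 48) -> str:
    """Expiry timestamp to store in the EA: 48 hours after the Help Desk grants it."""
    return (datetime.fromisoformat(granted_at_iso) + timedelta(hours=hours)).isoformat()


def exemption_active(expires_at_iso: str, now_iso: str) -> bool:
    """The client-side policy honours the exemption only until the stored expiry."""
    return datetime.fromisoformat(now_iso) < datetime.fromisoformat(expires_at_iso)


if __name__ == "__main__":
    body = extension_attribute_xml({"LAPS Password": generate_laps_password(),
                                    "Smartcard Exemption Expires": grant_exemption("2019-11-13T16:00:00")})
    print(body)
```

Anything with read access to the computer record in Jamf Pro can read the stored password, so scope that EA and the API account used by the exemption page to the minimum sites and privileges, and have the client policy rotate the password after each use.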
  48. Smartcard Exemption Page (slides 48 and 49 carry no text beyond the title)
  50. PIV Exemption Page: Resources
      • PHP
      • Vue.js
      • Webserver
  51. TL;DR: Teaching admins it's ok to be hands-off
      • Self Service reduced calls
      • Allows more time for testing
      • There is always more work
      • Mike likes something!
  53. Thank you for listening! Give us feedback by completing the 2-question session survey in the JNUC 2019 app.