Providing the Best Mac Experience Possible, From the Mac CoE Team with ❤️

Jamf
October 24, 2018

Presentation from JNUC 2018, the world's largest rally of Apple IT administrators.

Session:
Providing the Best Mac Experience Possible, From the Mac CoE Team with ❤️

Presented by:
Rich Trouton, SAP

View all session slides, recordings and more at https://www.jamf.com/events/jamf-nation-user-conference/2018/.

Transcript

  2. Providing the Best Mac Experience Possible, from the Apple CoE Team with ❤️
    Rich Trouton, Apple CoE @

  3. The Way It Was….

  9. USB Stick Script + Jamf Pro

  11. https://www.sap.com/products/enterprise-social-collaboration.html

  14. Agile: Product Owner, Product Backlog, Sprint Backlog, Sprints (1 week), Working increment

  15. SAP Mac applications must fulfill the following requirements to be added to the monthly Release Train process:
    • Must be 64-bit and sandboxed
    • Must be digitally signed with a valid Apple Developer Certificate
    • Must be packaged with Apple's technology (e.g. Installer or drag-and-drop)
    • Must be a self-contained, single application bundle and must not install code or resources in shared locations not approved by Apple (shared Containers for sandboxed apps are OK, for example)
    • Must not install kernel extensions (kexts)!
    • Must not spawn additional processes that continue to run after the user has quit the app without the user's consent
    • Must not use deprecated or optionally installed technologies (Java, Flash, etc.)
    • Must not add itself to Login or startup items without the user's consent
    • Must not request elevation to root privileges or use setuid attributes (i.e. it must run within the user's space as a standard user)
    • Must only use public APIs for OS X and approved APIs for accessing or modifying user data of other apps
    • Must comply with the macOS File System
    • Must not modify, change or disable the built-in Quarantine, firewall or Gatekeeper
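A preflight script that automates the payload rules on this slide, added here as an example; it is not SAP's or Jamf's tooling. The filesystem checks (no kexts, no setuid/setgid files, no launchd login/startup items) run on any OS, while the signature and App Sandbox check relies on macOS `codesign` flags that are assumed rather than taken from the slides.

```shell
#!/bin/bash
# Added example (not SAP's or Jamf's tooling): a release-train preflight
# that automates the payload rules above. The filesystem checks run on
# any OS; the signature/sandbox check needs macOS codesign.

# count_hits LABEL FIND-ARGS...: print each find(1) match under LABEL and
# return the number of matches (0 means the rule passed).
count_hits() {
    local label="$1" n=0 hit
    shift
    while IFS= read -r hit; do
        echo "FAIL $label: $hit"
        n=$((n + 1))
    done < <(find "$@")
    return "$n"
}

# scan_bundle_layout APP: no kernel extensions, no setuid/setgid binaries,
# no launchd login/startup items inside the bundle. Returns the total count.
scan_bundle_layout() {
    local app="$1" total=0
    count_hits "kernel extension bundled" "$app" -type d -name '*.kext' \
        || total=$((total + $?))
    count_hits "setuid/setgid file" "$app" -type f \( -perm -4000 -o -perm -2000 \) \
        || total=$((total + $?))
    count_hits "launchd item (login/startup)" "$app" -type d \
        \( -name LaunchAgents -o -name LaunchDaemons \) \
        || total=$((total + $?))
    return "$total"
}

# check_signature_and_sandbox APP (macOS only): valid signature plus the
# com.apple.security.app-sandbox entitlement. Returns 0 pass, 1 fail,
# 2 skipped because codesign is unavailable (e.g. on Linux).
check_signature_and_sandbox() {
    local app="$1"
    command -v codesign >/dev/null 2>&1 || { echo "SKIP codesign unavailable"; return 2; }
    codesign --verify --deep --strict "$app" 2>/dev/null \
        || { echo "FAIL signature invalid or missing"; return 1; }
    if codesign -d --entitlements :- "$app" 2>/dev/null \
        | grep -A1 'com.apple.security.app-sandbox' | grep -q true; then
        echo "PASS signed and sandboxed"
        return 0
    fi
    echo "FAIL signed but not sandboxed"
    return 1
}

# Usage: preflight.sh /path/to/Example.app (hypothetical path)
if [[ -n "${1:-}" ]]; then
    scan_bundle_layout "$1"; layout=$?
    check_signature_and_sandbox "$1"
    echo "$layout payload finding(s) in $1"
fi
```

Run it against a candidate bundle before submitting it to the Release Train; a non-zero finding count or a FAIL line from the codesign check means the app does not yet meet the list above.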

  16. DevOps loop: plan, code, build, test, release, deploy, operate, monitor

  18. [Chart: x-axis October 2012, October 2013, October 2014, August 2016; y-axis 2700 to 12000]

  19. [Chart by Mac model (MacBook Pro, MacBook Air, Mac Mini, iMac, MacBook): x-axis Jan 2013, October 2013, October 2014, October 2015, August 2016; y-axis 0 to 9000]

  21. Privileges, Refresh Assistant, Signature

  22. Refresh Assistant + (Machine-level)

  24. Assistant (User-level)

  26. Signature

  28. Privileges

  29. Privileges
    • Allows a standard user account to easily request admin rights
    • Give yourself admin rights when you need them.
    • Take away admin rights when you don't.
    • Enhances the Mac's security without impacting performance or productivity.
    • Easy-to-use application
    • Includes a command line version to allow workflow automation

  31. Icons: https://github.com/SAP/macos-icon-generator

  33. Apple Pies

  34. Fiori: https://www.sap.com/products/fiori.html

  36. One place to discuss Macs and to be informed of new developments
    • All new Knowledge Base
    • All information is now available outside the corporate network
    • Well structured
    • More colourful and engaging, using nice pictures and emojis
    • Current news and information
    • 2000+ new members in the run-up to the Sierra release
    • Videos

  44. Removing IT’s Local Admin

  45. Management via Jamf Pro

  46. Using Local Accounts

  48. Moving Jamf Pro to AWS

  49. Why host in Amazon Web Services?
    • Leverage AWS' high availability services
    • Mac-supporting services accessible anywhere
    • SAP IT is able to manage all corporate-managed Macs anywhere

  50. What are we using in Amazon Web Services?
    S3, Elastic Load Balancing, EC2, RDS, Elasticache
    https://aws.amazon.com/products/

  51. [Architecture diagram, AWS Virtual Private Cloud: Amazon RDS hosts the Jamf Pro MySQL database (not Internet accessible); Amazon S3 hosts the Jamf Pro Cloud Distribution Point (Internet accessible); Amazon EC2 runs the Jamf Pro admin console (not Internet accessible) and the Jamf Pro cluster nodes (admin console disabled, not Internet accessible), each in its own security group; an Elastic Load Balancing Application Load Balancer (Internet accessible; TLS termination) fronts the cluster nodes over HTTPS, and a second Application Load Balancer (accessible to SAP IP addresses; TLS termination) is used for connecting to the admin console; Amazon Elasticache provides Memcache (not Internet accessible); EC2 Systems Manager connects over HTTPS; SAP-managed Macs reach the service over HTTPS from the Internet; the Jamf Infrastructure Manager (JIM) sends encrypted LDAP queries (LDAPS) to the Active Directory domain, with non-LDAP JIM comms to Jamf Pro over HTTPS.]

  52. Administration: [Diagram, AWS Virtual Private Cloud: Amazon EC2 runs the Jamf Pro admin console (not Internet accessible) and the Jamf Pro cluster nodes (admin console disabled, not Internet accessible), each in its own security group; connecting to the admin console goes over HTTPS through an Elastic Load Balancing Application Load Balancer that is accessible to SAP IP addresses only and terminates TLS.]

  53. Administration: [Diagram, AWS Virtual Private Cloud: Amazon EC2 Systems Manager reaches the Jamf Pro admin console and the Jamf Pro cluster nodes (EC2 Systems Manager agents installed) over HTTPS, each in its own security group.]
    https://derflounder.wordpress.com/2017/05/30/managing-aws-hosted-vms-using-ec2-systems-manager/

  54. #!/bin/bash
    # Stop the Jamf Tomcat processes
    service jamf.tomcat8 stop

  55. {
        "schemaVersion": "1.2",
        "description": "Stop Tomcat on Jamf Pro instances",
        "parameters": {
            "upgradeType": {
                "type": "String",
                "default": "",
                "description": "Stopping the Tomcat server on Jamf Pro servers"
            }
        },
        "runtimeConfig": {
            "aws:runShellScript": {
                "properties": [
                    {
                        "id": "0.aws:runShellScript",
                        "runCommand": [
                            "#!/bin/bash",
                            "",
                            "# Stop the Jamf Tomcat processes",
                            "",
                            "service jamf.tomcat8 stop"
                        ]
                    }
                ]
            }
        }
    }

  56. #!/bin/bash
    # This script is designed for use with EC2 Systems Manager's
    # State Manager. It does the following tasks:
    #
    # 1. Check to see if /root/.TomcatMonitoringActive is present.
    # 2. If /root/.TomcatMonitoringActive is present, run the
    #    following tasks:
    #
    #    A. Check to see if the Tomcat service is active on port 8080
    #    B. If the Tomcat service is active, print a message and exit.
    #    C. If the Tomcat service is not active, print an error message
    #       and take the following actions:
    #       i. Restart the Tomcat service
    #
    # The reason for the file check for /root/.TomcatMonitoringActive
    # is to allow Tomcat monitoring to be easily disabled for times
    # when it would not be convenient for the automated Tomcat service
    # restart to be active, like when performing upgrades to the Tomcat
    # application or when the Tomcat application needs to be offline
    # for maintenance reasons.

    # Check for /root/.TomcatMonitoringActive
    MONITORCHECK="/root/.TomcatMonitoringActive"
    ERROR=0

    if [[ -f "$MONITORCHECK" ]]; then
        echo "Tomcat port monitoring is active."

        # Check for Tomcat listening on port 8080. Matching the port at the
        # end of the local-address column detects both 0.0.0.0:8080 and
        # :::8080; stripping the colons, as the original did, only matched
        # the IPv6 wildcard form and would restart a healthy IPv4 listener.
        PORTCHECK=$(/bin/netstat -tln | awk '$4 ~ /:8080$/ {print "8080"; exit}')

        if [[ "$PORTCHECK" = "8080" ]]; then
            echo "Tomcat service is running on port $PORTCHECK"
        else
            echo "Tomcat service is not responding on port 8080"
            echo "Restarting Tomcat service"
            # Restarts the JAMF Tomcat processes; a failed restart is
            # reported to State Manager through the exit code
            service jamf.tomcat8 restart || ERROR=1
        fi
    else
        echo "Tomcat port monitoring is offline."
    fi

    exit $ERROR

  57. {
        "schemaVersion": "1.2",
        "description": "Monitor Tomcat on Jamf Pro instances",
        "parameters": {
            "upgradeType": {
                "type": "String",
                "default": "",
                "description": "Monitoring the Tomcat service on Jamf Pro servers and perform automated service restarts if necessary"
            }
        },
        "runtimeConfig": {
            "aws:runShellScript": {
                "properties": [
                    {
                        "id": "0.aws:runShellScript",
                        "runCommand": [
                            "#!/bin/bash",
                            "",
                            "# This script is designed for use with EC2 Systems Manager's",
                            "# State Manager. It does the following tasks:",
                            "#",
                            "# 1. Check to see if /root/.TomcatMonitoringActive is present.",
                            "# 2. If /root/.TomcatMonitoringActive is present, run the",
                            "#    following tasks:",
                            "#",
                            "#    A. Check to see if the Tomcat service is active on port 8080",
                            "#    B. If the Tomcat service is active, print a message and exit.",
                            "#    C. If the Tomcat service is not active, print an error message",
                            "#       and take the following actions:",
                            "#       i. Restart the Tomcat service",
                            "#",
                            "# The reason for the file check for /root/.TomcatMonitoringActive",
                            "# is to allow Tomcat monitoring to be easily disabled for times",
                            "# when it would not be convenient for the automated Tomcat service",
                            "# restart to be active, like when performing upgrades to the Tomcat",
                            "# application or when the Tomcat application needs to be offline",
                            "# for maintenance reasons.",
                            "",
                            "# Check for /root/.TomcatMonitoringActive",
                            "",
                            "MONITORCHECK=\"/root/.TomcatMonitoringActive\"",
                            "",
                            "ERROR=0",
                            "",
                            "if [[ -f \"$MONITORCHECK\" ]]; then",
                            "",
                            "    echo \"Tomcat port monitoring is active.\"",
                            "",
                            "    # Check for Tomcat listening on port 8080. Matching the port at the end",
                            "    # of the local-address column detects both 0.0.0.0:8080 and :::8080.",
                            "    PORTCHECK=$(/bin/netstat -tln | awk '$4 ~ /:8080$/ {print \"8080\"; exit}')",
                            "",
                            "    if [[ \"$PORTCHECK\" = \"8080\" ]]; then",
                            "        echo \"Tomcat service is running on port $PORTCHECK\"",
                            "    else",
                            "        echo \"Tomcat service is not responding on port 8080\"",
                            "        echo \"Restarting Tomcat service\"",
                            "",
                            "        # Restarts the JAMF Tomcat processes; a failed restart is reported via the exit code",
                            "",
                            "        service jamf.tomcat8 restart || ERROR=1",
                            "    fi",
                            "else",
                            "    echo \"Tomcat port monitoring is offline.\"",
                            "fi",
                            "",
                            "exit $ERROR"
                        ]
                    }
                ]
            }
        }
    }

  58. Systems Manager: https://github.com/rtrouton/ec2_systems_manager

  59. Client Management: [Diagram, AWS Virtual Private Cloud: SAP-managed Macs on the Internet reach the Jamf Pro cluster nodes over HTTPS through an Elastic Load Balancing Application Load Balancer (Internet accessible; TLS termination) and use the Jamf Pro Cloud Distribution Point on Amazon S3 (Internet accessible) over HTTPS; the cluster nodes on Amazon EC2 (admin console disabled, not Internet accessible) sit in their own security group.]

  61. Active Directory Access: [Diagram: the Jamf Infrastructure Manager (JIM) in the DMZ sends encrypted LDAP queries (LDAPS) to Active Directory; JIM enrollment and check-ins go to the Jamf Pro service in the AWS Virtual Private Cloud.]
    https://derflounder.wordpress.com/category/jamf-infrastructure-manager/

  62. Database Hosting: [Diagram, Virtual Private Cloud: Amazon RDS hosts the Jamf Pro MySQL database (not Internet accessible); the Jamf Pro cluster nodes on Amazon EC2 (not Internet accessible) connect to it over MySQL, each side in its own security group.]

  63. Memcache Hosting: [Diagram, Virtual Private Cloud: Amazon Elasticache provides Memcache (not Internet accessible) to the Jamf Pro cluster nodes on Amazon EC2 (not Internet accessible), each side in its own security group.]

  64. Moving Jamf Pro to AWS

  66. The Road To High Sierra
    "The shipping OS is our supported OS"
    • Once High Sierra launched, it would be our only supported operating system.
    • Users requesting assistance, but not yet running High Sierra, would need to upgrade to High Sierra before the helpdesk could assist.

  67. The Road To High Sierra

  68. The Road To High Sierra: Admin user vs. standard user (Standard User + ?)

  69. The Road To High Sierra: Refresh Assistant + Recovery

  79. Apple Pies

  87. @HanaFiori

  88. Apple Pies

  91. Secure Token

  93. Local user accounts
    • Created by Setup Assistant or Users & Groups.
    One user account per Mac
    • Primary user of the Mac
    • No IT user account
    = Secure Token enabled automatically

  96. Assistant + Recovery

  98. SAP Mac application requirements for the monthly Release Train process (repeat of slide 15)

  102. SAP Mac application requirements for the monthly Release Train process (repeat of slide 15)

  106. The Road To Mojave: Assistant + Recovery; Apple@SAP

  109. Apple CoE @ becomes Mac CoE @

  113. Downloads
    PDF available from the following link: http://tinyurl.com/JNUC2018SAPPDF
    Keynote slides available from the following link: http://tinyurl.com/JNUC2018SAPKeynote

  114. © JAMF Software, LL
    THANK YOU!