Providing the Best Mac Experience Possible, From the Mac CoE Team with ❤️

View Slide

Providing the Best Mac
Experience Possible,
from the Apple CoE
Team with —
Rich Trouton
Apple CoE @

View Slide

The Way It Was….

View Slide

=
Right?

View Slide

View Slide

USB Stick Script + Jamf Pro

View Slide

View Slide

https://www.sap.com/products/enterprise-social-collaboration.html

View Slide

View Slide

Product Backlog Sprint Backlog Sprints
1 week
Working
increment
Product Owner
Agile

View Slide

SAP Mac applications must fulfill the following requirements to be
added to the monthly Release Train process:
• Must be 64-bit and sandboxed
• Must be digitally signed with a valid Apple Developer Certificate
• Must be packaged with Apple’s technology (e.g. Installer or drag-n-drop)
• Must be self-contained, single application bundle and cannot install code or
resources in shared locations not approved by Apple (shared Containers for
sandboxed Apps is OK for example)
• Must not install kernel extensions! (kexts)
• Must not spawn additional processes that continue to run after the user has quit the
App without the user’s consent
• Must not use deprecated or optionally installed technologies (Java, Flash, etc.)
• Must not add to Login or startup without the user’s consent
• Must not request elevation to root privileges or use setuid attributes (e.g. it must run
within the user’s space as standard user)
• Must only use public API’s for OS X and approved API’s for accessing or modifying
user data for other Apps
• Must comply with macOS File System
• Must not modify, change or disable the build in Quarantine, firewall or Gatekeeper

View Slide

deploy
operate
monitor
release
code
build
test
plan
DevOps

View Slide

View Slide

2700
5025
7350
9675
12000
October 2012 October 2013 October 2014 August 2016

View Slide

0
2250
4500
6750
9000
Jan 2013 October 2013 October 2014 October 2015 August 2016
MacBook Pro
MacBook Air
Mac Mini
iMac
MacBook

View Slide

View Slide

Privileges
Refresh Signature
Assistant

View Slide

Refresh Assistant
+
(Machine-level)

View Slide

View Slide

Assistant
(User-level)

View Slide

View Slide

Signature

View Slide

View Slide

Privileges

View Slide

Privileges
•Allows a standard user account to easily request admin rights
• Give yourself admin rights when you need them.
• Take away admin rights when you don’t.
• Enhances the Mac’s security without impacting performance or productivity.
• Easy to use application
• Includes command line version to allow workflow automation

View Slide

View Slide

https://github.com/SAP/macos-icon-generator
Icons

View Slide

View Slide

Apple Pies

View Slide

https://www.sap.com/products/fiori.html
Fiori

View Slide

View Slide

One place to discuss Macs
and to be informed of
new developments
All new Knowledge Base
All information is now 
available outside the
corporate network
Well structured
More colourful and engaging
using nice pictures and emojis
Current news and information
2000+ new members
in run up to Sierra release
Videos

View Slide

View Slide

Removing IT’s Local Admin

View Slide

Management via Jamf Pro

View Slide

Using Local Accounts

View Slide

View Slide

Moving Jamf Pro to AWS

View Slide

Why host in Amazon
Web Services?
•Leverage AWS’ high availability
services
•Mac-supporting services
accessible anywhere
•SAP IT is able to manage all
corporate-managed Macs
anywhere

View Slide

What are we using in
Amazon Web Services?
S3
Elastic Load Balancing
EC2
RDS
Elasticache
https://aws.amazon.com/products/

View Slide

Amazon 
RDS
Jamf Pro MySQL
database
Amazon 
S3
Jamf Pro
Cloud
Distribution
Point
(Internet
Accessible)
Amazon
EC2
Jamf Pro admin
console
(not Internet
accessible)
Jamf Pro cluster nodes
Elastic Load
Balancing
Application Load
Balancer
(Internet Accessible;
TLS Termination)
security group
(admin console disabled,
not Internet accessible)
security group
security group
HTTPS
HTTPS
MySQL
(Not Internet accessible)
AWS Virtual Private Cloud
MySQL
Application Load
Balancer
(Accessible to SAP
IP addresses; TLS
Termination)
Amazon
Elasticache
Memcache
(not Internet
accessible)
Memcache
Connecting to
admin console
EC2
Systems
Manager
HTTPS
Internet
Encrypted LDAP Query
HTTPS
HTTPS
SAP-managed
Mac
Jamf
Infrastructure
Manager (JIM)
Active Directory
Domain
Encrypted
LDAP queries to AD
Non-LDAP JIM comms
Non-LDAP JIM comms
LDAPS

View Slide

Amazon
EC2
Jamf Pro admin
console
(not Internet
accessible)
Elastic Load
Balancing
security group
security group
HTTPS
AWS Virtual
Private Cloud
Application Load
Balancer
(Accessible to SAP
IP addresses; TLS
Termination)
Connecting to
admin console
Administration

View Slide

Amazon
EC2
Systems
Manager
Jamf Pro admin console
(EC2 Systems Manager
agents installed)
(EC2 Systems Manager
agents installed)
security group
security group
AWS Virtual Private Cloud
HTTPS
HTTPS
Administration
https://derﬂounder.wordpress.com/2017/05/30/managing-aws-hosted-vms-
using-ec2-systems-manager/

View Slide

#!/bin/bash
# Stop the Jamf Tomcat processes
service jamf.tomcat8 stop

View Slide

{
"schemaVersion": "1.2",
"description": "Stop Tomcat on Jamf Pro instances",
"parameters": {
"upgradeType":{
"type":"String",
"default": "",
"description":"Stopping the Tomcat server on Jamf Pro servers"
}
},
"runtimeConfig": {
"aws:runShellScript": {
"properties": [
{
"id": "0.aws:runShellScript",
"runCommand": [
"#!/bin/bash",
"",
"# Stop the Jamf Tomcat processes",
"",
"service jamf.tomcat8 stop"
]
}
]
}
}
}

View Slide

#!/bin/bash
# This script is designed for use with EC2 Systems Manager's
# State Manager. It does the following tasks:
#
# 1. Check to see if /root/.TomcatMonitoringActive is present.
# 2. If /root/.TomcatMonitoringActive is present, run the
# following tasks:
#
# A. Check to see if the Tomcat service is active on port 8080
# B. If the Tomcat service is active, print a message and exit.
# C. If the Tomcat service is not active, print an error message
# and take the following actions:
# i. Restart the Tomcat service
#
# The reason for the file check for /root/.TomcatMonitoringActive
# is to allow Tomcat monitoring to be easily disabled for times
# when it would not be convenient for the automated Tomcat service
# restart to be active, like when performing upgrades to the Tomcat
# application or when the Tomcat application needs to be offline
# for maintenance reasons.
# Check for /root/.TomcatMonitoringActive
MONITORCHECK="/root/.TomcatMonitoringActive"
ERROR=0
if [[ -f "$MONITORCHECK" ]]; then
echo "Tomcat port monitoring is active."
# Check for Tomcat to be running on port 8080
PORTCHECK=$(/bin/netstat -tln | awk '/:8080/ {print $4}' | sed "s/://g")
if [[ "$PORTCHECK" = "8080" ]]; then
echo "Tomcat service is running on port $PORTCHECK"
else
echo "Tomcat service is not responding on port 8080"
echo "Restarting Tomcat service"
# Starts the JAMF Tomcat processes
service jamf.tomcat8 restart
fi
else
echo "Tomcat port monitoring is offline."
fi
exit $ERROR

View Slide

{
"schemaVersion": "1.2",
"description": "Monitor Tomcat on Jamf Pro instances",
"parameters": {
"upgradeType":{
"type":"String",
"default": "",
"description":"Monitoring the Tomcat service on Jamf Pro servers and perform automated service restarts if necessary"
}
},
"runtimeConfig": {
"aws:runShellScript": {
"properties": [
{
"id": "0.aws:runShellScript",
"runCommand": [
"#!/bin/bash",
"",
"# This script is designed for use with EC2 Systems Manager's",
"# State Manager. It does the following tasks:",
"#",
"# 1. Check to see if /root/.TomcatMonitoringActive is present.",
"# 2. If /root/.TomcatMonitoringActive is present, run the ",
"# following tasks:",
"# ",
"# A. Check to see if the Tomcat service is active on port 8080",
"# B. If the Tomcat service is active, print a message and exit.",
"# C. If the Tomcat service is not active, print an error message",
"# and take the following actions:",
"# i. Restart the Tomcat service",
"#",
"# The reason for the file check for /root/.TomcatMonitoringActive",
"# is to allow Tomcat monitoring to be easily disabled for times",
"# when it would not be convenient for the automated Tomcat service",
"# restart to be active, like when performing upgrades to the Tomcat",
"# application or when the Tomcat application needs to be offline ",
"# for maintenance reasons.",
"",
"# Check for /root/.TomcatMonitoringActive",
"",
"MONITORCHECK=\"/root/.TomcatMonitoringActive\"",
"",
"ERROR=0",
"",
"if [[ -f \"$MONITORCHECK\" ]]; then",
"",
" echo \"Tomcat port monitoring is active.\"",
"",
" # Check for Tomcat to be running on port 8080",
" PORTCHECK=$(/bin/netstat -tln | awk '/:8080/ {print $4}' | sed \"s/://g\")",
" ",
" if [[ \"$PORTCHECK\" = \"8080\" ]]; then",
" echo \"Tomcat service is running on port $PORTCHECK\"",
" else",
" echo \"Tomcat service is not responding on port 8080\"",
" echo \"Restarting Tomcat service\"",
"",
" # Starts the JAMF Tomcat processes",
"",
" service jamf.tomcat8 restart",
" fi",
"else",
" echo \"Tomcat port monitoring is offline.\"",
"fi",
"",
"exit $ERROR"
]
}
]
}
}
}

View Slide

Systems Manager
https://github.com/rtrouton/ec2_systems_manager

View Slide

Amazon 
S3
Jamf Pro
Cloud
Distribution
Point
(Internet
Accessible)
Amazon
EC2
Elastic Load
Balancing
Application Load
Balancer
(Internet Accessible;
TLS Termination)
security group
Internet
HTTPS
HTTPS
HTTPS
SAP-managed
Mac
AWS Virtual
Private Cloud
Client Management

View Slide

View Slide

Active
Directory Jamf Infrastructure
Manager (JIM)
LDAPS
Jamf Pro
Service
JIM enrollment and check-ins
DMZ
Encrypted
LDAP queries to AD
AWS Virtual
Private Cloud
Active Directory Access
https://derﬂounder.wordpress.com/category/jamf-infrastructure-manager/

View Slide

Amazon 
RDS
Jamf Pro MySQL
database
Amazon
EC2
Jamf Pro cluster
nodes
(not Internet
accessible)
security group
security group
(Not Internet accessible)
Virtual Private
Cloud
MySQL
Database Hosting

View Slide

Amazon 
Elasticache
Amazon
EC2
Jamf Pro cluster
nodes
(not Internet
accessible)
security group
security group
Virtual Private
Cloud
Memcache
Memcache
(not Internet
accessible)
Memcache Hosting

View Slide

Moving Jamf Pro to AWS

View Slide

View Slide

The Road To High Sierra
"The shipping OS is
our supported OS"
•Once High Sierra launched, it would be our
only supported operating system.
•Users requesting assistance, but not yet
running High Sierra, would need to upgrade to
High Sierra before the helpdesk could assist.

View Slide


View Slide

Admin user vs.
standard user
Standard
User
+
?

View Slide

Refresh Assistant
+
Recovery

View Slide

View Slide

Apple Pies

View Slide

View Slide

@HanaFiori

View Slide

Apple Pies

View Slide

View Slide

Secure Token

View Slide

View Slide

Local user accounts
• Created by Setup Assistant or Users &
Groups.
One user account per Mac
• Primary user of the Mac
• No IT user account
=
Secure Token enabled automatically

View Slide

View Slide

Assistant
+
Recovery

View Slide

View Slide

The Road To Mojave
Assistant
+
Recovery Apple@SAP

View Slide

View Slide

Apple CoE @
Mac CoE @

View Slide

View Slide

Downloads
PDF available from the following link:
http://tinyurl.com/JNUC2018SAPPDF
Keynote slides available from the
following link:
http://tinyurl.com/JNUC2018SAPKeynote

View Slide

Providing the Best Mac Experience Possible, From the Mac CoE Team with ❤️

Providing the Best Mac Experience Possible, From the Mac CoE Team with ❤️

Jamf

More Decks by Jamf

Other Decks in Technology

Featured

Transcript