
Jamf
October 24, 2018

Providing the Best Mac Experience Possible, From the Mac CoE Team with ❤️

Presentation from JNUC 2018, the world's largest rally of Apple IT administrators.

Session:
Providing the Best Mac Experience Possible, From the Mac CoE Team with ❤️

Presented by:
Rich Trouton, SAP

View all session slides, recordings and more at https://www.jamf.com/events/jamf-nation-user-conference/2018/.


Transcript

  1. SAP Mac applications must fulfill the following requirements to be added to the monthly Release Train process:
     • Must be 64-bit and sandboxed
     • Must be digitally signed with a valid Apple Developer Certificate
     • Must be packaged with Apple's technology (e.g. Installer or drag-n-drop)
     • Must be a self-contained, single application bundle and cannot install code or resources in shared locations not approved by Apple (shared Containers for sandboxed Apps are OK, for example)
     • Must not install kernel extensions (kexts)!
     • Must not spawn additional processes that continue to run after the user has quit the App without the user's consent
     • Must not use deprecated or optionally installed technologies (Java, Flash, etc.)
     • Must not add to Login or startup items without the user's consent
     • Must not request elevation to root privileges or use setuid attributes (i.e. it must run within the user's space as a standard user)
     • Must only use public APIs for OS X and approved APIs for accessing or modifying user data for other Apps
     • Must comply with the macOS File System
     • Must not modify, change or disable the built-in Quarantine, firewall or Gatekeeper
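Several of the requirements above can be checked mechanically before an app is admitted to the Release Train. The following is an added example (not SAP's or Jamf's tooling) that audits an application bundle for the checks that can be read from disk: 64-bit Mach-O header, sandbox entitlement, bundled kexts, setuid/setgid bits, SMJobBless privileged helpers (root elevation) and login-item helpers (startup without consent). Code signature verification calls `codesign` only when it exists on the host, and the entitlement dictionary is passed in (on macOS it comes from `codesign -d --entitlements :- App.app`) so the remaining checks run anywhere. The bundle it audits is a constructed stand-in built in a temporary directory; the `GoodApp`/`BadApp` names and `com.example` identifier are placeholders.

```python
import os
import plistlib
import shutil
import stat
import struct
import subprocess
import tempfile

SANDBOX_KEY = "com.apple.security.app-sandbox"
MH_MAGIC_64 = {0xFEEDFACF, 0xCFFAEDFE}   # 64-bit Mach-O header, either byte order
FAT_MAGIC = 0xCAFEBABE                   # universal binary (big-endian header)
CPU_ARCH_ABI64 = 0x01000000              # set in cputype for 64-bit slices


def is_64bit(binary_path):
    """Read the Mach-O header: a thin 64-bit image passes, a fat image passes
    only if every slice is 64-bit, anything else (32-bit, not Mach-O) fails."""
    with open(binary_path, "rb") as f:
        data = f.read(4096)
    if len(data) < 8:
        return False
    magic, nfat = struct.unpack(">II", data[:8])
    if magic in MH_MAGIC_64:
        return True
    if magic == FAT_MAGIC:
        # fat_header is followed by nfat_arch 20-byte fat_arch records; cputype comes first
        slices = [struct.unpack(">I", data[8 + i * 20:12 + i * 20])[0] for i in range(nfat)]
        return bool(slices) and all(c & CPU_ARCH_ABI64 for c in slices)
    return False


def find_paths(app_path, predicate):
    """Relative paths of every file or directory in the bundle matching predicate."""
    hits = []
    for root, dirs, files in os.walk(app_path):
        for name in dirs + files:
            full = os.path.join(root, name)
            if predicate(full):
                hits.append(os.path.relpath(full, app_path))
    return sorted(hits)


def is_setuid_or_setgid(path):
    mode = os.lstat(path).st_mode
    return stat.S_ISREG(mode) and bool(mode & (stat.S_ISUID | stat.S_ISGID))


def signature_valid(app_path):
    """Run codesign where it exists (macOS); None means the check was skipped."""
    if shutil.which("codesign") is None:
        return None
    result = subprocess.run(["codesign", "--verify", "--deep", "--strict", app_path],
                            capture_output=True)
    return result.returncode == 0


def audit_bundle(app_path, entitlements):
    """entitlements: the dict obtained from `codesign -d --entitlements :- App.app`,
    passed in so the remaining checks also run on a host without codesign."""
    with open(os.path.join(app_path, "Contents", "Info.plist"), "rb") as f:
        info = plistlib.load(f)
    exe = os.path.join(app_path, "Contents", "MacOS", info["CFBundleExecutable"])
    lib = os.path.join(app_path, "Contents", "Library")
    return {
        "64bit": is_64bit(exe),
        "sandboxed": entitlements.get(SANDBOX_KEY) is True,
        "no_kexts": not find_paths(app_path, lambda p: p.endswith(".kext")),
        "no_setuid": not find_paths(app_path, is_setuid_or_setgid),
        # Contents/Library/LaunchServices holds SMJobBless helpers, i.e. root elevation
        "no_privileged_helper": not os.path.isdir(os.path.join(lib, "LaunchServices")),
        # Contents/Library/LoginItems holds login-item helpers: needs user consent
        "no_login_item_helper": not os.path.isdir(os.path.join(lib, "LoginItems")),
        "signature_valid": signature_valid(app_path),
    }


def build_demo_bundle(parent, name, bits=64, with_kext=False, setuid=False):
    """Constructed stand-in for a real .app: Info.plist plus a stub executable that
    carries only a Mach-O magic number (there is no codesign off macOS)."""
    app = os.path.join(parent, name + ".app")
    macos = os.path.join(app, "Contents", "MacOS")
    os.makedirs(macos)
    with open(os.path.join(app, "Contents", "Info.plist"), "wb") as f:
        plistlib.dump({"CFBundleExecutable": name,
                       "CFBundleIdentifier": "com.example." + name}, f)
    exe = os.path.join(macos, name)
    with open(exe, "wb") as f:   # on-disk bytes of MH_MAGIC_64 vs the 32-bit MH_MAGIC
        f.write((b"\xcf\xfa\xed\xfe" if bits == 64 else b"\xce\xfa\xed\xfe") + b"\0" * 28)
    if setuid:
        os.chmod(exe, 0o4755)
    if with_kext:
        os.makedirs(os.path.join(app, "Contents", "PlugIns", "Helper.kext"))
    return app


def demo():
    """Audit one compliant and one non-compliant constructed bundle."""
    with tempfile.TemporaryDirectory() as tmp:
        good = audit_bundle(build_demo_bundle(tmp, "GoodApp"), {SANDBOX_KEY: True})
        bad = audit_bundle(build_demo_bundle(tmp, "BadApp", bits=32, with_kext=True, setuid=True), {})
    return good, bad


if __name__ == "__main__":
    for name, report in zip(("GoodApp", "BadApp"), demo()):
        failed = [k for k, v in report.items() if v is False]
        print(name, "FAIL: " + ", ".join(failed) if failed else "OK", report)
```

Checks that need the signature itself (Developer ID validity, packaging format, use of private APIs, deprecated runtimes) are outside what a directory walk can answer and stay with `codesign`, `spctl` and manual review; the point of the script is to fail fast on the requirements that are cheap to test.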
  2. [Chart: y-axis 0 to 9000, x-axis Jan 2013, October 2013, October 2014, October 2015, August 2016; series by Mac model: MacBook Pro, MacBook Air, Mac Mini, iMac, MacBook]
  3. Privileges
     • Allows a standard user account to easily request admin rights
     • Give yourself admin rights when you need them
     • Take away admin rights when you don't
     • Enhances the Mac's security without impacting performance or productivity
     • Easy-to-use application
     • Includes a command line version to allow workflow automation
  4. One place to discuss Macs and to be informed of new developments
     • All new Knowledge Base
     • All information is now available outside the corporate network
     • Well structured
     • More colourful and engaging, using nice pictures and emojis
     • Current news and information
     • 2000+ new members in the run-up to the Sierra release
     • Videos
  5. Why host in Amazon Web Services?
     • Leverage AWS' high availability services
     • Mac-supporting services accessible anywhere
     • SAP IT is able to manage all corporate-managed Macs anywhere
  6. What are we using in Amazon Web Services?
     • S3
     • Elastic Load Balancing
     • EC2
     • RDS
     • Elasticache
     https://aws.amazon.com/products/
  7. [Architecture diagram: Jamf Pro hosted in an AWS Virtual Private Cloud]
     • Amazon RDS: Jamf Pro MySQL database (not Internet accessible), reached over MySQL from the cluster nodes
     • Amazon S3: Jamf Pro Cloud Distribution Point (Internet accessible)
     • Amazon EC2: Jamf Pro cluster nodes (admin console disabled, not Internet accessible) and a separate Jamf Pro admin console node (not Internet accessible), each in its own security group
     • Elastic Load Balancing: an Internet-accessible Application Load Balancer (TLS termination) taking HTTPS from SAP-managed Macs, and a second Application Load Balancer accessible only to SAP IP addresses (TLS termination) for connecting to the admin console
     • Amazon Elasticache: Memcache (not Internet accessible)
     • EC2 Systems Manager: used for connecting to the admin console over HTTPS
     • Jamf Infrastructure Manager (JIM): encrypted LDAP queries (LDAPS) to the Active Directory domain; non-LDAP JIM communication with Jamf Pro
  8. [Diagram: Administration] Amazon EC2 hosts the Jamf Pro admin console (not Internet accessible) and the Jamf Pro cluster nodes (admin console disabled, not Internet accessible), each in its own security group inside the AWS Virtual Private Cloud; connecting to the admin console goes over HTTPS through an Application Load Balancer accessible only to SAP IP addresses (TLS termination).
  9. [Diagram: Administration via EC2 Systems Manager] The Jamf Pro admin console and the Jamf Pro cluster nodes, each with EC2 Systems Manager agents installed and each in its own security group inside the AWS Virtual Private Cloud, are managed by Amazon EC2 Systems Manager over HTTPS.
     https://derflounder.wordpress.com/2017/05/30/managing-aws-hosted-vms-using-ec2-systems-manager/
  10. EC2 Systems Manager document: Stop Tomcat on Jamf Pro instances

```json
{
  "schemaVersion": "1.2",
  "description": "Stop Tomcat on Jamf Pro instances",
  "parameters": {
    "upgradeType": {
      "type": "String",
      "default": "",
      "description": "Stopping the Tomcat server on Jamf Pro servers"
    }
  },
  "runtimeConfig": {
    "aws:runShellScript": {
      "properties": [
        {
          "id": "0.aws:runShellScript",
          "runCommand": [
            "#!/bin/bash",
            "",
            "# Stop the Jamf Tomcat processes",
            "",
            "service jamf.tomcat8 stop"
          ]
        }
      ]
    }
  }
}
```
  11. Tomcat monitoring script for EC2 Systems Manager's State Manager

```bash
#!/bin/bash

# This script is designed for use with EC2 Systems Manager's
# State Manager. It does the following tasks:
#
# 1. Check to see if /root/.TomcatMonitoringActive is present.
# 2. If /root/.TomcatMonitoringActive is present, run the
#    following tasks:
#
#    A. Check to see if the Tomcat service is active on port 8080
#    B. If the Tomcat service is active, print a message and exit.
#    C. If the Tomcat service is not active, print an error message
#       and take the following actions:
#       i. Restart the Tomcat service
#
# The reason for the file check for /root/.TomcatMonitoringActive
# is to allow Tomcat monitoring to be easily disabled for times
# when it would not be convenient for the automated Tomcat service
# restart to be active, like when performing upgrades to the Tomcat
# application or when the Tomcat application needs to be offline
# for maintenance reasons.

# Check for /root/.TomcatMonitoringActive

MONITORCHECK="/root/.TomcatMonitoringActive"

ERROR=0

if [[ -f "$MONITORCHECK" ]]; then

  echo "Tomcat port monitoring is active."

  # Check for Tomcat to be listening on port 8080. The local-address
  # column is reduced to just the port so that both an IPv4 socket
  # (0.0.0.0:8080) and an IPv6 socket (:::8080) match.
  PORTCHECK=$(/bin/netstat -tln | awk '$4 ~ /:8080$/ {sub(/.*:/, "", $4); print $4; exit}')

  if [[ "$PORTCHECK" = "8080" ]]; then
    echo "Tomcat service is running on port $PORTCHECK"
  else
    echo "Tomcat service is not responding on port 8080"
    echo "Restarting Tomcat service"

    # Starts the JAMF Tomcat processes
    service jamf.tomcat8 restart
  fi
else
  echo "Tomcat port monitoring is offline."
fi

exit $ERROR
```
  12. EC2 Systems Manager document: Monitor Tomcat on Jamf Pro instances

```json
{
  "schemaVersion": "1.2",
  "description": "Monitor Tomcat on Jamf Pro instances",
  "parameters": {
    "upgradeType": {
      "type": "String",
      "default": "",
      "description": "Monitoring the Tomcat service on Jamf Pro servers and perform automated service restarts if necessary"
    }
  },
  "runtimeConfig": {
    "aws:runShellScript": {
      "properties": [
        {
          "id": "0.aws:runShellScript",
          "runCommand": [
            "#!/bin/bash",
            "",
            "# This script is designed for use with EC2 Systems Manager's",
            "# State Manager. It does the following tasks:",
            "#",
            "# 1. Check to see if /root/.TomcatMonitoringActive is present.",
            "# 2. If /root/.TomcatMonitoringActive is present, run the",
            "#    following tasks:",
            "#",
            "#    A. Check to see if the Tomcat service is active on port 8080",
            "#    B. If the Tomcat service is active, print a message and exit.",
            "#    C. If the Tomcat service is not active, print an error message",
            "#       and take the following actions:",
            "#       i. Restart the Tomcat service",
            "#",
            "# The reason for the file check for /root/.TomcatMonitoringActive",
            "# is to allow Tomcat monitoring to be easily disabled for times",
            "# when it would not be convenient for the automated Tomcat service",
            "# restart to be active, like when performing upgrades to the Tomcat",
            "# application or when the Tomcat application needs to be offline",
            "# for maintenance reasons.",
            "",
            "# Check for /root/.TomcatMonitoringActive",
            "",
            "MONITORCHECK=\"/root/.TomcatMonitoringActive\"",
            "",
            "ERROR=0",
            "",
            "if [[ -f \"$MONITORCHECK\" ]]; then",
            "",
            "  echo \"Tomcat port monitoring is active.\"",
            "",
            "  # Check for Tomcat to be listening on port 8080; keep only the port",
            "  # so both an IPv4 (0.0.0.0:8080) and an IPv6 (:::8080) socket match",
            "  PORTCHECK=$(/bin/netstat -tln | awk '$4 ~ /:8080$/ {sub(/.*:/, \"\", $4); print $4; exit}')",
            "",
            "  if [[ \"$PORTCHECK\" = \"8080\" ]]; then",
            "    echo \"Tomcat service is running on port $PORTCHECK\"",
            "  else",
            "    echo \"Tomcat service is not responding on port 8080\"",
            "    echo \"Restarting Tomcat service\"",
            "",
            "    # Starts the JAMF Tomcat processes",
            "",
            "    service jamf.tomcat8 restart",
            "  fi",
            "else",
            "  echo \"Tomcat port monitoring is offline.\"",
            "fi",
            "",
            "exit $ERROR"
          ]
        }
      ]
    }
  }
}
```
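The documents on slides 10 and 12 carry the shell script as a `runCommand` array of hand-escaped JSON strings, one per line, which is easy to get out of step with the script kept in version control. The following is an added example (not Jamf's or SAP's code) that builds a `schemaVersion` 1.2 command document from a script string, recovers the script from a document read back as JSON, and reports which lines of a deployed document differ from the reference script. The `STOP_SCRIPT` text is the stop script shown on slide 10; the unused `upgradeType` parameter declared there is left out.

```python
import json

# The stop script from slide 10, as it would be kept as a file in version control.
STOP_SCRIPT = """#!/bin/bash

# Stop the Jamf Tomcat processes

service jamf.tomcat8 stop
"""


def build_document(description, script):
    """Wrap a shell script in a schemaVersion 1.2 command document, one
    runCommand entry per script line, the layout used on the slides."""
    return {
        "schemaVersion": "1.2",
        "description": description,
        "parameters": {},
        "runtimeConfig": {"aws:runShellScript": {"properties": [
            {"id": "0.aws:runShellScript", "runCommand": script.rstrip("\n").split("\n")}
        ]}},
    }


def extract_script(document):
    """Inverse of build_document: recover the script text from a document as
    loaded from JSON (or returned by the SSM GetDocument API) for review."""
    lines = []
    for prop in document["runtimeConfig"]["aws:runShellScript"]["properties"]:
        lines.extend(prop["runCommand"])
    return "\n".join(lines) + "\n"


def drift(document, reference_script):
    """1-based line numbers where the deployed document's script differs from
    the reference script; an empty list means the two are in sync."""
    deployed = extract_script(document).rstrip("\n").split("\n")
    reference = reference_script.rstrip("\n").split("\n")
    longest = max(len(deployed), len(reference))
    deployed += [None] * (longest - len(deployed))
    reference += [None] * (longest - len(reference))
    return [i + 1 for i, (a, b) in enumerate(zip(deployed, reference)) if a != b]


def roundtrip(script, description="example"):
    """Serialise to JSON the way the document is stored, then read it back."""
    stored = json.dumps(build_document(description, script), indent=2)
    return extract_script(json.loads(stored))


if __name__ == "__main__":
    doc = build_document("Stop Tomcat on Jamf Pro instances", STOP_SCRIPT)
    print(json.dumps(doc, indent=2))
    edited = STOP_SCRIPT.replace("stop", "restart")
    print("drift against edited copy:", drift(doc, edited))
```

Run periodically against the document fetched from SSM, `drift` turns an unnoticed edit made in the console into a numbered finding; an empty list is the expected steady state.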
  13. [Diagram: Client Management] Amazon S3 hosts the Jamf Pro Cloud Distribution Point (Internet accessible); Amazon EC2 hosts the Jamf Pro cluster nodes (admin console disabled, not Internet accessible) in a security group inside the AWS Virtual Private Cloud; SAP-managed Macs reach the cluster nodes over the Internet via HTTPS through an Internet-accessible Application Load Balancer (TLS termination).
  14. [Diagram: Active Directory Access] The Jamf Infrastructure Manager (JIM) sits in the DMZ and sends encrypted LDAP queries (LDAPS) to Active Directory; JIM enrollment and check-ins go to the Jamf Pro service in the AWS Virtual Private Cloud.
      https://derflounder.wordpress.com/category/jamf-infrastructure-manager/
  15. [Diagram: Database Hosting] Amazon RDS hosts the Jamf Pro MySQL database (not Internet accessible); the Amazon EC2 Jamf Pro cluster nodes (not Internet accessible) reach it over MySQL, each side in its own security group inside the Virtual Private Cloud.
  16. [Diagram: Memcache Hosting] Amazon Elasticache hosts Memcache (not Internet accessible); the Amazon EC2 Jamf Pro cluster nodes (not Internet accessible) reach it over Memcache, each side in its own security group inside the Virtual Private Cloud.
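The exposure rules drawn on the diagrams (slides 7 and 13 to 16) only hold while the security groups keep matching them: the client ALB is the one Internet-facing component, the admin ALB answers only to SAP addresses, and the cluster nodes, RDS and Memcache accept traffic only from the tier in front of them. The following is an added example (not SAP's or Jamf's code) that encodes that intent as a policy and evaluates security groups in the shape `describe_security_groups` returns against it. The groups below are constructed sample data; the group IDs, the listener ports and the `203.0.113.0/24` range standing in for "SAP IP addresses" are assumptions.

```python
import ipaddress

INTERNET_CIDRS = {"0.0.0.0/0", "::/0"}

# Intended inbound exposure per tier, read off the diagrams. Group IDs, ports
# and the 203.0.113.0/24 "SAP" range are assumptions made for this example.
POLICY = {
    "sg-alb-client": {"ports": {443}, "internet": True},
    "sg-alb-admin": {"ports": {443}, "cidrs": {"203.0.113.0/24"}},
    "sg-jamf-nodes": {"ports": {8080}, "groups": {"sg-alb-client", "sg-alb-admin"}},
    "sg-rds-mysql": {"ports": {3306}, "groups": {"sg-jamf-nodes"}},
    "sg-memcache": {"ports": {11211}, "groups": {"sg-jamf-nodes"}},
}


def port_span(perm):
    """Human-readable port range of one IpPermissions entry ("-1" = every port)."""
    if perm.get("IpProtocol") == "-1":
        return "all ports"
    lo, hi = perm["FromPort"], perm["ToPort"]
    return str(lo) if lo == hi else f"{lo}-{hi}"


def ports_allowed(perm, allowed):
    if perm.get("IpProtocol") == "-1":
        return False
    return all(p in allowed for p in range(perm["FromPort"], perm["ToPort"] + 1))


def cidr_allowed(cidr, rule):
    """Internet-wide CIDRs need an explicit 'internet' grant; anything else must
    fall inside one of the rule's allow-listed networks of the same IP version."""
    if cidr in INTERNET_CIDRS:
        return rule.get("internet", False)
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(allowed)
               for allowed in map(ipaddress.ip_network, rule.get("cidrs", ()))
               if allowed.version == net.version)


def evaluate_group(group, rule):
    """Findings for one describe_security_groups entry; [] means it matches the policy."""
    findings = []
    for perm in group.get("IpPermissions", []):
        span = port_span(perm)
        if not ports_allowed(perm, rule["ports"]):
            findings.append(f"unexpected port range {span}")
        for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
            if not cidr_allowed(cidr, rule):
                source = "Internet" if cidr in INTERNET_CIDRS else cidr
                findings.append(f"open to {source} on {span}")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair["GroupId"] not in rule.get("groups", set()):
                findings.append(f"open to group {pair['GroupId']} on {span}")
    return findings


def audit(groups, policy=POLICY):
    """Map each group id to its findings; a group the policy does not know is a finding."""
    return {g["GroupId"]: (evaluate_group(g, policy[g["GroupId"]]) if g["GroupId"] in policy
                           else ["no policy entry for this group"]) for g in groups}


def perm(lo, hi, cidrs=(), groups=()):
    """Build a TCP IpPermissions entry in the describe_security_groups shape."""
    return {"IpProtocol": "tcp", "FromPort": lo, "ToPort": hi,
            "IpRanges": [{"CidrIp": c} for c in cidrs], "Ipv6Ranges": [],
            "UserIdGroupPairs": [{"GroupId": g} for g in groups]}


# Constructed sample: the admin ALB and RDS groups have each gained an 0.0.0.0/0
# rule since the diagram was drawn; the other three still match it.
SAMPLE_GROUPS = [
    {"GroupId": "sg-alb-client", "IpPermissions": [perm(443, 443, cidrs=["0.0.0.0/0"])]},
    {"GroupId": "sg-alb-admin", "IpPermissions": [perm(443, 443, cidrs=["203.0.113.0/24", "0.0.0.0/0"])]},
    {"GroupId": "sg-jamf-nodes", "IpPermissions": [perm(8080, 8080, groups=["sg-alb-client", "sg-alb-admin"])]},
    {"GroupId": "sg-rds-mysql", "IpPermissions": [perm(3306, 3306, cidrs=["0.0.0.0/0"], groups=["sg-jamf-nodes"])]},
    {"GroupId": "sg-memcache", "IpPermissions": [perm(11211, 11211, groups=["sg-jamf-nodes"])]},
]

if __name__ == "__main__":
    # With boto3 the live input would be ec2.describe_security_groups()["SecurityGroups"]
    for group_id, findings in audit(SAMPLE_GROUPS).items():
        print(group_id, "OK" if not findings else "; ".join(findings))
```

A rule that grants "-1" (all protocols and ports) is always reported, even when its source group is allowed, because none of the tiers on the diagram needs more than one listener port.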
  17. The Road To High Sierra: "The shipping OS is our supported OS"
      • Once High Sierra launched, it would be our only supported operating system.
      • Users requesting assistance, but not yet running High Sierra, would need to upgrade to High Sierra before the helpdesk could assist.
  18. Local user accounts
      • Created by Setup Assistant or Users & Groups
      • One user account per Mac
      • Primary user of the Mac
      • No IT user account = Secure Token enabled automatically
  19. [Repeat of the SAP Mac application requirements list from slide 1]
  20. [Repeat of the SAP Mac application requirements list from slide 1]
  21. Downloads
      • PDF available from the following link: http://tinyurl.com/JNUC2018SAPPDF
      • Keynote slides available from the following link: http://tinyurl.com/JNUC2018SAPKeynote