State Management In The Era Of MDM

Transcript

1. None

2. © JAMF Software, LLC Sergio Aviles Systems Engineer, Unified Endpoint

   Management Comcast Corporation 275x275 head shot

3. © JAMF Software, LLC Introduction Born the seventh son of

   a seventh son, on a cold night under a blood moon….

4. © JAMF Software, LLC Introduction • Using Apple Computers circa

   1985 • Majored in Illustration at UArts in Philly • Bass player in several unknown bands • Has an album in iTunes and Spotify Things to know about me

5. © JAMF Software, LLC Introduction • Worked in several Pre-Press

   shops • Worked for an Apple Reseller • Worked in Managed Services • Hired to focus on Mac management Things to know about me

6. © JAMF Software, LLC State Management in the Era of

   MDM Overview What is State Management? Why is it important? How is State Management done? What are the challenges DEP/MDM introduce? Where do we go from here?

7. © JAMF Software, LLC What is State Management? • State

   = desired set of apps, configurations, files, services and users • Maintenance of that desired state in an idempotent way Managing a desired state of a device.

8. © JAMF Software, LLC What is State Management? Idempotence is…

9. © JAMF Software, LLC What is State Management? Idempotence is…

   • Not actually a word

10. © JAMF Software, LLC What is State Management? Idempotent is…

11. © JAMF Software, LLC What is State Management? Idempotence, then,

    is… • Consistent, repeatable results from a process or workflow • “An essential property for reliable 
 systems”

12. © JAMF Software, LLC What is State Management? Also known

    as Configuration Management • More apt term when applied to client devices • Interchangeable • Invokes initial deployment

13. © JAMF Software, LLC What is State Management? Like matter,

    devices can have different states • Initial, Current, Frozen, Desired, Ideal • The state of a device changes • Verifies current state vs. desired state • Control how, when, why and rate

14. © JAMF Software, LLC 780 px 650 px Max image

    dimensions Types of States Initial: State of the device before you apply or install anything to the device.

15. © JAMF Software, LLC 780 px 650 px Max image

    dimensions Types of States Current: State of the device as it exists at the time last reported.

16. © JAMF Software, LLC 780 px 650 px Max image

    dimensions Types of States Current: State of the device as it exists at the time you’re checking. (Heisenberg’s uncertainty principle)

17. © JAMF Software, LLC 780 px 650 px Max image

    dimensions Types of States Current: State of the device as it exists at the time you’re checking. (Heisenberg’s uncertainty principle)

18. © JAMF Software, LLC 780 px 650 px Max image

    dimensions Types of States Desired: State of the device compliant with your environment.

19. © JAMF Software, LLC 780 px 650 px Max image

    dimensions Types of States Frozen: Desired state that doesn’t change or reverts.

20. © JAMF Software, LLC Types of States • Current should

    always match Desired • An idempotent system ensures that • Doesn’t preclude changes Ideal:

21. © JAMF Software, LLC There is nothing permanent except change.

    -Heraclitus

22. © JAMF Software, LLC Change is constant • Software needs

    to be updated • New software needs to be installed • Profiles need to be changed or pulled • Settings need to be tweaked Device states will change.

23. © JAMF Software, LLC Change is constant • Users customize

    and/or install extra software • Software needs to be uninstalled • Device becomes unmanaged • Device needs to be re-deployed Device states will change.

24. © JAMF Software, LLC Change is constant • A continuous,

    relentless cycle of changes, big and small, constantly threatening to overwhelm you Device states will change.

25. © JAMF Software, LLC Managing Changes • Does $jawn need

    to change? • Why? • How do you want to change it? • When do you want to change it? Decide/define when changes will happen

26. © JAMF Software, LLC Managing Changes • How do you

    implement? • How do you track? • What is success or failure? • Who is responsible? Verifying changes

27. © JAMF Software, LLC Why is State Management Important? •

    Control • Automation • Reporting The way to lazy admin nirvana

28. © JAMF Software, LLC 780 px 650 px Max image

    dimensions Why is State Management Important? Control • Ensure compliance • Manage changes • Manage who is responsible for changes

29. © JAMF Software, LLC 780 px 650 px Max image

    dimensions Why is State Management Important? Automation • Do more with less • Idempotency • Quality of Life

30. © JAMF Software, LLC 780 px 650 px Max image

    dimensions Why is State Management Important? Reporting • Know your environment • Answer questions • Justification • Manager friendly

31. © JAMF Software, LLC Standard State Management How it’s typically

    done • Your desired state exists as text file

32. © JAMF Software, LLC Standard State Management How it’s typically

    done • Text file lives in a repo somewhere

33. © JAMF Software, LLC Standard State Management How it’s typically

    done • Commit changes to file in the repo

34. © JAMF Software, LLC Standard State Management How it’s typically

    done • Commit changes to file in the repo

35. © JAMF Software, LLC Standard State Management How it’s typically

    done • Commit changes to file in the repo

36. © JAMF Software, LLC Standard State Management How it’s typically

    done • Clients make changes to match

37. © JAMF Software, LLC Standard State Management • “Infrastructure as

    code” • Change control • Versioning • Bulk of work is done client side How it’s typically done

38. © JAMF Software, LLC Standard State Management How it’s typically

    done

39. © JAMF Software, LLC How MDM changes the equation •

    User driven • 3rd party actions should be approved • No distinction for intent • MDM is exception mechanism Apple’s Security Posture

40. © JAMF Software, LLC How MDM changes the equation •

    UAMDM/Supervised mode • UAKEL • User Privacy in macOS Mojave • MDM is now mandatory Apple’s Security Posture

41. © JAMF Software, LLC How MDM changes the equation •

    User data in certain directories now protected • AppleEvents and inter-app exchanges • Admin tools that subprocess out • May fail or not run if not approved Privacy Preferences Policy Control

42. © JAMF Software, LLC How MDM changes the equation MDM

    is not an idempotent service

43. © JAMF Software, LLC How MDM changes the equation •

    Best Effort • External service • Lack of insight/logging • “UDP of Management” MDM is not an idempotent service.

44. © JAMF Software, LLC How MDM changes the equation •

    APNS, DEP, ABM/ASM, VPP, Activation • Process has been detailed extensively • Notification delivery isn’t guaranteed • Not idempotent Best Effort service

45. © JAMF Software, LLC How MDM changes the equation •

    APNS network owned by Apple • DEP/VPP requires 3rd party support • Secure Boot = DEP only deployments* • DEP not available everywhere, yet External Service

46. © JAMF Software, LLC How MDM changes the equation •

    Lack of communication around changes • Little documentation around changes • Short testing windows for all parties • Immature implementations External Service

47. © JAMF Software, LLC How MDM changes the equation •

    Lack of admin tools for DEP, MDM • Little documentation around tools Insight and Logging

48. © JAMF Software, LLC $ man mdmclient

49. © JAMF Software, LLC How MDM changes the equation •

    Lack of admin tools for DEP, MDM • Little documentation around tools • Logging and troubleshooting not trivial • MDM vendors and 3rd party fill in gaps Insight and Logging

50. © JAMF Software, LLC Screenshot or photo dimensions 1080 px

    525 px

51. © JAMF Software, LLC How MDM changes the equation •

    Some settings can be overridden • Some Profiles only work at install time • Can’t pre-deploy some profiles • Not actively validating state Configuration Profiles

52. © JAMF Software, LLC Where do we go from here?

    • Configuration profiles dynamically generated • Installed via `profiles` command • Not User-Approved • No whitelisting State Management Systems lack MDM

53. © JAMF Software, LLC Where do we go from here?

    • Not mutually exclusive • Smart Groups and EAs • Adds additional complexity • Requires additional engineering Toward a Stateful Jamf Pro

54. © JAMF Software, LLC Where do we go from here?

    • Make clients do the work • Vary frequency • Passive over Active EAs • Simplify Smart Group Criteria Server-side processing

55. © JAMF Software, LLC Where do we go from here?

    • Search for something existing • Modify if necessary • Write your own if possible Tooling

56. © JAMF Software, LLC Where do we go from here?

    • LaunchDaemon that calls app/script • Desired State hosted • Script reads state and verifies locally • Sets local EA values and does recon Experiment #1

57. © JAMF Software, LLC Where do we go from here?

    • EA values read during recon • Smart group calculations made • Policies run at next check-in or trigger • Frequency to be determined Experiment #1

58. © JAMF Software, LLC Where do we go from here?

    • Pro: Scales • Con: Reinventing the wheel Experiment #1

59. © JAMF Software, LLC Where do we go from here?

    • Same as #1 except locally hosted state file • Pro: Less setup • Con: doesn’t scale as well Experiment #2

60. © JAMF Software, LLC Where do we go from here?

    • Conditional Access integration helps • Integrate an existing solution • File FRs • Vote for similar FRs Toward a Stateful Jamf Pro

61. © JAMF Software, LLC Website | Facebook | Twitter |

    #philly on MacAdmins Slack Greater Philadelphia Mac Admins

62. © JAMF Software, LLC

63. © JAMF Software, LLC Check out Philly’s own John Mahlman

    • Thursday, Oct. 25 at 9:00 AM - 9:45 AM • Nicollet Grand Ballroom Leveraging DEPNotify and Jamf Pro for Device Deployment

64. © JAMF Software, LLC Thanks to the following people The

    Donna MacAdmins Twitter and Slack Jamf folks Comcast folks Et al

65. © JAMF Software, LL THANK YOU!