State Management In The Era Of MDM

Jamf
October 23, 2018

Presentation from JNUC 2018, the world's largest rally of Apple IT administrators.

Session:
State Management In The Era Of MDM

Presented by:
Sergio Aviles

View all session slides, recordings and more at https://www.jamf.com/events/jamf-nation-user-conference/2018/.

Transcript

  1. © JAMF Software, LLC. Sergio Aviles, Systems Engineer, Unified Endpoint Management, Comcast Corporation
  2. Introduction: Born the seventh son of a seventh son, on a cold night under a blood moon…
  3. Introduction: Things to know about me • Using Apple Computers circa 1985 • Majored in Illustration at UArts in Philly • Bass player in several unknown bands • Has an album in iTunes and Spotify
  4. Introduction: Things to know about me • Worked in several Pre-Press shops • Worked for an Apple Reseller • Worked in Managed Services • Hired to focus on Mac management
  5. State Management in the Era of MDM. Overview: What is State Management? Why is it important? How is State Management done? What are the challenges DEP/MDM introduce? Where do we go from here?
  6. What is State Management? Managing a desired state of a device. • State = desired set of apps, configurations, files, services and users • Maintenance of that desired state in an idempotent way
  7. What is State Management? Idempotence, then, is… • Consistent, repeatable results from a process or workflow • “An essential property for reliable systems”
  8. What is State Management? Also known as Configuration Management • More apt term when applied to client devices • Interchangeable • Invokes initial deployment
  9. What is State Management? Like matter, devices can have different states • Initial, Current, Frozen, Desired, Ideal • The state of a device changes • Verifies current state vs. desired state • Control how, when, why and rate
  10. Types of States. Initial: State of the device before you apply or install anything to the device.
  11. Types of States. Current: State of the device as it exists at the time last reported.
  12. Types of States. Current: State of the device as it exists at the time you’re checking. (Heisenberg’s uncertainty principle)
  13. Types of States. Current: State of the device as it exists at the time you’re checking. (Heisenberg’s uncertainty principle)
  14. Types of States. Desired: State of the device compliant with your environment.
  15. Types of States. Frozen: Desired state that doesn’t change or reverts.
  16. Types of States. Ideal: • Current should always match Desired • An idempotent system ensures that • Doesn’t preclude changes
  17. Change is constant: Device states will change. • Software needs to be updated • New software needs to be installed • Profiles need to be changed or pulled • Settings need to be tweaked
  18. Change is constant: Device states will change. • Users customize and/or install extra software • Software needs to be uninstalled • Device becomes unmanaged • Device needs to be re-deployed
  19. Change is constant: Device states will change. • A continuous, relentless cycle of changes, big and small, constantly threatening to overwhelm you
  20. Managing Changes: Decide/define when changes will happen • Does $jawn need to change? • Why? • How do you want to change it? • When do you want to change it?
  21. Managing Changes: Verifying changes • How do you implement? • How do you track? • What is success or failure? • Who is responsible?
  22. Why is State Management Important? The way to lazy admin nirvana • Control • Automation • Reporting
  23. Why is State Management Important? Control • Ensure compliance • Manage changes • Manage who is responsible for changes
  24. Why is State Management Important? Automation • Do more with less • Idempotency • Quality of Life
  25. Why is State Management Important? Reporting • Know your environment • Answer questions • Justification • Manager friendly
  26. Standard State Management: How it’s typically done • Your desired state exists as text file
  27. Standard State Management: How it’s typically done • Text file lives in a repo somewhere
  28. Standard State Management: How it’s typically done • Commit changes to file in the repo
  29. Standard State Management: How it’s typically done • Commit changes to file in the repo
  30. Standard State Management: How it’s typically done • Commit changes to file in the repo
  31. Standard State Management: How it’s typically done • “Infrastructure as code” • Change control • Versioning • Bulk of work is done client side
  32. How MDM changes the equation: Apple’s Security Posture • User driven • 3rd party actions should be approved • No distinction for intent • MDM is exception mechanism
  33. How MDM changes the equation: Apple’s Security Posture • UAMDM/Supervised mode • UAKEL • User Privacy in macOS Mojave • MDM is now mandatory
  34. How MDM changes the equation: Privacy Preferences Policy Control • User data in certain directories now protected • AppleEvents and inter-app exchanges • Admin tools that subprocess out • May fail or not run if not approved
  35. How MDM changes the equation: MDM is not an idempotent service. • Best Effort • External service • Lack of insight/logging • “UDP of Management”
  36. How MDM changes the equation: Best Effort service • APNS, DEP, ABM/ASM, VPP, Activation • Process has been detailed extensively • Notification delivery isn’t guaranteed • Not idempotent
  37. How MDM changes the equation: External Service • APNS network owned by Apple • DEP/VPP requires 3rd party support • Secure Boot = DEP only deployments* • DEP not available everywhere, yet
  38. How MDM changes the equation: External Service • Lack of communication around changes • Little documentation around changes • Short testing windows for all parties • Immature implementations
  39. How MDM changes the equation: Insight and Logging • Lack of admin tools for DEP, MDM • Little documentation around tools
  40. How MDM changes the equation: Insight and Logging • Lack of admin tools for DEP, MDM • Little documentation around tools • Logging and troubleshooting not trivial • MDM vendors and 3rd party fill in gaps
  41. How MDM changes the equation: Configuration Profiles • Some settings can be overridden • Some Profiles only work at install time • Can’t pre-deploy some profiles • Not actively validating state
  42. Where do we go from here? State Management Systems lack MDM • Configuration profiles dynamically generated • Installed via `profiles` command • Not User-Approved • No whitelisting
  43. Where do we go from here? Toward a Stateful Jamf Pro • Not mutually exclusive • Smart Groups and EAs • Adds additional complexity • Requires additional engineering
  44. Where do we go from here? Server-side processing • Make clients do the work • Vary frequency • Passive over Active EAs • Simplify Smart Group Criteria
  45. Where do we go from here? Tooling • Search for something existing • Modify if necessary • Write your own if possible
  46. Where do we go from here? Experiment #1 • LaunchDaemon that calls app/script • Desired State hosted • Script reads state and verifies locally • Sets local EA values and does recon
  47. Where do we go from here? Experiment #1 • EA values read during recon • Smart group calculations made • Policies run at next check-in or trigger • Frequency to be determined
  48. Where do we go from here? Experiment #1 • Pro: Scales • Con: Reinventing the wheel
  49. Where do we go from here? Experiment #2 • Same as #1 except locally hosted state file • Pro: Less setup • Con: doesn’t scale as well
  50. Where do we go from here? Toward a Stateful Jamf Pro • Conditional Access integration helps • Integrate an existing solution • File FRs • Vote for similar FRs
  51. Greater Philadelphia Mac Admins: Website | Facebook | Twitter | #philly on MacAdmins Slack
  52. Check out Philly’s own John Mahlman: Leveraging DEPNotify and Jamf Pro for Device Deployment • Thursday, Oct. 25 at 9:00 AM - 9:45 AM • Nicollet Grand Ballroom
  53. Thanks to the following people: The Donna MacAdmins Twitter and Slack Jamf folks Comcast folks Et al
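
The local check that Experiment #1 (slides 46 and 47) describes, as an added example that is not from the deck: a script compares a desired-state document with the locally observed state and reduces the drift to flat extension-attribute strings that a Smart Group criterion can match. The JSON schema, the EA names and every sample value are constructed assumptions; collecting the current state from the device and running recon are left out.

```python
import json

# Constructed desired state; the schema is an assumption for this example.
DESIRED = json.loads("""{
  "apps": {"Firefox": "62.0.3", "Slack": "3.3.3"},
  "profiles": ["com.example.filevault", "com.example.firewall"],
  "services": {"com.example.agent": "running"}
}""")

# Constructed "current" state, as a local collector might report it.
CURRENT = {
    "apps": {"Firefox": "61.0.2", "Slack": "3.3.3", "Steam": "1.0"},
    "profiles": ["com.example.filevault"],
    "services": {"com.example.agent": "stopped"},
}

def diff_state(desired, current):
    """Return (category, item, expected, actual) for each desired item that drifted."""
    drift = []
    for cat in ("apps", "services"):  # name -> expected value
        have = current.get(cat, {})
        for name, want in desired.get(cat, {}).items():
            if have.get(name) != want:
                drift.append((cat, name, want, have.get(name)))
    installed = set(current.get("profiles", []))
    for ident in desired.get("profiles", []):  # presence only
        if ident not in installed:
            drift.append(("profiles", ident, "installed", None))
    return drift

def ea_values(desired, current):
    """Flatten drift into strings; the same inputs always give the same output."""
    drift = diff_state(desired, current)
    values = {"state_compliant": "false" if drift else "true"}
    for cat in ("apps", "profiles", "services"):
        names = sorted(n for c, n, _, _ in drift if c == cat)
        values["state_drift_" + cat] = ",".join(names) or "none"
    return values

if __name__ == "__main__":
    for key, value in ea_values(DESIRED, CURRENT).items():
        print(f"{key}={value}")
```

Only items named in the desired state are checked, so the extra app in the sample current state is not reported as drift; catching user-installed software would need a deny list in the state document.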