State Management In The Era Of MDM

View Slide

© JAMF Software, LLC
Sergio Aviles
Systems Engineer, Uniﬁed Endpoint Management

Comcast Corporation
275x275

head shot

View Slide

Introduction
Born the seventh son
of a seventh son, on a
cold night under a
blood moon….

View Slide

Introduction
• Using Apple Computers circa 1985

• Majored in Illustration at UArts in Philly

• Bass player in several unknown bands

• Has an album in iTunes and Spotify
Things to know about me

View Slide

Introduction
• Worked in several Pre-Press shops

• Worked for an Apple Reseller

• Worked in Managed Services

• Hired to focus on Mac management
Things to know about me

View Slide

State Management in the Era of MDM
Overview
What is State Management?

Why is it important?

How is State Management done?

What are the challenges DEP/MDM introduce?

Where do we go from here?

View Slide

• State = desired set of apps, conﬁgurations, ﬁles,
services and users

• Maintenance of that desired state in an
idempotent way
Managing a desired state of a device.

View Slide

Idempotence is…

View Slide

Idempotence is…
• Not actually a word

View Slide

Idempotent is…

View Slide

Idempotence, then, is…
• Consistent, repeatable results from a
process or workﬂow

• “An essential property for reliable  
systems”

View Slide

Also known as Conﬁguration Management
• More apt term when applied to client devices

• Interchangeable

• Invokes initial deployment

View Slide

Like matter, devices can have different states
• Initial, Current, Frozen, Desired, Ideal

• The state of a device changes

• Veriﬁes current state vs. desired state

• Control how, when, why and rate

View Slide

780 px
650 px
Max image dimensions
Types of States
Initial:
State of the device
before you apply or
install anything to the
device.

View Slide

780 px
650 px
Types of States
Current:
State of the device as it
exists at the time last
reported.

View Slide

780 px
650 px
Types of States
Current:
State of the device as it
exists at the time you’re
checking.
(Heisenberg’s
uncertainty principle)

View Slide

780 px
650 px
Types of States
Desired:
State of the device
compliant with your
environment.

View Slide

780 px
650 px
Types of States
Frozen:
Desired state that
doesn’t change or
reverts.

View Slide

Types of States
• Current should always match Desired

• An idempotent system ensures that

• Doesn’t preclude changes
Ideal:

View Slide

There is nothing permanent
except change.
-Heraclitus

View Slide

Change is constant
• Software needs to be updated

• New software needs to be installed

• Proﬁles need to be changed or pulled

• Settings need to be tweaked
Device states will change.

View Slide

Change is constant
• Users customize and/or install extra software

• Software needs to be uninstalled

• Device becomes unmanaged

• Device needs to be re-deployed

View Slide

Change is constant
• A continuous, relentless cycle of changes,
big and small, constantly threatening to
overwhelm you

View Slide

Managing Changes
• Does $jawn need to change?

• Why?

• How do you want to change it?

• When do you want to change it?
Decide/deﬁne when changes will happen

View Slide

Managing Changes
• How do you implement?

• How do you track?

• What is success or failure?

• Who is responsible?
Verifying changes

View Slide

Why is State Management Important?
• Control

• Automation

• Reporting
The way to lazy admin nirvana

View Slide

780 px
650 px
Control
• Ensure compliance

• Manage changes

• Manage who is
responsible for changes

View Slide

780 px
650 px
Automation
• Do more with less

• Idempotency

• Quality of Life

View Slide

780 px
650 px
Reporting
• Know your environment

• Answer questions

• Justiﬁcation

• Manager friendly

View Slide

Standard State Management
How it’s typically done
• Your desired state exists as text ﬁle

View Slide

• Text ﬁle lives in a repo somewhere

View Slide

• Commit changes to ﬁle in the repo

View Slide

• Clients make changes to match

View Slide

• “Infrastructure as code”

• Change control

• Versioning

• Bulk of work is done client side

View Slide


View Slide

How MDM changes the equation
• User driven

• 3rd party actions should be approved

• No distinction for intent

• MDM is exception mechanism
Apple’s Security Posture

View Slide

• UAMDM/Supervised mode

• UAKEL

• User Privacy in macOS Mojave

• MDM is now mandatory
Apple’s Security Posture

View Slide

• User data in certain directories now protected

• AppleEvents and inter-app exchanges

• Admin tools that subprocess out

• May fail or not run if not approved
Privacy Preferences Policy Control

View Slide

MDM is not an idempotent service

View Slide

• Best Eﬀort

• External service

• Lack of insight/logging

• “UDP of Management”
MDM is not an idempotent service.

View Slide

• APNS, DEP, ABM/ASM, VPP, Activation

• Process has been detailed extensively

• Notiﬁcation delivery isn’t guaranteed

• Not idempotent
Best Effort service

View Slide

• APNS network owned by Apple

• DEP/VPP requires 3rd party support

• Secure Boot = DEP only deployments*

• DEP not available everywhere, yet
External Service

View Slide

• Lack of communication around changes

• Little documentation around changes

• Short testing windows for all parties

• Immature implementations
External Service

View Slide

• Lack of admin tools for DEP, MDM

• Little documentation around tools
Insight and Logging

View Slide

$ man mdmclient

View Slide

• Lack of admin tools for DEP, MDM

• Little documentation around tools

• Logging and troubleshooting not trivial

• MDM vendors and 3rd party ﬁll in gaps

Insight and Logging

View Slide

Screenshot or photo dimensions

1080 px
525 px

View Slide

• Some settings can be overridden

• Some Profiles only work at install time

• Can’t pre-deploy some profiles

• Not actively validating state
Configuration Profiles

View Slide

• Configuration profiles dynamically generated

• Installed via `profiles` command

• Not User-Approved

• No whitelisting
State Management Systems lack MDM

View Slide

• Not mutually exclusive

• Smart Groups and EAs

• Adds additional complexity

• Requires additional engineering
Toward a Stateful Jamf Pro

View Slide

• Make clients do the work

• Vary frequency

• Passive over Active EAs

• Simplify Smart Group Criteria
Server-side processing

View Slide

• Search for something existing

• Modify if necessary

• Write your own if possible
Tooling

View Slide

• LaunchDaemon that calls app/script

• Desired State hosted

• Script reads state and veriﬁes locally

• Sets local EA values and does recon
Experiment #1

View Slide

• EA values read during recon

• Smart group calculations made

• Policies run at next check-in or trigger

• Frequency to be determined
Experiment #1

View Slide

• Pro: Scales

• Con: Reinventing the wheel
Experiment #1

View Slide

• Same as #1 except locally hosted state ﬁle

• Pro: Less setup

• Con: doesn’t scale as well
Experiment #2

View Slide

• Conditional Access integration helps

• Integrate an existing solution

• File FRs

• Vote for similar FRs
Toward a Stateful Jamf Pro

View Slide

Website | Facebook | Twitter | #philly on MacAdmins Slack
Greater Philadelphia Mac Admins

View Slide


View Slide

Check out Philly’s own John Mahlman
• Thursday, Oct. 25 at 9:00 AM - 9:45 AM

• Nicollet Grand Ballroom
Leveraging DEPNotify and Jamf Pro for Device
Deployment

View Slide

Thanks to the following people
The Donna

MacAdmins Twitter and Slack

Jamf folks

Comcast folks

Et al

View Slide

State Management In The Era Of MDM

State Management In The Era Of MDM

Jamf

More Decks by Jamf

Other Decks in Technology

Featured

Transcript