Under the Hood: Device Enrollment

Transcript

1. None

2. © JAMF Software, LLC Marcus Ransom Senior Apple Systems Engineer

   CompNow - Melbourne, Australia >_ Melbourne Apple Admins

3. © JAMF Software, LLC 67 JAMF Related Events 35 Certified

   Engineers 95% Retention Rate Working Together Since 2011 849 Customers 259K Seats &

4. © JAMF Software, LLC The Artist formerly known as DEP?

5. © JAMF Software, LLC

6. © JAMF Software, LLC Device Enrollment: under the hood Presentation

   agenda: • What is Device Enrollment? • What’s going on? • Testing and troubleshooting

7. © JAMF Software, LLC What is Device Enrollment? “Device Enrollment

   lets you automate Mobile Device Management (MDM) enrollment and simplify initial device setup. You can supervise devices during activation without touching them, and lock MDM enrollment for ongoing management.”

8. © JAMF Software, LLC Device Enrollment over the years •

   Launched as Device Enrollment Program (DEP) • Devices purchased from Apple • deploy.apple.com • USA only February 2014

9. © JAMF Software, LLC Device Enrollment over the years •

   Approved resellers • 26 countries November 2014 January 2016 • Apple School Manager

10. © JAMF Software, LLC Device Enrollment over the years 2017

    • iOS 11 provisional enrollment 2018 • Apple Business Manager • Now 62 Countries

11. © JAMF Software, LLC Device Enrollment over the years •

    Organisation registered with Apple • From an approved vendor* • iOS7 or Mac OS X 10.9 • tvOS 10.2 (4th gen Apple TV only) • Purchased after March 2011* Requirements

12. © JAMF Software, LLC Device Enrollment documentation $ man deviceEnrollment

    No manual entry for deviceEnrollment

13. © JAMF Software, LLC Apple Deployment Programs
 Device Enrollment Program

    Guide Overview The Device Enrollment Program (DEP) helps businesses easily deploy and configure Apple devices. DEP provides a fast, streamlined way to deploy organization-owned iPad and iPhone devices, Mac computers, and Apple TV purchased directly from Apple or participating Apple Authorized Resellers or carriers. This guide will give you an overview of program features, explain how to enroll, and help you get started. Program Features DEP simplifies initial setup by automating mobile device management (MDM) enrollment and supervision of devices during setup, which enables you to configure your organization’s devices without touching them. To further simplify the process, you can skip certain Setup Assistant screens so users can start using their devices right out of the box. Mandatory and lockable MDM enrollment All iOS, macOS, and tvOS devices added to DEP will be enrolled automatically in MDM. Automatic enrollment ensures that devices are configured based on your organization’s requirements, and guarantees that all users receive those configurations on their devices. Your users’ devices are also locked in MDM for ongoing management. Wireless supervision Supervision provides a higher level of device management for organization-owned iOS devices. It 
 allows additional restrictions, such as turning off iMessage, AirDrop, or Game Center, and it provides additional device configurations and features, such as web content filtering and Single App Mode. With DEP, supervision is wirelessly enabled on a device as part of the setup process. Zero-touch configuration for IT With DEP, large-scale deployments of iPad, iPhone, Mac, and Apple TV are seamless. Once devices have been activated, you can immediately configure account settings, apps, and access to IT services over 
 the air. You don’t need to use staging services or physically access each device to complete the setup. Streamlined Setup Assistant DEP also makes it easier for your users to set up their iOS devices, Mac computers, and Apple TV. Using an MDM solution to configure your organization’s devices, users are guided through the activation process with the built-in Setup Assistant. You can streamline the Setup Assistant even further by specifying that certain screens be skipped. Apple Deployment Programs | Device Enrollment Program Guide | December 2017 1

14. © JAMF Software, LLC

15. © JAMF Software, LLC

16. © JAMF Software, LLC

17. © JAMF Software, LLC

18. © JAMF Software, LLC

19. © JAMF Software, LLC

20. © JAMF Software, LLC Why is this so important now?

    User-Approved MDM - UAMDM

21. © JAMF Software, LLC

22. © JAMF Software, LLC Let’s go down the rabbit hole!

23. © JAMF Software, LLC What’s going on? • Vendor API

    • Cloud API • Private API Three basic pieces

24. © JAMF Software, LLC

25. © JAMF Software, LLC Vendor API 33645004YAM 33645004YAM { "requestContext":

    { "shipTo": "0000052010", "timeZone": "420", "langCode": "en" }, "transactionId": "TXN_001122", "depResellerId": "16FCE4A0", "orders": [ { "orderNumber": "ORDER_900123", "orderDate": "2014-08-28T10:10:10Z", "orderType": "OR", "customerId": “12345678", "poNumber": "PO_12345", "deliveries": [ { "deliveryNumber": "D1.2", "shipDate": "2014-10-10T05:10:00Z", "devices": [ { "deviceId": "33645004YAM", "assetTag": "A123456" } 33645004YAM { "requestContext": { "shipTo": "0000052010", "timeZone": "420", "langCode": "en" }, "transactionId": "TXN_001122", "depResellerId": "16FCE4A0", "orders": [ { "orderNumber": "ORDER_900123", "orderDate": "2014-08-28T10:10:10Z", "orderType": "OR", "customerId": “12345678", "poNumber": "PO_12345", "deliveries": [ { "deliveryNumber": "D1.2", "shipDate": "2014-10-10T05:10:00Z", "devices": [ { "deviceId": " "assetTag": "A123456" }

26. © JAMF Software, LLC

27. © JAMF Software, LLC Cloud API Jamf Pro school.apple.com business.apple.com

28. © JAMF Software, LLC

29. © JAMF Software, LLC Cloud API • Sync device records

    from Apple • Post “DEP profiles” to Apple RESTful API

30. © JAMF Software, LLC Device sync {
 ”serial_number” : ”33645004YAM”,


    ”model” : ”IPAD”,
 ”color” : ”black”,
 ”description” : ”IPAD WI-FI 16GB”,
 ”asset_tag” : ”304214”,
 ”profile_status” : ”empty”,
 ”op_type” : ”added”,
 ”op_date” : ”2013-05-09T14:30:00Z”, ”device_assigned_by” : ”[email protected]”, ”device_assigned_date” : ”2013-05-09T14:30:00Z”, ”os” : ”iOS”,
 ”device_family” : ”iPad” },

31. © JAMF Software, LLC Cloud API Jamf Pro mdmenrollment.apple.com 33645004YAM

    33645004YAM 33645004YAM 33645004YAM

32. © JAMF Software, LLC

33. © JAMF Software, LLC Cloud API • POSTs information from

    Prestage DEP profile (prestage)

34. © JAMF Software, LLC

35. © JAMF Software, LLC Cloud API Jamf Pro mdmenrollment.apple.com 33645004YAM

    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/D$ <plist version="1.0"> <dict> <key>CloudConfigProfile</key> <dict> <key>AllowPairing</key> <false/> <key>AnchorCertificates</key> <array/> <key>AwaitDeviceConfigured</key> <true/> <key>ConfigurationURL</key> <string>https://jamfinstance.jamfcloud.com/cloudenroll</stri$ <key>IsMDMUnremovable</key> <false/> <key>IsMandatory</key> <true/> <key>IsSupervised</key> <true/> <key>OrganizationAddress</key> <string>352 Ferntree Gully Road , Notting Hill, VI, 3166 (AUS$ <key>OrganizationAddressLine1</key> <string>352 Ferntree Gully Road</string> <key>OrganizationAddressLine2</key> <string>NULL</string> <key>OrganizationCity</key> <string>Notting Hill</string> <key>OrganizationCountry</key> <string>AUS</string> <key>OrganizationDepartment</key> <string>IT</string> <key>OrganizationEmail</key> <string>[email protected]</string> <key>OrganizationMagic</key> <string>0BA88B6ExxDE4D44x998990Ax9748Ex8</string> <key>OrganizationName</key> <string>Computers Now Pty Ltd</string> <key>OrganizationPhone</key> <string>+613 9684 3600</string> <key>OrganizationSupportPhone</key> <string>+613 9684 3600</string> <key>OrganizationZipCode</key> <string>3168</string> <key>SkipSetup</key> <array> <string>Siri</string> <string>Privacy</string> <string>Restore</string> <string>iCloudStorage</string> <string>TOS</string> <string>Biometric</string> <string>Payment</string> <string>Registration</string> <string>iCloudDiagnostics</string> <string>AppleID</string> <string>Diagnostics</string> </array> </dict> </dict> </plist>

36. © JAMF Software, LLC Private API • Devices to Apple

    • On activation (iOS) • First network contact (macOS) RESTful API

37. © JAMF Software, LLC Language Chooser Setup Assistant boot User

    = _mbsetupuser User = root MacBuddy

38. © JAMF Software, LLC cloudconfigurationd User = _mbsetupuser https://iprofiles.apple.com/resource/certificate.cer https://iprofiles.apple.com/session

    33645004YAM { “action”: “RequestProfileConfiguration”, “sn”: “33645004YAM” }

39. © JAMF Software, LLC cloudconfigurationd User = _mbsetupuser https://iprofiles.apple.com/macProfile 33645004YAM

40. © JAMF Software, LLC http://init-p01st.push.apple.com/bag Apple Push Notification JNUC 2017:

    A Push Odyssey - Bradley Chapman

41. © JAMF Software, LLC User = _mbsetupuser https://name.jamfcloud.com/cloudenroll Mdmclient User

    = $username InstallApplication (Jamf Binary) enrollmentcomplete Jamf Pro

42. © JAMF Software, LLC

43. © JAMF Software, LLC Testing and Troubleshooting

44. © JAMF Software, LLC

45. © JAMF Software, LLC

46. © JAMF Software, LLC Testing and Troubleshooting No network connection

47. © JAMF Software, LLC Testing and Troubleshooting

48. © JAMF Software, LLC Troubleshooting Command Line at the setup

    assistant

49. © JAMF Software, LLC

50. © JAMF Software, LLC Troubleshooting At Language screen - root

    At Setup Assistant - _mbsetupuser touch /Volumes/Macintosh\ HD/var/db/.RunLanguageChooserToo - run from recovery, prompts for language at next boot

51. © JAMF Software, LLC Trigger files drwxr-xr-x@ 6 root wheel

    192 13 Jul 09:29 . drwxr-xr-x 7 root wheel 224 6 Jul 15:59 .. -rw-r--r-- 1 root wheel 0 5 Oct 13:38 .cloudConfigHasActivationRecord -rw-r--r-- 1 root wheel 1387 5 Oct 13:38 .cloudConfigRecordFound -rw-r--r-- 1 root wheel 0 5 Oct 13:38 .migrated /var/db/ConfigurationProfiles/Settings

52. © JAMF Software, LLC Trigger files

53. © JAMF Software, LLC Testing and Troubleshooting

54. © JAMF Software, LLC

55. © JAMF Software, LLC Testing and Troubleshooting Clock skew date

    <mmddhhmmyy> date 1023161418

56. © JAMF Software, LLC Trigger files drwxr-xr-x@ 6 root wheel

    192 13 Jun 09:29 . drwxr-xr-x 7 root wheel 224 13 Jun 09:29 .. -rw-r--r-- 1 root wheel 0 17 Jun 13:38 .cloudConfigNoActivationRecord -rw-r--r-- 1 root wheel 0 17 Jun 13:38 .cloudConfigRecordNotFound -rw-r--r-- 1 root wheel 0 13 Jun 09:29 .migrated

57. © JAMF Software, LLC Network

58. © JAMF Software, LLC Network

59. © JAMF Software, LLC Network

60. © JAMF Software, LLC Network

61. © JAMF Software, LLC Network • Authenticated or manual proxies

    • SSL inspection • Firewall rules • Latency/flooding Potential roadblocks

62. © JAMF Software, LLC Network

63. © JAMF Software, LLC Virtualisation Serial + AutoDMG + vfuse

    + VMware Fusion Pro

64. © JAMF Software, LLC Virtualisation

65. © JAMF Software, LLC Virtualisation

66. © JAMF Software, LLC Remediation sudo /usr/libexec/mdmclient dep nag* sudo

    /usr/bin/profiles show -type enrollment sudo /usr/bin/profiles status -type enrollment sudo /usr/bin/profiles renew -type enrollment *pre 10.13.4

67. © JAMF Software, LLC Remediation 1. Re-scope prestage enrollment 2.

    Open a root shell (ctl-opt-cmd-t) 3. sudo profiles renew -type enrollment 4. Reboot again

68. © JAMF Software, LLC Remediation Your mileage may vary The

    most reliable solution is to nuke and pave

69. © JAMF Software, LLC

70. © JAMF Software, LLC Conclusion • Clear network access •

    Test your workflow • Understand the limitations The secrets to a smooth Device Enrollment

71. © JAMF Software, LLC Here’s to the crazy ones •

    Victor Vrantchan • Pepijn Bruienne • Jesse Peterson • Jesse Endahl • Max Belanger • Owen Pragel • Bradley Chapman • Richard Purves Thanks to the following folks • Joe Chilcote • Emily Kausalik-Whittle • Chris Collins • Mosen • Graham Pugh • Ross Derewianko • Per Olofsson • Charles Edge

72. © JAMF Software, LLC Conference presentations • Demystifying MDM Jesse

    Peterson Victor Vrantchan, PSU Macadmins 2017 • 2017: A Push Odyssey Bradley Chapman, JNUC 2017 • A Deep Dive into macOS MDM (and how it can be compromised) Jesse Endahl, Max Belanger, Black Hat 2018 • MDM Me Maybe James Barclay, Ekoparty 2018

73. © JAMF Software, LLC References Use Device Enrollment https://support.apple.com/HT204142 TCP

    and UDP ports used by Apple Software https://support.apple.com/HT202944 Get Started using Apple Business Manager with Mobile Device Management https://support.apple.com/HT207516 If you aren’t getting Apple push notifications https://support.apple.com/HT203609 If you service or replace a device in Apple School Manager or Apple Business Manager https://support.apple.com/en-us/HT203016 Find Apple Customer Numbers, DEP Reseller ID and DEP Reseller ID https://support.apple.com/HT204401

74. © JAMF Software, LLC Apple System Status Page https://www.apple.com/au/support/systemstatus/ Device

    Enrollment Program Guide https://www.apple.com/business/site/docs/DEP_Guide.pdf https://www.apple.com/au/education/docs/DEP_Guide.pdf Apple Deployment Programs Help https://help.apple.com/deployment/business/ https://help.apple.com/deployment/education/ Deployment Reference https://help.apple.com/deployment/macos/ https://help.apple.com/deployment/ios/ MDM Protocol Reference https://developer.apple.com/enterprise/documentation/MDM-Protocol-Reference.pdf AppleCare Connect DEP API guide https://applecareconnect.apple.com/api-docs/depuat/html/WSStart.html References

75. © JAMF Software, LLC MicroMDM wiki - Troubleshooting MDM and

    DEP https://github.com/micromdm/micromdm/wiki/Troubleshooting-MDM Using Terminal at the setup assistant https://chris-collins.io/2018/03/15/Using-Terminal-At-macOS-Setup-Assistant/ Showing the language chooser screen after reinstalling macOS https://grahamrpugh.com/2017/11/22/language-chooser.html AutoDMG https://github.com/MagerValp/AutoDMG vfuse https://github.com/chilcote/vfuse Creating VMs that work with Device Enrollment https://www.rderewianko.com/how-to-create-a-vm-thatll-work-with-dep-on-vmware-fusion/ References

76. © JAMF Software, LLC Duo Security - MDM Me Maybe

    https://duo.com/labs/research/mdm-me-maybe https://www.youtube.com/watch?v=lz6ikbC3Rdg Demystifying MDM: open source endeavors to manage Macs - Jesse Peterson and Victor Vrantchan https://www.youtube.com/watch?v=6DBGIDcBKFw Getting MicroMDM working and working with MicroMDM – Jesse Peterson https://www.youtube.com/watch?v=WGKT-PyHz6I A Deep Dive into macOS MDM (and how it can be compromised) https://i.blackhat.com/us-18/Thu-August-9/us-18-Endahl-A-Deep-Dive-Into-macOS-MDM- And-How-It-Can-Be-Compromised-wp.pdf A Push Odyssey: Journey to the Center of APNS | JNUC 2017 https://www.youtube.com/watch?v=Z-Lg9uBbmfk References

77. © JAMF Software, LLC References • goo.gl/YgB9XB • ransomware.ransom.net.au

78. © JAMF Software, LLC Questions?

79. © JAMF Software, LL THANK YOU!