EDR Testing and Evaluation is a PITA

Over the last three years, I have worked with my teams, stakeholders, end-users, and antivirus (A/V) and endpoint detection and response (EDR) account reps to help secure my company's assets. One common thread during this journey is that vendor marketing teams are rarely explicit about the exact SKUs they offer. The only way to find out what a company actually offers is to contact sales and have a conversation. It is best to look at each platform's features, write down the features you think you would like, and ask how their pricing bundles work. This will allow you to determine whether their "Enterprise" SKU includes all the features you need versus the ones they are trying to sell you.

The guide below is material I created and have utilized over the last few years when evaluating EDRs. While it is not an all-encompassing list of items, the items are a great building block to launch your version of an EDR POC. With that said, check out the resources below.

Questions to ask an EDR vendor before you POC their product.

  • How does your EDR detect and respond to threats?
  • Can you provide examples of threats your EDR has detected and responded to?
  • Does the EDR integrate with other security tools, such as firewalls and intrusion detection systems?
  • How easy is it to use and manage the EDR?
  • How scalable is the EDR? Can it accommodate a large number of endpoints?
  • What kind of technical support and updates do you offer?
  • How does your EDR help with compliance and regulatory requirements?
  • How does your EDR handle false positives?
  • Can you provide a demo or trial of the software?
  • What are the pricing options, and what is included in the package?
  • How does your EDR handle data privacy and security?
  • How does the EDR handle remote workers and mobile devices?
  • Does the EDR provide threat intelligence and analytics?
  • Does the EDR have an incident response plan and incident management?
  • Is SSO based on service tier?
  • Is console access IP based?
  • What IAM roles are available on your platform?

While these may seem like many questions, it's essential to find out this information to determine the maturity of each company and the platform.

Below is a Comparison Chart I developed in Notion, but it can easily be a Confluence page, Google Sheets, or Excel Worksheet.

Here is an EDR & XDR Comparison Chart.

My advice to all of you is to choose 2 - 3 platforms for POC. You can evaluate and resource as many as you would like, but only select one of the tools you think will be good for your environment and company. Preparation is critical, and before you gain access to your POC environments, please set up your testing environment for each POC.

  • Set up 3-5 of each Operating System for each tool you are testing. Prep the physical machines, virtual machines, or remote desktops before getting access to tenants.
  • Identify Beta users who will enroll their devices into the POC platforms.

If you use Beta users, there are two routes you can take: fully automate the installation experience or have users manually install the agent. There are pros and cons to both; however, you should utilize whatever will enroll users into your program with the least amount of friction. Some environments are more technical than others, so choose wisely.

Key things to complete before Kicking off your POC.

  • Set a timeline for the start and stopping of the POC
  • Prep Machines for POCs
  • Prep documentation for user enrollment & unenrollment
  • Prep documentation for why the company is evaluating an EDR tool.
  • Prep what information will be collected during the POC
  • Identify Beta Users
    • Identify outspoken users 1 - 2 minimum
    • Identify proponents of IT / 1 - 2 people minimum
    • Identify Engineers/Technical individuals
    • Identify a Senior Member of the executive team

Here is a sample EDR testing plan you could utilize as a framework. Please note that this should only be a framework, and you need to modify it to meet your organizational needs based on the SKUs you are acquiring. For example, if you pick up a Vulnerability Management plugin from your EDR vendor, you will need to add testing to verify the module's functionality. EDR & XDR Testing Plan.

EDR (Endpoint Detection and Response) and XDR (Extended Detection and Response) Test Plan

Introduction: This test plan outlines the testing process for evaluating the effectiveness of an EDR and XDR solution. The goal of this testing is to ensure that the EDR and XDR solution can detect, respond to, and prevent security threats on endpoint devices and networks.

Scope: The scope of this test plan includes the following:

  • Evaluating the EDR and XDR solution's ability to detect, respond to, and prevent security threats on endpoint devices and across the network.
  • Evaluating the EDR and XDR solution's ability to integrate with other security solutions, such as firewalls, intrusion detection and prevention, and antivirus.
  • Evaluating the EDR and XDR solution's ability to provide detailed forensic information on security threats and incidents.
  • Evaluating the EDR and XDR solution's ease of use and management.

Pre-Test Preparation:

  • Configure the EDR and XDR solution according to the vendor's instructions.
    • Set up test endpoints, including Windows and macOS systems and mobile devices. Install the EDR and XDR agent on the test endpoints.
    • Set up EDR and XDR solution test cases to detect and respond to.
    • Create a test environment that simulates a production environment.

Testing Procedures:

Threat Detection and Response Testing:

  • Inject test cases of known security threats, such as malware, into the test environment.
  • Observe the EDR and XDR solution's ability to detect and respond to threats.
  • Evaluate the EDR and XDR solution's ability to prevent the threats from executing.
  • Evaluate the EDR and XDR solution's ability to provide detailed forensic information on the threats and incidents.

Integration Testing:

  • Test the EDR and XDR solution's ability to integrate with other security solutions, such as firewalls, intrusion detection and prevention, and antivirus.
  • Test the EDR and XDR solution's ability to share threat intelligence with other security solutions.
  • Evaluate the EDR and XDR solution's ability to automate incident response actions across multiple security solutions.

Ease of Use and Management Testing:

Test the EDR and XDR solution's ease of use and management, including the ability to:

  • Configure and deploy the EDR and XDR agent on endpoint devices.
  • Manage and monitor the EDR and XDR solution from a central console.
  • Generate reports and alerts on security threats and incidents.

Acceptance Criteria:

  • The EDR and XDR solution should detect and respond to at least 90% of the test cases of known security threats.
  • The EDR and XDR solution should integrate with other security solutions and share threat intelligence with at least 80% accuracy.
  • The EDR and XDR solution should be easy to use and manage, with a user-friendly interface and minimal training required.

Documentation:

  • Test results, including screenshots, logs, and reports, should be documented and shared with the vendor for review and feedback.
  • Any issues or bugs discovered during testing should be reported to the vendor and tracked until resolved.
  • A final report should summarize the test results and include improvement recommendations.

Post-Test Clean-up:

  • Remove the EDR and XDR solution from the test environment. Remove the EDR and XDR agents from the test endpoints.
  • Delete any test cases.

If you need to test an EDR's detection capability, use the eicar.org anti-malware test file. This file can be downloaded onto devices, resulting in a positive hit in an EDR system. If it fails to hit, ask the EDR vendor whether they have any commands that will produce a positive result so you can simulate a positive/negative event.
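The following is an added example, not code from the post or from any EDR vendor, showing one way to record the result of the eicar.org drop test and apply the 90% detection threshold from the acceptance criteria above. It assumes you have already downloaded the eicar.org test file to a local path (its contents are not embedded here) and that the product under test deletes or quarantines files it flags; a product that only alerts must still be checked in its console.

```python
"""Drop an already-downloaded eicar.org test file and record the EDR's response.

Added example for the EDR POC test plan. Assumptions: the test file is
fetched beforehand and passed in by path; a responding EDR removes or
rewrites the dropped copy. Nothing here downloads or embeds the file.
"""
import hashlib
import shutil
import tempfile
import time
from pathlib import Path

ACCEPTANCE_DETECTION_RATE = 0.90  # from the test plan's acceptance criteria


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def classify(dest, expected_sha256):
    """Return 'removed', 'modified', or None if the copy is still intact."""
    try:
        current = sha256_of(dest)
    except FileNotFoundError:
        # Deleted or quarantined between two polls: count that as a response.
        return "removed"
    return None if current == expected_sha256 else "modified"


def drop_and_watch(test_file, drop_dir, timeout_s=30.0, poll_s=1.0):
    """Copy test_file into drop_dir and watch for an EDR response.

    Outcomes: 'removed' (deleted or quarantined), 'modified' (contents
    changed in place), 'untouched' (no response within timeout_s).
    """
    src = Path(test_file)
    dest = Path(drop_dir) / src.name
    dest.parent.mkdir(parents=True, exist_ok=True)
    expected = sha256_of(src)
    shutil.copyfile(src, dest)
    started = time.monotonic()
    while time.monotonic() - started < timeout_s:
        outcome = classify(dest, expected)
        if outcome is not None:
            return {"outcome": outcome, "path": str(dest), "sha256": expected,
                    "seconds": round(time.monotonic() - started, 2)}
        time.sleep(poll_s)
    return {"outcome": "untouched", "path": str(dest), "sha256": expected,
            "seconds": round(timeout_s, 2)}


def score_results(cases):
    """Apply the 90% criterion to a list of {name, detected, responded} dicts.

    A case only counts as a pass when the EDR both detected and responded.
    """
    total = len(cases)
    passed = sum(1 for c in cases if c["detected"] and c["responded"])
    rate = passed / total if total else 0.0
    return {"total": total, "passed": passed, "rate": rate,
            "meets_criteria": rate >= ACCEPTANCE_DETECTION_RATE}


def make_work_dir():
    """Fresh temporary directory for a dry run."""
    return tempfile.mkdtemp()


def make_placeholder_file(directory, name="placeholder.txt"):
    """Harmless stand-in for dry runs; use the real eicar.org file in the POC."""
    path = Path(directory) / name
    path.write_text("placeholder - not the EICAR test file\n")
    return str(path)


if __name__ == "__main__":
    # Dry run with a harmless file: expect 'untouched' because nothing scans it.
    work = make_work_dir()
    sample = make_placeholder_file(work)
    print(drop_and_watch(sample, work + "/drop", timeout_s=2, poll_s=0.5))
```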

Notion Database Tools

The links below will allow you to duplicate the database into your own instance of Notion, and they allow comments. I will follow up on the comments as well.

This post will provide the kicking-off point for getting your EDR testing and evaluation off the ground.

Please contact me if anyone has any comments or wants to add to the samples provided.

If you don’t have an IAM (Identity and Access Management) system, get one!

IAM (Identity and Access Management) is important because it helps organizations control who has access to their resources, and what actions those users can perform. This is essential for maintaining the security and integrity of sensitive data, and for complying with regulatory requirements. IAM also makes it easier for organizations to manage user access across multiple systems and services, and to quickly revoke access when necessary. Additionally, IAM enables organizations to implement a "least privilege" model, where users only have the permissions they need to do their jobs, which can help prevent accidental or malicious breaches.

Be wary when traveling

🛩 🚎 🚆

During this holiday season, people will travel by bus, boat, car, or plane to visit friends and family. While this is the time to turn off work and recharge your batteries, not everyone is afforded that luxury. If you are not afforded that luxury, or feel so inclined that you need to use a work or personal device in such a public space, please use your devices with caution.

Public spaces are precisely that: public. Many people hop on public Wi-Fi at the:

  • Airport
  • Bus
  • Train
  • Coffee Shop

First I will address working in these spaces. If possible, just don’t do it. The risks associated with connecting to the wrong network, or someone shoulder surfing your screen, laptop, or tablet, are high. With a simple glance a stranger could see a confidential email, spreadsheet, or presentation. While most people are just curious and harmless, traveling themselves to see family and friends, you don’t know the people involved, so why risk leaking data accidentally? If you must work, there are mitigations to help keep your company and personal data safe.

  • VPN
  • Privacy Screen
  • Adjust Screen Brightness
  • Limit work/browsing session

A Virtual Private Network (VPN) is a critical piece of software to ask your IT department to implement, or to request access to, if you travel. At a high level, a VPN encrypts data leaving and arriving at your machine. This is important because it makes it harder for a malicious individual to view information going to or coming from your device.

A privacy screen will help stop shoulder surfers from viewing your screen. Privacy screens make your screen hard to see from certain angles. A privacy screen will not protect every viewing angle, but it will protect most. Computers today are smart enough to adjust the brightness of your display to match the ambient light in the room. While this is great when you are at home or in the office, in public manually dimming your screen will reduce a person’s ability to eavesdrop on it.

Keeping your brightness at 50% or less will help protect you. Lastly, limit the type of things you work on in public. Can the presentation about financials or HR-related topics wait until you are at your destination? Think of the fallout of having someone report seeing that information to your company or, worse, the media.

Non-sensitive email and general research or searching are some of the things that are safe to do in public places, meaning browsing cnn.com without logging into your account, or ESPN.com for sports news without logging into your account. Never log into any service while on public Wi-Fi. Managing payroll, updating GitHub repos, and checking bank statements are particular items to skip while traveling or on untrusted networks. Finally, a safe browsing tip is to ensure all websites you visit use HTTPS. While HTTPS does not guarantee a website is safe, it is better than visiting any site over plain HTTP. HTTPS Everywhere, by the EFF, is a great tool to help with this.

There are a multitude of other things you could do to keep yourself safe, but the items I have listed are just a start. Don’t have someone looking at your sales pitch, potential client list or talking points, or gaining access to any financial information during this holiday season.

The small amount of information I have provided is helpful to a point. Choosing a VPN service or privacy screen can be troublesome. I will say I am a fan of 3M privacy screens with tabs. Tabs allow you to remove the privacy screen at your leisure, say when sharing a screen during a meeting or once you get to your final destination. A VPN service is a bit more challenging. There are a multitude of things to be concerned about with a VPN: where the servers are located, whether they are really encrypting your data, how many devices you can use, connection speed, plus a plethora of other topics. I do not have a suggestion, but I will say it never hurts to do a bit of light reading:

Articles for reading:

Safe travels Cheers✌🏽

Win the day: Evolve

My involvement with the Mac community is about to hit double digits. One of the reasons I love the community is that it truly feels like a community. Individuals get together to support one another, knowing that the IT department at a given company may be a single individual or a small collection of people. No matter the size of the team or the skill set of the person, the community is always willing to offer the best solution the team can manage here and now, while still leaving room for people to grow. The same community is also there as a sounding board when it feels like everything is going wrong. Lastly, when it is time for a change, the community is there to help support that change. While I have been primarily involved with the community via Macbrained and speaking at Mac conferences, I have noticed over the last few years a difference when chatting with the community. Endpoint management tools and ideologies around how to manage the Apple ecosystem are abundant.

A trend in Mac administration has been that if your organization had enough resources, Jamf Pro was the tool, but depending on your needs it could require custom code to effectively manage your fleet. If a company required IT to be scrappy (my favorite IT term from management), Jamf Pro usually wasn’t an option, so Munki was the tool of choice. Lastly, companies that had a team of endpoint engineers usually deployed tools like Puppet or Chef. All of the previously listed tools are great options depending on the makeup and composition of your team and company. While the Mac management tools may not be as old as Active Directory, the tools at our disposal are more than capable of managing our fleets. Depending on the size of an administrator’s company, a Mac administrator may also have to manage Windows. The choice is usually not to manage Windows, or to barely support it, due to a lack of experience or a claim that Windows isn’t better. This is always a matter of opinion, but one that I would like to address.

Administrators of macOS usually do not work on Windows or Windows administration. I say usually, as some do not care, and for those admins this is not for you, I think. A comment I’ve heard before is “Windows administrators just don’t get it. Mac is different.” While this rings true on the surface, if you dig deeper into that statement, I know it does not ring true. At their core, Windows and Mac environments are endpoints. Both operating systems have management tools which perform modifications to ensure a device is compliant with a company’s requirements. Both platforms have advantages depending on an individual’s role and responsibility. We all know that finance loves Windows. But many Mac administrators either refuse, or are not comfortable or willing enough, to take the leap into Windows management. They are not interested in Windows management because they do not know the environment, or are unsure of the who, what, where, and why of Windows management. Well, I am here to say that Mac endpoint engineers need to come out of the dark and learn how to manage Windows on a minimal level.

Part of evolving and becoming a better administrator is taking on new and challenging tasks or projects. Learning Windows administration will frustrate, challenge, and enlighten you, and prove some similarities in managing both operating systems. Managing Windows is very challenging, as the number of ways to apply a setting is vast. The amount of Windows logging alone is overwhelming. Even though Windows management does require a different skill set, managing the endpoint keeps the same philosophy as Mac management. Over my next few posts, I will begin to show how managing Windows is eerily similar to managing Macs. I hope to provide guidance to Mac administrators who have to manage Windows, or Mac admins who want to embrace Windows in their environment. It’s time for the evolution of the Mac admin.

Macad.UK

Hello All,

It's been a while since we last spoke. Since we last spoke, I have changed jobs, added a new member to the family, and graduated with a degree in Securing Information Systems. Needless to say, I have been busy. Next month, I have been granted the privilege of presenting at MacAD.UK 2017 in London. I will be presenting on a topic I have written about previously: the PF firewall on OS X. My blog has a few posts on it for those who would like to become familiar with the material. I am looking forward to spending time with people I don't know, people I know, and exploring another country. Here is the conference and all the great learning that will come.

Here is a link to the website and the schedule. See you soon, London.

PSU Macadmins Conference 2016

PSU MacAdmins is a great conference for MacAdmins from across the world to come together to talk about issues that are happening in the Mac world. This year I have the privilege of speaking at the conference on a topic that I have blogged about previously, Packet Filter (PF). The talk is similar to the one I gave at MacTech 2015, with updated slides and an example of how to use the ELK stack (Elasticsearch, Logstash, Kibana) to build a dashboard of pf.log data. Visualization provides a quick glance at pf data, or can provide enough information to determine how often an IP address is hitting all of your clients. Here is the slide deck.

Links:
How Packet Firewall (PF) Can Protect Your Enterprise(PSUMac 2016)


pf.anchor

I have started to talk a bit more about PF in a broad sense. Over the course of my talks and general discussions, it has been brought to my attention that people would like to see a sample pf.anchor. Well, I have posted a sample pf.anchor on my GitHub.

Please note that when you place the file inside the pf.anchors folder, you will need to do the following items in order for it to be successful:

  1. Create a com.yourcompany file within the pf.anchors folder
  2. Ensure the pf.conf file is set to read all the anchors within pf.anchors
  3. Test

Here are samples of both the pf.conf and pf.anchor files, along with the link to GitHub. Happy Trails

#Default PF configuration file.
#

# This file contains the main ruleset, which gets automatically loaded
# at startup.  PF will not be automatically enabled, however.  Instead,
# each component which utilizes PF is responsible for enabling and disabling
# PF via -E and -X as documented in pfctl(8).  That will ensure that PF
# is disabled only when the last enable reference is released.
#
# Care must be taken to ensure that the main ruleset does not get flushed,
# as the nested anchors rely on the anchor point defined here. In addition
# to the anchors loaded by this file, some system services dynamically
# insert anchors into the main ruleset. These anchors are added only when
# the system service is used and are removed on termination of the service.
#
# See pf.conf(5) for syntax.
#
#
# com.apple anchor point
#
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"

scrub-anchor "com.jason"
nat-anchor "com.jason"
rdr-anchor "com.jason"
dummynet-anchor "com.jason"
anchor "com.jason"
load anchor "com.jason" from "/etc/pf.anchors/com.jason"

This is the beginning of the pf.anchor file, which is read by pf.conf

#Macros
tcp_services = "{ rfb }"
casper_ssh = "{ ssh }"
casper_filerep = "{ 443 }"
casper_comms = "{ 8443 }"
udp_services = "{ rfb }"
icmp_types = "{ echorep, echoreq, timex, unreach }"

#Tables
#list out hosts to allow for whitelisting of "our" services

#table <block_hosts> persist
#table <dont_log_block_host> persist
#table <private> const { 10/8 172.16/12 192.168/16 224/8 }
#table <martians> const { 127/8 10/8 172.16/12 192.168/16 169.254/16 240/4 0/8 192.2.0.2/24 }

#Cyber Security Scanners
#table <whitelist_host> persist { \
#        129.8.64.0/24 \
#        150.342.46.291/27 \
#}

#Your Services
#table <yourhosts> persist { 821.6.14.24 123.4.5.987 198.33.45.11 128.4.98.103 198.7.128.193 100.3.28.14}
#           821.6.14.24      \ #Casper Server
#        123.4.5.987      \ #Bigfix production service
#        198.33.45.11        \ #Test server for Casper infrastructure
#        128.4.98.103       \ #jFuture management server
#        198.7.128.193       \ #Casper Software Repo
#        100.3.28.141       \ #Future management server

#table <bigfix> persist { 123.4.5.987  }

#these are added in if we need to allow SSH via OTP on a client device.
#table <otp> const { 281.4.56.43 }

#ssh.server.corp = 113.56.78.987
#otp.example.corp = 281.4.56.43

#Rules Created by "You"

#disable all filtering on loopback, possible Vmware nets
set skip on {lo,vmnet}

#block all inbound traffic
block in log all

#allow out the tcp and udp traffic
#pass in log proto tcp from <yourhosts> to port $tcp_services
#pass in log proto udp from <yourhosts> to port $udp_services
#pass in log proto udp from <bigfix> to port $bigfix_udp  #define a $bigfix_udp macro above before uncommenting
#pass in log quick proto tcp from <otp> to port $casper_ssh
#pass in log quick proto udp from <otp> to port $casper_ssh
#pass in log proto tcp from <yourhosts> to port $casper_ssh
#pass in log proto udp from <yourhosts> to port $casper_ssh
#pass in log proto tcp from any to port $casper_comms
#pass in log proto tcp from <yourhosts> to port $casper_filerep

#Allow whitelist hosts
#pass in log from <whitelist_host> to any

#Allow Your Service hosts
#pass in log from <yourhosts> to any

#Allow control traffic from LBL router
#pass in proto igmp from router_ip_here allow-opts

#ICMP traffic allowed to be passed in
pass in log inet proto icmp icmp-type $icmp_types
#We specified the address family 'inet' because pf requires it when specifying an icmp type

#Trust all outbound
pass out all keep state

#James has these in his pf.conf files so that these ports are not logged, but we can take them out if necessary
block in proto { tcp, udp } to port { 137:139, 17500 }
block in proto { tcp, udp } to port 631 #ipp - printers
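The `block in log all` rule above writes every blocked inbound packet to pflog, and the PSU MacAdmins post earlier on this page describes charting pf.log data in ELK to see how often an IP address hits your clients. Here is an added example, not from the post or its GitHub sample, that does that aggregation in Python over the text that `tcpdump -n -e -ttt -i pflog0` prints on macOS; the sample lines are constructed and only IPv4 is handled.

```python
"""Summarise pf block-log lines by source host and destination port.

Added example for the pf.anchor post. Assumes the one-line-per-packet text
that `tcpdump -n -e -ttt -i pflog0` prints for rules carrying the `log`
keyword; the sample below is constructed, not a real capture.
"""
import re
from collections import Counter

# timestamp, matched rule, action/direction, interface, then "src.port > dst.port:"
PFLOG_RE = re.compile(
    r"rule (?P<rule>\S+)\(match\): "
    r"(?P<action>block|pass) (?P<direction>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\S+) > (?P<dst>[^:]+):"
)


def split_addr(token):
    """Split 'a.b.c.d.port' into ('a.b.c.d', port); a bare IPv4 (ICMP) gets port None."""
    if token.count(".") == 4:
        host, _, port = token.rpartition(".")
        return host, int(port)
    return token, None


def parse_line(line):
    """Return a dict for one pflog line, or None if it is not a pf match line."""
    m = PFLOG_RE.search(line)
    if not m:
        return None
    src_host, src_port = split_addr(m.group("src"))
    dst_host, dst_port = split_addr(m.group("dst"))
    return {
        "rule": m.group("rule"),
        "action": m.group("action"),
        "direction": m.group("direction"),
        "ifname": m.group("ifname"),
        "src": src_host, "src_port": src_port,
        "dst": dst_host, "dst_port": dst_port,
    }


def summarise_blocked_inbound(lines):
    """Count blocked inbound packets per source host and per destination port."""
    by_source = Counter()
    by_port = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "block" or rec["direction"] != "in":
            continue  # unparsable, passed, or outbound: not what the dashboard wants
        by_source[rec["src"]] += 1
        if rec["dst_port"] is not None:
            by_port[rec["dst_port"]] += 1
    return by_source, by_port


# Constructed sample in the tcpdump pflog text format (documentation IP ranges).
SAMPLE_PFLOG = """\
00:00:00.000000 rule 0/0(match): block in on en0: 198.51.100.7.51234 > 10.0.0.12.22: Flags [S], seq 1, win 65535, length 0
00:00:00.000431 rule 0/0(match): block in on en0: 198.51.100.7.51235 > 10.0.0.12.5900: Flags [S], seq 1, win 65535, length 0
00:00:01.120000 rule 0/0(match): block in on en0: 203.0.113.9.40000 > 10.0.0.12.22: Flags [S], seq 1, win 65535, length 0
00:00:01.500000 rule 2/0(match): block in on en0: 10.0.0.33.137 > 10.0.0.255.137: UDP, length 50
00:00:02.000000 rule 4/0(match): pass in on en0: 198.51.100.7 > 10.0.0.12: ICMP echo request, id 1, seq 1, length 64
00:00:02.200000 rule 3/0(match): pass out on en0: 10.0.0.12.50001 > 203.0.113.9.443: Flags [S], seq 1, win 65535, length 0
"""

if __name__ == "__main__":
    sources, ports = summarise_blocked_inbound(SAMPLE_PFLOG.splitlines())
    for host, n in sources.most_common():
        print(f"{host:>16}  {n} blocked inbound")
    for port, n in ports.most_common():
        print(f"  port {port}: {n}")
```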

JNUC 2015 - Day 3

Thursday was the last day of JNUC 2015. There were quite a few talks lined up, along with a couple of panels. The talks that grabbed my attention were:

  • Integrating & Automating Your Help Desk Ticketing
  • Security Matters: Making Infosec Your Friend
  • Simplifying Complex Management Infrastructures
  • Security Panel/VPP & DEP Panel

There were a multitude of other talks that grabbed my attention, but alas, I can only be in one place at a time. Integrating & Automating Your Help Desk Ticketing was an interesting talk. The takeaways from this talk were:

  • Develop Automation
  • Automation is proactive when done right
  • Use APIs from Casper and your Ticketing system

I had a few conversations with people about this talk, and some have automated even further. They assign the ticket to a technician with all the appropriate information, so there is no need to decide who will complete each newly created task.

The infosec talk caused many attendees to think differently about how to deal with their infosec team. At times, Mac admins only think in terms of what we need to do to patch or repair a machine. If you talk to or build a relationship with your infosec team, you will learn about their worries and concerns on OS X:

  • Spotlight EULA, which sends results to Microsoft BING
  • Bluetooth Vulnerabilities
  • Setting EFI Password to protect machines
  • Using FileVault
  • Adobe FLASH
  • Web Browsers, keeping them up to date
  • Network Layer Attacks

By having open conversations with your infosec team you can collaborate, reduce frustrations, and provide a more secure environment for your users and employer.

Simplifying Complex Management Infrastructure provided great examples of how you can take your environment, no matter the size, and manage it using the Casper Suite: that is, managing OS X servers and knowing everything about what is installed, software updates, or updating software. OS X admins have servers in many locations, and sometimes basic updates from OS X Server are not enough. The Casper Suite can provide inventory information and can automate server management tasks.

I hopped between both panels, but they provided great information about each topic. People were able to submit questions via JAMF Nation, Twitter, or in person via a JAMFer. The Twitter hashtags are:

  • JNUCSecurity
  • JNUCVPP
  • JNUCDEP

Lastly, the conference ended with a wrap-up session where people talked shop, said their goodbyes, and finished their questions for speakers. It was a great time in Minneapolis for the JNUC. Can't wait for 2016.

JNUC 2015 - Day 2

Today, the JNUC was filled with very entertaining talks. The day started off with a talk from the team at IBM, discussing the integration of 30,000 Macs. It was quite impressive to see a deployment at such scale. During the talk, IBM discussed Workstation-as-a-Service (WaaS), which is an interesting approach to defining your workstation infrastructure. IBM is deploying 1,900 Macs a week, with a support staff of 24, and still growing. 98.7% of their Mac tickets are solved on the first call. The folks working on the Mac deployment at IBM are very passionate about the product and the people they serve. IBM is leveraging DEP for their OS X clients, which gives them the ability to have:

  • Printed Welcome Insert (inside of Macbook Boxes)
  • Self Service (Only location for Mac Applications)
  • Users are ADMINS on their workstations
  • NO Active Directory

Check out the article about their presentation:

Mac@IBM, Zero to 30,000 in 6 months

This was a great presentation about culture and how Macs work at IBM: think user first and build backward.

A highly entertaining and informative talk was Ben Toms' Let's Talk About Certificates. Ben reviewed:

  • PKI
  • SCEP
  • CSR
  • APNS
  • Root and Intermediary CAs

It was quite informative and even had the appearance of a few plumbers. Watch the video when it is released.

Lastly, I went to a talk, Make Your JSS Feel New with the Help of the API. It was a great talk and provided great examples of why you would want to start over with a new JSS, and how to automate migrating the JSS framework in under 30 minutes.

Day two was great and I will share more on day three later.

JNUC 2015 - Day 1

I am writing today from JNUC 2015 in Minneapolis, MN. JNUC stands for Jamf Nation User Conference. It's a 3-day conference centered around everything Casper Suite. JAMF Software's motto is "Helping the enterprise succeed with the Apple platform." This motto greatly aligns with my personal vision for helping an IT organization. Over 1,500 people have come from all over the world to share their experiences with Casper Suite, Casper Focus, and Composer. I am excited to be afforded the opportunity to share, explore, and learn about new ways to utilize the software. Today there were talks on System Integrity Protection, by Rich Trouton; JAMF Software Security and Vulnerability Assessments, by Daniel Mayer; and Novel Solutions with JAMF IT, by Byron Terrell of JAMF Software. The agenda had plenty of other talks, but those were the three that caught my eye and attention. For a complete listing of talks, navigate to the JNUC 2015 Sessions schedule.

One final note: I attended a talk titled "Culture Matters: Casper Suite for People Who Fear Going Corporate." This was an interesting talk because it centered around the idea of managing people who aren't used to being managed. It raises the interesting question of how to get everyone "on board" while IT ensures a safe environment. Four statements stood out from the talk:

  • Things they'll be able to do
  • Things we'll be able to do
  • Things we won't be able to do
  • What will they say at lunch?

These are all valid points to consider when dealing with any users, staff, engineers, etc. When managing or providing services to client devices, ensure you explain the top three items, and think about what people are saying about your service during lunch, because it may not be the right thing.

Lastly, Macbrained threw an awesome, or what I think was awesome, event at Day Block Brewery. Well over 140 people showed up to have beers, food, and great conversation centered around tech and life. As a disclaimer, I do help organize the Macbrained events. Overall it was a great day, and I look forward to all the sessions and conversations on day 2.

OS X Admin Playing with Windows

Oh Windows, thou art so heartless... No, it really isn't, but as a Mac admin who spends most of my time on OS X boxes mixed in with other Unix/Linux OSes, Windows Server can seem strange. Windows Server does have command-line options; however, the expectation is for admins to use the GUI to configure services or roles. For those interested in the command line, take a look at PowerShell. This is Microsoft's recommendation for interacting with Windows Server via the command line, whereas on Unix/Linux systems you configure via the terminal. Using the GUI has been a huge shift for me, not to mention learning some of the nuances of Windows Server 2012. Microsoft has changed and made Server Manager much more powerful than the version in Windows Server 2008.

Lucky for me, during the setup of my group's Windows Server I was simultaneously enrolled in a Windows Server configuration course. The course afforded me an opportunity to gain a better understanding of the new features and settings in Windows Server 2012. During the setup, I did have concerns about the configuration of the server. Standard Windows configurations have admins join a domain, which applies the necessary settings to protect the system. But what do you do if you are not joining it to a domain and letting it be a stand-alone server?

Things that I thought about were:

  • Local Security Policy
  • Remote Desktop Services
  • Windows Firewall

Local Security Policy is loaded with different Windows settings that need to be changed or left alone. The different categories to think about are:

  • Account Policies
  • Local Policies
  • Windows Firewall with Advanced Security
  • Network List Manager Policies
  • Public Key Policies
  • Software Restriction Policies
  • Application Control Policies
  • IP Security Policies on Local Computer
  • Advanced Audit Policy Configuration

I have yet to find a comprehensive list of suggested settings, but Microsoft does have resources on their TechNet site which help administrators with this topic:

These are just a few resources I used to help configure a Windows Server; however, there are many others. If someone has a list of best practices for setting up a Windows Server, it may be worthwhile to create a document for the masses at large. Not all Mac admins touch or deal with Windows Server on a regular basis; however, it would be good to have a guide to help navigate the Windows waters. At times, I still feel lost, but it is a matter of knowing my limitations and finding the correct resources to help solve my problem.

Deploying a EULA with the Casper Suite

Recently I spoke at the JAMF Road Show in San Francisco on the basics of the Casper Suite. During this talk I reviewed OS X and iOS management with the Casper Suite and described the different ways an organization can use the suite to accomplish its goals and give its admins their weekends and time back. I also discussed how we have users sign a EULA and why we had not yet figured out how to deploy the EULA with Casper. Because I am working on deploying a couple hundred iPads within my fleet, I needed to determine a way to deploy a EULA with Casper. After digging around the JSS (JAMF Software Server) I found out how to deploy a custom EULA with the Casper Suite. The web interface does not blatantly tell you how to customize the EULA, but it does hint that it can be done. Below I describe how to locate and modify the enrollment page so that it presents a custom EULA.

First, log in to your JSS and navigate to the settings tab, which is the blue gear in the upper right-hand corner. Once there, click on:

  1. Global Management
    then
  2. User-Initiated Enrollment

Where is the EULA?

The first screen the admin will see is the User-initiated Enrollment. This will provide four options:

  • General
  • Messaging
  • Platforms
  • Access

Each section will aid the end user in enrolling in your management tool. The General section contains the following:

  • Restrict re-enrollment
  • Skip certificate installation during enrollment

In order to create a custom EULA, click on the second tab, labeled Messaging.

Four tabs to rule them all

Once you select the Messaging tab, you will be presented with the Language box that says English. The View button is the key to deploying a customized EULA and enrollment environment.

EULA, enrollment text, and more, oh my!

The first option lets you customize the title of the enrollment page (Page Title for Enrollment), which users reach at your enrollment URL:

https://yourjss.com:8443/enroll

There are ten categories:

  • Login
  • Device Ownership
  • EULA
  • Sites
  • Certificate
  • Institutional MDM Profile
  • Personal MDM Profile
  • QuickAdd Package
  • App for Android
  • Complete

Login lets you customize everything on the login page:

  • Login Page Text
  • Username Text
  • Password Text
  • Login Button Text

Login Page

The next tab is Device Ownership. This page helps the user indicate what type of device they are enrolling, which also determines the level of control you will have as the administrator.

Device Ownership

The next tab is why we are all here today. FINALLY, THE EULA. This section is where you add the customized text from your legal or IT department. The EULA terms can differ depending on whether the device is personally or institutionally owned. If this was the only section you needed, you can skip the rest of the post; however, there are more options you can customize.

Ladies and gentlemen, the main event: the EULA.

The next four tabs allow you to customize:

  • Sites
  • Certificate
  • Institutional MDM Profile
  • Personal MDM Profile

I would not recommend changing this text, as there are a lot of system defaults here that may explain the purpose of the profiles and certificates in better detail.

The QuickAdd Package tab is one you may want to edit if you are granting technicians or users the ability to self-enroll OS X devices. The QuickAdd Package Installation Text has the default text:

Download and install this package

It wouldn't hurt to add a bit more context about the installation package. "Download and install this package" is fine; however, the message could also read:

Download and install this package that will grant access to the VPN, Wifi, and E-mail.

VPN, WiFi, and email tend to be the sticking points for a lot of people, so what better way to draw people in than to tell them they can gain access to all of this by installing one package?

OS X Customization

If you plan on deploying Android devices with the Casper Suite, there is a section that allows you to customize that text as well.

Droids

The last customizable portion of this section is the completion page. You can edit the successful and failed installation messages. Instead of the standard "contact your administrator", you can direct users to call the help desk or open a ticket.

Game over

The last two tabs are:

  • Platforms
  • Access

The Platforms tab allows you to select what kinds of devices can be enrolled with user-initiated enrollment. If you would like to allow enrollment of OS X, iOS, or Android devices, ensure you check the correct boxes.

The Access tab allows certain or all LDAP groups to enroll devices and determines which types of devices they may enroll.

Options for platform enrollment

Deploying a customizable EULA is very easy with the Casper Suite. If your organization requires one before devices can be enrolled (whether they are institutional or personal), then it is an option. I will say that just because this option is available does not mean it is necessary. Make sure you weigh the costs and benefits of changing the verbiage shown when devices are enrolled. Every time a rule is modified the EULA may need to be updated, which means you must be in the loop with legal or IT about policy changes.

Penn State MacAdmins 2015

The Penn State MacAdmins conference was last week. Over 600 Mac admins traveled from all over the world to discuss and share knowledge about OS X. This was my first year at PSU MacAdmins, so I did not know what to expect. With that said, I found this conference to be very informative and collaborative.

On the first day there were five workshops for attendees to choose from:

  • Apple Workshop
  • Fundamentals of Wi-Fi(or, Arguing with Physics)
  • Packaging Workshop
  • All Things Security
  • Introduction to Cocoa Development and Reverse Engineering on OS X

All great workshops, but I chose the Packaging Workshop. This was of particular interest to me because I did not know how an installer should actually look and behave. The workshop did a great job of explaining how packages should look and behave. In addition, there were helpful tips and hands-on packaging experience in the GUI and on the command line. The workshop covered some of the following topics and suggested a few applications:

There were also scripting and stupid-packaging-tricks recommendations. This was by far one of the most helpful sessions for me all conference. I did not have a strong background in this particular topic, but after this workshop I feel more than confident in my ability to examine and build proper application packages for deployment.

There were a plethora of amazing sessions all week long. Check out the schedule at http://psumac2015.sched.org. Some of my favorites were:

  • Integrating AutoPKG and the Casper Suite with the JSSImporter
  • To 12,00 Macs and beyond....
  • Administering Office 2016 for Mac
  • It's Dangerous to Go Alone, Take This!
  • Automated Testing with VMware Fusion
  • The 12 Unix Commands Everyone Should Know
  • OS X Operating System Security at Scale
  • Using AutoPKG for Windows Software
  • Open (and/or Free) vs Closed Source - Steel Cage Death Match
  • Using Google's Open Source Tools to Manage Macs

The list of other sessions I enjoyed is too long to include, and I could not attend them all. But something interesting occurred during this conference: crowdsourcing notes with Google Docs. I have always wondered why more people are not crowdsourcing their note taking. It lets you be in multiple places at once and review the notes at the end of the day. Slack was the primary driver when organizing notes for most of the sessions, and EVERYONE seemed to be on board with the idea. Many times before a session would begin, someone would post a link to the notes in the #PSUMAC Slack channel to allow collaboration.

Slides and videos will be released later on the PSU MacAdmins website and on YouTube, but for those who want to review immediately, this was the perfect medium. Slack brought people who weren't even at the conference into the conversation, adding input on topics or peering into the notes, which generated further interest in all of the talks and topics. Here is a collection of links to the Google Docs notes taken by everyone at PSU MacAdmins 2015:

One particular theme I heard constantly, whether in the packaging workshop, in sessions, or during general conversations at Legends: automation is key. There are plenty of tools that can help you automate very simple and very complex tasks during your day. If you have not heard of AutoPkg, please go and read the GitHub page. It interfaces with many of the tools you use every day and will take the mundane task of patching and deploying applications out of your hands. Automate your VMs with vfuse by Joseph Chilcote, or see Rich Trouton's session on virtualization testing. The theme was that your time is precious as a Mac admin, so save time where you can, which frees your mind to accomplish more challenging tasks.

I do want to say thank you to the Penn State MacAdmins Conference, the Penn Stater, and all the individuals who attended or interacted with the community during the conference. I can't wait for PSU MacAdmins 2016! See you then, and thank you again for the best week of summer camp.

The Google Docs

Mobile technology is growing ever more powerful. We all knew how powerful it was, but the amount of functionality developers are drawing out of their software and hardware is astonishing. The Google suite of apps is ever changing; on the mobile side they are constantly adding features and functionality similar to their suite within the browser. With that said, let me tell you about the time I decided to write a paper on my iPhone 5s while commuting home, using Google Docs.

Technology grows in leaps and bounds. It changes quickly day by day, month by month, and year by year. I have been a long-time Google Docs user; however, it is not the primary place I go for document creation. I tend to use Evernote, Letterspace, or just a plain text file if I need to jot down a quick note. The device in my hand determines my writing volume. Currently I am working on a B.A. in Information Systems with a concentration in cyber security, and on Monday I happened to have a paper due, which I had been struggling to get down on virtual paper. On Monday I thought that if I left work at my normal time I would arrive home at a decent hour and finish my paper. As I arrived at the BART station I could hear and see my train pulling off, WITHOUT ME! Instead of freaking out, knowing I would now be behind schedule, I thought to myself: why not start the paper while I wait for the next train in 20 minutes? Because my commute home would be well over 90 minutes, I thought it best to begin finalizing my paper.

I rarely use my laptop on BART, because you never know who is around you. Living in San Francisco, I have seen many laptops, iPads, and iPhones stolen because people were too immersed in their devices and not their surroundings. This left my iPhone as the tool I would use to write, edit, and finalize this paper. I had previously used Google Docs on the iPhone and quickly realized it was missing many of the capabilities I am accustomed to on my laptop. But because my options were limited, I thought, what the hell, why not give it a shot. Let's just say that after commuting for two hours I was able to complete an entire paper, share it out for editing, and highlight and edit the colors of the document. Thanks to Google Docs I was able to complete my task during my commute home without batting an eye.

The power that many people have right at their fingertips is quite amazing. The mere fact that I could create a document, share it, and then post it, all from my phone, is simply amazing. No longer do we need to provide users with a computer that has maxed-out RAM and CPU. With proper training and use cases we may be able to give users productivity on their mobile devices similar to what they have on their PCs. Google Docs, Evernote, Letterspace, and other editable document platforms allow users and IT folks alike the flexibility of quickly documenting a process, an environment, or just notes, all with their thumbs.

Freeradius and OTP

People often wonder how they can harden their OS X environment. There are many methods and tools that can be used to harden a system. Most admins live and die by SSH; however, for those who are not seasoned with SSH, securing it can be a daunting task.

To help protect against weak passwords, you can set up your OS X infrastructure to use One-Time Passwords (OTP). Here is the internet standard surrounding OTP. Depending on your environment, the prerequisites for setting up OTP on a machine may vary, but you will need these at minimum:

  • OTP Server
  • Auth Module
  • OS X System
  • Static Address
  • Shared Secret

I actually use the FreeRADIUS PAM auth module (pam_radius), version 1.3.17, in this write-up. Version 1.3.17 has some bugs, which is the reason I wrote up how I was able to use the buggy version. FreeRADIUS has released version 1.4, which is supposed to address the problems in 1.3.17. For those who have not updated or seen 1.4, you can use this write-up to get the 1.3.17 module working.

The first thing to do is download version 1.3.17 from https://github.com/FreeRADIUS/pam_radius. Then unzip the file and move the folder onto your Desktop. Before you run the make command, there are some edits that need to be made to the Makefile and to pam_radius_auth.c. If you try to compile without making the edits, this error will occur:

" pam_radius_auth.c:358:23: error: variable has incomplete type 'struct timezone’:

      struct timezone tz;

To counter this error, add the following definitions to pam_radius_auth.c above the struct timeval tv; declaration that sits just before line 358:

    struct timeval {
        time_t tv_sec;
        suseconds_t tv_usec;
    };
    struct timezone {
        int tz_minuteswest;
        int tz_dsttime;
    };

It should look like the following screenshot:

After this edit your code should be able to compile; however, I found that if your system is newer you will need to run a different gcc command in order to link correctly. The error you receive when running make without changing the Makefile comes at this link step:

ld -Bshareable pam_radius_auth.o md5.o -lpam -o pam_radius_auth.so

In order to combat this you must edit the Makefile. Within the Makefile there is a section called Build Shared Library, which states: "On systems with a newer GCC, you will need to do: gcc -shared pam_radius_auth.o md5.o -lpam -lc -o pam_radius_auth.so". Uncomment that gcc line.

Next, copy the gcc line and run it in your terminal with a -v flag at the end:

gcc -shared pam_radius_auth.o md5.o -lpam -lc -o pam_radius_auth.so -v

The output of the command should look like the following:

"/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/ld" -demangle -dynamic -dylib -arch x86_64 -macosx_version_min 10.10.0 -syslibroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.10.sdk -o pam_radius_auth.so pam_radius_auth.o md5.o -lpam -lc -lSystem /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/../lib/clang/6.0/lib/darwin/libclang_rt.osx.a

You will need to copy this ld command and enter it into your terminal. Once it completes, run the make command, which should result in a correct compile.

After these steps you will have a complete and functional pam_radius_auth.so. Half of the OTP setup is now complete.

Next, you will need to edit the proper configuration files, move the pam_radius_auth.so into the proper location, and test.

Configuration Files Editing

Navigate to /etc/sshd_config. The only lines that need to be edited inside the file are the following:

Some lines may be yes or no; you want to ensure they look like the previous image.

After that, move the pam_radius_auth.so file into its correct place, /usr/lib/pam. Next, navigate to /etc and create a pam_radius.conf file, or use the pam_radius.conf that was in the unzipped pam_radius folder on your Desktop. Inside the .conf file you specify the information about your OTP server. The information you will need to procure from your identity management or cyber team is:

  • server
  • shared_secret
  • timeout

Here is an example of the file. I would leave your localhost there, as the conf file indicates, and add your infrastructure below the localhost.

Next you will need to edit /etc/pam.d/sshd. This file tells your system where to find your pam_radius.conf and dictates which .so files to use for PAM authentication. An unedited file will have nothing commented out. You will need to add line 5 to your file.

Using FreeRADIUS, my file looks like the following:

Once you have all these items in place, I would reboot the system and test OTP to ensure authentication is working properly. During testing, remember to have Console open on the device you are setting up OTP on in order to provide possible insight into any errors.
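The configuration half of the procedure above (writing pam_radius.conf, adding the pam_radius_auth line to /etc/pam.d/sshd, and checking /etc/sshd_config), as an added shell script; this is not code from the original post or from the pam_radius project. Everything is written beneath a DESTROOT so the result can be inspected in a scratch directory before it is applied to a live box. Assumptions not stated on the page, and marked ASSUMED in the code: the module is pointed at the file with the conf=/etc/pam_radius.conf argument and stacked as required ahead of the existing auth lines, the sshd_config keys checked are UsePAM and ChallengeResponseAuthentication, and the server name, secret and timeout are placeholders. The compile steps stay manual as described above, since they depend on the Xcode toolchain installed on the machine.

```shell
#!/bin/sh
# Added example (not the original post's code): the configuration half of the
# pam_radius 1.3.17 setup described above, scripted. Every path is written
# beneath $DESTROOT, so DESTROOT=/tmp/otp-preview gives a dry run and
# DESTROOT="" is the live system. ASSUMED (not stated on the page): the module
# argument conf=/etc/pam_radius.conf, the "required" control flag and placement
# ahead of the existing auth lines, and the two sshd_config keys checked below.
set -eu

# /etc/pam_radius.conf, one server per line in the format the pam_radius README
# documents: server[:port]  shared_secret  timeout(s). Created 0600 because the
# shared secret is all that authenticates this client to the RADIUS server.
write_pam_radius_conf() {
    root="$1"; server="$2"; secret="$3"; timeout="$4"
    conf="$root/etc/pam_radius.conf"
    mkdir -p "$root/etc"
    ( umask 077; : > "$conf" )
    chmod 600 "$conf"
    {
        echo "# server[:port]    shared_secret    timeout (s)"
        printf '%s\t%s\t%s\n' "$server" "$secret" "$timeout"
    } > "$conf"
    echo "$conf"
}

# Insert "auth required pam_radius_auth.so conf=..." ahead of the first existing
# auth line in /etc/pam.d/sshd, so the OTP is demanded in addition to the
# directory password. Idempotent: a file that already names the module is left alone.
add_pam_radius_to_sshd() {
    root="$1"
    pamfile="$root/etc/pam.d/sshd"
    newline='auth       required       pam_radius_auth.so conf=/etc/pam_radius.conf'
    mkdir -p "$root/etc/pam.d"
    [ -f "$pamfile" ] || : > "$pamfile"
    if grep -q 'pam_radius_auth\.so' "$pamfile"; then
        return 0
    fi
    awk -v new="$newline" '
        !done && $1 == "auth" { print new; done = 1 }
        { print }
        END { if (!done) print new }
    ' "$pamfile" > "$pamfile.tmp"
    mv "$pamfile.tmp" "$pamfile"
}

# Verify the sshd_config settings PAM challenge-response needs (ASSUMED key
# names). Commented-out keys count as unset. Returns 1 if anything is off.
check_sshd_config() {
    cfg="$1"
    status=0
    for key in UsePAM ChallengeResponseAuthentication; do
        val="$(awk -v k="$key" '$1 == k { print $2; exit }' "$cfg")"
        if [ "$val" != "yes" ]; then
            echo "$cfg: $key must be yes (found: ${val:-unset})" >&2
            status=1
        fi
    done
    return "$status"
}

# Live run, as root, after pam_radius_auth.so has been copied to /usr/lib/pam:
#   PAM_RADIUS_APPLY=1 OTP_SERVER=otp.example.com OTP_SECRET='...' sh otp-setup.sh
# (otp.example.com and the secret are placeholders for your own infrastructure)
if [ "${PAM_RADIUS_APPLY:-0}" = 1 ]; then
    write_pam_radius_conf "${DESTROOT:-}" "${OTP_SERVER:?}" "${OTP_SECRET:?}" "${OTP_TIMEOUT:-3}"
    add_pam_radius_to_sshd "${DESTROOT:-}"
    check_sshd_config "${DESTROOT:-}/etc/sshd_config"
fi
```

Two points the script enforces that the prose above leaves implicit: pam_radius.conf is created root-only (0600), because the shared secret in it is the only thing that authenticates this host to the RADIUS server; and the sample file's localhost line is deliberately left out, because pam_radius tries servers in order and accepts the first valid reply, and UDP 1812 on 127.0.0.1 is an unprivileged port that any local process could answer on using that well-known secret. Keep an existing SSH session open while testing: a broken PAM stack locks out new logins, not the one already established.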

If you have any questions please do not hesitate to comment to drop me a line info @ jasonkmiller.com or jason @ jasonkmiller.co