Security, IT
Jason MIller
EDR Testing and Evaluation is a PITA
General, Security
Jason MIller
If you don’t have IAM(Identity Access ...

IAM (Identity and Access Management) is important because it helps organizations control who has access to their resources, and what actions those users can perform. This is essential for maintaining the security and integrity of sensitive data, and for complying with regulatory requirements. IAM also makes it easier for organizations to manage user access across multiple systems and services, and to quickly revoke access when necessary. Additionally, IAM enables organizations to implement a "least privilege" model, where users only have the permissions they need to do their jobs, which can help prevent accidental or malicious breaches.

If you don’t have IAM(Identity Access Management system) get one!
Culture
Jason MIller
Angry, hurt, and sad

Black lives matter and these are a few of my thoughts

Image credit:[George Floyd’s Death At The Hands Of Police Is A Terrible Echo Of The Past: Code Switch: NPR](https://www.npr.org/2020/05/29/865261916/a-decade-of-watching-black-people-die)

Angry, hurt, and sad
Recaps, General
Jason MIller
2018 A year in review

A 2018 review of my year.

General
Jason MIller
Be wary when traveling

EULA

Deploying a EULA with the Casper Suite

Recently I spoke at the JAMF Road Show in San Francisco on the basics of the Casper Suite. During this talk I reviewed OS X and iOS management of the Casper Suite. I described the different ways an organization can utilize the suite to accomplish their goals and give their admins their weekends and time back. I also discussed how we are having users sign a EULA and why we had not figured out how to deploy the EULA with Casper. Because I am working on deploying a couple hundred iPads within my fleet, I needed to determine a way to deploy a EULA with Casper. After digging around the JSS (Jamf Software Server) I found out how to deploy a custom EULA with the Casper Suite. The web interface does not blatantly tell you how to customize the EULA, but it does hint that it can be done. I will now describe how to locate and modify the enrollment page, which will support a custom EULA.  

First, login to your JSS and navigate to the settings tab, which is the blue gear in the upper right hand corner. Once there click on:

  1. Global Management
    then
  2. User-Initiated Enrollment

Where is the Eula?

The first screen the admin will see is the User-initiated Enrollment. This will provide four options:

  • General
  • Messaging
  • Platforms
  • Access

Each section will aid the end user in enrolling your management tool. The general section contains the following:

  • Restrict re enrollment
  • Skip certificate installation during enrollment

In order to create a customize EULA, click on the second tab labeled Messaging. 

Four tabs to rule them all

Once you select the Messaging tab, you will be presented with the Language box that says English. The view button is the key to deploying a customized EULA and enrollment environment. 

Eula, enrollment text, and more oh my!

The first option you have to customize the enrollment title page, Page Title for Enrollment.

https://yourjss.com:8443/enroll

There are ten categories:

  • Login
  • Device Ownership
  • EULA
  • Sites
  • Certificate
  • Institutional MDM Profile
  • Personal MDM Profile
  • QuickAdd Package
  • App for Android
  • Complete

Login lets you customize everything on the login page:

  • Login Page Text
  • Username Text
  • Password Text
  • Login Button Text

Login Page

The next tab is the Device Ownership. This page will help the user determine what type of device they will be enrolling.  This will also determine the level of control you will have as the administrator.

Device Ownership

The next tab is why we are all here today. FINALLY THE EULA. This section is where you can add your customized text from your legal or IT departments. The EULA terms will vary depending on if the device is personally or institutionally owned. If this was the only section you needed then you can skip the rest of the post; however, there are more options you can customize.

Ladies and Gentleman the main event, the EULA. 

The next three slides allow you to customize:

  • Sites
  • Certificate
  • Institutional MDM Profile
  • Personal MDM Profile

I would not recommend changing this text as there are a lot of system defaults here that may explain the purpose of the profiles and certificates in better detail. 

The Quickadd Package tab may be a tab you want to edit if you are granting technicians or users the ability to self-enroll OS X devices. The Quickadd Package Installation Text has the default text

Download and install this package

It wouldn't hurt to potentially add a bit more context about the installation package. Downloading and installing this package is great; however, the message could also read

Download and install this package that will grant access to the VPN, Wifi, and E-mail.

VPN, WiFi, and Email tend be the sticking points for a lot of people so what better way to draw people in than to tell them they can gain access to all this by installing one package?

OS X Customization

If you plan on deploying Android devices with the Casper Suite then there is a section that allows you to customize that text.

Droids

The last customizable portion of this section is the completion page. You can edit successful and failed installation messages. Instead of the standard contact for your administrator you can direct them to call the help desk or open a ticket. 

Game over

The last two tabs are:

  • Platforms
  • Access

The Platforms tab allows you to select what kind of devices can be enrolled with user-initiated enrollment. If you would like to allow enrollment of OS X, iOS, or Android devices then ensure you check all the correct boxes.

The Access tab allows certain or all LDAP groups to enroll devices and determines what types of devices.

Options for platform enrollment

Deploying a customizable EULA is very easy with the Casper Suite. If your organization requires this before devices can be enrolled (whether they are institutional or personal) then it is an option. I will say that just because this option is available does not mean it is necessary. Make sure you weigh the cost and benefits of changing the verbiage when devices are enrolled. Every time a rule is modified the EULA may need to be updated, which means you must be in the loop with legal or IT about policy change.