JAMF

JNUC 2015 - Day 2

Today, the JNUC was filled with very entertaining talks. The day started off with a talk from the team at IBM, discussing the integration of 30,000 Macs. It was quite impressive to see a deployment at such scale. During the talk, IBM talked about Workstation-as-a-Service (WaaS), which is an interesting approach to defining your workstation infrastructure. IBM is deploying 1,900 Macs a week, with a support staff of 24, and still growing. 98.7% of their Mac tickets are solved on the first call-in attempt. The folks who are working on the Mac deployment at IBM are very passionate about the product and the people they serve. IBM is leveraging DEP for their OS X clients, which gives them the ability to:

  • Printed Welcome Insert (inside of MacBook Boxes)
  • Self Service (Only location for Mac Applications)
  • Users are ADMINS on their workstations
  • NO Active Directory

Check out the article about their presentation:

Mac@IBM, Zero to 30,000 in 6 months

This was a great presentation about culture and how Macs work at IBM: think user first and build backward.

A highly entertaining and informative talk was Ben Toms's "Let's Talk About Certificates." Ben reviewed:

  • PKI
  • SCEP
  • CSR
  • APNS
  • Root and Intermediate CAs

It was quite informative and even had the appearance of a few plumbers. Watch the video when it is released.

Lastly, I went to a talk, "Make Your JSS Feel New with the Help of API." It was a great talk and provided great examples of why you want to start over with a new JSS and how to automate the process of migrating the JSS framework in under 30 minutes.

Day two was great and I will share more on day three later.

JNUC 2015 - Day 1

I am writing today from JNUC 2015, in Minneapolis, MN. JNUC stands for Jamf Nation User Conference. It's a 3-day conference centered around everything Casper Suite. JAMF Software's motto is "Helping the enterprise succeed with the Apple platform." This motto greatly aligns with my personal vision for helping an IT organization. Over 1,500 people have come from all over the world to share their experiences with Casper Suite, Casper Focus, and Composer. I am excited to be afforded the opportunity to share, explore, and learn about new ways to utilize the software. Today there were talks on System Integrity Protection, by Rich Trouton; JAMF Software Security, and Vulnerability Assessments, by Daniel Mayer; and Novel Solutions with JAMF IT, by Byron Terrell of JAMF Software. The agenda had plenty of other talks, but those were the three that caught my eye and attention. For a complete listing of talks, navigate to the JNUC 2015 Sessions schedule.

One final note: I attended a talk, "Culture Matters: Casper Suite for People Who Fear Going Corporate." This was an interesting talk because it centered around the idea of managing people who aren't used to being managed. It is an interesting idea of how to get everyone "on board" while IT ensures a safe environment. Four statements stood out from the talk:

  • Things they'll be able to do
  • Things we'll be able to do
  • Things we won't be able to do
  • What will they say at lunch?

These are all value points to consider when dealing with any users/staff/engineers, etc. When managing or providing services to client devices, ensure you explain the top three items and think about what people are saying about your service during lunch, because it may not be the right thing.

Lastly, Macbrained threw an awesome, or what I think was awesome, event at Day Block Brewery. Well over 140 people showed up to have beers, food, and great conversation centered around tech and life. As a disclaimer, I do help organize the Macbrained events. Overall it was a great day and I look forward to all the sessions and conversations on day 2.

Deploying a EULA with the Casper Suite

Recently I spoke at the JAMF Road Show in San Francisco on the basics of the Casper Suite. During this talk I reviewed OS X and iOS management of the Casper Suite. I described the different ways an organization can utilize the suite to accomplish their goals and give their admins their weekends and time back. I also discussed how we are having users sign a EULA and why we had not figured out how to deploy the EULA with Casper. Because I am working on deploying a couple hundred iPads within my fleet, I needed to determine a way to deploy a EULA with Casper. After digging around the JSS (Jamf Software Server) I found out how to deploy a custom EULA with the Casper Suite. The web interface does not blatantly tell you how to customize the EULA, but it does hint that it can be done. I will now describe how to locate and modify the enrollment page, which will support a custom EULA.

First, log in to your JSS and navigate to the settings tab, which is the blue gear in the upper right-hand corner. Once there, click on:

  1. Global Management
    then
  2. User-Initiated Enrollment

Where is the EULA?

The first screen the admin will see is User-Initiated Enrollment. This will provide four options:

  • General
  • Messaging
  • Platforms
  • Access

Each section will aid the end user in enrolling in your management tool. The General section contains the following:

  • Restrict re-enrollment
  • Skip certificate installation during enrollment

To create a customized EULA, click on the second tab, labeled Messaging.

Four tabs to rule them all

Once you select the Messaging tab, you will be presented with the Language box that says English. The view button is the key to deploying a customized EULA and enrollment environment.

EULA, enrollment text, and more, oh my!

The first option you have is to customize the enrollment title page, Page Title for Enrollment.

https://yourjss.com:8443/enroll

There are ten categories:

  • Login
  • Device Ownership
  • EULA
  • Sites
  • Certificate
  • Institutional MDM Profile
  • Personal MDM Profile
  • QuickAdd Package
  • App for Android
  • Complete

Login lets you customize everything on the login page:

  • Login Page Text
  • Username Text
  • Password Text
  • Login Button Text

Login Page

The next tab is Device Ownership. This page will help the user determine what type of device they will be enrolling. This will also determine the level of control you will have as the administrator.

Device Ownership

The next tab is why we are all here today. FINALLY THE EULA. This section is where you can add your customized text from your legal or IT departments. The EULA terms will vary depending on whether the device is personally or institutionally owned. If this was the only section you needed, then you can skip the rest of the post; however, there are more options you can customize.

Ladies and gentlemen, the main event: the EULA.

The next three slides allow you to customize:

  • Sites
  • Certificate
  • Institutional MDM Profile
  • Personal MDM Profile

I would not recommend changing this text, as there are a lot of system defaults here that may explain the purpose of the profiles and certificates in better detail.

The QuickAdd Package tab may be a tab you want to edit if you are granting technicians or users the ability to self-enroll OS X devices. The QuickAdd Package Installation Text has the default text:

Download and install this package

It wouldn't hurt to add a bit more context about the installation package. Downloading and installing this package is great; however, the message could also read:

Download and install this package that will grant access to the VPN, Wi-Fi, and E-mail.

VPN, Wi-Fi, and e-mail tend to be the sticking points for a lot of people, so what better way to draw people in than to tell them they can gain access to all this by installing one package?

OS X Customization

If you plan on deploying Android devices with the Casper Suite, then there is a section that allows you to customize that text.

Droids

The last customizable portion of this section is the completion page. You can edit successful and failed installation messages. Instead of the standard contact for your administrator, you can direct users to call the help desk or open a ticket.

Game over

The last two tabs are:

  • Platforms
  • Access

The Platforms tab allows you to select what kind of devices can be enrolled with user-initiated enrollment. If you would like to allow enrollment of OS X, iOS, or Android devices, then ensure you check all the correct boxes.

The Access tab allows certain or all LDAP groups to enroll devices and determines what types of devices they can enroll.

Options for platform enrollment

Deploying a customizable EULA is very easy with the Casper Suite. If your organization requires this before devices can be enrolled (whether they are institutional or personal), then it is an option. I will say that just because this option is available does not mean it is necessary. Make sure you weigh the costs and benefits of changing the verbiage when devices are enrolled. Every time a rule is modified, the EULA may need to be updated, which means you must be in the loop with legal or IT about policy changes.