Macadmin

Win the day: Evolve

My involvement with the Mac community is about to hit double digits. One of the reasons I love the community is that it genuinely feels like a community. Individuals get together to support one another, knowing that the IT department at many companies is a single person or a small group. No matter the size of the team or the skill set of the person, the community is always willing to offer the best solution the team can manage here and now, while still leaving room for people to grow. The same community is also there as a sounding board when it feels like everything is going wrong. Lastly, when it is time for a change, the community is there to help support that change. While I have been primarily involved with the community via Macbrained and speaking at Mac conferences, I have noticed over the last few years a difference in my conversations with the community. Endpoint management tools, and ideologies about how to manage the Apple ecosystem, are abundant.

A trend in Mac administration has been that if your organization had enough resources, Jamf Pro was the tool, though depending on your needs it could require custom code to manage your fleet effectively. If a company required IT to be scrappy (my favorite IT term from management), Jamf Pro usually wasn't an option, so Munki became the tool of choice. Lastly, companies with a team of endpoint engineers usually deployed tools like Puppet or Chef. All of the tools listed above are great options depending on the makeup of your team and company. While the Mac management tools may not be as old as Active Directory, the tools at our disposal are more than capable of managing our fleets. Depending on the size of an administrator's company, a Mac administrator may also have to manage Windows. The choice is usually not to manage Windows, or to barely support it, due to a lack of experience or a claim that Windows isn't better. That is always a matter of opinion, but one that I would like to address.

Administrators of macOS usually do not work on Windows or Windows administration. I say usually, as some do not care, and for those admins this is not for you, I think. A comment I have heard before is "Windows administrators just don't get it. Mac is different." While this rings true on the surface, if you dig deeper into that statement, I know it does not hold. At its core, Windows and Mac environments are endpoints. Both operating systems have management tools which apply modifications to ensure a device is compliant with a company's requirements. Both platforms have advantages depending on an individual's role and responsibility. We all know that finance loves Windows. But many Mac administrators either refuse, or are not comfortable or willing enough, to take the leap into Windows management. They are not interested in Windows management because they do not know the environment or are unsure of the who, what, where, and why of Windows management. Well, I am here to say that Mac endpoint engineers need to come out of the dark and learn how to manage Windows on at least a minimal level.

Part of evolving and becoming a better administrator is taking on new and challenging tasks or projects. Learning Windows administration will frustrate, challenge, and enlighten you, and prove there are similarities in managing both operating systems. Managing Windows is very challenging, as the number of ways to apply a setting is vast. The amount of Windows logging alone is overwhelming. Even though Windows management does require a different skill set, managing the endpoint keeps the same philosophy as Mac management. Over my next few posts, I will begin to show how managing Windows is eerily similar to managing Macs. I hope to provide guidance to Mac administrators who have to manage Windows, or Mac admins who want to embrace Windows in their environment. It's time for the evolution of the Mac admin.

pf.anchor

I have started to talk a bit more about PF in a broad sense. Over the course of my talks and general discussion it has been brought to my attention that people would like to see a sample pf.anchor. Well, I have posted a sample pf.anchor on my GitHub.

Please note that when you place the file inside /etc/pf.anchors you will need to do the following for it to be successful:

  1. Create a file named com.yourcompany within the /etc/pf.anchors folder (the file name must match the anchor name you use in pf.conf)
  2. Ensure the pf.conf file is set to read the anchor: it needs both an anchor "com.yourcompany" line and a load anchor "com.yourcompany" from "/etc/pf.anchors/com.yourcompany" line, and the anchor is only evaluated at the point in pf.conf where it is referenced
  3. TEST: parse the ruleset with pfctl -nf /etc/pf.conf (syntax check only, nothing is loaded) before loading it with pfctl -f /etc/pf.conf, then confirm the anchor's rules with pfctl -a com.yourcompany -sr

Here are the samples of both the pf.conf and pf.anchor files, along with the link to GitHub. Happy Trails!
#Default PF configuration file.
#

# This file contains the main ruleset, which gets automatically loaded
# at startup.  PF will not be automatically enabled, however.  Instead,
# each component which utilizes PF is responsible for enabling and disabling
# PF via -E and -X as documented in pfctl(8).  That will ensure that PF
# is disabled only when the last enable reference is released.
#
# Care must be taken to ensure that the main ruleset does not get flushed,
# as the nested anchors rely on the anchor point defined here. In addition
# to the anchors loaded by this file, some system services dynamically
# insert anchors into the main ruleset. These anchors are added only when
# the system service is used and are removed on termination of the service.
#
# See pf.conf(5) for syntax.
#
#
# com.apple anchor point
#
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"

scrub-anchor "com.jason"
nat-anchor "com.jason"
rdr-anchor "com.jason"
dummynet-anchor "com.jason"
anchor "com.jason"
load anchor "com.jason" from "/etc/pf.anchors/com.jason"

What follows is the pf.anchor file itself (/etc/pf.anchors/com.jason in this sample), which pf.conf pulls in via the load anchor line above. Note that "block in log all" comes first and the unlogged block rules for the noisy ports come last: pf evaluates every rule and the last matching rule wins unless a rule says quick, so the order below is deliberate.

#Macros
tcp_services = "{ rfb }"
casper_ssh = "{ ssh }"
casper_filerep = "{ 443 }"
casper_comms = "{ 8443 }"
udp_services = "{ rfb }"
icmp_types = "{ echorep, echoreq, timex, unreach }"

#Tables
#list out hosts to allow for whitelisting of "our" services

#table <block_hosts> persist
#table <dont_log_block_host> persist
#table <private> const { 10/8 172.16/12 192.168/16 224/8 }
#table <martians> const { 127/8 10/8 172.16/12 192.168/16 169.254/16 240/4 0/8 192.0.2.0/24 }

#Cyber Security Scanners (the addresses below are placeholders; pfctl will reject invalid octets, so replace them before uncommenting)
#table <whitelist_host> persist { \
        129.8.64.0/24 \
        150.342.46.291/27 \
#}

#Your Services
#table <yourhosts> persist { 821.6.14.24 123.4.5.987 198.33.45.11 128.4.98.103 198.7.128.193 100.3.28.14}
#           821.6.14.24      \ #Casper Server
#        123.4.5.987      \ #Bigfix production service
#        198.33.45.11        \ #Test server for Casper infrastructure
#        128.4.98.103       \ #jFuture management server
#        198.7.128.193       \ #Casper Software Repo
#        100.3.28.141       \ #Future management server

#table <bigfix> persist { 123.4.5.987  }

#these are added in if we need to allow SSH via OTP on a client device. 
#table <otp> const { 281.4.56.43 }      

#ssh.server.corp = 113.56.78.987
#otp.example.corp = 281.4.56.43

#Rules Created by "You"

#disable all filtering on loopback, possible Vmware nets
set skip on {lo,vmnet}

#block all inbound traffic
block in log all

#allow out the tcp and udp traffic
#pass in log proto tcp from <yourhosts> to port $tcp_services 
#pass in log proto udp from <yourhosts> to port $udp_services
#pass in log proto udp from <bigfix> to port $bigfix_udp  #define a bigfix_udp macro in the Macros section before enabling this rule
#pass in log quick proto tcp from <otp> to port $casper_ssh
#pass in log quick proto udp from <otp> to port $casper_ssh
#pass in log proto tcp from <yourhosts> to port $casper_ssh
#pass in log proto udp from <yourhosts> to port $casper_ssh
#pass in log proto tcp from any to port $casper_comms
#pass in log proto tcp from <yourhosts> to port $casper_filerep

#Allow whitelist hosts
#pass in log from <whitelist_host> to any

#Allow Your Service hosts
#pass in log from <yourhosts> to any

#Allow control traffic from LBL router
#pass in proto igmp from router_ip_here allow-opts

#ICMP traffic allowed to be passed in
pass in log inet proto icmp icmp-type $icmp_types
#We specify the address family 'inet' because pf requires it when specifying an icmp-type

#Trust all outbound
pass out all keep state

#James has these in his pf.conf so the noisy ports are blocked without logging: because the last matching rule wins, these override "block in log all" for these ports only. Take them out if necessary.
block in proto { tcp, udp } to port { 137:139, 17500 }
block in proto { tcp, udp } to port 631 #ipp - printers
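The three steps above (create the anchor file, wire it into pf.conf, test) are easy to get half right: an anchor file that exists but is never loaded, or is loaded but never referenced, silently does nothing. The script below is an added example written for this post, not the sample from the GitHub repo; it assumes the layout used above (/etc/pf.conf plus /etc/pf.anchors/<name>) and pfctl(8) as shipped on OS X. check_anchor_wiring verifies step 2 without touching the firewall; pf_test_and_load performs step 3 with pfctl -nf first so a typo in the anchor never reaches the live ruleset.

```shell
#!/bin/sh
# Added example for this post (not the sample from the GitHub repo): verify that
# a pf anchor is wired into pf.conf, then syntax-check, load and display it.
# Assumes /etc/pf.conf and /etc/pf.anchors/<name> as in the samples above.

# check_anchor_wiring CONF ANCHORDIR NAME
# Succeeds (0) only when CONF declares the anchor, loads it from ANCHORDIR/NAME,
# and that file exists. Prints each missing piece and returns 1 otherwise.
check_anchor_wiring() {
    conf=$1 dir=$2 name=$3 rc=0
    grep -Eq "^[[:space:]]*anchor[[:space:]]+\"$name\"" "$conf" ||
        { echo "missing in $conf: anchor \"$name\""; rc=1; }
    grep -Fq "load anchor \"$name\" from \"$dir/$name\"" "$conf" ||
        { echo "missing in $conf: load anchor \"$name\" from \"$dir/$name\""; rc=1; }
    [ -f "$dir/$name" ] || { echo "missing file: $dir/$name"; rc=1; }
    return $rc
}

# pf_test_and_load CONF NAME
# Step 3 (TEST): parse without loading, then load, enable pf with a reference
# count (-E, as Apple's pf.conf comments describe) and print the rules pf now
# holds in the anchor. Needs root. Returns 2 where pfctl is not available.
pf_test_and_load() {
    conf=$1 name=$2
    command -v pfctl >/dev/null 2>&1 || { echo "pfctl not found"; return 2; }
    pfctl -nf "$conf" || return 1            # syntax check only; nothing changes
    pfctl -f "$conf" && pfctl -E || return 1 # load the main ruleset, enable pf
    pfctl -a "$name" -sr                     # show what actually landed in the anchor
}

# Usage (as root): sh pfcheck.sh com.jason
if [ $# -eq 1 ]; then
    check_anchor_wiring /etc/pf.conf /etc/pf.anchors "$1" &&
        pf_test_and_load /etc/pf.conf "$1"
fi
```

If pfctl -a com.jason -sr prints nothing after a successful load, the anchor file parsed but contains no rules for pf to keep, which usually means every pass line is still commented out.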

JNUC 2015 - Day 3

Thursday was the last day of JNUC 2015. There were quite a few talks lined up, along with a couple of panels. The talks that grabbed my attention were:

  • Integrating & Automating Your Help Desk Ticketing
  • Security Matters: Making Infosec Your Friend
  • Simplifying Complex Management Infrastructures
  • Security Panel/VPP & DEP Panel

There were a multitude of other talks that grabbed my attention, but alas I can only be in one place at a time. Integrating & Automating Your Help Desk Ticketing was an interesting talk. The takeaways were:

  • Develop Automation
  • Automation is proactive when done right
  • Use APIs from Casper and your Ticketing system

I had a few conversations with people about this talk, and some have taken the automation even further. They assign the ticket to a technician with all the appropriate information, so there is no need to decide who will complete each newly created task.

The infosec talk caused many attendees to think differently about how they deal with their infosec team. At times Mac admins only think of things in terms of what we need to do in order to patch or repair a machine. If you talk to and build a relationship with your infosec team, you will learn about their worries or concerns on OS X:

  • Spotlight EULA, which sends search queries to Microsoft Bing
  • Bluetooth Vulnerabilities
  • Setting an EFI (firmware) password to protect machines
  • Using FileVault
  • Adobe FLASH
  • Web Browsers, keeping them up to date
  • Network Layer Attacks

By having open conversations with your infosec team you can collaborate, reduce frustrations, and provide a more secure environment for your users and employer.
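Several items on that list are things a Mac admin can check on a machine rather than debate. The script below is an added example, not material from the talk or from this post; it reads the output of the real OS X tools (fdesetup, firmwarepasswd, csrutil, defaults) through small parse_* functions so the pass/fail logic can be exercised offline, and run_audit executes the commands for real. The output strings it matches ("FileVault is On.", "Password Enabled: Yes", "System Integrity Protection status: enabled.") and Safari's per-user UniversalSearchEnabled key (0 when "Include Spotlight Suggestions" is off) are what those tools print on OS X 10.10 and 10.11; treat them as assumptions to re-verify on newer releases. Browser and Flash versions are reported for the admin to judge, not scored.

```shell
#!/bin/sh
# Added example (not from the talk or this post): a small OS X audit for the
# infosec concerns listed above. parse_* functions take the text the real
# command prints and succeed (0) only when the control is in place; run_audit
# wires them to the real commands. Assumed output formats are noted per line.

parse_fdesetup()       { printf '%s\n' "$1" | grep -q '^FileVault is On\.'; }        # fdesetup status
parse_firmwarepasswd() { printf '%s\n' "$1" | grep -q '^Password Enabled: Yes'; }    # firmwarepasswd -check
parse_csrutil()        { printf '%s\n' "$1" | grep -q 'status: enabled'; }           # csrutil status
parse_safari_suggest() { [ "$1" = "0" ]; }   # UniversalSearchEnabled; a missing key is the default (on)

# Version of an app or plug-in bundle from its Info.plist, if the bundle exists.
bundle_version() {
    [ -f "$1/Contents/Info.plist" ] && defaults read "$1/Contents/Info" CFBundleShortVersionString
}

# check LABEL CMD [ARGS...]: print one result line and count findings.
check() {
    label=$1; shift
    if "$@"; then printf 'OK       %s\n' "$label"
    else printf 'FINDING  %s\n' "$label"; findings=$((findings + 1)); fi
}

# run_audit: needs root for firmwarepasswd; returns the number of findings.
run_audit() {
    findings=0
    check "FileVault is on"                      parse_fdesetup "$(fdesetup status 2>/dev/null)"
    check "Firmware (EFI) password is set"       parse_firmwarepasswd "$(firmwarepasswd -check 2>/dev/null)"
    check "System Integrity Protection is on"    parse_csrutil "$(csrutil status 2>/dev/null)"
    check "Safari Spotlight Suggestions are off" parse_safari_suggest "$(defaults read com.apple.Safari UniversalSearchEnabled 2>/dev/null)"
    v=$(bundle_version /Applications/Safari.app 2>/dev/null) && printf 'INFO     Safari %s; compare against the current release\n' "$v"
    v=$(bundle_version "/Library/Internet Plug-Ins/Flash Player.plugin" 2>/dev/null) &&
        printf 'INFO     Flash Player %s installed; keep it patched or remove it\n' "$v"
    return "$findings"
}

# Usage (as root): sh audit.sh --run
[ "${1:-}" = "--run" ] && run_audit
```

The Safari check reads the calling user's preferences, so run it as the user whose browser you care about; the firmware password check needs root and only works on Macs with EFI firmware password support.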

Simplifying Complex Management Infrastructures provided great examples of how you can take your environment, no matter the size, and manage it using the Casper Suite. That includes management of OS X servers: knowing what is installed, applying software updates, or updating software. OS X admins have servers in many locations, and sometimes the basic updates from OS X Server are not enough. The Casper Suite can provide inventory information and can automate server management tasks.

I hopped between both panels, but each provided great information on its topic. People were able to submit questions via JAMF Nation, Twitter, or in person via a JAMFer. The Twitter hashtags were:

  • #JNUCSecurity
  • #JNUCVPP
  • #JNUCDEP

Lastly, the conference ended with a wrap-up session where people talked shop, said their goodbyes, and finished their questions for the speakers. It was a great time in Minneapolis for the JNUC. Can't wait for 2016.

JNUC 2015 - Day 2

Today, the JNUC was filled with very entertaining talks. The day started with a talk from the team at IBM discussing the deployment of 30,000 Macs. It was quite impressive to see a deployment at such scale. During the talk IBM discussed Workstation-as-a-Service (WaaS), an interesting approach to defining your workstation infrastructure. IBM is deploying 1,900 Macs a week with a support staff of 24, and still growing. 98.7% of their Mac tickets are solved on the first call. The folks working on the Mac deployment at IBM are very passionate about the product and the people they serve. IBM is leveraging DEP for their OS X clients, and their program includes:

  • A printed welcome insert (inside the MacBook boxes)
  • Self Service (the only location for Mac applications)
  • Users are admins on their workstations
  • No Active Directory

Check out the article about their presentation:

Mac@IBM, Zero to 30,000 in 6 months

This was a great presentation about culture and how Macs work at IBM: think user first and build backward.

A highly entertaining and informative talk was Ben Toms' Let's Talk About Certificates. Ben reviewed:

  • PKI
  • SCEP
  • CSR
  • APNS
  • Root and intermediate CAs

It was quite informative and even featured the appearance of a few plumbers. Watch the video when it is released.

Lastly, I went to a talk titled Make Your JSS Feel New with the Help of the API. It was a great talk and provided good examples of why you would want to start over with a new JSS, and how to automate migrating the JSS framework in under 30 minutes.

Day two was great and I will share more on day three later.

JNUC 2015 - Day 1

I am writing today from JNUC 2015 in Minneapolis, MN. JNUC stands for JAMF Nation User Conference. It's a 3-day conference centered around everything Casper Suite. JAMF Software's motto is "Helping the enterprise succeed with the Apple platform." This motto greatly aligns with my personal vision for helping an IT organization. Over 1,500 people have come from all over the world to share their experiences with Casper Suite, Casper Focus, and Composer. I am excited to be afforded the opportunity to share, explore, and learn about new ways to utilize the software. Today there were talks on System Integrity Protection by Rich Trouton, JAMF Software Security and Vulnerability Assessments by Daniel Mayer, and Novel Solutions with JAMF IT by Byron Terrell of JAMF Software. The agenda had plenty of other talks, but those were the three that caught my eye. For a complete listing of talks, navigate to the JNUC 2015 Sessions schedule.

One final note: I attended a talk titled "Culture Matters: Casper Suite for People Who Fear Going Corporate." This was an interesting talk because it centered around the idea of managing people who aren't used to being managed. It raises the question of how to get everyone "on board" while ensuring IT is providing a safe environment. Four statements stood out from the talk:

  • Things they'll be able to do
  • Things we'll be able to do
  • Things we won't be able to do
  • What will they say at lunch?

These are all valid points to consider when dealing with any users, staff, engineers, etc. When managing or providing services to client devices, make sure you explain the first three items, and think about what people are saying about your service at lunch, because it may not be the right thing.

Lastly, Macbrained threw an awesome, or what I think was awesome, event at Day Block Brewery. Well over 140 people showed up for beers, food, and great conversation centered around tech and life. As a disclaimer, I do help organize the Macbrained events. Overall it was a great day and I look forward to all the sessions and conversations on day 2.