├── .gitignore ├── About ├── Contributing.rst ├── License.rst ├── Resources.rst ├── Tools.rst ├── edit_on_github.png └── index.rst ├── Applications ├── Google-Chrome.rst ├── Microsoft-Office-2016.rst ├── SQL_Client.rst ├── images │ └── SQuirreL-conf.gif └── index.rst ├── Contributors ├── ftiff.rst ├── ftiff_avatar.png ├── generic_avatar.png ├── index.rst ├── mactroll.rst ├── mosen.rst └── mosen_avatar.png ├── General ├── Apple_KB.rst ├── Files_and_Storage │ ├── Storage_Structure.rst │ └── index.rst ├── Packaging │ ├── Forgetting-a-package.rst │ └── index.rst ├── Peripherals │ ├── Printing.rst │ └── index.rst ├── index.rst ├── macOS_Configuration │ ├── SysPrefs-10.12.3-Hardware.png │ ├── SysPrefs-10.12.3-Network.png │ ├── SysPrefs-10.12.3-Personal.png │ ├── SysPrefs-10.12.3-System.png │ ├── SysPrefs-10.12.3-ThirdParty.png │ ├── System_Preferences.rst │ └── index.rst └── macOS_Installation │ ├── Setup_Assistant.rst │ └── index.rst ├── Integration ├── Active_Directory.rst └── index.rst ├── MDM ├── AirWatch │ ├── AirWatch-API.md │ ├── Profiles │ │ ├── Airwatch+Munki.md │ │ └── EAP-TLS.md │ └── index.rst ├── CasperSuite │ ├── AutoPKG │ │ ├── Word-example.md │ │ └── img │ │ │ ├── Word-example-package.png │ │ │ ├── Word-example-policy1.png │ │ │ ├── Word-example-policy2.png │ │ │ ├── Word-example-policy3.png │ │ │ └── Word-example-smartgroup.png │ ├── CDP.rst │ ├── JSS │ │ ├── Infrastructure-Manager.rst │ │ ├── JSS-Upgrade-Manual.md │ │ ├── images │ │ │ ├── JAMF-IM-Infra.png │ │ │ ├── JAMF-IM-Infra.xml │ │ │ ├── jamf-im-1.png │ │ │ ├── jamf-im-2.png │ │ │ ├── jamf-im-ldap.png │ │ │ ├── jamf-im-sa-1.png │ │ │ ├── jamf-im-sa-2.png │ │ │ ├── jamf-im-sa-3.png │ │ │ ├── jamf-im-sa-4.png │ │ │ ├── jamf-im-sa-5.png │ │ │ └── restrict-major-os-update │ │ │ │ ├── add-restricted-software-record.png │ │ │ │ ├── computer-inventory-collection.png │ │ │ │ ├── edit-computer-inventory-collection.png │ │ │ │ ├── on-the-client.png │ │ │ │ ├── restrict-beta-version.png │ │ │ │ ├── 
restricted-software-records-1.png │ │ │ │ ├── restricted-software-records.png │ │ │ │ └── scope-restricted-software-record.png │ │ └── restrict-major-os-update.md │ ├── img │ │ ├── cyberduck-s3-add.png │ │ ├── cyberduck-s3.png │ │ └── jss-cdp.png │ └── index.rst ├── Puppet │ ├── Additional-Resources.md │ ├── Basic-Configuration.md │ ├── Getting-Started.md │ └── index.rst └── jamfpro │ ├── JSS_on_AWS.md │ ├── JSS_on_AWS │ ├── EC2-Details.png │ ├── EC2-Keypair.png │ ├── EC2-SecurityGroups.png │ ├── EC2-Storage.png │ ├── JSS-DBconfig.png │ ├── RDS-AdvancedSettings.png │ ├── RDS-DBDetails.png │ ├── VPC-AZ2.png │ └── VPC.png │ ├── Jamf_Resources.rst │ ├── Open-Source-Links.rst │ ├── Tuning.rst │ └── index.rst ├── Profiles-and-Settings ├── OS-X-Updates.rst └── index.rst ├── README.md ├── Security ├── Antivirus │ ├── Microsoft-SCEP.rst │ └── index.rst └── index.rst ├── _static └── extra.css ├── conf.py ├── index.rst ├── mkdocs.yml └── requirements.txt

/.gitignore:
--------------------------------------------------------------------------------
1 | # Mac OS X hidden files
2 | .DS_Store
3 |
4 | # Vim swap files
5 | .*.sw?
6 |
--------------------------------------------------------------------------------
/About/Contributing.rst:
--------------------------------------------------------------------------------
1 | Contributing
2 | ============
3 |
4 | Community Structure
5 | -------------------
6 |
7 | - **Owner** is currently @ftiff
8 | - **Maintainers and Collaborators** are all the members of [Shufflepuck](http://github.com/Shufflepuck)
9 | - **Contributors** is everyone who has had a pull request merged into this project
10 | - **Community Members** are all the MacAdmins. You're part of it if you professionally administer Macs
11 |
12 | We welcome everyone interested in sharing to the MacAdmin community at large.
13 |
14 | Getting Started
15 | ---------------
16 |
17 | If you're new to the MacAdmin community, please read the doc :ref:`Getting Started `.
18 |
19 | Best practices?
20 | ---------------
21 |
22 | This site is about things that have a large consensus in the MacAdmin Community. For example:
23 |
24 | * thin imaging is better than thick imaging (not always).
25 | * Apple maintains only the last three major OS releases (well… we had a security update for 10.6.8 after 10.11 was released [#]_).
26 |
27 | .. [#] https://support.apple.com/kb/HT205267
28 |
29 | So yes, defining "best practice" is not that easy. Think of what you would tell your apprentice.
30 |
31 | What is a good doc?
32 | -------------------
33 |
34 | Good documentation:
35 |
36 | - **uses International English** - Keep the sentences clear, simple and straight to the point;
37 | - **is neutral** - Show multiple points of view. Be accurate by citing reliable and authoritative sources. Debate is welcomed, but only on Issues and Pull Requests;
38 | - **uses Free content** - As per the [license](http://creativecommons.org/licenses/by-sa/4.0/), no one owns the content;
39 | - **is respectful** - Follows the [Contributor Code of Conduct v1.3.0](http://contributor-covenant.org/version/1/3/0/).
40 | - **is honest, but positive**.
41 |
42 |
43 | Contributing docs
44 | -----------------
45 |
46 | We use `GitHub `_ to manage the whole content. You should be familiar with `how to contribute on GitHub `_.
47 | I personally use `TextMate `_ to edit the `reStructuredText `_ documents.
48 |
49 | The easiest way to make quick edits is to click "Edit on GitHub" at the upper right of every page.
50 |
51 | .. image:: edit_on_github.png
52 |
53 | For more substantial edits, please fork the project and open a pull request.
54 |
55 | .. note:: You can always `Create an issue `_. Please do it if you don't have time!
--------------------------------------------------------------------------------
/About/License.rst:
--------------------------------------------------------------------------------
1 | License
2 | ========
3 |
4 | The license is Creative Commons `Attribution-ShareAlike 4.0 International `_ (CC BY-SA 4.0)
5 |
6 | This means:
7 |
8 | You are free to:
9 | ----------------
10 |
11 | * **Share** — copy and redistribute the material in any medium or format
12 | * **Adapt** — remix, transform, and build upon the material
13 |
14 | for any purpose, even commercially.
15 |
16 | The licensor cannot revoke these freedoms as long as you follow the license terms.
17 |
18 | under the following terms:
19 | --------------------------
20 |
21 | * **Attribution** — You must give appropriate credit, provide a link to the license, and indicate if changes were made.
22 | * **ShareAlike** — If you remix, transform, or build upon the material, you must distribute your contributions under the same license as the original.
23 |
24 | `Read more… `_
25 |
--------------------------------------------------------------------------------
/About/Resources.rst:
--------------------------------------------------------------------------------
1 | MacAdmins Resources
2 | ===================
3 |
4 | Discussion
5 | ----------
6 |
7 | - **`MacAdmins Slack `_** - if you like instant communication;
8 | - **`##osx-server `_** - this was the go-to before Slack existed.
Try the `Field Guide to IRC `_ from AFP548;
9 | - **`JAMF Nation `_** - Primarily focused on JAMF products, this is nonetheless a great resource;
10 | - **`Munki Google Group `_**
11 | - **`Mac Enterprise Mailing List `_**
12 |
--------------------------------------------------------------------------------
/About/Tools.rst:
--------------------------------------------------------------------------------
1 | Tools for MacAdmins
2 | ===================
3 |
4 | Editors
5 | -------
6 |
7 | TextEdit
8 | ^^^^^^^^
9 | Being free and available on every Mac, this is a no-brainer.
10 |
11 | * Make sure you edit in text-only (CMD+SHIFT+T)
12 | * Add it to your Dock for quick drag 'n drop
13 | * In the CLI, use `open -e [file]` to open in TextEdit
14 |
15 | Sublime Text
16 | ^^^^^^^^^^^^
17 | Download for free `here `_
18 |
19 | * This is the preferred choice for a lot of developers
20 | * Useful for highlighting
21 | * `Add it to your Command Line `_
22 |
23 | TextMate
24 | ^^^^^^^^^^^^
25 | Download for free `here `_
26 |
27 | * My preferred editor. Thanks to `@lolopb `_ for pointing this out!
28 |
29 |
30 |
--------------------------------------------------------------------------------
/About/edit_on_github.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Shufflepuck/MacAdminsDoc/58379e36d1e9fb8ec051e35af2eb52c3a2d86c33/About/edit_on_github.png
--------------------------------------------------------------------------------
/About/index.rst:
--------------------------------------------------------------------------------
1 | About MacAdminsDoc
2 | *********************
3 |
4 | .. toctree::
5 |     :maxdepth: 2
6 |     :titlesonly:
7 |     :glob:
8 |
9 |     *
10 |
--------------------------------------------------------------------------------
/Applications/Google-Chrome.rst:
--------------------------------------------------------------------------------
1 | .. only:: html
2 |
3 |     ..
sidebar:: Article information
4 |
5 |         :Authors:
6 |             :ref:`ftiff `
7 |
8 |         :Updated: |today|
9 |
10 | Google Chrome
11 | =============
12 |
13 | Configure Suggested Preferences
14 | -------------------------------
15 |
16 | To do that, we'll create a file: ``/Library/Google/Google Chrome Master Preferences``
17 |
18 | Use these pages as a reference:
19 | *
20 | * (may not be up to date)
21 |
22 | For example:
23 |
24 | .. code-block:: json
25 |
26 |     {
27 |         "homepage" : "http://www.maclovin.org",
28 |         "homepage_is_newtabpage" : true,
29 |         "browser" : {
30 |             "show_home_button" : true,
31 |             "check_default_browser" : false
32 |         },
33 |         "bookmark_bar" : {
34 |             "show_on_all_tabs" : true
35 |         },
36 |         "distribution" : {
37 |             "skip_first_run_ui" : true,
38 |             "show_welcome_page" : false,
39 |             "import_search_engine" : true,
40 |             "import_history" : false,
41 |             "create_all_shortcuts" : true,
42 |             "do_not_launch_chrome" : true,
43 |             "make_chrome_default" : false
44 |         },
45 |         "first_run_tabs" : [
46 |             "http://www.maclovin.org",
47 |             "welcome_page",
48 |             "new_tab_page"
49 |         ]
50 |     }
51 |
52 | To delete the current user's Chrome preferences and cache and launch Chrome as if it were its first run, use the following commands:
53 |
54 | .. code-block:: sh
55 |
56 |     rm ~/Library/Preferences/com.google.Chrome.plist
57 |     rm -rf ~/Library/Caches/Google/
58 |     rm -rf ~/Library/Application\ Support/Google/Chrome/
59 |     /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --force-first-run
60 |
61 | -> `Good resource on Google Chrome's Command Line options `_
62 |
--------------------------------------------------------------------------------
/Applications/Microsoft-Office-2016.rst:
--------------------------------------------------------------------------------
1 | .. only:: html
2 |
3 |     ..
sidebar:: Article information
4 |
5 |         :Authors:
6 |             :ref:`ftiff `
7 |
8 |         :Updated: |today|
9 |
10 | Microsoft Office 2016
11 | =====================
12 |
13 | Changing the Name and Initials
14 | ------------------------------
15 |
16 | If you deployed Office 2016 with a volume license, chances are your users will complain that the name used for reviews (or Auto-Track changes) is "Microsoft Office User" with initials "MO" (or any localized variation).
17 |
18 | It is stored here: ``~/Library/Group Containers/UBF8T346G9.Office/MeContact.plist``
19 |
20 | .. code-block:: bash
21 |
22 |     $ defaults read "/Users/fti/Library/Group Containers/UBF8T346G9.Office/MeContact.plist"
23 |     {
24 |         Initials = FTI;
25 |         Name = "Francois Levaux-Tiffreau";
26 |     }
27 |
28 | How to script it
29 | ^^^^^^^^^^^^^^^^
30 |
31 | A simple script that sets both the Office 2016 Name and Initials values in the MeContact.plist for the currently logged in user.
32 |
33 | .. code-block:: bash
34 |
35 |     #!/bin/bash
36 |
37 |     PATH=/bin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/libexec
38 |     export PATH
39 |
40 |     FullScriptName=$(basename "$0") # Variable used to store the file name of this script
41 |
42 |     DsclSearchPath="/Local/Default" # Variable used to store the search path used by the dscl command.
43 |
44 |     # Get the username of the person currently running the script.
45 |     username=$(id -un)
46 |
47 |     echo "$FullScriptName -- Personalizing Office 2016 for $username"
48 |
49 |     # Lookup the user's name from the local directory
50 |     firstname=$(dscl "$DsclSearchPath" -read "/Users/$username" RealName | tr -d '\n' | awk '{print $2}')
51 |     lastname=$(dscl "$DsclSearchPath" -read "/Users/$username" RealName | tr -d '\n' | awk '{print $3}')
52 |
53 |     # Get the first letter of the first name for the initial
54 |     firstInitial=${firstname:0:1}
55 |
56 |     # Get the first letter of the last name for the initial
57 |     lastInitial=${lastname:0:1}
58 |
59 |     # Concatenate the initials together into one variable.
60 |     UserInitials="${firstInitial}${lastInitial}"
61 |
62 |     # Concatenate the full name together into one variable.
63 |     UserFullName="$firstname $lastname"
64 |
65 |     # Remove any leading or trailing whitespace
66 |     UserFullName="$(printf '%s' "${UserFullName}" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')"
67 |     UserInitials="$(printf '%s' "${UserInitials}" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')"
68 |
69 |     defaults write "/Users/$username/Library/Group Containers/UBF8T346G9.Office/MeContact.plist" Name "$UserFullName"
70 |
71 |     defaults write "/Users/$username/Library/Group Containers/UBF8T346G9.Office/MeContact.plist" Initials "$UserInitials"
72 |
73 |     echo "$FullScriptName -- Completed personalizing Office 2016 for $username"
74 |
75 |     # Quit the script without errors.
76 |     exit 0
77 |
78 |
79 | Deploying Office Templates
80 | --------------------------
81 |
82 | It's technically possible to deploy your templates in `~/Library/Group Containers/UBF8T346G9.Office/User Content.localized/Templates.localized`, but unfortunately this container won't exist until the user launches an Office application. There's a better way.
83 |
84 | Simply drop your templates in `/Library/Application Support/Microsoft/Office365/User Content.localized/Templates.localized` to make them available to all users at any time. They will be available to the user in `File > New from Template…`. You can also create subfolders (this won't change the display). As they're directly referenced, any change to this folder will be reflected in Office (they're not copied).
85 |
86 | How to script it
87 | ^^^^^^^^^^^^^^^^
88 |
89 | You can either create a package to deploy the templates at the right place, or use this script to create the directories:
90 |
91 | ..
code-block:: bash
92 |
93 |     # This script checks for and creates if needed the directories for Office 2016 templates for Word, PowerPoint and Excel
94 |     # Made by Rich-the-Great
95 |
96 |     function test_command {
97 |         /bin/echo -n "Executing '$*'… "
98 |         "$@"
99 |         local status=$?
100 |         if [ $status -ne 0 ]; then
101 |             echo "ERROR: $*" >&2
102 |             exit $status
103 |         fi
104 |         echo "OK"
105 |
106 |     }
107 |
108 |     if [[ ! -d "/Library/Application Support/Microsoft/Office365/User Content.localized/Templates.localized" ]]; then
109 |         /bin/echo "Necessary support directories for Office 2016 templates not found."
110 |         /bin/echo "Creating necessary support directories for Office 2016 templates."
111 |
112 |         test_command /bin/mkdir -p "/Library/Application Support/Microsoft/Office365/User Content.localized/Templates.localized"
113 |
114 |         # We don't use -R to make sure we don't step on anybody's toes
115 |         # On a fresh 15.19.1 install, perms are root:wheel 755
116 |         test_command /usr/sbin/chown root:wheel "/Library/Application Support/Microsoft/Office365"
117 |         test_command /usr/sbin/chown root:wheel "/Library/Application Support/Microsoft/Office365/User Content.localized"
118 |         test_command /usr/sbin/chown root:wheel "/Library/Application Support/Microsoft/Office365/User Content.localized/Templates.localized"
119 |         test_command /bin/chmod 755 "/Library/Application Support/Microsoft/Office365"
120 |         test_command /bin/chmod 755 "/Library/Application Support/Microsoft/Office365/User Content.localized"
121 |         test_command /bin/chmod 755 "/Library/Application Support/Microsoft/Office365/User Content.localized/Templates.localized"
122 |     fi
123 |
124 |
--------------------------------------------------------------------------------
/Applications/SQL_Client.rst:
--------------------------------------------------------------------------------
1 | .. only:: html
2 |
3 |     ..
sidebar:: Article information
4 |
5 |         :Authors:
6 |             :ref:`ftiff `
7 |
8 |         :Updated: |today|
9 |
10 | SQL Clients
11 | ===========
12 |
13 | IBMi DB2 Databases
14 | ------------------
15 |
16 |
17 | You could use the IBM System i Navigator, but how about a tool you can use with every database (PostgreSQL, MySQL, SQL Server, DB2…)? I must warn you: it's Java from the nineties.
18 |
19 | Components needed
20 | ^^^^^^^^^^^^^^^^^
21 |
22 | - `Java 1.8 JDK `_
23 | - `JTOpen `_
24 | - `SQuirreL `_
25 |
26 |
27 | JTOpen
28 | """""""""
29 |
30 | The IBM Toolbox for Java is a library of Java classes supporting the client/server and internet programming models to a system running IBM i (or i5/OS or OS/400). The classes are used by SQuirreL to easily access IBM i data and resources.
31 |
32 | 1. Download and install `Java 1.8 JDK `_
33 | 2. Download `JTOpen `_
34 | 3. Copy lib/ where you'd like. I believe the right path is '/usr/local/lib/jtopen/'::
35 |
36 |        sudo ditto ~/Downloads/jtopen_9_0/lib /usr/local/lib/jtopen_9_0
37 |
38 | SQuirreL
39 | """"""""""""
40 |
41 | 1. Download `SQuirreL `_
42 | 2. Open squirrel-sql-3.7-MACOSX-install.jar
43 | 3. Make sure you select "Optional Plugin - DB2"
44 | 4. Click on Drivers > JTOpen(AS/400)
45 | 5. Click on Extra Class Path
46 | 6. Click Add, then choose /usr/local/lib/jtopen_9_0/java8/jt400.jar and click OK.
47 | 7. You should get a green message "Driver class com.ibm.as400.access.AS400JDBCDriver successfully registered for driver definition: JTOpen(AS/400)"
48 | 8. Click on Aliases > + (blue cross)
49 | 9. Select Driver: JTOpen(AS/400) (it should have a blue check mark)
50 | 10. Enter your info, click OK. It should now be working!
51 |
52 | ..
image:: images/SQuirreL-conf.gif 53 | 54 | `More info… `_ 55 | -------------------------------------------------------------------------------- /Applications/images/SQuirreL-conf.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shufflepuck/MacAdminsDoc/58379e36d1e9fb8ec051e35af2eb52c3a2d86c33/Applications/images/SQuirreL-conf.gif -------------------------------------------------------------------------------- /Applications/index.rst: -------------------------------------------------------------------------------- 1 | Applications 2 | ********************* 3 | 4 | .. toctree:: 5 | :maxdepth: 2 6 | :titlesonly: 7 | :glob: 8 | 9 | * 10 | -------------------------------------------------------------------------------- /Contributors/ftiff.rst: -------------------------------------------------------------------------------- 1 | .. _team-ftiff: 2 | 3 | .. sidebar:: Profile Picture 4 | 5 | .. image:: ftiff_avatar.png 6 | 7 | ftiff 8 | ----- 9 | 10 | ================================ ============================ 11 | Real Name François Levaux-Tiffreau 12 | ================================ ============================ 13 | Employer Amaris 14 | Slack `@ftiff `_ 15 | Twitter `@ftiff `_ 16 | Linkedin `ftiff `_ 17 | Blog ``_ 18 | ================================ ============================ 19 | 20 | 21 | -------------------------------------------------------------------------------- /Contributors/ftiff_avatar.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shufflepuck/MacAdminsDoc/58379e36d1e9fb8ec051e35af2eb52c3a2d86c33/Contributors/ftiff_avatar.png -------------------------------------------------------------------------------- /Contributors/generic_avatar.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Shufflepuck/MacAdminsDoc/58379e36d1e9fb8ec051e35af2eb52c3a2d86c33/Contributors/generic_avatar.png -------------------------------------------------------------------------------- /Contributors/index.rst: -------------------------------------------------------------------------------- 1 | Notable Contributors 2 | ********************* 3 | 4 | .. toctree:: 5 | :maxdepth: 2 6 | :titlesonly: 7 | :glob: 8 | 9 | * 10 | -------------------------------------------------------------------------------- /Contributors/mactroll.rst: -------------------------------------------------------------------------------- 1 | .. _team-mactroll: 2 | 3 | .. sidebar:: Profile Picture 4 | 5 | .. image:: generic_avatar.png 6 | 7 | mactroll 8 | -------- 9 | 10 | ================================ ============================ 11 | Real Name Joel Rennich 12 | ================================ ============================ 13 | Employer Trusource Labs 14 | Slack `@mactroll `_ 15 | ================================ ============================ 16 | 17 | 18 | -------------------------------------------------------------------------------- /Contributors/mosen.rst: -------------------------------------------------------------------------------- 1 | .. _team-mosen: 2 | 3 | .. sidebar:: Profile Picture 4 | 5 | .. 
image:: mosen_avatar.png 6 | 7 | mosen 8 | ----- 9 | 10 | 11 | ================================ ============================ 12 | Real Name Unknown 13 | ================================ ============================ 14 | Slack `@mosen `_ 15 | ================================ ============================ 16 | 17 | 18 | -------------------------------------------------------------------------------- /Contributors/mosen_avatar.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shufflepuck/MacAdminsDoc/58379e36d1e9fb8ec051e35af2eb52c3a2d86c33/Contributors/mosen_avatar.png -------------------------------------------------------------------------------- /General/Apple_KB.rst: -------------------------------------------------------------------------------- 1 | Apple Support Knowledge Base 2 | ============================ 3 | 4 | - `Edit and Share 4K video with iMovie `_ 5 | - `Edit and Share Video at 60 frames per second in iMovie `_ 6 | - `How to delete an app that has a configuration profile on your iPhone, iPad, or iPod touch `_ 7 | - `Change the name of a Bluetooth device `_ 8 | - `If an external display doesn't work with your MacBook Pro (Retina, 15-inch, Mid 2015) or MacBook Air (11-inch, Early 2015) running OS X El Capitan v10.11 `_ 9 | - `Get help with resetting your iPhone `_ 10 | - `About the App Store on your Apple TV (4th generation) `_ 11 | - `If you can’t use your Photos library in other apps `_ 12 | - `About the OS X El Capitan v10.11.3 Update `_ 13 | - `Set up your Apple TV (4th generation) `_ 14 | - `Enter your account information again when changing the YouTube share destination in Final Cut Pro `_ 15 | - `About the OS X El Capitan v10.11.1 Update `_ 16 | - `About OS X Server 5.0.15 `_ 17 | - `Set up Find My iPhone, iPad, Apple Watch, and Mac `_ 18 | - `Manage your Apple Music membership if you’re using an Android phone `_ 19 | - `Join Apple Music on your Android phone `_ 20 | - `Get 
help with Apple Music on Android `_ 21 | - `View the Holidays calendar for other regions `_ 22 | - `About the security content of iOS 9.1 `_ 23 | - `If your Apple Watch won't charge or it won't turn on `_ 24 | - `About the security content of iTunes 12.3.1 `_ 25 | - `About the security content of Keynote 6.6, Pages 5.6, Numbers 3.6, and iWork for iOS 2.6 `_ 26 | - `About the security content of OS X El Capitan 10.11.1, Security Update 2015-004 Yosemite, and Security Update 2015-007 Mavericks `_ 27 | - `About the security content of OS X Server 5.0.15 `_ 28 | - `About the security content of Safari 9.0.1 `_ 29 | - `About the security content of watchOS 2.0.1 `_ 30 | - `About the security content of Xcode 7.1 `_ 31 | - `If custom alert sounds don't appear after upgrading to El Capitan `_ 32 | - `If your country or region doesn't have Google Play, download the Apple Music app from the Apple website `_ 33 | - ` If some email messages or mailboxes are missing in Mail after upgrading to El Capitan `_ 34 | - `Charge your Siri Remote or Apple TV Remote `_ 35 | - `About Apple Configurator 2.1 `_ 36 | - `If a project you created in iPhoto shows empty frames in Photos for OS X `_ 37 | - `Email photos from iPhoto with your account that uses two-step verification `_ 38 | - `Import and export different file formats with Numbers `_ 39 | - `If you can't sign in with your Apple ID after you upgrade to iOS 9 `_ 40 | - `If you can't download iTunes for Windows using Microsoft Edge `_ 41 | - `Create and manage your music collection in Apple Music on Android `_ 42 | - `Create interlaced H.264 files in Final Cut Pro X and Compressor `_ 43 | - `Update your iPad Pro (9.7-inch) from iOS 9.3 or 9.3.1 to iOS 9.3.2 or later `_ 44 | - `Guest mode isn't available with some IPv6 configurations on AirPort devices `_ 45 | - `About iPad keyboard `_ 46 | - `Check the status of your library in Photos for macOS `_ 47 | - `About APN and Cellular profile payloads in Apple Configurator 2.1 `_ 48 | - 
`Restore previous versions of iWork documents stored on iCloud Drive `_ 49 | - `If inline images are missing from wiki pages hosted from OS X Server 5 `_ 50 | - `Charge your iPhone with your Smart Battery Case `_ 51 | - `About Apple TV (4th generation) software updates `_ 52 | - `Use VoiceOver on Apple TV (4th generation) `_ 53 | - `Set up your devices to use two-factor authentication `_ 54 | - `Change the watch face on your Apple Watch `_ 55 | - `How to use your Apple Watch without your iPhone nearby `_ 56 | - `Switch between apps using the Dock on your Apple Watch `_ 57 | - `Use your Apple Watch as a remote control for your Apple TV or iTunes `_ 58 | - `Status icons on Apple Watch `_ 59 | - `Change the brightness and text size on your Apple Watch `_ 60 | - `About your Apple Watch `_ 61 | - `About the OS X El Capitan v10.11.2 Update `_ 62 | - `If XAVC-S media from your Sony camera appears blank in iMovie for Mac `_ 63 | - `Manage the cards that you use with Apple Pay `_ 64 | - `Charge your Apple Watch using the Apple Watch Magnetic Charging Dock `_ 65 | - `Apple Music and Family Sharing `_ 66 | - `If you see error -54 when you sync with iTunes `_ 67 | - `If your iPhone, iPad, or iPod touch won't turn on `_ 68 | - `Update the firmware for your Kirkland Signature hearing aids `_ 69 | - `If CoreAudioToolbox.dll is listed in the problem details when iTunes for Windows stops working `_ 70 | - `If still images are solid green or black in the iMovie Viewer `_ 71 | - `If you see error 53 and your iPhone or iPad gets stuck on the 'Connect to iTunes' screen `_ 72 | - `Using Apple Music on Sonos `_ 73 | - `Get help adding cards to Apple Pay `_ 74 | - `Changes to iTunes U course material storage locations `_ 75 | - `If you're missing Health data after restoring from an iCloud backup you made with iOS 9 `_ 76 | - `Set up CarPlay with your iPhone `_ 77 | - `About the security content of iOS 9.2 `_ 78 | - `About the security content of iTunes 12.3.2 `_ 79 | - `About the security 
content of OS X El Capitan 10.11.2, Security Update 2015-005 Yosemite, and Security Update 2015-008 Mavericks `_ 80 | - `About the security content of QuickTime 7.7.9 `_ 81 | - `About the security content of Safari 9.0.2 `_ 82 | - `About the security content of tvOS 9.1 `_ 83 | - `About the security content of watchOS 2.1 `_ 84 | - `About the security content of Xcode 7.2 `_ 85 | - `About EMV and Apple Pay for merchants `_ 86 | - `If Photos for OS X stops responding when you create a card `_ 87 | - `If your iPhone, iPad, or iPod touch won't turn on `_ 88 | - `Printer and scanner software available for download for OS X Lion `_ 89 | - `Share files between macOS and Windows on the same Mac `_ 90 | - `About the security content of Security Update 2015-006 Yosemite `_ 91 | - `If apps don't finish installing with Mobile Device Management (MDM) and iOS 9.2 `_ 92 | - `Ergonomics `_ 93 | - `If you see the 'This app cannot be assigned to a device' alert in Configurator 2 `_ 94 | - `Take and edit photos with your iPhone, iPad, and iPod touch `_ 95 | - `Use a Baum VarioUltra display with VoiceOver `_ 96 | - `Clean the keyboard of your MacBook (Retina, 12-inch, Early 2015) and later `_ 97 | - `If you're asked to let Apple Music manage calls on your Android phone `_ 98 | - `If you get an alert from BTK in Turkey saying that your IMEI isn't registered `_ 99 | - `Change the shipping address for print product orders in Photos for macOS `_ 100 | - `About the Mac App Store Update for OS X Snow Leopard `_ 101 | - `Manage your photo and video storage `_ 102 | - `If your Xsan volume doesn't automatically mount at startup `_ 103 | - `If you see an error in iTunes on your Mac or PC `_ 104 | - `If your iPhone 6s or iPhone 6s Plus battery percentage doesn't update `_ 105 | - `If your iPad Pro wakes unexpectedly when connected to a Smart Keyboard `_ 106 | - `About the security content of tvOS 9.1.1 `_ 107 | - `About the security content of Safari 9.0.3 `_ 108 | - `About the security content 
of OS X El Capitan 10.11.3 and Security Update 2016-001 `_ 109 | - `About the security content of iOS 9.2.1 `_ 110 | - `Topics for the ACMT 2016 Mac Service Certification Exam (MAC-16A) `_ 111 | - `Courses to study for the ACMT 2016 Mac Service Certification Exam (MAC-16A) `_ 112 | - `Topics for the ACiT 2016 iOS Service Certification Exam (iOS-16A) `_ 113 | - `Courses to study for the ACiT 2016 iOS Service Certification Exam (iOS-16A) `_ 114 | - `Topics for the Apple Service Fundamentals Exam (SVC-16A) `_ 115 | - `Courses to study for the Apple Service Fundamentals Exam (SVC-16A) `_ 116 | - `Exams and courses that you need to service iOS products `_ 117 | - `Find audio-described content in the iTunes Store `_ 118 | - `About iCloud Photo Library and My Photo Stream `_ 119 | - `Apple FIPS Cryptographic Modules v6.0 for iOS 9 `_ 120 | - `How do I accept Apple Pay in my store `_ 121 | - `Apple FIPS Cryptographic Modules v6.0 for OS X El Capitan v10.11 `_ 122 | - `Set up your new Mac `_ 123 | - `About the OS X El Capitan v10.11.4 Update `_ 124 | - `Use iCloud Drive or iBooks to access your PDF files, ePub files, and books `_ 125 | - `Merchant training for Apple Pay `_ 126 | - `If installation of Windows 10 on your Mac stops at RealTek software `_ 127 | - `Keep your contacts up to date on all of your devices with iCloud `_ 128 | - `Stop older Apple Remotes from controlling your Apple TV (4th generation) `_ 129 | - `Where to get answers about your Mac `_ 130 | - `Apple security updates (2013) `_ 131 | - `If user profiles don't finish installing after updating to OS X Server 5.0.15 `_ 132 | - `Change the SMB connection limit in OS X Server 5 `_ 133 | - `Apple security updates (2014) `_ 134 | - `Help your child set up an iPhone, iPad, or iPod touch `_ 135 | - `Import XF and XF-AVC media from Canon cameras with Final Cut Pro X `_ 136 | - `If Time Machine doesn't appear correctly on one of your Mac displays `_ 137 | - `If you can’t send an email in the Mail app, because the 
compose window disappears and reappears `_ 138 | - `Control VoiceOver with Trackpad Commander `_ 139 | - `Uninstall QuickTime 7 for Windows `_ 140 | - `Use Notes on your iPhone, iPad, and iPod touch `_ 141 | - `Read and reply to messages with your Apple Watch `_ 142 | - `If you see a “Windows installer package” error message when you try to uninstall iTunes from your PC `_ 143 | - `Import Music Memos recordings into Logic Pro X `_ 144 | - `Use more than one Apple Watch with your iPhone `_ 145 | - `Import your notes and files to the Notes app `_ 146 | - `Keep your notes secure with password-protection `_ 147 | - `About the security content of Apple TV 7.2.1 `_ 148 | - `Turn on audio descriptions on your iPhone, iPad, or iPod touch `_ 149 | - `Turn on audio descriptions on iPod nano `_ 150 | - `Turn on audio descriptions in iTunes for Windows `_ 151 | - `Turn on audio descriptions on your Apple TV `_ 152 | - `Turn on audio descriptions on your Mac `_ 153 | - `Create an album from a project in Photos for OS X `_ 154 | - `About Apple USB-C to Lightning cable `_ 155 | - `Be productive on your new Mac `_ 156 | - `Delete photos on your iPhone, iPad, and iPod touch `_ 157 | - `About the USB-C Multiport Adapter Update 1.0 `_ 158 | - `Use Reminders on your iPhone, iPad, or iPod touch `_ 159 | - `Hide photos on your iPhone, iPad, iPod touch, or Mac `_ 160 | - `If you can't open or save changes to a shared file `_ 161 | - `If your Alchemy window doesn't show presets `_ 162 | - `Automatically assign MIDI controller knobs, sliders, and other controls with Logic Pro X 10.2.2 `_ 163 | - `Get help with missing photos `_ 164 | - `About Managed Apple IDs for education `_ 165 | - `Get your music collection on all of your devices `_ 166 | - `If you see error -5000, -69, 13010, or 13014 when you sync music in iTunes `_ 167 | - `Turn off packet signing for SMB 2 and SMB 3 connections `_ 168 | - `If GarageBand for Mac won't open or play back your project `_ 169 | - `Get an Apple Music 
Student Membership `_ 170 | - `If GarageBand for iOS won't open or playback your project `_ 171 | - `Read along with iBooks StoryTime on Apple TV `_ 172 | - `Get help with the Photos app on your Mac `_ 173 | - `About the Multithreading setting in Logic Pro X `_ 174 | - `ATLAS frequently asked questions `_ 175 | - `If the built-in display on your MacBook Pro (Retina, 15-inch, Mid 2015) doesn't turn on `_ 176 | - `About the security content of Apple Software Update 2.2 `_ 177 | - `How to get a Tech ID `_ 178 | - `Change your payment method from ClickandBuy `_ 179 | - `About OS X Server 5.1 `_ 180 | - `About Classroom 1.1.2 `_ 181 | - `If you see a "VPN Using PPTP May Not Be Secure" alert `_ 182 | - `About Configurator 2.2 `_ 183 | - `VPN Key Exchange Enhancements in iOS 9.3, OS X 10.11.4 and Server 5.1 `_ 184 | - `Get help with iMovie `_ 185 | - `About subscriptions in Apple News `_ 186 | - `About the security content of iOS 9.3 `_ 187 | - `About the security content of OS X El Capitan v10.11.4 and Security Update 2016-002 `_ 188 | - `About the security content of watchOS 2.2 `_ 189 | - `About the security content of tvOS 9.2 `_ 190 | - `How to download content from the cloud when using Optimized Storage `_ 191 | - `About the security content of Safari 9.1 `_ 192 | - `About the security content of Xcode 7.3 `_ 193 | - `About the security content of OS X Server 5.1 `_ 194 | - `About the macOS Sierra 10.12.1 update `_ 195 | - `Languages supported by VoiceOver `_ 196 | - `About Apple Remote Desktop Client 3.8.5 `_ 197 | - `If OS X Server 3 and earlier doesn't display recent VPP purchases `_ 198 | - `About collaboration for Pages, Numbers, and Keynote `_ 199 | - `Add a song to a playlist in Apple Music without adding it to your library `_ 200 | - `Set up your document in Pages `_ 201 | - `Use Photos on your Mac `_ 202 | - `If Boot Camp Assistant gives a "Not enough space" error `_ 203 | - `If you can't activate your iPhone `_ 204 | - `Get started with Keynote Live `_ 205 
| - `If Final Cut Pro X doesn't respond when you share to DVD `_ 206 | - `About OS X wireless roaming for enterprise customers `_ 207 | - `If you can’t activate your iPad 2 (GSM model) after you update to iOS 9.3 `_ 208 | - `Add photos to your project in Photos for OS X `_ 209 | - `Get help with over-the-air iOS updates `_ 210 | - `If hyperlinks don't open in Safari, Mail, or Messages after updating to iOS 9.3 `_ 211 | - `About the security content of iBooks Author 2.4.1 `_ 212 | - `About the security content of iOS 9.3.1 `_ 213 | - `Use Thai Baht in the iTunes Store and App Store `_ 214 | - `About the OS X El Capitan v10.11.5 Update `_ 215 | - `Export and import wikis created with macOS Server `_ 216 | - `"Duplicate these displays" not supported in Boot Camp running Windows 8.1 or Windows 10 `_ 217 | - `If Network User accounts do not receive profile updates while logged in `_ 218 | - `About the security content of Xcode 7.3.1 `_ 219 | - `About the security content of iTunes 12.4 `_ 220 | - `Change the audio and notification settings on your Apple Watch `_ 221 | - `Organize your classical music in iTunes `_ 222 | - `About OS X Server 5.1.5 `_ 223 | - `About storage on your device and in iCloud `_ 224 | - `If photos from an album or folder don't sync correctly to your iPhone, iPad, or iPod touch `_ 225 | - `Get help if you can't deregister iMessage `_ 226 | - `About the security content of tvOS 9.2.1 `_ 227 | - `About the security content of Safari 9.1.1 `_ 228 | - `About the security content of watchOS 2.2.1 `_ 229 | - `About the security content of OS X El Capitan v10.11.5 and Security Update 2016-003 `_ 230 | - `About the security content of iOS 9.3.2 `_ 231 | - `About Configurator 2.2.1 `_ 232 | - `How to access Chinese instruments and loops in GarageBand for iOS `_ 233 | - `Using 4K displays, 5K displays, and Ultra HD TVs with your Mac `_ 234 | - `If your installation stalls when you're upgrading Classroom app `_ 235 | - `Prepare to upgrade to Apple School 
Manager `_ 236 | - `If MacBook Pro (Retina, 13-inch, Early 2015) becomes unresponsive when a web browser is running `_ 237 | - `If the Caps Lock key on your MacBook or MacBook Pro isn't working as expected `_ 238 | - `View, change, or cancel your subscriptions in Israel, South Africa, or Turkey `_ 239 | - `Apple Pay participating banks in Europe `_ 240 | - `Apple Pay participating banks and card issuers in Asia-Pacific `_ 241 | - `About the OS X El Capitan v10.11.6 Update `_ 242 | - `When to use the Auto-Compensate Latency option in Logic Pro X `_ 243 | - `Manage included Apple apps for your institution `_ 244 | - `Prepare for changes to Xsan before you update to macOS Sierra `_ 245 | - `Some Logic Pro X plug-ins might sound different in MainStage `_ 246 | - `Logic Studio (2009) `_ 247 | - `About Apple Teacher Program Registration `_ 248 | - `Prepare for removal of PPTP VPN before you upgrade to iOS 10 and macOS Sierra `_ 249 | - `Security update for mDNSResponder `_ 250 | - `About the security content of AirPort Base Station Firmware Update 7.6.7 and 7.7.7 `_ 251 | - `Prepare your institution for iOS 10 and macOS Sierra `_ 252 | - `Fonts included with macOS Sierra `_ 253 | - `Verify your certificates for macOS Server `_ 254 | - `Prepare for macOS Sierra 10.12 with Active Directory `_ 255 | - `If your app doesn't start to install when you use Mobile Device Management (MDM) `_ 256 | - `Use a Managed Apple ID with iTunes U `_ 257 | - `Use Markup in Mail on your iPhone, iPad, or iPod touch `_ 258 | - `Upgrade to OS X El Capitan `_ 259 | - `About OS X Server v5.1.7 `_ 260 | - `macOS Sierra: Sophos Anti-Virus on-access scanner version 9.2.5 and earlier `_ 261 | - `macOS Sierra: Yamaha Steinberg USB Driver version 1.9.9 and earlier `_ 262 | - `OS X: When your computer spontaneously restarts or displays "Your computer restarted because of a problem." 
`_ 263 | - `Use message effects with iMessage on your iPhone, iPad, and iPod touch `_ 264 | - `Use Digital Touch on your iPhone, iPad, and iPod touch `_ 265 | - `About the security content of iCloud for Windows 5.2.1 `_ 266 | - `About the security content of Safari 9.1.2 `_ 267 | - `About the security content of iTunes 12.4.2 for Windows `_ 268 | - `About the security content of iOS 9.3.3 `_ 269 | - `About the security content of OS X El Capitan v10.11.6 and Security Update 2016-004 `_ 270 | - `About the security content of watchOS 2.2.2 `_ 271 | - `About the security content of tvOS 9.2.2 `_ 272 | - `Use iMessage apps on your iPhone, iPad, and iPod touch `_ 273 | - `Scribble on your Apple Watch `_ 274 | - `Apple Thunderbolt 3 (USB-C) to Thunderbolt 2 Adapter requires Thunderbolt 3 `_ 275 | - `Thunderbolt networking over USB-C requires Thunderbolt 3 `_ 276 | - `Use the Control Center on your Apple Watch `_ 277 | - `If you can't create accounts with email addresses that use the '+' or '.' 
character `_ 278 | - `Upgrade your institution to Apple School Manager `_ 279 | - `About SOS on Apple Watch `_ 280 | - `If you see a message that says you signed up for Apple Music through both your mobile phone service provider and Apple `_ 281 | - `Add your Desktop and Documents files to iCloud Drive `_ 282 | - `About time-zone updates for iOS 10 or later, watchOS 3 or later, and tvOS 10 or later `_ 283 | - `Share your notes `_ 284 | - `Switch between apps using the Dock on your Apple Watch `_ 285 | - `Use Siri on your Mac `_ 286 | - `Automatically unlock your Mac with your Apple Watch `_ 287 | - `Free up storage space on your Mac `_ 288 | - `Watch video using Picture in Picture on your Mac `_ 289 | - `Use tabs with apps on your Mac `_ 290 | - `Use the Breathe app `_ 291 | - `About iMessage and SMS/MMS `_ 292 | - `Learn more about your AirPods with charging case `_ 293 | - `Use your AirPods `_ 294 | - `Charge your AirPods with charging case and learn about battery life `_ 295 | - `Share your Activity with your Apple Watch `_ 296 | - `Manage Personalized Recommendations `_ 297 | - `Set up your Medical ID in the Health app on your iPhone `_ 298 | - `Enjoy your Memories in Photos `_ 299 | - `If your Apple Watch is lost or stolen `_ 300 | - `Use Display Accommodations on your iPhone, iPad, and iPod touch `_ 301 | - `About the security content of iOS 9.3.4 `_ 302 | - `About macOS Server 5.2 `_ 303 | - `Use SFTP to upload student, staff, and class data to Apple School Manager `_ 304 | - `Use a Handy Tech Active Star 40 with your iPhone, iPad, or iPod touch with VoiceOver `_ 305 | - `Use Display Accommodations on your Apple TV (4th generation) `_ 306 | - `Answer or make TTY calls from your iPhone `_ 307 | - `Upgrade and migrate data on your macOS Server `_ 308 | - `Use Single sign-on with your iOS device or Apple TV (4th generation) `_ 309 | - `About iPhone 7 and iPhone 7 Plus splash, water, and dust resistance `_ 310 | - `Use a GW Braille Sense Plus display with your 
iPhone, iPad, or iPod touch `_ 311 | - `Digital camera RAW formats supported by iOS 10 and macOS Sierra `_ 312 | - `Use your HIMS Smart Beetle display with VoiceOver on your iPhone, iPad, and iPod touch `_ 313 | - `Use Touch ID on MacBook Pro `_ 314 | - `Use the Touch Bar on your MacBook Pro `_ 315 | - `About Location Services and Privacy `_ 316 | - `Automate and remotely access your HomeKit accessories `_ 317 | - `Printer and scanner software for OS X Mountain Lion `_ 318 | - `Stream your iTunes Store movies or TV shows `_ 319 | - `Use Typing Feedback on your iPhone, iPad, or iPod touch `_ 320 | - `Use GPS and Location Services for apps on your iPhone, iPad, or iPod touch `_ 321 | - `Charge your MacBook Pro with Thunderbolt 3 `_ 322 | - `Detect and block spam phone calls with third-party apps `_ 323 | - `Mac computers in USB Target Disk Mode via USB-C appear as "unknown" in Windows `_ 324 | - `About People in Photos on your iPhone, iPad, or iPod touch `_ 325 | - `Start up your MacBook Pro by opening it or plugging it in `_ 326 | - `About the security content of iOS 9.3.5 `_ 327 | - `If you're asked to click Connect before reconnecting to a server `_ 328 | - `How to daisy-chain USB 2.0 devices to Thunderbolt 3 ports `_ 329 | - `Use Widgets on your iPhone, iPad, and iPod touch `_ 330 | - `Cleaning your iPhone `_ 331 | - `How updating a library for Final Cut Pro X 10.3 can affect your audio `_ 332 | - `If your Bluetooth mouse doesn't work during Windows installation `_ 333 | - `Use shared storage with Final Cut Pro X 10.3 `_ 334 | - `About the security content of Security Update 2016-001 El Capitan and Security Update 2016-005 Yosemite `_ 335 | - `About the security content of Safari 9.1.3 `_ 336 | - `Find and organize emails on your iPhone, iPad, or iPod touch `_ 337 | - `About Apple Configurator 2.3 `_ 338 | - `About the security content of Xcode 8 `_ 339 | - `About the security content of watchOS 3 `_ 340 | - `About the security content of tvOS 10 `_ 341 | - 
`About the security content of iOS 10 `_ 342 | - `Manage Exchange meeting invitations on your iPhone, iPad, or iPod touch `_ 343 | - `About the security content of iOS 10.0.1 `_ 344 | - `About the security content of iCloud for Windows 6.0 `_ 345 | - `iTunes Gift Card Scams - Official Apple Support `_ 346 | - `Get help transferring Suica cards to your iPhone or Apple Watch `_ 347 | - `Using Suica on iPhone or Apple Watch in Japan `_ 348 | - `Set up a Suica card in Apple Pay `_ 349 | - `About the security content of Safari 10 `_ 350 | - `About the security content of iTunes 12.5.1 for Windows `_ 351 | - `If some apps don’t load on your iPhone, iPad, or iPod touch `_ 352 | - `About the security content of macOS Sierra 10.12 `_ 353 | - `About the security content of macOS Server 5.2 `_ 354 | - `List of available trusted root certificates in iOS 10 `_ 355 | - `Use #images with Messages in iOS 10 `_ 356 | - `See a voicemail transcription on your iPhone `_ 357 | - `If Pages, Numbers, or Keynote suddenly quit when you open them on your iPhone, iPad, or iPod touch `_ 358 | - `If some apps don’t load on your iPhone, iPad, or iPod touch `_ 359 | - `About the Home button on iPhone 7 and iPhone 7 Plus `_ 360 | - `List of available trusted root certificates in macOS Sierra `_ 361 | - `List of available trusted root certificates in watchOS 3 `_ 362 | - `Apple School Manager release notes `_ 363 | - `Connect with Thunderbolt 3 on your new MacBook Pro `_ 364 | - `Hear Mickey Mouse or Minnie Mouse speak the time `_ 365 | - `Switch from two-step verification to two-factor authentication `_ 366 | - `About the security content of iOS 10.0.2 `_ 367 | - `If a Core Audio alert appears in GarageBand for iOS `_ 368 | - `Use Apple School Manager and Profile Manager to assign Volume Store content `_ 369 | - `Manage and delete contacts on your iPhone, iPad, or iPod touch `_ 370 | - `Change the font size or zoom level of web pages in Safari `_ 371 | - `Use mailboxes to organize emails on your 
iPhone, iPad, and iPod touch `_ 372 | - `How to find your parked car with Maps on your iPhone `_ 373 | - `Lists of available trusted root certificates in tvOS `_ 374 | - `List of available trusted root certificates in tvOS 10 `_ 375 | - `About Subscriptions and Privacy `_ 376 | - `How to use pro apps with Optimized Storage `_ 377 | - `If you can't find your shared Final Cut Pro X media in iTunes `_ 378 | - `Export XML from Final Cut Pro X 10.3 for Logic Pro X `_ 379 | - `Using function keys on MacBook Pro with Touch Bar `_ 380 | - `Pages for iOS release notes `_ 381 | - `Pages for Mac release notes `_ 382 | - `Numbers for Mac release notes `_ 383 | - `Numbers for iOS release notes `_ 384 | - `Keynote for iOS release notes `_ 385 | - `Keynote for Mac release notes `_ 386 | - `Verify installation of Pro Video Formats `_ 387 | - `Prevent your Mac from downloading updates in the background `_ 388 | - `Add a personal Apple ID as a contributor to a managed iTunes U course `_ 389 | - `Use the TV app on your Apple TV (4th generation), iPhone, and iPad `_ 390 | - `Connect with Thunderbolt 3 on your new MacBook Pro `_ 391 | - `Use accessibility features with Touch Bar on your MacBook Pro `_ 392 | - `Use accessibility features with Touch Bar on your MacBook Pro `_ 393 | - `Use camera modes on your iPhone, iPad, and iPod touch `_ 394 | - `Update your libraries for Final Cut Pro X 10.3 `_ 395 | - `If your iPhone 7 or iPhone 7 Plus enters recovery mode as you try to update `_ 396 | - `About the security content of iOS 10.0.3 `_ 397 | - `About Final Cut Pro X and Motion plug-in compatibility `_ 398 | - `Connect devices and displays with the Apple Thunderbolt 3 (USB-C) to Thunderbolt 2 Adapter `_ 399 | - `Xsan 5 volumes might be temporarily inaccessible after some operations `_ 400 | - `About the security content of Xcode 8.1 `_ 401 | - `About the security content of watchOS 3.1 `_ 402 | - `About the security content of tvOS 10.0.1 `_ 403 | - `About the security content of iOS 
10.1 `_ 404 | - `About the security content of Safari 10.0.1 `_ 405 | - `About the security content of iCloud for Windows 6.0.1 `_ 406 | - `About the security content of iTunes 12.5.2 for Windows `_ 407 | - `About the security content of macOS Sierra 10.12.1, Security Update 2016-002 El Capitan, and Security Update 2016-006 Yosemite `_ 408 | - `Redeem your App Store Top-Up card in China `_ 409 | - `If a DVD created in Final Cut Pro X, Motion, or Compressor is blank `_ 410 | - `If your MacBook Pro (15-inch, Late 2016) doesn't start up correctly with Sharp PN-K321 display connected `_ 411 | - `How to use the flashlight on your iPhone and iPod touch `_ 412 | - `About the security content of iOS 10.1.1 `_ 413 | - `If you see a "No images are available" error message when you install Windows 10 `_ 414 | - `Turn off Voice Control on your iPhone `_ 415 | - `If images appear cropped in the viewer in Final Cut Pro X 10.3 `_ 416 | - `Availability of Apple programs for education and business `_ 417 | - `About the macOS Sierra 10.12.2 Update `_ 418 | - `iOS Compatibility with Cisco QoS Fastlane & Adaptive 802.11r `_ 419 | - `Take and edit Live Photos `_ 420 | - `Safety certifications for iPod touch batteries `_ 421 | - `Replace your iPhone, iPad, or Apple Watch `_ 422 | - `Share photos to Facebook from iPhoto and Aperture `_ 423 | - `If a library won't update in Final Cut Pro X 10.3 `_ 424 | - `Using the Escape button on your MacBook Pro with Touch Bar `_ 425 | - `If kernel_task is using a large percentage of your Mac CPU `_ 426 | - `If your Xsan service doesn’t work after you upgrade to macOS Sierra 10.12.2 `_ 427 | - `Organize and find your photos `_ 428 | - `If Final Cut Pro X 10.3 doesn't open previously open libraries `_ 429 | - `If you see an ISO file error while using Boot Camp to install Windows `_ 430 | - `If you can't buy, redownload, or play 1080p video content from the iTunes Store `_ 431 | - `Connect your Student Information System to Apple School Manager `_ 432 | 
- `Install Audio Driver Update for Boot Camp to avoid issues with 2016 MacBook Pro speakers `_ 433 | - `Upgrade to Xsan 5 `_ 434 | - `About iTunes U `_ 435 | - `About the security content of Safari 10.0.2 `_ 436 | - `About the security content of iOS 10.2 `_ 437 | - `About the security content of macOS Sierra 10.12.2, Security Update 2016-003 El Capitan, and Security Update 2016-007 Yosemite `_ 438 | - `About the security content of iCloud for Windows 6.1 `_ 439 | - `About the security content of tvOS 10.1 - Apple Support `_ 440 | - `About the security content of iTunes 12.5.4 for Windows `_ 441 | - `What does iCloud back up? `_ 442 | - `About the security content of Transporter 1.9.2 `_ 443 | - `Preserve or migrate data for Apple Configurator 2 `_ 444 | - `Use the LG UltraFine 4K Display with your MacBook or MacBook Pro `_ 445 | - `Use the LG UltraFine 5K Display with your Mac `_ 446 | - `About the battery usage on your iPhone, iPad, and iPod touch `_ 447 | - `Safari and WebKit ending support for SHA-1 certificates `_ 448 | - `About the macOS Sierra 10.12.3 Update `_ 449 | - `Apply plug-in effects to audio regions in Logic Pro X `_ 450 | - `Work with track alternatives in Logic Pro X `_ 451 | - `Turn off Hyper-V to use Windows 10 on your Mac `_ 452 | - `Use HDR on your iPhone, iPad, and iPod touch `_ 453 | - `Use Extreme Tuning in GarageBand for iOS `_ 454 | - `Logic Pro X 10.2 – 10.2.4 release notes `_ 455 | - `About the security content of Logic Pro X 10.3 `_ 456 | - `About the security content of GarageBand 10.1.5 `_ 457 | - `About the security content of iCloud for Windows 6.1.1 `_ 458 | - `About the security content of iOS 10.2.1 `_ 459 | - `About the security content of macOS Sierra 10.12.3 `_ 460 | - `About the security content of Safari 10.0.3 `_ 461 | - `About the security content of tvOS 10.1.1 `_ 462 | - `About the security content of iTunes 12.5.5 for Windows `_ 463 | - `About the security content of watchOS 3.1.3 `_ 464 | - `If an alert in the TV
app repeatedly asks you to connect your apps `_ 465 | - `If text in Osaka font looks clipped in iPhoto projects `_ 466 | - `Apple FIPS Cryptographic Modules v7.0 for iOS 10 `_ 467 | - `Apple FIPS Cryptographic Modules v7.0 for macOS Sierra 10.12 `_ 468 | - `Exchange "Pro Apps Bundle for Education" redemption codes `_ 469 | 470 | -------------------------------------------------------------------------------- /General/Files_and_Storage/Storage_Structure.rst: -------------------------------------------------------------------------------- 1 | Storage Structure 2 | ================= 3 | 4 | 5 | Partition Schemes 6 | ----------------- 7 | 8 | 9 | ======= ======================= ========================================================================= 10 | Acronym Name Description 11 | ======= ======================= ========================================================================= 12 | APM Apple Partition Map This is the traditional Apple partitioning scheme used to start up a 13 | PowerPC-based Macintosh computer, to use the disk as a non-startup disk 14 | with any Mac, or to create a multiplatform compatible startup disk. 15 | MBR Master Boot Record This is the DOS/Windows-compatible partitioning scheme. 16 | GPT GUID Partitioning Table This is the partitioning scheme used to start up an Intel-based 17 | Macintosh computer. 
18 | ======= ======================= ========================================================================= 19 | 20 | Source: `diskutil(8) `_ 21 | 22 | Filesystems 23 | ----------- 24 | 25 | ======================================== ============================================== =========== 26 | Acronym Name Description 27 | ======================================== ============================================== =========== 28 | APFS APFS 29 | ExFAT ExFAT 30 | Free Space (or free) Free Space 31 | MS-DOS MS-DOS (FAT) 32 | MS-DOS FAT12 MS-DOS (FAT12) 33 | MS-DOS FAT16 MS-DOS (FAT16) 34 | MS-DOS FAT32 (or fat32) MS-DOS (FAT) 35 | HFS+ Mac OS Extended 36 | Case-sensitive HFS+ (or hfsx) Mac OS Extended (Case-sensitive) 37 | Case-sensitive Journaled HFS+ (or jhfsx) Mac OS Extended (Case-sensitive, Journaled) 38 | Journaled HFS+ (or jhfs+) Mac OS Extended (Journaled) 39 | ======================================== ============================================== =========== 40 | 41 | 42 | Source: `diskutil(8) `_ 43 | 44 | APFS 45 | ^^^^ 46 | 47 | APFS is the new file system that was announced at WWDC '16. It will be available on all Mac and iOS devices in 2017. 48 | 49 | It offers awesome new and improved features such as: 50 | 51 | - Clones 52 | - Snapshots 53 | - Space Sharing 54 | - Encryption 55 | - Crash Protection 56 | - Sparse Files 57 | - Fast Directory Sizing 58 | - Atomic Safe-Save 59 | 60 | 61 | Rich Trouton gave a very interesting talk at MacAdUk. Grab it `here `_.
62 | 63 | Source: `APFS Guide `_ 64 | 65 | CoreStorage 66 | ----------- 67 | 68 | ======= ======================= ========================================================================= 69 | Acronym Name Description 70 | ======= ======================= ========================================================================= 71 | LVG Logical Volume Group 72 | PV Physical Volume 73 | LVF Logical Volume Family 74 | LV Logical Volume 75 | ======= ======================= ========================================================================= 76 | 77 | Source: `diskutil(8) `_ 78 | -------------------------------------------------------------------------------- /General/Files_and_Storage/index.rst: -------------------------------------------------------------------------------- 1 | Files and Storage 2 | ****************** 3 | 4 | .. toctree:: 5 | :maxdepth: 1 6 | :glob: 7 | 8 | * 9 | -------------------------------------------------------------------------------- /General/Packaging/Forgetting-a-package.rst: -------------------------------------------------------------------------------- 1 | Forgetting a Package 2 | ==================== 3 | 4 | Forgetting a package is a good way to troubleshoot some behaviours. It doesn't change anything on disk, but the computer will believe the package was never installed. 5 | 6 | Installer.app/SWU 7 | ----------------- 8 | 9 | For OS X packages installed by Installer.app or Software Update, use ``sudo pkgutil --forget [package_id]``. You can list the currently installed packages with ``pkgutil --pkgs``. 10 | 11 | This will get updated at next recon to Inventory > Package Receipts > Installer.app/SWU. 12 | 13 | Note: According to `pkgutil(1) `_:: 14 | 15 | Discard all receipt data about package-id, but do not touch the installed files. 16 | DO NOT use this command from an installer package script to fix broken package design.
17 | 18 | Casper Suite 19 | ------------ 20 | 21 | To change this (unrelated) list, you need to delete the relevant file in ``/Library/Application Support/JAMF/Receipts``, then run ``sudo jamf recon``. 22 | 23 | This doesn't do anything but change inventory. 24 | -------------------------------------------------------------------------------- /General/Packaging/index.rst: -------------------------------------------------------------------------------- 1 | Packaging 2 | ********* 3 | 4 | .. toctree:: 5 | :maxdepth: 2 6 | :titlesonly: 7 | :glob: 8 | 9 | * 10 | -------------------------------------------------------------------------------- /General/Peripherals/Printing.rst: -------------------------------------------------------------------------------- 1 | Printing 2 | ======== 3 | On OS X, the printing subsystem is CUPS. 4 | 5 | Ways to modify CUPS configuration 6 | --------------------------------- 7 | 8 | - System Preferences > Printers & Scanners 9 | - ``_ 10 | - ``sudo lpadmin`` 11 | 12 | Options 13 | ------- 14 | 15 | Set default printer 16 | ^^^^^^^^^^^^^^^^^^^ 17 | 18 | ``sudo lpadmin -d [printer]`` 19 | 20 | Enable Kerberos Authentication 21 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 22 | 23 | ``sudo lpadmin -p [printer] -o auth-info-required=negotiate`` 24 | 25 | You can optionally follow `this article `_ from Apple. 26 | 27 | Change default options 28 | ^^^^^^^^^^^^^^^^^^^^^^ 29 | 30 | To change defaults, use this command: ``sudo lpadmin -p [printer] -o [option]=[value]``. For example: ``sudo lpadmin -p Follow-Me -o XRBannerSheet=None`` 31 | 32 | List available options 33 | ^^^^^^^^^^^^^^^^^^^^^^ 34 | 35 | Use ``lpoptions -p [printer] -l``.
36 | 37 | Notable options 38 | ^^^^^^^^^^^^^^^ 39 | 40 | ================== ================================================================================== ====================================================== 41 | Option Values Description 42 | ================== ================================================================================== ====================================================== 43 | printer_is_shared true/false share printer 44 | auth-info-required "none", "username,password", "domain,username,password", or "negotiate" (Kerberos) Set to ``negotiate`` to allow Kerberos 45 | media Letter A4… See `here `_ for more info 46 | XRBannerSheet \*None AtStart On Xerox, displays the coverpage with Job ID 47 | ================== ================================================================================== ====================================================== 48 | 49 | More info `here `_ 50 | 51 | Discovering options 52 | ^^^^^^^^^^^^^^^^^^^ 53 | 54 | This will allow you to make changes using a GUI, and find the right option. 55 | 56 | Using GUI 57 | """"""""" 58 | 59 | 1. Open print dialog 60 | 2. Create a preset 61 | 3. execute ``defaults read ~/Library/Preferences/com.apple.print.custompresets.forprinter.[printer].plist [preset] > before.txt`` 62 | 4. Make changes 63 | 5. Create a new preset 64 | 6. execute ``defaults read ~/Library/Preferences/com.apple.print.custompresets.forprinter.[printer].plist [new_preset] > after.txt`` 65 | 7. See differences with ``diff before.txt after.txt`` 66 | 67 | Using CUPS Web 68 | """""""""""""" 69 | 70 | I found it quite interesting to follow this: 71 | 72 | 1. ``lpoptions -p [printer] -l > before.txt`` 73 | 2. Make the changes on ``_ > Printer > Set default Options 74 | 3. Run ``lpoptions -p [printer] -l > after.txt`` 75 | 4. 
See differences with ``diff before.txt after.txt`` 76 | 77 | 78 | Adding a printer 79 | ---------------- 80 | 81 | Network Printer 82 | ^^^^^^^^^^^^^^^ 83 | The command to install a printer is ``lpadmin``. You will need to specify: 84 | 85 | - ``-E`` to Enable the destination and accept jobs 86 | - ``-p [name]``: name of the printer 87 | - ``-v [uri]``: path to the queue (smb://server/queue) 88 | - ``-P [PPD]``: path to PPD (usually in /Library/Printers/PPDs/Contents/Resources/) 89 | - ``-o [option]=[value]``: specify options 90 | 91 | 92 | Example 93 | """""""" 94 | 95 | .. code-block:: bash 96 | 97 | #!/bin/bash 98 | # 99 | # Installs printer, using Xerox Drivers (Xerox_Print_Driver_3.52.0.pkg) 100 | # 101 | 102 | readonly LPSTAT='/usr/bin/lpstat' 103 | readonly LPADMIN='/usr/sbin/lpadmin' 104 | readonly CUPSENABLE='/usr/sbin/cupsenable' 105 | readonly CUPSACCEPT='/usr/sbin/cupsaccept' 106 | 107 | 108 | ####################################### 109 | # Add printers using cups 110 | # Globals: 111 | # LPSTAT 112 | # LPADMIN 113 | # CUPSENABLE 114 | # CUPSACCEPT 115 | # Arguments: 116 | # name 117 | # uri 118 | # ppd 119 | # Returns: 120 | # None 121 | ####################################### 122 | 123 | add_printer() { 124 | 125 | local name="$1" 126 | local uri="$2" 127 | local ppd="$3" 128 | 129 | if ! ${LPADMIN} -E -p "${name}" \ 130 | -v "${uri}" \ 131 | -P "${ppd}" \ 132 | -o printer_is_shared=false \ 133 | -o auth-info-required=negotiate \ 134 | -o XRBannerSheet=None \ 135 | -o media=iso_a4_210x297mm; then 136 | echo "ERROR: ${name}: Unable to lpadmin (add printer)" >&2 137 | exit -1 138 | fi 139 | 140 | # cupsaccept and cupsenable are not needed because of '-E'. I don't remember why I included them. 141 | if ! ${CUPSACCEPT} "${name}"; then 142 | echo "ERROR: ${name}: Unable to cupsaccept." >&2 143 | exit -1 144 | fi 145 | 146 | if ! ${CUPSENABLE} "${name}"; then 147 | echo "ERROR: ${name}: Unable to cupsenable."
>&2 148 | exit -1 149 | fi 150 | } 151 | 152 | if (! ${LPSTAT} -v "Follow-Me"); then 153 | add_printer "Follow-Me" \ 154 | "smb://printserver.fti.io/Follow-Me%20Xerox%20(PCL6)" \ 155 | "/Library/Printers/PPDs/Contents/Resources/Xerox WC 7545.gz" 156 | fi 157 | 158 | 159 | exit 0 160 | 161 | -------------------------------------------------------------------------------- /General/Peripherals/index.rst: -------------------------------------------------------------------------------- 1 | Peripherals 2 | *********** 3 | 4 | .. toctree:: 5 | :maxdepth: 2 6 | :titlesonly: 7 | :glob: 8 | 9 | * 10 | -------------------------------------------------------------------------------- /General/index.rst: -------------------------------------------------------------------------------- 1 | General Mac Knowledge 2 | ********************* 3 | 4 | .. toctree:: 5 | :maxdepth: 2 6 | :titlesonly: 7 | :glob: 8 | 9 | * 10 | Packaging/index 11 | macOS_Installation/index 12 | macOS_Configuration/index 13 | Files_and_Storage/index 14 | Peripherals/index 15 | -------------------------------------------------------------------------------- /General/macOS_Configuration/SysPrefs-10.12.3-Hardware.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shufflepuck/MacAdminsDoc/58379e36d1e9fb8ec051e35af2eb52c3a2d86c33/General/macOS_Configuration/SysPrefs-10.12.3-Hardware.png -------------------------------------------------------------------------------- /General/macOS_Configuration/SysPrefs-10.12.3-Network.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shufflepuck/MacAdminsDoc/58379e36d1e9fb8ec051e35af2eb52c3a2d86c33/General/macOS_Configuration/SysPrefs-10.12.3-Network.png -------------------------------------------------------------------------------- /General/macOS_Configuration/SysPrefs-10.12.3-Personal.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shufflepuck/MacAdminsDoc/58379e36d1e9fb8ec051e35af2eb52c3a2d86c33/General/macOS_Configuration/SysPrefs-10.12.3-Personal.png -------------------------------------------------------------------------------- /General/macOS_Configuration/SysPrefs-10.12.3-System.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shufflepuck/MacAdminsDoc/58379e36d1e9fb8ec051e35af2eb52c3a2d86c33/General/macOS_Configuration/SysPrefs-10.12.3-System.png -------------------------------------------------------------------------------- /General/macOS_Configuration/SysPrefs-10.12.3-ThirdParty.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shufflepuck/MacAdminsDoc/58379e36d1e9fb8ec051e35af2eb52c3a2d86c33/General/macOS_Configuration/SysPrefs-10.12.3-ThirdParty.png -------------------------------------------------------------------------------- /General/macOS_Configuration/System_Preferences.rst: -------------------------------------------------------------------------------- 1 | System Preferences 2 | ================== 3 | 4 | Personal 5 | -------- 6 | .. image:: SysPrefs-10.12.3-Personal.png 7 | 8 | Hardware 9 | -------- 10 | .. image:: SysPrefs-10.12.3-Hardware.png 11 | 12 | Network 13 | -------- 14 | .. image:: SysPrefs-10.12.3-Network.png 15 | 16 | System 17 | ------ 18 | .. image:: SysPrefs-10.12.3-System.png 19 | 20 | 21 | Third Party 22 | ----------- 23 | .. image:: SysPrefs-10.12.3-ThirdParty.png -------------------------------------------------------------------------------- /General/macOS_Configuration/index.rst: -------------------------------------------------------------------------------- 1 | macOS Configuration 2 | ******************* 3 | 4 | .. 
toctree:: 5 | :maxdepth: 1 6 | :glob: 7 | 8 | * 9 | -------------------------------------------------------------------------------- /General/macOS_Installation/Setup_Assistant.rst: -------------------------------------------------------------------------------- 1 | Setup Assistant 2 | =================== 3 | 4 | Setup Assistant is also called "MacBuddy" 5 | 6 | Setup Assistant Panes 7 | --------------------- 8 | 9 | ============================================ =================== =========== ============== ================================ 10 | Name Log Short Name MDM Key MDM Skippable? File Trigger 11 | ============================================ =================== =========== ============== ================================ 12 | Choose Language No `/var/db/.AppleSetupDone` 13 | Select Keyboard SelectKeyboard No `/var/db/.AppleSetupDone` 14 | Network Setup SelectWiFiNetwork No `/var/db/.AppleSetupDone` 15 | Transfer Data MigrationWelcome Restore Yes `/var/db/.AppleSetupDone` 16 | Location Services EnableCoreLocation Location Yes `/var/db/.AppleSetupDone` 17 | Apple ID and iCloud Sign-in iCloudLogin AppleID Yes `com.apple.SetupAssistant.plist` 18 | Terms and Conditions LicenseViewer TOS Yes `/var/db/.AppleSetupDone` 19 | Create User Account CreateUserAccount Yes* `/var/db/.AppleSetupDone` 20 | Automatically sending diagnostic information DiagnosticsAndUsage Diagnostics Yes `com.apple.SetupAssistant.plist` 21 | Siri EnableSiri Siri Yes `/var/db/.AppleSetupDone` 22 | Touch ID Biometric Yes `/var/db/.AppleSetupDone` 23 | Apple Pay Payment Yes `/var/db/.AppleSetupDone` 24 | Setting Up Your Mac SettingUpYourMac No `/var/db/.AppleSetupDone` 25 | ============================================ =================== =========== ============== ================================ 26 | 27 | \*Initial User Creation can be skipped under certain conditions 28 | 29 | 30 | Skipping Setup Assistant 31 | ------------------------ 32 | 33 | With an MDM 34 | ^^^^^^^^^^^^ 35 | 36 | Having a 
MDM can allow skipping some steps. 37 | 38 | More info on MDM protocol `here `_ (search for `skip_setup_items`) 39 | 40 | By messing with some files 41 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^ 42 | 43 | Setup Assistant will only launch if `/var/db/.AppleSetupDone` is not present. Deleting this key will skip most of the steps. 44 | 45 | `/Users/[username]/Library/Preferences/com.apple.SetupAssistant.plist` will store iCloud/Apple ID setup and Diagnostic Information agreement. More info on `Rich's blog `_ 46 | 47 | Mager Valp has an `interesting script `_ you might want to check. -------------------------------------------------------------------------------- /General/macOS_Installation/index.rst: -------------------------------------------------------------------------------- 1 | macOS Installation 2 | ****************** 3 | 4 | .. toctree:: 5 | :maxdepth: 1 6 | :glob: 7 | 8 | * 9 | -------------------------------------------------------------------------------- /Integration/Active_Directory.rst: -------------------------------------------------------------------------------- 1 | .. only:: html 2 | 3 | .. sidebar:: Article information 4 | 5 | :Authors: 6 | :ref:`Ftiff `, 7 | :ref:`Mactroll `, 8 | Rick, 9 | Adam 10 | 11 | :Updated: |today| 12 | 13 | Active Directory 14 | ================ 15 | 16 | Whether or not to bind to Active Directory is *the* debate today. A couple of years ago, the general recommendation was to bind computers to Active Directory. With the change from desktop and shared computers to 1-to-1 laptop deployments, the picture has dramatically changed.
17 | 18 | After the Kerbminder and ADPassMon scripts, we now have two alternatives: 19 | 20 | * Apple Enterprise Connect 21 | * Orchard & Grove - NoMAD 22 | 23 | Arguments for binding or not binding to Active Directory 24 | -------------------------------------------------------- 25 | 26 | ============================================================================ ================================================================================================================================================================================================================================================================================================== ==================================================================================================================================================================================================================================== 27 | Topic Binding Not Binding 28 | ============================================================================ ================================================================================================================================================================================================================================================================================================== ==================================================================================================================================================================================================================================== 29 | 802.1x Wi-Fi (WPA2 Enterprise EAP-TLS) can use the machine certificate generated by AD We can also use a profile that will deploy the root certificates and request a machine certificate through SCEP 30 | NoMAD can request a 802.1x certificate 31 | Kerberos tickets AD automatically provides Kerberos tickets, but only at login and when unlocking from screensaver. 
On mobile computers, users don’t logout as often and are mostly on Wi-Fi which doesn’t have time to connect before unlocking the screensaver. As a result, kerberos tickets are rarely renewed. Enterprise Connect or NoMAD handles the renewal of Kerberos tickets 32 | AD users can log in to any bound Mac & Shared use of Mac (eg. Lab computers) As user identification and authentication resides on server, users can log in on any bound Mac. This is especially interesting for shared environments such as Labs On mobile devices, this is getting harder as Portable Home Directories (syncing user home from file share) is no longer supported. The only possibility is to use network directories which are impractical in a mobile environment 33 | User identification and computer usage traceability Binding to AD ensures that each username and uid is used only once across the bound Mac computers MDM can better trace computer usage 34 | Users can be admins via the directory plugin A group of users can be specified as a local admins A MDM can create a “management account” and take care of renewing the password 35 | Password policies Password policies are handled in the AD account A Password policy can be deployed 36 | User Password expiry Password expiry is handled in the AD account A Password policy can be deployed 37 | Ease of setup Computer needs to have access to AD during setup No particular setup is needed 38 | For authenticated DEP, computer needs access to the MDM 39 | Account lock Local account is locked at next login or unlock from screensaver A better way to lock the user is to issue the wipe or lock MDM command 40 | Keychain The keychain password is not synchronized with Active Directory. Local and remote passwords are not synced 41 | When the password change is not done on the Mac, the users will get prompted to enter his old and new password Enterprise Connect or NoMAD will sync the local password when it detects a change. 
Change will be replicated to the Keychain 42 | FileVault Password FileVault and remote passwords are not synced Filevault and remote passwords are not synced 43 | When the AD password is reset, Filevault will keep the previous password, meaning we need to also reset FileVault using the recovery key Enterprise Connect or NoMAD will sync the local password when it detects a change. Change will be replicated to FileVault 44 | 45 | ============================================================================ ================================================================================================================================================================================================================================================================================================== ==================================================================================================================================================================================================================================== 46 | 47 | Choosing between NoMAD and Apple Enterprise Connect 48 | --------------------------------------------------- 49 | 50 | Versions used: 51 | 52 | - Enterprise Connect 1.8.0 53 | - NoMAD 1.0.5 54 | - macOS 10.12 55 | 56 | ============================================================================= =============================================================================== ======================================================== ========================== 57 | x Enterprise Connect NoMAD (Active Directory binding) 58 | ============================================================================= =============================================================================== ======================================================== ========================== 59 | Vendor Apple Orchard & Grove Inc. 
Apple 60 | Open Source x √ x 61 | Support Supported by Apple PS as included in the engagement and/or AppleCare OS Support Support plans available Supported by AppleCare OS Support 62 | OS requirement 10.10+ 10.10+ 10.3+ 63 | Single Sign-On Automatically Automatically Only at login and screensaver 64 | Password Expiration via Notification Center via Notification Center Only at Login 65 | Password change via menu item via menu item via System Preferences or login window 66 | Fine Grained Password Policy support ~ (doesn't honor password expiration time) √ x 67 | Quick links to getting support and software x √ x 68 | Support for changing passwords not using AD, e.g. a web-based password portal √ √ x 69 | Password Synchronization Only when user is logged in Only when user is logged in Automatic 70 | Home Network Share Automount √ √ x 71 | Network Share Automount √ √ x 72 | Change Keychain Items on AD password change x √ x 73 | AD Binding required? x x √ 74 | macOS native? Uses Apple Frameworks Uses Apple Frameworks macOS Native 75 | Script on password change √ √ x 76 | Script on connection completed √ √ x 77 | Audit script √ x x 78 | Distribution single .pkg single .pkg macOS Native 79 | Configuration via a Configuration Profile (and .plist) via a Configuration Profile (and .plist) multiple ways 80 | X509 Identity from CA Script provided to request it via an AD Certificate profile payload √ Mature 81 | Language Support All macOS languages English, French, German, Spanish and others. 
All macOS languages 82 | Maturity Mature 1.1.0 x 83 | Installation Two-day on-site professional services engagement None None 84 | Price $5,500 (one-time fee) Free, Support plans available ($399 to $2,500 per year) Free 85 | Availability Contact your local Apple Sales Rep http://nomad.menu macOS Native 86 | ============================================================================= =============================================================================== ======================================================== ========================== 87 | 88 | -------------------------------------------------------------------------------- /Integration/index.rst: -------------------------------------------------------------------------------- 1 | Integration 2 | *********** 3 | 4 | Talking about integrating the Mac Computers to Enterprise environments. 5 | 6 | .. toctree:: 7 | :maxdepth: 2 8 | :titlesonly: 9 | :glob: 10 | 11 | * 12 | -------------------------------------------------------------------------------- /MDM/AirWatch/AirWatch-API.md: -------------------------------------------------------------------------------- 1 | 2 | # Using AirWatch API 3 | ## Initial Setup 4 | 5 | According to the "AirWatch REST API Guide" PDF document that you can get in https://my.air-watch.com, you need: 6 | 7 | - **the URL**: https:///API/v1/help 8 | - **the Token**: aw-tenant-code (or API Key) 9 | - **Authorization**: Basic base64.b64encode("username:password") 10 | 11 | ### Enable Basic Authentication and get the Token 12 | 13 | 1. Select the right Organization Group (eg. Root) 14 | 2. Enable Basic Authentication from `Groups > Groups & Settings > System > Advanced > API > REST > Authentication` 15 | 2. Go to `Group & Settings > System > Advanced > API > REST > General` 16 | 3. Tick “Enable API Access” & add a service. Entering a service name will generate an API Key, which we’ll need for API calls. 
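How the three values listed under Initial Setup (console URL, `aw-tenant-code`, Basic authorization) fit together, as an added example that is not part of the original page or AirWatch's own code. The helper names and the `AW_*` environment variable names are made up for this example, and nothing is sent over the network; `decode_basic` shows that the Basic value is only Base64-encoded, which is why the builder refuses non-HTTPS console URLs.

```python
import base64
from urllib.parse import urlencode, urlsplit


def basic_auth_value(username, password):
    """Return the Authorization value: 'Basic ' + base64('username:password')."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def decode_basic(value):
    """Reverse a Basic value. Base64 is an encoding, not encryption."""
    scheme, _, token = value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic authorization value")
    username, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return username, password


def build_call(console_url, path, username, password, tenant_code, pagesize=500):
    """Return (url, headers) for a GET request, accepting only https console URLs."""
    parts = urlsplit(console_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("console URL must be https://<host>: Basic credentials "
                         "are readable by anyone who can see the request")
    # The page gives 1-10000 as the valid range for the page size.
    if not 1 <= int(pagesize) <= 10000:
        raise ValueError("pagesize must be between 1 and 10000")
    url = f"https://{parts.netloc}{path}?{urlencode({'pagesize': pagesize})}"
    headers = {
        "Authorization": basic_auth_value(username, password),
        "aw-tenant-code": tenant_code,
        "Accept": "application/json",
    }
    return url, headers


def redact(headers):
    """Copy of the headers that is safe to print or log."""
    secret = {"authorization", "aw-tenant-code"}
    return {k: ("<redacted>" if k.lower() in secret else v)
            for k, v in headers.items()}


if __name__ == "__main__":
    import os

    # Hypothetical variable names; the fallbacks are the page's placeholder values.
    url, headers = build_call(
        os.environ.get("AW_CONSOLE_URL", "https://host.awmdm.com"),
        "/API/v1/mdm/devices/search",
        os.environ.get("AW_USER", "login"),
        os.environ.get("AW_PASSWORD", "password"),
        os.environ.get("AW_TENANT_CODE", "TENANT-CODE-PLACEHOLDER"),
    )
    print(url)
    print(redact(headers))
    # The sample header value used on this page decodes straight back:
    print(decode_basic("Basic bG9naW46cGFzc3dvcmQ="))
```

Pass the returned `url` and `headers` to `requests.get(url, headers=headers, timeout=30)` to make the call.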

> NOTE: This was called "Tenant Code" or "aw-tenant-code" previously & in the current (8.2) API documentation & will be referred to as such within this post.[^accessing-airwatchs-rest-api-with-python]

[^accessing-airwatchs-rest-api-with-python]: https://macmule.com/2015/12/14/accessing-airwatchs-rest-api-with-python/

### Authorization

The easiest way is to use Basic authentication.

1. Make sure your admin has the correct role. In production, you should create a custom Role, but for test, Console Administrator is fine. Make sure he's in the correct OG, of course.
2. The form should be "username:password", encoded using Base64. You can do this in the OS X terminal (see below)

```bash
$ python3 -c "import base64; print(base64.b64encode(b'login:password').decode())"
bG9naW46cGFzc3dvcmQ=
```

### Testing

#### Testing with Curl

```bash
$ curl -X "GET" "https://host.awmdm.com/API/v1/help" \
    -H "Authorization: Basic bG9naW46cGFzc3dvcmQ=" \
    -H "aw-tenant-code: bG9naW46cGFzc3dvcmFzZG/2FmYXNkZmFkc2Zhc2Zk="
```

#### Testing with Python

```python
# Install the Python Requests library:
# from bash: pip install requests

import requests


def send_request():
    # My API
    # GET https://host.awmdm.com/API/v1/help

    try:
        response = requests.get(
            url="https://host.awmdm.com/API/v1/help",
            headers={
                "Authorization": "Basic bG9naW46cGFzc3dvcmQ=",
                "aw-tenant-code": "bG9naW46cGFzc3dvcmFzZGZ/2FmYXNkZmFkc2Zhc2Zk=",
            },
        )
        print('Response HTTP Status Code: {status_code}'.format(
            status_code=response.status_code))
        print('Response HTTP Response Body: {content}'.format(
            content=response.content))
    except requests.exceptions.RequestException:
        print('HTTP Request failed')
```

## Queries (using Python)

I suggest using a REST editor to test your parameters, such as [Paw](https://luckymarmot.com/paw). It can also automatically generate Python code.

### Opening Request


```python
import requests

# Set your console URL (eg. 'https://cn23.awmdm.com').
# Keep it https: the Basic credentials below are only Base64-encoded.
consoleURL = 'https://cn23.awmdm.com'

# Maximum set of values (1-10000 - default: 500)
lookupLimit = '500'

# Base64 encoded 'login:password' -- discouraged in production
b64EncodedAuth = 'bG9naW46cGFzc3dvcmQ='

# Your tenant code (see above)
tenantCode = 'bG9naW46cGFzc3dvcmFzZG/2FmYXNkZmFkc2Zhc2Zk='

# Your request. See API documentation.
request = '/API/v1/mdm/devices/search'

# It's a good idea to enclose the following in a try-except format.
try:
    # API call: search devices, returning up to lookupLimit results per page
    request = requests.get(consoleURL + request + "?pagesize=" + lookupLimit,
                           headers={"Authorization": "Basic " + b64EncodedAuth,
                                    "aw-tenant-code": tenantCode,
                                    "Accept": "application/json"},
                           timeout=30)

    # If the above gives a 4XX or 5XX error
    request.raise_for_status()

    # Insert your code here

except requests.exceptions.RequestException as e:
    print('Get request failed with %s' % e)
```


### Getting all devices

`request = '/API/v1/mdm/devices/search'`

```python
# Get the JSON from the above
deviceDetails = request.json()

# Pull in the 'Devices' entry only
deviceDetails = deviceDetails['Devices']

# For each device in deviceDetails
for device in deviceDetails:

    # Log each device one by one
    print(device)
```

## Using with OS X Clients

Unfortunately, the API doesn't yet support all the features for OS X clients:
```xml

56b6ed75-30a2-418e-84fa-f8e04d35506a
501
Functionality not
supported for device type : AppleOsX 141 | 142 | ``` 143 | -------------------------------------------------------------------------------- /MDM/AirWatch/Profiles/Airwatch+Munki.md: -------------------------------------------------------------------------------- 1 | # Using AirWatch with Munki 2 | 3 | ## You need 3 Devices > File/Actions: 4 | 5 | 1. **Munki Tools**: Download and install latest release. Then upload it to /Library/AW and set Manifest to Install=`/Library/AW/munkitools-xx.yy.pkg` 6 | 2. **Munki Bootstrap**: Run= `/usr/bin/touch /Users/Shared/.com.googlecode.munki.checkandinstallatstartup` 7 | 3. **Munki Forcerun**: Run=`/usr/local/munki/managedsoftwareupdate --auto` 8 | 9 | I'm aware Forcerun is bad practice and you should reboot before. But I was told by Greg that worst case scenario nothing works until next reboot. I think I'm safe enough. 10 | 11 | ## You need one "Devices > Products": 12 | 13 | Create a product that includes the three File/Actions above. 14 | ## You need one "Devices > Profiles": 15 | 16 | ### Custom Settings 17 | ```xml 18 | 19 | PayloadDisplayName 20 | MacLovin - Munki (Demonstration Setup) 21 | PayloadEnabled 22 | 23 | PayloadIdentifier 24 | org.maclovin.munki.test 25 | PayloadUUID 26 | 8214F1A8-0E65-422C-A82C-088502A14FD6 27 | PayloadType 28 | ManagedInstalls 29 | PayloadVersion 30 | 1 31 | SoftwareRepoURL 32 | http://munki.maclovin.org/munki_repo 33 | ClientIdentifier 34 | test_munki_client 35 | 36 | ``` 37 | -------------------------------------------------------------------------------- /MDM/AirWatch/Profiles/EAP-TLS.md: -------------------------------------------------------------------------------- 1 | # Using an EAP-TLS certificate with WPA2 Enterprise (802.1X) 2 | 3 | ## Pre-requisites: 4 | 5 | 1. Use a cloud connector and configure Enterprise Integration to request a certificate from your Active Directory CA (ADDS) -- Not covered here 6 | 2. Create a single profile.
7 | 8 | In this profile, you'll add two payloads: 9 | 10 | ### Credentials (order is important): 11 | 1. First tab: Upload your CA, and select "Allow access to all applications" and "Allow export from Keychain" 12 | 2. Second tab: use your machine certificate (uncheck everything) 13 | 14 | ### Network: 15 | 1. Check Auto-Join 16 | 2. WPA/WPA2 Enterprise. For some reason, if I choose only "WPA2 Enterprise", it fails. But it will then connect as WPA2. 17 | 3. Uncheck "User logs in to authenticate with the network" 18 | 4. Protocols: EAP-TLS 19 | 5. Username: {EnrollmentUser} 20 | 6. Identity Certificate: Certificate #2 (This is why order is important). 21 | 7. Trusted certificates: Check both 22 | 8. Allow trust exceptions: Check 23 | -------------------------------------------------------------------------------- /MDM/AirWatch/index.rst: -------------------------------------------------------------------------------- 1 | AirWatch 2 | ******** 3 | 4 | .. toctree:: 5 | :maxdepth: 2 6 | :titlesonly: 7 | :glob: 8 | 9 | * 10 | -------------------------------------------------------------------------------- /MDM/CasperSuite/AutoPKG/Word-example.md: -------------------------------------------------------------------------------- 1 | # AutoPkg: Word Example 2 | ## Make an Override 3 | ```bash 4 | $ autopkg make-override com.github.jss-recipes.jss.MicrosoftWord 5 | Override file saved to /Users/admin/Library/AutoPkg/RecipeOverrides/Microsoft Word.jss.recipe 6 | $ mv ~/Library/AutoPkg/RecipeOverrides/Microsoft\ Word.jss.recipe ~/Library/AutoPkg/RecipeRepos/com.github.ftiff.mac-autopkg/MicrosoftOffice2016/ 7 | $ cd ~/Library/AutoPkg/RecipeRepos/com.github.ftiff.mac-autopkg/MicrosoftOffice2016/ 8 | ``` 9 | 10 | ## Recipe 11 | 12 | Delete all the keys you will not override. 13 | 14 | 1. Change the Identifier 15 | 2. Category (for Package) 16 | 3.
Policy_Category (for Policy) 17 | 18 | ```xml 19 | 20 | 21 | 22 | 23 | Identifier 24 | com.github.ftiff.mac-autopkg.jss.Microsoft Word 25 | Input 26 | 27 | CATEGORY 28 | Productivity 29 | GROUP_NAME 30 | %NAME%-update-smart 31 | GROUP_TEMPLATE 32 | SmartGroupTemplateCasper.xml 33 | POLICY_CATEGORY 34 | Productivity 35 | POLICY_TEMPLATE 36 | PolicyTemplate.xml 37 | 38 | ParentRecipe 39 | com.github.jss-recipes.jss.MicrosoftWord 40 | 41 | 42 | ``` 43 | 44 | ## Smart Group Template 45 | ```xml 46 | 47 | %group_name% 48 | true 49 | 50 | 51 | Packages Installed By Casper 52 | 0 53 | and 54 | does not have 55 | %NAME%-%VERSION%.pkg 56 | 57 | 58 | 59 | ``` 60 | 61 | ## Policy Template 62 | ```xml 63 | 64 | 65 | %PROD_NAME% 66 | true 67 | Ongoing 68 | 69 | %POLICY_CATEGORY% 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | true 83 | true 84 | Install %VERSION% 85 | %SELF_SERVICE_DESCRIPTION% 86 | 87 | 88 | true 89 | 90 | 91 | ``` 92 | 93 | ## Build the Recipe 94 | `$ autopkg run Microsoft\ Word.jss.recipe` 95 | 96 | ## Results 97 | 98 | ### Package 99 | 100 | ![Package](img/Word-example-package.png) 101 | 102 | ### Policy 103 | 104 | ![Package](img/Word-example-policy1.png) 105 | 106 | ![Package](img/Word-example-policy2.png) 107 | 108 | ![Package](img/Word-example-policy3.png) 109 | 110 | ### Smart Group 111 | 112 | ![Package](img/Word-example-smartgroup.png) -------------------------------------------------------------------------------- /MDM/CasperSuite/AutoPKG/img/Word-example-package.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shufflepuck/MacAdminsDoc/58379e36d1e9fb8ec051e35af2eb52c3a2d86c33/MDM/CasperSuite/AutoPKG/img/Word-example-package.png -------------------------------------------------------------------------------- /MDM/CasperSuite/AutoPKG/img/Word-example-policy1.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Shufflepuck/MacAdminsDoc/58379e36d1e9fb8ec051e35af2eb52c3a2d86c33/MDM/CasperSuite/AutoPKG/img/Word-example-policy1.png -------------------------------------------------------------------------------- /MDM/CasperSuite/AutoPKG/img/Word-example-policy2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shufflepuck/MacAdminsDoc/58379e36d1e9fb8ec051e35af2eb52c3a2d86c33/MDM/CasperSuite/AutoPKG/img/Word-example-policy2.png -------------------------------------------------------------------------------- /MDM/CasperSuite/AutoPKG/img/Word-example-policy3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shufflepuck/MacAdminsDoc/58379e36d1e9fb8ec051e35af2eb52c3a2d86c33/MDM/CasperSuite/AutoPKG/img/Word-example-policy3.png -------------------------------------------------------------------------------- /MDM/CasperSuite/AutoPKG/img/Word-example-smartgroup.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shufflepuck/MacAdminsDoc/58379e36d1e9fb8ec051e35af2eb52c3a2d86c33/MDM/CasperSuite/AutoPKG/img/Word-example-smartgroup.png -------------------------------------------------------------------------------- /MDM/CasperSuite/CDP.rst: -------------------------------------------------------------------------------- 1 | .. only:: html 2 | 3 | .. sidebar:: Article information 4 | 5 | **Authors**: 6 | * :ref:`ftiff ` 7 | 8 | Configuring Cloud Distribution Points 9 | ===================================== 10 | 11 | Concept 12 | ------- 13 | 14 | A Cloud Distribution Point (CDP) is a glorified FTP service. 15 | Currently, the JSS supports: 16 | 17 | - Amazon Web Services (S3 + CloudFront) 18 | - Rackspace Cloud Files 19 | - Akamai 20 | 21 | I will currently focus on Amazon S3. Feel free to fork and add more info. 

Amazon S3 + CloudFront
^^^^^^^^^^^^^^^^^^^^^^

As mentioned earlier, Amazon S3 is a glorified FTP service. It's available from Amazon Web Services and lets you store your files online. On top of that, we use CloudFront, which replicates your Amazon S3 data to all Amazon datacenters worldwide. Quite neat! But all great things come with a cost. Be careful with what you store. Perhaps it's time to leverage your applications' auto-update mechanisms!

.. note:: CloudFront automatically replicates your files across all Amazon datacenters. That means there will be a few minutes delay until your files are available everywhere.

Common setups
-------------

A single Cloud Distribution Point
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- Few users or few packages
- small, spread-out websites

CDP acting as 'backup' DP
^^^^^^^^^^^^^^^^^^^^^^^^^

- Provide data wherever the user is (= outside of the network)
- Provide data to small sites that don't need/want a local server

CDP for some files
^^^^^^^^^^^^^^^^^^

Set up a CDP and select which files you want to provide from it.

- Provide a fail-safe Distribution Point for small packages

Setting up
----------

Amazon S3
^^^^^^^^^

You need to create an IAM (Identity and Access Management) group and user, and assign a policy to limit its access rights.

1. Navigate to IAM
2. Create a group `jamf-group`
3. Create a user `jamf-user`
4. Assign the user `jamf-user` to the group `jamf-group`
5. Create and assign policy `jamf-policy` (see below) to the group `jamf-group`

With AWS CLI::

    # Create group
    aws iam create-group --group-name jamf-group --output table

    # Create user
    aws iam create-user --user-name jamf-user --output table

    # Create an access key for this user (will dump AccessKeyId and SecretAccessKey)
    aws iam create-access-key --user-name jamf-user

    # Add user to group
    aws iam add-user-to-group --user-name jamf-user --group-name jamf-group

    # Assign policy to group
    aws iam put-group-policy --group-name jamf-group --policy-document file://./jamf-group-policy.json --policy-name jamf-policy

    # Check if it's working well:
    aws iam get-group --group-name jamf-group --output table
    aws iam get-group-policy --group-name jamf-group --policy-name jamf-policy --output table


Your ``jamf-policy`` file:

.. code-block:: json

    {
        "Version": "2012-10-17",
        "Statement": [
            {

                "Effect": "Allow",
                "Action": [
                    "s3:*"
                ],
                "Resource": [
                    "*"
                ]
            },
            {

                "Effect": "Allow",
                "Action": [
                    "cloudfront:CreateCloudFrontOriginAccessIdentity",
                    "cloudfront:CreateDistribution",
                    "cloudfront:CreateInvalidation",
                    "cloudfront:CreateStreamingDistribution",
                    "cloudfront:GetCloudFrontOriginAccessIdentity",
                    "cloudfront:GetCloudFrontOriginAccessIdentityConfig",
                    "cloudfront:GetDistribution",
                    "cloudfront:GetDistributionConfig",
                    "cloudfront:GetInvalidation",
                    "cloudfront:GetStreamingDistribution",
                    "cloudfront:GetStreamingDistributionConfig",
                    "cloudfront:ListCloudFrontOriginAccessIdentities",
                    "cloudfront:ListDistributions",
                    "cloudfront:ListInvalidations",
                    "cloudfront:ListStreamingDistributions",
                    "cloudfront:UpdateCloudFrontOriginAccessIdentity",
                    "cloudfront:UpdateDistribution",
                    "cloudfront:UpdateStreamingDistribution"
                ],
                "Resource": [
                    "*"
                ]
            }
        ]
    }


.. note:: **TODO**: need to try to use "jamf*" as the resource.

JSS
^^^^

.. code-block:: sh

    $ java -version
    java version "1.7.0_91"
    OpenJDK Runtime Environment (rhel-2.6.2.3.el7-x86_64 u91-b00)
    OpenJDK 64-Bit Server VM (build 24.91-b01, mixed mode)

.. tip:: CentOS users: if you installed 1.8 by mistake, try ``sudo yum swap java-1.8.0-openjdk.x86_64 java-1.7.0-openjdk.x86_64`` then ``sudo systemctl restart jamf.tomcat7.service`` to restart the JSS.

1. Navigate to Settings > Computer Management > Cloud Distribution Point
2. Enter all the relevant info you provided earlier.

.. image:: img/jss-cdp.png

AutoPkg
^^^^^^^^

The JSS is acting as a dispatcher. You simply need to provide the necessary `information `_.

Example:

.. code-block:: bash

    # Check the current settings:
    defaults read ~/Library/Preferences/com.github.autopkg.plist

    # Setup the array (optional if you have something already)
    /usr/libexec/PlistBuddy -c "Add :JSS_REPOS array" ~/Library/Preferences/com.github.autopkg.plist

    # Setup a new dict (make sure to change index number if you have some already)
    /usr/libexec/PlistBuddy -c "Add :JSS_REPOS:0 dict" ~/Library/Preferences/com.github.autopkg.plist
    /usr/libexec/PlistBuddy -c "Add :JSS_REPOS:0:type string CDP" ~/Library/Preferences/com.github.autopkg.plist


Testing
-------

Listing the files on Amazon S3 with Cyberduck
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

I found out the easiest way to see what's actually stored on Amazon S3 is to use Cyberduck. Simply add a profile with "S3 (Amazon Simple Storage Service)".

..
note:: your file may take several minutes to show up here. 184 | 185 | .. image:: img/cyberduck-s3-add.png 186 | .. image:: img/cyberduck-s3.png 187 | -------------------------------------------------------------------------------- /MDM/CasperSuite/JSS/Infrastructure-Manager.rst: -------------------------------------------------------------------------------- 1 | Infrastructure Manager 2 | ====================== 3 | 4 | Architecture 5 | ------------ 6 | 7 | .. image:: images/JAMF-IM-Infra.png 8 | 9 | Your JAMF Infrastructure Manager server should sit in the DMZ and should only be able to talk with the correct port of your LDAP server. 10 | 11 | It should be reachable from Internet at the port you'll specify in the JSS. 12 | 13 | Prerequisites 14 | ------------- 15 | 16 | Please read the `Administrator Manual `_ first. 17 | 18 | Ubuntu 14.04 LTS 19 | ^^^^^^^^^^^^^^^^ 20 | 21 | You'll need to download and setup Ubuntu 14.04 LTS. I won't cover this here. 22 | 23 | I use Microsoft Azure for test purposes. 24 | 25 | Firewall settings 26 | ^^^^^^^^^^^^^^^^^ 27 | 28 | Internal Network <-> DMZ 29 | """""""""""""""""""""""" 30 | 31 | Infrastructure Manager Server should be able to reach: 32 | 33 | - the LDAP server (389, 636 or 3268) 34 | - your internal DNS server 35 | - your internal NTP server if available 36 | 37 | DMZ <-> Internet 38 | """""""""""""""" 39 | 40 | Infrastructure manager should be able to reach 41 | 42 | - your JSS (port 8443 usually) 43 | 44 | Infrastructure manager needs to be reached on the port you'll set later. Choose a port > 1024. 45 | 46 | Consult `Permitting Inbound/Outbound Traffic with JAMF Cloud `_ for more information. 47 | 48 | Java 1.8 49 | ^^^^^^^^^ 50 | In an ideal world, you should download Java from `Oracle `_. Or better, you shouldn't use Java. 51 | 52 | I found the best way to install Oracle Java 1.8 is doing the following: 53 | 54 | .. 
code-block:: sh 55 | 56 | sudo add-apt-repository ppa:webupd8team/java 57 | sudo apt-get update 58 | sudo apt-get install oracle-java8-installer 59 | 60 | 61 | You'll have to accept Oracle's License to proceed. 62 | 63 | As this is a third-party repository, use it with caution, and only on test instances. If you find a better way, please `contribute< `_ 64 | 65 | 66 | Test with `java -version` to see if it works. 67 | 68 | .. code-block:: sh 69 | 70 | $ java -version 71 | java version "1.8.0_101" 72 | Java(TM) SE Runtime Environment (build 1.8.0_101-b13) 73 | Java HotSpot(TM) 64-Bit Server VM (build 25.101-b13, mixed mode) 74 | 75 | JAMF Infrastructure Manager package 76 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 77 | 78 | 1. Connect to JAMF Nation 79 | 2. Go to `My Assets `_ 80 | 3. Download Infrastructure Manager 81 | 4. Upload it to your Linux server 82 | 83 | 84 | I use ``scp`` to upload the binary to my server: 85 | 86 | .. code-block:: sh 87 | 88 | cd ~/Downloads 89 | scp jamf-im_1.0.0-0_all.deb fti@13.93.87.150: 90 | 91 | Configuring 92 | ----------- 93 | 94 | Create the correct user in JSS 95 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 96 | 97 | Create a Standard User that has only the "Infrastructure Manager" role. 98 | 99 | .. image:: images/jamf-im-1.png 100 | .. image:: images/jamf-im-2.png 101 | 102 | Launch the setup assistant 103 | ^^^^^^^^^^^^^^^^^^^^^^^^^^ 104 | 105 | By installing the package, you'll launch the setup assistant. 106 | ``sudo dpkg -i jamf-im_1.0.0-0_all.deb`` 107 | 108 | Enter the host for your cloud instance: 109 | .. image:: images/jamf-im-sa-5.png 110 | 111 | Enter the login and password you created earlier: 112 | .. image:: images/jamf-im-sa-4.png 113 | .. image:: images/jamf-im-sa-3.png 114 | 115 | Enter the public IP Address of your Infrastructure Manager server: 116 | .. image:: images/jamf-im-sa-2.png 117 | 118 | Set up the frequency. I use the default value of 30 seconds: 119 | ..
image:: images/jamf-im-sa-1.png 120 | 121 | If everything goes well, you should see the following: 122 | ``` 123 | Enrollment invitation stored. 124 | Successfully obtained enrollment invitation from https://ftiff.jamfcloud.com 125 | ``` 126 | 127 | Create a LDAP Server 128 | ^^^^^^^^^^^^^^^^^^^^ 129 | 130 | It's all downhill for now. Just kidding. This is the tricky part, as LDAP can be difficult to configure. We won't cover LDAP configuration here. 131 | 132 | 1. Open JSS 133 | 2. Go to System Settings > LDAP Servers 134 | 3. Add a LDAP Server 135 | 4. Choose "Configure Manually" 136 | 5. Choose "Enable LDAP Proxy Server" 137 | 138 | Make sure you choose the right port number. It should be >1024 and be reachable from internet to your public IP address. 139 | 140 | .. image:: images/jamf-im-ldap.png 141 | 142 | 143 | Troubleshooting 144 | --------------- 145 | 146 | Log files 147 | ^^^^^^^^^ 148 | Log files are located here: 149 | 150 | - /var/log/jamf-im-launcher.log 151 | - /var/log/jamf-im.log 152 | 153 | LDAP Server needs authentication 154 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 155 | 156 | :: 157 | 158 | Error: javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1]; remaining name 'OU=Org,DC=fti,DC=io' 159 | Suggestion: No suggestion available 160 | 161 | 162 | Infrastructure Manager cannot bind to address 163 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 164 | 165 | :: 166 | 167 | 2016-08-30 14:43:16,834 INFO c.j.j.l.LpsServerSocketListener [lps: /13.93.87.150:31337 (ssl)] Sleeping for 5000 ms before retry of server socket bind for address /13.93.87.150:31337 168 | 2016-08-30 14:43:21,835 INFO c.j.j.l.LpsServerSocketListener [lps: /13.93.87.150:31337 (ssl)] Waking for retry of server socket bind for address /13.93.87.150:31337 169 | 2016-08-30 14:43:21,839 ERROR c.j.j.l.LpsServerSocketListener [lps: 
/13.93.87.150:31337 (ssl)] Failed to obtain server socket for address /13.93.87.150:31337 170 | com.jamfsoftware.jsam.lps.LpsException: Failed to bind server socket to [/13.93.87.150:31337] 171 | at com.jamfsoftware.jsam.lps.socket.LpsSocketSupplier.bindServerSocket(LpsSocketSupplier.java:136) ~[11:ldap-proxy:0.0.1.20160714202842] 172 | at com.jamfsoftware.jsam.lps.socket.LpsSocketSupplier.createSslServerSocket(LpsSocketSupplier.java:61) ~[11:ldap-proxy:0.0.1.20160714202842] 173 | at com.jamfsoftware.jsam.lps.LpsServerSocketListener.safeCreateServerSocket(LpsServerSocketListener.java:150) [11:ldap-proxy:0.0.1.20160714202842] 174 | at com.jamfsoftware.jsam.lps.LpsServerSocketListener.bindServerSocket(LpsServerSocketListener.java:114) [11:ldap-proxy:0.0.1.20160714202842] 175 | at com.jamfsoftware.jsam.lps.LpsServerSocketListener.execute(LpsServerSocketListener.java:93) [11:ldap-proxy:0.0.1.20160714202842] 176 | at com.jamfsoftware.jsam.lps.LpsServerSocketListener.run(LpsServerSocketListener.java:72) [11:ldap-proxy:0.0.1.20160714202842] 177 | Caused by: java.net.BindException: Cannot assign requested address 178 | at java.net.PlainSocketImpl.socketBind(Native Method) ~[?:?] 179 | at java.net.AbstractPlainSocketImpl.bind(AbstractPlainSocketImpl.java:387) ~[?:?] 180 | at java.net.ServerSocket.bind(ServerSocket.java:375) ~[?:?] 181 | at java.net.ServerSocket.bind(ServerSocket.java:329) ~[?:?] 182 | at com.jamfsoftware.jsam.lps.socket.LpsSocketSupplier.bindServerSocket(LpsSocketSupplier.java:132) ~[?:?] 183 | ... 5 more 184 | 2016-08-30 14:43:21,840 INFO c.j.j.l.LpsServerSocketListener [lps: /13.93.87.150:31337 (ssl)] Sleeping for 5000 ms before retry of server socket bind for address /13.93.87.150:31337 185 | 186 | 187 | This error might happen if the public address is not assigned to any interface on your server (if ``ip addr show`` doesn't show the public address). This happens if you create a NAT to map a public IP address to a private IP.
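A pre-flight check for the bind failure described above, as an added example (not part of the original page and not JAMF's code): it tries to bind a listening socket to each candidate address and flags the ones the host cannot listen on. The function names and sample addresses are assumptions; 192.0.2.10 is a documentation address standing in for a NATed public IP.

```python
import errno
import socket
from typing import Dict, Iterable, NamedTuple


class BindCheck(NamedTuple):
    address_is_local: bool  # can this host listen on the address at all?
    detail: str


def check_bind(address: str, port: int = 0) -> BindCheck:
    """Try to bind a TCP server socket to address:port, as a listener would.

    port=0 asks the kernel for any free port, so the result reflects the
    address only. Pass the real port to also detect a port conflict.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            sock.bind((address, port))
        except OSError as exc:
            if exc.errno == errno.EADDRNOTAVAIL:
                # Same condition Java reports as
                # "java.net.BindException: Cannot assign requested address".
                return BindCheck(False, "not assigned to any local interface")
            if exc.errno == errno.EADDRINUSE:
                # The address exists on this host; something else holds the port.
                return BindCheck(True, "address is local, but the port is in use")
            raise
        return BindCheck(True, "bind succeeded")


def preflight(addresses: Iterable[str], port: int = 0) -> Dict[str, BindCheck]:
    """Check every candidate address and return the results keyed by address."""
    return {addr: check_bind(addr, port) for addr in addresses}


if __name__ == "__main__":
    # Constructed sample input: loopback, the wildcard address, and a
    # documentation address (RFC 5737) playing the role of a public IP
    # that NAT maps to this host without assigning it to an interface.
    candidates = ["127.0.0.1", "0.0.0.0", "192.0.2.10"]
    for addr, result in preflight(candidates).items():
        state = "OK  " if result.address_is_local else "FAIL"
        print(f"{state} {addr:<15} {result.detail}")
```

Run it on the Infrastructure Manager host with the address you plan to enter in the setup assistant; a FAIL line for that address is the same condition as the ``Cannot assign requested address`` entry in the log.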
188 | 189 | I haven't found the solution for this one yet. It seems that JAMF haven't thought of this use case. -------------------------------------------------------------------------------- /MDM/CasperSuite/JSS/JSS-Upgrade-Manual.md: -------------------------------------------------------------------------------- 1 | # Upgrade JSS, the Manual way 2 | 3 | 4 | ## Disclaimer 5 | I'm just listing what I usually do to upgrade JSS. If you have a better idea, please [contribute](https://github.com/Shufflepuck/MacAdminsDoc/blob/master/00_About/Contributing.md)! 6 | 7 | Please first test on a test JSS. 8 | 9 | 10 | ## Backup, Backup, Backup! 11 | Make sure you have a working backup before doing anything. 12 | I use the following command: 13 | `java -jar /usr/local/jss/bin/JSSDatabaseUtil.jar backup -saveBackupTo ~/ -server jamf-mysql1.sdfsfsaa111.eu-west-1.rds.amazonaws.com -pass` 14 | This will save the backup in your user home folder. Send it to another computer. 15 | 16 | In general, please follow this article: [Preparing to Upgrade the JSS](https://jamfnation.jamfsoftware.com/article.html?id=136) 17 | 18 | ## Prepare the JSS Installer 19 | Download the JSS Installer from JAMF Nation. 20 | 21 | 1. Connect to JAMF Nation 22 | 2. Go to [My Assets](https://jamfnation.jamfsoftware.com/myAssets.html) 23 | 3. Click "Show JSS installer downloads" 24 | 4. Download JSS Manual Installation 25 | 5. Upload it to your Linux box 26 | 6. Unzip it, and you're ready to go! 27 | 28 | Note: I usually upload it to my Distribution Point, and get it from my Ubuntu server using: 29 | 30 | `curl https://login:password@dp-1.fti.io/JSS_Installers/JSSInstallation9.93.zip --digest -k -O` 31 | 32 | ## Upgrade JSS 33 | If you have a Clustered JSS, please read [Upgrading the JSS in a Clustered Environment](https://jamfnation.jamfsoftware.com/article.html?id=212). 
34 | 35 | First, let's stop the JSS: 36 | 37 | `service jamf.tomcat7 stop` 38 | 39 | Then archive the current install to `~/ROOT-war-20160830.tgz`: 40 | ```sh 41 | tar czf ~/ROOT-war-20160830.tgz /usr/local/jss/tomcat/webapps/ 42 | rm -rf /usr/local/jss/tomcat/webapps/* 43 | ``` 44 | 45 | Copy the new ROOT.war and restart tomcat: 46 | ```sh 47 | mv JSSInstallation/JSS\ Components/ROOT.war /usr/local/jss/tomcat/webapps/ 48 | service jamf.tomcat7 start 49 | ``` 50 | 51 | Just reconfigure the database, and everything should be working again! 52 | 53 | ## If something goes wrong 54 | 55 | Read the logs in `/usr/local/jss/tomcat/logs/`. Worst case, restore from backup and use the Linux automatic updater. 56 | -------------------------------------------------------------------------------- /MDM/CasperSuite/JSS/images/JAMF-IM-Infra.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shufflepuck/MacAdminsDoc/58379e36d1e9fb8ec051e35af2eb52c3a2d86c33/MDM/CasperSuite/JSS/images/JAMF-IM-Infra.png -------------------------------------------------------------------------------- /MDM/CasperSuite/JSS/images/JAMF-IM-Infra.xml: -------------------------------------------------------------------------------- 1 | 
-------------------------------------------------------------------------------- /MDM/CasperSuite/JSS/images/jamf-im-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shufflepuck/MacAdminsDoc/58379e36d1e9fb8ec051e35af2eb52c3a2d86c33/MDM/CasperSuite/JSS/images/jamf-im-1.png -------------------------------------------------------------------------------- /MDM/CasperSuite/JSS/images/jamf-im-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shufflepuck/MacAdminsDoc/58379e36d1e9fb8ec051e35af2eb52c3a2d86c33/MDM/CasperSuite/JSS/images/jamf-im-2.png -------------------------------------------------------------------------------- /MDM/CasperSuite/JSS/images/jamf-im-ldap.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shufflepuck/MacAdminsDoc/58379e36d1e9fb8ec051e35af2eb52c3a2d86c33/MDM/CasperSuite/JSS/images/jamf-im-ldap.png
-------------------------------------------------------------------------------- /MDM/CasperSuite/JSS/images/jamf-im-sa-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shufflepuck/MacAdminsDoc/58379e36d1e9fb8ec051e35af2eb52c3a2d86c33/MDM/CasperSuite/JSS/images/jamf-im-sa-1.png -------------------------------------------------------------------------------- /MDM/CasperSuite/JSS/images/jamf-im-sa-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shufflepuck/MacAdminsDoc/58379e36d1e9fb8ec051e35af2eb52c3a2d86c33/MDM/CasperSuite/JSS/images/jamf-im-sa-2.png -------------------------------------------------------------------------------- /MDM/CasperSuite/JSS/images/jamf-im-sa-3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shufflepuck/MacAdminsDoc/58379e36d1e9fb8ec051e35af2eb52c3a2d86c33/MDM/CasperSuite/JSS/images/jamf-im-sa-3.png -------------------------------------------------------------------------------- /MDM/CasperSuite/JSS/images/jamf-im-sa-4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shufflepuck/MacAdminsDoc/58379e36d1e9fb8ec051e35af2eb52c3a2d86c33/MDM/CasperSuite/JSS/images/jamf-im-sa-4.png -------------------------------------------------------------------------------- /MDM/CasperSuite/JSS/images/jamf-im-sa-5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shufflepuck/MacAdminsDoc/58379e36d1e9fb8ec051e35af2eb52c3a2d86c33/MDM/CasperSuite/JSS/images/jamf-im-sa-5.png -------------------------------------------------------------------------------- /MDM/CasperSuite/JSS/images/restrict-major-os-update/add-restricted-software-record.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shufflepuck/MacAdminsDoc/58379e36d1e9fb8ec051e35af2eb52c3a2d86c33/MDM/CasperSuite/JSS/images/restrict-major-os-update/add-restricted-software-record.png -------------------------------------------------------------------------------- /MDM/CasperSuite/JSS/images/restrict-major-os-update/computer-inventory-collection.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shufflepuck/MacAdminsDoc/58379e36d1e9fb8ec051e35af2eb52c3a2d86c33/MDM/CasperSuite/JSS/images/restrict-major-os-update/computer-inventory-collection.png -------------------------------------------------------------------------------- /MDM/CasperSuite/JSS/images/restrict-major-os-update/edit-computer-inventory-collection.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shufflepuck/MacAdminsDoc/58379e36d1e9fb8ec051e35af2eb52c3a2d86c33/MDM/CasperSuite/JSS/images/restrict-major-os-update/edit-computer-inventory-collection.png -------------------------------------------------------------------------------- /MDM/CasperSuite/JSS/images/restrict-major-os-update/on-the-client.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shufflepuck/MacAdminsDoc/58379e36d1e9fb8ec051e35af2eb52c3a2d86c33/MDM/CasperSuite/JSS/images/restrict-major-os-update/on-the-client.png -------------------------------------------------------------------------------- /MDM/CasperSuite/JSS/images/restrict-major-os-update/restrict-beta-version.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shufflepuck/MacAdminsDoc/58379e36d1e9fb8ec051e35af2eb52c3a2d86c33/MDM/CasperSuite/JSS/images/restrict-major-os-update/restrict-beta-version.png 
-------------------------------------------------------------------------------- /MDM/CasperSuite/JSS/images/restrict-major-os-update/restricted-software-records-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shufflepuck/MacAdminsDoc/58379e36d1e9fb8ec051e35af2eb52c3a2d86c33/MDM/CasperSuite/JSS/images/restrict-major-os-update/restricted-software-records-1.png -------------------------------------------------------------------------------- /MDM/CasperSuite/JSS/images/restrict-major-os-update/restricted-software-records.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shufflepuck/MacAdminsDoc/58379e36d1e9fb8ec051e35af2eb52c3a2d86c33/MDM/CasperSuite/JSS/images/restrict-major-os-update/restricted-software-records.png -------------------------------------------------------------------------------- /MDM/CasperSuite/JSS/images/restrict-major-os-update/scope-restricted-software-record.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shufflepuck/MacAdminsDoc/58379e36d1e9fb8ec051e35af2eb52c3a2d86c33/MDM/CasperSuite/JSS/images/restrict-major-os-update/scope-restricted-software-record.png -------------------------------------------------------------------------------- /MDM/CasperSuite/JSS/restrict-major-os-update.md: -------------------------------------------------------------------------------- 1 | # Restrict installation of macOS Sierra 2 | 3 | Apple has yet to provide a way to prevent the update to a major OS release. 4 | 5 | But, I believe it's for the greater good. Everyone should work toward supporting macOS on the day it is released. Apple gives us plenty of time to do this, thanks to the Developer, Apple Seed and Public betas. 6 | 7 | If something goes wrong and you want to make sure your user don't upgrade to the newest macOS, follow these steps. 
8 | 9 | ## Restrict Beta Version 10 | 11 | If your goal is to restrict the Beta version, Apple provides the following kbase: [https://support.apple.com/en-us/HT203018](https://support.apple.com/en-us/HT203018) 12 | 13 | On Casper Suite, simply create a Configuration profile with a "Software Update" payload and deselect "Allow installation of OS X beta releases". 14 | 15 | ![][1] 16 | 17 | [1]: images/restrict-major-os-update/restrict-beta-version.png 18 | 19 | ## Restrict Retail Version 20 | 21 | As stated above, Apple doesn't provide a way to disable a major OS upgrade. 22 | 23 | We'll use JSS built-in "Restricted Software" mechanism to kill the Installation app as soon as it's launched by the user. 24 | 25 | It is not super user-friendly, so make sure you communicate to the users first. 26 | 27 | ## Restricted Software Records 28 | 29 | 1. Open your JSS 30 | 1. Go to Computers > Restricted Software 31 | 1. Click + "New" 32 | 33 | ![][2] 34 | 35 | [2]: images/restrict-major-os-update/restricted-software-records.png 36 | 37 | ## Add Restricted Software Record 38 | 39 | macOS Sierra installer uses the process "osinstallersetupd" to setup installation. 40 | 41 | Blocking this process will ensure that no user will be able to launch the installation, even if renaming "Install macOS Sierra.app". 42 | 43 | ![][3] 44 | 45 | [3]: images/restrict-major-os-update/add-restricted-software-record.png 46 | 47 | ## Scope Restricted Software Record 48 | 49 | Choose the right Scope. "All Managed Clients" is usually a good choice. 50 | 51 | I exclude from this Smart Group my test machines and my BYOD clients. 52 | 53 | ![][4] 54 | 55 | [4]: images/restrict-major-os-update/scope-restricted-software-record.png 56 | 57 | ## Restricted Software Records 58 | 59 | Our Record is now ready. 60 | 61 | ![][5] 62 | 63 | [5]: images/restrict-major-os-update/restricted-software-records-1.png 64 | 65 | ## Computer Inventory Collection 66 | 67 | 1. 
Navigate to Computers > Management Settings 68 | 1. Click on "Inventory Collection" 69 | 70 | ![][6] 71 | 72 | [6]: images/restrict-major-os-update/computer-inventory-collection.png 73 | 74 | ## Edit Computer Inventory Collection 75 | 76 | Check "Collect active services". 77 | 78 | Note: I couldn't find relevant resources to confirm this was needed, but my tests indicate so. 79 | 80 | ![][7] 81 | 82 | [7]: images/restrict-major-os-update/edit-computer-inventory-collection.png 83 | 84 | ## On the client 85 | 86 | You may want to try a "jamf manage" and a "jamf policy" to refresh the management framework. 87 | 88 | If you launch "Install macOS Sierra.app", you'll get the following screen. 89 | 90 | ![][8] 91 | 92 | [8]: images/restrict-major-os-update/on-the-client.png -------------------------------------------------------------------------------- /MDM/CasperSuite/img/cyberduck-s3-add.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shufflepuck/MacAdminsDoc/58379e36d1e9fb8ec051e35af2eb52c3a2d86c33/MDM/CasperSuite/img/cyberduck-s3-add.png -------------------------------------------------------------------------------- /MDM/CasperSuite/img/cyberduck-s3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shufflepuck/MacAdminsDoc/58379e36d1e9fb8ec051e35af2eb52c3a2d86c33/MDM/CasperSuite/img/cyberduck-s3.png -------------------------------------------------------------------------------- /MDM/CasperSuite/img/jss-cdp.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shufflepuck/MacAdminsDoc/58379e36d1e9fb8ec051e35af2eb52c3a2d86c33/MDM/CasperSuite/img/jss-cdp.png -------------------------------------------------------------------------------- /MDM/CasperSuite/index.rst: -------------------------------------------------------------------------------- 1 | ..
toctree:: 2 | :maxdepth: 1 3 | :titlesonly: 4 | :glob: 5 | 6 | * 7 | AutoPKG/* 8 | JSS/* 9 | -------------------------------------------------------------------------------- /MDM/Puppet/Additional-Resources.md: -------------------------------------------------------------------------------- 1 | # Additional Resources 2 | 3 | Here are some additional resources created by the MacAdmin Community regarding Puppet that I'm aware of. 4 | 5 | ## Michael Holt 6 | 7 | - [Example Core Repo](https://github.com/MichaelHoltTech/example-core_repo) - Additional code for adding to your own Puppet Repository 8 | - [Puppetserver Docker Container](https://hub.docker.com/r/michaelholttech/puppetserver/) - Docker Container running Puppet, used in the "Getting Started" tutorial 9 | 10 | ## Graham Gilbert 11 | 12 | - [Puppet Outset](https://github.com/grahamgilbert/puppet-outset) - Puppet module to manage Outset scripts and packages 13 | - [Puppetserver Docker Container](https://github.com/grahamgilbert/docker-puppetserver) - Another take on running Puppetserver on Docker 14 | - [Puppetserver & Sal Docker Container](https://github.com/grahamgilbert/docker-sal-puppetserver) - another take on running Puppetserver on Docker and checking your Sal instance before signing the certificate 15 | - [Personal Puppet](https://github.com/grahamgilbert/personal-puppet) - some code that Graham has publicly shared from his Puppet Configuration 16 | - [Setup Assistant Profiler](https://github.com/grahamgilbert/puppet-SetupAssistantProfiler) - Puppet Module that deploys an outset script to skip the setup assistant via a profile that is applied at every boot. Based on [Nick McSpadden's SetupAssistantProfiler](https://github.com/nmcspadden/SetupAssistantProfiler) 17 | - [Mac Admin](https://github.com/grahamgilbert/puppet-mac_admin) - A Puppet module to administer Mac OS X Machines 18 | - [Grahamconfig](https://github.com/grahamgilbert/puppet-grahamconfig) - Some more code that Graham has shared. 
19 | - [Puppet Run](https://github.com/grahamgilbert/puppet-puppet_run) - A module to run Puppet periodically on OS X 20 | - [Mac Facts](https://github.com/grahamgilbert/grahamgilbert-mac_facts) - A collection of custom Facter facts to aid with the management of OS X Machines 21 | - [Sal Client](https://github.com/grahamgilbert/puppet-sal_client) - A module to configure the Sal Server & Key on your machine. (Requires Mac Admin Module) 22 | - [MacDefaults](https://github.com/pebbleit/puppet-macdefaults) - A Puppet module to manage defaults on an OS X system 23 | 24 | ## Samuel Keeley 25 | 26 | - [Mac Profilers Handler](https://github.com/keeleysam/puppet-mac_profiles_handler) - A module to create and manage Profiles. 27 | 28 | ## Brian Warsing 29 | 30 | - [ManagedMac](https://github.com/dayglojesus/managedmac) - A Comprehensive Puppet module for OS X. 31 | 32 | 33 | # Additional Information 34 | 35 | This is not intended to be a comprehensive list but I'll do my best to add as I find additional resources. Feel free to contribute more as well with a pull request (See the **Contributing** section under **00 About** for more details). 36 | -------------------------------------------------------------------------------- /MDM/Puppet/Basic-Configuration.md: -------------------------------------------------------------------------------- 1 | # Basic Configuration 2 | 3 | This tutorial goes over how to add some basic configuration to your Puppetserver for managing your macs. 4 | 5 | Originally Posted at: [www.mholt.tech/blog/2015/12/07/basic-puppet-configuration/](http://www.mholt.tech/blog/2015/12/07/basic-puppet-configuration/) 6 | 7 | ## Configuration Overview 8 | 9 | So this is the second post about Puppet. I'm going to go through a brief overview deploying some configuration to your computer using Puppet. 
10 | 11 | If you don't already have Puppetserver running, please go back to my previous post [Here](/blog/2015/12/04/getting-started-with-puppet/) to get up and running with Puppet. If you aren't following from my previous post some of this will be different depending on your Environment but I will be continuing with the setup on the Docker Image that I've created. We're going to start with some basic configuration so you can understand how the basics work. Next year I'll be providing a repository with more detailed configuration options that won't necessarily be covered here. 12 | 13 | There are multiple parts to applying configurations to your computer. Inside of the Core Repo folder that you cloned previously you'll see a folder named **Hiera**. 14 | 15 | First off, you have Hiera. These files are used to apply configuration to your machine. 16 | 17 | - ``machine/c02n5heug3qj.yaml`` (You may have renamed this in the previous post) 18 | - ``role/test.yaml`` 19 | - ``common.yaml`` 20 | 21 | The files inside of ``machine`` are optional and used if you want to apply a special configuration option to a specific machine. These files should be named after the serial number of the machine, always in lower case. 22 | 23 | The files in ``role`` are used to create a configuration file that is applied to multiple machines and is defined as a custom fact as done in the previous post. 24 | 25 | The final file, ``common.yaml `` is a master configuration that is applied to all machines. 26 | 27 | When defining specific configuration data, you can have the same variable in multiple files and the one that is seen first in the order of files above is what is applied. 28 | 29 | Lets start with opening ``common.yaml``. In this file you'll see a few lines of code. Classes are configuration functions defined in manifests either from Modules that are included in Puppetfile, or additional custom manifests defined in site/(profiles or roles)/manifests. 
30 | 31 | The first line you see under classes is "puppet_run". This is calling a function inside of a Puppet Module by [Graham Gilbert](http://www.grahamgilbert.com) called [Puppet Run](https://github.com/grahamgilbert/puppet-puppet_run). This module configures puppet agent on the machine and configures puppet to automatically run every 30 minutes along with a random delay of anywhere between 0 and 20 minutes to prevent all of your machines from checking in at the same time. 32 | 33 | The next line you'll see under Classes is ``roles::default``. This calls a custom configuration file inside of ``site/roles/manifests/default.pp`` and simply run an echo command outputting "Default Role" when running ``puppet agent -t`` 34 | 35 | The final line is a variable, ``puppet_run::server_name``. This variable is what tells the Puppet Run module what your puppet servers name is. When it comes to variables you can override them on a per role or per machine basis by also including the variable along with the corresponding class inside of the respective role or machine yaml file. 36 | 37 | ## Lets add some custom configuration 38 | 39 | Your needs and environment are going to vary from mine but i'm going to go over some basic configuration options using [ManagedMac](https://github.com/dayglojesus/managedmac) by [dayglojesus](https://github.com/dayglojesus). 40 | 41 | ### Add some text to Login Window. 42 | 43 | We're going to start off with configuring puppet to display a message on the login window. 44 | 45 | We'll start off with adding a message that will be applied to everyone. To do this, lets open up common.yaml and add these lines. 46 | 47 | Under ``classes`` add: 48 | ```` 49 | - managedmac::loginwindow 50 | ```` 51 | 52 | now at the bottom of the file lets add the variable to define the message. 
53 | 54 | ```` 55 | managedmac::loginwindow::loginwindow_text: "This is a global message" 56 | 57 | ```` 58 | 59 | Once this is done go ahead and save, commit, and push the file to your git repository. Once this is done you need to log into your Docker server and run 60 | 61 | ```` 62 | docker exec -it puppetserver r10k deploy environment -pv 63 | ```` 64 | 65 | Once your puppetserver has been updated lets manually run Puppet on your test machine 66 | 67 | ```` 68 | puppet agent -t 69 | ```` 70 | 71 | Now go ahead and log out and you should see a message on the login window saying "This is a global message". 72 | 73 | Now lets go ahead and define a machine specific message on the login window. 74 | 75 | Create a file inside of hiera/machine/.yaml (Ensure that you use all lower case). Inside of this file go ahead and populate with: 76 | 77 | ```` 78 | --- 79 | classes: 80 | - managedmac::loginwindow 81 | managedmac::loginwindow::loginwindow_text: "This is a machine message" 82 | 83 | ```` 84 | 85 | Go ahead and commit and push this to your git repository, then once again run this on the server: 86 | 87 | ```` 88 | docker exec -it puppetserver r10k deploy environment -pv 89 | ```` 90 | 91 | Afterwards, run on your machine 92 | 93 | ```` 94 | puppet agent -t 95 | ```` 96 | 97 | Log out and you will now see your login window saying "This is a machine message" instead of "This is a global message". 98 | 99 | There are a lot more configuration options for ManagedMac and they can all be found [Here](http://dayglojesus.github.io/managedmac/). 100 | 101 | 102 | ## Hide Puppet User 103 | 104 | Lets go ahead and do one more thing before we wrap up this session. We're going to hide the annoying "Puppet" user that shows up on the login window. 105 | 106 | Go ahead and navigate to ``site/profiles/manifests`` and create a file called ``hidepuppetuser.pp``. 
107 | 108 | Inside of this file, insert: 109 | 110 | ```` 111 | class profiles::hidepuppetuser { 112 | exec { 113 | 'Hide Puppet User': 114 | command => "/usr/bin/defaults write /Library/Preferences/com.apple.loginwindow HiddenUsersList -array-add puppet", 115 | # Skip the write when "puppet" is already in the list, so it is not appended again on every run. 116 | unless => "/usr/bin/defaults read /Library/Preferences/com.apple.loginwindow HiddenUsersList | /usr/bin/grep -qw puppet", 117 | provider => shell, 118 | } 119 | } 120 | ```` 121 | 122 | Now go ahead and save this file and close it. The next step is to tell the machines to go ahead and run this manifest. We want to apply this to ALL machines, so go ahead and edit ``hiera/common.yaml`` and under classes insert 123 | 124 | ```` 125 | - profiles::hidepuppetuser 126 | 127 | ```` 128 | 129 | Save this file, then commit and push both files to your git repository. After that, run r10k to update your Puppetserver and then run puppet on your test machine. After this is done, you should no longer see the user "Puppet" when you are at the login window. 130 | 131 | This concludes this blog post and gives you an idea of how to use Puppet to configure your machines. As I mentioned previously, I'll be posting a number of my configurations up on GitHub when I get back from Christmas Vacation. 132 | 133 | **UPDATE**: An Example Core Repository can be found [**HERE**](https://github.com/MichaelHoltTech/example-core_repo) 134 | -------------------------------------------------------------------------------- /MDM/Puppet/Getting-Started.md: -------------------------------------------------------------------------------- 1 | # Getting Started 2 | 3 | This tutorial goes over how to get started with running Puppet in a Docker Container to manage your mac configuration. 4 | 5 | Originally Posted at: [www.mholt.tech/blog/2015/12/04/getting-started-with-puppet/](http://www.mholt.tech/blog/2015/12/04/getting-started-with-puppet/) 6 | 7 | ## Installing Docker 8 | 9 | I'm going to assume you already have a working Ubuntu 14.04 Server. If not, I highly recommend using Linode, which is what we use to run our Management Platform.
You can sign up [Here](https://www.linode.com/?r=eb7892d4b2b5528c799c9bab969491ae8b02970a). 10 | 11 | Our first job after SSH'ing into the server is to get Docker installed. This is a very easy process. 12 | 13 | First, let's make sure we have `` wget `` installed: 14 | 15 | ```` 16 | which wget 17 | ```` 18 | 19 | 20 | If nothing is returned, we need to install `` wget ``: 21 | 22 | ```` 23 | sudo apt-get update 24 | sudo apt-get install wget 25 | ```` 26 | 27 | And now we can install Docker. 28 | 29 | ```` 30 | wget -qO- https://get.docker.com/ | sh 31 | ```` 32 | 33 | Enter your password when asked and then you're done. 34 | 35 | If you aren't running as root (which isn't secure anyways so I hope you aren't), you can give a user access to Docker without having to grant sudo and preface all docker commands with sudo. Keep in mind that members of the docker group effectively have root access to the host, so only add accounts you would trust with sudo. This can be done by running the following, with the account name in place of `<username>`: 36 | 37 | ```` 38 | sudo usermod -aG docker <username> 39 | ```` 40 | 41 | ## Clone the Core Repo 42 | Now before we continue with docker we need to clone the base configuration that our Puppetserver will be using. I'm going to go with the assumption that you are familiar with git. If this is your first time, there are a lot of tutorials on the internet. Personally, I like to use a GUI and recommend [SourceTree](https://www.sourcetreeapp.com/). 43 | 44 | This is also going to be based on using Bitbucket for storing your configurations privately. Bitbucket gives you unlimited *PRIVATE* repositories for free, which I highly recommend using to keep your configuration data private. This is compatible with GitHub as well. You can get a Bitbucket account [here](https://bitbucket.org/). 45 | 46 | Here's how to get started with your own copy of the Core Repository: 47 | 48 | 1. To start off, go to Bitbucket's website and log in. 49 | 2. Go to Repositories -> Import Repository 50 | 3. For **URL**, enter: https://github.com/MichaelHoltTech/puppet-core_repo.git 51 | 4.
For **Name**, you may keep the name of the imported repository or change this to anything you want. 52 | 5. For **Access Level**, make sure to check "This is a private repository" 53 | 6. Click **Import Repository** to import the base repository into your Bitbucket account. It'll take a moment for the code to import and then you can continue. 54 | 55 | ## Start setting up Puppetserver 56 | 57 | Now we're ready to go back to Docker and start setting up Puppetserver. This is a very simple process. 58 | 59 | We'll start off with creating what is called a Volume Container. This will store the SSL Certificates used by Puppet so that the container can be updated as needed without worrying about losing some important configuration. 60 | 61 | On your Ubuntu server, start by running this command. *Note: If you are not logged in with root then preface all commands from here on out with sudo* 62 | 63 | ```` 64 | docker pull busybox 65 | docker run -d --name data_puppet \ 66 | -v /root/.ssh \ 67 | -v /var/lib/puppet/ssl \ 68 | busybox 69 | ```` 70 | 71 | Now we have to create a file in order for the Puppetserver to know how to get your Core Repository. If you skip this step you'll run into some issues when we get to restarting the container. I prefer nano, but you use whatever editor you prefer on the Linux Server. 72 | 73 | To begin, lets create some directories and grant all users inside of the Docker user group access. 74 | 75 | ```` 76 | sudo mkdir -p /usr/local/docker/puppetserver 77 | sudo chgrp -R docker /usr/local/docker 78 | sudo chmod -R 770 /usr/local/docker 79 | cd /usr/local/docker/puppetserver 80 | nano custom.yaml 81 | ```` 82 | 83 | Inside of custom.yaml insert the following contents, replacing the repo url in single quotes with repo's SSH URL found by clicking: ... -> Clone -> Change HTTPS to SSH. 
84 |
85 | ````
86 | ---
87 | repo_url: 'git@github.com:MichaelHoltTech/puppet-core_repo.git'
88 | ````
89 |
90 | Now let's go ahead and save and close this file.
91 |
92 | Now that we have that out of the way we can get started with the Puppetserver. Make sure you replace `` puppet.example.com `` with the url/hostname you intend to use for your puppet server.
93 |
94 | ````
95 | docker pull michaelholttech/puppetserver
96 | docker run -d --name=puppetserver \
97 |   --volumes-from data_puppet \
98 |   -v /root/.ssh \
99 |   -v /var/lib/puppet/ssl \
100 |   -v /usr/local/docker/puppetserver/custom.yaml:/root/bootstrap/hiera/data/custom.yaml \
101 |   -e PUPPETSERVER_JAVA_ARGS="-Xms384m -Xmx384m -XX:MaxPermSize=256m" \
102 |   -p 8140:8140 \
103 |   -h puppet.example.com \
104 |   --restart="always" \
105 |   michaelholttech/puppetserver
106 | ````
107 |
108 | After you have run those commands we need to monitor the logs for some important information that will be provided. This can be done by running:
109 |
110 | ````
111 | docker logs -f puppetserver
112 | ````
113 |
114 | Once the initial scripts have run you'll see a public key displayed in the logs. You need to take this and enter it as a Deployment Key for your Repository. This can be done by browsing to your repository on the Bitbucket website, and then going to Settings -> Deployment Keys -> Add Key. Copy/paste the public key starting with `` ssh-rsa `` and ending with `` R10K Deployment Key ``.
115 |
116 | Now that we've gotten that done we're ready to let Puppet finish bootstrapping itself. This can be done by copy/pasting the commands after the public key in the logs that we were looking at in the last step. You can also run:
117 |
118 | ````
119 | docker stop puppetserver
120 | docker start puppetserver
121 | ````
122 |
123 | Now if you watch the logs again you can see puppet preparing itself:
124 |
125 | ````
126 | docker logs -f puppetserver
127 | ````
128 |
129 | This will take several minutes to complete.
When it is done you will see a line saying `` [p.s.m.master-service] Puppet Server has successfully started and is now ready to handle requests ``
130 |
131 | Now that your puppetserver is running there's only one last command to run. This command is only needed if there isn't already data existing inside of `` data_puppet ``. This command is also set up to automatically run every 30 minutes inside of the container.
132 |
133 | ````
134 | docker exec -it puppetserver puppet agent -t
135 | ````
136 |
137 | ## Set up your first client!
138 |
139 | Whew, we're almost there. Not much longer until you will have your first client checking into your brand new Puppetserver.
140 |
141 | Let's start with a fresh Mac OS environment, be it a VM or spare computer. We're going to have to start off by installing two packages on the machine... Puppet & Facter.
142 |
143 | Puppet v3.8.4 can be downloaded [**HERE**](https://downloads.puppetlabs.com/mac/puppet-3.8.4.dmg).
144 |
145 | Facter v2.4.4 can be downloaded [**HERE**](https://downloads.puppetlabs.com/mac/facter-2.4.4.dmg).
146 |
147 | Once downloaded go ahead and install these onto your test machine.
148 |
149 | At this point all that's left is to get your machine configured. This is extremely simple and can be done by running one command in Terminal, replacing `` puppet.example.com `` with your puppetserver's URL. *If you don't have a DNS record for it, make sure you add a manual entry inside of `` /etc/hosts `` on your test machine!*
150 |
151 | ````
152 | sudo puppet agent -t --certname $(ioreg -l | awk '/IOPlatformSerialNumber/ { split($0, line, "\""); printf("%s\n", line[4]); }' | tr '[:upper:]' '[:lower:]') --waitforcert 20 --server puppet.example.com
153 | ````
154 |
155 | You now have your first machine up and running on Puppet! Congratulations!
156 |
157 | There's plenty of information online if you want to begin playing with some configuration settings inside of the Core Repository.
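The certname in the enrollment command above is the Mac's serial number, and it becomes the agent's certificate identity on the Puppetserver. The following added example (not part of the original post) wraps that derivation in a function that refuses to enroll when the serial is missing, empty, or contains anything other than letters and digits. The function names, the allowed character set and the sample `ioreg` lines are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: derive the Puppet certname from `ioreg -l` output and
# validate it before it becomes the agent's certificate identity.

# Reads `ioreg -l` output on stdin. Prints the lowercased serial number and
# returns 0; prints nothing and returns 1 when the serial is absent, empty,
# or contains anything other than letters and digits (assumed policy).
certname_from_ioreg() {
    serial=$(awk -F'"' '/IOPlatformSerialNumber/ { print $4; exit }')
    certname=$(printf '%s' "$serial" | tr '[:upper:]' '[:lower:]')
    case "$certname" in
        '' | *[!a-z0-9]*) return 1 ;;
    esac
    printf '%s\n' "$certname"
}

# Enrolls this Mac against the Puppet server named in $1 (run on the client).
enroll() {
    certname=$(ioreg -l | certname_from_ioreg) || {
        echo "no usable serial number; choose a certname by hand" >&2
        return 1
    }
    sudo puppet agent -t --certname "$certname" --waitforcert 20 --server "$1"
}

# Constructed sample of the relevant `ioreg -l` lines (not captured output).
SAMPLE_IOREG='    | |   "IOPlatformUUID" = "00000000-0000-0000-0000-000000000000"
    | |   "IOPlatformSerialNumber" = "C02N5HEUG3QJ"'

printf '%s\n' "$SAMPLE_IOREG" | certname_from_ioreg
```

On the client, `enroll puppet.example.com` replaces the one-line command and stops before a certificate request is sent if no usable serial is found.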
158 | 159 | We'll go over this more in a future post, but to configure a role we need to create a fact on the local machine. This can be done by running: 160 | 161 | ```` 162 | sudo mkdir -p /etc/facter/facts.d 163 | sudo nano /etc/facter/facts.d/computer_role.yaml 164 | ```` 165 | 166 | Paste the following inside of `` computer_role.yaml `` 167 | 168 | ```` 169 | --- 170 | computer_role: "test" 171 | ```` 172 | 173 | Since the machine is now configured with puppet, you can trigger puppet by running a much simpler command: 174 | 175 | ```` 176 | sudo puppet agent -t 177 | ```` 178 | 179 | If you have added the computer_role fact, you should get an output similar to the following when you run `` puppet agent -t ``: 180 | 181 | ```` 182 | Info: Retrieving pluginfacts 183 | Info: Retrieving plugin 184 | Info: Loading facts 185 | Info: Caching catalog for c02n5heug3qj 186 | Info: Applying configuration version '1449305286' 187 | Notice: Test Role 188 | Notice: /Stage[main]/Roles::Test/Notify[Test Role]/message: defined 'message' as 'Test Role' 189 | Notice: Default Role 190 | Notice: /Stage[main]/Roles::Default/Notify[Default Role]/message: defined 'message' as 'Default Role' 191 | Notice: Common Profile 192 | Notice: /Stage[main]/Profiles::Common/Notify[Common Profile]/message: defined 'message' as 'Common Profile' 193 | Notice: Test Profile 194 | Notice: /Stage[main]/Profiles::Test/Notify[Test Profile]/message: defined 'message' as 'Test Profile' 195 | Notice: Finished catalog run in 13.84 seconds 196 | ```` 197 | 198 | ## Additional Notes 199 | 200 | Whenever you make a change to your Core Repo, you also need to manually tell your Puppetserver to pull in the changes. This can be done by running this on the server: 201 | 202 | ```` 203 | docker exec -it puppetserver r10k deploy environment -pv 204 | ```` 205 | 206 | Yay! We've made it to the end and we now have a functional Puppetserver! 
If you've made it this far give yourself a pat on the back, it took me much longer to get up and running with Puppet when I first started. 207 | 208 | Here's a few quick notes: 209 | 210 | 1. This is a new Docker image and could have some bugs and issues. I'm relying on the community to help identify these issues. 211 | 2. I'm not an expert at this, I just started using puppet a few months ago myself. If you see areas that could be improved feel free to submit a pull request. 212 | 1. The Puppetserver code can be found [**here**](https://github.com/MichaelHoltTech/puppetserver). 213 | 2. The Core Repo code can be found [**here**](https://github.com/MichaelHoltTech/puppet-core_repo/). 214 | 3. An Example Repository with more code can be found [**here**](https://github.com/MichaelHoltTech/example-core_repo). 215 | 4. The Base Image code can be found [**here**](https://github.com/MichaelHoltTech/baseimage). It is based off of work done by phusion, located [**here**](https://github.com/phusion/baseimage-docker). 216 | 3. I'm currently not running this Image in Production. I plan on moving over to it after the Christmas Holidays as I continue to document our Management Platform. 217 | 218 | Stay Tuned for the next post! No promises but i'll see if I can at least get one more post up documenting how to begin programming some configuration options. If I don't get to it, I'll definitely have time in January! (I'll do my best not to keep you waiting 2 months this time) 219 | -------------------------------------------------------------------------------- /MDM/Puppet/index.rst: -------------------------------------------------------------------------------- 1 | Puppet 2 | ******** 3 | 4 | .. 
toctree:: 5 | :maxdepth: 2 6 | :titlesonly: 7 | :glob: 8 | 9 | * 10 | -------------------------------------------------------------------------------- /MDM/jamfpro/JSS_on_AWS.md: -------------------------------------------------------------------------------- 1 | http://docs.jamf.com/9.98/casper-suite/jss-install-guide-linux/ 2 | 3 | # Introduction 4 | 5 | ## Prerequisites 6 | 7 | # Configure AWS 8 | 9 | ## Configure Security 10 | 11 | ### Create VPC 12 | ![](JSS_on_AWS/VPC.png) 13 | - Create VPC 14 | 15 | ### Create Subnets 16 | - Create subnet on second Availability Zone ![](JSS_on_AWS/VPC-AZ2.png) 17 | 18 | ### Create Security Groups 19 | - jss-lab-jss: will reference my JSS instances 20 | - jss-lab-jss-ports: Public ports (SSH and HTTPS/8443) 21 | - jss-lab-db: MySQL from jss-lab 22 | 23 | 24 | 25 | ## Create RDS Instance 26 | 27 | 1. Choose MySQL (then Dev/Test MySQL) 28 | 2. DB Details ![](JSS_on_AWS/RDS-DBDetails.png) 29 | 3. Advanced Settings ![](JSS_on_AWS/RDS-AdvancedSettings.png) 30 | 31 | ## Create EC2 Instance 32 | 33 | 1. RedHat 7 34 | 2. t2.micro (not recommended in production) ![](JSS_on_AWS/EC2-Details.png) 35 | 3. Select storage ![](JSS_on_AWS/EC2-Storage.png) 36 | 4. Configure Security Group (SSH+HTTPS) ![](JSS_on_AWS/EC2-SecurityGroups.png) 37 | 38 | 39 | 40 | # Install the JSS 41 | ## On EC2 Instance 42 | 43 | Login to the EC2 Instance by using your newly created SSH key: 44 | 45 | `ssh -i Jamf-EC2.pem ec2-user@ec2-34-251-175-48.eu-west-1.compute.amazonaws.com` 46 | 47 | Let's update the instance! 48 | 49 | `sudo yum update` 50 | 51 | You may need to reboot (a good idea if kernel or firmware was upgraded!) 52 | 53 | `sudo reboot` 54 | 55 | Wait a few minutes until the instance is back online. 
56 |
57 | Upload the JSS Installer to the instance
58 |
59 | `scp -i Jamf-EC2.pem ~/Downloads/JSSInstallerLinux9.98.zip ec2-user@ec2-34-251-175-48.eu-west-1.compute.amazonaws.com:`
60 |
61 | Log in to the EC2 Instance:
62 |
63 | `ssh -i Jamf-EC2.pem ec2-user@ec2-34-251-175-48.eu-west-1.compute.amazonaws.com`
64 |
65 |
66 | Install Java 1.8
67 |
68 | `sudo yum install java-1.8.0-openjdk-devel`
69 |
70 |
71 | Install unzip
72 |
73 | `sudo yum install unzip`
74 |
75 | Unzip the JSS Installer
76 |
77 | `unzip JSSInstallerLinux9.98.zip`
78 |
79 | Launch the Installation Script
80 |
81 | `sudo JSSInstallerLinux/JSS\ Installation/jssinstaller.run`
82 |
83 | ```
84 | [ec2-user@ip-172-30-2-85 ~]$ sudo JSSInstallerLinux/JSS\ Installation/jssinstaller.run
85 | Verifying archive integrity... All good.
86 | Uncompressing JSS Installer 100%
87 | Starting the Linux JSS Installation
88 | Checking installation requirements...
89 | Checking for a 64-bit OS...OK
90 | Checking for Java 1.7+ ...Java minor version found: 8
91 | Verifying JCE Unlimited Strength Jurisdiction Policy files...Found required JCE support on this server.
92 | Java JCE files verified
93 | Checking if Tomcat is NOT installed...OK
94 | Passed all requirements
95 |
96 | To be installed into /usr/local/jss:
97 | * Tomcat 8.0.41
98 | * JSS
99 | * JSS Database Utility
100 | *
101 | * NOTE: When upgrading to Tomcat 8 for the first time, the account and group named 'tomcat7' will be renamed to 'jamftomcat'
102 |
103 | Proceed? (y/n): y
104 | Installing...
105 | Starting Tomcat Installation
106 | Adding Tomcat user and group...
107 |
108 |
109 | Installing init.d script...
110 | Copying Tomcat files...
111 | Setting permissions...
112 | Tomcat Installation Done!
113 | Starting JSS Installation
114 | Generating Tomcat keystore...OK
115 | Copying JSS Webapp...
116 | jar command found 117 | Creating the ROOT webapp directory for extraction point 118 | Extracting ROOT.war using jar command 119 | ROOT.war extracted successfully 120 | Done extracting war... 121 | Finalizing Tomcat and Web App settings... 122 | JSS Webapp Installation Done! 123 | Starting Database Backup Utility Installation 124 | Copying JSS Database Backup Utility...Error: The JSS Database Utility must be launched on a system with MySQL installed. If MySQL is already installed, you must specify the location of MySQL using the -mysqlPath flag. 125 | JSS Database Utility 9.98 126 | OK 127 | JSS Database Backup Utility and backup script are located in /usr/local/jss/bin 128 | 129 | The JSS has been installed. 130 | Verify that port 8443 is not blocked by a firewall. 131 | 132 | Note: MySQL is required for the JSS to run. If you do not have MySQL installed, download and install the latest version. 133 | MySQL Enterprise Edition is recommended and may be found at http://www.mysql.com/downloads/mysql 134 | Alternatively, MySQL Community Edition may be installed: 135 | Ubuntu/Debian users can run "apt-get install mysql-server" 136 | RedHat users can run "yum install mysql-server" 137 | Or any Linux distribution can download and install the appropriate package at http://www.mysql.com/downloads/mysql 138 | 139 | To complete the installation, open a web browser and navigate to https://ip-172-30-2-85.eu-west-1.compute.internal:8443. 140 | If you are installing the JSS for the first time, you are prompted with the JSS Setup Assistant. Complete the JSS Setup Assistant to start using your JSS. 141 | [ec2-user@ip-172-30-2-85 ~]$ 142 | ``` 143 | 144 | Done! 145 | 146 | 147 | ## Configure RDS 148 | 149 | When first connecting to your instance, you should get a "Database Connection Error" 150 | 151 | Connect to your EC2 Instance. 
152 | 153 | First, install MySQL: 154 | 155 | `sudo yum install mysql` 156 | 157 | Create the `jamfsoftware` database 158 | 159 | `mysql -h jamf-lab-db.c6kljkzma1b2.eu-west-1.rds.amazonaws.com -u jamfdbroot -p -e "CREATE DATABASE jamfsoftware"` 160 | 161 | Create a new user `jamfsoftware` who will only connect from `10.0.0.248` and have access to all tables from `jamfsoftware` database, with password `changeme` 162 | 163 | `mysql -h jamf-lab-db.c6kljkzma1b2.eu-west-1.rds.amazonaws.com -u jamfdbroot -p -e "GRANT ALL ON jamfsoftware.* TO jamfsoftware@10.0.0.248 IDENTIFIED BY 'changeme';"` 164 | 165 | You can now go to https://ec2-34-251-175-48.eu-west-1.compute.amazonaws.com:8443/ 166 | 167 | Configure the DB with the database and credentials you entered above 168 | ![](JSS_on_AWS/JSS-DBconfig.png) 169 | 170 | And… Done!! You should now see the license! 171 | 172 | # Redirecting from 8443 to 443 173 | 174 | Install FirewallD 175 | 176 | `sudo yum install firewalld` 177 | 178 | Start the service 179 | 180 | `sudo systemctl start firewalld` 181 | 182 | Add the redirection 183 | 184 | `sudo firewall-cmd --permanent --add-masquerade` 185 | `sudo firewall-cmd --permanent --add-forward-port=port=443:proto=tcp:toport=8443` 186 | 187 | Allow port 8443/TCP 188 | 189 | `sudo firewall-cmd --permanent --add-port=8443/tcp` 190 | 191 | Allow port 443/TCP 192 | 193 | `sudo firewall-cmd --permanent --add-port=443/tcp` 194 | 195 | Reload the service 196 | `sudo firewall-cmd --reload` 197 | 198 | Enable FirewallD at boot 199 | 200 | `sudo systemctl enable firewalld` 201 | 202 | Why not reboot to test that everything is working fine! 203 | 204 | `sudo reboot` 205 | 206 | And that's done! 
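To confirm after the reboot that the redirect survived, the output of `firewall-cmd --list-all` can be checked for the settings added in this section. This is an added example, not part of the original guide; the function name and the sample output are constructed for the illustration.

```shell
#!/bin/sh
# Added example: verify that the firewalld settings from this section are
# active. Reads `firewall-cmd --list-all` output on stdin, prints one line
# per missing setting, and returns 0 only when nothing is missing.
check_jss_redirect() {
    awk '
        $1 == "masquerade:" && $2 == "yes" { masq = 1 }
        $1 == "ports:" {
            for (i = 2; i <= NF; i++) {
                if ($i == "443/tcp")  p443 = 1
                if ($i == "8443/tcp") p8443 = 1
            }
        }
        {
            # forward-ports entries may sit on the same line or on following lines
            for (i = 1; i <= NF; i++)
                if ($i ~ /^port=443:proto=tcp:toport=8443(:|$)/) fwd = 1
        }
        END {
            if (!masq)  { print "missing: masquerade";               bad = 1 }
            if (!p443)  { print "missing: port 443/tcp";             bad = 1 }
            if (!p8443) { print "missing: port 8443/tcp";            bad = 1 }
            if (!fwd)   { print "missing: forward-port 443 -> 8443"; bad = 1 }
            exit bad
        }'
}

# Constructed sample of `firewall-cmd --list-all` output (not captured output).
SAMPLE_OK='public (active)
  target: default
  interfaces: eth0
  services: dhcpv6-client ssh
  ports: 8443/tcp 443/tcp
  masquerade: yes
  forward-ports: port=443:proto=tcp:toport=8443:toaddr=
  rich rules: '

printf '%s\n' "$SAMPLE_OK" | check_jss_redirect && echo "redirect configured"
```

On the instance itself, run `sudo firewall-cmd --list-all | check_jss_redirect`.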
207 | 208 | # Conclusion -------------------------------------------------------------------------------- /MDM/jamfpro/JSS_on_AWS/EC2-Details.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shufflepuck/MacAdminsDoc/58379e36d1e9fb8ec051e35af2eb52c3a2d86c33/MDM/jamfpro/JSS_on_AWS/EC2-Details.png -------------------------------------------------------------------------------- /MDM/jamfpro/JSS_on_AWS/EC2-Keypair.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shufflepuck/MacAdminsDoc/58379e36d1e9fb8ec051e35af2eb52c3a2d86c33/MDM/jamfpro/JSS_on_AWS/EC2-Keypair.png -------------------------------------------------------------------------------- /MDM/jamfpro/JSS_on_AWS/EC2-SecurityGroups.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shufflepuck/MacAdminsDoc/58379e36d1e9fb8ec051e35af2eb52c3a2d86c33/MDM/jamfpro/JSS_on_AWS/EC2-SecurityGroups.png -------------------------------------------------------------------------------- /MDM/jamfpro/JSS_on_AWS/EC2-Storage.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shufflepuck/MacAdminsDoc/58379e36d1e9fb8ec051e35af2eb52c3a2d86c33/MDM/jamfpro/JSS_on_AWS/EC2-Storage.png -------------------------------------------------------------------------------- /MDM/jamfpro/JSS_on_AWS/JSS-DBconfig.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shufflepuck/MacAdminsDoc/58379e36d1e9fb8ec051e35af2eb52c3a2d86c33/MDM/jamfpro/JSS_on_AWS/JSS-DBconfig.png -------------------------------------------------------------------------------- /MDM/jamfpro/JSS_on_AWS/RDS-AdvancedSettings.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Shufflepuck/MacAdminsDoc/58379e36d1e9fb8ec051e35af2eb52c3a2d86c33/MDM/jamfpro/JSS_on_AWS/RDS-AdvancedSettings.png -------------------------------------------------------------------------------- /MDM/jamfpro/JSS_on_AWS/RDS-DBDetails.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shufflepuck/MacAdminsDoc/58379e36d1e9fb8ec051e35af2eb52c3a2d86c33/MDM/jamfpro/JSS_on_AWS/RDS-DBDetails.png -------------------------------------------------------------------------------- /MDM/jamfpro/JSS_on_AWS/VPC-AZ2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shufflepuck/MacAdminsDoc/58379e36d1e9fb8ec051e35af2eb52c3a2d86c33/MDM/jamfpro/JSS_on_AWS/VPC-AZ2.png -------------------------------------------------------------------------------- /MDM/jamfpro/JSS_on_AWS/VPC.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shufflepuck/MacAdminsDoc/58379e36d1e9fb8ec051e35af2eb52c3a2d86c33/MDM/jamfpro/JSS_on_AWS/VPC.png -------------------------------------------------------------------------------- /MDM/jamfpro/Jamf_Resources.rst: -------------------------------------------------------------------------------- 1 | Jamf Resources 2 | ============== 3 | 4 | Community 5 | ---------- 6 | - `Jamf Nation `_ 7 | - Join the #jamfnation channel on `MacAdmin Slack `_ 8 | 9 | 10 | Jamf Resources 11 | -------------- 12 | 13 | - `Start here if you're a Windows Admin `_ 14 | - `Case Studies `_ 15 | - `White papers `_ 16 | - `Webinars `_ 17 | - `Videos `_ 18 | - `Technical Papers `_ 19 | 20 | 21 | Jamf Product Documentation 22 | -------------------------- 23 | 24 | - `Product Documentation `_ 25 | - `Release Notes `_ 26 | - `Installation Guides `_ 27 | - `Quickstart Guides `_ 28 | 29 | Jamf Training 30 | ------------- 31 | 32 | See all training information `here 
`_.
33 |
34 | CCT is a great introductory-level training. Anyone remotely involved in managing, supporting and selling Mac and iOS devices at your organization should take it. It's a 4-day course. Anyone can join, don't be shy!
35 |
36 | CCA is for your MacAdmins. They should all have it. Don't go cheap on this one. They need to have 6 months of experience.
37 |
38 | CCE is for your experienced MacAdmins who need additional challenges. It's scenario-based. They will love it. But it's purely optional.
39 |
40 | CJA is for your JSS Administrators; it doesn't cover Mac Administration at all.
41 |
42 | I suggest you buy a `Training pass `_:
43 |
44 | - **Individual**: one of your staff can go to any number of Jamf trainings for one year
45 | - **Organizational**: any of your staff can go to any number of Jamf trainings for one year, provided they don't attend the same one at the same time.
--------------------------------------------------------------------------------
/MDM/jamfpro/Open-Source-Links.rst:
--------------------------------------------------------------------------------
1 | .. only:: html
2 |
3 |     .. sidebar:: Article information
4 |
5 |         :Authors:
6 |             :ref:`Mosen `
7 |
8 |         :Updated: |today|
9 |
10 | Open Source and Jamf
11 | ====================
12 |
13 | This list contains some open source projects that are related to managing JAMF Pro (formerly Casper Suite).
14 | They may help you to do some things that are not possible with the Web UI alone.
15 |
16 | Repositories
17 | ------------
18 |
19 | These are some notable repositories that are dedicated to supporting JAMF Pro or have a significant number of projects
20 | related to JAMF.
21 | 22 | - `JAMF IT `_ 23 | - `JAMF Pro Services `_ 24 | - `JAMF Support `_ 25 | - `JAMF Open Source Community `_ 26 | 27 | API 28 | --- 29 | 30 | - `python-jss `_ Python wrapper for the Jamf JSS Rest API 31 | - `ruby-jss `_ Access to the Casper Suite from Ruby 32 | 33 | Command Line Tools 34 | ------------------ 35 | 36 | - `jss_helper `_ jss_helper is a powerful commandline interface for managing 37 | and auditing your Casper JSS. 38 | 39 | Configuration Management Modules 40 | -------------------------------- 41 | 42 | - `jss_chef `_ This cookbook installs and configures Jamf Pro. 43 | - `puppet-jss `_ Puppet manifests for deploying and configuring JAMF Software JSS, 44 | MySQL, and Distribution Points. 45 | 46 | Extension Attributes 47 | -------------------- 48 | 49 | - `jhbush `_ 2014 50 | - `franton `_ 51 | - `74bit `_ 52 | - `acodega `_ 53 | - `mondada `_ 54 | - `smashism `_ 55 | - `apizz `_ 56 | - `stevewood-tx `_ 57 | 58 | 59 | Migration 60 | --------- 61 | 62 | - (Do not use in prod!) `promoter `_ 63 | - `jssMigrationUtility `_ 64 | 65 | Onboarding 66 | ---------- 67 | 68 | - `ProgressScreen `_ by Jason Tratta 69 | - `CasperSplash `_ Onboarding splash screen for Casper Suite DEP 70 | 71 | Packaging 72 | --------- 73 | 74 | - `JSSImporter `_ Upload packages made with AutoPkg to your JSS with 75 | customizable policies. 76 | - `Spruce `_ Identify unused packages and scripts on a JAMF Casper JSS and 77 | optionally remove them. 78 | - `Depot3 `_ Command line package and patch management for Casper 79 | - `jamJAR `_ jamJAR: Jamf, AutoPKG & Munki combined by dataJAR. 80 | - `patchoo `_ Patchoo somewhat emulates munki workflows and user experience for 81 | JAMF Software's Casper Suite. 
82 | 83 | Scripts (Misc) 84 | -------------- 85 | 86 | Troubleshooting 87 | --------------- 88 | 89 | - `Deadpool `_ JAMF check-ins with healing factor and a mouth 90 | -------------------------------------------------------------------------------- /MDM/jamfpro/Tuning.rst: -------------------------------------------------------------------------------- 1 | :Title: JSS Tuning 2 | :Author: Mosen 3 | 4 | JSS Tuning 5 | ========== 6 | 7 | .. warning:: Do not attempt to make any of these changes without a Backup of your JSS Database. 8 | 9 | Java & Tomcat 10 | ------------- 11 | 12 | - See `Rich Trouton's Post `_ 13 | 14 | Database 15 | -------- 16 | 17 | optimizer_search_depth 18 | ^^^^^^^^^^^^^^^^^^^^^^^ 19 | 20 | For some reason this is recommended to be set to **3**. 21 | I believe this is to stop MariaDB/MySQL from coming up with too many execution plans. 22 | 23 | key_buffer_size 24 | ^^^^^^^^^^^^^^^ 25 | 26 | As per this `article `_, key buffer size should be set to 27 | about 25% or more of the available server RAM. 28 | 29 | query_cache_size 30 | ^^^^^^^^^^^^^^^^ 31 | 32 | See `article `_, Set to 0. 33 | 34 | query_cache_type 35 | ^^^^^^^^^^^^^^^^ 36 | 37 | Set to 0 to disable the query cache. 38 | 39 | (ignore) Table Storage: InnoDB 40 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 41 | 42 | Changing the table storage might have far reaching implications for you so I don't recommend this now, but these settings were recommended:: 43 | 44 | innodb_log_file_size=512M 45 | innodb_flush_log_at_trx_commit=1 46 | innodb_file_per_table=1 47 | innodb_buffer_pool_size=amount_of_RAMG # 60% or more of your total ram 48 | innodb_buffer_pool_instances=8 49 | -------------------------------------------------------------------------------- /MDM/jamfpro/index.rst: -------------------------------------------------------------------------------- 1 | Jamf Pro 2 | ******** 3 | 4 | .. 
toctree::
5 |    :maxdepth: 2
6 |    :glob:
7 |
8 |    *
9 |    ../CasperSuite/index
10 |
--------------------------------------------------------------------------------
/Profiles-and-Settings/OS-X-Updates.rst:
--------------------------------------------------------------------------------
1 | macOS Updates
2 | =============
3 |
4 | com.apple.commerce
5 | ------------------
6 |
7 | * **AutoUpdate** → Install app updates
8 | * **AutoUpdateRestartRequired** → Install OS X updates
9 |
10 | com.apple.SoftwareUpdate
11 | ------------------------
12 |
13 | * **AutomaticCheckEnabled** → Automatically check for updates
14 | * **AutomaticDownload** → Download newly available updates in the background
15 | * **ConfigDataInstall** → Install system data files
16 | * **CriticalUpdateInstall** → Install security updates (`Der Flounder <https://derflounder.wordpress.com/2014/12/24/managing-os-xs-automatic-security-updates/>`_)
17 | * **AllowPreReleaseInstallation** → Allow OS X Beta (`HT203018 <https://support.apple.com/HT203018>`_)
18 |
19 | Deploying
20 | ---------
21 |
22 | As of 2017.07.27, deploying com.apple.commerce settings via profile is unpredictable. Forcing the settings to "false" appears to work, but forcing the settings to "true" does not. For maximum reliability, use a `script `_.
23 |
24 | With Casper Suite
25 | ^^^^^^^^^^^^^^^^^
26 |
27 | 1. Create a `script `_ from "Computer Management > Scripts"
28 | 2. Create a Policy "Once per Computer" to execute this script
29 | 3. Create a Policy "Once per Week" with Software Updates > Install Software Updates from "Each computer's default software update server". Don't forget to set restart options.
30 |
--------------------------------------------------------------------------------
/Profiles-and-Settings/index.rst:
--------------------------------------------------------------------------------
1 | Profiles and Settings
2 | *********************
3 |
4 | ..
toctree:: 5 | :maxdepth: 2 6 | :titlesonly: 7 | :glob: 8 | 9 | * 10 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # MacAdminsDoc 2 | Best Practices for the Mac Admin community 3 | -------------------------------------------------------------------------------- /Security/Antivirus/Microsoft-SCEP.rst: -------------------------------------------------------------------------------- 1 | .. only:: html 2 | 3 | .. sidebar:: Article information 4 | 5 | :Authors: 6 | :ref:`ftiff ` 7 | 8 | :Updated: |today| 9 | 10 | Microsoft SCEP 11 | ============= 12 | 13 | title 14 | ------------------------------- 15 | 16 | placeholder 17 | -------------------------------------------------------------------------------- /Security/Antivirus/index.rst: -------------------------------------------------------------------------------- 1 | Antivirus 2 | ********************* 3 | 4 | .. toctree:: 5 | :maxdepth: 2 6 | :titlesonly: 7 | :glob: 8 | 9 | * 10 | -------------------------------------------------------------------------------- /Security/index.rst: -------------------------------------------------------------------------------- 1 | Security 2 | ********************* 3 | 4 | .. 
toctree:: 5 | :maxdepth: 2 6 | :titlesonly: 7 | :glob: 8 | 9 | * 10 | Antivirus/index 11 | -------------------------------------------------------------------------------- /_static/extra.css: -------------------------------------------------------------------------------- 1 | /* override table width restrictions */ 2 | .wy-table-responsive table td, .wy-table-responsive table th { 3 | white-space: normal; 4 | } 5 | 6 | .wy-table-responsive { 7 | margin-bottom: 24px; 8 | max-width: 100%; 9 | overflow: visible; 10 | } 11 | 12 | -------------------------------------------------------------------------------- /conf.py: -------------------------------------------------------------------------------- 1 | import sys 2 | import os 3 | 4 | sys.path.insert(0, os.path.abspath('..')) 5 | #import recommonmark 6 | from recommonmark.parser import CommonMarkParser 7 | from recommonmark.transform import AutoStructify 8 | 9 | source_parsers = { 10 | '.md': CommonMarkParser 11 | } 12 | 13 | source_suffix = ['.rst', '.md'] 14 | 15 | html_static_path = ['_static'] 16 | 17 | master_doc = 'index' 18 | project = u'MacAdmins Community Documentation' 19 | copyright = u'CC BY-SA 4.0' 20 | github_doc_root = 'http://github.com/Shufflepuck/MacAdminsDoc/tree/master/' 21 | 22 | html_context = { 23 | "display_github": True, # Integrate GitHub 24 | "github_user": "Shufflepuck", # Username 25 | "github_repo": "MacAdminsDoc", # Repo name 26 | "github_version": "master", # Version 27 | "conf_py_path": "/", # Path in the checkout to the docs root 28 | } 29 | 30 | # app setup hook 31 | def setup(app): 32 | app.add_stylesheet("extra.css") 33 | app.add_config_value('recommonmark_config', { 34 | 'url_resolver': lambda url: github_doc_root + url, 35 | 'auto_toc_tree_section': 'Contents', 36 | }, True) 37 | app.add_transform(AutoStructify) 38 | -------------------------------------------------------------------------------- /index.rst: 
--------------------------------------------------------------------------------
1 | Welcome
2 | =======
3 |
4 | Welcome to the MacAdmins Documentation.
5 |
6 | The goal of this website is to assemble best practices and useful docs found on the web. It is curated by top-notch MacAdmins.
7 |
8 | It is dedicated to Investigate, Clarify and Resolve key issues in managing Macs.
9 |
10 | It is independent and welcoming to every MacAdmin.
11 |
12 | Think of a collection of pages that you would use as the ultimate reference.
13 |
14 | The goal of this repository is to:
15 |
16 | - Help beginners learn the basics
17 | - Help veterans keep current on technologies
18 | - Provide a quick way to answer common questions
19 | - Be an authoritative answer to endless discussions
20 | - Be a checklist to assess the state of your current work
21 |
22 | macOS is increasingly used by businesses. This means more and more non-Mac admins need to learn how to administer Macs. Unfortunately, today only a few resources are available. They might give you technical answers, but to get the full experience, you need to understand the vision, or philosophy. It's like using open source projects and embracing the GNU philosophy.
23 |
24 |
25 | .. image:: https://i.creativecommons.org/l/by-sa/4.0/88x31.png
26 |
27 | *MacAdmins Doc* is licensed under a `Creative Commons Attribution-ShareAlike 4.0 International License `_
28 |
29 |
30 | .. _docs:
31 |
32 | .. toctree::
33 |    :maxdepth: 2
34 |    :caption: Documentation
35 |
36 |    General/index
37 |    Integration/index
38 |    MDM/jamfpro/index
39 |    MDM/AirWatch/index
40 |    MDM/Puppet/index
41 |    Profiles-and-Settings/index
42 |    Applications/index
43 |    Security/index
44 |
45 |
46 | ..
toctree:: 47 | :maxdepth: 2 48 | :caption: About 49 | 50 | About/index 51 | Contributors/index 52 | -------------------------------------------------------------------------------- /mkdocs.yml: -------------------------------------------------------------------------------- 1 | site_name: MacAdmins Community Documentation 2 | repo_url: https://github.com/Shufflepuck/MacAdminsDoc 3 | repo_name: 'GitHub' 4 | copyright: Creative Commons Attribution-ShareAlike 4.0 International License 5 | google_analytics: ['UA-68588325-4'] 6 | 7 | 8 | 9 | -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | recommonmark==0.4.0 2 | 3 | --------------------------------------------------------------------------------