├── .gitignore
├── Apple
    ├── Jamf
    │   ├── README.md
    │   └── Extension Attributes
    │   │   ├── get-onedrive-kfmStatus.zsh
    │   │   ├── get-zscalerLoginStatus.zsh
    │   │   ├── get-zscalerStatusZIA.zsh
    │   │   ├── get-zscalerStatusZDX.zsh
    │   │   └── get-zscalerStatusZPA.zsh
    ├── README.md
    ├── Scripts
    │   ├── install-or-update-sentinelone.zsh
    │   ├── createUsers_macOS_FV-test.bash
    │   ├── invoke-jamfSelfServiceItem.zsh
    │   ├── README.md
    │   ├── set-defaultDock.bash
    │   ├── Set-AzVpnConfig.sh
    │   └── set-proxyVariables.zsh
    ├── MDM Comparison Table.md
    └── MDM Networking Requirements.md
├── Scripts
    ├── README.md
    └── Create-JiraIssuesForClinics.ps1
├── LICENSE
└── README.md


/.gitignore:
--------------------------------------------------------------------------------
*.DS_Store
.DS_Store


--------------------------------------------------------------------------------
/Apple/Jamf/README.md:
--------------------------------------------------------------------------------
# Jamf
Various items related to using Jamf Pro to manage Apple devices (macOS focused at the moment)

## [Extension Attributes](Extension%20Attributes)
Extension Attributes for some things I'm able to share


--------------------------------------------------------------------------------
/Scripts/README.md:
--------------------------------------------------------------------------------
# Scripts
Some scripts I find useful. Maybe you will, too.

## [Create-JiraIssuesForClinics.ps1](Create-JiraIssuesForClinics.ps1)

This was a very specific project to create a massive amount of Jira issues for hundreds of physical sites and leverage Google Maps' API to put clickable map links in the issues for use by local service techs.

---
### Moved some scripts to different folder
* [set-proxyVariables.zsh](/Apple/Scripts/set-proxyVariables.zsh)
  * MOVED to [/Apple/Scripts/](/Apple/Scripts/README.md)

* [install-or-update-sentinelone.zsh](/Apple/Scripts/install-or-update-sentinelone.zsh)
  * MOVED to [/Apple/Scripts/](/Apple/Scripts/README.md)

* [set-defaultDock.bash](/Apple/Scripts/set-defaultDock.bash)
  * MOVED to [/Apple/Scripts/](/Apple/Scripts/README.md)


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2025 hkystar35

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# MDM
MDM Related code, docs, scripts, snippets, thoughts, and musings.

## Evaluating MDM products



$${\color{red}New!}$$
> Check out the new format of this table (as of 2024-01-09). Please [create a new PR](https://github.com/hkystar35/MDM/pull/new/main) to correct or add any items, MDMs, or add supporting documentation links.

If you're lucky (unlucky?) enough to get to choose an MDM product for your organization, whether starting new or migrating from an existing one, you need to figure out what your true needs are.

Being prepared to make concessions on superfluous items while holding firm on high-priority features is a delicate balance. Ultimately, most admins will have to balance cost, functionality, and learning curve.
For more info, check out my blog on Sysmansquad: [Evaluating Apple MDM Products](https://sysmansquad.com/2022/05/03/2022-05-03-evaluating-apple-mdm-products/).


### Managing Apple Devices
To start, check out this [MDM Comparison Table](https://github.com/hkystar35/MDM/blob/main/Apple/MDM%20Comparison%20Table.md) for some medium-to-high-level info on features of a few leading MDM products.


--------------------------------------------------------------------------------
/Apple/Jamf/Extension Attributes/get-onedrive-kfmStatus.zsh:
--------------------------------------------------------------------------------
#!/usr/bin/env zsh

# Heavily borrowed from https://gist.github.com/colorenz/ffcd2906262ade3af16b91361ffef47e#file-check_onedrive_kfm_new-sh

# Get the currently logged-in user and their home folder
currentUser=$(/bin/echo "show State:/Users/ConsoleUser" | /usr/sbin/scutil | /usr/bin/awk '/Name :/&&!/loginwindow/{print $3}')
currentUserHomeFolder=$(dscl . -read "/users/${currentUser}" NFSHomeDirectory | cut -d " " -f 2)

# OneDrive stores the Known Folder Move (KFM) state in its group container plist
plist="${currentUserHomeFolder}/Library/Group Containers/UBF8T346G9.OneDriveStandaloneSuite/Library/Preferences/UBF8T346G9.OneDriveStandaloneSuite.plist"
plistKey='AccountInfo_Business1:KfmFoldersProtectedNow'
RESULT='Not Found'

if [[ -n "${plistKey}" && -n "${plist}" ]]; then
    # PlistBuddy returns non-zero when the file or key is missing; RESULT then stays 'Not Found'
    if value="$(/usr/libexec/PlistBuddy -c "Print :${plistKey}" "${plist}")"; then
        # Map the known values to readable results; anything else is reported as-is
        case "$value" in
        "0")
            RESULT='FALSE'
            ;;
        "512")
            RESULT='Desktop=TRUE'
            ;;
        "1024")
            RESULT='Documents=TRUE'
            ;;
        "1536")
            RESULT='DesktopDocuments=TRUE'
            ;;
        *)
            RESULT="${value}"
            ;;
        esac
    fi
fi

/bin/echo "${RESULT}"

exit 0


--------------------------------------------------------------------------------
/Apple/README.md:
--------------------------------------------------------------------------------
# Apple
This is where my career is currently: Managing Apple devices in enterprise environments.

I put things here that are mostly helpful to me (so I don't forget them) and hopefully useful to Mac Admins

## Community Resources
A while back, I wrote a blog about my experiences having a near-greenfield to implement an MDM solution at a previous org: [Evaluating Apple MDM Products | SysManSquad](https://sysmansquad.com/2022/05/03/2022-05-03-evaluating-apple-mdm-products).
From that, these tables were born:

### [MDM Comparison Table](Apple/MDM%20Comparison%20Table.md)
A big table comparing various MDM vendor features in an attempt to make it easier for others to see pros/cons of each

### [MDM Networking Requirements](Apple/MDM%20Networking%20Requirements.md)
This one started much later when it became necessary to track and manage a ton of URLs for an org with high security and a requirement to Allow List only what's needed.
This is definitely out of date; I have no automation skills with git/GitHub Actions. Sorry.

## [Jamf](Jamf)
Anything I'm able to publish that's useful for Jamf Pro. Much of it can likely be modified to work with other MDMs with low-to-mid effort.

### [Extension Attributes](Apple/Jamf/Extension%20Attributes)
Jamf Pro Extension Attributes

### [Scripts](Apple/Scripts)
Bash, Zsh, Shell, PowerShell scripts related to managing macOS


--------------------------------------------------------------------------------
/Apple/Jamf/Extension Attributes/get-zscalerLoginStatus.zsh:
--------------------------------------------------------------------------------
#!/usr/bin/env zsh

: <<'COMMENT-BLOCK'
.SYNOPSIS
    Jamf Extension Attribute to get Logged In user for Zscaler

.DESCRIPTION
    Jamf Extension Attribute to get Logged In user for Zscaler.
    Output options:
        `Not LoggedIn`
        `username@contoso.com`

.NOTES
    Requires Zscaler Client Connector 4.3 or higher installed
    Requires zscli to be enabled in your Zcloud portal

    Author: hkystar35
    Date Created: 2025-03-03 18:34 MST
    Github: https://github.com/hkystar35/MDM/Apple/Jamf/Extension%20Attributes/zscaler_get-loginStatus.zsh

    History:
        2025-03-03 18:34 MST hkystar35 - created script

COMMENT-BLOCK

_zscli="/Applications/Zscaler/Zscaler.app/Contents/PlugIns/zscli"
result="Not LoggedIn"
jamf_jq="install-jq" # Jamf Policy event trigger

#region functions

# Log to stderr so stdout carries only the Extension Attribute result
function log_output {
    echo $(date +"%Y-%m-%d %H:%M:%S")" $1" >&2
    #echo $(date +"%Y-%m-%d %H:%M:%S")" $1" >>"$LOGFILE" # uncomment if you want a local log created
}

# Make sure jq is available; try the Jamf policy trigger once if it is not
function test-jq {
    _jq=$(which jq)
    # Discard the version banner so it does not end up in the EA result
    if jq --version >/dev/null 2>&1; then
        log_output "jq is installed"
    else
        log_output "jq not installed"
        log_output "Running trigger ${jamf_jq}"
        jamf policy -event "${jamf_jq}" >&2
    fi

    if jq --version >/dev/null 2>&1; then
        log_output "jq is installed"
    else
        log_output "jq install FAILED"
        exit 0
    fi
}

#endregion functions

# Check if zscli found
if [ -f "${_zscli}" ]; then
    log_output "_zscli found: ${_zscli}"

    # Check jq installed
    test-jq

    # Check zscli for zpa username
    userName="$($_zscli status -s zpa | jq -r '.zpa.username')"
    if [[ $userName == *@contoso.com* ]]; then # modify with your company's username requirements
        log_output "$userName matches *@contoso.com*"
        result="${userName}"
    fi
fi

# Echo result to Jamf
echo "${result}"

exit 0


--------------------------------------------------------------------------------
/Apple/Jamf/Extension Attributes/get-zscalerStatusZIA.zsh:
--------------------------------------------------------------------------------
#!/usr/bin/env zsh

autoload is-at-least

##############################################################################
# Check Zscaler service status
#
# Zscaler Internet Access (ZIA)
#
# Pre-requisites:
# 1) Zscaler Client Connector version 4.3 or higher Installed
# 2) Zscaler CLI is present
# 3) Zscaler CLI enabled in Zcloud Portal
# 4) jq installed
#
##############################################################################

minimumZCCversion="4.3"
ZCCversion="$(defaults read /Applications/Zscaler/Zscaler.app/Contents/Info.plist CFBundleShortVersionString)"
_zscli="/Applications/Zscaler/Zscaler.app/Contents/PlugIns/zscli"
jamf_jq="install-jq"
zscaler_service="zia" # zpa, zia, zdx

#region functions

# Log to stderr so stdout carries only the Extension Attribute result
function log_output {
    echo $(date +"%Y-%m-%d %H:%M:%S")" $1" >&2
    #echo $(date +"%Y-%m-%d %H:%M:%S")" $1" >>"$LOGFILE" # uncomment if you want a local log created
}

# Make sure jq is available; try the Jamf policy trigger if it is not
function test-jq {
    _jq=$(which jq)
    # Discard the version banner so it does not end up in the EA result
    if jq --version >/dev/null 2>&1; then
        log_output "jq is installed"
    else
        log_output "jq not installed"
        log_output "Running trigger ${jamf_jq}"
        jamf policy -event "${jamf_jq}" >&2
    fi
}

#endregion functions

# Check prerequisites: app present, minimum version, CLI present
if [[ -e "/Applications/Zscaler/Zscaler.app" ]]; then
    log_output "Zscaler exists"
    if is-at-least "${minimumZCCversion}" "${ZCCversion}"; then # don't change to double-[[]]; breaks the line
        log_output "$ZCCversion is greater than or equal to $minimumZCCversion"
        if [[ -f "${_zscli}" ]]; then
            log_output "ZCC cli exists: $_zscli"
        else
            log_output "ZCC cli not found"
            exit 0
        fi
    else
        log_output "$ZCCversion is LESS than $minimumZCCversion"
        exit 0
    fi
else
    log_output "Zscaler not installed"
    exit 0
fi

test-jq

zscaler_Status=$( sudo /Applications/Zscaler/Zscaler.app/Contents/PlugIns/zscli status -s "${zscaler_service}" )
status1="$(echo $zscaler_Status | jq -r ".${zscaler_service}.serviceStatus")" # TUNNEL_FORWARDING | TUNNEL_NONE

/bin/echo "$(echo $status1 | tr ' ' ';')"


--------------------------------------------------------------------------------
/Apple/Jamf/Extension Attributes/get-zscalerStatusZDX.zsh:
--------------------------------------------------------------------------------
#!/usr/bin/env zsh

autoload is-at-least

##############################################################################
# Check Zscaler service status
#
# Zscaler Digital Experience (ZDX)
#
# Pre-requisites:
# 1) Zscaler Client Connector version 4.3 or higher Installed
# 2) Zscaler CLI is present
# 3) Zscaler CLI enabled in Zcloud Portal
# 4) jq installed
#
##############################################################################

minimumZCCversion="4.3"
ZCCversion="$(defaults read /Applications/Zscaler/Zscaler.app/Contents/Info.plist CFBundleShortVersionString)"
_zscli="/Applications/Zscaler/Zscaler.app/Contents/PlugIns/zscli"
jamf_jq="install-jq"
zscaler_service="zdx" # zpa, zia, zdx

#region functions

# Log to stderr so stdout carries only the Extension Attribute result
function log_output {
    echo $(date +"%Y-%m-%d %H:%M:%S")" $1" >&2
    #echo $(date +"%Y-%m-%d %H:%M:%S")" $1" >>"$LOGFILE" # uncomment if you want a local log created
}

# Make sure jq is available; try the Jamf policy trigger if it is not
function test-jq {
    _jq=$(which jq)
    # Discard the version banner so it does not end up in the EA result
    if jq --version >/dev/null 2>&1; then
        log_output "jq is installed"
    else
        log_output "jq not installed"
        log_output "Running trigger ${jamf_jq}"
        jamf policy -event "${jamf_jq}" >&2
    fi
}

#endregion functions

# Check prerequisites: app present, minimum version, CLI present
if [[ -e "/Applications/Zscaler/Zscaler.app" ]]; then
    log_output "Zscaler exists"
    if is-at-least "${minimumZCCversion}" "${ZCCversion}"; then # don't change to double-[[]]; breaks the line
        log_output "$ZCCversion is greater than or equal to $minimumZCCversion"
        if [[ -f "${_zscli}" ]]; then
            log_output "ZCC cli exists: $_zscli"
        else
            log_output "ZCC cli not found"
            exit 0
        fi
    else
        log_output "$ZCCversion is LESS than $minimumZCCversion"
        exit 0
    fi
else
    log_output "Zscaler not installed"
    exit 0
fi

test-jq

zscaler_Status=$( sudo /Applications/Zscaler/Zscaler.app/Contents/PlugIns/zscli status -s "${zscaler_service}" )

status1="$(echo $zscaler_Status | jq -r ".${zscaler_service}.upmAuthState")" # Authenticated
status2="$(echo $zscaler_Status | jq -r ".${zscaler_service}.upmServiceState")" # ON

/bin/echo "$(echo $status1 $status2 | tr ' ' ';')"


--------------------------------------------------------------------------------
/Apple/Jamf/Extension Attributes/get-zscalerStatusZPA.zsh:
--------------------------------------------------------------------------------
#!/usr/bin/env zsh

autoload is-at-least

##############################################################################
# Check Zscaler service status
#
# Zscaler Private Access (ZPA)
#
# Pre-requisites:
# 1) Zscaler Client Connector version 4.3 or higher Installed
# 2) Zscaler CLI is present
# 3) Zscaler CLI enabled in Zcloud Portal
# 4) jq installed
#
##############################################################################

minimumZCCversion="4.3"
ZCCversion="$(defaults read /Applications/Zscaler/Zscaler.app/Contents/Info.plist CFBundleShortVersionString)"
_zscli="/Applications/Zscaler/Zscaler.app/Contents/PlugIns/zscli"
jamf_jq="install-jq"
zscaler_service="zpa" # zpa, zia, zdx

#region functions

# Log to stderr so stdout carries only the Extension Attribute result
function log_output {
    echo $(date +"%Y-%m-%d %H:%M:%S")" $1" >&2
    #echo $(date +"%Y-%m-%d %H:%M:%S")" $1" >>"$LOGFILE" # uncomment if you want a local log created
}

# Make sure jq is available; try the Jamf policy trigger if it is not
function test-jq {
    _jq=$(which jq)
    # Discard the version banner so it does not end up in the EA result
    if jq --version >/dev/null 2>&1; then
        log_output "jq is installed"
    else
        log_output "jq not installed"
        log_output "Running trigger ${jamf_jq}"
        jamf policy -event "${jamf_jq}" >&2
    fi
}

#endregion functions

# Check prerequisites: app present, minimum version, CLI present
if [[ -e "/Applications/Zscaler/Zscaler.app" ]]; then
    log_output "Zscaler exists"
    if is-at-least "${minimumZCCversion}" "${ZCCversion}"; then # don't change to double-[[]]; breaks the line
        log_output "$ZCCversion is greater than or equal to $minimumZCCversion"
        if [[ -f "${_zscli}" ]]; then
            log_output "ZCC cli exists: $_zscli"
        else
            log_output "ZCC cli not found"
            exit 0
        fi
    else
        log_output "$ZCCversion is LESS than $minimumZCCversion"
        exit 0
    fi
else
    log_output "Zscaler not installed"
    exit 0
fi

test-jq

zscaler_Status=$( sudo /Applications/Zscaler/Zscaler.app/Contents/PlugIns/zscli status -s "${zscaler_service}" )
status1="$(echo $zscaler_Status | jq -r ".${zscaler_service}.authenticationStatus")" # = AUTHENTICATED
status2="$(echo $zscaler_Status | jq -r ".${zscaler_service}.serviceStatus")" # = TUNNEL_FORWARDING

/bin/echo "$(echo $status1 $status2 | tr ' ' ';')"


--------------------------------------------------------------------------------
/Apple/Scripts/install-or-update-sentinelone.zsh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

# Thanks to https://macadmins.slack.com/team/U03FJURNFNU for the start

# Jamf Variables. Override local values if value passed by Jamf
version=""
if [ "$4" != "" ]; then
    version=$4
fi
installerPkgName=""
if [ "$5" != "" ]; then
    installerPkgName=$5
fi
s1Token=""
if [ "$6" != "" ]; then
    s1Token=$6
fi

# Script Variables
installerFolder="/Library/Application Support/JAMF/Waiting Room"
installerFullPath="$installerFolder/$installerPkgName"
s1TokenFileName="com.sentinelone.registration-token"
s1TokenFullPath="$installerFolder/$s1TokenFileName"

# Validate Variable values
[[ -z "$version" ]] && echo "version missing"
[[ -z "$installerPkgName" ]] && echo "installerPkgName missing"
[[ -z "$s1Token" ]] && echo "s1Token missing"
[[ ! -d "$installerFolder" ]] && echo "installerFolder does not exist"
[[ ! -f "$installerFullPath" ]] && echo "installerFullPath does not exist: \"$installerFullPath\""

if [[ -z "$version" ]] || [[ -z "$installerPkgName" ]] || [[ -z "$s1Token" ]] || [[ ! -d "$installerFolder" ]] || [[ ! -f "$installerFullPath" ]]; then
    echo "terminating error"
    exit 1
fi

#function versionConvert - converts version string to integer for comparison
versionConvert() {
    echo "$@" | awk -F. '{ printf("%d%03d%03d%03d\n", $1,$2,$3,$4); }'
}

#function writeTokenFile - write token file to installer package folder
writeTokenFile() {
    echo "writing token file"
    echo "$s1Token" >"$1"
}

# Check for sentinelctl binary
S1_cmd=$(which sentinelctl)

if [ -f "$S1_cmd" ]; then
    echo "S1_cmd is installed: $S1_cmd"

    S1_version=$($S1_cmd version | awk '{print $2}')
    if [ "$(versionConvert "$S1_version")" -ge "$(versionConvert "$version")" ]; then
        echo "Installed version, $S1_version, is greater than or equal to required version, $version"
        echo "S1 is up to date nothing to install"
        code=0
    else
        echo "upgrading S1 using command \"$S1_cmd\" and installer package \"$installerFullPath\""
        writeTokenFile "$s1TokenFullPath"
        $S1_cmd upgrade-pkg "$installerFullPath"
        code=$?
    fi
else
    echo "S1 not installed. Installing."
    writeTokenFile "$s1TokenFullPath"
    /usr/sbin/installer -pkg "$installerFullPath" -target /
    code=$?
fi

# Always remove the registration token file once the installer has run
if [[ -f "$s1TokenFullPath" ]]; then
    echo "deleting token file:"
    rm -f -v "$s1TokenFullPath"
else
    echo "token file not found: $s1TokenFullPath"
fi

echo "code $code"

exit $code


--------------------------------------------------------------------------------
/Apple/Scripts/createUsers_macOS_FV-test.bash:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

: <<'COMMENT-BLOCK'
.SYNOPSIS
    Creates a large number of local Mac user accounts for testing FileVault

.DESCRIPTION
    Creates a large number of local Mac user accounts for testing FileVault
    The purpose is to:
    - test the limits of how many users can get a SecureToken to unlock FileVault
    - test how many users are visible in the FileVault user selection scrolling window

.NOTES
    This probably isn't useful for many, but it was written as a quick way to make sure a
    shared Mac at a front desk could have many users able to unlock FileVault as a PoC for
    upper management

    Author: hkystar35
    Date Created: 2022-07-22
    Github: https://github.com/hkystar35/MDM/Apple/Scripts/createUsers_macOS_FV-test.bash

    History:
        2022-07-22 hkystar35 - created script
        2025-03-03 hkystar35 - added this comment block
                             - updated shebang

COMMENT-BLOCK

# Use a name generator site to create your array of fake names
arrUsers=("Zbikowski Johansen"
    "Zuehlke Karlsen"
    "Zachmann Johansson"
    "Yingling Taylor"
    "Yarish Walker"
    "Zampogna Smith"
    "Yearout Johansson"
    "Zornes Karlsson"
    "Zell Hughes"
    "Yearsley Jones"
    "Yuill Bengtsson"
    "Youson Johansson"
    "Yeary Martinez"
    "Yorston Jones"
    "Zweck Watson"
    "Zollicoffer Pedersen"
    "Zimmermann Johansson"
    "Zillgitt Johannessen"
    "Zoeller Johnsen"
    "Yotsler Green"
    "Zerwe Wilson"
    "Zoellers Ross"
    "Zeliff Patel"
    "Yolland Karlsson"
    "Yousef Nilsson"
    "Zalmers Walker"
    "Zimple Johansen"
    "Youngblood Andreassen"
    "Zeigler Pettersson"
    "Zenichowski Robertson")

# Shared password for the throwaway test accounts
password="TestPassword2022!!"

for name in "${arrUsers[@]}"; do
    # Next free UniqueID = highest existing ID + 1
    LastID=$(dscl . -list /Users UniqueID | awk '{print $2}' | sort -n | tail -1)
    NextID=$((LastID + 1))
    # username is the lower-cased name with the space replaced by a dot
    username="${name// /.}"
    username=$(echo "$username" | awk '{print tolower($0)}')
    echo "User: $name"
    echo " username: $username"

    #dscl . -delete /Users/$username

    # Create the user record
    dscl . -create "/Users/$username"

    # Set the display name of the user
    dscl . -create "/Users/$username" RealName "$name"
    # Set the password for this user
    dscl . -passwd "/Users/$username" "$password"

    dscl . -create "/Users/$username" UniqueID "$NextID"
    dscl . -create "/Users/$username" PrimaryGroupID 20
    dscl . -create "/Users/$username" UserShell /bin/bash
    # Home directory matches the folder populated from the user template below
    dscl . -create "/Users/$username" NFSHomeDirectory "/Users/$username"
    cp -R /System/Library/User\ Template/English.lproj "/Users/$username"
    chown -R "$username":staff "/Users/$username"

done


--------------------------------------------------------------------------------
/Apple/Scripts/invoke-jamfSelfServiceItem.zsh:
--------------------------------------------------------------------------------
#!/usr/bin/env zsh

: <<'COMMENT-BLOCK'
.SYNOPSIS
    Script to open or execute a Jamf Self Service item as the logged in user.

.DESCRIPTION
    Script to open or execute a Jamf Self Service item as the logged in user.

.PARAMETER $1
    Reserved for Jamf - mount point

.PARAMETER $2
    Reserved for Jamf - computer name

.PARAMETER $3
    Reserved for Jamf - username

.PARAMETER $4
    jamfSelfServiceEntity="$4"
    Must be one of: configprofile, policy, or app-installer
    $entityList variable sets the list regex match

.PARAMETER $5
    jamfSelfServiceItemId="$5"
    Must be integer
    $iDregex variable sets the list regex match

.PARAMETER $6
    jamfSelfServiceAction="$6"
    Must be one of: view or execute
    $actionList variable sets the list regex match

.EXAMPLE
    ./invoke-jamfSelfServiceItem.zsh '' '' '' 'policy' '123' 'view'

.NOTES
    To use this outside of the Jamf script node, it's recommended to change the parameters to use 1-3 instead of 4-6 to avoid passing empty arguments.


    Author: hkystar35
    Date Created: 2025-10-13 17:16 MST

    History:
        2025-10-13 - hkystar35 - created script


COMMENT-BLOCK

# Jamf Variable. Override local values if value passed by Jamf. Jamf Script Param Label:
jamfSelfServiceEntity=''
if [ "$4" != "" ]; then
    jamfSelfServiceEntity="${4}"
fi

jamfSelfServiceItemId=''
if [ "$5" != "" ]; then
    jamfSelfServiceItemId=$5
fi

jamfSelfServiceAction=''
if [ "$6" != "" ]; then
    jamfSelfServiceAction=$6
fi

# Validate every parameter against an allow-list before it is placed in the URL.
# Each pattern matches exactly one listed value (no repetition such as "viewview").
entityList='^(configprofile|policy|app-installer)$'
iDregex='^[0-9]+$'
actionList='^(view|execute)$'

if ! [[ "${jamfSelfServiceEntity}" =~ ${entityList} ]]; then
    echo " \"$jamfSelfServiceEntity\" does not match list \"${entityList}\""
    exit 1
fi

if ! [[ $jamfSelfServiceItemId =~ $iDregex ]]; then
    echo " \"$jamfSelfServiceItemId\" does not match regex \"${iDregex}\""
    exit 1
fi

if ! [[ "${jamfSelfServiceAction}" =~ $actionList ]]; then
    echo " \"$jamfSelfServiceAction\" does not match list \"${actionList}\""
    exit 1
fi

# jamfConfigurationProfileId='523'
jamfSelfServiceUrl="jamfselfservice://content?entity=${jamfSelfServiceEntity}&id=${jamfSelfServiceItemId}&action=${jamfSelfServiceAction}"

## Get current logged on user
currentUser=$(/bin/echo "show State:/Users/ConsoleUser" | /usr/sbin/scutil | /usr/bin/awk '/Name :/&&!/loginwindow/{print $3}')
currentUserUID=$(/bin/echo "show State:/Users/ConsoleUser" | scutil | awk '/kCGSSessionUserIDKey :/ { print $3 }')
currentUserHomeFolder=$(dscl . -read "/users/${currentUser}" NFSHomeDirectory | cut -d " " -f 2)

# Run a command in the logged-in user's session instead of as root.
# currentUser is empty when only the login window is showing (the awk filter drops it).
runAsUser() {
    if [ -n "$currentUser" ] && [ "$currentUser" != "loginwindow" ]; then
        launchctl asuser "$currentUserUID" sudo -u "$currentUser" "$@"
    else
        echo "no user logged in"
    fi
}

runAsUser open "${jamfSelfServiceUrl}"


--------------------------------------------------------------------------------
/Apple/Scripts/README.md:
--------------------------------------------------------------------------------
# Scripts
Notes on some of these scripts, mostly steps to set up in Jamf Pro

## [set-proxyVariables.zsh](set-proxyVariables.zsh)

Proxies are rarely fun to deal with, especially when pairing them with high-security setups that limit admin-level permissions to nearly all aspects of macOS, which prevents users from many self-help options.
Because of this, I set out to script a way to set your proxy information by script using an MDM, in this case Jamf.
My goals were:
1) Flexible.
   - Needs to be easily changeable. In case hosts or URLs change, being able to quickly modify only a parameter and not the core script makes changes faster and more predictable.
2) Easy to deploy.
   - Deploying via MDM is the easiest and most reliable option.
     Jamf's script runner is great and allows for parameters to be labeled and modified within a policy without modifying the script directly.
3) Non-invasive.
   - Will not interrupt any existing connections (open Terminal windows). Also, if an OS update clears out the system shell profile, the settings won't throw errors when opening a Terminal.
4) Easy to remove (or ensure missing info didn't break connections).
   - Avoid having to remove lines from a system shell profile at all costs. Instead, only *add* a one-liner to check for a settings file and source it if it exists.

Check the comment block in the script for params.
I cannot share screenshots at this time, sorry.

## [install-or-update-sentinelone.zsh](install-or-update-sentinelone.zsh)

With help from [Willk675](https://macadmins.slack.com/team/U03FJURNFNU) to get it started, I expanded this script to be more verbose, add an installation piece, and support Jamf Pro's script parameter variables.

### Jamf Pro Setup
1) In Settings > Scripts > click **New +**
    * General -> Name it
    * Script -> Paste contents
    * Options -> label variables 4-6 (see script contents for suggestion)
    **Save**

2) In Computers > Policies > click **New +**
    * General -> name what you want, triggers, etc.
    * Packages
        * Select your uploaded SentinelOne package
        * Make sure to select **Cache**
        * Copy the package name text
    * Scripts
        * Select the script you created in Step 1
        * Set parameter values
            * Paste the package name, version, and token as necessary

Configure the rest how you want (scope, maintenance, etc.)

Deploy and you should only have to deploy 1 policy to all targeted machines to update or install the agent.
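
The token handling and version check in `install-or-update-sentinelone.zsh`, reworked as an added example (not code from this repository): the registration token file is created owner-readable only and removed on every exit path, and versions are compared field by field, because with the fixed `%03d` padding a component above 999 spills into its neighbour. The function names `version_at_least` and `with_token_file` are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the repository. Function names are hypothetical.

# version_at_least INSTALLED REQUIRED
# Returns 0 when INSTALLED >= REQUIRED, 1 when it is lower, and 2 when either
# value is empty or not a dotted number, so a failed `sentinelctl version`
# parse is reported instead of silently comparing as 0.
version_at_least() {
    for val_v in "$1" "$2"; do
        case "$val_v" in
            '' | *[!0-9.]* | .* | *. | *..*) return 2 ;;
        esac
    done
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0   # missing fields count as 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# with_token_file TOKEN TOKEN_PATH COMMAND [ARGS...]
# Writes TOKEN to TOKEN_PATH with mode 0600, runs COMMAND, and removes the
# file afterwards whether COMMAND succeeds, fails or is interrupted.
# Returns COMMAND's exit status.
with_token_file() {
    wtf_token=$1
    wtf_path=$2
    shift 2
    (
        trap 'rm -f "$wtf_path"' EXIT    # cleanup on every exit path
        trap 'exit 130' INT TERM HUP     # signals fall through to the EXIT trap
        umask 077                        # new files are created as 0600
        rm -f "$wtf_path"                # never reuse a file with looser modes
        printf '%s\n' "$wtf_token" >"$wtf_path" || exit 1
        "$@"
    )
}

# How the two functions would slot into the script (variable names as in
# install-or-update-sentinelone.zsh):
#
#   version_at_least "$S1_version" "$version"
#   case $? in
#       0) code=0 ;;
#       1) with_token_file "$s1Token" "$s1TokenFullPath" \
#              "$S1_cmd" upgrade-pkg "$installerFullPath"
#          code=$? ;;
#       *) echo "could not parse version"; code=1 ;;
#   esac
```
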

## [set-defaultDock.bash](set-defaultDock.bash)

This script leverages [Dockutil](https://github.com/kcrawford/dockutil) to set the currently logged-in Mac user's Dock items.

### Jamf Pro Setup (recommended approach)
1) In Settings > Scripts > click **New +**
    * General -> Name it
    * Script -> Paste contents
    * Options -> label variables 4-6 (see script contents for suggestion)
    **Save**
    * I only have Option 4 set for installing Dockutil using a Jamf Pro Policy item's Custom Event trigger. Customize as you see fit.

2) In Computers > Policies > click **New +**
    * General -> name what you want, triggers, etc.
        * Trigger
            * Custom: `set-defaultdock`
        * Execution Frequency: Ongoing
    * Scripts
        * Select the script you created in Step 1
        * Set parameter values, if needed
    * Scope
        * All Computers or a Smart Group for all computers
    * Self Service
        * I like to make this available in Self Service in case users ever want to reset their Dock quickly

3) Add Policy from Step 2 to your Enrollment setup (DEPNotify, Jamf Setup Manager, SUPER, Octory, etc)
    * Have it run last after all apps are installed and Mac is at the user's desktop


--------------------------------------------------------------------------------
/Apple/Scripts/set-defaultDock.bash:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

# This script sets the default dock for the logged in user if the apps in the array exist.
# This script was mostly written by someone else, but I cannot find the source to give credit. Please message me if you find it.

# Include Standard PATH for commands
export PATH=/usr/bin:/bin:/usr/sbin:/sbin

# Set up variables
# Jamf Variable. Override local values if value passed by Jamf. Jamf Script Param Label: custom Jamf trigger for Dockutil installation
jamfEvent="install-dockutil"
if [ "$4" != "" ]; then
    jamfEvent=$4
fi

dockutil="/usr/local/bin/dockutil"
loggedInUser=$(/bin/echo "show State:/Users/ConsoleUser" | /usr/sbin/scutil | /usr/bin/awk '/Name :/&&!/loginwindow/{print $3}')
loggedInUserHome="/Users/$loggedInUser"
userPlist=$loggedInUserHome/Library/Preferences/com.apple.dock.plist

# Absolute paths for the commands used below
whoami="/usr/bin/whoami"
echo="/bin/echo"
sudo="/usr/bin/sudo"
jamf="/usr/local/bin/jamf"
killall="/usr/bin/killall"

##########################################################################################
# Check if script is running as root
##########################################################################################

if [ "$($whoami)" != root ]; then
    $echo "[ERROR] This script must be run using sudo or as root. Exiting..."
    exit 1
fi

##########################################################################################
# Check if Dockutil is installed, try remediation or exit
##########################################################################################

if [[ -f "$dockutil" ]]; then
    $echo "dockutil installed at \"$dockutil\""
else
    $echo "dockutil not installed. Calling Jamf policy to install."
    $jamf policy -event "$jamfEvent"
    if [[ -f "$dockutil" ]]; then
        $echo "dockutil installed successfully by Jamf"
    else
        $echo "Failed to install Jamf event \"$jamfEvent\". Exiting script."
49 | exit 1 50 | fi 51 | fi 52 | 53 | ########################################################################################## 54 | # Use Dockutil to Modify Logged-In User's Dock 55 | ########################################################################################## 56 | $echo "----------------------------------------------------------------------" 57 | $echo "Dockutil script to modify logged-in user's Dock" 58 | $echo "----------------------------------------------------------------------" 59 | $echo "Current logged-in user: $loggedInUser" 60 | $echo "----------------------------------------------------------------------" 61 | $echo "Removing all Items from $loggedInUser's Dock..." 62 | $sudo -u "$loggedInUser" $dockutil --remove all --no-restart "$userPlist" 63 | 64 | $echo "Creating New Dock..." 65 | $echo 66 | $echo "Adding \"Finder\"..." 67 | 68 | # Add items in order, if exist 69 | array_dockApps_sectionApps=( 70 | "/Applications/Self Service.app" 71 | "/Applications/Microsoft Outlook.app" 72 | "/Applications/Microsoft Teams.app" 73 | "/Applications/zoom.us.app" 74 | "/Applications/Microsoft Edge.app" 75 | "/Applications/Microsoft Excel.app" 76 | "/Applications/Microsoft OneNote.app" 77 | "/Applications/Microsoft PowerPoint.app" 78 | "/Applications/Microsoft Word.app" 79 | "/Applications/Windows App.app" 80 | "/Applications/OneDrive.app" 81 | "/Users/$loggedInUser/Applications/Edge Apps.localized/IT Help.app" 82 | ) 83 | 84 | for APP in "${array_dockApps_sectionApps[@]}"; do 85 | if [ -d "$APP" ]; then 86 | $echo "$APP exists, Adding to dock ..." 87 | $sudo -u $loggedInUser $dockutil --no-restart --add "$APP" --section apps $userPlist 88 | else 89 | $echo "$APP does NOT exist, skipping" 90 | fi 91 | done 92 | 93 | # Add Launchpad to beginning and restarting dock 94 | $echo "Restarting Dock..." 
$sudo -u "$loggedInUser" $dockutil --add "/System/Applications/Launchpad.app" --position beginning "$userPlist"

exit 0

--------------------------------------------------------------------------------
/Apple/Scripts/Set-AzVpnConfig.sh:
--------------------------------------------------------------------------------
#!/bin/bash

#region Variables
# Main variables
scriptName="$(/usr/bin/basename "$0")"
# The script runs as root, so keep the FIFO in root-owned /private/var/run rather than at a
# fixed, predictable name in world-writable /private/tmp
logPipe="/private/var/run/${scriptName%.*}.pipe"
logPath="/private/var/log/${scriptName%.*}.log"
consoleUser="$(/usr/bin/stat -f %Su /dev/console)"
uid=$(id -u "$consoleUser")
computerName="$(/usr/sbin/scutil --get ComputerName)"
homeFolder=$(dscl . -read "/users/${consoleUser}" NFSHomeDirectory | cut -d " " -f 2)

# Script variables
# Exact App Name, without .app at the end
appName="Azure VPN Client"
appFolderName="${appName}.app"
appFullPath="/Applications/${appFolderName}"
# Full Path to the folder where the XML file needs to be created
vpnXMLDestinationFolder="${homeFolder}/Library/Containers/com.microsoft.AzureVpnMac/Data/Library/Application Support/com.microsoft.AzureVpnMac"
# VPN Connection Name
prodVPNname="Contoso_VPN-Profile"
prodVPNconfigFileName="${prodVPNname}.AzureVpnProfile.xml"

# Paste the contents of your Azure VPN Config file here
# https://docs.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-client-mac#download
prodXmlConfig=$(
    cat <<EOFxml
REDACTED CONTENT

EOFxml
)
#endregion Variables

#region Functions

#region Logging functions
# Credit Brock Walters https://www.linkedin.com/in/brock-walters-247a2990
/usr/bin/mkfifo "$logPipe"
/usr/bin/tee -a "$logPath" <"$logPipe" &
exec &>"$logPipe"
echo "$(/bin/date "+%Y-%m-%dT%H:%M:%S") [START] logging $scriptName" >>"$logPath"
echo "$(tail -n 1 "$logPath")"

# Logs Info messages
logInfo() {
    echo "$(/bin/date "+%Y-%m-%dT%H:%M:%S") [INFO] $1" >>"$logPath"
    echo "$(tail -n 1 "$logPath")"
}
# Logs Alert messages
logAlert() {
    echo "$(/bin/date "+%Y-%m-%dT%H:%M:%S") [ALERT] $1" >>"$logPath"
    echo "$(tail -n 1 "$logPath")"
}
# Exit function to close out FIFO pipe
exiting() {
    echo "$(/bin/date "+%Y-%m-%dT%H:%M:%S") [STOP] logging $scriptName" >>"$logPath"
    echo "$(tail -n 1 "$logPath")"
    /bin/rm -rf "$logPipe"
    # Only stop the tee started by this script (a child of this shell), not every process matching "tee"
    /usr/bin/pkill -P $$ -x tee >/dev/null

    exit
}
#endregion Logging functions

# runAsUser function
# Credit: Armin Briegel @ scriptingOSX https://scriptingosx.com/2020/08/running-a-command-as-another-user/
runAsUser() {
    if [ "$consoleUser" != "loginwindow" ]; then
        logInfo "FUNCTION runAsUser | Console User: $consoleUser | uid: $uid"
        #logInfo "FUNCTION runAsUser | Trying to launch with launchctl"
        logInfo "FUNCTION runAsUser | Trying to launch with sudo"
        #launchctl asuser "$uid"
        launchctl asuser "$uid" sudo -u "$consoleUser" "$@"

    else
        logAlert "no user logged in"
        # Exit with an error when no user is logged in
        # (comment out the exit command to let the script continue instead)
        exit 1
    fi
}

#endregion Functions

##########
## MAIN ##
##########

#region Main Script

logInfo "Computer: $computerName | ConsoleUser: $consoleUser"

# Ensure app is installed first, otherwise exit script
# In macOS, an App is a Container, not a file, so we use '-d' to check for the directory
if [ -d "$appFullPath" ]; then
    logInfo "App installed: $appFolderName"
    logInfo "Launching $appFolderName.."

    # Open App as consoleUser then kill. This creates the folder we need with required permissions.
    runAsUser open -F -j "$appFullPath"
    sleep 5
    logInfo "Killing $appFolderName"
    # Kill the app
    pkill -x "$appName"
else
    logAlert "App not installed: $appFolderName"
    logAlert "Exiting Script"
    exiting
fi

# Make sure the destination folder was created, otherwise exit script
if [ -d "$vpnXMLDestinationFolder" ]; then
    logInfo "folder $vpnXMLDestinationFolder exists"
    # Remove any existing files or subfolders. This ensures old configs are removed for future updates.
    # ${var:?} aborts instead of expanding to "/*" if the variable is ever empty
    rm -rf "${vpnXMLDestinationFolder:?}"/*
else
    logAlert "Destination Folder does not exist: $vpnXMLDestinationFolder"
    exiting
fi

#region Set Folder Permissions
# Document folder permissions needed in case future app updates break the above process
#logInfo "Setting permissions of 755 to Folder: $vpnXMLDestinationFolder"
#chmod 755 "$vpnXMLDestinationFolder"

#logInfo "Setting xattr to Folder: $vpnXMLDestinationFolder"
#xattr -w com.apple.quarantine "0086;00000000;Azure VPN Client;" "$vpnXMLDestinationFolder"
#endregion Set Folder Permissions

logInfo "Creating File: $prodVPNconfigFileName"
# Set content for and create file in destination folder
cat <<<"$prodXmlConfig" >"${vpnXMLDestinationFolder}/${prodVPNconfigFileName}"

exiting
#endregion Main Script

--------------------------------------------------------------------------------
/Apple/Scripts/set-proxyVariables.zsh:
--------------------------------------------------------------------------------
#!/usr/bin/env zsh

: <<'COMMENT-BLOCK'
.SYNOPSIS
    Sets organization's proxy variables in system shell profile and creates files if missing.

.DESCRIPTION
    Sets organization's proxy variables in system shell profile and creates files if missing.
    Setting these values ensures command-line operations, like curl, are proxy-aware and can function with minimal user impact.

.EXAMPLE
    set-ProxyVariables.zsh

.NOTES
    Terminal.app will need to be restarted fully in order for printenv to reflect values

    Author: hkystar35
    Date Created: 2023-04-19 16:41 MST
    Github: https://github.com/hkystar35/MDM/blob/main/Apple/Scripts/set-proxyVariables.zsh

    History:
        2023-04-19 hkystar35 - created script
        2023-04-19 hkystar35 - added comment blocks and timestamps to line entries for auditing
        2023-04-28 hkystar35 - updated variables to include UPPER and lower cases and used variables
        2023-06-21 hkystar35 - re-wrote script to NOT mess with user's profiles
            - /etc/zshrc is modified with a test command to try sourcing "/etc/${orgShortName:l}/${orgShortName:l}_shell_proxySettings.sh"
            - "/etc/${orgShortName:l}/${orgShortName:l}_shell_proxySettings.sh" contains the proxy variables
            - backup created of /etc/zshrc
            - log function writes to /etc/$orgShortName/$log_file
        2025-07-11 hkystar35 - corrected github link in comment blocks

COMMENT-BLOCK

# Jamf built-in variables
## comment out or modify these if not using Jamf's built in script runner
mountPoint="$1"
computerName="$2"
userName="$3"

# Script Parameters
## Be sure to modify the numbers if not using Jamf's script runner
orgName="$4" # Jamf parameter name: Full Organization Name, like Example International, LLC
orgShortName="$5" # Jamf parameter name: Org short name, like Example. Will be lower-cased in script.
webproxy_domain="$6" # Jamf parameter name: Proxy domain, like proxy.example.com (don't include http prefixes)
webproxy_port="$7" # Jamf parameter name: Proxy port, like 80
noProxyString="$8" # Jamf parameter name: No Proxy string, comma separated list like .example.com,127.0.0.1,localhost,*.example.com
webproxy_prefix="http"
webproxy_URL="$webproxy_prefix://$webproxy_domain"
webproxy_fullURL="$webproxy_prefix://$webproxy_domain:$webproxy_port"

# Global settings file
globalSettings_FullPath="/etc/${orgShortName:l}/${orgShortName:l}_shell_proxySettings.sh"
globalSettings_Folder="${globalSettings_FullPath:h}"
globalSettings_FileName="${globalSettings_FullPath:t}"

# Script variables
log_file="${globalSettings_Folder}/${globalSettings_FileName:t:r}.log"
system_shells=("/etc/profile" "/etc/zshenv")

# Functions

# log [-e] [-f FILE] MESSAGE...
function log() {
    function timestamp() {
        date '+%F %T %Z'
    }
    set -eu
    local prefix="$(timestamp)"
    local stream=1
    local files=("$log_file")
    # handle options
    while ! ${1+false}; do
        case "$1" in
        -e | --error)
            prefix="$(timestamp) ERROR:"
            stream=2
            ;;
        -f | --file)
            shift
            files+=("${1-}")
            ;;
        --)
            shift
            break
            ;; # end of arguments
        -*)
            log -e "log: invalid option '$1'"
            return 1
            ;;
        *) break ;; # start of message
        esac
        shift
    done
    if ${1+false}; then
        log -e "log: no message!"
        return 1
    fi
    # if we have a prefix, update our argument list
    if [ "$prefix" ]; then
        set -- "$prefix " "$@"
    fi
    # now perform the action
    for file ("$files[@]"); do
        /bin/mkdir -p $file:h
        /usr/bin/touch $file
    done
    printf '%b' "$@" '\n' | tee -a "${files[@]}" >&$stream
}

function lines() {
    local ret
    reply=( "${(@f)$(cat -- "$@"; ret=$?; echo .; exit $ret)}" )
    ret=$?
    reply[-1]=( ${reply[-1]%.} )
    return $ret
}

# Main script
log " ###"
log "START of script"
log " ==="

# Log variables
log "Script Param | Organization Name: $orgName"
log "Script Param | Organization Short Name: $orgShortName"
log "Script Param | Web Proxy full URL: $webproxy_fullURL"
log "Script Variable | Log folder: $globalSettings_Folder"
log "Script Variable | Log file: $log_file"
log "Script Variable | Target settings file: $globalSettings_FullPath"

# Create files and folders
log "Creating folder path: $globalSettings_Folder"
/bin/mkdir -p "$globalSettings_Folder"
log "Creating file: $globalSettings_FullPath"
/usr/bin/touch "$globalSettings_FullPath"


# $globalSettings_FullPath Content
# The parameter values are written into this file unescaped, and the system shell profiles source it,
# so pass only trusted values from Jamf
cat << GLOBALSETTINGSBLOCK > "$globalSettings_FullPath"
# $orgName proxy settings
proxyDef="$webproxy_fullURL"
export http_proxy="\${proxyDef}"
export HTTP_PROXY="\${proxyDef}"
export https_proxy="\${proxyDef}"
export HTTPS_PROXY="\${proxyDef}"
export no_proxy="$noProxyString"
export NO_PROXY="$noProxyString"
GLOBALSETTINGSBLOCK

log "Added proxy settings to $globalSettings_FullPath"
i=0
lines "$globalSettings_FullPath" &&
for line in "$reply[@]"; do
    ((++i))
    log " Line$i | $line"
done

# Modify System Shells

for shell in "$system_shells[@]"; do

    log "Creating file: $shell"
    /usr/bin/touch "$shell"
    log "Adding missing lines to $shell, if needed"
    backup_shell="$shell.bak"
    /bin/cp "$shell" "$backup_shell"
    shell_line1="# $orgName Proxy settings"
    grep -qxF "$shell_line1" "$shell" || echo "$shell_line1" >> "$shell"

    shell_line2="test -f \"$globalSettings_FullPath\" && source \"$globalSettings_FullPath\""
    grep -qxF "$shell_line2" "$shell" || echo "$shell_line2" >> "$shell"

done

log " ==="
log "END of script"
log " ###"

--------------------------------------------------------------------------------
/Scripts/Create-JiraIssuesForClinics.ps1:
--------------------------------------------------------------------------------
<#
    .SYNOPSIS
        Creates Jira Story Issues for clinic locations

    .DESCRIPTION
        Creates Jira Story Issues for clinic locations
        Organizes them into Epics for each US State
        Looks up each address with Google API to add Google Maps link to ticket
        Creates custom Labels for State, City, County, ZIP, and clinicID

    .PARAMETER ExcelSheetFullPath
        Full path to Excel file

    .PARAMETER ParentInitiativeKey
        Jira Initiative key for Parent Link to Epics

    .PARAMETER jirauser
        Email of Jira user for API authentications

    .PARAMETER JiraReporterUserID
        Jira User ID for use in Reporter field

    .PARAMETER jiraServerURL
        Full URL for Atlassian instance, like 'https://contoso.atlassian.net'

    .PARAMETER googleAPIKey
        API Key for Google APIs project with permissions to Google Maps

    .PARAMETER jiraAPIKey
        API Key for authentication

    .EXAMPLE
        .\Create-JiraIssuesForClinics.ps1 -ExcelSheetFullPath .\Clinics.xlsx `
            -ParentInitiativeKey 'PROJ-1234' `
            -jirauser 'hkystar35@contoso.com' `
            -JiraReporterUserID '12345abcde67890fghijkl' `
            -jiraServerURL 'https://contoso.atlassian.net' `
            -googleAPIKey 'jnwef34fh8340hf340fnfn3049f' `
            -jiraAPIKey 'ndosfin80ecin230fh04n0384hf8304f'

    .NOTES
        ===========================================================================
        Created on: 05 June 2022
        Created by: Nic Wendlowsky (hkystar35)
        Organization: CONTOSO
        Filename: Create-JiraIssuesForClinics.ps1
        ===========================================================================
#>
[CmdletBinding()]
PARAM
(
    [Parameter(Mandatory = $true)][ValidateNotNullOrEmpty()]$ExcelSheetFullPath,
    [Parameter(Mandatory = $true)][ValidateNotNullOrEmpty()]$ParentInitiativeKey,
    [Parameter(Mandatory = $true)][ValidateNotNullOrEmpty()]$jirauser,
    [Parameter(Mandatory = $true)][ValidateNotNullOrEmpty()]$JiraReporterUserID,
    [Parameter(Mandatory = $true)][ValidateNotNullOrEmpty()]$jiraServerURL,
    [Parameter(Mandatory = $true)][ValidateNotNullOrEmpty()]$googleAPIKey,
    [Parameter(Mandatory = $true)][ValidateNotNullOrEmpty()]$jiraAPIKey
)
BEGIN {
    $InvocationInfo = $MyInvocation
    [System.IO.FileInfo]$ScriptFileInfo = $InvocationInfo.MyCommand.Path
    [string]$ScriptFullPath = $ScriptFileInfo.FullName
    [string]$ScriptNameFileExt = $ScriptFileInfo.Name
    [string]$ScriptName = $ScriptFileInfo.BaseName
    [string]$scriptRoot = Split-Path $ScriptFileInfo

    #region FUNCTION Write-Log
    FUNCTION Write-Log {
        [CmdletBinding()]
        PARAM
        (
            [Parameter(Mandatory = $true,
                ValueFromPipelineByPropertyName = $true)][ValidateNotNullOrEmpty()][Alias("LogContent")][string]$Message,
            [Parameter(Mandatory = $false)][Alias('LogPath')][string]$Path = "$env:windir\Logs\$($ScriptName).log",
            [Parameter(Mandatory = $false)][ValidateSet("Error", "Warn", "Info")][string]$Level = "Info",
            [Parameter(Mandatory = $false)][switch]$NoClobber,
            [Parameter(Mandatory = $false)][int]$MaxLogSize = '2097152'
        )

        BEGIN {
            # Set VerbosePreference to SilentlyContinue so that verbose messages are not displayed.
            $VerbosePreference = 'SilentlyContinue'
            $FormattedDate = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
        }
        PROCESS {

            # Test if log exists
            IF (Test-Path -Path $Path) {
                $FilePath = Get-Item -Path $Path
                IF ($NoClobber) {
                    Write-Error "Log file $Path already exists, and you specified NoClobber. Either delete the file or specify a different name."
                    RETURN
                }
                IF ($FilePath.Length -gt $MaxLogSize) {
                    Rename-Item -Path $FilePath.FullName -NewName $($FilePath.BaseName).log_ -Force
                }
            }
            ELSEIF (!(Test-Path $Path)) {
                Write-Verbose "Creating $Path."
                $NewLogFile = New-Item $Path -Force -ItemType File
            }
            # Write message to error, warning, or verbose pipeline and specify $LevelText
            SWITCH ($Level) {
                'Error' {
                    Write-Error $Message
                    $LevelText = 'ERROR:'
                }
                'Warn' {
                    Write-Warning $Message
                    $LevelText = 'WARNING:'
                }
                'Info' {
                    Write-Verbose $Message
                    $LevelText = 'INFO:'
                }
            }

            # Write log entry to $Path
            "$FormattedDate $LevelText $Message" | Out-File -FilePath $Path -Append
        }
        END {
        }
    }
    #endregion FUNCTION Write-Log

}
PROCESS {
    TRY {
        #Requires -Modules pwshPlaces, jiraPS, importexcel

        # Variable translations
        $InitiativeKey = $ParentInitiativeKey
        $reporter = $JiraReporterUserID

        # Jira API key as a SecureString
        [securestring]$secStringPassword = ConvertTo-SecureString $jiraAPIKey -AsPlainText -Force

        # Jira API
        [pscredential]$jiracreds = New-Object System.Management.Automation.PSCredential ($jirauser, $secStringPassword)
        Set-JiraConfigServer -Server $jiraServerURL
        New-JiraSession -Credential $jiracreds

        # US State conversion Hashtable
        $StateAbbrToFullName = [ordered]@{
            'AL' = 'Alabama'
            'AK' = 'Alaska'
            'AR' = 'Arkansas'
            'AZ' = 'Arizona'
            'CA' = 'California'
            'CO' = 'Colorado'
            'CT' = 'Connecticut'
            'DE' = 'Delaware'
            'DC' = 'District of Columbia'
            'FL' = 'Florida'
            'GA' = 'Georgia'
            'HI' = 'Hawaii'
            'ID' = 'Idaho'
            'IL' = 'Illinois'
            'IN' = 'Indiana'
            'IA' = 'Iowa'
            'KS' = 'Kansas'
            'KY' = 'Kentucky'
            'LA' = 'Louisiana'
            'ME' = 'Maine'
            'MD' = 'Maryland'
            'MA' = 'Massachusetts'
            'MI' = 'Michigan'
            'MN' = 'Minnesota'
            'MS' = 'Mississippi'
            'MO' = 'Missouri'
            'MT' = 'Montana'
            'NE' = 'Nebraska'
            'NV' = 'Nevada'
            'NH' = 'New Hampshire'
            'NJ' = 'New Jersey'
            'NM' = 'New Mexico'
            'NY' = 'New York'
            'NC' = 'North Carolina'
            'ND' = 'North Dakota'
            'OH' = 'Ohio'
            'OK' = 'Oklahoma'
            'OR' = 'Oregon'
            'PA' = 'Pennsylvania'
            'RI' = 'Rhode Island'
            'SC' = 'South Carolina'
            'SD' = 'South Dakota'
            'TN' = 'Tennessee'
            'TX' = 'Texas'
            'UT' = 'Utah'
            'VT' = 'Vermont'
            'VA' = 'Virginia'
            'WA' = 'Washington'
            'WV' = 'West Virginia'
            'WI' = 'Wisconsin'
            'WY' = 'Wyoming'
        }

        # Excel Source info
        Write-Log -Message "Importing Unique Clinic Identifiers spreadsheet"
        $ExcelInfo = Get-ExcelSheetInfo -Path $ExcelSheetFullPath

        # Get all rows in each sheet
        Write-Log -Message "Ingest all "
        $AllItemsInAllSheets = @(
            $ExcelInfo | Foreach {
                [PSCustomObject]@{
                    SheetName = $_.Name
                    Content   = Import-Excel $_.Path -WorksheetName $_.Name
                }
            }
        )

        # Parse clinic info
        Write-Log -Message "Parsing clinic info and looking up Google Maps info"
        $AllClinics = @(
            foreach ($Sheet in ($AllItemsInAllSheets | Where-Object { $_.sheetname -notmatch 'Temp|Glossary' } ) ) {

                foreach ($row in ($Sheet.Content | Where-Object {
                            $null -ne $_.'Alpha Numeric Clinic Number' `
                                -and $null -ne $_.'Address' `
                                -and $null -ne $_.'City' `
                                -and $null -ne $_.'State' `
                                -and $null -ne $_.'ZIP'
                        }
                    )
                ) {
                    $Clinic = [pscustomobject]@{
                        UniqueClinic  = $row.'Alpha Numeric Clinic Number'
                        CommonName    = $row.'Conventional Clinic Name'
                        StreetAddress = $row.Address.TrimStart()
                        Suite         = $row.Suite
                        City          = $row.City
                        State         = $StateAbbrToFullName[$($row.State)]
                        StateAbbr     = $row.State
                        ZIP           = $row.ZIP
                        FullAddress   = '{0}, {1}, {2} {3}' -f $row.Address.TrimStart(), $row.City, $row.State, $row.ZIP
                    }

                    # Lookup the address in Google Maps API
                    $GoogleFindAddress = Find-GMapPlace -Query $Clinic.FullAddress -GoogleAPIKey $googleAPIKey -ErrorAction SilentlyContinue | Select-Object -First 1

                    $GooglePlaceID = Get-GMapPlaceDetail -PlaceID $GoogleFindAddress.Place_ID -GoogleAPIKey $googleAPIKey
                    # Looks like the "administrative_area_level_2" is the County
                    $county = $GooglePlaceID.address_components | where types -Match "administrative_area_level_2" | Select-Object -ExpandProperty long_name

                    # Add/update properties for later use
                    $Clinic.FullAddress = $GoogleFindAddress.Address
                    IF ($null -ne $GooglePlaceID.name) { $Clinic.StreetAddress = $GooglePlaceID.name }
                    $Clinic | Add-Member -Force -MemberType NoteProperty -Name County -Value $(IF ($null -ne $county) { $county }else { 'unknown' })
                    $Clinic | Add-Member -Force -MemberType NoteProperty -Name GoogleMapsLink -Value $(IF ($null -ne $GooglePlaceID.GoogleMapsURL) { $GooglePlaceID.GoogleMapsURL }else { $null })
                    $Clinic | Add-Member -Force -MemberType NoteProperty -Name JiraDescription -Value "`n$($Clinic.PSObject.Properties | Where-Object {$_.Name -ne "JiraDescription"} | % { "{0} = {1}`n" -f $_.Name, $_.Value })`n`nPlease VERIFY the data above, it was pulled directly from the Unique Clinic Identifiers sheet and addresses and clinic status has not been validated."

                    $Clinic
                }

            }
        )

        # Index by State
        $AllClinicsIndexedByState = $AllClinics | Group-Object -Property StateAbbr -AsHashTable -AsString

        # Get each State clinics are in
        $states = $AllClinics | Select-Object -ExpandProperty StateAbbr -Unique | Sort-Object

        # Create and capture Epics for each State
        Write-Log -Message "Creating Epics for each State"
        $stateEpics = @(
            foreach ($state in $states) {
                $CountofClinics = $AllClinicsIndexedByState["$($state)"].Count

                SWITCH ($CountofClinics) {
                    { $_ -ge 2 } {
                        $summary = "{0} | {1} Clinics to Migrate" -f $StateAbbrToFullName[$($state)], $CountofClinics
                    }

                    { $_ -eq 1 } {
                        $summary = "{0} | 1 Clinic to Migrate" -f $StateAbbrToFullName[$($state)], $CountofClinics
                    }

                    default {
                        $summary = "{0} | (unknown) Clinic(s) to Migrate" -f $StateAbbrToFullName[$($state)]
                    }
                }


                $stateJiraSplat = [ordered]@{
                    Project     = "ITSE"
                    IssueType   = "Epic"
                    Reporter    = $reporter
                    Summary     = $summary
                    Description = "This epic has a Story for every clinic in {0}`n`nThere are approximately {1} clinics in {0}" -f $StateAbbrToFullName[$($state)], $CountofClinics
                    Fields      = @{
                        "Epic Name"       = "{0} | Clinic Migrations" -f $StateAbbrToFullName[$($state)]
                        customfield_10018 = $InitiativeKey
                    }
                    Labels      = @(
                        $("Clinic_State_{0}" -f $State)
                    )
                    Credential  = $jiracreds
                }

                # Add properties for later use
                $Epic = New-JiraIssue @stateJiraSplat
                $Epic | Add-Member -Force -MemberType NoteProperty -Name State -Value $StateAbbrToFullName[$($state)]
                $Epic | Add-Member -Force -MemberType NoteProperty -Name StateAbbr -Value $state
                $Epic | Add-Member -Force -MemberType NoteProperty -Name ClinicCount -Value $CountofClinics

                # Return the object to the array
                $Epic

            }
        )
        Write-Log -Message "Epics created"

        # Index Jira Epics for matching to clinics
        $stateEpicsIndexed = $stateEpics | Group-Object -Property StateAbbr -AsHashTable -AsString

        # Create and Capture Stories for each clinic
        # Link to Epic, lookup address with Google Maps API for Navigation link, lookup county
        Write-Log -Message "Creating Stories for each clinic"
        $clinicStories = @(
            foreach ($Clinic in $AllClinics) {


                # Set splat for creating Jira issue
                #$clinicJiraSplat =
                [PSCustomObject]@{
                    Project     = "ITSE"
                    IssueType   = "Story"
                    reporter    = $reporter
                    Summary     = "{0} | {1} | {2} | {3} | {4} | {5}" -f $Clinic.StateAbbr, $Clinic.County, $Clinic.City, $Clinic.ZIP, $Clinic.StreetAddress, $Clinic.UniqueClinic
                    Description = $Clinic.JiraDescription
                    Fields      = @{
                        #"Epic Name" = "{0} | Clinic Migrations" -f $StateAbbrToFullName[$($_)]
                        customfield_10014 = $stateEpicsIndexed["$($Clinic.StateAbbr)"].key
                    }
                    Labels      = @(
                        $( "Clinic_State_{0}" -f $( $Clinic.StateAbbr ) ),
                        $( "Clinic_County_{0}" -f $( $Clinic.County ).Replace(' ', '-') ),
                        $( "Clinic_City_{0}" -f $( $Clinic.City ).Replace(' ', '-') ),
                        $( "Clinic_ZIP_{0}" -f $( $Clinic.ZIP ) ),
                        $( "Clinic_UniqueID_{0}" -f $( $Clinic.UniqueClinic ) )
                    )

                    #Credential = $jiracreds
                }

            }
        )
        # Create Stories
        $jirastories = $clinicStories | New-JiraIssue -Credential $jiracreds
        Write-Log -Message "Stories finished"

    }
    CATCH {
        $Line = $_.InvocationInfo.ScriptLineNumber
        "Error was in Line $line"
        Write-Log -Message "Error: $_" -Level Error
        Write-Log -Message "Error: on line $line" -Level Error
    }
}
END {

}

--------------------------------------------------------------------------------
/Apple/MDM Comparison Table.md:
--------------------------------------------------------------------------------
___
> Check out my Blog that started this all: [Evaluating Apple MDM Products | SysManSquad](https://sysmansquad.com/2022/05/03/2022-05-03-evaluating-apple-mdm-products)
___

# Simple table comparing some basic features of Apple MDM products

## Key

| **Icon/Term** | *Description* |
|---------------------------|---------------------------------------------------|
| **:white_check_mark:** | Yes |
| **:x:** | No |
| **:grey_exclamation:** | Maybe or Partial |
| **:heavy_minus_sign:** | Not Applicable |
| **:grey_question:** | Unknown or Unclear |
| **:asterisk:** | Additional Requirements Needed |
| **:heavy_dollar_sign:** | Additional Cost on top of base licensing |
| **macOS** | Feature for macOS |
| **iOS/iPadOS** | Feature for iOS flavors: iPhoneOS, iPadOS, iPodOS |
| **tvOS** | Feature for tvOS (Apple TV) |
| **watchOS** | Feature for watchOS (Apple Watch) |
| **visionOS** | Feature for visionOS (Apple Vision Pro) |
| **Server Infrastructure** | Infrastructure feature, not OS-specific |

## MDM Comparison Table

| **Feature** | **Category** | **OS** | **ManageEngine** | **Meraki SM** | **Jamf** | **Kandji** | **Mosyle** | **Addigy** | **JumpCloud** | **Intune** | **Workspace ONE** | **Rippling** |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| **Local agent/binary**: A vendor-provided GUI app for installation on the local Mac, used to provide capabilities beyond Apple's Device Management framework or notifications. Uses the vendor's communication protocol rather than APNs | Agent | macOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: |
| **CLI for local agent/binary**: Command line interface of vendor-maintained/deployed code that provides status/inventory or interaction with admin actions | Agent | macOS | :x: | :x: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :x: | :x: | :white_check_mark: | :x: |
| **Native Teams Integration**: 'Batteries included' capability to send as little as admin/monitoring/status messages or as much as approval/creation/update/deletion actions via 'chatops' | Alerts | Server Infrastructure | :x: | :x: | :white_check_mark: | :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :white_check_mark: |
| **Native Slack Integration**: Same detail as above | Alerts | Server Infrastructure | :x: | :x: | :white_check_mark: | :white_check_mark: | :x: | :x: | :x: | :x: | :x: | :white_check_mark: |
| **Email Alert**: 'Batteries included' capability to have messages 'pushed' from the MDM | Alerts | Server Infrastructure | :white_check_mark: | :white_check_mark: | :white_check_mark::asterisk: | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: |
| **Generic Outgoing Webhook**: Near-realtime, 'consequential'/to some extent practically useful, outbound HTTP POSTs in at least JSON if not protobuf/RPC format | Alerts | Server Infrastructure | :x: | :white_check_mark: | :white_check_mark: | :x: | :x: | :white_check_mark: | :x: | :x: | | :white_check_mark: |
| **EDR/Antivirus product**: Either running locally on the computer or able to cause the MDM to use non-customer 'sourced' intelligence to detect/respond to malware etc. | Antivirus | macOS | :x: | :grey_question: | :white_check_mark::heavy_dollar_sign: | :white_check_mark::heavy_dollar_sign: | :white_check_mark::heavy_dollar_sign: | :white_check_mark::heavy_dollar_sign: | :x: | :white_check_mark::heavy_dollar_sign: | :white_check_mark::heavy_dollar_sign: | :white_check_mark::heavy_dollar_sign: |
| **EDR/Antivirus product**: Non-customer 'sourced' intelligence to detect/respond to malware etc. | Antivirus | iOS/iPadOS | :x: | :grey_question: | :x: | :x: | :x: | :white_check_mark::heavy_dollar_sign: | :x: | :white_check_mark::heavy_dollar_sign: | | :x: |
| **Self Service App**: Device/user-focused/facing 'store/catalog' or way for end users to interact with info, 'curated' apps/scripts | App Delivery | macOS | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | :x: |
| **Self Service App**: Device/user-focused/facing 'store/catalog' or way for end users to interact with info or 'curated' apps/functions | App Delivery | iOS/iPadOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | :x: |
| **Custom Cloud Content Distribution Network (CDN)**: Vendor-facilitated hosting with at least some redundancy (multiple data center/region), to distribute apps/assets/configs | Content Delivery | Server Infrastructure | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: |
| **Custom On-Premises Content Distribution**: Some applicable resources can be 'cached' and hosted within a known network/cloud provider region/address space | Content Delivery | Server Infrastructure | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | | :x: | | :x: |
| **Apple Business/School Manager (AxM) VPP Token**: Can access and account for app licenses purchased via either applicable program | Apple Business Manager | Server Infrastructure | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: |
| **Custom Configuration Profile/Declaration/Command support**: At least custom configuration profiles (containing arbitrary domains/keys/values/'depths'/data structures, as long as valid in the spec/XML) can be loaded in and distributed with some parity to other 'baked-in' payloads/commands | Configuration | macOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: |
| **Custom Configuration Profile/Declaration/Command support**: Same detail as above | Configuration | iOS/iPadOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: |
| **Built-in Notifications to device**: 'Batteries included' capability to send practically useful notifications to enrolled computers | App Update | macOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | | :white_check_mark: |
| **Built-in Notifications to device**: Same as above but within platform constraints e.g. vendor's app badging/'toaster' banners
| App Update | iOS/iPadOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | :white_check_mark: | :white_check_mark: | | :x: | 46 | |
**Enforced Installs**Assuming reasonable criteria for success, can ensure installation occurs when app not present & without MDM protocol/VPP
| App Delivery | iOS/iPadOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | 47 | |
**Enforced Installs**Within platform limitations, ensure an app is 'locked' on a managed/supervised device
| App Delivery | macOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | 48 | |
**Enforced Updates**Can ensure when an app is already considered present it can be updated to a functional desired version (without VPP)
| App Update | iOS/iPadOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | 49 | |
**Enforced Updates**Can ensure a non-latest app version is updated to functional desired version
| App Update | macOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 50 | |
**Declarative Device Management support**Can leverage the updated protocol commands supported by Apple as defined in the [Apple Platform Deployment](https://support.apple.com/guide/deployment) guide
| Device Management | macOS | :white_check_mark: | :grey_question: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :x: | :white_check_mark: | 51 | |
**Declarative Device Management support**Same, for applicable platform
| Device Management | iOS/iPadOS | :white_check_mark: | :grey_question: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: beta | :x: | 52 | |
**Declarative Device Management support**Same, for applicable platform
| Device Management | watchOS | :x: | :grey_question: | :white_check_mark: | :x: | :x: | | | :x: | | :x: | 53 | |
**Declarative Device Management support**Same, for applicable platform
| Device Management | visionOS | :x: | :grey_question: | :x: | :white_check_mark: | :x: | | | | | :x: | 54 | |
**Apple TV support**Can manage applicable platform
| Apple TV | tvOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | | :x: | 55 | |
**Apple Watch support**Can manage applicable platform
| Apple Watch | watchOS | :x: | :white_check_mark: | :white_check_mark: | :x: | :x: | | | :x: | | :x: | 56 | |
**Apple Vision Pro support**Can manage applicable platform
| Apple Vision Pro | visionOS | :x: | :x: | :x: | :white_check_mark: | | | | :x: | | :x: | 57 | |
**API - Public Documentation**Provides usable documentation/browser for API endpoints without undue access restriction
| Automation | Server Infrastructure | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 58 | |
**API - REST standards**API is built with reasonable industry standard design, e.g. versioned with consistent URL structure, supports [CRUD](https://en.wikipedia.org/wiki/Create,_read,_update_and_delete) interactions, is not e.g. SOAP or arcane
| Automation | Server Infrastructure | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | :white_check_mark: | 59 | |
**API - Interactive browser/executable support**Provides confirmation/browsing of some API functionality via a browser like [Swagger](https://swagger.io/)/[Postman](https://www.postman.com) or a similar way to simulate/perform interactions
| Automation | Server Infrastructure | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | :grey_exclamation: | :white_check_mark: | | 60 | |
**API - Non-standard**While not RESTful, an API 'surface' is at least provided in a reasonably consumable format for practically useful needs
| Automation | Server Infrastructure | :x: | :white_check_mark: | | | | | | | | | 61 | |
**Offline mode**When air-gapped or otherwise without server connectivity, can use local agent/binary to enforce (non-config profile) configurations
| Agent | macOS | :x: | :x: | :white_check_mark: | :grey_exclamation: Parameters only | :x: | :grey_exclamation: | :x: | | | :white_check_mark: | 62 | |
**Blueprint Configuration framework**A working abstraction is present to make configuration/assets/tasks reusable across devices, resources, and/or users/groups
| Configuration | Server Infrastructure | :white_check_mark: | :x: | :x: | :x: | :white_check_mark: | :white_check_mark: | | | | | 63 | |
**Device Groups - Attribute-based membership - Automatic updates**Calculation of device group membership happens in near-to-constant time, based on practical attributes
| Configuration | Server Infrastructure | :white_check_mark: | :x: | :white_check_mark: | :x: | :grey_exclamation: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | 64 | |
**Device Groups - Attribute-based membership - Interval updates**Device group membership is recalculated on a scheduled interval
| Configuration | Server Infrastructure | :white_check_mark: | :x: | :x: | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | :white_check_mark: | 65 | |
**User Groups - Attribute-based membership - Automatic updates**Calculation of user group membership happens in near-to-constant time, based on practical attributes
| Configuration | Server Infrastructure | :white_check_mark: | :x: | :white_check_mark: | :x: | :x: | :white_check_mark: | :white_check_mark: | :x: | | :white_check_mark: | 66 | |
**User Groups - Attribute-based membership - Interval updates**User group membership is recalculated on a scheduled interval
| Configuration | Server Infrastructure | :white_check_mark: | :x: | :x: | :x: | :x: | :white_check_mark: | :x: | :white_check_mark: | | :white_check_mark: | 67 | |
**User Groups - Directory Service group membership**Server-side group membership can be linked to a database like LDAP/Active Directory
| Configuration | Server Infrastructure | :white_check_mark: | :x: | :x: | :x: | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 68 | |
**Shared iPad Mode support**Can configure and manage devices in Shared iPad Mode
| Shared iPad Mode | iPadOS | :white_check_mark: | :grey_exclamation: Education only | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | :x: | 69 | |
**App Lock - Single App Mode**Can lock a device into a single approved app, including handling to update the app with minimal disruption
| Configuration | iOS/iPadOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :x: | :x: | 70 | |
**Custom Scripts Deployment**Provides a secure way to distribute and orchestrate execution of arbitrary code in common scripting languages to (applicable) enrolled devices
| Configuration | Server Infrastructure | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 71 | |
**Restrictions - App Block List**Can reasonably intercept/prevent the execution of identified unwanted processes
| Configuration | Server Infrastructure | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark::heavy_dollar_sign: | :white_check_mark: | :white_check_mark: | 72 | |
**Supervise Device**Can establish a supervision 'relationship' with a device to provide enhanced MDM features like specific configuration profile payloads
| Configuration | macOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 73 | |
**Supervise Device**Same as above, for iOS/iPadOS devices
| Configuration | iOS/iPadOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | 74 | |
**Automated Device Enrollment (ADE) support**Can support the enrollment and configuration of macOS devices using Device Enrollment
| Enrollment | macOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 75 | |
**Automated Device Enrollment (ADE) support**Same as above, for iOS/iPadOS devices
| Enrollment | iOS/iPadOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | 76 | |
**ADE Package support**Allows admins to provide their own arbitrary executable code (e.g. contained in a package) to be delivered at time of ADE enrollment
| Enrollment | macOS | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | | | 77 | |
**ADE Automatic User Creation via Identity Provider (IdP)**The MDM can ensure device authentication at time of provisioning is associated with a user account in an external database/via an identity provider, like (generically) OIDC, Okta, OneLogin, Entra ID, Google Workspace, etc.
| Enrollment | macOS | :white_check_mark: | :white_check_mark::heavy_dollar_sign: | :white_check_mark::heavy_dollar_sign: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | | :x: | 78 | |
**Directory Integration - Okta**Zooming in on specific vendor support, can integrate and sync with Okta for group/user visibility/authentication
| Configuration | Server Infrastructure | :white_check_mark: | :x: | :x: | :white_check_mark: SCIM | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :x: | 79 | |
**Directory Integration - Google Workspace**Same as above, for Google Workspace
| Configuration | Server Infrastructure | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | | :x: | 80 | |
**Directory Integration - Microsoft Entra ID**Same as above, for Entra ID
| Configuration | Server Infrastructure | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | 81 | |
**Admin Portal - SSO Login**Admin interface supports SSO login via IdP/SAML/OAuth
| Identity | Server Infrastructure | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 82 | |
**Login Window replacement with IdP**Has supported offering to *replace* the native macOS login window with an interface for authenticating to an IdP
| Identity | macOS | :white_check_mark::heavy_dollar_sign: | :x: | :white_check_mark::heavy_dollar_sign: | :white_check_mark: | :white_check_mark::heavy_dollar_sign: | :white_check_mark: | :white_check_mark: | :x: | :x: | :x: | 83 | |
**IdP Password Sync with local account**Has offering to sync passwords from an IdP with the local macOS user account
| Identity | macOS | :white_check_mark: | :x: | :white_check_mark::heavy_dollar_sign: | :white_check_mark: | :white_check_mark::heavy_dollar_sign: | :white_check_mark: | :white_check_mark: | :x: | :x: | :x: | 84 | |
**Admin-Custom Inventory Collection**Has mechanism to collect/display admin-provided custom/arbitrary inventory criteria, e.g. by enabling the running of scripts/binaries
| Inventory | Server Infrastructure | :white_check_mark: | :x: | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | | 85 | |
**Migration agent or package from previous MDM**Provides meaningful end-user facing/backend assistance to migrate/re-enroll devices previously enrolled in another MDM
| Migration | macOS | :white_check_mark: | :x: | :x: | :white_check_mark: | :grey_exclamation: | :white_check_mark: | :x: | :x: | :grey_exclamation: | :x: | 86 | |
**OS Updates**Follows spec to send commands that force devices to new minor or major macOS versions
| OS Update | macOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 87 | |
**OS Updates**Same as above, for iOS/iPadOS devices
| OS Update | iOS/iPadOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | 88 | |
**OS Updates**Same as above, for tvOS devices
| OS Update | tvOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | | :x: | 89 | |
**Admin Portal - Custom Access Roles (RBAC)**Can arbitrarily allow/restrict R/W access to admin portal features for identified groups/users
| Configuration | Server Infrastructure | :white_check_mark: | :x: | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 90 | |
**Admin Portal - Pre-configured Roles (RBAC)**Groups pre-determined elsewhere can allow/restrict collections of features
| Configuration | Server Infrastructure | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 91 | |
**Reporting - Pre-canned**Basic reasonable display of practically useful/relevant data to operating the service without forcing export of logs for external visualizations
| Reporting | Server Infrastructure | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | :white_check_mark: | 92 | |
**Reporting - Customize within Admin Portal**Capability to configure persistent metrics or visualizations of the relevant service data
| Reporting | Server Infrastructure | :white_check_mark: | :x: | :grey_exclamation: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark::heavy_dollar_sign: | :white_check_mark::heavy_dollar_sign: | | :white_check_mark: | 93 | |
**Built-In - Local Admin Password Solution (LAPS)**Can manage/rotate local admin account passwords
| Security | macOS | :x: | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | | :white_check_mark: | 94 | |
**Baseline (Hardening) Pre-built Configs**Compliance/security-related baseline configuration adherence is natively handled and can be determined/targeted without undue admin effort
| Compliance | Server Infrastructure | :white_check_mark: | :x: | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | | :x: | 95 | |
**Compliance Control**Explicit capabilities to enforce specific compliance controls on devices
| Compliance | Server Infrastructure | :white_check_mark: | :x: | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | :x: | 96 | |
**Security Templates**Foundational/commonly-named security-specific controls are built-in for applying without undue admin effort
| Security | Server Infrastructure | :white_check_mark: | :x: | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | | :white_check_mark: | 97 | |
**Sandbox instance**Supports/provides access to another instance of the service as an environment for isolating/validating service concerns or otherwise
| Sandbox | Server Infrastructure | :white_check_mark: | :x: | :white_check_mark: | :grey_exclamation: | :x: | :x: | :x: | :white_check_mark: | | :x: | 98 | |
**Microsoft Conditional Access support**Directly powers/supports enabling/enforcing Microsoft conditional access policies
| Security | Server Infrastructure | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | 99 | |
**Okta Device Trust support**Directly powers/supports enabling/enforcing Okta Device Trust
| Security | Server Infrastructure | :white_check_mark: | :x: | :x: | :white_check_mark: | :x: | :white_check_mark: | :x: | | | :x: | 100 | |
**Other conditional access support**Significantly enables similar policy engine-style access controls
| Security | Server Infrastructure | :white_check_mark: | :x: | :white_check_mark: | | | | | | :white_check_mark: | :white_check_mark: |

--------------------------------------------------------------------------------
/Apple/MDM Networking Requirements.md:
--------------------------------------------------------------------------------
1 | # Simple table showing networking requirements for managing Apple devices
2 |
3 | NOTE: This is not all-encompassing.
4 |
5 | ## Vendors & Products present
6 | * Apple
7 |   * Apple Business|School Manager
8 |   * Apple Business Essentials
9 |   * Apple IDs
10 |   * Managed Apple IDs
11 |   * Single Sign-On
12 |   * Software Updates
13 | * Jamf
14 |   * Jamf Pro (cloud and on-prem)
15 |   * Jamf Infrastructure Manager
16 |   * SCCM Plug-in
17 |   * Single Sign-On
18 | * Microsoft
19 |   * Microsoft 365 Apps (Office)
20 |   * Single Sign-On
21 |   * Tenant Restrictions
22 |
23 | ## Networking Requirements Table
24 | ### This table is wiiiiiiiiiiiide -->
| 2319 | 2320 | 2321 | 2322 | 2323 | 2324 | 2325 | 2326 | 2327 | 2328 | 2329 | 2330 | 2331 | 2332 | 2333 | 2334 | 2335 | 2336 | 2337 | 2338 | 2339 | 2340 | 2341 | 2342 | 2343 | 2344 | 2345 | 2346 | 2347 | 2348 | 2349 | 2350 | 2351 | 2352 | 2353 | 2354 | 2355 | 2356 | 2357 | 2358 | 2359 | 2360 | 2361 | 2362 | 2363 | 2364 | 2365 | 2366 | 2367 | 2368 | 2369 | 2370 | 2371 | 2372 | 2373 | 2374 | 2375 | 2376 | 2377 | 2378 | 2379 | 2380 | 2381 | 2382 | 2383 | 2384 | 2385 | 2386 | 2387 | 2388 | 2389 | 2390 | 2391 | 2392 | 2393 | 2394 | 2395 | 2396 | 2397 | 2398 | 2399 | 2400 | 2401 | 2402 | 2403 | 2404 | 2405 | 2406 | 2407 | 2408 | 2409 | 2410 | 2411 | 2412 | 2413 | 2414 | 2415 | 2416 | 2417 | 2418 | 2419 | 2420 | 2421 | 2422 | 2423 | 2424 | 2425 | 2426 | 2427 | 2428 | 2429 | 2430 | 2431 | 2432 | 2433 | 2434 | 2435 | 2436 | 2437 | 2438 | 2439 | 2440 | 2441 | 2442 | 2443 | 2444 | 2445 | 2446 | 2447 | 2448 | 2449 | 2450 | 2451 | 2452 | 2453 | 2454 | 2455 | 2456 | 2457 | 2458 | 2459 | 2460 | 2461 | 2462 | 2463 | 2464 | 2465 | 2466 | 2467 | 2468 | 2469 | 2470 | 2471 | 2472 | 2473 | 2474 | 2475 | 2476 | 2477 | 2478 | 2479 | 2480 | 2481 | 2482 | 2483 | 2484 | 2485 | 2486 | 2487 | 2488 | 2489 | 2490 | 2491 | 2492 | 2493 | 2494 | 2495 | 2496 | 2497 | 2498 | 2499 | 2500 | 2501 | 2502 | 2503 | 2504 | 2505 | 2506 | 2507 | 2508 | 2509 | 2510 | 2511 | 2512 | 2513 | 2514 | 2515 | 2516 | 2517 | 2518 | 2519 | 2520 | 2521 | 2522 | 2523 | 2524 | 2525 | 2526 | 2527 | 2528 | 2529 | 2530 | 2531 | 2532 | 2533 | 2534 | 2535 | 2536 | 2537 | 2538 | 2539 | 2540 | 2541 | 2542 | 2543 | 2544 | 2545 | 2546 | 2547 | 2548 | 2549 | 2550 | 2551 | 2552 | 2553 | 2554 | 2555 | 2556 | 2557 | 2558 | 2559 | 2560 | 2561 | 2562 | 2563 | 2564 | 2565 | 2566 | 2567 | 2568 | 2569 | 2570 | 2571 | 2572 | 2573 | 2574 | 2575 | 2576 | 2577 | 2578 | 2579 | 2580 | 2581 | 2582 | 2583 | 2584 | 2585 | 2586 | 2587 | 2588 | 2589 | 2590 | 2591 | 2592 | 2593 | 2594 | 2595 | 2596 | 2597 | 2598 | 2599 | 2600 | 2601 | 2602 |
VendorCategoryHostsPortsProtocolOSDescriptionConnections InitiatedSupports proxiesMust be exempt from SSL/HTTPS Inspection?Documentation LinkAdditional Info
AppleAdditional contentaudiocontentdownload.apple.com80, 443TCPiOS, iPadOS, macOSGarageBand downloadable contentApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleAdditional contentplaygrounds-assets-cdn.apple.com443TCPiPadOS, macOSSwift PlaygroundsApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleAdditional contentplaygrounds-cdn.apple.com443TCPiPadOS, macOSSwift PlaygroundsApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleAdditional contentdevimages-cdn.apple.com80, 443TCPmacOS onlyXcode downloadable componentsApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleAdditional contentdownload.developer.apple.com80, 443TCPmacOS onlyXcode downloadable componentsApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleAdditional contentsylvan.apple.com80, 443TCPtvOS onlyApple TV screen saversApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleApp features*.appattest.apple.com443TCPiOS, iPadOS, macOSApp validation, Touch ID and Face ID authentication for websitesApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleApp featuresapi.apple-cloudkit.com443TCPmacOS onlyApp notarizationApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleApp Store.itunes.apple.com443, 80TCPiOS, iPadOS, tvOS, macOSStore content such as apps, books, and musicApple Endpoint <-> DeviceYesYeshttps://support.apple.com/en-bh/HT210060
AppleApp Store*.apps.apple.com443TCPiOS, iPadOS, tvOS, macOSStore content such as apps, books, and musicApple Endpoint <-> DeviceYesYeshttps://support.apple.com/en-bh/HT210060
AppleApp Store*.mzstatic.com443TCPiOS, iPadOS, tvOS, macOSStore content such as apps, books, and musicApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleApp Storeitunes.apple.com443, 80TCPiOS, iPadOS, tvOS, macOSApple Endpoint <-> DeviceYesYeshttps://support.apple.com/en-bh/HT210060
AppleApp Storeppq.apple.com443TCPiOS, iPadOS, tvOS, macOSEnterprise App validationApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleApple Business Essentials device management*.apple-mapkit.com443TCPiOS, iPadOSView the location of devices in Managed Lost ModeApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleApple Business Essentials device managementaxm-app.apple.com443TCPiOS, iPadOS, macOSView and manage apps and devicesApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleApple Business Essentials device managementaxm-adm-enroll.apple.com443TCPiOS, iPadOS, tvOS, macOSDEP enrollment serverApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleApple Business Essentials device managementaxm-adm-mdm.apple.com443TCPiOS, iPadOS, tvOS, macOSMDM serverApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleApple Business Essentials device managementaxm-adm-scep.apple.com443TCPiOS, iPadOS, tvOS, macOSSCEP serverApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleApple Business Essentials device managementicons.axm-usercontent-apple.com443TCPmacOS onlyCustom Package iconsApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleApple Business Manager and Apple School Managerupload.appleschoolcontent.com22SSH-SFTP uploadsApple Endpoint <-> DeviceYesYeshttps://support.apple.com/en-bh/HT210060
AppleApple Business Manager and Apple School Manager*.business.apple.com443, 80TCP-Apple Business ManagerApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleApple Business Manager and Apple School Manager*.itunes.apple.com443, 80TCP-Apps and BooksApple Endpoint <-> DeviceYesYeshttps://support.apple.com/en-bh/HT210060
AppleApple Business Manager and Apple School Manager*.mzstatic.com443TCP-Apps and BooksApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleApple Business Manager and Apple School Manager*.school.apple.com443, 80TCP-Apple School ManagerApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleApple Business Manager and Apple School Manager*.vertexsmb.com443TCP-Validating tax-exempt statusApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleApple Business Manager and Apple School Managerapi.edu.apple.com443TCP-Apps and Books (ASM)Apple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleApple Business Manager and Apple School Managerapi.ent.apple.com443TCP-Apps and Books (ABM)Apple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleApple Business Manager and Apple School Managerappleid.cdn-apple.com443TCP-Login authenticationApple Endpoint <-> DeviceYesYeshttps://support.apple.com/en-bh/HT210060
AppleApple Business Manager and Apple School Manageridmsa.apple.com443TCP-Login authenticationApple Endpoint <-> DeviceYesYeshttps://support.apple.com/en-bh/HT210060
AppleApple Business Manager and Apple School Managerstatici.icloud.com443TCP-Device iconsApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleApple Business Manager and Apple School Managerwww.apple.com443TCP-Fonts for certain languagesApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleApple Business Manager and Apple School Manager - Managed Apple Apple IDsws-ee-maidsvc.icloud.com443, 80TCPiOS, iPadOS, macOSUser lookup serviceApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleApple diagnosticsdiagassets.apple.com443TCPiOS, iPadOS, tvOS, macOSUsed by Apple devices to help detect possible hardware issuesApple Endpoint <-> DeviceYesYeshttps://support.apple.com/en-bh/HT210060
AppleApple IDappleid.apple.com443TCPiOS, iPadOS, tvOS, macOSApple ID authentication in Settings and System PreferencesApple Endpoint <-> DeviceYesYeshttps://support.apple.com/en-bh/HT210060
AppleApple IDappleid.cdn-apple.com443TCPiOS, iPadOS, tvOS, macOSApple ID authentication in Settings and System PreferencesApple Endpoint <-> DeviceYesYeshttps://support.apple.com/en-bh/HT210060
AppleApple IDgsa.apple.com443TCPiOS, iPadOS, tvOS, macOSApple ID authenticationApple Endpoint <-> DeviceYesYeshttps://support.apple.com/en-bh/HT210060
AppleApple IDidmsa.apple.com443TCPiOS, iPadOS, tvOS, macOSApple ID authenticationApple Endpoint <-> DeviceYesYeshttps://support.apple.com/en-bh/HT210060
AppleAssociated Domainsapp-site-association.cdn-apple.com443TCP, UDPiOS, iPadOS, macOSAssociated domains for universal linksApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleAssociated Domainsapp-site-association.networking.apple443TCP, UDPiOS, iPadOS, macOSAssociated domains for universal linksApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleBeta updatescssubmissions.apple.com443TCPiOS, iPadOS, tvOS, macOSUsed by Feedback Assistant to upload filesApple Endpoint <-> DeviceYesYeshttps://support.apple.com/en-bh/HT210060
AppleBeta updatesfba.apple.com443TCPiOS, iPadOS, tvOS, macOSUsed by Feedback Assistant to file and view feedbackApple Endpoint <-> DeviceYesYeshttps://support.apple.com/en-bh/HT210060
AppleBeta updatesbpapi.apple.com443TCPiOS, iPadOS, tvOS, watchOS, macOSBeta update enrollmentApple Endpoint <-> DeviceYesYeshttps://support.apple.com/en-bh/HT210060
AppleCarrier updatesappldnld.apple.com80TCPiOS, iPadOSCellular carrier bundle updatesApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleCarrier updatesappldnld.apple.com.edgesuite.net80TCPiOS, iPadOSCellular carrier bundle updatesApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleCarrier updatesitunes.apple.com443TCPiOS, iPadOSCarrier bundle update discoveryApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleCarrier updatesitunes.com80TCPiOS, iPadOSCarrier bundle update discoveryApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleCarrier updatesupdates-http.cdn-apple.com80TCPiOS, iPadOSCellular carrier bundle updatesApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleCarrier updatesupdates.cdn-apple.com443TCPiOS, iPadOSCellular carrier bundle updatesApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleCertificate validationcerts.apple.com80, 443TCPiOS, iPadOS, tvOS, macOSCertificate validationApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleCertificate validationcrl.apple.com80TCPiOS, iPadOS, tvOS, macOSCertificate validationApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleCertificate validationcrl.entrust.net80TCPiOS, iPadOS, tvOS, macOSCertificate validationApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleCertificate validationcrl3.digicert.com80TCPiOS, iPadOS, tvOS, macOSCertificate validationApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleCertificate validationcrl4.digicert.com80TCPiOS, iPadOS, tvOS, macOSCertificate validationApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleCertificate validationocsp.apple.com80TCPiOS, iPadOS, tvOS, macOSCertificate validationApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleCertificate validationocsp.digicert.cn80TCPiOS, iPadOS, tvOS, macOSCertificate validation in ChinaApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleCertificate validationocsp.digicert.com80TCPiOS, iPadOS, tvOS, macOSCertificate validationApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleCertificate validationocsp.entrust.net80TCPiOS, iPadOS, tvOS, macOSCertificate validationApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleCertificate validationocsp2.apple.com443TCPiOS, iPadOS, tvOS, macOSCertificate validationApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleCertificate validationvalid.apple.com443TCPiOS, iPadOS, tvOS, macOSCertificate validationApple Endpoint <-> DeviceYesYeshttps://support.apple.com/en-bh/HT210060
AppleClassroom and Schoolworkcls-ingest.itunes.apple.com443TCPiPadOS onlySchoolwork handout serviceApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleClassroom and Schoolworkcls-iosclient.itunes.apple.com443TCPiPadOS onlySchoolwork handout serviceApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleClassroom and Schoolworkpg-bootstrap.itunes.apple.com443TCPiPadOS onlySchoolwork handout serviceApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleClassroom and Schoolworkplay.itunes.apple.com443TCPiPadOS, macOSClassroom and Schoolwork device verificationApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleClassroom and Schoolworks.mzstatic.com443TCPiPadOS, macOSClassroom and Schoolwork device verificationApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleClassroom and Schoolworkws-ee-maidsvc.icloud.com443TCPiPadOS, macOSClassroom and Schoolwork class roster serviceApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleClassroom and Schoolworkws.school.apple.com443TCPiPadOS, macOSClassroom and Schoolwork class roster serviceApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleContent caching - Clientlcdn-locator.apple.com443TCPiOS, iPadOS, tvOS, macOSContent caching locator serviceApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleContent caching - Clientserverstatus.apple.com443TCPmacOS onlyContent caching client public IP determinationApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleContent caching - Serverlcdn-registration.apple.com443TCPmacOS onlyServer registrationApple Endpoint <-> DeviceYesYeshttps://support.apple.com/en-bh/HT210060
AppleContent caching - Serversuconfig.apple.com80TCPmacOS onlyConfigurationApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleContent caching - Serverxp-cdn.apple.com443TCPmacOS onlyReportingApple Endpoint <-> DeviceYesYeshttps://support.apple.com/en-bh/HT210060
AppleDevice managementsetup.icloud.com443TCPiOS, iPadOSRequired to log in with a Managed Apple ID on Shared iPadApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleDevice management*.push.apple.com443, 80, 5223, 2197TCPiOS, iPadOS, tvOS, macOSPush notificationsApple Endpoint <-> Device-Yeshttps://support.apple.com/en-bh/HT210060https://support.apple.com/en-bh/HT210060#apns
AppleDevice managementdeviceenrollment.apple.com443TCPiOS, iPadOS, tvOS, macOSDEP provisional enrollmentApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleDevice managementdeviceservices-external.apple.com443TCPiOS, iPadOS, tvOS, macOSApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleDevice managementgdmf.apple.com443TCPiOS, iPadOS, tvOS, macOSUsed by an MDM server to identify which software updates are available to devices that use managed software updatesApple Endpoint <-> DeviceYesYeshttps://support.apple.com/en-bh/HT210060
AppleDevice managementidentity.apple.com443TCPiOS, iPadOS, tvOS, macOSAPNs certificate request portalApple Endpoint <-> DeviceYesYeshttps://support.apple.com/en-bh/HT210060
AppleDevice managementiprofiles.apple.com443TCPiOS, iPadOS, tvOS, macOSHosts enrollment profiles used when devices enroll in Apple School Manager or Apple Business Manager through Device EnrollmentApple Endpoint <-> DeviceYesYeshttps://support.apple.com/en-bh/HT210060
AppleDevice managementmdmenrollment.apple.com443TCPiOS, iPadOS, tvOS, macOSMDM servers to upload enrollment profiles used by clients enrolling through Device Enrollment in Apple School Manager or Apple Business Manager, and to look up devices and accountsApple Endpoint <-> DeviceYesYeshttps://support.apple.com/en-bh/HT210060
AppleDevice managementvpp.itunes.apple.com443TCPiOS, iPadOS, tvOS, macOSMDM servers to perform operations related to Apps and Books, like assigning or revoking licenses on a deviceApple Endpoint <-> DeviceYesYeshttps://support.apple.com/en-bh/HT210060
AppleDevice setupsq-device.apple.com443TCPiOS, iPadOSeSIM activationApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleDevice setuptime-ios.apple.com123UDPiOS, iPadOS, tvOSUsed by devices to set their date and timeApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleDevice setupalbert.apple.com443TCPiOS, iPadOS, tvOS, macOSDevice activationApple Endpoint <-> DeviceYesYeshttps://support.apple.com/en-bh/HT210060
AppleDevice setupcaptive.apple.com443, 80TCPiOS, iPadOS, tvOS, macOSInternet connectivity validation for networks that use captive portalsApple Endpoint <-> DeviceYesYeshttps://support.apple.com/en-bh/HT210060
AppleDevice setupgs.apple.com443TCPiOS, iPadOS, tvOS, macOSApple Endpoint <-> DeviceYesYeshttps://support.apple.com/en-bh/HT210060
AppleDevice setuphumb.apple.com443TCPiOS, iPadOS, tvOS, macOSApple Endpoint <-> DeviceYesYeshttps://support.apple.com/en-bh/HT210060
AppleDevice setupstatic.ips.apple.com443, 80TCPiOS, iPadOS, tvOS, macOSApple Endpoint <-> DeviceYesYeshttps://support.apple.com/en-bh/HT210060
AppleDevice setuptbsc.apple.com443TCPiOS, iPadOS, tvOS, macOSApple Endpoint <-> DeviceYesYeshttps://support.apple.com/en-bh/HT210060
AppleDevice setuptime.apple.com123UDPiOS, iPadOS, tvOS, macOSUsed by devices to set their date and timeApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleDevice setuptime-macos.apple.com123UDPmacOS onlyUsed by devices to set their date and timeApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleDomain Name System resolutiondoh.dns.apple.com443TCPiOS, iPadOS, tvOS, macOSUsed for DNS over HTTPS (DoH)Apple Endpoint <-> DeviceYesYeshttps://support.apple.com/en-bh/HT210060
AppleiCloudmask-api.icloud.com443TCPiOS, iPadOS, macOSiCloud Private RelayApple Endpoint <-> DeviceYesYeshttps://support.apple.com/en-bh/HT210060
AppleiCloudmask-h2.icloud.com443TCPiOS, iPadOS, macOSiCloud Private RelayApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleiCloudmask.icloud.com443UDPiOS, iPadOS, macOSiCloud Private RelayApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleiCloud*.apple-cloudkit.com443TCPiOS, iPadOS, tvOS, macOSiCloud servicesApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleiCloud*.apple-livephotoskit.com443TCPiOS, iPadOS, tvOS, macOSiCloud servicesApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleiCloud*.apzones.com443TCPiOS, iPadOS, tvOS, macOSiCloud services in ChinaApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleiCloud*.cdn-apple.com443TCPiOS, iPadOS, tvOS, macOSiCloud servicesApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleiCloud*.gc.apple.com443TCPiOS, iPadOS, tvOS, macOSiCloud servicesApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleiCloud*.icloud-content.com443TCPiOS, iPadOS, tvOS, macOSiCloud servicesApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleiCloud*.icloud.apple.com443TCPiOS, iPadOS, tvOS, macOSiCloud servicesApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleiCloud*.icloud.com443TCPiOS, iPadOS, tvOS, macOSiCloud servicesApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleiCloud*.icloud.com.cn443TCPiOS, iPadOS, tvOS, macOSiCloud services in ChinaApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleiCloud*.iwork.apple.com443TCPiOS, iPadOS, tvOS, macOSiWork documentsApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleSiri and search*.smoot.apple.com443TCPiOS, iPadOS, macOSSearch services, including Siri, Spotlight, Lookup, Safari, News, Messages and MusicApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleSiri and searchguzzoni.apple.com443TCPiOS, iPadOS, macOSSiri and dictation requestsApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleSoftware updatesupdates-http.cdn-apple.com80TCPiOS, iPadOS, tvOS, macOSSoftware update downloadsApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleSoftware updatesupdates.cdn-apple.com443TCPiOS, iPadOS, tvOS, macOSSoftware update downloadsApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleSoftware updatesxp.apple.com443TCPiOS, iPadOS, tvOS, macOSApple Endpoint <-> DeviceYesYeshttps://support.apple.com/en-bh/HT210060
AppleSoftware updatesgdmf.apple.com443TCPiOS, iPadOS, tvOS, watchOS, macOSSoftware update catalogApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleSoftware updatesgg.apple.com443, 80TCPiOS, iPadOS, tvOS, watchOS, macOSiOS, iPadOS, tvOS, watchOS, and macOS updatesApple Endpoint <-> DeviceYesYeshttps://support.apple.com/en-bh/HT210060
AppleSoftware updatesgs.apple.com443, 80TCPiOS, iPadOS, tvOS, watchOS, macOSiOS, iPadOS, tvOS, watchOS, and macOS updatesApple Endpoint <-> DeviceYesYeshttps://support.apple.com/en-bh/HT210060
AppleSoftware updatesmesu.apple.com443, 80TCPiOS, iPadOS, tvOS, watchOS, macOSHosts software update catalogsApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleSoftware updatesappldnld.apple.com80TCPiOS, iPadOS, watchOSiOS, iPadOS, and watchOS updatesApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleSoftware updatesns.itunes.apple.com443TCPiOS, iPadOS, watchOSApple Endpoint <-> DeviceYesYeshttps://support.apple.com/en-bh/HT210060
AppleSoftware updatesconfiguration.apple.com443TCPmacOS onlyRosetta 2 updatesApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleSoftware updatesig.apple.com443TCPmacOS onlymacOS updatesApple Endpoint <-> DeviceYesYeshttps://support.apple.com/en-bh/HT210060
AppleSoftware updatesoscdn.apple.com443, 80TCPmacOS onlymacOS RecoveryApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleSoftware updatesosrecovery.apple.com443, 80TCPmacOS onlymacOS RecoveryApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleSoftware updatesskl.apple.com443TCPmacOS onlymacOS updatesApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleSoftware updatesswcdn.apple.com443, 80TCPmacOS onlymacOS updatesApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleSoftware updatesswdist.apple.com443TCPmacOS onlymacOS updatesApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleSoftware updatesswdownload.apple.com443, 80TCPmacOS onlymacOS updatesApple Endpoint <-> DeviceYesYeshttps://support.apple.com/en-bh/HT210060
AppleSoftware updatesswscan.apple.com443TCPmacOS onlymacOS updatesApple Endpoint <-> DeviceYeshttps://support.apple.com/en-bh/HT210060
AppleTap to Pay on iPhonehumb.apple.com443TCPiOS onlyTap to Pay on iPhone setupApple Endpoint <-> DeviceYesYeshttps://support.apple.com/en-bh/HT210060
AppleTap to Pay on iPhonephonesubmissions.apple.com443TCPiOS onlyOptional analytics sharingApple Endpoint <-> DeviceYesYeshttps://support.apple.com/en-bh/HT210060
AppleTap to Pay on iPhonepos-device.apple.com443TCP, UDPiOS onlyTap to Pay on iPhoneApple Endpoint <-> DeviceYesYeshttps://support.apple.com/en-bh/HT210060
JamfAdministrator Workstation Connections (outbound)client device548, 445AFP/SMBiOS, iPadOS, macOSThe Jamf Admin application can upload new software packages to AFP or SMB distribution points.Jamf Admin to distribution pointsYesunclearhttps://learn.jamf.com/bundle/technical-articles/page/Network_Ports_Used_by_Jamf_Pro.html
JamfAdministrator Workstation Connections (outbound)client device8443, 443HTTPSiOS, iPadOS, macOSAdministrators perform management tasks by logging in to the Jamf Pro server using a web browser and the Jamf Pro apps (Jamf Admin). When the default settings are used, on-premise Jamf Pro servers use port 8443, and Jamf Cloud-hosted servers use port 443.Administrator workstations to the Jamf Pro serverYesunclearhttps://learn.jamf.com/bundle/technical-articles/page/Network_Ports_Used_by_Jamf_Pro.html
JamfJamf AD CS Connector ConnectionsJamf ADCS Server135 and 49152-65535DCOMWindowsThe Jamf AD CS Connector uses Microsoft Distributed Component Object Model (DCOM) to communicate with AD CS.Jamf AD CS Connector to AD CSYesunclearhttps://learn.jamf.com/bundle/technical-articles/page/Network_Ports_Used_by_Jamf_Pro.html
JamfJamf AD CS Connector ConnectionsJamf ADCS Server443HTTPSWindowsJamf Pro sends certificate signing requests and retrieves completed certificates by opening a connection to the Jamf AD CS Connector, typically on TCP port 443.Jamf Pro to Jamf AD CS ConnectorYesunclearhttps://learn.jamf.com/bundle/technical-articles/page/Network_Ports_Used_by_Jamf_Pro.html
JamfJamf AD CS Connector ConnectionsJamf ADCS Server8443, 443HTTPSWindowsIf your organization uses in-house apps developed with the Jamf Certificate SDK, connections to the Jamf Pro server will be via HTTPS. When default settings are used, on-premise Jamf Pro servers use port 8443, and Jamf Cloud-hosted servers use port 443.Mobile device apps to the Jamf Pro serverYesunclearhttps://learn.jamf.com/bundle/technical-articles/page/Network_Ports_Used_by_Jamf_Pro.html
JamfJamf Infrastructure Manager - Healthcare Listener ConnectionsJIM Server2575HL7Windows2575 is an assigned port that can be used for HL7 communications, but the Healthcare Listener can be configured to use any preferred port 1024 or greater.HL7 interface to Jamf Infrastructure Manager hostYesunclearhttps://learn.jamf.com/bundle/technical-articles/page/Network_Ports_Used_by_Jamf_Pro.html
JamfJamf Infrastructure Manager - Healthcare Listener ConnectionsJIM Server8443, 443HTTPSWindowsThe Healthcare Listener informs the Jamf Pro Management Server when an action is needed on a device. When the default settings are used, on-premise Jamf Pro servers use port 8443, and Jamf Cloud-hosted servers use port 443.Jamf Infrastructure Manager host to the Jamf Pro serverYesunclearhttps://learn.jamf.com/bundle/technical-articles/page/Network_Ports_Used_by_Jamf_Pro.html
JamfJamf Infrastructure Manager - LDAP Proxy ConnectionsJIM Server8081HTTPWindowsThe LDAP Proxy service can expose this port to enable Healthcheck endpoint for verification of LDAP Proxy Server status. The default port is 8081 but can be changed by your administrator.External service to Jamf Infrastructure Manager hostYesunclearhttps://learn.jamf.com/bundle/technical-articles/page/Network_Ports_Used_by_Jamf_Pro.html
JamfJamf Infrastructure Manager - LDAP Proxy ConnectionsJIM Server8443, 443HTTPSWindowsJamf Infrastructure Manager instances connect to the Jamf Pro server when they are enrolled and periodically thereafter to confirm their operating status and retrieve updated settings. When the default settings are used, on-premise Jamf Pro servers use port 8443, and Jamf Cloud-hosted servers use port 443.Jamf Infrastructure Manager host to the Jamf Pro serverYesunclearhttps://learn.jamf.com/bundle/technical-articles/page/Network_Ports_Used_by_Jamf_Pro.html
JamfJamf Infrastructure Manager - LDAP Proxy ConnectionsJIM Server389, 636LDAP or LDAPSWindowsThe LDAP Proxy service receives lookup requests from the Jamf Pro server and forwards them to the directory service you have configured in Jamf Pro's LDAP settings. LDAP typically runs on port 389. If you encrypt your LDAP communications (e.g., LDAP over SSL/LDAPS), port 636 is commonly used. Your directory services administrator can tell you which port is used in your environment.Jamf Infrastructure Manager/LDAP Proxy to LDAP server/Domain controllerYesunclearhttps://learn.jamf.com/bundle/technical-articles/page/Network_Ports_Used_by_Jamf_Pro.html
JamfJamf Infrastructure Manager - LDAP Proxy ConnectionsJIM Server8389, 8636LDAP or LDAPSWindowsAll Jamf Pro LDAP lookups are sent via the Jamf Pro server. Jamf Pro can be configured to send LDAP queries to a Jamf Infrastructure Manager LDAP Proxy instance rather than directly to an LDAP host. The port on which the LDAP Proxy will listen for these incoming requests is configured when enrolling with the Jamf Pro server. On Linux, the port chosen should be at least 1024 because lower-numbered ports are reserved for more privileged services and users. Port 8389 might be chosen if running on LDAP, or port 8636 if running on LDAPS.Jamf Pro server to the Jamf Infrastructure Manager hostYesunclearhttps://learn.jamf.com/bundle/technical-articles/page/Network_Ports_Used_by_Jamf_Pro.html
JamfJamf Pro server (inbound)[yourserver].jamfcloud.com or on-prem hostname80, 8080, 443HTTP or HTTPS-Some advanced installations may include a load balancer or reverse proxy. In this case, the Jamf Pro server URL’s host name will resolve to the IP address of the proxy. If SSL is terminated at the proxy, traffic is forwarded to the Jamf Pro server over HTTP (typical ports are 80/8080). Or, traffic may be re-encrypted or passed using HTTPS (often over port 443.Load balancer or proxy to the Jamf Pro serverYesunclearhttps://learn.jamf.com/bundle/technical-articles/page/Network_Ports_Used_by_Jamf_Pro.html
| Jamf | Jamf Pro server (inbound) | [yourserver].jamfcloud.com or on-prem hostname | 8443 or 443 | HTTPS | - | Connections to the Jamf Pro web app use HTTPS. When default settings are used, on-premise Jamf Pro servers use port 8443, and Jamf Cloud-hosted servers use port 443.<br>Note: HTTPS Interception (SSL Inspection) is not supported for connections to Jamf Pro. If client HTTPS traffic traverses a web proxy, you must disable HTTPS Interception for connections to Jamf Pro. | Managed computers or mobile devices, administrator workstations, and other services to the Jamf Pro server | Yes | Yes | https://learn.jamf.com/bundle/technical-articles/page/Network_Ports_Used_by_Jamf_Pro.html |
| Jamf | Jamf Pro server (outbound) | [yourserver].jamfcloud.com or on-prem hostname | 80 | HTTP | - | App Store app information can be retrieved from the App Store. | Jamf Pro server to Apple | Yes | unclear | https://learn.jamf.com/bundle/technical-articles/page/Network_Ports_Used_by_Jamf_Pro.html |
| Jamf | Jamf Pro server (outbound) | [yourserver].jamfcloud.com or on-prem hostname | 80, 443 | HTTP or HTTPS | - | The Jamf Pro server connects to Pendo if Engage is enabled in Jamf Pro. Jamf Engage data is compressed to approximately 100KB and loads asynchronously. Data is securely transmitted via SSL and each transmission is less than 2KB. | Jamf Pro server to *.jamfcloud.com | Yes | unclear | https://learn.jamf.com/bundle/technical-articles/page/Network_Ports_Used_by_Jamf_Pro.html |
| Jamf | Jamf Pro server (outbound) | [yourserver].jamfcloud.com or on-prem hostname | 80, 443 | HTTP or HTTPS | - | The Jamf Pro server connects to Microsoft via the Microsoft Graph API if the connection between Jamf Pro and Microsoft Intune is configured. For more information, see the following documentation from Microsoft: Network endpoints for Microsoft Intune | Jamf Pro server to the following domains:<br>login.microsoftonline.com<br>graph.microsoft.com<br>*.manage.microsoft.com | Yes | unclear | https://learn.jamf.com/bundle/technical-articles/page/Network_Ports_Used_by_Jamf_Pro.html |
| Jamf | Jamf Pro server (outbound) | [yourserver].jamfcloud.com or on-prem hostname | 80, 443 | HTTP or HTTPS | - | If you are deploying SCEP certificate configuration profiles with a dynamic challenge, or using Jamf Pro's SCEP proxy services, the Jamf Pro server connects to your SCEP Enrollment server to obtain an enrollment challenge password and/or retrieve generated certificates on behalf of managed devices.<br>Note: In a clustered environment, requests related to the SCEP Proxy are handled by the web app that receives the request. Therefore, it is important that all web apps are able to communicate with the configured SCEP service. | Jamf Pro server to SCEP Enrollment server | Yes | unclear | https://learn.jamf.com/bundle/technical-articles/page/Network_Ports_Used_by_Jamf_Pro.html |
| Jamf | Jamf Pro server (outbound) | [yourserver].jamfcloud.com or on-prem hostname | 443 | HTTPS | - | The Jamf Pro server can integrate with Apple-hosted services such as Device Enrollment (formerly Device Enrollment Program), Volume Purchasing (formerly Volume Purchase Program), and Global Service Exchange (GSX). | Jamf Pro server to Apple | Yes | unclear | https://learn.jamf.com/bundle/technical-articles/page/Network_Ports_Used_by_Jamf_Pro.html |
| Jamf | Jamf Pro server (outbound) | [yourserver].jamfcloud.com or on-prem hostname | 443 | HTTPS | - | The Jamf Pro server can access hosted schema to populate Application & Custom Settings options. | Jamf Pro server to prod-custom-setting-schemas.s3.amazonaws.com | Yes | unclear | https://learn.jamf.com/bundle/technical-articles/page/Network_Ports_Used_by_Jamf_Pro.html |
| Jamf | Jamf Pro server (outbound) | [yourserver].jamfcloud.com or on-prem hostname | 443 | HTTPS | - | The Jamf Pro server can connect to Jamf-hosted utilities and services including:<br>Retrieving information about newly released software and version updates from Jamf's patch reporting database, hosted at https://jamf-patch.jamfcloud.com/<br>Apple Push Notification certificate signing requests (CSR)<br>Customer Experience Metrics information submitted to Jamf (optional)<br>Jamf Push Proxy communication with Jamf Self Service for iOS<br>Retrieving information from Jamf's hardware model name service, hosted at https://hw-model-names.services.jamfcloud.com (if configured) | Jamf Pro server to *.jamfcloud.com and *.jamf.com | Yes | unclear | https://learn.jamf.com/bundle/technical-articles/page/Network_Ports_Used_by_Jamf_Pro.html |
| Jamf | Jamf Pro server (outbound) | [yourserver].jamfcloud.com or on-prem hostname | 443 | HTTPS | - | The Jamf Pro server connects to Jamf-hosted services via the Cloud Services Connection. | Jamf Pro server to the following domains:<br>https://csa.services.jamfcloud.com<br>https://ics.services.jamfcloud.com | Yes | unclear | https://learn.jamf.com/bundle/technical-articles/page/Network_Ports_Used_by_Jamf_Pro.html |
| Jamf | Jamf Pro server (outbound) | [yourserver].jamfcloud.com or on-prem hostname | 443 | HTTPS | - | A cloud distribution point (Amazon S3 or CloudFront, Akamai, RackSpace, or Jamf Cloud Distribution Service) can be used to host your software packages for distribution to managed clients. The Jamf Pro server connects to these services to perform initial configuration, to upload packages added via the Jamf Pro web app or Jamf Admin, and as needed to request content access tokens and URL signatures. | Jamf Pro server to cloud hosting provider | Yes | unclear | https://learn.jamf.com/bundle/technical-articles/page/Network_Ports_Used_by_Jamf_Pro.html |
| Jamf | Jamf Pro server (outbound) | [yourserver].jamfcloud.com or on-prem hostname | 443 | HTTPS | - | Jamf Pro can be configured to send webhook notifications for a variety of events (device enrollment, inventory updates, etc.) to support workflow automation and data integrations. | Jamf Pro server to event listener application server | Yes | unclear | https://learn.jamf.com/bundle/technical-articles/page/Network_Ports_Used_by_Jamf_Pro.html |
| Jamf | Jamf Pro server (outbound) | [yourserver].jamfcloud.com or on-prem hostname | 443 | HTTPS | - | The Jamf Pro server connects to TeamViewer via TeamViewer API if connection between Jamf Pro and TeamViewer is configured. For more information, see TeamViewer Integration in the Jamf Pro Documentation | - | Yes | unclear | https://learn.jamf.com/bundle/technical-articles/page/Network_Ports_Used_by_Jamf_Pro.html |
| Jamf | Jamf Pro server (outbound) | [yourserver].jamfcloud.com or on-prem hostname | 2195, 2196 | HTTPS | - | Ports 2195/2196 are used only for legacy binary Apple Push Notification (APNs) service protocol until Jamf Pro deprecates the binary protocol or Apple no longer supports it. Notifications are sent to Apple on port 2195 and delivery feedback is solicited on port 2196. | Jamf Pro server to Apple APNs 17/8 IP range | Yes | unclear | https://learn.jamf.com/bundle/technical-articles/page/Network_Ports_Used_by_Jamf_Pro.html |
| Jamf | Jamf Pro server (outbound) | [yourserver].jamfcloud.com or on-prem hostname | 443, 2197 | HTTPS | - | The Jamf Pro server uses Apple Push Notification service (APNs) to prompt managed devices to check in for mobile device management (MDM). Port 443 is used by default for the HTTP/2 connections. Port 2197 can be used only in on-premise environments.<br>Note: Allow outbound connections to and redirects from Apple's 17.0.0.0/8 block over TCP port 5223 / 443 from all client networks and on port 2197, where applicable, from Jamf Pro servers to ensure APNs will function correctly on your network. | Jamf Pro server to Apple APNs 17/8 IP range | Yes | unclear | https://learn.jamf.com/bundle/technical-articles/page/Network_Ports_Used_by_Jamf_Pro.html |
| Jamf | Jamf Pro server (outbound) | [yourserver].jamfcloud.com or on-prem hostname | 389, 636 | LDAP, Start TLS, or LDAPS | - | Directory service integration via LDAP (389), LDAP over TLS (Start TLS/389) or LDAP over SSL (LDAPS/636) can be used for user authentication, device assignment, and user information and group membership lookups.<br>Note: All Jamf Pro server LDAP connections will originate from the Jamf Pro server. For information about LDAP Proxy connections, see the "Jamf Infrastructure Manager – LDAP Proxy Connections" section in this document. | Jamf Pro server to LDAP/Domain controller | Yes | unclear | https://learn.jamf.com/bundle/technical-articles/page/Network_Ports_Used_by_Jamf_Pro.html |
| Jamf | Jamf Pro server (outbound) | [yourserver].jamfcloud.com or on-prem hostname | 11211 | memcached | - | Memcached data access acceleration services can help reduce database load in multi-server Jamf Pro configurations. | Jamf Pro servers to Memcached servers | Yes | unclear | https://learn.jamf.com/bundle/technical-articles/page/Network_Ports_Used_by_Jamf_Pro.html |
| Jamf | Jamf Pro server (outbound) | [yourserver].jamfcloud.com or on-prem hostname | 3306 | MySQL | - | The Jamf Pro server connects to a MySQL database. | Jamf Pro server to MySQL database | Yes | unclear | https://learn.jamf.com/bundle/technical-articles/page/Network_Ports_Used_by_Jamf_Pro.html |
| Jamf | Jamf Pro server (outbound) | [yourserver].jamfcloud.com or on-prem hostname | 25, 465, 587 | SMTP | - | Email integration via an SMTP gateway can be used for administrative notifications, user messaging, and enrollment invitations. The SMTP port depends on the service provider and type of encryption supported.<br>Note: To help keep data and communications as secure as possible, port 25 is blocked in Jamf Cloud. Jamf recommends using port 587 with TLS. | Jamf Pro server to SMTP gateway host | Yes | unclear | https://learn.jamf.com/bundle/technical-articles/page/Network_Ports_Used_by_Jamf_Pro.html |
| Jamf | Jamf Pro server (outbound) | [yourserver].jamfcloud.com or on-prem hostname | 514 | Syslog | - | Change Management logs can be written to log files and to a Syslog server. | Jamf Pro server to Syslog server | Yes | unclear | https://learn.jamf.com/bundle/technical-articles/page/Network_Ports_Used_by_Jamf_Pro.html |
| Jamf | Managed Computer and Mobile Device Connections (outbound) | client device | 548 | AFP | iOS, iPadOS, macOS | Software packages can be downloaded by Mac computers from an Apple File Protocol (AFP) server. | Mac computers to AFP servers | Yes | unclear | https://learn.jamf.com/bundle/technical-articles/page/Network_Ports_Used_by_Jamf_Pro.html |
| Jamf | Managed Computer and Mobile Device Connections (outbound) | client device | 5223, 443 | APNs | iOS, iPadOS, macOS | The Jamf Pro server will send a message to the Apple Push Notification service when it has an MDM profile or command awaiting delivery to an enrolled device. Mac computers and iOS devices maintain a persistent connection to APNs when connected to a network so they will receive new notifications quickly. End user devices connect to APNs using port 5223 by default, but will fail over to port 443 when connecting via Wi-Fi. | Managed devices to APNs | Yes | unclear | https://learn.jamf.com/bundle/technical-articles/page/Network_Ports_Used_by_Jamf_Pro.html |
| Jamf | Managed Computer and Mobile Device Connections (outbound) | client device | 80, 443 | HTTP and HTTPS | iOS, iPadOS, macOS | Mac computers can download software packages from an HTTP and HTTPS server such as Apple macOS Server, Apache, and Microsoft IIS. | Managed computers to HTTP/HTTPS distribution point | Yes | unclear | https://learn.jamf.com/bundle/technical-articles/page/Network_Ports_Used_by_Jamf_Pro.html |
| Jamf | Managed Computer and Mobile Device Connections (outbound) | client device | 80, 443 | HTTP and HTTPS | iOS, iPadOS, macOS | The Apple ecosystem relies on many Internet-based systems maintained by Apple and their content distribution network (CDN). Examples include Apple Software Update, the App Store, Device Enrollment (formerly Device Enrollment Program), Volume Purchasing (formerly Volume Purchase Program). | Managed devices to Apple/CDN | Yes | unclear | https://learn.jamf.com/bundle/technical-articles/page/Network_Ports_Used_by_Jamf_Pro.html |
| Jamf | Managed Computer and Mobile Device Connections (outbound) | client device | 443 | HTTPS | iOS, iPadOS, macOS | Mac computers can download software packages from a cloud distribution point (Amazon S3 or CloudFront, Akamai, RackSpace, or Jamf Cloud Distribution Service). | Managed computers to a cloud distribution point | Yes | unclear | https://learn.jamf.com/bundle/technical-articles/page/Network_Ports_Used_by_Jamf_Pro.html |
| Jamf | Managed Computer and Mobile Device Connections (outbound) | client device | 443 | HTTPS | iOS, iPadOS, macOS | iOS devices can download in-house apps and ebooks from the Jamf Cloud Distribution Service. | Managed mobile devices to JCDS | Yes | unclear | https://learn.jamf.com/bundle/technical-articles/page/Network_Ports_Used_by_Jamf_Pro.html |
| Jamf | Managed Computer and Mobile Device Connections (outbound) | client device | 443 | HTTPS | iOS, iPadOS, macOS | Managed computers send crash logging and some anonymized usage statistics to Jamf's Sentry server. For more information, see the Sentry Crash Logging and Usage Analytics Integrations article. | Managed computers to sentry.pub.jamf.build | Yes | unclear | https://learn.jamf.com/bundle/technical-articles/page/Network_Ports_Used_by_Jamf_Pro.html |
| Jamf | Managed Computer and Mobile Device Connections (outbound) | client device | 8443, 443 | HTTPS | iOS, iPadOS, macOS | Mac computers and iOS devices connect to the Jamf Pro server when:<br>Prompted to enroll in mobile device management by Apple’s Device Enrollment (formerly Device Enrollment Program)<br>Enrolling via user-initiated enrollment in a web browser<br>Running the jamf agent (Mac computers only)<br>Running Self Service Mobile for iOS<br>Running Self Service for macOS<br>Responding to an MDM push notification<br>When the default settings are used, on-premise Jamf Pro servers use port 8443 and the Jamf Cloud managed-hosting option uses port 443. | Managed devices to the Jamf Pro server | Yes | unclear | https://learn.jamf.com/bundle/technical-articles/page/Network_Ports_Used_by_Jamf_Pro.html |
| Jamf | Managed Computer and Mobile Device Connections (outbound) | client device | 445, 137–139 | SMB | iOS, iPadOS, macOS | Software packages can be distributed to Mac computers using a Windows SMB (CIFS) distribution point. | Managed computers to SMB servers | Yes | unclear | https://learn.jamf.com/bundle/technical-articles/page/Network_Ports_Used_by_Jamf_Pro.html |
| Jamf | SCCM Plug-In Connections | SCCM Proxy Service | 80, 443 | HTTP/HTTPS | Windows | The SCCM Proxy Service will transmit updated device inventory information to the Microsoft Configuration Manager API. | SCCM Plug-In host to SCCM server | Yes | unclear | https://learn.jamf.com/bundle/technical-articles/page/Network_Ports_Used_by_Jamf_Pro.html |
| Jamf | SCCM Plug-In Connections | SCCM Proxy Service | 8443, 443 | HTTPS | Windows | The SCCM Proxy Service queries the Jamf Pro server via a REST API to obtain information about your managed devices. When the default settings are used, on-premise Jamf Pro servers use port 8443, and the Jamf Cloud-hosted servers use port 443. | SCCM Plug-In host to the Jamf Pro server | Yes | unclear | https://learn.jamf.com/bundle/technical-articles/page/Network_Ports_Used_by_Jamf_Pro.html |
| Jamf | Single Sign-On Connections (bidirectional) | client device | custom | custom | iOS, iPadOS, macOS | To implement single sign-on in on-premise environments, two-way communication on TCP ports between the Identity Provider and Jamf Pro server is required. | IdP <-> Device | Yes | unclear | https://learn.jamf.com/bundle/technical-articles/page/Network_Ports_Used_by_Jamf_Pro.html |
| Microsoft | Office Apps | client device | see documentation | see documentation | iOS, iPadOS, macOS | This is a link to the macadmins.software website run by Paul Bowden @microsoft and the PDF he already has with the endpoints used by Office apps on macOS | - | - | - | https://macadmins.software/docs/Network_Traffic.pdf |
| Microsoft | SSO Plug-in | *.cdn-apple.com | unclear | unclear | iOS, iPadOS, macOS | For the SSO plug-in to function properly, Apple devices should be allowed to reach to both identity provider URLs and its own URLs without additional interception. This means that those URLs need to be excluded from network proxies, interception and other enterprise systems. | device <-> host | Unclear | Yes | https://learn.microsoft.com/en-us/azure/active-directory/develop/apple-sso-plugin#required-network-configuration |
| Microsoft | SSO Plug-in | *.networking.apple | unclear | unclear | iOS, iPadOS, macOS | For the SSO plug-in to function properly, Apple devices should be allowed to reach to both identity provider URLs and its own URLs without additional interception. This means that those URLs need to be excluded from network proxies, interception and other enterprise systems. | device <-> host | Unclear | Yes | https://learn.microsoft.com/en-us/azure/active-directory/develop/apple-sso-plugin#required-network-configuration |
| Microsoft | SSO Plug-in | login-us.microsoftonline.com | unclear | unclear | iOS, iPadOS, macOS | For the SSO plug-in to function properly, Apple devices should be allowed to reach to both identity provider URLs and its own URLs without additional interception. This means that those URLs need to be excluded from network proxies, interception and other enterprise systems. | device <-> host | Unclear | Yes | https://learn.microsoft.com/en-us/azure/active-directory/develop/apple-sso-plugin#required-network-configuration |
| Microsoft | SSO Plug-in | login.chinacloudapi.cn | unclear | unclear | iOS, iPadOS, macOS | For the SSO plug-in to function properly, Apple devices should be allowed to reach to both identity provider URLs and its own URLs without additional interception. This means that those URLs need to be excluded from network proxies, interception and other enterprise systems. | device <-> host | Unclear | Yes | https://learn.microsoft.com/en-us/azure/active-directory/develop/apple-sso-plugin#required-network-configuration |
| Microsoft | SSO Plug-in | login.microsoft.com | unclear | unclear | iOS, iPadOS, macOS | For the SSO plug-in to function properly, Apple devices should be allowed to reach to both identity provider URLs and its own URLs without additional interception. This means that those URLs need to be excluded from network proxies, interception and other enterprise systems. | device <-> host | Unclear | Yes | https://learn.microsoft.com/en-us/azure/active-directory/develop/apple-sso-plugin#required-network-configuration |
| Microsoft | SSO Plug-in | login.microsoftonline.com | unclear | unclear | iOS, iPadOS, macOS | For the SSO plug-in to function properly, Apple devices should be allowed to reach to both identity provider URLs and its own URLs without additional interception. This means that those URLs need to be excluded from network proxies, interception and other enterprise systems. | device <-> host | Unclear | Yes | https://learn.microsoft.com/en-us/azure/active-directory/develop/apple-sso-plugin#required-network-configuration |
| Microsoft | SSO Plug-in | login.microsoftonline.us | unclear | unclear | iOS, iPadOS, macOS | For the SSO plug-in to function properly, Apple devices should be allowed to reach to both identity provider URLs and its own URLs without additional interception. This means that those URLs need to be excluded from network proxies, interception and other enterprise systems. | device <-> host | Unclear | Yes | https://learn.microsoft.com/en-us/azure/active-directory/develop/apple-sso-plugin#required-network-configuration |
| Microsoft | SSO Plug-in | login.partner.microsoftonline.cn | unclear | unclear | iOS, iPadOS, macOS | For the SSO plug-in to function properly, Apple devices should be allowed to reach to both identity provider URLs and its own URLs without additional interception. This means that those URLs need to be excluded from network proxies, interception and other enterprise systems. | device <-> host | Unclear | Yes | https://learn.microsoft.com/en-us/azure/active-directory/develop/apple-sso-plugin#required-network-configuration |
| Microsoft | SSO Plug-in | sts.windows.net | unclear | unclear | iOS, iPadOS, macOS | For the SSO plug-in to function properly, Apple devices should be allowed to reach to both identity provider URLs and its own URLs without additional interception. This means that those URLs need to be excluded from network proxies, interception and other enterprise systems. | device <-> host | Unclear | Yes | https://learn.microsoft.com/en-us/azure/active-directory/develop/apple-sso-plugin#required-network-configuration |
| Microsoft | Tenant Restrictions | login.microsoft.com | unclear | unclear | iOS, iPadOS, macOS | Proxy configuration and requirements:<br>The following configuration is required to enable tenant restrictions through your proxy infrastructure. This guidance is generic, so you should refer to your proxy vendor's documentation for specific implementation steps.<br><br>Prerequisites:<br>The proxy must be able to perform TLS interception, HTTP header insertion, and filter destinations using FQDNs/URLs.<br>Clients must trust the certificate chain presented by the proxy for TLS communications. For example, if certificates from an internal public key infrastructure (PKI) are used, the internal issuing root certificate authority certificate must be trusted.<br>Microsoft Entra ID P1 or P2 licenses are required for use of tenant restrictions. | device <-> host | Yes | No | https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/tenant-restrictions#urls-and-ip-addresses |
| Microsoft | Tenant Restrictions | login.microsoftonline.com | unclear | unclear | iOS, iPadOS, macOS | Proxy configuration and requirements:<br>The following configuration is required to enable tenant restrictions through your proxy infrastructure. This guidance is generic, so you should refer to your proxy vendor's documentation for specific implementation steps.<br><br>Prerequisites:<br>The proxy must be able to perform TLS interception, HTTP header insertion, and filter destinations using FQDNs/URLs.<br>Clients must trust the certificate chain presented by the proxy for TLS communications. For example, if certificates from an internal public key infrastructure (PKI) are used, the internal issuing root certificate authority certificate must be trusted.<br>Microsoft Entra ID P1 or P2 licenses are required for use of tenant restrictions. | device <-> host | Yes | No | https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/tenant-restrictions#urls-and-ip-addresses |
| Microsoft | Tenant Restrictions | login.windows.net | unclear | unclear | iOS, iPadOS, macOS | Proxy configuration and requirements:<br>The following configuration is required to enable tenant restrictions through your proxy infrastructure. This guidance is generic, so you should refer to your proxy vendor's documentation for specific implementation steps.<br><br>Prerequisites:<br>The proxy must be able to perform TLS interception, HTTP header insertion, and filter destinations using FQDNs/URLs.<br>Clients must trust the certificate chain presented by the proxy for TLS communications. For example, if certificates from an internal public key infrastructure (PKI) are used, the internal issuing root certificate authority certificate must be trusted.<br>Microsoft Entra ID P1 or P2 licenses are required for use of tenant restrictions. | device <-> host | Yes | No | https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/tenant-restrictions#urls-and-ip-addresses |
--------------------------------------------------------------------------------