├── .gitignore
├── 1114 - Decoding SAML - How to set up SSO quickly in Jamf Pro
│   ├── Enrollment Customizations and Jamf Connect with Azure.pdf
│   ├── Enrollment_Customizations_and_Jamf_Connect_with_Ok.pdf
│   └── JNUC 1114 - Decoding SAML Runes.pdf
├── 1196 - Remediating security events with Jamf Pro Jamf Protect and Jamf Connect
│   ├── 1196 - Remediating security events with Jamf Pro, Jamf Protect and Jamf Connect.pdf
│   ├── DEPNotify Remediation Script.sh
│   ├── InfosecOnlyWallpaper
│   │   └── InfosecOnlyWallpaper.jpeg
│   ├── Jamf Connect Password Change via Self Service Policy.sh
│   ├── Jamf Helper_ High Level.sh
│   ├── Jamf Protect_ Malware Clearing.txt
│   ├── ProtectRemediationNotification.sh
│   ├── SSH Detection Notification for Protect.sh
│   └── remediate_password_with_connect_and_protect.sh
├── LICENSE
└── README.md
/.gitignore:
--------------------------------------------------------------------------------
1 |
2 | .DS_Store
3 |
--------------------------------------------------------------------------------
/1114 - Decoding SAML - How to set up SSO quickly in Jamf Pro/Enrollment Customizations and Jamf Connect with Azure.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sean-rabbitt/Jamf-2021-Sessions/a0a1d95dfb41c9464bd21a5d1ecb892a512d1e59/1114 - Decoding SAML - How to set up SSO quickly in Jamf Pro/Enrollment Customizations and Jamf Connect with Azure.pdf
--------------------------------------------------------------------------------
/1114 - Decoding SAML - How to set up SSO quickly in Jamf Pro/Enrollment_Customizations_and_Jamf_Connect_with_Ok.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sean-rabbitt/Jamf-2021-Sessions/a0a1d95dfb41c9464bd21a5d1ecb892a512d1e59/1114 - Decoding SAML - How to set up SSO quickly in Jamf Pro/Enrollment_Customizations_and_Jamf_Connect_with_Ok.pdf
--------------------------------------------------------------------------------
/1114 - Decoding SAML - How to set up SSO quickly in Jamf Pro/JNUC 1114 - Decoding SAML Runes.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sean-rabbitt/Jamf-2021-Sessions/a0a1d95dfb41c9464bd21a5d1ecb892a512d1e59/1114 - Decoding SAML - How to set up SSO quickly in Jamf Pro/JNUC 1114 - Decoding SAML Runes.pdf
--------------------------------------------------------------------------------
/1196 - Remediating security events with Jamf Pro Jamf Protect and Jamf Connect/1196 - Remediating security events with Jamf Pro, Jamf Protect and Jamf Connect.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sean-rabbitt/Jamf-2021-Sessions/a0a1d95dfb41c9464bd21a5d1ecb892a512d1e59/1196 - Remediating security events with Jamf Pro Jamf Protect and Jamf Connect/1196 - Remediating security events with Jamf Pro, Jamf Protect and Jamf Connect.pdf
--------------------------------------------------------------------------------
/1196 - Remediating security events with Jamf Pro Jamf Protect and Jamf Connect/DEPNotify Remediation Script.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | # Version 1.0.0
3 | ##########################################################################################################
4 | # Script by Sean Rabbitt, Jamf Senior Sales Engineer and Kelli Conlin, Jamf Security Solutions Specialist
5 | ##########################################################################################################
6 |
7 | JAMF_PATH=$(which jamf)
8 | echo "Jamf Path is $JAMF_PATH"
9 |
10 | LOGGED_IN_USER=$( /usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | /usr/bin/awk -F': ' '/[[:space:]]+Name[[:space:]]:/ { if ( $2 != "loginwindow" ) { print $2 }}' )
11 |
12 | echo "Logged in user is $LOGGED_IN_USER"
13 |
14 | LOGGED_IN_UID=$(/usr/bin/id -u "$LOGGED_IN_USER")
15 | echo "Logged in user UID is $LOGGED_IN_UID"
16 |
17 | # Remove DEP Notify log if present
18 | if [[ -f /var/tmp/depnotify.log ]]; then
19 | echo "Existing DEPNotify file found, deleting"
20 | rm /var/tmp/depnotify.log
21 | fi
22 |
23 | # DEP Notify for Jamf Protect
24 | if [[ -f "/Applications/Utilities/DEPNotify.app/Contents/MacOS/DEPNotify" ]]; then
25 | echo "DEPNotify Found - starting"
26 | launchctl asuser "$LOGGED_IN_UID" open -a "/Applications/Utilities/DEPNotify.app" --args -fullScreen
27 | else
28 | echo "DEP Notify Not Present.. downloading and installing"
29 | curl -fL "https://files.nomad.menu/DEPNotify.pkg" -o /private/tmp/DEPNotify.pkg # -f: fail on HTTP errors instead of saving an error page
30 | /usr/sbin/installer -pkg /private/tmp/DEPNotify.pkg -target /
31 | echo "DEPNotify Found - starting"
32 | launchctl asuser "$LOGGED_IN_UID" open -a "/Applications/Utilities/DEPNotify.app" --args -fullScreen
33 | fi
34 |
35 | # Update DEPNotify Icon
36 | echo "Command: Image: /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/AlertStopIcon.icns" >> /var/tmp/depnotify.log
37 |
38 | # Update DEPNotify Title
39 | echo "Command: MainTitle: Jamf Protect Remediation" >> /var/tmp/depnotify.log
40 |
41 | # Update DEPNotify Main Body Text
42 | echo "Command: MainText: Jamf Protect has detected malicious activity on this computer.\n\nYou may resume using your Mac once the malicious incident has been isolated.\n\n If this screen remains for longer than five minutes, please call the IT Department using the number on the back of your ID badge." >> /var/tmp/depnotify.log
43 |
44 | # Update the DEPNotify progress bar
45 | echo "Command: DeterminateManual: 5" >> /var/tmp/depnotify.log
46 | echo "Command: DeterminateManualStep: 1" >> /var/tmp/depnotify.log
47 |
48 | # Update DEPNotify Status Message
49 | echo "Status: Remediation in progress..." >> /var/tmp/depnotify.log
50 | sleep 3
51 |
52 | # Update DEPNotify Status Message
53 | echo "Status: Compressing forensic artifacts..." >> /var/tmp/depnotify.log
54 | echo "Command: DeterminateManualStep: 1" >> /var/tmp/depnotify.log
55 | sleep 3
56 |
57 | # Capture the date & time
58 | dateStamp=$(date +%Y_%m_%d-%H_%M_%S)
59 |
60 | # Check for and remove a LaunchDaemon if found
61 | if [[ -f /Library/LaunchDaemons/com.celastradepro.plist ]];then
62 | launchctl bootout system /Library/LaunchDaemons/com.celastradepro.plist
63 | rm -rf /Library/LaunchDaemons/com.celastradepro.plist
64 | fi
65 |
66 | # Zip the Malware (zip runs only if the cd into the quarantine folder succeeded)
67 | cd /Library/Application\ Support/JamfProtect/Quarantine/* && zip -r -X "../Malware-$dateStamp.zip" *
68 |
69 | # Update DEPNotify Status Message
70 | echo "Status: Moving forensic artifacts..." >> /var/tmp/depnotify.log
71 | echo "Command: DeterminateManualStep: 1" >> /var/tmp/depnotify.log
72 | sleep 3
73 |
74 | # Move Malware to a new location, Default is /Users/Shared (mv runs only if the cd succeeded)
75 | cd /Library/Application\ Support/JamfProtect/Quarantine/ && mv "Malware-$dateStamp.zip" /Users/Shared/
76 |
77 | # Remove the Quarantined Malware
78 | rm -R /Library/Application\ Support/JamfProtect/Quarantine/*
79 |
80 | # Clear DEPNotify Status Message
81 | echo "Command: DeterminateManualStep: 1" >> /var/tmp/depnotify.log
82 | echo "Status: " >> /var/tmp/depnotify.log
83 |
84 | # DEPNotify app Completed Title
85 | echo "Command: MainTitle: Remediation Complete" >> /var/tmp/depnotify.log
86 |
87 | # DEPNotify app Completed Icon
88 | echo "Command: Image: /Applications/JamfProtect.app/Contents/Resources/AppIcon.icns" >> /var/tmp/depnotify.log
89 |
90 | # DEPNotify app Completed Text Body
91 | echo "Command: MainText: The malicious element was isolated. Thank you for your patience.\n\nAs a reminder, your security is of the utmost importance. If you receive any unusual emails or phone calls asking for your username, password, or any other requests, please call the IT Department using the number on the back of your ID badge." >> /var/tmp/depnotify.log
92 | sleep 4
93 |
94 | # Quit the DEPNotify app
95 | echo "Command: Quit" >> /var/tmp/depnotify.log
96 |
97 | # Remove the DEPNotify log file
98 | rm /var/tmp/depnotify.log
99 |
100 | # Remove Forensic Artifact from the computer
101 | rm -rf /Users/Shared/Malware*.zip
102 |
103 | # Remove Jamf Protect Extension Attribute
104 | rm /Library/Application\ Support/JamfProtect/groups/*
105 | # Quit DEPNotify app if the quit command failed
106 | pkill DEPNotify
107 |
108 | # Remove DEPNotify.app
109 | # rm -R /Applications/Utilities/DEPNotify.app
110 |
111 | exit 0
112 |
113 |
114 |
--------------------------------------------------------------------------------
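The remediation script above downloads DEPNotify.pkg with curl and hands it straight to installer as root. The following added example (not part of the original repository) gates the install on the package's Developer ID signature matching a pinned Team ID; EXPECTED_TEAM_ID, the function names and the sample reports are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: verify an installer package's signature before installing it.
# EXPECTED_TEAM_ID is a hypothetical placeholder, not DEPNotify's real Team ID;
# pin the Team ID of the vendor you actually trust.
EXPECTED_TEAM_ID="ABCDE12345"

# Read `pkgutil --check-signature` output on stdin and print the Team ID of the
# leaf "Developer ID Installer" certificate. Prints nothing when there is none.
signing_team_id() {
    sed -n 's/^[[:space:]]*1\. Developer ID Installer: .*(\([A-Z0-9]\{10\}\))[[:space:]]*$/\1/p' | head -n 1
}

# Return 0 only when the report on stdin shows an Apple-issued developer
# certificate, a notarization ticket, and the pinned Team ID passed as $1.
# Assumption: the fleet's pkgutil reports notarization; drop that check if not.
signature_report_is_trusted() {
    expected="$1"
    report=$(cat)
    printf '%s\n' "$report" | grep -q 'Status: signed by a developer certificate issued by Apple' || return 1
    printf '%s\n' "$report" | grep -q 'Notarization: trusted by the Apple notary service' || return 1
    team=$(printf '%s\n' "$report" | signing_team_id)
    [ -n "$team" ] && [ "$team" = "$expected" ]
}

# Download into a private temp directory, verify, and only then install.
# Usage on a managed Mac: install_verified_pkg "<package URL>" "$EXPECTED_TEAM_ID"
install_verified_pkg() {
    url="$1"
    expected="$2"
    workdir=$(mktemp -d) || return 1
    pkg="$workdir/download.pkg"
    if curl -fsSL "$url" -o "$pkg" &&
       /usr/sbin/pkgutil --check-signature "$pkg" | signature_report_is_trusted "$expected"; then
        /usr/sbin/installer -pkg "$pkg" -target /
        rc=$?
    else
        echo "Refusing to install $url: download or signature check failed" >&2
        rc=1
    fi
    rm -rf "$workdir"
    return "$rc"
}

# Constructed sample reports, modelled on `pkgutil --check-signature` output.
sample_signed_report() {
    cat <<'EOF'
Package "DEPNotify.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Notarization: trusted by the Apple notary service
   Signed with a trusted timestamp on: 2021-01-01 00:00:00 +0000
   Certificate Chain:
    1. Developer ID Installer: Example Corp (ABCDE12345)
    2. Developer ID Certification Authority
    3. Apple Root CA
EOF
}

sample_unsigned_report() {
    cat <<'EOF'
Package "DEPNotify.pkg":
   Status: no signature
EOF
}
```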
/1196 - Remediating security events with Jamf Pro Jamf Protect and Jamf Connect/InfosecOnlyWallpaper/InfosecOnlyWallpaper.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sean-rabbitt/Jamf-2021-Sessions/a0a1d95dfb41c9464bd21a5d1ecb892a512d1e59/1196 - Remediating security events with Jamf Pro Jamf Protect and Jamf Connect/InfosecOnlyWallpaper/InfosecOnlyWallpaper.jpeg
--------------------------------------------------------------------------------
/1196 - Remediating security events with Jamf Pro Jamf Protect and Jamf Connect/Jamf Connect Password Change via Self Service Policy.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 |
3 | # Managed Password Change with DEPNotify and Jamf Connect
4 | #
5 | # April 13 2021 - Sean Rabbitt, Kelli Conlin, Catherine McKay
6 |
7 | # USE CASE: Your organization has a URL to change passwords. Could be the
8 | # password change on Azure, could be an Okta domain, could be a custom page
9 | # because you have a funky custom OIDC app tied to Shibboleth through
10 | # a nightmare of custom code.
11 | #
12 | # BUT, you want people to change the password on your domain and change the
13 | # password with Jamf Connect NOW and in a pretty way.
14 | #
15 | # HOW TO DEPLOY: Modify this script to add your CHANGEPASSWORDURL
16 | # below. Then, upload the script to Jamf Pro and create a policy that will:
17 | # * Install DEPNotify (version 1.1.7 or higher)
18 | # * Run the script AFTER DEPNotify has installed
19 | # * Make the policy available in Jamf Pro Self Service and scope to
20 | # all machines that have Jamf Connect and set Execution Frequency to
21 | # Ongoing.
22 | # * Capture the Policy URL found at the bottom of the Self Service tab in
23 | # the Jamf Pro policy payload
24 | # * Set the ChangePasswordURL key in com.jamf.connect to the Policy URL like:
25 |
26 | # IdPSettings
27 | #
28 | # ChangePasswordURL
29 | # jamfselfservice://content?entity=policy&id=42&action=execute
30 | #
31 |
32 | # * Change the user timeout below - set to 30 seconds to change the local
33 | # password to match the IDP password.
34 |
35 | # HOW IT WORKS: When a user selects "Change Password" from the Jamf Connect
36 | # menu bar app, the Self Service app opens and executes the policy to
37 | # change the password. Users are informed as to what is going to happen via
38 | # a full screen DEPNotify window. The URL is opened in a webkit view.
39 | # The user then closes the web view and Jamf Connect opens to authenticate the
40 | # user. Because the password doesn't match the local password, user will
41 | # be prompted to update the local password to match. If the user doesn't
42 | # change the local password by hitting cancel or other things they think is
43 | # cute, we'll do a network check every passwordTimeout seconds to pop the
44 | # Jamf Connect login up again.
45 |
46 | # MIT License
47 | #
48 | # Copyright (c) 2020 Jamf Software
49 |
50 | # Permission is hereby granted, free of charge, to any person obtaining a copy
51 | # of this software and associated documentation files (the "Software"), to deal
52 | # in the Software without restriction, including without limitation the rights
53 | # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
54 | # copies of the Software, and to permit persons to whom the Software is
55 | # furnished to do so, subject to the following conditions:
56 | #
57 | # The above copyright notice and this permission notice shall be included in all
58 | # copies or substantial portions of the Software.
59 | #
60 | # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
61 | # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
62 | # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
63 | # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
64 | # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
65 | # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
66 | # SOFTWARE.
67 |
68 |
69 | # PASSWORD CHANGE URL:
70 | # Here's some sample URLs for password changes with the most common IdPs
71 | #
72 | #CHANGEPASSWORDURL="https://sampledomain.okta.com/enduser/settings"
73 | #CHANGEPASSWORDURL="https://sampledomain.okta.com/signin/forgot-password"
74 | #CHANGEPASSWORDURL="https://myaccount.microsoft.com/?tenantId=your_domain_name"
75 | #CHANGEPASSWORDURL="https://domain.onelogin.com/profile2/password"
76 | #
77 | # Pick your URL and define CHANGEPASSWORDURL by uncommenting from above.
78 | CHANGEPASSWORDURL="https://jamfse.okta.com/enduser/settings"
79 |
80 | # PASSWORDTIMEOUT: User has this many seconds to change their local password
81 | # before Jamf Connect will do a Network Check again and force another login
82 | passwordTimeout=30
83 |
84 |
85 | #requires depnotify 1.1.7 or higher
86 | DEPNOTIFY_PATH="/Applications/Utilities/DEPNotify.app"
87 |
88 | # Get current logged in user's shortname
89 | loggedinUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }')
90 | echo "Logged in user is $loggedinUser"
91 |
92 | # Path to the preference with our current user's shortname
93 | jamfConnectStateLocation="/Users/$loggedinUser/Library/Preferences/com.jamf.connect.state.plist"
94 | echo "$jamfConnectStateLocation"
95 |
96 | # Read the preference key from the .plist with PlistBuddy. If no preference, LastSignIn will be "No record found"
97 | lastSignIn=$(/usr/libexec/PlistBuddy -c "Print :LastSignIn" "$jamfConnectStateLocation" || echo "No record found")
98 |
99 | #Set up our while loop in case a user gets cute on us.
100 | currentSignIn=$lastSignIn
101 |
102 | rm -f /var/tmp/depnotify.log
103 | rm -f /var/tmp/com.depnotify.webview.done
104 | rm -f /var/tmp/com.depnotify.provisioning.done
105 |
106 | # Open DEPNotify in full screen mode:
107 | sudo -u "$loggedinUser" open -a "$DEPNOTIFY_PATH" --args -fullScreen
108 |
109 | ### TEXT IN THIS AREA CAN BE CHANGED TO SUIT YOUR ORG NEEDS:
110 | echo "Command: Determinate: 3" >> /var/tmp/depnotify.log
111 | echo "Command: Image: /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/Sync.icns" >> /var/tmp/depnotify.log
112 | echo "Command: MainTitle: Change Password" >> /var/tmp/depnotify.log
113 | echo "Command: MainText: Our organization's password change website will now load. After you change your password, you will be prompted by your Mac to sign in and change your local password to match your new organizational password." >> /var/tmp/depnotify.log
114 | echo "Status: " >> /var/tmp/depnotify.log
115 | sleep 3
116 | echo "Command: SetWebViewURL: $CHANGEPASSWORDURL" >> /var/tmp/depnotify.log
117 | echo "Command: ContinueButtonWeb: Start Password Change" >> /var/tmp/depnotify.log
118 |
119 | # Hold the script until the webview is closed by the user.
120 | while [ ! -f "/var/tmp/com.depnotify.webview.done" ]; do
121 | echo "$(date "+%a %h %d %H:%M:%S"): Waiting for user to finish web."
122 | sleep 1
123 | done
124 |
125 | ### TEXT IN THIS AREA CAN BE CHANGED TO SUIT YOUR ORG NEEDS:
126 | echo "Command: Image: /Applications/Jamf Connect.app/Contents/Resources/AppIcon.icns" >> /var/tmp/depnotify.log
127 | echo "Command: MainTitle: Local Password Update" >> /var/tmp/depnotify.log
128 | echo "Command: MainText: Jamf Connect will now launch. You will be prompted to update your local password.\n\nIf you have any questions, contact the Security telephone number on the back of your employee badge." >> /var/tmp/depnotify.log
129 | echo "Status: " >> /var/tmp/depnotify.log
130 | echo "Command: ContinueButton: Change Local Password" >> /var/tmp/depnotify.log
131 |
132 | # Hold the script until the user clicks the continue button.
133 | while [ ! -f "/var/tmp/com.depnotify.provisioning.done" ]; do
134 | echo "$(date "+%a %h %d %H:%M:%S"): Waiting for user to close continue button."
135 | sleep 1
136 | done
137 |
138 | # Force a sign in. This will both check the password AND set the PasswordCurrent
139 | # flag to make sure the local password is in sync with the IdP.
140 | open jamfconnect://signin
141 |
142 | # Check to see if the password is currently in sync with the IDP
143 | passwordCurrent=$(/usr/libexec/PlistBuddy -c "Print :PasswordCurrent" "$jamfConnectStateLocation" || echo "No record found")
144 | echo "PasswordCurrent is set to $passwordCurrent"
145 | while [[ "$passwordCurrent" = FALSE || "$passwordCurrent" = false ]]; do # PlistBuddy prints booleans in lowercase
146 | echo "Sleeping for $passwordTimeout"
147 | sleep $passwordTimeout
148 | open jamfconnect://networkcheck
149 | passwordCurrent=$(/usr/libexec/PlistBuddy -c "Print :PasswordCurrent" "$jamfConnectStateLocation" || echo "No record found")
150 | echo "the password is not current: $passwordCurrent"
151 | # if you want to do something to trigger the script again after x number of attempts here
152 | # go for it
153 | done
154 |
155 |
156 | #Clean up after ourselves
157 | rm /var/tmp/com.depnotify.webview.done
158 | rm /var/tmp/com.depnotify.provisioning.done
159 |
160 | exit 0;
161 |
--------------------------------------------------------------------------------
/1196 - Remediating security events with Jamf Pro Jamf Protect and Jamf Connect/Jamf Helper_ High Level.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 |
3 | # Jamf Helper Script for Jamf Protect (High Threat Level)
4 |
5 | jamfHelper="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"
6 |
7 | #Header for Pop Up
8 | heading="IT Security Notification"
9 | #Description for Pop Up
10 | description="Your computer may be infected with malware. Your network connection has been disabled. Please power down your Mac and call your IT administrator immediately at 888-867-5309"
11 | #Button Text
12 | button1="Ok"
13 | #Path for Icon Displayed
14 | icon="/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/AlertStopIcon.icns"
15 |
16 | userChoice=$("$jamfHelper" -windowType utility -heading "$heading" -description "$description" -button1 "$button1" -icon "$icon")
17 |
18 | if [[ $userChoice == 0 ]]; then
19 | echo "user clicked $button1"
20 | exit 0
21 | fi
--------------------------------------------------------------------------------
/1196 - Remediating security events with Jamf Pro Jamf Protect and Jamf Connect/Jamf Protect_ Malware Clearing.txt:
--------------------------------------------------------------------------------
1 | #Zip Malware
2 | cd /Library/Application\ Support/JamfProtect/Quarantine/* && zip -r -X "../Malware-$(date +%Y_%m_%d-%H_%M_%S).zip" *
3 |
4 | #Move Malware
5 | cd /Library/Application\ Support/JamfProtect/Quarantine/ && mv Malware*.zip /Users/Shared
6 |
7 | #Remove the Malware
8 | rm -R /Library/Application\ Support/JamfProtect/Quarantine/*
--------------------------------------------------------------------------------
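The zip, move and remove steps in DEPNotify Remediation Script.sh and in Jamf Protect_ Malware Clearing.txt, rewritten to fail closed, as an added example that is not part of the original repository. It deletes quarantined files only after an archive has been written and verified, keeps the archive readable by its owner only, and records a SHA-256 for it. It assumes tar instead of zip and a caller-supplied evidence directory instead of /Users/Shared; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original repository.

# Print the SHA-256 of a file using whichever tool the host provides.
sha256_of() {
    if command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{ print $1 }'
    else
        sha256sum "$1" | awk '{ print $1 }'
    fi
}

# archive_quarantine QUARANTINE_DIR EVIDENCE_DIR
# Prints the archive path on success. The body runs in a subshell so the
# caller's umask and working directory are left untouched.
archive_quarantine() (
    qdir="$1"
    evidence="$2"

    # Fail closed: never archive or delete relative to an unexpected directory.
    [ -d "$qdir" ] || { echo "no quarantine directory: $qdir" >&2; exit 2; }
    [ -n "$(ls -A "$qdir")" ] || { echo "quarantine is empty: $qdir" >&2; exit 2; }

    # Samples are live malware: keep the archive readable by its owner only.
    umask 077
    mkdir -p "$evidence" || exit 1
    chmod 700 "$evidence" || exit 1

    # Same timestamp format as the original script.
    stamp=$(date +%Y_%m_%d-%H_%M_%S)
    archive="$evidence/Malware-$stamp.tar.gz"

    # Archive by explicit path (-C) instead of cd plus a shell glob.
    tar -czf "$archive" -C "$qdir" . || exit 1

    # Confirm the archive can be read back before anything is deleted.
    tar -tzf "$archive" >/dev/null || exit 1

    # Record a hash so the artifact can be matched after it leaves the host.
    sha256_of "$archive" > "$archive.sha256" || exit 1

    # Only now clear the quarantine folder, keeping the folder itself.
    find "$qdir" -mindepth 1 -maxdepth 1 -exec rm -rf {} + || exit 1

    printf '%s\n' "$archive"
)
```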
/1196 - Remediating security events with Jamf Pro Jamf Protect and Jamf Connect/ProtectRemediationNotification.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 |
3 | # DEP Notify for Jamf Protect
4 |
5 | if [ -f "/Applications/Utilities/DEPNotify.app/Contents/MacOS/DEPNotify" ]; then
6 | /Applications/Utilities/DEPNotify.app/Contents/MacOS/DEPNotify -fullScreen &
7 | else
8 | exit 1;
9 | fi
10 |
11 | echo "Command: Image: /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/AlertStopIcon.icns" >> /var/tmp/depnotify.log
12 | echo "Command: MainTitle: Jamf Protect Remediation" >> /var/tmp/depnotify.log
13 | echo "Command: MainText: Malicious activity on this computer has been detected by Jamf Protect.\nIf this screen appears for longer than 30 seconds, call the IT Department on the back of your badge to create a help desk ticket.\n \nControl will return when the malicious software has been isolated." >> /var/tmp/depnotify.log
14 | echo "Status: Isolating malicious software..." >> /var/tmp/depnotify.log
15 | echo "Command: Determinate: 2" >> /var/tmp/depnotify.log
16 |
17 | # Here's where you would put your Jamf policy command
18 | # /usr/local/bin/jamf policy -event kelliRocks
19 | sleep 2
20 |
21 | echo "Status: The malicious software has been isolated." >> /var/tmp/depnotify.log
22 | echo "Command: DeterminateManualStep" >> /var/tmp/depnotify.log
23 | sleep 2 # Optional sleeps...
24 |
25 | echo "Command: MainTitle: Remediation Complete" >> /var/tmp/depnotify.log
26 | echo "Command: Image: /Library/Application Support/JamfProtect/JamfProtect.app/Contents/Resources/AppIcon.icns" >> /var/tmp/depnotify.log
27 | echo "Command: MainText: The malicious software has been isolated. Reboot is recommended.\n \nSave your work and reboot your computer.\n\nPhishing attempts are the biggest risk to organization data. If you receive any unusual emails or phone calls asking for access to your user name, password, requests to install software, or start screen sharing to your computer, contact the IT Security Department by calling the number on the back of your badge. \nHave your Employee ID ready when you call." >> /var/tmp/depnotify.log
28 | echo "Command: DeterminateManualStep" >> /var/tmp/depnotify.log
29 | echo "Status: " >> /var/tmp/depnotify.log
30 | echo "Command: ContinueButton: Continue" >> /var/tmp/depnotify.log
31 |
32 | # Alternative Command to force a restart:
33 | #echo "Command: ContinueButtonRestart: Restart" >> /var/tmp/depnotify.log
34 |
35 | rm /var/tmp/depnotify.log
36 | rm /var/tmp/com.depnotify.provisioning.done
37 | # If forcing a restart
38 | #rm /var/tmp/com.depnotify.provisioning.restart
--------------------------------------------------------------------------------
/1196 - Remediating security events with Jamf Pro Jamf Protect and Jamf Connect/SSH Detection Notification for Protect.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | #Check for SSH Activity
3 | sshcheck=$(lsof -i | grep ssh)
4 | echo "$sshcheck"
5 | if [ -z "$sshcheck" ] ; then
6 | echo "No Active SSH Activity"
7 | else
8 | jamfHelper="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"
9 | #Header for Pop Up
10 | heading="IT Security Notification"
11 | #Description for Pop Up
12 | description="There is unusual activity happening on your device. Have you authorized SSH communication recently?"
13 | #Button Text
14 | button1="Yes"
15 | button2="No"
16 | #Path for Icon Displayed
17 | icon="/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/AlertStopIcon.icns"
18 | userChoice=$("$jamfHelper" -windowType utility -heading "$heading" -description "$description" -button1 "$button1" -button2 "$button2" -icon "$icon")
19 | if [[ $userChoice == 0 ]]; then
20 | echo "No Suspicious SSH"
21 | else
22 | echo "Unwanted SSH"
23 | fi
24 | fi
--------------------------------------------------------------------------------
/1196 - Remediating security events with Jamf Pro Jamf Protect and Jamf Connect/remediate_password_with_connect_and_protect.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 |
3 | #requires depnotify 1.1.7 or higher
4 |
5 | DEPNOTIFY_PATH="/Applications/Utilities/DEPNotify.app"
6 | CHANGEPASSWORDURL="https://www.jamf.com"
7 |
8 | # Get current logged in user's shortname
9 | loggedinUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }')
10 | echo "Logged in user is $loggedinUser"
11 |
12 | # Path to the preference with our current user's shortname
13 | jamfConnectStateLocation="/Users/$loggedinUser/Library/Preferences/com.jamf.connect.state.plist"
14 | echo "$jamfConnectStateLocation"
15 |
16 | # Read the preference key from the .plist with PlistBuddy. If no preference, LastSignIn will be "No record found"
17 | lastSignIn=$(/usr/libexec/PlistBuddy -c "Print :LastSignIn" "$jamfConnectStateLocation" || echo "No record found")
18 |
19 | #Set up our while loop in case a user gets cute on us.
20 | currentSignIn=$lastSignIn
21 |
22 | rm -f /var/tmp/depnotify.log
23 | rm -f /var/tmp/com.depnotify.webview.done
24 | rm -f /var/tmp/com.depnotify.registration.done
25 |
26 | sudo -u "$loggedinUser" open -a "$DEPNOTIFY_PATH" --args -fullScreen
27 |
28 | echo "Command: DeterminateOff:" >> /var/tmp/depnotify.log
29 | echo "Command: Image: /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/AlertStopIcon.icns" >> /var/tmp/depnotify.log
30 | echo "Command: MainTitle: Jamf Protect and \nJamf Connect Password Remediation" >> /var/tmp/depnotify.log
31 | echo "Command: MainText: You must change your organizational password. Change your password, and you will be prompted to update your local password on this Mac.\n\nIf you have any questions, contact the Security telephone number on the back of your employee badge." >> /var/tmp/depnotify.log
32 | echo "Status: " >> /var/tmp/depnotify.log
33 | sleep 2
34 | echo "Command: SetWebViewURL: $CHANGEPASSWORDURL" >> /var/tmp/depnotify.log
35 | echo "Command: ContinueButtonWeb: Launch Password Change" >> /var/tmp/depnotify.log
36 |
37 | while [ ! -f "/var/tmp/com.depnotify.webview.done" ]; do
38 | echo "$(date "+%a %h %d %H:%M:%S"): Waiting for user to finish web."
39 | sleep 1
40 | done
41 |
42 | echo "Command: Image: /Applications/Jamf Connect.app/Contents/Resources/AppIcon.icns" >> /var/tmp/depnotify.log
43 | echo "Command: MainTitle: Local Password Update" >> /var/tmp/depnotify.log
44 | echo "Command: MainText: Jamf Connect will now launch. You will be prompted to update your local password.\n\nIf you have any questions, contact the Security telephone number on the back of your employee badge." >> /var/tmp/depnotify.log
45 | echo "Status: " >> /var/tmp/depnotify.log
46 | echo "Command: ContinueButton: Change Local Password" >> /var/tmp/depnotify.log
47 |
48 | open jamfconnect://signin
49 |
50 | currentSignIn=$(/usr/libexec/PlistBuddy -c "Print :LastSignIn" "$jamfConnectStateLocation" || echo "No record found")
51 | while [[ "$currentSignIn" == "$lastSignIn" ]]; do
52 | echo "Sleeping for 30"
53 | sleep 30
54 | open jamfconnect://networkcheck
55 | currentSignIn=$(/usr/libexec/PlistBuddy -c "Print :LastSignIn" "$jamfConnectStateLocation" || echo "No record found")
56 | echo "$currentSignIn and last was $lastSignIn"
57 | # if you want to do something to trigger the script again after x number of attempts here
58 | # go for it
59 | done
60 |
61 |
62 | #Clean up after ourselves
63 | rm -f /var/tmp/com.depnotify.webview.done
64 | rm -f /var/tmp/com.depnotify.registration.done
65 |
66 | #and here is where you put the code to erase the Jamf Protect directory to drop the device out of the
67 | #smart computer group
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2021 Sean Rabbitt
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Jamf-2021-Sessions
2 | Contains the session notes, keynote slides, errata, and any sample code referenced in this year's Jamf Nation User Conference sessions.
3 |
--------------------------------------------------------------------------------