Tip for testing the new Jamf Pro 10.3 enrollment workflow

As you've probably seen from the release notes of Jamf Pro 10.3, the enrollment style has changed for Macs on 10.13.0+ to prompt to install profiles rather than install the QuickAdd (which then installed the profile). This way the MDM profile is user-approved, because the user has to accept the installation themselves prior to the rest of the enrollment happening.

This is a Good Thing(tm).

What's worth noting for those of us that test on VMs, however, is that if you just set up a vanilla VM (with VMware Fusion, Parallels, VirtualBox, or your virtual tool of choice, whatever it is) is that a device without a recognized Apple hardware model ID is going to be treated as a generic "Mobile Device" and not be recognized as a Mac. It'll do a big ol' "wft mate" during enrollment and cause some weirdness. And as a result, the profiles won't install correctly.

If you use VMs to test, my recommendation is to use AutoDMG+vfuse to build it. This is comparable to this post by Ross D about testing DEP with VMs. Really the concept is the same. Fortunately if you're just evaluating user-approved MDM enrollment (not specifically DEP enrollment) for this change in Jamf Pro 10.3 the s/n can be random (though can't include special characters!), but a model ID must be defined.

Using vfuse to build the VM will look something like this:
/path/to/vfuse -i /path/to/osx_custom_autodmg.apfs.dmg -o /path/to/save/location/  -s random --hw-model "iMacPro1,1" -n "macOS 10.13.3 mdm tester"

--hw-model can be whatever, as long as it's a real Apple model ID. A list of currently-shipping model IDs can be found here. I would also strongly recommend using vfuse to define a random serial number rather than letting VMware (for this example at least), because vfuse's -s random will make sure special characters are not used. Special characters can wreak havoc on MDM management as well.

TBH it's probably something we should all do anyway, to ensure consistent testing with VMs. Or use an actual physical machine to test. But VMs are faster. ymmv. Good night and good luck.

ETA: for the Parallels crew, check out this post on Jamf Nation.

Reusable script for updating EA values in Jamf Pro with the API

Not all extension attributes (EAs) are created equally. Sometimes you want to snag information off of a client Mac, and for that a small script to grab the info and report it up to the Jamf Pro Server is great. Other times you just need to set a simple value for a Mac on demand for reporting purposes. One of the handiest ways to set info ad hoc is with a pop-up menu extension attribute.

So let's say the help desk staff notices that some Macs that come by are really smelly. You can't really write a script to pull smell status off of a Mac. (Maybe you can?) So you make a pop-up menu EA for techs to mark if a Mac smells on the computer record in Jamf Pro.

See if your Jamf-managed Macs have installed today's #iamroot fix

So… the last 24 hours have been pretty fun, right? You may have heard about some shenanigans involving blank passwords and the root account yesterday; Apple certainly did. And they fixed it today with an update available only to 10.13.1 High Sierra machines. If you manage your Macs with Jamf and want a quick smart group to see who has installed it, whip one up that looks for the receipt for the update. It's pretty easy.

That receipt name is com.apple.pkg.update.os.10.13.1Supplemental.17B1002.

Naturally this smart group won't be all that accurate until you give machines time to update inventory. If you're not super concerned with bandwidth you can find your inventory update policy and flush all logs so the next time a machines checks in it will run a fresh recon.

Worth noting, there are other ways to do this too. This is one quick way to build your smart group.


On November 30th, Apple pushed out a second security update to fix some issues their other security update caused. The macOS team at Apple is having a fun week I'm sure. This secondary update is being pushed automatically to 10.13 and 10.13.1 machines, and the receipt for the installer is com.apple.pkg.update.os.10.13.1Supplemental.17B1003. I'm not sure if there is a different installer for 10.13.0 so I'm unable to check for a receipt name for that. If someone knows if the update for 10.13 has a different receipt let me know in the comments and I can update this post.

Your smart group will want to be modified to include this second update as well.

I have yet to see a 10.13.0 machine install the update so I'm not sure if their updater has a different receipt, nor am I sure what OS build number a 10.13.0 machine will have after installing it. Feel free to comment below if you have that information.

Update 2: 

It's being reported on Jamf Nation that the package receipt for 10.13.0 machines is com.apple.pkg.update.os.10.13Supplemental.17A501, which implies the build number after the installation is 17A501.

Introducing the Awesome Macadmins Tools List

I don't know about you, but I love a good screensaver. The best macOS screensaver list out there is the Awesome macOS Screensavers list, which was inspired by the Awesome List. This in turn inspired me; I have given a few small talks about Mac admin tools that folks should know at meetups, and others have as well. Why not have our own Awesome List?

So the Awesome Macadmins Tools list was born.

The idea was to focus on some of the core focuses/responsibilities of being a Mac admin and list out some of the awesome tools out there to get the job done. This is also a great opportunity for folks that haven't contributed to GitHub projects before to try out pull requests and forks to add new content, help me fix typos and other issues (it happens y'all), and perfect making great screenshots for documentation purposes.

If you'd like to contribute, check out the contribution guide.

Share it far and wide, and submit some PRs if there are tools to add.

AutoPkgr for Dummies 2: Trust your recipes

So you've set up AutoPkgr. Good job! But now you're like "why do I keep getting these FAIL_RECIPES_WITHOUT_TRUST_INFO errors"? Something I didn't cover in my previous guide is the introduction of verifying and trusting recipes in autopkg 1.x (because that didn't exist at the time). From the introduction to this feature:
AutoPkg encourages the use of recipes created and shared by others. You can leverage the hard work done by other admins without having to re-invent the wheel yourself. You can add "repos" of other people's recipes using the autopkg repo-add command.

But there is an element of risk in using other people's recipes -- a bad actor could create a malicious recipe, or a well-meaning admin could introduce an error into a recipe that causes unexpected issues.

You should audit any third-party recipes you use, especially if you do not know the recipe creator/maintainer. This means becoming familiar enough with AutoPkg recipes to be able to read and understand them.
By default, AutoPkg (and by extension, AutoPkgr) will stop runs for recipes without trust info set. To set trust info, you need to create a recipe override and store that trust info in your override. The override recipes should then be the recipes you run on a schedule with AutoPkgr. Here's a quick overview on how that works.

Fave Friday

Quiet night at home club from Threadless

Getting Warmer cowl by Espace Tricot on Ravelry

Flower Mr. Saturn by SaradaBoru on RedBubble

Gremlins tank from H&M

Love Me More layered tulle skirt and A Fan of Bowknot crop top from Chicwish

Have a great weekend!

Branding Self Service 10

If you live under a rock you may not have heard that Jamf released Jamf Pro 10 this week. It is a giant overhaul of the user interface of the web interface and Self Service, so you can basically chuck all of my old branding the JSS/Self Service stuff in the bin. Phew.

The new dashboard and UI for Jamf Pro 10.
Self Service 10

The dashboard is way more visually appealing now, and the use of space of the tiles on the dashboard flows much better than the version 9 JSS. It's a huge change, as you can probably tell by looking at the above. So is Self Service, and something you may have noticed in the stock imagery above is the icon and name within the application are for a company, not just the default Jamf Self Service icon. This is because Jamf has built in branding the application into the Jamf Pro server. No need to download and hack and upload and deploy manually with every update. Hooray!

In Jamf Pro 10, all you need to do is head to Settings > Computer Management > Self Service, and you'll see a page with Configuration and Branding settings. The very first option is to change the name of the application. If you do this, it will automatically deploy (assuming you have auto-install turned on) the Self Service app with the name of your choice.