Fall, spring, and testing VMs

This post is just a quick follow-up to the panel I co-presented this past JNUC called "Fall, spring, and everything in between." During that talk I very quickly went through the process of using tools like installinstallmacos.py, AutoDMG, and vfuse to build VMs for MDM and DEP testing purposes. Time was limited so I skipped a few details that people had questions about afterwards, so I thought I'd break some of that down below.

A look back at a busy year

Today is my one year anniversary at The Home Depot (come work with me!), so this seemed like a good opportunity to reflect on the past year (and change) and what's been going on for me and my family in what has been an incredibly busy year.

Help other Mac admins find your scripts on GitHub with Topics

So you've made some scripts for managing your Macs and you threw them on Github. Awesome! But Github is huge and filled with lots of code and content, so how can you help people find your scripts?

Try tagging your repos with Topics.

Topics are a way to help categorize your code repositories on Github to make them more easily discoverable by others. All you need to do is click on Manage topics under your repo description and start typing. Github will have some recommendations for you, and as you start typing other options will populate that you can select from. Once you have topics on your repo, anyone that clicks on that topic on any repo on Github will be presented with a list of repos that are categorized with that topic.

Keep the topics short and to the point, and include the name of the management framework you're working with if applicable. This will go a long way in helping others find the code you put the time and effort into sharing with the world.

Sharing is caring. ❤️

Tip for testing the new Jamf Pro 10.3 enrollment workflow

As you've probably seen from the release notes of Jamf Pro 10.3, the enrollment style has changed for Macs on 10.13.0+ to prompt to install profiles rather than install the QuickAdd (which then installed the profile). This way the MDM profile is user-approved, because the user has to accept the installation themselves prior to the rest of the enrollment happening.

This is a Good Thing(tm).

What's worth noting for those of us that test on VMs, however, is that if you just set up a vanilla VM (with VMware Fusion, Parallels, VirtualBox, or your virtual tool of choice, whatever it is) is that a device without a recognized Apple hardware model ID is going to be treated as a generic "Mobile Device" and not be recognized as a Mac. It'll do a big ol' "wft mate" during enrollment and cause some weirdness. And as a result, the profiles won't install correctly.

If you use VMs to test, my recommendation is to use AutoDMG+vfuse to build it. This is comparable to this post by Ross D about testing DEP with VMs. Really the concept is the same. Fortunately if you're just evaluating user-approved MDM enrollment (not specifically DEP enrollment) for this change in Jamf Pro 10.3 the s/n can be random (though can't include special characters!), but a model ID must be defined.

Using vfuse to build the VM will look something like this:
/path/to/vfuse -i /path/to/osx_custom_autodmg.apfs.dmg -o /path/to/save/location/  -s random --hw-model "iMacPro1,1" -n "macOS 10.13.3 mdm tester"

--hw-model can be whatever, as long as it's a real Apple model ID. A list of currently-shipping model IDs can be found here. I would also strongly recommend using vfuse to define a random serial number rather than letting VMware (for this example at least), because vfuse's -s random will make sure special characters are not used. Special characters can wreak havoc on MDM management as well.

TBH it's probably something we should all do anyway, to ensure consistent testing with VMs. Or use an actual physical machine to test. But VMs are faster. ymmv. Good night and good luck.

ETA: for the Parallels crew, check out this post on Jamf Nation.

Reusable script for updating EA values in Jamf Pro with the API

Not all extension attributes (EAs) are created equally. Sometimes you want to snag information off of a client Mac, and for that a small script to grab the info and report it up to the Jamf Pro Server is great. Other times you just need to set a simple value for a Mac on demand for reporting purposes. One of the handiest ways to set info ad hoc is with a pop-up menu extension attribute.

So let's say the help desk staff notices that some Macs that come by are really smelly. You can't really write a script to pull smell status off of a Mac. (Maybe you can?) So you make a pop-up menu EA for techs to mark if a Mac smells on the computer record in Jamf Pro.

See if your Jamf-managed Macs have installed today's #iamroot fix

So… the last 24 hours have been pretty fun, right? You may have heard about some shenanigans involving blank passwords and the root account yesterday; Apple certainly did. And they fixed it today with an update available only to 10.13.1 High Sierra machines. If you manage your Macs with Jamf and want a quick smart group to see who has installed it, whip one up that looks for the receipt for the update. It's pretty easy.

That receipt name is com.apple.pkg.update.os.10.13.1Supplemental.17B1002.

Naturally this smart group won't be all that accurate until you give machines time to update inventory. If you're not super concerned with bandwidth you can find your inventory update policy and flush all logs so the next time a machines checks in it will run a fresh recon.

Worth noting, there are other ways to do this too. This is one quick way to build your smart group.


On November 30th, Apple pushed out a second security update to fix some issues their other security update caused. The macOS team at Apple is having a fun week I'm sure. This secondary update is being pushed automatically to 10.13 and 10.13.1 machines, and the receipt for the installer is com.apple.pkg.update.os.10.13.1Supplemental.17B1003. I'm not sure if there is a different installer for 10.13.0 so I'm unable to check for a receipt name for that. If someone knows if the update for 10.13 has a different receipt let me know in the comments and I can update this post.

Your smart group will want to be modified to include this second update as well.

I have yet to see a 10.13.0 machine install the update so I'm not sure if their updater has a different receipt, nor am I sure what OS build number a 10.13.0 machine will have after installing it. Feel free to comment below if you have that information.

Update 2: 

It's being reported on Jamf Nation that the package receipt for 10.13.0 machines is com.apple.pkg.update.os.10.13Supplemental.17A501, which implies the build number after the installation is 17A501.

Introducing the Awesome Macadmins Tools List

I don't know about you, but I love a good screensaver. The best macOS screensaver list out there is the Awesome macOS Screensavers list, which was inspired by the Awesome List. This in turn inspired me; I have given a few small talks about Mac admin tools that folks should know at meetups, and others have as well. Why not have our own Awesome List?

So the Awesome Macadmins Tools list was born.

The idea was to focus on some of the core focuses/responsibilities of being a Mac admin and list out some of the awesome tools out there to get the job done. This is also a great opportunity for folks that haven't contributed to GitHub projects before to try out pull requests and forks to add new content, help me fix typos and other issues (it happens y'all), and perfect making great screenshots for documentation purposes.

If you'd like to contribute, check out the contribution guide.

Share it far and wide, and submit some PRs if there are tools to add.