https://nwstrauss.com/ Recent content on Nathaniel Strauss Hugo -- gohugo.io en-us Wed, 19 Jun 2024 14:30:00 -0600 https://nwstrauss.com/posts/2024-06-19-autopkg-processor-security/ Wed, 19 Jun 2024 14:30:00 -0600 https://nwstrauss.com/posts/2024-06-19-autopkg-processor-security/ This post explores how custom AutoPkg processors are potentially vulnerable when used as pre/post-processors. While one of AutoPkg’s main advantages is its secure by default design, there is a gap when dealing with custom processors used as command line arguments. https://nwstrauss.com/posts/2024-05-20-totalvirus-reporter/ Tue, 21 May 2024 07:55:00 -0600 https://nwstrauss.com/posts/2024-05-20-totalvirus-reporter/ Today I’m introducing VirusTotalReporter, an AutoPkg processor designed to return file report information from VirusTotal. Heavily inspired by the well loved and widely used VirusTotalAnalyzer by Hannes Juutilainen, VirusTotalReporter’s goal is to provide as much detection data as possible to make informed decisions within AutoPkg recipes and workflows. https://nwstrauss.com/posts/2023-05-18-seedutil-beta-programs/ Thu, 18 May 2023 08:00:00 -0600 https://nwstrauss.com/posts/2023-05-18-seedutil-beta-programs/ Starting in macOS 13.4, there is no longer a way for Mac admins to programmatically manage beta program enrollments. During the 13.4 beta cycle it was announced seedutil is deprecated, to be removed entirely in a future release, and the only path forward to enroll in beta programs being Apple IDs. https://nwstrauss.com/posts/2023-01-12-safer-secrets-autopkg-ci/ Fri, 13 Jan 2023 10:00:00 -0600 https://nwstrauss.com/posts/2023-01-12-safer-secrets-autopkg-ci/ In the past, when working with static Mac hardware, I would add secrets to recipe overrides and keep them only locally on the Mac used to run AutoPkg. While still mostly insecure, at least those secrets weren’t also available in a code repo, and less prone to being compromised. With ephemeral CI runs though, this isn’t possible. A secret store which can be referenced at runtime, outside of the repo becomes necessary. Thankfully my colleagues at Gusto had encountered this before and already had a solution to avoid committing plain text secrets. https://nwstrauss.com/posts/2021-02-25-easy-sysdiagnose/ Thu, 25 Feb 2021 18:06:56 -0600 https://nwstrauss.com/posts/2021-02-25-easy-sysdiagnose/ Troubleshooting technology issues this past year has been especially challenging due to the distance coronavirus has forced upon us. Getting good data to help our users has been more difficult when it’s not possible to be in front of their computer. Mac admins who have worked with Apple support or filed feedback know the very first data point usually requested is a sysdiagnose. No logs, no help. A sysdiagnose contains a voluminous amount of log files which can help pinpoint exactly what’s gone wrong with a Mac. https://nwstrauss.com/posts/2021-02-15-managed-airdrop/ Mon, 15 Feb 2021 18:06:56 -0600 https://nwstrauss.com/posts/2021-02-15-managed-airdrop/ I’m going to try something different for this post. Instead of solving a technical problem or analzying an element of Apple device management, I’m going to propose a new feature. This particular feature has been on my mind since 2018 when I first opened an Apple enterprise support case asking product engineering to consider it for their future roadmap. Of course that’s mostly wishful thinking. What I want is not what everyone wants. Even years later though, I can’t shake the feeling this would help in a variety of scenarios. What I’m proposing is a managed AirDrop feature, and I hope after reading through why you’ll file feedback too. https://nwstrauss.com/posts/2021-01-28-managing-authorizationdb/ Thu, 28 Jan 2021 14:06:56 -0600 https://nwstrauss.com/posts/2021-01-28-managing-authorizationdb/ Authorization rights on macOS determine are a core part of the security model which determine who can and can’t access specific functions. For example, system.preferences.datetime determines authentication required to modify Date & Time settings under System Preferences. A curious power user could cause a lot of harm changing authorization rights, and for the most should be left well alone. However, modifying authorization rights is particularly useful in granting standard users access to areas only admins can go by default. https://nwstrauss.com/posts/2021-01-19-activation-lock-notes/ Tue, 19 Jan 2021 14:06:56 -0600 https://nwstrauss.com/posts/2021-01-19-activation-lock-notes/ Apple silicon has made Mac exciting again. Exiting for consumers who can run most everyday tasks at near ludicrous speed. Exciting for IT admins as the rules for managing this new era of Mac shift around them. There’s a new normal, and what worked with Intel Macs might not work on Apple silicon. In this post we’ll look at Activation Lock. The good, the bad, and what’s actually true. https://nwstrauss.com/posts/2021-01-13-malwarebytes-pppc/ Tue, 12 Jan 2021 14:06:56 -0600 https://nwstrauss.com/posts/2021-01-13-malwarebytes-pppc/ Malwarebytes has required full disk access on macOS Catalina and later since at least March 2020, but I only noticed recently as I was testing for Big Sur compatibility. https://nwstrauss.com/posts/2021-01-10-rebuildkernelcache/ Sun, 10 Jan 2021 14:06:56 -0600 https://nwstrauss.com/posts/2021-01-10-rebuildkernelcache/ This post mainly exists to shamelessly promote my Jamf feature request to add support for RebuildKernelCache. Before jumping into the details, go upvote that feature request. You can always go backtrack later to downvote me if by the end you decide it’s not worth the support. https://nwstrauss.com/posts/2021-01-06-bigsur-userswitching/ Wed, 06 Jan 2021 14:06:56 -0600 https://nwstrauss.com/posts/2021-01-06-bigsur-userswitching/ While some organizations went full steam ahead with Big Sur, in K12 education land we’re usually a few months behind. While testing our Big Sur deployment I found managing fast user switching using MultipleSessionEnabled in a GlobalPreferences profile payload is broken. https://nwstrauss.com/posts/2020-12-30-big-sur-chonky/ Thu, 31 Dec 2020 14:06:56 -0600 https://nwstrauss.com/posts/2020-12-30-big-sur-chonky/ Like many of us during the pandemic, Big Sur has gotten a bit chonky. Not including the over 12 GB installer, it takes 35 GB to upgrade from a previous OS to Big Sur. https://nwstrauss.com/posts/2020-12-17-apple-silicon-lock-command/ Wed, 16 Dec 2020 16:06:56 -0600 https://nwstrauss.com/posts/2020-12-17-apple-silicon-lock-command/ Consider filing feedback after reading this post! Voice your opinion by referencing AppleCare enterprise case 101264025284. Talk with your Apple SE, account manager, or vendor. DeviceLockCommand As Apple silicon documentation slowly trickles in, the Apple admin community learns more about changes impacting MDM and other functions intended for enterprise. https://nwstrauss.com/posts/2020-12-05-native-logout-dialog-pyobjc/ Tue, 15 Dec 2020 16:06:56 -0600 https://nwstrauss.com/posts/2020-12-05-native-logout-dialog-pyobjc/ Recently I wanted to find a friendly way to prompt for logout or restart using the dialog prompts people were already used to. As part of a workflow users had to restart, but the only solutions I found to programmatically accomplish this were to force something like… https://nwstrauss.com/posts/2020-12-04-chrome-signin-bypass/ Mon, 14 Dec 2020 17:01:58 -0600 https://nwstrauss.com/posts/2020-12-04-chrome-signin-bypass/ Bypass force sign in for fun and profit! Managing Google Chrome can be a bear sometimes. With dozens of policies to comb through for any given need, it’s a platform unto itself. https://nwstrauss.com/posts/2020-11-28-download-apple-silicon-mac-ipsws/ Sat, 28 Nov 2020 22:28:57 -0500 https://nwstrauss.com/posts/2020-11-28-download-apple-silicon-mac-ipsws/ Admins who have worked with non-Mac Apple devices for a long time are already familiar with IPSW (iPod software) files. IPSWs are the OS installers for iOS, iPadOS, tvOS, and other variations in the iDevice family. https://nwstrauss.com/posts/2020-11-05-deploying-relay-with-jamf-pro/ Thu, 05 Nov 2020 22:28:57 -0500 https://nwstrauss.com/posts/2020-11-05-deploying-relay-with-jamf-pro/ One of the most common questions on the MacAdmins Slack #lightspeed channel is, “How do I install the Relay smart agent on Macs?” Lightspeed provides a little guidance and a decent overview, and that works most of the time, except when it doesn’t. https://nwstrauss.com/posts/2020-08-19-big-sur-beta-fail/ Wed, 19 Aug 2020 22:28:57 -0500 https://nwstrauss.com/posts/2020-08-19-big-sur-beta-fail/ Two months into the beta cycle, Big Sur is still not education ready. Today marks the release of beta 5 and Apple has not implemented a way for standard users to enable screen recording. https://nwstrauss.com/posts/2020-08-11-mitigating-mac-enrollment-failures/ Tue, 11 Aug 2020 22:28:57 -0500 https://nwstrauss.com/posts/2020-08-11-mitigating-mac-enrollment-failures/ While working to enroll 1,000+ Macs to prep for the start of school, we found a large number were failing to get an enrollment configuration during Setup Assistant. There were three distinct ways the process failed. https://nwstrauss.com/posts/2019-05-27-allow_local_only/ Mon, 27 May 2019 22:28:57 -0500 https://nwstrauss.com/posts/2019-05-27-allow_local_only/ There are times when you may want to only allow local account logins, but also bind to a directory service like AD. Though mobile accounts are a thing of the past and should be avoided, binding in your environment could still have a place. https://nwstrauss.com/archives/ Tue, 28 May 2019 00:00:00 +0000 https://nwstrauss.com/archives/ https://nwstrauss.com/posts/2019-05-13-nolo-jamfpro-ea/ Mon, 13 May 2019 12:40:49 -0500 https://nwstrauss.com/posts/2019-05-13-nolo-jamfpro-ea/ My previous posts about NoMAD Login + Jamf Pro deployment workflows assumed that once a local account is provisioned NoMAD Login will be uninstalled. From then on out users would use the stock macOS login window they’re used to. https://nwstrauss.com/posts/2019-05-11-jamf_cat_report/ Sat, 11 May 2019 17:40:43 -0500 https://nwstrauss.com/posts/2019-05-11-jamf_cat_report/ jamf_cat_report.py is a Python tool to output Jamf Pro mobile device app catalog info in a nicely formatted CSV. Here’s an example CSV of the type of data you’ll get. https://nwstrauss.com/posts/2018-10-01-nomad-nolo-keychainadd/ Mon, 01 Oct 2018 12:30:00 -0500 https://nwstrauss.com/posts/2018-10-01-nomad-nolo-keychainadd/ Integrating with NoMAD has been one of the most requested features since NoMAD Login was first released. More specifically, the ability to securely pass a user’s credentials so that user is automatically signed into NoMAD. https://nwstrauss.com/posts/2018-09-29-using-authchanger-nolo/ Sat, 29 Sep 2018 20:06:55 -0500 https://nwstrauss.com/posts/2018-09-29-using-authchanger-nolo/ NoMAD Login offers up two flavors of installer package - NoMADLogin.pkg and NoMADLogin-authchanger.pkg. This post aims to explain what authchanger does, differences between those two packages, and how to deploy NoMAD Login using authchanger. https://nwstrauss.com/posts/2018-05-22-nomlad-login-jamf-dep-workflows/ Tue, 22 May 2018 20:06:55 -0500 https://nwstrauss.com/posts/2018-05-22-nomlad-login-jamf-dep-workflows/ NoMAD Login is a login window replacement for macOS that allows you to authenticate to Active Directory to create a local account mirroring AD credentials. It’s often used in conjunction with NoMAD as a way to access AD features without requiring an actual bind. https://nwstrauss.com/about/ Mon, 01 Jan 0001 00:00:00 +0000 https://nwstrauss.com/about/ I’m a client platform engineer doing IT related things. This blog is primarily geared towards Apple device management. I hope sometimes the things I write are useful to you. Social Media Twitter LinkedIn GitHub @nstrauss on MacAdmins Slack.