Dealing with Our Jamf Pro’s Awkward Teenage Years

Earlier this year I decided I wanted to upgrade our DEP Enrolment workflow, which involved quite a lot of work on the JSS. As I set to work, I found Jamf Pro painfully slow to deal with, and slight changes would result in Macs not enrolling correctly. After much Googling and many tickets to the very patient and helpful support staff at Jamf (Hey Gaurav, Matt, Jamie, it’s me again!) Jamf determined the only way to fix our server was a massive and time consuming clean up. At its peak, our Jamf Pro Database was 18gb – for the size of our organisation it should have been about 4gb.

Our smart groups were out of control; there were literally hundreds of smart groups that should’ve been Saved Searches (and Jamf, we need a button that converts smart groups into saved searches) and far too many Matryoshka doll smart groups; groups nested on groups nested on groups. Then there were groups based on Macs not being in other groups. Groupception.

Not only that, Macs were checking in every 15 minutes, and sending back an inventory every day.

No one was to blame here, and I recognised the same issues in my previous role. It seems that way too many smart groups and complex, nested smart groups are a natural outcome of a growing Jamf Server – the awkward teenage years.

When you first start with Jamf, there’s not a lot of overhead you need to worry about, and smart groups seem the most useful way of sorting your fleet. Every “wouldn’t it be cool if we knew how many Macs have x” becomes a reason to create a new smart group. And well, if we have a smart group for Macs with x, we should have another for Macs without x!

But as the fleet grows, you quickly feel the strain of these constantly updating groups. Our poor lil On Prem Jamf Server couldn’t cope.

Finally, I accepted Jamf’s recommendation and began the tedious task of Smart Group clean up. The first thing to look for is any policy that may trigger based on Smart Group membership; you don’t want random policies firing off on a Mac because a smart group it was in no longer exists. Search for policies scoped to recurring check in.

Nested smart groups create the biggest strain, and we had a doozy. Our Labs smart group was made up of 20 something individual smart groups based on Lab name. Then there was a Staff smart group, which was scoped as “Not a Member of the Labs smart group.” I was able to get both down to a single item – based on how the Mac was Prestaged.

I later changed that to an EA that was dropped at Enrolment, and pushed to all current Macs, but that’s for another post. 

Then we had “Installed” and “Not Installed” smart groups for every single software title in Jamf Pro. As a university, that is a hell of a lot of smart groups. Thanks to the Reinstall button in Jamf 10, I felt there was no reason to keep these groups, as their main function was to make an App in Self Service disappear after a user installed it. 

I deleted each one, but noticed that if I deleted too many Smart Groups in a single sitting, the JSS started behaving badly, and I was seeing Self Service and Enrolment issues. So I began deleting overnight – I’d delete about 20 groups a night, then immediately run a database clean up.

On a Windows Server, that is:

Open Command Prompt with admin privilege and type the following:

cd c:\program files\MySQL\path\to\bin

then press Enter; you are now in the MySQL bin directory. Run the repair:

c:\program files\MySQL\path\to\bin>mysqlcheck -u root -p --repair jamfsoftware

It will ask for the root password, so specify it and hit enter.

Then optimise:

c:\program files\MySQL\path\to\bin>mysqlcheck -u root -p --optimize jamfsoftware

Another thing to watch out for – make sure your Jamf Scheduled back ups are running, and check them regularly. Jamf cleans up the database during a backup, so you want to make sure it’s cleaning up as you go. 


Also, whenever you find yourself on the Jamf server, run this command to delete any push notifications that are stuck on the server. If your push notifications build up, (and if you have multi-user computers like Labs you will) then enrolment can dramatically slow down.

mysql>delete from mobile_device_management_commands where command IN ("DeviceInfoAccountHash","DeviceInfoITunesActive","ProfileList") and apns_result_status="" and device_object_id=12;

I also changed Inventory to run just once a week, and removed recon from any policy I didn’t think needed it. Thankfully, Jamf no longer allows you to create a policy with recon, if it is set as “Ongoing” on check in. Follow that advice.

All up, the clean up reduced our server database down to just over 3gb, and Jamf Pro is so much snappier.

Configuring Apple Remote Desktop at Setup Assistant

This post was originally written August 21. Then, on August 22nd, Apple broke kickstart intentionally with a Mojave beta. Many Mac Admins filed radars, and the feature seems to have made a welcome return in the release version of Mojave.

I expect the kickstart ARD setting below will be replaced soon with a Configuration Profile from an MDM. Until then, you can use this, and it takes just a few minutes to set up, so it’s worth doing until Apple kills it again.

Apple’s DEP set up is fantastic, except for one small issue. Apple don’t give Sysadmins the ability to skip the first few screens of the Setup Assistant, making “imaging” (for lack of a better word) a pain in the butt.

Apple have improved the situation recently by adding new flags to the Installer – the “--eraseinstall” flag is really handy, but still you need to have someone physically in front of a newly erased Mac to jump through those first few screens.

To get past that, Cameron Kay at UNSW created a simple workflow that adds an ARD agent to the Mac, so you can remote in and click-through those first few screens. I’ve been testing his excellent work, and will share the documentation here.

The Script

The script is a very simple bash script – just change the names and password as you wish. This script also renames the computer to “Setup – Serial Number” – I’ve kept this in mine so I can create a Jamf smart group of Macs at Setup, because our DEP enrolment scripts rename the computer anyway. The script is available here.
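As an added example (this is not Cameron Kay’s script, which is linked above but not reproduced on this page), here is how such a first-boot script can be written. The account name, full name and password are placeholders; it assumes macOS 10.13 or later for sysadminctl and the kickstart tool, and it assumes it runs as root from a package postinstall. It limits Remote Management to that one account rather than all users, and it sets the Bonjour LocalHostName separately from the ComputerName, because the LocalHostName cannot contain spaces (the page’s “Setup – Serial Number” name is written here with a plain hyphen).

```shell
#!/bin/bash
# Hypothetical "ARD at Setup" postinstall script (added example, not the original).
# Runs at first boot after startosinstall --installpackage. Assumes macOS 10.13+.

ARD_USER="ardsetup"                    # placeholder account name
ARD_FULLNAME="ARD Setup"               # placeholder full name
ARD_PASSWORD="CHANGE-ME-PLACEHOLDER"   # placeholder: this value ships in cleartext inside the pkg
KICKSTART="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart"

# ComputerName as the page describes: "Setup - <serial>".
setup_computer_name() {
    printf 'Setup - %s' "$1"
}

# LocalHostName may only contain letters, digits and hyphens, so strip anything else.
setup_local_hostname() {
    printf 'Setup-%s' "$1" | tr -cd 'A-Za-z0-9-'
}

# Read the serial number from IOKit; the quotes ioreg prints are used as the field separator.
get_serial() {
    ioreg -c IOPlatformExpertDevice -d 2 | awk -F'"' '/IOPlatformSerialNumber/ {print $4}'
}

configure_ard() {
    serial="$(get_serial)"
    scutil --set ComputerName "$(setup_computer_name "$serial")"
    scutil --set LocalHostName "$(setup_local_hostname "$serial")"

    # Create the local admin account only if it does not already exist.
    if ! id "$ARD_USER" >/dev/null 2>&1; then
        sysadminctl -addUser "$ARD_USER" -fullName "$ARD_FULLNAME" -password "$ARD_PASSWORD" -admin
    fi

    # Enable Remote Management for that one account only, not for all users.
    "$KICKSTART" -configure -allowAccessFor -specifiedUsers
    "$KICKSTART" -activate -configure -access -on -users "$ARD_USER" -privs -all
    "$KICKSTART" -restart -agent -menu
}

# Only act on macOS and only as root; elsewhere the functions are merely defined.
if [ "$(uname)" = "Darwin" ] && [ "$(id -u)" -eq 0 ]; then
    configure_ard
fi
```

Because the package is cached on the Mac and installed at first boot, the password inside it is readable by anyone who can read the package, so use a dedicated account for this and remove it (and disable Remote Management for it) as part of the DEP enrolment scripts that rename the computer later.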

Packaging it for Jamf

This takes just a few seconds, using Rich Trouton’s Payload Free Packager

Upload to your server

Upload this to your management system of choice. We use Jamf, so the examples here will be Jamf. You’ll also need the latest macOS Installer as a package. Upload both, then create a policy.

Create a policy

My policy is a very simple policy with two packages; the macOS installer, and the ARD at Setup Package. It is scoped to all computers, but only support staff can see it. It is available in self service or via the -eraseward trigger. All very basic, but here are the screenshots.

Important: Set the ARD at Setup Package to cache, rather than install!

The secret sauce that makes the policy work is under Files and Processes – using the --eraseinstall and --installpackage flags.

Here, I’m searching for the process “Self Service” and killing it (so Self Service quits, allowing the Mac to reboot). And under Execute Command:

/Applications/Install\ macOS\ High\ Sierra.app/Contents/Resources/startosinstall --eraseinstall --newvolumename "Macintosh HD" --agreetolicense --installpackage "/Library/Application Support/JAMF/Waiting Room/ard-at-setup.pkg"

We cached the ARD at Setup package earlier, so it’s in the folder “JAMF/Waiting Room”.

Now, when you run that policy, the Mac will download the installer, then erase and install macOS, and when it reboots, you’ll be able to remote to the Mac via ARD. Simple!
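An added preflight wrapper (not from the original post) around the same startosinstall command, for use as a script payload or Execute Command in the policy. It uses the installer path, Waiting Room path, package name and volume name from the post. Before doing anything destructive it checks that the cached package is actually present and non-empty, that pkgutil can verify its signature, that the startup disk is APFS (a requirement of --eraseinstall), and that the installer exists; the signature check assumes you sign the ARD at Setup package (for example with productsign), since pkgutil rejects an unsigned package, so drop that line if you keep it unsigned.

```shell
#!/bin/bash
# Added example: preflight checks before the erase-and-install from the post.
# Paths and names below are the page's values for High Sierra; adjust per installer.
set -u

INSTALLER_APP="/Applications/Install macOS High Sierra.app"
STARTOSINSTALL="$INSTALLER_APP/Contents/Resources/startosinstall"
CACHED_PKG="/Library/Application Support/JAMF/Waiting Room/ard-at-setup.pkg"
NEW_VOLUME_NAME="Macintosh HD"

# A cached package must be a regular, non-empty file at the expected path.
check_cached_pkg() {
    [ -f "$1" ] && [ -s "$1" ]
}

# Only accept a package whose signature pkgutil can verify (assumes the pkg is signed).
check_pkg_signature() {
    pkgutil --check-signature "$1" >/dev/null 2>&1
}

# --eraseinstall requires an APFS system volume; refuse on HFS+.
check_apfs_root() {
    diskutil info / | grep -q 'File System Personality:.*APFS'
}

run_erase_install() {
    check_cached_pkg "$CACHED_PKG" || { echo "cached package missing: $CACHED_PKG" >&2; return 1; }
    check_pkg_signature "$CACHED_PKG" || { echo "package signature check failed: $CACHED_PKG" >&2; return 1; }
    check_apfs_root || { echo "startup disk is not APFS; --eraseinstall is unsupported" >&2; return 1; }
    [ -x "$STARTOSINSTALL" ] || { echo "installer not found: $INSTALLER_APP" >&2; return 1; }

    # Quit Self Service so nothing blocks the reboot (the post does this under Files and Processes).
    pkill -x "Self Service" 2>/dev/null || true

    "$STARTOSINSTALL" --eraseinstall --newvolumename "$NEW_VOLUME_NAME" \
        --agreetolicense --installpackage "$CACHED_PKG"
}

# Only run on macOS as root; elsewhere the check functions are merely defined.
if [ "$(uname)" = "Darwin" ] && [ "$(id -u)" -eq 0 ]; then
    run_erase_install
fi
```

Each failed check returns non-zero before startosinstall is invoked, so a Jamf policy run on a Mac where the cache step failed or the disk is still HFS+ shows up as a failed policy log rather than a half-erased machine.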

Obviously you can also use this as a policy to erase a whole lab at once if you want, but start testing within Self Service.

Missing the SD card reader in your MacBook? Don’t buy a dock

I’ve tested every damn dock with an SD Card reader and they all suck, and they get super hot in use. Get this instead, one cable that can go from your camera to your computer, no crappy adaptors or docks in between.

I’ve been using one for over a year, and it’s much better solution. And gosh, some cameras even have USB-C now.

Buy: ORICO Type-C to Micro USB Charge & Sync Cable (MCU) (MCU-10-BK) | Centre Com : Best PC Hardware Prices!

Modular Mac Pro is a 2019 Product

“We want to be transparent and communicate openly with our pro community, so we want them to know that the Mac Pro is a 2019 product. It’s not something for this year.”

In addition to transparency for pro customers, there’s also a larger fiscal reason behind it.

“We know that there’s a lot of customers today that are making purchase decisions on the iMac Pro and whether or not they should wait for the Mac Pro,” says Boger. This is why Apple wants to be as explicit as possible now, so that if institutional buyers or other large customers are waiting to spend budget on, say, iMac Pros or other machines, they should pull the trigger without worry that a Mac Pro might appear late in the purchasing year.

Source: Apple’s 2019 Mac Pro will be shaped by workflows | TechCrunch

Steve Jobs on privacy – 8 Years ago

I love Kara Swisher’s little “you here, Mark?” joke at the start of this question…

I really hope Apple can do something about Facebook at the iOS level, but of course, if they piss off Facebook too much, the company can tell its 1 Billion users to switch to Android for the best experience.

Introducing Anchor Videos for Web 

Earlier this year we launched Anchor 3.0, the easiest way to make a podcast, ever. As part of our mission to democratize audio, we believe it’s important to innovate on how that audio is shared. It’s always been a chore to visualize audio segments for social media, and with our new web tools, it’s easier than ever.

With Anchor 3.0, the company matched everything Soundcloud was doing, but for free. Now they’re overtaking Soundcloud. It really makes me want to cast some pods again.

Source: Introducing Anchor Videos for Web – Anchor – Medium

Samsung AR Emoji are NQR

Looking at the Samsung AR emoji created by a bunch of tech journos, there was something odd about them I just couldn’t put my finger on. Then it dawned on me; it makes everyone thin. Just like Bitmoji before it, Samsung are too worried they’ll offend you by making your avatar chunky, so everyone ends up thinner virtually than they are in real life. Apple sidestepped this by making their Animoji, well, animals. What a bizarre world we live in.

Apple Is Planning Its First Education-Related Event Since 2012 – Bloomberg

Its last education-related event took place in New York City in 2012. The company said in an invitation Friday that it will share “creative new ideas for teachers and students” at the affair, which will take place at Lane Tech College Prep High School.
— Read on www.bloomberg.com/news/articles/2018-03-16/apple-to-make-education-related-announcement-on-march-27

This is pretty exciting – we saw some great new classroom features come to the iPad in iOS 11 – I’m hoping to see more of that, and as a Mac sysadmin working at a University right now, a few more tools for the Mac would be welcomed, too. The most intriguing rumours are around Apple’s laptop line – with talk of a possible rev to the education workhorse, the MacBook Air.