
Category: Apple

MacBook Air (2018) review: a welcome but unexciting upgrade

When announcing the long overdue refresh to the MacBook Air, Apple CEO Tim Cook described the laptop as “the most beloved notebook”. Personally, it was my most beloved notebook. I held onto one for five years, long after my manager told me it was out of warranty and no longer supported, waiting for the laptop to receive an upgrade. (read more)

Let them use Macs: IBM CIO on the importance of giving staff a choice

Three years ago at Jamf Nation User Conference, a little known Apple admins event in Minneapolis, Fletcher Previn gave a presentation describing his role in introducing Macs to staff at IBM. He made headlines in tech circles, in part due to the novelty of Apple creeping into IBM — a company synonymous with the PC — but also thanks to the size and scope of the rollout. (read more)

Hands on with Apple’s new Macs and iPads

For the first time in recent memory, Apple has held an event full of surprises. Sure, we all expected the iPad Pro to receive an update, and there were rumours of new Macs coming, but no specifics leaked. No supply chain photographs, no product names popping up in iOS firmware. The famously secretive company managed to keep its secrets. (read more)

Dealing with Our Jamf Pro’s Awkward Teenage Years

Earlier this year I decided I wanted to upgrade our DEP Enrolment workflow, which involved quite a lot of work on the JSS. As I set to work, I found Jamf Pro painfully slow to deal with, and slight changes would result in Macs not enrolling correctly. After much Googling and many tickets to the very patient and helpful support staff at Jamf (Hey Gaurav, Matt, Jamie, it’s me again!), Jamf determined the only way to fix our server was a massive and time-consuming clean up. At its peak, our Jamf Pro database was 18 GB – for the size of our organisation it should have been about 4 GB.

Our smart groups were out of control; there were literally hundreds of smart groups that should’ve been Saved Searches (and Jamf, we need a button that converts smart groups into saved searches) and far too many Matryoshka doll smart groups; groups nested on groups nested on groups. Then there were groups based on Macs not being in other groups. Groupception.

Not only that, Macs were checking in every 15 minutes, and sending back an inventory every day.

No one was to blame here, and I recognised the same issues in my previous role. It seems that way too many smart groups and complex, nested smart groups are a natural outcome of a growing Jamf Server – the awkward teenage years.

When you first start with Jamf, there’s not a lot of overhead you need to worry about, and smart groups seem the most useful way of sorting your fleet. The “wouldn’t it be cool if we knew how many Macs have x” becomes any new reason to create a new smart group. And well, if we have a smart group for Macs with x, we should have another for Macs without x!

But as the fleet grows, you quickly feel the strain of these constantly updating groups. Our poor lil On Prem Jamf Server couldn’t cope.

Finally, I accepted Jamf’s recommendation and began the tedious task of Smart Group clean up. The first thing to look for is any policies that may trigger based on Smart Group membership; you don’t want random policies firing off on a Mac because a smart group it was in no longer exists. Search for policies scoped to recurring check in.

Nested smart groups create the biggest strain, and we had a doozy. Our Labs smart group was made up of 20 something individual smart groups based on Lab name. Then there was a Staff smart group, which was scoped as “Not a Member of the Labs smart group.” I was able to get both down to a single item – based on how the Mac was Prestaged.

I later changed that to an EA that was dropped at Enrolment, and pushed to all current Macs, but that’s for another post. 

Then we had “Installed” and “Not Installed” smart groups for every single software title in Jamf Pro. As a university, that is a hell of a lot of smart groups. Thanks to the Reinstall button in Jamf 10, I felt there was no reason to keep these groups, as their main function was to make an App in Self Service disappear after a user installed it. 

I deleted each one, but noticed that if I deleted too many Smart Groups in a single sitting, the JSS started behaving badly, and I was seeing Self Service and Enrolment issues. So I began deleting overnight – I’d delete about 20 groups a night, then immediately run a database clean up.

On a Windows Server, that is:

Open Command Prompt with admin privileges and type the following:

cd c:\program files\MySQL\path\to\bin

Hit Enter, and you are now in the MySQL bin directory.

c:\program files\MySQL\path\to\bin>mysqlcheck -u root -p --repair jamfsoftware

It will ask for the root password, so enter it and hit Enter.

Then optimise:

c:\program files\MySQL\path\to\bin>mysqlcheck -u root -p --optimize jamfsoftware

Another thing to watch out for – make sure your Jamf scheduled backups are running, and check them regularly. Jamf cleans up the database during a backup, so you want to make sure it’s cleaning up as you go.


Also, whenever you find yourself on the Jamf server, run this command to delete any push notifications that are stuck on the server. If your push notifications build up (and if you have multi-user computers like Labs, they will), then enrolment can dramatically slow down.

mysql>delete from mobile_device_management_commands where command IN ("DeviceInfoAccountHash","DeviceInfoITunesActive","ProfileList") and apns_result_status="" and device_object_id=12;

I also changed Inventory to run just once a week, and removed recon from any policy I didn’t think needed it. Thankfully, Jamf no longer allows you to create a policy with recon, if it is set as “Ongoing” on check in. Follow that advice.

All up, the clean up reduced our server database down to just over 3 GB, and Jamf Pro is so much snappier.

iPhone XR review: the better value Apple phone

Apple disappointed some with the announcement of the iPhone XR back in September. Rumours leading up to the event suggested the XR would be a low cost, entry level device pitched like the iPhone 5C before it; sporting older technology in a cheaper design. Instead, the iPhone XR launched as a premium device with a premium price. (read more)

Leave your phone at home: Podcasts come to Apple Watch

Cast your mind back to 2005, the year podcasts debuted on iTunes and iPods around the world. It’s hard to remember the countless articles about iPod zombies, isolating themselves from the world in their white ear-bud bubbles. Now, as we end a decade of collectively staring at our smartphones, the thought of mere audio as a distraction seems almost quaint. (read more)

Configuring Apple Remote Desktop at Setup Assistant

 

This post was originally written August 21. Then, on August 22nd, Apple broke kickstart intentionally with a Mojave beta. Many Mac Admins filed radars, and the feature seems to have made a welcome return in the release version of Mojave.

I expect the kickstart ARD setting below will be replaced soon with Configuration Profile from an MDM. Until then, you can use this, and it takes just a few minutes to set up, so it’s worth doing until Apple kills it again.

Apple’s DEP setup is fantastic, except for one small issue. Apple don’t give Sysadmins the ability to skip the first few screens of the Setup Assistant, making “imaging” (for lack of a better word) a pain in the butt.

Apple have improved the situation recently by adding new flags to the Installer – the “--eraseinstall” flag is really handy, but you still need to have someone physically in front of a newly erased Mac to jump through those first few screens.

To get past that, Cameron Kay at UNSW created a simple workflow that adds an ARD agent to the Mac, so you can remote in and click-through those first few screens. I’ve been testing his excellent work, and will share the documentation here.

The Script

The script is a very simple bash script – just change the names and password as you wish. This script also renames the computer to “Setup – Serial Number” – I’ve kept this in mine so I can create a Jamf smart group of Macs at Setup, because our DEP enrolment scripts rename the computer anyway. The script is available here.

Packaging it for Jamf

This takes just a few seconds, using Rich Trouton’s Payload Free Packager.

Upload to your server

Upload this to your management system of choice. We use Jamf, so the examples here will be Jamf. You’ll also need the latest macOS Installer as a package. Upload both, then create a policy.

Create a policy

My policy is a very simple policy with two packages; the macOS installer, and the ARD at Setup Package. It is scoped to all computers, but only support staff can see it. It is available in self service or via the -eraseward trigger. All very basic, but here are the screenshots.

Important: Set the ARD at Setup Package to cache, rather than install!

The secret sauce that makes the policy work is under Files and Processes – using the --eraseinstall and --installpackage flags.

Here, I’m searching for the process “Self Service” and killing it (so Self Service quits, allowing the Mac to reboot). And under Execute Command:

/Applications/Install\ macOS\ High\ Sierra.app/Contents/Resources/startosinstall --eraseinstall --newvolumename "Macintosh HD" --agreetolicense --installpackage "/Library/Application Support/JAMF/Waiting Room/ard-at-setup.pkg"

We cached the ARD at Setup package earlier, so it’s in the folder “JAMF/Waiting Room”.

Now, when you run that policy, the Mac will download the installer, then erase and install macOS, and when it reboots, you’ll be able to remote to the Mac via ARD. Simple!

Obviously you can also use this as a policy to erase a whole lab at once if you want, but start testing within Self Service.
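The policy above erases the disk whether or not the ARD package was actually cached, and a missing package leaves a wiped Mac that nobody can remote into. The following is an added example, not part of the original post or of Cameron Kay's script: a pre-flight wrapper that refuses to start the erase unless the installer and the cached package are both on disk. The function names and the `--run` switch are hypothetical; the paths are the ones shown in the Execute Command above, and deploying it as a policy script instead of a one-line command is an assumption.

```bash
#!/bin/bash
# Added example: pre-flight guard for the erase-and-install command.
# Paths match the post; function names and --run are hypothetical.

INSTALLER_APP="${INSTALLER_APP:-/Applications/Install macOS High Sierra.app}"
ARD_PKG="${ARD_PKG:-/Library/Application Support/JAMF/Waiting Room/ard-at-setup.pkg}"

# Return 0 only if everything the wipe depends on is already on disk.
#   1 = startosinstall missing or not executable
#   2 = ARD package not cached, or cached as an empty file
preflight() {
    pf_tool="$1/Contents/Resources/startosinstall"
    pf_pkg="$2"
    if [ ! -x "$pf_tool" ]; then
        echo "missing or non-executable: $pf_tool" >&2
        return 1
    fi
    if [ ! -s "$pf_pkg" ]; then
        echo "ARD package not cached (or empty): $pf_pkg" >&2
        return 2
    fi
    return 0
}

# Run the same command as the post, but only after the checks pass.
erase_and_install() {
    preflight "$1" "$2" || return $?
    "$1/Contents/Resources/startosinstall" --eraseinstall \
        --newvolumename "Macintosh HD" --agreetolicense \
        --installpackage "$2"
}

# Act only when asked to, so sourcing this file has no side effects.
if [ "${1:-}" = "--run" ]; then
    erase_and_install "$INSTALLER_APP" "$ARD_PKG"
fi
```

A non-zero exit makes the Jamf policy log a failure instead of leaving an erased Mac with no remote access.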

 

Apple Watch Series 4 review: running unopposed

The evolution of the smartwatch has been fascinating to track. The first modern smartwatch was arguably the Pebble (rest in peace), unveiled back in 2012. Sony and Samsung were in the race early too, but Google brought the idea into the mainstream and really defined what a modern smartwatch should be in 2014, with the release of Android Wear. (read more)