Skip to content

macOS Device Compliance

I use two Smart Groups in Jamf to define how many devices are in compliance in regards to macOS version. The Smart Groups are pretty simple: The problem is that only gives us a snapshot of a moment in time, rather than historical data. My solution was to log that data in a Google Sheet. I created a new Okta Workflow. The Workflow kicks off once a day at 1 am PST. I want to store the date and time, so I need to convert it into the appropriate format. This will give me 2024-04-09 and 10:49:00 PST (based on time I’m writing this). It stores that values as dateReturn… Read More »macOS Device Compliance

Automating MDM Renewals Using Jamf and Okta Workflows

Hi, We have some computers that are in Jamf. Sometimes Jamf doesn’t like to play nice and renew the MDM on the device. To start you’re going to need an Advanced Computer Search in Jamf. The fortunately have a criterion called “MDM Profile Expiration Date” and we set that to less than 11 days. Alright, you got that? Great! Next you need to get the ID for that Advanced Computer Search. You can find that in the URL In the example above, it’s 888. In Okta Workflows, create a new flow, give it a name and tell it that it’s a Scheduled Flow. I’m not explaining every little thing. Here’s… Read More »Automating MDM Renewals Using Jamf and Okta Workflows

Toronto Mac Admins Meetup

We had a Toronto Mac Admins meetup this past Tuesday (January 30, 2024). I’m gonna embed the video for you folks.

Mac Admins @ Penn State University

I was recently at Penn State University in State College, PA for the annual MacAdmins conference. I was there with my co-worker Rebecca. The two of use presented two topics and they’ve made their way to YouTube.

Running GlobalProtect CLI only on Linux

I just spent 3 hours on a Zoom with a colleague trying to figure out what the issues our Linux users were facing when running GlobalProtect. To install the CLI-only version, you must first you download the files, untar/detar/whatever it… Then you run the installer script Woo hoo! It’s installed! Kinda, there’s a few things missing. Default Browser In the document /opt/paloaltonetworks/globalprotect/pangs.xml, add the following line in the <settings> section… Point to your Portal In the document /opt/paloaltonetworks/globalprotect/pangs.xml, add the following line in the <PanSetup> section… Save the document and exit. Reboot You don’t need me to tell you how to do that… reboot your computer. globalprotectcallback: URLs Create the… Read More »Running GlobalProtect CLI only on Linux

Custom Commands for Mosyle

Hat Tip to another Adam. I recently discovered these when poking around in Adam Codega’s Github. There’s a couple especially I want to draw attention to. BatteryHealthCA.sh This little script will get the battery service level, plus tell you the number of power cycles the battery has had. It will appear as something like “Normal (256)”. Battery condition is normal and has had 256 cycles. From there in Mosyle, you can create a Smart Device Group where the criteria is for that field is like “Service Recommended” as you can see below. Here’s the direct link. KernelPanicCA.sh This script will tell you how many kernel panics a device has had… Read More »Custom Commands for Mosyle

fdesetup

I’ve used a few different MDMs in my time as a MacAdmin, I’ve written about my transition from WorkspaceONE to Mosyle and I really much prefer it. I noticed today that one user isn’t using FileVault. I have a deferral set to 5 times. Which now I’m thinking might be a bit high. I was wondering how many times that user has deferred FileVault. I saw you could use fdesetup to see info about deferral. So I made a quick and dirty script for that. I used Mosyle to blast it out to all devices with Filevault off (that required having a smart group), and told it to run on… Read More »fdesetup

AutoPKG storage on external drive

Ran into a quick problem that I thought I’d quickly blog about. AutoPKG’s data folders are all sitting on an external drive. First off, “Ignore ownership on this volume” was checked off, and AutoPKG doesn’t like that. That was a first for me, I’ve always had AutoPKG running on the internal drive. I turned that on, gave myself ownership and read & write and then propagated permissions down. On the next run I got: Got some quick help from MacAdmins #AutoPKG channel. Suggested I give python full disk access. That solved the problem. Python was already in the PPPC panel for Full Disk Access, so I checked it off, but… Read More »AutoPKG storage on external drive

Broken Admin Account

Text I type is green, computer replies are purple. I had a weird issue this morning. A teacher brought in her school Mac. She was unable to authorize the computer to allow screen sharing in Zoom. Everything in our MDM was set properly. Standard users were allowed to make their own decisions for screen capture1. I clicked on the lock icon to authenticate there. It wouldn’t accept my credentials as the admin user. A bit about our workflow. Device in Apple School Manager and assigned to our MDM (Mosyle) Computer turns on and goes through Automated Device Enrollment (ADE) and hands off to Mosyle Authenticate to Mosyle via Google Mosyle… Read More »Broken Admin Account

Hosting Munki in an S3 bucket from Wasabi

Why I’m writing this I wasn’t originally planning to write a blog post about this. I am not on the bleeding edge and others have done it, but I hit some roadblocks along the way and I couldn’t find good answers. In addition, Orlando asked me in #toronto on MacAdmins Slack if I was going to, and how can I say no? Why I did it During the pandemic I found that it was a bit painful to get a new Mac up and ready to go out of the box for our teachers at home. While I’m hoping that we will be spending all of the 2021-2022 school year… Read More »Hosting Munki in an S3 bucket from Wasabi