Posted on 13-Jul-2020
Managing macOS: BigFix and MDM
Andrew Laurence
Office of Information Technology
University of California, Irvine
BigFix at UC Irvine
• 6,500 Endpoints
• 3,500 at OIT
• 3,000 at client departments
• Mostly user endpoints
• Mostly Windows
• Patch Management
• Power
• Custom Content
• Application Deployment
• Trust but verify
• Nessus Agents
OIT Desktop Support
• Windows history
• Active Directory
• Group Policy
• BigFix for patching, power
Endpoint Management (…applied to macOS)

                         Windows               macOS
Rapid Deployment         MDT                   Deploy Studio
Application Deployment   MDT / BigFix          Deploy Studio / BigFix
Patching                 BigFix                BigFix
Policy Management        Group Policy          MDM
Usecase / Organization   OIT Desktop Support
MDM arrives
• Needed by a client department
• Short deployment timeline
• Peer organization had completed an evaluation, selected Airwatch.
• Yay!
• Server-stored configurations
• Manipulates OS-native APIs and settings
• Server-stored deployment scoping
• Agent built into the OS
• Can execute binaries / scripts
• Configurations are actually XML-based files.
Mobile Device Management
Airwatch / Workspace ONE
Blackberry / Good
Intune
JAMF
MaaS360
MobileIron
How to support macOS?
Technology
How is this platform different?
What is the state of the art?
What methods or tools are common?
Organization
What tools do we have?
What expertise do we have?
Build vs buy?
macOS Tools

Rapid Deployment         Deploy Studio
Application Deployment   Deploy Studio / BigFix
Patching                 BigFix
Policy Management        Airwatch
NetBoot | Deploy Studio
• Imaging Workflow
• Partition, install "factory" macOS
• Installs standard configuration
  • Applications
  • scripts
  • `softwareupdate`
• Post-boot finishing
  • Airwatch, BigFix
BigFix
• root shell robot
• Desired state configuration in patch management clothing.
• If you can do it in the shell, you can do it in BigFix.
BigFix
• Fixlets install various applications.
• Baseline bundles together the standard suite.
• Enroll into Airwatch via `profiles` command
Airwatch Policies
• Active Directory
• Enterprise Connect
• Firewall
• Login Window
• Restrictions
• Security & Privacy
Common Gaps, Common Workarounds
• BigFix
  • Relevance inspectors for scoping.
  • Inspectors don’t cover everything.
  • Actions + script output => files
  • Relevance reads files for data, properties, client settings.
• Airwatch
  • Scoping gaps filled by Custom Attributes.
  • Output from shell scripts, saved as data.
• JAMF
  • Scoping gaps filled by Extension Attributes.
  • Output from shell scripts, saved as data.
BigFix on macOS
• Fixlet templates for install scenarios
  • .pkg file
  • .pkg inside .dmg
  • .app contained within .dmg
• {application} inspector can result in fixlet "fail"
  • reliant on Spotlight, can be slow to return
  • `{(application of folder "/Applications") whose (name of it is "foo.app")}`
macOS Upgrade via BigFix
• `startosinstall`
  • 10.12 or later
• `--installpackage`
  • Flat package(s), installed after Setup Assistant
• `--converttoapfs`
  • 10.13 or later
• `--eraseinstall`
  • 10.13.4 or later
  • requires APFS
What about… Apple’s DEP
• Procurement to delivery
• Automated MDM enrollment
• Can install packages
  • Must be flat packages
  • (just like `--installpackage`)
macOS’ Tightening Security Profile | DEP
• System Integrity Protection
  • root is no longer root
  • BigFix runs as root
• User Authorized MDM
  • Enrollment grandfathered from pre-10.13.4 MDM enrollment
• User Authorized Kernel Extension Loading
• Privacy Preferences Policy Control
Boundaries
• inspectors don’t cover everything
  • need for OS groups on not-Windows
  • SIP on Mojave is restricted further
  • relevance for group .plist now fails
• `output of` inspector would be useful
  • Constrained?
  • `dscl read`
  • `system_profiler`
  • `diskutil [list|info]`
  • `profiles -list -all`
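The "script output => file => relevance reads it" workaround from the Common Gaps slide, applied to the constrained commands on the Boundaries slide, as an added example that is not from the talk: a POSIX shell script an action can run as root that records each command's first output line as KEY=value in a fact file, which relevance (`lines of file`) or an Airwatch Custom Attribute script can then read. The fact-file path and key names are my assumptions, and each macOS-only command is checked for presence so the script also runs where it is absent.

```shell
#!/bin/sh
# Added example, not part of the slides: collect endpoint facts into a file for relevance.
# Assumed path; point your relevance / Custom Attribute script at the same file.
FACTS_DIR="${FACTS_DIR:-/var/tmp/endpoint-facts}"

# record KEY CMD [ARGS...] -> appends "KEY=<first output line>" to the fact file.
# Missing commands yield "unavailable", empty output yields "empty", so relevance
# never sees a half-written or absent key.
record() {
  key="$1"; shift
  if command -v "$1" >/dev/null 2>&1; then
    value=$("$@" 2>/dev/null | head -n 1 | tr -d '\r')
    [ -n "$value" ] || value="empty"
  else
    value="unavailable"
  fi
  printf '%s=%s\n' "$key" "$value" >> "$FACTS_DIR/facts.txt"
}

# collect_facts -> rewrites the fact file from scratch on every run so stale data never lingers.
collect_facts() {
  mkdir -p "$FACTS_DIR"
  : > "$FACTS_DIR/facts.txt"
  record os_version sw_vers -productVersion              # e.g. 10.14.6
  record sip_status csrutil status                       # "System Integrity Protection status: enabled."
  record mdm_enrollment profiles status -type enrollment # first line, e.g. "Enrolled via DEP: Yes" (10.13.4+)
  record boot_disk diskutil info /                       # first line of `diskutil info` for the boot volume
  chmod 644 "$FACTS_DIR/facts.txt"   # world-readable data only; never write secrets here
}

# fact KEY -> prints the stored value, i.e. what a relevance clause such as
#   exists line whose (it = "sip_status=System Integrity Protection status: enabled.")
#     of file "/var/tmp/endpoint-facts/facts.txt"
# would match on.
fact() {
  sed -n "s/^$1=//p" "$FACTS_DIR/facts.txt"
}

# Run with "--collect" from the action; without it the functions are only defined.
if [ "${1:-}" = "--collect" ]; then collect_facts; fi
```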
In Summary
• Know your tools
• Know your endpoint OS
• Know your organization
atlauren@uci.edu