Managing Macs at Scale


Getting the currently logged-in user's ID (UID) for launchctl

Many scripted macOS workflows require determining the username of the currently logged-in user. Whether you wish to execute a command as that user via su or you just want to log the username during your script’s execution, you may need to query macOS for this information.

This is a solved problem, and Armin Briegel’s excellent article on Getting the current user in macOS outlines the best method.

In addition to determining the logged-in user’s username, you may also need their user ID number, or UID. For example, loading a LaunchAgent as a specific user requires providing that user’s UID.

Previous solutions involved grabbing the logged-in user’s username, then feeding that to id -u $loggedInUser – but you can get the currently logged-in user’s UID in one step.


Renaming Computers via Snipe-IT using Jamf Pro

A couple of years ago, I shared a method to set a Mac’s hostname via a Google Sheet. It’s worked well at my organization (as well as many others!) and helped us keep our computer names consistent.

We’ve since moved to using Snipe-IT for asset management. Snipe is a fantastic open-source tool that simplifies inventory tracking for our whole IT shop. It also includes a robust API that allows us to integrate with external systems and processes.

I’m now using the Snipe API to script our computer naming process. We treat Snipe as the system of record for all inventory, and any change made to a computer’s hostname in Snipe can be reflected on both the client system and in Jamf Pro. Here’s how.


Sending Autopkg and JSSImporter Notifications to Google Hangouts Chat

Although Slack has seemingly taken over the world of workplace chat, my organization is a G Suite shop and we use Hangouts Chat for a majority of our internal communication. It’s included as a “core” G Suite app, so why not use the product we already have, right?

I wanted a way to post notifications to Hangouts Chat rooms when autopkg downloads new software, or makes changes to our Jamf Pro server via JSSImporter. No solution existed. Building on the excellent Slack-centric work of both Graham R Pugh and Rich Trouton, I’ve made two different autopkg postprocessors to send autopkg notifications to Google Hangouts Chat.


Helping Your Users Reset TCC Privacy Policy Decisions

Taking a cue from iOS, Mac OS X 10.8 “Mountain Lion” introduced new systems to help users manage access requests to potentially sensitive and private personal information. When an app required access to a user’s Contacts, for instance, a consent prompt appeared on screen asking the user to allow or disallow this access.

Broadly, this system is known as TCC or transparency, consent and control.

With each version of macOS, Apple broadens the scope of privacy controls. The upcoming release of macOS Mojave expands these controls such that many previously-permitted interactions will require user consent. Prompts for consent appear only once when an action first requires approval.

With more to manage and only a single prompt to allow or disallow access, it can be difficult for users to understand the state of their system. Actions may fail with no clear indication as to why; a decision to disallow access is easily forgotten after many weeks or months.

Let’s create an easy method to reset these decisions to allow for a fresh start.


Signing Configuration Profiles

Apple has made it clear: MDM is the future.

As the preferred method of device management moves more and more to Configuration Profiles, administrators must turn their focus toward digital security.

Signing configuration profiles provides assurance of their origin, and an assertion that their contents have not been modified in transit.


Express Setup, Location Services, Time Zone, and High Sierra

I recently ran into a snag with our Device Enrollment Program (DEP) workflow. Users were not being prompted to enable Location Services to automatically set the time zone, nor was the explicit Time Zone selection screen displayed during Setup Assistant.

The result was that devices wound up configured with the default Cupertino, CA location, and a Pacific time zone. We’re on the East coast – so we’d have to script a change of settings, or worse, have the user manually modify them.

As it turns out, this is an effect of the new “Express Setup” option in macOS High Sierra.


Wait, is my Mac Up to Date?

So you’ve trained your users to use Jamf Pro’s Self Service to install third-party software, but how can we encourage users to self-manage macOS operating system updates?

Let’s create a user-centric, Self Service workflow for checking the status of available software updates.
