With the release of macOS High Sierra 10.13.4, I have found myself with notifications prompting me to allow kernel extensions for certain applications (Cylance, etc.).
Since I mostly use JAMF, the recent release of JAMF Pro 10.3 enables us to deploy a profile that will allow us to handle this prior to installation and for the user.
Following instructions from a post by Graham Gilbert, I was able to easily pull the IDs I needed from a computer that had successfully enabled the kernel extension.
Launch Terminal: sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy
Then: SELECT * FROM kext_policy;
Once you have the IDs (each is a 10-character string), go into Configuration Profiles in JAMF Pro and click New.
In General, enter a name of your choosing, e.g. Approved Kernel Extensions.
We also want to make sure it’s installed at the computer level.
Once we have finished with General, let’s head to the bottom of the payload page and select the Approved Kernel Extensions payload.
Click Configure. On the page that appears, set the display name to match the app we are enabling (here, Cylance, Inc.) and then enter the ID under Team ID.
If you want to be more restrictive and allow only some kernel extensions, use the kernel extension bundle option, where you enter the specific bundle identifier, e.g. com.Cylance.CyProtectDrvOSX.
With this, only the specified bundle will be approved, even if there are more bundles under the same Team ID.
Repeat for all the Kernel Extensions you would like to approve and once done, scope it to the users you want and save to push it.
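As an added example (not code from the original post, Graham Gilbert, or Jamf), this Python script reads the same kext_policy table and turns the approved rows into the two forms described above: whole-team approval and per-bundle approval. The column names and the AllowedTeamIdentifiers / AllowedKernelExtensions key names (from Apple's kernel extension policy payload) are assumptions about your environment, and the Team IDs and com.example bundles in the sample data are constructed placeholders.

```python
import sqlite3
import sys

KEXT_DB = "/var/db/SystemPolicyConfiguration/KextPolicy"  # path from the post

# Column names are an assumption; confirm with ".schema kext_policy".
QUERY = ("SELECT team_id, bundle_id, developer_name FROM kext_policy "
         "WHERE allowed = 1 ORDER BY team_id, bundle_id")


def approved_kexts(conn):
    """Group user-approved kexts: {team_id: {"developer", "bundles"}}."""
    result = {}
    for team_id, bundle_id, developer in conn.execute(QUERY):
        entry = result.setdefault(team_id, {"developer": developer, "bundles": []})
        entry["bundles"].append(bundle_id)
    return result


def payload_settings(kexts, restrict_to_bundles=False):
    """Whole-team approval, or only the listed bundles under each Team ID."""
    if restrict_to_bundles:
        return {"AllowedKernelExtensions":
                {team: e["bundles"] for team, e in kexts.items()}}
    return {"AllowedTeamIdentifiers": sorted(kexts)}


def sample_db():
    """Constructed in-memory data; both Team IDs are placeholders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE kext_policy (team_id TEXT, bundle_id TEXT, "
                 "allowed BOOLEAN, developer_name TEXT, flags INTEGER)")
    conn.executemany("INSERT INTO kext_policy VALUES (?, ?, ?, ?, ?)", [
        ("TEAMID0001", "com.Cylance.CyProtectDrvOSX", 1, "Cylance, Inc.", 0),
        ("TEAMID0002", "com.example.DriverA", 1, "Example Corp", 0),
        ("TEAMID0002", "com.example.DriverB", 0, "Example Corp", 0),
    ])
    return conn


if __name__ == "__main__":
    # "--live" opens the Mac's own database read-only; default is the sample.
    conn = (sqlite3.connect(f"file:{KEXT_DB}?mode=ro", uri=True)
            if "--live" in sys.argv else sample_db())
    kexts = approved_kexts(conn)
    for team, entry in kexts.items():
        print(team, entry["developer"], ", ".join(entry["bundles"]))
    print(payload_settings(kexts))
    print(payload_settings(kexts, restrict_to_bundles=True))
```

Reviewing the per-bundle output before building the profile shows exactly which extensions a Team ID approval would cover beyond the one you intended.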
Having started in the industry as a Help Desk, I often found one of the responsibilities has always been asset tracking and management.
While many tools do provide asset syncing and reporting for computer serials, etc., I found them lacking for the other pieces such as display monitors.
I set out to solve that void in my shop by helping our Help Desk easily identify and solve the problem.
The idea was to retrieve the serial number of a connected monitor each time a computer submitted an inventory update.
With a few lines of code, I was able to achieve just that.
The code parses System Profiler output and retrieves the display serial numbers; should there be more than one display attached, the result will grow and show all the serial numbers it finds.
The first displayed serial represents the main display and the rest follows.
This code has been very useful in my shop to easily identify who had what display.
The serial number is only revealed when the monitor is connected via HDMI, Thunderbolt or DVI, sorry no VGA.
The code is available on my GitHub and while it is ready to be deployed into Casper, it can easily be tweaked for other reporting tools.
One thing I wished Casper could do is remove users from the Users section after an asset is deleted from Casper.
Granted this may not be a situation for everyone but for me, I end up with lots of disabled users still showing up in my Users section.
While I can manually remove them, doing it every time, a hundred times is not ideal.
While wondering about ways to increase our visibility on clients, we came to the realization that we were clueless about Virtual Machines.
We could tell who had virtualization software installed (Parallels, VMware Fusion, VirtualBox) but beyond that nothing.
One thing I have always wondered has been removing the error and the manual out of our imaging process.
While DeployStudio does offer many tools to automate the process and design workflows to achieve completion, I still needed to come up with a way to deal with computer names and the computer records that are stored in DeployStudio.
Thankfully, DeployStudio has a REST API which can be used.
It’s that time again and the dates are out….
The other day, I tried to ssh into a client and to my surprise, I couldn’t. Now if you are the guy in charge of managing Macs and you can’t get into a Mac that you clearly should be able to, you start asking yourself some questions.
Casper can be used for software updates but I felt something was missing (I am talking about me here!), so I went about writing something to help.
Once a week, I wanted to be able to install OS X updates on all my clients and prompt them to restart while giving them a grace period if they couldn’t do it at the time of the prompt.
Upon many talks from and within the Mac Admin community about XProtect and Gatekeeper updates, it was pointed out that within a few scenarios, the updates don’t apply.
Part of client management is often protecting your users from exposure caused by themselves. As such, I went on a journey (more like a tour) to identify what I could do and as I walked, it occurred to me that I needed to ensure the screensaver settings I had set in place were always in place.