Approve Kernel Extension via profile

With the release of macOS High Sierra 10.13.4, I have found myself with notifications prompting me to allow kernel extensions for certain applications (Cylance, etc.).
Since I mostly use JAMF, the recent release of JAMF Pro 10.3 enables us to deploy a profile that handles this approval prior to installation, on the user's behalf.

Following instructions from a post of Graham Gilbert, I was able to easily pull the IDs I needed from a computer that had successfully enabled the kernel extension.

TL;DR
Launch Terminal: sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy
Then: SELECT * FROM kext_policy;

Once you have the IDs (each will be a 10-character string), go into Configuration Profiles in JAMF Pro and click New.
In General, enter a name of your choosing, e.g. Approved Kernel Extensions.
We also want to make sure it’s installed at the computer level

Once we have finished with General, let’s head to the bottom of the payload page and select Approved Kernel Extensions Payload

Click Configure. On the newly displayed page, enter a display name that matches the app we are enabling (here, Cylance, Inc.) and then enter the ID under Team ID.
If you want to be more restrictive and allow only some kernel extensions, use the kernel extension bundle option, where you enter the specific bundle ID, e.g. com.Cylance.CyProtectDrvOSX.
With this, only the specified bundle will be approved, should there be more bundles under the same Team ID.

Repeat for all the Kernel Extensions you would like to approve and once done, scope it to the users you want and save to push it.

That’s it.
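As an added example (not part of the original post and not JAMF's own code), this Python sketch reads the approved rows from a KextPolicy-style database and builds the matching kernel extension policy payload dictionary, approving one vendor by bundle ID only and the other by Team ID. The table columns, both Team IDs and the com.example.* names are constructed assumptions, and the database is an in-memory stand-in.

```python
import plistlib
import sqlite3
import uuid

# Constructed rows. Column layout is assumed from the kext_policy table;
# both Team IDs are placeholders, not real vendor IDs.
SAMPLE_ROWS = [
    ("ABCDE12345", "com.Cylance.CyProtectDrvOSX", 1, "Cylance, Inc."),
    ("ZYXWV98765", "com.example.driver", 1, "Example Vendor"),
    ("QRSTU55555", "com.example.denied", 0, "Denied Vendor"),
]

def sample_db():
    """In-memory stand-in for /var/db/SystemPolicyConfiguration/KextPolicy."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE kext_policy (team_id TEXT, bundle_id TEXT, "
                 "allowed BOOLEAN, developer_name TEXT)")
    conn.executemany("INSERT INTO kext_policy VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn

def read_approved(conn):
    """Map each Team ID with approved kexts to its sorted bundle IDs."""
    teams = {}
    rows = conn.execute("SELECT team_id, bundle_id FROM kext_policy "
                        "WHERE allowed = 1 ORDER BY team_id, bundle_id")
    for team_id, bundle_id in rows:
        if len(team_id) != 10:  # Team IDs are 10-character strings
            raise ValueError(f"unexpected Team ID: {team_id!r}")
        teams.setdefault(team_id, []).append(bundle_id)
    return teams

def build_payload(teams, bundle_only=()):
    """Teams in bundle_only are approved per bundle ID; the rest by Team ID."""
    payload = {
        "PayloadType": "com.apple.syspolicy.kernel-extension-policy",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.approved-kexts",  # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Approved Kernel Extensions",
        "AllowedTeamIdentifiers": [t for t in teams if t not in bundle_only],
        "AllowedKernelExtensions": {t: teams[t] for t in teams if t in bundle_only},
    }
    return payload

def render(payload):
    """Serialize the payload dictionary as XML plist text."""
    return plistlib.dumps(payload).decode()

if __name__ == "__main__":
    approved = read_approved(sample_db())
    print(render(build_payload(approved, bundle_only={"ABCDE12345"})))
```

Rows with allowed = 0 never reach the payload, and a vendor listed in bundle_only gets no blanket Team ID approval.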


Monitor Serial Number retrieval via Casper

Having started in the industry on a Help Desk, I found that one of the responsibilities has always been asset tracking and management.
While many tools do provide asset syncing and reporting for computer serials, etc., I found them lacking for other pieces such as display monitors.
I set out to fill that void in my shop by helping our Help Desk easily identify and solve the problem.
The idea was to retrieve the serial number of a connected monitor each time a computer submitted an inventory update.
With a few lines of code, I was able to achieve just that.

The code parses System Profiler output and retrieves the display serial numbers. Should there be more than one display attached, the result will grow to show all the serial numbers it finds.


The first displayed serial represents the main display and the rest follows.
This code has been very useful in my shop to easily identify who had what display.
The serial number is only revealed when the monitor is connected via HDMI, Thunderbolt or DVI, sorry no VGA.

The code is available on my github and while it is ready to be deployed into Casper, it can easily be tweaked for other reporting tools.

Cheers…..

Automate naming computers in Deploystudio

One thing I have always wondered about is removing the errors and the manual work from our imaging process.
While Deploystudio does offer many tools to automate the process and design workflows to achieve completion, I still needed to come up with a way to deal with computer names and the computer records that are stored in Deploystudio.
Thankfully, Deploystudio has a REST API which can be used.