Last Friday I was feeling a little jealous of the San Francisco area Mac Admins group Macbrained for getting a group of individuals together to discuss new items in the Apple world (Mavericks and iOS 7). I know many Mac Admins in the DC Metro area and believe that a DC group would thrive! I was venting my frustrations to @natewalck on ##osx-server, to which he replied: “make one!”. Tom happened to be in the channel as well… and in about 10 minutes we purchased a domain, established email accounts, and created a Twitter account for future broadcasts.
We are still in the beginning stages, but we are aiming to find a good location in January to host the first meeting. At this time, we need to gauge the level of interest from the DC, MD, VA (DMV) area so we can find a suitable venue. If there are items you would like to discuss, let us know! Anything is open: iOS 7 changes, Mavericks changes, security, CLI, Government (or other high-security-requirement areas) focus topics… you name it, let's talk about it.
So please sign up for more information at MacDMV, or email/tweet Tom or myself with questions or concerns.
Over the weekend of September 28th, 2013 I had the opportunity to do the Berryman Adventure race with my brother-in-law Shawn. It is a multi-sport race of running, biking, and canoeing… BUT you have to take everything with you: food, water, clothes, paddles, etc. The Berryman Adventure race is an orienteering race where, the night before, we get a list of lat/long locations that we have to find using the traditional methods of locating things: a map and a compass. Between checkpoints you do not have the luxury of nice foot paths carved to take you from point “A” to point “B”. You have to “bushwhack” your way through trees, streams, animals, twigs, brush, poison ivy, etc., and make your own path.
“The Berryman Adventure is a TRUE backwoods, old school adventure race - offering a single course taking teams 12 to 16 hours to complete”.
While we were bushwhacking, biking, and canoeing through the Mark Twain National Forest, I was trying to keep a mental list of all the interesting items we experienced or witnessed throughout the day. However, once I started reviewing the list… I soon realized that I was creating a list of misery, horror, and PAIN of epic proportions, which would most likely scare anyone away from trying these types of races in the future. So while you are reading the list, just remember I’m glad these things happened and that I was able to overcome the obstacles and finish the race.
The list, in order of time, to the best of my memory:
To the guys who cranked the Licensed to Ill Beastie Boys album at 6am, THANKS! The loud music blasting from your truck set the fun atmosphere and attitude for the rest of the day.
Upon “GO”, it was interesting to watch 57 teams comprising almost 150 people split into two different directions. After the past year of doing triathlons, where there is only one way to go… this was different.
And in about 15 seconds our mass group split again with one taking the gravel car path while we, team Roadkill, decided to jump off that path and bushwhack straight up the hilltop.
While bushwhacking I was educated in what poison ivy looks like. No, not the bad way, but just that it was everywhere. Also, when you are attacked by a swarm of bees (and not SyncServer Mac nerds), you don’t care how you dance or how you sound when you scream (not us, but witnessed).
We finished the first five checkpoints (of 39 checkpoints total) in about an hour, and that is when I realized that waterproof socks are required. Running in wet socks (and shoes) is a perfect mix to generate blisters on your feet, and I felt it starting after the first hour. Luckily we came to the section of the multi-sport where I felt confident I could excel, the bike.
I thought Missouri was flat. I was wrong.
Once we were finished with the 18 mile ride, we got to the canoes. We had to arrange our bikes on the canoe and TAKE THEM WITH US to the next several checkpoints.
From this point we had done all three sports, the rest of the trip went
It was great to finish. However, the downpour at 4pm really put a damper on the spirits, and at that time the goal shifted to “just finish the race” vs. catching more checkpoints. Maybe I should look into doing a Half Ironman now that I know I can take an entire day of physical (and mental) punishment.
I just remembered a couple of items that I did learn from my first race that I wanted to write down so I can review for next year:
In addition to some waterproof socks, if you want to do ANY night work, get a decent front headlight on your bike to see the roads. Are there ones with fog options? Bring a hand flashlight along with the headlamp.
Need better pants to protect my legs. The compression socks did OK (better than nothing), but I’m still in ITCHING HELL from my knees to my ankles.
To the guy that passed us pedaling uphill, JEALOUS! FYI: he has a “42” on his rear cog. That would be nice.
If you want to see a map of our adventure, it’s available via this Google Map link. You’ll notice at the beginning the GPS tracker had a little trouble finding us while we were standing still… but once we started moving on the bikes it locked on.
Also, if you want to read about the race from other racers, I found:
In the last article, Casper Suite 9: Cloud and JDS Distribution Points, I gave you information about things to take into consideration before installing a JAMF Distribution Server (JDS) into your Casper Suite 9 environment. In this article I’ll take you through an example install of a JDS on Ubuntu.
JAMF Distribution Server (JDS) Install
I’m going to measure my success in this example by the brevity of the article. So here it goes!
Step 1: Get an install of Ubuntu
I am using Ubuntu Server 12.04 LTS as it’s one of the platforms identified as supported for a JDS. You can install the JDS on:
I then used the ISO to create a new VM. YES, Fusion could make this easy for me, but I like going through the steps of the installer so I can set the hostname and configure the other detailed options I am prompted for (such as installing SSH at the end).
Step 2: Run the script
Once your VM is running (with proper networking, DNS, and hostname), copy JAMF’s JDS Linux install script to your server and run it!
There you go! I did this twice (JDS1 and JDS2) and now my JSS reports both distribution points.
The output gist log has some very interesting output items and shows you how much JAMF is working for you to make things easy.
Validating JDS is being installed on a supported OS
Hidden from the display output, the script is also doing:
Utilizing machine based SSL certificates for Secure JSS/Client to JDS communication
Installing the jamfds binary
If you really want to go digging, once you run the script and are prompted for your JDS name… STOP. Search in the same directory and you’ll find a new directory called “base”. Inside that are all the scripts that are embedded into JAMF’s “.run” file.
Red Hat Linux (RHL) Support is something new for JAMF. ↩
The Casper Suite has been able to provide installation packages to managed OS X clients via AFP, SMB, and/or HTTP(S) for a long time, but now JAMF Software has introduced two new methods to provide packages: the JAMF Distribution Server (JDS) and the Cloud Distribution Point (CDP). Both of these DP installation methods make deploying web-based package distribution EXTREMELY easy and quick to stand up in a test or production environment, vs. needing to configure multiple services in a Windows or OS X Server setting.
Cloud Distribution Points (CDP)
Cloud Distribution Points are easy to describe: they utilize a cloud hosting provider to store the DMG or PKG files to install on your client machines no matter where they are located. JDS servers are ideal for locations that have security restrictions on port forwarding through a firewall, that don’t want a non-rack-mountable Mac mini server in their DMZ, or that have a physically diverse workforce where it doesn’t make sense to host installation packages in-house. There are a couple of limitations and requirements for a CDP, as follows:
You can only have one CDP in your environment. This makes sense, as you are trying to make something available outside of your internal network. You need to pick a cloud hosting provider that can support the bandwidth requirements for the number of devices you are trying to support. At this time you have three choices:
Amazon Web Services (S3 and CloudFront)
All communication between your JSS, your CDP, and your clients will be over HTTPS (port 443) to ensure a proper secure environment.
You can only store packages, in-house iOS apps, and in-house eBooks (no scripts). Scripts can now be stored in the “jamfsoftware” database, so you don’t really need to have them as flat files to download.
CDP can be the Master Distribution Point, or you can selectively sync items to your cloud storage.
JAMF Distribution Server (JDS)
A JDS is something very new. In the Admin Guide, JAMF Software describes a JDS instance as “a distribution point that is managed by the JAMF Software Server (JSS), similar to a computer or mobile device”. A JDS is a completely separate server that you install on OS X Server (10.6 or greater) or Linux (Ubuntu 10.04 LTS, 12.04 LTS, and Red Hat). Some items to note are:
A JDS can be installed multiple times. In this respect it is like a traditional Distribution Point, vs. the single install of a CDP.
The first install is your root install. This is important! All additional JDS instances will be “fed” from the root JDS as the primary source of packages (you can change which server is the ROOT at a later time if you wish).
This is done with WebDAV and SSL certificates, so you want to make sure you know what you are doing in your environment. Either start buying from a third-party vendor (Network Solutions, Verisign, StartSSL) OR make sure you know how to install your internal root CA and intermediate CA into your JDS server. 1
A JDS keeps a complete copy of the items to be installed in its local repository, so it doesn’t make sense to have a traditional Distribution Point and a JDS installed on the same server; pick one: JDS or traditional Distribution Point. You can find the file locations of a JDS in JAMF’s kbase article Components Installed on JDS Instances.
When moving your scripts and packages to your new JDS, there are some special characters that can’t be used in a file name: / : ? < > \ * | " [ ]. All scripts are now stored within the jamfsoftware MySQL database vs. a flat “.sh/.py/.perl/.rb” file. There are also a couple of “gotchas” when using the JDS, as listed in JAMF’s kbase article Migrating Packages and Scripts:
- You must use the script editor in the JSS to make changes to the contents of scripts.
- You are no longer able to use scripts in the AppleScript format.
- You are no longer able to deploy non-flat PKGs using Casper Imaging v8.5 or earlier, or Casper Remote v8.x.
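As an added example (not JAMF’s code and not from the original article), the shell script below checks package and script file names for the forbidden characters listed above before anything is copied to a JDS, so offending files can be renamed up front instead of failing mid-migration. It assumes the curly quote in the list stands for the ASCII double quote; the sample names and the directory-scan helper are constructed for illustration.

```shell
#!/bin/sh
# Added example (not JAMF's code): flag file names that contain a character
# the article says a JDS cannot accept:  / : ? < > \ * | " [ ]
# Assumption: the curly quote in the article's list means the ASCII double quote.

# Return 0 when the name is acceptable, 1 when it contains a forbidden character.
check_jds_filename() {
    # In a bracket expression ']' must come first and '\' is literal, hence the odd-looking set.
    if printf '%s\n' "$1" | grep -q '[]/:?<>\*|"[]'; then
        return 1
    fi
    return 0
}

# Print every offending file under a directory so it can be renamed before migration.
scan_dir_for_jds() {
    find "$1" -type f | while IFS= read -r path; do
        name=$(basename "$path")
        check_jds_filename "$name" || printf 'rename before upload: %s\n' "$path"
    done
}

# Constructed sample names (not from the article) to show the check in action.
SAMPLE_NAMES='Firefox-24.0.pkg
Adobe:Reader.dmg
Office 2011 [SP3].pkg
Setup|Tool.dmg
Cleanup.sh'

# Run the check over the sample list and return the rejected names, comma-separated.
rejected_sample_names() {
    out=$(printf '%s\n' "$SAMPLE_NAMES" | while IFS= read -r n; do
        check_jds_filename "$n" || printf '%s,' "$n"
    done)
    printf '%s\n' "${out%,}"
}

# With a directory argument, scan it (e.g. sh jds_names.sh /path/to/CasperShare);
# with no arguments, demonstrate on the constructed sample.
if [ $# -gt 0 ]; then
    scan_dir_for_jds "$1"
else
    rejected_sample_names
fi
```

The check runs on the basename only, since `/` can never appear in a basename anyway; anything the script prints is a file to rename before the JDS migration.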
I haven’t had a chance to test out an internal CA yet, but it sounds fun! This may be a future article. ↩
Casper Admin Guide PDF within the Casper Suite 9 DMG
Hopefully you had time to review my last article on how Apple’s Push Notification System (APNS) works when managing OS X and iOS devices. It’s not required reading, but it does provide an overview of how complicated APNS is AND the beauty of its architecture in making everything happen in an instant! What I now want to discuss is not when APNS works, but when it doesn’t: “What are the common things I check when APNS is not working?” Most of these debugging steps are for the initial setup of your APNS environment; if this was working “fine” but now nothing works… there may be something else at hand.
Network APNS issues
First and foremost, when APNS doesn’t work I’m blaming your network. Are you allowing the proper ports out of your environment, specifically ports 2195, 2196, and 5223? You can test 2195 and 2196 by using the ’nc’ command against gateway.push.apple.com and feedback.push.apple.com on ports 2195 and 2196 respectively, and this needs to happen FROM your MDM (the JSS, specifically, in the case of the Casper Suite). Below are successful examples using the nc command:
nc test for APNS
justinrummel@JRummel-MBPr ~> /usr/bin/nc -z -4 -w 10 gateway.push.apple.com 2195
Connection to gateway.push.apple.com 2195 port [tcp/*] succeeded!
justinrummel@JRummel-MBPr ~> /usr/bin/nc -z -4 -w 10 feedback.push.apple.com 2196
Connection to feedback.push.apple.com 2196 port [tcp/*] succeeded!
The second item is your devices connecting to the APNS network over port 5223. This is the network element that allows your devices (OS X or iOS) to talk to Apple.
nc test for Push client initialization server
justinrummel@JRummel-MBPr ~> /usr/bin/nc -z -4 -w 10 init-p01st.push.apple.com 80
Connection to init-p01st.push.apple.com 80 port [tcp/http] succeeded!
When running these tests, be sure to perform them from their respective network segments. Most networks are NOT flat, except inside your house/home. Server networks may have tighter requirements than the WiFi networks for your iPads. Remember, all three of these sessions are being established from the inside to the outside world. Most firewalls are set up to allow this type of network communication, as most people are worried about people getting in, not going out of the network environment. Lastly, if your network administrator starts thinking WE HAVE A GIANT DOOR FOR THINGS TO GO OUT ON THREE PORTS! OMG!, request that these ports are only opened toward the 17.x.x.x Class A network. Apple owns that whole Class A block.
It goes without saying that DNS needs to work from the server and your clients. I have been in some situations where the ONLY DNS available in the server room is for the internal domain, so that viruses cannot find their “command central” and spread their disease-infested “ones and zeros” throughout the servers (this is a lie, but whatever). With no DNS, PUSH commands will never be sent. You may need to move your MDM to a DMZ.
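The port and DNS checks above, rolled into one script as an added example (not JAMF’s or Apple’s tooling, and not code from the original article): for each push host it resolves the name, reports whether the addresses fall inside Apple’s 17.0.0.0/8 block (the scope suggested above for the firewall exception), and then runs the same `nc -z -4 -w 10` connect test shown earlier. It assumes the BSD-style nc used above and `getent` (Linux) or `dig` for lookups; the three default targets are the ones tested above, while the `--defaults` flag, the host:port argument form and the function names are mine.

```shell
#!/bin/sh
# Added example (not JAMF's or Apple's tooling): verify the outbound paths APNS needs
# from whichever network segment this is run on.
# Assumptions: BSD/OpenBSD nc (the -z -4 -w flags used in the article); getent or dig
# available for DNS. Targets are "host:port"; the defaults are the three the article tests.
# Port 5223 from the client LAN needs its own host:port argument from that segment.

DEFAULT_TARGETS='gateway.push.apple.com:2195 feedback.push.apple.com:2196 init-p01st.push.apple.com:80'

# Split "host:port" into its two parts.
target_host() { printf '%s\n' "${1%%:*}"; }
target_port() { printf '%s\n' "${1##*:}"; }

# True when $1 is a dotted-quad IPv4 address inside Apple's 17.0.0.0/8 block.
is_apple_ip() {
    case "$1" in
        17.[0-9]*.[0-9]*.[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the IPv4 addresses a name resolves to, one per line (no output = DNS failure).
resolve_host() {
    if command -v getent >/dev/null 2>&1; then
        getent ahostsv4 "$1" 2>/dev/null | awk '{ print $1 }' | sort -u
    elif command -v dig >/dev/null 2>&1; then
        dig +short A "$1" 2>/dev/null | grep -E '^[0-9]+(\.[0-9]+){3}$'
    fi
}

# TCP connect test with the same nc flags the article uses (IPv4 only, 10 s timeout).
check_port() {
    nc -z -4 -w 10 "$1" "$2" >/dev/null 2>&1
}

# Resolve, classify and connect for one target; non-zero if any step fails.
check_target() {
    host=$(target_host "$1"); port=$(target_port "$1")
    addrs=$(resolve_host "$host")
    if [ -z "$addrs" ]; then
        printf 'FAIL %s:%s  DNS lookup failed (no push without DNS)\n' "$host" "$port"
        return 1
    fi
    for a in $addrs; do
        if is_apple_ip "$a"; then note='in 17.0.0.0/8'; else note='NOT in 17.0.0.0/8'; fi
        printf 'info %s -> %s (%s)\n' "$host" "$a" "$note"
    done
    if check_port "$host" "$port"; then
        printf 'ok   %s:%s reachable\n' "$host" "$port"
    else
        printf 'FAIL %s:%s blocked or filtered\n' "$host" "$port"
        return 1
    fi
}

# Usage: sh apns_check.sh --defaults      or      sh apns_check.sh host:port [host:port ...]
main() {
    if [ "$1" = "--defaults" ]; then
        set -- $DEFAULT_TARGETS
    fi
    status=0
    for t in "$@"; do
        check_target "$t" || status=1
    done
    return $status
}

# Only touch the network when targets were actually given.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it once from the JSS (or MDM) subnet and once from the device WiFi, since the article’s point is that the two segments are usually filtered differently; a `FAIL` on the DNS step is the "no DNS, no push" case, and a `NOT in 17.0.0.0/8` note means the resolved address would fall outside a firewall rule scoped to Apple’s block.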
Along with DNS, there may be certificate issues. With certificates you MUST use the Fully Qualified Domain Name (FQDN). Sorry… I know “server1” is much easier than “server1.domain.tld”, but that doesn’t work when you need certificates to validate. USE the FQDN. In fact, ALWAYS use the FQDN in any setting on the JSS, with the exception of the NetBoot server, and that is a requirement because the bless command is looking for an IP address.
Lastly, I want to bring up a strange issue that I discovered some time ago when testing OS X 10.8 and the Casper Suite by creating multiple virtual machines with VMware Fusion. I hope this was an issue because I created 10 VMs on my MacBook Pro Retina, Mid 2012, and started enrolling them into my test JSS. With the help of JAMF Support we discovered that at some point my VMs were not getting a token from Apple. The way I found this was by searching inside the MySQL database. 1
searching for tokens in MySQL
sadmin@auto:~$ sudo mysql -u root -p
[sudo] password for sadmin:
mysql> use jamfsoftware
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
mysql> select computer_name, computer_id, apn_token from computers;
| computer_name | computer_id | apn_token |
| osxs1 | 2 | at3cspak ts6mneko ob5gosst sag2poow nug1tyda lee4bluu aro3ogty hep5erbj |
| osxs2 | 3 | ax8cucai zag8splr te6pijig en0pykvi hy9avkha yi7ergrb nem5splo of5efkis |
| mo | 4 | jaz5jori sw7rhtic qu7mesgi mug4paia el6boosu pol8lecd av2pieok sv6ursqg |
| nemo | 15 | mi7iaknr tom7idoo log5hyad upl1agrr ol0olsib lea3hitb gyp8tenr sk6lamjo |
| Lion | 13 | |
| Composer | 16 | |
6 rows in set (0.00 sec)
mysql>
You can see there are two computers that I enrolled into my JSS which never received an APNS token. The end result is that these computers will never receive any PUSH commands, because Apple has no way of finding the devices. My initial clue that something was wrong came after the two computers were successfully enrolled: I looked for them to assign a Configuration Profile and they were missing from the “Individual Computers” list. It must be a MySQL query that requires the apn_token to be returned in order to populate the list.
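An added example (not from the article and not JAMF’s code) that turns the eyeball check above into something repeatable: a small parser for the mysql client’s pipe-delimited table that prints only the computers whose apn_token cell is empty, plus the equivalent direct query. It assumes the column names shown above (computer_name, computer_id, apn_token) in the computers table of the jamfsoftware database; the sample table and its placeholder tokens are constructed.

```shell
#!/bin/sh
# Added example (not JAMF's code): list enrolled computers with no APNS token, the
# condition the article shows for machines that will never receive a push command.
# Assumptions: the table layout is what the mysql client prints, and the live query reads
# the same columns (computer_name, computer_id, apn_token) from the jamfsoftware database.

# Parse the mysql client's `|`-delimited output on stdin; print "name id" for token-less rows.
untokened_computers() {
    awk -F'|' '
        /^\|/ {
            # Trim blanks around every cell; field 1 is the empty text before the first pipe.
            for (i = 1; i <= NF; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
            if ($2 == "computer_name") next      # header row
            if ($4 == "") print $2, $3           # apn_token cell is empty
        }'
}

# Constructed sample in the article's layout (tokens are placeholders, not real APNS tokens).
SAMPLE_TABLE='| computer_name | computer_id | apn_token |
| osxs1 | 2 | tok-placeholder-0001 |
| osxs2 | 3 | tok-placeholder-0002 |
| Lion | 13 | |
| Composer | 16 | |
4 rows in set (0.00 sec)'

# Run the parser over the sample and return the flagged rows comma-separated.
audit_sample() {
    out=$(printf '%s\n' "$SAMPLE_TABLE" | untokened_computers | tr '\n' ',')
    printf '%s\n' "${out%,}"
}

# Ask the database directly instead of scanning the full table (prompts for the MySQL password,
# as the article's session does). Empty string and NULL are both treated as "no token".
audit_live() {
    sudo mysql -u root -p jamfsoftware -e \
        "SELECT computer_name, computer_id FROM computers WHERE apn_token IS NULL OR apn_token = '';"
}

# Usage: sh apns_token_audit.sh          (demonstrate on the constructed sample)
#        sh apns_token_audit.sh --live   (query the JSS database on this server)
if [ "$1" = "--live" ]; then
    audit_live
else
    audit_sample
fi
```

Any computer the script names is one to re-enroll or investigate, since without a token in that column the JSS has nothing to hand to Apple and the machine will also be missing from the “Individual Computers” list described above.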
No, these are not my real APNS tokens! You think I would publish those… on the INTERNET!? Randomly generated by [rand] ↩