
Post on 13-Jul-2020


Managing macOS: BigFix and MDM

Andrew Laurence, Office of Information Technology

University of California, Irvine

BigFix at UC Irvine

• 6,500 Endpoints
  • 3,500 at OIT
  • 3,000 at client departments
• Mostly user endpoints
• Mostly Windows
• Patch Management
• Power
• Custom Content
• Application Deployment
• Trust but verify
  • Nessus Agents

OIT Desktop Support

• Windows history
• Active Directory
• Group Policy
• BigFix for patching, power

Endpoint Management: OIT Desktop Support (Windows), …applied to macOS

| Usecase / Organization | Windows | macOS |
|---|---|---|
| Rapid Deployment | MDT | Deploy Studio |
| Application Deployment | MDT / BigFix | Deploy Studio / BigFix |
| Patching | BigFix | BigFix |
| Policy Management | Group Policy | MDM |

MDM arrives

• Needed by a client department
• Short deployment timeline
• Peer organization had completed an evaluation, selected Airwatch.
• Yay!

Mobile Device Management

• Server-stored configurations
• Manipulates OS-native APIs & settings
• Server-stored deployment scoping
• Agent built into OS
• Can execute binaries / scripts
• Configurations are actually XML-based files.

Mobile Device Management

• Airwatch / Workspace ONE
• Blackberry / Good
• Intune
• JAMF
• MaaS360
• MobileIron

How to support macOS?

Technology
• How is this platform different?
• What is the state of the art?
• What methods or tools are common?

Organization
• What tools do we have?
• What expertise do we have?
• Build vs buy?

macOS Tools

| Usecase | macOS Tool |
|---|---|
| Rapid Deployment | Deploy Studio |
| Application Deployment | Deploy Studio / BigFix |
| Patching | BigFix |
| Policy Management | Airwatch |

NetBoot | Deploy Studio

• Imaging Workflow
  • Partition, install "factory" macOS
  • Installs standard configuration
    • Applications
    • scripts
    • `softwareupdate`
  • Post-boot finishing
    • Airwatch, BigFix

BigFix

• root shell robot
• Desired state configuration in patch management clothing.
• If you can do it in the shell, you can do it in BigFix.

BigFix

• Fixlets install various applications.
• Baseline bundles together the standard suite.
• Enroll into Airwatch via `profiles` command

Airwatch Policies

• Active Directory
• Enterprise Connect
• Firewall
• Login Window
• Restrictions
• Security & Privacy


Common Gaps, Common Workarounds

• BigFix
  • Relevance inspectors for scoping.
  • Inspectors don't cover everything.
  • Actions + script output => files
  • Relevance reads files for data, properties, client settings.
• Airwatch
  • Scoping gaps filled by Custom Attributes.
  • Output from shell scripts, saved as data.
• JAMF
  • Scoping gaps filled by Extension Attributes.
  • Output from shell scripts, saved as data.

BigFix on macOS

• Fixlet templates for install scenarios
  • .pkg file
  • .pkg inside .dmg
  • .app contained within .dmg
• `{application}` inspector can result in fixlet "fail"
  • reliant on Spotlight, can be slow to return
  • `{(application of folder "/Applications") whose (name of it is "foo.app")}`

macOS Upgrade via BigFix

• `startosinstall`
  • 10.12 or later
• `--installpackage`
  • Flat package(s), install after Setup Assistant
• `--converttoapfs`
  • 10.13 or later
• `--eraseinstall`
  • 10.13.4 or later
  • requires APFS

What about…

• Apple's DEP
  • Procurement to delivery
  • Automated MDM enrollment
  • Can install packages
    • Must be flat packages
    • (just like `--installpackage`)

macOS' Tightening Security Profile | DEP

• System Integrity Protection
  • root is no longer root
  • BigFix runs as root
• User Authorized MDM
  • Enrollment grandfathered from pre-10.13.4 MDM enrollment
• User Authorized Kernel Extension Loading
• Privacy Preferences Policy Control

Boundaries

• inspectors don't cover everything
  • need for OS groups on not-Windows
  • SIP on Mojave is restricted further
    • relevance for group .plist now fails
• `output of` inspector would be useful
  • Constrained?
  • `dscl read`
  • `system_profiler`
  • `diskutil [list|info]`
  • `profiles -list -all`
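The "Actions + script output => files" workaround from the Common Gaps slide and the OS-group boundary above, as an added example that is not from the talk: a script the management agent can run as root that reads local admin group membership via `dscl`, compares it with an expected list, and saves the result as a key=value file for relevance (or an Airwatch Custom Attribute / JAMF Extension Attribute) to read. The output path, the allow-list and the sample `dscl` output are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not part of the presentation). Records membership of the
# local "admin" group, which the relevance inspectors do not expose, so that
# scoping can be driven from a file written by an action.

# Constructed sample of what `dscl . -read /Groups/admin GroupMembership`
# prints on macOS; used as a stand-in so the script also runs on other hosts.
SAMPLE_DSCL_OUTPUT='GroupMembership: root admin alice bob'

# Acquire the real group record on a Mac, fall back to the sample elsewhere.
collect_admin_group() {
    if command -v dscl >/dev/null 2>&1; then
        dscl . -read /Groups/admin GroupMembership
    else
        printf '%s\n' "$SAMPLE_DSCL_OUTPUT"
    fi
}

# Turn "GroupMembership: a b c" into one member per line (drops the key).
admin_members() {
    printf '%s\n' "$1" | awk '/^GroupMembership:/ { for (i = 2; i <= NF; i++) print $i }'
}

# Print members that are not on the space-separated allow-list.
unexpected_admins() {
    allowed="$2"
    admin_members "$1" | while read -r m; do
        case " $allowed " in
            *" $m "*) ;;                 # expected admin
            *) printf '%s\n' "$m" ;;     # not on the allow-list
        esac
    done
}

# Write a key=value file at $1 that relevance (or an MDM attribute) can read.
write_admin_report() {
    out="$1"; dscl_out="$2"; allowed="$3"
    members="$(admin_members "$dscl_out" | tr '\n' ' ')"
    unexpected="$(unexpected_admins "$dscl_out" "$allowed" | tr '\n' ' ')"
    set -- $unexpected                   # word-split to count the names
    {
        printf 'admin_members=%s\n' "${members% }"
        printf 'unexpected_admins=%s\n' "${unexpected% }"
        printf 'unexpected_count=%s\n' "$#"
    } > "$out"
}

# Demo over the constructed sample; a real action would pass collect_admin_group
# output and an assumed path such as one under the agent's data directory.
write_admin_report "${REPORT_FILE:-/tmp/admin_group_report.txt}" "$SAMPLE_DSCL_OUTPUT" "root admin alice"
```

Relevance can then scope on a line such as `unexpected_count=0` in the report file, and a non-zero count is the signal an unexpected local admin was added.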

In Summary

• Know your tools
• Know your endpoint OS
• Know your organization

atlauren@uci.edu
