Apple Deployment Programs Updated

These are my notes from the WWDC 2017 session "What's New in Device Configuration, Deployment, and Management". They can seem quite scattered. I did want to share them and provide a reference for myself other than Evernote.

Enrollment

Apple TV can now be enrolled in the Device Enrollment Program

Add Personally Owned Devices to DEP

  • Add devices purchased outside of supported channels to DEP
  • Devices with iOS 11 or tvOS 11
  • Apple Configurator 2.5

Supervision is required and MDM is mandatory.

  • When you add a device to DEP, it erases the device
  • 30-day provisional period - provisional period starts when the device is activated
  • User can remove the device from DEP during the Setup Assistant or Settings (within the 30 days)
  • Both during and after the provisional period all DEP features are available

In Apple Configurator 2, when selecting “Prepare” - option to add device to Device Enrollment Program

DEP

  • Unsupervised is deprecated
  • Optional MDM is deprecated

Apple School Manager


Security enhancements for MDM

  • In iOS 10.3, certificate partial trust was enabled for manually installed certificates and certificate profiles
  • A certificate with partial trust is trusted for all purposes except SSL
  • Automatic installation: full trust
  • Manually installed certificates receive partial trust at first. Users can go to Settings - About - Certificate Trust Settings and enable full trust. This provides an appropriate additional warning.
  • If a certificate is manually installed by a profile that also contains an MDM payload, then that certificate is given full trust

ATS

In 2018, MDMs will require “App Transport Security" (ATS), a set of security requirements for secure communication.

  • ATS requires additional security protocols to enhance security communications
  • If ATS is not supported by MDM then the client will refuse to communicate with it

In 2018 APNs service tokens will increase in size. MDMs must support APNs tokens of up to 100 bytes.


macOS

  • Certificate pinning - checks the server URL and the check-in URL
  • Hard revocation checking of pinned certificates - trust evaluation fails if the device cannot get a positive response from the revocation server, for any reason

Best practices for Admins

  • Shared iPad - Enable diagnostics submission command
  • Shared iPad - User storage quota on APFS - A user quota sets the maximum amount of data a user can store on the device. This ensures users are not consuming too much space, which would crowd out other users. With the upgrade to iOS 10.3 the storage quota was disabled, so admins must enable it.

  • User profiles command line tool for startup profiles - see the man page for the “profiles” command

Troubleshooting Tips

  • Get logs using Console or Apple Configurator 2
  • For iOS filter the logs by:
  • Profiles and certificate installation: profiled
  • Restrictions: profiled
  • MDM: mdmd, dmd
  • Apps: mdmd, mdm, appstored (installs and removes apps), itunesstored (if the apps come from iTunes)

macOS - don’t filter results by process but by the subsystem com.apple.ManagedClient


Distribution

Apple School Manager

VPP integrated in Apple School Manager

  • Integrated, updated UI
  • Easier management of purchases
  • License transfer between locations. Content managers will no longer need to share credentials

VPP in Apple School Manager - purchases associated with location

  • Content Managers buy for location
  • Single token needed for each location
  • Content Managers manage all licenses at location

Licenses can be transferred from one location to another

  • Apple School Manager now shows number of available licenses
  • Licenses that are currently available and not assigned can be transferred - licenses already assigned cannot be transferred and must be revoked first

Release of new VPP features later this summer

tvOS

  • Enterprise apps can be installed
  • Managed app configuration


Management

iOS
The enrollment and app profiles take a significant amount of Wi-Fi resources

  • To address this, a new option on all MDM commands lets the admin specify that the device can use a wired network (Internet Sharing over USB or an Ethernet connection) to perform the command
  • Combined with “Content Caching” in macOS, this should improve the setup experience for iOS

MDM already has the ability to install software updates on DEP devices without a passcode.
Added support for:

  • Passcode locked Supervised devices
  • Non-DEP Supervised devices
  • Preserve data plan when erasing devices
  • Removal of system apps

Data Protection

  • Join only Wi-Fi networks configured by policies
  • Exemption of carrier profiles (Supervise)
  • Disable users from creating their own VPN (Supervise)
  • Exchange and mail - Control S/MIME signing and encryption independently

Classroom Manager for Supervised devices

  • Unprompted screen observation
  • Unprompted app and device lock
  • Automatic joining of classes

AirPrint

  • Custom port
  • Require TLS
  • Disable iBeacon discovery for printers (Supervise)
  • Disable AirPrint credentials being stored in Keychain
  • Disable AirPrint

Networking

  • DNS proxy extension (Bundle ID) (Supervise)
  • Internet Protocol version(s) for cellular connections


macOS

Setup

  • System Migration payload can be configured to select custom migration paths from Windows to Mac
  • Smart card configuration
  • Ability to provide a default configuration for any 802.1x Ethernet config for ports that do not have an explicit configuration
  • Software update delay for up to 90 days (Supervise)
  • Deferred updates query info (Supervise)

Firmware

  • Firmware passwords are analogous to Activation Lock on iOS
  • The Firmware password can be completely managed using an MDM server
  • Admin can set password
  • Query password status
  • Verify password
  • A restart is required when the firmware password is changed

Account Management

  • Querying List of Users
  • Delete user accounts
  • Unlock user accounts

Data Protection

  • New Extensions payload can be used to configure whitelists and blacklists of extensions
  • Disable all extensions
  • Query active extensions for a user
  • Escrow FileVault personal recovery keys to a custom server
  • Recover recovery key using MDM server
  • Disable iCloud desktop and documents

tvOS

  • Erase device (using Configurator or MDM)
  • Enroll Apple TV into DEP
  • Specify TV name
  • Modifying TV Name
  • Show/Hide apps
  • Home Screen Layout

Conference Room (Supervise)

  • Display custom message on screen
  • Restrict users to only access Apple TV to share their displays
  • AirPlay Security - 1 time passcode, passcode each time, a custom passcode

Kiosks and Dashboard

  • Single App Mode
  • Disable remote app pairing
  • Disable AirPlay

iOS, macOS, tvOS - Shared

  • VPN IKEv2 and Wi-Fi min/max TLS versions
  • Installed app list consistent
  • Restart (Supervise)

Assessments

  • Activity continuation
  • Universal Clipboard
  • Dictation
  • Smart punctuation
  • Classroom screen observation

Restrictions that, starting in 2018, will only be available for Supervised devices:

  • App installation
  • App removal
  • FaceTime
  • Safari
  • iTunes
  • Explicit content
  • iCloud documents and data
  • Multiplayer gaming
  • Add GameCenter friends


Tools Update

  • Apple Configurator 2.5
  • Profile Manager in Server 5.4
  • Classroom
  • Content caching
  • Roster Simulator

Classroom 2

  • Teacher created classes
  • Document transfer between teacher and student
  • Mute devices

Classroom 2.1

  • Managed class behavior for teacher-created classes on supervised devices
  • Student activity view

The caching service is no longer restricted to macOS Server

  • “Content Caching” is built-in to macOS 10.13 High Sierra

Tethered caching UI

  • Introduced in Spring 2017 with macOS 10.12.4
  • Consists of three main pieces:
  • It provides a wired internet connection to all connected iOS USB devices
  • Provides “Content Caching” service on the Mac
  • Funnels all network traffic from the tethered devices through the “Content Caching” service when downloading cacheable Apple content

To enable this feature:

In System Preferences click “Sharing”.

Click “Content Caching” (currently only available on the macOS 10.13 beta).

Select “Share Internet Connection” which states: Share this computer’s Internet connection and cached content with iOS devices connected using USB.

Clicking "Options" provides a UI that is similar to what is found in macOS Server



iOS devices can be plugged in any time during the process

When an enrolled MDM iOS device becomes tethered it automatically checks in to the MDM server to see whether there are any commands to process. If a command requires the network it will use the USB interface instead of Wi-Fi. Both USB and Wi-Fi connections are required to process the download command: the asset needs to be downloaded from the internet and is then pushed to the device via USB.

Questions I had regarding "Content Caching": once the content is cached, is Wi-Fi no longer used?
Is Wi-Fi required for the first download of the app to begin? What about subsequent downloads?

Microsoft SSH Server for Windows

Being able to connect to Windows PCs using SSH is very useful. It opens a new world of tools that simply did not work prior to the Windows 10 “Anniversary Update” released last August. I will outline the basic steps for enabling SSH and connecting to a Windows computer using SSH.

Open "Settings". Click "Updates & Security"

Under “Updates and Security” click “For Developers”.

Enable “Developer Mode”. This changes the configuration to allow installing any signed app and using advanced development features.

If prompted to restart, then do it.

Upon restart return to “Updates and Security” and click “For Developers”.

You can turn on “Device discovery” which adds mDNS support for Windows.

This will enable the “SSH Server Broker” and “SSH Server Proxy” background services. Depending on your firewall settings, this will allow the service to listen for incoming connections from both private and public networks.

On my Mac, I opened “Terminal” and in my case connected via SSH using the command ssh daniel@10.0.1.5. I’m prompted with the RSA key fingerprint. Type “yes” to continue connecting.

Boom! I’m logged in to Windows.

Notice I am logged in to the “Command Prompt” by default and not the Bash shell for Windows. I can type either bash or powershell to continue in my preferred shell.

Note: Currently, there are no brute-force login protections built into “Microsoft SSH Server for Windows”. A remote attacker can make continual guesses of your login credentials. You can limit your risk of a brute-force attack by disabling logins from remote networks.

Disable public remote network logins:

Open “Control Panel” - “System Security” - “Windows Firewall” - “Allowed apps”

Select “Change Settings”

In the list, locate “Ssh server” and disable “Public”

This limits the service to accepting logins only from sources that Windows identifies as local or private networks.

Set a FileVault recovery key for Mac computers in your institution

This article is based off Apple’s instructions for setting up an institutional recovery key.

Apple products continue to be pushed into the enterprise market. This means different expectations are placed on computers and devices compared with a consumer product. I want to show you how to implement full disk encryption (FileVault) and then deploy it to our computers using an MDM solution. This process will be similar no matter what MDM you are using. For a common reference point, I will be using Profile Manager.

I am starting on a random client computer.

1. Start by creating a master password and private recovery key on one of your Mac computers:

2. Open System Preferences and then click Users & Groups.

3. Click the Lock button and authenticate with an administrative name and password.

4. From the Action pop-up menu, choose Set Master Password.

5. Enter and verify your master password, then click OK.

6. Open Finder and navigate to /Library/Keychains/

You will notice four files in the Keychains folder. The two to focus on are “FileVaultMaster.cer” and “FileVaultMaster.keychain”.

7. Copy the file at /Library/Keychains/FileVaultMaster.keychain to a safe location, such as an external drive or encrypted disk image on another physical disk. This FileVault master keychain contains the private FileVault recovery key. You can use this private key to unlock the startup disk of any Mac computer that uses your deployed FileVault master keychain. 

8. Unlock the Keychain we just created. Open Terminal and run the following command:

sudo security unlock-keychain /Library/Keychains/FileVaultMaster.keychain

The first prompt is for sudo; the second prompt, “password to unlock /Library/Keychains/FileVaultMaster.keychain:”, asks for the password you set as the master password.

9. Double-click “FileVaultMaster.keychain” in Finder. This will open “Keychain Access”. It’s important that “FileVaultMaster” under “Keychains” is unlocked.

10. Select FileVaultMaster from the Keychains section of the sidebar.

11. Select FileVault Master Password Key from the list of keys. 

For demonstration purposes I have my server set-up as .local. In a production environment you will have a FQDN.


12. Press Delete, then press Enter to confirm.

13. Double-click “FileVault Recovery Key”. Since the root certificate is not trusted, toggle the option next to “When using this certificate:” to “Always Trust”.

The certificate is marked as trusted for all users

We have a trusted Recovery key.

14. Right-click “FileVault Recovery Key” and export the certificate. Choose a location that will be best for deploying via MDM.


15. Make a copy of the file at /Library/Keychains/FileVaultMaster.keychain, but don't replace the identically named private recovery key that you copied earlier. That private key is not for distribution.

If you are deploying manually or using something like Apple’s “Remote Desktop” follow the directions below:

Put the updated FileVaultMaster.keychain file in the /Library/Keychains/ folder of each Mac. The file's ownership and permissions should be -rw-r--r--, which you can set with these Terminal commands:

sudo chown root:wheel /Library/Keychains/FileVaultMaster.keychain

sudo chmod 644 /Library/Keychains/FileVaultMaster.keychain

Turn on FileVault on each Mac

After deploying the FileVault master keychain, turn on FileVault on each client Mac. 


I am going to deploy using MDM. For reference purposes, I am using Apple’s “Profile Manager”.

Note: You must be running the “Server” app and have enabled “Profile Manager”

16. In a web browser open mydomainname.com/profilemanager. Please use your own domain.

Also, “Device Management” will need to be enabled if you want to create a “Device Group” as I will be demonstrating.


In Profile Manager’s Web portal click “Device Groups” and create an applicable name.

17. Click “Settings” and then “Edit” to begin creating a profile.


18. Under “macOS and iOS” in the sidebar, click “Certificates”

19. Click to “Add Certificate”. 

20. Select the certificate exported from “Keychain Access” earlier in the tutorial.

21. In Profile Manager’s Web portal click “Security and Privacy” along the sidebar under macOS. 

22. Click “Configure” then “FileVault”.

23. Enable “Require FileVault”

You are presented with three options, depending on whether you want only the institution to retain the recovery key, to create a personal FileVault recovery key, or to use an institutional recovery key and also create a personal FileVault recovery key. I am selecting the third, since that allows my users to have a personal recovery key while my team has access to its own unique recovery key.

24. Under “Certificate”, select the certificate we have been using.

25. Click “OK”.

26. Add the computers you have ready to include in this scope by clicking “Members” then “Add Devices” and/or “Add Device Groups”. If you are enrolled in Apple's "Device Enrollment Program" then you may have computers already listed versus adding them manually. If you haven't enrolled in DEP then do it. It makes adding computers to your device groups much simpler.

There are numerous variables that will depend on your environment. This article is a basic template.