Microsoft SSH Server for Windows.

Being able to connect to Windows PCs using SSH is very useful. It opens a new world of tools that simply did not work prior to the Windows 10 “Anniversary update” released last August. I will outline the basic steps for enabling SSH and connecting to a Windows computer using SSH.

Open “Settings” and click “Updates & Security”.

Under “Updates and Security” click “For Developers”.

Enable “Developer Mode”. This will change the configuration to install any signed app and use advanced development features.

If prompted to restart, then do it.

Upon restart return to “Updates and Security” and click “For Developers”.

You can turn on “Device discovery” which adds mDNS support for Windows.

This will enable the “SSH Server Broker” and “SSH Server Proxy” background services. Depending on your Firewall settings, this will allow the service to listen for incoming connections from both private and public networks.

On my Mac, I opened “Terminal” and in my case connected via SSH using the command ssh daniel@10.0.1.5. I’m prompted with the RSA key fingerprint. Type “yes” to continue connecting.

Boom! I’m logged in to Windows.

Notice I am logged in to the “Command Prompt” by default and not the Bash shell for Windows. I can type either bash or powershell to continue using my preference.

Note: Currently, there are no brute-force login protections built into “Microsoft SSH Server for Windows”. A remote attacker can make continual guesses of your login credentials. You can limit your risk of a brute-force attack by disabling login from remote networks.

Disable public remote network logins:

Open “Control Panel” - “System Security” - “Windows Firewall” - “Allowed apps”

Select “Change Settings”

In the list, locate “Ssh server” and disable “Public”

This limits the service to accept logins from what is identified in Windows as a local and private network source.

Set a FileVault recovery key for Mac computers in your institution

This article is based off Apple’s instructions for setting up an institutional recovery key.

Apple products continue to be pushed into the enterprise market. This means different expectations are placed on computers and devices compared with a consumer product. I want to show you how to implement full disk encryption (FileVault) and then deploy it to our computers using an MDM solution. This process will be similar no matter what MDM you are using. For a common reference point, I will be using Profile Manager.

I am starting on a random client computer.

1. Start by creating a master password and private recovery key on one of your Mac computers:

2. Open System Preferences and then click Users & Groups.

3. Click the Lock button and authenticate with an administrative name and password.

4. From the Action pop-up menu, choose Set Master Password.

5. Enter and verify your master password, then click OK.

6. Open Finder and navigate to /Library/Keychains/

You will notice four files in the Keychains folder. The two to focus on are “FileVaultMaster.cer” and “FileVaultMaster.keychain”.

7. Copy the file at /Library/Keychains/FileVaultMaster.keychain to a safe location, such as an external drive or encrypted disk image on another physical disk. This FileVault master keychain contains the private FileVault recovery key. You can use this private key to unlock the startup disk of any Mac computer that uses your deployed FileVault master keychain. 

8. Unlock the Keychain we just created. Open Terminal and run the following command:

sudo security unlock-keychain /Library/Keychains/FileVaultMaster.keychain

At the second prompt, “password to unlock /Library/Keychains/FileVaultMaster.keychain:”, enter the password you set as the Master password.

9. Double-click “FileVaultMaster.keychain” in Finder. This will open “Keychain Access”. It’s important that “FileVaultMaster” under “Keychains” is unlocked.

10. Select FileVaultMaster from the Keychains section of the sidebar.

11. Select FileVault Master Password Key from the list of keys. 

For demonstration purposes I have my server set-up as .local. In a production environment you will have a FQDN.


12. Press Delete, then press Enter to confirm.

13. Double-click “FileVault Recovery Key”. Since the root certificate is not trusted, toggle the option next to “When using this certificate:” to “Always Trust”.

The certificate is marked as trusted for all users

We have a trusted Recovery key.

14. Right-click “FileVault Recovery Key” and export the certificate. Choose a location that will be best for deploying via MDM.

15. Make a copy of the file at /Library/Keychains/FileVaultMaster.keychain, but don't replace the identically named private recovery key that you copied earlier. That private key is not for distribution.

If you are deploying manually or using something like Apple’s “Remote Desktop” follow the directions below:

Put the updated FileVaultMaster.keychain file in the /Library/Keychains/ folder of each Mac. The file's ownership and permissions should be -rw-r--r--, which you can set with these Terminal commands:

sudo chown root:wheel /Library/Keychains/FileVaultMaster.keychain

sudo chmod 644 /Library/Keychains/FileVaultMaster.keychain
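A deployment pre-flight script for the keychain from steps 7 and 15, added here as an example that is not from Apple’s instructions or this article: before installing FileVaultMaster.keychain with the root:wheel and -rw-r--r-- settings shown above, it refuses any copy that still contains the private recovery key. It assumes that `security find-identity -v <keychain>` ends with a line of the form “N valid identities found” (an identity is a certificate paired with its private key, so a correctly sanitized keychain reports 0) and that the script is run by a user who can sudo.

```shell
#!/bin/sh
# Added example: pre-flight check and install of a deployable FileVaultMaster.keychain.
# The keychain shipped to clients must hold only the FileVault Recovery Key
# certificate; the private key stays in the copy you archived in step 7.
set -eu

# Parse the summary line of `security find-identity -v` (read on stdin) and
# print the number of identities found. Assumption: the tool prints a line of
# the form "N valid identities found"; with no such line, 0 is reported.
identity_count_from_output() {
    n=$(sed -n 's/^[^0-9]*\([0-9][0-9]*\) valid identities found.*/\1/p' | head -n 1)
    printf '%s\n' "${n:-0}"
}

# True when the keychain holds no identity, i.e. no private key alongside the
# certificate. Listing identities does not require unlocking the keychain.
keychain_is_public_only() {
    count=$(security find-identity -v "$1" 2>/dev/null | identity_count_from_output)
    [ "$count" -eq 0 ]
}

# Print "<mode> <owner> <group>" for a path, using ls -l (portable across
# macOS and Linux; stat's flags differ between the two).
perms_line() {
    ls -ld "$1" | awk '{print $1, $3, $4}'
}

# Install the sanitized keychain on this Mac with the ownership and mode the
# article calls for (-rw-r--r--, root:wheel), then verify the result.
install_master_keychain() {
    src=$1
    dst=/Library/Keychains/FileVaultMaster.keychain
    if ! keychain_is_public_only "$src"; then
        echo "refusing to deploy $src: it still contains the private recovery key" >&2
        return 1
    fi
    sudo install -o root -g wheel -m 644 "$src" "$dst"
    case "$(perms_line "$dst")" in
        "-rw-r--r--"*" root wheel") echo "installed $dst" ;;
        *) echo "unexpected ownership or mode on $dst" >&2; return 1 ;;
    esac
}

# Usage: sh deploy-fvmaster.sh /path/to/sanitized/FileVaultMaster.keychain
if [ $# -eq 1 ]; then
    install_master_keychain "$1"
fi
```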

Turn on FileVault on each Mac

After deploying the FileVault master keychain, turn on FileVault on each client Mac.

I am going to deploy using MDM. For reference purposes, I am using Apple’s “Profile Manager”.

Note: You must be running the “Server” app and have enabled “Profile Manager”.

16. In a web browser open mydomainname.com/profilemanager. Please use your own domain.

Also, “Device Management” will need to be enabled if you want to create a “Device Group” as I will be demonstrating.

In Profile Manager’s Web portal click “Device Groups” and create an applicable name.

17. Click “Settings” and then “Edit” to begin creating a profile.

18. Under “macOS and iOS” in the sidebar, click “Certificates”

19. Click to “Add Certificate”. 

20. Select the certificate exported from “Keychain Access” earlier in the tutorial.

21. In Profile Manager’s Web portal click “Security and Privacy” along the sidebar under macOS. 

22. Click “Configure” then “FileVault”.

23. Enable “Require FileVault”

You are presented with three options, depending on whether you want only the institution to retain the recovery key, to create a personal FileVault recovery key, or to use an institutional recovery key and create a personal FileVault recovery key. I am selecting the third since that will allow my users to have the personal recovery key while my team will have access to its own unique recovery key.

24. Under “Certificate”, select the certificate we have been using.

25. Click “OK”.

26. Add the computers you have ready to include in this scope by clicking “Members” then “Add Devices” and/or “Add Device Groups”. If you are enrolled in Apple's "Device Enrollment Program" then you may have computers already listed versus adding them manually. If you haven't enrolled in DEP then do it. It makes adding computers to your device groups much simpler.

There are numerous variables that will depend on your environment. This article is a basic template.

Packaging Part 2: Autopkg

Use of AutoPkg is mostly done in the command-line. If you are a mostly GUI user then look at the end of this post for AutoPkgr.

https://github.com/autopkg/autopkg

AutoPkg is distributed as an installer package, and it is recommended to also install Git so that you can install and update community recipes. AutoPkg requires 10.6 or later.

Requirement: “git” must be installed for the repo commands used below. Also install Xcode, or just the Xcode command line tools if you don’t need the full 4.47 GB (as of this writing) application suite.

Installing the Xcode command line tools:
Prompt the system to install them simply by typing the git command, or run
xcode-select --install

Note: You must agree to the Xcode license agreement.

Recipes

Recipes are the backbone of AutoPkg. Recipes can:

  • Find the latest version of a software item.
  • Download pkgs/dmgs.
  • Package (or repackage) downloads.
  • Import into a software management system (Munki, Jamf Pro, Absolute Manage, etc.)

How to find recipes:

https://github.com/autopkg

Browse the recipe repositories.

How to add recipes

Add a recipe repository with autopkg repo-add. It accepts a full URL or, for repositories under https://github.com/autopkg, a short name:

autopkg repo-add <URL>

or

autopkg repo-add recipes

Once AutoPkg is installed, run the following command to add the default recipes repository:

autopkg repo-add recipes

You will receive something similar. I apologize for the formatting. Getting command-line to format properly can be a challenge.

Updated search path:
  '.'
  '~/Library/AutoPkg/Recipes'
  '/Library/AutoPkg/Recipes'
  '/Users/daniel/Library/AutoPkg/RecipeRepos/com.github.autopkg.recipes'
  '/Users/daniel/Library/AutoPkg/RecipeRepos/com.github.autopkg.scriptingosx-recipes'
  '/Users/daniel/Library/AutoPkg/RecipeRepos/com.github.autopkg.jss-recipes'

If we know the recipe name we are looking for, we don’t need to browse the repos. In this example, I am searching for a recipe you will probably use later: fetch

daniel$ autopkg search fetch

I broke down and took a screenshot.

Notice the command comes back with different names, often referred to as recipe variants.

Examples:

Fetch.install.recipe    -   downloads and installs the searched-for item

screenFetch.munki.recipe   -  specific to using Munki

Fetch.jss.recipe    -   you guessed it: specific to using Jamf’s JSS

Fetch.pkg.recipe   -   I often use this to extract/create/recreate an Installer package

At this stage it’s becoming obvious that we can download and recreate packages in various ways. However, it’s important to have a common place to store these packages to retrieve for later use, so you need a repo for this purpose. Munki is a great option for cost and support purposes. It’s open source and has a large community supporting it. If your organization has the money to roll with JAMF, then AutoPkg has progressively improved its support for Casper.

For Munki, it’s recommended you have macOS Server app purchased/installed. Documentation for setup is at https://github.com/munki/munki/wiki/Demonstration-Setup

Keep it simple and demonstrate creating a package:

Ok. I hear you. To receive the latest package of Firefox type the following in Terminal.

autopkg run Firefox.pkg

Processing Firefox.pkg...

The following packages were built:

    Identifier               Version  Pkg Path
    ----------               -------  --------
    org.mozilla.firefox.pkg  49.0.2   /Users/daniel/Library/AutoPkg/Cache/com.github.autopkg.pkg.Firefox_EN/Firefox-49.0.2.pkg

The following new items were downloaded:

    Download Path
    -------------
    /Users/daniel/Library/AutoPkg/Cache/com.github.autopkg.pkg.Firefox_EN/downloads/Firefox.dmg

Using Finder I can follow the path to view the package that was built:

/Users/daniel/Library/AutoPkg/Cache/com.github.autopkg.pkg.Firefox_EN/Firefox-49.0.2.pkg 

Firefox-49.0.2.pkg is a flat package that we can use for deployment.


If you prefer to use .dmg for deployment purposes then look in “downloads”
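Once a recipe has built a package, the next thing a practitioner wants is proof that the artifact is intact before it goes into Munki or the JSS. The following script is an added example, not AutoPkg’s own code or part of this post: it parses the report that autopkg run prints (the layout shown above), then checks each built package with pkgutil --check-signature and records its SHA-256 so the uploaded file can be matched later. It assumes pkgutil exits non-zero for an unsigned or invalid package and that cache paths contain no spaces.

```shell
#!/bin/sh
# Added example: verify what `autopkg run` built before it goes into a repo.
# Not part of AutoPkg or of this article.
set -eu

# Extract the "Pkg Path" column from an autopkg run report read on stdin.
# Assumes the report layout shown in the post and paths without spaces.
pkg_paths_from_report() {
    awk '
        /^The following packages were built:/ { in_table = 1; next }
        in_table && /^The following/          { exit }
        in_table && NF == 0 && seen           { exit }
        in_table && NF >= 3 && $1 !~ /^(Identifier|-+)$/ { print $3; seen = 1 }
    '
}

# Check one built package: pkgutil must report a valid signature (assumption:
# it exits non-zero for an unsigned or tampered package), and the SHA-256 is
# recorded so the artifact can be matched against what was uploaded later.
verify_pkg() {
    pkg=$1
    if [ ! -f "$pkg" ]; then
        echo "missing: $pkg" >&2
        return 1
    fi
    if ! pkgutil --check-signature "$pkg" >/dev/null 2>&1; then
        echo "unsigned or invalid signature: $pkg" >&2
        return 1
    fi
    shasum -a 256 "$pkg"
}

# Run a recipe, echo its report, then verify every package it built.
run_and_verify() {
    report=$(autopkg run "$1")
    printf '%s\n' "$report"
    printf '%s\n' "$report" | pkg_paths_from_report | while IFS= read -r pkg; do
        verify_pkg "$pkg"
    done
}

# Usage: sh verify-build.sh Firefox.pkg
if [ $# -eq 1 ]; then
    run_and_verify "$1"
fi
```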

AutoPkgr

Too much command-line for you? Ok. Let's talk about a tool created by The Linde Group.

http://www.lindegroup.com/autopkgr

To use AutoPkgr, you will need to have the following pre-requisites:

1. OS X 10.9.x or higher

2. Xcode and/or the Xcode Command Line Tools installed

3. Acceptance of the Xcode license agreement.

4. A logged-in user to run the AutoPkgr application in. This user can be a standard user or have admin rights. As of macOS 10.12.1, AutoPkgr will not install properly when double-clicking to launch the app. This is most likely due to Apple's tightening control of what is able to be launched using System Integrity Protection. If you are an admin, simply right-click the application and select "Open". However, it may be the VM I'm working on.

In "Install" you can (and must) install "git" and the latest version of AutoPkg.

In "Repos & Recipes", search specific repos for recipes you want to include. If the repo is not pre-populated in the list, add it manually.

In "Schedule" you can select how often to check for and install the most up-to-date packages. This is very important and keeps you from having to manually search each application's site for the latest version. You can also have AutoPkgr notify you via email when the newest packages are available.

"Folders & Integration". I recommend you stick with the default folders unless you have good reasons not to. This pane allows you to select "Munki" integration. Also, you will see the ability to integrate using "Casper Suite Integration" recently renamed "JAMF Pro". Select which "Distribution Point" you need to use. As a side note, you must have either an on-site JSS or cloud-based JSS set-up for this to be an option.

My sincere hope is this helps you on the journey to understand the power of packaging and some great tools created to better manage it. Check back for a dive into the macOS default tool "pkgutil".