Managing Macs like they’re iPads

Over the last year, we have been migrating all of our iPads over to Jamf School, which has gone really rather well. Jamf School’s focus on education really pays off I believe, making lots of things you might need to do or manage in a school really easy. Given this wonderful success, could we move over our Mac fleet as well, migrating those computers from Jamf Pro?

The case for moving the iPads was easy: it was a little bit cheaper (which adds up when you’re doing a school-wide 1:1 project), it had some neat education features like Jamf Teacher, and it was the direction that Jamf seemed to be taking things in the education space. What about then for the Mac?

In terms of price, Jamf School costs the same whether you’re managing an Apple TV, an iPad or a Mac, so this makes for nearly a 50% saving over Jamf Pro. Whilst that doesn’t add up to huge amounts of money as we don’t have the same number of Macs as we do iPads, every little helps in these days of inflation.

But what about functionality? Jamf Pro is a mature and fully-featured product, with a long history of wrangling the consumer-centric Mac into some sort of enterprise compliance, and has all sorts of hooks and tricks for getting Macs to do what you want. Whereas Jamf School is basically just the MDM side with a basic scripting add-on and a Jamf School ‘self service’ menubar extension that allows users to install apps, profiles, documents and natty wallpapers.

The question then became, could we set up our Macs the way we wanted them, basically using the same tools available for managing iPads? Here is a bit of my adventure and some things I’d love for Jamf to fix!

Adventure Highlights

  • Plugging the Macs into Device Enrollment was pretty straightforward. This allows Macs to be supervised over the air, with users unable to remove the supervision profile. One neat thing about this is that we could preload asset numbers and device names into Jamf School, meaning that we didn’t need to run any fancy scripts post install to gather that information. Rather than manually adding in the Mac’s location in the school once the device was enrolled, I included that in the machine’s name instead.
  • Getting Jamf Connect working wasn’t quite as straightforward as on Jamf Pro. It basically just involved installing the various Jamf Connect packages and then building a configuration profile using the tool that Jamf provide.
  • Mac App Store app installation is super easy. 3rd-party apps were less straightforward, depending on how complex the installer packages were. I was able to sort out most common apps (Chrome, Office etc) with help from support when I got stuck.
  • Creating configuration profiles was reasonably straightforward. And joy of joys, I was able to create a profile for the dock within Jamf School (looking at you Jamf Pro). For custom profiles, I found iMazing to be a very powerful tool.

Wish List

Here are some features I’d love for Jamf to add:

  • Better Jamf Connect integration. A single button in settings would be sweet!
  • Better 3rd party app management. And it turns out that my wish is their command, as Jamf have just added App Installers, a list of packages that Jamf maintains and updates. Amazing!
  • Onboarding screens. The highly skilled out there are able to weave together beautiful onboarding screens when first setting up a Mac. I’ve had a look, but it seems to require a lot of scripting, so I would love it if Jamf could build such a thing into their product. I can but dream…

Is it worth it?

Having been through the switch, which did involve wiping and setting up again all of the Macs in the school, I would say that it has been worthwhile. Managing all of our devices in one place is great, and the simplicity of Jamf School is also a bonus. If you have a simpler Mac setup then Jamf School is definitely worth a look.

Ventura, Safari and Dock Master

Apple don’t like Mac admins tinkering with the dock. For Apple, the dock is a space for the user to customise and tweak to their heart’s desire, not for some technical overlord to control.

But in a school setting, setting the contents of the dock is actually really handy. If people are moving around the school and could potentially log into any given Mac, having all the dock items in the same place makes it more familiar for staff.

Unfortunately, Jamf Pro doesn’t really offer quite the right tools for doing this. It is possible to add and remove dock items using ‘policies’, but this is prone to error and still allows users to move things around however they like. Or you can create a ‘profile’ for the dock, but only if it includes default apps and not things like Keynote, Word or Slack.

Thankfully, Michael Page has created ‘Dock Master’, an online tool that allows for the creation of customisable dock profiles with whichever apps your heart desires. Just set it up as you want, download the profile and then upload that to your MDM of choice.

When Ventura was released, I started upgrading some Macs to it and then noticed that Safari would have a little alias arrow in the left corner of the app icon in the dock. Very strange!

After a little bit of digging, I discovered that this was because Safari actually now lives in

/System/Cryptexes/App/System/Applications/Safari.app

and not in the Applications folder at all. So once I put in the correct path in Dock Master, it all worked fine. Yay!

Jamf Connect

Since, like, forever, we have had our Macs at school bound to our Active Directory. Initially this was to try and match the experience people were used to with logging into PCs, with a shared drive and a network ‘home’. But as we started to migrate to the cloud, the jobs of the trusty (or not) Windows server were increasingly given away elsewhere, e.g. using Google Drive for our shared drives and so on. This left the Macs just using network accounts purely to authenticate users. Was there a way to log onto the Macs using cloud credentials?

Defining the benefits

‘Moving to the cloud’ is something that is spoken of as an untrammelled good, but it’s useful to articulate the advantages. What would be the benefit of moving away from logging in with on-premises Active Directory?

  1. A service in the cloud is a service that is someone else’s problem if it breaks. Before we moved to Google Drive, all of the school’s really important documents just lived on a hard drive on a server in a cupboard. Whilst the data was backed up, it still was a rather fragile single point of failure. If the running of the server is handed over to people who actually know what they’re doing (e.g. Microsoft or Google), this is one less thing for a school to worry about.
  2. A job that’s handled by the cloud is one less job for an on-premises server. Hopefully, if enough jobs can be given away, we can get rid of the server altogether!
  3. Unifying the sign-in experience. We use Microsoft accounts in an ever-increasing variety of places, such as with federated Managed Apple IDs and as part of the initial setup process on an iPad, so if teachers are used to using the Microsoft account every day on the Macs, this will help them become more familiar with it.
  4. Giving a more reliable experience. Whilst binding to AD has been part of the Mac since OS X and before, it feels like directory access is something that randomly breaks as the OS updates or upgrades. So if we just move beyond it, this removes one more point of failure.
  5. Allowing remote users to log into their Macs. Since the COVID pandemic, there’s been an increasing number of users in school who need to be able to log into their Macs when not on the school network. If the Mac is still bound to the AD, this isn’t necessarily possible.
  6. Moving with where things are going. Back in 2015, we moved from managing our Macs with a Mac Server running Workgroup Manager (those were the days) to an MDM approach with Jamf Pro. Workgroup Manager continued ‘working’ for several more years of macOS updates after that before being discontinued with Yosemite, but it was good to be ahead of the curve and avoid running into a brick wall. Moving away from binding to AD feels like the same sort of thing.

Enter Jamf Connect

So, what to replace network accounts with? In 2018, Jamf acquired NoMAD, which was an open-source alternative to using Apple’s directory tools for authenticating users. It then turned into Jamf Connect, a paid solution that offers its own login screen and a menu bar tool. How does it work?

  • Installation of Jamf Connect requires a ‘jump start’, a remote support session from a Jamf technician to set it all up in your environment. A great way to get it all working!
  • There is a Jamf Connect Configuration Tool that is required to set up the different settings, such as which identity provider you’re going to use as well as a plethora of different options.
  • We then set up the login screen (complete with custom wallpaper) so that users were required to sign into the Mac using their Microsoft account. If an existing AD account was already there, this was converted from a ‘mobile’ account to a standard Mac user account. The login process then asks for the user to enter their password for a second time, which then unlocks the account on the Mac itself.
  • Once logged in, we configured it so that the Jamf Connect menu bar item was automatically logged in with the Microsoft account, which then kept the local Mac password in sync with the cloud password.

Once we had installed the Jamf Connect software and configuration options, and told staff what to expect on their new login screen, it seemed to work just fine!

Things to watch out for

It wasn’t entirely plain sailing from this point however. The way Macs are set up at school is that, whilst a particular Mac may only be used by a subset of users, it could potentially be logged into by any member of the staff team. If a user had changed their password since logging into a Mac and then returned to that Mac, the local password would be the old one. When using network accounts, the Mac would happily log in using the new password and then would prompt the user for the old password to update the keychain password. If the user didn’t know their old password, the old keychain would be replaced with a new password.

With Jamf Connect, this scenario gets more complicated. If the user’s account is still a ‘mobile’ account and has not been converted to a ‘standard’ account as part of the initial login with Jamf Connect, the Mac can still talk to Active Directory to at least still let the user into the local account before it is then ‘demobilised’. (Please see Jamf’s documentation for more information about this.) For this reason, it’s important to not unbind the Macs from the Active Directory until you’re sure there are no remaining ‘mobile’ accounts on it. I found some handy ‘extension attribute’ scripts that will tell you which Macs on Jamf Pro still have network accounts on them.
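As an added example (not the post’s own script, nor one of the extension attributes the author found), here is a Jamf Pro extension attribute that reports which local accounts on a Mac are still AD ‘mobile’ accounts, so you can see at a glance which Macs are not yet safe to unbind. It assumes that mobile accounts keep an OriginalNodeName attribute under /Active Directory/ and that dscl lists them in the “username  node” form shown in the comments; the sample listing is constructed.

```bash
#!/bin/bash
# Jamf Pro extension attribute (added example): report local accounts that are
# still Active Directory 'mobile' accounts. A Mac should stay bound to AD until
# this reports None, otherwise those users may be unable to log in.
#
# Mobile accounts carry an OriginalNodeName attribute naming the directory
# node they were cached from, e.g. "/Active Directory/SCHOOL/All Domains".
# `dscl . -list /Users OriginalNodeName` prints one "username  node" line per
# account that has the attribute; purely local accounts do not appear at all.

# Constructed sample of that dscl output, used when not running on a Mac.
SAMPLE_LISTING='jsmith        /Active Directory/SCHOOL/All Domains
ahughes       /Active Directory/SCHOOL/All Domains
ldapuser      /LDAPv3/ldap.example.school
'

# Read dscl-style listing text on stdin; print the usernames whose original
# node is an Active Directory node, one per line.
ad_mobile_accounts() {
    awk '
        NF >= 2 {
            node = $0
            sub(/^[^[:space:]]+[[:space:]]+/, "", node)   # drop the username column
            if (node ~ /^\/Active Directory\//) print $1
        }'
}

# Turn a newline-separated list of names into the <result>...</result> line
# Jamf Pro expects from an extension attribute, or "None" when the list is empty.
format_result() {
    local names="$1"
    if [ -z "$names" ]; then
        echo "<result>None</result>"
    else
        echo "<result>$(printf '%s' "$names" | paste -sd, -)</result>"
    fi
}

# Use the live listing on a Mac; fall back to the constructed sample elsewhere.
if command -v dscl >/dev/null 2>&1; then
    listing=$(/usr/bin/dscl . -list /Users OriginalNodeName 2>/dev/null)
else
    echo "dscl not found: using constructed sample listing" >&2
    listing="$SAMPLE_LISTING"
fi

format_result "$(printf '%s\n' "$listing" | ad_mobile_accounts)"
```

Upload it as an extension attribute with a script input type, then scope a smart group to Macs whose result is not None.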

If a user’s account is a normal ‘standard’ account, either because they’ve demobilised an existing network account or have just signed in fresh with Jamf Connect, and they then change their password outside of using the Mac and return to the Mac, there thankfully is a solution to getting back into this account. I found a handy blog post that explains the commands you can use to change the password on a given user account. I turned this into a script that can be run from Self Service, which prompts the user for the username of the account you’re trying to change the password of. You need to actually be logged into a machine to do this, which can be done with a local admin account or something like that. In the script I made it change the password to something that only your tech team can know, preventing any unscrupulous users changing the password of another account and then trying to log in! The next time the user logs in via Jamf Connect, they can then enter the temporary password as the known local account password, which Jamf Connect will then change to the user’s cloud password once they’re logged in.

Below is the script in question:

#!/bin/bash
#Freddie Cox for Knox County Schools
#Edited by Tim Lings
#2021
# 'set -x' is deliberately left off: it would echo every command, including
# the temporary password, into the policy log.

sleep 1

# Ask the logged-in admin which local account needs its password reset.
userName=$(/usr/bin/osascript <<'EOT'
tell application "System Events"
    activate
    set userName to text returned of (display dialog "Please enter affected username:" default answer "" with icon 2)
end tell
EOT
)

# Temporary password known only to the tech team; Jamf Connect replaces it
# with the user's cloud password at their next login.
tempPassword="temporarypassword"

# Stop if the dialog was cancelled or left empty, or the account does not exist.
if [ -z "$userName" ]; then
    echo "No username entered."; exit 1
fi
if ! /usr/bin/dscl . -read /Users/"$userName" >/dev/null 2>&1; then
    echo "No local account named '$userName'."; exit 1
fi

#Reset local password (dscl needs root, which a Self Service policy provides)
/usr/bin/dscl . -passwd /Users/"$userName" "$tempPassword"

One last thing we discovered is that some users had figured out that they could click ‘local account’ on the login screen and then log in with their normal AD credentials, rather than having to put in their cloud Microsoft account. It is possible to set the configuration for the Jamf Connect login window using ‘DenyLocal’ to prevent this happening (with the option to also specify local admin logins that you still want to allow).

Quicker and Easier on iPad

At the end of last year, we did some monitoring about how Showbie was being used in our school. One of the insights from that was that all of the work done in Computing could be done quicker and easier on iPad rather than using an iMac. In our school, children have a timetabled ‘Computing’ slot when they get to go and use the iMac suite. The children do enjoy it, but in this increasingly mobile age, children are just not as familiar with using a mouse and keyboard, let alone using an arguably more complex desktop operating system like OSX. Perhaps they just need the practice, but actually the iPad allows children to achieve remarkably complex things (visual programming, video creation and editing etc.) with relative ease. If we add in the simple but powerful e-portfolio workflow that Showbie offers for iOS, iPad increasingly comes up tops when compared to Mac.

So, what apps do we use for Computing on Mac and how can iPad replace/improve them?  Is it possible to go ‘iPad Only’ with Computing?

Email

We use LGfL’s London Mail to provide safe and restricted access to email for students during certain Computing units. It’s hosted by Microsoft and is accessed via a web browser.  It works fine on Mac as well as iPad, but on iPad it’s super easy to screenshot learning and add it into Showbie.

Visual Programming

We already use Hopscotch, Kodable, A.L.E.X. and Daisy the Dinosaur on iPad to teach coding using pre-programmed blocks.  On the Mac, we use Scratch, a great coding environment created by MIT. There is a (literally) junior version of it called Scratch Jnr, which is suitable for younger children but unfortunately they haven’t released a full iPad version yet.  However, there are other alternatives out there, such as Tynker.

Typed Coding

When we developed our Computing curriculum a few years ago, we included a strand which focused on getting children to type in computer code, starting with learning to type, then moving onto languages such as LOGO and Python. You can get typing apps for iPad, and even ones for LOGO and Python. Fun as it has been to introduce these to children, I think that they might be just a bit too tricky for Primary aged kids, so instead we’re going to introduce some more fun iPad coding apps.  Like Floors (which allows you to design your own platform games…)!

iWork

Pages, Numbers and Keynote are as fully-featured on iOS as a Primary school kid would need, so no contest there.  And are arguably easier to use.

iLife

iMovie on OSX is powerful, but it does add so many steps to the movie-making process: capture video on another camera, then import into Mac, then edit. iMovie for iPad is so simple and easy to use, with the advantage of being able to do everything on one device.

LEGO WeDo

The only sticking point was LEGO WeDo, a simple programmable LEGO kit. WeDo 1.0 runs off a wired USB hub to connect the motor/tilt sensor/motion sensor. However, LEGO have recently announced WeDo 2.0, which connects via Bluetooth to an iPad…yay! I recently had a play with it at BETT and it was really great.

So, I think that going all-in on iPad for Computing can work!

Appreciating Apple TV

At our school, we’ve mostly used Reflector as the way of doing AirPlay mirroring from our iPads into a large projected image. This has worked well when using old-fashioned VGA projectors and a 4:3 image. However, the connection can sometimes be unreliable, which is probably down to network/wifi issues. But, due to the advantages I’ve previously outlined, Reflector seemed a better choice than the main alternative: Apple TV.  Apple TV is a little black box that works (amongst other things) as an AirPlay receiver for content from your Mac or iOS device.

However, after some discussion with some fellow ADEs, I’ve come to appreciate the advantages that Apple TV has over Reflector.

  • It’s Apple’s AirPlay mirroring solution, rather than a third-party reverse-engineered hack, so that means it’s more likely to work reliably.
  • If connecting to an HD device via HDMI, setup is super simple.
  • You can have one-time device authentication, where a new AirPlay connection requires entering the on-screen passcode. This stops accidental AirPlay connections (thank you Early Years!) without having to remember or share a password.
  • Peer-to-peer. Which is amazing! With a lightning connector iPad, it uses Bluetooth to set up a direct wifi connection to the Apple TV, thus bypassing the local network and so reducing the network load.
  • Modern Macs can AirPlay to Apple TV. I’m interested what impact this will have on its use in the classroom, as it makes the Mac the same class of citizen as the iPad.

Here are some things I’ve discovered to make setup easier:

  1. Turn on Conference Mode so that it shows instructions for AirPlay mirroring, rather than the normal grid of video apps.
  2. Turn on device authentication to make peer-to-peer AirPlay connection work.
  3. Have a wired Ethernet connection to the Apple TV to reduce load on your wifi.
  4. Do a restart on the Apple TV after setup to make the changes take effect.
  5. Make sure it’s an HDMI HD display you’re connecting to, either a projector or a TV. It just doesn’t work very nicely with old school VGA projectors, even widescreen ones.

The State of Mac Management

In the glory bygone days, managing Macs was easy: just set up an OSX Server, get Workgroup Manager working and then configure users’ preferences to your heart’s delight. There were ways to easily tweak settings using a GUI, or you could import whatever .plist file you wanted to and have a custom preference.

Now, it wasn’t all a bed of roses: the Mac had to be bound to the OSX Server for these managed preferences to work, meaning things got rather ugly if the server got taken down for any reason. Plus, you had to find other solutions for imaging Macs, deploying and updating software and remote access. But there were tools for this (Deploy Studio, Munki, Apple Remote Desktop), so we were happy.

Then along came Lion. As part of taking everything Apple had learnt from iOS ‘back to the Mac’, Configuration Profiles were introduced. These were just the same as the profiles used to manage iPhones and iPads, offering ways to lock down certain things and set up accounts like email etc. The other cool thing was that these lightweight profiles could be pushed out to a Mac from an MDM server, removing the need to have the Mac permanently bound to a server. Instead, the Mac would keep hold of its profiles until the server gave it some new ones. Macs and iPads could all be managed from one place: one MDM to rule them all!

Workgroup Manager continued to be updated by Apple, but with very little attention given to it. The last version released was for 10.9 server: it still works in 10.10, but has officially been retired and any future support for it is quite unlikely.

As someone who likes to live at the bleeding edge of technological change, did I adopt it straight away? Not for want of trying! Apple offered their own ‘free’ version of an MDM as part of their Server app, called Profile Manager. We couldn’t even get it to work in 10.7, finally got it working with some iPads in 10.8 and then gave up on it in 10.9 (after suffering email profiles being pulled off every teacher iPad due to some weird Active Directory issue).

The issue with it boiled down to how Configuration Profiles just aren’t the same as Managed Preferences. In the ‘walled garden’ of iOS, we just accepted that certain things just weren’t manageable (like position of apps on the home screen or the initial setup of apps etc). Whereas Managed Preferences had given the Mac administrator the taste of absolute control – you shall have the settings I give you! Plus, they also had the fine-grained option of setting preferences to ‘once’, ‘often’ (i.e. every time you logged in) or ‘always’… with profiles, everything was just ‘forced’.

So, the questions are: what actually needs to be managed, and what are the ways of doing it?

Things that need to be managed:

  • First run settings on stuff like Office
  • Mounting shared drives
  • Tweaking the UI as required, e.g. right click on Apple Mouse, sidebar defaults etc
  • Licence keys for apps
  • Setting keyboard, location etc
  • Managing the dock
  • Installing new software and patching existing software
  • Imaging new Macs
  • Running Apple Software Update

So what are the tools?

  • Using a Configuration Profile, either for the settings Apple gives you, or importing a custom plist – only works if you don’t mind it being ‘always’. Tim Sutton has a command line tool for converting a .plist file into a profile. An MDM server can push out profiles over the air and Munki can now install profiles too.
  • Tweaking the preferences in the default user template. Composer as part of Casper Suite has a handy feature for doing this, as well as filling existing users’ preferences.
  • Running various scripts on startup/login/logout. Our Apple reseller has a way of running various scripts like this, and Casper can manage this too. You can also make payload-free packages which just run a script when installed and can be distributed with Munki.

So how do you choose the right tool? The factors are:

  • Cost: MDM servers aren’t cheap necessarily, nor is spending money on getting an Apple reseller to set things up for you.
  • Experience: are you savvy with scripting and dealing with the command line? If not, a solution with a GUI might be better.
  • Continuity: I work in a primary school where high turnover of staff is quite common. Does the solution need to keep working even if you go?
  • Time: do you have time to learn and understand the intricacies, or do things need to work ‘out of the box’? I am in the fortunate position of being able to give time to figure some things out, but most primary schools aren’t.

At my school, we’ve gone for Casper Suite as a way to have a GUI for managing Macs that doesn’t rely on me being a complete Mac system admin with lots of experience in scripting etc., whilst also moving away from Managed Preferences and leveraging Configuration Profiles instead. Let’s hope it works!

Casper Suite

We’ve just had Casper Suite installed at my school. Part of the installation process is a three-day ‘Jump Start’ where a highly experienced trainer (in our case, two, as we had someone shadowing) guides you through installing the software and the processes involved in setting up and running it.

So why Casper Suite? Over the years, we’ve ended up using a range of different systems and technologies to manage the Macs and iPads in school. The Macs have been managed with an OSX Server running Workgroup Manager, plus a few scripts written by our Apple Reseller and the use of Munki for managing software installs and updates. With iOS, we’ve used Meraki, making use of the VPP programme and managed distribution, as well as Apple Configurator for class sets of iPads.

This has worked pretty well, but I knew we needed to move away from Workgroup Manager. Since 10.7 Lion, Apple has pushed the use of Configuration Profiles instead of Managed Preferences. Technology-wise, it isn’t a straight swap, as there are things you can do with MCX that you can’t do with profiles, and vice versa. But with 10.10, Workgroup Manager no longer even exists (even though the 10.9 version still works!), so I knew we had to do something. Casper Suite was well spoken of, properly supported OSX as well as iOS, and seemed to have some cool features.

The main drawback of Casper Suite is the cost: as an educational customer, you only pay for support per device, which works out pretty cheap. But you have to pay for the three days of ‘Jump Start’ before you begin, which is not cheap! However, I calculated that it works out about the cost of a case per device, which isn’t so bad. An iPad without a case is pretty hobbled, and I’m sure Casper will add a depth and richness to our deployment.

The Jump Start went pretty well, and we managed to get everything working by the end of the three days. I did finish the three days feeling overwhelmed with everything there is to do (sorting out all the configuration of the Macs then imaging them all, plus redoing all the iPads), but I think it will come together over the next half term.

Here are some of the highlights so far:

  • Casper Focus: allows a teacher to lock all the iPads in a class to a particular app or webpage
  • Self service: dishing up apps, books and in fact most things to users
  • Device Enrollment Program (DEP): iPads get automatically enrolled to Casper and tied to a certain user out of the box
  • Composer: a powerful way to package up Mac apps, including the ability to fill the user template and existing users’ preferences
  • JSS: the fact it runs as a web service, meaning that Macs don’t have to be bound to an OSX server any more
  • JAMF Nation: a community of helpful geeks who are there to help find solutions to problems

I’m not sure it’s the right solution for small primary schools, or places without an onsite Mac geek, but I think it’s going to work really well for us.

Yosemite won’t boot

Since upgrading our Macs to OS X 10.10 Yosemite, we’ve had an issue where Macs won’t boot up properly. They start up and show the grey loading bar, but it gets to 50% and then gets stuck there. Some hacks and tricks would sometimes help (like resetting the PRAM and repairing the disk and permissions), but not always. I hoped that 10.10.2 would fix things, but alas it has not.

It turns out that the problem was to do with having the Mac bound to an Active Directory. Thankfully, I found a solution on the JAMF support pages from the contributor Chris Hotte. He suggests editing the rc.server file as follows:

  1. Boot into single user mode
  2. Type ‘mount -uw /’
  3. Type ‘/usr/bin/nano /etc/rc.server’ to edit the file
  4. Type in the following code.

    #!/bin/sh
    /bin/echo BootCacheKludge Beta 1.0 – Chris Hotte 2015 – No rights/blame reserved.
    /usr/sbin/BootCacheControl jettison

Hope that helps someone! You can find the original post here.

What’s the point of iPad?

If you go to any sort of Apple in Education event/conference/briefing, they often say that you should be really clear about the aims of any sort of technology deployment. This way you can then evaluate whether your deployment is working well or not.

Here are some of the aims (sometime conscious, sometimes unconscious) for the different stages of our technology rollout in school.

iMacs

Purpose: provide computers that could do movie-editing and just generally worked (didn’t get viruses/fail to turn on most days).
Success?  Tick!

Teacher Mac Minis

Purpose: extend familiarity of OS X to teachers and therefore children, provide a bit more reliability.  Whilst supporting 4:3 screen ratios and not being too expensive.
Success? Mainly. The fact they had to run with ageing monitors/smartboards/projectors/sound systems made the experience rather less than wonderful.

Teacher 1:1 iPads

Purpose: familiarity with iOS, teacher exploration of new apps.
Success? Yes! Plus the bonus of teachers using email much, much more often.  And we got to try out the Great Smartboard Experiment.

Class sets of iPad minis

Purpose: more provision of computers to enable use of ICT across the curriculum.
Success? Moderate. It is happening, but not as much as it could.

So, how do we take our iPad deployment (for the kids) to the next level?

Some ideas…

  • Work out exactly how iPad can help with learning in English and Maths
  • Do some staff training on that
  • Support teachers

We’ve got a day with Julian Coultas in a week or so (courtesy of Toucan) where I’m hoping we can work out how to best move things forward.  Stay tuned!

GarageBand Pricing

I love this time of year. Not only does the latest release of iOS mean that I have oodles of iPads to get updated (which takes varying degrees of time depending on how much free space is required to install the update), but a month after the mega IPHONE announcement, Apple calmly release a slew of other updates for the Mac and iLife/iWork. Yay. Last year’s came with quite a few headaches (such as the way iWork didn’t play nicely at all with SMB shares) but hopefully they won’t repeat this year. I’ve already tried saving a file over SMB with the newest iWork, and it seems to work fine. The ‘proper’ file format they have finally created I’m sure is to thank for that.

Last year, GarageBand threw in a bit of a curveball by being free but requiring an in-app purchase to unlock all of the functionality. This is a system admin’s worst nightmare, as there is no decent way to do this upgrade on a whole school’s worth of iPads and apps.

Thankfully, it seems that this year Apple have rescinded the in-app upgrade option and have slapped a price on instead. For new devices, you get the app free and on existing apps you get a free upgrade.

A few questions though:

  • What happens with Apple Configurator? Do we have to have app codes to install the app? Or even just to sync existing iPads with Configurator?
  • If we now need app codes, can we still apply for free ones on iPads bought in the last year?
  • What about codes for Macs?
  • I hope to make some investigations this week to find out more…