Monday, June 10, 2024

Unified Logging on macOS

What is Unified Logging?

Unified Logging is Apple’s systemwide logging mechanism introduced with macOS Sierra (10.12). It centralises and standardises logging across the operating system and all applications, providing a comprehensive and consistent way to capture, store, and analyse logs.


Why is Logging Useful to a Sysadmin?

Logging is crucial for system administrators because it provides insights into system and application behavior. It helps in:

  • Troubleshooting: Diagnosing issues and identifying root causes.
  • Monitoring: Keeping track of system performance and activities.
  • Auditing: Ensuring compliance with security policies.
  • Maintenance: Predicting and preventing potential issues.


Why is Unified Logging Useful for Security?

Unified Logging enhances security by offering:

  • Comprehensive Visibility: Logs from all parts of the system in one place.
  • Real-time Monitoring: Immediate detection of suspicious activities.
  • Detailed Records: Granular logs that can aid in forensic analysis.
  • Controlled Access: Secure and managed access to log data.


Where Logs are Stored on a Mac

Logs in macOS are stored in various directories, but Unified Logging specifically uses the following paths:

  • /var/db/diagnostics
  • /var/log
  • /Library/Logs

The `log` Command


The `log` command is the primary tool for interacting with the Unified Logging system. It allows you to view, filter, and manage logs.


Basic Syntax

log show [options]

log stream [options]


Example: Viewing Logs for a Specific Process


log show --predicate 'process == "Finder"' --info


Predicates

Predicates allow you to filter log entries based on specific criteria.


Example: Show Logs Within a Given Time Frame



log show --predicate 'eventMessage contains "error"' --info --start "2023-06-01 00:00:00" --end "2023-06-01 23:59:59"


Log Levels

  • default: Standard log messages.
  • info: Informational messages.
  • debug: Debugging information.
  • error: Errors that need attention.
  • fault: Severe errors that likely lead to a crash.


Specified Log Level

Filter logs by their level (default, info, debug, error, fault).


Example: Filter by Log Level


log show predicate 'messageType == error'


Log Stats


The `log stats` command provides statistical information about log entries.


Example: Viewing Log Statistics


log stats --overview


Subsystems and Categories

Logs can be categorised by subsystems and categories, helping to organise log data.


Example: Filtering by Subsystem


log show predicate 'subsystem == "com.apple.network"'
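The level, time-window and subsystem filters shown above can also be applied offline to an export made with `log show --style ndjson` (one JSON object per line), which is handy when triaging a log archive collected from another Mac. The script below is an added example, not part of the original post; it assumes the `timestamp`, `messageType`, `subsystem` and `processImagePath` field names of that output, and `SAMPLE_NDJSON` is a constructed sample rather than real `log show` output.

```shell
#!/bin/sh
# Added example: offline triage of a `log show --style ndjson` export.
# Assumed field names: timestamp, messageType, subsystem, processImagePath.
# SAMPLE_NDJSON is constructed for the demonstration, not real output.

SAMPLE_NDJSON='{"timestamp":"2023-06-01 08:15:02.000000+0100","messageType":"Error","subsystem":"com.apple.network","processImagePath":"/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder","eventMessage":"connection error to host"}
{"timestamp":"2023-06-01 09:40:11.000000+0100","messageType":"Default","subsystem":"com.apple.network","processImagePath":"/Applications/Safari.app/Contents/MacOS/Safari","eventMessage":"connection established"}
{"timestamp":"2023-06-01 12:05:44.000000+0100","messageType":"Fault","subsystem":"com.apple.securityd","processImagePath":"/usr/libexec/securityd","eventMessage":"keychain error: access denied"}
{"timestamp":"2023-06-02 00:00:01.000000+0100","messageType":"Error","subsystem":"com.apple.network","processImagePath":"/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder","eventMessage":"connection error to host"}'

# Extract one string field from a single ndjson line (no jq dependency).
field() { printf '%s\n' "$1" | sed -n "s/.*\"$2\" *: *\"\([^\"]*\)\".*/\1/p"; }

# "2023-06-01 08:15:02.000000+0100" -> 20230601081502, so windows compare as integers.
ts_key() { printf '%s' "${1%%.*}" | tr -cd '0-9'; }

# Keep Error/Fault entries inside [start, end]. This is the offline equivalent of
#   log show --predicate 'messageType == error OR messageType == fault' --start ... --end ...
filter_errors() {  # $1 ndjson text, $2 start "YYYY-MM-DD HH:MM:SS", $3 end
  s=$(ts_key "$2"); e=$(ts_key "$3")
  printf '%s\n' "$1" | while IFS= read -r line; do
    [ -n "$line" ] || continue
    case "$(field "$line" messageType)" in [Ee]rror|[Ff]ault) ;; *) continue ;; esac
    k=$(ts_key "$(field "$line" timestamp)")
    if [ "$k" -ge "$s" ] && [ "$k" -le "$e" ]; then printf '%s\n' "$line"; fi
  done
}

# Number of Error/Fault entries in the window.
count_errors() { filter_errors "$@" | grep -c '^'; }

# Per-subsystem or per-process counts of the filtered entries, in the spirit of
# `log stats --overview` but restricted to what matters during an investigation.
count_by() {  # $1 = subsystem | process, then the filter_errors arguments
  key=$1; shift
  filter_errors "$@" | while IFS= read -r line; do
    if [ "$key" = process ]; then
      p=$(field "$line" processImagePath); printf '%s\n' "${p##*/}"   # basename
    else
      field "$line" "$key"
    fi
  done | sort | uniq -c | sort -rn
}

# Usage: count_by subsystem "$SAMPLE_NDJSON" "2023-06-01 00:00:00" "2023-06-01 23:59:59"
```

On a real system, replace `SAMPLE_NDJSON` with the contents of `log show --style ndjson --archive <path>.logarchive`.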


Log Archive

To create a log archive for further analysis:


log collect --output <path_to_logarchive>.logarchive


Syslog

`syslog` is the traditional logging system that Unified Logging supersedes but remains available for compatibility.


Example: Viewing Syslog


syslog -k Sender Finder


SystemLogging

SystemLogging is the background process that handles the logging infrastructure. Understanding its functionality can help in managing and troubleshooting logging issues.


Sysdiagnose

`sysdiagnose` is a powerful tool that collects extensive system diagnostics, including logs.


Example: Running Sysdiagnose


sudo sysdiagnose -f /path/to/output


Profiles and Logs


Profiles (configuration profiles) can be used to manage logging settings across multiple systems, ensuring consistent logging policies.


Example: Applying a Configuration Profile


sudo profiles -I -F /path/to/profile.mobileconfig



Unified Logging on macOS offers a powerful and flexible system for managing log data, essential for effective system administration and security. By mastering the `log` command and understanding the structure and storage of logs, sysadmins can greatly enhance their ability to monitor, troubleshoot, and secure macOS systems.

Thursday, January 18, 2024

Releasing Devices in Apple Business Manager


Say goodbye to unwanted devices cluttering your Apple Business Manager! Releasing devices is a crucial part of managing your fleet, allowing you to remove devices sold, lost, or simply beyond repair. This blog dives into the steps for releasing devices and sheds light on which roles have the authority to do so.

Why Release Devices?

Releasing devices offers several benefits:

  • Clean Up Your Inventory: Keep track of active devices and avoid confusion.
  • Compliance Check: Ensure you're not managing devices you no longer own, adhering to Apple Business Manager Agreement terms.
  • Security Clearance: Prevent unauthorized access to your network and data by wiping released devices.

Who Can Release the Devices?

Only two user roles in Apple Business Manager can initiate device release:

  • Administrator: The all-powerful role, with full control over devices, users, and settings.
  • Device Enrollment Manager: Responsible for device enrollment and management, also authorized to release them.

Release Steps Simplified:

1. Sign In: Access Apple Business Manager with your valid Administrator or Device Enrollment Manager credentials.

2. Device Selection: Choose "Devices" from the sidebar. You can search for specific devices or view the entire list.

3. Target the Unwanted: Select the device(s) you want to release by clicking the checkbox next to their names.

4. Release Actions: Click the "Release" button at the top right corner.

5. Confirmation: A confirmation window will appear. Double-check the selected devices and click "Release".



Note: Releasing a device removes it from Apple Business Manager and you will need to wipe the device.

Bonus Tip: You can configure Apple Business Manager to allow only specific users within the Device Enrollment Manager role to release devices. This adds an extra layer of control and accountability.

By following these steps and understanding the authorised roles, you can say goodbye to unwanted devices and maintain a clean, efficient Apple Business Manager environment. So, go forth and release those digital ghosts with confidence!

Remember: This information is accurate as of January 18, 2024. Apple may update its processes or release new features, so always refer to the official Apple Business Manager documentation for the latest guidance.

Feel free to leave comments below if you have any questions or additional insights on device release in Apple Business Manager!

For more information please contact us at https://brilyant.com/contact/

Friday, January 5, 2024

Enhancing Mac Security: A Comprehensive Guide to the macOS Security Module

In the dynamic landscape of cybersecurity, ensuring the security of your Mac devices is paramount. As technology advances, so do the threats that seek to exploit vulnerabilities in your system. To fortify your Mac's defences, it's crucial to implement a robust Mac Security Module. In this blog post, we'll delve into the key components of Mac security, covering baseline settings, CIS benchmarks, Apple's best practices, company security policies, and the macOS Security Compliance Project.


What Should We Consider?

When embarking on the journey to enhance Mac security, it's essential to consider a holistic approach. Assessing potential risks, understanding the latest threats, and tailoring security measures to your organization's specific needs are vital. Key considerations include:

1. Threat Landscape Analysis: Stay informed about the latest cybersecurity threats targeting macOS to proactively adapt your security measures.

2. User Education and Awareness: Educate users about security best practices, including avoiding phishing scams, using strong passwords, and recognising suspicious activities.

3. Regular Security Audits: Conduct regular security audits to identify and address vulnerabilities in your Mac environment.


Baseline Security Settings:


Establishing a solid foundation for Mac security begins with configuring baseline settings. This involves:

1. Firewall Configuration: Enable the built-in firewall on macOS to monitor and control incoming and outgoing network traffic.

2. FileVault Encryption: Utilise FileVault to encrypt your Mac's hard drive, safeguarding sensitive data in case of theft or unauthorised access.

3. Gatekeeper Settings: Configure Gatekeeper to allow only trusted applications from the App Store or identified developers, reducing the risk of malware.

4. System Updates: Keep macOS and all installed software up-to-date to patch vulnerabilities and protect against known threats.


CIS Benchmarks:


The Center for Internet Security (CIS) provides a set of benchmarks for securing macOS. These benchmarks offer a comprehensive guide to enhancing security, covering areas such as system configurations, network settings, and user account controls. Adhering to CIS benchmarks ensures a standardised and secure configuration for your Mac devices.

Account Policies:

Configuring strong password policies and limiting unnecessary account privileges.

System Integrity Protection (SIP):

Ensuring SIP is enabled to protect critical system files from unauthorized modifications.

Network Configuration:

Applying secure network configurations, such as disabling unnecessary services and using secure protocols.


Apple Best Practices:

Apple, the creator of macOS, provides its own set of security best practices. Key recommendations include:

1. System Integrity Protection (SIP): Do not disable SIP, as it protects critical system files and processes from being tampered with.

2. XProtect and MRT: Keep XProtect and MRT (Malware Removal Tool) updated to defend against known malware threats.

3. Gatekeeper and Notarisation: Leverage Gatekeeper and App Notarisation to verify the integrity of applications before installation.


Company Security Policies:

Tailoring security policies to your organisation's needs is essential. Develop comprehensive security policies that address:

1. Device Usage Policies: Define guidelines for the use of company-issued Mac devices, including acceptable use and security protocols.

2. Access Controls: Implement strict access controls, ensuring that only authorized personnel can access sensitive data and systems.

3. Incident Response Plan: Develop an incident response plan to swiftly and effectively address security incidents, minimising potential damage.


macOS Security Compliance Project:


Participating in the macOS Security Compliance Project ensures alignment with industry standards and best practices. This collaborative effort aims to create a framework for assessing and enhancing macOS security. By actively engaging in this project, organisations can contribute to the development of effective security measures for the broader Mac community.

Security Auditing:

Regularly auditing security configurations to ensure compliance with established standards.

Continuous Monitoring:

Implementing continuous monitoring mechanisms to detect and respond to security incidents in real-time.

Documentation and Reporting:

Maintaining comprehensive documentation of security configurations and generating reports to assess and demonstrate compliance.

Conclusion:

Securing your Mac devices is a multifaceted endeavour that requires a combination of baseline settings, adherence to industry benchmarks, and collaboration with both Apple's best practices and wider security initiatives like the macOS Security Compliance Project. By considering the holistic approach outlined in this guide, organizations can fortify their Mac security and stay ahead of evolving cybersecurity threats.


Reference Links:

1. CIS Apple macOS Benchmarks

2. Apple Security Overview

3. macOS Security Compliance Project

4. Apple Security Research

5. Apple Endpoint Security

6. Apple Device Management GitHub Repo

7. Apple Developer Device Management

8. Apple Platform Deployment

9. Jamf Compliance Baseline

Feel free to leave comments below if you have any questions

For more information please contact us at https://brilyant.com/contact/

Tuesday, January 2, 2024

Exploring Apple's Lockdown Mode: A Closer Look at Enhanced Security

In the ever-evolving landscape of digital security, Apple has consistently been at the forefront of innovation. One notable feature that underscores the company's commitment to user privacy and protection is the Lockdown Mode. Introduced in recent iOS and macOS updates, this security feature offers an additional layer of defence against unauthorised access and potential threats. In this blog post, we will delve into the details of Apple's Lockdown Mode, understanding its functionality, its implications for users, and its role in safeguarding personal information.


Understanding Lockdown Mode:


Lockdown Mode is a security feature integrated into Apple's platforms, such as macOS, iPhone and iPad. It provides users with a means to enhance the security of their devices in situations where there is a potential threat or unauthorized access. When activated, Lockdown Mode restricts various functionalities of the device, limiting access to sensitive information and protecting the user's privacy.


Activation and Usage:


Activating Lockdown Mode is a straightforward process. Users can enable it manually or configure it to activate automatically in specific scenarios. To enable Lockdown Mode, navigate to Settings (System Settings on a Mac) > Privacy > Lockdown Mode. Once activated, the device's interface changes, signalling that the device is in a more secure state.


Automatic activation of Lockdown Mode can be configured in the device settings. For example, users may choose to enable it when their device is connected to a computer or when the device recognizes an untrusted accessory attempting to establish a connection.


Key Features and Limitations:


1. Biometric and Passcode Protection:

   Lockdown Mode reinforces the device's existing security measures, ensuring that biometric authentication methods like Face ID or Touch ID, as well as passcodes, remain required for access. This adds an extra layer of protection beyond the standard lock screen.


2. USB Access Restriction:

   One notable aspect of Lockdown Mode is its impact on USB connectivity. When activated, the device restricts USB access, preventing data transfers and other interactions with connected devices. This is particularly crucial in preventing unauthorized access by third-party tools that may attempt to exploit vulnerabilities.


3. App Notifications:

   Users in Lockdown Mode receive notifications, providing them with information about the status of their devices. This ensures transparency and allows users to stay informed about any potential security incidents or unauthorized access attempts.


4. Emergency Calls and Medical ID:

   Lockdown Mode does not compromise essential features such as making emergency calls or accessing the Medical ID information. Users can still reach out for help or provide critical medical information even when their device is more secure.


Conclusion:


As our lives become increasingly intertwined with digital technology, the importance of robust security measures cannot be overstated. Apple's Lockdown Mode exemplifies the company's dedication to user privacy and data protection. Whether activated manually or configured to engage automatically in specific situations, Lockdown Mode serves as a powerful tool to thwart unauthorized access and potential threats, offering users peace of mind in an interconnected world. As technology continues to advance, it is reassuring to see companies like Apple actively investing in features that prioritize user security and privacy.


For more information please contact us at https://brilyant.com/contact/

Tuesday, December 26, 2023

Zero Touch Setup with DEPNotify

DEPNotify is an application that will guide end-users through the process of enrolling a computer with Automated Device Enrollment. 

An organization can choose to install critical applications after enrollment with MDM, but without a tool such as DEPNotify, end users may not be aware of the process. This application can also ask the end users for information that can be input and then used by administrators for future management.


There are two major components to configure for DEPNotify:

  1. the application 
  2. the starter script


Note: The application package and any other resources deployed with it should be signed with an Apple Developer certificate (if deployed via Jamf, the Jamf Pro built-in CA certificate can be used).


Download DEPNotify: https://gitlab.com/Mactroll/DEPNotify 


DEPNotify supports a wide range of configurations. These include:

  • Customisable text
  • Images
  • User input fields which can be used for extension attributes
  • EULAs
  • The ability to open webpages or play a YouTube video
  • Full-screen or windowed display
  • Progress bars


DEPNotify is completely controlled via echoing text to its control file. By default, this is `/var/tmp/depnotify.log`, but it can be changed with the `-path` flag.


To learn about application flags: https://gitlab.com/Mactroll/DEPNotify#application-flags


Commands:

You can customise the DEPNotify window with commands for user interaction, notifications and completion information.


Main Window Setup: https://gitlab.com/Mactroll/DEPNotify#main-window-configuration

Interaction: https://gitlab.com/Mactroll/DEPNotify#interaction

Notification: https://gitlab.com/Mactroll/DEPNotify#interaction

Completion: https://gitlab.com/Mactroll/DEPNotify#completion


For more advanced workflows, you can write a plist, `menu.nomad.DEPNotify.plist`. With this file you can configure various things such as the EULA window, the registration window, status text alignment and help bubbles.


Ref: https://gitlab.com/Mactroll/DEPNotify#depnotify-plist


DEPNotify starter Script:

The DEPNotify Starter Script is very lengthy but is heavily commented to help you understand the available settings and how to configure them.


The DEPNotify-Starter GitHub repo contains both the starter script and the reset script for DEPNotify:

https://github.com/jamf/DEPNotify-Starter


You can also use the DEPNotify Set-up Helper application to configure the script for you:

https://github.com/BIG-RAT/DEPNotify-Set-up-Helper


EULAs and images for DEPNotify should not be included in the DEPNotify package but instead can be placed in a package of their own.


Any package installed during Automated Device Enrollment must be signed with a certificate that can be trusted by the Mac.


Deployment Plan with Jamf:

This assumes Apple Business Manager is already integrated with Jamf Pro.


PreStage Enrollment:

Go to Computers > PreStage Enrollments and create a new PreStage enrollment.

General: apply the settings as per your requirements.

Configuration Profiles: add your DEPNotify configuration profile.

Enrollment Packages: add the DEPNotify package and any EULA or image package (note that both packages must be signed).

When creating a PreStage enrollment, it is best to use only the minimum critical settings.


Smart Computer Group:

Create a Smart Computer Group with the criterion Enrollment Method: PreStage enrollment, operator is, and value Zero Touch.


Configuration Profiles:

Scope any configuration profile you would like to deploy during the zero-touch process to the Smart Computer Group you created.


Policies:

Create a policy for the DEPNotify starter script and one for each package you need to deploy during the DEP process. Set their execution frequency to “Ongoing”, give each policy a custom trigger that is unique to it, and scope them to the Smart Computer Group you created before.


Testing on a Local Enrolled Mac:

Before deploying to production, you can test the DEPNotify workflow on your enrolled Mac.


To test, open Terminal and run:

sudo jamf policy -event enrollmentComplete


If all has been configured correctly, you should see the DEPNotify application open and a simulation of your workflow. With the testing flag set to "true", your policies and registration information will not execute.
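The control-file mechanism described above (echoing commands to `/var/tmp/depnotify.log`), the per-package custom triggers from the Policies section and the testing flag all come together in a minimal driver like the one below. It is an added example written for this post, not the DEPNotify project's code or the Jamf starter script; it assumes the documented control-file commands (`Command: MainTitle:`, `Command: MainText:`, `Command: Determinate:`, `Status:`, `Command: Alert:`, `Command: Quit`), the standard `/usr/local/bin/jamf` binary path, and constructed title text and trigger names.

```shell
#!/bin/sh
# Added example (not from DEPNotify or the Jamf starter script): drive the
# DEPNotify window by appending commands to its control file, then run one
# Jamf custom-trigger policy per step. Assumes the documented control-file
# syntax; title text and trigger names used in the usage line are constructed.

DEP_NOTIFY_LOG="${DEP_NOTIFY_LOG:-/var/tmp/depnotify.log}"   # default path from the post

# Append one command line to the control file (DEPNotify tails this file).
dn() { printf '%s\n' "$1" >> "$DEP_NOTIFY_LOG"; }

# Run one step: show its status text, then fire the policy's custom trigger.
# TESTING=true mirrors the starter script's testing flag: nothing is executed.
run_step() {  # $1 status text, $2 custom trigger
  dn "Status: $1"
  [ "${TESTING:-false}" = "true" ] && return 0
  /usr/local/bin/jamf policy -event "$2" >/dev/null 2>&1
}

# Full workflow: header, determinate progress bar sized to the step list,
# one Status line per step, then Quit (or an Alert if any step failed).
run_workflow() {  # each argument is "Status text|custom_trigger"
  dn "Command: MainTitle: Welcome to your new Mac"            # constructed text
  dn "Command: MainText: Your Mac is being configured. Please do not shut it down."
  dn "Command: Determinate: $#"                                # one bar segment per step
  failed=0
  for step in "$@"; do
    if ! run_step "${step%%|*}" "${step#*|}"; then failed=$((failed + 1)); fi
  done
  if [ "$failed" -eq 0 ]; then
    dn "Command: Quit"
  else
    dn "Command: Alert: $failed step(s) failed. Please contact IT."
  fi
  return "$failed"
}

# Usage (trigger names are constructed; use your own policies' custom triggers):
# run_workflow "Installing Google Chrome|install_chrome" "Installing Slack|install_slack"
```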


For more information please contact us at https://brilyant.com/contact/