Releasing Devices in Apple Business Manager

Say goodbye to unwanted devices cluttering your Apple Business Manager! Releasing devices is a crucial part of managing your fleet, allowing you to remove devices sold, lost, or simply beyond repair. This blog dives into the steps for releasing devices and sheds light on which roles have the authority to do so.

Why Release Devices?

Releasing devices offers several benefits:

• Clean Up Your Inventory: Keep track of active devices and avoid confusion.
• Compliance Check: Ensure you're not managing devices you no longer own, adhering to Apple Business Manager Agreement terms.
• Security Clearance: Prevent unauthorized access to your network and data by wiping released devices.

Who Can Release the Devices?

Only two user roles in Apple Business Manager can initiate device release:

• Administrator: The all-powerful role, with full control over devices, users, and settings.
• Device Enrollment Manager: Responsible for device enrollment and management, also authorized to release them.

Release Steps Simplified:

Sign In: Access Apple Business Manager with your valid Administrator or Device Enrollment Manager credentials.

Device Selection: Choose "Devices" from the sidebar. You can search for specific devices or view the entire list.

Target the Unwanted: Select the device(s) you want to release by clicking the checkbox next to their names.

Release Actions: Click the "Release" button at the top right corner.

Confirmation: A confirmation window will appear. Double-check the selected devices and click "Release".

Note: Releasing a device removes it from Apple Business Manager and you will need to wipe the device.

Bonus Tip: You can configure Apple Business Manager to allow only specific users within the Device Enrollment Manager role to release devices. This adds an extra layer of control and accountability.

By following these steps and understanding the authorised roles, you can say goodbye to unwanted devices and maintain a clean, efficient Apple Business Manager environment. So, go forth and release those digital ghosts with confidence!

Remember: This information is accurate as of January 18, 2024. Apple may update its processes or release new features,so always refer to the official Apple Business Manager documentation for the latest guidance.

Feel free to leave comments below if you have any questions or additional insights on device release in Apple Business Manager!

For more information please contact us at https://brilyant.com/contact/

Enhancing Mac Security: A Comprehensive Guide to the macOS Security Module

In the dynamic landscape of cybersecurity, ensuring the security of your Mac devices is paramount. As technology advances, so do the threats that seek to exploit vulnerabilities in your system. To fortify your Mac's defences, it's crucial to implement a robust Mac Security Module. In this blog post, we'll delve into the key components of Mac security, covering baseline settings, CIS benchmarks, Apple's best practices, company security policies, and the macOS Security Compliance Project.

What Should We Consider?

When embarking on the journey to enhance Mac security, it's essential to consider a holistic approach. Assessing potential risks, understanding the latest threats, and tailoring security measures to your organization's specific needs are vital. Key considerations include:

1. Threat Landscape Analysis: Stay informed about the latest cybersecurity threats targeting macOS to proactively adapt your security measures.

2. User Education and Awareness: Educate users about security best practices, including avoiding phishing scams, using strong passwords, and recognising suspicious activities.

3. Regular Security Audits: Conduct regular security audits to identify and address vulnerabilities in your Mac environment.

Baseline Security Settings:

Establishing a solid foundation for Mac security begins with configuring baseline settings. This involves:

1. Firewall Configuration: Enable the built-in firewall on macOS to monitor and control incoming and outgoing network traffic.

2. FileVault Encryption: Utilise FileVault to encrypt your Mac's hard drive, safeguarding sensitive data in case of theft or unauthorised access.

3. Gatekeeper Settings: Configure Gatekeeper to allow only trusted applications from the App Store or identified developers, reducing the risk of malware.

4. System Updates: Keep macOS and all installed software up-to-date to patch vulnerabilities and protect against known threats.

CIS Benchmarks:

The Center for Internet Security (CIS) provides a set of benchmarks for securing macOS. These benchmarks offer a comprehensive guide to enhancing security, covering areas such as system configurations, network settings, and user account controls. Adhering to CIS benchmarks ensures a standardised and secure configuration for your Mac devices.

Account Policies:

Configuring strong password policies and limiting unnecessary account privileges.

System Integrity Protection (SIP):

Ensuring SIP is enabled to protect critical system files from unauthorized modifications.

Network Configuration:

Applying secure network configurations, such as disabling unnecessary services and using secure protocols.

Apple Best Practices:

Apple, the creator of macOS, provides its own set of security best practices. Key recommendations include:

1. System Integrity Protection (SIP): Do not disable SIP, as it protects critical system files and processes from being tampered with.

2. XProtect and MRT: Keep XProtect and MRT (Malware Removal Tool) updated to defend against known malware threats.

3. Gatekeeper and Notarisation: Leverage Gatekeeper and App Notarisation to verify the integrity of applications before installation.

Company Security Policies:

Tailoring security policies to your organisation's needs is essential. Develop comprehensive security policies that address:

1. Device Usage Policies: Define guidelines for the use of company-issued Mac devices, including acceptable use and security protocols.

2. Access Controls: Implement strict access controls, ensuring that only authorized personnel can access sensitive data and systems.

3. Incident Response Plan: Develop an incident response plan to swiftly and effectively address security incidents, minimising potential damage.

macOS Security Compliance Project:

Participating in the macOS Security Compliance Project ensures alignment with industry standards and best practices. This collaborative effort aims to create a framework for assessing and enhancing macOS security. By actively engaging in this project, organisations can contribute to the development of effective security measures for the broader Mac community.

Security Auditing:

Regularly auditing security configurations to ensure compliance with established standards.

Continuous Monitoring:

Implementing continuous monitoring mechanisms to detect and respond to security incidents in real-time.

Documentation and Reporting:

Maintaining comprehensive documentation of security configurations and generating reports to assess and demonstrate compliance.

Conclusion:

Securing your Mac devices is a multifaceted endeavour that requires a combination of baseline settings, adherence to industry benchmarks, and collaboration with both Apple's best practices and wider security initiatives like the macOS Security Compliance Project. By considering the holistic approach outlined in this guide, organizations can fortify their Mac security and stay ahead of evolving cybersecurity threats.

Reference Links:

1. CIS Apple macOS Benchmarks

2. Apple Security Overview

3. macOS Security Compliance Project

4. Apple Security Research 

5. Apple Endpoint security

6. Apple Device Management Git hub Repo

7. Apple Developer Device management 

8. Apple Platform Deployment

9. Jamf Compliance Baseline

Feel free to leave comments below if you have any questions

For more information please contact us at https://brilyant.com/contact/

Exploring Apple's Lockdown Mode: A Closer Look at Enhanced Security

In the ever-evolving landscape of digital security, Apple has consistently been at the forefront of innovation. One notable feature that underscores the company's commitment to user privacy and protection is the Lockdown Mode. Introduced in recent iOS and macOS updates, this security feature offers an additional layer of defence against unauthorised access and potential threats. In this blog post, we will delve into the details of Apple's Lockdown Mode, understanding its functionality, its implications for users, and its role in safeguarding personal information.

Understanding Lockdown Mode:

Lockdown Mode is a security feature integrated into Apple's devices, such as macOS, iPhones and iPads. It provides users with a means to enhance the security of their devices in situations where there is a potential threat or unauthorized access. When activated, Lockdown Mode restricts various functionalities of the device, limiting access to sensitive information and protecting the user's privacy.

Activation and Usage:

Activating Lockdown Mode is a straightforward process. Users can enable it manually or configure it to activate automatically in specific scenarios. To enable Lockdown Mode navigate to settings / system settings (on mac )> privacy > lockdown mode. Once activated, the device's interface changes, signalling that the device is in a more secure state.

Automatic activation of Lockdown Mode can be configured in the device settings. For example, users may choose to enable it when their device is connected to a computer or when the device recognizes an untrusted accessory attempting to establish a connection.

Key Features and Limitations:

1. Biometric and Passcode Protection:

   Lockdown Mode reinforces the device's existing security measures, ensuring that biometric authentication methods like Face ID or Touch ID, as well as passcodes, remain required for access. This adds an extra layer of protection beyond the standard lock screen.

2. USB Access Restriction:

   One notable aspect of Lockdown Mode is its impact on USB connectivity. When activated, the device restricts USB access, preventing data transfers and other interactions with connected devices. This is particularly crucial in preventing unauthorized access by third-party tools that may attempt to exploit vulnerabilities.

3. App Notifications:

   Users in Lockdown Mode receive notifications, providing them with information about the status of their devices. This ensures transparency and allows users to stay informed about any potential security incidents or unauthorized access attempts.

4. Emergency Calls and Medical ID:

   Lockdown Mode does not compromise essential features such as making emergency calls or accessing the Medical ID information. Users can still reach out for help or provide critical medical information even when their device is more secure.

Conclusion:

As our lives become increasingly intertwined with digital technology, the importance of robust security measures cannot be overstated. Apple's Lockdown Mode exemplifies the company's dedication to user privacy and data protection. Whether activated manually or configured to engage automatically in specific situations, Lockdown Mode serves as a powerful tool to thwart unauthorized access and potential threats, offering users peace of mind in an interconnected world. As technology continues to advance, it is reassuring to see companies like Apple actively investing in features that prioritize user security and privacy.

For more information please contact us at https://brilyant.com/contact/

Zero Touch Setup with DEPNotify

DEPNotify is an application that will guide end-users through the process of enrolling a computer with Automated Device Enrollment. 

An organization can choose to install critical applications after enrollment with MDM, but without a tool such as DEPNotify, end users may not be aware of the process. This application can also ask the end users for information that can be input and then used by administrators for future management.

Two Major components we need to configure for DEPNotify: 

1. the application 
2. the starter script

Note: While deploying the Application package and any other resources related to it should designed with an Apple Developer certificate (if deployed via Jamf, a Jamf Pro Built-in CA certificate can be used).

Download DEPNotify: https://gitlab.com/Mactroll/DEPNotify 

DEPNotify supports a wide range of configurations. These include:

• Customisable text
• Images
• User input fields which can be used for extension attributes
• EULAs
• The ability to open webpages or play a YouTube video
• Full-screen or windowed display
• Progress bars
  

DEPNotify is completely controlled via echoing text to its control file. By default, this is:

“  /var/tmp/depnotify.log “ but can be changed with the -path flag

To Learn about Application flags:  https://gitlab.com/Mactroll/DEPNotify#application-flags

Commands:

You can customise the DEPNotify window with Commands for user Interaction, notification and completion information.

Main Window Setup: https://gitlab.com/Mactroll/DEPNotify#main-window-configuration

Interaction: https://gitlab.com/Mactroll/DEPNotify#interaction

Notification: https://gitlab.com/Mactroll/DEPNotify#interaction

Completion: https://gitlab.com/Mactroll/DEPNotify#completion

If you would like to add advanced workflow, we can write a plist “  menu.nomad.DEPNotify.plist “With this file you can configure various things like the EULA window, registration window, status text alignment and help bubbles.

Ref: https://gitlab.com/Mactroll/DEPNotify#depnotify-plist

DEPNotify starter Script:

The DEPNotify Starter Script is very lengthy but is heavily commented on to help you understand the available settings and how to configure them.

DEPNotify-Starter Github repo contains both starter script and reset script for DEPNotify:

 https://github.com/jamf/DEPNotify-Starter

you can also use the application DEPNotify Set-up Helper to configure the script for you. 

https://github.com/BIG-RAT/DEPNotify-Set-up-Helper 

 

EULAs and images for DEPNotify should not be included in the DEPNotify package but instead can be placed in a package of their own. 

Any package installed during Automated Device Enrollment must be signed with a certificate that can be trusted by the Mac

Deployment Plan with Jamf:

Assuming the Apple Business Manager is well-integrated

Prestage Enrollment: 

You can go computers: Prestage Enrollments create a setting of prestage.

General > apply setting as per your requirement

Configuration Profile add your DEPNotify Configuration

Enrollment Packages add DEPNotify and any EULA or images package (Note both packages should be signed).

when creating a Prestage enrollment, it is best to use the minimum critical settings

Smart Computer Group:

Create a Smart computer Group with Criteria Enrollment Method: Prestage enrollment operator (is) and value Zero Touch

Configuration Profiles:

If any configuration Profile is you would like to deploy during the Zerotouch scope it with the smart Computer Group you created.

Policies:

Create a policy for the DEPNotify starter script and any packages you need to deploy during the DEPprocess set the as “Ongoing” and with a custom trigger with unique to each policy and scope to this smart Group you created before.

Testing on a Local Enrolled Mac:

Before deploying to production you can test the DEPNotify setting function on you enrolled Mac computer.

To Test open terminal and run the command :

sudo jamf policy -event enrollmentComplete

If all has been configured correctly, you should see the DEPNotify application open and a simulation of your workflow. With the testing flag set to "true", your policies and registration information will not execute.

For more information please contact us at https://brilyant.com/contact/

Revolutionising IT Support: A Deep Dive into Jamf Remote Assist

In the fast-paced world of technology, efficient IT support is crucial for businesses to thrive. Jamf, a leading provider of Apple device management solutions, has introduced a game-changing tool – Jamf Remote Assist. This innovative solution is designed to enhance customer support, streamline troubleshooting, and provide a seamless experience for both IT professionals and end-users.

Benefits

Jamf Remote Assist offers benefits for both IT teams and end-users, making it a valuable asset in the realm of IT support.

1. Efficient Issue Resolution:

   - Enables IT professionals to troubleshoot issues remotely, reducing downtime and increasing productivity.

   - Facilitates faster problem-solving, ensuring a seamless user experience.

2. User Empowerment:

   - Allows end-users to request support and receive assistance promptly, enhancing overall satisfaction.

   - Promotes user independence by providing step-by-step guidance for common issues.

3. Enhanced Productivity:

   - Minimizes the need for in-person support, saving time for both IT teams and end-users.

   - Improves workflow efficiency by addressing issues without disrupting the user's work environment.

1. 4. Time Savings:
   

   By eliminating the need for physical presence during troubleshooting, IT professionals can resolve issues swiftly, resulting in significant time savings for both support teams and end-users.

2. 
   

   5. Reduced Costs:
   

   Lower travel expenses, decreased downtime, and efficient issue resolution contribute to cost savings for organizations utilizing Jamf Remote Assist, making it a cost-effective solution.

What Problem Does it Solve?

Jamf Remote Assist addresses several common challenges faced by IT support teams:

1. Limited Accessibility:

   - Overcomes geographical barriers by allowing IT professionals to provide support from anywhere in the world.

2. Resolution:

   - Speeds up the troubleshooting process, reducing the time it takes to resolve technical issues.

3. Resource Optimization:

   - Optimizes IT resources by minimizing the need for on-site visits and maximizing remote support capabilities.

Setup

Configure the Cloud Service Connection: Settings → Global → Cloud services connection

Enable Automatic Distribution of the PPPC Settings for Jamf Remote Assist in Jamf Pro by Nagavating to settings → Computer management →Security                                                         ( On Premises : The first time enabling the Jamf Remote Assist PPPC profile, the administrator must select the data storage location. Options are United States, Asia-Pacific and Europe. Make sure to choose this region carefully. Jamf cannot migrate data between regions at this time.)

Initiate a Jamf Remote Assist session from Jamf Pro: Search Inventory  → Select your Mac  → Management  → Management Commands  → Remote Assist 

Jamf Remote Assist Network Communication Ports:

Jamf Remote Assist utilizes port 5555 over TCP and port 443 for WebSocket Secure (WSS) network communication.

Jamf Remote Assist Components:

Three primary elements make up Jamf Remote Assist:

1. The viewer - A web application that is started in a new tab within the admin computer’s browser whenever a session is requested. This is the tool Jamf Pro admins interact with when viewing and interacting with a remote assist session.

2. The Jamf Remote Assist app - A native application deployed to all computers by Jamf Pro that is responsible for delivering screen and file data to The Viewer. This element is also the part that manages notifications, prompts, and user experience elements displayed on remote computers when sessions are initiated, in progress, or when ended.
   
   Four processes make up the Jamf Remote Assist feature that run on managed computers:
   
   Two processes run as the root user:
   jamfRemoteAssistConnector
   jamfRemoteAssist
   
   Two processes run as the logged-in user:
   jamfRemoteAssistConnectorUI
   jamfRemoteAssist

Conclusion

Jamf Remote Assist emerges as a transformative solution in the realm of IT support, offering a comprehensive set of features to streamline issue resolution and enhance the overall user experience. 

Reference link:

Jamf Blog:  Jamf Remote Assist: Enhancing remote Desktop Sessions in Jamf Pro 

Documentation: Jamf Guide

For more information please contact us at https://brilyant.com/contact/