Tuesday, December 26, 2023

Zero Touch Setup with DEPNotify

DEPNotify is an application that guides end users through the setup of a computer enrolled with Automated Device Enrollment.

An organization can choose to install critical applications with MDM after enrollment, but without a tool such as DEPNotify, end users may not be aware that this is happening. The application can also ask end users for information, which administrators can then use for future management.


There are two major components to configure for DEPNotify:

  1. The application
  2. The starter script


Note: The application package and any related resource packages deployed with it should be signed with an Apple Developer certificate (if deployed via Jamf, a Jamf Pro built-in CA certificate can be used).


Download DEPNotify: https://gitlab.com/Mactroll/DEPNotify 


DEPNotify supports a wide range of configurations. These include:

  • Customisable text
  • Images
  • User input fields which can be used for extension attributes
  • EULAs
  • The ability to open webpages or play a YouTube video
  • Full-screen or windowed display
  • Progress bars


DEPNotify is controlled entirely by echoing text to its control file. By default this is /var/tmp/depnotify.log, but the path can be changed with the -path flag.


To Learn about Application flags:  https://gitlab.com/Mactroll/DEPNotify#application-flags


Commands:

You can customise the DEPNotify window with commands for user interaction, notifications and completion information.


Main Window Setup: https://gitlab.com/Mactroll/DEPNotify#main-window-configuration

Interaction: https://gitlab.com/Mactroll/DEPNotify#interaction

Notification: https://gitlab.com/Mactroll/DEPNotify#interaction

Completion: https://gitlab.com/Mactroll/DEPNotify#completion


For a more advanced workflow, you can write a plist named menu.nomad.DEPNotify.plist. With this file you can configure various things such as the EULA window, the registration window, status text alignment and help bubbles.


Ref: https://gitlab.com/Mactroll/DEPNotify#depnotify-plist


DEPNotify Starter Script:

The DEPNotify Starter Script is very lengthy but is heavily commented to help you understand the available settings and how to configure them.


The DEPNotify-Starter GitHub repo contains both the starter script and a reset script for DEPNotify:

https://github.com/jamf/DEPNotify-Starter


You can also use the application DEPNotify Set-up Helper to configure the script for you:

https://github.com/BIG-RAT/DEPNotify-Set-up-Helper

 


EULAs and images for DEPNotify should not be included in the DEPNotify package but instead can be placed in a package of their own. 


Any package installed during Automated Device Enrollment must be signed with a certificate that the Mac can trust.


Deployment Plan with Jamf:

This plan assumes Apple Business Manager is already integrated with Jamf Pro.


PreStage Enrollment:

Go to Computers > PreStage Enrollments and create a new PreStage enrollment:

  • General: apply settings as per your requirements.
  • Configuration Profiles: add your DEPNotify configuration profile.
  • Enrollment Packages: add the DEPNotify package and any EULA or image package (note that both packages must be signed).

When creating a PreStage enrollment, it is best to use only the minimum critical settings.


Smart Computer Group:

Create a Smart Computer Group with the criteria Enrollment Method: PreStage enrollment, operator "is", and value "Zero Touch" (the name of the PreStage enrollment).


Configuration Profiles:

If there are any configuration profiles you would like to deploy during the zero-touch process, scope them to the Smart Computer Group you created.


Policies:

Create a policy for the DEPNotify starter script and one for each package you need to deploy during the DEP process. Set each policy's execution frequency to "Ongoing", give each one its own unique custom trigger, and scope it to the Smart Computer Group you created earlier.


Testing on a Locally Enrolled Mac:

Before deploying to production, you can test the DEPNotify setup on an already enrolled Mac.

To test, open Terminal and run:

sudo jamf policy -event enrollmentComplete


If all has been configured correctly, you should see the DEPNotify application open and a simulation of your workflow. With the testing flag set to "true", your policies and registration information will not execute.
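The pieces above (the control file commands, one custom-trigger policy per package, and the testing flag) fit together in a short script like the following. This is an added example written for this post, not the DEPNotify-Starter script or DEPNotify's own code. It assumes DEPNotify.app is installed in /Applications/Utilities, that the jamf binary is at /usr/local/bin/jamf, and that the triggers in POLICY_LIST (install_chrome and so on) are placeholders you replace with the custom triggers of your own policies. With TESTING_MODE left at true it only drives the DEPNotify window and prints which policies it would have called.

```shell
#!/bin/sh
# Minimal DEPNotify driver (added example; not the DEPNotify-Starter script).
# Assumptions: DEPNotify.app in /Applications/Utilities, jamf binary at
# /usr/local/bin/jamf, and a Jamf policy with a custom trigger matching the
# second field of each POLICY_LIST line. Triggers below are placeholders.

DEP_NOTIFY_LOG="${DEP_NOTIFY_LOG:-/var/tmp/depnotify.log}"  # default control file
DEP_NOTIFY_APP="/Applications/Utilities/DEPNotify.app"
JAMF_BINARY="/usr/local/bin/jamf"
TESTING_MODE="${TESTING_MODE:-true}"  # true = show the workflow, run no policies

# One "Status text,custom trigger" pair per line (constructed sample).
POLICY_LIST="Installing Google Chrome,install_chrome
Installing Microsoft Office,install_office
Applying security baseline,security_baseline"

# Append a "Command: <Name>: <value>" line to the control file.
dep_cmd() {
  printf 'Command: %s: %s\n' "$1" "$2" >> "$DEP_NOTIFY_LOG"
}

# Update the status text; in determinate mode each Status advances the bar.
dep_status() {
  printf 'Status: %s\n' "$1" >> "$DEP_NOTIFY_LOG"
}

# Number of policies in POLICY_LIST, used to size the determinate progress bar.
policy_count() {
  printf '%s\n' "$POLICY_LIST" | grep -c .
}

# Show the status for one policy and run it by custom trigger, unless testing.
run_policy() {
  status="$1"; trigger="$2"
  dep_status "$status"
  if [ "$TESTING_MODE" = true ]; then
    printf 'TESTING_MODE: would run %s policy -event %s\n' "$JAMF_BINARY" "$trigger"
    return 0
  fi
  "$JAMF_BINARY" policy -event "$trigger"
}

# Walk POLICY_LIST in order; IFS=, keeps spaces inside the status text intact.
run_policies() {
  printf '%s\n' "$POLICY_LIST" | while IFS=, read -r status trigger; do
    [ -n "$trigger" ] || continue
    run_policy "$status" "$trigger"
  done
}

# Start DEPNotify as the console user, pointing it at our control file.
launch_depnotify() {
  console_user=$(echo "show State:/Users/ConsoleUser" | scutil \
    | awk '/Name :/ && ! /loginwindow/ { print $3 }')
  rm -f "$DEP_NOTIFY_LOG"; touch "$DEP_NOTIFY_LOG"; chmod 644 "$DEP_NOTIFY_LOG"
  sudo -u "$console_user" open -a "$DEP_NOTIFY_APP" --args -path "$DEP_NOTIFY_LOG" -fullScreen
}

run_zero_touch() {
  launch_depnotify
  dep_cmd MainTitle "Welcome to Your New Mac"
  dep_cmd MainText "Please wait while we set up your computer. Do not shut it down or close the lid."
  dep_cmd Determinate "$(policy_count)"
  run_policies
  dep_status "Setup complete"
  dep_cmd Quit "Your Mac is ready. Click OK to finish."
}

# Only launch the workflow when explicitly asked: sudo ./depnotify-flow.sh --run
case "${1:-}" in
  --run) run_zero_touch ;;
esac
```

Run it as root with --run on an enrolled Mac (or from a policy on the enrollmentComplete trigger). The determinate bar is sized from policy_count because DEPNotify advances it by one step for every Status line written, so adding a policy to POLICY_LIST keeps the bar accurate without further changes.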


For more information please contact us at https://brilyant.com/contact/


Thursday, December 14, 2023

Revolutionising IT Support: A Deep Dive into Jamf Remote Assist

In the fast-paced world of technology, efficient IT support is crucial for businesses to thrive. Jamf, a leading provider of Apple device management solutions, has introduced a game-changing tool – Jamf Remote Assist. This innovative solution is designed to enhance customer support, streamline troubleshooting, and provide a seamless experience for both IT professionals and end-users.


Benefits

Jamf Remote Assist offers benefits for both IT teams and end-users, making it a valuable asset in the realm of IT support.

1. Efficient Issue Resolution:

   - Enables IT professionals to troubleshoot issues remotely, reducing downtime and increasing productivity.

   - Facilitates faster problem-solving, ensuring a seamless user experience.

2. User Empowerment:

   - Allows end-users to request support and receive assistance promptly, enhancing overall satisfaction.

   - Promotes user independence by providing step-by-step guidance for common issues.

3. Enhanced Productivity:

   - Minimizes the need for in-person support, saving time for both IT teams and end-users.

   - Improves workflow efficiency by addressing issues without disrupting the user's work environment.

4. Time Savings:

   - By eliminating the need for physical presence during troubleshooting, IT professionals can resolve issues swiftly, resulting in significant time savings for both support teams and end-users.

5. Reduced Costs:

   - Lower travel expenses, decreased downtime, and efficient issue resolution contribute to cost savings for organizations utilizing Jamf Remote Assist, making it a cost-effective solution.


What Problem Does it Solve?

Jamf Remote Assist addresses several common challenges faced by IT support teams:

1. Limited Accessibility:

   - Overcomes geographical barriers by allowing IT professionals to provide support from anywhere in the world.

2. Resolution:

   - Speeds up the troubleshooting process, reducing the time it takes to resolve technical issues.

3. Resource Optimization:

   - Optimizes IT resources by minimizing the need for on-site visits and maximizing remote support capabilities.


Setup

Configure the Cloud Service Connection: Settings → Global → Cloud services connection




Enable automatic distribution of the PPPC settings for Jamf Remote Assist in Jamf Pro by navigating to Settings → Computer management → Security. (On-premises: the first time the Jamf Remote Assist PPPC profile is enabled, the administrator must select the data storage location. The options are United States, Asia-Pacific and Europe. Choose this region carefully; Jamf cannot migrate data between regions at this time.)




Initiate a Jamf Remote Assist session from Jamf Pro: Search Inventory  → Select your Mac  → Management  → Management Commands  → Remote Assist 


Jamf Remote Assist Network Communication Ports:

Jamf Remote Assist utilizes port 5555 over TCP and port 443 for WebSocket Secure (WSS) network communication.

Jamf Remote Assist Components:

Three primary elements make up Jamf Remote Assist:

  1. The viewer - A web application that is started in a new tab within the admin computer's browser whenever a session is requested. This is the tool Jamf Pro admins interact with when viewing and interacting with a remote assist session.

  2. The Jamf Remote Assist app - A native application deployed to all computers by Jamf Pro that is responsible for delivering screen and file data to the viewer. This element also manages the notifications, prompts, and user experience elements displayed on remote computers when sessions are initiated, in progress, or ended.

    Four processes make up the Jamf Remote Assist feature on managed computers.

    Two processes run as the root user:
      • jamfRemoteAssistConnector
      • jamfRemoteAssist

    Two processes run as the logged-in user:
      • jamfRemoteAssistConnectorUI
      • jamfRemoteAssist
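A quick way to confirm that those four processes are present and owned by the right accounts is to audit the output of ps. The following script is an added example written for this post, not Jamf's code; it assumes the process names exactly as listed above, treats any non-root account as "the logged-in user", and ships with a constructed ps sample so it runs offline (pass --live to audit the Mac it runs on instead).

```shell
#!/bin/sh
# Added example: check that the Jamf Remote Assist processes are running
# under the expected accounts. Not Jamf's code. Input is the output of
# `ps -axo user=,comm=`, i.e. one "user command" line per process.

# Expected owner per process name ("user" means any non-root account).
# jamfRemoteAssist must be present both as root and as the logged-in user.
EXPECTED="root jamfRemoteAssistConnector
root jamfRemoteAssist
user jamfRemoteAssistConnectorUI
user jamfRemoteAssist"

# Constructed sample of a healthy Mac (not real ps output).
SAMPLE_PS="root   launchd
root   jamfRemoteAssistConnector
root   jamfRemoteAssist
alice  jamfRemoteAssistConnectorUI
alice  jamfRemoteAssist
alice  Finder"

# has_process OWNER NAME PS_OUTPUT: true if NAME runs as OWNER in PS_OUTPUT.
# The command column may be a full path, so compare on its basename.
has_process() {
  owner="$1"; name="$2"; ps_output="$3"
  printf '%s\n' "$ps_output" | awk -v owner="$owner" -v name="$name" '
    { cmd = $NF; sub(/.*\//, "", cmd) }
    cmd == name && ((owner == "root" && $1 == "root") ||
                    (owner == "user" && $1 != "root")) { found = 1 }
    END { exit found ? 0 : 1 }'
}

# audit_remote_assist PS_OUTPUT: print one MISSING line per absent process
# and return non-zero if anything expected is not running as it should.
audit_remote_assist() {
  ps_output="$1"; missing=0
  old_ifs="$IFS"; IFS='
'
  for entry in $EXPECTED; do
    owner="${entry%% *}"; name="${entry#* }"
    if ! has_process "$owner" "$name" "$ps_output"; then
      printf 'MISSING: %s should be running as %s\n' "$name" "$owner"
      missing=$((missing + 1))
    fi
  done
  IFS="$old_ifs"
  [ "$missing" -eq 0 ]
}

# Audit the live system with --live; otherwise demonstrate on the sample.
if [ "${1:-}" = "--live" ]; then
  audit_remote_assist "$(ps -axo user=,comm=)"
else
  audit_remote_assist "$SAMPLE_PS" && echo "All Jamf Remote Assist processes present"
fi
```

A non-zero exit from --live is a useful signal in a check-in script or extension attribute: a missing root-owned connector means sessions will not start, while a missing per-user process usually means nobody is logged in at the console.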

Conclusion

Jamf Remote Assist emerges as a transformative solution in the realm of IT support, offering a comprehensive set of features to streamline issue resolution and enhance the overall user experience. 


Reference link:

Documentation: Jamf Guide


Friday, December 8, 2023

Configuring Account-Driven Enrollment and Enrolling a Personal Device in Jamf Pro

In today's mobile-driven world, organisations need efficient and secure ways to manage employee devices. Apple's Account-Driven Enrollment (ADE) offers a streamlined solution, allowing users to enroll their personal devices in mobile device management (MDM) using their existing Managed Apple IDs. This article explores the benefits of ADE and guides you through the steps of configuring it with Azure Active Directory (AD) and Jamf Pro.

Benefits of Account-Driven Enrollment:

  • Simplified User Experience: Users can enroll their devices using familiar credentials, eliminating the need for dedicated enrollment profiles.
  • Reduced IT Overhead: Organisations no longer need to create and manage individual enrollment profiles for each user.
  • Enhanced Security: Federated authentication provides an additional layer of security, leveraging existing user credentials.
  • Improved BYOD Support: ADE facilitates BYOD programs by allowing users to enroll their personal devices for work purposes.

Prerequisites:

  • Apple Business Manager
  • Microsoft Azure AD subscription
  • Jamf Pro MDM solution
  • Access to the organization’s web host

Wednesday, December 6, 2023

Safeguarding Enterprise Data on Mobile Devices on the Go: The Crucial Role of MDM and Jamf Mobile Threat Defense

In today's digital age, the workforce is increasingly mobile, with employees relying on smartphones and tablets to carry out their daily tasks on their own devices. As enterprises embrace this shift towards mobile productivity, the need to secure sensitive company data on these devices becomes paramount. In this article we'll explore how enterprise data resides on mobile devices and delve into the significance of Mobile Device Management (MDM) and Mobile Threat Defense (MTD) solutions, specifically focusing on Jamf Protect for Mobile security.


Enterprise Data on Mobile Devices:

Mobile devices have become an integral part of the modern workplace, enabling employees to work remotely, collaborate seamlessly, and access critical information on the go. However, this convenience comes with inherent risks, as enterprise data often resides on these devices, making them potential targets for cyber threats and unauthorized access. Whether it's proprietary business information, customer data, or intellectual property, safeguarding this sensitive data is crucial for maintaining trust, compliance, and the overall security posture of an organisation.


What is MDM and Its Key Role in Data Protection:

Mobile Device Management (MDM) is a comprehensive solution designed to manage, monitor, and secure mobile devices within an enterprise. MDM systems empower IT administrators with the tools to enforce policies, configure settings, and ensure compliance across a fleet of mobile devices. Key features of MDM include remote device wiping, app management, and the ability to track device locations, providing a centralized approach to device security.


MDM plays a vital role in data protection by:

1. Policy Enforcement: MDM allows organisations to establish and enforce security policies, ensuring that devices accessing company data adhere to predefined standards.

2. Data Encryption: MDM solutions often include encryption features, protecting data stored on devices from unauthorised access.

3. Remote Management: In case of loss or theft, administrators can remotely wipe sensitive data from the device, preventing it from falling into the wrong hands.



Introduction to Mobile Threat Defense (MTD) and Jamf Protect for Mobile security:

Mobile Threat Defense (MTD) is a specialized solution focused on identifying and mitigating mobile-specific security threats. With the increasing sophistication of mobile malware and phishing attacks, having a dedicated MTD solution becomes crucial for a comprehensive security strategy.

Jamf Protect for Mobile security is a leading MTD solution designed specifically for Mobile devices, providing advanced threat detection and real-time response capabilities. It offers:

1. Threat Detection: Jamf Mobile Threat Defense employs advanced algorithms to detect and respond to mobile-specific threats, such as malicious apps and network vulnerabilities.

2. Zero-Day Threat Prevention: The solution proactively identifies and blocks threats, even those that exploit vulnerabilities not yet known to the security community.

3. Integration with MDM: Jamf Mobile Threat Defense seamlessly integrates with MDM solutions, creating a holistic approach to mobile device security.

Below is a feature comparison of Jamf Protect for Mobile security, Mobile Device Management (MDM), and Mobile Application Management (MAM), listed per feature:

Security
  • Jamf Protect for Mobile security: Provides advanced threat detection and remediation for iOS and Android.
  • MDM: Focuses on device-level security, enforcing policies, encryption, and compliance.
  • MAM: Concentrates on securing and managing individual applications, ensuring data protection.

Threat Detection
  • Jamf Protect for Mobile security: Identifies and mitigates mobile threats, malware, and vulnerabilities in real-time.
  • MDM: Monitors and manages device security, but may not offer advanced threat detection.
  • MAM: Primarily concerned with securing and managing the applications rather than threat detection.

Device Policies
  • Jamf Protect for Mobile security: Limited to threat defence policies, ensuring a secure environment.
  • MDM: Enforces a wide range of device-level policies such as passcodes, encryption, and restrictions.
  • MAM: Focuses on application-level policies, controlling how applications interact with data and other apps.

App Deployment
  • Jamf Protect for Mobile security: Primarily focused on threat defence; may not handle app deployment.
  • MDM: Centralized deployment and management of apps on devices.
  • MAM: Manages the distribution, updating, and removal of applications on individual devices.

Device Configuration
  • Jamf Protect for Mobile security: Limited device configuration options, mainly related to security settings.
  • MDM: Offers comprehensive device configuration settings for a wide range of parameters.
  • MAM: Primarily concerned with configuring how individual applications operate on devices.

User Authentication
  • Jamf Protect for Mobile security: May integrate with existing authentication systems for enhanced security.
  • MDM: Enforces user authentication and access controls to the device.
  • MAM: Focuses on securing access to and within individual applications, often using single sign-on (SSO).

Containerization
  • Jamf Protect for Mobile security: May utilise containerisation for isolating and securing apps and data.
  • MDM: Generally focuses on device-level containerization for work and personal data separation.
  • MAM: Leverages containerization to isolate and protect individual applications and their data.

Data Protection
  • Jamf Protect for Mobile security: Emphasises threat defence for data protection against malicious activities.
  • MDM: Enforces encryption and policies to protect data on the device.
  • MAM: Concentrates on securing data within individual applications, often through app-specific policies.

Device Inventory
  • Jamf Protect for Mobile security: Limited device inventory features; primarily focused on threat-related information.
  • MDM: Provides detailed device inventory, tracking hardware and software details.
  • MAM: Offers basic information on devices, but emphasizes more on app-related details.

Platform Support
  • Jamf Protect for Mobile security: Typically focused on iOS, Android, Windows and Mac devices.
  • MDM: Supports a wide range of mobile operating systems, including iOS, Android, and others.
  • MAM: Works across various platforms, ensuring compatibility with different operating systems.


Comparing the Cybersecurity Capabilities of MDM, MAM and Jamf Mobile Threat Defense

Each cybersecurity capability is listed with how Jamf Protect for Mobile security, MDM (Mobile Device Management) and MAM (Mobile Application Management) address it:

Device Security
  • Jamf Protect for Mobile security: Comprehensive protection against known and unknown threats, including malware, phishing, and network attacks.
  • MDM: Device-level control and policy enforcement, ensuring devices comply with security standards.
  • MAM: Focuses on application-level security, limiting access to sensitive data and functionality.

Data Encryption
  • Jamf Protect for Mobile security: Strong encryption protocols for data at rest and in transit, safeguarding sensitive information.
  • MDM: Device-centric encryption to protect data stored on devices, reducing the risk of data breaches.
  • MAM: Emphasizes encryption and secure transmission of data within mobile applications, protecting sensitive data.

Access Control
  • Jamf Protect for Mobile security: Granular control over device access, user authentication, and authorization, reducing the risk of unauthorized access.
  • MDM: Centralized control over device access, user roles, and permissions to manage access points effectively.
  • MAM: Application-specific access controls to restrict user access based on roles and responsibilities.

App Security
  • Jamf Protect for Mobile security: Monitors and secures applications against malicious activities, ensuring only approved and secure apps are allowed.
  • MDM: Controls app installation and updates, preventing the use of unauthorized or outdated applications.
  • MAM: Focuses on securing individual applications, often using containerization to isolate app data and functionality.

Network Security
  • Jamf Protect for Mobile security: Proactive threat detection and prevention for network-based attacks, safeguarding device communications.
  • MDM: Manages network configurations and connections to prevent unauthorized access, reducing the risk of network-related threats.
  • MAM: Prioritizes securing data transmitted between mobile apps and corporate servers, minimizing the risk of data interception.

Threat Intelligence
  • Jamf Protect for Mobile security: Integration with threat intelligence feeds for real-time updates on emerging threats, enhancing proactive defence mechanisms.
  • MDM: Limited threat intelligence integration, relying on periodic updates and manual security assessments.
  • MAM: Utilizes threat intelligence to assess risks associated with specific mobile applications, focusing on app-level threats.

Compliance Management
  • Jamf Protect for Mobile security: Comprehensive compliance tracking and reporting to ensure devices adhere to regulatory and organizational security requirements.
  • MDM: Enforces compliance policies to meet regulatory standards, with centralized reporting for audit purposes.
  • MAM: Focuses on application compliance, ensuring that mobile apps adhere to security policies and regulatory standards.

Security Policy Enforcement
  • Jamf Protect for Mobile security: Enforces security policies at the device and application levels, ensuring consistent adherence to security standards.
  • MDM: Centralized enforcement of security policies to maintain a standardized security posture across all devices.
  • MAM: Implements policies specific to application behaviour, enhancing control over app-level security configurations.

Security Gaps:

  • Limited Visibility: MDM and MAM solutions often lack comprehensive visibility into app activity, making it difficult to detect malicious behaviour or data breaches.
  • Limited Control: MDM and MAM solutions may not have sufficient control over personal devices, making it difficult to enforce security policies and prevent data leakage.
  • Limited Protection: MDM and MAM solutions often offer limited protection against sophisticated threats, such as zero-day attacks and advanced malware.


Why Choose MDM and Jamf Mobile Threat Defense:

1. Comprehensive Protection: The combination of MDM and Jamf Protect for Mobile security provides end-to-end security, addressing both device management and threat detection on Mobile devices.

2. User Productivity: By ensuring the security of mobile devices, organisations can foster a productive and collaborative work environment without compromising on data safety.

3. Regulatory Compliance: MDM and  Jamf Protect for Mobile security help organisations meet regulatory requirements for data protection and privacy, reducing the risk of legal consequences.


Mitigation Strategies:
  • Implement Mobile Device Management (MDM): MDM solutions provide basic security features, such as device lock/wipe, app blacklisting and password policies.
  • Use Mobile Application Management (MAM): MAM solutions offer more granular control over app behaviour and data access.
  • Utilize Mobile Threat Defense (MTD): MTD solutions provide advanced threat detection and protection capabilities.
  • Implement strong password policies and multi-factor authentication.
  • Educate users on mobile security awareness and best practices.
  • Utilize encryption at rest and in transit.
  • Implement data loss prevention policies.
  • Enforce BYOD policies and provide secure alternatives for accessing corporate resources.


Note: The specific capabilities and gaps may vary based on the versions and configurations of the mentioned solutions. It is recommended to refer to the latest documentation and consult with vendors for the most accurate and up-to-date information.

