MacStealer malware: A growing threat to macOS users

Month: March 2023

Author: March 30, 2023 by Jamf Threat Labs

Source: https://www.jamf.com/blog/macstealer-malware-macos-threat/

As cybersecurity threats continue to evolve, a new macOS malware called MacStealer has emerged, posing a significant risk to users. This malicious software, discovered by the Uptycs threat research team, is capable of extracting sensitive data, documents and login credentials from macOS systems. It uses Telegram for its command and control operations. In this blog post, we will provide an overview of MacStealer, how it works and how Jamf Protect ensures your macOS devices are protected against this threat.

Threat: MacStealer

A new macOS malware variant, dubbed MacStealer, has been discovered and linked to a threat actor distributing the malicious code via the dark web. This stealer can extract a variety of files, browser cookies, and login information from a victim’s system. It also has the ability to collect passwords, cookies and credit card data from popular browsers like Firefox, Google Chrome and Brave.

Affects:

MacStealer targets macOS systems running Catalina and subsequent versions on Intel, M1 and M2 CPUs. It is expected to become more widespread due to its high demand among threat actors.

Prevented by:

Jamf Protect threat prevention blocks the execution of MacStealer, effectively safeguarding your macOS devices from this malicious software. It is essential to keep your Mac systems up-to-date with the latest updates and patches and only install files from trusted sources.

Malicious URLs:

MacStealer communicates with command and control servers via Telegram channels, utilizing the popular messaging platform — known for its privacy protections — for its operations.

Conclusion

MacStealer is a growing threat to macOS users and it’s crucial to stay informed about the latest cybersecurity risks. Jamf Protect ensures your macOS devices are protected against this malware, allowing you to maintain the security of your systems. Keep your Mac devices updated with the latest patches and exercise caution when installing files from untrusted sources to minimize the risk of falling victim to MacStealer and other cyber threats.

IOCs (as discovered by Uptycs)

SHA1 Hashes:


C2 URL:

hxxp[:]//mac[.]cracked23[.]site/uploadLog

C2 domain:

mac[.]cracked23[.]site

Telegram channels:

hxxps[:]//t[.]me/macos_stealer_2023

hxxps[:]//t[.]me/macos_logsbot
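One way to put the network indicators above to work is to refang them and match them against web-proxy logs. The script below is an added example, not code from Jamf or Uptycs. The five-field log format, the client IPs and the sample lines are constructed for illustration. Because `t.me` is a shared, legitimate host, the Telegram indicators are matched on host plus channel path rather than on host alone.

```python
from urllib.parse import urlsplit

# Defanged indicators copied from the IOC list in this post.
C2_DOMAIN = "mac[.]cracked23[.]site"
URL_IOCS = [
    "hxxp[:]//mac[.]cracked23[.]site/uploadLog",
    "hxxps[:]//t[.]me/macos_stealer_2023",
    "hxxps[:]//t[.]me/macos_logsbot",
]

# Constructed sample log: timestamp, client IP, method, target, status.
SAMPLE_LOG = """\
2023-03-30T10:01:02Z 10.0.0.15 POST http://mac.cracked23.site/uploadLog 200
2023-03-30T10:01:05Z 10.0.0.15 GET https://t.me/macos_logsbot 200
2023-03-30T10:02:11Z 10.0.0.22 GET https://t.me/some_other_channel 200
2023-03-30T10:03:40Z 10.0.0.22 CONNECT t.me:443 200
2023-03-30T10:04:00Z 10.0.0.31 GET http://MAC.cracked23.site./ping 404
2023-03-30T10:05:00Z 10.0.0.40 GET https://example.com/?q=mac.cracked23.site 200
"""


def refang(indicator):
    """Turn a defanged indicator back into a parseable URL or hostname."""
    return (indicator.replace("hxxps", "https")
                     .replace("hxxp", "http")
                     .replace("[:]", ":")
                     .replace("[.]", "."))


def normalize_host(host):
    """Lower-case a hostname and drop the trailing root dot, if any."""
    return (host or "").rstrip(".").lower()


def build_url_rules():
    """Split each URL indicator into (host, path, original defanged form)."""
    rules = []
    for ioc in URL_IOCS:
        parts = urlsplit(refang(ioc))
        rules.append((normalize_host(parts.hostname),
                      parts.path.rstrip("/").lower(), ioc))
    return rules


DOMAIN = normalize_host(refang(C2_DOMAIN))
URL_RULES = build_url_rules()


def match_request(method, target):
    """Return the defanged IOC a request matches, or None."""
    if method.upper() == "CONNECT":
        # HTTPS tunnel without TLS inspection: only host:port is visible,
        # so a channel path on a shared host cannot be confirmed.
        host = normalize_host(target.rsplit(":", 1)[0])
        path = None
    else:
        parts = urlsplit(target)
        host = normalize_host(parts.hostname)
        path = parts.path.rstrip("/").lower()

    # Dedicated C2 domain: any request to it or to a subdomain is a hit.
    if host == DOMAIN or host.endswith("." + DOMAIN):
        return C2_DOMAIN

    # Shared host: require the exact channel path, not just the host.
    if path is not None:
        for rule_host, rule_path, ioc in URL_RULES:
            if host == rule_host and (path == rule_path
                                      or path.startswith(rule_path + "/")):
                return ioc
    return None


def scan(log_text):
    """Return (client_ip, matched_ioc) for every matching log line."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip lines that do not fit the constructed format
        _ts, client, method, target, _status = fields
        ioc = match_request(method, target)
        if ioc:
            hits.append((client, ioc))
    return hits


if __name__ == "__main__":
    for client, ioc in scan(SAMPLE_LOG):
        print(f"{client} matched {ioc}")
```

The `CONNECT t.me:443` line is deliberately not flagged: without TLS inspection the proxy sees only the host, so the Telegram channel indicators are usable only where full URLs are logged.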

Don’t wait until an incident occurs to look into getting the best-of-breed endpoint security for Apple.

Try out Jamf Protect and start securing your devices, users and data today…they’ll all thank you for it!


Mastering security compliance for Mac and mobile devices

Month: March 2023

Author: March 29, 2023 by Laurie Mona

Source: https://www.jamf.com/blog/security-compliance-mac-mobile-devices/

As more organizations bring Apple devices into the workplace, it’s essential to develop a solid plan to ensure you can maintain compliance with IT policies and meet industry security benchmarks and regulations.

In our webinar, Optimizing Mac and Mobile Compliance, Aaron Webb, Jamf Security Product Marketing Manager, discusses various forms of security compliance and how to effectively implement controls for both corporate-owned and Bring Your Own Devices (BYOD) in your organization.

Check out the Optimizing Mac and Mobile Compliance webinar.

 

What does compliance mean?

Compliance in security means adhering to laws, industry standards and data and security requirements. An organization’s compliance management strategy is largely dependent on their industry, their device and data use cases and legal requirements.

When thinking about compliance in the data security space, it’s critical for organizations to understand that if compliance is not met you risk:

  • Data breaches and leakage
  • Monetary loss: fines or settlements
  • Loss of customers, accounts or jobs
  • Loss of reputation

Benefits of compliance

Besides avoiding monetary fines and sanctions, following security compliance in an organization brings several benefits, such as:

  • Protecting your company’s reputation
  • Mitigating security risks
  • Enhancing customer confidence
  • Improving operational efficiency
  • Staying ahead of the competition

Compliance frameworks

There are three popular compliance frameworks that organizations use to ensure that they meet certain security and regulatory standards.

  • CIS (Center for Internet Security) Benchmarks: Guidelines designed to help organizations secure their networks and systems. They focus on practical, actionable steps that organizations can take to mitigate common cyber threats.
  • NIST (National Institute of Standards and Technology): Comprehensive guide to managing cybersecurity risk based on five core functions: identify, protect, detect, respond and recover. Emphasizes the importance of risk assessment and management, as well as continuous monitoring and improvement.
  • ISO (International Organization for Standardization): ISO 27001 is a standard for information security management systems (ISMS). Covers a wide range of security controls, including physical security, access control and incident management.

Many regulated industries are also required to implement a security benchmark, such as:

  • Healthcare organizations need to meet HIPAA (Health Insurance Portability and Accountability Act) requirements
  • Retail or e-commerce companies who process credit card transactions may have systems subject to PCI DSS (Payment Card Industry Data Security Standard)
  • Schools and colleges need to apply protections for ensuring the privacy of the student education records under the Family Educational Rights and Privacy Act (FERPA)

Compliance Best Practices

With compliance and benchmarks established, you need to consider best practices for optimizing compliance on macOS and mobile devices.

  • Security baselines and benchmarks: Organizational agreement to configure set controls on devices, with continual verification that devices remain in compliance
  • Use device management tools: A mobile device management (MDM) solution like Jamf Pro can automate configuration and deployment, manage apps, inventory all devices and enforce configurations and policies to ensure compliance
  • Ensure all devices are updated: Keep operating systems, apps, and software up-to-date
  • Implement encryption and password policies: Enable full-disk encryption on all devices and require strong passcodes or biometric authentication.
  • Educate end users: Train users on security best practices. According to the 2021 Data Breach Investigations Report by Verizon, 85% of data breaches were due to the “human element”, which shows the importance of training the workforce.

Better together: MDM and Endpoint Security

Endpoint Security solutions are critical tools for enforcing compliance policies on macOS and mobile devices. MDM and Endpoint Security go hand in hand and these technologies help organizations ensure that their employees’ devices are secure, up-to-date and in compliance with relevant regulations.

Balancing security and privacy: mobile BYOD

Jamf offers workflows that streamline the way end users enroll their personally-owned devices and separates personal data from corporate data. This provides “just right” management and security for IT and maintains personal privacy for the user.

Unique considerations: Mac and regulated industries

The macOS Security Compliance Project (mSCP) aims to ensure that Apple’s operating system, macOS, is secure and compliant with various security standards and regulations.

This open-source effort provides a programmatic approach to generating security guidance and is a joint project of federal operational IT Security staff from the National Institute of Standards and Technology (NIST), National Aeronautics and Space Administration (NASA), Defense Information Systems Agency (DISA) and Los Alamos National Laboratory (LANL).

By implementing security controls, configuring settings, and monitoring the system, organizations can reduce the likelihood of security incidents and ensure that they are meeting their security obligations.

The Jamf Compliance Editor is a tool built on the foundations of the macOS Security Compliance Project that provides macOS system administrators with an easy way to establish and manage compliance baselines on their fleet of macOS devices.

Complete compliance with Trusted Access

The transformation of the modern workplace to an ever-more connected mobile workforce makes the protection and security of your data and devices a critical concern.

With the rise of Apple technology in organizations, how can you ensure complete compliance with faster onboarding, application-specific policy enforcement, and a simple, streamlined user experience that is consistent for employees, contractors, and third parties alike?

Jamf specializes in helping organizations manage and secure Apple at work with an approach we call Trusted Access. Trusted Access combines and connects the best elements of device management, identity and access workflows as well as endpoint security.

With Trusted Access, your employees can be productive on the devices they love while ensuring that your organization can verify and trust every user, every device and every connection made to work resources.

Ready to optimize your Apple device security compliance?


Do you really need Apple Business Manager?

Month: March 2023

Author: March 28, 2023 by Felix Peters

Source: https://www.jamf.com/blog/do-you-really-need-apple-business-manager/

At Jamf we often hear the question, “Do I really need Apple Business Manager (ABM) to manage my Apple devices if I already have mobile device management (MDM)?” Though it depends on your current situation and what you’d like to achieve, the short answer is yes if you want to get the most from your Apple devices.

To get into the long answer, ABM not only adds useful security options and supervision possibilities, but the whole out-of-the-box user experience is unmatched. Alongside your MDM solution to fill the gaps, ABM (as well as Apple School Manager, or ASM) provides a solid set of features to make managing your fleet easier.

When do I need ABM?

For example, think about these three different scenarios in which Apple Business Manager could lend a hand:

  • You are purchasing new devices or refreshing old ones
  • You want to be prepared even if you’re not planning a device refresh for a while
  • You are constantly increasing your company’s Apple hardware or you expect a steep increase in the near future

All three scenarios can be reasons to combine Apple Business Manager and MDM to ease IT pain points, control and remediate problems, create efficient onboarding experiences and improve end-user productivity. Apple Business Manager alone isn’t a fix-all magic wand, but it integrates useful solutions and add-ons to save time, stress and effort.

What can ABM do?

ABM is a free tool that functions as a database of your Apple purchases. It not only keeps track of devices, but also your App Store Apps and Apple IDs. Because of this, you can deploy apps to any Apple device without the need for an Apple ID or by having a Managed Apple ID on these devices (a standard Apple ID works as well).

All new devices show up in Apple Business Manager right after they are purchased so these devices can be assigned a Name, User, Groups, Apps etc., before even being shipped to your location, or even better, direct to the end user’s home. The end user can receive their new device, unpack it and start it up — all without you ever having to touch it.

For the Mac, the use of Jamf Connect can be helpful at this stage, to create a local user account based on your Identity Provider (IdP). The user will therefore have the same user credentials and password for their Mac as for every other app or resource within the company, all in sync with your IdP.

Meanwhile Apple Business Manager will have already forwarded the serial number to your MDM, and the rest is like magic. Apps, restrictions, settings, even PDFs seamlessly install while the end user logs in for the first time so they can start working right away.

Even if you are not investing in new Apple hardware right now, you can still apply for Apple Business Manager, set it up, configure it and link it to your MDM to prepare yourself for future additions to your fleet. Don’t forget that if a device gets wiped, it will always reconnect to your Apple Business Manager after reinstalling the OS and, therefore, will always be in your company’s control and equipped with the right tools.

Maybe a device has gone missing? If it is powered on and reinstalls the OS, it will automatically add itself to your MDM instance and will be under company control again.

Think about a company continuously growing their headcount, and in turn, growing their device count. With Apple Business Manager they don’t need to add every single device manually to their management system — it appears right after purchase.

Note that iOS, iPadOS and macOS devices can be added to ABM afterwards through an app called Apple Configurator. This app needs to be installed on an admin’s iPhone. This is not the preferred method, but it does help, if you want to have all your devices in ABM to ensure the same level of security and management can be applied to all company-owned devices.

So, when it comes down to it, yes, you can use an MDM tool without ABM, but you will be missing out on a ton of useful features. This is also a two-way street: you can have ABM without MDM, but then Apple Business Manager will only function as a serial number database. In summary, a combination of both will give you the best experience.

Realize you’re lacking Apple Business Manager? Reach out to your Apple representative to get things in place.

Or maybe you’ve got ABM and are looking to fully empower yourself with mobile device management?


Jamf School how-to: Renew APNS certificates and ASM Tokens


Month: March 2023

You must have a push certificate in Jamf School to manage devices with Jamf School. Devices enrolled prior to May 2, 2017 are managed by a push certificate in Jamf School. To check if your devices are managed by Jamf School, navigate to Settings > Apple Push Notification Service. If the Push Topic is “com.apple.mgmt.XServer.01ab0995-0663-4e2d-a001-25e9ef3eaf9e”, the devices are currently managed by Jamf School. You must create your own certificate for future enrollments. If a new certificate is created, enrolled mobile devices will not be able to receive MDM commands unless they are re-enrolled. Apple requires the Apple Push Notification service (APNs) certificate to be renewed every year.

Important:

If the original Apple push certificate expires or is deleted, you must manually re-enroll all managed devices.

Requirements

If you are renewing a push certificate that was originally obtained from Apple’s iOS Developer Program (iDEP), you must use the Apple ID for the iDEP Agent account used to obtain the certificate.

Note: Apple recommends that you use one corporate Apple ID for push certificates and a separate one for Apple School Manager.

Renewing an Apple Push Certificate

  1. In Jamf School, navigate to Organization > Settings in the sidebar.
  2. Click the Apple Push Notification Service payload.
  3. Click Renew Push Certificate.
  4. On the pop-up dialog, click Download Certificate Signing Request. The certificate signing request (.csr) downloads.
  5. In a new window or tab, navigate to the Apple Push Certificates Portal: https://identity.apple.com/pushcert
  6. Log in to the portal with your Apple ID.
  7. Click Renew next to the current Jamf School certificate.
  8. Upload the certificate signing request you downloaded from Jamf School.
  9. Click Upload, and then click Download. The Apple push certificate (.pem) will download.
  10. Return to the Jamf School tab in your browser. In the pop-up dialog, upload the Apple push certificate.
  11. Click Apply.

Renewing or Replacing a Service Token from Apple School Manager

  1. Log in to Apple School Manager at https://school.apple.com.
  2. Click on your account name in the lower-left corner, and then choose “Preferences” from the pop-up menu.
  3. Click Payments and Billing.
  4. Under the Apps and Books tab, click the correct server location token. The token downloads to the Downloads folder on your computer.
  5. Navigate back to Jamf School and upload the server token.
  6. In Jamf School, navigate to Settings in the sidebar.
  7. Click the Content (Volume Purchasing) payload.
  8. Click Replace on the token you want to renew.
  9. Upload the token file (.vpptoken) that you downloaded from Apple School Manager.
  10. Click Apply.

Need help? Contact us


Jamf Pro or Jamf Business plan: which is right for you?

Month: March 2023

Author: March 27, 2023 by Haddayr Copley-Woods

Source: https://www.jamf.com/blog/apple-devices-jamf-business-plan/

Jamf Pro already packs a powerful punch.

Designed to automate mobile device management, Jamf Pro is the Apple device management tool that offers unified ecosystem management for Apple devices. From that very first power-on and throughout the device lifecycle, Jamf Pro offers customizable setup and device management beyond configuration profiles. It offers customizable device management, automated and secure app management, and automated inventory management of hardware, software and security configuration details.

Want to simplify and increase your reach?

Learn more about the Jamf Business plan.

Jamf Pro’s secure features

While Jamf Pro isn’t an endpoint protection solution, it does offer quite a few ways to harden your organization’s security posture.

  • Zero-touch deployment can provision devices to meet the needs of the user and continue to keep Apple devices and apps up-to-date, including support for secure BYOD programs
  • Jamf’s Self Service app offers end-users the chance to install and update secure and vetted apps from your own catalog, ensuring they download only trusted, up-to-date versions of apps
  • Manage Apple’s built-in security features that can restrict malicious software remotely and automatically patch apps with device settings and configurations

Jamf AND: the Jamf Business plan

You can automate device deployment, management and security with the Jamf Business plan that combines Jamf Pro, Jamf Connect and Jamf Protect. With the Jamf Business plan, you can manage your entire Apple ecosystem, connect users securely and protect each Apple endpoint from vulnerabilities.

Manage devices

You’ll receive automated enrollment and configuration for personalized zero-touch deployment, robust device management and a centralized location to license, deploy and automate app management. In addition to Self Service, admins can see everything through customizable inventory dashboards, advanced search and alerts.

Secure data and endpoints

Security with the Jamf Business plan offers:

The Jamf Business plan is particularly well-suited to power your organization’s Bring Your Own Device (BYOD) plan, as Jamf admins can secure corporate data while protecting end-user privacy, configuring work-only settings separate from personal settings, and ensuring only authorized users on enrolled devices can access work apps and data. All right at their fingertips, in one place.

Have simpler needs?

You might want to consider the Jamf Fundamentals plan that provides enhanced management, core identity elements and cutting-edge security within Jamf Now’s intuitive platform. If you need help deciding between the two plans, read this blog post comparing Jamf Business plan and Jamf Fundamentals.

Still unsure about whether a product or plan is best for your business?

Learn how Jamf Now, Jamf Pro, the Jamf Fundamentals plan and Jamf Business plan compare in our detailed Jamf management product and plan comparison.

Want the whole shebang? Try Jamf Business plan free today.


Your Mac admin journey from zero to hero

Month: March 2023

Author: March 27, 2023 by Tim Herr

Source: https://www.jamf.com/blog/mac-admin-skills-development/

Is macOS device management a new area for you? Whether you’re just new to Mac or completely starting from scratch as an admin, there is a lot of Apple-specific knowledge that you may feel like you’ll take years to absorb. But the good news is that getting started as a Mac admin doesn’t have to be as intimidating as it might sound. We offer the resources you can use to get the basic concepts down first and then start moving into progressively more advanced techniques and tools of the trade. If you like what you see here, feel free to bookmark this page and return to it as you grow into your Mac management role.

Start learning the ropes of Mac management

There are a lot of elementary concepts to understand when you start working on device management, and if you come from a management background with non-macOS devices, you’ll already have a head start in understanding these. But no worries either way! Our handy “Mac Management for Beginners” webinar and e-book are great resources to refer back to often in these early days, as you’re gradually starting to absorb what these fundamentals mean and how they relate to each other.

As a beginner, you’ll be learning about things such as:

  • Configuration profiles and management commands
  • Client management functions
  • Helpful Apple services and programs
  • Lifecycle management stages
    • Mac deployment and provisioning
    • Configuration management
    • App management
    • macOS inventory
    • Mac security
    • User empowerment

Mastering these basics will soon have you performing zero-touch deployments, building on native Apple security and otherwise enjoying the power and flexibility that comes with Mac management. You’ll probably be surprised at how much progress you can make in a short amount of time.

Start experimenting with scripting and automation

Were you hoping that this would be a little farther down the list? The truth is that you don’t need to worry about becoming a scripting wizard right away; even learning a few basic commands can help you to automate repetitive tasks and do your job more quickly and efficiently. Once you start reaping the benefits, you’ll likely feel motivated to further increase your scripting knowledge. Our beginning scripting guide for Apple admins and our “Scripting 101” and “Scripting 102” videos are great places to start learning Terminal syntax and useful commands so you can let automation do the tedious parts of your job for you.

Join the Mac Admins and Jamf Nation communities

No matter how detailed the documentation and training resources that you use, there are going to be times – and probably sooner rather than later – when real-world problems leave you stumped. The good news is that there are Mac admins all over the world tinkering with equivalent workflows, and it’s overwhelmingly likely that someone out there has dealt with a similar enough problem to be able to help.

The Mac Admins community started on Slack and soon added a popular podcast and a repository of popular community projects on GitHub, eventually starting a 501(c)(3) charitable organization in order to promote sustainable and equitable growth. This is a wonderful place to network with your more experienced peers and find help with navigating the unpredictable roadblocks you’ll encounter in your work. The Mac Admins Foundation also works with Apple to subsidize training and certification for aspiring admins who need financial help.

Note: Up to this point, we’ve focused on resources that will be helpful to all Mac admins, regardless of what mobile device management (MDM) solution you use to do your job. The remaining content on this page is dedicated to advanced support for Jamf admins. If you’re not already using Jamf for Mac management and you’d like to try it out, then follow the link at the bottom of this post to request a free trial!

Mac admins who use a Jamf MDM solution will find additional support in Jamf Nation, the largest peer-led community of Apple IT, security and education professionals. The perfect complement to Jamf Support, Jamf Nation can help with troubleshooting, automation and more. You can also make new friends and meet up with them either virtually or in person at our annual Jamf Nation User Conference! Once you start to really feel like part of a community, solving problems and learning new techniques can become simple, social activities.

Get to know one of the Jamf APIs

Jamf’s MDM solutions use Application Program Interfaces (APIs) to communicate with other systems, and a major benefit of using the Jamf platform is the wealth of integrations available for third-party applications and major ecosystems like Microsoft and Google. Familiarizing yourself with a Jamf API can empower you to develop more advanced management workflows. To get started, you can consult our documentation on “Which API should I use?” and proceed to the Classic API overview or Jamf Pro API overview.

As one great example, you can use Apple’s Swift programming language with the Jamf Pro API to get greater efficiency out of command-based tasks targeting managed devices. Admins who want to learn about and experiment with this connection can check out our expert blog series (Parts 1, 2, 3, 4 and 5) for step-by-step instructions on unlocking new workflows.

Access specialized tools for Jamf admins

Jamf’s mission is to help organizations with Apple, but can anyone help admins with Jamf? Rocketman is a company that offers the Jamf Toolkit, a collection of scripts and documentation designed specifically to aid Jamf admins at work. With these or other scripts and tools offered by outside organizations or Mac admins you encounter online, there are many opportunities to tighten up your workflows and save time for the most important and fulfilling parts of your job.

We hope this helps you to advance in your career and face your fears as you progress from Mac management novice to seasoned pro. Check out our huge collection of online resources for more, or sign up for training if you want some extra help to hit the ground running. We believe in you!

Ready to get the most out of Mac management with Jamf?

Sign up for a free trial today!


What is Mobile Application Management (MAM)?

Month: March 2023

Author: March 23, 2023 by Haddayr Copley-Woods

Source: https://www.jamf.com/blog/mdm-mam-mem-and-emm/

What is Mobile Application Management?

What does mobile application management do?

Mobile application management (MAM) allows IT to control enterprise applications on corporate- and personally-owned mobile devices.

MAM software allows IT administrators to apply and enforce corporate policies on mobile apps and to limit the sharing of corporate data among apps. It also enables the separation of business apps and data from personal content on the same device. The powers of MAM, however, are limited.

Learn about mobile device and app management for your BYOD program.

Read Jamf and Apple: BYOD Programs Done Better.

What are the limitations of MAM?

On its own, MAM has some drawbacks.

MAM without an MDM:

  • Cannot configure WiFi and email or automatically install apps
  • Relies on users downloading their own apps
  • Can frustrate users with slow VPN connections or an awkward user experience
  • Can have limited app availability
  • Can struggle with offering a seamless experience in an OS specifically built for

What is Mobile Device Management (MDM)?

Mobile device management allows IT to automate, manage, and deploy policies on devices connected to an organization’s network.

A good MDM like Jamf Pro will allow you to offer personalized devices that help employees do their best work most efficiently. An MDM automates repetitive management tasks and boosts security by eliminating human error.

Jamf’s MDM products offer:

And many more.

What is the difference between MAM and MDM?

tl;dr: MAM focuses exclusively on apps; MDM can work with a MAM or manage apps on its own as part of a much larger offering.

While MAM can partition apps on a user-owned device, it’s not able to manage or secure the work portion of the mobile device. An MDM can.

And the most user-friendly, secure choice for employees —whether they use corporate-owned devices or their own— is Apple.

An Apple-first MDM such as Jamf Pro leverages Apple’s iron-clad privacy protections and seamless partitioning of mobile devices into work volumes and personal volumes to offer a seamless app experience while still keeping the data absolutely separated.

Can an MDM manager see personal apps on a BYOD device?

Absolutely not.

With Apple and Jamf, MDM admins are categorically unable to view employees’ private photos, texts or even what apps they have loaded. While from a user’s point of view all of their apps are available side-by-side, from a Mac admin’s point of view, there are only work-related apps and data.

Putting it all together

While MAM is a specific tool for managing apps and partitioning employee-owned devices, you’ll need an MDM to enable the whole package: Enterprise Mobility Management.

What is Enterprise Mobility Management?

Enterprise Mobility Management is a truly complete system for managing and securing devices, networks, users and data.

An EMM such as Jamf builds on MDM capabilities with fully-integrated endpoint protection, threat prevention and remediation, identity and access management, Zero Trust Network Access (ZTNA) and more.

Apple and Jamf

For the most secure, useable, efficient and private Enterprise Mobility Management: you need to start with Apple. Apple’s legendary stability, privacy protections, efficiency and native security features are simply unmatched.

If you want to continue offering employees the excellent user experience they’ve come to expect from an iPhone or iPad, you need an organization that has been working with Apple for decades. Jamf has in-depth experience no one can equal, and we offer purpose-built solutions for Apple that just . . . as we like to say . . . work.

Try the best BYOD experience you can offer your employees.


Apple and Jamf help airline employees spread their wings

Month: March 2023

Author: March 23, 2023 by Hannah Hamilton

Source: https://www.jamf.com/blog/apple-devices-in-airline-industry/

It’s old news that our workforce is becoming more mobile and remote, and the aviation industry is as mobile as it comes. Employees are constantly moving, whether they’re a below-wing employee maintaining various planes or an above-wing one starting their day in California and ending it in South America.

The 24/7/365 nature of airports combined with the rising need for mobility means that any technology implemented by airlines needs to be reliable, robust and secure. Airlines need to ensure that their employees are able to perform their job functions efficiently and cost-effectively. This is made even more complex when airlines have to consider conditions beyond their control, like WiFi or 5G bandwidth at the airport.

So what’s the solution? This blog will dive into how Jamf and Apple can give airlines the secure and flexible technology solutions for their organization.

Why Apple?

Airlines choose Apple because Apple simplifies work. Using a single platform eliminates the complexity of multiple operating systems, hardware conflicts and multiple developers. Apple Business Manager and Volume Purchasing Program make obtaining and deploying devices simple and convenient for IT teams and employees by enabling zero-touch deployment, putting ready-to-use devices in employee hands without IT having to touch the device.

Apple’s built-in security features like Touch ID and Rapid Security Response mean devices are more difficult to access for bad actors and are kept updated with the latest security patches. And Apple’s robust developer tools allow for organizations to develop custom applications tailored for their business, improving performance and efficiency.

Managing shared devices

Shared devices can be helpful for a variety of roles. Airline mechanics, pilots, gate agents and flight attendants can use Apple devices for their responsibilities. Mechanics can enjoy the portability and flexibility of iPads when referring to manuals. Flight attendants can provide point-of-sale terminals to customers and access their airline’s portal. Gate agents can search the portal while dealing with customers, keeping operations running more smoothly. And pilots can replace hefty aircraft checklists, navigational charts, operation manuals and flight planning tools with a single iPad-hosted Electronic Flight Bag.

Shared devices can pose security risks if not handled with proper care. After all, that device has access to your company resources, including private, confidential or proprietary information. This is why it’s critical to have an in-depth understanding of how your devices are being used, and by whom.

That’s where Jamf comes in. By adding your devices into Jamf’s mobile device management (MDM) platform, you can:

  • Keep inventory of your devices
  • Use Jamf Setup to customize devices specifically for a given role
  • Use Jamf Reset to ensure devices are refreshed when moving to the next worker
  • Simplify login to shared devices by integrating with cloud-identity providers
  • Lock or erase devices if they are lost or stolen

Device usage outside the airport

For employees that have their own company-owned devices, Jamf can provide more transparency into device statuses. IT teams can manage these devices enrolled in the Jamf platform, giving them the power to:

Like Apple, Jamf prioritizes user privacy. When employees are using company-managed devices as personal devices, they want to know they aren’t being surveilled. Devices enrolled into Jamf are partitioned into “personal” and “business” volumes—data doesn’t travel between the two. This means personal data remains personal, while corporate data is kept safely contained and available only when the identity of the user is strictly confirmed.

Securing endpoints

On average, a data breach in 2022 cost the transportation industry 3.59 million USD. Beyond a financial hit, a data breach can shut down operations, causing numerous flight delays and unhappy travellers. Not to mention, if airlines are found responsible—even by neglect—for the data breach, they can face even more fines.

With social engineering driving 82% of data breaches in 2022, securing your endpoints is critical for preventing data breaches. Users make mistakes; keeping devices in compliance with your security policies mitigates the impact these mistakes can have. Jamf Protect helps secure your endpoints by:

  • Providing full same-day support when a new OS is released
  • Detecting malicious applications, scripts and user actions in real time
  • Using the MITRE ATT&CK framework to identify known threats and AI to detect unknown vulnerabilities before they’re exploited
  • Quarantining known threats
  • Giving IT and security teams real-time visibility into device health
  • Enforcing CIS benchmarks

Key takeaways

  • Apple’s unified platform simplifies deployment, management and use of devices for your mobile fleet
  • Shared devices give employees the tools they need on the go—Jamf can make sure these devices are customized to each role and are clean for the next employee to use
  • Jamf can help company-owned devices stay in compliance, restrict data usage, and enforce AUPs while maintaining security and user privacy
  • Jamf Protect helps keep your devices secure while providing IT with transparency about device health



Apple Business Manager and device management explained

Month: March 2023

Author: March 22, 2023 by Hannah Hamilton

Source: https://www.jamf.com/blog/apple-business-manager-and-device-management-explained/

What is the role of ABM in Apple device management?

Apple Business Manager isn’t a replacement for third-party MDMs. But these are just that: third party. ABM interfaces with your MDM while giving you direct access to Apple services, allowing you to:

  • Deploy iPhone, iPad, Mac and Apple TV without requiring IT to touch the device
  • Automate device enrollment into your MDM with volume purchasing
  • Create Managed Apple IDs specific to your organization
  • Distribute volume-purchased App Store apps

Why you need a device management server

Apple Business Manager makes it simple to enroll devices into your device management server and deploy Apple apps. Many organizations need to have more control of applications, updates, the enrollment process, account management and more. This is where your MDM comes in.

Managed Apple IDs

The ability to create Managed Apple IDs makes Apple Business Manager an especially useful tool. This company-specific managed ID means employees maintain privacy and separation from their personal Apple IDs. Organizations can then take advantage of Apple at Work’s single sign-on capabilities that make access to company apps simpler and more secure.

How to add devices to Apple Business Manager

Apple keeps track of what devices your organization purchases. ABM requires your Apple Customer Number and/or your Apple Authorized Reseller needs to have your Organization ID and their Reseller Number in your account. Your devices need to be assigned to your MDM server in order for the device to be enrolled in your MDM and added to ABM.


macOS scripting and so-called Artificial Intelligence

Month: March 2023

Author: March 21, 2023 by Armin Briegel

Source: https://www.jamf.com/blog/chatgpt-macos-scripting/

Establishing communication

I had mostly ignored the initial wave of excitement because I am busy enough chatting and talking with real humans most of the time. But when I saw more and more people who lauded ChatGPT’s skill at explaining and even teaching how to write code, I had to see for myself.

To be honest, this was not the first contact I’ve had with this new generation of Artificial Intelligence (AI). My first? An app that claims to specialize in writing macOS bash scripts called SudoSolverAI. My experience with this app was not a ringing endorsement of the new technology, but it did pique my curiosity enough that I signed up for ChatGPT and tested it using the same questions as I used with the former app…only with very different and more intriguing results.


Let’s chat

What makes ChatGPT’s coding advice so compelling is that it does not just spit out sample code but rather it explains what the code does as well. In this example, the bot provided a script for Linux, from a previous prompt. When I asked specifically about macOS, it retained the context and gave me a script for macOS with explanations on each step and how to use it, as highlighted in the excerpt below.

Q: Does this work on macOS?

A: The script I provided is specific to Linux and may not work as expected on macOS. The reason is that macOS uses a different command to manage user groups and privileges than Linux. In macOS, the command to remove a user from the admin group is:

    sudo dseditgroup -o edit -d -t user admin

Therefore, a modified script for macOS would look like:

    #!/bin/bash

    # Check if user is an administrator
    if ! id -Gn | grep -q "admin"; then
        echo "You are not an administrator."
        exit 1
    fi

    # Remove the user from the admin group
    sudo dseditgroup -o edit -d $(whoami) -t user admin

    echo "Admin privileges removed for $(whoami)"

You can save the script with a ".sh" extension, make it executable with "chmod +x remove-admin-privileges.sh", and run it with "./remove-admin-privileges.sh" on macOS.

This script works when you run it in Terminal, but if you tried to run this as a management script from Jamf Pro, it would fail. The whoami command will return a response as the user the process is running as, however when running as part of a Jamf policy script, that “user” is root.

When I tried to coax ChatGPT towards the solution with more specific questions, the replies reflected my questions but did not provide new information toward a proper solution. I got ChatGPT to walk in circles, rotating between recommending whoami, id -un, and the variable $USER as “improved” solutions to return the currently logged-in user — even though they all return the same value.

Note: for those that cannot bear the suspense, here are two safe ways to determine the currently logged-in user on macOS.

Does not compute

When asked how the script would look if I wanted to deploy it using Jamf Pro, it gave me detailed instructions on how to create a Jamf Pro policy utilizing the faulty script. Sadly, the instructions were wrong and did not match the actual workflow required to successfully add a script to a Jamf Pro policy.

Aside from the method to determine the current user, the script received from ChatGPT contains another very subtle error. The way this script checks whether a user is a member of the Administrators group will also return a false positive for users that are a member of the _lpadmin group. On macOS, membership of the _lpadmin group provides the ability to manage printers without requiring full administrative privileges. This is a solution that you will likely only encounter on managed Macs.

In this script, the error would only lead to an erroneous attempt to remove the user from the Administrators group — which would fail — causing no further harm. But if you reused that code in another context, it could have unexpected side effects — even resulting in far worse outcomes.
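The two problems described above (the script sees root instead of the logged-in user when a management agent runs it, and a substring match on "admin" also matches _lpadmin) can be handled as in the following added example, which is not part of the original post or of ChatGPT's output. The function names and the sample scutil output and group list are constructed for illustration; the live check goes slightly beyond the text by comparing numeric group IDs, relying on admin being group 80 on macOS.

```shell
#!/bin/bash
# Added example: console-user lookup and exact group matching for a script
# that a management agent runs as root. All sample data is constructed.

# Parse `scutil` output on stdin and print the console (GUI) user's short name.
# Prints nothing when the login window owns the console.
console_user_from_scutil() {
    awk '/Name :/ && ! /loginwindow/ { print $3 }'
}

# Succeed only if $1 equals one of the remaining arguments exactly.
has_token() {
    wanted=$1; shift
    for token in "$@"; do
        [ "$token" = "$wanted" ] && return 0
    done
    return 1
}

# The substring test used by the script quoted above, kept for comparison.
substring_match() {
    printf '%s\n' "$2" | grep -q "$1"
}

# Constructed samples of the inputs the functions consume.
SCUTIL_LOGGED_IN='<dictionary> {
  GID : 20
  Name : jappleseed
  UID : 501
}'
SCUTIL_LOGIN_WINDOW='<dictionary> {
  Name : loginwindow
  UID : 0
}'
PRINTER_ADMIN_GROUPS='staff everyone _lpadmin'   # not a member of admin

# macOS only: demote the console user. Run the script as root with --apply.
remove_admin_from_console_user() {
    user=$(echo "show State:/Users/ConsoleUser" | scutil | console_user_from_scutil)
    [ -n "$user" ] || { echo "No user at the console; nothing to do."; return 0; }
    # 80 is the numeric ID of the admin group; IDs avoid group-name ambiguity.
    if has_token 80 $(id -G "$user"); then
        dseditgroup -o edit -d "$user" -t user admin &&
            echo "Admin privileges removed for $user"
    else
        echo "$user is not a member of admin."
    fi
}

if [ "${1:-}" = "--apply" ]; then
    remove_admin_from_console_user
fi
```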

Some users claim that to obtain the best information from ChatGPT, the prompts should be properly formulated. Without any clear indication as to what exactly constitutes proper prompt formulations, this supposed skill has received the designation of “prompt engineer” by users online. As a programmer, if I need to learn special “incantations” to communicate with your language model, then I would say your AI is failing at its intended purpose of learning from its users.

Despite the rising popularity of Macs, most of the people who need to write shell scripts are not using macOS. Mac users who need to write shell scripts need them for tasks other than managing Macs. Only a subset of those that do need scripts to manage Macs are Jamf Pro administrators. The skill set of managing Macs with Jamf Pro, package installers, profiles and scripts can be argued as a niche within a niche within a niche.

As their name implies, the large language models that feed ChatGPT and its siblings rely on a large quantity of input, which allows them to statistically predict which words make sense in that context. That this approach works for code as well as human language, is amazing. But human communication has a lot of redundancy and resiliency built in.

Computer code does not.

Information ≠ Facts

Take for example the FAQ for ChatGPT which states that its data model is based on articles and posts that are older than September 2021. This is problematic for Mac-specific solutions because we all know that macOS — much like any technology — can change and evolve (and often does so) a lot within two years. This is especially true of management tasks.

The FAQ also warns that the information provided by ChatGPT “may not be factual”. The language model is based on statistical models of words. It has no concept of the actual meaning of those words and even less of what is factual or not. It should not surprise that a statistic generated by AI that is based on millions of online posts is incapable of admitting it doesn’t know the answer and will confabulate nonsense instead.

During my short experience with ChatGPT, initial replies are usually quite solid, though often displaying some minor flaws. But when you start pushing into the details, you will quickly reach the point where the bot starts to make things up, a process OpenAI has coined “hallucination”. When you are asking a chatbot for help on something you have no background in, you might not be able to tell when it is moving its responses from true statements into non-factual territory.

In general, it may be best to treat information from a chatbot in much the same way you would treat the results of a web search. Do not trust anything you get from the internet initially, but rather, evaluate the responses and their context. On a webpage, you can verify the source. For example, ask yourself: is the information from a well-known MacAdmin? Or perhaps a developer who is transparent about running their scripts in different environments? Also, the age of a post can often be a tell-tale sign. Consider if the script was created for an unsupported OS, like Snow Leopard. If so, chances are low that it still works as written. Sometimes digging a little deeper will provide better or more current information from the comments and replies left recently by users. Each of these actions allows users to make better judgments as to the validity of the information.

Alas, for now, ChatGPT does not show the sources of its knowledge, though it looks like the new AI-powered searches from Bing and Google address this concern by including links to sources, which will be a huge improvement on this front.

That said, a conversation with an AI bot may be useful to provide pointers on where to focus further research and experimentation. But you would be prudent to remain skeptical and careful. Conversations with real humans, in person and in online forums and over messaging apps still provide better quality information and advice. Speaking with humans could also challenge you to “take a step back and explain what you want to achieve”, which is often an important step in actually finding the solution you are looking for.

Destination unknown

Despite all my reservations, I acknowledge that this new generation of chatbots represents a significant improvement over what’s come before. I am reminded of using Google for the first time in the late 1990s. Google search results were a huge leap forward from the results of its predecessors. I also remember concerns that Google search would completely disrupt education and work, making several categories of human professions completely obsolete. In hindsight, while the improved web search that Google introduced had a significant impact on how we learn and work, the perception that our lives would come to revolve around it did not turn out to be the case either.

Similar excitement was more recently attached to the emergence of voice assistants, like Siri. Yet in the end, after over a decade of use, they have remained mostly underwhelming too, apart from a few specific use cases.

ChatGPT might be the start of one of those exponential growth curves we sometimes get in technology, with the next few years potentially bringing even more dramatic changes. More likely though, improvements from the past years, algorithms, hardware and data have all aligned to create an impressive step forward…leaving us to wait another decade or two for further breakthroughs.
