How to Build an NBI with OS X 10.11 El Capitan

Updated video posted here: https://appleintheenterprise.com/2016/08/12/landesk-mac-management-part-7-building-a-netboot-image-for-os-deployment/

Introduction

OS X El Capitan introduced several changes to the System Image Utility when creating a NetInstall Image.  This white paper walks through the steps required to build an NBI file that LANDESK can use to provision a Mac with LANDESK Management Suite.

Watch the how-to video here.

Overview

Beginning in LANDESK Management Suite 9.6, LANDESK changed the process for building NBI files.  We now leverage Apple’s System Image Utility to create a bootable NBI file.  LANDESK has created a stamper utility that subsequently injects the needed LANDESK information while, at the same time, reducing the NBI file in size.  One of the major benefits of this process is that the NBI you have to push over the wire will be in the 500-600 MB range as opposed to 6 GB+.


Prepare the OS X El Capitan Machine

  1. The first thing needed is the OS X El Capitan Installer. Download it and place it into the Applications Folder.
  2. The LANDESK Mac agent also needs to be installed on the device. Make sure you use an agent that is 9.6 SP2 or later.  For more information on how to deploy an agent, see https://community.landesk.com/support/docs/DOC-30016
  3. Download the LANDESK Startup Disk Stamper Utility from https://community.landesk.com/support/docs/DOC-33695
  4. An administrative account on the box is required.

Build the NetInstall Image with Apple’s System Image Utility

  1. Launch System Image Utility from the Mac. Use the Spotlight Search to find it as it’s buried in an Applications folder under System > Library > CoreServices
  2. From the source dropdown picker, select Install OS X El Capitan and click Next. If you don’t see Install OS X El Capitan in the options menu, quit the System Image Utility, download the installer, put it into the Applications folder and then re-launch.
  3. Select the option NetInstall Image and click Next
  4. Agree to the License Agreement if prompted
  5. At this time, we don’t need to add any configuration options, as all of that will be built inside the provisioning process within the LANDESK Console. For the next 4 screens, just click Next with no items added or changed from the defaults.  Stop when you get to the Image Settings screen.
  6. Provide a Network Disk name to your liking. You’ll be asked to create a second name for the NBI file LANDESK stamps, so for me, I always put Apple in the name so I can be sure to differentiate the two.  Also, each image file needs to have a unique image index.  Feel free to choose whichever option best suits your environment.  I personally assign my indices so I can ensure a unique value.  Also, just by way of note, you’ll need to assign another unique ID when you use the LANDESK stamper.
  7. Select the computer models you want your NBI to support and click Next.
  8. Pay special attention to the Filter Clients by MAC Address window. This pane essentially creates a whitelist or blacklist of client devices allowed to boot from your NBI file.  If you’re more security conscious, leave the radio button set to Allow and provide an import of all of the MAC addresses you care about.  Just know that as you receive new machines, you will have to rebuild your NBI.  If you’re less concerned about unknown machines NetBooting from your NBI file, change the radio button to Deny and click Next.
  9. Finally, provide the path to where the Apple NBI file will be created and click the Save button. For ease of use when using the LANDESK stamper, I select the desktop.
  10. Enter your admin credentials on the box and wait for the NBI to be generated.

IMPORTANT NOTE: In OS X 10.11 El Capitan, Apple has introduced its new System Integrity Protection feature, which affects how you are able to NetBoot devices. If you need to NetBoot across subnets, you’re going to need to customize the NBI and add in your approved NetBoot server’s IP addresses.  To do this, prior to clicking Next in step 8, make sure you set your desired filter state and then click Customize.

Once inside the Automator tool, you need to scroll down through the list of actions until you find the Bless NetBoot Server action.  Once you find it, drag it to the far right, upper panel and drop it prior to the Create Image action.  Click on the + object for the Bless NetBoot Server and add in the IPs of your PXE representatives or your OS X NetBoot Servers as well as the IP of the Core Server.

Using this method, you’ll also need to finalize the name of your NBI file and the location to save it inside of the Create Image action.  When you have everything configured, click the Run button at the top right.  It will take a couple of minutes to write the NBI file.  When it’s finished, go ahead and close both the Automator app as well as the System Image Utility app.


For more information on the SIP restrictions and the NetBoot process, see: http://community.landesk.com/support/docs/DOC-35984

Stamp the Apple NBI File with LANDESK’s Startup Disk Stamper

  1. Launch the LANDESK Startup Disk Stamper. You can find the download link in the Overview section if you have not yet pulled it down from the LANDESK Community.
  2. Click the Choose button in the NBI Source panel and select the Apple NBI file previously generated
  3. Although a bit hidden in the dialog box, you can change the desktop background displayed during the NetBoot process by selecting the Choose button in the Agent Source panel. This step is optional.
  4. Set your destination type.
    1. If you intend to boot your NBI from the network, select the NetBoot Image radio button and push the Choose button to name your LANDESK NBI file and to indicate where you would like to save it.
    2. If you need to build a bootable USB drive, select the Removable Drive option and select the Device from the Finder window.
  5. Set a second unique index. Since LANDESK is generating its own NBI file, you’ll want this value to be different from the value selected in step 6 of the System Image Utility NBI creation.
  6. Provide a description if desired and click Create
  7. Enter your admin credentials on the box and wait for the LANDESK NBI to be generated.

Note:  If you see ?? marks in any of the panels, the tool has not been properly configured or a 9.6 SP2 or later LANDESK Mac agent has not been installed.

 

 

How to Distribute Mac App Store Apps with LANDESK Management Suite

Introduction

Installing an OS X application purchased with a VPP token can require a lot of manpower. Due to digital rights management, Apple IDs and user agreements, it’s not as easy to deploy as an application you have the installer for. This white paper discusses how an application installer found in the Mac App Store (MAS) can be captured and used to deploy to your OS X devices.

Overview

The LANDESK Management Suite Mac agent is capable of supporting many different package types, such as dmg, pkg, mpkg, shell scripts, a simple .app, mobileconfig and even .workflow scripts built within Automator.  While this flexibility works in most scenarios, you’ll notice that it requires access to the install files, which you don’t have if a developer only releases their application via the Mac App Store, such as the iWork suite developed by Apple.  However, with a little bit of work, you can capture the installers from the Mac App Store and subsequently push those applications out.

Pre-Requisites

The LANDESK administrator will need to have access to an OS X device that has purchased the application that is intended to be distributed, yet that does not have the application currently installed.  A VM set aside just for downloading Apps may be an efficient method for the ongoing software distribution.

Note: Ensure you have adequate license coverage via a VPP purchase prior to distributing your application.

Enable Debug Mode for the Mac App Store (MAS)

When an application is downloaded from the MAS, the installer file is downloaded, executed and then promptly removed.  By enabling debug mode for the MAS, we can create a link to the downloaded installer(s) allowing for future use on more than just the machine currently downloading the app.

  1. Quit the Mac App Store if currently opened
  2. Open Terminal and run the command ‘defaults write com.apple.appstore ShowDebugMenu -bool true’


Note: To disable debug mode, use the following command: ‘defaults write com.apple.appstore ShowDebugMenu -bool false’

Download the Installer for the App to be Patched

Once the debug mode is enabled, it will be possible to capture the download installer file for later use in patching.

  1. Launch the App Store App (notice you should now have a Debug menu item) and navigate to the Purchased tab.  Sign in if prompted.
  2. Select the app to be patched and click Install
  3. Once the install process shows visible progress in the download process, hit the pause button
  4. From the Debug menu, select the option Show Download Folder
  5. Finder will open and you’ll need to navigate inside the com.apple.appstore folder
  6. Locate the folder with a string of numbers, this should be your app, and navigate inside of it


You now need to create a hard link from the randomly named download to the file name and path where you want to store the installer.  Do this by opening Terminal and using the ‘ln’ command followed by the path of the installer from the Mac App Store and then the path where you want to save your copy of the installer that won’t be deleted as soon as . The easiest way to enter the path of the randomly named installer is to drag and drop it into Terminal after typing ‘ln’.

  1. Launch Terminal and type ‘ln /path/to/macappstore.pkg /path/to/savedinstaller.pkg’
  2. Return to the Mac App Store purchased tab and resume the download
  3. When the installation for your app finishes, you’ll have a signed installer from Apple to use to update your fleet of Mac devices

Automating for Multiple Concurrent Downloads

If the manual linking process described above seems a bit burdensome when you need to download many applications, Max Schlapfer has created a script that not only automates the creation of the hard links but also has the capability to download multiple files at once.  To download Max’s AppStoreExtract script, see https://github.com/maxschlapfer.  These next steps are not required; if you have all of the installers you desire, skip to the next section.

Note: You do not need the Debug mode enabled for the Mac App Store, as outlined above, for this script to work.

  1. Download Max’s script from Github and extract it to a folder location of choice
  2. Open terminal and execute the script by typing in ‘./path/to/script/AppStoreExtract.sh’ and hitting Return
    1. Note: Do not run this script as root.
  3. Launch the App Store App and navigate to the Purchased tab.  Sign in if prompted.
  4. Click Install on all of the Apps you want to create installers for and wait for them to complete the install process
  5. When the installation process has finished, return to the Terminal window and hit any key to finish the script.  When asked to finalize the packages, type Y.
  6. The script will name the output files according to the product and version, then convert them to DMG files and store them in the /Users/Shared/AppStore_Packages folder.

Creating LANDESK Management Suite Mac Packages

Now that you have the installers downloaded from the Mac App Store, creating the LANDESK Mac package is the easy part.  You just need to copy all of the installers you’ve created to your package share.  If you have a .pkg file, make sure you zip it prior to copying into a Windows file share.  If you have dmg files, you can copy those directly to your package location.

  1. Open the LANDESK Console
  2. Navigate to the top menu bar, select Tools > Distribution > Distribution Packages.
  3. In the lower left menu tree, highlight My Packages or Public Packages from within the Distribution Packages window
  4. On the Distribution menu bar, press the New Package button and select New Macintosh Package.
  5. Give the package a name
  6. Provide a description as well as any metadata information desired
  7. Set the primary file to the zip or dmg  file you previously transferred to your software distribution folder
  8. Fill out the Metadata details if desired, specifically supplying a logo so it shows up properly in the portal
  9. Save the package

Creating a Scheduled Mac Software Distribution Task

  1. Right click on the Mac software distribution package created and select Create Scheduled Task
  2. From the network view, select and drag the desired machine(s), user(s) or query(ies) and drop them onto the task
  3. Now, right click on the task and select properties
  4. Set the desired Task type under Task Settings as to whether you want a push, a policy or a hybrid of the two types in a policy-supported push
  5. Set the radio button in the Portal Settings to either Recommended or Optional if you desire to put the package into Workspaces.  If you’d like to automatically deploy the app, select Run automatically
  6. Change the Reboot Settings or Distribution and Patch settings if desired
  7. Set the schedule task settings with the appropriate start time

How to Patch Mac App Store Apps with LANDESK Patch’s Manual Definitions

Introduction

Patching OS X applications can be quite the adventure.  Due to digital rights management, Apple IDs and user agreements, not all content found inside of Apple’s Mac App Store for OS X is available for redistribution by LANDESK.  This white paper discusses how an application installer found in the Mac App Store (MAS) can be captured and used to patch applications deployed on your OS X devices.

Overview

LANDESK has a team of engineers that write content for many of the common applications in use on the OS X platform.  This content can be downloaded by anyone with a LANDESK Patch Manager or LANDESK Security Suite license.  However, unless the application is patched by Apple’s update servers, the content provided by LANDESK will have a “manual” appended to the title of the definition file.


This “manual” indication in the title is to inform you that LANDESK cannot redistribute the content for that particular object. In order to do more than just detection for that vulnerability, the application will need to be manually downloaded.  By reviewing the Description tab on the Properties panel, you’ll find the note: “The patches for these applications should be downloaded from the Apple network by the LANDESK administrator. The respective patches should then be compressed into individual packages for each patch and named as *-version.zip (for example, Pages-5.0.zip). The last step would be to copy the zip package to the path \\coreservername\ldlogon\patch” or wherever your patch repository is located.

 

Pre-Requisites

The LANDESK administrator will need to have access to an OS X device that has purchased the application that is intended to be patched, but that does not have the application currently installed.  A VM set aside just for downloading Apps may be an efficient method for the ongoing patch process.

Enable Debug Mode for the Mac App Store (MAS)

When an application is downloaded from the MAS, the installer file is downloaded, executed and then promptly removed.  By enabling debug mode for the MAS, we can create a link to the downloaded installer(s) allowing for future use on more than just the machine currently downloading the app.

  1. Quit the Mac App Store if currently opened
  2. Open Terminal and run the command ‘defaults write com.apple.appstore ShowDebugMenu -bool true’


Note: To disable debug mode, use the following command: ‘defaults write com.apple.appstore ShowDebugMenu -bool false’

Download the Installer for the App to be Patched

Once the debug mode is enabled, it will be possible to capture the download installer file for later use in patching.

  1. Launch the App Store App (notice you should now have a Debug menu item) and navigate to the Purchased tab.  Sign in if prompted.
  2. Select the app to be patched and click Install
  3. Once the install process shows visible progress in the download process, hit the pause button
  4. From the Debug menu, select the option Show Download Folder
  5. Finder will open and you’ll need to navigate inside the com.apple.appstore folder
  6. Locate the folder with a string of numbers, this should be your app, and navigate inside of it


You now need to create a hard link from the randomly named download to the file name and path where you want to store the installer.  Do this by opening Terminal and using the ‘ln’ command followed by the path of the installer from the Mac App Store and then the path where you want to save your copy of the installer that won’t be deleted as soon as . The easiest way to enter the path of the randomly named installer is to drag and drop it into Terminal after typing ‘ln’.

  1. Launch Terminal and type ‘ln /path/to/macappstore.pkg /path/to/savedinstaller.pkg’
  2. Return to the Mac App Store purchased tab and resume the download
  3. When the installation for your app finishes, you’ll have a signed installer from Apple to use to update your fleet of Mac devices
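The hard-link step above (and the identical step in the distribution white paper earlier on this page) can be scripted so the randomly named download is found and linked without dragging paths around. This is an added example, not code from the LANDESK white paper or from Apple; /path/to/com.apple.appstore stands in for whatever folder Debug > Show Download Folder opens, and the folder and file names in the comments are constructed.

```shell
#!/bin/sh
# Added example (not LANDESK's or Apple's code): automate
#   ln /path/to/macappstore.pkg /path/to/savedinstaller.pkg
# by locating the paused download in the App Store cache and hard-linking it
# to a stable path. The cache path is an assumption; use the folder that
# Debug > Show Download Folder opens on your machine.

# Print every installer package found in a numerically named folder below the
# cache. The App Store names each app's download folder with a string of
# digits, so a folder whose name contains a non-digit is skipped.
find_appstore_pkgs() {
    cache_dir="$1"
    for d in "$cache_dir"/*/; do
        d="${d%/}"
        name="${d##*/}"
        case "$name" in
            *[!0-9]*|"") continue ;;
        esac
        for p in "$d"/*.pkg; do
            [ -f "$p" ] && printf '%s\n' "$p"
        done
    done
    return 0
}

# Inode and link count of a path; ls prints the same columns on macOS and Linux.
inode_of()      { ls -di "$1" | awk '{print $1}'; }
link_count_of() { ls -ld "$1" | awk '{print $2}'; }

# Hard-link the paused download to $2. The link shares the inode with the
# original, so the bytes written when the download resumes appear under both
# names, and the App Store's post-install delete only removes its own name.
# A copy would NOT work here: it would freeze the partial file. ln cannot
# cross volumes either, so the destination must sit on the same filesystem
# as the cache; if it does not, fail loudly rather than fall back to cp.
link_installer() {
    src="$1"; dst="$2"
    [ -f "$src" ] || { printf 'no such installer: %s\n' "$src" >&2; return 1; }
    if ! ln "$src" "$dst" 2>/dev/null; then
        printf 'hard link failed (different volume?): %s -> %s\n' "$src" "$dst" >&2
        return 1
    fi
    # Sanity check: both names must now resolve to the same inode.
    [ "$(inode_of "$src")" = "$(inode_of "$dst")" ] || return 1
    return 0
}

# Usage (constructed destination): link each paused download into ~/Installers,
# naming the copy after the numeric App Store folder it came from.
#   find_appstore_pkgs /path/to/com.apple.appstore | while IFS= read -r p; do
#       link_installer "$p" "$HOME/Installers/$(basename "$(dirname "$p")").pkg"
#   done
```

Run the loop while the download is paused, then resume it in the App Store; once the install finishes, the files under ~/Installers hold the complete signed packages.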

Automating for Multiple Concurrent Downloads

If the manual linking process described above seems a bit burdensome when you need to download many applications, Max Schlapfer has created a script that not only automates the creation of the hard links but also has the capability to download multiple files at once.  To download Max’s AppStoreExtract script, see https://github.com/maxschlapfer.  These next steps are not required; if you have the installers you need to patch, skip forward to Configuring the Output Installers for LANDESK Patch.

Note: You do not need the Debug mode enabled for the Mac App Store, as outlined above, for this script to work.

  1. Download Max’s script from Github and extract it to a folder location of choice
  2. Open terminal and execute the script by typing in ‘./path/to/script/AppStoreExtract.sh’ and hitting Return
    1. Note: Do not run this script as root.
  3. Launch the App Store App and navigate to the Purchased tab.  Sign in if prompted.
  4. Click Install on all of the Apps you want to create installers for and wait for them to complete the install process
  5. When the installation process has finished, return to the Terminal window and hit any key to finish the script.  When asked to finalize the packages, type Y.
  6. The script will name the output files according to the product and version, then convert them to DMG files and store them in the /Users/Shared/AppStore_Packages folder.

Configuring the Output Installers for LANDESK Patch

There is a good chance that LANDESK has already created the definitions needed to properly detect and repair the application of choice, you simply need to zip up the installer and name it according to what the definition file expects.  Refer to the description tab for each piece of content for specifics, but in general, you’ll want to name the zip file by the productname-version.zip.  If LANDESK has not already created the content, feel free to reach out to your local support representative and request the content be generated. Alternatively, you can create your own custom definitions as well.  See https://community.landesk.com/support/docs/DOC-6041 for more information on creating your own vulnerability definitions.

  1. Rename each installer according to productname-version.zip as defined in the definition file.  Make sure artifacts such as .dmg or .pkg are removed from the zip file name, as well as any underscores “_” where LANDESK patch content may be expecting a dash “-”.  If you want to verify you have properly named your installer, go to the properties panel for the detection rule within the vulnerability definition and highlight the Patch Information menu tree item. The Unique Filename provided will tell you the exact name it is expecting.
  2. Copy the installers to your LANDESK patch repository
    1. Typically, the path to the LANDESK patch repository will be \\coreservername\ldlogon\patch.  However, this can be changed by an administrator.  If you’re unsure, go to the Patch and Compliance tool within the console and hit the Download Updates icon from the tool’s menu bar.  From there, click on the Patch location tab and validate your UNC path.
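The renaming rule above (drop .dmg/.pkg/.zip artifacts, turn underscores into dashes, end in exactly one .zip) is easy to get slightly wrong by hand, so here it is as a small shell helper with a check against the Unique Filename from the definition. This is an added example, not LANDESK code; the sample file names are constructed, and the zip(1) call assumes the patch repository is mounted at a local path.

```shell
#!/bin/sh
# Added example (not LANDESK code): compute the productname-version.zip name a
# manual patch definition expects, check it against the definition's Unique
# Filename, and package the installer under that name. Sample names are constructed.

# Normalize names such as "Pages_5.0.dmg", "Pages-5.0.pkg.zip" or "Pages 5.0.dmg"
# into "Pages-5.0.zip": strip .zip/.dmg/.pkg suffixes repeatedly (so a
# double suffix like ".dmg.zip" is handled), map underscores and spaces to
# dashes, then append a single .zip. Only the basename is considered.
ldpatch_name() {
    base="${1##*/}"
    while :; do
        case "$base" in
            *.zip) base="${base%.zip}" ;;
            *.dmg) base="${base%.dmg}" ;;
            *.pkg) base="${base%.pkg}" ;;
            *)     break ;;
        esac
    done
    base=$(printf '%s' "$base" | tr '_ ' '--')
    printf '%s.zip\n' "$base"
}

# Compare the computed name with the Unique Filename shown under
# Patch Information in the definition's properties. Returns 1 and prints the
# mismatch so a wrongly named package is caught before it lands in ldlogon\patch.
ldpatch_check() {
    computed=$(ldpatch_name "$1")
    expected="$2"
    if [ "$computed" != "$expected" ]; then
        printf 'mismatch: %s would be named %s but the definition expects %s\n' \
            "$1" "$computed" "$expected" >&2
        return 1
    fi
    return 0
}

# Zip one installer into the repository under the expected name. -j keeps the
# archive flat (no directory components), which is what the definition expects.
# Requires zip(1); $2 is the locally mounted patch repository path.
ldpatch_package() {
    installer="$1"; repo="$2"
    zip -j "$repo/$(ldpatch_name "$installer")" "$installer"
}

# Usage (constructed paths):
#   ldpatch_check /Users/Shared/AppStore_Packages/Pages_5.0.dmg Pages-5.0.zip \
#       && ldpatch_package /Users/Shared/AppStore_Packages/Pages_5.0.dmg /Volumes/ldlogon/patch
```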

Note:  The individual patch content will not show as downloaded until the next scheduled patch download or if you manually attempt to download the patch.  At that point, it will see the file and change the status to yes.

Repair Your OS X Devices Using LANDESK Patch

Now that you have the installers for your content, you can repair your devices by either scheduling a repair task or by setting the content to be repaired by Autofix.

Autofix

  1. Open the Patch and Compliance tool within the LANDESK console
  2. Ensure your desired content is in the Scan folder
  3. Right click on the definition and select Autofix > Enable global autofix or Enable autofix for all scopes.
    1. If you prefer to only enable autofix for a couple of scopes, go to the properties panel, select the Autofix tab and check the boxes for the desired scopes.

For more information on Autofix, see: https://community.landesk.com/support/docs/DOC-33690

Scheduled Repair

  1. Open the Patch and Compliance tool within the LANDESK console
  2. Ensure your desired content is in the Scan folder
  3. Right click on the definition and select Repair
  4. From the Add targets selection on the Repair settings task panel, select Add all affected computers
  5. In the Tasks settings panel, set your desired Task type.
  6. Ensure the Display in portal option for the portal settings panel is set to Run automatically (unless you want your users to update their own apps)
  7. Schedule the task to start when desired from the Schedule task panel
  8. Save the task

 

For additional information on how to use LANDESK Patch Manager, see: https://community.landesk.com/support/docs/DOC-32250

How to Add Apps to Launchpad inside of iOS Workspaces

Overview

The Launchpad feature inside of Workspaces for iOS can handle much more than just URL links, however, this process has not been documented and is a bit rough around the edges when it comes to the usability. Nevertheless, by adding the deep link path or URI information into the launch path of an app, once installed on the mobile device, Launchpad will display a tile for the app and if you’re lucky (dependent on the app vendor) an icon associated to the app.

In the screenshot of Workspaces below, I have created a deep link to the app Evernote, Hootsuite, LetMobile, iOS Mail, Salesforce1 and Twitter. I also have standard links to the LANDESK Community and one other site. If I were to click on Salesforce1, it would initially prompt me to allow (this only takes place the first time), and then open up into Salesforce1. However, because it was launched from Workspaces, you’ll see at the top left of Salesforce1 there is a link back to LANDESK.
As such, using this method, one could theoretically create a whitelist of approved apps and links, put an iOS device in supervised mode and only allow Workspaces to run. Doing so would give the admin complete control over the device and what is allowed to execute.


Mobile Deep Linking

Mobile deep linking consists of using a hyperlink that links to a specific piece of content within an app or to just the app itself. For example, the deep link for Twitter is twitter://. Putting twitter:// into the launch path will open the Twitter app to its default home page. However, if you add twitter://timeline it will open the app to the timeline feature. This deep link needs to be added to the Launch path section of the iOS software payload. For more on deep linking, see: Mobile deep linking – Wikipedia, the free encyclopedia

Configuring AOD for Deep Linking

Setting up a software package to be deep linked is quite simple. All you need to do is put the deep link into the Launch path on the software payload for the app. See the screenshot below for Hootsuite. However, if the app you’re trying to deep link is included within iOS, such as iOS Mail, you’ll need to use a Link Payload inside of AOD under the iOS and Android section.

Figuring out what the deep link is for a given app is going to require some patience, as they’re not always published and not exactly obvious. You’ll need to employ a “try and see” approach or maybe even contact the vendor. In my limited testing, I was not able to discover Cisco AnyConnect or Cisco WebEx. As a tip, I would attempt to find the URI by searching for the name of the app combined with iOS to pull up the iTunes web link. That web link will contain the app’s full name as well as the ID. I would take that full name and attempt to combine words to discover what the URI might be. This helped me figure out that 1Password’s URI is onepassword:// and not 1password://.

The deep links I’m aware of are:

  • 1Password – onepassword://
  • Audible – audible://
  • Apple Mail – message:// (this needs to be created as a Link package inside of AOD for iOS and Android and not a software package)
  • Ebay – ebay://
  • Evernote – evernote://
  • Facebook – fb://
  • Hootsuite – hootsuite://
  • LetMobile – letmobile://
  • Twitter – twitter://
  • Salesforce 1 – salesforce1://
  • Strava – strava://
  • YouTube – YouTube://