How to Bind a Mac to Active Directory using Profile Manager and LANDESK

Below is a somewhat brief overview of how you can build a payload with the settings to bind a Mac to a domain.

In order to build this Directory payload, you’ll need to download and install macOS Server.  Your clients won’t need access to the macOS Server, so you can put this on a virtual machine that you start just when you need to build a new profile.

You’ll also need LANDESK Management Suite 9.6 or greater.

Remotely Enroll a macOS Device with LANDESK MDM

With the release of LANDESK Management Suite 2016.3, LANDESK can now manage a Mac using an MDM profile in addition to the traditional LANDESK agent.  One of the main benefits of enrolling the Mac with the MDM service, in addition to already having your regular agent installed, is that you’ll be able to push a VPP app to the Mac.

This blog will walk you through the process of creating a package to install the LANDESK MDM Enroller app on your Mac and then subsequently running a script to enroll the Mac with the MDM service.

Part 1 – Create a LANDESK MDM Enroller Bundle Package Folder

  1. Open the LANDESK Management Suite Console
  2. Navigate to the top menu bar, select Tools > Distribution > Distribution Packages
  3. In the lower left menu tree, highlight My Packages or Public Packages from within the Distribution Packages window
  4. Right click on the selected folder and click on New Package Bundle
  5. Provide your desired package bundle name (I used LANDESK MDM Packages)

Part 2 – Create a LANDESK MDM Enroller Package

  1. Download the LANDESK MDM Enroller app from the Community page and copy it to your file share
  2. Right click on your package bundle, hover over New Macintosh Package and select Macintosh Agent
  3. Give the package a name
  4. Browse to the Enroller App file you previously saved and select it from within the Primary File window
  5. Provide a description and any metadata information if desired
  6. Save the package

Part 3 – Create the LANDESK Enrollment Script

The script is pretty basic: you just call the command line utility with -u for the username, -p for the password and -m for the enrollment server.  The script has been built with variables, so just adjust the variables and you’ll be set.

  1. On a Mac device, save the Enroller script from GitHub as a .sh file or use the script pasted at the bottom of the blog
  2. Open the .sh file with your text editor and edit the variables for the username, password and enrollment server
  3. Save the file
  4. Set the execute permissions by running chmod +x /script/path/name.sh
  5. Compress the .sh file
  6. Copy the .sh file to your package share

Note: The script is calling the command line utility built inside of the LANDESK MDM Enroller application.  That means that in order for this script to properly execute, the LANDESK MDM Enroller must already be installed.  To ensure this takes place, we are bundling the packages together and will tell LANDESK which package to execute first.

Part 4 – Create the Enrollment Script Package

  1. Right click on your package bundle again, hover over New Macintosh Package and select Macintosh Agent
  2. Give the package a name
  3. Browse to the zipped script file you previously copied to your package share and select it from within the Primary File window
  4. Provide a description and any metadata information if desired
  5. Save the package

Part 5 – Deploy the Enrollment Package Bundle

  1. Right click on your package bundle and select Properties
  2. Select the Bundle Package Settings from the menu tree
  3. Use the Up / Down buttons to make sure your packages are listed in the appropriate order, with the MDM Enroller app first and the script second, then click Save when you’re finished
  4. Right click on the bundle package one final time and select Create Scheduled Task(s)…
  5. Right click on the newly created Scheduled Task and click on the Properties option
  6. Add your desired targets
  7. Set your desired Task and Portal settings
  8. Schedule the task

#!/bin/sh

#  mdmAutomaticEnrollment.sh
#  Created by Bennett Norton on 11/1/16.
#  This script will enroll a LANDESK Management Suite managed macOS device with an additional MDM profile for support with features like VPP

# NOTE: This script assumes the Mac to be enrolled with an MDM profile is currently under management within LANDESK Management Suite, with a valid agent, and that the Mac has already installed the LANDESK MDM Enrollment Application found at https://community.landesk.com/docs/DOC-42347


#Script Variables
#change the variables to match with a valid LANDESK Management Suite user, corresponding password and enrollment server URL.  The server URL format should be the fully qualified name of the Cloud Service Appliance / LANDESK Server name.
#Keep in mind that the password sits in plain text inside this script and the script is copied to every targeted Mac, so use a dedicated account with only the rights LANDESK needs for enrollment.

landeskUserAccount="landeskadmin"
landeskPassword="adminpassword"
enrollmentServerURL="fullyqualified.cloudserviceappliance.com/landeskServerName"


#Path to the command line utility built inside the LANDESK MDM Enroller application
enrollerBinary="/Applications/LANDESK MDM Enroller.app/Contents/MacOS/ldmdmenroll"

#Fail with a clear message if the Enroller app is not installed yet (the package bundle order should prevent this)
if [ ! -x "$enrollerBinary" ]; then
 echo "LANDESK MDM Enroller not found at $enrollerBinary; install it before running this script." >&2
 exit 1
fi


#Enroll the managed Mac device with MDM

"$enrollerBinary" -u "$landeskUserAccount" -p "$landeskPassword" -m "$enrollmentServerURL"

Configure LANDESK Management Suite 2016.3 for iOS and macOS MDM Management

LANDESK announced their 2016.3 Management Suite release this week and with it comes a number of enhancements to mobility management, including several for MDM management of the iOS/macOS platforms.  Included in the 2016.3 release is the ability to integrate with Apple’s Device Enrollment Program (DEP) and Apple’s Volume Purchase Program (VPP), including support for multiple VPP tokens.

Luckily, LANDESK has the documentation already available for this configuration.  For ease, I’m going to aggregate all of the needed information to get up and running with LANDESK MDM in one spot.

Architecture Requirement #1 – Cloud Service Appliance

The LANDESK Mobility Device Management does require a LANDESK Cloud Service Appliance.  This can be either a physical appliance you host in your DMZ or a virtual appliance.  If you do not have a CSA, contact your sales representative.  They’re inexpensive and give you the ability to manage devices off your network.

  1. Configure the LANDESK Cloud Service Appliance as discussed in the how-to articles on the LANDESK community page
  2. Ensure you’re on build 179 or greater. To do this, log in to your CSA by browsing to https://csa.fqdn/gsb and hit the System tab on the left hand side.  Then select the Updates tab from the main page, hit Scan For Updates and apply the latest update
  3. Purchase and apply a valid 3rd party SSL certificate for your CSA; see https://community.landesk.com/docs/DOC-32498

Architecture Requirement #2 – LANDESK Management Suite

  1. Install LANDESK Management Suite 2016.3 – https://community.landesk.com/docs/DOC-42261
  2. Import Apple’s APNS certificate to the Core Server – https://community.landesk.com/docs/DOC-39856

Optional Architecture Configurations

  1. Configure the Core server for DEP (optional) – https://community.landesk.com/docs/DOC-42090
  2. Configure the Core server for VPP (optional) – https://appleintheenterprise.com/2016/10/18/import-apples-vpp-token-into-landesk-management-suite/
  3. Configure a DNS TXT entry for easier enrollment (optional) – https://community.landesk.com/docs/DOC-39871

Adjust the LANDESK Mac SDCache Purge Schedule

In my previous post, I discussed how you could push down a script to a Mac to clean up the LANDESK SDCache folder, potentially recovering precious hard drive space.

The script process described previously, while quick and efficient, is more of a band-aid and doesn’t address the underlying problem of binaries being kept too long on the Mac, especially on those with very small hard drives.

Having an SDCache folder full of binaries can be helpful, especially on bandwidth constrained networks, because other clients can pull directly from that local Mac instead of the source file share.  Even so, you may find you need to shorten the number of days some of your Macs keep files within the SDCache folder, to save yourself the help desk calls complaining that a machine is out of hard drive space.

The XML file that controls the schedule for the SDCache purge is located in the /Library/Application Support/LANDesk/scheduler folder and is titled ldcron-sdclean.xml.

If you crack that file open with a text editor, you’ll notice it contains the same command line text we used to purge the SDCache folder manually.

find /Library/Application\ Support/LANDesk/sdcache/* -mtime +45 -exec rm -rf {} \;

All you need to do is copy off the ldcron-sdclean.xml file from one of your machines or download an example from my GitHub repository, and adjust the -mtime +45 to align with your needs.  Setting a value of +10 will tell LANDESK to purge any file within the SDCache folder older than 10 days, +3 would purge any file older than 3 days and so on.  So set the appropriate value, using your favorite text editor, and then save the updated file to one of your file repository shares.

Now we need to create a Mac package to deploy out the updated ldcron-sdclean.xml file to all of the Macs that need to be updated.  I’ve written a script, again available on my GitHub page, titled changeSDCachePurgeTime.sh that will do exactly that. Basically, it uses the LANDESK sdclient tool to download the XML file and place it into the /Library/Application Support/LANDesk/scheduler folder.

In order for you to use the script, you just need to change the fileToCopy variable path to match the location you saved your ldcron-sdclean.xml file to.  Other than that, it should be totally ready to go.

#!/bin/sh

# changeSDCachePurgeTime
# Created by Bennett Norton on 9/21/16.
# This script will copy the updated SDCache XML to the target machine with the updated sdcache time purge


#Script Variables
#change the IP address to match your http package share hosting the updated ldcron-sdclean.xml file
fileToCopy="http://192.168.29.13/SoftwareDist/MacPackages/ldcron-sdclean.xml"
destinationLocation="/Library/Application Support/LANDesk/scheduler"


#Only attempt the copy when the LANDESK agent, and therefore its scheduler folder, is present on this Mac
if [ ! -d "$destinationLocation" ]; then
 echo "LANDESK scheduler folder not found at $destinationLocation" >&2
 exit 1
fi

#sdclient downloads the XML file (with LANDESK bandwidth controls, without trying to install it) and places it in the scheduler folder in place of the agent's default copy
/Library/Application\ Support/LANDesk/bin/sdclient -noinstall -package "$fileToCopy" -destdir "$destinationLocation"

If you decide to write your own script, just make sure you set the execute permissions on the file prior to copying it to your file share.

sudo chmod +x /path/to/script.sh

Now you’re ready to create your Mac package and deploy.  The directions to do so are below.

Creating LANDESK Management Suite Mac Packages

  1. Open the LANDESK Console
  2. Navigate to the top menu bar, select Tools > Distribution > Distribution Packages.
  3. In the lower left menu tree, highlight My Packages or Public Packages from within the Distribution Packages window
  4. On the Distribution menu bar, press the New Package button and select New Macintosh Package.
  5. Give the package a name
  6. Provide a description as well as any metadata information desired
  7. Set the primary file to the script file you previously transferred to your package share
  8. Fill out the Metadata details if desired, specifically supplying a logo so it shows up properly in the portal
  9. Save the package

Creating a Scheduled Mac Software Distribution Task

  1. Right click on the Mac software distribution package created and select Create Scheduled Task
  2. From the network view, select and drag the desired machine(s), user(s) or query(ies) and drop them onto the task
  3. Now, right click on the task and select properties
  4. Set the desired Task type under Task Settings as to whether you want a push, a policy or a hybrid of the two types in a policy-supported push
  5. Set the radio button in the Portal Settings to either Recommended or Optional if you desire to put the package into Workspaces.  If you’d like to automatically deploy the app, select Run automatically
  6. Change the Reboot Settings or Distribution and Patch settings if desired
  7. Set the schedule task settings with the appropriate start time

Problem totally solved, right?

Well, not quite.  If at any time in the future you redeploy the LANDESK Mac agent, the ldcron-sdclean.xml file will be overwritten with the default +45 day value.  You could always write a custom definition, if you’re a LANDESK Patch customer, to watch for that value and remediate if detected.  However, that may be more work than it’s worth if you only have a couple of machines you’re concerned about.  So just be cognizant that an agent deployment will reset the value, and redeploy your package if need be.

Recover Hard Drive Space by Purging the LANDESK SDCache Folder

Whenever a Mac is told to perform a software distribution or patch task, the LANDESK agent will download the binaries for that task and store them in the sdcache folder found under /Library/Application Support/LANDesk. By default, the LANDESK agent will purge any file older than 45 days, so in most scenarios, there is little need to pay attention to what is in that folder.

However, if you find that your Mac is short on hard drive space, perhaps due to the GB’s worth of patch binaries that were placed on it after having recently updated to the 64-bit version of Microsoft Office, you might find the little purgeSDCache.sh script, available on my GitHub site or pasted below, a beneficial tool to have ready in your arsenal of LANDESK packages.

#!/bin/sh

# purgeSDCache.sh
# Created by Bennett Norton on 9/16/16.
# This script will delete all non-standard files/folders from the LANDESK sdcache folder
# Change the path variables


#Script Variables
#change this variable if your LANDESK agent keeps its sdcache somewhere other than the default location
landeskPath="/Library/Application Support/LANDesk/sdcache"


#Check to see if destination path exists and if it does, delete the files older than x number of days old
#The +10 after the -mtime switch tells the command to delete everything older than 10 days. You can adjust that number.
#-mindepth 1 leaves the sdcache folder itself alone; -prune stops find from descending into a folder it has just removed
if [ -d "$landeskPath" ]; then
 echo "LANDESK Agent present, deleting sdcache contents older than 10 days."
 find "$landeskPath" -mindepth 1 -mtime +10 -prune -exec rm -rf {} \;
fi

So what does this script do?  It is quite simple really: the script searches inside the SDCache folder and deletes any and all files older than 10 days.  You can easily adjust the age of the files to keep, and there is no reason you can’t set that value to 0 days and essentially purge everything.  Just adjust the number after the -mtime switch to whatever suits you.
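As an added example that is not part of either post, here is a dry-run capable version of the purge above together with helpers that read and rewrite the -mtime value in ldcron-sdclean.xml (what the schedule post above does by hand in a text editor); it also shows the whole-day rounding of -mtime +N that both posts gloss over. The cache contents and the XML file it builds are constructed stand-ins, and the element names in that XML are assumed, not LANDESK’s real schema.

```shell
#!/bin/sh
# Added example (not from the original posts): a dry-run capable SDCache purge
# and helpers that read and rewrite the retention value inside ldcron-sdclean.xml.
# The sample XML built by make_sample_cron_xml is a constructed stand-in: only
# the embedded find command comes from the real file, the element names do not.

# purge_sdcache DIR DAYS [dry]
# Removes entries under DIR whose age in whole 24-hour periods is greater than
# DAYS, which is exactly what `find -mtime +DAYS` matches: an entry that is
# 10 days and 23 hours old survives +10, an 11-day-old one does not.
# Pass "dry" as the third argument to list what would be removed instead.
purge_sdcache() {
  cache_dir=$1; keep_days=$2; mode=${3:-live}
  if [ ! -d "$cache_dir" ]; then
    echo "no sdcache at $cache_dir, nothing to do" >&2; return 0
  fi
  if [ "$mode" = dry ]; then
    find "$cache_dir" -mindepth 1 -mtime +"$keep_days" -prune -print
  else
    # -prune keeps find from descending into a folder it has just removed
    find "$cache_dir" -mindepth 1 -mtime +"$keep_days" -prune -exec rm -rf {} \;
  fi
}

# get_cron_retention XMLFILE -> prints the N from "-mtime +N" in the file
get_cron_retention() {
  sed -n 's/.*-mtime +\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# set_cron_retention XMLFILE DAYS -> rewrites "-mtime +N" so the agent's own
# scheduled purge uses DAYS; fails if the file carries no -mtime value at all
set_cron_retention() {
  grep -q -- '-mtime +[0-9][0-9]*' "$1" || { echo "no -mtime value in $1" >&2; return 1; }
  sed -i.bak "s/-mtime +[0-9][0-9]*/-mtime +$2/" "$1" && rm -f "$1.bak"
}

# stamp_days_ago DAYS HOURS -> a `touch -t` timestamp that far in the past;
# works with both BSD/macOS (`date -r`) and GNU (`date -d @`) date commands
stamp_days_ago() {
  secs=$(( $(date +%s) - $1 * 86400 - $2 * 3600 ))
  date -r "$secs" +%Y%m%d%H%M.%S 2>/dev/null || date -d "@$secs" +%Y%m%d%H%M.%S
}

# make_sample_sdcache DIR -> constructed cache contents with controlled ages
make_sample_sdcache() {
  mkdir -p "$1/pkg-fresh" "$1/pkg-old"
  : > "$1/pkg-fresh/today.pkg"
  touch -t "$(stamp_days_ago 0 1)" "$1/pkg-fresh/today.pkg" "$1/pkg-fresh"
  : > "$1/edge-10d23h.pkg"
  touch -t "$(stamp_days_ago 10 23)" "$1/edge-10d23h.pkg"
  : > "$1/pkg-old/office.pkg"
  touch -t "$(stamp_days_ago 30 0)" "$1/pkg-old/office.pkg" "$1/pkg-old"
}

# make_sample_cron_xml FILE -> constructed stand-in for ldcron-sdclean.xml
make_sample_cron_xml() {
  cat > "$1" <<'EOF'
<job name="sdclean">
  <command>find /Library/Application\ Support/LANDesk/sdcache/* -mtime +45 -exec rm -rf {} \;</command>
</job>
EOF
}

# Demonstration on a throwaway folder; set SDCACHE_DEMO=1 to run it.
if [ "${SDCACHE_DEMO:-}" = 1 ]; then
  work=$(mktemp -d)
  make_sample_sdcache "$work/sdcache"
  echo "would remove with +10:"; purge_sdcache "$work/sdcache" 10 dry
  make_sample_cron_xml "$work/ldcron-sdclean.xml"
  set_cron_retention "$work/ldcron-sdclean.xml" 10
  echo "new retention: $(get_cron_retention "$work/ldcron-sdclean.xml")"
  rm -rf "$work"
fi
```

Running the dry mode first on a handful of Macs shows exactly which cached packages a new retention would discard before any rm is issued.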

Now you just have to create the package and deploy to the machines that are short on hard drive space.  Just remember to set the execute permissions on your script prior to copying it to your file share.  You do that by opening Terminal and running the command below:

sudo chmod +x /path/to/script.sh

Creating LANDESK Management Suite Mac Packages

  1. Open the LANDESK Console
  2. Navigate to the top menu bar, select Tools > Distribution > Distribution Packages.
  3. In the lower left menu tree, highlight My Packages or Public Packages from within the Distribution Packages window
  4. On the Distribution menu bar, press the New Package button and select New Macintosh Package.
  5. Give the package a name
  6. Provide a description as well as any metadata information desired
  7. Set the primary file to the script file you previously transferred to your package share
  8. Fill out the Metadata details if desired, specifically supplying a logo so it shows up properly in the portal
  9. Save the package

Creating a Scheduled Mac Software Distribution Task

  1. Right click on the Mac software distribution package created and select Create Scheduled Task
  2. From the network view, select and drag the desired machine(s), user(s) or query(ies) and drop them onto the task
  3. Now, right click on the task and select properties
  4. Set the desired Task type under Task Settings as to whether you want a push, a policy or a hybrid of the two types in a policy-supported push
  5. Set the radio button in the Portal Settings to either Recommended or Optional if you desire to put the package into Workspaces.  If you’d like to automatically deploy the app, select Run automatically
  6. Change the Reboot Settings or Distribution and Patch settings if desired
  7. Set the schedule task settings with the appropriate start time

Silently Install Cylance Protect with LANDESK Management Suite

Overview

Cylance Protect is a next generation anti-virus product and seems to be taking the OS X world by storm.  The product’s marketing verbiage states Cylance “blocks threats in real time BEFORE they ever cause harm.”

As a result of Cylance’s success, I’ve recently received a number of requests from customers asking how they can silently install the product with their specific, company-unique token.

Luckily, accomplishing a silent install of Cylance Protect is a fairly simple process.  I’ve written a basic script that will accomplish the task for you.  One particular customer sent a reply back to me after using this script, stating the “Cylance deployments went great!!!”  Hopefully your deployments can go as smoothly as theirs.

Furthermore, because this script leverages the LANDESK SDClient tool for the download, you will still benefit from bandwidth controls, and you’ll be able to leverage peer sharing if you store your package file in the sdcache folder.

For simplicity, I’ve chosen to write my package to the same folder where I’ll write my token file.  Because the token file can be read with any text editor, I’ve chosen to store my data in a private folder, which means I will only benefit from LANDESK’s bandwidth controls, but I figured it was a good tradeoff for me.  I just didn’t want to put the license key into a folder that people might be accustomed to looking in.

Cylance Protect Script

Break out your favorite text editor (TextWrangler or Xcode is what I use) and let’s get started.  I’ll break the script down into sections for easy understanding.  The first part of the script contains your obligatory declaration indicating it’s a shell script as well as some comments as to what I named the script, when I created the script and what it does. Besides the very first line, everything is optional.

#!/bin/sh
#  CylanceSilentInstall.sh
#  Created by Bennett Norton on 8/30/16.
#  This script will copy a file from the source destination and place it on the Mac into the destination folder

The next part is where you’ll set the variables used throughout the script.  You’ll need to supply the custom Cylance token, the package name, the location of where the package will be stored on your HTTP share and the location to where you’ll want to store the package and Cylance token on the client.

It’s likely that you’ll be able to leave the cylancePackageName and cylancePackageAndTokenDestination variables as is, only modifying the cylanceToken and cylancePackageLocation variables.  Just replace the text between the quotes.

#Script Variables
#change these variables to match your token and desired destination paths

cylanceToken="cylanceCustomToken"
cylancePackageName="CylancePROTECT.zip"
cylancePackageLocation="http://ldserver.ldlab.org/SoftwareDist/MacPackages/Cylance/"
cylancePackageAndTokenDestination="/private/tmp/Cylance"

The next section of the script detects whether the folder where we will store the package file on the client exists and, if it does not, creates it.  You may want to enhance this part of the script to delete any files inside if it does exist; I have not added that, but it may be a good idea.

#Check to see if destination exists and if not, create it

if [ ! -d "$cylancePackageAndTokenDestination" ]; then
 echo "Location doesn't exist.  Creating directory"
 mkdir -p "$cylancePackageAndTokenDestination"
 echo "$cylancePackageAndTokenDestination created"
fi
#restrict the working folder to its owner (root when run via sudo or the LANDESK agent) so other local users cannot read the token written below
chmod 700 "$cylancePackageAndTokenDestination"

You shouldn’t need to adjust anything within the next phase of this script.  This step is simply creating an output file of the token to be used during the install.

#Output token to file
#You shouldn't need to make any changes here

echo "$cylanceToken" > "$cylancePackageAndTokenDestination/cyagent_install_token"
chmod 600 "$cylancePackageAndTokenDestination/cyagent_install_token"

The next step within our script is to download the installer package.  This piece is specifically tailored to LANDESK Management Suite and uses SDClient as the downloader.  If you don’t have LANDESK Management Suite, alter this part of the script to use curl.

#Download package installer

/Library/Application\ Support/LANDesk/bin/sdclient -noinstall -package "$cylancePackageLocation/$cylancePackageName" -destdir "$cylancePackageAndTokenDestination"

We now need to unzip the package file and install the package using OS X commands, which means this code is generic, not specific to LANDESK Management Suite.

#unzip package installer
#-o overwrites a leftover copy from an earlier run instead of prompting, which would hang a silent install

unzip -o "$cylancePackageAndTokenDestination/$cylancePackageName" -d "$cylancePackageAndTokenDestination"

#Install Cylance
#the .pkg inside the zip is CylancePROTECT.pkg; the token file written above is used during this install

sudo installer -pkg "$cylancePackageAndTokenDestination/CylancePROTECT.pkg" -target /

Finally, let’s clean up after ourselves.  The final command in our script will delete the entire Cylance working folder (/private/tmp/Cylance), including the package and the token file.

#Delete Cylance folder

rm -rf "$cylancePackageAndTokenDestination"

As I mentioned with the folder detection, you may want to add some detection logic to check that the application exists in the Applications folder prior to deleting the folder; that’s up to you.

And that’s it, you now have a fully functioning script you can use to silently deploy Cylance Protect in your environment.  For ease in the copy and paste process, here is the entire script.

#!/bin/sh
#  CylanceSilentInstall.sh
#  Created by Bennett Norton on 8/30/16.
#  This script will copy a file from the source destination and place it on the Mac into the destination folder


#Script Variables
#change these variables to match your token and desired destination paths

cylanceToken="cylanceCustomToken"
cylancePackageName="CylancePROTECT.zip"
cylancePackageLocation="http://ldserver.ldlab.org/SoftwareDist/MacPackages/Cylance/"
cylancePackageAndTokenDestination="/private/tmp/Cylance"

#Check to see if destination exists and if not, create it

if [ ! -d "$cylancePackageAndTokenDestination" ]; then
 echo "Location doesn't exist.  Creating directory"
 mkdir -p "$cylancePackageAndTokenDestination"
 echo "$cylancePackageAndTokenDestination created"
fi
#restrict the working folder to its owner (root when run via sudo or the LANDESK agent) so other local users cannot read the token written below
chmod 700 "$cylancePackageAndTokenDestination"

#Output token to file
#You shouldn't need to make any changes here

echo "$cylanceToken" > "$cylancePackageAndTokenDestination/cyagent_install_token"
chmod 600 "$cylancePackageAndTokenDestination/cyagent_install_token"

#Download package installer

/Library/Application\ Support/LANDesk/bin/sdclient -noinstall -package "$cylancePackageLocation/$cylancePackageName" -destdir "$cylancePackageAndTokenDestination"

#unzip package installer
#-o overwrites a leftover copy from an earlier run instead of prompting, which would hang a silent install

unzip -o "$cylancePackageAndTokenDestination/$cylancePackageName" -d "$cylancePackageAndTokenDestination"

#Install Cylance
#the .pkg inside the zip is CylancePROTECT.pkg; the token file written above is used during this install

sudo installer -pkg "$cylancePackageAndTokenDestination/CylancePROTECT.pkg" -target /

#Delete Cylance folder

rm -rf "$cylancePackageAndTokenDestination"

At this point, you need to save your file to an OS X machine, if you’re not already on a Mac. Make sure your file extension is .sh as well; I saved mine as CylanceSilentInstall.sh.

After your shell script is saved, you then need to open up Terminal and give the script execute permissions.  Don’t skip this step or your script will not execute when using LANDESK.  Once Terminal is open, run the following command:

chmod +x /path/to/your/script/name.sh

You should now be able to test your script manually.  Find a test machine or VM if the Mac you’re using is not viable, open Terminal on it and run the following command:

sudo /path/to/your/script/name.sh

Assuming all goes well and Cylance Protect installs, you’re ready to zip up your script and copy it to your HTTP package share.  Now you just need to build a LANDESK Mac package and deploy the package to your target machines.

Create a LANDESK Mac Software Package

  1. Open the LANDESK Console
  2. Navigate to the top menu bar, select Tools > Distribution > Distribution Packages.
  3. In the lower left menu tree, highlight My Packages or Public Packages from within the Distribution Packages window
  4. On the Distribution menu bar, press the New Package button and select New Macintosh Package.
  5. Give the package a name
  6. Provide a description as well as any metadata information desired
  7. Set the primary file to the zip file you previously transferred to your software distribution folder
  8. Fill out the Metadata details if desired, specifically supplying a logo so it shows up properly in the portal
  9. Save the package

Create a Scheduled Mac Software Distribution Task

  1. Right click on the Mac software distribution package created and select Create Scheduled Task
  2. From the network view, select and drag the desired machine(s), user(s) or query(ies) and drop them onto the task
  3. Now, right click on the task and select properties
  4. Set the desired Task type under Task Settings as to whether you want a push, a policy or a hybrid of the two types in a policy-supported push
  5. Set the radio button in the Portal Settings to either Recommended or Optional if you desire to put the package into Workspaces.  If you’d like to automatically deploy the app, select Run automatically
  6. Change the Reboot Settings or Distribution and Patch settings if desired
  7. Set the schedule task settings with the appropriate start time
LANDESK Mac Management Part 8: Building a Gold Image using AutoDMG

In part 8 of the LANDESK Mac Management video series, we’ll download a couple of freeware utilities to assist us in creating a gold image for Provisioning.  The first tool we’ll use is AutoDMG.  This is an image builder tool created by Per Olofsson and can be downloaded from https://github.com/MagerValp/AutoDMG/releases.  AutoDMG builds an actual image file directly from an OS X installer, precluding the need to build out an actual machine and capture the image from it.  There are a lot of benefits to this approach, and it is the approach we recommend at LANDESK.

Furthermore, AutoDMG, as part of the build process, allows you to bundle in deployment packages as well.  While LANDESK recommends that in most scenarios you do not bundle software packages directly into your image, there are a couple of configuration packages you may want to bundle in order to make the provisioning process more streamlined.  One of those might be the creation of an admin account set to auto-login.  CreateUserPkg, another utility written by Per Olofsson, is the one I recommend.  The video walks you through creating an admin account and setting it to autologin.  See http://magervalp.github.io/CreateUserPkg/ for the utility download.

You may also want to track down other configuration packages to assist you as well, such as Rich Trouton’s recommendations on disabling Apple’s Diagnostics and Usage utility (https://derflounder.wordpress.com/2014/11/21/controlling-the-diagnostics-usage-report-settings-on-yosemite/)  or the iCloud confirmation window (https://derflounder.wordpress.com/2014/10/16/disabling-the-icloud-and-diagnostics-pop-up-windows-in-yosemite/).
LANDESK Mac Management Part 7: Building a NetBoot Image for OS Deployment

In part 7 of the LANDESK Mac Management video series, we’ll prepare for an operating system deployment by creating a NetBoot image, the equivalent of a WinPE image for the Windows world, to boot the OS X devices into a pre-boot environment.  The video will demonstrate how to use Apple’s System Image Utility and LANDESK’s Startup Disk Stamper to accomplish this task.
LANDESK Mac Management Part 6: Create and Deploy an OS X Upgrade Package

In part 6 of the LANDESK Mac Management video series, I discuss how to use a freeware utility called CreateOSXInstallPkg, available at https://github.com/munki/createOSXinstallPkg, to build an upgrade package that can be easily deployed with LANDESK Management Suite 2016.  While this can be done as a required package, this video will walk through the process using Workspaces, focusing on the end user experience via a self-guided upgrade.