LANDESK Mac Management Part 4: Patching OS X and 3rd Party Applications

In part 4 of this LANDESK Mac Management series, we’ll demonstrate how you can patch the Mac OS, walking through the reboot process, as well as how to patch 3rd party application titles on the machine, which typically don’t require a reboot.

How to Build an NBI with OS X 10.11 El Capitan

Updated video posted here: https://appleintheenterprise.com/2016/08/12/landesk-mac-management-part-7-building-a-netboot-image-for-os-deployment/

Introduction

OS X El Capitan introduced several changes to the System Image Utility when creating a NetInstall Image. This white paper will walk through the required steps to successfully build an NBI file LANDESK can use to provision a Mac with LANDESK Management Suite.

Watch the how-to video here.

Overview

Beginning in LANDESK Management Suite 9.6, LANDESK changed the process to build NBI files. We now leverage Apple’s System Image Utility to create a bootable NBI file. LANDESK has created a stamper utility that subsequently injects the needed LANDESK information while, at the same time, reducing the NBI file in size. One of the major benefits of this process is that the NBI you have to push over the wire will be in the 500-600 MB size range as opposed to 6 GB+.

Prepare the OS X El Capitan Machine

  1. The first thing needed is the OS X El Capitan Installer. Download it and place it into the Applications Folder.
  2. The LANDESK Mac agent also needs to be installed on the device. Make sure you use an agent that is 9.6 SP2 or later.  For more information on how to deploy an agent, see https://community.landesk.com/support/docs/DOC-30016
  3. Download the LANDESK Startup Disk Stamper Utility from https://community.landesk.com/support/docs/DOC-33695
  4. An administrative account on the box

Build the NetInstall Image with Apple’s System Image Utility

  1. Launch System Image Utility from the Mac. Use the Spotlight Search to find it as it’s buried in an Applications folder under System > Library > CoreServices
  2. From the source dropdown picker, select Install OS X El Capitan and click Next. If you don’t see Install OS X El Capitan from the options menu, quit the System Image Utility, download the installer and put it into the Applications folder and then re-launch.
  3. Select the option NetInstall Image and click Next
  4. Agree to the License Agreement if prompted
  5. At this time, we don’t need to add any configuration options, as all of that will be built inside the provisioning process within the LANDESK Console. For the next 4 screens, just click Next with no items added or changed from the defaults.  Stop when you get to the Image Settings screen.
  6. Provide a Network Disk name to your liking. You’ll be asked to create a second name for the NBI file LANDESK stamps, so for me, I always put Apple in the name so I can be sure to differentiate the two. Also, each image file needs to have a unique image index. Feel free to choose whichever option best suits your environment. I personally assign my indices so I can ensure a unique value. Also, just by way of note, you’ll need to assign another unique ID when you use the LANDESK stamper.
  7. Select the computer models you want your NBI to support and click Next.
  8. Pay special attention to the Filter Clients by MAC Address window. This pane essentially creates a whitelist or blacklist of client devices allowed to boot from your NBI file. If you’re more security conscious, leave the radio button set to Allow and provide an import of all of the MAC addresses you care about. Just know that as you receive new machines, you will have to rebuild your NBI. If you’re less concerned about unknown machines NetBooting from your NBI file, change the radio button to Deny and click Next.
  9. Finally, provide the path to where the Apple NBI file will be created and click the Save button. For ease of use when using the LANDESK stamper, I select the desktop.
  10. Enter your admin credentials on the box and wait for the NBI to be generated.

IMPORTANT NOTE: In OS X 10.11 El Capitan, Apple has introduced their new System Integrity Protection feature, which affects how you are able to NetBoot devices. If you need to NetBoot across subnets, you’re going to need to customize the NBI and add in your approved NetBoot servers’ IP addresses. To do this, prior to clicking Next on step 8, make sure you set your desired filter state and then click Customize.

Once inside the Automator tool, you need to scroll down through the list of actions until you find the Bless NetBoot Server action. Once you find it, drag it to the far right, upper panel and drop it prior to the Create Image action. Click on the + object for the Bless NetBoot Server and add in the IPs of your PXE representatives or your OS X NetBoot Servers as well as the IP of the Core Server.

Using this method, you’ll also need to finalize the name of your NBI file and the location to save it inside of the Create Image action. When you have everything configured, click the Run button at the top right. It’ll take a couple of minutes to write the NBI file. When it’s finished, go ahead and close both the Automator app as well as the System Image Utility app.

For more information on the SIP restrictions and the NetBoot process, see: http://community.landesk.com/support/docs/DOC-35984

Stamp the Apple NBI File with LANDESK’s Startup Disk Stamper

  1. Launch the LANDESK Startup Disk Stamper. You can find the download link in the Overview section if you have not yet pulled it down from the LANDESK Community.
  2. Click the Choose button in the NBI Source panel and select the Apple NBI file previously generated
  3. Although a bit hidden in the dialog box, you can change the desktop background displayed during the NetBoot process by selecting the Choose button in the Agent Source panel. This step is optional.
  4. Set your destination type.
    1. If you intend to boot your NBI from the network, select the NetBoot Image radio button and push the Choose button to name your LANDESK NBI file and to indicate where you would like to save it.
    2. If you need to build a bootable USB drive, select the Removable Drive option and select the Device from the Finder window.
  5. Set a second unique index. Since LANDESK is generating its own NBI file, you’ll want this value to be different from the value selected in step 6 for the System Image Utility NBI creation.
  6. Provide a description if desired and click Create
  7. Enter your admin credentials on the box and wait for the LANDESK NBI to be generated.

Note:  If you see ?? marks in any of the panels, the tool has not been properly configured or a 9.6 SP2 or later LANDESK Mac agent has not been installed.

 

 

Force LANDESK Antivirus for Mac to Update its License File

I recently had to install LANDESK AV directly from the Mac Client package on a machine, but unfortunately, the machine was not connected to the Core server’s network nor the Internet.  I’m not sure if that is a required step in order to pull down the license file or if it was just circumstantial, nonetheless, I couldn’t get the client to pull down the license even after I connected it to the Core’s network and to the Internet.

As I always do in these types of situations, I pulled up my browser and hit the LANDESK Community site.  I quickly found an article titled How to refresh the Mac AV license key on client machines and was quite hopeful the answer would be found therein.  I was in luck!  The prescribed solution written by Bryce worked like a champ.

Within minutes I had a custom script written in the Manage Scripts portion of the LANDESK Console, a task created and targeted with a successful result returned.  The Mac I was working with was able to update to the latest pattern files letting me get back to the problem at hand.

Now, while the script did indeed work as described in the how-to community article, the ldkahuna command to download files is old and outdated within the modern LANDESK Mac agent. It works, it hasn’t been completely deprecated, but there is a better way and that better way is to use sdclient.

Using sdclient instead of ldkahuna has a number of advantages.  First off, it has access to the bandwidth controls built into the agent.  It also has a -dest switch allowing you to not only download but to specify the location of where you want the files to be placed.  Furthermore, rumor has it, that in the next LANDESK Management Suite release, sdclient will become peer aware like the Windows agent.

Who wants to use the old stuff anyway, when you can use the new stuff?  If Steve Goodrich uses it when he needs to download stuff, I’ll use it as well.

The best part: the switch is quite straightforward. Let’s look at how we would write it with ldkahuna and how it would be written with sdclient.

Old Code:

REMEXEC01=ldkahuna http://%CUSTJOBHOSTIP%/ldlogon/avclient/install/key/ldav.key

New Code:

REMEXEC01=sdclient -noinstall -package http://%CUSTJOBHOSTIP%/ldlogon/avclient/install/key/ldav.key

Pretty simple change, right?  I thought so.  Now just schedule out your Managed Script and target those stubborn Macs that won’t update their license file.  In short order, you’ll be back in business.

If You Eat All of Your Vegetables…Then Deploy the LANDESK Agent

If this…then that.

As human beings, we’ve been dealing with if/then conditional statements since our childhood. “If you clean your room, then you can go play,” or “if you eat all of your vegetables, then you can have dessert.”

You’ve just had terrible flashbacks of being forced to consume all of the broccoli on your plate, haven’t you?

Well, as we grow up, the “if/then” conditions don’t go away. We may or may not know it, but nearly every application we use has some sort of conditional statement buried into the code. It’s how programmers can provide an experience to us as we make decisions interacting with their applications.

A programmer will provide us an option to choose from and based on the outcome of that choice, code has been written to provide the experience to match our choice.

When it comes to systems management, well, we love conditional statements just as much as Mom and Dad did. We have all sorts of scenarios we need to evaluate and then take action based on the results.

One of the most common scenarios of an if/then, when it comes to systems management, is simply verifying if a machine has the systems management agent installed. If it does, great, don’t do anything. If it doesn’t, well then install it.

Not too hard, right?

Well, life is never easy. There is always going to be some sort of exception to any process. You may have been able to discover 80% of your machines and push an agent installer to it. Perfect, you’re 80% there. For the other 20% though, that’s where all of the work is.

To help us in our scenario of getting machines enrolled into our systems management tool, let’s write a little script that detects whether a LANDESK agent is installed. If it is, the script can simply exit, or provide feedback and then exit. If an agent is not installed, the script downloads the agent, installs it, and then cleans up all of the install files. Ultimately, the end result is that you can run the detection on every machine and only effect change on those ever elusive twenty-percenters.

I’ve written an example script below that detects whether the LANDESK agent has been installed and then proceeds appropriately. Since the script uses variables, it is quite portable and could be adapted to many other types of scenarios.

#!/bin/bash
## replace "coreserver.mycompany.com" with your core server FQDN
## replace "MacAgent.mpkg.zip" with your agent name, remembering to appropriately handle spaces in the name if applicable.
CORE="http://coreserver.mycompany.com/ldlogon/mac"
AGENTNAME="MacAgent.mpkg.zip"

## detect if the agent is already installed
if [ -d "/Library/Application Support/LANDESK" ]; then
    echo 'The LANDESK Agent is Installed'
    exit 1
else
    echo 'The LANDESK Agent Needs to be Installed'

    ## download the agent (quoted so a name containing spaces survives)
    curl -# -O "$CORE/$AGENTNAME"

    ## unzip the downloaded agent
    unzip "$AGENTNAME"

    ## install the agent
    ## -allowUntrusted lets installer accept a package signed by an untrusted or expired certificate
    sudo installer -allowUntrusted -pkg "LDMSClient.mpkg" -tgt LocalSystem

    ## delete the files downloaded
    rm "$AGENTNAME"
    rm -rf "LDMSClient.mpkg"
    exit 0
fi

For this script to function in your environment, copy it into a text editor such as TextWrangler or Notepad++. Modify the CORE variable as well as the AGENTNAME variable and then save it out as a .sh file. Then, leveraging a login process, such as a Group Policy login, or whatever tool or process you have, deploy out the script to all of your machines (after careful test validation of course). Since it’s a shell script, it just needs to be executed with a “./” command with superuser privileges.

In my environment, I saved the file as LDAgentInstall.sh. As such, for me to execute it, I ran “sudo ./LDAgentinstall.sh” and as can be seen in the screenshot, it returned the phrase “The LANDESK Agent is Installed.”
