Distributing Enterprise Applications to macOS devices using MDM

In an earlier blog post, Bennett described how to create and deploy VPP software packages to macOS and iOS devices using LANDESK Management Suite 2016.3 and later. You may have noticed a radio button in the console UI that, at the time, was ignored:

[Screenshot: manifest-url-package]

Yep, you can deploy your own software packages using LDMS MDM, not just those software applications available on the App Store.

If you select the Manifest URL button, you get some additional UI:

[Screenshot: mdm-properties]

The additional UI allows you to enter the URL of a manifest plist file, and the Bundle ID and version of the application being installed. This can seem pretty daunting. Thank goodness Apple has provided a web page documenting the requirements for software distribution via MDM. It’s a good read, and answers a lot of questions, but, at least for me, it didn’t get to the point of being able to create something I could distribute via MDM. But let me summarize:

To distribute software or other things (like fonts for example), you need:

  1. An installer package (a .pkg file) created with the productbuild command-line tool and signed with the root certificate of your MDM solution.
  2. A manifest file in the form of a property list (.plist) which describes and points to the installer package in very specific ways (see the above link for a sample)
  3. A webshare, accessible from your intranet or the Internet. You can place the package and manifest file in a hidden directory or in any location that’s readable using https. It must be readable using https, and using a non-self-signed certificate, since Apple URL services will not connect via https to a server with a self-signed cert.

Once you have these three things, you can fill out the Manifest URL UI to create an LDMS package to distribute to enrolled macOS devices using MDM.

The installer package

Creating an installer package for an application you want to install can be as easy as running the command-line tool productbuild. For example, to create an installer package on my external drive “Work” for Google Chrome, which is sitting in my Applications folder, the following terminal command will do the trick:

productbuild --component "/Applications/Google Chrome.app" /Applications "/Volumes/Work/Google Chrome.pkg" --sign identity-name

You will need to replace identity-name with the name of a valid signing certificate on your computer. If you have enrolled your macOS device in the LDMS MDM service, you can find the certificate for the MDM service in your system keychain. This is a valid signing certificate for deployment with our MDM solution.

The manifest file

If you read the Apple documentation (see above), you were given an example manifest file to fill out with your package-specific info (I’ve simplified this by removing some items that are not applicable to the LANDESK environment):

Sample macOS content manifest file for an application bundle
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">
     <dict>
         <key>items</key>
         <array>
              <dict>
                   <key>assets</key>
                   <array>
                       <dict>
                            <key>kind</key>
                            <string>software-package</string>
                            <key>md5-size</key>
                            <integer>10485760</integer>
                            <key>md5s</key>
                            <array>
                                 <string>41fa64bb7a7cae5a46bfb45821ac8b99</string>
                                 <string>51fa64bb7a7cae5a46bfb45821ac8b98</string>
                                 <string>61fa64bb7a7cae5a46bfb45821ac8b97</string>
                            </array>
                            <key>url</key>
                            <string>https://www.example.com/apps/myapp.pkg</string>
                       </dict>
                   </array>
                   <key>metadata</key>
                   <dict>
                       <key>bundle-identifier</key>
                       <string>com.example.myapp</string>
                       <key>bundle-version</key>
                       <string>1.0</string>
                       <key>items</key>
                       <array>
                            <dict>
                                 <key>bundle-identifier</key>
                                 <string>com.example.myapp-unique</string>
                                 <key>bundle-version</key>
                                 <string>1.7.4</string>
                             </dict>
                       </array>
                       <key>kind</key>
                       <string>software</string>
                       <key>sizeInBytes</key>
                       <string>26613453</string>
                       <key>title</key>
                       <string>Example My App Package</string>
                   </dict>
              </dict>
         </array>
     </dict>
</plist>

Things to know if you are planning to do this by hand:

Once the package is built as above, filling out this manifest file requires four pieces of information:

  1. The location of the installer package on the https server. Replace “https://www.example.com/apps/myapp.pkg” with the actual name and location of the hosted package.
  2. The MD5 hash of each 1 megabyte chunk of the installer package file. Replace the array of MD5 hashes (labeled “md5s” above) with the actual hashes.
  3. The bundle identifier and version of the application you are installing. Replace the strings labeled “bundle-identifier” and “bundle-version” above with those values.
  4. The size in bytes of the application package. Replace the string labeled “sizeInBytes” above with this value.
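All four of those fields can be produced mechanically from the built .pkg. What follows is an added example, not code from this post and not the Manifester tool it describes: it hashes the package in fixed-size chunks, assembles the items/assets/metadata structure shown in the sample manifest with Python’s plistlib, and also re-checks a package against a manifest so a truncated or altered upload on the https share is caught before the LDMS package is scheduled. The function names, the constructed stand-in payload and the URL/bundle values are assumptions for illustration. One detail worth noticing: the md5-size value must equal the chunk size actually used for hashing, and the sample manifest above advertises 10485760 bytes, so that is the default here.

```python
"""Build and verify an Apple MDM software-distribution manifest for a .pkg.

Added example; not code from the original post or from LANDESK's Manifester.
Assumes the manifest layout shown in the sample above (items/assets/metadata)
and uses a constructed payload instead of a real installer package.
"""
import hashlib
import plistlib
from typing import Dict, List

# The sample manifest above advertises 10485760-byte chunks in its md5-size key;
# whatever chunk size is used for hashing must be written into that key.
DEFAULT_CHUNK_SIZE = 10485760


def chunk_md5s(data: bytes, chunk_size: int = DEFAULT_CHUNK_SIZE) -> List[str]:
    """Return the hex MD5 of each successive chunk_size-byte slice of data.

    The final chunk may be shorter; an empty payload yields no hashes.
    """
    if chunk_size <= 0:
        raise ValueError("chunk_size must be positive")
    return [
        hashlib.md5(data[offset:offset + chunk_size]).hexdigest()
        for offset in range(0, len(data), chunk_size)
    ]


def build_manifest(pkg_data: bytes, pkg_url: str, bundle_id: str,
                   bundle_version: str, title: str,
                   chunk_size: int = DEFAULT_CHUNK_SIZE) -> Dict:
    """Return the manifest as a dict mirroring the plist sample above."""
    # The device will not fetch the package over plain http, so refuse to write
    # a manifest that points at one. (A self-signed certificate fails as well,
    # but that cannot be judged from the URL string alone.)
    if not pkg_url.lower().startswith("https://"):
        raise ValueError("package URL must use https")
    return {
        "items": [{
            "assets": [{
                "kind": "software-package",
                "md5-size": chunk_size,
                "md5s": chunk_md5s(pkg_data, chunk_size),
                "url": pkg_url,
            }],
            "metadata": {
                "bundle-identifier": bundle_id,
                "bundle-version": bundle_version,
                "kind": "software",
                "sizeInBytes": str(len(pkg_data)),  # a string, as in the sample
                "title": title,
            },
        }]
    }


def manifest_to_plist(manifest: Dict) -> bytes:
    """Serialise the manifest as XML plist bytes ready to host beside the .pkg."""
    return plistlib.dumps(manifest, fmt=plistlib.FMT_XML)


def verify_package(manifest_plist: bytes, pkg_data: bytes) -> bool:
    """Re-check a package against its manifest before it is pushed to devices.

    Returns True only when the size and every per-chunk MD5 match; a truncated
    or modified upload shows up as False.
    """
    manifest = plistlib.loads(manifest_plist)
    item = manifest["items"][0]
    asset = item["assets"][0]
    if int(item["metadata"]["sizeInBytes"]) != len(pkg_data):
        return False
    return chunk_md5s(pkg_data, int(asset["md5-size"])) == asset["md5s"]


if __name__ == "__main__":
    # Constructed stand-in for an installer package; a real run would read the
    # .pkg produced by productbuild from disk instead.
    fake_pkg = b"\x00" * (3 * 1024 * 1024 + 17)
    manifest = build_manifest(fake_pkg, "https://www.example.com/apps/myapp.pkg",
                              "com.example.myapp", "1.0", "Example My App Package",
                              chunk_size=1024 * 1024)
    plist_bytes = manifest_to_plist(manifest)
    print(plist_bytes.decode())
    print("package verifies against manifest:", verify_package(plist_bytes, fake_pkg))
```

Run it as a script to see the plist generated for the constructed payload. To use it on a real package, read the .pkg produced by productbuild into pkg_data, write the returned bytes to manifest.plist in the same directory as the package on the https share, and run verify_package against the copy you actually uploaded.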

When the manifest file (“something.plist”) has been successfully created, it needs to be moved to the same server that is actually serving the installer package. Best practice is probably to place both the manifest plist file and the installer package file in a directory appropriately named on the https server. So, for example, if our application was named “Example.app”, we might have Example.pkg and manifest.plist files sitting on the server in a directory named “Example”.

The LDMS Manifest Package UI

Once we have the package and manifest file build correctly and hosted on our https server of choice, filling out the LDMS Manifest Package UI is pretty simple. I paste the manifest file url into a web browser, load it up, and copy and paste the bundle id and version into the LDMS Manifest Package UI, along with the manifest file url.

Conclusion

Well, there you go, you now have all of the information you need to be able to build your own manifest distribution packages for the LDMS MDM solution. I can vouch for these instructions, as they have allowed me to attain nearly a 25% success rate manually setting things up. I’m sure you can do even better…

But we couldn’t get anywhere getting our own work done without starting to automate some of the pieces of this task, and at this point we’ve managed to produce an early version of an app we’re calling Manifester, which you can point at an application bundle, or a directory with an application bundle, put in your signing cert, and have it create a directory with an installer package and manifest file in it that you can just copy to the correct location on your https server:

[Screenshot: manifester]

Manifester will create a .manifestation folder which you then upload to the location on your https webshare that you specified in the Manifester UI.

[Screenshot: manifest-output]

Manifester currently supports creating manifest distribution for macOS applications. We will be enhancing it as we get time to support other file types (probably fonts will be first). It should be available through the LANDESK Community site soon after the first of the year.


Assigning DEP Enabled Devices to an Apple MDM Server

The Holy Grail

Zero-touch configuration for IT, the holy grail of device management!  This is the promise of a DEP enabled device.  Just buy it and turn it on, it’ll pull down your designated management profile once the device has an established Internet connection and all of the associated settings and applications assigned will be deployed to the device.

Easy, right?  For the most part, yes it is.  All you need to do is make sure your DEP enabled devices, purchased from Apple or from an authorized DEP reseller, are associated with an Apple MDM server.  In turn, that Apple MDM server needs to be configured with your MDM management service.  To configure LANDESK as your preferred MDM server, see my previous blog post.

Today’s discussion will simply focus on getting those Apple devices enrolled with Apple’s MDM server.  While the process only takes a few minutes, it is a required step for that zero-touch configuration; so don’t skip it.

Adding an Apple Device to an Apple MDM Server

  1. Browse to https://deploy.apple.com from your browser of choice
  2. Provide your Apple ID associated with your DEP account – enroll with Apple here if you have not yet performed this step
  3. Provide your two-factor authentication verification code; this is required by Apple for DEP management
  4. From the menu bar on the left, select Manage Devices
  5. Select your desired radio button to add devices by Serial Number, Order Number or via a CSV Upload
  6. Select the action Assign to Server under Step 2, find your appropriate server from the drop-down list and hit OK

And that’s it.  Now when you unbox your shiny new Apple device, whether it be an iOS or macOS device, once it has an Internet connection (the touch part in the zero-touch process 🙂 ), it’ll pull down the assigned profile from your MDM server.  Then, any time the device is reset, the process will re-engage, ensuring that the device always has your MDM profile assigned.

Set and Maintain a Desired Security State for MDM Managed Devices

LANDESK Management and Security Suite 2016.3 has MDM management built into its core functionality.  Once a device is enrolled, you’ll have access to apply a number of different “Agent Settings” commonly known as Configuration Profiles in the Apple world.

LDMS 2016.3 has 4 out-of-the-box editable agent settings that can be built and assigned to a Mac or iOS device: Mobile Compliance, Mobile Connectivity, Mobile Exchange/Office 365 and Mobile Security.  You’ll find all of these profiles in the Agent Settings tool within the Configuration toolbar of the Management Suite console.

Mobile Compliance can be used to ensure the device’s integrity.  For example, you can enable a compliance rule to detect if the device has been jailbroken and, if it has, choose to selectively wipe it, removing access to everything you’ve deployed to the device.

Mobile Connectivity is where you would upload certificates to be used to bind to WiFi, as well as the appropriate settings for the device to access your corporate WiFi.

Mobile Exchange/Office 365 should be self-explanatory.  Within this setting you’ll configure how your MDM devices will be configured to access your corporate email.

Mobile Security has the real meat and potatoes of the agent settings.  You can set a password policy, restrict device functionality such as access to FaceTime, block access to the iTunes store, set the accessible ranges for content and ratings, control the behavior of iCloud and even block TouchID from unlocking the device.

Mix and match the agent settings as desired; when deploying them you do not need to employ a “one-size-fits-all” approach.  When you create your Agent Settings task, you can select one setting of each type to deploy, giving you a large number of possible configuration combinations.

Once you have all of your Agent Settings created as desired, just create a Change Agent Settings task and target your MDM devices.

  1. While still in the Agent Settings window, click on the Calendar/Clock icon (the second one in the menu bar) and then select Change Settings.
  2. Give your task an appropriate name; I named mine “Passcode”
  3. Find the “Mobile …” entries in the list on the right-hand side of the panel and click on the corresponding Keep agent’s current settings window area.
  4. Find your newly created Mobile Agent Setting and select it.
  5. Now set your desired Task Settings (policy, push, policy supported push) and desired portal settings (required, recommended, optional). I used a policy-supported push and required.
  6. Add in your Targets
  7. Schedule your Change Settings task

Once a device is added to a task and the task is started, every time the device “syncs” with the LANDESK Management Suite server, it will compare the current scheduled tasks on the core with what it currently has applied and will add/remove profiles accordingly.  So don’t delete your task once you’ve successfully applied an agent setting; doing so would in effect tell LANDESK to remove the agent setting from the device the next time it syncs.

Remotely Enroll a macOS Device with LANDESK MDM

With the release of LANDESK Management Suite 2016.3, LANDESK can now manage a Mac using an MDM profile in addition to the traditional LANDESK agent.  One of the main benefits of enrolling the Mac with the MDM service, in addition to already having your regular agent installed, is that you’ll be able to push a VPP app to the Mac.

This blog will walk you through the process of creating a package to install the LANDESK MDM Enroller app on your Mac and then subsequently running a script to enroll the Mac with the MDM service.

Part 1 – Create a LANDESK MDM Enroller Bundle Package Folder

  1. Open the LANDESK Management Suite Console
  2. Navigate to the top menu bar, select Tools > Distribution > Distribution Packages
  3. In the lower left menu tree, highlight My Packages or Public Packages from within the Distribution Packages window
  4. Right click on the selected folder and click on New Package Bundle
  5. Provide your desired package bundle name, I used LANDESK MDM Packages

Part 2 – Create a LANDESK MDM Enroller Package

  1. Download the LANDESK MDM Enroller app from the Community page and copy it to your file share
  2. Right click on your package bundle, hover over New Macintosh Package and select Macintosh Agent
  3. Give the package a name
  4. Browse to the Enroller App file you previously saved and select it from within the Primary File window
  5. Provide a description and any metadata information if desired
  6. Save the package

Part 3 – Create the LANDESK Enrollment Script

The script is pretty basic: you just need to call the command-line utility with -u for the username, -p for the password and -m for the enrollment server.  The script has been built with variables, so just adjust the variables and you’ll be set.

  1. On a Mac device, save the Enroller script from GitHub as a .sh file or use the script pasted at the bottom of the blog
  2. Open the .sh file with your text editor and edit the variables for the username, password and enrollment server
  3. Save the file
  4. Set the execute permissions by running chmod +x /script/path/name.sh
  5. Compress the .sh file
  6. Copy the .sh file to your package share

Note: The script is calling the command line utility built inside of the LANDESK MDM Enroller application.  That means that in order for this script to properly execute, the LANDESK MDM Enroller must already be installed.  To ensure this takes place, we are bundling the packages together and will tell LANDESK which package to execute first.

Part 4 – Create the Enrollment Script Package

  1. Right click on your package bundle again, hover over New Macintosh Package and select Macintosh Agent
  2. Give the package a name
  3. Browse to the zipped script file you previously copied to your package share and select it from within the Primary File window
  4. Provide a description and any metadata information if desired
  5. Save the package

Part 5 – Deploy the Enrollment Package Bundle

  1. Right click on your package bundle and select Properties
  2. Select the Bundle Package Settings from the menu tree
  3. Use the Up / Down buttons to make sure your packages are listed in the appropriate order, with the MDM Enroller app being first and the script being second; clicking Save when you’re finished
  4. Right click on the bundle package one final time and select Create Scheduled Task(s)…
  5. Right click on the newly created Scheduled Task and click on the Properties option
  6. Add your desired targets
  7. Set your desired Task and Portal settings
  8. Schedule the task

#!/bin/sh

#  mdmAutomaticEnrollment.sh
#  Created by Bennett Norton on 11/1/16.
#  This script will enroll a LANDESK Management Suite managed macOS device with an additional MDM profile for support with features like VPP

# NOTE: This script assumes the Mac to be enrolled with an MDM profile is currently under management within LANDESK Management Suite, with a valid agent, and that the Mac has already installed the LANDESK MDM Enrollment Application found at https://community.landesk.com/docs/DOC-42347


#Script Variables
#change the variables to match with a valid LANDESK Management Suite user, corresponding password and enrollment server URL.  The server URL format should be the fully qualified name of the Cloud Service Appliance / LANDESK Server name.

landeskUserAccount="landeskadmin"
landeskPassword="adminpassword"
enrollmentServerURL="fullyqualified.cloudserviceappliance.com/landeskServerName"


#Enroll the managed Mac device with MDM

/Applications/LANDESK\ MDM\ Enroller.app/Contents/MacOS/ldmdmenroll -u "$landeskUserAccount" -p "$landeskPassword" -m "$enrollmentServerURL"

Create and Deploy a VPP Software Package to a macOS or iOS Device

Creating and deploying a VPP software package to either a macOS or iOS device is a very simple process within LANDESK Management Suite 2016.3.  See the instructions below or watch the short video vignettes to be off and racing down the VPP software distribution track.

macOS VPP Package Creation and Deployment

  1. Open the LANDESK Management Suite Console
  2. Navigate to the top menu bar, select Tools > Distribution > Distribution Packages.
  3. In the lower left menu tree, highlight My Packages or Public Packages from within the Distribution Packages window
  4. On the Distribution menu bar, press the New Package button and select Macintosh > Macintosh MDM
  5. Give the package a name
  6. Press the arrow button surrounded by the blue circle next to your Token alias
  7. Highlight the desired VPP app and hit the Select button – note only macOS apps will display in this window
  8. Save the package
  9. Right click on the resultant package and select Create Scheduled Task(s)…
  10. Add one or more macOS devices that have been enrolled with MDM
  11. Start the task


iOS VPP Package Creation and Deployment

The iOS package creation is nearly identical, so I won’t include screenshots in these steps.

  1. Open the LANDESK Management Suite Console
  2. Navigate to the top menu bar, select Tools > Distribution > Distribution Packages.
  3. In the lower left menu tree, highlight My Packages or Public Packages from within the Distribution Packages window
  4. On the Distribution menu bar, press the New Package button and select Mobile > iOS
  5. Give the package a name
  6. Select the VPP radio button in the right hand pane, select the appropriate token alias if you have more than one VPP token and then click the arrow within the blue circle
  7. Press the arrow button surrounded by the blue circle next to your Token alias
  8. Highlight the desired VPP app and hit the Select button – note only iOS apps will display in this window
  9. Save the package
  10. Right click on the resultant package and select Create Scheduled Task(s)…
  11. Add one or more iOS devices that have been enrolled with MDM
  12. Start the task

How To Enroll into LANDESK Management Suite’s MDM for both iOS and macOS

As mentioned in my previous post, LANDESK announced their 2016.3 release for Management Suite and with it comes the ability to completely manage macOS and iOS via an MDM profile.  If you’re lucky enough to have all of your macOS and iOS devices participating in Apple’s DEP, getting the devices enrolled into the LANDESK Management Suite server will be pretty straightforward.  In a later blog post, I’ll cover how to configure DEP within LANDESK.

If you’re asking how you place your devices into Apple’s DEP, it may be too late.  As discussed in Apple’s DEP FAQ, in order for a device to be enrolled into the DEP program, it’ll need to be purchased directly from Apple or from an authorized DEP reseller, which means it’s likely that ship has already sailed for you.

Alas, all is not lost.  You can manually enroll any device into LANDESK, whether or not it’s participating in Apple’s DEP program.

Before you get started, make sure you have all of the architecture pieces in place as outlined here.  Also, if your Macs already have a LANDESK agent installed, at this time, do not place an additional MDM profile on it as well.

macOS Enrollment Steps

  1. Download the enrollment app here or get the latest and greatest version from the LANDESK Community and install it on the desired Macs.  In the future, we will place the enrollment app in the ldlogon/mac directory and possibly even have it available on the Mac App Store if Apple permits it.
  2. Enter a valid Active Directory user account and password.  If you’ve properly configured the DNS TXT entry, it should automatically discover the server URL.  If the enrollment app prompts for a server, enter “fully.qualified.cloudserviceappliancename/coreservername”
  3. Enter an administrative username and password on the local Mac

iOS Enrollment Steps

  1. Download the LANDESK enrollment app from the iTunes store
  2. Enter a valid Active Directory user account and password.  If you’ve properly configured the DNS TXT entry, it should automatically discover the server URL.  If the enrollment app prompts for a server, enter “fully.qualified.cloudserviceappliancename/coreservername”


Configure LANDESK Management Suite 2016.3 for iOS and macOS MDM Management

LANDESK announced their 2016.3 Management Suite release this week and with it comes a number of enhancements to mobility management, including a number of enhancements to the iOS/macOS platforms for MDM management.  Included in the 2016.3 release is the ability to integrate with Apple’s Device Enrollment Program (DEP) and Apple’s Volume Purchase Program (VPP); including supporting multiple VPP tokens.

Luckily, LANDESK has the documentation already available for this configuration.  For ease, I’m going to aggregate all of the needed information to get up and running with LANDESK MDM in one spot.

Architecture Requirement #1 – Cloud Service Appliance

The LANDESK Mobility Device Management does require a LANDESK Cloud Service Appliance.  This can be either a physical appliance you host in your DMZ or a virtual appliance.  If you do not have a CSA, contact your sales representative.  They’re inexpensive and give you the ability to manage devices off your network.

  1. Configure the LANDESK Cloud Service Appliance as discussed in the how-to articles on the LANDESK community page
  2. Ensure you’re on build 179 or greater. To do this, log in to your CSA by browsing to https://csa.fqdn/gsb and hit the System tab on the left-hand side.  Then select the Updates tab from the main page, hit Scan For Updates and apply the latest
  3. Purchase and apply a valid 3rd party SSL certificate for your CSA; see https://community.landesk.com/docs/DOC-32498

Architecture Requirement #2 – LANDESK Management Suite

  1. Install LANDESK Management Suite 2016.3 – https://community.landesk.com/docs/DOC-42261
  2. Import Apple’s APNS certificate to the Core Server – https://community.landesk.com/docs/DOC-39856

Optional Architecture Configurations

  1. Configure the Core server for DEP (optional) – https://community.landesk.com/docs/DOC-42090
  2. Configure the Core server for VPP (optional) – https://appleintheenterprise.com/2016/10/18/import-apples-vpp-token-into-landesk-management-suite/
  3. Configure a DNS TXT entry for easier enrollment (optional) – https://community.landesk.com/docs/DOC-39871

Import Apple’s VPP Token into LANDESK Management Suite

With the release of 2016.3, LANDESK Management Suite supports deploying Volume Purchased Applications (VPP) directly within the LANDESK Management Suite console.

To configure LANDESK Management Suite, you need to download your VPP token and import it into the Software Distribution tool.  The directions below will walk you through each step of this process.

Part 1 – Download Your Token from Apple

  1. Browse to https://vpp.itunes.apple.com/ and login to your appropriate store; either the Business or Education store
  2. Login with your appropriate Apple ID
  3. Press the drop-down button with your Apple ID at the top right corner and select Account Summary
  4. Once on the Account Summary page, click the Download Token link from the Managed Distribution section

Part 2 – Import your VPP Token into LANDESK Management Suite

  1. Launch the LANDESK Management Suite Console
  2. Go to Tools > Distribution > Distribution Packages and select the second-to-last icon from the menu bar, titled Volume Purchase Program Configuration
  3. Click on the Add VPP Token button at the bottom right
  4. Provide an appropriate alias token name.  Since you can import more than one token, make sure your alias helps you identify the difference between your tokens
  5. Click on the ellipsis to import your token you downloaded from Apple’s site
  6. Click the Add button

Part 3 – Review Your Purchases and See Available Licenses

You should automatically see all of your purchases and available licenses after clicking the Add button.  If at any point in the future you need to see where you stand, you can open the Volume Purchase Program Configuration utility in SWD or check your Software License Monitoring, as all VPP token information is imported into SLM.