Force the Removal of a Specific macOS Configuration Profile

We’ve all done it.  We installed something without fully vetting it out and now we need to get it off – of all of our machines.  Whoops!

The other day, I received a question from a customer asking how he could remove a configuration profile from all of his machines at once – without having to log in to each machine.

Apple actually makes such a task quite easy as viewing, installing and removing a profile from a Mac is inherently built into the operating system itself.  Therefore, with a short script we can detect whether the profile is installed and then remove it if it is.

To manually check the status of a machine’s profiles, you can run, inside of Terminal, the following command.

View All Profiles

sudo /usr/bin/profiles -P

So doing should give you a report out of both the machine and user based profiles installed.

profiles -P.png

In the screenshot above, all 3 profiles are computer based profiles.  If I wanted to remove all of the profiles listed above, all I need to do is use the ‘profiles -D’ command and call the respective profileIdentifier.

Remove All Profiles

sudo /usr/bin/profiles -D

However, removing all profiles is probably a bit forceful, often a little precision can help us in the long run.  In our example above, we may choose to only remove one of the profiles instead of all of them.  To do this, we just need to specify that we’re removing a profile and what the profile identifier name is.

Remove a Single Profile

sudo /usr/bin/profiles -R -p com.landesk.profile

-R is the command to remove the profile and -p specifies we’re removing it by the identifier name.  There are actually quite a few other options available as well, so check out the man page for more info.  For example, you may need to add in the password to remove so the user doesn’t get prompted.  This switch is -z.

Automation

Now, let’s use LANDESK Management Suite to create a custom patch definition that will detect the machines that have a given profile and remove it if you choose to repair it. You can download the custom definition I built on my GitHub site here or build it yourself using the scripts below.

Custom Patch Detection Logic

Just change the variable profileIdentifier to match your desired profile identifier.

#!/bin/sh

# singleConfigurationProfileDetection.sh
# Created by Bennett Norton on 2/6/17.
# Detects the whether a specific profile exists on a machine

# Profile Identifier Name Variable
# Change this name to match the profile identifier you want to remove
# Find the name by typing sudo /usr/bin/profiles -P in Terminal

profileIdentifier="com.landesk.profile"

#  create an output variable with the the potential profile from the machine
#  grep filters all of the results to only show that which matches our desired configuration profile
#  awk allows us to pull just the data we're looking for from the command line

discoveredProfileIdentifier=( $( sudo /usr/bin/profiles -P | grep "$profileIdentifier" | awk '{print $4}') )


if [[ $profileIdentifier != $discoveredProfileIdentifier ]] ; then
 echo "Found: Configuration profile $profileIdentifier was not found on the machine."
 echo "Reason: $profileIdentifier not intalled."
 echo "Expected: $profileIdentifier to not exist."
 echo "Detected: 0"
 exit 0
else
 echo "Found: Configuration profile $discoveredProfileIdentifier was found on the machine."
 echo "Reason: $discoveredProfileIdentifier intalled."
 echo "Expected: $discoveredProfileIdentifier to not exist."
 echo "Detected: 1"
 exit 1
fi

Custom Definition Repair Script

Just as in the first script, you need to change the variable profileIdentifier to match your desired profile identifier.

#!/bin/sh

# singleConfigurationProfileDeletion.sh
# Created by Bennett Norton on 2/6/17.
# Deletes a specific profile on a machine

# Profile Identifier Name Variable
# Change this name to match the profile identifier you want to remove
# Find the name by typing sudo /usr/bin/profiles -P in Terminal

profileIdentifier="com.landesk.profile"

# Delete
sudo /usr/bin/profiles -R -p "$profileIdentifier"


 

Silently Install Cylance Protect with LANDESK Management Suite

Overview

Cylance Protect is a next generation anti-virus product and seems to be taking the OS X world by storm.  The product marketing aspect verbiage states Cylance “blocks threats in real time BEFORE they ever cause harm.”

As a result of Cylance’s success, I’ve recently received a number of requests from customers asking how they can silently install the product with their specific, company-unique token.

Luckily, accomplishing  a silent install of Cylance Protect is a fairly simple process.  I’ve written a basic script that will accomplish the task for you.  One particular customer sent a reply back to me after using this script, stating the “Cylance deployments went great!!!”  Hopefully your deployments can go as smooth as theirs.

Furthermore, because this script leverages the LANDESK SDClient tool for the download,  you will still benefit from bandwidth controls and  you’ll be able to leverage the peer sharing if your store your package file into the sdcache folder.

For simplicity, I’ve chosen to write my package to the same folder as where I’ll write my token file.  Because the token file can be read with any text editor, I’ve chosen to store my data in a private folder; which means I will only benefit from LANDESK’s bandwidth controls, but I figured it was a good tradeoff for me.  I just didn’t want to put the license key into a folder that people might be accustom to look at.

Cylance Protect Script

Break out your favorite Text Editor (TextWrangler or XCode is what I use) and let’s get started.  I’ll break the script down into sections for easy understanding.  The first part of the script contains your obligatory declaration indicating it’s a shell script as well as some comments as to what I named the script, when I created the script and what it does. Besides the very first line, everything is optional.

#!/bin/sh
#  CylanceSilentInstall.sh
#  Created by Bennett Norton on 8/30/16.
#  This script will copy a file from the source destination and place it on the Mac into the destination folder

The next part is where you’ll set the variables used throughout the script.  You’ll need to supply the custom Cylance token, the package name, the location of where the package will be stored on your HTTP share and the location to where you’ll want to store the package and Cylance token on the client.

It’s likely that you’ll be able to leave the cylancePackageName and cylancePackageAndTokenDestination variables as is, only modifying the cylanceToken and cylancePackageLocation variables.  Just repalce the text betweent the quotes.

#Script Variables
#change these variables to match your token and desired destination paths

cylanceToken="cylanceCustomToken"
cylancePackageName="CylancePROTECT.zip"
cylancePackageLocation="http://ldserver.ldlab.org/SoftwareDist/MacPackages/Cylance/"
cylancePackageAndTokenDestination="/private/tmp/Cylance"

The next section of the script detects if the folder for where we will store the package file on the client exists and if it does not, creates it.  You may want to enhance this part of the script on your own to delete any files inside if it does exist, I have not added that in, but it may be a good idea.

#Check to see if destination exists and if not, create it

if [ ! -d "$cylancePackageAndTokenDestination" ]; then
echo "Location doesn't exist.  Creating directory"
mkdir $cylancePackageAndTokenDestination
echo "$cylancePackageAndTokenDestination created"
fi

You shouldn’t need to adjust anything within the next phase of this script.  This step is simply creating an output file of the token to be used during the install.

#Output token to file
#You shouldn't need to make any changes here

echo "$cylanceToken" > "$cylancePackageAndTokenDestination/cyagent_install_token"

The next step within our script is to download the installer package.  This piece is specifically tailored to LANDESK Management Suite and uses SDClient as the downloader.  If you don’t have LANDESK Management Suite, alter this part of the script to use CURL.

#Download package installer

/Library/Application\ Support/LANDesk/bin/sdclient -noinstall -package "$cylancePackageLocation/""$cylancePackageName" -destdir "$cylancePackageAndTokenDestination"

We now need to unzip the package file and install the package using OS X commands, which means this code is generic, not specific to LANDESK Management Suite.

#unzip package installer

unzip "$cylancePackageAndTokenDestination/""$cylancePackageName" -d "$cylancePackageAndTokenDestination"

#Install Cylance

sudo installer -pkg /private/tmp/Cylance/CylancePROTECT.pkg -target /

Finally, let’s clean up after ourselves.  The final command in our script will delete the entire /tmp folder.  

#Delete Cylance folder

rm -rf "$cylancePackageAndTokenDestination"

As I mentioned with the folder detection, you may want to do some detection logic to see if the application exists in the Application folder prior to deleting the folder, that’s up to you.

And that’s it, you now have a fully functioning script you can use to silently deploy Cylance Protect in your environment.  For ease in the copy and paste process, here is the entire script.

#!/bin/sh
#  CylanceSilentInstall.sh
#  Created by Bennett Norton on 8/30/16.
#  This script will copy a file from the source destination and place it on the Mac into the destination folder


#Script Variables
#change these variables to match your token and desired destination paths

cylanceToken="cylanceCustomToken"
cylancePackageName="CylancePROTECT.zip"
cylancePackageLocation="http://ldserver.ldlab.org/SoftwareDist/MacPackages/Cylance/"
cylancePackageAndTokenDestination="/private/tmp/Cylance"

#Check to see if destination exists and if not, create it

if [ ! -d "$cylancePackageAndTokenDestination" ]; then
echo "Location doesn't exist.  Creating directory"
mkdir $cylancePackageAndTokenDestination
echo "$cylancePackageAndTokenDestination created"
fi

#Output token to file
#You shouldn't need to make any changes here

echo "$cylanceToken" > "$cylancePackageAndTokenDestination/cyagent_install_token"

#Download package installer

/Library/Application\ Support/LANDesk/bin/sdclient -noinstall -package "$cylancePackageLocation/""$cylancePackageName" -destdir "$cylancePackageAndTokenDestination"

#unzip package installer

unzip "$cylancePackageAndTokenDestination/""$cylancePackageName" -d "$cylancePackageAndTokenDestination"

#Install Cylance

sudo installer -pkg /private/tmp/Cylance/CylancePROTECT.pkg -target /

#Delete Cylance folder

rm -rf "$cylancePackageAndTokenDestination"

At this point, you need to save your file to an OS X machine, if you’re not already on a Mac. Make sure your file extension is .sh as well, I saved mine as CylanceSilentInstall.sh.

After your shell script is saved, you then need to open up Terminal and give the script execute permissions.  Don’t skip this step or your script will not execute when using LANDESK.  Once Terminal is open, run the following command:

chmod +x /path/to/your/script/name.sh

You should now be able to test your script manually.  Find a test machine or VM, if the Mac you’re using is not viable, open Terminal on it and run the following command:

sudo /path/to/your/script/name.sh

Assuming all goes well and Cylance Protect installs, you’re ready to zip up your script and copy it to your HTTP package share.  Now you just need to build a LANDESK Mac package and deploy the package to your target machines.

Create a LANDESK Mac Software Package

  1. Open the LANDESK Console
  2. Navigate to the top menu bar, select Tools > Distribution > Distribution Packages.
  3. In the lower left menu tree, highlight My Packages or Public Packages from within the Distribution Packages window
  4. On the Distribution menu bar, press the New Package button and select New Macintosh Package.
  5. Give the package a name
  6. Provide a description as well as any metadata information desired
  7. Set the primary file to the zip file you previously transferred to your software distribution folder
  8. Fill out the Metadata details if desired, specifically supplying a logo so it shows up properly in the portal
  9. Save the package

Create a Scheduled Mac Software Distribution Task

  1. Right click on the Mac software distribution package created and select Create Scheduled Task
  2. From the network view, select and drag the desired machine(s), user(s) or query(ies) and drop them onto the task
  3. Now, right click on the task and select properties
  4. Set the desired Task type under Task Settings as to whether you want a push, a policy or a hybrid of the two types in a policy-supported push
  5. Set the radio button in the Portal Settings to either Recommended or Optional if you desire to put the package into Workspaces.  If you’d like to automatically deploy the app, select Run automatically
  6. Change the Reboot Settings or Distribution and Patch settings if desired
  7. Set the schedule task settings with the appropriate start time

 

 

 

LANDESK Mac Management Part 9: Creating an OS X Provisioning Template

In part 9 of the LANDESK Mac Management video series, we more or less get to bring together everything we’ve done up to this point, agent deployment, software deployment, configuration profile deployment which can include binding the machine to the domain , patch deployment and even FileVault deployment; all in a chained template experience when we provision a new device.

I created slides for our Interchange event explaining each step of the provisioning template build process, available here, but for many of you, the video below may be more beneficial.

LANDESK Mac Management Part 6: Create and Deploy an OS X Upgrade Package

In part 6 of the LANDESK Mac Management video series, I discuss how to use a freeware utility called CreateOSXInstallPkg, available at https://github.com/munki/createOSXinstallPkg, to build an upgrade package that can be easily deployed with LANDESK Management Suite 2016.  While this can be done as a required package, this video will walk through the process using Workspaces; focussing in on the end user experience via a self-guided upgrade.

LANDESK Mac Management Part 5: FileVault Hard Drive Encryption and Key Management

In part 5 of this LANDESK Mac Management series, we’ll use Apple’s FileVault and a LANDESK Security Suite license to enable encryption on the hard drive as well as to collect the individual recovery key from the machine; storing that key in a unique database table on the core server independent from the computer record.

Note: This feature is only enabled with a LANDESK Security Suite license.

LANDESK Mac Management Part 4: Patching OS X and 3rd Party Applications

In part 4 of this LANDESK Mac Management series, we’ll demonstrate how you can patch the Mac OS, walking through the reboot process as well as patching 3rd party application titles on the machine; which typically don’t require a reboot to take place.

LANDESK Mac Management Part 2: Creating and Deploying Configuration Profiles

Today’s video demonstration illustrates how you can build a configuration profile, leveraging Apple’s Profile Manager.

Apple’s Profile Manager allows you, as an administrator, to control the behavior of an OS X machine.  You can push certificates, supply email and Wi-Fi settings, bind the machine to a domain, secure the data on the device by restricting settings such as iCloud backups and more, much more.  For additional details about what Profile Manager can do, see  Apple’s documentation here.

Once you have your desired settings configured in profile manager, the video will show you how to import the output file into LANDESK Management Suite and deploy it out via a Change Agent Settings task.

UEMB260 – Define and Maintain a Desired State Configuration on your Macs Using Custom Scripts and LANDESK Patch

Slides: https://appleintheenterprise.files.wordpress.com/2016/05/desired-state-management-os-x-interchange-16.pptx

GitHub: https://github.com/northice/LDMS-Scripts

 

 

Efficiently Transfer Files to an OS X Device with SDClient

Have you ever needed to copy a file from a share to a more than one Mac in your environment?  My guess is the answer to that is yes, I know it was for the potential customer I spoke with on the phone today.  Whether you’re trying to apply a configuration file for a package, settings for a proxy server, VPN configuration files or any of the myriad of other reasons, what you’re transferring isn’t the important question, it’s how do you do it.

Luckily sdclient, the tool that is the brains behind all things software distribution for the Mac, has a bunch of goodness via command line switches that can be used to download files and place them into specific locations; all the while still taking advantage of the download technologies built into the agent.

To leverage sdclient, we’ll write a shell script that will tell sdclient what file to download and where to place it.  The entire script is very short.  There will be two variables, one for the source file location and the second for the destination location.

The only thing you need to really pay attention to in regards to the source location is to ensure the file is accessible via http.  You can setup a variable or just supply the location.  I like to create a variable so that the code can be better documented and easier to read for others.  Here is my source variable.

fileToCopy="http://ldserver.ldlab.org/SoftwareDist/MacPackages/ExampleFile.txt"

We’ll repeat the process for the destination location.

destinationLocation="/Path/To/Your/Destination/Folder"

In addition to the destination variable, the script will include a quick check to ensure the destination folder exists on the end node and if not, create it.

if [ ! -d "$destinationLocation" ]; then
echo "Location doesn't exist.  Creating directory"
mkdir $destinationLocation
echo "$destinationLocation created"
fi

The actual download and placement of the file will be done by sdclient with three switches: -noinstall, -package and –destdir.  The switch names are pretty self-explanatory, the –noinstall tells sdclient to not execute the file that will be downloaded.  The –package switch is where you insert the path to the source file available, again available on the http share.  Lastly, the –destdir switch tells sdclient where to place the file on the Mac client.

All done, your command sdclient command should look something like:

/Library/Application\ Support/LANDesk/bin/sdclient -noinstall -package "$fileToCopy" -destdir "$destinationLocation"

Here is the entire example script.

#!/bin/sh
#  FileTransfer.sh
#  Created by Bennett Norton on 5/16/16.
#  This script will copy a file from the source destination and place it on the Mac into the destination folder
#  Change the path variables

#File to copy
#change this to match your hosted path, it needs to be http
fileToCopy="http://ldserver.ldlab.org/SoftwareDist/MacPackages/ExampleFile.txt"

#Location to copy file to
#change this to match your destination path
destinationLocation="/Path/To/Your/Destination/Folder "

#Check to see if destination exists and if not, create it
if [ ! -d "$destinationLocation" ]; then
echo "Location doesn't exist.  Creating directory"
mkdir $destinationLocation
echo "$destinationLocation created"
fi

#Download and execute command
#You shouldn't need to make any changes here
#-noinstall ensure the package does not get executed
#-package is the source url path
#-destdir is the destination url path
/Library/Application\ Support/LANDesk/bin/sdclient -noinstall -package "$fileToCopy" -destdir "$destinationLocation"

As discussed in previous posts, save this file as a .sh file and set the execute permission on it by running the command below.

sudo chmod +x /path/to/script.sh

Once you’ve set the execute permissions, copy the script to your package repository and create a LANDESK Software Distribution package to deploy.

Creating LANDESK Management Suite Mac Packages

  1. Open the LANDESK Console
  2. Navigate to the top menu bar, select Tools > Distribution > Distribution Packages.
  3. In the lower left menu tree, highlight My Packages or Public Packages from within the Distribution Packages window
  4. On the Distribution menu bar, press the New Package button and select New Macintosh Package.
  5. Give the package a name
  6. Provide a description as well as any metadata information desired
  7. Set the primary file to the script file you previously transferred to your package share
  8. Fill out the Metadata details if desired, specifically supplying a logo so it shows up properly in the portal
  9. Save the package

Creating a Scheduled Mac Software Distribution Task

  1. Right click on the Mac software distribution package created and select Create Scheduled Task
  2. From the network view, select and drag the desired machine(s), user(s) or query(ies) and drop them onto the task
  3. Now, right click on the task and select properties
  4. Set the desired Task type under Task Settings as to whether you want a push, a policy or a hybrid of the two types in a policy-supported push
  5. Set the radio button in the Portal Settings to either Recommended or Optional if you desire to put the package into Workspaces.  If you’d like to automatically deploy the app, select Run automatically
  6. Change the Reboot Settings or Distribution and Patch settings if desired
  7. Set the schedule task settings with the appropriate start time