Cisco Anyconnect Jamf

| 02-05-2021
[RAND-1-100] Comments



MacTech Groups Agenda
Tue, Feb 9, 2021
2:30 to 4:30 pm
meet.google.com/aie-ypji-pqd

  1. Cisco Anyconnect Jamf
  2. Cisco Anyconnect Jamf Login
  3. Cisco Anyconnect Jamf Software
  4. Jamf Cisco Anyconnect Profile

Hi support for iOS 14, Admins can also configure 1. If the user — Hi, I Cisco AnyConnect, Can Jamf Jamf Pro - Installing + VPN + ISE automatically load the network Hi Experts. I am trying + VPN + ISE. Is as follows: 1. Name into a VPN extensions without receiving Finally, Netflix and the BBC are snap kill.

Cisco Anyconnect Jamf

  1. The Cisco AnyConnect VPN allows you to connect to Mason networks allowing access to restricted services as if you were on campus. To connect to the VPN from your Mac computer, you need to install the Cisco AnyConnect VPN client. The following instructions are for computers NOT on Jamf Pro (Mason Self Service). If your computer is on Mason Self.
  2. AnyConnect Pre-Deployment Package (Windows 10 ARM64) - includes individual MSI files Login and Service Contract Required anyconnect-win-arm64-4.10.00093-predeploy-k9.zip 08-Apr-2021.
  3. For any general AnyConnect or Roaming Security module issues, refer to the Cisco AnyConnect Secure Mobility Client Administrator Guide. We will also ask you to run a DART report for diagnostic purposes.
  4. What: Cisco AnyConnect VPN client version update. When: Tuesday, November 10, 6:30 a.m. Information Technology Services (ITS) will enable the auto-update feature. The AnyConnect VPN client should update to version 4.9 during the next attempt to establish a VPN connection to sslvpn.uncg.edu or vendorvpn.uncg.edu. If a message to.
Jamf

Announcements – 5 min

OIT only supports macOS 10.14.6 or newer
Status page for jamfcloud.com services see http://status.jamfsoftware.com
OIT Macintosh Support Web Site go.ncsu.edu/mac for updates.
Slack group ncstateit.slack.com #macintosh
Apple Sales: Paul Petrogeorge-paulpetro@apple.com & Sys Eng: Dave Andersen-andersen1@apple.com
macOS versions that shipped with Intel Hardware: support.apple.com/kb/HT1159
Vintage and Obsolete Apple Products: support.apple.com/kb/HT1752
Apple Education Support Line 800-800-2775 use this number only. Always verify Applecare Coverage.
Antivirus for university owned devices – go.ncsu.edu/antivirus
Unity Macintosh MultiUser Workflow uses NoLoAD configuration with local home directory at /Users/$uid$
OIT supports only Apple, Intel (i386) hardware for Mac OS and software. Only unmodified iOS is supported.
Please remember to verify prices at www.apple.com/education/pricelists/ with NC State Marketplace
Authorized NC State personnel wanting to get training and tools for Apple Certified Technician should request invitation by opening a help desk ticket at help@ncsu.edu Must login to GSX monthly!!
JAMF Pro Enterprise service go.ncsu.edu/jamf, go.ncsu.edu/jamfinfo and go.ncsu.edu/uwc for details
JAMF Pro Cheat Sheet at go.ncsu.edu/jamfcheat for details on common configuration management tasks

Training – 5 min (any course available via Meet/Zoom upon request)

OIT-iOS Mobile Device Security – TBA reporter.ncsu.edu/link/courseview?courseID=OIT-iOSMob-Security&deptName=OIT

OIT-Managing Apple Devices with Jamf Pro – Feb 11, 2021 – 1:30 to 4:30 pm
reporter.ncsu.edu/link/instanceview?courseID=OIT-JPro01-JPro01&deptName=OIT&instanceID=000006

OIT-Jamf Pro Best Practices for Packagers – Mar 11, 2021 – 1:30-4:30 pm
reporter.ncsu.edu/link/instanceview?courseID=OIT-JPro03-JPro03&deptName=OIT&instanceID=000005

OIT-Advanced Apple Device Management with Jamf Pro – Apr 8, 2021 – 1:30 -4:30 pm
reporter.ncsu.edu/link/instanceview?courseID=OIT-JPro02-JPro02&deptName=OIT&instanceID=000005

CrashPlan for Sub-Org Administrators – Request – reporter.ncsu.edu/link/courseview?courseID=OIT-CPlan1-CPlan1&deptName=OIT

Local Based Commercial Training – training.computertree.com/course/

JAMF Pro Training – www.jamf.com/training/

Service Updates – 30 min

Configuration Management – Jamf Pro production is 10.26.0 Jamf Pro 10.27.0 in test on nccloudtest, and there is no current beta. Jamf Pro is the only approved Configuration Management system for macOS, iOS/iPadOS, and tvOS. See oit.ncsu.edu/it-security/eps-implementation/config-mgt-systems/

Patch Definition Management – No change. Kinobi has stated they are in progress of integrating with Jamf Pro.

Backup for Endpoints – The Code42 production service is at version 8.5.0 Existing clients are automatically updated from the cloud server. For New installs only the package in JAMF is “NCSU-Campus-Install Code42-850.pkg”. The “NCSU-Campus-Install Code42CrashPlan License and Config.pkg” is required in the policy as before for new installs.
The default Sub-Org “hopping” issue is fixed.

Internet Recovery – For Intel Macs: https://support.apple.com/en-us/HT204904.
For ASi Macs: https://mrmacintosh.com/restore-macos-firmware-on-an-apple-silicon-mac-boot-to-dfu-mode/
Apple Silicon devices running macOS are more like iPads now and have several recovery options including:
macOS Recovery
System Recovery – Will boot automatically if macOS Recovery is unavailable
macOS Big Sur USB Installer Drive – External boot for macOS Installers is enabled by default on ASi
Apple Configurator 2 REVIVE – reinstalls macOS Recovery retaining user data on the drive
Apple Configurator 2 RESTORE – reinstalls macOS Recovery, ERASES drive!! and reinstalls macOS

Software Packaging – No change. Still having to fix update failures manually. Most recipes have not been updated to pull installers for Universal versions yet.

AntiMalware – No change. DetectX Swift (intel) is still available and should be installed see oit.ncsu.edu/help-support/apple/jamf-pro/detectx-setup-in-jamf-pro/

Sensitive Data Discovery – OIT S&C is requesting we remove the product. See discussion below. Use the Jamf Pro package NCSU-Campus-Uninstall_Spirion.pkg to remove both Spirion and older Identity Finder.

Apple School Manager – No change. REMINDER: For device management ALWAYS use Edit Device Management and NOTHING ELSE!!

Cisco Anyconnect Jamf

AppleCare for Enterprise – Still on hold pending Apple being able to add to MarketPlace.

Endpoint Protection Standard – Phase 2 deadline- Was Dec 31, 2020.
See Jamf Pro Cheat Sheet at: go.ncsu.edu/jamfcheat

15-inch MacBook Pro Battery Recall Program – 5 min
I just want to remind everyone (thank Rick J) that Apple has a battery recall on some 15” MacBook Pro models due to fire hazard. A few of these have been found on campus. Seehttps://support.apple.com/15-inch-macbook-pro-battery-recall to check serial numbers and see the replacement process. Also check all of Apple’s current Service Programs at https://support.apple.com/exchange_repair
Discussion

Cisco Anyconnect Jamf

Animate and Flash – 5 min
Hopefully the removal of Flash plugins is nearly complete. In testing please note that Adobe Animate continues to use the Flash Player.app and installation of Animate after removal of flash may re-install the app. Discussion.

Impact of Future Jamf Pro changes – 10 min
With today’s release of Jamf Pro 10.27.0 some of the warnings about future changes in the release notes(https://docs.jamf.com/10.27.0/jamf-pro/release-notes/Deprecations_and_Removals.html) may affect planning by Site managers:
1) “Patch management software titles—The Jamf patch management software titles will be updated in a future release. Some existing software titles will be marked as deprecated and replaced with updated software titles. No action is required at this time. More information will be made available soon.” This is likely a result of Jamf buying kinobi.io (which we already have as a service). Be aware that this means you will have to recreate some patch titles and repopulate them with packages.
2) “Logout policy trigger—The “Logout” policy trigger will be removed in a future release. This feature is being removed because Apple has deprecated logout hook functionality.” This means policies that use the Logout event trigger will stop working and will need to be edited for another trigger.

Discussion.

Adobe Package distribution changes – 10 min
OIT Software Licensing has moved to a new distribution schedule and license for all Adobe products. New, full install packages for each individual product will be produced 4 times per year. The install package will be pre-licensed as shared device licensed products so no additional license installer will be required. These installers will not allow updates of the apps and new apps will not be installable in the Adobe Desktop app.
Discussion.

VPN “head end” version update – 10 min
ComTech will be updating the macOS version of Cisco Anyconnect VPN delivered automatically to all clients when they connect some time in late Feb or early March 2021. The current version available for update in Jamf Pro is 4.9.06037 and the package name is NCSU-Campus-Cisco_Secure_AnyConnect4.9.06037.pkg. Most clients are currently running some version of 4.8.x. We have tested the 4.9.06037 version with both intel and arm64 macOS devices both new installs and installs over 4.8.x version with no issues found.
Also be aware that the kinobi.io Patch Title Definition service has a Title for “Cisco AnyConnect Secure Mobility Client” that can be used for continuous patching. Discussion.

macOS 11.x installer issues – 10 min
Be aware that the Mr. Macintosh site is tracking an issue with the macOS 11.x installers not checking for free space reliably. This may cause serious issues on FileVaulted systems. See https://mrmacintosh.com/big-sur-upgrade-not-enough-hd-space-serious-issue-possible-data-loss/
Discussion.

Reminder about Change – 5 min
Just a reminder that changes to 3rd party apps are new affecting us on nearly a daily basis. Some of this is due to Apple changing processors, some due to “vendor lag” supporting macOS 11.x and a lot is due to security patching of late. I would encourage everyone to review their polices, and patch titles at least to be sure that they reflect the best and safest software experience for the end users of your Site.
Discussion.

Q&A – 15 min
You ask we try to answer

Next meeting:

MacTech – Tue. Mar 9, 2021 Virtual via Google Meet.
MacTech – 2nd Tuesday each month: Jan, Feb, Mar, Apr, May, Jun, Aug, Sep, Oct, Nov, Dec
MacTech does not meet in July.
Meetings usually held in B16-B Hillsborough Bld.
Please mark your calendar.

Overview

The Prisma GlobalProtect VPN client is available for deployment in Jamf Pro. There are two versions available to deploy: the default installer and a customized on-demand installer.

Log

The customized installer has a few enhancements that are useful for automated deployment:

  • It is preconfigured with the MIT portal URL.
  • The installer is silent and will not auto-launch on installation.
  • It will not attempt to auto-connect on each login. Users will instead need to launch it from /Applications to connect, similar to using the Cisco AnyConnect client.

Cisco Anyconnect Jamf Login

You can find the latest customized installer in Jamf Pro under the name 'GlobalProtect on-demand-<version-number>.pkg'.

The default installer is also available under the name 'GlobalProtect-<version-number>.pkg'. This is the same package you would get from the Software Grid.

Installing GlobalProtect with Jamf Pro

The End User Computing (EUC) team maintains a policy to install the latest supported version of GlobalProtect with a simple custom trigger. To use this in your site, follow these steps:

  • Create a new policy.
  • Set the scope and triggers as appropriate for your site.
  • Scroll down to the 'Files and Processes' payload and click Configure.
  • In the 'Execute Command' field, enter `sudo jamf policy -event euc-install-globalprotect`.
  • Optional: in the Maintenance payload, click Configure and check the Update Inventory box.

This will install silently and is preconfigured with MIT's portal URL.

Cisco

Self Service installation

The latest supported version of GlobalProtect is available in Self Service on all computers enrolled in Jamf Pro. This will install the customized package with the portal URL preconfigured.

See Also

Cisco Anyconnect Jamf Software

Have Questions or Still Need Help?

Jamf Cisco Anyconnect Profile

Contact the End User Computing team at euc-help@mit.edu