Mac Sys Admin 2013 – Day Four

Notes from day 4 (the last day) of the European Macintosh System Administrator conference in Gothenburg Sweden. Additional talks were presented that we were not allowed to comment on publicly, and this was a short day compared to days 1 through 3 … and yes, I posted this nearly two months AFTER the conference. (Did I not listen to Charles Edge when he suggested timeliness is important?)

"Planning for iOS 7 and OS X Mavericks" by Arek Dreyer of Dreyer Network Consultants

EVERYONE DO THIS

  1. Backup iOS device.
  2. Activation Lock – Enable Find my iPhone (iCloud account and iOS 7 required)

NOTICE:

  • Configurator 1.3.1 requires a wipe to put a device into Supervision mode. If Find My iPhone is on, the device cannot be activated without the appropriate Apple ID.
  • What if an Organization owned device is reclaimed from an employee or student and Find My iPhone is enabled? Then the employee’s or student’s Apple ID is REQUIRED to activate the phone.

A Few New MDM Options:

  • AppleTV supported.
  • Enterprise Single Sign On.
  • Automatic (Silent) installs (Supervised devices only).
  • Caching Server 2, adds iOS.
  • Open in management. Restrict “Open in…” to and from managed applications
  • Per app VPN. Manage per app VPN for any mobile application on iOS devices.

OS X MAVERICKS CORE TECHNOLOGIES OVERVIEW

Very brief. Could not go into too much detail due to Apple NDA and because Mavericks was not yet available at the time of the talk.

  • Compressed Memory.
  • Power Efficiency.
  • App Nap.
  • Timer Coalescing.
  • Gatekeeper and Sandboxing (Opinion that it’s now OK to run as Admin user. Debated.)
  • Ability to enable what type of apps your users can run.
  • AirPlay and Multiple Monitors (even use an Apple TV).
  • SMB 2 (Apple says it will work much better than the previous versions :)

"Demystifying Technical Writing" by Charles Edge of 318 and krypted.com

Things we write… Books and eBooks, Magazines, Websites and Blogs, Work Documentation (2 pages per day), Code, Presentations.

The Charles Edge Patented Process for Producing Pages of Composed Particulars

  • Agile Documentation. Sprint style. Learn a lot, then write fast.
  • De-clutter. Free your mind. The rest will follow. Reset and switch from the multi-tasking of the day to the focus of writing. No interruptions.
  • Pick your actors.
  • Who? Define who you’re talking to. (Write for Home Users, way more of them than us!)
  • What? Define what you want to say. Say it in one sentence or less. Focus. If it’s multiple sentences then it probably needs multiple books (writings).
  • Where? (where will it be published?)
  • Get Started … brainstorming session. What do I want to say? The result is a list of topics. Tag Cloud. Rough list (not too organized).
  • Get Organized (Outline). Things need to flow. Use notecards for visuals.
  • Expand on the outline. (More Depth). Move your organized outline into the software you’re going to use to build your book.
  • Write the introduction. It’s a contract. Tell the reader what you’re going to tell them. It all starts with a paragraph (the mission statement).
  • Restate who the book is for (picture them as you write). Tell the reader who they are.
  • State how it’s laid out (Chapters)
  • Add Section Intros (contract fulfillment) every section should have a purpose … or delete it.
  • Convert the outline to pseudo-text. (Did you fulfill your contractual obligation?) Keep the flow.
  • Add segues between sections (ease a reader into moving to the next chapter/heading). Should sections be rearranged?
  • Figure out what you don’t know (Gap Analysis)
  • Figure out what you need (Lab time). Hardware, software, gear.
  • Learn Stuff. Learn the process(es) end-to-end before writing.
  • Fill in Some Blanks. Continue to work on the flow.
  • Pet Peeve of editors. Never have a Header then another header without saying something in between.
  • Write the conclusion. Still structure only. Not writing the text yet. Recap contract and add parting thoughts.
  • The Junk Drawer. Do you need to take things out to clean things up?
  • Finish the text. The easy part. (No walk through yet). The writing will flow from you after establishing the flow.
  • Add walkthroughs (visual how to)
  • Review the Intro and the conclusion. Make edits if necessary. Does it still make sense?
  • Editing. Ask others.
  • Measure Twice. Cut once. Be deliberate and structured for a faster flow in your own writing.

Additional Comments from Mr Edge…

  1. Blogging … I will frequently draft 10 titles at one sitting. Then later go back and write the 10 articles.
  2. “Punching in the face and stabbing” were recommended methods when dealing with publishers.
  3. O’Reilly Rough Cuts, pre-release books released in-process online.
  4. Moving to XML is very beneficial.
  5. Discussion of iBooks Author vs. DocBook (used by O’Reilly).
  6. Timeliness (rate of change) is important in technical writing.

November 14, 2013

Mac Sys Admin 2013 – Day Three

Notes from day three of the European Macintosh System Administrator conference in Gothenburg, Sweden. (Additional talks were presented that we are not allowed to comment on publicly.)

"Your Little Linux Litterbox" by Gary Larizza of Puppet Labs

  • Gary’s favorite singer and video.
  • Create development environments quickly with Vagrant
  • Day One, Jenkins and Macminicolo: Using a Mac server to coordinate a team of developers and avoid the sombrero – http://macminicolo.net/dayone

"Deployment Workflows" by Duncan McCracken of Mondada

Software Release Cycles are growing out of control! You need a strategy … that’s valid for you.

Imaging Techniques

  • Monolithic imaging is DEAD!
  • Modular imaging, better
  • Thin Imaging is much better (create a baseline image — what is on a factory system — to use as needed.)
  • No Imaging when you can is ideal. It’s counterproductive and a waste of time to take Apple’s factory image off and put your own back on again with a new machine.

Items to Manage:

  • OS
  • Settings (profiles)
  • User accounts
  • Directory binding
  • Applications
  • Updates

MISC NOTES

  • Every time you touch something it costs time and money (and is at risk of human error). Use a management agent to save money!
  • Package Creation Service – http://www.mondada.com.au/
  • You can stop an Internet-booted volume from restarting and put it into TDM. Grab the downloaded image. Warning: it will ONLY work on that hardware.
  • Keep it modular.
  • Distinguish between installations and updates.
  • Keep in logical building blocks. Adopt these methods to reduce duplication and doing things more than once.
  • Serial number on the motherboard MUST be correct to work with the new caching server! (ask Arek Dreyer). This is why virtualized OS X Server will probably not work for Caching Server 2.

"Becoming Crucial" by Jody Rodgers of JAMF Software (formerly Adobe)

Jody high-fived everybody in the audience and this didn’t really leave time for much else.

  • Google: Stefan Sagmeister TED talk on happiness
  • Be a user-centric IT admin (vs tech or infrastructure centric) Optimize for the end-user.
  • Ask how can we help our users (clients) be more productive?
  • How to tune Photoshop CS6 for peak performance (not CC ready yet), http://blogs.adobe.com/crawlspace/2012/10/how-to-tune-photoshop-cs6-for-peak-performance.html

"Automation Enterprise Wireless Deployments" by Zack Smith of Puppet Labs

Three A’s
1. Authentication
2. Authorization
3. Auditing

"Modern Trends in Apple Management" by Kevin White of Macjutsu

What and why to manage. Stop trying to fight against Apple. (You don’t buy a Porsche 911 to go caravanning.) Be mindful of Apple’s primary goal … to provide the best possible customer experience. “Create moments of surprise and delight.” The USER is Apple’s customer! So get out of the way.

  • The importance of focus. Learn to say no.
  • OS X Installer. Millions of customers use it, why can’t you?
  • The OS X Installer CAN be part of your managed deployment.
  • HT559 apple support article. Use caution with “Install ESD” – http://forums.macrumors.com/showthread.php?t=1614422
  • Why is re-imaging still considered the deployment standard? Every Mac already has a perfectly fine copy of OS X installed.
  • NetBoot is now NetInstall (serious change) Not NetRestore. The word Apple chose was netINSTALL.
  • When does imaging make sense? When it’s the best solution. Image the core OS only (when you need to).
  • OS X and iOS Setup Assistant. This is THE out of the box experience Apple expects. Use it. Reset this to work in your workflow with OS X. Setup Assistant can be part of your managed workflow.
  • Admin Account or Standard User. There is no admin account on iOS. (Admin vs Standard was debated.)
  • Note the Setup Assistant order. What comes first? Apple ID. Default is iCloud on, with several features turned on BEFORE setting up a local COMPUTER account. The account is not you … it gets you in. The authoritative source is not your password, it’s your Apple ID.
  • Directory binding. (You can bind BEFORE Setup Assistant). Is binding the BEST solution? Maintaining the bind is not important. It’s getting the credentials. New Mavericks SSO can be done without binding! GE has 5,000 Macs and no binding.
  • Home folder syncing … do NOT do it.
  • Apple IDs are mostly not designed for institutional use. apple.com/legal (iCloud too). Institutional Apple IDs created for users are not a solution. See apple.com/ios/education (for children under age 13) … when the child turns 13 it becomes the child’s ID.

When is sharing Apple IDs appropriate?

  • GSX Program Facilitator
  • Enterprise Developer Facilitators
  • VPP Program Admin and Facilitators
  • APNS Certificate Creation

MORE NOTES

  • Find my Apple Device … intended for personal use only. (Apple’s Ts&Cs). Solution: HR Policy.
  • Let go of your hate of the App Store (Ts&Cs says … individual, personal, non-commercial use that you own or control). Apple recommends the Layered Ownership model (iOS, EDU). Personal and Org owned apps living together.
  • VPP2 assign while keeping control over licenses. Employees can enroll with their personal Apple IDs without providing them to their company. iOS, Mac apps and Books.
  • App Store updates. Apple really, really means automatic. On a Mac check the defaults for Software Updates. Auto updates might not need admin authentication in future versions of OS X?
  • Caching Server 2 … don’t discount it just because you can’t control it.

MDM … “Modern Deployment and Management”? Forget MCX.

  1. Get enrolled.
  2. The device is managed.
  3. There is no step three.
  • User enrollment CAN be part of your managed deployment.
  • Supervision (required for all the cool new MDM options.) Casper Focus used in Apple Stores to keep the iPads “locked”. Supervision wipes/erases a device. You can do this BEFORE Setup Assistant. Supervision proves that you should be allowed to control it. You must physically plug it in and wipe the device, thus proving that you have the right to control the device. You don’t want your spouse’s iPhone accidentally supervised!
  • Streamlined MDM Enrollment … during activation … coming soon from Apple. This *might* only work for new devices purchased by you.
  • New Find my iPhone in iOS 7 allows for device reset and activation lock! (Supervision by Apple, proof of ownership!) Future version, over the air prove that we own a device?

"The Girl With The Guy With The Dragon Tattoo" by Adrina Kelly of Bell Media

Stolen Mac turned up online, in the management console, with a new name, a few months after being stolen. Process for locating it and getting it back…

What to do differently? Bell Media debated and decided that Security (and the info on the machine) is more important (more costly) than getting the notebook back. So … Use FileVault to protect the data. Without FileVault the Mac could have been remote wiped … but only if it came online.

Firmware passwords were used in the past, but not now because it’s possible to work around them. UPDATE … you can NOT circumvent the Open Firmware password. But you can take the disk out, and without FileVault the data on it is unencrypted. FileVault 2 is safe for data at rest (but not for active data … logging in unlocks the encrypted disk).

September 20, 2013

Mac Sys Admin 2013 – Day Two

Notes from day two of the European Macintosh System Administrator conference in Gothenburg, Sweden. (Additional talks were presented that we are not allowed to comment on publicly.)

"Carrot or stick?" by Marko Jung of University of Oxford

SUMMARY: You need a carrot AND a stick :)

The University of Oxford has a very large install base with a lot of data … 88.3TB of daily backup totaling 1.6 PB of storage … and over 660 registered IT staff who support students and staff. IT operates as an internal profit center.

Do you Grant Users Admin rights? Oxford does NOT. Either way, explain why you do this and SELL it! Sell it to staff why Standard Accounts are best, or sell to IT Security why Admin accounts are OK.

No Admin rights for end users improves the user experience and makes management easier. They take a “light touch” approach. They take away the App Store and replace it with JAMF Self Service (available with Robot Cloud). They did this primarily because of Apple’s usage rules. Educate users. Explain the rules and license terms. Use a KB to explain the details. Oxford doesn’t forbid stuff. These are the rules and here’s why we do it this way. When users ask “Why can’t I use this file? Why can’t I use tool foo, it is way better than bar?” IT says, “Have you tried this product that is allowed?” Plus, there is always ~/Applications for the majority of apps.

- IT deploys in /Applications. Users in ~/Applications.
- In house App store using JAMF Self Service (same as Robot Cloud).

Self Service Groupings include
- Getting Started
- Help (reinstall authorized printers, mount authorized server shares, and many more)
- Knowledge Base
- Latest Software Updates

Dealing with Updates

  • Define your update cycle.
  • Facilitate auto-update features.
  • Suppress update notifications.
  • Remind your suppliers about its importance. (File a bug report if you have an app whose update cycle you can’t control. It’s unacceptable to not have this feature today!)
  • Ensure this becomes part of every procurement decision.

Oxford partitions their Macs into Two Volumes

  1. Macintosh HD: Oxford IT owns this and only they can control this volume. There is no backup of this partition.
  2. /Users: lives on the second volume. Only this volume is backed up, using Tivoli.

If something is wrong first try to fix it. If it can’t be fixed, then report it.

OS X Related Scripts developed at Oxford (using Casper)
https://github.com/ox-it/mac-scripts (send us any modifications)

Users don’t have to worry about updates. This is a major productivity gain. Auto app updates are turned off. Oxford IT works very hard to get rid of these productivity annoyances (so does Robot Cloud), and explain to end users why they do things.

How to explain things to IT

We offer Whole lifecycle management

  • Procurement.
  • Deployment.
  • Configuration and patching and backup.
  • Decommission (not just recycle. Also secure data wipes. Automated process to help wipe).

Commissioning

  1. Registration (enrollment into JSS).
  2. NetBoot (end-user, or IT, unpacks and plugs into network). Partition, script and minimal base image with branding.
  3. First Local Boot (nice screen that says we’re still installing and updating)
  4. Reboot for daily use. Ready for login.

Weekly Maintenance is an agreed time slot. Predictable. Others can schedule around this window. Users know this too. They might be asked to restart the browser or the Mac. No random interruptions. Make it predictable.

Use Release Channels (Week 1, Week 2, etc.)

  • Unstable – Firefox 24.1 (wk 1) IT only test.
  • Testing – Firefox 24.1(wk 2) Early adopters test. Sell the Testing as early access. They must report issues.
  • Stable – Firefox 24.1 (wk 3) replaces Firefox 24.0

User can opt out of maintenance and updates for up to 4 weeks (while running special projects, so as not to touch/change the Mac during this project).

Everything we believe should be on a machine is installed from the beginning, then it’s patched and maintained.

Java … JRE 7 is default, but user can change to JRE 6 using KB (from Self Service).
Script to disable the Java browser plugin. Run after every installation of Java. During inventory, check the version and status of the Java browser plugin. See photo. Java Web Plugin Master Switch in Self Service to Enable Java Web Plug-in (that gets turned off again each night).

IT Staff summary

  • Out of box experience
  • Controlled update process
  • Know what to expect
  • Scheduled
  • Self Service

Oxford does not allow BYOD. However they do provide configuration profiles to users from a secure location. They work around no BYOD with excellent documentation and a lot of short cuts.

"Building an Enterprise Mac Client" by Daniel Svensson of IKEA

80,000 clients across 500 sites in 30 countries. 600 Macs in stores for communication signage and documents. IKEA Communication for catalog.

IKEA Common Client Mac (ICCM) 10.6-10.8
- IKEA Base Pack
- Filewave client
- Applications. They publish a release schedule on a web site.

Change Request Process:

  1. Incoming request
  2. Analyze (what impact)
  3. Decision Meeting.
  4. Develop
  5. New release
  6. Deploy

Global Netboot
A cascading workflow from central to local location. Netboot is always local, restore is always from closest available server. Built on an existing platform using Linux servers and OS X Netboot.

Automated Configuration
- web start page = inside.ikea.com
- web proxy server = x.x.x
- citrix server = x.x.x
- keyboard = Australian
- language = English
- locale = xxx

Make it simple for the end-user. IKEA IT developed a way to present only the appropriate file shares — only the shares each person has access to — from a total of 3,500 shares! Non-IT managers can make access (privileges) changes to server shares without IT involvement. It’s all managed by the users. Delegate to those who know who should have access to this share. Tied to AD. Mac or Windows can use File Manager.

"Managing Updates – The Next Level" by Greg Neagle of Walt Disney Animation Studios

Installing software is only step one, because there are a LOT of updates! Therefore everyone needs an update strategy to reduce repetitive tasks:

  • Finding
  • Downloading
  • Transforming
  • Importing

aamporter, by Tim Sutton on GitHub, https://github.com/timsutton/aamporter
- Adobe Application Manager Importer
- Works with CS 5.0 and newer, including Creative Cloud
- Tight integration with munki (auto importing of the Adobe update files)

autopkg by Per Olofsson, https://github.com/autopkg/autopkg and https://github.com/autopkg/autopkg/wiki (can we build this to auto import into our JSS? Greg says it’s possible.)
- Runs recipes
- https://github.com/keeleysam/recipes
- https://github.com/Jaharmi/autopkg_recipes
- https://github.com/hjuutilainen/autopkg-recipes

Jenkins by Kohsuke Kawaguchi, http://jenkins-ci.org/
- Like cron, with a web GUI
- Auto download lots of different updates.
- Schedule a job to run every day at 8am. One to start all other jobs and one to finish (rebuild) the repository for the next day’s jobs.
- Set up for email alerts or Twitter feed.
- Demo: Run “Managed Software Update” on a Mac (part of Munki).

See … http://managingosx.wordpress.com/

Next Disney animated movie is “Frozen” (featuring a girl named Elsa)

"FileVault 2" by Rich Trouton of Howard Hughes Medical Institute

IMPORTANT: Protect and securely store your FileVault recovery key … and recovery questions, if you store with Apple (which is recommended).

Demonstration of how to use an institutional recovery key, FileVaultMaster.keychain

Integrates with JAMF:
- http://www.jamfsoftware.com/latest/video-managing-filevault-2-os-x-mountain-lion-casper-suite
- https://jamfnation.jamfsoftware.com/discussion.html?id=7219

FileVault Setup.app OS X Login hook

https://github.com/dayglojesus/filevaultsetup

Rich’s presentation:
- Keynote: tinyurl.com/MacSysAd2013PDF
- PDF: tinyurl.com/MacSysAd2013key

September 19, 2013

Mac Sys Admin 2013 – Day One

Brief, biased, and unedited, “armchair quarterback” view of Mac Sys Admin 2013.

SWEDEN — The European Macintosh System Administrators meeting 2013 opened with a welcome from the leader and organizer, Tycho Sjogren. Mr Sjogren also promoted several other Mac/iOS related conferences, including, MacTech (Los Angeles, CA), Mac IT (San Francisco, CA), JAMF NUC (Minneapolis, MN) and Penn State Mac Admins (State College, PA). By the end of 2013, Forget Computers will have attended all but Penn State Mac Admins (something for our to-do list in 2014).

The first session of the day was presented by a confidential speaker from a confidential fruit company regarding topics that are so confidential I can not speak of them. The very fact that I’ve said so much already has put me at risk of not making it home safely, and potentially disappearing from this earth completely.

Kudos to Mr Sjogren for keeping on schedule (to the minute) and having a nice flow of information and socialization.

"Mobile Strategy and security in a changing world" by Rick Wylie of Key Options

Some really good procedures here that I want to document in more detail and roll into Robot Cloud’s MDM. Until then, my notes are below.

Rick Wylie quickly ran through data showing 1.4 billion smart phones in use in the world (294 million are iOS). These devices bring with them new risks and require new strategies. He focused on three key areas Sys Admins will want to address when dealing with smart phones:

  1. Mobile Strategy: Policies, procedures, and technology put in place to make this work properly (See, http://www.dsd.gov.au/publications/iOS5_Hardening_Guide.pdf )
  2. Mobile Security: Data in motion and at rest. Physical security. Secure messaging. Location Management (more on that later) and secure video.
  3. Risk Management: This is a two-way street. IT needs to be responsible in securing what is necessary AND end-users need to be responsible in how they use the device. When talking about Risk Management it’s a good idea to perform a risk assessment to discover the likelihood of something happening and the impact that this occurrence may have.

Mr Wylie went into detail on the basic process for building a mobile strategy:

  • Gather information at all levels.
  • Report and develop the plan (v1)
  • Look at current and future policies.
  • Do the Risk Assessment.
  • Develop the policy guide.
  • Get the balance right (security vs usability).
  • Get Human Resource buy in!
  • Get IT Security buy in!
  • Develop and trial your MDM policies (Robot Cloud can vet this).
  • Get CIO sign off.
  • Adjust and fine tune.

How to make BYOD a success?

  • Spend time developing and testing profiles (we do this a lot with Robot Cloud).
  • Become a master of Apple Configurator (hopefully the newest version is easier to master).
  • Choose an MDM (consider Robot Cloud :)

Compliance Considerations

  • Encryption enforced.
  • Passcode policies.
  • Compromised detection.

Set some Rules in Place!

  • Enroll only those devices you want to enroll.
  • Make ALL policies very clear.
  • Make sure email policies are clear.
  • To copy or not to copy that is the question … allow or disallow copy and paste between accounts.
  • Make enrollment simple.
  • Leverage Self Service.

Next Big Thing: Personal Location Security
Contextual security … who what where when … contextual mobility. Geo-fencing. Dynamic Profile Management based on what Zone you’re in.

  • Zone 1, at home = all access.
  • Zone 2, company parking lot = camera disabled.
  • Zone 3, In the office = WiFi enforced.
  • Zone 4, board room = camera, microphone disabled.

See Air Patrol Zone Defense http://airpatrolcorp.com/

"The Future" by Edward Marczak of Google

Edward Marczak presented a very entertaining and creative presentation on “The Future”. A rather vague topic that I’m sure was a challenge to present. As historical caricatures from 1975 (Geek Squad with wide tie and overstuffed pocket protector), 1985 (Miami Vice sport coat over t-shirt — with mullet wig!) and 1995 (all black attire), Mr Marczak presented real products and predictions from each decade. New, unbelievable, 1K RAM chips! 10MB hard drives at the incredible low price of $3,400 each. “Hacking” on the rise — but easy enough to squelch. Lighter than ever 34 pound portable computers. He mixed in some Hollywood movie clips depicting “The Future” (Soylent Green, Logan’s Run, Blade Runner, Terminator) and spent a fair amount of time proving that these real examples seem pretty absurd with today’s hindsight. His presentation became a lead up to his point that we cannot trust anything he predicts and we should take comfort in knowing that experts who predict the future (especially in their area of speciality) are rarely correct.

I give Mr Marczak credit for putting himself out there creatively. He performed well. I simply wish he had made *some* predictions (and shortened his lead up). He did leave us with a couple bits of advice… One, attack a problem with a “beginner’s mind” (influence from Zen Buddhism). Two, become generalists. Learn as much as you can (about other products) so you can apply this knowledge to your specialty. He closed by encouraging us all to document and automate our jobs so we can move on to doing the really cool stuff of inventing the future! This is the real takeaway. Documentation and automation are two things we focus on very much at Forget Computers and I often find this area lacking when collaborating with other IT teams.

"Apple — Managed by Microsoft" by Sebastian Bredsdorff and Anders Meinert of Atea

Excellent information and example of how Microsoft SCCM 2012 SP1 can work to manage Macs. Full disclosure, Forget Computers runs on Robot Cloud and Robot Cloud runs on the very mature and sophisticated architecture of JAMF’s Casper Suite. SCCM looks like a bratty little baby in comparison. Therefore, we have no plan to use SCCM. Plus, JAMF makes a SCCM plugin, so if we really want to stuff some mature information down the throat of the bratty little baby we can. It was very interesting for me to learn the areas where SCCM falls short. All of these items SCCM can NOT accomplish (and we can. :)

  • No User Preferences supported (other than with scripting).
  • Only works when the client is online.
  • Silent install is not an option (You’ll see it listed, but it doesn’t work).
  • Limited hardware and software inventory objects.

"The Internet" by Nurani Nimpuno of Netnod

Nurani Nimpuno brought us up to speed on the history of the Internet and how it operates today. She included the eye-opening facts that a large portion of the world either does not have Internet or does not have affordable access to the Internet. (The US is a spoiled country in many ways.) To be fair, I used this time to catch up on my emails and did not take full advantage of this talk. There was some mention of the pending IPv6 changes that are coming (something we’ve been “warned” about for the past several years at various conferences). However, I feel that I’m still waiting for someone to tell me exactly what I’m really supposed to do about IPv6. Actionable items please! :)

"FileWave v6" (Infomercial) by John DeTroye of FileWave

As with SCCM, until FileWave can wire money into my account, or figure out a way to automate the mundane management tasks of my life, we have no plans to switch from Casper. Now might be a good time to step out and prepare for dinner. But wait! Mr Marczak urged us all to learn about other products so I stayed. FileWave looks like a nice solution. The one area where it excels is cross-platform management. If I wanted to manage Windows it looks to be an acceptable solution. Of course I don’t want to do this. There are so many Windows PC management solutions out there, why compete? We are focused on Mac and iOS one hundred percent and that focus allows us to be very good at what we do. We will continue to learn about other products so we can bring that knowledge back to our focus (thank you Mr Marczak for this reminder).

September 18, 2013

Stop Time Machine

We have an article on how to clean up the unnecessary alerting of Time Machine in Device Scout. Today we’ve made it even easier with a Self Service item. Ask your users to run this Policy, or run it for them. Contact us if you want to run this on several Macs at once.

Self Service > Managed Preferences >

August 2, 2013

Track Status of Redundant Server Clones

We at Robot Cloud enjoy having the redundancy of server hard drive clones that we can boot from within a few minutes of hardware failure. Because problems with a server OS can also be cloned we’ve found that nightly and weekly clones work best. To this end we send alerts on the health of daily and weekly clone volumes. When we first enabled this feature we found two locations with broken clones that we assumed were working. Fixed. Hooray! Here’s how it works — and how you can make it work for you!

Setup

  1. Name two volumes attached to a Server, "Daily Clone" and "Weekly Clone". (The names must match exactly.)
  2. Use Carbon Copy Cloner to set up your cloning schedule as best fits your needs. (The entire boot volume must be cloned.)
  3. Once per day Robot Cloud will check to see if your clone volumes are healthy.

Alerts

If Robot Cloud finds problems with your clones, an alert will be sent. There are two problematic conditions that we check for:

  1. The clone volumes physically exist but they do not appear to be set up.
  2. The clone volumes differ by more than 20GB (in either direction) from the Server HD.
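
The two alert conditions above, written as a shell check. This is an added example, not Robot Cloud's own code: it assumes clones mount under /Volumes, that "set up" means the clone contains /System/Library/CoreServices, and that the 20GB comparison is made on used space as reported by df.

```shell
#!/bin/sh
# Added example: evaluate the two clone alert conditions described above.
# Assumptions (not from Robot Cloud): clones mount under /Volumes, "set up"
# means the clone contains /System/Library/CoreServices, and the 20GB
# comparison uses used space as reported by df.

THRESHOLD_KB=$((20 * 1024 * 1024))   # 20GB expressed in 1K blocks

# used_kb PATH: print used space of the filesystem holding PATH, in 1K blocks.
used_kb() {
    df -Pk "$1" 2>/dev/null | awk 'NR == 2 { print $3 }'
}

# is_set_up VOLUME: print "yes" if the volume looks like a cloned boot volume.
is_set_up() {
    if [ -d "$1/System/Library/CoreServices" ]; then echo yes; else echo no; fi
}

# classify_clone SERVER_KB CLONE_KB SET_UP: print OK, NOT_SET_UP or SIZE_MISMATCH.
classify_clone() {
    server_kb=${1:-0}
    clone_kb=${2:-0}
    if [ "$3" != "yes" ]; then
        echo "NOT_SET_UP"        # condition 1: volume exists but holds no clone
        return 0
    fi
    delta=$((server_kb - clone_kb))
    if [ "$delta" -lt 0 ]; then delta=$((0 - delta)); fi   # either direction
    if [ "$delta" -gt "$THRESHOLD_KB" ]; then
        echo "SIZE_MISMATCH"     # condition 2: differs by more than 20GB
    else
        echo "OK"
    fi
}

# check_volume ROOT NAME SERVER_PATH: print "NAME: STATUS" for one clone.
# A volume that is not mounted is reported as NOT_PRESENT; the page lists
# only the two conditions above, so this status is informational.
check_volume() {
    vol="$1/$2"
    if [ ! -d "$vol" ]; then
        echo "$2: NOT_PRESENT"
        return 0
    fi
    status=$(classify_clone "$(used_kb "$3")" "$(used_kb "$vol")" "$(is_set_up "$vol")")
    echo "$2: $status"
}

# The volume names must match exactly, as the setup steps require.
for name in "Daily Clone" "Weekly Clone"; do
    check_volume /Volumes "$name" /
done
```

Run it once per day from launchd or cron and alert on any line that does not end in OK.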

July 10, 2013

Robot Cloud Relay – Local Distribution Point for OS X

Macs running OS X Server are great. We use them extensively for a variety of hosted services: file sharing, centralized backup, directory services, NetBoot, software updates and more.

However, in some offices a Mac running OS X server can be too much. Many small offices are moving to cloud based systems that replace in-house servers. In addition, large organizations with a minority of Mac clients often run entirely on Windows and don’t need a Mac server. These types of locations can still benefit from a local distribution point. At Forget Computers we require our clients to have a local distribution point to qualify for Flat-Rate pricing.

A local distribution point allows organizations to host a copy of the Robot Cloud updates and installers on a local server in their environment. Hosting locally reduces the amount of bandwidth coming in and out of each location. Updates are pulled once and then distributed to each Mac through the local area network. A local distribution point is essential for executing large Robot Cloud policies. Plus, all policies execute more efficiently when a local distribution point is present.

A local distribution point requires a Mac running OS X Server 10.6 or greater. For organizations that don’t have a Mac Server we built the low cost, power efficient, plug-and-play, Robot Cloud Relay!

Features and Benefits

  • Highly reliable, all flash storage.
  • Plug-and-play simplicity.
  • Power efficient. The Relay uses 25x less power than a Mac Mini Server.
  • Small form factor: 3.9 x 2.5 x 1.23 inches and only 3 ounces!
  • Silent (no moving parts means no sounds).
  • Greatly improve the software installation experience. For example, Adobe CS 6 Design Standard can take over an hour to install through the Internet and only 6 minutes via the Robot Cloud Relay.
  • Remove WAN congestion by moving software maintenance and installations to the local area network.
  • Much less expensive than a Mac Server (if all you need is a local distribution point).
  • Option to be used as a cloud VPN appliance! Reduce the need for travel to an office with secure remote access for employees and IT. Improve the remote support experience. Eliminate the need for more expensive and complicated VPN solutions.

VPN Appliance Option

Robot Cloud Relay can also act as a VPN gateway using LogMeIn’s Hamachi solution. The gateway functionality of LogMeIn Hamachi requires a Windows PC so most Mac offices can’t take advantage of this feature — until now! With a Robot Cloud Relay, Mac-only organizations can leverage the LogMeIn Hamachi solution to create a virtual networking service for secure remote access to their business network from anywhere the Internet is available (up to 5 VPN clients and 256 network members).

Once a single, secure VPN connection is established to an office running a Robot Cloud Relay, IT administrators can leverage Apple Remote Desktop (ARD) to remotely access multiple Macs on the network simultaneously. Remote users can even leverage office Bonjour services like printing, file sharing, AirPlay, Home Sharing and Apple TV!

 

Requirements

  • Standard, U.S. 110v electrical outlet.
  • 100Base-T Ethernet connection to the local network (Ethernet cable not included).
  • Internet access over ports 443 and 22 to m.robotcloud.net (see Robot Cloud and Hamachi details).
  • One, static, private IP address.
  • A Robot Cloud subscription.

Pricing

The Robot Cloud Relay is exclusive to Robot Cloud customers and is a subscription device. Forget Computers retains ownership and if the device ever breaks, we send you a new one! Shipping is included anywhere in the US.

  • $149 per device per year, local distribution point only.
  • $199 per device per year, local distribution point and VPN relay.
  • Quantity discounts available.
  • Subscribe today!

May 15, 2013

Robot Cloud Upgrades

Some of the Robot Cloud Alerts were too aggressive in sending duplicate notifications (via email and SupportMenu). This has been improved so alerts now trigger a second time only if the situation that prompted the original alert gets worse.

In addition, some alerts now trigger a notification when a problem is fixed! For example, memory errors, POST errors and hardware RAID errors all trigger confirmation notifications when the issue is resolved. It’s nice to know when an issue is resolved. :)


May 3, 2013

Sample BYOD User Policy

BYOD is short for Bring Your Own Device and refers to personally owned devices used in the workplace. Having a BYOD Policy in place allows an employee to use personal devices at work while protecting the interests of the business. A BYOD Policy accomplishes this by clearly stating the personal-business relationship of the device and what is expected of the user and the business in this relationship.

The following policy has been adapted from an article written by Sandra Gittlen for Network World titled, A sampling of BYOD user policies. You’ll want to replace FORGET COMPUTERS with your company name and make additional edits to fit your environment.

Of course, here at Forget Computers we use Robot Cloud to manage our company owned and BYOD devices. Please contact us if you would like to most efficiently manage and secure your Mac and iOS devices!

Forget Computers Personal Device Policy


The use of a personal device (smartphone, notebook, iPad, etc.) in connection with the FORGET COMPUTERS business and technology infrastructure is a privilege granted to employees through approval of their management. FORGET COMPUTERS reserves the right to revoke these privileges in the event that users do not abide by the policies and procedures set forth below.

The following policies aim to protect the integrity of FORGET COMPUTERS data and ensure it remains safe and secure under FORGET COMPUTERS control.

  • Your device will lock your account after 10 failed login attempts.
  • Your device will lock every 30 minutes requiring reentry of your password.
  • Your device will include password rotation every 90 days.
  • The password must be a minimum of six characters.
  • The password must contain at least one letter or number (except on devices that cannot accept alphanumeric passwords).
  • The password must not be one of your previous four passwords.
  • Your device will be remote wiped if:

      (i) you lose the device;
      (ii) you terminate employment with FORGET COMPUTERS;
      (iii) IT detects a data or policy breach or virus;
      (iv) you incorrectly type your password 10 consecutive times.

  • Your device may allow for only the remote wipe of FORGET COMPUTERS data. This means your personal data is still vulnerable, and thus it is recommended you also set a device password and take additional security precautions.

In addition to the above security settings, all users are expected to use their device in an ethical manner. Using your device in ways not designed or intended by the manufacturer is not allowed. This includes, but is not limited to, “jailbreaking” your iPhone.

A personal device can be connected to the FORGET COMPUTERS infrastructure, but the user is personally liable for the device and any carrier service costs. Users of personal devices are not eligible for expense reimbursement for hardware or carrier services. Users of personal devices must agree to all terms and conditions in this policy to be allowed access to the FORGET COMPUTERS services.

Employees who purchase a device on their own that is not in line with our standard approved device list may not be allowed to have their devices added to the FORGET COMPUTERS business and technology infrastructure. It is highly recommended that the employee refer to the standard approved device list to review the devices that are being supported by IT. Users of personal devices are not permitted to connect to FORGET COMPUTERS infrastructure without documented consent from FORGET COMPUTERS IT. Furthermore, FORGET COMPUTERS and FORGET COMPUTERS IT reserve the right to disable or disconnect some or all services without prior notification.

Release of Liability and Disclaimer to Users of Personal Devices

FORGET COMPUTERS hereby acknowledges that the use of a personal device in connection with FORGET COMPUTERS business carries specific risks for which you, as the user, assume full liability. These risks include, but are not limited to, the partial or complete loss of data as a result of a crash of the OS, errors, bugs, viruses, and/or other software or hardware failures, or programming errors which could render a device inoperable.

FORGET COMPUTERS hereby disclaims liability for the loss of any such data and/or for service interruptions. FORGET COMPUTERS expressly reserves the right to wipe the entire device, or specifically managed applications, at any time as deemed necessary for purposes of protecting or maintaining the FORGET COMPUTERS service.

Furthermore, depending on the applicable data plan, the software may increase applicable rates. You are responsible for confirming any impact on rates as a result of the use of FORGET COMPUTERS supplied applications as you will not be reimbursed by FORGET COMPUTERS. Finally, FORGET COMPUTERS reserves the right, at its own discretion, to remove any FORGET COMPUTERS supplied applications from your device as a result of an actual or deemed violation of the FORGET COMPUTERS Device Policy.

April 19, 2013

Mar 2013 – What’s New…

We’ve been so busy making improvements to Robot Cloud we’ve neglected our news postings! Here’s a quick summary of what’s new with everyone’s favorite robot.

  • We opened a Twitter account dedicated to @Robot_Cloud.
  • A new, self-serve Robot Cloud Demo is available for the Mac.
  • ClamXav is now a standard Policy for installation and patching.
  • A new Alert reports if the total installed RAM increases or decreases. (Yes, RAM can sometimes go “missing”!)
  • Virtual Memory Inventory has been improved for more accurate reporting on the worst virtual memory offenders.
  • Several Alerts have been reformatted to appear less technical and more useful to end-users.
  • Robot Cloud now checks the health of Daily and Weekly Clone volumes! (We’ll post more info on this soon.)
  • Workload Alerting (Paging Ratio and CPU Load trending over 7 days) has been improved. (See the example screen shot from Device Scout below.)

[Screenshot: Device Scout workload alerting example]

March 22, 2013