Thursday, September 13, 2018

Automating Legacy Application Installation with Powershell and Startup Scripts

I recently had cause to install an old piece of software on 20 computers in a lab, and was looking for a way to automate this installation to reduce the tedium and opportunity for mistakes inherent in such a repetitive task.

Optimally, of course, the software would have come with a .MSI installer, and I would have just used wmic or Powershell to copy the MSI and run it with the /quiet switch for a silent install. However, this application's installer was created with Clickteam Install Creator, so it takes the form of a standard .EXE - and, what's more, it was created with the non-Pro version, so there is no silent installation switch. I tried all the standard tricks, including opening the installer in 7Zip to see if it simply hid an MSI (like some InstallShield installers), but it seemed like nothing was going to work. So, I got creative.

In the past, I have used AutoIt to script mouse movements and clicks. This would work in my use case, but I did not want to install the program just to install one other program, so it was out. Then, I realized that everything in the installer could be maneuvered with a combination of presses of the Tab, Enter, and arrow keys, and that if I could write a batch or Powershell script to send those keys to the installer application, I could do it with no additional software required. It wouldn't be a silent install, and would require logging in to the computer to start the script, but it would be more-or-less automated.

It turns out that, as of this writing, Powershell does not have a native cmdlet or other provision to send keys to another application. Luckily, there are two different methods to use Powershell for this: the Windows Script Host COM object, or a .NET assembly. In our case, because our other techs are more familiar with WSH scripting than with .NET, I chose to use that option.

The Windows Script Host COM component can provide a shell object that allows you to send keystrokes to a window, which behaves just as if a user had physically pressed the keys. To create the shell object and send a keystroke, you can use the following code:

$wshell = New-Object -ComObject wscript.shell
$wshell.AppActivate("name of window to send keystrokes to")
$wshell.SendKeys("keystrokes to send")

For the most part, I only needed to send Tab, Enter, and arrow key strokes, whose codes are, respectively, {TAB}, {ENTER}, {UP}, {DOWN}, {LEFT}, and {RIGHT}. Many other keycodes are available for other use cases. I found that several SendKeys commands issued back to back were in fact going too fast for the installer to keep up, so I inserted some Powershell pauses between them:

Start-Sleep -s 1

to make sure that the installation proceeded correctly, as well as some longer pauses to allow the actual installations to take place before the final screen and "Finish" button keypresses.

Now, the installation was automated, but I would still need to log in to each computer, navigate to the script, right-click to Run as Administrator, and click "Allow." I wanted to automate this as much as possible, so I didn't stop there. I created a batch file that would run my installer script as an administrator user automatically:

powershell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process Powershell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""C:\install.ps1""' -Verb RunAs}"

and placed it in the Start Up folder so that it would run automatically on login:

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

I then added a line to the installer script to delete this startup script when the installation was complete, so that it would not re-install the program on each login.

With this setup in place, the once-laborious install was reduced to:
1. Copy the installer application, install script, and startup script to the appropriate locations on the remote computer, using the \\computername\C$ share (also done via Powershell with a for loop).
2. Log in to each machine as an administrator user.
3. Click "Allow" on the UAC prompt.
4. Wait until the install finishes.
Before automation, installing this software on all 20 lab computers might have taken around 40 minutes; after automation, the whole-lab install took about 10 minutes, and considerably reduced the chances that an incorrect option may have been selected in the installer on some machines.
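The install.ps1 driver described above, written out as an added example rather than the author's own script. The installer path (C:\Setup.exe), its window title, the key sequence and the startup batch file name are assumptions that have to be read off the real installer; the expected hash is a placeholder to record when the installer is staged.

```powershell
# Added example, not the post's script. Paths, window title and key sequence are assumed.
$Installer     = 'C:\Setup.exe'                                   # assumed installer name
$StartupScript = 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\install.bat'  # assumed name
$WindowTitle   = 'Setup'                                          # assumed installer window title
$ExpectedHash  = 'PLACEHOLDER_SHA256'                             # placeholder: record the real hash when staging

# The C$ share is writable by any local admin, so refuse to drive an installer that is not the one staged.
$actualHash = (Get-FileHash -Path $Installer -Algorithm SHA256).Hash
if ($actualHash -ne $ExpectedHash) {
    throw "Installer hash mismatch for $Installer : $actualHash"
}

$wshell = New-Object -ComObject wscript.shell
Start-Process -FilePath $Installer

# AppActivate returns $false until a window with that title exists; poll instead of guessing a fixed sleep.
$deadline = (Get-Date).AddSeconds(30)
while (-not $wshell.AppActivate($WindowTitle)) {
    if ((Get-Date) -gt $deadline) { throw "Installer window '$WindowTitle' never appeared" }
    Start-Sleep -Milliseconds 500
}

# One entry per installer screen: keys to send, then how long to pause so the installer keeps up.
# The layout below is assumed; map it out by hand once on the real installer.
$steps = @(
    @{ Keys = '{ENTER}';      Wait = 1  },   # welcome screen -> Next
    @{ Keys = '{TAB}{ENTER}'; Wait = 1  },   # licence screen: Tab to Accept, then Enter
    @{ Keys = '{ENTER}';      Wait = 1  },   # keep the default install folder
    @{ Keys = '{ENTER}';      Wait = 60 },   # start copying files; long pause for the actual install
    @{ Keys = '{ENTER}';      Wait = 1  }    # Finish
)
foreach ($step in $steps) {
    # Re-focus before every send so keystrokes never land in some other window.
    if (-not $wshell.AppActivate($WindowTitle)) { throw "Lost the installer window '$WindowTitle'" }
    $wshell.SendKeys($step.Keys)
    Start-Sleep -Seconds $step.Wait
}

# Remove the startup batch file so the install does not re-run at every login.
Remove-Item -Path $StartupScript -Force -ErrorAction SilentlyContinue
```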

Tuesday, September 11, 2018

Mac Administration with JAMF, Part 3: Configuration Profiles

Configuration Profiles are Apple's somewhat newer, MDM-esque management solution for Macs, similar to how iPads and iPhones are managed. While Policies in JAMF are mainly focused on accomplishing a task, like installing a program or running a script, Configuration Profiles center around enforcing certain settings as determined by the administrator. What's more, while a change made by a Policy could be undone by a user with the correct permissions, a setting enforced by a Configuration Profile is more or less set in stone while it is applied.

While Configuration Profiles are scoped similarly to Policies, they do not offer any of the same control as to when they apply, or how often. Configuration Profiles are pushed to managed devices via APNS, so they may take several minutes to apply, and you cannot choose for them to only apply within a certain window of time or dates. You can, however, choose to have them apply automatically, or to make them available in the Self Service app, so that users or techs can choose when they should apply from the device itself.

Unlike Policies, Configuration Profiles have two levels at which they may apply: the Computer Level, which has payloads affecting computer-wide settings, and the User Level, with payloads affecting per-user profile settings.

Computer-level Configuration Profile payloads include:

Passcode
The Passcode payload allows you to require all users on the computer to have a password that meets the restrictions you specify. Some of these restrictions are the usual ones that could be placed on passwords - disallowing repeating characters, requiring numbers or special symbols, and specifying a minimum length.

Other, more interesting restrictions, include things like Maximum auto-lock, which controls how long the Mac can go unused before it locks itself (1 - 5 minutes), and Maximum grace period for device lock, which gives the user up to four hours before they must set the password after the Configuration Profile applies.

One of the restrictions, Maximum number of failed attempts, is confusing in a desktop Mac context. The description states that this is the number of times a user may enter an incorrect password before the device is locked. On a mobile device, this would require connecting it to iTunes to unlock it, so it is unclear what actually happens on, say, an iMac when this takes effect.

Network
The Network payload specifies which of the various interfaces on the computer should be used and, for Wi-Fi, which SSID should be used.

For Ethernet networks, you may specify various authentication protocols (TLS, TTLS, LEAP, PEAP, or EAP-FAST) that can be used for 802.1x network authentication, and you may also choose to use the login window as the network login screen. This is similar to how AD authentication on the login screen works, but backwards - with AD authentication, a network login authenticates the user to the computer, while with this setting, a computer login authenticates the user to the network.

For Wi-Fi networks, you may similarly specify what security type the network uses (WEP, WPA/WPA2 Personal, WPA/WPA2 Enterprise, etc.), and may either specify the credentials to use, or to have the login window authenticate the user to the network. Quality of Service (QoS) options are also available, including the option to mark certain applications for Fast Lane service.

VPN
The VPN payload supports both machine-wide VPN settings and per-app VPN settings. Supported connection types for machine-wide VPN connections are L2TP, PPTP (only supported up to Mac OS 10.11), IPSec, Cisco AnyConnect, Juniper SSL, F5 SSL, SonicWALL Mobile Connect, Aruba VIA, Check Point Mobile VPN, and Custom SSL (for all other VPN types). For per-app VPN connections, L2TP, PPTP, and IPSec are not supported.

Each supported connection type has its own set of inputs, too numerous to describe here, to cover the authentication types, account names, pre-shared keys/secrets, etc. relating to each. Settings entered as part of this Configuration Profile will automatically apply to the computer when the configuration profile is applied, and will not be changeable by the user, making this a good payload for enforcing data security in transit over an untrusted medium.

Certificate
This payload allows you to install X.509 certificate credentials to be used by various encryption protocols. This is convenient to do with a Configuration Profile, which can be applied no matter where a device is, as compared to via Policy, which requires the device to be connected to a network from which the JAMF server is available. Multiple X.509 certificates may be installed with one Configuration Profile.

SCEP
The SCEP payload specifies the SCEP server(s) that the computer will look to for certificates. Available options include the static challenge password to use (if any), the number of times to retry requests and how long to wait before retries, the number of days after which to display certificate expiration notifications, and the key size in bits of certificates. This payload also allows you to add an X.509 certificate.

Directory
The Directory payload allows you to enforce Active Directory or Open Directory/LDAP bindings on the computer. Both binding types have options to specify the directory server, along with a username and password, as well as the client ID for the device.

The Active Directory option for the payload adds some AD-specific fields, including:

  • Whether accounts created with AD credentials should be "mobile accounts"
  • Whether such accounts should have a local home directory created on the startup disk
  • Whether they should use the UNC home folder path from Active Directory to allow the folder to be mounted, and to automatically add it to the Dock
  • The protocol (SMB or AFP) that should be used to mount the network home directory
  • The default user shell (defaults to /bin/bash)
You can choose to map the user's UID, the user's GID, and the user's group's GID to AD attributes, as well as to allow members of certain AD groups to act as administrators on the computer. Packet signing and encryption are supported, and you may specify the number of days after which the computer trust account password will be changed.

We have found that, in our environment, this payload is not necessarily reliable. During the imaging process, the Configuration Profile may apply at almost any time, or may take hours after imaging to complete. In our environment, where we sometimes must reimage Macs between classes, we prefer the reliability of a Policy to enforce this instead.

Software Update
This payload allows you to specify the URL of the update server(s) from which the Mac should download and install updates, as well as whether the computer should be allowed to install beta releases of macOS.

Restrictions
The Restrictions payload is where much of the functionality of Configuration Profiles may be found. This payload allows you to enable or disable sections of the System Preferences application, as well as to control the settings therein. There are several tabs for different sections of this Payload:
  • Preferences - enable or disable System Preference Panes. For example, if you did not want users to be able to change the Energy Saver settings on the device, you could disable that pane completely.
  • Applications - enable or disable the Game Center app, allow App Store app adoption, allow Safari AutoFill, require an administrator password to install/update apps, restrict the App Store to managed apps and software updates only, and even to restrict which apps users may open. The last option can be used to create locked-down, kiosk-esque devices for classroom use or other such restrictive environments.
  • Widgets - enable or disable Dashboard widgets. As Dashboard becomes less and less well-supported by Apple in newer versions of Mac OS, the usefulness of this option will be reduced.
  • Media - control access settings for network, internal, and disk media. You may specify whether AirDrop is enabled, as well as whether CDs, DVDs, and/or recordable disks are allowed to be used, as well as whether internal and external disks may be connected or accessed, and whether Disk Images may be opened. For all of these, you may choose to allow them, require administrator authentication for their use, or to limit them to read-only access. Furthermore, you may require that all removable media are ejected at logout. From an infosec perspective, this is one of the most useful payloads for a Configuration Profile.
  • Sharing Services - enable or disable items in the Share right-click menu. As of JAMF 9.101, this list includes AirDrop, Facebook, LinkedIn, Twitter, Mail, Messages, Notes, Reminders, "Video Services - Flickr, Vimeo, Tuduo, and Youku", Photos, Aperture, Reading List, and Sina Weibo. You may also choose to allow new sharing services to be automatically added to the Share menu on devices as they become available.
  • Functionality - allow or disallow various actions that the user may take, including locking the desktop picture, allowing Touch ID to lock the device, allowing iCloud to be used, and whether to defer software updates for 90 days. 
Font
This payload allows you to install TrueType (.ttf) or OpenType (.otf) fonts on the device.

AirPlay
You may choose to restrict AirPlay to certain destinations, which you may specify in the payload, as well as the passwords for those destinations to enable auto-connection.

Login Items
This payload allows you to specify applications that should open when users log in, as well as files and folders to open automatically, and network shares to mount automatically (which you can choose to have mounted, but not visible to the user). You can also allow or disallow the user to hold "Shift" during login to keep these items from opening, which might be useful if a full-screen app should cover the normal desktop interface.

Login Window
This payload allows you to alter the appearance and functionality of the main login window. You can enter a message to be displayed above the login prompt, as well as whether the login window should take the form of a list of users, or a username/password box.

Also controlled by this payload are a few settings related to the first-time login experience for new users. You can choose whether new users should be allowed to associate their account with an Apple ID on login, as well as whether they should be allowed to set up Siri.

Other login-related options available in this payload include enabling/disabling Fast User Switching, setting an automatic inactivity logout (minimum 3 minutes) and screensaver timeout, as well as to allow or disallow the Guest User. If you use LDAP for authentication, and integrate it into JAMF as well, you can even choose to allow or deny access based on the user's group in JAMF. (Unfortunately, this feature does not extend to AD authenticated users and groups.)

Dock
This payload allows you to customize the Dock for all users, including changing its size, choosing the magnification mode, and adding applications, files, and folders. You may choose to have the selected Dock items replace or merge with the user's Dock.

Mobility
This payload allows you to add to Open Directory/LDAP network-authenticated accounts features ordinarily only available to Active Directory-authenticated accounts, including automatic mobile account creation, home folder encryption, and network home folder location. In addition, you can specify a number of days after which the mobile account will be deleted (useful for loaner devices that change hands often), as well as rules as to when the mobile account's local data should be synchronized to the network home directory.

Printing
The Printing payload allows you to add printers, and to choose a default printer for all users. Optionally, you may choose to lock the printer list so that none can be added without administrator authentication.

Parental Controls
You can choose to hide profanity in the Dictionary and Dictation apps, and to turn on the web content filter, either using a default "adult websites" filter, or by specifying a list of allowable/denied URLs that will be used to filter all web traffic. You can also set daily or weekly limits on the number of hours that the computer may be used, as well as curfews, or times between which the computer cannot be used.

Security and Privacy
This payload exposes the options available in the Security and Privacy pane of the System Preferences application. You can choose the Gatekeeper setting, allowing Mac App Store apps only, Store apps plus those from identified developers, or anywhere. Additionally, you can choose to require a password immediately after the screen saver turns on as well as whether the user should be able to change their login password.

This payload also controls FileVault 2, allowing you to require the device to be encrypted (with either an institutional recovery key, created in JAMF with a known certificate, or with an individual device recovery key, which can be set to escrow to JAMF for retrieval if necessary), as well as whether the user must enter the FileVault 2 password when the device wakes up from hibernation (versus only on cold boot).

Furthermore, the firewall is controllable in this payload. You can choose to have the firewall block all incoming connections, or to specify a list of apps with individual control over each one's ability to communicate on the network.

AD Certificate
This payload allows you to specify the certificate server from which other payloads above seek AD certificates. You may choose to set a certificate expiration notification threshold (defaults to 14 days), and may specify the username and password that the device will use to authenticate to this server. Alternatively, you may choose to have the payload prompt for credentials, but this requires manual installation of the configuration profile outside of the JAMF system. You can choose whether all applications should be allowed to access the certificate (or only JAMF), as well as whether an administrator user can export the certificate private key from the Keychain on a Mac.

Energy Saver
The Energy Saver payload exposes the options available in the Energy Saver preference pane. Two sets of identical power options are available, one for desktop computers and one for portable computers, with portable computers having plugged-in and on-battery profiles.

The options available to each power profile are:

  • Period of inactivity after which to put the computer to sleep (1 minute to 3 hours)
  • Period of inactivity after which to put the display(s) to sleep (1 minute to 3 hours)
  • Whether to put the hard disk(s) to sleep to save additional power
  • Whether to wake for Ethernet network administrator access (Wake on LAN)
  • Whether the power button should put the computer to sleep when pressed
  • Whether the computer should automatically restart after a power failure is detected
In addition, this payload allows you to specify days and times that the computer should automatically wake up or power on, as well as days and times that it should automatically shut itself down. We use this function of the payload in our update system, to ensure that all Macs wake up or turn on each night to check for and install approved updates.

Custom Settings
This payload allows you to upload a custom .plist file with properties for most anything on the Mac (settings, applications, etc.), even those not exposed in a preference pane. For example, to disable the 32-bit application warnings on High Sierra and above, a custom .plist with {CSUIDisable32BitWarning=true} must be uploaded for the .GlobalPreferences domain.

Identification
This payload allows you to specify, or to indicate that the user must enter, information that will be stored in the Keychain and used to customize certain applications. To have the payload prompt the user for this information, the Configuration Profile must be installed manually, as with the AD Certificate payload described above.

Time Machine
The Time Machine payload allows you to specify a network location to which Time Machine backups should be saved, to choose to enable automatic backups (but not to specify the backup interval), and to specify what paths should and should not be backed up.

Finder
This payload provides access to the normal Finder application preferences, including which items should be shown on the desktop (Hard disks/external disks, CD/DVDs, and connected servers), as well as whether a warning should be shown before emptying the trash. Additionally, you can specify which commands should be available to users from Finder, such as the Connect to Server dialog, to eject removable media, to burn a disc, or to restart or shut down the computer. This payload, like the Restrictions payload, allows you to help ensure no data is inappropriately exfiltrated from a computer by preventing the burning of CDs or connecting to network storage locations, and would also be useful for kiosk machines that should always remain turned on.

Accessibility
This payload allows you to configure visual, audio, and interactive aids to make the computer easier to use. You can enable screen zooming, and specify the minimum and maximum zoom levels (from 1x to 10x), ensuring that a user with assistive needs cannot make the computer too difficult for themselves to use, as well as forcing inverted colors, grayscale, or enabling VoiceOver. Similarly, you can choose to flash the screen when audible notifications occur, or to play stereo audio as mono, and you can enable or disable Sticky Keys, Slow Keys, and Mouse Keys.

Proxies
The Proxies payload allows you to specify HTTP, HTTPS, FTP, SOCKS, RTSP (streaming), and Gopher proxy information that the computer should use, as well as a list of hosts and domains that should bypass these proxies. You can enter an automatic proxy configuration URL, as well, and can force the use of Passive FTP Mode.

App-to-Per-App VPN Mapping
This works together with the VPN payload described above to implement per-app VPN connections. You choose an application, and then which per-app VPN should be used.

FileVault Recovery Key Redirection
This payload, functional only in 10.12 and below, allows you to specify a URL (or the JSS itself) to which FileVault 2 recovery keys should be sent when a device is encrypted, and optionally, a certificate that should be used to encrypt the keys. This helps to ensure that IT can always unlock a device, even if the user forgets their FileVault 2 password. The recovery key is viewable in the inventory page for a computer.

On 10.13 and above, this payload is no longer functional. Instead, use the FileVault 2 key escrow in the Security & Privacy payload, as described above.

Xsan
If your environment has an Xsan network, you can use this payload to enable Macs to authenticate to it. You can also specify file system name servers on the network by hostname or IP address.

SmartCard
This payload configures settings relating to Smart Card-based authentication schemes. You may choose to allow or disallow Smart Cards and user pairing, whether to verify the certificate for the Smart Card, and whether users should only be allowed one Smart Card, or multiple.

System Migration
The System Migration payload allows you to specify source and destination paths that should be used for the System Migration application to move user accounts from one Mac to another. This payload is somewhat analogous to the settings for the User State Migration Tool (USMT) or Windows Easy Transfer Tool used in Windows environments.

On the User-level Configuration Profile side, many of the same payloads are present. When applied at the user level, the settings will affect only the user logged on when the Configuration Profile applies; in this use case, you can scope the Profile by user, rather than computer name, in the Scope tab in JAMF.

Payloads only available in User-level Configuration Profiles are:

Mail
You can enter the IMAP or POP server information and credentials that should be used to set up the user's email account(s) in the default Mail application.

Exchange
Like the Mail payload, you can specify the Exchange server and credential information for the user, which will be used in Exchange-aware applications like Outlook.

LDAP
The LDAP payload allows you to specify account information for the user's LDAP account, as well as search settings for the user's default LDAP server.

Contacts
This payload allows you to specify the user's CardDAV credentials and server information so that their contacts will be available for use in enabled applications.

Calendar
Like the Contacts payload, this allows you to enter the user's CalDAV credentials for network calendar access.

Web Clips
Web Clips are widgets that display a portion of a web page in the Dashboard application. You can use this payload to add Web Clips to the user's Dashboard. One use case for this might be to add a link to the company's help desk page, or other such internal resources, so that the user need not even open a full web browser to get in touch with support.

Messages
You can enter the user's Jabber or AIM information (in JAMF version 9.101; later versions may have different options) to be used with the Messages or other similar applications.


As you can see by the sheer number of payloads, Configuration Profiles are where much of the functionality of JAMF lies, and, by the fact that Apple is pushing Mac OS toward a more MDM-friendly management environment, where most management functionality will be in the future.

Useful Things: systeminfo

The systeminfo command on Windows is a useful little tool that gives information about the operating system on either the local or a remote computer that may aid you in troubleshooting. For example, if I want to see information about a computer called "remotepc", I could run:

systeminfo /s remotepc

and I would get back something like this (identifying information removed):

But what if you only wanted part of that information, perhaps to use in a script? The systeminfo command can be piped to find, like so:

systeminfo /s remotepc | find "OS Version"

which, in the above screenshot, would return:
("OS Version", of course, also happens to match the tail end of "BIOS Version".)

Additionally, you can ask the systeminfo command to output its data in a few different formats using the /FO switch. The default option, which displays as in the screenshot above, is LIST; other available formats are TABLE, which displays, as the name indicates, a table in the command line (though all data is on one line, so it is very difficult to read in the cmd window), and CSV, which echoes a comma-separated version of the information. Redirecting this output to a .csv file (systeminfo /FO CSV > info.csv) makes for easy Excel- or script-based parsing.
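Script-based parsing of the CSV output, as an added example that is not part of the original post: systeminfo is read into objects with ConvertFrom-Csv (which sidesteps the "OS Version" / "BIOS Version" collision that find suffers from), then every machine whose OS Version differs from the lab's majority is flagged. The computer names other than "remotepc" are assumed.

```powershell
# Added example, not from the post. Collect systeminfo from several machines as objects
# and flag any machine whose OS Version is not the majority (patch-level) baseline.
function Get-LabSystemInfo {
    param([string[]]$ComputerName)

    foreach ($c in $ComputerName) {
        # /FO CSV emits a header row and one data row; ConvertFrom-Csv turns them into a
        # single object keyed by systeminfo's column names, so 'OS Version' is exact.
        $raw = systeminfo /S $c /FO CSV 2>$null
        if ($LASTEXITCODE -ne 0 -or -not $raw) {
            Write-Warning "systeminfo failed for $c (offline, access denied, or RPC blocked)"
            continue
        }
        $info = $raw | ConvertFrom-Csv
        [pscustomobject]@{
            Computer    = $c
            HostName    = $info.'Host Name'
            OSName      = $info.'OS Name'
            OSVersion   = $info.'OS Version'
            BIOSVersion = $info.'BIOS Version'
        }
    }
}

# "remotepc" is the post's example; the other names are assumed lab machines.
$results = Get-LabSystemInfo -ComputerName @('remotepc', 'lab-02', 'lab-03')

# Same idea as redirecting /FO CSV to a file, but one row per machine for Excel or later scripts.
$results | Export-Csv -Path .\info.csv -NoTypeInformation

# A lab should sit at one patch level; the most common OS Version is the baseline,
# and anything else deserves a look (missed update, or a machine nobody reimaged).
$baseline = ($results | Group-Object -Property OSVersion |
             Sort-Object -Property Count -Descending |
             Select-Object -First 1).Name
$results | Where-Object { $_.OSVersion -ne $baseline } | ForEach-Object {
    Write-Warning "$($_.Computer) reports '$($_.OSVersion)'; baseline is '$baseline'"
}
```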
