Script Writing For Mac Image Using Jamf
A Tkinter GUI that displays menu selections for iPhones.
May 12, 2017. While there have been many write-ups and presentations on the impending doom of imaging, it’s not quite dead yet. If you’re still an imaging shop, you may know that of all the wonderful things that Jamf logs during the imaging process, the actual imaging configuration that is used during imaging is not one of them.
Use
At Jamf, staff use this script to select iPhones for IT to purchase on the corporate wireless account. Our version of this script generates a Service Desk ticket from the collected options using a service account's credentials passed as parameters in the Self Service policy ($4 and $5 respectively).
If you wish to use this script within your organization you may copy the contents and customize it to work in your environment following the guide below.
This script has no external dependencies and has been tested on macOS 10.10+.
Customization
The object MODEL_OPTIONS defines the contents of the GUI when it loads. For each model of iPhone you can define the color and storage size options that are available in the drop-downs. Each model in this object will be a menu option in the GUI that will update the color and storage menus when selected.
The URLs currently in the script that link to Dropbox are not guaranteed to work - you are encouraged to use your own hosting options for these images!
The following syntax shows how to define each model.
Multiple colors can be defined for each model. Each color needs an image available at a reachable URL to load. The images must meet the following specifications:
- GIF Format (Tkinter only supports this format by default)
- 300 × 355 pixels
- Background color #F0F0F0 (Tkinter does not render transparency)
Below MODEL_OPTIONS there is a create_ticket() function where you will write the code to handle passing the user's selections into your ticketing system. The following data will be available to generate the ticket's contents from:
- request_type
- model_name
- model_color
- model_storage
A global variable named LOGGED_IN_USER is available to obtain the username of who is running the script. When run from Self Service, this variable can be one of two values:
- Self Service requires authentication - it will be the authenticated username, or
- Self Service does not require authentication - it will be the username of the local Mac user account.
Testing
To run this script locally, type the path to the system's Python interpreter and pass three values after the filename to fill in the needed parameters (the script uses $3 to obtain the username):
The script will log the user's actions in the GUI as it runs and print the selected information at the end:
License
It is entirely possible to silently upgrade users from Office 2016 VL to Office 365/2019 without user interaction, provided they are already using Outlook with an Office email account. The only thing your users will see is a window informing them Office is being activated the first time they start one of the Office applications after the upgrade. It only takes a few seconds.
The upgrade will happen in the background and the user can keep using the machine while it is being performed. If users try to start an app while it is being updated, they will get a user friendly message telling them the app will start after the update is complete.
Unlicensing Office 2016 before upgrading is unnecessary, as the new license is backwards compatible. With this method it is not necessary to uninstall the previous version first or have users approve a non-graceful application quit either.
Users may be asked for permission to quit an app to perform an upgrade, but it can be postponed. Also it will be Microsoft’s own AutoUpdate system that quits the app, which is the most graceful way to do it.
These are the steps you need to achieve a silent upgrade using Jamf:
First, distribute the most recent version of the Microsoft AutoUpdate package from macadmins.software to all clients using a policy or Patch Management.
Then register Microsoft AutoUpdate by running a script that executes the two lsregister commands below (see Paul Bowden’s RegMAU tool) as the logged-in user on clients. This pre-approves the popup asking users to approve the first run of Microsoft’s update daemon when it starts along with an app.
Distributing Microsoft AutoUpdate this way will not conflict with the installations of users who have not yet been upgraded from Office 2016, so both of these steps can be done ahead of time.
Distribute Paul Bowden’s Jamf Controller for Microsoft AutoUpdate configuration profile to clients that are running Mojave (so Jamf has the right permissions to control msupdate in a script). This can be done using a smart group containing all clients running 10.14, and can also be done ahead of time without conflicting with the current installation. The unsigned .mobileconfig can be uploaded directly into a new Jamf configuration profile; Jamf will sign it before distribution.
When you are ready to update a client, set the following preferences, using a configuration profile:
com.microsoft.office OfficeAutoSignIn TRUE
com.microsoft.office OfficeActivationEmailAddress jane.doe@example.com
com.microsoft.office DefaultEmailAddressOrDomain jane.doe@example.com
Replace jane.doe@example.com with the correct Office 365 account. In Jamf, you can use $EMAIL instead of the actual address in a configuration profile. Jamf will fill in the email address from Jamf on a per-user basis before distributing the profile. Provided the email is correct in Jamf, this will work. The address can be populated from AD on enrollment or in production, but that is beyond the scope of this article. You could also try Paul Bowden’s SignInHelper script and set the above values using a plist instead, or script it yourself using the Jamf API. The DefaultEmailAddressOrDomain preference is incorrectly documented as an Outlook preference on macadmins.software, by the way.
To make the upgrade as silent as possible, block popups informing the user what’s new with each update:
com.microsoft.office ShowWhatsNewOnLaunch FALSE
Set these autoupdate preferences in the same configuration profile:
com.microsoft.autoupdate2 HowToCheck AutomaticDownload
com.microsoft.autoupdate2 StartDaemonOnAppLaunch TRUE
com.microsoft.autoupdate2 UpdateCheckFrequency 60
com.microsoft.autoupdate2 AcknowledgedDataCollectionPolicy RequiredDataOnly
com.microsoft.autoupdate2 DisableInsiderCheckbox TRUE
com.microsoft.autoupdate2 EnableCheckForUpdatesButton TRUE
com.microsoft.autoupdate2 SendAllTelemetryEnabled FALSE
By setting the update interval to 60 minutes, you make sure the Office applications are updated relatively swiftly.
Also add the Office 2019 App Array from Paul Bowden’s GitHub to the above preference domain, removing apps you are not distributing from the array. This is the essential step that will make sure that msupdate upgrades to Office 2019. Make sure you include the AutoUpdate app in the array. Some of these preferences are not strictly necessary, but recommended to prevent unnecessary popups and ensure the process goes smoothly.
Add this Outlook preference:
com.microsoft.Outlook TrustO365AutodiscoverRedirect TRUE
Repeat the preferences below for Word, Excel, PowerPoint and OneNote (see macadmins.software for the correct keys). The last two preferences might not be necessary, but will make sure we keep in line with the acknowledged data collection policy preference above, which disables that pop-up as well, and block other potential annoyances.
com.microsoft.Outlook kFREIntelligenceServicesConsentV2Key TRUE
com.microsoft.Outlook PII_And_Intelligent_Services_Preference FALSE (or TRUE, if you want to enable these features)
com.microsoft.Outlook NSRequiresAquaSystemAppearance TRUE (disables Dark Mode in Office, which will otherwise be enabled on update for users who have it turned on in Mojave)
com.microsoft.Outlook SendAllTelemetryEnabled FALSE
com.microsoft.Outlook SendASmileEnabled FALSE
Set these (Outlook only) to disable a few more popups/distractions that may make the process less silent:
com.microsoft.Outlook HideCanAddOtherAccountTypesTipText TRUE
com.microsoft.Outlook o365GroupsOobePromoTriggeredPref TRUE
com.microsoft.Outlook googlePromoTriggeredPref TRUE
If you want to disable as much telemetry as possible, you need to set SendAllTelemetryEnabled to FALSE for a few other applications as well:
com.microsoft.Office365ServiceV2 SendAllTelemetryEnabled FALSE
com.microsoft.autoupdate.fba SendAllTelemetryEnabled FALSE
One way of creating the profile quickly is by using Erik Berglund’s ProfileCreator app to make it, modify and clean it up using Xcode, then upload the useful parts into the custom section of a new Jamf configuration profile. If ProfileCreator saves the profile as a .mobileconfig, rename it to .plist before opening it in Xcode. Use the Preferences section of the macadmins.software website and Paul Bowden’s app array as a reference. The app array for Microsoft AutoUpdate that ProfileCreator makes differs slightly from the one from Bowden. In that specific case, use the one from Bowden.
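An added example (not from the original article or from Paul Bowden's tools): a Python check that compares a preference plist against the values listed above and reports drift, so a re-enabled telemetry key or a wrongly typed value is caught before rollout. The value types (boolean, integer, string) and the drifted sample plist are assumptions constructed for illustration.

```python
import plistlib

# Expected values copied from the key lists in this article. The per-user
# e-mail keys are left out because they differ for every client.
EXPECTED = {
    "com.microsoft.office": {"OfficeAutoSignIn": True,
                             "ShowWhatsNewOnLaunch": False},
    "com.microsoft.autoupdate2": {
        "HowToCheck": "AutomaticDownload",
        "StartDaemonOnAppLaunch": True,
        "UpdateCheckFrequency": 60,
        "AcknowledgedDataCollectionPolicy": "RequiredDataOnly",
        "DisableInsiderCheckbox": True,
        "EnableCheckForUpdatesButton": True,
        "SendAllTelemetryEnabled": False,
    },
    "com.microsoft.Outlook": {"TrustO365AutodiscoverRedirect": True,
                              "SendAllTelemetryEnabled": False,
                              "SendASmileEnabled": False},
}

def build_payload(domain):
    """Serialize one domain's expected settings as an XML plist."""
    return plistlib.dumps(EXPECTED[domain], fmt=plistlib.FMT_XML)

def audit(domain, plist_bytes):
    """Return (key, expected, actual) for each missing or mismatched key."""
    actual = plistlib.loads(plist_bytes)  # accepts XML and binary plists
    findings = []
    for key, want in EXPECTED[domain].items():
        got = actual.get(key)  # None when the key is absent
        # Compare the type too: integer 1 or string "60" must not pass
        # for boolean true or integer 60.
        if type(got) is not type(want) or got != want:
            findings.append((key, want, got))
    return findings

# Constructed sample: telemetry re-enabled, the check interval stored as a
# string, and EnableCheckForUpdatesButton missing.
DRIFTED = plistlib.dumps({
    "HowToCheck": "AutomaticDownload",
    "StartDaemonOnAppLaunch": True,
    "UpdateCheckFrequency": "60",
    "AcknowledgedDataCollectionPolicy": "RequiredDataOnly",
    "DisableInsiderCheckbox": True,
    "SendAllTelemetryEnabled": True,
})

if __name__ == "__main__":
    for key, want, got in audit("com.microsoft.autoupdate2", DRIFTED):
        print(f"{key}: expected {want!r}, found {got!r}")
```

On a managed Mac the bytes to audit would be read from the domain's file under /Library/Managed Preferences/.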
Make sure all your users have been assigned the correct Office 365 license in Microsoft’s administration system, and that their Office username is the same as the email address set in the preferences described here. The assigned license needs to be one that supports the use of local Office applications.
The apps will start updating as soon as the new profile is in place and Microsoft AutoUpdate runs, which it will when a user starts one of the Office applications.
You can also trigger the update using a modified version of Paul Bowden’s msupdatehelper script, which leverages Microsoft’s msupdate command-line tool. Make sure a new profile containing the correct app array is in place, then run the script on clients using a Jamf policy.
To modify the script so it works correctly in this use case, replace the old version codes (e.g. MSWD15 for Word) with the correct ones for Office 2019/365 (MSWD2019 for Word) in the latter section of the script. See the Office 2019 App Array above for the correct codes. Then, set the apps you will not update to false (usually the last three) in the upper section of the script. Lastly, replace the versions to update to (“latest” in the example script) with the exact version number for the Office 365 apps you will update to, also in the upper section of the script. You can find the version numbers on macadmins.software. As of the time of writing, the latest version for the main Office 2019/365 apps is 16.27.19071500.
Instead of running Bowden’s script, you could probably make a shorter script running msupdate in the context of the logged-in user, specifying to download the latest version by its version number. Let me know if you have tried doing it this way, in the comments below.
If you already have a profile for Office 2016 in place, make sure you distribute the new one before removing the old one, as it is imperative that Outlook knows what email address the user has for the mailbox to function correctly.
If you want to update one client or a small group of clients at a time, you can use a static computer or user group to specify the computers that will receive the update. Add the group to the list of exclusions for the old profile, while including it in the scope of the new profile. Create a policy running the modified msupdatehelper script on clients that have gotten the new profile.
You can also use smart groups to make sure the policies and profiles are only applied to computers that have the updated version of Microsoft AutoUpdate. Having clients report inventory once a day might be a good idea to keep things moving at a sensible pace.
Do not enable the preference that disables the Office 365 activation dialog on first launch, and test with each new preference you set to make sure everything still works as desired.
If you need OneDrive and Teams, you can distribute these using Patch Management or policies initially, while distributing the full Office 365 BusinessPro suite including these apps to new users. There isn’t currently a good solution to prefilling credentials in these apps, unfortunately (OneDrive prefill can be scripted, but it might be better to wait until Microsoft comes up with something that works more smoothly).
Users who are not using Outlook might get prompted for their Office 365 user password. Some configurations might require the user to manually activate the software in the top menu. Let me know your experience with this in the comment section.
The next version of Office 2019/365 will be released on August 13th and will feature a revamped set of privacy keys. Make sure you check the macadmins.software website regularly to keep up with the latest changes.