Sunday, August 3, 2014

Using Meraki Systems Manager to Distribute Management Profiles for OS X Over the Air



This article came out of my frustration with Apple's Profile Manager (APM).  I had been successfully running APM for about a year, but over the summer was cleaning up device groups. APM then went sideways.  Profile updates stopped being pushed out unless I rebooted the system and even then systems wouldn't update the profile information.

I have always been a big fan of Meraki's Systems Manager.  It is free, works in the cloud and for the most part is very reliable.  Before considering Meraki, I had read some excellent articles (here and here) about how to use Apple Remote Desktop (ARD) to push out configuration profiles.  These articles show you how to use ARD to remove and install management profiles.

So, then I thought,  what about using Meraki as the delivery method?  You can create mobile profiles for OS X in APM,  and use Meraki to distribute them.

The following steps assume:

  • You have a functioning Meraki Systems Management setup.
  • You have installed the Meraki client on your OS X system.  You can install the client pkg through ARD,  so it's not too hard. 
  • You have Apple Profile Manager running to the extent you can create management profiles.
  • You have created an Apple MDM push certificate and uploaded it to your Meraki dashboard. (See MDM > Add devices > Apple profile setup and Apple push certificate status) 

  1. Create Mobile Profiles using Apple’s Profile Manager.
  2. Download those profiles, create a profile in Meraki Systems Manager (MDM > Profiles > Add New > Configuration > choose "Upload a custom iOS/OS X configuration"), and upload the profile you created in Apple Profile Manager. (see figure 3)
  3. Remove any existing profiles and copy the desired mobile profiles using these steps:
    • Download your Meraki Mobile profile:  using any browser (except Safari) go to m.meraki.com and enter your network ID. (You can find your network ID by logging into your Systems Manager > MDM > Add Device > OS X.)
    • Create this ARD UNIX task to run as root: profiles -D -f; rm -R /var/db/ConfigurationProfiles/Setup/; mkdir /var/db/ConfigurationProfiles/Setup/ (see figure 1)
    • Create an ARD task to run to copy the mobile profile you downloaded to /var/db/ConfigurationProfiles/Setup/  (Click the dropdown next to “Place items in” in the task and choose “Specify Full Path.”)(see figure 2)
    • Reboot the system.
    • Repeat steps 2-4 to add other systems to Meraki mobile management.
  4. Tag the systems in Meraki to which you wish to assign your newly created profiles.


The profiles sometimes take several hours to install and sometimes only a matter of minutes.
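The removal and copy from step 3 combined into one root task, with the downloaded profile checked before anything is deleted, so a failed or altered download does not leave the Mac with no profiles. This is an added example, not part of the original article; it assumes the profile has already been copied to the client and that you recorded its SHA-256 when you downloaded it, and `stage_profile` and `sha256_of` are hypothetical helper names.

```shell
#!/bin/sh
# Added example. Run as root on the client Mac (for instance as an ARD UNIX task).
# Assumptions: stage_profile and sha256_of are hypothetical helper names, and
# the expected SHA-256 is one you recorded when you downloaded the profile.

SETUP_DIR="/var/db/ConfigurationProfiles/Setup"

sha256_of() {
    # shasum ships with OS X; sha256sum is the fallback on other systems.
    if command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        sha256sum "$1" | awk '{print $1}'
    fi
}

# stage_profile PROFILE EXPECTED_SHA256 [TARGET_DIR]
stage_profile() {
    profile="$1"; expected="$2"; target="${3:-$SETUP_DIR}"

    # Validate first so a bad download never leaves the Mac with no profiles.
    [ -f "$profile" ] || { echo "profile not found: $profile" >&2; return 2; }
    actual=$(sha256_of "$profile")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch: got $actual" >&2
        return 3
    fi

    # Remove installed profiles only when working on the real Setup directory.
    if [ "$target" = "$SETUP_DIR" ]; then
        profiles -D -f || echo "profiles -D -f reported an error" >&2
    fi

    # Sequential steps (not a pipeline): each finishes before the next starts.
    rm -rf "$target" || return 4
    mkdir -p "$target" || return 4
    cp "$profile" "$target/" || return 5
    return 0
}

# Stand-alone use: sh stage_profile.sh /path/to/profile.mobileconfig <sha256>
if [ "$#" -ge 2 ]; then
    stage_profile "$@"
fi
```

Passing a third argument points the function at a scratch directory and skips `profiles -D -f`, which lets you rehearse the task without touching a managed Mac.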


Figure 1:

Figure 2:

Figure 3:





Thursday, July 24, 2014

Running a Cloud Print Server for a Macintosh Environment

Introduction:  Macintosh OS X Server 10.6 was the last OS X that provided an easily configured print server.  Even then,  the print server was prone to stalling out and required a lot of monitoring.

Enter Google and Cloud Print.   Using Cloud Print you can have a reliable print server that you can access from anywhere.  There are limitations vs. a native print server but for providing print services to students using GAFE (Google Apps for Education) it is a viable solution.


Setup:

Using a Windows 7 system (virtual or real):
  • Install Google Cloud Print Service
  • Set up Cloud Printer User: set up a user in your GAFE to handle the sharing. You can use something like cloudprint@yourdomain.com.  Log in as this user on this Windows system.
  • Set up printers as you would normally for a Windows computer (Start > Devices and Printers > Add a printer).  The printers can be legacy printers.  Any printers installed on the system will automatically be published as Cloud Print printers.
  • Use PostScript Drivers: If setting these printers up for use with Macintosh computers make sure you use the PostScript drivers (and not the PCL print drivers).  Macs like PostScript and not PCL.
  • Naming the Printers: when naming the printers I put "cp" as the first 2 characters for "Cloud Print."  So, cp_2nd_Floor_HP4100 for example. It doesn't matter what you name it, but the more descriptive the better because that is what the end user will see when selecting the printers.
  • Sharing the Printers: make your cloudprint@yourdomain.com user a member of all the groups for which you want to share printers.  So, add the user to the class of 2016 group (2016@yourdomain.com).  To share, log in as cloudprint@yourdomain.com, go to www.google.com/cloudprint, click on the printer you want to share and click the green share button.  Add the groups and users you wish to share the printer with and you are done.
Limitations:
  • You may not be able to take advantage of advanced printing features such as duplexing and multiple copies or collation.
  • Printing from Chrome and Google Drive is simple and direct (even from iOS).  Printing from other apps, such as Microsoft Word or Keynote or any non-Chrome or Google Drive app, is tougher but not impossible.  End users go to https://www.google.com/cloudprint in their Google account, click the red "Print Button" and choose "Upload file."  They can then navigate to the Word or Keynote file, upload it and direct it to a Cloud Printer.
Other:

Saturday, May 3, 2014

Beta Bot on Windows

Thank goodness for OpenDNS.  I have to admit I am more adept at managing Macintosh systems.  I do manage an Active Directory based Windows setup.  I have endpoint security with Sophos and have installed CryptoPrevent and GPOs to prevent CryptoLocker.

I have installed the Umbrella client on all my desktops and laptops under management, both Macs and Windows systems.  I noticed a Windows 7 system trying to phone home to these web addresses: fapncam.com, frizzcams.com and update-silo.com.  Googling these sites didn't show much but pointed me to a trojan called BetaBot as being the culprit.  In particular it pointed to safpdndnn.exe being installed.

Neither Malwarebytes nor Sophos detected it.  I used SpyHunter to find it but I wouldn't recommend that program.  It wants to mess with your system's DNS settings.

Here's how I removed it:
1. Use PartedMagic (or you could use any Linux Live Distro) and boot into it.  (Try this article on how to do this if you need help.)
2. Navigate to C:\ProgramData\\m9dt73hfbjh\safpdndnn.exe and delete the file.

The kicker is after giving the user a new clean system the infection showed up again.  I had never gotten to the bottom of what caused the original infection.  My bad for sure.  It turned out to be a resume downloaded from Craig's List.  How fun.  

Not to hate on Microsoft products but how frustrating.  Yes,  the end user shouldn't have downloaded .doc files from questionable sources.  Macros should be locked down.   For whatever feelings you have about Google Docs at least for the time being,  they are not an infection vector.
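A way to sweep DNS logs for the three call-home domains named above and list which clients queried them, useful for spotting other affected machines or a reinfection like the one described. This is an added example, not from the original post; the log format, the sample lines and the function names are assumptions.

```shell
#!/bin/sh
# Domains named in the post as BetaBot call-home destinations.
BETABOT_DOMAINS="fapncam.com frizzcams.com update-silo.com"

# Constructed sample log; assumed format: "<timestamp> <client-ip> <query-name>"
sample_dns_log() {
    cat <<'EOF'
2014-05-01T09:14:02 10.0.4.21 www.google.com
2014-05-01T09:14:07 10.0.4.37 fapncam.com
2014-05-01T09:14:09 10.0.4.37 cdn.Update-Silo.com.
2014-05-01T09:15:30 10.0.4.21 notfapncam.com
2014-05-01T09:16:44 10.0.4.37 frizzcams.com
2014-05-01T09:17:01 10.0.4.52 update-silo.com.example.org
2014-05-01T09:18:12 10.0.4.37 fapncam.com
EOF
}

# Reads log lines on stdin; prints "<client-ip> <matched-domain> <count>".
find_betabot_queries() {
    awk -v list="$BETABOT_DOMAINS" '
        BEGIN { n = split(list, dom, " ") }
        {
            q = tolower($3)
            sub(/\.$/, "", q)                 # drop the trailing root dot
            for (i = 1; i <= n; i++) {
                suffix = "." dom[i]
                tail = substr(q, length(q) - length(suffix) + 1)
                # Match the domain itself or a true subdomain, not look-alikes.
                if (q == dom[i] || (length(q) > length(suffix) && tail == suffix)) {
                    hits[$2 " " dom[i]]++
                    break
                }
            }
        }
        END { for (k in hits) print k, hits[k] }
    ' | sort
}

sample_dns_log | find_betabot_queries
```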

Tuesday, April 1, 2014

Fun with VMWare Fusion - Using SuperDuper! and Parallels to solve Fusion Issues



VMWare Fusion is my virtual hypervisor of choice.   You can leverage OS X's awesome ability to copy a running system with Carbon Copy Cloner and thus easily back up your virtual machines for a low cost.  For my situation, a K-8 school, daily backups of the virtual machines are more than enough.  Data is stored on Google Drive for students, so really I just have virtual machines that serve out Munki, or Profile Manager or Deploy Studio and the like.


Carbon Copy Cloner won't copy the .vmdk of a virtual machine.
The specific error was "An error occurred while CCC was Reading data from the source   . . . {path to the virtual machine} Virtual Disk-000001.vmdk."   I had created a snapshot of this VM.   So, I thought I could merge the snapshots and clear out the problem.  No dice.  I couldn't even copy the file.  I did the usual, disk utility on the host machine and the VM and no issues.  I also ran a privilege repair.  Nothing was working.  

So, the clue that helped me figure this out was about a month ago I had converted a physical 10.6.8 OS X server I had setup to run Deploy Studio and Munki on.  I had backed up this system using SuperDuper! to an external hard drive.  I attached that hard drive to the VM host and then to a generic OS X VM I had setup.  Inside the VM I created another blank virtual disk and ran SuperDuper! and copied the physical backup to the new virtual disk inside the generic VM.  After cloning the drive, I changed the boot drive to my newly cloned virtual disk and success.

So, with my current problem of the corrupted and uncopyable virtual disk I did a similar maneuver.   This time I created a new virtual disk inside this troublesome VM, cloned one virtual hard drive to another, booted up to the new hard drive, and success.  I could simply delete the old troublesome .vmdk file and now CCC could copy.


Fusion P2V Fails to Copy Windows Physical System

In this case, I was trying to use Fusion 6 to copy a physical system to a virtual system.  I kept getting network errors despite removing anti-virus and turning off the Windows 7 firewall.   Parallels to the rescue.  I fired up Parallels and successfully copied over the Windows 7 physical computer to a Parallels virtual system.  I then copied the Parallels VM over to my Fusion host.  From Fusion I chose File > Import and successfully imported the Parallels VM into Fusion.


Conclusion
Don't be afraid to use other tools to solve your issues.  Remember, even though you are working in a virtual environment, tools like SuperDuper! still work inside a virtual system.  Or if one VM host software's P2V tools don't work, then try another VM host software to help solve your issues.

Tuesday, January 21, 2014

What hard drive should I buy?

Backblaze is an online backup storage company.  They use tens of thousands of hard drives and have been able to collect data as to failure rates for various makes of hard drives.

Here is what Backblaze found:  http://blog.backblaze.com/2014/01/21/what-hard-drive-should-i-buy/
