Jamf Pro in a Virtual Box

Overview

Jamf Pro server can be a funny and fickle beast. When testing different policies that are unique or upgrading to a new version of Jamf Pro, it’s best not to try it on the production server first. Sometimes the process of testing a new release or beta can easily break, and having an automated process to quickly rebuild a macOS test environment can save you tons of time and frustration. These instructions are built using macOS but the methodology might be able to be applied to other operating systems.

Tools

To get started there is a few tools that are needed for the process.

AutoDMG, creates never booted images.

CreateUserPkg, builds a preconfigured user package.

vfuse, converts the image from disk image to virtual machine.

VMware Fusion, runs the virtual machine.

Jamf Nation account with access to Jamf Pro Assets.

Configure Jamf Pro, automatically configures a Jamf Pro instance.

AutoDMG and CreateUserPkg are tools developed by Per Olofsson. AutoDMG builds a never-booted disk image that can be used to image Macs. To build the image it uses the latest macOS installer to find any updates that need to be applied and any custom packages. CreateUserPkg creates packages to deploy macOS user accounts.

vfuse is a open source command line tool developed by Joseph Chilcote. vfuse takes a disk image and converts it to a virtual machine for use in VMware Fusion.

Configure Jamf Pro is a script that I wrote that to mimic the Jamf Pro installer process, but without all the prompts. The script will configure and start both MySQL and Tomcat. To configure MySQL, I needed to know what the admin password was without prompting the user. I found that when I removed /usr/local/mysql/data/mysql/db.frm and ran the initialize command again, MySQL would create a new password and return it. With the password in hand I can set the root password for MySQL and configure the database to the specifications of Jamf Pro. For Tomcat, I had to create the self-signed certificate that the computer uses to authenticate to the Jamf Pro server. Tomcat also needed some specific logging directories to be created before it would start.

Building Jamf Pro in a Virtual Box

Step 1: Download and create packages

Before we can build an image we will need to download and create a few custom packages:

Most of these packages you can download from the above links. There are a few packages that will need to be created from scratch. Java Cryptography Extension (JCE) & MySQL are packages that will need a custom installer and be recreated with each new release. The MySQL installer calls System Events to display a dialog box of the admin password. The post install script has to be removed, then the contents of the MySQL package need to be recreated. When the Configure Jamf Pro script runs, it recreates the admin password for the MySQL Server. The Java JCE doesn’t need any additional customization, the files just need to be put into a package for installation.

To create a flat package we will be using pkgbuild. pkgbuild is a system utility that you can use to build basic installer packages.

Topher% pkgbuild -h Usage: pkgbuild [options] --root [--component-plist ] Build a package from an xcodebuild destination root Usage: pkgbuild --analyze --root Create template component plist from an xcodebuild destination root Usage: pkgbuild [options] {--component } Build a package from one or more previously-built bundles See pkgbuild(1) for details. 1 2 3 4 5 6 7 8 9 10 11 Topher% pkgbuild -h Usage: pkgbuild [options] --root [--component-plist ] Build a package from an xcodebuild destination root Usage: pkgbuild --analyze --root Create template component plist from an xcodebuild destination root Usage: pkgbuild [options] {--component } Build a package from one or more previously-built bundles See pkgbuild(1) for details.

Create a directory that will serve as the project directory for this package.

topher$ mkdir AppleSetupDone_Package 1 topher$ mkdir AppleSetupDone_Package Inside of the project directory create another file but this time call it ROOT .

topher$ mkdir ROOT 1 topher$ mkdir ROOT Build out the directory structure to match where the files will go when installed.

topher$ mkdir -p AppleSetupDone_Package/var/db 1 topher$ mkdir -p AppleSetupDone_Package/var/db Place the files that need to be installed into the directories.

topher$ touch .AppleSetupDone topher$ ls -al total 0 drwxr-xr-x 3 root wheel 102 Jan 18 2017 . drwxr-xr-x 4 root wheel 136 Jan 18 2017 .. -rw-r--r-- 1 root wheel 0 Jan 18 2017 .AppleSetupDone 1 2 3 4 5 6 topher$ touch .AppleSetupDone topher$ ls -al total 0 drwxr-xr-x 3 root wheel 102 Jan 18 2017 . drwxr-xr-x 4 root wheel 136 Jan 18 2017 .. -rw-r--r-- 1 root wheel 0 Jan 18 2017 .AppleSetupDone Include any pre- and post-flight install scripts that need to be executed during installation. However, we won’t need any for this package. Change the permissions on the ROOT folder inside of the project folder to be owned by the root user.

topher$ chown -R root:wheel ROOT/ topher$ ls -al total 32 drwxr-xr-x 5 u0495452 staff 170 Aug 8 15:31 . drwxr-xr-x 44 u0495452 staff 1496 Aug 11 15:22 .. drwxr-xr-x 4 root wheel 136 Jan 18 2017 ROOT 1 2 3 4 5 6 topher$ chown -R root:wheel ROOT/ topher$ ls -al total 32 drwxr-xr-x 5 u0495452 staff 170 Aug 8 15:31 . drwxr-xr-x 44 u0495452 staff 1496 Aug 11 15:22 .. drwxr-xr-x 4 root wheel 136 Jan 18 2017 ROOT Build the package using this command:

pkgbuild --root ROOT --identifier com.your.domain.applesetupdone --version xx AppleSetupDone.pkg

topher$ pkgbuild --root ROOT --identifier edu.utah.applesetupdone --version 1.0 AppleSetupDone.pkg pkgbuild: Inferring bundle components from contents of ROOT pkgbuild: Wrote package to AppleSetupDone.pkg 1 2 3 topher$ pkgbuild --root ROOT --identifier edu.utah.applesetupdone --version 1.0 AppleSetupDone.pkg pkgbuild: Inferring bundle components from contents of ROOT pkgbuild: Wrote package to AppleSetupDone.pkg The package will be located in the project folder.



Now it’s ready to be installed on a computer to prevent the Apple Setup dialog boxes displaying when starting up the computer for the first time. MySQL, Java JCE and any other custom installers that need to be included can be built using the same process.

Step 2: Creating a never-booted disk image using AutoDMG

AutoDMG is a powerful tool for never-booted disk image creation. Leveraging the image creation of AutoDMG, we can create a never-booted disk image that can be passed to vfuse to convert to a virtual machine. AutoDMG has two sections of packages, the first section is for OS Updates that are pulled down by AutoDMG using the latest base installer. The second section is for custom packages. We will be putting all the packages that we just downloaded or created into that section.

To create a development macOS Jamf Pro server image:

Open AutoDMG .

Drop the OS X Installer into the top panel.

Download updates when available.

Add all the downloaded and created packages that were built in Section 1. Custom MySQL

Jamf Pro Installer

JDK 8

Custom Java JCE

Configure Jamf Pro

CreateUserPkg

Disable Apple iCloud Diagnostic and Siri Pop-Ups

AppleSetupDone

Start the image build process by clicking on “Build” and selecting a place to store the image. The process will take about 30 to 45 minutes to complete.

When finished, the never-booted disk image is a ready Jamf Pro development server. The disk image can be use to create virtual machines in VMware or image physical systems for testing and development work.

Step 3: Creating a virtual machine using a disk image

vfuse is a command line tool that interfaces with virtual machines. It has many features including monitoring, naming, creating a virtual machine from a disk image and other customizations can be made to the virtual machine.

Using the disk image we built with AutoDMG , we can input it into vfuse to build a virtual Jamf Pro development server for testing.

Topher% /usr/local/vfuse/vfuse -h usage: vfuse [-h] [-i INPUT] [-o OUTPUT] [-n NAME] [-w HW_VERSION] [-m MEM_SIZE] [-s [SERIAL]] [-t TEMPLATE] [-e] [-p PACKER] [--hw-model HW_MODEL] [--start [START]] [--stop STOP] [--reset RESET] [--use-qemu] Create and monitor VM from source DMG. optional arguments: -h, --help show this help message and exit -i INPUT, --input INPUT /path/to/dmg -o OUTPUT, --output OUTPUT /path/to/output/dir -n NAME, --name NAME Use a custom name -w HW_VERSION, --hw-version HW_VERSION VMware hardware version -m MEM_SIZE, --mem-size MEM_SIZE Memory Size in MB -s [SERIAL], --serial [SERIAL] Custom Serial number -t TEMPLATE, --template TEMPLATE Use a template -e, --esx Create pre-allocated ESX-type VMDK -p PACKER, --packer PACKER Populate a packer template --hw-model HW_MODEL Custom hardware model --start [START] Start monitoring of VM --stop STOP Stop monitoring of VM --reset RESET Reset monitored VM --use-qemu Use qemu-img intead of the Fusion CLI tools 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 Topher% /usr/local/vfuse/vfuse -h usage: vfuse [-h] [-i INPUT] [-o OUTPUT] [-n NAME] [-w HW_VERSION] [-m MEM_SIZE] [-s [SERIAL]] [-t TEMPLATE] [-e] [-p PACKER] [--hw-model HW_MODEL] [--start [START]] [--stop STOP] [--reset RESET] [--use-qemu] Create and monitor VM from source DMG. optional arguments: -h, --help show this help message and exit -i INPUT, --input INPUT /path/to/dmg -o OUTPUT, --output OUTPUT /path/to/output/dir -n NAME, --name NAME Use a custom name -w HW_VERSION, --hw-version HW_VERSION VMware hardware version -m MEM_SIZE, --mem-size MEM_SIZE Memory Size in MB -s [SERIAL], --serial [SERIAL] Custom Serial number -t TEMPLATE, --template TEMPLATE Use a template -e, --esx Create pre-allocated ESX-type VMDK -p PACKER, --packer PACKER Populate a packer template --hw-model HW_MODEL Custom hardware model --start [START] Start monitoring of VM --stop STOP Stop monitoring of VM --reset RESET Reset monitored VM --use-qemu Use qemu-img intead of the Fusion CLI tools

How to use vfuse to build a virtual machine:

In terminal, cd to the directory that the virtual machine will be saved to. Run /usr/local/vfuse/vfuse -n devJSS_version -i /path/to/disk_image

/usr/local/vfuse/vfuse -n devJSS_9.100 -i ~/osx_custom_170814-10.12.6-16G29.hfs.dmg Mounting ~/osx_custom_170814-10.12.6-16G29.hfs.dmg macOS version is 10.12.6 Using VMware Fusion path: /Applications/Virtual Machines/VMware Fusion.app Converting DMG to VMDK Hiding file extension Populating VMX file Unmounting Base OS DMG VMware Fusion VM created at ~/devJamfPro_9.100.vmwarevm 1 2 3 4 5 6 7 8 9 /usr/local/vfuse/vfuse -n devJSS_9.100 -i ~/osx_custom_170814-10.12.6-16G29.hfs.dmg Mounting ~/osx_custom_170814-10.12.6-16G29.hfs.dmg macOS version is 10.12.6 Using VMware Fusion path: /Applications/Virtual Machines/VMware Fusion.app Converting DMG to VMDK Hiding file extension Populating VMX file Unmounting Base OS DMG VMware Fusion VM created at ~/devJamfPro_9.100.vmwarevm Boot the virtual machine.



Step 4: Initial start of the Jamf Pro server

The virtual machine will autologin to the user that you created using the CreateUserPkg tool. Once logged in, Safari will open the startup page for the Jamf Pro server. The virtual machine uses a self-signed certificate, accept it to continue to load the setup Jamf Pro server page. The first setup page is a license agreement. Read through and accept the license agreement.

Next, it is time to enter in the development activation code. To find your development Jamf Pro activation go to Jamf Nation, login in and select “My Assets”.

Select “Activation Code” on the Assets page.

On this page there will be two activation codes. One is for your production Jamf Pro Server and the other is for “Customer Test and Development”. We will use that code for the development Jamf Pro server. First, enter your organization name as it is listed on Jamf Nation. Now, enter the “Customer Test and Development” activation number.

Create a user to login to your Jamf Pro server with. You can always change it or connect to an LDAP server later.

Create a Jamf Pro server URL for your development server this will help avoid issues with the certificates using a fully-qualified domain name (FQDN). An FQDN is the complete domain name for a specific computer, or host. The FQDN consists of two parts: the hostname and the domain name.

An example of an FQDN would be https://dev-jamfpro.myschool.edu:8443/

The setup is now finished! Go out there and do some testing on your new development Jamf Pro server. Here is a short video of the whole process. It has been sped up from an hour to a minute and a half.

Importing a Production Server into the Development Jamf Pro Server

It may be useful to test with a clone of your production server, instead of a blank environment. Here is how you would go about making a copy of the production Jamf Pro server.

Export the production server. Open the JSS Database Utility by running: /Library/JSS/bin/JSSDatabaseUtil.jar

Click “Save Backup now”.

Backups can also be saved through the terminal. sudo java -jar /Library/JSS/bin/JSSDatabaseUtil.jar backup -saveBackupTo /save/to/path

Import the database into the development Jamf Pro server. Open the JSS Database Utility by running: /Library/JSS/bin/JSSDatabaseUtil.jar

Click “Restore Backup Now” and select the .sql.gz backup file. Depending on the size of Jamf Pro database the restore process will take about an hour.

Enrolling Clients to the Development Jamf Pro Server

When preforming some testing with the development Jamf Pro server, clients need to be enrolled to the development server and not to the production. Here are some steps to move your client from the production server to the development server.

Install the Casper Suite Applications. The Casper Suite should be located in “My Assets” on the Jamf Nation website

Open the disk image containing the Casper Suite Application and place them into Applications. Modify /Library/Preferences/com.jamfsoftware.jamf.plist Change the JSS_URL string to the URL of the development Jamf Pro server. The computer is very loyal to the production Jamf Pro server. Changing the Jamf Pro Address. In Recon, change the Jamf Pro Address to the URL of the development Jamf Pro server.



A window will come up stating that the Jamf Pro server address has been changed.

Creating a QuickAdd Package Recon will now connect to the development Jamf Pro server. This is the main screen, it displays the information about the computer Recon is currently running on. To begin testing with the development server, we will need to enroll the test computers. To do this we will need to create a QuickAdd Package.



Select QuickAdd Package



Fill out the information: Username: [LOCAL ADMIN ACCOUNT] Password: [LOCAL ADMIN PASSWORD]



Name the QuickAdd Package with the version of Jamf Pro that it is built for.

As a final check before using the QuickAdd Package for testing, open the package and look to make sure that the post install script has the development Jamf Pro server URL listed.

Test the QuickAdd Package on a test computer. Before enrolling the test computer to the development Jamf Pro, run jamf removeFramework . The command will remove all Jamf frameworks and preferences from the computer.

Topher# jamf removeFramework Removing scheduled tasks... Removing self service... Removing JAMF Preferences file... Removing JAMF Daemon Log files... 1 2 3 4 5 Topher# jamf removeFramework Removing scheduled tasks... Removing self service... Removing JAMF Preferences file... Removing JAMF Daemon Log files...

. The command will remove all Jamf frameworks and preferences from the computer. Install the QuickAdd package. There are conditions where the package can fail to install if enrollment scripts encounter errors. Check the installer log or /var/log/jamf.log for messages. Check the Jamf Pro binary by running jamf version to check it’s version. Make sure that the correct version is displayed.

Topher% jamf version version=9.100 1 2 Topher% jamf version version=9.100

to check it’s version. Make sure that the correct version is displayed. Check the Jamf Pro Server URL by running jamf checkjssconnection that it is pointing to the correct server.

Topher% jamf checkjssconnection Checking availability of https://dev-jamfpro.myschool.edu:8443/... The JSS is available. 1 2 3 Topher% jamf checkjssconnection Checking availability of https://dev-jamfpro.myschool.edu:8443/... The JSS is available. Run example policies on the test computer.

Future Updates

This is the initial release of Jamf Pro in a Virtual Box. I have many features that I am considering:

Reduce manual interaction with the script.

Implement AutoDMG command line tool for image & VM creation.

command line tool for image & VM creation. Move Jamf Pro server URL, user info and activation code into configuration file.

Automate adding self-signed certificate to the Keychain.

If there are any features that you would like, please comment below or create an issue on the GitHub page.