Everybody Staze...

Nobody leavz...

  • Home
  • About Me
    • LinkedIn
    • Lab
  • Contact
  • Links
  • Reviews
  • Sitemap
  • Weather
You are here: Home / Archives for Sys Admin

PrintNightmare is just the worst…

2026/04/24 By staze Leave a Comment

Just thought I’d throw this up there. Turns out, MS made some interesting choices closing the PrintNightmare (CVE-2021-34527, CVE-2021-1675) hole. We found one of those interesting choices earlier this week when a print server was just slammed at 100% CPU all day. For those that don’t know, I work in higher ed. And much to our dismay, we have a lot of print servers (currently over 20, when it should be like, 3?). Since PrintNightmare, you have to have a list of allowed print servers that computers are allowed to use. Great. So, we have a GPO that does this. What happens is computer is told to map a printer, and if the print server is on the list, it’s mapped, and if it isn’t, it isn’t. Simple, yea? Well here’s the rub: it checks the list AFTER it connects to the print server. Some may see where this is going…

Long ago, we realized GPOs to map printers are inconsistent. Especially on lab machines with lots of turnover. So, we moved to using a login script to do the work. So user logs in, script runs to map printer, if it can’t map the printer, it tries again (just to account for network issues, server outage, etc). This week, that resulted in a DDoS of the print server because someone changed the GPO to not include the print server in the GPO allowed list… and because MS made an odd choice.

Best I can tell, here’s what happens

  1. Computer gets told to map printer on print server
  2. Computer connects to print server to check for printer
  3. Computer checks approved list of print servers and either maps printer, or rejects

So, if you ask me, steps 2 and 3 are wrong. They should be reversed and the computer should check the approved list before it auths to the print server. In our case, with 800+ computers all hitting the print server over and over again, lsass VERY quickly was overwhelmed with auth requests and the print server would start alerting about CPU/memory.

Maybe I’m daft and MS had a reason for doing it this way, but damn does it just seem backward to me.

Filed Under: Sys Admin, Work Tagged With: Windows

The coming Jamf LAPS Enforcement

2024/01/08 By staze 2 Comments

Update 2024-01-26: Jamf has finally seen the concern and will no longer be forcing this change. See update on my Jamf Nation thread here: https://community.jamf.com/t5/jamf-pro/upcoming-change-will-enforce-laps-on-prestage-admin-accounts/m-p/308912/highlight/true#M269092

Happy new year, and sorry for being afk for so long.

Quick Definitions before diving into this.

LAPS: Local Admin Password Solution. Something initially created by Microsoft to solve the static local admin password problem (setting the same “sekritpassword1!” password on all your computers “administrator” accounts makes it super bad when that password gets compromised)
ADE/DEP: Automated Device Enrollment/Device Enrollment Program (former name is DEP). This is Apple’s system that allows registering a serial number on Apple’s systems so it automatically joins an MDM solution during Apple’s Setup Assistant.
MDM: Mobile Device Management. A somewhat antiquated term, but still used outside it’s initial intent. This is the management system used to manage/control both computers and mobile devices.
Jamf: Both a company (JAMF, NASDAQ), and a set of Products, in this case, shorthand for Jamf Pro.
Prestage Enrollment: Jamf’s configuration that leverages ADE/DEP assigned machines. Basically “What should I do with this computer that’s been assigned via ADE?”
Secure Token: The “permission” required to unlock FileVault on a FileVault protected computer.
Volume Ownership: An additional “permission” required to apply OS updates and upgrades on Apple Silicon computers
Bootstrap Token: A token escrowed with the MDM solution that can be used to grant a given user account Secure Token/Volume Ownership during OS login.
FileVault: Apple’s full disk encryption technology. Of note, FileVault prevents full OS boot, so the login window seen on a FileVaulted computer is PRE-OS boot. This means anything that requires network access cannot happen at the FileVault login. After FileVault login, that login information is usually passed to the OS so there isn’t a second login prompt.

With that out of the way…

I wanted to bring up that a big change is coming to Jamf soon and they (Jamf) seem to think it’ll be well received all around: forced LAPS for Prestage (ADE/DEP) admin accounts (See bullet 2 here, https://learn.jamf.com/bundle/jamf-pro-release-notes-current/page/Deprecations_and_Removals.html, “Functionality to specify the local administrator account for computers in a PreStage enrollment”).

On it’s face, this sounds great. Static passwords are bad. LAPS is good. Right? Right?!

So yes, Good LAPS is good. Bad LAPS is… bad. Very bad.

First, Jamf is using Apple’s inferior LAPS functionality via the MDM “SetAutoAdminPassword” (https://developer.apple.com/documentation/devicemanagement/set_the_local_administrator_password). This basically just pushes a new hashed password into the OS, which breaks Secure Token and Volume Ownership (due to Apple reality). So Prestage configured admin accounts will no longer have any Crypto permissions (no logging into a Filevaulted computer, Applying updates on Apple Silicon machines, etc.

Second, Jamf is also forcing their same 29 character passwords (like Recovery Lock). 

Jamf has said “you can use the management account!” but many of us with Jamf Pro infrastructures that span several years (with thousands of computers) have management accounts that were used for Jamf Remote, never actual login. Jamf remote is no more, and Jamf decided to repurpose this formerly invisible account to be some kind of “admin” account (I honestly don’t know who they’re talking to sometimes). Those accounts are named who knows what (because it wasn’t visible), have no secure token, and still would rely on Jamf’s immature LAPS.

So, you say, “Just ignore Prestage admin account!” Somewhat easier said than done. If you don’t have that account created via Prestage, you cannot skip account creation (which makes sense, why would you want a computer with no accounts). So, you make the Prestage admin account some throw away account name that you can delete, or use in an emergency with the FileVault recovery key. Then you have a policy create your _real_ admin account. Great (assuming enrollment policies actually run properly). You login, but now notice that that account doesn’t have secure token, and bootstrap hasn’t been escrowed (it’s unclear why this is happening, as the first user to login SHOULD get SecureToken, and bootstrap should escrow. However, having tested this several times on a current macOS 14.2.1 machine, I can confirm this is the behavior). So you have to do the whole “no accounts have secure token, so you can grant secure token to the account itself” (sysadminctl -secureTokenOn username -password “password” -adminUser “username” -adminPassword “password”), and then manually escrow bootstrap (profiles install -type bootstraptoken). All good, but more and more work to work around Jamf’s decisions. 

We’ve spent months trying to convince Jamf to make this change optional. As mentioned, we don’t disagree with LAPS, good LAPS is good. We use it across the fleet of several thousand machines (we used a product called EasyLAPS). We just think their (Jamf’s) implementation is sub-par (and certainly below the level of EasyLAPS, which we pay for because it’s a good product). 

I think Jamf has a blind spot on this, and they’re not properly alerting their users this change is coming, and coming SOON! (we’re being told it’s scheduled for 11.3, which is slated for February). And because they don’t hear anyone upset (other than us?), they think everyone is cool and happy with this change. But they’re also not about to alert everyone either (I’m sure many many Jamf admins don’t bother reading the Deprecations and Removals section of the release notes (note! you should read these! You should read ALL the release notes)). We’ve met more than once with the Project Manager that’s working on the LAPS rollout, and it goes no where (instead of listening to us, and our concerns, it turns into “how can we help you implement our LAPS solution?”). We’ve told Jamf this, but it’s honestly making us look at switching MDM vendors, which I’m sure you realize is a HUGE undertaking.

Filed Under: Sys Admin Tagged With: ADE, FileVault, Jamf, LAPS, MDM

Migrating Mail.app POP3 user to Exchange/IMAP

2017/06/07 By staze

My work, or University as a whole, has two email systems. One linux based, using Dovecot and Sendmail, and the other being Exchange 2013. In an effort to “simplify” things, IT units around campus are being tasked with migrating all employees over to Exchange. Since I had been doing this on my own for a while, when the call went out officially, I only had about 60 users to do. Sadly, of those 60 or so, 3 of them were using POP3 and Mail.app. After beating my head against a wall trying to automate this migration, I finally just did it manually for one user. Except then, a problem arose.

Apple Mail (Mail.app) uses the filesystem date/time as the “Date Received” in views. It doesn’t use the header in the message (that header is instead reflected in “Date Sent”). So all the mail I manually copied over had the wrong “Date Received” (it moved to the day I did the migration, not the date it was actually received). =(

Sadly, though, the solution isn’t free. I purchased an application called Emailchemy to do the worst part. The only other tool I used was imapsync to migrate the email. Here’s the basic workflow. Based on how we do migrations, this will be the quickest way to get them receiving new email while the rest of the stuff runs in the background.

[Read more…]

Filed Under: Sys Admin Tagged With: Emailchemy, Exchange, IMAP, imapsync, POP3

Next Page »

Weather

Categories / Archives

  • Apple
  • Coding
  • Electronics
  • Energy
  • Home Ownership
  • Miscellany
  • Politics
  • Prius
  • Sys Admin
  • Travel
  • Uncategorized
  • Work
  • June 2026
  • April 2026
  • August 2025
  • April 2025
  • January 2024
  • February 2021
  • July 2020
  • January 2020
  • April 2019
  • March 2018
  • February 2018
  • June 2017

Copyright © 2026 · Staze On Genesis Framework · WordPress · Log in