StrangerStrings

Nostalgia or Declarative Device Management

by Ulrik Aabye-Hansen  ·  TalkTech.dk  ·  macAD.uk

About the Session

Remember when managing a Mac meant SSH, shell scripts and a hope-and-pray cron job? Declarative Device Management (DDM) rewrites the rulebook. Devices proactively apply declarations, report their own status, and stop waiting to be poked.

This session walks through the components of Declarative Device Management, what it actually does under the hood, and how it's being implemented by different device management vendors. Expect analogies, deep dives, a nerdy demo with API calls, and an honest look at what we, the Apple Admins, need to do, and what’s still missing.

About the Speaker

Ulrik Aabye-Hansen

Ulrik Aabye-Hansen is a Partner, Consultant and Entertrainer at TalkTech ApS. He spends a lot of the day babbling about Apple Device Management and loves to turn difficult-to-grasp topics into fun stories using modern pop-culture.

Presentation

Download Slide Deck (PDF)
Hawkins National Laboratory · Classified Demos

Demo Scripts & API Calls

Sanitized. Replace hosts, tokens and UUIDs before running.

Assign an App license to device (App Store API)

zsh · curl

Use the App Store API to assign a device license. You need a VPP token (sToken): create a location, purchase the app and download the token from Business > Settings > Payments and Billing > Content Tokens > [LOCATION]. Fill in the variables for your app's adamID, the path to your token and the serial number of the device.

#!/bin/zsh
# Replace PATH_TO_TOKEN, adamID and deviceSerial

# Import the bearer token downloaded from
#   Business > Settings > Payments and Billing > Content Tokens > [LOCATION]

##########################################################################
#   VARIABLES
##########################################################################

# The name of your sToken or path if in a different folder
# (keep this file readable only by your own user, e.g. chmod 600)
yourToken="PATH_TO_TOKEN"
# adamID of the app you purchased
adamID="1548193893"
# Serial number of the device that gets the license
deviceSerial="DMPC50ALPV13"

# Bring in the sToken as Bearer Token
access_token=$(cat "$yourToken")

# The JSON body is read from stdin (--data @-) so the variables expand cleanly
curl --location 'https://vpp.itunes.apple.com/mdm/v2/assets/associate' \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer $access_token" \
  --data @- <<EOF
{
  "assets": [
    {
      "adamId": "$adamID",
      "pricingParam": "STDQ"
    }
  ],
  "serialNumbers": [
    "$deviceSerial"
  ]
}
EOF
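
A pre-flight check for the content token before it is sent as a Bearer header, as an added example that is not part of the original demo scripts. It assumes the sToken file is base64-encoded JSON with an `expDate` field; `check_stoken` and `sample_token` are names made up here, and the sample token is constructed.

```python
import base64
import json
import os
import stat
from datetime import datetime, timedelta, timezone

DATE_FMT = "%Y-%m-%dT%H:%M:%S%z"  # assumed expDate layout, e.g. 2026-01-31T12:00:00+0000


def sample_token(expires):
    """Constructed stand-in for an sToken file body (not a real token)."""
    meta = {"token": "CONSTRUCTED", "expDate": expires.strftime(DATE_FMT),
            "orgName": "Example Org"}
    return base64.b64encode(json.dumps(meta).encode())


def check_stoken(path, now=None, warn_days=30):
    """Return a list of problems with the token file at `path` (empty = OK)."""
    now = now or datetime.now(timezone.utc)
    problems = []

    # The file is a long-lived credential: nobody but the owner should read it.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append(f"file mode {mode:o} is open to group/others; use chmod 600")

    with open(path, "rb") as fh:
        blob = fh.read().strip()
    try:
        meta = json.loads(base64.b64decode(blob, validate=True))
        expires = datetime.strptime(meta["expDate"], DATE_FMT)
    except (ValueError, KeyError, TypeError):
        return problems + ["not a base64-encoded JSON token with an expDate"]

    # An expired token fails at the API; catch it (or a near expiry) up front.
    if expires <= now:
        problems.append(f"token expired on {expires.date()}")
    elif expires - now < timedelta(days=warn_days):
        problems.append(f"token expires on {expires.date()}; renew it")
    return problems
```
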

Verify License Assignment

ZSH • Curl

Verify that the license has been properly assigned to the device (not run in the live demo, but a good troubleshooting step).


#!/bin/zsh
# Replace PATH_TO_TOKEN and SERIALNUMBER

##########################################################################
#   VARIABLES
##########################################################################

# The name of your sToken or path if in a different folder
yourToken="PATH_TO_TOKEN"
# Serial number for the device you are assigning the license
deviceSerial="SERIALNUMBER"

# Bring in the sToken as Bearer Token
access_token=$(cat "$yourToken")

curl "https://vpp.itunes.apple.com/mdm/v2/assignments?serialNumber=$deviceSerial" \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer $access_token"

Look up Apps External Version ID

ZSH • Curl

The version of an app you want to declare is based on the "External Version ID". Use the App Store API to find the information.


#!/bin/bash
        
# Find the External Version ID of an app, for assigning and possibly pinning a version number
# Replace adamID, and storeFront if you want to search a different Store
##########################################################################
#   VARIABLES
##########################################################################
        
# adamID is found after 'id' in the URL of the app you are looking up, e.g. 1548193893
adamID="1548193893"
# country code for the store in case it is not available in all stores
# try US if in doubt
storeFront="US"
        
curl -s "https://uclient-api.itunes.apple.com/WebObjects/MZStorePlatform.woa/wa/lookup?version=2&id=${adamID}&p=mdm-lockup&caller=MDM&cc=${storeFront}" | jq -r '.results[].offers[].version.externalId'
      

Managed App Declaration

json · Custom Blueprint

The declaration to install your app on your device. This is very simple, but you can find and build more keys with the DDM Explorer. The UUID and the Server Token are generated by Blueprints and should not be included in the Custom Configuration.

// com.apple.configuration.app.managed
// replace ADAM_ID and VERSION
{
  "AppStoreID": "ADAM_ID",
  "UpdateBehavior": {
    "AutomaticAppUpdates": "AlwaysOn"
  },
  "InstallBehavior": {
    "Install": "Required",
    "License": {
      "Assignment": "Device"
    },
    "Version": VERSION
  }
}
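
The lookup and the declaration tied together, as an added example that is not the speaker's demo code: it reads the External Version ID along the same path as the jq filter, fills in the template, and checks a custom configuration body before it is pasted into a Blueprint. The sample lookup response is constructed, the function names are made up here, and it assumes that `Version` is an integer and that the "UUID" and "Server Token" are the DDM envelope keys `Identifier` and `ServerToken`.

```python
import json

# Constructed sample of the lookup response, reduced to the fields the page's
# jq filter reads: .results[].offers[].version.externalId
SAMPLE_LOOKUP = '{"results": {"1548193893": {"offers": [{"version": {"externalId": 870000001}}]}}}'

# Assumption: these are the server-generated keys the page says to leave out.
SERVER_KEYS = ("Identifier", "ServerToken")


def external_versions(lookup_json):
    """Return every externalId, walking the same path as the jq filter."""
    results = json.loads(lookup_json).get("results", {})
    return [offer["version"]["externalId"]
            for app in results.values() for offer in app.get("offers", [])]


def build_payload(adam_id, version):
    """Build the page's declaration with both placeholders filled in."""
    if not (isinstance(adam_id, str) and adam_id.isascii() and adam_id.isdigit()):
        raise ValueError("adamID must be a string of digits")
    if isinstance(version, bool) or not isinstance(version, int) or version <= 0:
        raise ValueError("external version ID must be a positive integer")
    return {
        "AppStoreID": adam_id,
        "UpdateBehavior": {"AutomaticAppUpdates": "AlwaysOn"},
        "InstallBehavior": {"Install": "Required",
                            "License": {"Assignment": "Device"},
                            "Version": version},
    }


def check_payload(text):
    """Return a list of problems in a custom configuration body (empty = OK)."""
    try:
        payload = json.loads(text)  # leftover // comments or a bare VERSION fail here
    except json.JSONDecodeError as err:
        return [f"not valid JSON: {err.msg}"]
    if not isinstance(payload, dict):
        return ["top level must be a JSON object"]
    problems = [f"remove server-generated key {k}" for k in SERVER_KEYS if k in payload]
    behavior = payload.get("InstallBehavior")
    version = behavior.get("Version") if isinstance(behavior, dict) else None
    if version is not None and (isinstance(version, bool) or not isinstance(version, int)):
        problems.append("InstallBehavior.Version must be an integer")
    if "ADAM_ID" in text:
        problems.append("ADAM_ID placeholder not replaced")
    return problems
```
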

Find a device’s DDM Management ID Locally

shell · CLI

Run on the managed Mac itself. Handy when you’re debugging a single device. In Jamf Pro, you can view logs for DDM in the API endpoint declarative-device-management.

sudo profiles status -type enrollment
sudo /usr/libexec/mdmclient QueryDeviceInformation 2>/dev/null \
  | plutil -extract DDMManagementID raw -o - -

Get in Touch

Reach out if you are curious about our training offers.