Endpoint Management Meeting – October 2020

By: John Straffin

John Straffin: Welcome, everybody, to the October Endpoint Management Meeting.

Gurpreet Hothi: Where are the cookies?

John Straffin: I got mine. Anybody else got theirs?

Gurpreet Hothi: I will go get mine.

John Straffin: You can come over and have some if you want, Gurpreet…

Gurpreet Hothi: Cool.

John Straffin: Windows patches… John Shaw is here so I’m going to pick on him a bit, since he shared information about this earlier in Teams. I don’t remember the exact threat model that was going on, but there is a particular critical patch available and the US CERT has said that you want to patch this right away. That was a week ago, and the ITSO agreed with them, so, if you haven’t already, please get those Microsoft patches in place, because there is one that is particularly pernicious. John? Do you have any details handy?

John Shaw: The research groups dubbed it as “Bad Neighbor” and it was a worm-able bug. I think it was in Windows 10 and Server as a remote code RC vulnerability. The domain controller threat was “ZeroLogon”, which we did get patched. We have no unpatched domain controllers, as far as I’m aware, from checking the CrowdStrike console, so thanks everybody for all the efforts on that.

John Straffin: If you check out the “All University IT” Team and search on “Bad Neighbor”, I believe John Shaw posted something there. That was the only notable item from the patches otherwise. Patch as you ordinarily do. I don’t know that we usually end up seeing a lot of patches not applied, so everybody seems to be doing a good job.

John Straffin: Tim or Al, who wants to go next?

Tim Smith: I can go. We’re going to update the Jamf servers. They’re coming out more and more and faster and faster with these upgrades. Jamf Pro version 10.25 was released. And then four days later they ran into an issue. Apparently, the server startup time after upgrading is taking quite a bit of time after some sort of database schema change on the mobile device installed applications table. And so they came out with a 10.25.1 version that corrected that. That’s all they say is they just fixed an issue with that.

John Straffin: You said it also came with some extras, right?

Tim Smith: Yeah, I’m looking at it now: two enhancements with the “point one” release, but it looks like it’s just more approved kernel extensions and privacy preference policy control additions that require Mac OS 11 or later. So it seems to me like they’re gearing up for the Big Sur upgrade with everything that’s coming out.

Tim Smith: So I’ve been postponing upgrading longer and longer just to wait for all the issues to get fixed, which is kind of funny because they release betas and a lot of customers sign up for the beta. You would think all that would kind of work out but apparently not because with the 10.25.1 release, they’ve already released a 10.26 beta for Jamf upgrade. I’m probably going to upgrade our test instance to 25.1 either today or tomorrow and, after seeing how that goes, I’ll probably do the production middle to end of next week. I will say some of the features that are going to be coming out for iOS and Mac OS 11 kind of require Jamf Cloud and Azure AD. So, hopefully, we’ll soon be able to move Jamf into the cloud. That’s still in talks, it’s still being pushed, but it seems, you know, Jamf is doing the cloud-based feature first and then worrying about on-prem additions later. Hopefully, we can get up into the cloud sooner. I will say, though, with macOS 11, they’re doing an enhancement to the pre-stage enrollments. Hopefully—from the language that they’ve used—they’re doing an “auto-advance” feature which means using pre-stage, you can auto-advance all the way through the whole pre-stage setup, setup assistant, etc., and get right to the login screen. They don’t specifically say skipping the “MDM accept” screen, which is what I’m looking for because, if we can skip that screen, we can do remote wipes and reinstalls and let pre-stage do all the magic which would be fantastic for labs and so forth. I’d like to see how that works. And that, of course, requires Mac OS 11 to do the auto-advance, so, I’m sure, by the time everybody gets on Mac OS 11, we’ll hopefully be in Jamf Cloud and we’ll get all the rich features that come with that.

Tim Smith: I’ll probably send out an email tomorrow or beginning of next week about upgrading and all that kind of good stuff. That’s all I have.

Brad Arthur: I did have one quick question for you, Tim. Maybe you’ve heard, but I have not heard any updates on this. I know, for a while, Jamf was saying that, if you were on Jamf Cloud, you were getting the new releases pretty much the microsecond they were available. With all these issues they’ve been having with their big number releases, are they backing down on the “You must get the upgrade immediately” premise?

Tim Smith: Well, that depends. If you’re a regular cloud customer, they put you on a scheduled upgrade. I think it’s like east coast, west coast, or wherever part of the world, right? And they kind of schedule those upgrades. But if you’re a premium cloud member, you can stop those automatic upgrades and you can determine or let them know when you want to upgrade, or upgrade yourself by a magic button or whatever. I’m not sure how that works. I’m in the Slack channel with the UNC system and I believe that they are on the regular scheduled upgrade because I’ve always seen them saying, “Hey, Jamf is upgrading our server at this time, on this date…look out for that”. I don’t know how that works if there is an issue. I have seen on Jamf Nation where, if there is an issue, they go ahead and say, “Okay, we’re upgrading again to that point release”, so they are pretty quick. I don’t think they’re saying “Alright… we’ve released in 25 and everybody gets it within a few minutes”. From what I’ve seen, there’s a schedule put in place by region for when those customers get upgraded in the cloud.

Brad Arthur: Okay, cool. Thank you.

Everybody:

John Straffin: No one else jumping in with a question for Tim, so it’s Al’s turn!

Alton Kearney: I just have a few items. Yesterday, I sent out an email about the new Windows 10 version, 20H2, made available in Configuration Manager for people who want to start testing that in deployments for their department. Soon we will make the 20H2 Feature Update available also. One of the advances, as the Windows versions continue to evolve, is the enablement packages which are much smaller and the upgrade process is a lot more lightweight. It may be more of a large monthly update: it would require a reboot, but it would be maybe 5 to 10 minutes as opposed to the 30 minutes that we were seeing for feature updates in the past.

Alton Kearney: I’m doing some work on the WSUS server. Once we get things working there, we will sync the 2004 update into Config Manager.

Alton Kearney: Also, we’re removing Windows 10 1809 and 1903 images from Config Manager. If you are referencing those in your task sequences, go ahead and update to at least 1909 in your task sequences. 2004 is out there, also, but I wouldn’t recommend that one as the support model is only 18 months. We’re recommending sticking with the fall releases.

John Straffin: Thankfully, if they actually keep to this naming schedule, we can simply say “H2” versus 09, 08, 07, or 10 or whatever it ends up being.

John Straffin: Somewhat related, I guess, apparently they’re doing something where they’re including the servicing stack updates in the cumulative updates now, to make that process easier from an update standpoint. Previously, you had to have the servicing stack upgraded before you tried to push any of the cumulative updates and if you didn’t have it done in that order, it wouldn’t take. Now they’re just bundling it together in one so that you don’t have to worry about the install order. It just works.

John Straffin: Anything else?

Alton Kearney: [Shakes his head, “No”.]

John Straffin: Something came up this week from OIT EIS and Steve Gray. Microsoft is dropping support for Office for Mac 2016, not just “we won’t fix or patch your software anymore”, but they are also not supporting its continuing to be able to talk to Office 365 and Microsoft 365. They have not said that they are breaking it, they’re just not supporting it. So, if any changes to the Office 365 infrastructure cause Office for Mac 2016 to have communications issues, it’s not going to be fixed.

John Straffin: That being said, Office for Mac 2016 isn’t supported anymore. It needs to be replaced. This is more than just “because it’s never being patched”. This is because it might just stop working from an email standpoint. I don’t know that we want to find out when that happens, suddenly having our users contacting us saying “my email doesn’t work anymore”.

John Straffin: We got a spreadsheet from OIT EIS of every Office for Mac useragent that is contacting our Office 365 instance, and there were 803 Office for Mac 2016, all of which are potentially at risk. Steve pointed out to me this morning that we don’t know how many of those might be home users versus Duke machines, there’s no way to tell. We just have a long list of email addresses and that’s one thing I really don’t feel like crunching…Oh, I think there’s an IdM tool that can help with that…maybe I will crunch that…

John Straffin: On the page that Microsoft has that speaks about Office for Mac 2016 EOL, they have a link for a license removal tool. Microsoft’s recommended course of action is to simply run the tool on the user’s machine which then causes Office to ask the user to log in. When they log in with their Duke credentials and check for updates—they would need to do that manually to have it happen right away, otherwise the Microsoft Update software will get around to it—it will go ahead and upgrade Office for Mac to the latest 2019 version from the 2016 version they’re running. No need to re-install any software; you simply yank the license, have them login (which is the new normal with Office 365: you use your user credentials to use one of your five licenses attached to your user on your computer), and the update process will update that. I just tested it on a laptop next to me here and that process took it, I believe, up to version 16.42 (2019) from the 16.16 (2016) version.

John Straffin: And Diane unmuted, which means she’s dying to say something. 🙂

Diane Scro: I was just gonna say that I haven’t actually tried it, but somebody else told me there’s not an easy way to search that in Jamf. Jamf doesn’t tell you the version. It’s just “Office”.

John Straffin: Okay…I do know that, if you recall, it was really weird, where Office 2016 is version 16.16 and lower and 2019 is 16.17 and higher…

Diane Scro: And you can’t get those version numbers in Jamf…it doesn’t give you that. Didn’t know if anybody knew of an easy way to identify.

John Straffin: We can do something to get that in there. I’m surprised it’s not pulling it as part of its inventory pull. Check Planisphere as well. I mean, it’s not going to do much for Smart Groups or larger reporting but, if you’re wondering about a particular machine, I know from BigFix, anyway, we’re definitely pulling the version number of the app itself, which should tell you the 16.42 or 16.16 or whatever it is.

Edward Mendoza Viera: Hey, can I say something?

John Straffin: I suppose…

Edward Mendoza Viera: Sorry. 🙂 I’m driving to campus. What I did was I created a Jamf Pro Smart Group looking for one of the Office apps—I think, in the one that I created, I was looking for Word—and I just used the “16.” numeration and it found me the 2016 versions. I can share more on that when I’m near the computer again. It seemed to work pretty well: we were able to identify six devices so it seems to be working.

John Straffin: And if you check the chat, John Carbuccia put together a video for folks to use Jamf Self Service to upgrade to macOS 10.14 and Office 2019 and there’s a Box link, so check that out. Thank you, John!

[CHAT: John Carbuccia: I made a 2 minute video for folks to use Self Service to upgrade to 10.14 & Office 2019. Here’s the link in case you’d like to use it: https://duke.box.com/s/gwhduz0w1cxif4elfxzz0ayzxwv6cwjq ]

John Straffin: The one thing I did note with mine: Once I yanked the license, logged in with my ID, checked for updates, and had it do the update check, the Microsoft Update tool still was throwing a little error-style comment about my applications. Even though it also said “up to date”, it still had the little yellow triangles and some red text until I rebooted. Once I rebooted, those were cleared. I don’t know what the Microsoft Update app was stuck on but it definitely updated to the latest version while still saying there were issues until I rebooted. The Microsoft Update software saw the same version, but didn’t say that there were issues any longer.

Diane Scro: Do you have the link for that thing that pulls out the license?

John Straffin: I can find it in short order, because, if I search on “Office for Mac 2016 EOL”, I believe it’s the first link you find. Of course it wasn’t the first link I found on that search…greaaaaaat.

[CHAT: John Straffin: https://support.microsoft.com/en-us/office/end-of-support-for-office-2016-for-mac-e944a907-bbc8-4be5-918d-a514068d0056 ]

Alton Kearney: John has his hand raised.

John Straffin: Which John?

John Shaw: I feel like there was some conversation around the updated client, the new experience? Some folks were finding that, from a security perspective, the “Report a Phish to Duke” button was not necessarily clearly visible on the ribbon, but it is possible to customize the ribbon and add the “Report a Phish” button. I was looking to see if we had already made an update to the KB, but I just wanted to highlight that, if we’re not finding that “Report a Phish” button, it is possible to customize the ribbon and add it back into clear view. Rather than having to click on the ellipses to find that button, you can just customize it so it stays on the ribbon.

John Straffin: Good catch, John. Thank you.

John Straffin: So, one thing to be aware of: in that particular support document (linked in Chat, above) at the very end there’s a section about Office 2016 for Mac license and point #1 is “download and run the license removal tool”. When I ran it, it ran just like any other Mac app, so there’s no reason we couldn’t be able to put that into some sort of policy if we wanted to do that centrally, but there is user interaction required. So, this may be something that, like John Carbuccia is pointing out, we strictly want to do through Jamf Self Service so the user is aware of what’s going on and they know that they need to take further steps.

John Straffin: I didn’t run any numbers…how’s the fight against unsupported operating systems going? Anyone have any successes to share? Or woes of finding 23 more machines got kicked off the network by surprise?

John Straffin: No one wants to own up. Okay, that was boring.

Diane Scro: If we ignore it, it’ll go away, right? 🙂

John Straffin: No! It would not go away! 🙂

Dan Cantrell: I’ll jump in with a little bit of an issue on the Health System side, pushing out the NAC changes. We had some people drop off the network, just briefly, but not too many issues from our side because so many people work remotely.

John Straffin: One thing that is both a benefit and a hindrance, somewhat, is that these machines that are potentially being quarantined aren’t on Duke’s network anyway, so they’re not noticing at all. It gives us some wiggle room, definitely, but please do not take that as a “pause” button. It’s just a “slow down a little bit” button, possibly, but we definitely still want to keep going and getting these taken care of, whether they’re on campus or not.

John Straffin: And with that, that’s all I had on my list of things to talk about. Anyone have anything of interest that they want to share or ask, and…I see Diane!

Diane Scro: Well, you’re not gonna like it.

John Straffin: Go ahead.

Diane Scro: When are you gonna do some training for Planisphere?

John Straffin: That’s for next month. And I said it out loud, so now it has to be!

Diane Scro: Okay. It just would be nice.

Blaine Ott: Isn’t this security month? Shouldn’t it have been done this month?

John Straffin: I’m gonna mute Blaine.

Quincy Garbutt: Whatever training you do for Planisphere, hopefully it’ll be recorded. If folks can’t attend, they can go back and see that.

John Straffin: Nah… it’s going to be in-person only. We’re going to get a great big hall and everybody sits six feet apart.

Quincy Garbutt: That’s awesome. And you can be that super spreader. I’ll pass on that.

John Straffin: Fantastic! No… we’ll definitely have it on Zoom and have it recorded as well.

Quincy Garbutt: Alright, thanks.

John Straffin: Guess I know what I’m doing on vacation next week: writing training.

Quincy Garbutt: Well, you didn’t say how early in the month. Granted, November’s a short month…

John Straffin: Okay, so, on Black Friday, I’m going to be running the training.

Quincy Garbutt: Okay.

John Straffin: Blaine, there’s nothing BigFix to chat about, is there? I haven’t noticed anything…

Blaine Ott: Not that I’m aware of.

Edward Mendoza Viera: Can I ask something to the group?

John Straffin: Sure! Please do!

Edward Mendoza Viera: Has anybody had issues with the VPN client, after the upgrade? We had quite a bit, but I’m not aware of what everybody else looks like.

George Bowen: It just automatically updated, didn’t it?

John Straffin: It automatically updated, but what Edward and I and some others were seeing was that, for older operating systems like Windows 7 and even some older Windows 10 versions, the automatic update process was uninstalling the old client and then failing to reinstall the new clients. You were left with a machine with no VPN client installed. There appears to be a registry key that is set as part of the process. Edward, do we have any idea if that key was set already or is that being sent by the process?

Edward Mendoza Viera: I meant to go back and look to see if the key is already there with the client running or not. I checked on my machine but I’m running Windows 10 2004 so I don’t have that key in my registry. We did find a number of fixes and I think one that worked a little better was cleaning up the registry of some of those registry keys that the client puts there with the drivers. I think that seems to be the fix that actually works a little better than the rest of them that we outlined on that message [posted to Teams earlier in the week].

John Straffin: Okay. I was gonna also ask Edward in a longer question: what we were seeing from a Windows 10 standpoint, was that versions that were supposed to be out of support already, but had support extensions, were actually still having problems. We were supposing that it was Cisco saying “if you’re running an unsupported operating system, we’re not installing the agent”. But then we made those registry fixes and it seemed to work. Not that I want this to actually work on Windows 7, but for people who are actually seeing this issue on Windows 7, do we know if the registry key fixes that, as well?

Edward Mendoza Viera: To be honest, I haven’t had any Windows 7 machines that we support that I can play with.

John Straffin: Honestly, I don’t really want to test it, because I don’t care if it works on Windows 7 because Windows 7 isn’t supported anymore and it should be running anywhere.

Edward Mendoza Viera: The interesting thing is that, from looking at the reporting, we did have clients on 1803 and 1809 that received the updates and updated fine. I think, from the numbers that we crunched, about 5% of them were failing and then, from those 5%, maybe 1% or 2% were having another issue where nothing that we tried was allowing us to install the VPN client.

John Straffin: Edward, where did you share that information that I saw where you outlined what you had tried and Kim had tried, etc.?

Edward Mendoza Viera: I was in the “All University IT” Teams channel. [LINK]

John Straffin: So, everybody can check for that there if you’re having issues with VPN clients auto updating. There’s a list of possible solutions that George and Kim and Edward from CDSS all came up with (on their own, I believe) and they all seem to work with varying degrees of success. So there’s multiple ways you can try to get this taken care of.

John Carbuccia: This may be unrelated or not relevant, but I’m using the Big Sur beta version and I have Outlook installed on it and the new Outlook button that appears on my Catalina version of the OS does not show up on the…never mind. It’s there now.

John Straffin: I’m glad I could help, John. You’re welcome. 🙂

John Carbuccia: I swear it wasn’t there a minute ago!

John Straffin: Are we talking about the phish button or…?

John Carbuccia: No, no, the new Outlook button. Yeah, the phishing button is not there, and you had to add it to the toolbar like Edward said.

John Straffin: I would love to find out if that can be scripted some way because we really need to make sure that it’s front and center for everybody, instead of just something they need to go find. Wonder if that’s in a plist or something.

Quincy Garbutt: We had an interesting phish that popped up the other day that was mimicking an executive here at Duke indicating “hey can you send me … can you text me your number please?”. And I promptly told my constituents “please go ahead and report that”…

John Straffin: Yes, please.

Quincy Garbutt: …and then someone did see it actually disappear from their inbox and they’re like, “hey, we saw it and it disappeared”. I said “that’s what should happen”.

John Straffin: Yes, yes! If you weren’t aware, it’s part of a new hire orientation presentation that the IT Security Office does every two weeks for new hires coming in, but when you submit that using the “Report Phish to Duke” button and it’s found to be a phish, it doesn’t just delete it from your mailbox. It deletes it from every single Duke mailbox that message is also in. These phishing attacks are rarely if ever single emails to single individuals. There are dozens, if not hundreds, of emails sent to try to snag as many people as possible. And when even one person submits that to “Report a Phish to Duke” and it gets judged to be malicious, every single one of those copies ends up disappearing from people’s mailboxes. So, as I say in the presentation, you’re not just protecting yourself; you’re helping to protect all of Duke.

Quincy Garbutt: Exactly.

Diane Scro: That is cool. I didn’t know that. Our users, we really push them to use the web version of Outlook and the button is always…you can do the same thing, you can put the button on the top. But if Duke has added that button into the web version, it seems like they should somehow be able to push it up to the top.

John Straffin: You would think so. I think that’s just the limits of what we can do with the web based UI versus local UIs.

Diane Scro: I have created instructions for users to put it up the top but you know users. They don’t care.

John Shaw: Can I add something? Just to point out: Microsoft also has a button that leverages their anti-spam/anti-phishing services that we’re not using, so for users that do report using that, they’ll get a message back that says to kindly use the appropriate button which is the “Report a Phish to Duke” button. So, just to throw that out there as well, that there is some confusion for those that are using the web. I believe, if I’m not mistaken, to Diane’s point, though, you have to scroll past the Microsoft button to get to the Duke button, if you will.

Diane Scro: Yes, that’s true. That’s why I was like, “can’t we move it up at least?”.

John Shaw: And I believe we’ve had conversations with OIT EIS, with Jeremy Hopkins and if we could, I believe we would have definitely, to your point, done that.

John Straffin: So, possibly Diane, maybe we need to take your instructions and make them a little more widely available to say “everybody should do this”.

Diane Scro: Yeah, I think I actually found it in a KB article or something. But then I put it in our Wiki. I can get a copy out to you.

John Straffin: That’d be awesome.

John Straffin: Is that what John Shaw just pasted into the chat?

[CHAT: John Shaw: KB0031840 – https://duke.service-now.com/kb_view.do?sys_kb_id=53af8865dbc8a010580f9846db9619bd ]

John Shaw: I’m not sure if that’s one Diane’s referring to, but…

Diane Scro: Yes, this is the KB article that I found. And then I had rewritten it just sent an HR user. So yeah, this is perfect, because people don’t realize…

John Straffin: What I like in the actual knowledge base article, if you’re looking at the “Outlook on the Web” part, it shows you how long that huge menu is and right under the “Mark as Phishing” that you’re not supposed to use, it gives you the option to “Block Jeremy Hopkins”. I need that option in my mail. 🙂 Yeah definitely need to add that to the ribbon.

John Straffin: Very cool, thank you John and Diane!

Everyone:

John Straffin: Hearing, nothing else…

John Straffin: Alright, I think that’s it then. If no one else has any other questions, we can certainly give you a whole bunch of your day back. Enjoy everyone! Let’s get (particularly) that Bad Neighbor patch pushed out. Let’s check for those Office for Mac 2016 installs and take care of those before they become a problem instead of waiting for them to be a problem. And as always, unsupported operating systems are evil and need to go.

[CHAT: Patrick Daniels: Any new advancements to talk about re Duke Unlock? ]

Alton Kearney: Hey, Patrick just pasted something in the chat about Duke Unlock. I know the ITSO people are here. I don’t know if anyone wants to give any update on that.

John Straffin: Someone can correct me. I know with the improvements in iOS 14 it now works on the iPhones. And are we expecting… does it work on the latest Catalina or is that going to work in Big Sur?

Nick Tripp: Big Sur. It requires Big Sur.

John Straffin: That’s what I thought.

Nick Tripp: That’s Apple’s decision, not ours, unfortunately.

John Shaw: And, John, to your point about as long as you’ve upgraded to iOS 14 and higher: It also requires that the iPhone has Face ID or Touch ID.

[CHAT: John Shaw: https://unlock.duke.edu/ – iOS (14+) with Touch ID or Face ID enabled, running Safari ]

John Straffin: I can’t use my old iPhone 6?

John Carbuccia: I was trying to configure some new computers for folks a week or two ago here in Trinity and I was trying to configure this unlock with face ID and/or fingerprint and I got a message across the top that said “this feature is being controlled by your administrator”. Is that something that Duke is doing as a whole or just Trinity?

John Straffin: On what platform?

John Carbuccia: Windows. Windows 10 face unlock and fingerprint would not work at all.

John Straffin: What you’re falling afoul of is that Microsoft made the, in my opinion, wise, maybe?… better than worst? decision that once a Windows computer is joined to the domain, the Windows Hello stuff, the Windows biometrics, is disabled by default. They’re expecting that, if you’re part of a domain, that decision is likely being made at a domain level. You don’t have to do it at a domain level, though. You can go into the local security policy and make the necessary changes to have it be effective. But whereas ordinarily it’s simply disabled if you haven’t enabled it, adding a machine to a domain automatically disables that function unless it’s enabled through a policy. It can be local policy or a central policy. So there’s no Duke central policy turning it off; it’s Microsoft turning it off if you’re on a domain, because they’re expecting you to turn it on by policy if you’re in a domain.

John Carbuccia: So then that means Windows Hello… I mean, I’m sorry, “unlock” and Duke Unlock will not work on Windows devices unless the domain policy has been modified.

John Straffin: Again, you can make that policy change locally on the computer. And very, very little if anything is actually done from a central domain policy standpoint, simply because not everybody necessarily wants that kind of thing enabled. So, it’s definitely on an OU by OU, IT group by IT group basis to either enable that locally on the machines that need that capability or to put in a group policy that enables it on all of the machines in their OUs.

John Carbuccia: So, since Trinity’s merging with OIT, anyone have any input on that from OIT as far as globally enabling it?

Patrick Daniels: John, the policies can be put together in a really quick script that you can run lots of different ways to do that. I’ll find the note here and send that to you.

Edward Mendoza Viera’s child: La la la la la la la la la…

John Straffin: That was awesome.

Patrick Daniels: I like the way Edward sounds, now. That was really good.

John Straffin: Forward that to me, too, Patrick, because if we don’t already have one—I think we may, but if we don’t have one—we’ll make a central policy that’s not going to be applied globally, but you can use that central policy on your own OUs to put that in place on all the machines you have that are in the domain.

Blaine Ott: And I think I’ll speak for Trinity that we probably will not apply that globally to Trinity. I think that’s a local setting that you should set on a machine by machine basis.

Edward Mendoza Viera: I was gonna say that CDSS did some testing a while back and we did develop a Group Policy. We actually enabled it on all of our devices already since a couple months back. Maybe March, actually. So, John, If you want I can give you the policy we created…

John Straffin: Yeah, we’ll check that out. We’ll talk about it offline. Thank you.

[CHAT: Patrick Daniels: There are about three local security policies that have to be turned on. https://social.technet.microsoft.com/Forums/en-US/15d0a491-feed-49fe-811d-8d8248bf9e15/pin-and-fingerprint-signin-options-unavailable-greyed-out-in-windows-10-1709-enterprise?forum=win10itprogeneral ]

John Straffin: SLG was cancelled and Nick was asked if there were any security issues. He says [from chat] “No major security news to share on the endpoint front. In a holding pattern waiting for the macOS 11 release. Hoping to have some Planisphere news before the end of the year.”

Patrick Daniels: Regarding macOS 11, are people feeling confident that that’s going to be something that can be upgraded to pretty much straight out of the gate or people anticipating delaying again?

John Straffin: Who all is messing with the beta to speak to its effectiveness in our environment? I just saw Brad and Dan unmute…go, guys.

Brad Arthur: So the testing I’ve done so far has been kind of hit or miss. Some of the beta releases have worked really, really well. Others have been absolute nightmares and there’s no rhyme or reason with that. But the ones that work well do work quite well. If we can get lucky and they incorporate those features into the final release, I think we can jump to it fairly quickly.

Dan Cantrell: Yep, that’s a great summary. I totally agree. That’s what I’m seeing too.

John Straffin: So a definite maybe from both of you.

Dan Cantrell: We’ll know within the first two weeks of the official GM.

Patrick Daniels: So, I guess the question that I have is when it immediately gets released and we have a rash of professors asking to upgrade, are we doing our standard “postpone until it’s been cleared”?

Brad Arthur: So, for our site in Jamf, I do already have a block in place for Big Sur just to prevent people from leaping on day one, but I think the way Apple’s been going, we’re going to have to turn it loose pretty quickly, because, even for versions of iMovie and Final Cut, they’re requiring not just the latest big release, but the latest point release as well, in order to run properly. So, I think, Apple’s forcing our hands more and more on that now.

Patrick Daniels: And I don’t mind that. But I guess I’m looking for more of united “okay guys, it’s opened up” so that we’re not fighting different fires in different locations.

John Straffin: I honestly think it’s going to be up to those who have experience with it to make that decision for the departments they support, and it may be that we need to take even into account just the individual user’s skill level that things are definitely changing that we want to plop macOS 11 right down on a person that is less comfortable with change like that without having a better understanding of how those changes are going to affect workflows and user experience.

Patrick Daniels: So the reason I’m asking this is because we delayed on Catalina, and that creates all sorts of follow up repercussions in terms of the timing for upgrades.

John Straffin: Well, the Catalina delays were because certain apps just weren’t working anymore, wasn’t it? It wasn’t just things are different, wah-wah.

Brad Arthur: It was the app issues and also some general stability issues we were seeing with the earlier builds of it.

John Straffin: Are those app issues resolved on Catalina or maybe they expected to still be there, or have they been fixed on Big Sur?

Brad Arthur: Well, I mean, the app issues, the core compatibility issues are all fixed now. The problems we’re still running into is professors who are still running versions of Netscape on their systems, that can’t use it on Catalina.

John Straffin: Please tell me you’re kidding.

Brad Arthur: Ahhh…sort of.

John Straffin: Nice.

Patrick Daniels: I’ve still got Netscape running on my Windows 95 machine.

John Straffin: I still actually have a Quarterdeck Mosaic floppy.

Dan Cantrell: I’ll just chime in. I think the timing, we expect with macOS 11 is going to be latter half of November, since the rumors right now are there’s a November 17th planned or expected macOS announcement. So, if you look at that timing, with Thanksgiving and finals, I think on the University side, it’s easiest just to tell everybody “do not upgrade until after finals” and then that’s only two weeks.

Patrick Daniels: Yeah. And then after Thanksgiving, they’ll have free time on their hands and can destroy their machines…

Dan Cantrell: Exactly right. So, I think the messaging could be really clear in that way.

John Straffin: I think the messaging should be really clear in that “This is still 2020…do you really want to upgrade your OS this year?”. You could just wait until January 1 and do it then.

Dan Cantrell: And it is the 64-bit jump. So yes, any really old software may, well, will not work. So, if people are doing a three-version jump, that means rebuying software in some cases, which people are highly averse to, so that solves itself: they won’t upgrade.

Blaine Ott: That requires a lot of forethought, to recognize, “Oh wait, you mean these applications don’t work now that I’ve upgraded already?”.

Dan Cantrell: Exactly.

Brad Arthur: And I will say for Linux people out there, Big Sur has a very Gnome-like feel to it, so might get some converts there.

Patrick Daniels: Does Big Sur do the same thing as Catalina, sort of giving a summary of the things that didn’t make the upgrade when you do it?

Brad Arthur: I’ve had one release that didn’t do it when I tested it, but the rest of them have all prompted me for incompatible software/possible issues.

Patrick Daniels: So we’re expecting that to be in a final release, then?

Brad Arthur: You would hope so.

Patrick Daniels: I do.

Kelli Snyder: Patrick?

Patrick Daniels: Yes?

Kelli Snyder: You asked where to download the Security background?

Patrick Daniels: Yes, and John [Shaw] sent that to me. I grabbed it from the bottom of the page, nice high resolution.

Kelli Snyder: Okay. I just shared the link with everyone.

[CHAT: Kelli Snyder: https://security.duke.edu/news-alerts/thinksecure-october ]

Patrick Daniels: Thank you.

Kelli Snyder: You’re welcome.

Patrick Daniels: I’m kind of disappointed. There’s not a pumpkin in it somewhere.

John Straffin: There is. It’s right behind the middle, you can’t see it.

Patrick Daniels: It’s up in the bell tower somewhere.

Everyone:

John Straffin: I guess to try to inspire more questions. I just need to say we’re going to go again. So…

Blaine Ott: You want to announce Planisphere is going offline this afternoon? Any change in that plan?

John Straffin: No, there’s no change in there, it’s being migrated from one platform to another. So it’s going to necessarily be out of service for, I think, a two-hour window, but it should take less than that.

Blaine Ott: I have 2:00 to 4:00 on my calendar.

John Straffin: I believe Sean said it shouldn’t take the full two hours, but, of course, with anything like that, you want to allow for issues and the resolution of those issues in the window.

John Straffin: Has anybody playing with the Big Sur beta tossed BigFix on it and seen it reporting correctly? Or Blaine, are we seeing macOS 11 betas in the console? I know Jamf Pro wasn’t, but is now capable of handling Big Sur.

Blaine Ott: I have not looked recently, but I can look real quick here now.

John Straffin: I have a slate of test MacBooks next to me and, unfortunately, they are all old enough that the Big Sur installer says nuh-uh, ain’t gonna happen. So I can’t really test Big Sur on those. Tried doing it in a VM and that was just unpleasant.

Blaine Ott: I see three “10.16”s.

John Straffin: Awesome.

Blaine Ott: Is that what we’re looking for?

John Straffin: So, wait a minute…It reports internally as being 10.16 but it’s being called 11?

Dan Cantrell: Both. It’s used in various places as either.

Blaine Ott: That’s why I assumed it was 10.16, and then somebody said, “No, no, it’s 11.” I’m like, “that’s not…”

John Straffin: Not according to the version numbers inside the software!

John Straffin: Great. I’ll take that as indication that BigFix is ready to go with it, too.

Blaine Ott: I’m not sure that those are fresh, and, based on the machine names, I’m guessing a couple of those at least are upgraded machines, so that may or may not make a difference.

John Carbuccia: Do you see mine in there? It’s 239ML?

Blaine Ott: No, I see FHI-9020 with you logged in.

John Carbuccia: [glances down towards the floor]

John Straffin: As John says, “oh, there’s that machine, down there!”

Blaine Ott: I see Tom with a machine from September from TTS-190265ML.

Blaine Ott: And CDSS-5092, is that George?

John Straffin: George is shaking his head “no” but I think he’s lying to us…

Blaine Ott: Who’s Hernandez?

John Straffin: Ha ha ha! I’ll tell you what, I’ll tell you about Hernandez later.

Blaine Ott: Okay. We are being recorded, so, you know…

John Straffin: Yeah, exactly. And I did do the cloud recording with transcription, so that should be working now and we should have a transcript out post-haste. And THAT being said, I’m finally going to put this meeting out of its misery. Thank you everybody for joining. If you have any other questions, feel free to shoot them to the endpoints list. If you have any sort of support issues, feel free to send it to oitde@duke.edu or endpoints-request@duke.edu. See ya!

Everybody: [Bye!]

John Straffin: I love how people who haven’t talked the whole time unmute just to say “bye!”

Alton Kearney: Okay. Time for the real meeting, now.

John Straffin: Exactly…The Shadow Cabinet is meeting.

Kelli Snyder: [giggles]

John Shaw: The post-meeting-meeting? Are you still recording this, John?

Blaine Ott: I was gonna say, is this where we turn off the recording?
