macOS Upgrades vs CrowdStrike

As discussed in yesterday's Endpoint Management Meeting, beware of jumping too many versions of macOS at a time without first uninstalling the CrowdStrike Falcon Sensor. Upgrading from one supported version of macOS to another should be fine, but going from an unsupported version of macOS (for example, macOS 10.15 Catalina) straight to the latest available version (currently macOS 13 Ventura) leaves the Mac with a sensor version that is below what the new OS requires, and that will cause problems.

CrowdStrike generally sets the last supported Falcon Sensor version for a given macOS release approximately 180 days before that OS's expected retirement date. The minimum sensor version required for a newly released macOS is determined much closer to that OS's release, usually a few weeks before it. The version required for the new macOS will therefore be higher than the last version supported on the soon-to-be-retired one. For example, the last supported Falcon Sensor version for macOS 10.15 Catalina is 6.41, while the minimum required version for macOS 13 Ventura is 6.45, so a sensor held at 6.41 falls below Ventura's minimum. This is what makes going from Catalina to Ventura without first removing the Falcon Sensor problematic.

To remedy this, once a "last supported version" for a soon-to-be-retired macOS is identified, Duke creates a CrowdStrike Sensor Update Policy that both (a) holds the Falcon Sensor at that version for that OS and (b) allows removal of the Falcon Sensor without a Maintenance Token, to make the upgrade to a newer OS easier. The best practice is to update macOS more frequently, before the upgrade path becomes this broad. Alternatively, you can still upgrade in steps: go, for example, from Catalina to Big Sur or Monterey, wait for CrowdStrike to self-update to the latest version (instead of being held at the last version supported on Catalina), then upgrade to Ventura. If you do want to go from an unsupported version of macOS straight to the latest available version, uninstall the Falcon Sensor first, and reinstall it once the upgrade completes (or let endpoint management do it).
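As an added illustration (this is not code from the original post or from CrowdStrike), here is a pre-flight check a Mac admin could run before a big version jump. It assumes the sensor's falconctl binary at its usual path and that `falconctl stats agent_info` prints a `version:` line (both assumptions); the 6.41/6.45 pair is the one quoted above, and the script falls back to that pair when no sensor is installed.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether the installed
# Falcon Sensor can survive an in-place macOS upgrade or must be removed first.
# Assumptions: falconctl lives at the path below and "stats agent_info" prints a
# line like "version: 6.41.14704.0" (stats requires root).
FALCONCTL="/Applications/Falcon.app/Contents/Resources/falconctl"

# version_ge A B: succeed when dotted version A is numerically >= B, comparing
# component by component and treating missing components as 0 (6.45 == 6.45.0).
version_ge() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ax="${a%%.*}"; bx="${b%%.*}"
    if [ "${ax:-0}" -gt "${bx:-0}" ]; then return 0; fi
    if [ "${ax:-0}" -lt "${bx:-0}" ]; then return 1; fi
    case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
    case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
  done
  return 0
}

# upgrade_plan INSTALLED MIN_FOR_TARGET: "in-place" when the installed sensor
# already meets the target OS minimum, "uninstall-first" otherwise.
upgrade_plan() {
  if version_ge "$1" "$2"; then echo "in-place"; else echo "uninstall-first"; fi
}

# Minimum sensor version for the target OS, as quoted in the post for Ventura.
# Take this from CrowdStrike's support matrix for any other target.
MIN_FOR_TARGET="6.45"

if [ -x "$FALCONCTL" ]; then
  installed=$("$FALCONCTL" stats agent_info 2>/dev/null | awk '/version:/ {print $2; exit}')
  echo "installed sensor: ${installed:-unknown}"
  echo "plan for a target needing >= $MIN_FOR_TARGET: $(upgrade_plan "${installed:-0}" "$MIN_FOR_TARGET")"
else
  # No sensor here: show the Catalina (6.41) -> Ventura (6.45) case from the post.
  echo "Falcon Sensor not installed; sample plan for 6.41 -> $MIN_FOR_TARGET: $(upgrade_plan 6.41 "$MIN_FOR_TARGET")"
fi
```

If the plan comes back "uninstall-first", remove the sensor with `sudo /Applications/Falcon.app/Contents/Resources/falconctl uninstall` (which succeeds without a maintenance token only when the Sensor Update Policy allows it), run the macOS upgrade, and then reinstall the current sensor or let endpoint management do it. A sensor reporting "unknown" is treated as version 0, so the conservative answer is to uninstall.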

For more information, please contact OIT Device Engineering via ServiceNow (“Device Engineering – OIT”) or email at oitderequest@duke.edu.


Macs and Binding

On October 11, 2022, the Active Directory hardening that Microsoft shipped for CVE-2021-42287 (KB5008380) moved from optional to enforced on Windows Domain Controllers. With this change, we may see issues and changes with our Apple/Mac systems binding to Active Directory. We wanted to share with all of you what we know, what we don't know, and what we've tried so far as alternatives.

What we know:

This security patch has been on the books for a long time and delayed several times. It is CVE-2021-42287. I’ll put a link to this and a few other things at the bottom here for you all to review if you like.

The short version is this: Microsoft is putting important security enhancements into on-prem Domain Controllers. Unfortunately, Apple has decided not to patch macOS to support these changes, and once enforcement is in place it will most likely be impossible for Apple devices to bind to AD at all, which may leave some user accounts (network accounts; mobile accounts should still be OK) unable to log in.

What we don’t know:

There was a mention that Microsoft had made changes in this patch that would correct the issue, but most folks online in smaller setups who have tested it have had to back out the changes after their Macs stopped binding. There is a small chance this is a false alarm, but most likely we're about to see a very real, seismic change in how we've deployed and managed our Apple systems. I wish we could give you a hard list of things that will and will not work, but in this case that just hasn't been possible. Because testing this would require Duke to patch ALL of its production Domain Controllers, neither we nor any other large enterprise has been able to experiment much with it prior to enforcement.

What we’ve tried:

Because over half of our Duke systems are bound to our on-prem AD, we've been looking at various alternatives that would not only replace the features that binding gives us but also add some much-needed bonus features and enhancements. Many of these products didn't work due to Duke's infrastructure. We are working with IdM to see if it's possible to tweak them so we have a more robust and unified response, but the work is still ongoing and we have no guarantees at present.

  1. Apple Kerberos SSO extension (TL;DR: doesn't work): When Apple sunset the "Enterprise Connect" package you could buy, they very quietly moved all of its features into macOS itself, starting with Catalina. The way the Apple documents were written, we thought this could at least provide a partial fix, and we were able to get it set up and partially working, but all of the features we would need, like password synchronization and just-in-time account creation, were either missing or not supported due to Shibboleth.
  2. Jamf Connect (TL;DR: doesn't work): Jamf Connect is a paid product that we got a trial of for testing. It integrates with Azure AD and would handle account creation and password syncing from that. All in all, a magic-bullet solution…or so we thought. Shibboleth was again an issue in getting this to work.
  3. XCreds by Twocanoes Software (TL;DR: doesn't work): exact same issue as Jamf Connect. Very easy to set up and seems a valid solution, but doesn't integrate with Shibboleth.
  4. NoMAD (TL;DR: it works…for now): NoMAD was a standalone product made by a company called Orchard & Grove. Jamf bought them back in 2018 and turned the NoMAD product into Jamf Connect. The freeware versions available up until the time of purchase are still available for download. As an emergency stopgap to keep the computer labs going, we rolled out NoMAD in the OIT and Trinity computer labs this past summer in lieu of binding. So far it has worked very well, but with two big caveats: A. It only works against on-prem AD Domain Controllers, so there isn't any hope of using it for Zero Touch for off-campus faculty/staff. B. The freeware version we are using hasn't been updated since 2018, when Jamf bought them. It is possible a future macOS update will kill this product; there are no guarantees on how long it will keep working. If you want to try NoMAD we have everything set up and would be happy to work with you on a test.
  5. The final one we have not tested yet is the SSO extension support that will be built into macOS Ventura when it ships in a few weeks. In theory this supports the SAML 2.0 protocol that Shibboleth uses, but detailed information on how it works is thin right now. This will have to be something we try on release day.

This is where we stand right now. When we started testing the various products it was our hope to be able to hand a bundled/working solution to you along with the news about binding. This unfortunately is not the case. It has required a much more complex solution than we ever thought it would.

As we get new information on possible alternatives, we’ll of course share them out to everyone.

If you encounter any issues after this change is enforced, want to try NoMAD, or need help converting network/mobile accounts to local ones, please open a ticket; we'll be glad to help you out in any way we can.
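Before the enforcement date, the first thing to know about each Mac is whether it is bound at all and which local accounts are AD mobile (cached) accounts, since those are the ones you may need to convert. The following inventory script is an added example, not code from the original post or from any of the products above. It assumes the standard macOS tools `dsconfigad -show` (which prints an "Active Directory Domain = …" line when bound) and `dscl . -list /Users OriginalNodeName` (which lists only records carrying that attribute, i.e. cached directory accounts); both assumed output shapes are noted in comments, and the parsing is done in functions so it can run on the constructed sample below where those tools are absent.

```shell
#!/bin/sh
# Added example (not from the original post): inventory a Mac's AD dependence.
# Assumptions: dsconfigad -show prints "Active Directory Domain = <domain>" when
# bound (and nothing useful otherwise); dscl . -list /Users OriginalNodeName prints
# "<user>  /Active Directory/<DOMAIN>/All Domains" for each mobile account.

# ad_domain DSCONFIGAD_OUTPUT: print the bound domain, or nothing if unbound.
ad_domain() {
  printf '%s\n' "$1" | awk -F' = ' '/^Active Directory Domain/ {print $2; exit}'
}

# mobile_accounts DSCL_OUTPUT: one username per line for AD mobile accounts.
mobile_accounts() {
  printf '%s\n' "$1" | awk '/\/Active Directory\// {print $1}'
}

# ad_summary DSCONFIGAD_OUTPUT DSCL_OUTPUT: one-line status for a report.
ad_summary() {
  domain=$(ad_domain "$1")
  count=$(mobile_accounts "$2" | awk 'END {print NR}')
  if [ -n "$domain" ]; then
    printf 'bound=%s mobile_accounts=%s\n' "$domain" "$count"
  else
    printf 'bound=no mobile_accounts=%s\n' "$count"
  fi
}

# Constructed sample output (domain and user names are made up) so the script
# runs, and can be checked, on a machine without dsconfigad/dscl.
SAMPLE_DSCONFIGAD='Active Directory Forest          = ad.example.edu
Active Directory Domain          = ad.example.edu
Computer Account                 = lab-mac-01$'
SAMPLE_DSCL='jdoe123       /Active Directory/AD/All Domains
labuser       /Active Directory/AD/All Domains'

if [ -x /usr/sbin/dsconfigad ] && [ -x /usr/bin/dscl ]; then
  ad_summary "$(/usr/sbin/dsconfigad -show 2>/dev/null)" \
             "$(/usr/bin/dscl . -list /Users OriginalNodeName 2>/dev/null)"
else
  echo "dsconfigad/dscl not present; using the constructed sample:"
  ad_summary "$SAMPLE_DSCONFIGAD" "$SAMPLE_DSCL"
fi
```

Run it via your management tool and collect the one-line summaries: machines reporting `bound=no mobile_accounts=0` need nothing; machines with cached accounts are the ones to schedule for conversion to local accounts, whether or not they are still bound.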

Links:

CVE-2021-42287:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42287
https://www.jamf.com/blog/advisory-macos-ad-cve/
https://support.microsoft.com/en-gb/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041
https://support.microsoft.com/en-us/topic/february-8-2022-kb5010359-os-build-14393-4946-e47d743b-9026-4390-bca6-5ad4ddb40ca8

macOS Kerberos SSO extension:
https://www.apple.com/business/docs/site/Kerberos_Single_Sign_on_Extension_User_Guide.pdf

NoMAD: https://nomad.menu/products/

Jamf Connect: https://www.jamf.com/products/jamf-connect/

Xcreds: https://twocanoes.com/products/mac/xcreds/

macOS 13 Ventura SSO: https://9to5mac.com/2022/07/09/apple-identity-vision/

Recent issues with Shared Network Adapters

Considering recent issues IT Admins have reported with using Shared Network Adapters (or SNAs), we’d like to clarify a few things as well as share what OIT Device Engineering is doing to help:

– The Shared Network Adapter registration process does not eliminate the need to also register the adapter for use on the Duke Network in DukeReg. OIT Device Engineering has no special rights in DukeReg and cannot register a network adapter to any Support Group other than our own. The Shared Network Adapter help page in Planisphere has been updated to remind IT admins of this.

– As with all DukeReg registrations, six months of inactivity will result in the registration’s deletion from DukeReg. If your Shared Network Adapter goes unused for more than six months, you will need to re-register it to use it on the Duke Network. To avoid this, make sure to use your Shared Network Adapter–be it a dongle, dock, or multi-function monitor–at least once every few months. OIT Device Engineering is working on a Planisphere API script to identify SNAs nearing 180 days of inactivity.

– Shared Network Adapters will show up in Planisphere’s MAC address history of the devices they are used with AND the SNA’s Planisphere record will collect a list of names those devices have reported to DHCP while in use. This is expected behavior and is the same as any other network adapter. Shared Network Adapters will NOT, however, be used as a common characteristic to gather separate Planisphere records into a single entity. Avoiding *this* is why we register SNAs.

– As the Shared Network Adapter registration process has undergone changes recently and OIT Device Engineering has recently gained new members, we have discovered inconsistencies with both the process and the results. Most notably, we’ve found that some SNAs have not been added to the special lists within Microsoft Configuration Manager and Jamf Pro that prevent them from being used as unique identifiers within those systems. OIT Device Engineering is currently reviewing the registration process, automating it where possible, and reviewing the state of existing entries, making corrections where necessary.

As always, if you have any questions or concerns, please feel free to contact us via ServiceNow (“Device Engineering – OIT”), our new “OIT Device Engineering (Public)” Team in Microsoft Teams, or via e-mail at oitde@duke.edu. Thanks!


OIT Device Engineering needs Testers!

Early Adopters Test Group

With OIT Device Engineering expanding our efforts to provide uniform solutions to the university IT community, we need to expand our testing capabilities beyond our own computers and virtual machines. As we create and manage application installers, feature updates, settings changes, and OSD task sequences, we can only test them so far. Our internal testing environment cannot fully reflect the variety of Duke's computing environment, and our access and experience cannot reflect the access and experience of Duke's users.

What we need is for individuals throughout Duke University to make their computers and their time available as part of the Early Adopters Test Group. These users will assist in testing the solutions offered by OIT DE to the Duke IT community for managing user endpoint devices to ensure that these solutions are effective and efficient. Individuals that are invited to participate should be both comfortable with technology and forgiving of the occasional tech hiccup, ideally having a good rapport with their IT Support Group. While solutions sent to computers used by these individuals will have already gone through at least two levels of prior testing, it would be foolish to assume that issues will never arise. We are looking for the users that can recognize those issues and report them, being willing to possibly participate in the issue’s resolution.

Again, these users will ideally represent a wide variety of computing needs and areas of responsibility; one or two people from each department, doing different tasks with different software and (if possible) different hardware. While we’ll be testing widespread solutions like Microsoft Office installs and upgrades or CrowdStrike Protection Policy changes, we’ll also occasionally need to make sure that a Perceptive Content upgrade works properly or that a Group Policy targeting an obscure setting operates as expected. With a large and diverse group, we hope that at least a portion of that group would receive and use the solution to be tested.

IT Alpha Test Group

In addition, all Duke University IT staff are encouraged to enroll at least one device as a participant in an IT Alpha Test Group. This group of computers will receive solutions to be tested before the Early Adopters Test Group, but after those solutions have gone through individual and departmental OIT DE testing. There are also solutions that will never make it to the Early Adopters Test Group as those solutions are intended for IT use only…OSD Task Sequences, for example. We need the help of every Duke IT staff person, if possible, to help us find as many issues with our solutions as possible before exposing them to Duke users.

Joining

Computers will be added to the test groups by putting a CrowdStrike Falcon Sensor Tag of either "CANARY" or "ALPHA" in place on the computer. This was chosen as the method because CrowdStrike is installed everywhere and the Sensor Tags are visible to the other Endpoint Management systems, which use them to populate their own testing groups: one setting covers all systems.

More information on joining a device can be found at the Endpoints Wiki.
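On a Mac the tag is written with the sensor's own command-line tool. The script below is an added example, not from the original post or the Endpoints Wiki. It assumes the macOS sensor's `falconctl grouping-tags get` / `grouping-tags set` subcommands, that `get` prints the current tags after a colon (an assumption about the output shape), and that a machine should carry only one of CANARY or ALPHA at a time; the merge step keeps any other tags already on the machine.

```shell
#!/bin/sh
# Added example (not from the original post): put a Mac into the CANARY or ALPHA
# test group without clobbering other Falcon grouping tags already set.
# Assumptions: falconctl at the path below with "grouping-tags get/set"; "get"
# prints the tags after a colon; only one test-group tag should be present.
FALCONCTL="/Applications/Falcon.app/Contents/Resources/falconctl"

# merge_tags CURRENT NEW: print CURRENT (comma-separated, may be empty) with NEW
# added exactly once and the other test-group tag removed.
merge_tags() {
  current="$1"; new="$2"
  case "$new" in
    CANARY) other=ALPHA ;;
    ALPHA)  other=CANARY ;;
    *) echo "merge_tags: tag must be CANARY or ALPHA" >&2; return 1 ;;
  esac
  printf '%s\n' "$current" | tr ',' '\n' | awk -v new="$new" -v other="$other" '
    NF && $0 != new && $0 != other { out = out (out ? "," : "") $0 }
    END { out = out (out ? "," : "") new; print out }'
}

# apply_tag NEW: read the sensor's current tags, merge, and write them back (root).
apply_tag() {
  # Assumed output of "grouping-tags get": a line such as "Grouping tags: a,b".
  current=$("$FALCONCTL" grouping-tags get 2>/dev/null | awk -F': ' '/[Tt]ags/ {print $2; exit}')
  merged=$(merge_tags "$current" "$1") || return 1
  "$FALCONCTL" grouping-tags set "$merged"
}

if [ -x "$FALCONCTL" ] && [ "$(id -u)" -eq 0 ]; then
  apply_tag "${1:-CANARY}"
else
  # Not root or no sensor: show what would be written for a constructed tag set.
  echo "dry run: $(merge_tags "dept-lab,encrypted" "${1:-CANARY}")"
fi
```

Run it as root with `CANARY` or `ALPHA` as the only argument, then confirm in the Falcon console that the host shows the tag; the other endpoint management systems read it from there.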

Communications

Participation in these groups should come as a surprise to nobody. Users should be actively invited to participate, with the risks explained beforehand.

Participants of both the Early Adopters and IT Alpha Test Groups will be expected to join and participate in the “Early Adopters Test Group” in Microsoft Teams. All announcements of upcoming tests will be made there, and all feedback and assistance will be expected there.

Also, in the Files section of the Team, there are sample messages that departments can use to invite and inform users of what they’d need to do as a group participant.

Test Plans

Unlike typical IT QA testing efforts, there will be no “test plans” for anyone to follow. Participants will simply use the solutions and/or affected software as they would in the ordinary day-to-day activities of their job.

Any issues that may arise during testing, if they cannot be quickly remediated in place, will result in the rolling back of the solution, to include the possible uninstallation and reinstallation of the affected software.

Timing?

There are regular times of month and year that updates occur (“Patch Tuesday”, Windows and macOS updates in October/November each year) and any updates during those times will be announced in the Team well in advance. There are also, however, regular times of month and year that critical university tasks occur (end of budget year, end of semester grading) and, with appropriate forewarning, we will not push any changes to be tested during those times.

FAQ

Q: What exactly are we testing?
A: Everything! If OIT DE develops and supports it, it should be tested before pushing it to production: monthly patches, application installs/upgrades, settings changes, etc.

Q: Is there a minimum level of hardware or software to participate?
A: No! If the configuration exists in Duke’s computing environment, it should participate in testing.

Q: Is there a maximum level of Duke administration that should participate?
A: Maybe! While all users are welcome, it may make sense to avoid higher-level faculty and staff to avoid more significant impacts of issues that may arise.

Q: Do we need to let OIT DE know that we’ve added a user?
A: No. Simply add the appropriate Sensor Tag to the computer and have the user join the Team.

Q: How many participants do you need?
A: Anyone we can get to participate will be helpful. That said, there should be no more than one or two from any department so that any serious issues do not bring down an entire group.


Endpoint Management Meeting – May 19, 2022

The recording of the May 19 Endpoint Management Meeting is now available (Duke NetID required):

Also available as video (MP4), audio (M4A), transcript (VTT), and chat (TXT) in the Endpoints Box Share.

Items of note:

  • Patching:
    • Windows Patches out, no known issues or urgent concerns, apply according to the regular schedule (test within 1 week, deploy within 2).
    • A few lesser-known Adobe app and Thunderbird patches… does anyone use TBird anymore?
    • Many outdated Firefox and Chrome installs. Browsers need patches, too!
  • Configuration Manager: Update to v2203 on Thursday, May 26.
  • Jamf Pro updates:
    • Update waiting on MySQL and CentOS Stream 8 upgrades
    • DEP tokens renewal…Don’t wait! Act now! (OIT DE can help if you need.)
    • Tomcat clustering project under discussion.
    • Extension Attribute (and other) cleanup continues.
    • OIT DE has received approval to remove rogue Jamf Pro agent software via BigFix where available
    • Dave Andersen (Apple Rep) demo day?
  • BigFix:
    • Investigating MS SQL server upgrade
    • “Updates for Win Apps Extended” site: 100+ apps, updated weekly. Criteria is app must be publicly downloadable and silently installable.
  • EOL OS update…
  • Microsoft Teams on Windows is…different.
  • Other discussion…

Microsoft Teams on Windows is…different…

Many of us are used to using Microsoft Teams on Microsoft Windows by now and are coming to understand its similarities and differences with other communication and collaboration platforms. However, you may not be aware of two important distinctions between the way Teams works and how other software works when it comes to deployment and maintenance:

  1. Microsoft Teams installs differently.*
  2. Microsoft Teams updates differently.*

(* …on Windows. Microsoft Teams behaves just like other applications, for the most part, on macOS and Linux.)

Let’s take a look at each of these in a bit more detail…

Microsoft Teams installs differently

Microsoft Teams is a “user” application rather than a “system” application. Like apps installed from the Microsoft Store and other apps like web browsers and web conferencing clients, Microsoft Teams installs itself into the “C:\Users\<username>\AppData\Local\” directory rather than a “Program Files*” directory. No special rights are required to install, update, or uninstall these applications and only the user who installed them can use them.

However…

While many non-Store-based user applications (like web browsers and web conferencing clients) have "Enterprise" versions that can be installed for all users of a computer as a "system" application, Teams does not. The MSI files that Microsoft makes available to centrally deploy Teams to multiple computers do not install the software…they install an installer that runs for each user who logs on afterwards. This means that, if the MSI is installed by (or for) a user while they are logged in, the user will have to log out and log back in again to actually have the Teams software installed and usable. While this particular scenario is not particularly likely–the software is usually already installed by IT before the user first logs in–it is something to be aware of, and it is the reason for the second difference…

Microsoft Teams updates differently

[Image: the Microsoft Store app settings, where app updates are enabled by default]

As a user application, updating the Teams software becomes the responsibility of the user. As stated in Microsoft’s official documentation, “Teams doesn’t give admins the ability to deploy updates through any delivery mechanism.” For Store-based applications, the Microsoft Store handles these updates. For other user apps with enterprise installers, a system application replaces the user application and can be centrally managed like most other system applications.

For Microsoft Teams, according to the aforementioned documentation, “the desktop client updates itself automatically. Teams checks for updates every few hours behind the scenes, downloads it, and then waits for the computer to be idle before silently installing the update.” However, this process only updates the Teams application itself and not the installer that runs at user logon. With Microsoft typically updating the Teams software every month, this means that any user logging in for the first time to a computer that had the Teams MSI installer deployed more than a month ago will almost certainly have to update the software. It also means that any user logging in for the first time to a computer that received a Teams MSI installer that was packaged more than a month ago will also almost certainly have to update the software.

Additionally, the Teams self-update process only runs for the user that’s logged in. With Teams configured to auto-run at logon by default, if a user logs into a computer that they’ve not used in some time (or ever before in the case of a shared computer), they will likely need to update the Teams software. Similarly, if an IT Admin logs into a user’s computer, they will likely need to update the Teams software.

Microsoft Teams: expect to see updates

It's unlikely that the Microsoft Teams MSI installer will be treated any differently in Duke's endpoint management environment than other application and operating system installers. Installers will be updated periodically, but not with every release, on the expectation that the existing software update mechanisms will do their job. But Microsoft Teams on Windows is…different. Even if we were to update the Teams MSI installer deployments on a monthly basis, depending on when it was deployed you'd still likely see Teams needing an update on that first launch.

It’s that or have the user install it themselves from the Microsoft Store. 😉


Configuration Manager upgrade to version 2203

On Thursday, May 26, at 5:00PM, we will be upgrading the Configuration Manager environment from 2111 to 2203. During this time all Configuration Manager services will be unavailable. Let us know if there are any questions or concerns.

Post Upgrade:
• Clients will update automatically
• Console on RemoteApp server will be updated

New Features:
• ADR scheduling improvements for deployments
• Console and user experience improvements
• Custom icon support for task sequences and packages


Endpoint Management Meeting – April 21, 2022

The recording of the April 21 Endpoint Management Meeting is now available (Duke NetID required):

Also available as video (MP4), audio (M4A), transcript (VTT), and chat (TXT) in the Endpoints Box Share.

Items of note:

  • Patching: Windows Patches out, no known issues or urgent concerns, apply according to the regular schedule (test within 1 week, deploy within 2).
  • Configuration Manager: Nothing to report.
  • Software discussion:
    • Microsoft Project and Visio
      • Neither is part of Duke’s Microsoft 365 license. The apps shown at office.com can open documents, but not create (or edit?).
      • Both can be purchased per device from the Duke Technology Center which holds its own volume license for the software.
      • OITDE manages deployments and a collection for each package in Configuration Manager. Contact via ServiceNow to have a device added.
      • For project management, there are other software and services already licensed by Duke: MeisterTask, MS Planner, Asana(?).
      • Before suggesting other alternatives (ClickUp?), software has to be approved by both Duke ITSO and Procurement before being used to host Duke data.
    • Any plans to include Microsoft Loop in Duke’s license? Will try to find out for next meeting.
  • Jamf Pro updates:
    • Need to renew the DEP tokens for each org – this is responsibility of each Jamf Site Admin. Help available from DE if they need it.
    • Some old config profiles are causing a looping issue… Tim cleared a lot out of the database. If you see this, purge first and see if they come back, then let OITDE know.
    • Month or two out… will be adding a couple of new tomcat nodes to increase performance
    • We have error logs where computers are no longer in the console but are trying to check in. Tickets have been sent out…
    • How to re-enroll if needed
  • BigFix: Pushed release candidate last week. Mostly went smooth, just a few weird problems with machines that might have been off. Production updates pushed out.
  • CrowdStrike: Certificate Rotation coming at end of July, looking for computers that are not updating.
  • Perceptive Content: Al is working on a collection (package) for upgrading to new client.
  • EOL machines: Important!!! Upgrade!!! Update on numbers next month…
  • Zoom – May 17th10.1 – requirement current 5.10.3
    • Packages in SCCM and BigFix have been updated. Software Center needs update or tweaking. Al will look into this.
    • Some issues caused by Zoom’s decision to install 64-bit on 64-bit machines though 32-bit runs fine. OITDE worked with BigFix to correct issues with their Fixlets.
  • Spring Cleaning – Expect more tickets!!
    • Install Endpoint Management and Security software only on Duke-owned computers, OITDE and ITSO end up having to clean it up.
    • The pruning of Jamf Pro Extension Attributes continues.
    • Old legacy packages in ConfigMgr and Jamf Pro will be removed as part of general cleanup.
  • Kelly Snyder added a blurb to DukeReg to discourage incorrect registration.
  • Be aware: The Duke ITSO is starting to block ports.
  • Discussion: New Apple Studio Display presentation, more info to come? Apple will demo displays and high-end Mac Studio units. Bring intensive/heavy workloads, see how it runs.

Endpoint Management Meeting – March 17, 2022

The recording of the March 17 Endpoint Management Meeting is now available (Duke NetID required):

Also available as video (MP4), audio (M4A), transcript (VTT), and chat (TXT) in the Endpoints Box Share.

Items of note:

  • Patching: Windows Patches out, no known issues or urgent concerns, apply according to the regular schedule (test within 1 week, deploy within 2).
  • Config Manager: Testing 2203, will likely update production within the next month.
  • Jamf Pro updates:
    • Holding off on upgrading to the next version due to MySQL version update requirement.
    • Tomcat logs are very large, investigating and a ticket is open with Jamf.
    • Initial log investigation revealed many unmanaged computers and deleted computers still trying to communicate. Tickets will go out for many of these.
    • Extension Attribute cleanup information has been sent out and is shared in the Endpoints wiki. Cleanup to start Friday, March 18.
  • BigFix: No update.
  • macOS Firmware bug: https://www.macrumors.com/2022/03/17/macos-monterey-bricking-macs-logic-boards/
    • Solutions to help with Windows and macOS upgrades exist within ConfigMgr and Jamf Pro.
    • Remove CrowdStrike from macOS 10.14 Mojave before upgrading as the last Mojave-compatible version will not run on macOS 11 or higher. Reinstall after upgrade (or let EPM do it).

Endpoint Management Meeting – February 17, 2022

The recording of the February 17 Endpoint Management Meeting is now available (Duke NetID required):

Also available as video (MP4), audio (M4A), transcript (VTT), and chat (TXT) in the Endpoints Box Share.

Items of note:

  • Patching: Windows Patches out, no known issues or urgent concerns, apply according to the regular schedule (test within 1 week, deploy within 2).
  • Config Manager: Upgraded to 2111 and installed the hotfix. New "Application Groups" feature. Testing in-place Windows OS upgrades; need assistance from the Duke IT community.
  • Jamf Pro update: Upgrade coming soon, features to include “self healing” client, better GSX information gathering. Extension Attribute cleanup project continues, requests for feedback to be sent soon.
  • OIT ScreenConnect update: After the extended outage on February 3, 2022, we have reviewed and optimized the service, reducing the database size by 98%(!!), and upgraded the VM. Restarts now take minutes instead of hours.
  • BigFix: No update.
  • Unsupported operating systems: Over 4000 computers running macOS 10.15 (EOL Nov) or Windows 10 (2009) (EOL May) or older should be updated as soon as possible!
  • Minimum required Zoom client version will be updated to 5.9.3 on March 15. Updated "DUKE" Fixlet has been added to BigFix. As always, Windows computers can also be configured to auto-update (via BigFix and Group Policy).
  • Discussion: Changes to Planisphere Quarantine notifications and timings.
  • Discussion: Weirdness with Login to macOS domain bound. Some folks can and some folks can’t login. M1 Macs.
  • Discussion: Using Planisphere Status on individual devices; entering and reporting shared network adapters.