macOS Upgrades vs CrowdStrike

As discussed in yesterdays’ Endpoint Management Meeting, beware of jumping too many versions of macOS at a time without uninstalling the CrowdStrike Falcon Sensor first! Upgrading from one supported version of macOS to another should be fine, but going from an unsupported version of macOS (for example, macOS 10.15 Catalina) to the latest available version (currently macOS 13 Ventura) will cause problems.

The last supported version of the Falcon Sensor for a given version of macOS is generally set by CrowdStrike approximately 180 days before that OS’s expected retirement date. The minimum Falcon Sensor version required for a newly released version of macOS is determined much closer to the OS’s release date, usually a few weeks. This means that the version required for the newly released macOS will be greater than the last supported version for the soon-to-be-retired macOS. For example, the last supported version of the CrowdStrike Falcon Sensor for macOS 10.15 Catalina is 6.41, while the minimum required version for macOS 13 Ventura is 6.45. This makes going from Catalina to Ventura without first removing the CrowdStrike Falcon Sensor a problematic situation.

To remedy this, once a “last supported version” for a soon-to-be-retired macOS is identified, Duke creates a CrowdStrike Sensor Update Policy to both (a) hold the Falcon Sensor at that version for that OS and (b) allow the removal of the Falcon Sensor without the need for a Maintenance Token in order to more easily facilitate the upgrade to a newer OS. The best practice would be to update macOS more frequently, before the upgrade path becomes so broad. Alternatively, one could also still upgrade in steps, going, for example, from Catalina to Big Sur or Monterey, waiting for CrowdStrike to self-update to the latest version (instead of holding at the last version supported on Catalina), then upgrading to Ventura. However, if it is desired to go from an unsupported version of macOS to the latest available version, you’ll want to uninstall CrowdStrike first.

For more information, please contact OIT Device Engineering via ServiceNow (“Device Engineering – OIT”) or email at

Posted in Uncategorized | Comments Off on macOS Upgrades vs CrowdStrike

Macs and Binding

On October 11, 2022, some security patches for Microsoft Windows Domain Controllers went from being optional to being enforced. With this change, we may see some issues and changes with our Apple/Mac systems binding to Active Directory. We wanted to share with all of you what we know, what we don’t know, and what we’ve tried so far as alternatives.

What we know:

This security patch has been on the books for a long time and delayed several times. It is CVE-2021-42287. I’ll put a link to this and a few other things at the bottom here for you all to review if you like.

The short version is this: Microsoft is putting in some important security enhancements to on-prem Domain Controllers. Unfortunately, Apple has decided they will not be patching macOS to support these new changes and at that point, it will most likely be impossible for Apple devices to bind to AD at all and may result in some user accounts (network accounts, mobile accounts should still be ok) being unable to login.

What we don’t know:

There was a mention that Microsoft had instituted changes in this patch that would correct the issue, but most folks online in smaller setups who have tested it, have had to back out of the changes after their Mac’s stopped binding. There is a small chance this is a false alarm, but most likely we’re about to see a very real, seismic change in how we’ve deployed and managed our Apple systems. I wish we could give you a hard list of things that will and will not work, but in this case that just hasn’t been possible. Because testing this would require Duke to patch ALL of its production Domain Controllers, this is not something we nor any other large Enterprise has been able to experiment much with prior to enforcement.

What we’ve tried:

Because over half our Duke systems are bound to our on-prem AD, we’ve been looking at various alternatives that would not only replace the features that binding gives us but also add some much-needed bonus feature and enhancements. Many of these products didn’t work due to Duke’s infrastructure. We are working with IdM to see if it’s possible to tweak them so we have a more robust and unified response, but the work is still on-going and we have no guarantees at present.

  1. Apple Kerberos Extension (TL;DR: doesn’t work): When Apple sunset the “Enterprise Connect” package you could buy, they very quietly moved all the features into macOS itself, starting with Catalina. The way the Apple documents were written, we thought this could at least provide a partial fix, and we were able to get it setup and partially working, but all of the features we would need like password synchronization, just-in-time account creation, were either missing or not supported due to Shibboleth.
  2. Jamf Connect (TL;DR: doesn’t work): Jamf Connect is a paid product that we got a trial of for testing. It integrates with Azure and would handle account creation and password syncing from that. All-in-all, a magic bullet solution…or so we thought. Shibboleth was again an issue getting this to work.
  3. Xcreds by TwoCanoes Software (TL;DR: doesn’t work), exact same issue as Jamf Connect. Very easy to setup and seems a valid solution but doesn’t integrate with Shibboleth
  4. NoMAD (TL;DR: it works…for now): NoMAD was a standalone product made by a company called Orange Grove. Jamf bought them back in 2018 and turned the NoMAD product into Jamf Connect. The freeware versions available up until the time of purchase are still available for download. As an emergency stopgap to keep the computer labs going, we rolled out NoMAD in the OIT and Trinity computer labs this past summer in-lieu of binding. So far it has worked very well, but two big caveats: A. It only works with on-prem AD Domain Controllers so there isn’t any hope of utilizing it for Zero Touch for off campus faculty/staff. B. The freeware version we are using hasn’t been updated since 2018 when Jamf bought them. It is possible a future macOS update will kill this product. There are no guarantees on how long it will work for. If you want to try NoMAD we have everything setup and would be happy to work with you on a test.
  5. The final one we have not tested yet is the SSO extensions that will be built into macOS Ventura when it comes out in a few weeks. In theory this does support SAML2 protocol that Shibboleth uses, but detailed information is sketchy right now on how this works. This will have to be something we try on release day.

This is where we stand right now. When we started testing the various products it was our hope to be able to hand a bundled/working solution to you along with the news about binding. This unfortunately is not the case. It has required a much more complex solution than we ever thought it would.

As we get new information on possible alternatives, we’ll of course share them out to everyone.

If you encounter any issues after this change is enforced, wand to try NoMAD, or need help converting network/mobile accounts to local ones, please open a ticket, we’ll be glad to help you out in any way we can.



macOS Kerberos SSO extension:


Jamf Connect:


macOS 13 Ventura SSO:

Recent issues with Shared Network Adapters

Considering recent issues IT Admins have reported with using Shared Network Adapters (or SNAs), we’d like to clarify a few things as well as share what OIT Device Engineering is doing to help:

– The Shared Network Adapter registration process does not eliminate the need to also register the adapter for use on the Duke Network in DukeReg. OIT Device Engineering has no special rights in DukeReg and cannot register a network adapter to any Support Group other than our own. The Shared Network Adapter help page in Planisphere has been updated to remind IT admins of this.

– As with all DukeReg registrations, six months of inactivity will result in the registration’s deletion from DukeReg. If your Shared Network Adapter goes unused for more than six months, you will need to re-register it to use it on the Duke Network. To avoid this, make sure to use your Shared Network Adapter–be it a dongle, dock, or multi-function monitor–at least once every few months. OIT Device Engineering is working on a Planisphere API script to identify SNAs nearing 180 days of inactivity.

– Shared Network Adapters will show up in Planisphere’s MAC address history of the devices they are used with AND the SNA’s Planisphere record will collect a list of names those devices have reported to DHCP while in use. This is expected behavior and is the same as any other network adapter. Shared Network Adapters will NOT, however, be used as a common characteristic to gather separate Planisphere records into a single entity. Avoiding *this* is why we register SNAs.

– As the Shared Network Adapter registration process has undergone changes recently and OIT Device Engineering has recently gained new members, we have discovered inconsistencies with both the process and the results. Most notably, we’ve found that some SNAs have not been added to the special lists within Microsoft Configuration Manager and Jamf Pro that prevent them from being used as unique identifiers within those systems. OIT Device Engineering is currently reviewing the registration process, automating it where possible, and reviewing the state of existing entries, making corrections where necessary.

As always, if you have any questions or concerns, please feel free to contact us via ServiceNow (“Device Engineering – OIT”), our new “OIT Device Engineering (Public)” Team in Microsoft Teams, or via e-mail at Thanks!

Posted in Uncategorized | Comments Off on Recent issues with Shared Network Adapters

OIT Device Engineering needs Testers!

Early Adopters Test Group

With OIT Device Engineering expanding our efforts to provide uniform solutions to the university IT community, we need to expand out testing capabilities beyond our own computers and virtual machines. As we create and manage application installers, feature updates, settings changes, and OSD task sequences, we can only test them so far. Our internal testing environment cannot fully reflect the variety of Duke’s computing environment and our access and experience cannot reflect the access and experience of Duke’s users.

What we need is for individuals throughout Duke University to make their computers and their time available as part of the Early Adopters Test Group. These users will assist in testing the solutions offered by OIT DE to the Duke IT community for managing user endpoint devices to ensure that these solutions are effective and efficient. Individuals that are invited to participate should be both comfortable with technology and forgiving of the occasional tech hiccup, ideally having a good rapport with their IT Support Group. While solutions sent to computers used by these individuals will have already gone through at least two levels of prior testing, it would be foolish to assume that issues will never arise. We are looking for the users that can recognize those issues and report them, being willing to possibly participate in the issue’s resolution.

Again, these users will ideally represent a wide variety of computing needs and areas of responsibility; one or two people from each department, doing different tasks with different software and (if possible) different hardware. While we’ll be testing widespread solutions like Microsoft Office installs and upgrades or CrowdStrike Protection Policy changes, we’ll also occasionally need to make sure that a Perceptive Content upgrade works properly or that a Group Policy targeting an obscure setting operates as expected. With a large and diverse group, we hope that at least a portion of that group would receive and use the solution to be tested.

IT Alpha Test Group

In addition, all Duke University IT staff are encouraged to enroll at least one device as a participant in an IT Alpha Test Group. This group of computers will receive solutions to be tested before the Early Adopters Test Group, but after those solutions have gone through individual and departmental OIT DE testing. There are also solutions that will never make it to the Early Adopters Test Group as those solutions are intended for IT use only…OSD Task Sequences, for example. We need the help of every Duke IT staff person, if possible, to help us find as many issues with our solutions as possible before exposing them to Duke users.


Computers will be added to the test groups by putting a CrowdStrike Falcon Sensor Tag of either “CANARY” or “ALPHA” in place on their computer. This was chosen as the method as CrowdStrike is installed everywhere and the Sensor Tags are visible by other Endpoint Management systems to populate their own testing groups. One setting for all systems

More information on joining a device can be found at the Endpoints Wiki.


Participation in these groups should come as a surprise to nobody. Users should be actively invited to participate, with the risks explained beforehand.

Participants of both the Early Adopters and IT Alpha Test Groups will be expected to join and participate in the “Early Adopters Test Group” in Microsoft Teams. All announcements of upcoming tests will be made there, and all feedback and assistance will be expected there.

Also, in the Files section of the Team, there are sample messages that departments can use to invite and inform users of what they’d need to do as a group participant.

Test Plans

Unlike typical IT QA testing efforts, there will be no “test plans” for anyone to follow. Participants will simply use the solutions and/or affected software as they would in the ordinary day-to-day activities of their job.

Any issues that may arise during testing, if they cannot be quickly remediated in place, will result in the rolling back of the solution, to include the possible uninstallation and reinstallation of the affected software.


There are regular times of month and year that updates occur (“Patch Tuesday”, Windows and macOS updates in October/November each year) and any updates during those times will be announced in the Team well in advance. There are also, however, regular times of month and year that critical university tasks occur (end of budget year, end of semester grading) and, with appropriate forewarning, we will not push any changes to be tested during those times.


Q: What exactly are we testing?
A: Everything! If OIT DE develops and supports it, it should be tested before pushing it to production: monthly patches, application installs/upgrades, settings changes, etc.

Q: Is there a minimum level of hardware or software to participate?
A: No! If the configuration exists in Duke’s computing environment, it should participate in testing.

Q: Is there a maximum level of Duke administration that should participate?
A: Maybe! While all users are welcome, it may make sense to avoid higher-level faculty and staff to avoid more significant impacts of issues that may arise.

Q: Do we need to let OIT DE know that we’ve added a user?
A: No. Simply add the appropriate Sensor Tag to the computer and have the user join the Team.

Q: How many participants do you need?
A: Anyone we can get to participate will be helpful. That said, there should be no more than one or two from any department so that any serious issues do not bring down an entire group.

Posted in Uncategorized | Comments Off on OIT Device Engineering needs Testers!

Endpoint Management Meeting – May 19, 2022

The recording of the May 19  Endpoint Management Meeting is now available (Duke NetID required):

Also available as video (MP4), audio (M4A), transcript (VTT), and chat (TXT) in the Endpoints Box Share.

Items of note:

  • Patching:
    • Windows Patches out, no known issues or urgent concerns, apply according to the regular schedule (test within 1 week, deploy within 2).
    • A few lesser-known Adobe app and Thunderbird patches… does anyone use TBird anymore?
    • Many outdated Firefox and Chrome installs. Browsers need patches, too!
  • Configuration Manager: Update to v2203 on Thursday, May 26.
  • Jamf Pro updates:
    • Update waiting on MySQL and CentOS Stream 8 upgrades
    • DEP tokens renewal…Don’t wait! Act now! (OIT DE can help if you need.)
    • Tomcat clustering project under discussion.
    • Extension Attribute (and other) cleanup continues.
    • OIT DE has received approval to remove rogue Jamf Pro agent software via BigFix where available
    • Dave Andersen (Apple Rep) demo day?
  • BigFix:
    • Investigating MS SQL server upgrade
    • “Updates for Win Apps Extended” site: 100+ apps, updated weekly. Criteria is app must be publicly downloadable and silently installable.
  • EOL OS update…
  • Microsoft Teams on Windows is…different.
  • Other discussion…
Posted in Uncategorized | Comments Off on Endpoint Management Meeting – May 19, 2022

Microsoft Teams on Windows is…different…

Many of us are used to using Microsoft Teams on Microsoft Windows by now and are coming to understand its similarities and differences with other communication and collaboration platforms. However, you may not be aware of two important distinctions between the way Teams works and how other software works when it comes to deployment and maintenance:

  1. Microsoft Teams installs differently1.
  2. Microsoft Teams updates differently1.

(1 …on Windows. Microsoft Teams behaves just like other applications, for the most part, on macOS and Linux.)

Let’s take a look at each of these in a bit more detail…

Microsoft Teams installs differently

Microsoft Teams is a “user” application rather than a “system” application. Like apps installed from the Microsoft Store and other apps like web browsers and web conferencing clients, Microsoft Teams installs itself into the “C:\Users\<username>\AppData\Local\” directory rather than a “Program Files*” directory. No special rights are required to install, update, or uninstall these applications and only the user who installed them can use them.


While many non-Store-based user applications (like web browsers and web conferencing clients) have “Enterprise” versions that can be installed for all users of a computer as a “system” application, Teams does not. The MSI files that Microsoft makes available to centrally deploy Teams to multiple computers does not install the software…it installs an installer that runs for each user that logs on afterwards. This means that, if the MSI is installed by (or for) a user while they are logged in, the user will have to log out and log back in again to actually have the Teams software installed and usable. While this particular scenario is not particularly likely–the software is usually already installed by IT before the user first logs in–it is something to be aware of and is the reason for the second difference…

Microsoft Teams updates differently

Microsoft Store App settings

The Microsoft Store App settings enables App updates by default

As a user application, updating the Teams software becomes the responsibility of the user. As stated in Microsoft’s official documentation, “Teams doesn’t give admins the ability to deploy updates through any delivery mechanism.” For Store-based applications, the Microsoft Store handles these updates. For other user apps with enterprise installers, a system application replaces the user application and can be centrally managed like most other system applications.

For Microsoft Teams, according to the aforementioned documentation, “the desktop client updates itself automatically. Teams checks for updates every few hours behind the scenes, downloads it, and then waits for the computer to be idle before silently installing the update.” However, this process only updates the Teams application itself and not the installer that runs at user logon. With Microsoft typically updating the Teams software every month, this means that any user logging in for the first time to a computer that had the Teams MSI installer deployed more than a month ago will almost certainly have to update the software. It also means that any user logging in for the first time to a computer that received a Teams MSI installer that was packaged more than a month ago will also almost certainly have to update the software.

Additionally, the Teams self-update process only runs for the user that’s logged in. With Teams configured to auto-run at logon by default, if a user logs into a computer that they’ve not used in some time (or ever before in the case of a shared computer), they will likely need to update the Teams software. Similarly, if an IT Admin logs into a user’s computer, they will likely need to update the Teams software.

Microsoft Teams: expect to see updates

It’s unlikely that the Microsoft Teams MSI installer will be treated any differently in Duke’s endpoint management environment than other operating systems and applications. Installers will be periodically updated, but not with every update, expecting the existing software update mechanisms to do their job. But, Microsoft Teams on Windows is…different. Even if we were to update the Teams MSI installer deployments on a monthly basis, depending on when it was deployed, you’d still likely see Teams needing updates on that first launch.

It’s that or have the user install it themselves from the Microsoft Store. 😉

Posted in Uncategorized | Comments Off on Microsoft Teams on Windows is…different…

Configuration Manager upgrade to version 2203

On Thursday, May 26, at 5:00PM, we will be upgrading the Configuration Manager environment from 2111 to 2203. During this time all Configuration Manager services will be unavailable. Let us know if there are any questions or concerns.

Post Upgrade:
• Clients will update automatically
• Console on RemoteApp server will be updated

New Features:
• ADR scheduling improvements for deployments
• Console and user experience improvements
• Custom icon support for task sequences and packages

Posted in Uncategorized | Comments Off on Configuration Manager upgrade to version 2203

Endpoint Management Meeting – April 21, 2022

The recording of the April 21 Endpoint Management Meeting is now available (Duke NetID required):

Also available as video (MP4), audio (M4A), transcript (VTT), and chat (TXT) in the Endpoints Box Share.

Items of note:

  • Patching: Windows Patches out, no known issues or urgent concerns, apply according to the regular schedule (test within 1 week, deploy within 2).
  • Configuration Manager: Nothing to report.
  • Software discussion:
    • Microsoft Project and Visio
      • Neither is part of Duke’s Microsoft 365 license. The apps shown at can open documents, but not create (or edit?).
      • Both can be purchased per device from the Duke Technology Center which holds its own volume license for the software.
      • OITDE manages deployments and a collection for each package in Configuration Manager. Contact via ServiceNow to have a device added.
      • For project management, there are other software and services already licensed by Duke: MeisterTask, MS Planner, Asana(?).
      • Before suggesting other alternatives (ClickUp?), software has to be approved by both Duke ITSO and Procurement before being used to host Duke data.
    • Any plans to include Microsoft Loop in Duke’s license? Will try to find out for next meeting.
  • Jamf Pro updates:
    • Need to renew the DEP tokens for each org – this is responsibility of each Jamf Site Admin. Help available from DE if they need it.
    • Some old config profiles are causing a looping issue… Tim cleared a lot out of the database. If you see this, purge first and see if they come back, then let OITDE know.
    • Month or two out… will be adding a couple of new tomcat nodes to increase performance
    • We have error logs where computers are no longer in the console but are trying to check in. Tickets have been sent out…
    • How to re-enroll if needed
  • BigFix: Pushed release candidate last week. Mostly went smooth, just a few weird problems with machines that might have been off. Production updates pushed out.
  • CrowdStrike: Certificate Rotation coming at end of July, looking for computers that are not updating.
  • Perceptive Content: Al is working on a collection (package) for upgrading to new client.
  • EOL machines: Important!!! Upgrade!!! Update on numbers next month…
  • Zoom – May 17th10.1 – requirement current 5.10.3
    • Packages in SCCM and BigFix have been updated. Software Center needs update or tweaking. Al will look into this.
    • Some issues caused by Zoom’s decision to install 64-bit on 64-bit machines though 32-bit runs fine. OITDE worked with BigFix to correct issues with their Fixlets.
  • Spring Cleaning – Expect more tickets!!
    • Install Endpoint Management and Security software only on Duke-owned computers, OITDE and ITSO end up having to clean it up.
    • The pruning of Jamf Pro Extension Attributes continues.
    • Old legacy packages in ConfigMgr and Jamf Pro will be removed as part of general cleanup.Spring Cleaning – Expect more tickets!!
  • Kelly Snyder added a blurb to DukeReg to discourage incorrect registration.
  • Be aware: The Duke ITSO is starting to block ports.
  • Discussion: New Apple Studio Display presentation, more info to come? Apple will demo displays and high-end Mac Studio units. Bring intensive/heavy workloads, see how it runs.
Posted in Uncategorized | Comments Off on Endpoint Management Meeting – April 21, 2022

Endpoint Management Meeting – March 17, 2022

The recording of the March 17 Endpoint Management Meeting is now available (Duke NetID required):

Also available as video (MP4), audio (M4A), transcript (VTT), and chat (TXT) in the Endpoints Box Share.

Items of note:

  • Patching: Windows Patches out, no known issues or urgent concerns, apply according to the regular schedule (test within 1 week, deploy within 2).
  • Config Manager: Testing 22.03, will likely update production within the next month.
  • Jamf Pro updates:
    • Holding off on upgrading to the next version due to MySQL version update requirement.
    • Tomcat logs are very large, investigating and a ticket is open with Jamf.
    • Initial log investigation revealed many unmanaged computers and deleted computer still trying to communicate. Tickets will go out for much of these.
    • Extension Attribute cleanup information has been sent out and is shared in the Endpoints wiki. Cleanup to start Friday, March 18.
  • BigFix: No update.
  • macOS Firmware bug:
    • Solutions to help with Windows and macOS upgrades exist within ConfigMgr and Jamf Pro.
    • Remove CrowdStrike from macOS 10.14 Mojave before upgrading as the last Mojave-compatible version will not run on macOS 11 or higher. Reinstall after upgrade (or let EPM do it).
Posted in Uncategorized | Comments Off on Endpoint Management Meeting – March 17, 2022

Endpoint Management Meeting – February 17, 2022

The recording of the February 17 Endpoint Management Meeting is now available (Duke NetID required):

Also available as video (MP4), audio (M4A), transcript (VTT), and chat (TXT) in the Endpoints Box Share.

Items of note:

  • Patching: Windows Patches out, no known issues or urgent concerns, apply according to the regular schedule (test within 1 week, deploy within 2).
  • Config Manager: Upgraded to 21.11 and installed hot fix. New “Application Groups” feature. Testing in-place Windows OS upgrades, need assistance from the Duke IT community.
  • Jamf Pro update: Upgrade coming soon, features to include “self healing” client, better GSX information gathering. Extension Attribute cleanup project continues, requests for feedback to be sent soon.
  • OIT ScreenConnect update: After the extended outage on February 3, 2022, we have reviewed and optimized the service, reducing the database size by 98%(!!), and upgraded the VM. Restarts now take minutes instead of hours.
  • BigFix: No update.
  • Unsupported operating systems: Over 4000 computers running macOS 10.15 (EOL Nov) or Windows 10 (2009) (EOL May) or older should be updated as soon as possible!
  • Minimum required Zoom client version will be updated to 5.9.3 on Marsh 15. Updated “DUKE” Fixlet has been added to BigFix. As always, Windows computers can also be configured to auto update (via BigFix and Group Policy).
  • Discussion: Changes to Planisphere Quarantine notifications and timings.
  • Discussion: Weirdness with Login to macOS domain bound. Some folks can and some folks can’t login. M1 Macs.
  • Discussion: Using Planisphere Status on individual devices; entering and reporting shared network adapters.
Posted in Uncategorized | Comments Off on Endpoint Management Meeting – February 17, 2022