Apple Resources from our Sales Engineer

From Apple Systems Engineer Dave Andersen:

Thanks again to all of you for your participation in last week’s Apple IT Update sessions. I appreciate the opportunity to visit with the Duke endpoint management team.

As mentioned, below please find the resource links to support your further investigation of macOS Big Sur and Apple Silicon Macs.

Apple Support Articles: Big Sur-related
Installing macOS:
Kernel Extensions:
Apple Remote Desktop/Kickstart: and
Changes to Server:
Bash to ZSH:
Remote Login and Apple Events:

Other Useful Sources & Tools
MDM Commands Documentation:
MDM Settings for IT:
Deployment Reference for Mac:
Apple Platform Security:
Apple Platform Privacy:
AppleCare Professional Support:
AppleSeed for IT:

Enterprise features in Apple fall OS releases
What’s new for enterprise in iOS 14:
What’s new for enterprise in iPadOS 14:
What’s new for enterprise in macOS Big Sur:

Microsoft 365 (Microsoft Office)
Universal app support for Macs with M1 is here

Apple Silicon Macs: Recent support articles
If you get a personalization error when reinstalling macOS:
Safe Mode on Apple Silicon Macs:
Use macOS Recovery on a Mac with Apple silicon:
Revive or restore a Mac with Apple Silicon using Apple Configurator 2:
Download Apple Configurator 2:
Transfer files between a Mac with Apple silicon and another Mac:
If you need to install Rosetta on your Mac:
How to Reinstall macOS on your Apple Silicon Mac. Everything you Need to Know:

Apple & Machine Learning
Leveraging ML Compute for Accelerated Training on Mac:

Third Party Performance Reviews/Analysis
Accelerating TensorFlow Performance on Mac:
Mac mini and Apple Silicon M1 review: Not so crazy after all
“The M1 is amazingly fast. More importantly, it’s a compatibility slam dunk”
Hands-on with the Apple M1—a seriously fast x86 competitor
“I feel confident in saying that this truly is a world-leading design—you can get faster raw CPU performance, but only on power-is-no-object desktop or server CPUs. Similarly, you can beat the M1’s GPU with high-end Nvidia or Radeon desktop cards—but only at a massive disparity in power, physical size, and heat.”
MacBook M1 benchmarks are in — and they destroy Intel


macOS 11 and CrowdStrike/AnyConnect UPDATE

It has come to our attention that macOS 11.0 apparently has a bug in the new Network Extensions framework that is causing kernel panics in applications that use this feature, including CrowdStrike Falcon and Cisco AnyConnect, among others. The bug has reportedly been fixed in macOS 11.1, which is currently in beta and is being tested by OIT Device Engineering with positive results so far.

In the meantime, due to these issues with mission-critical software, the Duke IT Security Office and OIT Device Engineering request that systems *not* be upgraded to macOS 11.0, waiting instead until the release of macOS 11.1. If you have already upgraded to macOS 11.0 and are experiencing difficulties with either of these applications, this is unfortunately to be expected as part of the “early adopter” experience.

Currently, our best advice is to not upgrade production devices to macOS 11.0, waiting at least until macOS 11.1 is released, and to install macOS 11.0 only on test devices. If you need assistance working around these issues, please reach out to OIT Device Engineering via the “Device Engineering – OIT” ServiceNow queue.

Thank you.


Windows 10 Pro 1809 EOL NEXT WEEK


While the presence of Windows 10 Pro variants on campus is low, it’s not zero. With that said, the various non-Enterprise flavors of Windows 10 1809 are going End-of-Life *next week* on November 10, 2020 (1). This is already a 180-day extension from the original EOL date of May 12, 2020. According to Planisphere, there are a large handful of devices (~20 or so) “on campus” that are running some flavor of Windows 10 Pro 1809 that should be upgraded to a newer version of Windows 10 Pro (or, better yet, “uplifted” to Windows 10 Enterprise using our MAK) as soon as possible.

Please check the status of your supported devices in Planisphere, perhaps by using the **recently added “OS Unsupported Date” column** that, when set to “14 days”, will show you any OSes you have that will fall out of support in the next two weeks (along with those that are already unsupported).

– Go to
– Select “Devices”, then select “Devices I Support” (if not already selected)
– Select “Columns”, then select “OS Unsupported Date”, then select “Apply Filters”
– Change the “OS Unsupported Date” column setting to “days”, then enter “14” in the box next to that, then select “Apply Filters” again
– Marvel at the wonders of technology!

As always, please let us know if you have any questions or issues by contacting (or or, submitting a request to our ServiceNow “Device Engineering-OIT” queue, or by discussing it with all of us at, depending on the nature of the question/issue.


(1) –

– John Straffin
Endpoint Security Liaison
Duke University OIT/ITSO


October Endpoint Management Meeting Transcript

John Straffin: Welcome, everybody, to the October Endpoint Management Meeting.

Gurpreet Hothi: Where are the cookies?

John Straffin: I got mine. Anybody else got theirs?

Gurpreet Hothi: I will go get mine.

John Straffin: You can come over and have some if you want, Gurpreet…

Gurpreet Hothi: Cool.

John Straffin: Windows patches… John Shaw is here so I’m going to pick on him a bit, since he shared information about this earlier in Teams. I don’t remember the exact threat model that was going on, but there is a particular critical patch available and the US CERT has said that you want to patch this right away. That was a week ago, and the ITSO agreed with them, so, if you haven’t already, please get those Microsoft patches in place, because there is one that is particularly pernicious. John? Do you have any details handy?

John Shaw: The research groups dubbed it as “Bad Neighbor” and it was a worm-able bug. I think it was in Windows 10 and Server as a remote code RC vulnerability. The domain controller threat was “ZeroLogon”, which we did get patched. We have no unpatched domain controllers, as far as I’m aware, from checking the CrowdStrike console, so thanks everybody for all the efforts on that.

John Straffin: If you check out the “All University IT” Team and search on “Bad Neighbor”, I believe John Shaw posted something there. That was the only notable item from the patches otherwise. Patch as you ordinarily do. I don’t know that we usually end up seeing a lot of patches not applied, so everybody seems to be doing a good job.

John Straffin: Tim or Al, who wants to go next?

Tim Smith: I can go. We’re going to update the Jamf servers. They’re coming out more and more and faster and faster with these upgrades. Jamf Pro version 10.25 was released. And then four days later they ran into an issue. Apparently, the server startup time after upgrading is taking quite a bit of time after some sort of database schema change on the mobile device installed applications table. And so they came out with a 10.25.1 version that corrected that. That’s all they say is they just fixed an issue with that.

John Straffin: You said it also came with some extras, right?

Tim Smith: Yeah, I’m looking at it now: two enhancements with the “point one” release, but it looks like it’s just more approved kernel extensions and privacy preference policy control additions that require Mac OS 11 or later. So it seems to me like they’re gearing up for the Big Sur upgrade with everything that’s coming out.

Tim Smith: So I’ve been postponing upgrading longer and longer just to wait for all the issues to get fixed, which is kind of funny because they release betas and a lot of customers sign up for the beta. You would think all that would kind of work out but apparently not because with the 10.25.1 release, they’ve already released a 10.26 beta for Jamf upgrade. I’m probably going to upgrade our test instance to 25.1 either today or tomorrow and, after seeing how that goes, I’ll probably do the production middle to end of next week. I will say some of the some of the features that are going to be coming out for iOS and Mac OS 11 kind of require Jamf Cloud and Azure AD. So, hopefully, we’ll soon be able to move Jamf into the cloud. That’s still in talks, it’s still being pushed, but it seems you know Jamf is doing the cloud-based feature first and then worrying about on-prem additions later. Hopefully, we can get up into the cloud sooner. I will say, though, with macOS 11, they’re doing an enhancement to the pre-stage enrollments. Hopefully—from the language that they’ve used—they’re doing an “auto-advance” feature which means using pre-stage, you can auto-advance all the way through the whole pre-stage setup, setup assistant, etc., and get right to the login screen. They don’t specifically say skipping the “MDM accept” screen, which is what I’m looking for because, if we can skip that screen, we can do remote wipes and reinstalls and let pre-stage do all the magic which would be fantastic for labs and so forth. I’d like to see how that works. And that, of course, requires Mac OS 11 to do the auto-advance, so, I’m sure, by the time everybody gets on Mac OS 11, we’ll hopefully be in Jamf Cloud and we’ll get all the rich features that come with that.

Tim Smith: I’ll probably send out an email tomorrow or beginning of next week about upgrading and all that kind of good stuff. That’s all I have.

Brad Arthur: I did have I did have one quick question for you, Tim. Maybe you’ve heard, but I have not heard any updates on this. I know, for a while, Jamf was saying that, if you were on Jamf Cloud, you were getting the new releases pretty much the microsecond they were available. With all these issues they’ve been having with their big number releases, are they backing down on the “You must get the upgrade immediately” premise?

Tim Smith: Well, that depends. If you’re a regular cloud customer, they put you on a scheduled upgrade. I think it’s like east coast, west coast, or wherever part of the world, right? And they kind of schedule those upgrades. But if you’re a premium cloud member, you can stop those automatic upgrades and you can determine or let them know when you want to upgrade, or upgrade yourself by a magic button or whatever. I’m not sure how that works. I’m in the Slack channel with the UNC system and I believe that they are on the regular scheduled upgrade because I’ve always seen them saying, “Hey, Jamf is upgrading our server at this time, on this date…look out for that”. I don’t know how that how that works if there is an issue. I have seen on Jamf Nation where, if there is an issue, they go ahead and say, “Okay, we’re upgrading again to that point release”, so they are pretty quick. I don’t think they’re saying “Alright… we’ve released in 25 and everybody gets it within a few minutes”. From what I’ve seen, there’s a schedule put in place by region for when those customers get upgraded in the cloud.

Brad Arthur: Okay, cool. Thank you.


John Straffin: No one else jumping in with a question for Tim, so it’s Al’s turn!

Alton Kearney: I just have a few items. Yesterday, I sent out an email about the new Windows 10 version, 20H2, made available in Configuration Manager for people who want to start testing that in deployments for their department. Soon we will make the 20H2 Feature Update available also. One of the advances, as the Windows versions continue to evolve, is the enablement packages which are much smaller and the upgrade process is a lot more lightweight. It may be more of a large monthly update: it would require a reboot, but it would be maybe 5 to 10 minutes as opposed to the 30 minutes that we were seeing for feature updates in the past.

Alton Kearney: I’m doing some work on the WSUS server. Once we get things working there, we will sync the 2004 update into Config Manager.

Alton Kearney: Also, we’re removing Windows 10 1809 and 1903 images from Config Manager. If you are referencing those in your task sequences, go ahead and update to at least 1909 in your task sequences. 2004 is out there, also, but I wouldn’t recommend that one as the support model is only 18 months. We’re recommending sticking with the fall releases.

John Straffin: Thankfully, if they actually keep to this naming schedule, we can simply say “H2” versus 09, 08, 07, or 10 or whatever it ends up being.

John Straffin: Somewhat related, I guess, apparently they’re doing something where they’re including the servicing stack updates in the cumulative updates now, to make that process easier from an update standpoint. Previously, you had to have the servicing stack upgraded before you tried to push any of the cumulative updates and if you didn’t have it done in that order, it wouldn’t take. Now they’re just bundling it together in one so that you don’t have to worry about the install order. It just works.

John Straffin: Anything else?

Alton Kearney: [Shakes his head, “No”.]

John Straffin: Something came up this week from OIT EIS and Steve Gray. Microsoft is dropping support for Office for Mac 2016, not just “we won’t fix or patch your software anymore”, but they are also not supporting its continuing to be able to talk to Office 365 and Microsoft 365. They have not said that they are breaking it, they’re just not supporting it. So, if any changes to the Office 365 infrastructure cause Office for Mac 2016 to have communications issues, it’s not going to be fixed.

John Straffin: That being said, Office for Mac 2016 isn’t supported anymore. It needs to be replaced. This is more than just “because it’s never being patched”. This is because it might just stop working from an email standpoint. I don’t know that we want to find out when that happens, suddenly having our users contacting us saying “my email doesn’t work anymore”.

John Straffin: We got a spreadsheet from OIT EIS of every Office for Mac useragent that is contacting our Office 365 instance, and there were 803 Office for Mac 2016, all of which are potentially at risk. Steve pointed out to me this morning that we don’t know how many of those might be home users versus Duke machines, there’s no way to tell. We just have a long list of email addresses and that’s one thing I really don’t feel like crunching…Oh, I think there’s an IdM tool that can help with that…maybe I will crunch that…

John Straffin: On the page that Microsoft has that speaks about Office for Mac 2016 EOL, they have a link for a license removal tool. Microsoft’s recommended course of action is to simply run the tool on the user’s machine which then causes Office to ask the user to log in. When they log in with their Duke credentials and check for updates—they would need to do that manually to have it happen right away, otherwise the Microsoft Update software will get around to it—it will go ahead and upgrade Office for Mac to the latest 2019 version from the 2016 version they’re running. No need to re-install any software; you simply yank the license, have them login (which is the new normal with Office 365: you use your user credentials to use one of your five licenses attached to your user on your computer), and the update process will update that. I just tested it on a laptop next to me here and that process took it, I believe, up to version 16.42 (2019) from the 16.16 (2016) version.

John Straffin: And Diane unmuted, which means she’s dying to say something. 🙂

Diane Scro: I was just gonna say that I haven’t actually tried it, but somebody else told me there’s not an easy way to search that in Jamf. Jamf doesn’t tell you the version. It’s just “Office”.

John Straffin: Okay…I do know that, if you recall, it was really weird, where Office 2016 is version 16.16 and lower and 2019 is 16.17 and higher…

Diane Scro: And you can’t get those version numbers in Jamf…it doesn’t give you that. Didn’t know if anybody knew of an easy way to identify.

John Straffin: We can do something to get that in there. I’m surprised it’s not pulling it as part of its inventory pull. Check Planisphere as well. I mean, it’s not going to do much for Smart Groups or larger reporting but, if you’re wondering about a particular machine, I know from BigFix, anyway, we’re definitely pulling the version number of the app itself, which should tell you the 16.42 or 16.16 or whatever it is.

Edward Mendoza Viera: Hey, can I say something?

John Straffin: I suppose…

Edward Mendoza Viera: Sorry. 🙂 I’m driving to campus. What I did was I created a Jamf Pro Smart Group looking for one of the Office apps—I think, in the one that I created, I was looking for Word—and I just used the “16.”numeration and it found me the 2016 versions. I can share more on that when I’m near the computer again. It seemed to work pretty well: we were able to identify six devices so it seems to be working.

John Straffin: And if you check the chat, John Carbuccia put together a video for folks to use Jamf Self Service to upgrade to macOS 10.14 and Office 2019 and there’s a Box link, so check that out. Thank you, John!

[CHAT: John Carbuccia: I made a 2 minute video for folks to use Self Service to upgrade to 10.14 & Office 2019. Here’s the link in case you’d like to use it: ]

John Straffin: The one thing I did note with mine: Once I yanked the license, logged in with my ID, checked for updates, and had it do the update check, the Microsoft Update tool still was throwing a little error-style comment about my applications. Even though it also said “up to date”, it still had the little yellow triangles and some red text until I rebooted. Once I rebooted, those were cleared. I don’t know what the Microsoft Update app was stuck on but it definitely updated to the latest version while still saying there were issues until I rebooted. The Microsoft Update software saw the same version, but didn’t say that there were issues any longer.

Diane Scro: Do you have the link for that thing that pulls out the license?

John Straffin: I can find it in short order, because, if I search on “Office for Mac 2016 EOL”, I believe it’s the first link you find. Of course it wasn’t the first link I found on that search…greaaaaaat.

[CHAT: John Straffin: ]

Alton Kearney: John has his hand raised.

John Straffin: Which John?

John Shaw: I feel like there was some conversation around the updated client, the new experience? Some folks were finding that, from a security perspective, the “Report a Phish to Duke” button was not necessarily clearly visible on the ribbon, but it is possible to customize the ribbon and add the “Report a Phish” button. I was looking to see if we had already made an update to the KB, but I just wanted to highlight that that, if we’re not finding that “Report a Phish” button, it is possible to customize the ribbon and add it back into clear view. Rather than having to click on the ellipses to find that button, you can just customize it so it stays on the ribbon.

John Straffin: Good catch, John. Thank you.

John Straffin: So, one thing to be aware of: in that particular support document (linked in Chat, above) at the very end there’s a section about Office 2016 for Mac license and point #1 is “download and run the license removal tool”. When I ran it, it ran just like any other Mac app, so there’s no reason we couldn’t be able to put that into some sort of policy if we wanted to do that centrally, but there is user interaction required. So, this may be something that, like John Carbuccia is pointing out, we strictly want to do through Jamf Self Service so the user is aware of what’s going on and they know that they need to take further steps.

John Straffin: I didn’t run any numbers…how’s the fight against unsupported operating systems going? Anyone have any successes to share? Or woes of finding 23 more machines got kicked off the network by surprise?

John Straffin: No one wants to own up. Okay, that was boring.

Diane Scro: If we ignore it, it’ll go away, right? 🙂

John Straffin: No! It would not go away! 🙂

Dan Cantrell: I’ll jump in with a little bit of an issue on the Health System side, pushing out the NAC changes. We had some people drop off the network, just briefly, but not too many issues from our side because so many people work remotely.

John Straffin: One thing that is both a benefit and a hindrance somewhat in that these machines that are potentially being quarantined aren’t on Duke’s network anyway, so they’re not noticing at all. It gives us some wiggle room, definitely, but please do not take that as a “pause” button. It’s just a “slow down a little bit” button, possibly, but we definitely still want to keep going and getting these taken care of, whether they’re on campus or not.

John Straffin: And with that, that’s all I had on my list of things to talk about. Anyone have anything of interest that they want to share or ask, and…I see Diane!

Diane Scro: Well, you’re not gonna like it.

John Straffin: Go ahead.

Diane Scro: When are you gonna do some training for Planisphere?

John Straffin: That’s for next month. And I said it out loud, so now it has to be!

Diane Scro: Okay. It just would be nice.

Blaine Ott: Isn’t this security month? Shouldn’t it have been done this month?

John Straffin: I’m gonna mute Blaine.

Quincy Garbutt: Whatever training you do for Planisphere, hopefully it’ll be recorded. If folks can’t attend, they can go back and see that.

John Straffin: Nah… it’s going to be in-person only. We’re going to get a great big hall and everybody sits six feet apart.

Quincy Garbutt: That’s awesome. And you can be that super spreader. I’ll pass on that.

John Straffin: Fantastic! No… we’ll definitely have it on Zoom and have it recorded as well.

Quincy Garbutt: Alright, thanks.

John Straffin: Guess I know what I’m doing on vacation next week: writing training.

Quincy Garbutt: Well, you didn’t say how early in the month. Granted, November’s a short month…

John Straffin: Okay, so, on Black Friday, I’m going to be running the training.

Quincy Garbutt: Okay.

John Straffin: Blaine, there’s nothing BigFix to chat about is there. I haven’t noticed anything…

Blaine Ott: Not that I’m aware of.

Edward Mendoza Viera: Can I ask something to the group?

John Straffin: Sure! Please do!

Edward Mendoza Viera: Has anybody had issues with the VPN client, after the upgrade? We had quite a bit, but I’m not aware of what everybody else looks like.

George Bowen: It just automatically updated, didn’t it?

John Straffin: It automatically updated, but what Edward and I and some others were seeing was that, for older operating systems like Windows 7 and even some older Windows 10 versions, the automatic update process was uninstalling the old client and then failing to reinstall the new clients. You were left with a machine with no VPN client installed. There appears to be a registry key that is set as part of the process. Edward, do we have any idea if that key was set already or is that being sent by the process?

Edward Mendoza Viera: I meant to go back and look to see if the key is already there with the client running or not. I checked on my machine but I’m running Windows 10 2004 so I don’t have that key in my registry. We did find a number of fixes and I think one that worked a little better was cleaning up the registry of some of those registry keys that the client puts there with the drivers. I think that seems to be the fix that actually works a little better than the rest of them that we outlined on that message [posted to Teams earlier in the week].

John Straffin: Okay. I was gonna also ask Edward in a longer question: what we were seeing from a Windows 10 standpoint, was that versions that were supposed to be out of support already, but had support extensions, were actually still having problems. We were supposing that it was Cisco saying “if you’re running an unsupported operating system, we’re not installing the agent”. But then we made those registry fixes and it seemed to work. Not that I want this to actually work on Windows 7, but for people who are actually seeing this issue on Windows 7, do we know if the registry key fixes that, as well?

Edward Mendoza Viera: To be honest, I haven’t had any Windows 7 machines that we support that I can play with.

John Straffin: Honestly, I don’t really want to test it, because I don’t care if it works on Windows 7 because Windows 7 isn’t supported anymore and it should be running anywhere.

Edward Mendoza Viera: The interesting thing is that, from looking at the reporting, we did have clients on 1803 and 1809 that received the updates and updated fine. I think, from the numbers that we crunched, about 5% of them were failing and then, from those 5%, maybe 1% or 2% were having another issue where nothing that we tried was allowing us to install the VPN client.

John Straffin: Edward, where did you share that information that I saw where you outlined what you had tried and Kim had tried, etc.?

Edward Mendoza Viera: I was in the “All University IT” Teams channel. [LINK]

John Straffin: So, everybody can check for that there if you’re having issues with VPN clients auto updating. There’s a list of possible solutions that George and Kim and Edward from CDSS all came up with (on their own, I believe) and they all seem to work with varying degrees of success. So there’s multiple ways you can try to get this taken care of.

John Carbuccia: This may be unrelated or not relevant, but I’m using the Big Sur beta version and I have Outlook installed on it and the new Outlook button that appears on my Catalina version of the OS does not show up on the…never mind. It’s there now.

John Straffin: I’m glad I could help, John. You’re welcome. 🙂

John Carbuccia: I swear it wasn’t there a minute ago!

John Straffin: Are we talking about the fish button or…?

John Carbuccia: No, no, the new Outlook button. Yeah, the fishing button is not there, and you had to add it to the toolbar like Edward said.

John Straffin: I would love to find out if that can be scripted some way because we really need to make sure that it’s front and center for everybody, instead of just something they need to go find. Wonder if that’s in a plist or something.

Quincy Garbutt: We had an interesting fish that popped up the other day that was mimicking an executive here at Duke indicating “hey can you send me … can you text me your number please?”. And I promptly told my constituents “please go ahead and report that”…

John Straffin: Yes, please.

Quincy Garbutt: ..and then someone did see it actually disappear from their inbox and they’re like, “hey, we saw it and it disappeared”. I said “that’s what should happen”.

John Straffin: Yes, yes! If you weren’t aware, it’s part of a new hire orientation presentation that the IT Security Office does every two weeks for new hires coming in, but when you submit that using the “Report Phish to Duke” button and it’s found to be a phish, it doesn’t just delete it from your mailbox. It deletes it from every single Duke mailbox that message is also in. These phishing attacks are rarely if ever single emails to single individuals. There are dozens, if not hundreds, of emails sent to try to snag as many people as possible. And when even one person submits that to “Report a Phish to Duke” and it gets judged to be malicious, every single one of those copies ends up disappearing from people’s mailboxes. So, as I say in the presentation, you’re not just protecting yourself; you’re helping to protect all of Duke.

Quincy Garbutt: Exactly.

Diane Scro: That is cool. I didn’t know that. Our users, we really push them to use the web version of Outlook and the button is always…you can do the same thing, you can put the button on the top. But if Duke has added that button into the web version, it seems like they should somehow be able to push it up to the top.

John Straffin: You would think so. I think that’s just the limits of what we can do with the web based UI versus local UIs.

Diane Scro: I have created instructions for users to put it up the top but you know users. They don’t care.

John Shaw: Can I add something? Just to point out: Microsoft also has a button that leverages their anti-spam/anti-phishing services that we’re not using, so for users that do report using that, they’ll get a message back that says to kindly use the appropriate button, which is the “Report a Phish to Duke” button. So just to throw that out there as well that there is some confusion for those that are using the web, I believe, if I’m not mistaken; to Diane’s point, though, you have to scroll past the Microsoft button to get to the Duke button, if you will.

Diane Scro: Yes, that’s true. That’s why I was like, “can’t we move it up at least?”.

John Shaw: And I believe we’ve had conversations with OIT EIS, with Jeremy Hopkins and if we could, I believe we would have definitely, to your point, done that.

John Straffin: So, possibly Diane, maybe we need to take your instructions and make them a little more widely available to say “everybody should do this”.

Diane Scro: Yeah, I think I actually found it in a KB article or something. But then I put it in our Wiki. I can get a copy out to you.

John Straffin: That’d be awesome.

John Straffin: Is that what John Shaw just pasted into the chat?

[CHAT: John Shaw: KB0031840 – ]

John Shaw: I’m not sure if that’s one Diane’s referring to, but…

Diane Scro: Yes, this is the KB article that I found. And then I had rewritten it just sent an HR user. So yeah, this is perfect, because people don’t realize…

John Straffin: What I like in the actual knowledge base article, if you’re looking at the “Outlook on the Web” part, it shows you how long that huge menu is and right under the “Mark as Phishing” that you’re not supposed to use, it gives you the option to “Block Jeremy Hopkins”. I need that option in my mail. 🙂 Yeah definitely need to add that to the ribbon.

John Straffin: Very cool, thank you John and Diane!


John Straffin: Hearing nothing else…

John Straffin: Alright, I think that’s it then. If no one else has any other questions, we can certainly give you a whole bunch of your day back. Enjoy everyone! Let’s get (particularly) that Bad Neighbor patch pushed out. Let’s check for those Office for Mac 2016 installs and take care of those before they become a problem instead of waiting for them to be a problem. And as always, unsupported operating systems are evil and need to go.

[CHAT: Patrick Daniels: Any new advancements to talk about re Duke Unlock? ]

Alton Kearney: Hey, Patrick just pasted something in the chat about Duke Unlock. I know the ITSO people are here. I don’t know if anyone wants to give any update on that.

John Straffin: Someone can correct me. I know with the improvements in iOS 14 it now works on the iPhones. And are we expecting… does it work on the latest Catalina or is that going to work in Big Sur?

Nick Tripp: Big Sur. It requires Big Sur.

John Straffin: That’s what I thought.

Nick Tripp: That’s Apple’s decision, not ours, unfortunately.

John Shaw: And, John, to your point about as long as you’ve upgraded to iOS 14 and higher: It also requires that the iPhone has Face ID or Touch ID.

[CHAT: John Shaw: – iOS (14+) with Touch ID or Face ID enabled, running Safari ]

John Straffin: I can’t use my old iPhone 6?

John Carbuccia: I was trying to configure some new computers for folks a week or two ago here in Trinity and I was trying to configure this unlock with face ID and/or fingerprint and I got a message across the top that said “this feature is being controlled by your administrator”. Is that something that Duke is doing as a whole or just Trinity?

John Straffin: On what platform?

John Carbuccia: Windows. Windows 10 face unlock and fingerprint would not work at all.

John Straffin: What you’re falling afoul of is that Microsoft made the, in my opinion, wise, maybe?… better than worst? decision that once a Windows computer is joined to the domain, the Windows Hello stuff, the Windows biometrics, is disabled by default. They’re expecting that, if you’re part of a domain, that decision is likely being made at a domain level. You don’t have to do it at a domain level, though. You can go into the local security policy and make the necessary changes to have it be effective. But whereas ordinarily it’s simply disabled if you haven’t enabled it, adding a machine to a domain automatically disables that function unless it’s enabled through a policy. It can be local policy or a central policy. So there’s no Duke central policy turning it off; it’s Microsoft turning it off if you’re on a domain, because they’re expecting you to turn it on by policy if you’re in a domain.

John Carbuccia: So then that means Windows Hello… I mean, I’m sorry, “unlock” and Duke Unlock will not work on Windows devices unless the domain policy has been modified.

John Straffin: Again, you can make that policy change locally on the computer. And very, very little if anything is actually done from a central domain policy standpoint, simply because not everybody necessarily wants that kind of thing enabled. So, it’s definitely on an OU by OU, IT group by IT group basis to either enable that locally on the machines that need that capability or to put in a group policy that enables it on all of the machines in their OUs.

John Carbuccia: So, since Trinity’s merging with OIT, anyone have any input on that from OIT as far as globally enabling it?

Patrick Daniels: John, the policies can be put together in a really quick script that you can run lots of different ways to do that. I’ll find the note here and send that to you.

Edward Mendoza Viera’s child: La la la la la la la la la…

John Straffin: That was awesome.

Patrick Daniels: I like the way Edward sounds, now. That was really good.

John Straffin: Forward that to me, too, Patrick, because if we don’t already have one—I think we may, but if we don’t have one—we’ll make a central policy that’s not going to be applied globally, but you can use that central policy on your own OUs to put that in place on all the machines you have that are in the domain.

Blaine Ott: And I think I’ll speak for Trinity that we probably will not apply that globally to Trinity. I think that’s a local setting that you should set on a machine by machine basis.

Edward Mendoza Viera: I was gonna say that CDSS did some testing a while back and we did develop a Group Policy. We actually enabled it on all of our devices already since a couple months back. Maybe March, actually. So, John, if you want I can give you the policy we created…

John Straffin: Yeah, we’ll check that out. We’ll talk about it offline. Thank you.

[CHAT: Patrick Daniels:  There are about three local security policies that have to be turned on. ]

John Straffin: SLG was cancelled and Nick was asked if there were any security issues. He says [from chat] “No major security news to share on the endpoint front. In a holding pattern waiting for the macOS 11 release. Hoping to have some Planisphere news before the end of the year.”

Patrick Daniels: Regarding macOS 11, are people feeling confident that that’s going to be something that can be upgraded to pretty much straight out of the gate, or are people anticipating delaying again?

John Straffin: Who all is messing with the beta to speak to its effectiveness in our environment? I just saw Brad and Dan unmute…go, guys.

Brad Arthur: So the testing I’ve done so far has been kind of hit or miss. Some of the beta releases have worked really, really well. Others have been absolute nightmares and there’s no rhyme or reason with that. But the ones that work well do work quite well. If we can get lucky and they incorporate those features into the final release, I think we can jump to it fairly quickly.

Dan Cantrell: Yep, that’s a great summary I totally agree. That’s what I’m seeing too.

John Straffin: So a definite maybe from both of you.

Dan Cantrell: We’ll know within the first two weeks of the official GM.

Patrick Daniels: So, I guess the question that I have is when it immediately gets released and we have a rash of professors asking to upgrade, are we doing our standard “postpone until it’s been cleared”?

Brad Arthur: So, for our site in Jamf, I do already have a block in place for Big Sur just to prevent people from leaping on day one, but I think the way Apple’s been going, we’re going to have to turn it loose pretty quickly, because, even for versions of iMovie and Final Cut, they’re requiring not just the latest big release, but the latest point release as well, in order to run properly. So, I think, Apple’s forcing our hands more and more on that now.

Patrick Daniels: And I don’t mind that. But I guess I’m looking for more of a united “okay guys, it’s opened up” so that we’re not fighting different fires in different locations.

John Straffin: I honestly think it’s going to be up to those who have experience with it to make that decision for the departments they support, and it may be that we even need to take into account the individual user’s skill level. Things are definitely changing; do we want to plop macOS 11 right down on a person that is less comfortable with change like that, without having a better understanding of how those changes are going to affect workflows and user experience?

Patrick Daniels: So the reason I’m asking this is because we delayed on Catalina, and that creates all sorts of follow up repercussions in terms of the timing for upgrades.

John Straffin: Well, the Catalina delays were because certain apps just weren’t working anymore, wasn’t it? It wasn’t just things are different, wah-wah.

Brad Arthur: It was the app issues and also some general stability issues we were seeing with the earlier builds of it.

John Straffin: Are those app issues resolved on Catalina, or are they expected to still be there, or have they been fixed on Big Sur?

Brad Arthur: Well, I mean, the app issues, the core compatibility issues are all fixed now. The problems we’re still running into are professors who are still running versions of Netscape on their systems, that can’t use it on Catalina.

John Straffin: Please tell me you’re kidding.

Brad Arthur: Ahhh…sort of.

John Straffin: Nice.

Patrick Daniels: I’ve still got Netscape running on my Windows 95 machine.

John Straffin: I still actually have a Quarterdeck Mosaic floppy.

Dan Cantrell: I’ll just chime in. I think the timing we expect with macOS 11 is going to be the latter half of November, since the rumors right now are there’s a November 17th planned or expected macOS announcement. So, if you look at that timing, with Thanksgiving and finals, I think on the University side, it’s easiest just to tell everybody “do not upgrade until after finals” and then that’s only two weeks.

Patrick Daniels: Yeah. And then after Thanksgiving, they’ll have free time on their hands and can destroy their machines…

Dan Cantrell: Exactly right. So, I think the messaging could be really clear in that way.

John Straffin: I think the messaging should be really clear in that “This is still 2020…do you really want to upgrade your OS this year?”. You could just wait until January 1 and do it then.

Dan Cantrell: And it is the 64-bit jump. So yes, any really old software may, well, will not work. So, if people are doing a three-version jump, that means rebuying software in some cases, which people are highly averse to, so that solves itself: they won’t upgrade.

Blaine Ott: That requires a lot of forethought, to recognize, “Oh wait, you mean these applications don’t work now that I’ve upgraded already?”.

Dan Cantrell: Exactly.

Brad Arthur: And I will say for Linux people out there, Big Sur has a very Gnome-like feel to it, so might get some converts there.

Patrick Daniels: Does Big Sur do the same thing as Catalina, sort of giving a summary of the things that didn’t make the upgrade when you do it?

Brad Arthur: I’ve had one release that didn’t do it when I tested it, but the rest of them have all prompted me for incompatible software/possible issues.

Patrick Daniels: So we’re expecting that to be in a final release, then?

Brad Arthur: You would hope so.

Patrick Daniels: I do.

Kelli Snyder: Patrick?

Patrick Daniels: Yes?

Kelli Snyder: You asked where to download the Security background?

Patrick Daniels: Yes, and John [Shaw] sent that to me. I grabbed it from the bottom of the page, nice high resolution.

Kelli Snyder: Okay. I just shared the link with everyone.

[CHAT: Kelli Snyder: ]

Patrick Daniels: Thank you.

Kelli Snyder: You’re welcome.

Patrick Daniels: I’m kind of disappointed. There’s not a pumpkin in it somewhere.

John Straffin: There is. It’s right behind the middle, you can’t see it.

Patrick Daniels: It’s up in the bell tower somewhere.


John Straffin: I guess to try to inspire more questions. I just need to say we’re going to go again. So…

Blaine Ott: You want to announce Planisphere is going offline this afternoon? Any change in that plan?

John Straffin: No, there’s no change in that; it’s being migrated from one platform to another. So it’s going to necessarily be out of service for, I think, a two hour window, but it should take less than that.

Blaine Ott: I have 2:00 to 4:00 on my calendar.

John Straffin: I believe Sean said it shouldn’t take the full two hours, but, of course, with anything like that, you want to allow for issues and the resolution of those issues in the window.

John Straffin: Has anybody playing with the Big Sur beta tossed BigFix on it and seen it reporting correctly? Or Blaine, are we seeing macOS 11 betas in the console? I know Jamf Pro wasn’t, but is now capable of handling Big Sur.

Blaine Ott: I have not looked recently, but I can look real quick here now.

John Straffin: I have a slate of test MacBooks next to me and, unfortunately, they are all old enough that the Big Sur installer says nuh-uh, ain’t gonna happen. So I can’t really test Big Sur on those. Tried doing it in a VM and that was just unpleasant.

Blaine Ott: I see three “10.16”s

John Straffin: Awesome.

Blaine Ott: Is that what we’re looking for?

John Straffin: So, wait a minute…It reports internally as being 10.16 but it’s being called 11?

Dan Cantrell: Both. It’s used in various places as either.

Blaine Ott: That’s why I assumed it was 10.16, and then somebody said, “No, no, it’s 11.” I’m like, “that’s not…”

John Straffin: Not according to the version numbers inside the software!

John Straffin: Great. I’ll take that as indication that BigFix is ready to go with it, too.

Blaine Ott: I’m not sure that those are fresh, and, based on the machine names, I’m guessing a couple of those at least are upgraded machines, so that may or may not make a difference.

John Carbuccia: Do you see mine in there? It’s 239ML?

Blaine Ott: No, I see FHI-9020 with you logged in.

John Carbuccia: [glances down towards the floor]

John Straffin: As John says, “oh, there’s that machine, down there!”

Blaine Ott: I see Tom with a machine from September from TTS-190265ML.

Blaine Ott: And CDSS-5092, is that George?

John Straffin: George is shaking his head “no” but I think he’s lying to us…

Blaine Ott: Who’s Hernandez?

John Straffin: Ha ha ha! I’ll tell you what, I’ll tell you about Hernandez later.

Blaine Ott: Okay. We are being recorded, so, you know…

John Straffin: Yeah, exactly. And I did do the cloud recording with transcription, so that should be working now and we should have a transcript out post-haste. And THAT being said, I’m finally going to put this meeting out of its misery. Thank you everybody for joining. If you have any other questions, feel free to shoot them to the endpoints list. If you have any sort of support issues, feel free to send it to or See ya!

Everybody: [Bye!]

John Straffin: I love how people who haven’t talked the whole time unmute just to say “bye!”

Alton Kearney: Okay. Time for the real meeting, now.

John Straffin: Exactly…The Shadow Cabinet is meeting.

Kelli Snyder: [giggles]

John Shaw: The post-meeting-meeting? Are you still recording this, John?

Blaine Ott: I was gonna say, is this where we turn off the recording?

Posted in Uncategorized | Comments Off on October Endpoint Management Meeting Transcript

Malwarebytes Incident Response now available!

As mentioned in the last Endpoint Management Meeting, an officially licensed version of Malwarebytes is now available for use. The Malwarebytes Incident Response product is a different experience than the freely-downloadable home-use product, but we are already scanning and cleaning almost 800 endpoints and have seen plenty of malware being removed. Please see the Malwarebytes IR page on this site and the Endpoints wiki for more information.


Windows 7/2008/R2 quarantines to start NEXT WEEK

With only one week until Microsoft releases patches that are *not* freely available to Windows 7/2008/R2 devices, there are still plenty of managed devices running these operating systems at Duke. As seen by Planisphere in the last 24 hours, there are:

302 Windows 7 devices with an assigned Support Group (of which only FOUR have Quarantine Exemptions)
51 Windows 2008/R2 devices with an assigned Support Group (of which only TWO have Quarantine Exemptions)

Please do not wait until next week! Make any requests for Quarantine Exemptions (along with the date by which you expect to have these devices remediated or retired) to the IT Security Office as soon as possible. The best way to do this is to submit a ServiceNow Request to “Security-University” with as much information as you can give. This also applies to devices that cannot be migrated and will need to have long-term compensating measures put in place. Do not assume a previous conversation or e-mail thread is enough; if you do *not* see that your non-upgradable legacy device has been granted a Quarantine Exemption in Planisphere, submit a ServiceNow Request for it to receive a Quarantine Exemption as soon as possible.


Duke University Unsupported OS Quarantine UPDATE

(tl;dr: Windows 7/2008/R2 quarantines delayed to February 11, 2020. Pre-existing EOL OS quarantines to start July 31, 2020. We still have a lot of work ahead.)

Instead of the previously announced date of January 30, 2020, quarantines of Windows 7/2008/R2 devices from the Duke University network will now begin on *February 11, 2020*. This rescheduling is based on two factors:

  1. The true threat to Windows 7/2008/R2 will come on the “Patch Tuesday” *after* the EOL date for the OSes, which is this next “Patch Tuesday” on February 11. It is at this time, when Microsoft ostensibly releases patches that affect vulnerabilities in *supported* versions of Windows, that individuals will then look for the same vulnerabilities in *unsupported* versions of Windows, likely finding that some do indeed exist and can be exploited.
  2. The previous ITSO policy regarding quarantines of Windows XP/2003/R2 from the Duke University network was scheduled using this same logic.

Please note that the ITSO reserves the right to immediately quarantine devices running unsupported operating systems if a vulnerability of significant severity is announced before the scheduled quarantine date.

In addition, as hinted at previously, quarantines for operating systems that have already reached EOL (but had not been widely discussed) will start on July 31, 2020. This allows six months to plan and remediate these older unsupported operating systems over summer before the Fall Semester starts in August.

As promised in last week’s Endpoint Management Meeting, below is the information from the slide presentation with numbers and dates for both currently and soon-to-be unsupported operating systems on the Duke University network. The numbers are from January 16, but they likely haven’t changed much since then (in fact, due to reporting changes, some have gone *up*!). We’ve cleaned up a few discrepancies and added quarantine dates to the slide information.

Unsupported Operating Systems
It’s worse than you think. O_O

Unsupported NOW (Quarantine Date: February 11, 2020)
– 558 Windows 7 devices
– 97 Windows Server 2008/R2 devices
– Viewable as “running an unsupported Operating System” in your Planisphere Dashboard right now.

ALSO Unsupported NOW (Quarantine Date: July 31, 2020)
– 10 Windows XP/Vista devices
– 98 Fed29/RHEL5/Deb8/Ubu14 and older
– 262 Windows 10 (1511), (1607), (1703), Home/Pro (1709), Home/Pro (1803)
– 1035 macOS 10.12 and older
– ALSO viewable as “running an unsupported Operating System” in your Planisphere Dashboard right now.

Unsupported in 2020 (Quarantine Date: Approximately 30 Days After EOL)
– 281 Windows 10 Enterprise (1709) (14 April, Quarantine: 12 May)
– 160 Windows 10 Home/Pro (1809) (12 May, Quarantine: 9 June)
– 1036 macOS 10.13 (End of September-ish, Quarantine: End of October-ish)
– 2090 Windows 10 Enterprise (1803) (10 November, Quarantine: 8 December)
– 785 Windows 10 Ent/Home/Pro (1903) (8 December, Quarantine: 12 January 2021)
– ALL THE LINUX 6s!!! (763) (30 November, Quarantine: 31 December)

Unsupported in 2021 (Quarantine Date: Approximately 30 Days After EOL)
– 2916 Windows 10 Enterprise (1809) (11 May)
– 94 Windows 10 Home/Pro (1909) (Also 11 May)
– 74 Ubuntu 16.04 (25 April)
– 3058 macOS 10.14 (End of September-ish)

So, What NOW?!
– Finish Windows 7/2008/R2 efforts
– Start “catch-up” efforts with older OSes
– ALSO Start on Win10 (1709), macOS 10.13, Linux 6
– BE READY to keep this up. Windows and macOS OSes should be upgraded EVERY TWO YEARS.
– With Windows XX09 builds on a 30-month support cycle and macOS on a 36-month support cycle–both starting in or around early October–IT groups should get used to upgrading 27-month-old OSes starting in January. Whether IT groups install the new 3-month-old OS (allowing for a two-year refresh cycle) or the tested 15-month-old OS (requiring a one-year refresh cycle) is up to them. Participating in the Apple Beta program or Windows Insider program can give IT groups time to test *before* the new OS is released.
– ALL Windows 10 Home/Pro builds have an 18-month support cycle. ALL Windows 10 Enterprise XX03 builds have an 18-month support cycle. Unless IT groups are prepared to commit to a one-year refresh cycle for even a subset of their devices, *nobody* should be installing (or leaving installed) Windows 10 Home/Pro or Windows 10 Enterprise XX03 builds in general production.
– We’re working on a way to get “warning” information in Planisphere, but in the meantime, please reference the above schedule, which shouldn’t change much if at all.
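As an added example (not Duke, ITSO or Planisphere code), the Python script below turns the scheduling rule above into a small planner: it derives each build’s quarantine date from its EOL date and classifies a constructed inventory as of a chosen day. The EOL table, the invented hostnames and the end-of-following-month rule for macOS and Linux are assumptions read off this post’s schedule.

```python
"""Quarantine-date planner for the unsupported-OS schedule above.

Added example, not ITSO or Planisphere tooling. Windows builds reach EOL on a
Patch Tuesday and are quarantined on the next month's Patch Tuesday (about 30
days later), as the post describes; for macOS and Linux an end-of-following-
month rule is assumed from the schedule (30 November -> 31 December).
"""
import calendar
from datetime import date
from typing import Dict, List, Tuple, Union

# (platform, EOL date) per build. Windows dates are the Patch Tuesdays listed in
# the post; macOS 10.13 uses an assumed 30 September for "end of September-ish".
EOL_TABLE: Dict[str, Tuple[str, date]] = {
    "Windows 7":                  ("windows", date(2020, 1, 14)),
    "Windows 10 Enterprise 1709": ("windows", date(2020, 4, 14)),
    "Windows 10 Enterprise 1903": ("windows", date(2020, 12, 8)),
    "RHEL 6":                     ("linux",   date(2020, 11, 30)),
    "macOS 10.13":                ("macos",   date(2020, 9, 30)),
}
URGENCY = {"QUARANTINED": 0, "UNSUPPORTED": 1, "EOL-SOON": 2, "OK": 3}

def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the month, Microsoft's regular update day."""
    first_weekday = calendar.monthrange(year, month)[0]        # Monday == 0
    first_tuesday = 1 + (calendar.TUESDAY - first_weekday) % 7
    return date(year, month, first_tuesday + 7)

def quarantine_date(eol: date, platform: str) -> date:
    """Quarantine date implied by the post's schedule for a given EOL date."""
    year, month = (eol.year + 1, 1) if eol.month == 12 else (eol.year, eol.month + 1)
    if platform == "windows":
        return patch_tuesday(year, month)
    return date(year, month, calendar.monthrange(year, month)[1])  # last day of month

def classify(os_name: str, today: Union[date, str], warn_days: int = 90) -> Dict[str, str]:
    """Status of one OS build as of `today` (a date or an ISO-8601 string)."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    platform, eol = EOL_TABLE[os_name]
    quarantine = quarantine_date(eol, platform)
    if today >= quarantine:
        status = "QUARANTINED"
    elif today >= eol:
        status = "UNSUPPORTED"          # no more patches; quarantine pending
    elif (eol - today).days <= warn_days:
        status = "EOL-SOON"             # inside the planning window
    else:
        status = "OK"
    return {"status": status, "eol": eol.isoformat(),
            "quarantine": quarantine.isoformat()}

def plan(inventory: List[Dict[str, str]], today: Union[date, str]) -> List[Dict[str, str]]:
    """Classify every device; most urgent rows first, then by quarantine date."""
    rows = [{**dev, **classify(dev["os"], today)} for dev in inventory]
    return sorted(rows, key=lambda r: (URGENCY[r["status"]], r["quarantine"]))

# Constructed sample inventory; hostnames and support groups are invented.
INVENTORY = [
    {"host": "DEPT-A-0001", "group": "Dept A", "os": "Windows 7"},
    {"host": "DEPT-B-0042", "group": "Dept B", "os": "Windows 10 Enterprise 1709"},
    {"host": "DEPT-C-0007", "group": "Dept C", "os": "macOS 10.13"},
    {"host": "lab-web-03",  "group": "Dept A", "os": "RHEL 6"},
    {"host": "DEPT-B-0099", "group": "Dept B", "os": "Windows 10 Enterprise 1903"},
]

if __name__ == "__main__":
    for r in plan(INVENTORY, "2020-03-01"):
        print(f'{r["status"]:<12} {r["host"]:<12} {r["os"]:<28} '
              f'EOL {r["eol"]}  quarantine {r["quarantine"]}')
```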

Thanks! Let us know if you have any questions or concerns.


AppleCare OS Support at Duke

Did you know that Duke University has an AppleCare OS Support Select Agreement? We do! In addition to handling requests related to macOS, iOS and other products, Apple will work through this agreement to resolve issues related to Apple deployments managed via our Jamf Pro instance as well. A brief overview of the program details as well as the methods for getting tickets submitted can be found at the Duke Endpoints wiki.


To LTSB or not to LTSB? It depends…

Effective use of Windows 10 Enterprise LTSB will depend on your specific needs and the needs of your users.

With the release of Windows 10 in 2015, Microsoft introduced a new sub-edition of Windows 10 Enterprise called “Long Term Servicing Branch” or “LTSB”. Each release of Windows 10 Enterprise LTSB will remain relatively unchanged–receiving only security updates and bug fixes, but no feature updates–through a 10-year lifespan.

To date, Microsoft has delivered two releases of Windows 10 Enterprise LTSB (2015 and 2016) with the next expected in 2019. While, according to Microsoft, LTSB was “designed for special-purpose PCs such as those used in point-of-sale systems or controlling factory or medical equipment”, some in IT have deployed it to common end-user computers, citing the benefit of having no Windows Store apps (which includes Microsoft Edge and Cortana) and no semi-annual feature updates to deal with.

However, recent articles and an updated Microsoft FAQ point out that, as released versions of Windows 10 Enterprise LTSB will not receive newer features, they will also not be supported on newer computer processors (such as Intel’s eighth-generation “Kaby Lake Refresh” architecture, released in August 2017). This introduces a potential downside to deploying LTSB, but it’s not a new concept: both Windows 7 and Windows 8.1, both still fully supported by Microsoft on older hardware, are only partially supported on Intel’s sixth-generation “Skylake” processors and are not supported on the seventh-generation “Kaby Lake” processors.

So, should we be deploying Windows 10 Enterprise LTSB here at Duke? That’s a question each group will have to answer for themselves. There are no security reasons to not deploy LTSB. There are no system management reasons to not deploy LTSB. There are only functionality and hardware requirements to be considered, and those requirements will be different from department to department and, in some cases, from user to user.

You should not deploy Windows 10 Enterprise 2016 LTSB if…

  • …the user requires Windows Store apps (which includes Microsoft Edge and Cortana).
  • …the user requires core Windows 10 functionality that’s been introduced since the latest LTSB release (Windows Subsystem for Linux, for example).
  • …the user has a new computer running on an Intel eighth-generation “Kaby Lake Refresh” or newer processor.
  • …your environment requires that all computers be running the exact same operating system.

You might want to consider deploying Windows 10 Enterprise 2016 LTSB if…

  • …none of the previously stated requirements apply to your users or your environment.
  • …you would like to completely opt out of Microsoft’s “Windows as a service” twice-per-year feature upgrade cycle.
  • …you would like to opt out of the optional Windows Store software pre-loaded onto other Windows 10 editions.
  • …you can support having multiple editions of Windows 10 in production on newer hardware.

With Windows 10 Enterprise 2016 LTSB, Microsoft provides a more stable and business-like environment, but at the expense of cutting-edge functionality and compatibility. Whether or not LTSB is right for you and your users is for you to decide. For some (like the author), the benefits outweigh the cost.
