March 20, 2017

Techno Bits vol. 97: Your Imaging Workflow Is Probably On Fire

I'm saying this mostly for myself, but today is the Equinox, and if you're in the Northern Hemisphere that means it's now officially Spring, and sunlight hours are now longer than 12 hours per day. This means I beat another winter back, beat another dark period back, and it's time to get to the work of enjoying the sunny half of the year.

A couple of big projects are underway here at Technolutionary. We're moving a creative department from 10.11.6/CC 2015 to 10.12.3/CC 2017, and that's been using a lot of my bandwidth as we deploy the applications for the first time, and get the design staff used to the new workflow options available to them through Creative Cloud. In addition, we're preparing for another new season at Merriweather Post Pavilion, and we're now down to the last three weeks. We're finally replacing the last of our 5-year-old APs with modern APs, which means we can upgrade the firmware across the organization, which is exciting for a couple of reasons, least of all performance increases in the more recent builds.

The Big News: MDM + Munki

At least two MDM vendors are going to be supporting the `InstallApplication` verb in the MDM Specification for the Mac. Why does this matter? As Apple encourages the adoption of MDM and DEP together for configuring user machines, the Munki community (and for that matter, the Puppet and Chef communities) saw a path forward that didn't include our favorite open source software installation agent.

Enter SimpleMDM's revelation that they will support installing your Munki agent. Couple that with the ability to use profile management services to establish the necessary preference keys for Munki to run, and you have the ability to deploy a DEP-enrolled machine to a user as part of a no-image workflow.
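The profile half of that workflow, as an added example that is not SimpleMDM's or Munki's own code: it builds a configuration profile carrying Munki's `SoftwareRepoURL` and `ClientIdentifier` keys, and audits an existing profile for a repository URL that is not HTTPS. The repository host, `org_id`, the function names, and the choice to deliver the keys in a payload typed as the `ManagedInstalls` domain are assumptions.

```python
import plistlib
import uuid
from urllib.parse import urlparse

MUNKI_DOMAIN = "ManagedInstalls"  # Munki's preference domain


def repo_url_problem(url):
    """Return a reason the repo URL is unsafe, or None if it is acceptable."""
    parsed = urlparse(url)
    # Munki installs packages as root, so the repo must not be fetched in cleartext.
    if parsed.scheme != "https" or not parsed.hostname:
        return "SoftwareRepoURL is not an https:// URL"
    return None


def build_munki_profile(repo_url, client_identifier, org_id="com.example.it"):
    """Return .mobileconfig bytes carrying Munki's preference keys (assumed layout)."""
    problem = repo_url_problem(repo_url)
    if problem:
        raise ValueError(problem)
    settings = {
        "PayloadType": MUNKI_DOMAIN,
        "PayloadVersion": 1,
        "PayloadIdentifier": org_id + ".munki.settings",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "SoftwareRepoURL": repo_url,
        "ClientIdentifier": client_identifier,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": org_id + ".munki",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Munki configuration",
        "PayloadScope": "System",
        "PayloadContent": [settings],
    }
    return plistlib.dumps(profile)


def audit_munki_profile(data):
    """Return findings for every Munki payload in an existing profile."""
    findings = []
    for payload in plistlib.loads(data).get("PayloadContent", []):
        if payload.get("PayloadType") == MUNKI_DOMAIN:
            problem = repo_url_problem(payload.get("SoftwareRepoURL", ""))
            if problem:
                findings.append(problem)
    return findings
```

The bytes returned by `build_munki_profile` can be written to a `.mobileconfig` file and uploaded to the MDM as a custom profile.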

Erik Gomez from Pinterest has also been cracking this particular nut, and has been working with a major-but-unnamed MDM vendor to do the same thing for his team at Pinterest. His four-part blog series is absolutely worth your time, because it clearly lays out what the process is going to be to get this done within your organization, and what you're going to have to do as part of the process.

This isn't going away, the smoke is only growing, and it's a matter of time before we all see what's on fire. (The Answer is: Your Imaging Workflow)

I'll be trying to get SimpleMDM going for our org internally and set up with DEP in the not-too-distant future. Happy thoughts!

I'm Concerned About The Security Of Your Shit

One of the trends that has developed in the IT world that I would really like to see reversed is the decrypting of all TLS traffic on a given corporate network in the name of security monitoring. So, apparently, would US-CERT, which released a bulletin this week warning everyone who's doing just that that you are probably making your users less secure. Their directive comes from a position of technical opinion, not because it's really just wrong, and it has to do with the settings a lot of these proxying systems use.

So, generally, I recommend not decrypting your users' traffic, but if you have to, at least read that bulletin, OK? 

Links to Read