Description
prospect-numa: No Gong snippet.
- @noahtalerman: numa requested this because they want to run this script to re-connect end users to the corporate Wi-Fi interface when certificates are being swapped out and something goes wrong. An offline script would be needed in order to remediate.
- @nonpunctual: At one of my previous jobs as an IT admin, if the device went offline, it ran an offline policy in Jamf which did some checking of local DNS and gateways to determine whether the computer was trying to connect to an internal network, and configured the local proxy settings. If all that passed, then the idea was that, assuming the device already had some cert installed to get authenticated to an 802.1x network, it would recover from being unable to join because of the block at the proxy.
- @allenhouchins: Instead of running this script, we think numa could be delivering the new certificate ahead of the old certificate expiring (aka prestaging). Then write a policy that runs a script on policy failure to delete the old certificate (if needed; no harm in it just staying on the device). If for whatever reason the new cert failed to deliver, the script could check this and deploy a new certificate. Today, when numa checks if the new cert failed to deliver, they're adding this device to a smart group, which we think has some Jamf policy to retry deploying the new certificate. In Fleet, we'd write a policy that looks for the old certificate and then automate this script. If they're deploying the certificate with a .pkg, they could use Fleet's pre-install query to check if the new certificate is missing. If it is, then the install proceeds.
- @allenhouchins: customer-numa isn't the only Jamf user that is using the "recon" feature (akin to refetch in Fleet) to make sure host vitals are up to date so a host gets put in the right smart group so that the right Jamf policy is triggered for the host. Instead, if they wrote a Fleet policy, they wouldn't have to worry about a refetch because the policy would check for the host vital.
- @noahtalerman: Is this the cert that comes from NDES? @allenhouchins: We're not sure.
- @noahtalerman: numa requested this because they want to enforce a denylist of applications. The policy checks for the app and the script removes the app. If the user installs the app and then goes offline, the remediation still occurs. We're assuming there's malicious intent in this use case. This means we want the application to be installed for as little time as possible.
- @noahtalerman: In the interim numa would deploy a launch daemon that is watching specific file paths (or some other event/artifact on the device). They would also deploy the script to the device. If the file path is modified, the launch daemon immediately triggers the script. Device doesn't need to be online.
- @allenhouchins: In the interim numa would deploy the new certificate prior to removing the old one. This is the best practice.
- @allenhouchins: In the interim numa could deploy a macOS configuration profile: ParentalControlsApplicationRestrictions. pathBlackList is deprecated.
- @ddribeiro: Probably looking for something similar to offline policies in Jamf. Host will run these once a day whether it's online or not.
- @ddribeiro: For example, professors would go on a sabbatical and be off internet for 6 months. We would want to clean up sensitive files (ex. 1Password recovery kit) in the downloads folder.
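A concrete version of the interim approach sketched in the two comments above (a launch daemon that watches a path and fires a remediation script for a denylisted app, plus an offline sweep of sensitive files such as a 1Password recovery kit in Downloads), added here as an example. It is not Fleet's code and not anything numa deployed. The label com.example.offline-remediate, the script path /usr/local/bin/offline-remediate.sh, the denylisted bundle names and the filename patterns are assumed placeholders.

```shell
#!/bin/sh
# Offline remediation for macOS, run by launchd when a watched path changes.
# Added example, not Fleet's code; label, paths, denylist and patterns are
# assumed placeholders.

# App bundles to remove when found directly under the watched directory
# (space separated, so bundle names here must not contain spaces).
DENYLIST="BadApp.app AnotherBadApp.app"

# Filename patterns treated as sensitive in Downloads, separated by '|'.
# The 1Password recovery kit export is the example from the thread.
SENSITIVE_PATTERNS="*Emergency Kit*.pdf|*recovery*kit*"

# Write a LaunchDaemon plist that runs this script with the watched directory
# and Downloads folder as arguments. WatchPaths fires when the watched
# directory's contents change; RunAtLoad also runs the script once at boot so
# an app staged while the daemon was not loaded is still caught.
write_watchpaths_plist() {
  out="$1"        # e.g. /Library/LaunchDaemons/com.example.offline-remediate.plist
  script="$2"     # e.g. /usr/local/bin/offline-remediate.sh
  watched="$3"    # e.g. /Applications
  downloads="$4"  # e.g. /Users/jdoe/Downloads
  cat > "$out" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.offline-remediate</string>
  <key>ProgramArguments</key>
  <array>
    <string>/bin/sh</string>
    <string>$script</string>
    <string>$watched</string>
    <string>$downloads</string>
  </array>
  <key>WatchPaths</key>
  <array><string>$watched</string></array>
  <key>RunAtLoad</key><true/>
  <key>ThrottleInterval</key><integer>10</integer>
  <key>StandardErrorPath</key><string>/var/log/offline-remediate.log</string>
</dict>
</plist>
EOF
}

# Remove every denylisted bundle directly under $1; prints how many were removed.
remediate_denylist() {
  root="$1"
  removed=0
  for app in $DENYLIST; do
    if [ -d "$root/$app" ]; then
      rm -rf "$root/$app"
      printf 'removed %s\n' "$root/$app" >&2   # lands in StandardErrorPath under launchd
      removed=$((removed + 1))
    fi
  done
  echo "$removed"
}

# Delete files in $1 (top level only) matching any sensitive pattern;
# prints how many were removed. Runs fine with no network.
sweep_downloads() {
  dir="$1"
  removed=0
  [ -d "$dir" ] || { echo 0; return 0; }
  old_ifs=$IFS
  set -f; IFS='|'            # split the pattern list on '|' with no globbing
  for pat in $SENSITIVE_PATTERNS; do
    n=$(find "$dir" -maxdepth 1 -type f -iname "$pat" -print -delete | wc -l | tr -d ' ')
    removed=$((removed + n))
  done
  IFS=$old_ifs; set +f
  echo "$removed"
}

# Under launchd the watched directory and Downloads folder arrive as arguments;
# with no arguments (e.g. when sourced) nothing runs.
if [ $# -ge 1 ]; then
  remediate_denylist "$1" >/dev/null
  if [ $# -ge 2 ]; then sweep_downloads "$2" >/dev/null; fi
fi
```

Install would be the usual launchctl sequence: write the plist with write_watchpaths_plist, copy the script to the assumed path, then `launchctl load` the plist. Because the trigger is a local kqueue event rather than a server check-in, the removal happens whether or not the Mac can reach Fleet, and ThrottleInterval keeps a user repeatedly reinstalling from causing a tight loop.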
- @noahtalerman: We learned that numa doesn't use offline policies in Jamf.
prospect-mozartia: TODO: include Gong link
prospect-leiden: gong link
- @nonpunctual: Users will expect that when a Mac can't connect to a corporate Wi-Fi network, this can be detected and fixed automatically.
- @nonpunctual: e.g., at an organization with explicit enterprise network / proxy / VPN settings, an offline policy could ensure that network settings are correct. The need for remediating this offline is: if the config is not correct prior to connecting to the corporate network, the device will be blocked from joining. This may result in having to contact the help desk to access corporate resources like email, SaaS apps, logins, etc.
- @mikermcneil: Eventually: let's say there's a work computer that goes offline, and then travels to the north pole, where it remains offline, because one of our end users is actually Saint Nicholas. But let's say St. Nick is not supposed to be able to change his desktop background (TODO: think of better example). Well, when he tries to change it, even though he's offline, the policy could detect the failure and the associated script could automatically run. How? Because Fleet could ship down a manifest of all of the policy automations that are pointed at scripts to run on failure (or possibly let you pick which ones are offline-enforced, but do we need to let you pick? Or should they all just be offline, if they're using the "run a script" type of automation? Whatever is simpler, seems like.) e.g. In the help text for setting up a policy automation to trigger a script directly, there's something that says "Since this policy is configured to trigger a local script on failure, it will apply offline."