AWS Partner Network (APN) Blog

Automate the Enrollment of EC2 Mac Instances into Jamf Pro

By Mike Gillespie, Principal Solutions Architect – AWS
By Stephen Randolph, Sr. Partner Solutions Architect – AWS

By Travis Cynor, Sr. Product Manager – Jamf Pro
By Chris Potrebka – Apple Practice Principal Consultant – Wipro

Since the release of Amazon EC2 Mac instances, Amazon Web Services (AWS) customers have been able to access on-demand Apple Mac devices in the AWS Cloud.

By taking advantage of AWS’s scalable and elastic infrastructure, customers have been able to increase developer productivity and deliver macOS and iOS apps to market faster without the need to manage physical Mac infrastructure.

Until now, there wasn’t an easy way to integrate the EC2 Mac instances into the same device management as physical Apple devices. In collaboration with Jamf, an AWS Partner and leader in Apple device management, AWS has developed integration between the Amazon EC2 Mac instances and Jamf Pro to simplify managing, securing, and configuring EC2 Mac instances.

In this post, we show you how to configure your AWS and Jamf accounts so that EC2 Mac instances are automatically enrolled into Jamf Pro when they are launched. Wipro, a leading global AWS services partner, was looking for an innovative way to help its customers manage their Apple devices. Learn how Wipro, AWS, and Jamf collaborated on a solution to manage customers’ Apple CI/CD pipelines.

Prerequisites

This post assumes you have knowledge of creating EC2 Mac instances and Jamf Pro. You’ll need to know the Jamf URL and have a Jamf username and password with enrollment privileges.

Why EC2 Mac and Jamf?

Amazon EC2 Mac instances allow you to run on-demand macOS workloads in the cloud to extend AWS’s flexibility, scalability, and cost benefits to all Apple developers. Moving to EC2 Mac instances can provide increased security, scalability, and delivery speeds while reducing the total cost of ownership (TCO) of Mac assets. With the recent general availability of Amazon EC2 M1 Mac instances, they have become even more powerful.

With the ability to effectively manage EC2 Mac instance configuration with Jamf Pro, customers can secure, inventory, and manage EC2 Mac instances with the same platform managing all of their enterprise Apple devices.

Automatic EC2 Mac instance enrollment into Jamf Pro allows IT teams to use the Jamf binary application to inventory and control devices with proven methods. It also enables end users to use Jamf Self-Service to set up EC2 Mac instances to meet their needs in accordance with their organization’s policies.

How Does it Work?

Jamf provides an agent that runs on the EC2 Mac instances, which communicates with the Jamf servers to coordinate the management of the device. The agent must enroll with Jamf in order for the Jamf service to be aware of the instance.

Following the launch of the EC2 Mac instance, the enrollment script must be executed on the instance itself. There are several approaches to doing this, such as a Secure Shell (SSH) session, an EC2 user data script, or an EC2 macOS Init script.

This post uses an Amazon EventBridge event to execute the enrollment script via the AWS Systems Manager agent whenever a new EC2 Mac instance is launched. The benefit of this approach over using the EC2 instance metadata or an EC2 macOS Init script is that it automatically enrolls all EC2 Mac instances created in the account without requiring the user who creates the instances to configure a custom Amazon Machine Image (AMI) or other configurations.

This simplifies the management and ensures the EC2 Mac instances will be enrolled without the need for user intervention. From an end user perspective, they simply create the instance as they normally would through the AWS Management Console, AWS Command Line Interface (CLI), AWS Software Development Kit (SDK), or AWS CloudFormation, and the AWS account will coordinate the enrollment of the instance.

For more advanced AWS users, creating a custom AMI that runs the enrollment scripts from EC2 macOS Init would also provide similar automated enrollment.

Please note that, as of the publishing date of this post, the macOS support for AWS Systems Manager is limited to x86_64 versions of macOS in us-east-1, us-east-2, us-west-2, eu-west-1, and ap-southeast-1.

Account Setup

When an EC2 Mac instance enters the running state, EC2 will trigger an event in Amazon EventBridge. An EventBridge rule will route the event message to an AWS Systems Manager automation that executes an automated enrollment script on the instance. The provided CloudFormation script automates the deployment of this configuration.

To configure the automated enrollment, create a stack from the template via GitHub.

Figure 1 – Amazon EventBridge to AWS Systems Manager.

Figure 1 shows the flow from the EC2 Mac instance sending the running status event to Amazon EventBridge, which forwards the message to AWS Systems Manager, which in turn executes a script on the original EC2 Mac instance.

The template creates an EventBridge rule that calls an AWS Systems Manager automation. The automation pulls instance data to determine whether the instance is an EC2 Mac instance. If so, it checks that an AWS Identity and Access Management (IAM) instance profile is associated with the instance. This is needed for the Systems Manager agent to communicate with AWS.

If there’s no instance profile, one is attached to the instance. It then waits for the Systems Manager agent to connect and executes the enrollment script on the instance.

Figure 2 – Enrollment workflow.

Figure 2 shows the flow from the EC2 instance state-change event to the Systems Manager automation service. The first step is to get the instance type and IAM instance profile via the ec2.DescribeInstances API call. If the instance type is EC2 Mac, the automation checks the instance profile. If the EC2 Mac instance has no instance profile assigned, one is assigned via the AssociateIamInstanceProfile API.

The next step waits for the DescribeInstanceInformation API to return the PingStatus value of “Online.” The step after that executes the Invitation script followed by the Enrollment script. The final step ends the automation.
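As an added example (not the CloudFormation template, the Systems Manager automation, or any code from AWS, Jamf, or Wipro), the following Python models the decision flow just described so that it can be run offline: match the EventBridge event, act only on EC2 Mac instance types, attach an instance profile when none is present, poll PingStatus until it is Online, and only then send the enrollment command. EVENT_PATTERN, INSTANCE_PROFILE_ARN, ENROLL_DOCUMENT, the FakeAws client and the sample event are assumptions standing in for the real boto3 EC2 and SSM clients; the API names recorded in the call log are the real ones the post references.

```python
"""Offline model of the EC2 Mac auto-enrollment flow (added example)."""
import time

# Event pattern assumed for the EventBridge rule: EC2 state-change
# notifications for instances that have entered the "running" state.
EVENT_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["EC2 Instance State-change Notification"],
    "detail": {"state": ["running"]},
}

# Hypothetical names: the instance profile the automation attaches when an
# instance has none, and the SSM document that runs the Jamf invitation and
# enrollment scripts on the instance.
INSTANCE_PROFILE_ARN = "arn:aws:iam::123456789012:instance-profile/JamfEnrollmentProfile"
ENROLL_DOCUMENT = "JamfEnrollMac-Example"


def event_matches(event, pattern=EVENT_PATTERN):
    """Minimal EventBridge-style matching: every key in the pattern must exist in
    the event, nested dicts recurse, and leaf values must be in the allowed list."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        if isinstance(allowed, dict):
            if not isinstance(event[key], dict) or not event_matches(event[key], allowed):
                return False
        elif event[key] not in allowed:
            return False
    return True


def is_mac_instance(instance_type):
    """EC2 Mac instance types belong to the mac* families, e.g. mac1.metal, mac2.metal."""
    return instance_type.split(".", 1)[0].startswith("mac")


class FakeAws:
    """Constructed stand-in for the EC2 and SSM clients. Records every call so the
    automation's behaviour can be checked without AWS credentials."""

    def __init__(self, instance_type, has_profile, ping_statuses):
        self.instance_type = instance_type
        self.has_profile = has_profile
        self.ping_statuses = list(ping_statuses)  # PingStatus per successive poll
        self.calls = []

    def describe_instance(self, instance_id):               # ec2:DescribeInstances
        self.calls.append(("DescribeInstances", instance_id))
        inst = {"InstanceId": instance_id, "InstanceType": self.instance_type}
        if self.has_profile:
            inst["IamInstanceProfile"] = {"Arn": "arn:aws:iam::123456789012:instance-profile/existing"}
        return inst

    def associate_profile(self, instance_id, profile_arn):  # ec2:AssociateIamInstanceProfile
        self.calls.append(("AssociateIamInstanceProfile", instance_id, profile_arn))
        self.has_profile = True

    def ping_status(self, instance_id):                     # ssm:DescribeInstanceInformation
        self.calls.append(("DescribeInstanceInformation", instance_id))
        return self.ping_statuses.pop(0) if self.ping_statuses else "Online"

    def send_command(self, instance_id, document):          # ssm:SendCommand
        self.calls.append(("SendCommand", instance_id, document))
        return "constructed-command-id-0001"


def enroll_on_launch(event, aws, max_polls=30, poll_delay=0.0):
    """Mirror the automation: filter the event, act only on EC2 Mac instances,
    ensure an instance profile, wait for the SSM agent, then run enrollment."""
    if not event_matches(event):
        return "ignored: event does not match the rule"
    instance_id = event["detail"]["instance-id"]
    inst = aws.describe_instance(instance_id)
    if not is_mac_instance(inst["InstanceType"]):
        return f"ignored: {instance_id} is {inst['InstanceType']}, not an EC2 Mac"
    if "IamInstanceProfile" not in inst:
        aws.associate_profile(instance_id, INSTANCE_PROFILE_ARN)
    for _ in range(max_polls):
        if aws.ping_status(instance_id) == "Online":
            break
        time.sleep(poll_delay)
    else:
        return f"failed: SSM agent on {instance_id} did not come online"
    command_id = aws.send_command(instance_id, ENROLL_DOCUMENT)
    return f"enrolled: {instance_id} via command {command_id}"


# Constructed sample event in the shape EC2 publishes to EventBridge.
SAMPLE_EVENT = {
    "source": "aws.ec2",
    "detail-type": "EC2 Instance State-change Notification",
    "region": "us-east-1",
    "detail": {"instance-id": "i-0123456789abcdef0", "state": "running"},
}

if __name__ == "__main__":
    aws = FakeAws("mac1.metal", has_profile=False, ping_statuses=["ConnectionLost", "Online"])
    print(enroll_on_launch(SAMPLE_EVENT, aws))
    for call in aws.calls:
        print("  ", call)
```

In a real deployment the FakeAws methods map onto boto3 calls (ec2.describe_instances, ec2.associate_iam_instance_profile, ssm.describe_instance_information, ssm.send_command) and the polling step is what the automation's wait on PingStatus does. Note that a profile is attached only when the instance has none, so an instance launched with its own profile must already grant Systems Manager access, as the Deploy the Instance section describes.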

Deploy the Instance

Once the CloudFormation stack has been created, you can verify the automation by creating an EC2 Mac instance. You can use the AWS console, CLI commands, or a CloudFormation template. If you use a custom AMI, be sure the Systems Manager agent is not removed.

When creating the instance, if you supply an instance profile, make sure it has access to AWS Systems Manager by adding the IAM managed policy AmazonSSMManagedInstanceCore to the role associated to the IAM instance profile. Learn more about setting up instance profiles in the AWS documentation.

Connect to the Instance

Once the EC2 Mac instance is available, connect to it using virtual network computing (VNC) or the macOS Screen Sharing app. Learn more about accessing EC2 Mac instances through a graphic user interface.

Manage the Instance with Jamf Pro

Now that you have connected to the instance, open your Jamf Pro console.

To find your EC2 Mac instances, click Computers in the toolbar and click Search Inventory. In the filter text box, type the instance ID and press Enter. The computer will show up in the inventory list.

Figure 3 – Jamf console lists the inventory of computers.

Click on the instance ID to get the details on the instance. Jamf captures metadata on the hardware, operating system, and security.

On the Jamf Operating System screen:

  • Operating System: MacOS
  • Operating System Version: 12.4.0
  • Operating System Build: 21F79
  • Software Update Device ID: Empty
  • Active Directory Status: Not Bound
  • FileVault Users: 0/1

The Jamf console shows the hardware specs of the EC2 Mac instance:

  • Make: Apple
  • Model: Mac Mini (2018)
  • Model Identifier: Macmini8,1
  • Processor Speed: 3.20 GHz
  • Number of Processors: 1
  • Total Number of Cores: 6
  • Processor Type: 6-Core Intel Core i7
  • Apple Silicon: No
  • Architecture Type: x86_64
  • Bus Speed: Empty
  • Cache Size: 12 MB

The Jamf console also shows the security data about the EC2 Mac instance:

  • System Integrity Protection: Disabled
  • Gatekeeper: App Store and identified developers
  • XProtect Definitions Version: 2158
  • Disable Automatic Login: On
  • Remote Desktop Enabled: No
  • Activation Lock: Not Enabled
  • Recovery Lock: Not Enabled
  • Secure Boot Level: Collected for macOS 10.15.0 or later
  • External Boot Level: Collected for macOS 10.15.0 or later
  • Bootstrap Token Allowed: Collected for macOS 11 or later
  • Bootstrap Token Escrowed: Collected for macOS 11.0 or later
  • Firewall: Not Enabled

EC2 Mac Instance Extension Attributes

The Jamf administrator may want additional details on the EC2 Mac instances in the environment, such as the AWS Region and Availability Zone (AZ) the instance is running in. The Jamf admin can configure extension attributes to pull this data from the EC2 Mac instance.

To configure an extension attribute, go to the System Settings > Computer Management > Management Framework > Extension Attributes configuration page. For example, to capture the AWS region as an extension attribute, set the input type to script, and use the following script:

#!/bin/sh

# Instance metadata path to query; change this to capture other values
# (for example, placement/availability-zone or instance-id).
dataPoint="placement/region"

# IMDSv2: request a session token first, then present it on the metadata request.
# Both requests time out after one second so the script returns quickly off EC2.
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -s -m 1 -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
EC2ID=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" -f -m 1 -s "http://169.254.169.254/latest/meta-data/$dataPoint" && echo || echo "Not an EC2 host.")

# Jamf reads the extension attribute value from between the <result> tags.
EC2Return="<result>$EC2ID</result>"

echo "$EC2Return"

exit 0

This script uses the EC2 Instance Metadata Service Version 2 (IMDSv2) to query the Region the EC2 instance belongs to. If the computer is not an EC2 instance, the curl request fails and the result is “Not an EC2 host.”
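The extension attribute above stays a shell script, as Jamf expects. As an added example that is neither Jamf’s nor AWS’s code, the following Python models the same IMDSv2 flow (a PUT for the session token, then the metadata GET carrying that token, each with a one-second timeout and the “Not an EC2 host.” fallback) and wraps the value in the <result> tags Jamf reads. The fetcher is injectable so the flow can be exercised offline; the function names, FakeIMDS and the sample metadata values are assumptions.

```python
"""IMDSv2 lookup and Jamf extension attribute formatting (added example)."""
import urllib.error
import urllib.request

IMDS_BASE = "http://169.254.169.254/latest"
TOKEN_TTL_SECONDS = "21600"   # same TTL the extension attribute script requests
TIMEOUT_SECONDS = 1.0         # matches curl -m 1: give up fast on a non-EC2 host


def http_fetch(method, url, headers, timeout=TIMEOUT_SECONDS):
    """Default fetcher: return the response body as text, or None on any failure
    (connection refused, timeout, or an HTTP error such as 401 or 404)."""
    request = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.read().decode("utf-8").strip()
    except (urllib.error.URLError, OSError, ValueError):
        return None


def imds_lookup(data_point, fetch=http_fetch):
    """IMDSv2 two-step: PUT to obtain a session token, then GET the metadata
    path with the token in X-aws-ec2-metadata-token. Returns None when either
    step fails, which is what happens on a host that is not an EC2 instance."""
    token = fetch("PUT", f"{IMDS_BASE}/api/token",
                  {"X-aws-ec2-metadata-token-ttl-seconds": TOKEN_TTL_SECONDS})
    if not token:
        return None
    return fetch("GET", f"{IMDS_BASE}/meta-data/{data_point}",
                 {"X-aws-ec2-metadata-token": token})


def jamf_result(value):
    """Wrap the value in the <result> tags Jamf reads from extension attribute
    scripts. The value is XML-escaped defensively because it comes from outside
    the script (an assumption added here; the shell script above does not escape)."""
    text = "Not an EC2 host." if value is None else value
    text = text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
    return f"<result>{text}</result>"


class FakeIMDS:
    """Constructed stand-in for the metadata service: enforces the IMDSv2 token
    rule and serves a fixed set of metadata values."""

    def __init__(self, metadata, token="constructed-session-token"):
        self.metadata = metadata
        self.token = token

    def __call__(self, method, url, headers, timeout=TIMEOUT_SECONDS):
        if method == "PUT" and url.endswith("/api/token"):
            return self.token if "X-aws-ec2-metadata-token-ttl-seconds" in headers else None
        if headers.get("X-aws-ec2-metadata-token") != self.token:
            return None  # IMDSv2 rejects metadata requests without a valid token
        return self.metadata.get(url.split("/meta-data/", 1)[1])


def no_metadata_service(method, url, headers, timeout=TIMEOUT_SECONDS):
    """Fetcher modelling a non-EC2 host: every request fails."""
    return None


# Constructed sample values for an offline run.
SAMPLE_METADATA = {
    "placement/region": "us-east-1",
    "placement/availability-zone": "us-east-1a",
    "instance-id": "i-0123456789abcdef0",
    "instance-type": "mac1.metal",
}

if __name__ == "__main__":
    on_ec2 = FakeIMDS(SAMPLE_METADATA)
    for point in SAMPLE_METADATA:
        print(point, "->", jamf_result(imds_lookup(point, on_ec2)))
    print("off EC2 ->", jamf_result(imds_lookup("placement/region", no_metadata_service)))
```

Each Jamf extension attribute still maps to one data point; to collect the Availability Zone or instance ID instead, the script (or imds_lookup here) is called with placement/availability-zone or instance-id. On a real EC2 Mac instance the default http_fetch talks to the metadata service, and no token means no data, which is the IMDSv2 behaviour the shell script relies on.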

Enable Remote Desktop Access

The following steps configure a script and a policy in Jamf Pro that enable Remote Desktop (screen sharing) on EC2 Mac instances. Start by logging into Jamf Pro and clicking the settings gear icon in the upper right. Go to the Computer Management section and click Scripts. In the upper right, click the + icon to create a new script.

Enter the following information:

  • Display Name: EnableRemoteDesktop
  • Category: None
  • Information: <Default>
  • Notes: <Default>

On the script tab, select mode of Shell/Bash and paste the following code into the code editor:

sudo defaults write /var/db/launchd.db/com.apple.launchd/overrides.plist com.apple.screensharing -dict Disabled -bool false
sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.screensharing.plist

Next, click Save.

Figure 4 – Create script in Jamf.

Once the script is created, click the Computers button on the left side, click Policies, and then click + New.

Figure 5 – Manage computer policies.

Provide the following values for the new policy:

  • Display Name: EnableRemoteDesktop
  • Enabled: Checked
  • Category: None
  • Trigger: Enrollment Complete
  • Execution Frequency: Ongoing

Select the Scripts menu on the left side of the Policy edit page.

Figure 6 – New policy.

Select Configure and click the Add button to add the EnableRemoteDesktop script to the policy. Once the script is added to the policy, click Save.

Change ‘ec2-user’ Password

When the EC2 Mac instance is created, the “ec2-user” user does not have a password, so you can use Jamf to set one.

Create another policy by clicking + New and provide the following values:

  • Display Name: ResetEc2UserPwd
  • Enabled: Checked
  • Category: None
  • Trigger: Enrollment Complete
  • Execution Frequency: Ongoing

On the left side of the Policy editor, click Local Accounts.

Select Reset Account Password and provide a username of “ec2-user” and click Save. This setting allows you to use Jamf to manage the local users on EC2 Mac instances.

Test VNC Access

Now that the policies are applied, create a new EC2 Mac instance and it will auto-enroll into Jamf. Once the enrollment scripts are complete, the instance is ready to connect. To make the VNC port available locally, establish an SSH connection that forwards local port 5900 to port 5900 on the instance, then connect a VNC client to localhost:5900.

ssh -i keypair_file -L 5900:localhost:5900 ec2-user@192.0.2.0

Limitations

This method of automated enrollment uses the Jamf agent to execute shell commands on behalf of the system administrator. However, Apple’s security model requires that higher-privilege commands, mobile device management (MDM) commands, and configuration profiles be delivered through the Apple Push Notification service.

While there is some overlap between MDM commands and shell commands, this approach means that commands which require MDM will not be executed by the Jamf agent.

Here is a list of actions on EC2 Mac that require MDM management:

  • User-initiated enrollment
  • Automated device enrollment using a PreStage enrollment
  • Mass actions
  • Mac App Store apps
  • macOS configuration profiles
  • Remote commands for computers
  • Lock computer
  • Remove MDM profile
  • Renew MDM profile
  • Send blank push
  • Download and install updates
  • Unlock user
  • Remove user
  • Allow/disallow activation lock

Conclusion

This post demonstrated how to automate the enrollment of your EC2 Mac instances into Jamf, allowing you to manage your EC2 Mac instances with Jamf. This gives you a single management system for both physical and virtual Apple Mac devices.

Jamf’s purpose is to simplify work by helping organizations manage and secure an Apple experience that end users love and organizations trust. Jamf provides complete management and security solutions for an Apple-first environment that’s enterprise secure and consumer simple while protecting personal privacy.