Privacy and Consent changes in Microsoft Office 16.28

Microsoft Office 16.28, released Tuesday, includes a new privacy dialog for users and a number of changes to the preferences that control privacy and telemetry settings. This new dialog cannot be directly suppressed for Office 365 users, but can for those with a 2019 Volume License.

Microsoft has provided documentation, Use preferences to manage privacy controls for Office for Mac, of these new preferences and Paul Bowden provided a Keynote slide deck, Privacy and Consent Controls (PDF version), from a set of video conferences he hosted last week. (Unfortunately video recordings of the calls are not available.)

Thanks to the hard work of the Office for Mac team most of these preferences can be managed via configuration profiles. Read on for an overview of the changes and items of note.


Forcing Microsoft Office update deadlines with MAU

Microsoft AutoUpdate (MAU) version 4.13, released in mid-July, adds the ability to force update deadlines for Office applications. I was one of the MacAdmins who provided Microsoft developers with feedback starting last October and am happy to see the feature come to fruition.

This new functionality will definitely change how I handle updates as described in my post “A hybrid approach to managing Microsoft Office updates.”

The documentation Microsoft provided around the new feature is pretty good. But there has definitely been a lot of confusion in the MacAdmins Slack around getting it to work and there are some quirks to be aware of. If you are interested in the intricacies please read on.


Disabling Microsoft AutoUpdate’s new Required Data Notice in managed environments

Version 4.13 of Microsoft AutoUpdate for Mac, released on Tuesday, contains a new Required Data Notice that will pop up immediately upon installation and must be acknowledged before MAU will continue to function.

While the user experience is not great, thankfully Microsoft has provided us a way to suppress the new dialog on managed systems. Read on for the details.


Microsoft Teams notifications from MAU Caching Server

Back in February I wrote about Automating MAU Caching Server with Slack Notifications and it has been working great. Earlier this week a request was made on GitHub to add support for sending notifications to Microsoft Teams.

We don’t use Teams here at work but a quick search showed it supports messages via an incoming webhook, just like Slack, so I decided to give it a try. It didn’t take long to adjust the code and after realizing I could create a Teams workspace for free I got it tested in short order.

Paul Bowden merged my pull request so if you’d like to take advantage just grab version 2.6 of the MAUCacheAdmin script. If you are interested in the details read on.


Installing and registering DetectX Swift with a single package

Yesterday a colleague on the MacAdmins Slack asked for some help creating a package that would both install and register DetectX Swift (DTXS) all in one shot. He was having trouble getting it to work with Jamf Composer even though a couple of us agreed that in theory his method should be working.

While admins are able to easily register DTXS after installation using management tools, in my case Munki and in his Addigy, the goal was to create a package that could be installed manually by less savvy techs or sporadically as needed via Apple Remote Desktop (ARD).

I had a little time at lunch today and decided to give it a try as a basic package using pkgbuild. Thankfully it worked perfectly right out of the gate. Read on if you’d like the details.


Automating Reposado with Slack Notifications

To know when Apple releases new updates that are downloaded by my Reposado server I’ve been depending on random checks via Margarita, emails from the Security-announce list or discussions on the MacAdmins Slack. Automating repo_sync runs is easy enough with a LaunchDaemon or cron job, but I want to automatically be notified whenever a new update is detected.

When searching to see if anyone had already done the work I found a script by Michael Stango on GitHub that sends email notifications when new updates are downloaded. Stango’s script even takes things a step further with the ability to automatically add new products to a testing branch. Awesome!

Since I have all my similar notifications (AutoPkg, MAU, etc.) feeding into Slack I wanted to send Reposado notifications there as well. I’ve been testing the updated bash script for a few weeks and am happy to share it. Read on if you are interested in the details.


Working around failed Apple software updates with Munki

For at least a year MacAdmins have been dealing with Apple security updates failing if they are not installed soon after being downloaded. This is especially apparent to Munki admins who have Managed Software Center (MSC) configured to install Apple updates. Munki will invoke softwareupdate to download updates as soon as they are detected but users can defer the installation via MSC indefinitely by default.

If enough time has passed when the user finally decides to allow the logout / reboot for the update it will silently fail. The computer will reboot and the user will find themselves at the login window thinking the update completed successfully. However an hour or so later softwareupdate will again detect the update, download it and MSC will prompt the user to logout and install the same update they think they had just installed.

This is not a great user experience and has led to some frustration here at the newspaper. I’ve written a script that works around this behavior. Read on if you are interested in the details.


Deploying Photo Mechanic 5 with Munki

Photo Mechanic (PM) has long been the software of choice for photojournalists worldwide. It has unrivaled speed for downloading, sorting and captioning images on deadline. I have been using PM for almost 17 years and it is an essential part in the workflow of our photographers here at the newspaper.

As our staff has grown so has the need to automate installations of software. In the past we simply emailed the registration information for PM to staff as needed. Of course this is an awful practice in regards to securing our paid licenses.

Thankfully we can programmatically activate and deactivate Photo Mechanic when employees install or uninstall the program via Managed Software Center (MSC). Read on for the details.


Automating MAU Caching Server with Slack Notifications

In the past I have always run MAUCacheAdmin manually. Microsoft Office updates are usually only released once per month so it is easy to know when another run is needed. Plus with no built-in way to move collateral files into the appropriate place automated downloads won’t automatically make updates available for clients.

However with more and more applications becoming Microsoft AutoUpdate (MAU) aware, and out-of-bound patches being released, I decided it was time to automate the checks and downloads to my MAU Caching Server. This is easy enough to accomplish with a LaunchDaemon but I still needed a way to be notified when MAUCacheAdmin found updated packages to download so that I could move the collateral files into place.

I decided to see if I could add Slack notifications and when I began to dig in was pleasantly surprised to see that Microsoft’s Paul Bowden had already coded HipChat notifications. Using that as a base it turned out to be much simpler than I expected to get it working with Slack. Read on for the details.


Apple Watch and macOS Auto Unlock in enterprise environments

The topic of whether or not to allow an employee to use their personal Apple Watch to unlock their work Mac is a discussion that has come up a couple times over the years in the MacAdmins Slack #security channel.

When I first saw the subject brought up I hadn’t used the feature myself. At the time I was still maintaining separate personal and work iCloud accounts to keep everything segregated. But since I could imagine receiving a request from users to enable the feature, I decided I had better start testing it out so a policy could be formed in advance.

Apple calls the feature Auto Unlock. I’ve been using it for a while now and don’t see any reason to block it for employee use. Here’s why:
