{"id":1039,"date":"2021-01-16T17:15:00","date_gmt":"2021-01-16T15:15:00","guid":{"rendered":"https:\/\/macadmin.cz\/?page_id=1039"},"modified":"2021-01-29T14:07:16","modified_gmt":"2021-01-29T12:07:16","slug":"prace-pro-logicworks","status":"publish","type":"page","link":"https:\/\/macadmin.cz\/?page_id=1039","title":{"rendered":"Pr\u00e1ce pro Logicworks"},"content":{"rendered":"\n

Hromadn\u00e1 spr\u00e1va Apple za\u0159\u00edzen\u00ed<\/h1>\n\n\n\n

MDM<\/h2>\n\n\n\n

Dne\u0161n\u00ed spr\u00e1va Apple za\u0159\u00edzen\u00ed se to\u010d\u00ed kolem MDM \u0159e\u0161en\u00ed a Apple Bussiness Manager<\/a> port\u00e1lu. Pro z\u00e1kazn\u00edky \u0159e\u0161\u00edme p\u0159edev\u0161\u00edm produkty VMware Workspace ONE<\/a>, SimpleMDM<\/a> a Jamf Pro<\/a> zejm\u00e9na kv\u016fli jejich pou\u017eit\u00ed pro macOS. Potkal jsem i m\u00e9n\u011b progresivn\u00ed \u0159e\u0161en\u00ed jako Microsoft Intune, Mobile iron, Hexnode. Nelze zapomenou na sp\u00ed\u0161 nechvaln\u011b zn\u00e1m\u00fd Profile Manager od Applu.<\/p>\n\n\n\n

Pro jednoho z klient\u016f jsem zpracoval podrobnou srovn\u00e1vac\u00ed studii, kdy jsem proti s sobe postavil VMware Workspace ONE, Jamf Pro a Microsoft Intune.<\/p>\n\n\n\n

VMware Workspace ONE UEM sice obsahuje n\u00e1stroj Munki, ale pro n\u011bkter\u00e9 z\u00e1kazn\u00edky je prakti\u010dt\u011bj\u0161\u00ed provozovat Muni samostatn\u011b. Pro z\u00e1kazn\u00edky jsem napsal synchroniza\u010dn\u00ed n\u00e1stroj wso-munki-manifest-sync<\/a>, kter\u00fd pomoc\u00ed API z WSO zjist\u00ed vazby mezi po\u010d\u00edta\u010di, skupinami a u\u017eivateli a prom\u00edtne je do struktury manifest soubor\u016f v Munki repozit\u00e1\u0159i.<\/p>\n\n\n\n

Automated Device Enrollment<\/h2>\n\n\n\n

Automated Device Enrollment (d\u0159\u00edve sp\u00ed\u0161e zn\u00e1me pod akronymem DEP – Device Enrollment Program) je zlat\u00fdm gr\u00e1lem deploymentu Apple za\u0159\u00edzen\u00ed posledn\u00ed doby. U\u017eivatel\u00e9 vybal\u00ed nov\u00fd Mac, iPad nebo iPhone z krabice a ten se s\u00e1m automaticky zapoj\u00ed do firemn\u00ed spr\u00e1vy, kter\u00e1 zajist\u00ed v\u0161e pot\u0159ebn\u00e9. Kombinace ADE a MDM je v celku p\u0159\u00edmo\u010dar\u00e1 z\u00e1le\u017eitost. Ne v\u0161ak nutn\u011b v p\u0159\u00edpad\u011b macOS.<\/p>\n\n\n\n

Jeliko\u017e Macy lze hromadn\u011b spravovat i jin\u00fdmi n\u00e1stroji ne\u017e MDM a celkov\u011b nab\u00edzej\u00ed vy\u0161\u0161\u00ed flexibilitu p\u0159izp\u016fsoben\u00ed na m\u00edru situaci, m\u016f\u017ee b\u00fdt v jist\u00fdch p\u0159\u00edpadech pot\u0159eba, aby b\u011bhem ADE procesu do\u0161lo k instalaci dal\u0161\u00edch n\u00e1stroj\u016f. Konceptu se ob\u010das \u0159\u00edk\u00e1 custom DEP a cel\u00fd je podstaven na digit\u00e1ln\u011b podepsan\u00e9m bal\u00ed\u010dku poslan\u00e9ho z MDM na klienta. jeho obsahem m\u016f\u017ee b\u00fdt cokoliv, co na Macu spust\u00edte.<\/p>\n\n\n\n

Velmi popul\u00e1rn\u00ed n\u00e1stroj installapplications<\/a> zajist\u00ed se strany serveru jednozna\u010dn\u011b definovan\u00fd sekven\u010dn\u00ed po\u0159ad\u00ed krok\u016f, kter\u00e9 se na klientu vykonaj\u00ed. Komunikaci s u\u017eivatelem lze \u0159e\u0161it pomoc\u00ed oken nebo notifikac\u00ed nastaven\u00fdch skrz DEPNotify<\/a>. Sou\u010d\u00e1st\u00ed procesu m\u016f\u017ee b\u00fdt tak\u00e9 nap\u0159\u00edklad onboarding pr\u016fvodce Octory<\/a>.<\/p>\n\n\n\n

Open source n\u00e1stroje<\/h2>\n\n\n\n

Pro efektivn\u00ed spr\u00e1vu macOS schopnosti MDM ne v\u017edy sta\u010d\u00ed nebo nemus\u00ed b\u00fdt nejlep\u0161\u00edm \u0159e\u0161en\u00edm pro v\u0161echny \u00fakony. <\/p>\n\n\n\n

V Logicworks provozuji Munki<\/a> infrastrukturu pro na\u0161e z\u00e1kazn\u00edky. Soubory jsou poskytov\u00e1na pomoc\u00ed webserveru z v\u00edce uzl\u016f, vz\u00e1jemn\u011b synchronizovan\u00fdch n\u00e1strojem unison<\/a>. Klienti vyb\u00edraj\u00ed uzel pomoc\u00ed DNS load balancingu. Spojen\u00ed je v\u017edy zabezpe\u010den\u00e9 pomoc\u00ed TLS 1.2\/1.3. Munki repozit\u00e1\u0159 sd\u00edlen\u00fd mezi v\u00edce z\u00e1kazn\u00edky vy\u017eaduje odd\u011blen\u00ed n\u011bkter\u00fdch soubor\u016f na \u00farovni webserveru, co\u017e zaji\u0161\u0165uje autentizac\u00ed. Stahov\u00e1n\u00ed soubor\u016f m\u016f\u017ee b\u00fdt podstatn\u011b urychleno pou\u017eit\u00edm cache webserver\u016f v lok\u00e1ln\u00edch s\u00edt\u00edch z\u00e1kazn\u00edk\u016f a HTTP p\u0159esm\u011brov\u00e1n\u00ed. \u00dapravy repozit\u00e1\u0159e prob\u00edhaj\u00ed po s\u00edti z virtualizovan\u00e9ho macOS, kter\u00fd k dat\u016fm p\u0159istupuje skrz \u0161ifrovan\u00fd protokol SMB3 (Samba<\/a>). <\/p>\n\n\n\n

O automatick\u00e9 stahov\u00e1n\u00ed nejnov\u011bj\u0161\u00edch verz\u00ed instala\u010dn\u00edch bal\u00ed\u010dk\u016f software se star\u00e1 AutoPkg<\/a>. Ten b\u011b\u017e\u00ed jednou za den a zm\u011bny hl\u00e1s\u00ed emailem i do firemn\u00edho Slack kan\u00e1lu. Velkou \u010d\u00e1st recept\u016f v m\u00e9m autopkg repozit\u00e1\u0159i MichalMMac-recipes<\/a> jsem vytvo\u0159il pro pou\u017eit\u00ed v Logicworks.<\/p>\n\n\n\n

Instala\u010dn\u00ed bal\u00ed\u010dky pro macOS vytv\u00e1\u0159\u00edme p\u0159ev\u00e1\u017en\u011b n\u00e1strojem munki-pkg.<\/a> Na\u0161i technici pou\u017e\u00edvaj\u00ed instala\u010dn\u00ed bal\u00ed\u010dky pro zapojen\u00ed Mac\u016f do Munki u klient\u016f, kte\u0159\u00ed nemaj\u00ed MDM. Aby dostali digit\u00e1ln\u011b podepsan\u00fd a hlavn\u011b notarizovan\u00fd bal\u00ed\u010dek, roz\u0161\u00ed\u0159il<\/a> jsem munki-pkg o schopnost notarizace. Kv\u016fli po\u017eadavk\u016fm na notarizaci do\u0161lo i na podepisov\u00e1n\u00ed<\/a> Pythonu 3, kter\u00fd je p\u0159ibalen k Munki, na\u0161\u00edm v\u00fdvoj\u00e1\u0159sk\u00fdm certifik\u00e1tem.<\/p>\n\n\n\n

Macy monitorujeme webovou aplikac\u00ed MunkiReport<\/a>, kterou v na\u0161ich produktech najdete pod ozna\u010den\u00edm Sensei MacReport<\/a>. Po kolegovi jsem p\u0159evzal a z\u00e1sadn\u011b p\u0159ed\u011blal skript munkireport-parser<\/a>, kter\u00fd skrz API aplikace zji\u0161\u0165uje probl\u00e9mov\u00e9 za\u0159\u00edzen\u00ed, jejich\u017e seznam je zas\u00edl\u00e1n technik\u016fm.<\/p>\n\n\n\n

V p\u0159\u00edpad\u011b pot\u0159eby vyu\u017e\u00edvat v macOS funce Active Directory doporu\u010dujeme volnou integraci. T\u00e9 doc\u00edl\u00edme bu\u010f n\u00e1strojem NoMAD<\/a> nebo v nov\u011bj\u0161\u00ed macOS SSO dopl\u0148kem p\u0159\u00edmo v syst\u00e9mu. Ob\u011b mo\u017enosti maj\u00ed sv\u00e9 p\u0159ednosti.<\/p>\n\n\n\n

Dal\u0161\u00ed Apple slu\u017eby<\/h2>\n\n\n\n

Pro Logicworks jsem nasadil slu\u017ebu Content Caching<\/a> poskytuj\u00edc\u00ed \u010dasto stahovan\u00fd obsah z Apple CDN lok\u00e1ln\u011b z Macu, na kter\u00e9m b\u011b\u017e\u00ed. Na prvn\u00ed pohled se m\u016f\u017ee zd\u00e1t, \u017ee na tom p\u0159ece nic nyn\u00ed, kdy\u017e sta\u010d\u00ed zapnout jeden p\u0159ep\u00edna\u010d. Ve slo\u017eit\u011bj\u0161\u00ed s\u00edti v\u0161ak Content Caching vy\u017eaduje<\/a> o n\u011bco v\u00edce p\u00e9\u010de.<\/p>\n\n\n\n

Dokud nep\u0159i\u0161la pandemie, provozovala firma vcelku \u00fasp\u011b\u0161n\u011b p\u016fj\u010dovnu iPad\u016f. Pro jejich snadnou p\u0159\u00edpravu jsem p\u0159ipravil iMac s Apple Configurator 2<\/a>, s n\u00edm\u017e se iPady mazaly, aktualizovaly a zapojovaly do MDM skrz Automated Device Management.<\/p>\n\n\n\n

Linuxov\u00e1 infrastruktura<\/h1>\n\n\n\n

Na za\u010d\u00e1tku jsem zd\u011bdil starou infrastrukturu hostuj\u00edc\u00ed weby a maily vyu\u017e\u00edvaj\u00edc\u00ed OS X Server. Tu bylo nutn\u00e9 nahradit n\u011b\u010d\u00edm nov\u011bj\u0161\u00edm. \u010c\u00e1st funkcionality p\u0159evzaly slu\u017eby v cloudu (mail), ale n\u011bkter\u00e9 jsme si ponechali (webhosting). Nav\u00e1zal jsem na p\u0159edchoz\u00ed spolupr\u00e1ci<\/a> s Vojtou Myslivcem, kter\u00fd se z\u00e1sadn\u00ed m\u00edrou pod\u00edlel na zprovozn\u011bn\u00ed webhostingu a mailserveru.<\/p>\n\n\n\n

Config Management<\/h2>\n\n\n\n

Naprost\u00e1 v\u011bt\u0161ina v\u011bc\u00ed, kter\u00e9 v na\u0161\u00ed infrastruktu\u0159e d\u011bl\u00e1me, je vykon\u00e1na pomoc\u00ed Ansible<\/a> config management syst\u00e9mu. Jsem zast\u00e1nci filosofie infrastructure as code a po\u010det ad-hoc \u00fakon\u016f se sna\u017e\u00edme udr\u017eet na minimu. K\u00f3d je verzov\u00e1n v gitem<\/a> a diskutov\u00e1n v intern\u00edm GitLabu.<\/p>\n\n\n\n

VPN<\/h2>\n\n\n\n

eden z na\u0161ich posledn\u00edch projekt\u016f spo\u010d\u00edv\u00e1 ve vytvo\u0159en\u00ed vlastn\u00ed IKEv2 IPSec infrastruktury postaven\u00e9 na n\u00e1stroji Strongswan<\/a>. Vyu\u017e\u00edv\u00e1me IPsec tunely k propojen\u00ed firemn\u00edch s\u00edt\u00ed se s\u00edt\u011bmi n\u011bkter\u00fdch z\u00e1kazn\u00edk\u016f. Servery navazuj\u00ed \u0161ifrovan\u00e1 spojen\u00ed dynamicky podle pot\u0159eby. Rovn\u011b\u017e je implementovan\u00fd automatick\u00fd failover na z\u00e1lo\u017en\u00ed server v p\u0159\u00edpad\u011b v\u00fdpadku nebo \u00fadr\u017eby prim\u00e1rn\u00edho.<\/p>\n\n\n\n

Kone\u010dn\u011b m\u016f\u017eeme nahradit zastaral\u00e9 OpenVPN \u0159e\u0161en\u00ed za podstatn\u011b lep\u0161\u00ed IKEv2 IPSec. VPN je navr\u017eena pro split-tunnel a split-dns re\u017eim. Na za\u0159\u00edzen\u00edch VPN konfigurujeme za pomoci MDM, co\u017e n\u00e1m d\u00e1v\u00e1 dal\u0161\u00ed mo\u017enosti jako nap\u0159\u00edklad automatick\u00e9 navazov\u00e1n\u00ed spojen\u00ed (on-demand).<\/p>\n\n\n\n

Monitoring<\/h2>\n\n\n\n

Pro pot\u0159eby rozv\u00edjej\u00edc\u00ed se infrastruktury jsem nasadil monitorovac\u00ed syst\u00e9m Icinga 2<\/a>. Nejprve v re\u017eimu jednoho uzlu, kter\u00fd se p\u0159ipojuje na dozorovan\u00e9 syst\u00e9my pomoc\u00ed SSH. Pozd\u011bji byl syst\u00e9m p\u0159ed\u011bl\u00e1n na distribuovan\u00fd model, kdy na ka\u017ed\u00e9m uzlu b\u011b\u017e\u00ed Icinga 2 slu\u017eba a prob\u00edh\u00e1 komunikace v t\u0159\u00ed\u00farov\u0148ov\u00e9m modelu master <-> satellite <-> client.<\/p>\n\n\n\n

Stavy sledovan\u00fdch uzl\u016f a slu\u017eeb je mo\u017en\u00e9 administrovat ve webov\u00e9m rozhran\u00ed Icinga Web 2<\/a>. V\u00fdkonostn\u00ed data jsou ukl\u00e1d\u00e1ny do datab\u00e1ze influxDB<\/a>, odkud je do dashboard\u016f na\u010d\u00edt\u00e1 Grafana<\/a>.<\/p>\n\n\n\n

Syst\u00e9m monitorov\u00e1n\u00ed byl pozd\u011bji nasazen v druh\u00e9 instanci i do s\u00edti na\u0161ich klient\u016f. Server v roli satellite kontroluje zejm\u00e9na pomoc\u00ed SNMPv3 stav v\u0161emo\u017en\u00fdch s\u00ed\u0165ov\u00fdch prvk\u016f a server\u016f. Pro pot\u0159eby monitoringu udr\u017euji vlastn\u00ed sadu skript\u016f monitoring-scripts-logicworks<\/a>.<\/p>\n\n\n\n

DNS<\/h2>\n\n\n\n

V lok\u00e1ln\u00edch s\u00edt\u00edch pou\u017e\u00edv\u00e1me DNS server BIND 9<\/a> ve funkc\u00edch autoritativn\u00edho serveru poskytuj\u00edc\u00ed m\u00edstn\u00ed z\u00f3ny a resolveru pro klienty. Z\u00f3ny se automaticky replikuj\u00ed na z\u00e1lo\u017en\u00ed server a v n\u011bkter\u00fdch p\u0159\u00edpadech je pro n\u011b pou\u017eit ACL.<\/p>\n\n\n\n

Aplikace<\/h2>\n\n\n\n

Pro praktick\u00e9 pou\u017eit\u00ed m\u00e1me nasazeno v\u00edcero webov\u00fdch aplikac\u00ed. N\u011bkter\u00e9 jsou zm\u00edn\u011bny v jin\u00fdch sekc\u00edch, proto\u017ee \u00fazce souvis\u00ed s n\u011bjak\u00fdm syst\u00e9m. Mezi ty samostatn\u011bj\u0161\u00ed pat\u0159\u00ed:<\/p>\n\n\n\n