League of Champions: Q&A from November Q4-2024

Our recent League of Champions webinar brought together a vibrant community of professionals discussing the latest in device management, security, and compliance. A huge thank you to everyone who attended and contributed questions! This Q&A roundup covers the most frequently discussed topics, providing insights you won’t want to miss.

Whether you’re exploring new Addigy features or looking to enhance your organization’s security and compliance workflows, these answers are packed with actionable information.

Managing Local Admin Users

  • Question: How can we better manage local admin users?
  • Answer: Creating a hidden admin account with a secure token is a recommended approach. This ensures IT can perform necessary actions without compromising overall security. If you’d like tailored advice, reach out to us at [email protected].
  • Question: What about more granular temporary admin privileges?
  • Answer: While macOS currently treats admin permissions as all-or-nothing, a smart workaround is creating a Self Service software item for end users to manage specific tasks, such as software installation.

Compliance and Security

  • Question: Are Cyber Essentials benchmarks on the roadmap?
  • Answer: Not yet. However, many customers customize CIS benchmarks to align with Cyber Essentials requirements. We’re actively exploring this direction.
  • Question: How does Addigy handle compliance remediation, and are these activities logged?
  • Answer: Addigy simplifies compliance remediation through auto-remediation, which automatically logs and addresses events per device. Here’s how it works:
    1. Auto-remediation: Logs remediation actions per device as they occur.
    2. Detailed Records: Each remediation action is logged at the device level, providing a comprehensive audit trail.
    3. Knowledge Base Resource: Step-by-step instructions and screenshots are available in our Knowledge Base: How to Manage Device Compliance with Addigy.
  • Question: Can we block the ChatGPT integration of Apple Intelligence?
  • Answer: Yes, you can now restrict the ChatGPT integration within Apple Intelligence. For instructions on implementing this restriction, please refer to Addigy Release AM-22759.
  • Question: Is there a workaround for the screen recording permission resetting after 30 days in macOS 15?
  • Answer: Apple introduced a new key in macOS 15.1 to address this issue. We’ve included it in our latest release: Add and Update macOS 15.1+ PPPC and Media Keys to Restrictions Payload.
  • Question: What compliance baselines does Addigy support?
  • Answer: Addigy is continuously evaluating new baselines. As of this publication, we support the following:
    1. macOS, iOS, and iPadOS:
      • CIS – Level 1
      • DISA STIG
    2. macOS Only:
      • NIST – 800-53 – High
      • CMMC – Level 1

Temporary Admin Capabilities

  • Question: Are user activities during TempAdmin sessions logged?
  • Answer: Absolutely. Logs are saved at /private/var/log/temp-admin, capturing activities like package installations and permission changes.
  • Question: Will TempAdmin be integrated into Self Service?
  • Answer: Yes! This is planned for an upcoming release. In the meantime, you can achieve similar functionality by deploying the following script through Self Service or as a Smart Software item. This script grants temporary admin rights for a 60-minute session:

Temp Admin Script for Self Service or Smart Software

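#!/bin/bash

# Get the current macOS console user (empty when only the login window is showing)
current_user=$(scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }')
echo "$current_user"

# Stop if nobody is logged in, so the promote command never runs with an empty username
if [ -z "$current_user" ]; then
    echo "No console user logged in; not granting temp admin." >&2
    exit 1
fi

# Calculate the end time (60 minutes from now) in UTC
end_time=$(date -u -v+60M +"%Y-%m-%dT%H:%M:%SZ")
echo "$end_time"

# Promote the console user to temporary admin until the end time
sudo /Library/Addigy/user-manager -temp-admin -promote -username="$current_user" -end-time="$end_time"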
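
A companion check for the script above and for the hidden-admin approach under Managing Local Admin Users: compare the local admin group against an approved list so an account that kept admin rights after its session stands out. This is an added example, not Addigy's code; the account names (itadmin, alice) and the sample dscl line are constructed for illustration.

```shell
#!/bin/bash
# Added example: flag local admin accounts that are not on an approved list.
# Account names used here are hypothetical.

# Print each member of the admin group that is not in the allowlist.
#   $1: output line of `dscl . -read /Groups/admin GroupMembership`
#   $2: space-separated approved admin short names
unexpected_admins() {
    local membership="${1#GroupMembership:}"
    local allowed=" $2 "
    local user
    for user in $membership; do
        case "$allowed" in
            *" $user "*) ;;                 # approved account, skip it
            *) printf '%s\n' "$user" ;;     # anything else is reported
        esac
    done
}

# Constructed sample of dscl output: "alice" was promoted and never demoted.
sample="GroupMembership: root itadmin alice"
approved="root itadmin"

# On a managed Mac, replace the sample with the live value:
#   sample=$(dscl . -read /Groups/admin GroupMembership)
leftover=$(unexpected_admins "$sample" "$approved")
if [ -n "$leftover" ]; then
    echo "Unexpected local admins: $leftover"
else
    echo "Admin group matches the approved list"
fi
```

Run it after a session's end time has passed; any name it prints should be cross-checked against the logs in /private/var/log/temp-admin.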

Apple MDM and OS Updates

  • Question: Why do DDM OS updates cause repeated notifications if a Mac is offline?
  • Answer: This is a known issue that Apple is reviewing. Using Feedback Assistant to report such problems will help expedite a solution!
  • Question: Will the ‘Return to Service’ feature work for Macs?
  • Answer: Unfortunately, no. It’s currently limited to iOS and iPadOS 17+ devices. We’re exploring alternative solutions for macOS.
  • Question: Does the ‘Return to Service’ feature require device supervision, and when will it be available?
  • Answer: No, device supervision is not required. To use this feature, you simply need an MDM profile, which is readily available in the Addigy UI. The feature is now live! For more details, see Addigy Release AM-21672.
  • Question: How does Addigy handle macOS updates with DDM, and where can I learn more?
  • Answer: Addigy’s DDM provides flexibility for scheduling macOS updates while minimizing disruption. Here’s how it works:
    1. Scheduling Updates: Updates can be scheduled for a specific local device time, ensuring they occur at a convenient moment for end users.
    2. User Notifications: While notifications are limited to Apple’s settings, users receive a 1-hour warning before an update begins. If the device is offline during the scheduled time, it will be notified and updated when back online.
    3. Learn More: For detailed guidance on managing updates with DDM, visit System Updates via MDM and DDM. For additional support, contact [email protected].

Addigy Assist

  • Question: Will Addigy Assist show error logs if a specific app fails to install?
  • Answer: Yes! Addigy Assist will provide additional visibility through new device facts that summarize its status. These device facts include the final result of Addigy Assist (e.g., success or failure) and detailed information in the device events log. This ensures IT teams can quickly understand deployment outcomes and troubleshoot as needed.
  • Question: Will Addigy Assist allow interaction with users (e.g., asking for their email)?
  • Answer: Not in the current version. However, please contact [email protected] to join the beta program and provide input for future iterations.

Enhancing the Addigy Experience

  • Question: Are more applications coming to the public library?
  • Answer: Definitely. We’re expanding the library continuously. Feel free to suggest apps via [email protected].
  • Question: Is there work underway to improve support articles?
  • Answer: Yes, and your feedback is invaluable! Please flag outdated or unclear resources to our support team via [email protected], and we’ll prioritize updates.

Advanced Features and Best Practices

  • Question: Is there a plan for organizations to upload in-house .ipa files to Addigy for distribution?
  • Answer: This was discussed live. For more information on distributing custom apps, visit Apple’s Custom Apps resource.
  • Question: Is there a good place to find Addigy Certification prep materials?
  • Answer: This was covered live. Addigy has training and certification resources available through Addigy Academy. You can also reach out to your Addigy Customer Success Manager for guidance. For additional Apple resources, check out Learn How to Support Apple Devices.
  • Question: For compliance, should we erase new devices first?
  • Answer: This was addressed live. While erasing is often unnecessary, best practices depend on organizational policies. Consult with your compliance team to decide the best approach for your needs.

Stay Connected

Thank you again to everyone who participated in the League of Champions! These sessions are designed to help you stay up to date with all things Addigy and leverage the full potential of your Apple ecosystem.

Together, we’re building a stronger community of IT professionals equipped to drive innovation and success on the Apple platform. See you at the next webinar!

Summary
We’re committed to continuously evolving our solutions to meet the demands of modern IT environments. As we move forward, our focus remains on refining the Addigy platform to ensure it provides the flexibility, security, and efficiency required to support diverse Apple device ecosystems. If you have additional questions or feedback, please send them to [email protected].

If you’re new to Addigy, we invite you to Schedule a Demo or start a Free Trial.