ProfileCreator VS Ansible

> How many users have devices that they are really administrators of? Fewer and fewer.

As long as nobody has forced you to join your computer to a domain and accept the installation of group-policy overrides, you're still fundamentally an administrator of that machine.

You might not ever feel the need to administrate it, because the OS vendor is often co-administering the machine (see: Windows or macOS when you use a local account rooted in their cloud SSO) but the OS vendor hasn't restricted you from doing your own administration in the way that a corporation or institution administering the domain your device belongs to would restrict you. You still have the ambient authority to administer your machine, whether you ever bother to elevate yourself or not.

You can still install your own X.509 roots of trust. Even on, say, iOS! (You must administer the iOS device using tools — e.g. https://github.com/ProfileCreator/ProfileCreator — that run outside of the device on a "real computer"; but that's just a fact of history, to do with how system administrators generally prefer to interact with computers, not a property of the target device's security. A config profile is just a file format; if someone ever wanted to make a profile editor that ran on iOS itself, they could.)

(And if we're talking about a machine that is corporate or institutionally controlled? Well, then it's the responsibility of the people who manage your device — your IT department — to decide whether a given cert should be given trust.)

> What is the technical challenge of setting up your own HTTP server that can be browsed with an off the shelf browser on your local computer?

The approach where you run a proxy that wraps untrusted connections into trusted ones is fully general, but yes, only really applicable to the most advanced users. But then, only the most advanced users really need the full power of this approach. Only someone with a lot of experience in network security should consider themselves capable of vouchsafing a non-TLS HTTP connection as worth being trusted. You have to basically come up with an "attestation heuristic" for the remote yourself — that it stays on the same IP, that its DNS records haven't changed owner, that the server is still sending the same Server response header, etc.

If your needs are slightly weaker — if you can assume that every remote is at least using self-signed TLS certs rather than not using TLS at all — then the problem is vastly simplified: you can directly trust any cert by putting it that cert directly into your X.509 trust store (in effect making it a root-of-trust — though it doesn't have the X.509 property that enables other certs signed by the cert to be trusted transitively, so it's a leaf-node root-of-trust. A "stump of trust", if you will.) You don't need to run any local servers to do this.

I don't have much experience with Jamf specifically so I don't know if they have a tool for this, but you can you software like iMazingand ProfileCreator to create the profiles from a GUI and then push the profiles from to devices using Jamf. Using either of these apps, under "Restrictions", you'll be able to deselect whatever iCloud service you want to be blocked and then save it to a profile.

In Mosyle in the management profiles section you have an option called Certificates/Custom Profiles, there you can upload a .mobileconfig created with for example Profile creator: https://github.com/ProfileCreator/ProfileCreator which nicely includes the Nudge schema and other common used apps :-), this should be the same effect than in the JAMF video, its almost the same thing instead of cut an paste from the AJMF article, upload de .mobileconfig created by the App.

There are many examples and several ways to generate a profile that will grant the appropriate perms, personally I have used ProfileCreator: https://github.com/ProfileCreator/ProfileCreator

On a side note, you might try this for manually creating profiles. https://github.com/ProfileCreator/ProfileCreator

If you have a Mac available ProfileCreator works well as an alternative to Apple Configurator, and it has a few more options.

Ansible is an open-source IT automation tool that simplifies application deployment, cloud provisioning, and configuration management across diverse environments. It uses a declarative language to describe the desired state of the system, and then takes the necessary actions to achieve that state. Ansible has become incredibly popular due to its simplicity, agentless architecture, and extensive community support. Document: ansible.com, ansible basics

Ansible v2.16

Ansible is a tool used to help manage software automation processes, configuration management across machines, deployment as well as remote execution of commands and scripts. In sports, Ansible operates as the coach of your team by providing strategies (playbooks), and actions, and ensuring the smooth execution of tasks across your infrastructure, just like a coach guides and directs players (Servers)during a game.

They support for-if from python, too: https://jinja.palletsprojects.com/en/3.1.x/templates/#loop-f... but I haven't tried the "recursive" keyword to know if ansible supports that. I say "ansible supports that" because they don't just drop jinja2 into ansible and call it a draw, they have a bunch of custom execution integrations: https://github.com/ansible/ansible/blob/v2.16.3/lib/ansible/...

To manage a VM, you can use something as simple as just manual actions over SSH, or can use tools like Ansible, Hashicorp's Packer and Terraform or other automations. For an app where there is minimal load and security/reliability concern, VMs are still a great option that provide a lot of value for the buck

In this article's context, it is simply a tool that provides a declarative way to automate your machine/OS to configure the development machine as you want (install package, modify the configuration, etc). Examples of these tools are Ansible, Puppet, etc.

Now we're getting more tangential, but for years, Ansible releases were named for Van Halen songs (see old Changelog here: https://github.com/ansible/ansible/blob/v1.8.4/CHANGELOG.md)

In the lab to follow, we'll quickly provision a 3-node kubeadm cluster (1 master, 2 workers) on the cloud provider of your choice using an automation stack comprised of OpenTofu and Ansible, then deploy Rook Ceph using the official Helm charts and confirm that we are now able to successfully create CSI volume snapshots from PVCs by reusing the MinIO example from our last article.