Enable catalog settings in Fleetsmith
The Fleetsmith catalog offers a selection of apps and settings with multiple configuration options. When you add an app configuration to a profile, Fleetsmith downloads that catalog item on the Fleetsmith managed devices that belong to the profile. If the item already exists on a device, Fleetsmith keeps it up to date with your configured settings.
How updates work
Fleetsmith handles operating system updates in two ways: through notifications and through enforcement.
Notify users of updates: You can choose to remind your users with Apple push notifications when the operating system version is out of date. Users can see this notification in the Fleetsmith agent by clicking the dog icon in the menu bar.
Enforce latest version: Fleetsmith force restarts devices with outdated operating systems—even if the devices are in use—at a predetermined deadline. You can set the minimum version to be installed and the date and local time of the enforcement. When you choose to enforce an update, Fleetsmith handles notifying your users with macOS notifications to ensure they have enough time to prepare for the forced restart. Your users have the option to update early, so they can update at a time that’s more convenient for them.
Notify users of updates
In the Fleetsmith Admin Console, go to the Fleetsmith catalog, click an operating system, then choose the desired configuration.
If necessary, check “Enforce installation by,” then select the enforcement date and local device time.
Optionally, select the interval and local device time for notifications.
If an enforcement is about to take place, the Fleetsmith dog icon turns red and users see a 5-minute countdown.
An enforcement often requires an app (or a user’s computer) to be restarted. Fleetsmith notifies users before an enforcement takes place. Occasionally, however, these notifications can be missed if a user is working in Do Not Disturb Mode or has disabled macOS notifications.
Enforce macOS compliance policies
You can enforce compliance policies when your users create or change passwords.
In the Fleetsmith Admin Console, click Apps & Settings.
Select Add the Auth & Screen Lock setting, create an app configuration using the following options as necessary, then add it to a profile.
Setting: Description
Allow simple value: Permits users to use sequential or repeated characters in their passwords—for example, “3333” or “DEFG.”
Require alphanumeric value: Requires that the password contain at least one letter or number.
Minimum password length: Specifies the minimum number of characters a password can contain.
Minimum number of complex characters: Specifies the number of non-alphanumeric characters (such as $ and !) the password must contain.
Maximum password age (in days): Requires users to change their password at the interval you specify. It can be set to “none,” or from 1 to 730 days.
Password history: The device refuses a new password if it matches a previously used password. You can specify how many previous passwords are remembered and compared. It can be set to “none,” or from 1 to 50 passwords.
Maximum number of failed attempts: The number of failed password attempts that can be made before an iPhone or iPad device is erased or a Mac is locked. If you don’t change this setting, after six failed attempts, the device imposes a time delay before a password can be entered again. The time delay increases with each failed attempt. After the final failed attempt, all data and settings are securely erased from the iOS or iPadOS device. A macOS device locks after the final attempt. The password time delay begins after the sixth attempt, so if you set this value to 6 or lower, no time delay is imposed and the device is erased when the attempt limit is exceeded.
Execute a bash script
A custom bash script is one command or a series of commands that can be deployed to your fleet from Fleetsmith to perform multiple tasks. Fleetsmith inserts #!/bin/bash before any lines you write in the Fleetsmith Admin Console, so you don’t need to include it. There are two ways to run a custom bash script in Fleetsmith:
Scheduled: Executes a bash script on a regular schedule.
Run once: Runs a script a single time on each device. When the contents of the script are updated, another single run of the updated script is triggered to each device.
Run a bash script as a user
Because the root user is able to use sudo to “become” any other user, the script can be deployed as the active user. The running script needs to know which user to sudo to. Each command must start with sudo -u $CURRENTLY_LOGGEDON_USER in order to be run as that user (using it just once at the beginning of the script is not enough). For example:
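# Look up the owner of /dev/console, which is the user at the GUI session
CURRENTLY_LOGGEDON_USER=$(stat -f "%Su" /dev/console)
# Prefix for each command; the command to run follows on the same line
sudo -u "$CURRENTLY_LOGGEDON_USER"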
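The following added example (not Fleetsmith's or Apple's code) wraps the console-user lookup above in a check, so that a command is skipped instead of running as root when nobody is signed in. The function names, the SUDO_BIN dry-run variable and the list of rejected account names are assumptions of this sketch.

```bash
#!/bin/bash
# Added example: validate the console user before every "sudo -u" call.
# SUDO_BIN and all function names are assumptions made for this sketch.

SUDO_BIN="${SUDO_BIN:-sudo}"   # set SUDO_BIN=echo for a dry run

# The page's lookup: the owner of /dev/console is the user at the GUI session.
console_user() {
    stat -f "%Su" /dev/console 2>/dev/null
}

# Return 0 only for a name that can belong to a signed-in person.
is_interactive_user() {
    case "$1" in
        ""|root|loginwindow|_mbsetupuser) return 1 ;;  # login window or Setup Assistant
        -*) return 1 ;;                                  # would be parsed as a sudo option
        *[!A-Za-z0-9._-]*) return 1 ;;                   # unexpected characters
    esac
    return 0
}

# Run one command as the given user; refuse rather than fall back to root.
run_as_user() {
    local user="$1"
    shift
    if ! is_interactive_user "$user"; then
        echo "skipped (no interactive user): $*" >&2
        return 1
    fi
    "$SUDO_BIN" -u "$user" -- "$@"
}

# Stand-alone use on a managed Mac, where the deployed script runs as root.
# Every command gets its own run_as_user call, as the text above requires.
if [ "$(uname -s)" = "Darwin" ] && [ "$(id -u)" -eq 0 ]; then
    CURRENTLY_LOGGEDON_USER=$(console_user)
    run_as_user "$CURRENTLY_LOGGEDON_USER" /usr/bin/id -un
    run_as_user "$CURRENTLY_LOGGEDON_USER" /usr/bin/id -Gn
fi
```

At the login window /dev/console is owned by root, so without the check each "sudo -u" command in a scheduled script would run with root's identity.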
Remove a custom bash script
Edit the script to be completely blank.
After you have saved a blank script, you can remove it from the profile.
When you remove a blank script, you protect against any accidental enabling of the script.
Remove a custom bash script that’s been reassigned to another profile
If a device is reassigned to a different profile (one that doesn’t have a custom bash script enabled), any scheduled scripts that were pushed to the device and managed by the previous profile continue to run.
Enable a blank custom bash script (Scheduled) on the new profile.
Save the blank script and allow the device to check in to Fleetsmith.
After the blank script is saved and the device has checked in, remove the custom bash script from the profile.