By Parvinder Singh, Partner Solutions Architect – AWS
By Dave Siederer, Sr. Specialist Solutions Architect for EC2 Mac – AWS
By Travis Cynor, Director, Product Management – Jamf

Jamf
Jamf-APN-Blog-CTA-2024

Amazon EC2 Mac instances are made to work with development tools and pipelines to create applications for iOS, macOS, visionOS, and more—any Apple operating system.

Making apps comes with dependencies like frameworks, scripts, and even other apps that are necessary for building, testing, and publishing. These dependencies range in complexity, with some interfacing with the OS at its lowest- or near-lowest level, requiring special permissions.

The macOS operating system limits what software can be automatically installed on an Apple device without interactive, user-granted permissions. This means automating applications that require privileged access to the OS also requires enrollment into Mobile Device Management (MDM).

MDM connects devices securely over-the-air by sending profiles and commands to enrolled devices. Commonly, MDM is used by employers to maintain, update, and secure devices, such as laptops, that have been provided to employees for work. On macOS, MDM has privileged access to allow for automated remote configuration and deployment and minimize actions from the user.

Without MDM, installation of these applications would require manual intervention on every Amazon EC2 Mac instance to install the software, which makes scaling the use of Amazon EC2 Mac difficult.

In this post, Jamf shares how to configure and enroll an Amazon EC2 Mac with an MDM profile installed using Jamf Pro. Although this process still requires a manual step to create the Amazon Machine Image (AMI), which provides the information required to launch an instance, it ultimately allows customers to scale the deployment of these instances without manual intervention once the AMI is created.

Jamf is an AWS Partner and AWS Marketplace Seller that provides enterprise services to help organizations succeed with Apple products and platforms. Its flagship product, Jamf Pro, is designed to automate MDM for Apple devices.

Steps to Create an Amazon EC2 Mac Instance

Before getting started, users will need to create an Amazon EC2 Mac instance to configure an MDM profile. Below are five steps to create the instance:

  • Log in to the AWS Management Console or create an account.
  • Identify which AWS regions and Availability Zones (AZ) you will use.
  • Identify the version of macOS to use: Mojave, Catalina, Big Sur, Monterey, Ventura, or Sonoma on x86; or Big Sur, Monterey, Ventura, or Sonoma on Apple Silicon.
  • Identify size (in GB) and throughput (in input/output operations per second, or IOPs) needed for your boot volume.
  • Allocate a Mac host. Since macOS is required by license to run on Apple hardware, allocating a host assigns a physical Mac mini and starts billing.
    • Mac1.metal hosts are x86 Mac mini computers with 32GB RAM.
    • Mac2.metal hosts are M1 Mac mini computers with 16GB RAM.
    • Mac2-m2.metal hosts are M2 Mac mini computers with 24GB RAM.
    • Mac2-m2pro.metal hosts are M2 Pro Mac mini computers with 32GB RAM.
  • Launch an instance onto the allocated host.

More detail for the steps outline above can be found in the AWS Samples GitHub.

Next, connect to an Amazon EC2 Mac instance with a Secure Shell Protocol (SSH) client for secure operations.

To do this, go to the Amazon EC2 console, select your recently launched instances, and then click the Connect button found under the Actions drop-down menu.

Jamf-EC2-Mac-API-1

Figure 1 – Where to find the “Connect” button in Mac EC2 instances.

Now, connect to the instance via SSH client using the steps in the dialog, which includes instructions on how to use key pair security credentials with an SSH client, as seen in Figure 2. If copying and pasting the commands, ensure you either specify the full path to your private key file or change directories to where the key file is.

SSH key pairs prevent passwords from being compromised, requiring a key file instead to connect and establish communications. As an alternative to key pairs, you can use AWS Systems Manager Session Manager to connect to your instance with an interactive one-click browser-based shell or the AWS Command Line Interface (AWS CLI).

Jamf-EC2-Mac-API-2

Figure 2 – SSH client instructions.

If using Terminal on macOS or another CLI (and not copying and pasting the example in the Connect dialog), execute the following command to connect via SSH to the Amazon EC2 Mac, replacing and with a path to the key pair of your launched instance and the public (or accessible) IP or DNS address, respectively:

ssh -i ec2-user@

Jamf-EC2-Mac-API-3

Figure 3 – What the command will look like on screen.

If using the AWS CLI and AWS Systems Manager, another option is to use the following code, replacing and with the respective details from the Amazon EC2 Mac instance found in the console:

aws ssm start-session --target= --region=

Next, enable graphical user interface (GUI) access with Apple Remote Desktop or Virtual Network Computing (VNC) by connecting to the Amazon EC2 Mac instance using SSH, as described above. Once connected, run the following command to start the Virtual Network Computing (VNC) screen-sharing service from the Amazon EC2 Mac instance:

sudo launchctl enable system/com.apple.screensharing ; sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.screensharing.plist

Then, run the following command to set the password for the Amazon EC2 Mac user, replacing PASSWORD with the password you’d like to use for your instance:

sudo /usr/bin/dscl . -passwd /Users/ec2-user PASSWORD

Once that is complete, disconnect the existing SSH session by typing “exit” in the SSH session and pressing return.

Next, create an SSH tunnel to the VNC port. Ensure you’ve disconnected from your previous SSH session in the step above. Reconnect via SSH but with a slightly modified command, still replacing and with the path to the key pair file of your launched instance and the accessible IP or DNS address:

ssh -L 5900:localhost:5900 -i ec2-user@

The addition to this SSH command forwards port 5900 (used for VNC) through port 22, ensuring that only the SSH port needs to be accessible to connect to the GUI.

Using the screen-sharing application on your Mac, connect to localhost.

Jamf-EC2-Mac-API-4

Figure 4 – Connect to localhost.

If using a VNC client other than Screen Sharing, connect to localhost:5900, and then log in with the password you previously created. Screen Sharing is a built-in VNC client to macOS. Third-party VNC clients are available for Windows, Linux, and more.

Once finished, you’ll be connected remotely to the Amazon EC2 Mac instance.

To enroll your EC2 Mac instance into Jamf, start by following the instructions on the Amazon EC2 Mac MDM Enrollment repository. To get started, you’ll need the following:

  • Credentials for a Jamf Pro account or API user with the Create Computer Invitations permission. No other permission is required for this account.
  • Default credentials for an administrator user.

Next, enroll the instance into Jamf Pro to cache profiles. To enroll your Mac instance into Jamf manually, first run the following command in the SSH session for your Amazon EC2 Mac instance:

sudo defaults write /Library/Preferences/com.jamfsoftware.jamf is_virtual_machine 0

This command will prepare the instance for enrollment. This command is automatically applied if using the ec2-mdm-enroll script.

User-Initiated Enrollment must be enabled in Jamf Pro to enroll instances. To enroll your instance, log into your Jamf URL’s enrollment endpoint, usually https:///enroll. Log in with an account with a minimum of the Create computer invitations permission.

Jamf-EC2-Mac-API-5

Figure 5 – Downloading an MDM enrollment profile in Safari from a Jamf Pro server.

After the profile downloads, open System Settings (“System Preferences” in macOS Ventura and earlier), click Privacy and Security on the left side, and then scroll down on the right side and click Profiles at the end of the list.

Jamf-EC2-Mac-API-6

Figure 6 – Menu options to follow.

From there, double-click the profile in the list and click Install to install the MDM Profile and enroll your instance.

Jamf-EC2-Mac-API-7

Figure 7 – Pop-up to prompt MDM profile installation.

After being prompted for administrator information, enrollment will verify that all profiles have successfully downloaded and installed before continuing.

In Figure 8 below, Privacy & Security is chosen on the left pane and opened to the Profiles list which contains an MDM profile (highlighted), and several other profiles for restrictions, permissions and more are present in the list.

Jamf-EC2-Mac-API-8

Figure 8 – System Settings app.

Create an Amazon Machine Image

Once all of the required profiles appear on the list, create an image of the instance. Creating an image of an EC2 Mac instance allows you to launch new instances.

In the AWS console, click Amazon EC2, then Instances, and then the running instance in the list. Click Actions > Image > Templates, and finally the Create image button at the bottom right.

If No Reboot is checked, the instance will not reboot before creating the image and will create the image in the background. If Delete on termination is checked, new instances launched from this image will not have their root volume deleted when the instance is terminated.

Figure 9 shows the instance list of the EC2 section of the AWS console. An instance in the list is highlighted, and the Actions button has been clicked. The Image and templates menu has also been clicked, and Create image is highlighted in the submenu.

Jamf-EC2-Mac-API-9

Figure 9 – Create image is the option to create an AMI from an instance.

After clicking Create Image, you’ll receive a banner with an AMI ID, which can be clicked for more details. When the status changes from Pending to Available” you can launch a new instance from the newly-created AMI. It will contain the same profiles, restrictions, and apps deployed to the instance you were just working with.

Considerations for Subsequent Instances

This workflow will result in an Amazon EC2 Mac instance preconfigured with profiles, restrictions, and apps. Subsequent instances will not receive new updates to apps or over-the-air configuration or provisioning profiles.

To update an AMI with new profiles, a re-enrollment of the Amazon EC2 Mac instance is required. Alternately, this action and more are taken automatically by the ec2-mdm-enroll script, with instructions available in the AWS Samples GitHub.

Conclusion

In this post, we explained how to launch instances without further configuration from the new AMI. Starting new instances with the stored image of the Amazon EC2 Mac instance above ensures they are complete with all of the profiles your instances need.

With Jamf Pro, users benefit from the security and accessibility of Mobile Device Management (MDM) on Apple devices in a streamlined process designed for scale. This supports organizations that use Apple products across their workforces.

You can learn more about Jamf in AWS Marketplace.

.
Jamf-APN-Blog-Connect-2024
.


Jamf – AWS Partner Spotlight

Jamf is an AWS Partner that provides enterprise services to help organizations succeed with Apple products and platforms. Its flagship product, Jamf Pro, is designed to automate MDM for Apple devices.

Contact Jamf | Partner Overview | AWS Marketplace