Episode 291: Getting Caught Up on Configurator with Subhi Hashwa

Apple Configurator has been a part of the Apple Admin’s toolkit for some time. Initially built to help admins do more than what was available in iTunes, it’s grown over the years to add options for the Mac, aid in supervision, and automate tasks further with the ability to script it. We’ll get caught up with how some of these features are working in today’s episode with Subhi Hashwa!

Hosts:

  • Tom Bridge, Principal Product Manager, JumpCloud – @tbridge777
  • Marcus Ransom, Senior Sales Engineer, Jamf – @marcusransom
  • Charles Edge, CTO, Bootstrappers.mn – @cedge318

Guests:

  • Subhi Hashwa

Transcription of this episode brought to you by Meter.com

Meter is the easiest way for businesses to get internet, networking, and WiFi. Our full-stack approach combines hardware, software, and operations so that any company can seamlessly run on a reliable and modern network.

  • Streamlined installation: We take on the complexities to make designing and deployments easy, fast, and stress-free. We manage the entire installation process, and provide ongoing maintenance and support.
  • Network hardware, security & management: We design and build our own controllers, switches, and wireless access points. After the network is deployed, review your speed, usage, and security in one unified dashboard. No need to hire vendors in every location or have IT teams fiddle with manual configurations — everything is automated with our software.
  • Simple pricing: Pay one monthly rate with no up-front costs for installation, configuration, or hardware.

James Smith:
This week’s episode of the Mac Admins Podcast is brought to you by Kandji. Automation in IT is a hot topic, and for good reason. Automating repetitive tasks frees you to focus your skills on more strategic projects that move the needle for your organization. Kandji, the Apple device management and security platform, features over 150 pre-built automations to multiply your effectiveness and impact daily. To see how to take the repetition out of your to-do list, visit kandji.io. That’s K-A-N-D-J-I dot I-O.

Tom Bridge:
Hello and welcome to the Mac Admins Podcast. I’m your host, Tom Bridge. And Marcus, that shirt is striped. Are you a convict, or is it just Monday?

Marcus Ransom:
All of the above.

Tom Bridge:
Okay.

Marcus Ransom:
Which is always the best in multiple choice. So, yeah.

Tom Bridge:
And Charles, that looks like a very tasty cup of coffee. How are you?

Charles Edge:
I am good. The wind is blowing. I cleaned up the leaves on Thursday, Friday and Saturday, and it looks like I’ll be doing so on Sunday because they’re blowing right into the window that sits in front of my computer. So hopefully it doesn’t create background noise. How are you, Tom?

Tom Bridge:
I’m doing okay. We’ve got some unseasonable warmth here in DC, but we’re celebrating by making birria res on the stove, which smells amazing as I’m sitting here. But yeah, I was going to say, Charlie’s down with a cold, but getting better, and that’s a good thing. We’ve spent a long weekend. I was off on Friday for our company holiday, and I’ve spent a long weekend doing nothing, and it’s been everything I could dream it could be. We’ve got a fantastic guest. Welcome to the podcast, Subhi Hashwa.

Subhi Hashwa:
Hello. Thank you for having me.

Tom Bridge:
It’s great to meet you. Apple Configurator has been a part of the Apple admins toolkit for some time. It was initially built to help Mac admins do more than what was available in iTunes, but it’s grown over the years to add options for the Mac, aid in supervision, and automate tasks further with the ability to script it.
We’ll get caught up with some of how these features are working in today’s episode, but before we do that, big welcome to the podcast, Subhi. When we’ve got a new guest on the pod, we’d love to start the episode with a little background information about the guest. So would you mind giving us a little bit of your origin story and how you became an Apple admin?

Subhi Hashwa:
Okay, so I’ve been using computers since I was six, eight, started with Apple II, and obviously MS-DOS and yeah, everything else that’s basically was available at the time. So it’s been a long history. I haven’t been a Mac admin for that long, but I do have a long history of being admin for other things, so you can call me Swiss Army knife type person. Yeah, so.

Tom Bridge:
That’s fantastic. So what was your experience like getting started with Apple Configurator?

Subhi Hashwa:
So Apple Configurator, at work, I look after about 160,000 devices, give or take. So it’s a big chunk. Configurator is essential for that kind of scale. Obviously the MDM does the majority of the work, obviously, but when you do need to touch the device, Configurator is the go-to. The automation that Configurator gives you is unparalleled. You don’t want to sit with iTunes, restoring one iPad at a time or an iPhone at a time. You can scale to…
I mean, put it this way. In Configurator, we recycle about 1,000 devices through Configurator every year, and this year we’re looking up to 6,000. So that’s the kind of scale that Configurator can work to. Can I just say, for the purpose of the audience, there is two Configurators, just to confuse everyone. So there is the Apple Configurator, which used to be called Apple Configurator 2, so AC2. So when you’re googling and you see AC2, that’s the computer one, that’s the one on macOS, and there is the Configurator for iPhone. The purpose of that is to enroll devices, iPhones, iPads, and macOS into Apple Business Manager and Apple School Manager, so that is a baby version.

Marcus Ransom:
But a very good version nonetheless.

Subhi Hashwa:
It is. It is. It’s a single purpose. That’s what I’m trying to say. The one on the macOS is the sort of full fat version.

Tom Bridge:
As opposed to the skimmed down, makes your coffee just slightly lighter than it normally is, Apple Configurator for mobile.

Charles Edge:
My coffee is pretty dark. I’m just saying. I do feel like, so TJ Houston and I wrote a book on Configurator in, I want to say 2013, and it was awesome to all of a sudden have this new tool that we could use to replace iTunes. Because back in the good old bad old days, it wasn’t like imaging, but it was kind of like imaging. You’d set up your machine or your iOS device just like you needed it, and then do a backup in iTunes and restore all the devices. And now you can restore in a lot of devices, maybe out of profile over time. But how has it changed since we’ve all been using it? Like that first. I mean, other than the obvious, the GUI is way better.

Subhi Hashwa:
Personally, what I like about Configurator are the command line tools. So you can do so many things with command line, that you can actually script it that you can do a lot of automation. To me, that’s my hot button. So the automation that the command line tool can give you is absolutely amazing. Detect the device, get the CR number, do all sorts of, it’s like stuff like that. And then have other tools sitting on top of that too. The heart of it is the Configurator. There are other things that Configurator still does, but it’s probably redundant with MDMs now. The MDM does a lot of the things that Configurator used to do.

Marcus Ransom:
The profile management.

Subhi Hashwa:
Yeah, absolutely. Absolutely. You can still, I mean, in some cases I still generate profiles, [inaudible 00:07:15] profiles with Configurator, and then upload them to the MDM. That’s still the thing.

Marcus Ransom:
The early version of Configurator sort of had a bit of a personality crisis, really. It was trying to do things instead of MDM, or trying to do things that MDM very much wasn’t able to do at those days, especially the strange shared iPad workflows they had, which I know education got very excited about. But as a version one of a product, there were perhaps some challenges that made it not really a great path to go down. Did any of us here mess about with that side of the first iteration of Configurator?

Charles Edge:
Oh yeah. For sure. I mean, I think I always tried, if I was going to manage something through MDM that was available in Configurator, not to touch it in Configurator unless I had to had to, like deploying Wi-Fi SSIDs, or SSIDs. Sometimes you had to do that, but by and large, it’s like, well if you’re going to manage it in MDM, don’t touch it in Configurator or you might break it break it.

Marcus Ransom:
I know one of the biggest limitations I found was it was very much, I suppose it was profile manager esque in the way it had a database that just existed on the workstation that you’re using Configurator on. And it would be a shame if anything happened to that database or happened to that machine, which is where I saw organizations-

Charles Edge:
It didn’t [inaudible 00:09:05] properly while running.

Marcus Ransom:
Yeah. I saw organizations running Configurator workstations as NetBoot images to be able to deal with that, and no story [inaudible 00:09:18]-

Charles Edge:
[inaudible 00:09:18] the key chain.

Marcus Ransom:
Yeah.

Charles Edge:
Because that was [inaudible 00:09:22].

Tom Bridge:
Well, and all of that needed to get backed up through Time Machine, if memory serves. A lot of the databases that existed out there, that was the way you could back them up. It was not a more straightforward, like export the configuration and save that safely. It was kind of a different environment.

Charles Edge:
Yeah. The good old bad old days are always good old bad old for a reason.

Marcus Ransom:
It did a good job at showing us how not to do things.

Charles Edge:
Yeah. Yeah. But I do feel like now it’s so easy, you just hit install on the app store, and you install the command line tools if needed, and then you start doing stuff. But before you get started, I guess there are some best practices regarding admin accounts, right?

Subhi Hashwa:
Yes. The admin accounts with Apple School Manager and Business Manager. I believe the best practice is still that you should use the .appleid.com domain for these accounts. If anything happens to your domain, if anything happens to your federation, if anything happens, whatever, you still have that fallback account that you can rely on that Apple runs. You know it’s going to work. And it’s always good to use that as your administrator accounts. Obviously, there is still the limit of the five administrator accounts on Apple Business Manager and School Manager, but the lower accounts, you can give them all the permissions that an administrator has, except for accepting the terms and conditions, which is something you need to keep in mind every time there is a new macOS release. So every time there’s a new macOS release, there is new terms and conditions. The things have improved, so now you do get a heads-up email that everything will stop when the new macOS will be released until you actually accept the new terms and conditions, so you can prepare yourself.

Tom Bridge:
Yeah. Making sure that you’ve got a good plan to handle those kind of situations, especially when your organization maybe doesn’t let you be an admin that way, or sign agreements on behalf of the organization where you’ve got to go to counsel to do that, is always super important.

Marcus Ransom:
And I especially like the fact that these days, Apple Business Manager, Apple School Manager, actually warns you if you only have one administrator as well, to say, “This is probably not a good idea.” Have multiple administrator accounts. It’s good for them not to be the same person as well. People are allowed to go on holidays. People are allowed to…

Charles Edge:
Maybe in your organization, Marcus.

Marcus Ransom:
Yeah, so they’re fine. I remember doing an iOS onboarding, and the administrator of the school’s Apple School Manager account was at the beach. And so we’d have to wait for her to come back in from the surf to be able to respond to MFAs and those sorts of things. And trying to explain it. It’s like, rather than bothering her when she clearly needs to not be worrying about this, maybe we can just get her to create another admin account that we can use. Oh, no, no. This is easier. Maybe. Maybe not.

Subhi Hashwa:
One thing to keep in mind, if you’re using two [inaudible 00:12:52] accounts for Apple Business Manager, Apple School Manager, if you’re using team accounts or anything like that, you can add up to five MFA phone numbers to the account. And it’s always good to have, because one important thing, there is no recovery. So I think that goes back to your point that it gives you a warning of the one admin account, that you cannot recover it within. It’s like a normal Apple ID, there’s no such thing.

Marcus Ransom:
Yeah. Yeah. And another interesting observation about those multiple phone numbers you can have for MFA on the team is it only shows the last, I think it’s three digits of the phone number. Now, having been on a team where three of the five people in the team had the same last three digits in their phone number.

Charles Edge:
I don’t even know how that happens.

Marcus Ransom:
And it was completely coincidental as well because we’d all had them for years, so maybe it would’ve been better for us to have multiple admin accounts. But once again, we learn how not to do things by seeing great ideas manifest.

Charles Edge:
So speaking of Apple Business Manager and Apple School Manager, I feel like at one point in time it was really easy to accidentally populate information that wasn’t exactly maybe what we wanted end users to see if they started digging into what we were putting on their devices. For example, if we called the org, Marcus’ iMac. So for those who haven’t used Configurator in a hot minute, “organizations,” quote, unquote, is now autopopulated based on what’s in ABM and ASM. And I guess, what’s that process like to set up?

Subhi Hashwa:
So the Apple Business Manager, Apple School Manager, it’s the same process. So obviously the Apple School Manager is for education. The difference is you get classes. Do you get anything else? Roster? Yeah. Yeah. The only thing extra you get is classes. You also get 200 gigs in storage for managed Apple IDs, versus the five gigabytes for business accounts.

Tom Bridge:
Well, and the ability to import via SFTP, which is fascinating.

Subhi Hashwa:
Yes. Yes. Yes.

Tom Bridge:
But with the caveats that go with that.

Subhi Hashwa:
Correct. Correct. So importing via SFTP or you do the federation. Absolutely, yes, absolutely. Good shout. So how do you get an Apple Business Manager or Apple School Manager? I’m going to go with the Apple Business Manager account, so it’s easier that way. So the first thing you do is obviously for businesses, an individual cannot get an Apple Business Manager account. The way they verify this is via the D-U-N-S account, Dun & Bradstreet. So if you don’t know what your organization number is, google D-U-N-S and put your company details in, and they will give you what your D-U-N-S number is. You fill in the form. If you google register an Apple Business Manager account, I would recommend that even though you might not want to get your Apple devices registered now, the paperwork will take some time. So get yourself prepared, get your docs in order. So when you want to push the button and actually use it, it’s done for you. That homework and network is done.
So you register the account, you fill in the paperwork, who’s going to be at the legal end, what the legal entity is, which is the organization, and who is allowed to sign on behalf of the organization. Whoever is allowed to sign, that is the administrator, the very first administrator in the organization. Apple will phone up your company and they will speak to someone, so it’s actually a physical person who’s phoning up and verifying your details, and are you sure you want to register? Are you sure you want to do this? And if any of the answers is no or the person didn’t get through, guess what? You’re not going to get an ABM account. So it’s worth it.

Marcus Ransom:
And one of the things I’ve found in that scenario as well is they will call once and leave a message, and they generally won’t call back. So if you’re trying to get someone in senior management to have that phone call, or someone in the legal department, I’ve found, to streamline the process, actually arranging a time with them and say, “Hey, we’re just going to sit down together and we’re going to get an email from Apple, or a phone call from Apple. If it’s an inconvenient time, that’s fine, we’ll just arrange another time where we can sit down and you can call them back. It’ll take five minutes.”
And rather than, so I’ve seen, which some of you may have seen as well, waiting for weeks and everybody wondering why the process hasn’t stalled. And it’s because that phone call hasn’t taken place.

Charles Edge:
And I’ve been on, just last week, I was working with someone and we called them back, and the wonderful service rep on the other end of the line asked three or four questions and said, “Good day.” And immediately we got an email back. It was one of the best call center experiences I think I’ve ever had.

Tom Bridge:
Yeah, absolutely.

Charles Edge:
I felt honored.

Tom Bridge:
The teams that work on those verifications are on it. Don’t expect this to be the Inquisition. Expect it to have to verify some information. You’re going to need somebody who can sign a document on behalf of the company, but this isn’t a painful experience.

Subhi Hashwa:
Yeah, absolutely. And it is important because you have so much power when you actually get the device into ASM, into ABM, for instance. So an existing device that you’ve purchased through whatever channel you’ve purchased it through, and then you run it through Configurator for iPhone, and then it suddenly becomes an organization-owned device with the supervision, et cetera. That gives you a higher level of control over the device than BYOD, which is what it was before getting registered. One thing about registering a device manually after you’ve purchased it through Configurator for iPhone, or the manual way of registering a device through Configurator for macOS, there is a grace period. So there is a month grace period. What that means is the user has the power and the right to break out of the MDM solution and the registration, so they can leave at any point within at least 30 days. If you want to enforce the registration, you register the device and you put it in a cupboard for a month before you issue it out. That’s one way of doing it.

Marcus Ransom:
That’s a great pro tip. I actually saw someone having a conundrum based on that, where they were confused that they were able to remove non-removable MDM, and eventually the penny dropped that they were using a device that had been manually added to their Apple Business Manager within the last 30 days. And as soon as those 30 days had expired, non-removable MDM did exactly what it said on the box.

Tom Bridge:
Yeah, the number of times we’ve had to explain that out is substantial. And it’s a great thing. I think I really love this as it’s set in, it’s almost like the profile hardens. And you kind of set this in place and it still works and it does all the things, but if you got a machine that you maybe bought the wrong way or got it another way, you’ve got some flexibility here, and it’s good to see this kind of option exist out there for them.

Marcus Ransom:
But you don’t want to make this your first port of call for your primary method for getting devices in there, getting it done through Apple or through your reseller is a lot more. We love automation. We love not having to sit there and manually boot up 100 machines and try and do this. It’s great that we can, but there are better ways.

Charles Edge:
Well, speaking of automation and doing it in different ways, Apple Configurator does do a pretty good job of coexisting with automated enrollment. So I guess to aid in automated enrollment, you can also add multiple MDM servers in Apple School Manager or Apple Business Manager, and then multiple MDM servers can then show up in Configurator. How well does that work?

Subhi Hashwa:
I personally haven’t actually tried that feature. We do have multiple MDMs on a single ASM or ABM instance, but we preassigned the MDM within Apple School Manager. So the automatic device… ASM and ABM always point to the right MDM for that particular device. Thinking about it now, it might not be the ideal way, but we know that basically the Apple TVs are going through one MDM, the iPads are going a different way, some iPads are going a third way for instance, because they serve a very particular purpose. And in that regard, personally I prefer to set it in, for my use case, I set it in Apple School Manager or Apple Business Manager, and then let the MDM decide which pre-stage or ADE it will actually use for that particular device.
And using the APIs within MDM, I can actually chop it and change it, or from the web interface of the MDM, I can move devices between the different paths. In terms of Configurator, I use Configurator for the automatic device enrollments, for instance, for the iPads. So I would set it, I would push the Wi-Fi profile to it, and then I would set it to enroll via MDM through Configurator using the Wi-Fi, using the shared internet connection of the laptop, for instance.

Tom Bridge:
We would frequently use this with our performing arts venues, and essentially we’d have two or three MDMs based on the device. The devices were largely disposable. And so if one went… I mean, they were also locked in frames, so it was not like, I mean, honestly if you want to rip the frame off the wall, you can have it. I will let you. That is fine. And you can take that device and use it in good health, even if I think that your application of it, maybe it was bad. But we would have different MDMs based upon different purposes. There would be an MDM for the point of sale system, there’d be an MDM for the signage system. And so the idea would be, hey, we got a brand new device, hook it up to the server in the closet that’s running Configurator, and then get it managed, get it onto the environment, get it supervised, get it into the right state, and send it on its way. And we’d have blueprints within Apple Configurator for both of those kind of workflows. They’d end up supervised, but they’d end up supervised with different MDMs.

Marcus Ransom:
One of the benefits I saw to having to do sort of bulk iOS enrollments were speaking to techs where they’d say, “Oh no, no, it’s all right. I’ve got an open SSID I use for enrollment, so I can do it just as fast.” And the real key for me was the fact that eliminating the two clicks where you’ve got to select the country and you’ve got to select the language, which my understanding is so that the device knows how to allow you to type the password to connect to whatever Wi-Fi you’re doing. But using Configurator, it will automatically choose those settings, the locale settings of the Configurator workstation. So if you have specific requirements of which particular locale you want your iPads to be set up with, then you may need to ensure that the Configurator workstation’s set accordingly. But for me, especially scaling to hundreds of devices, but even sometimes just doing five or 10, eliminating those two clicks again and again and again made a pretty ordinary job actually pretty straightforward.

Charles Edge:
Or trying to get an Apple TV on an 802.1X network or some of those other weird little edge cases where you just have to use it. There’s no other way. And yeah, you could create an IoT network or some. We got around it in a few weird ways in the days before Configurator did Apple TV. But I do feel like renaming devices, speaking of the blueprints, is one of the things, and I’ve had renaming scripts that got into hundreds of lines where you’re trying to do various topics or do various tasks based on logic. Obviously you can’t do that for iOS, but do you set up different groups for different blueprints to help with that or rely on serial numbers, or any best practices you can kind of illuminate the audience on based on how you rename devices as they’re in deployment?

Subhi Hashwa:
In our use case, we use serial numbers. In some installations, we actually use usernames as the device names they enroll, but that comes from the MDM rather than, and it uses webhooks and it’s fairly messy. Serial numbers with a prefix is, for me, is the way to go. And it seems to be sticking in the company. People are happy to use it that way. Serial numbers keep it unique. It doesn’t give out any serious information. I suppose you can find out the warranty expiry date from… I don’t know what information you can actually get out of serial number, but the renaming, I mean, it’s like that goes into convention and asset IDs and it was like, what would your setup be like? And is it worth the efforts? That’s what it comes down to. Serial number is just easy, straightforward, add a prefix to it, you know what it is.

Marcus Ransom:
And able to be determined programmatically as well, which is one of the things I like. Anybody who wants to use-

Charles Edge:
Well, not for Swift.

Marcus Ransom:
… an asset tag for their naming convention.

Charles Edge:
This is one of those funny places where the privacy controls kind of get in the way when you’re actually writing code code because it’s like, well I could get this from Bash, but I can’t get it from Swift. Let me just shell that out real quick.

Marcus Ransom:
When your onboarding method involves holding the iPad up to a mirror, taking a photo of the asset tag and then using OCR to…

Charles Edge:
So that you can zoom in.

Marcus Ransom:
Yeah. It’s like, no.

Charles Edge:
Man, I remember we did, in the early days of when they had just switched to the teeny tiny serial numbers on the back, we did one, and it was just painful to manually type those numbers in, because this was back when you had to manually type this stuff in. And we would actually take pictures and then zoom in on the serial number because to the naked eye you couldn’t discern a six from a zero or some of those. Yeah.

Marcus Ransom:
The trick that one of the Apple trainers showed me, which is unbelievable, is use the magnifier on your iPhone from control center, and put the blue yellow color filter on, which to me seems specifically designed to be able to read dark gray on light gray serial numbers. And it’s amazing. It’s like, wow, I can actually read that. None of this sort of try to hold the thing in the right light and get up close to it. It was like, that’s amazing. People need to do this.

Subhi Hashwa:
Does it work with the serial number is the one that’s inside the SIM tray?

Tom Bridge:
I bet it does. I mean, I was going to say, the other one that’s really a bear to read is the one on the inside of the AirPods case. Not that I’ve had to do that from experience, recently or not, but it’s definitely reminded me that my eyeballs are old.

Subhi Hashwa:
One thing, if anyone from Apple is listening to this, one thing I would really love for you to do is, on the hello screen, the little blue i, just put a barcode. You have a certain number, just add a barcode to it please.

Marcus Ransom:
Or even if it’s one of those swirly cloud Apple codes or whatever they are. And the Configurator for iOS can then read that and convert it into something. It’s like, we don’t mind if it looks beautiful, just as long as it works.

Tom Bridge:
Yeah. The working part is the really important part of that.

Speaker 5:
Deploying, managing, and protecting Apple devices at work shouldn’t be difficult or require several solutions. Mosyle is the only Apple unified platform for business. By combining enhanced device management, endpoint security, internet privacy and security, single sign-on and enhanced and apps management into a single Apple only platform, businesses can now easily and automatically deploy, manage, and protect their Apple devices with one solution, and at an affordable price. With a solution for every business size and the best support in the market, request your free account today and see firsthand why Mosyle is more than an Apple MDM. Mosyle is everything you need to work with Apple. To learn more, visit business.mosyle.com. That’s business dot M-O-S-Y-L-E dot com.

Tom Bridge:
So there were a ton of companies out there that said they couldn’t roll out iOS devices unless they could manage the wallpaper on the device. Do people you’ve come across do a lot of wallpaper management at this point?

Subhi Hashwa:
Yes, I would love to do more with the wallpaper, but our clients, they only want a simple wallpaper. But the thing is with wallpapers on the iPads, you can do so much. From, again, my use case, the wallpapers can tell you a lot about the iPad that you’re actually ignoring. So this is a shared iPad. This is an iPad for this year group. This is an iPad for this particular use case. You can actually have the wallpaper tell you what the iPad is without having to unlock it, et cetera. And it doesn’t have to be anything. You don’t have to leak any information. It can be a blue background for this type of enrollment, a red background for this type of enrollment. So if you open the lid a mile away, you can say, “Hey, that’s this iPad, it shouldn’t be here, it should be in this place.” You can do that. You can do all sorts of really nice things.

Marcus Ransom:
You could even put a barcode of the serial number on the wallpaper if you wanted to leak information. [inaudible 00:33:05].

Charles Edge:
I guess with CFG, you chill.

Marcus Ransom:
Yeah. I’ve seen, not barcodes, but I’ve seen shared sets for schools, and the naming that Apple allows you to put in the lock screen using MDM is smaller than the serial number in terms of its size and smaller in its usability. Whereas having the wallpaper and the lock screen with the name of the iPad using colors or animals or things like that, exactly as you’re saying, to define it easily so that a teacher trying to quickly hand out iPads to younger kids or maybe academics in a higher education, the same level of competency, maybe even less, can really easily do that. And you can save a lot of time. Human interface.

Subhi Hashwa:
Absolutely. Absolutely. And you could do it to a lot of things like communal iPhones. It’s like the duty manager iPhone. You know the color is going to be this or whatever. You can do so much with a wallpaper. One of the things I would like to do, I haven’t go ahead for it yet, it’s change the wallpaper to red with a big warning sign. Upgrade your iOS, now, today, please. Thank you very much.

Tom Bridge:
We’ve done that before. It works.

Subhi Hashwa:
Does it work?

Tom Bridge:
Oh yes.

Subhi Hashwa:
Yeah. Okay, good, good. Yeah.

Tom Bridge:
It works.

Marcus Ransom:
Especially if you can send repeated MDM commands so that every minute it changes from like GeoCities lime green to yellow and back again and…

Charles Edge:
GeoCities lime green. That was good stuff.

Subhi Hashwa:
[inaudible 00:34:50].

Marcus Ransom:
The most annoying color ever.

Subhi Hashwa:
[inaudible 00:34:56] database [inaudible 00:34:57] with the man digging this website [inaudible 00:34:59].

Charles Edge:
Exactly. So have you worked with multiple Configurator stations or is one generally enough for what you’re doing? And I guess a follow-on to that, given the history of multiple stations that we talked about earlier, at least backup and restore, are there any issues or best practices with using more than one?

Subhi Hashwa:
The way we use Configurator is to… In a way, it’s primitive. We do a lot of the stuff via the MDM. So the scripts that we have use the API and the MDM to do stuff that Configurator feeds into it. So the Configurator reads up the serial numbers, feeds it into a script that talks to the MDM. The MDM then says, “Okay, I’m moving this script, I’m moving this iPad from one pre-stage to another.” And then it updates the iOS on the iPad. It then enrolls the iPad into… It pushes the Wi-Fi configuration and then it enrolls it into the MDM, if it doesn’t have a username attached to it, like shared iPads, they don’t have a username attached to them. So it can actually, the Configurator does that sort of thing. Whereas the more complicated stuff is done on the MDM side of things. So in our case, having multiple stations does not cause an issue because the centralization of the MDM, which could be a workaround for having multiple Configurator. I can see having multiple Configurator stations causing problems.

Marcus Ransom:
There’s a few things that, in my experience with it that I’ve found, that you need to manage carefully, which is making sure that you’ve got the same supervision identity on each work station and ensuring consistency. So in my old gig, the deployment lab that we had doing large deployments for multiple customers, there was also the other side of this conundrum, which is using the same Configurator workstation for different organizations. And I found the best way to handle that was a different login. Login, logout, don’t cross the streams, putting IPSWs and things like that that people wanted to use to speed up restores in a shared volume so they could copy them into where they needed to be. But I found, whilst technically you could use a single user login instance of Configurator with multiple organizations, dragons be there, and it was easier to accidentally do the wrong thing there.

Charles Edge:
Yeah, I never even tried that. I can see why you do it, especially if you were at a consulting firm or doing some kind of multitenancy situation. But we always did that at my old shop, and it was before Configurator 2 era I guess. But we always did that with multiple computers and re-imaged, because just weird artifacts floating around who knows where.

Marcus Ransom:
And given that most of the organization identity and supervision identity is certificate-based as well, it’s not straightforward to… Seen people with best intentions try to just copy user folders and keychains and think that that’s going to work. And I’ve found when you’re building up a new Configurator workstation is to stop, test, verify, make sure everything’s right, which is why the workflow we had when there were often lots of time pressures was to make sure that there was redundancy built in, that there wasn’t just one workstation with that particular customer’s details on it. That there were multiples, so that if somebody was in the middle of a last minute rush, which would never happen at a consultancy, and then you had a last minute rush for another customer, that you weren’t squabbling over the same workstation. You’d then just be squabbling over the same 16 port hub to be able to do that.

Tom Bridge:
That was always the bigger challenge. The number of machines that you could connect at once.

Marcus Ransom:
Yeah. Yeah.

Subhi Hashwa:
Can I just say, not all hubs are created equal?

Charles Edge:
Oh yeah. Just not all USB chargers are created equal or USB cables for that matter.

Marcus Ransom:
These ones are expensive for a reason.

Subhi Hashwa:
Reassuringly expensive, [inaudible 00:39:57].

Marcus Ransom:
Yes.

Tom Bridge:
It will not waste your time.

Subhi Hashwa:
Absolutely. Absolutely. And you know what I mean, I’ve had a USB hub, 32 ports, 750 watt power supply built in. It claims to do this, that and the other. And you plug in, and then your laptop shuts down or says this device is drawing too much power from your USB. It’s like you’re trying to power 32 devices from my laptop. What’s wrong with you?

Marcus Ransom:
The other one that I got was when you’d get a, what claimed to be a sync and charge hub. But it wasn’t a sync and charge, it was a sync or charge. So it could either power devices or it could move data through. And if you were doing something that involved pushing a lot of applications onto devices and they were going to be connected for some time, realizing that it’s going to drain the batteries while it’s doing that.

Charles Edge:
Wow, I never ran into that. That would suck.

Marcus Ransom:
Yeah, it did. Yeah.

Tom Bridge:
Let that sink in.

Charles Edge:
I do feel like, so we mentioned supervision in that last question, and I guess it’s critical to manage all the things these days. Have you found the ability to add a device into an ASM or ABM tenant useful, or are the requirements used the manual configuration option to be a limitation with that?

Subhi Hashwa:
No, it’s extremely useful. It’s sometimes in an organization with big enough iPads or iPhones or whatever will turn up and someone will say, “Oh yeah, I bought this with my own card on expenses and why is it not in the system?” It’s like, well, okay, you didn’t follow process, but we can help you with this. So in that regard, it’s the only way, isn’t it? Now you can actually, maybe you can phone Apple and ask them to add it if it was a recent purchase. But yeah, I mean-

Charles Edge:
I’ve never had luck with that.

Marcus Ransom:
Yeah, really needs to be, it’s done programmatically. It needs to be the reseller. If it was purchased through Apple, even then there’s a lot of hoops you need to jump through that needed to have been purchased by the right channels, which as frustrating as that can be, I see that as being a good thing. When you think about what could happen if one of your devices ends up in somebody else’s ABM instance. All your base belong to them.

Subhi Hashwa:
Yeah, yeah. I mean we’ve had that. Even through reputable proper channels, refurbished devices coming back and say, “Yeah, the wrong device came back, it belongs to another organization.” It’s like, oops. And vice versa. It’s like some of our devices that went for repair ended up somewhere else and you go, hmm.

Marcus Ransom:
And this is why the phone number that you put in your MDM in the pre-stage to say, this device is owned by, make it an international number. Because I have had to call a Norwegian school and say, “Why is our device showing up in your Apple School Manager?” And it turned out that the genius was having a bad day when they swapped a serial number over, which, I’ve had plenty of bad days. So I totally get that. But that streamlined the process of going to Apple and getting that resolved because we had already spoken to the person who had technically legal ownership of that device and confirmed that that serial number was in fact not one that they’d purchased or swapped, and that streamlined the process there.

Charles Edge:
I do feel like this feature opened up a whole bunch of other security options. So let’s say that you want to require a device to be enrolled through automated enrollment and/or supervised in order for it to be able to even join the network. And then all of a sudden, and this happens a lot in school districts from what I’ve noticed, all of a sudden, a parents group doing the wonderful thing of raising some money and buying some devices, not through the proper channels, but how are they supposed to know? And now you’ve got all these devices that can’t even join the network. And this feature to me was one of the best that we got, so.

Marcus Ransom:
Even the way it was initially described, where they would describe it as devices that had been donated. So we would see, I remember doing work for a school that the local prison was giving them iPads that had been confirmed they were used by the wardens, not the inmates. The inmates weren’t sitting there on Instagram all day. But these were still perfectly good devices for this school and for this school that was struggling for funding. It was amazing and opened up all sorts of options in the classroom, and that was the language Apple used initially. This is for donated devices, because I guess they’d had plenty of scenarios like that where organizations were saying, “Hey, we want to be able to do this, but apparently we can’t.” And now we can.

Charles Edge:
Now if the inmates were on Instagram all day, would they be taking selfies wearing that shirt you’re wearing?

Marcus Ransom:
Probably.

Charles Edge:
More power to them. It’s a good shirt. I like it. But since Tom mentioned it, I had to mention it too. So I guess one more thing, or not one more, we’ve got a few more, but so DFU mode. How’s that invoked, and what information might an admin be able to find in Configurator?

Subhi Hashwa:
Okay, so DFU, device firmware upgrade, it’s basically the last resort when you have a device that’s misbehaving. It’s a recovery mode. If you want to know how to get into DFU mode, you’re going to have to find the right page on apple.com for your device, unfortunately. Each device has its own key combination. You need about 10 fingers at the same time on the device to actually get to the right stage. So for an iPad, you switch it [inaudible 00:46:45]. So eight, ninth gen iPads, you have the home button, you switch it off, you press the home button, and then you plug it into the lightning cable, and that’s how you get to the DFU mode. On an SE3 for instance, volume down, power, volume up, power, both volumes.

Charles Edge:
You have to google it every time.

Subhi Hashwa:
Yeah. It was like, I had to do it once and I didn’t save it.

Marcus Ransom:
Muscle memory is the only way.

Subhi Hashwa:
It’s too painful to commit to memory. So it puts it into a recovery mode. Sometimes you get something on the screen, sometimes you don’t. But the bottom line is it’s a way of you recovering your device. So what it does is you can install the latest iOS iPadOS, and on the Apple silicon, you can revive your iPad, you can revive your computer using DFU as well. And you can reinstall the macOS from Configurator. So it is the last resort because it’s going to wipe your device and it’s like whatever you do, it’s going to wipe your device. Actually, can you upgrade? I’ve never actually managed to get upgrade working in DFU. Okay. I don’t know if it’s even possible.

Marcus Ransom:
I’ve certainly put different versions of iOS and macOS going both forwards and backwards, as long as they’re signed, using that method.

Tom Bridge:
And the signature’s still good, right? That’s always the fun one. We recently had a couple of test devices that we found that were on an older operating system, and we’re like, oh, save those. Don’t do anything about those. Because I was going to say the last thing, and there are no versions of iOS 14 that are still signed. I think there’s maybe only one or two versions of 15 that are still signed. So having a good way to test older devices, test all workflows without having to depend on some of those things is very important.

Subhi Hashwa:
Yeah, absolutely. Absolutely. It’s always good to have an older version, but the Apple recommendation, which was made very, very clear just recently, I mean it’s like a couple of weeks ago I think, was that only the latest stream of the OS is security patched. So if you’re using the last, so for instance, at the moment, at this current moment in time, we have iPadOS 16 and iPadOS 15.71 available at the same time, but only 16 Apple is committed to have the latest security fixes on. So it’s something to keep in mind, but if you have the cases that you need to test it on 14, et cetera, I mean, yeah, definitely keep those with the caveat that you know what you’re doing.

Tom Bridge:
So another troubleshooting step we all use is doing backup and restore. So tell us a little bit more about the backup and restore functionality that’s used in Configurator. Does that come up much or are you still using it, or what’s your thought there?

Subhi Hashwa:
No. Yeah, we don’t use that feature. The way we back up for our students, for instance, iCloud, you have 200 gigs, it’s plenty for any, even for a student. It’s like with an iPad, with photos, it’s like, it’s just enough.

Marcus Ransom:
It’s a lot better than five gig, isn’t it?

Subhi Hashwa:
Yeah. It’s free.

Marcus Ransom:
On the scale of usable and not usable, 200 gigs definitely on the usable side of the equation.

Subhi Hashwa:
Yeah, absolutely. Absolutely. So it’s like, what we tell our students is back up to iCloud. Backing up the iPad itself, for us, the iPad is… I don’t want to use the word disposable, but it is a replaceable device. It’s like, your data is in iCloud. If you keep anything on the iPad that you’re not backing up, that becomes your problem, because everyone is issued with a managed Apple ID. And if you have a managed Apple ID, you need to use it. That’s a way. I mean, personally, following the discussion that we’re having here, I mean it’s like, is Configurator losing a lot of its powers to other things? That’s a question that is coming up in my mind right now. Is a lot of the features that Configurator does, is it no longer needed with MDMs?

Tom Bridge:
That’s a really good question and I think that there’s still, we’ve talked about one of the use cases that it’s really needed for, and that is moving devices from unmanaged states into Apple Business Manager, Apple School Manager, and having those kind of tools are not optional. I think that that is one important route that’s there, because I mean, the other piece of this is that obviously Apple School Manager and Apple Business Manager are a lot of places, but they are not everywhere yet. And so having a way to do supervision for iOS and macOS devices that are in various states is really important. And I think that we can’t get away from needing that still.

Charles Edge:
Yeah. Sometimes I feel really bad for admins in countries where some of these services aren’t available who are listening to the pod, and are like, “Life would be so much better.” I totally get that. And speaking of services that aren’t available everywhere, I guess volume purchasing program, or whatever we’re supposed to call it these days, isn’t available everywhere. How’s your experience been with the integration between VPP and Configurator?

Subhi Hashwa:
Yeah, VPP, I mean, it’s amazing for, it’s headache-free deployment for, it’s like apps. Again, we focus more on the MDM side of things rather than Configurator for VPP. And it’s a godsend. I mean, the ability to buy licenses for free apps. So for those who don’t know, the VPP program obviously comes with, it’s now integrated to Apple Business Manager and Apple School Manager. It didn’t use to be the case. It used to be a separate program, and you would get your token and then you put in your MDM, and then you have access to the licenses that you’ve acquired from Apple. So you still need a license for an app, even though the app may be free. And you need enough licenses, and whether you distribute them on device basis or user basis, that’s up to you. Again, you push the VPP to the device and then you don’t need an Apple ID from an MDM point of view. I believe it’s the same in Configurator.

Charles Edge:
If they’re supervised, yeah.

Tom Bridge:
Yeah. If they’re supervised.

Subhi Hashwa:
It’s the same behavior. There we go. So yeah, just on a supervised device, you just push the apps that you want to push, and you don’t need an Apple ID, and life is simple that way. You’re only delivering the apps that you want, and you can put the restrictions that you want on the device. And hide this, add this, make it full screen, whatever. To your [inaudible 00:55:07]. Is this the right words?

Tom Bridge:
Yeah, yeah.

Subhi Hashwa:
So like you said, in an arts gallery or something like that, you don’t want to show anything except whatever the presentation is that you’re trying to show. So again, that would be an ideal scenario in that case.

Tom Bridge:
So going past what we see in Configurator as well as what we see in the Finder for an attached iOS or iPadOS device, what kind of information might be available from the command line, from using cfgutil?

Subhi Hashwa:
Okay, so cfgutil can give you the UDID of the device that you can use in your MDM if you want to search for it, for instance. It can give you whether the device is supervised or not. It can give you a list of all the devices that are connected. You can do so much with it. The man page for cfgutil is huge. There is also a website, cfgutil Automation, did I pronounce it right? Yeah. configautomation.com. configautomation.com. It has loads and loads and loads of workflows, what you can do, et cetera, et cetera. I don’t think it’s been updated in a while, but you know what? It’s a wealth of information. It’s really, really, really good.

Charles Edge:
Yeah, I don’t think cfgutil has been updated that much since Sal built that site when he left Apple. So I can still remember, I think it was at [inaudible 00:57:04] admin when he came and they just built cfgutil and he’s like, “Look at this thing.” And he was building all these Automator-based workflows, basically shelling out cfgutil. It was pretty rad. And then University of Utah has done some stuff with it. I feel like some of the third-party projects that just hook into it are pretty awesome.

Subhi Hashwa:
Is it the Marriott Library?

Charles Edge:
Yes.

Subhi Hashwa:
Yes, yes, yes, yes, yes. They’ve done some presentations and stuff and it’s like, it was an inspiration. They were on a different level. The amount of stuff that they’ve done and the automation that they did was amazing. Highly recommend it if anyone is looking into that.

Speaker 5:
Here at the Mac Admins Podcast, we want to say a special thank you to all of our Patreon backers. The following people are to be recognized for their incredible generosity. Stu Bacca. Thank you. Adam Selby. Thank you. Nate Walk. Thank you. Michael Si. Thank you. Rick Goody. Thank you. Mike Boylan. You know it. Thank you. Melvin Vives. Thank you. Bill Stites. Thank you. Anoush d’Orville. Thank you. Jeffrey Compton, M. Marsh, Stu McDonald, Hamlin Krewson, Adam Burg. Thank you. A. J. Potrebka. Thank you. James Stracey, Tim Perfitt of Twocanoes. Thank you. Nate Cinal, Will O’Neal, Seb Nash, the folks at Command Control Power, Stephen Weinstein, Chad Swarthout, Daniel McLaughlin, Justin Holt, Bill Smith, and Weldon Dodd. Thank you all so much, and remember that you can back us if you just head on out to patreon.com/macadmpodcast. Thanks everybody.

Tom Bridge:
So we have a bonus question because we love a good bonus question here on the podcast. And this one’s a personal preference choice here. So you’ve dealt a lot with the Apple ID, Apple devices for mobility. Do you have a favorite amongst, we’ve got what, 10 gens of iPads now, plus Minis and Airs and Pros and all sorts of things there. Do you have a favorite?

Subhi Hashwa:
iPad Pro. It’s shiny.

Tom Bridge:
Yeah, it’s so shiny. I was going to say, I have a 2000, what, 19? So I was going to say not the first gen Pros, but the second gen Pros. And I’ve definitely been giving some thought to putting it up on eBay and getting one of the new fancy Pros, but I haven’t done it yet. So Charles, how about you?

Charles Edge:
So I’m holding up a book. I’ll put a link in the show notes to it. And I’ve been going through, now that I’m, for the first time in three years, I’m not working on a book right now. So I was going through and I was typing in some basic games based on what was in the book, and in my Apple II, which the way the keys clank is just so gratifying on an Apple II. So I refuse to use an emulator.

Tom Bridge:
It’s a great sound. There’s such a great sound there. It’s got such a unique keyboard tone, I think is the industry term for that.

Charles Edge:
Your fingers do get a little more tired. It takes a little more pressure, and not as much as an [inaudible 01:00:34] typewriter or some other device that you can really only do one fingered. But yeah, the Apple II has definitely always been my favorite. I guess these days really. I spend so much time in Xcode, my MacBook, I just have to use a MacBook. I couldn’t live on an iPad Pro, regrettably. I wish I could, but.

Subhi Hashwa:
There is a video that just came out recently on Mac address talking about Mac keyboards. It was like, which one is the clunkier?

Tom Bridge:
I was going to say, there was a TikTok recently I think, that had keyboard sounds from like $90 to 10,000. And the different keyboard tones that were used on each of those, I thought that Foley work was phenomenal. I can’t explain it. That’s two extra orders of magnitude more than I would spend on a keyboard, which tells you where I come down. Because if it doesn’t have touch ID, I don’t want it. And that tells you where I sit on the keyboard scales. But it is what it is. And I think that that is kind of there. For me, I have to say, if I’m looking at just the mobile devices, I think that certain iPhone 5 kind of era, chamfered edge, flat sided iPhone was probably one of my best, my most favorite of the Apple devices.
And then if I’ve got to go mobility, I really think that the very first iPad Mini was such a great device because it was thin, light, performant, had touch ID and just kept going. And that was a great little device. I was very happy when the mini form factor got an update again a few years ago. That’s my primary iPad now, so count me in on that front. Subhi, it’s been such a pleasure to talk with you tonight. If folks are looking for you, do you hang out in the Macadmin Slack?

Subhi Hashwa:
I do. I do. Obviously, that’s the go-to if you want any question answered with authority.

Tom Bridge:
Yes, indeed. Whether or not that authority is earned, sometimes, question mark, but I think that’s the benefit of any good community, is finding authoritative answers more than anything else. But thank you so much for joining us. If folks want to find you on the internet outside of the Macadmins Slack, are you posting any place?

Subhi Hashwa:
No, not really. So yeah.

Tom Bridge:
Fantastic.

Subhi Hashwa:
You can find me on LinkedIn or, yeah.

Tom Bridge:
All good spots. Mastodon, I’m hearing Mastodon as the new hotness. I looked into what it would take to set up a Mastodon this weekend and I looked at that and I was like, I think I’m okay.

Charles Edge:
There’s a programming server that I’ve been on. Just join a server that’s already there for the most part.

Tom Bridge:
Yeah, I think that’s probably what I’m going to need to do if I want to play in that world. But, Subhi, thank you so much for joining us.

Charles Edge:
Also, why move on?

Tom Bridge:
Oh, well, I mean that’s the other piece, but I’m not going anywhere just yet. I’ve already, I lost my original. So I had a Twitter account with a very low user number. I used to be user number 11,011, and I was stupid and deactivated, and you’re supposed to reactivate every 30 days. And I missed a calendar warning and lost my account, and now there’s somebody squatting on TBridge on the Twitter machine. And very sad, but kind of is what it is. I F-ed around and I found out, I think is the way that the kids put it these days. So I’m back, I’m here to ride it into the crater.

Charles Edge:
I don’t mind riding it into the crater. I will not be paying $8 to keep my little blue check mark. Just throwing that out there.

Tom Bridge:
Yeah, I will not be paying $8 a month to get one, because life is too short, and it doesn’t seem to actually apply any kind of verification. So I mean, what’s the point, other than to say you’re a star-bellied Sneetch, I guess.

Marcus Ransom:
The guy who formulated the six degrees of separation theories back in the sixties, he, in one of his books on early social networking, said, “Don’t mess with your influencers.” So the people with the checkmarks-

Tom Bridge:
100%.

Marcus Ransom:
… I think, with me as an exception, are the influencers of the platform, so.

Tom Bridge:
There’s a really good Twitter thread, and I’ll find it and link it in the show notes, about the Trust Thermocline, which I thought was a really interesting concept that you are… Yeah, that you have a group of consistent users and when they no longer trust you at a deep level, when you have breached their trust that way, that’s where you have breached the thermocline that you don’t come back up from. And I thought that that was a really insightful use of the word. So I’ll find that thread. I’ll throw it in there.
I thought it was really interesting, because it also has applicability to IT trust. I’ve talked at length about what it takes to be a trusted IT person and the trust that you have to have from your users in order to function as an IT professional. When you have lost that trust, that’s where shadow IT comes in, and a bunch of other things there. So now we’ve gone and delved into ethics, and it’s too late for that today. I have not had enough wine. So I think that’s where we’ll leave it and say thank you Subhi so much for joining us this week.

Subhi Hashwa:
Thank you. Thank you.

Tom Bridge:
And we hope to have you back in the future to talk about the next round of Configurator updates, assuming they ever come.

Subhi Hashwa:
Yeah, absolutely.

Tom Bridge:
So, cool. Thank you so much, and thanks to our awesome sponsors this week. That is Kandji and our friends at Mosyle. And thanks everybody, we’ll see you next time.

Charles Edge:
See you next time.

Speaker 5:
The Mac Admins Podcast is a production of Mac Admins Podcast LLC. Our producer is Tom Bridge. Our sound editor and mixing engineer is James Smith. Our theme music was produced by Adam Codega the first time he opened GarageBand. Sponsorship for the Mac Admins Podcast is provided by the macadmins.org Slack, where you can join thousands of Mac admins in a free Slack instance. Visit macadmins.org. And also by Technolutionary LLC. Technically, we can help. For more information about this podcast and other broadcasts like it, please visit podcast.macadmins.org. Since we’ve converted this podcast to APFS, the funny metadata joke is at the end.

Patreon Sponsors:

The Mac Admins Podcast has launched a Patreon Campaign! Our named patrons this month include:

Rick Goody, Mike Boylan, Melvin Vives, William (Bill) Stites, Anoush d’Orville, Jeffrey Compton, M.Marsh, Hamlin Krewson, Adam Burg, A.J. Potrebka, James Stracey, Timothy Perfitt, Nate Cinal, William O’Neal, Sebastian Nash, Command Control Power, Stephen Weinstein, Chad Swarthout, Daniel MacLaughlin, Justin Holt, William Smith, and Weldon Dodd

Mac Admins Podcast Community Calendar, Sponsored by Watchman Monitoring

Conferences

  • XWorld. Location: Melbourne, AUS. Dates: 30-31 March 2023. Format: TBA. Cost: TBA.

Upcoming Meetups

  • Houston Apple Admins. Location: Saint Arnold Brewing Company. Dates: 5:30pm 4th March 2024. Cost: Free.

Recurring Meetups

  • London Apple Admins Pub. Location: Online weekly (see #laa-pub in MacAdmins Slack for connection details), sometimes in-person. Dates: Most Thursdays at 17:00 BST (UTC+1), 19:00 BST when in-person. Cost: Free.
  • #ANZMac Channel Happy Hour. Location: Online (see #anzmac in MacAdmins Slack for connection details). Dates: Thursdays 5 p.m. AEST. Cost: Free.
  • #cascadia Channel Happy Hour. Location: Online (see #cascadia channel in Mac Admins Slack). Dates: Thursdays 4 p.m. PT (US). Cost: Free.

If you’re interested in sponsoring the Mac Admins Podcast, please email podcast@macadmins.org for more information.

Social Media:

Get the latest about the Mac Admins Podcast, follow us on Twitter! We’re @MacAdmPodcast!

