Integrate Snipe-IT with AzureAD

Snipe-IT is a fantastic little open-source asset management tool.

One of the pain points when new employees come on board is that you have to manually provision their account. As such, it’s helpful to have Snipe-IT integrated with a directory service. Ideally this would be achieved via SAML, but until that feature is available, the method below will help get your user base into the system.


This guide assumes your Snipe-IT instance has a public IP address but can easily be adapted to work with a private IP.

We’ll be setting up LDAP sync with Azure Active Directory Domain Services (AADDS). The project does provide documentation on LDAP configuration, but I’ve found it requires some nuance to get it working with AzureAD. Before continuing, ensure:

  • You have Azure AD Domain Services configured.
  • You know your Snipe-IT instance’s public IP address. If using the hosted version, support can provide this to you.
  • You have configured the network security group used by AADDS to allow TCP port 636 (LDAPS) traffic from your Snipe-IT IP address.
  • You have created a service account to handle the LDAP querying. AADDS can take some time to sync a new account, so allow time for it to be created.

Syncing Methods

The LDAP integration in Snipe-IT can work in two ways:
1. User syncing.
2. LDAP login.

With user syncing, Snipe-IT simply does an import of users (without their passwords) from your directory.

With LDAP login, Snipe-IT users can log into the Snipe-IT dashboard using credentials that have been synchronized from the directory.

In my org, we don’t allow non-IT staff to log in to the dashboard. Additionally, synchronizing passwords doesn’t sit well with me from a security perspective, as I prefer Azure services to be the main authentication point. As such, I’ll be configuring LDAP in user syncing mode only. Note: this method requires IT staff to be manually provisioned with a username/password from the Snipe-IT dashboard.


Start by going to Settings > LDAP and entering the following:

LDAP Integration: Enabled
Active Directory: This is an Active Directory server (Checked)
LDAP Password Sync: No (Unchecked)
Active Directory domain:
LDAP Server: ldaps:// (note: port 636 is used for LDAPS, i.e. LDAP over SSL)
Use TLS: No (Unchecked)
LDAP SSL certificate validation: No (Unchecked)
LDAP Bind Username:
Base Bind DN: DC=COMPANY,DC=com
LDAP Filter: &(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))
Username Field: samaccountname
Last Name: sn
LDAP First Name: givenname
LDAP Authentication query: samaccountname=
LDAP Version: 3
LDAP Employee Number: LEAVE BLANK
LDAP Email: userprincipalname
Custom Password Reset URL: ANY URL YOU WOULD LIKE
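To see what the LDAP filter above actually selects, here is an added Python example (not Snipe-IT’s own code) that evaluates the filter’s two conditions and the configured attribute mapping against constructed sample directory entries; the account names and values are assumed sample data.

```python
# Added example, not Snipe-IT's code: simulate which constructed directory
# entries the filter above selects and what each import row would contain.

# Values used by the filter on this page (well-known Active Directory constants)
SAM_NORMAL_USER_ACCOUNT = 805306368   # sAMAccountType of a user object
SAM_MACHINE_ACCOUNT = 805306369       # sAMAccountType of a computer object
UF_ACCOUNTDISABLE = 0x2               # userAccountControl bit tested by the
                                      # 1.2.840.113556.1.4.803 (bitwise AND) rule

# Snipe-IT field -> directory attribute, exactly as configured above
FIELD_MAP = {
    "username": "samaccountname",
    "first_name": "givenname",
    "last_name": "sn",
    "email": "userprincipalname",
}


def matches_filter(entry):
    """Mirror &(sAMAccountType=805306368)(!(userAccountControl:...:=2))."""
    is_user = entry.get("samaccounttype") == SAM_NORMAL_USER_ACCOUNT
    disabled = bool(entry.get("useraccountcontrol", 0) & UF_ACCOUNTDISABLE)
    return is_user and not disabled


def to_import_row(entry):
    """Pick the attributes Snipe-IT will import (no password is synced)."""
    return {field: entry.get(attr, "") for field, attr in FIELD_MAP.items()}


def select_for_sync(entries):
    return [to_import_row(e) for e in entries if matches_filter(e)]


# Constructed sample entries; attribute names are lower-cased because LDAP
# attribute names are case-insensitive. 0x200 = NORMAL_ACCOUNT flag.
SAMPLE_ENTRIES = [
    {"samaccountname": "jdoe", "givenname": "Jane", "sn": "Doe",
     "userprincipalname": "jdoe@company.com",
     "samaccounttype": SAM_NORMAL_USER_ACCOUNT, "useraccountcontrol": 0x200},
    {"samaccountname": "bleaver", "givenname": "Bob", "sn": "Leaver",   # disabled
     "userprincipalname": "bleaver@company.com",
     "samaccounttype": SAM_NORMAL_USER_ACCOUNT, "useraccountcontrol": 0x202},
    {"samaccountname": "LAPTOP01$", "samaccounttype": SAM_MACHINE_ACCOUNT,
     "useraccountcontrol": 0x1000},                                       # computer
]

if __name__ == "__main__":
    for row in select_for_sync(SAMPLE_ENTRIES):
        print(row)
```

Only the enabled user object is returned; the disabled account and the computer account are excluded, which is the behaviour you want from a nightly sync so leavers are not re-created.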

Once configured, go to your Snipe-IT users page and you’ll see a new option to import users.

Next, set up a cron job to run the LDAP sync frequently, e.g. every night. If you are using the hosted version, contact support and they’ll set this up for you.
For self-hosted instances, follow the instructions here.

Fix: New profile does not meet criteria to replace existing profile

I recently ran into an issue with a couple of machines when trying to re-enrol them via my company’s Apple MDM solution, Jamf.

New profile does not meet criteria to replace existing profile

The cause itself is not Jamf, but rather the way in which Apple enforces profiles deployed through DEP. Devices that receive this error have previously communicated with an Apple DEP server and pulled down a configuration which has a “Non-removable” flag set. In many regards this is great, as it means the device cannot be removed from management by an end user or a device thief. On the other hand, it makes life a little more complicated for us admins. One way to get around this is to wipe the device and start again, but that’d be too easy…

Don’t let the “Non-removable” flag fool you. Using the following steps you’ll be able to clear out all existing configuration profiles on the device and re-enrol without running into this error.


  • Apple DEP already set up for your organization.
  • Access to a local administrator account.
  • The device EFI/boot password (if set).

Disable SIP (System Integrity Protection)

  1. Click the Apple menu.
  2. Select Restart…
  3. Hold down Command-R to boot into the Recovery System. If prompted, enter the device EFI/boot password.
  4. Click the Utilities menu and select Terminal.
  5. Type the following and press return:
    csrutil disable
  6. Close the Terminal app.
  7. Click the Apple menu and select Restart…

Remove all old profiles

Boot into recovery mode again.

  1. Hold down Command-R to boot into the Recovery System. If prompted, enter the device EFI/boot password.
  2. Click the Utilities menu and select Terminal.
  3. Type the following and press return:
    rm -rf /var/db/ConfigurationProfiles/Store/
  4. Close the Terminal app.
  5. Click the Apple menu and select Restart…

Re-enroll the device via DEP

  1. Log back into the Mac with an account that has local administrator privileges.
  2. Open
  3. Type the following and press return:
    sudo profiles renew -type enrollment
  4. This should throw up a notification (top right of the screen) to enrol the device via DEP. Click it and follow the on-screen prompts to complete enrolment.
  5. If prompted, enter credentials for your DEP account.

Re-enable SIP (Crucial)

This step is very important, as SIP is an integral part of a Mac’s security mechanisms. Leaving it disabled puts the device at risk.

  1. Click the Apple menu.
  2. Select Restart…
  3. Hold down Command-R to boot into the Recovery System. If prompted, enter the device EFI/boot password.
  4. Click the Utilities menu and select Terminal.
  5. Type the following and press return:
    csrutil enable
  6. Close the Terminal app.
  7. Click the Apple menu and select Restart…


Deploy an always up to date Google Chrome via Jamf

My approach to working with configuration management systems such as Jamf Pro Cloud is to be as hands-off as possible when it comes to software updates. These days there are much smarter ways of ensuring your devices have the latest packages after imaging than manually uploading the installation package to the management platform.

For the majority of commodity software packages, it’s often possible to pull the latest version of an application straight from the vendor’s site before an automated installation. That’s exactly what we’re going to do today:

      1. Create a script titled “Install Google Chrome”.
      2. Add the following to the script:
        #!/bin/bash
        set -e
        # make a temp directory (Jamf runs scripts as root, so ~ is root's home)
        mkdir -p ~/ChromeTemp
        cd ~/ChromeTemp
        # remove any existing installation
        # (the app bundle name after "Google" was cut off in the original post; complete it before use)
        rm -rf "/Applications/Google"
        # download Chrome to a fixed filename
        # (the download URL was not captured in the original post; fill it in)
        curl -L -o googlechrome.dmg ""
        hdiutil attach -nobrowse googlechrome.dmg
        # (the app bundle name after "Google" was cut off in the original post; complete it before use)
        cp -R "/Volumes/Google Chrome/Google" /Applications
        # detach (rather than just unmount) so the image is fully released
        hdiutil detach "/Volumes/Google Chrome"
        # clean up
        rm googlechrome.dmg
        rmdir ~/ChromeTemp
      3. Create a policy that runs the script at your specified trigger time. I chose to set the frequency to run once after device enrolment. After it’s installed, Google Chrome will update itself as needed (provided you haven’t put any measures in place to prevent this).
      4. Within your new policy, add rules to kill any running instances and remove existing installations, as described in How to stop running applications via Jamf MDM.


Do be aware that since you’re essentially pulling software from a vendor’s repository, you’re at the mercy of whatever they supply behind the link. So be mindful to only use this method with vendors you absolutely trust.


How to stop running applications via Jamf MDM

Before deploying applications, there are probably two things you need to do: 1. kill the process if it’s running, and 2. remove any existing installation if one exists. The following describes how to easily achieve this using Jamf’s built-in tools.

Jamf Kill Process and Uninstall application
Don’t forget to change the name of the application you’re killing.

  1. Within your application’s deployment/self-service policy, add the “Files & Processes” configuration option.
  2. Specify the application’s potential existing installation location. Check the option to delete it if it exists.
  3. Specify the application’s potential running process name. Check the option to kill the task if running. If you don’t know the process’s exact name, you can find it by launching the application and locating the process name in Activity Monitor.
  4. (Optional) Continue to build out your policy if needed.
  5. Save.


  • Don’t worry: if the application is not found on the target system, Jamf will skip over this step and continue to execute the policy.
  • If you can’t find the process name using Activity Monitor, it’s generally the same name as the file located at /Applications/APPLICATIONNAME/Contents/MacOS/FILENAME



It’s time to make your LMS Sexy

Whether you’ve been a student, teacher or system administrator in an educational environment over the past 10 years, you’ll know one thing: educational learning tools are damn ugly!

This especially applies to the widely deployed, open-source Moodle. Moodle, being free (as in beer as well as speech), with its open-source nature, is the more flexible and ultimately better option within the field of e-learning. Having spent a lot of time administering Moodle systems, I can attest to the fact that the UI leaves much to be desired. I believe this stems from a consistent problem with open-source projects: they traditionally attract a lot of very clever devs but never enough graphic design and UI people. Side note: there is a huge opportunity for Photoshop kids to bulk out their resumé by contributing to FOSS projects.

The educational sector always seems to be just as far behind in technology deployments as Microsoft is in releasing its lab projects. Moodle is like a lot of other open-source web apps in that it supports theming with the use of third-party skins. Honestly though, most of them out there are garbage. Or at least that was the case until Snap. We’ll get to Snap in a sec.


Moodle’s major competitor, Blackboard, has steadily been investing heavily in their own competitor’s product in recent years. It’s now at the point where the proprietary software maker, Blackboard, is the largest contributor to the Moodle upstream codebase. Blackboard owns a subsidiary company called ‘MoodleRooms’ which basically provides hosting and support of Moodle for institutions that don’t want to roll their own. That’s where their incentive to contribute and invest in the Moodle ecosystem comes from. They also do some custom, proprietary development which, if you ever meet them, they’ll try hard to sell you.


A few years back, the one reason you’d possibly choose to go the MoodleRooms way was their custom skin called Snap. Unfortunately, as this skin was proprietary, you had to use their service to use this theme. This theme was, however, the bomb! Night and day, however you want to phrase it. The theme brought all that was good about the modern internet (Web 2.0, adaptive/responsive layout, typeface-focused design, minimalism, clear iconography, glyphs and SVG graphics) to the outdated Moodle platform. I managed to attend the MoodleRooms Teaching and Learning Forum back in 2015, where the designer of Snap, Stuart Lamour, presented much of the reasoning behind the design decisions. I remember leaving thinking “why has no one done this before?”. I also left the event with regret that I couldn’t use Snap in the self-hosted Moodle instances I manage.

The positive outcome of Blackboard’s involvement with Moodle is that later that year, they released Snap back to the Moodle community and made it open source. I immediately started deploying it into our production Moodle environments, with amazing feedback from teachers. Finally our Moodle platforms were doing the now-common HTML5/responsive approach correctly. Snap does not just shuffle elements around the page to be ‘responsive’ like all of the other themes were claiming; Snap actually delivers the appropriate assets on screen relative to the device.

I urge you to take a look at Snap here on GitHub if you’re a Moodle admin.

A few screenshots from Snap; you wouldn’t believe this is Moodle:

Home page (screenshot)

Course pages look appealing and make you want to dig right in. This page also provides universal search allowing users to search the entirety of your Moodle database for courses, assets, learning materials, users, etc.


Snap combined with well-designed SCORM pages makes for an enticing, well-designed course page.


Set up: VMware ESXI in VirtualBox

Setting up ESXI under virtualisation can be awkward. Here I’ve listed a series of instructions to get the hypervisor up and running under VirtualBox. These settings should be similar in Workstation, Parallels, QEMU, Fusion etc. For the purpose of this guide I’m going to use VirtualBox, as it’s cross-platform and the settings should be the same, if not similar, on any host OS.

Please note that running a self-contained hypervisor under virtualisation will not give optimum results. It is recommended to run ESXI on dedicated hardware. This guide should only be used to try out the product.

System Requirements:

  • Dual-core, 64-bit processor with VT-x/AMD-V support
  • 1.5 GB of usable RAM
  • 20+ GB free storage

1. Download and install VirtualBox from here. As of writing this I’m running version 4.1.18.

2. Download the vSphere Hypervisor trial ISO file from here. You may need to register for a free account if you don’t already have one. I’m running the latest 5.1 version.

3. Launch VirtualBox and create a new virtual machine.

New VM

Name your VM anything you want. Select ‘Linux’ for your operating system and ‘Ubuntu’ for the version. Press Continue.

4. As I understand it, vSphere requires at least 1.5 gigabytes of RAM. Move the slider to reflect this and move on.

Select Memory

5. Still in the wizard, create a virtual hard drive appropriate in size for the VMs you plan on installing within ESXI/vSphere. I’ve selected ‘VHD’ for the drive type. My drive is also dynamically allocated.

6. Continue the wizard and finish creating the VM.

7. Before launching, go into the settings for the VM. Here we are going to remove any parameters that are unnecessary. First disable the shared clipboard under ‘General’, ‘Advanced’.

Disable Shared clipboard

8. Remove ‘Floppy’ from ‘Boot Order’ found under ‘System’, ‘Motherboard’.

Remove floppy

9. Under ‘System’, ‘Processor’, ensure that more than one CPU core is assigned and that ‘PAE/NX’ is enabled.

Processor settings

10. Under ‘Acceleration’, it is essential to have ‘VT-x/AMD-V’ enabled, as this is a prerequisite of ESXI/vSphere.

11. Under ‘Storage’, we need to point the virtual optical drive to the ISO we downloaded earlier.

Select ISO

12. I disabled sound under ‘Audio’ as it’s redundant.

13. Now for the important part. According to others, networking can be done through ‘NAT’ or ‘Host-only’ network adapters. However, from my testing I have found that using the ‘Bridged’ connection gives the best results. These settings can be found under ‘Network’, ‘Adapter 1’.


14. To finish up, I’ve also disabled USB support. This can be found under ‘Ports’, ‘USB’.

That’s about it. Once you’ve installed the OS and tested it, you can then go into the settings again and start adding items you may need, such as multiple virtual hard drives and remote desktop.

Check out this process in action:


What is ESXI –

Download vSphere –

Download VirtualBox –