Since it's not built into the JSS aside from what's inside the database...make a script in the configs, maybe postflight, that logs to something like a website with the machine name and config name.
Or the other package option that just came through. Many ways to do it...
Craig
I don't know if there is a better email address to send a Casper
feature request to, but if I post it here then maybe others can say if
they'd also be interested....
I would find it really useful if Casper Admin could do a reverse
lookup on the JSS and list all the Macs that it knows about with a
particular configuration - at the moment it's really tedious to get at
this info.
Any chance for this feature??
Clare
--------------------------------------------
Clare Bartlet mailto:cpb10 at cam.ac.uk
Macintosh Support phone: +44 1223 334723
University of Cambridge Computing Service
New Museums Site, Pembroke Street, Cambridge CB2 3QH
Hi Clare,
I think this is one of the most appropriate places to post feature ideas so people do get a chance to expand on it and refine it. You can email the support team directly if you'd like to as well, if you need that address let me know...didn't want to post it. You can get more information here:
http://www.jamfsoftware.com/support/
In regards to your request I think it's possible since it's querying autorun data, assuming you stored image time information in the JSS. The Casper Imaging Logs don't have any configuration chosen information in them, but I wish they did actually (feature request). Regardless, I'm wondering why you want to do this? If you explain what it is you need to do or why you want to do it "we" can help maybe give you a better solution or it would make more sense to JAMF to look at including it in a future release.
Craig Ernst
Systems Management & Configuration
----------------------------------
University of Wisconsin-Eau Claire
Learning & Technology Services
105 Garfield Ave
Eau Claire, WI 54701
Phone: (715) 836-3639
Fax: (715) 836-6001
----------------------------------
ernstcs at uwec.edu
On 17 Jun 2008, at 16:54, Ernst, Craig S. wrote:
We have around 200 Macs that are configured using Casper. These Macs
are in around 25 different, and often remote, locations. The imaging
of these Macs is carried out by different people at each of these
sites. We have rebuilt the JSS from scratch this time around. Once we
have asked the sites to image their Macs I would like to be able to
look at each configuration and see all the Macs that have picked up
that config. I can't see how else to do this.
Any ideas would be appreciated.
Clare
--------------------------------------------
Clare Bartlet mailto:cpb10 at cam.ac.uk
Macintosh Support phone: +44 1223 334723
University of Cambridge Computing Service
New Museums Site, Pembroke Street, Cambridge CB2 3QH
I don't have an answer for this aside from querying against the MySQL database in MySQL Query Browser or command line. Sorry =(
Craig
You could create a smart group and dump all your inventory in it that
has a certain software version or what not, and then everyone not in the
group isn't running the same software configuration. Unless you are
actually talking about hardware configurations.
Thomas Larkin
TIS Department
KCKPS USD500
tlarki at kckps.org
cell: 913-449-7589
office: 913-627-0351
How about Logs
Packages Installed By Casper/Policy
Packages that have been installed using Casper or a Policy
--
ricky
Don,
I think you're misunderstanding the problem. I do use AD, that's all I use
here. I use it for scoping policies all the time.
In AD we have things broken down very well to specific areas and different
user admin accounts for LABS vs OFFICES for the sake of separation, and so I
don't accidentally break an office machine when trying to do something in a
lab. I have to use the different accounts on the Windows side, one for each
specific area. Technically I have to do the same thing on the Mac side, but
for some reason I just HAPPEN to know the built-in admin account for all the
Macs. =)
I DO use these groups in my AD bindings to separate out who has admin rights
on boxes in the different areas. The housing admins group only gets added to
the bindings for housing machines at image time, the education labs the
same, etc.
What we're specifically talking about here is when you grant a user or group
rights to use the Control and Observe aspects of Casper Remote via
CasperVNC.
Under Settings -> Accounts -> Edit Account (for any user or group) ->
Privileges Tab.
Under VNC Privileges if I give that user or group rights to work without a
prompt they can do that on ANY box in my entire management system regardless
of how I scope out administrative rights locally on the box. I can't say
they only get to use control without a prompt on LAB boxes.
It's partially a trust issue and privacy issue, but I have to trust people
to not abuse it. Fortunately the JSS logs this information. However, I also
like to try and make sure we don't have to get put into bad situations if
someone does break that trust. Protect people from themselves.
Not sure if that helped clarify or not...
Craig E
So I promise this will be my last injection to this thread for today...I hope.
This whole bit about being more granular should apply to every aspect of privileges within the JSS itself quite honestly. I understand that doing this creates a huge level of complexity programmatically for the development team, but that’s not my problem. =)
I should be allowed to create containers (groups) of machines to assign distinct users/groups JSS privileges on. I would like to think I could use my pre-existing smart groups to populate these containers. Here is the process:
* You would create your container
* In that new container you would select the systems you want in it either with individual machines or groups (much like scoping policies)
* In that container you would add the users/groups you want to set privileges for
* For each user/group you select the particular permissions
Then the last piece for the cherry on top is creating pre-defined sets of permissions that I can custom name so that I can re-use them over and over again instead of checking 5 million boxes. If that were to happen then the last bullet could read:
* For each user/group you select the particular permissions or assign a pre-defined custom permissions set
Wow...that would be AWESOME!
The creating pre-defined sets of permissions bit can really stand on its own as a separate feature request now in the existing format, but expands nicely into this model, too. In fact, I think I may have asked for that as a feature a long while back.
Have a nice evening.
Craig E
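The container model proposed in the message above, sketched as an added example (not part of the original thread and not a JSS or Casper API; every name, permission string and machine below is hypothetical and the sample data is constructed):

```python
# Toy model of scoped-privilege "containers" with re-usable permission sets.
# Nothing here is a JSS or Casper API; all names are hypothetical.
from dataclasses import dataclass, field

# Re-usable, custom-named permission sets (assumed names).
PERMISSION_SETS = {
    "lab-tech": {"vnc_observe", "vnc_control", "vnc_no_prompt"},
    "office-helpdesk": {"vnc_observe", "vnc_control"},  # user is always prompted
}

@dataclass
class Container:
    name: str
    machines: set                                # individual machines or expanded groups
    grants: dict = field(default_factory=dict)   # principal -> set of permissions

    def grant(self, principal, permission_set=None, permissions=()):
        perms = set(permissions)
        if permission_set is not None:
            perms |= PERMISSION_SETS[permission_set]   # KeyError on an unknown set
        self.grants.setdefault(principal, set()).update(perms)

def is_allowed(containers, principals, machine, permission):
    """Default deny: allow only if a container holding `machine` grants
    `permission` to one of the caller's principals (user or group names)."""
    return any(
        machine in c.machines and permission in c.grants.get(p, ())
        for c in containers for p in principals
    )

def build_example():
    # Constructed sample data mirroring the LABS vs OFFICES split.
    labs = Container("LABS", {"lab-mac-01", "lab-mac-02"})
    offices = Container("OFFICES", {"office-mac-01"})
    labs.grant("grp-lab-admins", permission_set="lab-tech")
    offices.grant("grp-lab-admins", permission_set="office-helpdesk")
    return [labs, offices]

if __name__ == "__main__":
    cs = build_example()
    who = {"alice", "grp-lab-admins"}
    for m in ("lab-mac-01", "office-mac-01", "unknown-mac"):
        print(m, is_allowed(cs, who, m, "vnc_no_prompt"))
```

A machine that belongs to no container is denied for every principal, so an unscoped box never inherits a global grant.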
Just some suggestions... these may have been requested already, or
there may be a way to do these that I'm unaware of.
ARD:
I rarely use ARD since implementing Casper Suite, however as an
alternative it may be nice once in a while. I'd like to suggest the
ability to export a formatted computer list from Casper inventory that
would be able to be imported into ARD.
VNC Improvements:
Support of multiple displays
Ability to run as a daemon so as not to disconnect when logging in/out
would it be possible to use the built-in screen sharing as the vnc
client?
Thanks!
I endorse all of these improvements. This functionality would be great!
Regards,

Ok, so since we're on the subject of Feature Requests, I figured I'd throw this out there and see if I get any bites.
It would be nice to be able to add/remove a computer to a static group via a policy or a script (and maybe there already is, and I'm just overlooking the script options).
What I would be able to use it for now, is to determine battery status. I check battery life via a script, to see if the full charge capacity is under a certain mA, and then install a dummy package if it is. I then report on that, and replace the batteries as needed based on this info.
It would be nice if at this point, I could put that computer into a static group and have a policy uninstall the dummy packages and remove it from the bad battery group, and then remove it from the static group. This way, if that computer ever has battery problems again, I could have all of the policies set to ongoing, and they would run again, whereas if I set them to once per computer, if they ever had any issues nothing would occur.
Thanks,
Robert
I have some specific scripts that output desired info into
/var/log/battery.log for our own internal use. I can share them if you
want to take a peek at them.
I stopped using ARD years ago since using Casper Suite for remote work. The point below is my biggest issue.
I understand why it happens and ARD just handles this more elegantly. I would just be content if the reconnect button actually just worked so I can quickly get back onto a box without bouncing around between Casper Remote windows.
Perhaps there would be advantages to using the built-in screen sharing capabilities, but I’m not certain if that would require purchasing any rights by JAMF. The VNC client is free (or so I think) and ultimately it gets what you need done in a secure fashion.
Craig E
Send unix command and managing servers via ARD client is very nice. I
can do everything from the interface. Also, I am sure you can export
casper inventory reports to say, XML and then import them into ARD. I
have not tried this but I bet it works. I also think that Casper VNC is
not meant to compete with ARD Admin, they are two very different
products. I think still that even with Casper ARD Admin is a must need
tool for IT people.
The problems I see with using ARD are mainly security related:
* Difficult to make sure everyone is using secure settings
* Difficult to make sure people do not have reporting features turned on
* If there isn't a task server or the user is not setting the task
  server, large reports are sent over wan and have really killed our
  connections
* Screen Sharing access is not logged (centrally at least)
I really have not been using it since we began using Casper Suite...
but I could see maybe keeping it alive for a few "privileged" admins.
ARD usage has become out of hand at my company with former or non IT
users having access to it (and timbuktu).
I still use ARD for my remote server access, but that’s it. I use one tool for all my other endpoints, Casper Suite. =)
Craig E
I’ll add one more thing to this now that I sat and thought about it. I apologize to the digesters for my many multiple emails.
The other issue I’ve had with Casper Remote access is the ability to be more granular with permissions to who can access which systems remotely. I have two distinct areas LABS and OFFICES. Right now if I give access to someone who needs to do something in a lab without a user prompt with Casper Remote they also have that ability in the offices, which I don’t want.
The ability to say this group of users can access this set of machines in this fashion, and that’s it, instead of being a global decision.
Craig E
More granular permissions is something that I've asked for in the past. It
would be nice to give someone full control but only over a certain
department or building, for instance.
Just curious, why not scope policies to AD groups? Of course this assumes the JSS is bound to AD.
Don
Nichols, Jared - 1160 - MITLL jared.nichols at ll.mit.edu wrote:
I’d have to agree with Thomas. I couldn’t live without ARD. Casper Remote isn’t a replacement for that, IMO.
- JD
Hello,
I would like to request a new feature. To make administration easier I would
love to see multiple triggers on a single policy.
Thanks,
Mark Pellecchia
OIT Support Services
Princeton University
markpe at princeton.edu
Mark,
Can you give some type of scenario as to why you would need to do this? My initial thinking is this just makes it more complicated...
Also, make sure you copy support at jamfsoftware.com so they see the request as well, but they really love it when it comes with how and why so they better understand the need.
Thanks!
Craig E
You can already do this if you want. Casper has a built in feature to duplicate a policy. So for example I will make a log in hook that runs once per computer, and then a self service duplicate that runs indefinitely just in case two different users swap out computers so they can rerun the policy under their account, and you can finally duplicate the policy and put a manual trigger on it. So any of your IT staff can trigger it from the command line.
Is that what you are asking about?
-Tom
That makes a lot of policies though
Sent from my iPad