Skip to main content

I'm looking to start a discussion on creative ways to manage user's login experience. Just curious - How do you manage your Mac's Login Items such as Network drives and Printers?

I'm currently not a JAMF Casper Suite customer (yet), but hopefully will be in spring 2015.

I currently have ~300 Macs. I am (still) using the Golden Triangle paradigm of AD/OD/MCX to manage my Macs. The primary things I manage are the distribution of network drive & printer mapping to Macs as Login Items via MCX. MCX and Workgroup Manager are deprecated and I'd like to decommission my OD infrastructure this year.

A current "Real world" example of my Mac environment:

Jonny Appleseed is in Department A. His user ID and groups live in AD. His Mac computer object lives in both AD and OD. His AD groups are nested into OD groups as well. Basic "Golden Triangle" scenario here.

Jonny Appleseed logs into his iMac. Jonny automatically gets a couple common/shared/collaborative SMB network drives as well as a specific SMB drive for Department A staff. Likewise, Jonny also gets the HP network printers for Department A too. Kerberos SSO helps with the seamless mounting of SMB network drives. Our printers do not require authentication.

Worth mentioning that I don't currently use the AD network UNC home attribute. I don't use 3rd-party tools such as Centrify or Likewise.

This paradigm described above worked well for me over the years - but alas it will be going away in 2015.

Do you guys 'n gals use MDM-style Profiles for this type of login script management? Ad hoc shell scripts perhaps? Can you leverage Casper Suite for this of type of login script management?

My goal (per my CIO's direction) has always been to mimic the behavior of our 900 Windows PCs (i.e.; no matter what platform an employees prefers, her/she will have automatic access to their SMB network drives and printers at login - period). Obviously, Network drive & printer mapping is handled on Windows via tried & true AD GPO policies. I'd like to maintain a similar management structure on the OS X side of the house (without OD/MCX/WGM of course.)

I'd like to hear your thoughts on this matter. I appreciate your feedback.

I have a login policy configured for each printer/share that my users need (or have notified me that they need), scoped to all managed workstations. They're then limited by AD group (we don't use OD) in the same way that the GPO is applied to certain groups, to emulate that behavior.

@dstranathan, this is what we do: https://macmule.com/2011/09/08/how-to-map-drives-printers-based-on-ad-group-membership-on-osx/

Our system was a bit of a hack, but it worked. i had to do it quickly and had not learned casper very well before i needed it.

i ended up making an applescript app that ran every shell script in the directory /.login/
First it uninstalled any printers prnRm.sh, then installed required printers (biased off a weird logic patter i needed) prnAdd.sh Then mapped the required drives biased on if they are a student or not (users AD group membership)

I needed to do it this way, because i needed the users kerberos authentication to run the commands, so i could not just deploy them though casper.

I've only been with the Casper Suite for about a year now (maybe 1.5?), and I'm using both Profiles and scripts to get the job done. Network drives are being handled via Profiles. This is still a work in progress, but each department has a shared network drive, and everyone has a private network drive. There's one profile, applied to all Staff/Faculty machines, that mounts the personal drive. The department drives are where it gets...fun. Some departments only want their drive mapped on machines within their department, so the profile is limited to machines in their department and the drive mapping itself is limited to folks who are members of that drive's AD group. Other departments want their staff to be able to mount the drive on any machine on campus, so there's a separate profile for that. We're still working out some of the kinks, but it's been really helpful so far.

Printers...well, ech. They're printers, so they're going to be finicky. Our labs, which utilize drive protection software, have a login script that runs to map the lab's printer. Depending on the department, we have Self Service items for the department copiers/multi-function devices or run once policies against the Staff/Faculty machines. Both the Self Service and policies are scoped to specific machines (smart/static groups) and specific AD groups. I use scripts over Profiles & Casper's built-in function as it just 'seems' to be more reliable on the more complex printers, which then necessitates that all my printers be scripted; for consistency.

If you have any specific questions about my setup or anything else, feel free to ask.

Thanks guys.

@bentoms I am playing with your example AppleScript & launchd LaunchAgent and I like the basic framework a lot - this has potential for my environment as it basically does exactly what I need. I already have a rough prototype running on a couple Macs here in IT. But I see a couple gotchas/caveats that Im trying to workaround.

Mind if I ask you a few questions about your script? Can I contact you?

Printers: We moved the entire organisation to a single vendor and almost all printers are follow you type printers. This means there are only a couple of universal queues deployed.
We do have some stand alones deployed directly out of Casper based on machine location and a self service solution for adhoc additions.

Shares: Because our AD has a couple of none standard settings I custom scripted a solution for this that reads a config file from a read only share, this lists available shares and what AD group membership to check before attempting to mount these shares, it also checks periodically and attempts to repair any missing shares so that laptop users that go wandering eventually get their shares back given a few minutes back at their desk. It could do with some more tweaking but it works.

Casper in general: Given a reasonable level of scripting ability you can make it do pretty much anything! sounds like an over exageration, but it's really not, if you could do it sitting in front of the machine you can probably make Casper do it in a managed fashion one way or another.

Terms & ConditionsCookie settingsAccessibility statement