How would you prevent a mass-reimage initiated by Casper?

My first thought is to restrict Autorun Data from being saved to all machines in Casper. That way, even if a policy was created for a machine to reboot to your netboot server, there's no configuration to be deployed and Casper Imaging will sit at the login screen.

Pretty much what @stevevalle said.

Kill the auto run, setup configurations as you need & make folks authenticate in Imaging & then select a config.

Let me start with an example that I can think of: when using AutoRun configuration data, setting both the "Image Automatically" and "Skip delay when imaging automatically" options is a disaster waiting to happen. My general thought, though, is that it would be difficult to do this accidentally to more than one machine, especially if you discourage their user and the techs are only interesting in using Imaging to deploy a pre-configured configuration. Sure, after-the-fact you could set AutoRun data and the appropriate options for a group of machines within the JSS, and then somehow initiate that group of machines to NetBoot, which (in our environment) would automatically start Imaging and thus start the reimaging. To me, though, the number of steps involved strongly implies malicious intent. Preventing Imaging from running automatically would stop an accidental deployment, but only slow down a malicious actor.

@mikeh In addition to AutoRun data, you'd probably also want to limit your PreStage Imaging configs too, or clean them out once a device has been imaged, assuming you use PreStage Imaging. Granted, in order for PreStage to become an issue a tech would need to delete the computer from the JSS and boot the computer off of a NetBoot or other device that had Casper Imaging set to auto launch. Like you said, more a malicious actor type thing than an accidental re-image.

The only way I can see there being an accidental re-image with either AutoRun Data or PreStage data, would be the end user accidentally holding the N key down during boot. Or even holding Option key and being curious about the NetBoot images they see. Again, PreStage would need the machine to be removed from the JSS for it to run, but AutoRun would run automatically.

@stevevalle @bentoms Thanks for the responses. My post above was intended to be the first post; I had posted it right after creating the discussion, but it was held for moderation.

Here's hoping (?) somebody knows of a "creative" way to wipe out a bunch of machines through Casper.

Thanks @stevewood! I do love me some PreStage Imaging for my computer labs (until we settle on a DEP workflow, that is), so I don't want to completely restrict it. The suggestion to clear them out when the machines are completed is excellent advice.

Appreciate your comments!

My approach to this would be the same as my approach to anything else I do that affects a large number of machines.

Build a test environment.

Test the intended workflow / changes.

Test it again.

Document everything.

Make the changes in production.

@mikeh some other thoughts:

There isnt a mass action for the mdm command to wipe computers like there is for iOS but people could still send out a wipe computer command from each record. very powerful, very destructive. It is a privilege that can be taken away at the JSS user level.

There is also the risk of "rm -rf /" being sent via Execute Command in a policy or via script, which there is no way to prevent that. Only audit trails after the fact. You can remove ability to update or create scripts in the user permissions but that may hinder other needed things.

Or in scripts doing things like "rm -rf /Users/$username/Folder/Folder/" and due to how they are getting $username it was actually deleting the user directory.

Also in 10.11 an "rm -rf /" will just delete the user data and anything added to the computer yet should leave the OS intact due to SIP, similar to an iOS wipe. But its the user data that is at risk here.

Sometimes a bad or misused packages bricking computers. Whether thats a dmg with FEU and other mis configured data or a pkg with a script that has destructive properties it doesnt matter. Like somebody accidentally pushing out a full OS dmg over top of existing computers instead of caching the newest OS installer app from the app store for the in place upgrade workflow.

Basically, the JSS does things elevated privileges, if you tell the JSS to do something on computers, it will do it. Hence the NEED for a test environment and all things being vetted and moved through that process. Like what @kitzy is recommending.

@bentoms Thanks for mentioning the MDM commands. I had forgotten about them because I rarely use them.

Scripting and malformed packages are always going to be a problem, but we generally restrict most techs from creating either within the JSS. I didn't think there was anything we could do about restricting the ability to execute commands via Remote and policies, like you stated. Good to have an authority say it.

@kitzy @bentoms A formal test environment would be nice, indeed.

I'm very glad I posted. Thanks again!