Keeping track of Fonts

I'm working on this as well- and I have a call in. But the short of it is that JSS isn't exactly designed for the job. You may want to look at Extensis Universal Type Server as we are.

However, in the interim I do wish to use JSS to at least set a baseline on what we know we own, and what's questionable - and here's my dilemma and a workaround (I think).

I want to build a "perfect" Mac with fonts that we know are OK- • Fonts that come with the OS
• Fonts that come with Microsoft Office (standard on all Macs here)
• Fonts that install with our Adobe products (standard on all Macs here)

And inventory it to populate the list of fonts you could suppress from reports.
To set a "baseline"- then anything showing up in a font report is in the "unknown" category. I need to get the names, amounts and install frequency of the "unknowns" to start to resolve licensing and, if need be, buy more or remove if unneeded.

Here's the problem- when you turn on collecting fonts as an inventory option you'll start getting fonts from any system that checks in, not just the "perfect" system, thus polluting the baseline. That's unfortunately what I did, and as far as I can tell, there's no way through the JSS interface to remove the whole list available for the Supress/Unsupress lists - and I don't much feel like hand adding appx 2k fonts by hand.

If I do manage to gouge the existing fonts collected by the JSS, I'll need to do the following:
• Turn off the option to collect fonts until I'm ready.
• Set the Update Inventory policy to Disabled
• Remove fonts collected by the JSS (however you do that...)
• Turn the option to collect fonts back on
• run sudo jamf recon on the "perfect" Mac
• Add the fonts collected to the Suppress Fonts list
• Turn the Collect Inventory Policy back to something reasonable - like once a day.
• Profit!

Sounds like you're looking at a manual SQL query to kill all those fonts that are mucking up your JSS.

Are you more interested in keeping machines in-line with your baseline (e.g. someone adds a font, it gets yanked) or are you more interested in just knowing what you have that's outside of your baseline?

(e.g. enforcement vs reporting)

FontExplorer X Server worked for me.

I went through a great deal of pain to get font compliancy.

I even looked at Extensis UTS and when it first came out and tested the hell out of it and wasn't impressed by the software or support team.

Worth trying out different vendor software management solutions and make up your own mind. Please keep saying to me "use UTS" but i know i never will again.

We are currently testing out a hybrid MCX/hidden folder/manual deletion/UTS solution to this:

1. We have an MCX to whitelist every application on /
2. We have a 2nd MCX to Blacklist /Applications/FontBook.app (since non-admin users can use it to install fonts in ~/Library/Fonts)
3. We have a 3rd MCX to enable Family Controls (required to white/blacklist apps)
4. We've made ~/Library/Fonts hidden so users cannot just drag fonts into this folder.
5. I've written a short bash script to find any fonts other than in /System/Library/Fonts and remove them, then lay down a fresh package containing only fonts common to all departments in /Library/Fonts.
6. Finally, we leverage UTS to provide only the fonts necessary to each department.

This way we only have to worry about what fonts the company actually is licensed for since all other fonts get removed. It's left to our creative departments to police fonts used in artwork since this method does not stop artists from using fonts on their desktops or potentially figuring out how to get fonts into the hidden ~/L/F folder...

I've written an article about white/blacklisting apps here: http://acdesigntech.wordpress.com/2012/02/09/using-managed-preferences-mcx-to-blacklist-applications/

@ jarednichols: how much stuff is outside of our baseline, so I can make decisions about how bad off we are, possibly a font management solution, purchases thereafter. And yes, that's a SQL purge... I have a support request in with JAMF about the means as I don't feel comfortable poking around in there.

The goal of getting the "baseline" set in the JSS is really to just get a handle on how far outside of compliance we may or may not be- and my suspicion is that we'll have to do a great deal of remediation. - I have no real intention of managing the fonts for 200+ users with the JSS, but the stats from the JSS - especially if it shows we really have a mess on our hands, will be used as another justification to moving to UTS or FontExplorer X, depending on what fits best.

acdesigntech's method sounds good, and is similar to one I've used in the past. The exception being that I used FontAgent Pro Server in place of UTS. I also never hid the local Fonts folder in their home directory, but I did stop people from using FontBook. FAP Server was a godsend when I worked in a creative environment. As anyone who has dealt with this knows, fonts are akin to viruses. They seem to multiply and copy themselves from machine to machine until you have to take drastic measures!

In my particular setup, since no users were admins, those steps cut down on the large majority of rogue fonts, since they could only install from the FAP client. Savvy users knew how to drop fonts into ~/Library/Fonts/ but most of them just complied. The important thing was, having a consistent, clean and bug free set of fonts actually made their lives easier, so it wasn't hard to get everyone to stay in line. Most didn't want to go back to how it was before this was implemented, since it was such a mess.

Any font server would likely do as well, so if you really want to get serious about controlling this, I suggest testing them all out and seeing what fits best. Hopefully its in your budget. Sounds like you could use it.

Another thought I had about this was, if once you get a clean baseline, you know you should have only, say, 150 fonts in the /Library/Fonts/ location and 0 in any ~/Library/Fonts/ folder, you could craft and extension attribute that would simply do a count on the number of items in the folder, then report it into a result. For ex, if you scan local font folders on inventory with the EA and it returns a number higher than 0, that could be used to drop that Mac into a SmartGroup which would then send you an email. Should be simple enough to do that. And it would give you the notification you're looking for.

mm2270's EA suggestion is excellent. If you are interested in WHICH fonts are out of compliance, you could always populate an array in a shell script with the names of each font in your baseline, and then compare all font folders on the Mac to this array and output the names of any font not found in your base array. Might help with any purchasing decisions you need to make.