
(Oops...I just sent this to the wrong list, sorry for the cross post. Don)

We inherited an environment where all Mac users were given admin rights. OK, let's pause for a moment until you guys are done ROFLMAO'ing....

We're being asked to implement a control to prevent users from renaming Macintosh HD. Of course admin users can do just about anything they want, including renaming their hard drive. I thought maybe a script triggered by launchd to run at logout, that would check and rename to Macintosh HD if necessary. Before going there, I wanted to see if there is a way to lock the Macintosh HD name down using Casper.

PS, Getting this client to understand that users having admin rights is a baaadddd thing is going to be a loooonnnggg, painful struggle. One step at a time...

Don

After getting a bit of help with my Unix wizardry I came up with this, since the boot volume could change on a Mac Pro, or a device where there are lots of partitions.

diskutil info `bless --getboot` | sed -n '/Volume Name:/ s/.*Volume Name: *//p'

That will grab the full name of the booted volume, including spaces, and multiple names. Though, now that I think about it, you could just have a script enforce the name change regardless once a day as well.


Nice. I'm checking with the manager who is making the request to clarify. Do they mean (1) hard drive name...if so, do they want all to be Macintosh HD or do they want it to match the computer name, (2) computer name, which can be enforced by JSS as Lance described, (3) host name, which I suppose can be set to match computer name. If they're looking to keep Macintosh HD it should be easy. If they want Macintosh HD to match computer name, it would be a little trickier but I suppose we could enforce computer name using JSS, then pipe that value into a script to rename Macintosh HD to the computer name. I'll have more info on their request soon.

Thanks,
Don


I have a couple of scripts that maintain the computer name; you could easily adapt them to keep the volume name. If you set Casper to run the policy offline, it will cache the scripts. I have mine set to run once a day, so if they rename their computer "BLING-BLING" it gets renamed back to the standard naming convention. Eventually they give up.

http://tlarkin.com/tech/2-shell-scripts-maintain-standard-naming-conventions

If you read my bottom comment, you need to edit one part of the script. My syntax highlighter doesn't like <, >, and >> because they are reserved HTML characters. So it changes them to &gt; and so forth. I haven't had time to fix it, but those scripts do work as I have tested them on a few users that liked to rename their computer to things outside the standard naming convention, which totally jacks up our smart groups in Casper.

-Tom


Don,
this can be done through policy and set to execute at logout.
Take a look at the Advanced tab in the policy creation. Check the Reset Computer Names as your option.
Give that a whirl.

-Lance


Ah, but Lance that renames the computer. Don is looking for something to
re-name the hard drive. Users are changing from "Macintosh HD" to "My
Drive", or whatever.

Don, try using Thomas' method. If you need it done more frequently, set it
as a policy that runs every15 or whatever your maintenance time frame is.

Steve Wood
Director of IT
swood at integer.com

The Integer Group | 1999 Bryan St. | Ste. 1700 | Dallas, TX 75201
T 214.758.6813 | F 214.758.6901 | C 940.312.2475


maybe just change the perms on / to 755. i think default is 775 with system being owner and admin being the group.

eric winkelhake
mundocomww
office 312 220 1669
cell 312 504 5155


Yeah. it just hit me.
My bad Don.. Too much multitasking, too little coffee.


You could alter my scripts to cache the HD name or even hard code it, then check to see what the name is and if/then do commands accordingly.

It would be pretty easy.


Lance, Steve, Thomas,

Interesting, yes, we want to rename the hard drive to "Macintosh HD". That said, I'll confirm if the computer name (Lance's thought) might be needed as well. Looks like we're going to test both. Thanks for all the great feedback. :)

Don


Hi Don,

Unfortunately, if end users are admins, there's no such thing as "locking down".

However, with policies, we can ensure that certain things are constantly reinforced. To change a volume name, you can use...

diskutil renameVolume oldVolumeName NewVolumeName

Now, if you don't know what "oldVolumeName" is, you'll have to find out. This can be done script-o-matically too.

This line will grab the volume name of the boot volume (only tested in Snow Leopard)...

diskutil info / | grep "Volume Name" | cut -c 30-

An extension attribute can be created for "boot volume name". A smart group can then be created with the criterion of "boot volume name is not desiredBootVolumeName".

Creating a policy scoped to the group described above and running a script containing the commands above will allow you to maintain your boot volume name. Setting this policy to run on an every15 trigger with an ongoing frequency will reset your volume names back to what you want them to be with regularity, but only if they have been changed.

I hope this is helpful.

Thanks,

--
Miles Leacy
Technical Training Manager
Mobile (347) 277-7321

miles at jamfsoftware.com
....................................................................
JAMF Software
1011 Washington Ave. S
Suite 350
Minneapolis, MN 55415
....................................................................
Office: (612) 605-6625
Facsimile: (612) 332-9054
....................................................................
US Support: (612) 216-1296
UK Support +44.(0)20.3002.3907
AU Support +61.(0)2.8014.7469
....................................................................
http://www.jamfsoftware.com
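Putting Tom's bless-based one-liner and Miles' extension attribute / policy procedure together, here is an added example script (not code posted in this thread). It parses the "Volume Name:" field from diskutil output without depending on a fixed column offset, emits the value in Casper's <result> extension attribute format, and renames only when the name has drifted; DESIRED_NAME and the sample diskutil output are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. DESIRED_NAME is an assumed value.
DESIRED_NAME="Macintosh HD"

# Constructed sample of `diskutil info /` output (only the relevant lines).
# Note the double space inside the name: it must survive parsing.
SAMPLE_DISKUTIL_INFO='   Device Identifier:        disk0s2
   Device Node:              /dev/disk0s2
   Volume Name:              My  Drive
   Mounted:                  Yes
   Mount Point:              /'

# Extract everything after "Volume Name:", whatever column it starts in,
# keeping internal spaces and trimming leading/trailing blanks.
volume_name_from_info() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*Volume Name:[[:space:]]*//p' \
        | sed 's/[[:space:]]*$//'
}

# On a live Mac: ask bless which device is the boot volume, then parse
# diskutil's description of that device (avoids assuming it is "/").
boot_volume_name() {
    volume_name_from_info "$(diskutil info "$(bless --getboot)")"
}

# Extension attribute output: Casper stores the text between <result> tags.
ea_result() {
    printf '<result>%s</result>\n' "$1"
}

# Exit status 0 when the given name differs from the standard, 1 otherwise.
needs_rename() {
    [ "$1" != "$DESIRED_NAME" ]
}

# Policy body: rename the boot volume only if it has drifted.
enforce_boot_volume_name() {
    current="$(boot_volume_name)"
    if needs_rename "$current"; then
        diskutil renameVolume "$current" "$DESIRED_NAME"
    fi
}
```

Use the EA form (`ea_result "$(boot_volume_name)"`) in the extension attribute script and `enforce_boot_volume_name` in the policy scoped to the "boot volume name is not Macintosh HD" smart group.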


Hi Miles,

Yes, we're from the same "Users don't get admin rights unless you want us to hire more support staff to continuously clean up the mess" school. :D

I tested and it works great:

diskutil info / | grep "Volume Name" | cut -c 30-

Definitely interested in leveraging Extension Attributes (reminds me of Xinet where we use them daily in the Venture MySQL database and WebNative GUI <g>).

This is quite helpful...centrally managed, leveraging the native Casper toolset as much as possible. Will test this too, once we implement we'll shout back to the list.

PS, a belated thanks to Pete Wann who also sent some great suggestions off list.

Thanks,
Don


I too was in the same boat as you. When I started working for my current
company everyone had admin permissions. I got the buy-in from the upper
management to lock down the systems. I planned it with the roll-out of a
major OS upgrade. That way the user gets something new and gets something
taken away. It really helped out as they were not as mad then. Also if
you are a publicly owned company you can just blame SOX :)

We still give laptops admin accounts but we blacklist all the software we
do not want them to run. I have run into too many problems where they
needed to change the time zone (there is a workaround now but back then I
was SOL) or install software for a client job at a client site. I have yanked
one or two people's admin accounts on laptops for abuse but all in all it has
been OK.

Rich

Rich Dagel
Senior Technology Specialist

Landor Associates
1001 Front Street
San Francisco, CA 94111
United States
415 365 3933
http://www.landor.com
Rich.Dagel at landor.com


Hi Rich,

Thanks for the feedback. We generally have a second local admin account on laptops that only Helpdesk and the rest of IT have the password for. If a user gets in trouble, they can call in for the password (our Helpdesk is 24/7/365)...alternatively we can provide them with the password before they hit the road. Casper changes the scene though...definitely looking to refine best practices on the laptop side now that we have a new toolset that can do so much.

Don


We have this problem here too with users either accidentally or otherwise
re-naming the system drives, which of course causes imaging to fail. I took
Miles' examples from yesterday & put this script together - It tested
perfectly on my machine, so I now have it executed as a daily policy:

#!/bin/bash

# Capture the boot volume name from diskutil's "Volume Name:" line.
VolumeName=$(diskutil info / | grep "Volume Name" | cut -c 30-)

# Rename only when the volume has drifted from the standard name.
if [ "$VolumeName" != "Macintosh HD" ]; then
    diskutil renameVolume "$VolumeName" "Macintosh HD"
    exit 1
fi

-- Christopher Kemp
CNN-BEST
Central Engineering


Hi Chris,

This is great, but I wonder if this can be done using Extension Attributes?

Also, our client may need the boot drive to match its JSS computer name. You mentioned imaging failing, is this a problem?

Thanks,
Don


I wrote a one-liner that always grabs the boot volume's name, and I also have scripts that I linked that cache the computer name to a local file and check it once a day. This way if the user changes anything, and recon updates Casper with the different name, the cached name from when it was imaged will never be altered.


Don't know about using Extension Attributes - for what purpose exactly?

You can call the boot drive anything you want, so long as it's listed
correctly in the Autorun Data. If the name Casper expects is different from
the boot drive, however, then imaging will fail because it can't find where
to install the OS.

A side effect of this is that the computer will also keep trying to netboot
until told otherwise, because the startup volume will still be set to
netboot.

Christopher


Hi Chris,

I was thinking the quickest way to check to make sure the boot drive is named Macintosh HD would be by using Extension Attributes. Then if necessary, rename the drive. I guess a script and policy would do the same without going that route. :) Thanks for the Autorun Data info, it looks like we're going to have to keep the default Macintosh HD to prevent issues.

The client called to say they want the Computer Name to be consistent with what is in JSS. So if a user renames it, it'll revert back. I guess this can be done with policies too. I'll have to do some digging.

Thanks,
Don


That's easily done via Policy - create a Custom policy, triggered via
every15 (once a day is probably enough), and on the Advanced tab select
"Reset Computer Names" - this will push whatever name is in the JSS to the
computer(s) affected by the policy.

Christopher


Chris, thanks for saving me some time and trouble. :) Hoping to pay it forward as I get more experience with the suite.

Don


Has anyone ever tried setting the auto run data to a device node instead of a volume name? Like, /dev/disk0s2 for example? Which is the default boot drive for most (but not all) Macs?

I've never tried it. If it works that way then the name shouldn't matter, right?