AutoDMG Workflow - Admin Account

rcorbin
Contributor II

We have always used Composer to create an OS Package for use with Casper Imaging. For the most part it works very well. Install an OS on a machine. Make a few customizations and then create an OS Package from it with Composer. I've been playing around with AutoDMG and can certainly see why so many people use it. I'm running into a few odd things and it's probably me just not understanding the workflow. I'm about to flip to building Yosemite machines so this is why I'm revisiting this.

In our Composer built OS Package we would pre-create the admin account. That would be the one and only admin account and Casper would use it as well.

So in this new workflow I build an OS Package using AutoDMG. I put that into a configuration in Casper Admin and I see under the management tab that I can put in what I want my admin account to be. I can enter the password and I can check "Create account if it does not exist". I then build the machine. I end up with something that doesn't really have any accounts on it, but Casper does seem to be able to talk to it. But I can't even ssh in with that admin account that I supposedly created. Where is this account it created? Is it a hidden account or ssh only? Should it be a regular account with admin access?

So I then tried using CreateUserPkg as part of the AutoDMG workflow. I add a package into AutoDMG with an admin account that was the same one as I used to use. This seems to sort of work. The account is there after imaging. But when I log into it I get a dialog box saying it needs to repair the libraries in order to run applications (asking for an admin account and password). At which point it doesn't even want to take the username and password for the account I just created. I basically can't even get rid of that dialog without a reboot. Is the problem more of a 10.10.3 thing with CreateUserPkg? Anyone having issues with CreateUserPkg and 10.10.3? Maybe this worked OK with previous OS's?

Just did another test and in Casper Imaging and under the accounts tab I had it create this admin account there. This seemed to work fine. I can log in after the build and it doesn't want to repair libraries. But it's a lot of extra typing to do in Casper Imaging if you are building 600 machines. Am I missing something here?
I'm thinking about maybe Prestage? Or a QuickAdd package that would put the machine into a certain department where I could have a policy that then creates the account. Sorry for the long post. :(

7 REPLIES

calumhunter
Valued Contributor

AutoDMG and CreateUserPkg work great for me on. I just finished a 10.10.3 image and it's fine. Sounds like a Casper Imaging issue. I don't use Casper Imaging because, well, it sucks. I use DeployStudio to lay down images and then apply the Casper QuickAdd.pkg and let my policies and smart groups build the machine from there.

RobertHammen
Valued Contributor II

I use AutoDMG and CreateUserPkg at a number of sites (along with Casper Imaging). Anytime I've seen the "repair user library" issue, it's because of something being put into the default user template (FUT).

Try just a base OS + your user pkg. Bet it works fine. Add back in a couple of your policies with FUT (or that contain files in /System/Library/User Template). Keep adding and removing packages until you find the one that's causing the issue.

What version of the JSS are you using? What version of Casper Imaging? I've had the most success with 9.65, although that version has some distribution point issues.
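As an added example (not part of the reply above and not code from any poster), the package-by-package search can be shortened by listing which packages carry payload files under the user template path. `pkgutil --payload-files` is the macOS tool assumed here; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Flag installer packages whose payload writes into the default user
# template, the location named in the reply above.

# Matches payload paths such as "./System/Library/User Template/...".
TEMPLATE_RE='^(\./|/)?(System/)?Library/User Template/'

# Read a payload listing on stdin (one path per line, as printed by
# `pkgutil --payload-files`) and print only the user-template paths.
template_hits() {
    grep -E "$TEMPLATE_RE" || true
}

# Count the user-template paths in a listing read from stdin.
count_template_hits() {
    template_hits | wc -l | tr -d ' '
}

# Scan each .pkg given as an argument (macOS only: needs pkgutil).
scan_packages() {
    command -v pkgutil >/dev/null 2>&1 || {
        echo "pkgutil not found (run this on macOS)" >&2
        return 1
    }
    for pkg in "$@"; do
        n=$(pkgutil --payload-files "$pkg" 2>/dev/null | count_template_hits)
        if [ "$n" -gt 0 ]; then
            echo "SUSPECT  $pkg  ($n user-template paths)"
        else
            echo "clean    $pkg"
        fi
    done
}

# Constructed sample listing, so the filter can be tried without a package.
sample_listing() {
    cat <<'EOF'
./Applications/Example.app/Contents/Info.plist
./System/Library/User Template/English.lproj/Library/Preferences/com.example.app.plist
./Library/Preferences/com.example.app.plist
./System/Library/User Template/Non_localized/Library/Application Support/Example/settings.xml
EOF
}

if [ "$#" -gt 0 ]; then scan_packages "$@"; fi
```

This only sees payload paths. A package applied with the FUT option in Casper Admin, or a script that edits the template during imaging, will not show up and still has to be tested by adding and removing it.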

rcorbin
Contributor II

Thanks for the tip @RobertHammen. Come to think of it there might be a script during the imaging process that modifies the default user template. I'll try just the OS itself and see how that goes. We are running 9.63. Casper Imaging 9.65 (as per your suggestion). Was waiting for 9.71 to upgrade. OS is 10.10.3.

Thanks for the reply @calumhunter We've been using Casper Imaging for years (Probably 7) and it's been pretty good. Your idea does sound interesting though.

alexk
New Contributor III

I do something similar so hopefully this helps. I've been able to deploy OS packages from AutoDMG from 10.9.x to 10.10.3 using Casper 9.x versions. I'm currently deploying 10.9.5 and 10.10.3 OS packages from AutoDMG using Casper v9.63 and Casper Imaging v9.63.

For the management account in the Configuration, I think it is generally recommended to let the JSS use it for what it needs to do and not log in with it. If you need an admin account to log in with, then create a separate local admin account for that purpose. Here is a pretty good explanation of the management account and its checkbox options from mm2270 (the "SOLVED" post):

https://jamfnation.jamfsoftware.com/discussion.html?id=13354

To create the local admin account to log in with, I have a policy in the JSS that is triggered by "Enrollment Complete" that creates the admin account using the "Local Accounts" payload. Be sure to check the box to allow the account to administer the computer. The account will get created during Casper Imaging when enrollment takes place. It should be noted that this local admin account will get created for all Configurations or whenever any Mac is enrolled, including self enrollment if you use it. That is what we want in our environment.

If you do not want that and instead want different local admin accounts for different Configurations, you could do a script that runs during imaging that creates the local admin account instead of using the policy. Then add the script you want to the corresponding Configuration. There are other creative ways to do that though. That's just one method that quickly came to mind.

As a side note, you can also use a policy in the JSS to rotate the local admin account's password when you want to.

bentoms
Release Candidate Programs Tester

@rcorbin I use Imaging only, as per this post & can see the management account under /Users/.

Even when imaging 10.10.3.

Nix4Life
Valued Contributor

+1

Take it out of the box, let Casper create the account

rcorbin
Contributor II

@RobertHammen You were right. That "repair user library" issue was coming from a package.

Thanks for all the info everyone. Much appreciated.