Posted on 08-14-2010 12:34 AM
Hello,
I'm investigating Casper as a Mac management solution.
I am wondering if anyone is using Casper in a large multi-department enterprise?
I'm wondering if there is any way to make it so that access to machines for one department is restricted to personnel from that department e.g.:
1) In department A, only the IT staff in that department can remote in to their machines but not into department B's machines.
2) Patches and software for department A can only be configured/assigned by IT staff responsible for that department.
I guess you get the picture :) Basically, is it possible to partition/configure Casper so that different people/groups look after different people/machines and can't do so for the other groups/machines?
Regards,
David London
Posted on 08-14-2010 06:11 AM
Hi David,
The honest answer to that question with the current release is no. This level of granularity in regards to assigning rights to particular individuals or groups to particular machines or network segments does not exist.
These levels of control have been asked for by people, including me, but I haven't had any major problems without those controls in place. It's been very easy to deal with because our IT is very centralized because our size still makes that possible.
The only way around this currently is by setting up a separate JSS for each isolated area.
However, the rest of the capabilities within the system are the best. What I also don't know is if JAMF would share their roadmap with you under NDA to find out if this is coming down the line. I honestly don't know.
Cheers,
Craig Ernst
Systems Management and Configuration
+-------------------+
University of Wisconsin-Eau Claire
Learning and Technology Services
105 Garfield Ave
Eau Claire, WI 54701
Phone: (715) 836-3639
Fax: (715) 836-6001
+-------------------+
ernstcs at uwec.edu
Posted on 08-15-2010 08:29 PM
Hi David,
We approached JAMF about the same thing, the ability to segregate within JSS. We are testing Casper in one environment (2000 Macs) that has departments who hire freelance "Mac techs" to manage their own Macs. We need to get Casper to those Macs, but don't want those "Mac techs" to have any (ANY) access to Macs in other departments. The only way to manage things is to have multiple JSS (as Craig mentioned). We're looking into the possibility of (at least) having a MySQL box on the LAN that can gather inventory information from all the JSS...not very elegant, but we hope possible (albeit unsupported by JAMF).
Here's to JAMF Casper Suite maturing and being able to better handle these kinds of diverse enterprise environments.
Don
Posted on 08-16-2010 05:50 AM
Hi David-
Currently this is not possible. We also run a "federated" IT support model and would like to delegate "full" control to groups of machines. Currently, Casper will allow certain permissions but they apply to all machines in Casper. You can't segment "ok this group has full control but only over this department" currently. The increased granularity of the security model of Casper has been a big feature request and Jamf is well aware that the community is looking for it. To Jamf's credit, they're great at implementing things that we want and not just throwing in fluff features. However, I imagine this will take a good amount of re-engineering at the core of the product so I don't know how long it will take or how long they've been working on it.
This shortcoming notwithstanding, you'll find Casper to be a fantastic product with great support from both the company and community.
j
--
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436
Posted on 08-16-2010 06:06 AM
David
This is possible, but it is only possible really if you set it up that way. Sounds to me more like an Open Directory question rather than a Casper question. However, Casper will allow you to set up network segments by subnet range and assign them to buildings and then allow you to create smart groups and scope policy to buildings. So, if you know that building A has a subnet range of 10.100.10.10 to 10.100.50.254 then you can set that up in Casper. Then when you execute policy and scope it for that network segment, only machines on that subnet range will get that policy.
As for remote management, that is tricky. When we first deployed our 1 to 1 here we tried doing OD groups for ARD access. Needless to say I had very little luck or success with it. So, now I deploy local accounts for ARD access and that can be fine-tuned and scoped for smart groups based on network segment just like I previously explained.
Hope that helps
Tom
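The network-segment scoping Tom describes, as an added example that is not part of the original thread and not Jamf's code: building ranges are constructed to match the style of the 10.100.10.10 to 10.100.50.254 range in the post, a machine is placed in a building by the address it reports from, and a policy scoped to a building reaches only the machines currently in that range. The machine names and addresses are constructed for the example; the last record shows the caveat with this approach, which is that the scope follows the network a machine is on, not the department that owns it.

```python
"""Added example: scoping policy by network segment (constructed data)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed network segments, building -> (first address, last address).
# Ranges are inclusive, like the subnet range described in the post.
SEGMENTS: Dict[str, Tuple[str, str]] = {
    "Building A": ("10.100.10.10", "10.100.50.254"),
    "Building B": ("10.200.0.1", "10.200.255.254"),
}

# Constructed inventory: machine name -> last reported IP address.
# "a-laptop" belongs to department A but was last seen on Building B's network.
MACHINES: Dict[str, str] = {
    "a-imac-01": "10.100.20.5",
    "b-imac-01": "10.200.3.7",
    "a-laptop": "10.200.9.9",
    "vpn-host": "192.168.1.1",
}


def segment_for(ip: str) -> Optional[str]:
    """Return the building whose address range contains `ip`, or None."""
    addr = int(ipaddress.ip_address(ip))
    for building, (lo, hi) in SEGMENTS.items():
        if int(ipaddress.ip_address(lo)) <= addr <= int(ipaddress.ip_address(hi)):
            return building
    return None


def policy_scope(machines: Dict[str, str], building: str) -> List[str]:
    """Machines that would receive a policy scoped to `building`'s segment."""
    return [name for name, ip in machines.items() if segment_for(ip) == building]


if __name__ == "__main__":
    for building in SEGMENTS:
        print(building, "->", policy_scope(MACHINES, building))
```

Because membership is recomputed from the reported address, a department A machine that connects from Building B's range picks up Building B's policies and drops out of Building A's, so this scopes what a policy touches but does not restrict which administrator may create it.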
Posted on 08-16-2010 06:36 AM
I disagree, this is a Casper question. We’re really talking about separation of user rights within the JSS, and network segments or groups in OD or AD don’t help with this.
If you give a user rights to image systems, they can do anything, any configuration, any software (if you allow custom).
If you give a user rights to push software using Casper Remote, they can push to any managed system.
If you give a user rights to remote control a box they can do that to all of them instead of a specific group based on smart groups (I would separate out labs and offices).
It’s easy to break out local administrative rights on the box with groups, but not within the Casper Suite of tools.
Craig E
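A model of the two authorization designs Craig E contrasts, added here as an example that is not part of the original thread and not Jamf's code. `GlobalRights` grants a privilege over every managed machine, which is how the thread describes the JSS at the time; `ScopedRights` binds each grant to a machine group, which is the delegation the original poster asked for. `reachable` reports the blast radius of one grant under each model. The group names, machine names and user names are constructed for the example.

```python
"""Added example: global versus scope-bound administrative rights (constructed data)."""
from typing import Dict, Optional, Set, Tuple

# Constructed machine groups (smart groups, in Casper terms) for two departments.
MACHINE_GROUPS: Dict[str, Set[str]] = {
    "Dept A": {"a-imac-01", "a-imac-02"},
    "Dept B": {"b-imac-01"},
}
ALL_MACHINES: Set[str] = set().union(*MACHINE_GROUPS.values())


class GlobalRights:
    """A privilege granted to a user applies to every managed machine."""

    def __init__(self) -> None:
        self.grants: Dict[str, Set[str]] = {}

    def grant(self, user: str, privilege: str, group: Optional[str] = None) -> None:
        # `group` exists only so both models share an interface; it is ignored here.
        self.grants.setdefault(user, set()).add(privilege)

    def allowed(self, user: str, privilege: str, machine: str) -> bool:
        return privilege in self.grants.get(user, set())


class ScopedRights:
    """Each grant is a (privilege, machine group) pair and reaches nothing outside the group."""

    def __init__(self) -> None:
        self.grants: Dict[str, Set[Tuple[str, str]]] = {}

    def grant(self, user: str, privilege: str, group: str) -> None:
        if group not in MACHINE_GROUPS:
            raise ValueError(f"unknown machine group: {group}")
        self.grants.setdefault(user, set()).add((privilege, group))

    def allowed(self, user: str, privilege: str, machine: str) -> bool:
        return any(
            priv == privilege and machine in MACHINE_GROUPS[group]
            for priv, group in self.grants.get(user, set())
        )


def reachable(model, user: str, privilege: str) -> Set[str]:
    """Blast radius: every managed machine `user` can act on with `privilege`."""
    return {m for m in ALL_MACHINES if model.allowed(user, privilege, m)}


def build_models() -> Tuple[GlobalRights, ScopedRights]:
    """Give each department's technician push rights over their own department only."""
    glob, scoped = GlobalRights(), ScopedRights()
    for model in (glob, scoped):
        model.grant("tech_a", "push_software", "Dept A")
        model.grant("tech_b", "push_software", "Dept B")
    return glob, scoped


if __name__ == "__main__":
    glob, scoped = build_models()
    for name, model in (("global", glob), ("scoped", scoped)):
        print(name, "tech_a push_software ->", sorted(reachable(model, "tech_a", "push_software")))
```

Under the global model the audit shows tech_a reaching every machine, including Dept B's; under the scoped model the same grant stops at Dept A. Since the thread also notes that the agent runs as root, any privilege that lets a user run commands on a machine carries root on that machine, so it is the scope attached to the grant, not the privilege name, that limits the damage a mistaken or compromised account can do.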
Posted on 08-16-2010 06:51 AM
If you give them the right to create policy, they can root the machine. Casper runs as root. They can just send Unix commands to do whatever they want. If you want more granular machine support I think OD is the way to go, as MCX settings can even overwrite local admin rights. Plus I mean physical access trumps all security.
I think in a very large multiple building environment you may want to set up multiple JSS boxes. For remote management if you give a user access to Casper Remote I think they have access across the board. Is that not the case? To answer the last question, SUS servers (which are OS X Server side) can be set and Casper policy can be scoped to only use and allow what the SUS says so.
Unless I am not getting the question right? It is after all Monday and the first day of school... so I could be way off.
Thanks
Tom
Posted on 08-16-2010 08:06 AM
I second that, big feature request.
Hasaan Herrington
Technical Support II
Information Technology
Anchorage School District
(907) 742-4615
Posted on 08-16-2010 09:50 AM
We've requested this as well.
On 8/15/10 10:29 PM, "Don Montalvo" <donmontalvo at gmail.com> wrote:
Everything so far has focussed on permissions levels in a single hierarchy, but so far nothing has focussed on the idea of fiefdoms with separate but equal administrators. Unlike a Windows enterprise domain setup you can't delegate to one fiefdom without handing over the keys to the kingdom.
This is one of the few things preventing Casper from being a truly enterprise-class management system.
--
William Smith
Technical Analyst
Merrill Communications LLC
(651) 632-1492
Posted on 08-16-2010 11:51 AM
Along with the ability to segregate, we also need resilience (master/replica) for JSS to be able to manage diverse, global enterprise environments. :)
Don
Smith, William <William.Smith at merrillcorp.com> wrote:
Posted on 08-17-2010 11:25 AM
Hi,
On 16.08.2010, at 16:06, Herrington_Hasaan wrote:
+1
--
Marko Jung
NSMS - Oxford University Computing Services
http://www.oucs.ox.ac.uk/nsms