Casper Newbie

abz_mungul
New Contributor III

Hi

We are in the process of going with Casper for our Mac deployments and were
wondering if anyone could answer the following.

What services are required on the Mac OS X Server? Is it just AFP?

We have a FreeBSD-based DHCP server. Are we required to add the Casper server
to this for PXE boot? (This is something we had to do for KACE, which is what
we are using to do our PC builds.)

This is the first time that we would be running a Mac-based server in our
environment, so we are quite nervous about what impact this may have on our live
services (95% UNIX environment and 5% Windows Server).

Thanks

Abz


29 REPLIES

Bukira
Contributor

Hi,

The JSS uses Tomcat and MySQL; this can be a Mac or other platform server. This is for the database that controls inventory and policies.

To deliver the images and software you need either AFP, SMB or HTTP. I would recommend AFP for performance, but you can have AFP on a Novell or Windows server, but again I recommend a Mac AFP server.

To image the clients you need DHCP (can be any DHCP server) plus Netboot, which is best on a Mac server.

My setup is:

A Windows-based network with AD and Windows SMB home area servers

2 Mac servers for Casper, for redundancy; these have 32GB of RAM, plenty of HD space and as much bandwidth as possible, running (AFP, Tomcat, MySQL, Firewall and OD). I use OD for computer management rather than Casper's MCX.

2 Mac servers for Netbooting; these have 4GB of RAM, a much smaller HD and as much bandwidth as possible, running (NFS, Netbooting, OD, Firewall, AFP)

For me, I find the limiting factor is bandwidth; the Mac servers can deliver much more data than my bandwidth can handle. I have bonded NICs giving 2Gb and a 10Gb backbone.

Regards

Criss

Criss Myers
Senior Customer Support Analyst (Mac Services)
iPhone Developer
Apple Certified Technical Coordinator v10.5
LIS Development Team
Adelphi Building AB28
University of Central Lancashire
Preston PR1 2HE
Ex 5054
01772 895054

tlarkin
Honored Contributor

I just want to add, if you run AFP on a non Mac platform, it is an older version and does not accept encrypted passwords for authentication. I have this ridiculous testing software on our Novell/SuSe boxes that host the database for the testing software. I have to force all clients to use clear text passwords in AFP to these servers.

Otherwise Criss pretty much nailed it. It all comes down to having the proper back end to support your clients. So, you will have to assess how many Mac clients you plan on managing and go from there.

Bukira
Contributor

What about ExtremeZIP? Is that an older version?

I know Novell's is, and I wouldn't touch Novell's if my life depended on it. We used to use it and oh was it rubbish; Abend becomes your friend.

Criss


stevewood
Honored Contributor II

Novell rubbish? Oh, I don't know, give me an old Novell 3.12 server over a
Windows server any day for print and AFP. Those things were bullet proof!

:-)

Steve Wood
Director of IT
swood at integer.com

The Integer Group | 1999 Bryan St. | Ste. 1700 | Dallas, TX 75201
T 214.758.6813 | F 214.758.6901 | C 940.312.2475

Bukira
Contributor

hmmmm not ours

Criss Myers

tlarkin
Honored Contributor

Novell makes a great and solid product, the problem is, they are typically 2 years behind everyone else. If anyone has ever used iPrint with their Mac clients, please let me know how you got it set up, and I will pay pal you money for beers! I would love to deploy iPrint with Casper.

Thanks

Tom

talkingmoose
Moderator

"Platform" doesn't make a difference. AFP version is the key factor.
On 5/5/10 9:15 AM, "Criss Myers" <CMyers at uclan.ac.uk> wrote:

Group Logic's ExtremeZ-IP is up-to-date using version 3.2 of the AFP
protocol. We use it here and it works great.

Windows Server 2003 and earlier never moved beyond AFP 2.2 and AFP file
sharing support was completely removed from Windows Server 2008.

--

William Smith
Technical Analyst
Merrill Communications LLC
(651) 632-1492

ernstcs
Contributor III

Hello,

My setup is very similar to Criss’ actually, but he has more Macs than I do I believe, we’re just under 500.

Our Macs are bound to Active Directory and have Windows Server based homes mounted via SMB.

I have two Mac Servers:

One houses the primary JSS and distribution point so they use: AFP, MySQL, and Tomcat (The JSS Setup Utility will walk you through all of this)

The second houses the replication distribution point, is my backup JSS, Apple Software Update Server, and NetBoot server

If you plan to have the ability to Netboot Macs for imaging or other troubleshooting reasons, Macs don’t PXE boot, they use BSDP for Netboot. If the clients are in the same subnet as the Netboot server, nothing additional is usually required. If you span subnets you’ll need to add a helper address to the network for the IP address of the Netboot server, similar to supporting PXE across the network.

http://support.apple.com/kb/TA21323?viewlocale=en_US

http://www.bombich.com/mactips/netboot.html

Fire off any other questions you have here, lots of people willing to help.

Craig E

Bukira
Contributor

Hi Craig,

Actually I have only 300 macs.

I also have 2 test lab servers which replicate the live with same ram configuration, most of my servers are quad xeon 3ghz

How do you do your JSS backup? Is it just a file backup for restore?

That's one thing I do dislike about Casper: redundancy. You can have DP replicas but no JSS replica, so should the JSS fail there's no backup unless you restore a backup file, which requires user input.

And if the server fails and needs rebuilding, or the server room is offline, you need to build a new server and do a restore, all of which means downtime. That is one main reason why I use OD to manage my MCX rather than Casper, as I have 3 OD replicas.

Rant over, sorry

Criss

donmontalvo
Esteemed Contributor III

Some clients have a long, drawn out process for getting replacement servers. It can take months. And if you spec out a server that's designated as a "just in case" Xserve for JSS, the client hits you with "why are you giving us Casper if there's no redundancy?" On the MCX side, even if JSS offered redundancy, if you have AD or OD which are robust and already very well supported by IT, why duplicate efforts to build yet another directory services structure? I used to push for AD/OD integration, until AD 2003R2 came out. Now we push AD schema extension (or for rich, deep pocketed clients, AD plug-ins). The only way I'd ever recommend JSS for MCX is in small shops that don't have AD or OD. But who knows...JAMF might just surprise us. :)

Don

--
https://donmontalvo.com

ernstcs
Contributor III

As far as what I do I did already detail that in a reply to the list on Thursday, April 29, 2010 4:30 PM (-6 GMT)

I am sure that there are installations where the JSS being down for extended periods of time due to some type of outage may be quite traumatic. That's simply not the case for us, but probably because we keep things as simple as possible here.

During an outage here's what I lose:
- Automatic mapping of printers for students in the labs (probably the worst thing)
- The ability for policies (and self service) that are not ongoing and cached to run, or things that require access to the main distribution point

During an outage people can still login (although it may be delayed a little), they still mount their network shares, all the software is still there and runs. Downtime of the JSS does not cripple workstation usage like Active Directory and our Domain Controllers being down, email being down, file servers being down, or the network being down.

If the main server totally fails to the point of data being unrecoverable I lose:
- Any data updated since the last nightly backup, this might be login info, policy updates, and application usage reports (I'm sure there's more)
- Any packages or scripts added since the last nightly sync (although a copy of any new packs and scripts would exist in my test environment), or when in Casper Admin perform a sync to your distribution points before exiting.

Quite honestly, we don't go back into our JSS for a lot of data reports for others/management. It is a reporting tool for me to group systems and track what needs updating, a fresh run of recon refreshes any missing data about the systems.

Since all of the files, including the database backup, already exist on the backup server the downtime is very minimal assuming the backup server is still OK and accessible. If it isn't I'm sure there are bigger issues we're dealing with than a fail over problem.

--missing content--

- Run the JSS Setup Utility against the backup server, install the JSS components, and restore the backup within minutes
- Update the DNS pointer to the new IP address
- Run Casper Remote and flush DNS cache on systems that are available if necessary
- Get up from my couch and head to campus to see what's wrong with the main server

This can all happen within 10 minutes. It's not perfect, but it's what I've got.

Would fail over be nice? Hell yeah it would be nice, but the current scenario is acceptable for OUR installation, but I know that's not the case for many of you. Adding fault tolerance will drive up the cost of the product more than likely, not everyone wants or needs it perhaps, and there may be technical limitations to making it possible. I would like to think that anything is possible with software given the right resources and talent.

Craig E

tlarkin
Honored Contributor

MCX is the same in OD as it is locally. There is no difference. I think OD is easier to use, but that is mainly because WGM is a bit more intuitive with editing property lists. I think once Jamf integrates dictionary, boolean, integer, and so forth options to easily modify property lists it will be about the same functionality as OD. With the exception OD would still have user, group, and computer group preferences for more shades of management.

donmontalvo
Esteemed Contributor III

Yep, for our clients, it's strictly a matter of where MCX is managed and who controls it. Many companies, many different SLA's. ;)

Just to be clear, I know Casper *can* do MCX, and for some firms it might be just the ticket. For firms that have stable/redundant AD infrastructure, we're leveraging it.

Don


tlarkin
Honored Contributor

This guy has a really awesome blog about managing OS X and he touches on localized MCX a lot

http://managingosx.wordpress.com/

Worth a read if you haven't ever been there, but yeah OD is more robust as you can do user, groups, computer and computer group policy, where as with Casper I don't think you can quite do that.

lance_ogletree
Contributor

On May 6, 2010, at 9:41 AM, Thomas Larkin wrote:

> This guy has a really awesome blog about managing OS X and he touches on localized MCX a lot
>
> http://managingosx.wordpress.com/
>
> Worth a read if you haven't ever been there, but yeah OD is more robust as you can do user, groups, computer and computer group policy, where as with Casper I don't think you can quite do that.

Actually, it does.
Examine the Managed Preference Profile within the Management>>Managed Preferences.
You can create a profile of MCX preferences and scope that profile to Computer Groups, Indiv. Computers, Depts., Buildings and User Groups.
In addition you can apply the profile to a network segment.

-Lance

--
Lance Ogletree
Systems Engineer
Direct: (972) 547-9566
Mobile: (972) 342-5990
lance.ogletree at jamfsoftware.com
JAMF Software
1011 Washington Ave. S
Suite 350
Minneapolis, MN 55415
Office: (612) 605-6625
Facsimile: (612) 332-9054
US Support: (612) 216-1296
http://www.jamfsoftware.com

tlarkin
Honored Contributor

I stand corrected :)

Thanks for chiming in, one of those days I'll actually read the manual

jarednichols
Honored Contributor

We've been slowly rolling out Casper-managed MCX on newly imaged machines to ensure some of the very basic security policies are adhered to. It's been working rather well, though sometimes it takes an initial reboot of a newly imaged machine to take the policies.

Overall, I'm happy that Jamf integrated it into the Suite. I've run OD-AD magic triangle in the past and it always felt like it was held together with duct tape and chewing gum. Perhaps it's better now that OS X Server's a bit more mature. I'm just happy to leverage a product we're already using to add a new facet of manageability.

j

--
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436

donmontalvo
Esteemed Contributor III

Greg Neagle is an icon, really knows his stuff. Josh has some good info as well as a great video up on the Apple site:

http://seminars.apple.com/seminarsonline/mcx/apple/index.html?s=301

Don


abz_mungul
New Contributor III

Would anyone know how I would set up a netboot/PXE boot in a mixed
environment, i.e. PC and Mac?

Basically we have the KACE product for PCs and are currently in the early
stages of setting up Casper for the Macs.

Our DHCP server is currently set to send all PXE boot requests to KACE. How
would I enable it to determine the differences between a PC and a Mac and send
all netboot requests for Macs to the Casper box and PXE to KACE (for PC)?

I'm a complete newbie so be gentle!

(Our DHCP servers are on FreeBSD.)

Thanks

Abz

Not applicable

While I haven't worked with a KACE setup specifically, I believe you are
going to want to treat these as two separate management pieces.

We also run a Windows/Mac environment, using Altiris on the Windows
machines, and Casper on the Macs. Both systems do their own thing and do
not have any effect on one another.

Basically your Mac Netboot server(s) will broadcast or accept connections
within the same subnet to any Mac you Netboot (no extra setup). To go across
subnets you will need to set up a helper file on each different subnet's
router to allow netbooting on that given subnet.

You should not need to set up anything special with your DHCP server or the
KACE environment.

Hope that helps!

-- Jason Weber
Casper Certified Administrator
Technology Support Cluster Specialist
Independent School District 196
jason.weber at district196.org
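
The question above asks how a DHCP server can tell a Mac NetBoot request from a PC PXE request. As an added example (not part of the original thread): the two client types identify themselves differently in DHCP option 60 (vendor class identifier), PXE firmware with a string starting `PXEClient` and Apple BSDP clients with one starting `AAPLBSDPC`. The sketch below parses a raw DHCP payload and classifies it; the function names and sample packets are constructed for illustration.

```python
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # follows the 236-byte BOOTP header
OPT_PAD, OPT_VENDOR_CLASS, OPT_END = 0, 60, 255


def dhcp_options(payload: bytes) -> dict:
    """Parse the TLV option area of a raw DHCP payload into {code: value}."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("option header truncated")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option value truncated")
        # A repeated option code is concatenated (RFC 3396).
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options


def boot_client_type(payload: bytes) -> str:
    """Classify a request as 'pxe', 'bsdp' or 'other' from option 60."""
    vendor_class = dhcp_options(payload).get(OPT_VENDOR_CLASS, b"")
    if vendor_class.startswith(b"PXEClient"):
        return "pxe"
    if vendor_class.startswith(b"AAPLBSDPC"):
        return "bsdp"
    return "other"


def sample_request(vendor_class: bytes = b"") -> bytes:
    """Constructed test packet: minimal BOOTREQUEST with optional option 60."""
    header = bytes([1, 1, 6, 0]) + bytes(232)   # op, htype, hlen, hops, rest zeroed
    options = b""
    if vendor_class:
        options += bytes([OPT_VENDOR_CLASS, len(vendor_class)]) + vendor_class
    return header + MAGIC_COOKIE + options + bytes([OPT_END])


if __name__ == "__main__":
    for vc in (b"PXEClient:Arch:00000:UNDI:002001",   # constructed PC sample
               b"AAPLBSDPC/i386/MacBookPro5,1",       # constructed Mac sample
               b""):
        print(vc or b"(none)", "->", boot_client_type(sample_request(vc)))
```

A DHCP server that can match on option 60 can use the same prefix test to hand the KACE boot settings only to `PXEClient` requests.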

tlarkin
Honored Contributor

You can also use the bless command on the macs to give it a one time
netboot to a specific server. Not sure if that helps you or not

ktrampe
New Contributor II

We use this:

http://www.deploystudio.com/Home.html
http://web.mac.com/driley/web/deploystudio_files/DeployStudio_Guide.pdf

Pretty much everything about this is easy; and it's free.

It doesn't do packaged based installing, but for monolithic imaging, it's the bees knees.

We PXE boot our PCs and Netboot our Macs. Our DHCP server uses option 66 to specify the PXE server and 67 to specify the boot file.

Cheers!
Kerry

Not applicable

Deploy studio does do packaged based imaging, FYI.

- JD

ktrampe
New Contributor II

I think you're right James...

On the Mac, you can do packaged based installing in your workflows. I was talking about the PC side. I should have worded that sentence like this:

"It doesn't do packaged based installing while PXE booted..."

... but don't quote me on that one either. :)

I think you can only make monolithic images for PCs. Has anyone used it for packaged based installing on a PC? 'cause that'd be cool!

I'm just about as far as you can get from being a DeployStudio expert, so if I'm wrong, please let me know.

Have an enjoyable afternoon,
Kerry

Not applicable

> On the Mac, you can do packaged based installing in your workflows. I
> was talking about the PC side. I should have worded that sentence like
> this:
>
> "It doesn't do packaged based installing while PXE booted..."

You are correct about that. I took your original to read that neither
did. Just a misunderstanding. : )

Thanks,

- JD

abz_mungul
New Contributor III

Thank you all for your feedback

We have a budget of approximately £2500; we are looking at this Xserve:

Apple Xserve 8-core "Nehalem" 2.26GHz/3GB/2x160GB/DualPSU 2 x 160GB Serial ATA ADM @ 7200-rpm (mirrored OS) Dual 750W Power Supply NVIDIA GeForce GT 120 256MB 8x SuperDrive DL (DVD+R DL/DVD + RW/CD-RW) 3GB (3x1GB)

Because we are restricted by budget ( and can't buy a RAIDED Xserve) I was
thinking of attaching some external storage space to hold the OSX Updates.

Or can anyone suggest a better way of doing this?

Bukira
Contributor

Can I ask what Macs you are supporting with this and what the demand will
be on the server?

Criss


abz_mungul
New Contributor III

Hi Criss

We are currently supporting approximately 120 Macs in our London Office ( a
combination of Mac PROs, MacBook PROs, iMacs and MacBooks) All running
10.5.8

The Server will need to be able to create packages, send out Images/OSX
Updates and it will also be used to remote control machines.

Abz

talkingmoose
Moderator

This is a comment aside from your discussion:
On 5/11/10 3:49 AM, "Abdurrahman Mungul" <abdurrahman.mungul at imagination.com> wrote:

I would avoid using the server as a workstation. Use a Mac workstation to
create packages and remote control machines. If you crash a workstation,
only one machine is affected. If you crash a server then everyone is
affected.
