Posted on 05-27-2015 03:34 PM
Unfortunately I missed it in testing, but we rolled out 9.65 and I realized that techs with casper remote access are presented with a prompt to share the screen with the user, or instead login with the casperscreensharing account. If they choose the latter, the client has no visibility at what the tech is doing. Worst case a disgruntled tech could login as casperscreensharing and then logout and login as an administrator and wreak havoc on the computer with the client having no idea this is going on.
Am I the only JAMF customer that is concerned by this? It seems like I'm the only one who has complained so far. We have very strict remote control guidelines (I know this makes us unique), but it seems extreme this is enabled by default with no way to turn it off. We do force users to accept the connection, but there is still the assumption of visibility once the client accepts the prompt.
I get the usefulness of this feature, a user doesn't need to be bothered, a tech could do work on the back end without bothering the user. I don't get why this is on by default without a way to disable the feature for more secure environments where it's important the client sees what the technician is doing for 100% visibility.
I have had a few calls and emails with JAMF about this, and so far the answer was it's working as designed and instead technicians shouldn't have admin access on the machines, if they didn't have that then they couldn't do anything malicious. Really, for our remote control guidelines, it's more about the visibility than the malicious intent.
Am I alone in wishing there was some way to disable this?
Posted on 05-27-2015 05:29 PM
But that is a function of screensharing in OS X itself.
If instead of ARD you use the built in screen sharing app in OS X and connect as a user that is not logged in while someone else is logged in you will get the same exact prompt since its also using the built in OS X screensharing app in both cases.
Posted on 05-27-2015 11:13 PM
@CasperSally If they have access to remote, do they also have access to run scripts & install software etc?
Cos that too could cause havoc as well. Hell, they could restart via remote whilst a user is logged in. All without logging into a user session.
Posted on 05-28-2015 03:33 AM
It sounds like you might need to disable screen sharing in Casper remote and have them use something else. That being said, have you tried changing some of the privileges:
Posted on 05-28-2015 04:08 AM
@bentoms - the tech accounts are very locked down. techs can only use casper remote to screen share.
@davidacland - This isn't how casper remote worked in 9.32. I wonder if the change was in the release notes at some point, if it was, I obviously missed it. In my opinion, building off of the build in screen sharing is fine, but I don't consider the ability to masquerade as another user screen sharing anymore and the user prefs you took a screen shot of don't reflect that.
Our concern isn't really the techs doing something malicious, that's really a worst case example, it's more the policy we have that the end user accepts the request and can see what techs are doing every step of the way.
It's unfortunate to have to consider another product for remote access. It's not like we'll get some sort of reduced rate for not using Casper Remote anymore to offset the cost of another product. We use Bomgar for PC access... it's not cheap.
Posted on 05-28-2015 05:25 AM
@CasperSally - this isn't a concern in my environment, but I know that @mm2270 has been working on a method to alert users when there is an active screensharing session. It was detailed in https://jamfnation.jamfsoftware.com/discussion.html?id=12735
Posted on 05-28-2015 05:51 AM
I think that's a function built in to OSX, not Casper.
Posted on 05-28-2015 05:56 AM
@CasperSally have you tried turning off the without asking option? if it has to prompt the user I am fairly certain they will not get the other option. if I get time to play around today I will try to test that as well.
Posted on 05-28-2015 05:59 AM
@nessts - we never have allowed the without asking option for the techs, part of our policy requires the request for control/view.
Posted on 05-28-2015 06:42 AM
saves me needing to test it then i suppose.
Posted on 05-28-2015 07:44 AM
@mattware is right, Casper Remote is sending the request to Screen Sharing.app (built into OS X).
FWIW, that Screen Share with Remote Users Without Asking checkbox is a no-no in every environment I've ever been in (legal, HR, and security mandates).
So we have to make sure hat box is off for all JSS user/group accounts.
So we have only the Use Casper Remote and Screen Share with Remote Users enabled for techs.
Check in Computer record > History > Screen Sharing Logs to see who logged on to which computer.
You can use an ACL for Remote Management, but you'd have to share the local admin account credentials (not sure how that would pan out if you're rotating that password).
Posted on 05-28-2015 09:59 AM
I wanted to chime in on this topic, partly because I think that some of us are confusing the issue that @CasperSally brought up here, and also because I understand the issue and will detail one possible way to mitigate it.
The issue here isn't whether techs are secretly logging into other users Macs. or that the end users aren't being asked to authorize the connection. As she has mentioned, the users do see a prompt to allow the remote tech to connect when its done over Casper Remote. The issue is that, because of how Apple's built in screen sharing works, which Casper Remote has been using now for several years I might add, its connecting with the temporary "casperscreensharing" account. When this happens, the tech gets presented with 2 options - Share the screen with the currently logged in console user, OR, log in as casperscreensharing. The latter option is where the concern comes in since this allows someone to log in and not show any control over the screen of the current console user. so they can't see anything the remote tech is doing.
This is not a big issue for us, so, though I've known it works this way for a while, I never gave it much thought until now.
First thing is, this is Apple's screensharing at work and not something JAMF is doing. This is how it works. Here's an example:
• If I have another Mac that I am logged into with my AD account on, and from my primary Mac I fire up regular old Screen Sharing.app, type in the remote Mac's IP or hostname and connect, I get prompted for credentials.
• If I type in my own AD credentials, since my account is also on that Mac and in control of the screen, I get logged right into that account, no questions asked, no other options given.
• If on the other hand, I type in the name/password of a local account on the Mac, like a local admin account, I then get 2 options - Share the screen with my account that's logged into the remote system, or log in as that local administrator account. I can choose whichever one, leading to the concern above.
So in essence, the only way for Casper Remote to not present those options would be for it to somehow know the credentials for the logged in user and connect as them and not as casperscreensharing.
Obviously this is impossible, and so, as JAMF stated, this is working as designed.
Now, for a possible solution, I just tested something out and wanted to share.
So, one thing JAMF could implement (as an option of course) to stop logging in as their "casperscreensharing" account is to disable actual login to that account. What I mean is, set the User shell to /usr/bin/false
. I just did a series of tests on this and it prevents me from logging into that account when I'm presented with those options. I tested this by starting a Casper Remote session and when the prompt appears on my admin Mac, going to the test Mac I'm remoting into and doing the following command:
sudo chsh -s /usr/bin/false casperscreensharing
Once done, I tried selecting the "casperscreensharing" account to log into and could not. Its a bit ugly as is, because it simply sits there indefinitely trying to 'log in' and can't. You have no choice but to click Cancel and restart a screen share connection. I then tried by sharing the screen with my console account and got right in, so setting the shell that way doesn't affect the ability to share the screen with the logged in user.
Given this, I came up with the following process, which is a bit rough right now, but may help with this issue. Its a LaunchDaemon that watches /private/var/
(The "casperscreensharing" account home directory gets put here) and when the script the LaunchDaemon runs fires, it checks to see if the account is there and if the UserShell is set to /usr/bin/false
. If its not, it "fixes" it and thus prevents anyone from logging in with it. There are some other things going on to help catch it if it needs to loop a few times for example, but generally speaking, thats all it does.
Disclaimer: I have not done an extensive amount of testing with this, just preliminary exploration of a possible solution. You can try this out to see how it works for you, but no guarantees this will always work properly.
Here's the LaunchDaemon (which I named com.org.cssfix < "casperscreensharing fix):
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.org.cssfix</string>
<key>Program</key>
<string>/private/var/scripts/disable_cssuser.sh</string>
<key>RunAtLoad</key>
<true/>
<key>WatchPaths</key>
<array>
<string>/private/var</string>
</array>
</dict>
</plist>
And here's the script, named "disable_cssuser.sh" and put into /private/var/scripts/
as shown in the LaunchDaemon, but it can be put anywhere:
#!/bin/bash
acct="casperscreensharing"
function fixcasperscreensharing ()
{
if [ "$times" == 4 ]; then
echo "Failed to correct casperscreensharing account"
exit 1
fi
if [[ $(dscl . read /Users/${acct} UserShell | awk '{print $NF}') == "/bin/bash" ]]; then
echo "casperscreensharing account is active and has a user shell of /bin/bash. Fixing..."
chsh -s /usr/bin/false casperscreensharing
sleep 0.7
if [[ $(dscl . read /Users/${acct} UserShell | awk '{print $NF}') == "/usr/bin/false" ]]; then
echo "casperscreensharing login has been disabled. Exiting..."
exit 0
else
let times=$((times+1))
fixcasperscreensharing
fi
fi
}
if [[ $(dscl . list /Users | grep "$acct") ]]; then
times=1
fixcasperscreensharing
else
echo "casperscreensharing account was not found. Exiting..."
exit 0
fi
sleep 9
I have this exact LaunchDaemon and script running on a test 10.10.3 Mac next to me, and have been testing Casper Remote screen sharing to it for the last 2 hours, and I have not been able to log in under casperscreensharing with this on, through multiple attempts and through reboots, but I can share the screen with the account the Mac is actually logged into (mine) every single time, so it seems to be working well for me.
If anyone wants to take this basic concept and perhaps flesh this out or make it more reliable, feel free to. I likely will not put any more time into it, but wanted to share a possible way to address this. Perhaps JAMF can add something into a future version, like a checkbox under some settings in the JSS that will automatically create the account in a way that no-one can log into it. Its possible to do, as I've shown above.
Posted on 05-28-2015 10:30 AM
thanks @mm2270 for the time you put into this, I really appreciate it. I'm definitely going to test and bring this up with JAMF and see if they see any downside to the approach.
Posted on 05-28-2015 11:22 AM
@CasperSally Sure, no problem.
As I mentioned, though its not a big deal for us, I can certainly appreciate the concern.
FWIW, I've done a little more testing with this in place and so far I've seen no ill effects. Each time I start up a CR screen sharing connection, I'm unable to log in with the "casperscreensharing" account, but can always share the screen with the console user. Once I'm in, it acts just as if I'd chosen to share the screen from the get-go and can control the screen, etc. When finished, I close the Screen Sharing window and a few moments later Casper Remote detects the closed connection and notes that in the Screen Sharing connections window.
Also, looking at the casperscreensharing account in dscl, it appears just like any other local account, complete with a home directory, full name, password, UID, GeneratedUID, even a user picture! :) So it seems it should be possible for them to just create the account with a disabled shell to prevent using it to connect.
I'd say the only downside is that the Screen Sharing.app can't possibly know the User Shell has been disabled for that account, and so it just tries and tries and tries to connect, with no message as to why it can't. I'd imagine eventually it will just time out, but I haven't let it try long enough to know.
Definitely post back when you discuss it with JAMF as I'm curious what their thoughts are on this.
Posted on 05-29-2015 11:16 AM
Sorry @CasperSally, I wasn't quite getting it.
But as usual @mm2270 stepped in. :)
Hope you get the answers from JAMF you're after. Please report back!
Posted on 06-03-2015 05:29 AM
Posted on 06-03-2015 06:18 AM
@CasperSally Thanks for reporting back on that. I'm not in the least surprised by their response. It is, of course, unsupported since its modifying the original process (slightly) Though it may be a good solution, its a hack. Not a particularly dangerous hack, but a hack nonetheless.
I'm hoping JAMF will consider implementing something (as I originally mentioned) that would be an option in the JSS to prevent log in to the casperscreensharing account in the future. Its not impossible to do, but they will have to decide if this warrants an actual feature in the product. From the standpoint of security/transparency, I'd say it would make a good feature to have in there.
Speaking of that, did you actually make a Feature Request out of this? I can't recall now. If not, might be a good idea to get that in to get votes on it.
Posted on 06-03-2015 06:24 AM
@mm2270 - I just created the feature request here, thanks for the reminder. They always seem like such a drop in the bucket it doesn't always seem to be worth the effort, but it can't hurt.
https://jamfnation.jamfsoftware.com/featureRequest.html?id=3622