Posted on 05-05-2016 12:42 PM
Anyone have any ideas on how to change a computer's management account without running recon? I have quickadd packages that have a standing invitation for new / re-enrollments. I use one quickadd for each of our sites and I would rather not have to update them every password rotation, but just one policy.
I'm trying to change/set/create the management account via policy when a machine is imaged, and having this trigger on enrollment runs yet another recon - which I'm simply trying to eliminate as not necessary during a re-image.
The current method I'm using is:
jamf recon -sshUsername '_hiddenuser' -sshPassword 'initialimagingpassword'
Running recon after just having run recon is ... dumb. Never mind the fact that the command also seems to fail to add the user to com.apple.access_ssh. Again... dumb. It's really just got two things to do and it fails at one of them. sigh
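As an added example (not from the thread or from Jamf), here is the kind of idempotent check-then-add script a policy could run to make sure the management account actually ends up in com.apple.access_ssh, independent of whether recon did it. It uses the real macOS dseditgroup(8) tool; the DSEDITGROUP variable is an assumed override hook so the membership logic can be exercised off-box with a stub that mimics the -o checkmember / -o edit interface. The account name _hiddenuser is the one quoted above.

```shell
#!/bin/sh
# Added example: ensure a Jamf management account is a member of the
# com.apple.access_ssh group, which gates Remote Login (SSH) on macOS.
# Runs as root on a Mac. DSEDITGROUP is an assumed override hook for testing;
# on a real machine it resolves to the system dseditgroup binary.

DSEDITGROUP="${DSEDITGROUP:-dseditgroup}"
SSH_GROUP="com.apple.access_ssh"

# Returns 0 if the user is already a member of the SSH access group.
# dseditgroup exits non-zero when the user is not a member.
ssh_group_has_user() {
    "$DSEDITGROUP" -o checkmember -m "$1" "$SSH_GROUP" >/dev/null 2>&1
}

# Adds the user to the SSH access group only when missing, then re-checks so
# a silent failure of the edit is reported rather than assumed. Prints one
# word so a policy log shows what happened: "present", "added" or "failed".
ensure_ssh_access() {
    user="$1"
    if ssh_group_has_user "$user"; then
        echo "present"
        return 0
    fi
    if "$DSEDITGROUP" -o edit -a "$user" -t user "$SSH_GROUP" >/dev/null 2>&1; then
        if ssh_group_has_user "$user"; then
            echo "added"
            return 0
        fi
    fi
    echo "failed"
    return 1
}

# Usage as a policy script: pass the management account name as the first
# argument, e.g.  ./ensure_ssh_access.sh _hiddenuser
if [ -n "${1:-}" ]; then
    ensure_ssh_access "$1"
fi
```

Because the script re-verifies membership after the edit and exits non-zero on failure, the policy result in the JSS reflects whether SSH access really exists, which is the gap the recon command leaves open.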
Posted on 05-05-2016 01:27 PM
Sounds like you're using the management account for your backdoor account and for JSS management properties. A couple things about that.
1st, the management account is used by Casper Remote, to SSH into a machine and kick off a policy when you've sent something to it with Casper Remote. The management account is NOT used for normal JSS processes.
2nd, if your policies require you to rotate that password, then it makes sense to auto-generate a password and have it rotated with a policy in the JSS.
3rd, if you need a backdoor/admin account, it may make sense to manage that through other channels. Perhaps just create a user on each machine for admin use with a JSS policy? You can create/delete that account as needed and avoid the password-syncing issues of the management account.
Posted on 05-06-2016 03:09 AM
No, we are on the same page. We do have a traditional local administrator account. I've realized the above you've outlined, however a bit late. When we rolled out casper we leveraged the local admin for casper's ssh/casper remote. This local administrator account now requires rotation by policy. But we still need to know this password for day-to-day administrative tasks.
To accommodate this I'm splitting off a casper management account which will take advantage of the randomized password feature. Then I will rotate the local admin account. This is pretty much complete.
Outstanding is my re-imaging process - which I have to do often enough in my environment - no way out of it. Just take my word for it. In my environment - we break OSX a lot.
My conundrum is just my enrollment process. It's still using the admin account and I was hoping not to have to re-create all my quickadd packages which are used in my imaging process (deploystudio). I was looking for a way to use a policy and implement first boot to fix the management account issue but it's a pain because of repeated recons.
In the wake of a new day I can see the light. I can just re-create the quickadd packages. It's easier than fighting to get casper working the way I feel it should.
It's either that or I leverage the API - which I've started developing tools for already.
Posted on 05-06-2016 08:11 AM
Pardon my whining.... Making the new quickadd packages took less than five minutes. I think I had to click maybe 20 times. I'm such a git.