Posted on 03-13-2015 07:21 AM
I am trying to find the right options for a limited user to be able to push
out a FileVault configuration. It works fine as an admin user, but so far
with the limited user account when I attempt to push the FileVault
configuration I get the error:
"there was an error creating resources on the JSS"
I have tried this solution with no joy so far:
https://jamfnation.jamfsoftware.com/discussion.html?id=8235
Posted on 03-13-2015 08:17 AM
Does the user in question have Create Privileges for Policies?
Posted on 03-13-2015 08:35 AM
@Kaltsas yes, but sadly no joy. If you have a limited access user working for such a task, would you be willing to share all privileges you currently have set for them?
Posted on 03-13-2015 08:38 AM
What version of the JSS are you running? There was a bug at one point where you had to set the permissions in Casper Imaging Privileges to allowed to jigger some Casper Remote function into working correctly.
Posted on 03-13-2015 08:39 AM
JSS 9.65
Posted on 03-13-2015 08:40 AM
It's possible the bug hasn't been fixed. Have you tried flipping the permissions in Casper Imaging Privileges to allowed?
Posted on 03-13-2015 08:42 AM
Currently Casper Imaging Privileges has 3 options:
Use Casper Imaging (set)
Customize a Configuration (not set)
Store Autorun Data (not set)
Posted on 03-13-2015 08:46 AM
Our encryption policy is in self service, but I had gotten that error with techs doing other functions in Casper Remote. Let me fire up a test machine and I'll try to push an encryption configuration to it with a tech account.
Posted on 03-13-2015 08:48 AM
I updated the Casper Imaging Privileges 3 options:
Use Casper Imaging (set)
Customize a Configuration (set)
Store Autorun Data (set)
Still no joy.
Posted on 03-13-2015 09:04 AM
I was able to kick out an encryption configuration with a tech user having the following permissions. We are running 9.65.
Advanced Computer Searches Read
Computers Read
Policies Create
Allow User to Enroll
Change Password
Enroll Computers and Mobile Devices
Use Casper Remote
Install/Uninstall Software Remotely
Run Scripts Remotely
Map Printers Remotely
Add Dock Items Remotely
Manage Local User Accounts Remotely
Bind to Active Directory Remotely
Reboot Computers Remotely
Perform Maintenance Tasks Remotely
Search for Files/Processes Remotely
Enable Disk Encryption Configurations Remotely
Screen Share with Remote Computers
Screen Share with Remote Computers Without Asking
Use Casper Imaging
Customize a Configuration
Store Autorun Data
Posted on 03-13-2015 09:24 AM
Thanks for the configuration info! After verifying all these settings, I am now able to schedule the job successfully, but it fails on authentication.
I think I have a larger problem: even as an admin user, attempting to use Casper Remote to screen share a computer, I get an error that an incorrect username/password is entered for this computer.
I have updated permissions for a limited access user and have been able to successfully start the FileVault configuration job, but it errors out while authenticating.
When I attempt to use this account to screen share, I get the same "incorrect username/password is entered for this computer" error.
What username/password is in use for Casper Remote functions?
Posted on 03-13-2015 09:29 AM
My inclination is that the Casper management account/credentials are used for the actual execution of these functions by the jamf binary on the target system. Do you have a policy in place that randomizes the management account? This seems like, potentially, the JSS has inaccurate information about the management account on the target system.
Posted on 03-13-2015 09:48 AM
I think I will consider this solved as the problem now appears to be authentication.
Thanks!
Posted on 03-13-2015 10:02 AM
I think there is another thread talking about general Casper Remote issues in the newer versions that would be worth checking for.