Enable Level 1 Tech to push FileVault via Casper Remote

donparfet
Contributor

I am trying to find the right options for a limited user to be able to push
out a FileVault configuration. It works fine as an admin user, but so far
with the limited user account when I attempt to push the FileVault
configuration I get the error

"there was an error creating resources on the JSS"
I have tried this solution, with no joy so far:

https://jamfnation.jamfsoftware.com/discussion.html?id=8235

1 ACCEPTED SOLUTION

Kaltsas
Contributor III

I was able to kick out an encryption configuration with a tech user having the following permissions. We are running 9.65.

Advanced Computer Searches Read
Computers Read
Policies Create
Allow User to Enroll, Change Password, Enroll Computers and Mobile Devices

Use Casper Remote, Install/Uninstall Software Remotely, Run Scripts Remotely, Map Printers Remotely, Add Dock Items Remotely, Manage Local User Accounts Remotely, Bind to Active Directory Remotely, Reboot Computers Remotely, Perform Maintenance Tasks Remotely, Search for Files/Processes Remotely, Enable Disk Encryption Configurations Remotely, Screen Share with Remote Computers, Screen Share with Remote Computers Without Asking

Use Casper Imaging, Customize a Configuration, Store Autorun Data


Kaltsas
Contributor III

Does the user in question have Create Privileges for Policies?

donparfet
Contributor

@Kaltsas yes, but sadly no joy. If you have a limited access user working for such a task, would you be willing to share all privileges you currently have set for them?

Kaltsas
Contributor III

What version of the JSS are you running? There was a bug at one point where you had to set the permissions in Casper Imaging Privileges to allowed to jigger some Casper Remote function into working correctly.

donparfet
Contributor

JSS 9.65

Kaltsas
Contributor III

It's possible the bug hasn't been fixed. Have you tried flipping the permissions in Casper Imaging Privileges to allowed?

donparfet
Contributor

Currently Casper Imaging Privileges has 3 options:
Use Casper Imaging (set)
Customize a Configuration (not set)
Store Autorun Data (not set)

Kaltsas
Contributor III

Our encryption policy is in self service, but I had gotten that error with techs doing other functions in Casper Remote. Let me fire up a test machine and I'll try to push an encryption configuration to it with a tech account.

donparfet
Contributor

I updated the 3 Casper Imaging Privileges options:
Use Casper Imaging (set)
Customize a Configuration (set)
Store Autorun Data (set)
Still no joy.

Kaltsas
Contributor III

I was able to kick out an encryption configuration with a tech user having the following permissions. We are running 9.65.

Advanced Computer Searches Read
Computers Read
Policies Create
Allow User to Enroll, Change Password, Enroll Computers and Mobile Devices

Use Casper Remote, Install/Uninstall Software Remotely, Run Scripts Remotely, Map Printers Remotely, Add Dock Items Remotely, Manage Local User Accounts Remotely, Bind to Active Directory Remotely, Reboot Computers Remotely, Perform Maintenance Tasks Remotely, Search for Files/Processes Remotely, Enable Disk Encryption Configurations Remotely, Screen Share with Remote Computers, Screen Share with Remote Computers Without Asking

Use Casper Imaging, Customize a Configuration, Store Autorun Data

donparfet
Contributor

Thanks for the configuration info! After verifying all these settings I am now able to schedule the job successfully, but it fails on authentication.
I think I have a larger problem: even as an admin user, attempting to use Casper Remote to screen share a computer, I get an error that an incorrect username/password is entered for this computer.
I have updated permissions for a limited access user and have been able to successfully start the FileVault configuration job, but it errors out while authenticating.
When I attempt to use this account to screen share, I get the same "incorrect username/password is entered for this computer" error.
What username/password is in use for Casper Remote functions?

Kaltsas
Contributor III

My inclination is that the Casper management account/credentials are used for the actual execution of these functions by the jamf binary on the target system. Do you have a policy in place that randomizes the management account? This seems like, potentially, the JSS has inaccurate information about the management account on the target system.

donparfet
Contributor

I think I will consider this solved as the problem now appears to be authentication.
Thanks!

davidacland
Honored Contributor II

I think there is another thread talking about general Casper Remote issues in the newer versions that would be worth checking for.