[Feature request] run as user, modify keychains

tlarkin
Honored Contributor

Hello,

This is a multi feature request. I will just get to the point:

1) Run as user - pretty self-explanatory. I would like the ability to run a script, command, whatever as the user that is logged in, much like a user agent. I know you can script this out, but really I would like to be able to tell a script, by a check box, to just run as user; then I wouldn't have to deploy user agents. Then make them available offline, and also be able to say run at login or startup, or whatever.

2) I am surprised this isn't a feature of Casper just yet, but I would like to see a set of keychain tools. I am going through the process right now of adding keychain items and it is a pain in the butt. This feature request is sort of twofold, since if Casper had the ability to run as user, I could use that to modify a user's keychain and not need their keychain password. Also, when a user changes their password it doesn't always change the password of their keychain, which also causes issues. So I can deploy user agents, but then I have scripts with passwords, or have to put the password/commands in the user agent itself, and, well, that is just not all that great from a security standpoint.

As of right now I am basically working with commands like this:

# Add the network to the preferred list:
#   networksetup -addpreferredwirelessnetworkatindex <interface> <SSID> <index> <security type> <passphrase>
/usr/sbin/networksetup -addpreferredwirelessnetworkatindex Airport usd500_wpa 0 WPA2 mypasskey

# In the command below, usd500_wpa is the SSID of my wifi network.
# Store the passphrase as a keychain item that airport and airportd may read
# (-T), updating the item if it already exists (-U). The last argument is the
# keychain to write to; note that ~ expands to the home of whoever runs the
# command, so when run as root this lands in /var/root, not in the user's
# login keychain.
/usr/bin/security add-generic-password \
    -a usd500_wpa -s AirPort -D "AirPort network password" -l usd500_wpa \
    -w mypasskey \
    -T /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport \
    -T /usr/libexec/airportd \
    -U ~/Library/Keychains/login.keychain

This seems to work for me as a post-image script and as a user agent, but I think Casper should make it easy for me and just add this to the framework, so I can go in and say all users get this added to their keychains and then Casper just does it for me. I am also looking at adding Internet passwords for our online textbooks and such, which also uses the security command.

Thoughts?

Thanks, tom

6 REPLIES

bentoms
Release Candidate Programs Tester

I have used Keychain Minder to remind users to update their keychain password at login.

It helps with nagging those that ignore the built-in login prompt.

Regards,

Ben.

tlarkin
Honored Contributor

Yes, but if you can run as user, you can update their keychain, and you can also change it when they change their password... Just seems like a good set of features to have, if you ask me.

rockpapergoat
Contributor III

Keychain Minder handles a separate issue.

Can you get by with adding items to the system keychain, setting trust, and allowing all users access? I haven't tried this with web page logins, but it seems like it would work.

As for features, I'd like to see better reporting in general and better search for policies…

tlarkin
Honored Contributor

I originally tried using the system keychain; it seems the login.keychain overrides it and causes the system keychain to "lose" the passkeys I set up. Apple verified this via enterprise support. Do you have any keychain tools, Nate, that you could share?

Thanks, Tom

bentoms
Release Candidate Programs Tester

I've used the method Nate's described for Certs.

No idea about passwords. Sorry.

Regards,

Ben.

rockpapergoat
Contributor III

I don't have anything special in my bag of tricks; I just use security to add items as needed. As I see it, the options are to roll up scripts based on the security binary to manipulate keychains or use the Security framework to do the same. The results should be about identical. Hooking into the framework directly may allow for more elegant app-like experiences, though.

If you haven't yet, try to pass the passwords in variables Casper can handle ($4, $5, etc.) instead of in plain text within your scripts. The passwords may be logged in plain text on the client side if you're not careful, though.
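Putting the two suggestions from this thread together, as an added example that is not code from the thread or from Casper: a policy script that performs the keychain write from the original post as the logged-in console user rather than as root, and takes the SSID and passphrase from Casper's script parameters $4 and $5 (Casper reserves $1 to $3) instead of a hard-coded string. It assumes the console user's home is /Users/<name>, that the machine runs a macOS with `launchctl asuser` (10.10 and later), and that the item layout matches the command in the post; the DRY_RUN switch and the function names as_user, redact and add_wifi_item are illustrative, not Casper features.

```shell
#!/bin/sh
# Added example, not code from the original post or from Casper/Jamf.
# Adds a Wi-Fi passphrase to the console user's login keychain, taking the
# SSID and passphrase from policy parameters $4 and $5 so no secret lives in
# the script body. Assumptions: home is /Users/<name>; macOS 10.10+ for
# `launchctl asuser`; DRY_RUN/as_user/redact/add_wifi_item are illustrative.

# Name of the user who owns the console session (BSD stat syntax, macOS only).
console_user() {
    stat -f '%Su' /dev/console 2>/dev/null
}

# Run "$@" as $user. sudo -u drops root; launchctl asuser places the process in
# that user's launchd context so the Security framework finds the user's
# session and keychain. With DRY_RUN set, print the argv, one element per
# line, instead of executing it.
as_user() {
    local user uid
    user="$1"; shift
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$@"
        return 0
    fi
    uid=$(id -u "$user") || return 1
    /bin/launchctl asuser "$uid" /usr/bin/sudo -u "$user" "$@"
}

# Filter: copy argv lines from stdin to stdout, masking the element that
# follows -w, so the policy log (which Casper fills from the script's output)
# never receives the passphrase.
redact() {
    local prev line
    prev=""
    while IFS= read -r line; do
        if [ "$prev" = "-w" ]; then
            printf '%s\n' '****'
        else
            printf '%s\n' "$line"
        fi
        prev="$line"
    done
}

# Add (or, thanks to -U, update) the AirPort item in $user's login keychain.
add_wifi_item() {
    local user ssid passkey keychain
    user="$1"; ssid="$2"; passkey="$3"
    keychain="/Users/$user/Library/Keychains/login.keychain"   # assumed home layout
    # Same option set as the post; the keychain path is positional and comes
    # last. -w places the secret on the command line, where ps can show it to
    # other local users for as long as security(1) runs.
    set -- add-generic-password \
        -a "$ssid" -s AirPort -D "AirPort network password" -l "$ssid" \
        -w "$passkey" \
        -T /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport \
        -T /usr/libexec/airportd \
        -U "$keychain"
    printf '%s\n' "$@" | redact >&2        # masked copy for the policy log
    as_user "$user" /usr/bin/security "$@"
}

main() {
    local ssid passkey user
    ssid="$4"; passkey="$5"
    if [ -z "$ssid" ] || [ -z "$passkey" ]; then
        echo "usage: parameter 4 (SSID) and parameter 5 (passphrase) are required" >&2
        return 2
    fi
    user=$(console_user)
    case "$user" in
        ""|root|loginwindow|_mbsetupuser)
            echo "no user logged in at the console; skipping" >&2
            return 1 ;;
    esac
    add_wifi_item "$user" "$ssid" "$passkey"
}

# Casper invokes the script with $1-$3 plus the configured parameters.
if [ "$#" -ge 5 ]; then
    main "$@"
fi
```

Run it from a policy with the SSID in parameter 4 and the passphrase in parameter 5; set DRY_RUN=1 to print the argv it would execute without touching a keychain. Only the masked copy goes to the log, but the passphrase is still on security's command line while it runs, so this narrows the exposure the thread is worried about rather than removing it.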