Jamf Nation Community

Report Inappropriate Content · ‎04-04-2007

Does anyone else think it'd be a good idea for Casper to have a checkbox to
reset the printing system? I'm working on a script to do the same thing, but
it'd be great to have the option of removing ALL the client's printers
before pushing out a new set. It'd be great if it did the same thing as when
you do the "reset printing system" from the Print Setup Util.

Reseting seems like the best way to avoid duplicate/dead printers on the
client systems.

Anyone else think that's a good idea?
-- David Norris
Systems Administrator
Crispin Porter + Bogusky
dnorris at cpbgroup.com

tlarkin · ‎02-11-2010

Send unix command and managing servers via ARD client is very nice. I
can to everything from the interface. Also, I am sure you can export
casper inventory reports to say, XML and then import them into ARD. I
have not tried this but I bet it works. I also think that Casper VNC is
not meant to compete with ARD Admin, they are two very different
products. I think still that even with Casper ARD Admin is a must need
tool for IT people.

Kedgar · ‎02-11-2010

The problems I see with using ARD are mainly security related:

Difficult to make sure everyone is using secure settings
Difficult to make sure people do not have reporting features turned on
If there isn't a task server or the user is not setting the task server, large reports are sent over wan and have really killed our connections
Screen Sharing access is not logged (centrally at least)

I really have not been using it since we began using Casper Suite... but I could see maybe keeping it alive for a few "privileged" admins. ARD usage has become out of hand at my company with former or non IT users having access to it (and timbuktu).

ernstcs · ‎02-11-2010

I still use ARD for my remote server access, but that’s it. I use one tool for all my other endpoints, Casper Suite. =)

Craig E

ernstcs · ‎02-11-2010

I’ll add one more thing to this now that I sat and thought about it. I apologize to the digesters for my many multiple emails.

The other issue I’ve had with Casper Remote access is the ability to be more granular with permissions to who can access which systems remotely. I have two distinct areas LABS and OFFICES. Right now if I give access to someone who needs to do something in a lab without a user prompt with Casper Remote they also have that ability in the offices, which I don’t want.

The ability to say this group of users can access this set of machines in this fashion, and that’s it, instead of being a global decision.

Craig E

jarednichols · ‎02-11-2010

More granular permissions is something that I've asked for in the past. It
would be nice to give someone full control but only over a certain
department or building, for instance.

donmontalvo · ‎02-11-2010

Just curious, why not scope policies to AD groups? Of course this assumes the JSS is bound to AD.
Nichols, Jared - 1160 - MITLL jared.nichols at ll.mit.edu wrote:

Don

--
https://donmontalvo.com

Report Inappropriate Content · ‎02-11-2010

I’d have to agree with Thomas. I couldn’t live without ARD. Casper Remote isn’t a replacement for that, IMO.

- JD

Report Inappropriate Content · ‎06-15-2010

Hello,

I would like to request a new feature. To make administration easier I would
love to see multiple triggers on a single policy.

Thanks,
Mark Pellecchia
OIT Support Services
Princeton University
markpe at princeton.edu

ernstcs · ‎06-15-2010

Mark,

Can you give some type of scenario as to why you would need to do this? My initial thinking is this just makes it more complicated...

Also, make sure you copy support at jamfsoftware.com so they see the request as well, but they really love it when it comes with how and why so they better understand the need.

Thanks!

Craig E

tlarkin · ‎06-15-2010

You can already do this if you want. Casper has a built in feature to duplicate a policy. So for example I will make a log in hook that runs once per a computer, and then a self service duplicate that runs indefinitely just in case two different users swap out computers so they can rerun the policy under their account, and you can finally duplicate the policy and put a manual trigger on it. So any of your IT staff can trigger it from the command line.

Is that what you are asking about?

-Tom

Bukira · ‎06-15-2010

That makes a lot of polices thou

Sent from my iPad

donmontalvo · ‎07-02-2010

Extension Attributes?

--
https://donmontalvo.com

jarednichols · ‎07-02-2010

Hi-

It would be great if the suite was more aware of version numbers. If I could make a smart group that has a collection of computers that have Firefox but the version number is "less than" 3.6.6" rather than having to say "is not 3.6.6" or "is not 3.6.5" or "is not 3.6.4" etc. The second Firefox 3.6.7 comes out, my smart group is invalidated and people could get back-rev'd if I'm not on top of it.

Thanks!
j
--
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436

dderusha · ‎07-02-2010

I concur.
It would make smart groups more efficient

Dan De Rusha
I.T. SPECIALIST

SCHAWK!
T 847.296.6000 M 847.287.1337
F 847.296.9466

1600 Sherwin Avenue
Des Plaines, IL 60018 USA
schawk.com

Schawk invites Industry Thought Leaders to participate in BRANDSQUARE, a one-of-a-kind, exclusive online marketing community. Visit http://brandsquare.com.

ernstcs · ‎07-02-2010

This sounds very similar to a request I had for OS requirements in packages so you could say:

10.5.4+ or 10.5.4< instead of then having to type out 10.5.4, 10.5.5, 10.5.6, 10.5.7, 10.5.8

I can agree with your request as well.

Craig E

RobertHammen · ‎07-02-2010

This is why I make the "update" policies run once rather than recurring. When a new version comes out, after copying it into Casper Admin, I disable the policy, change the smart group version number, flush the policy history, then edit the policy to add in the new package and re-enable it...

davelb20 · ‎07-07-2010

Hello,

I'm not sure if this is currently a feature of Casper, I haven't been able to find any information on it. But I think it would be very convenient if Casper Admin had a command line interface. I am aware of the command line interface available for casper clients through the jamf binary. But I think it would be useful to be able to add files, dmgs, scripts, etc. to Casper Admin through a command line interface. This would allow me to automate customization of dmg files, instead of having to do everything by hand on a computer that has Casper Admin installed. Does anyone know if this is available now or if it is a planned feature in the future? I have already been told by Jamf support that adding/modifying files directly from the caspershare mount is not best practice and could cause problems, has anyone else had any luck with this?.

Thank you

-- David Bruno

John_Wetter · ‎07-07-2010

Interesting Request. I'm trying to imagine a way I'd use this but I don't see it. Can you describe more about what types of functions you'd use this for?

You are correct in saying that it isn't best practice. You might be able to get away with it if you're the only person using Casper, but in an environment where multiple people are using it, editing the live packages is going to lead to all kinds of problems and making sure they're sync'ed across all of the package servers will be hard to do in real time before waiting for a scheduled sync.

John

tlarkin · ‎07-07-2010

I have been slapped on the wrists a few times for my bad habits, but I will edit scripts off the share and then do a sync. My sync settings are set to sync new items by modification date. So, if I mount the master share, and edit say a few lines of a script and save it back to the share, the modification date gets updated. Then when I do a sync, and it does a diff check it will notice that my script has a newer date on the master share and will sync across the distribution points. I do this mainly for efficiency of time as it is a lot quicker to do. Also, I am the only person at my work that does anything on the back end with Casper. No one else touches it, so if anything goes wrong it is always something I did. In retrospect when everything works like it is suppose to, that is also my doing.

As for this feature request, if you are looking at automating tasks, ever think of doing AppleScript or Automator? Does Casper Admin have a dictionary for AppleScript?

davelb20 · ‎07-07-2010

Thomas & John,

Yes AppleScript crossed my mind, but I wasn't sure how that would work with Casper. Anyway, the reason this is important is that we have config files on the clients which possibly change from day to day, so we were going to script the creation of a dmg file with all those files rolled in and create a policy to install it on all of the clients as necessary. So I was interested in being able to script creating the dmg, saving it in casper admin, then adding it to the policy for distribution to clients. I didn't have much luck with command line features in casper admin, but I did manually look through the casper mysql database and view the tables. I found that if you monitor /var/log/jamfChangeManagement.log on the Casper admin server while working with casper admin it displays the sql command equivalent to actions taken in the gui. We thought about manually modifying the database, then adding the files to the share and everything would be up to date. But we decided not to go this route since using sql commands on the database involves a lot of hoops just to use casper. We instead decided to only use casper to run a policy with a script which copies and extracts a tar file to all the systems instead of using a dmg in casper and installing it.

Dave

tlarkin · ‎07-07-2010

I am not sure if this will work for you, but if you configure a machine exactly how you want it, and then drag all the files into composer you can make a dmg snap shot of just those files. Then toss it in casper admin and do the rest yourself. You could have automator record your actions as you do it manually and maybe set up a work flow.

May I ask what it is you are actually modifying on a daily basis? You could also create one script and use the defaults command to write changes to any property list, and you can use other command line tools to write text to any configuration file.

talkingmoose · ‎07-07-2010

None of the applications in the Casper Suite are AppleScript aware.
On 7/7/10 8:57 AM, "Thomas Larkin" <tlarki at kckps.org> wrote:

While I love AppleScript, I know that implementing this in the suite would
probably be a chore to do. Much more difficult than a command line
interface (I'm assuming). If I had my druthers, I'd prefer JAMF to focus
on CLI scripting support first. AppleScript is intended to run under a
user login and often with a GUI interface whereas a CLI script isn't
limited to this. And any shell script can be called from AppleScript to
make droplets.

Now, would I like to see the applications scriptable? I'm trying to think
of the possibilities:

1) Casper Remote - It already has a Save as... button to allow you to save
individual command files that can be simple or complex. All that's needed
is to select the machines and go. I'd actually prefer to see this in a
customizable menu a la Apple Remote Desktop's Send UNIX Command. I can't
think of any reason to script this.

2) Casper Admin - This has possibilities. We often update packages and
"version" them to keep them identifiable. I'd love to have some sort of
droplet where I could drop a new package, index it, have Casper Admin
identify the old package, apply the old package's settings to the new
package and update the configurations for me. I could also see this useful
for adding many new packages and applying the same settings and
configurations to all of them.

3) Recon - I don't use this enough to warrant scripting.

4) Composer - Again, I'm often creating new packages that are just newer
versions of the ones they're replacing. If I could run a script to allow
me to quickly create a new package with predefined names, files,
permissions and package format then I'd find that handy. Furthermore, I
could tie this into a workflow to take the new package and throw it into
Casper Admin for me.

5) Casper Imaging - This doesn't really need scripting since it can be
pre-configured using AutoRun and PreStage.

6) JSS Utility - I don't see this needing any scripting either. It's used
so rarely on a day-to-day basis.

--

William Smith
Technical Analyst
Merrill Communications LLC
(651) 632-1492

davelb20 · ‎07-07-2010

We have local files that can change on a daily basis specific to our daily operations. But I'm not sure if automator would completely work, since in order to run composer it prompts for the local admin passwd. So we would have to store the password in the application and that is not allowed in our security policy.

David Bruno

talkingmoose · ‎07-07-2010

Are these files per user (such as preferences) or per computer?
On 7/7/10 9:43 AM, "David Bruno" <david.bruno at arl.army.mil> wrote:

Anything that's changing on a daily basis might be more easily handled
using some sort of login/launchd script that pulls them from a sever.

--

William Smith
Technical Analyst
Merrill Communications LLC
(651) 632-1492

davelb20 · ‎07-07-2010

The files will be the same across all of the computers, regardless of user.

David Bruno
Computer Scientist
ARL/CISD
410-278-8929
david.bruno at us.army.mil

tlarkin · ‎07-07-2010

I think a log in hook script would then possibly be your best bet, or a policy that is set to run at start up. Then you can just script the changes from bash and have Casper run your script.

jarednichols · ‎07-07-2010

Hi-

I'd like to see the ability to actively SSH to a machine if you have the appropriate privileges in your JSS account. Seeing how the JSS knows a machine's management account password (we spin them randomly) it would be nice if there was an SSH button in Casper Remote. You pick your one computer you'd like to SSH to, click the SSH button and it passes the credentials stored in the server's database down to a local terminal session.

This would save an awfully lot of time from running unix commands and looking at the resulting log report. I often find myself doing this to troubleshoot end-user problems.

Thanks!
--
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436

tlarkin · ‎07-07-2010

This is exactly what I use ARD Admin for. However, it would be a nice feature.

jarednichols · ‎07-07-2010

I'd use ARD, but our access account machine passwords are spun randomly and only the JSS knows it. Not only that, but it's buying two products that do a lot of feature overlap. I'd rather have the thing I use all the time (and prefer) do it (Casper) as it seems an easy add-on.

j
--
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436

jarednichols · ‎07-20-2010

Hi-

It would be great if using Composer and building a pkg installer if you could use a code signing certificate. This way, with one workflow we can create both our Casper DMG and pkg installers that for use in a standalone manner can be verified as coming from a trusted source instead of doubling efford and using Apple’s Package Builder (which supports certs). I’m not sure if Composer is using packagemaker internally, but if it is, the “--sign” flag will allow a Cert to be specified.

Thanks
j
--
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436

localhorst · ‎08-14-2010

Hi,

On 07.07.2010, at 17:31, Nichols, Jared - 1170 - MITLL wrote:

have you considered deploying SSH keys to all hosts and using a slightly modified sudo configuration?

Regards,
Marko

--

Marko Jung
NSMS - Oxford University Computing Services
http://www.oucs.ox.ac.uk/nsms

Report Inappropriate Content · ‎04-29-2011

I concur on being able to parse packages for distribution. We have a number of very large dual boot images that never need to be distributed to our elementary sites. My other request (which I've submitted in the past, so forgive the repetition) would be for some manner of notification if and when a replication fails.

Janice Hill
PC Support Manager
Sheboygan Area School District
920.459.4032

jarednichols · ‎05-02-2011

RE the replication thing… I'm not incredibly familiar with it, but I image there's some settings in rsync that could be tweaked for this.

j
--
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436

jarednichols · ‎05-02-2011

I should say, "RE the replication failure thing"…

It's early.

j

tlarkin · ‎05-02-2011

Replicas are read only, and only the Master can write down to them. I
am sure at some point it does use rsync or something similar
under-the-hood.

Report Inappropriate Content · ‎05-02-2011

Hey Thomas,

You're totally right.

Just for reference, here's the manual command to replicate (from child) :

sudo jssutil replicateFromMaster -server <IP Address> -remoteUsername <username -remotePath <path> -localPath <path> -localOwner <username> This command will replicate the child distribution point from the master. It is intended to be run from the child distribution point server. -server The DNS or IP address of the JSS Master Distribution Point -remoteUsername The username assigned to the read/write user for the master distribution point -remotePath Full path to the master distribution point share -localPath Full path to the child distribution point share -localOwner The username assigned to the read/write user for the master distribution point If you are unsure about any of these settings as they are currently issued, please reference one of the two following paths on your child server to determine what the JSS Setup Utility is using for the variables in the flags: /System/Library/LaunchDaemons/com.jamfsoftware.task.replicate.plist or /Library/LaunchDaemons/com.jamfsoftware.task.replicate.plist In these files, you should be able to see what values are being used.

replicateFromMaster command I use :

sudo jssutil replicateFromMaster -server chiquito -remoteUsername adminesl -remotePath /Volumes/FileHome/Casper/CasperShare/ -localPath /Volumes/Macintosh HD2/CasperShare/ -localOwner adminesl -verbose

Here's the rsync commands running in background:

ssh -l adminesl chiquito rsync --server --sender -vlogDtprz . "/Volumes/FileHome/Casper/CasperShare/" /usr/bin/rsync -avrpogz --delete -e ssh adminesl at chiquito:"/Volumes/FileHome/Casper/CasperShare/" /Volumes/Macintosh HD2/CasperShare/ sh -c /usr/bin/rsync -avrpogz --delete -e ssh adminesl at chiquito:'"/Volumes/FileHome/Casper/CasperShare/"' '/Volumes/Macintosh HD2/CasperShare/' >& /tmp/jamf101027544.tmp

I don't think we can interfere with the rsync commands launched by jssutil.

Maybe we could disable the replication and setup a cron ?

This question was addressed earlier :

I use rsync and set it in a cronjob, mine looks like this 00 01 /usr/local/bin/rsync.sh ##51 14 rsync -rav --delete -e ssh rsyncusr at mainservername:"/share/path/CasperShare/" /distribution/share/path/ This runs every night I also scripted it so I can manually do it. I use Share keys so no Password has to be in the script. Here is my Documentation on that. Each on of these Distribution Points have the personal cert or Shared Key of the main distribution and have created user rsyncusr. This allows a rsync without needing password input. This is setup from Each Distribution Point you must have a user with the name on each server rsyncusr happens to be mine mkdir ~/.ssh ssh-keygen -t rsa -b 2048 -f ~/.ssh/id_rsa -C "Enter an optional comment about your key?" Enter passphrase (empty for no passphrase) no passphrase Your identification has been saved in /Users/rsyncusr/.ssh/id_rsa <-- if Linux will be /home/rsyncusr/.ssh/id_rsa Your public key has been saved in /Users/rsyncusr/.ssh/id_rsa.pub <-- if Linux will be /home/rsyncusr.ssh/id_rsa.pub The key fingerprint is: 60:b5:c1:b7:ee:ab:31:d1:70:d8:03:41:df:0f:08:eb Enter an optional comment about your key? *do this on all servers chmod 700 ~/.ssh chmod 600 ~/.ssh/* *Do this just from the Distubution Points cat ~/.ssh/id_rsa.pub | ssh mainservername 'cat - >> ~/.ssh/authorized_keys' *after first accepting the ssh connection, should no longer need a password*** D. Trey Howell ACMT, ACHDS, CCA trey.howell at austinisd.org Desktop Engineering twitter @aisdmacgeek

We could use --exclude, but it would be much more elegant if JAMF included it in the GUI.

Francois

On 2 mai 2011, at 15:05, Thomas Larkin wrote:

Replicas are read only, and only the Master can write down to them. I am sure at some point it does use rsync or something similar under-the-hood. >>> "Nichols, Jared - 1170 - MITLL" <jared.nichols at ll.mit.edu> 5/2/2011 7:03 AM >>> I should say, "RE the replication failure thing"… It's early. j On May 2, 2011, at 8:00 AM, Nichols, Jared - 1170 - MITLL wrote: RE the replication thing… I'm not incredibly familiar with it, but I image there's some settings in rsync that could be tweaked for this. j -- Jared F. Nichols Desktop Engineer, Client Services Information Services Department MIT Lincoln Laboratory 244 Wood Street Lexington, Massachusetts 02420 781.981.5436 From: Janice Hill <jhill at sheboygan.k12.wi.us> Date: Fri, 29 Apr 2011 15:29:25 -0400 To: "casper at list.jamfsoftware.com" <casper at list.jamfsoftware.com> Subject: [Casper] Feature Request I concur on being able to parse packages for distribution. We have a number of very large dual boot images that never need to be distributed to our elementary sites. My other request (which I've submitted in the past, so forgive the repetition) would be for some manner of notification if and when a replication fails. Janice Hill PC Support Manager Sheboygan Area School District 920.459.4032
Casper mailing list Casper at list.jamfsoftware.com http://list.jamfsoftware.com/mailman/listinfo/casper This message has been sent from the Kansas City, Kansas Public Schools. The information contained in this email and any attachments may be privileged and confidential, and are intended only for the individual or entity identified as the addressee. If you are not the addressee, or if the message has been addressed to you in error, you are not authorized to read, retain, copy, or distribute the message or any attachments. If you have received the message in error, please delete it and any attachments and notify the sender by return e-mail or by telephone. Thank you.
Casper mailing list Casper at list.jamfsoftware.com http://list.jamfsoftware.com/mailman/listinfo/casper

--

Francois Tiffreau | IT operations Manager

ESL Education
Head office – Switzerland
Grand-Rue 50, 1820 Montreux
t +41 21 962 88 80 | f +41 21 962 88 81
skype esl.francois

http://www.esl-education.org

Please consider the environment before printing this e-mail

This e-mail message may contain certain confidential and privileged material for the sole use of the intended recipient. Any review, use or distribution by others is prohibited. If you are not the intended recipient, please contact the sender and destroy or delete all copies.

tlarkin · ‎05-03-2011

This is great, how do you load balance your clients? Do you have a
policy that sets the JSS by network segment?

jarednichols · ‎09-02-2011

Hi-

It would be nice (for those of us who have a lot of policies) if the Policies listing page (policies.html) was able to have disclosure triangles for each category of policies. It would make going to different areas of the page a lot faster.

Thanks

j
---
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436

Walter · ‎09-02-2011

Feature requests should be sent to support at jamfsoftware.com<mailto:support at jamfsoftware.com> and your account rep. In my experience, JAMF is very responsive to feature requests. I'm a fairly new Casper user and Casper 8.2 already has some changes I suggested.
--
Walter Rowe, System Hosting
Enterprise Systems / OISM
walter.rowe at nist.gov<mailto:walter.rowe at nist.gov>
301-975-2885

jarednichols · ‎09-02-2011

If you notice I CC'd the list and sent it to JAMF Support.

It's common list courtesy to CC it when you make a feature request. I've seen loads of changes since 6.01 that came from the community.

j
---
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436