Help

How to determine who deployed an image via Casper Imaging?

benbaker
New Contributor

Posted on ‎04-04-2017 04:33 PM

Hi:

Is there a way to determine which person's login deployed an image via Casper Imaging? I'm trying to determine who imaged a certain Mac on a certain date when they were not supposed to. Thanks in advance!

Ben

Labels:
0 Kudos
4 REPLIES 4

bradtchapman
Valued Contributor II

Posted on ‎04-04-2017 05:09 PM

Casper Imaging is a permission that is not automatically granted to new standard users in the JSS. You would have to intentionally create an account or a group, and then give them the rights to use it.

So I have a couple of questions:

  1. Is access to Casper Imaging restricted to a group or set of individuals?
  2. Did you have the "Change management" logs enabled?

If the answer to those questions is "yes," then you can find the imaging event under System Settings > Change Management > Logs.

If you did not have change management logs enabled, or if your staff have been using a generic user account to start Casper Imaging, then your hopes of discovering the culprit are diminished.

Frankly, I'm more familiar with DeployStudio, which leaves behind a log trace on the server and the imaged computer. Others who use Casper Imaging more frequently may be able to share some additional insight.

0 Kudos

benbaker
New Contributor

Posted on ‎04-04-2017 06:16 PM

Hi bradtchapman, thanks for your response. We have our access to imaging limited to our help desk staff and the Change Management logs are enabled but when I went in there it just shows policy logs and none for the computer in question during the timeframe it was reimaged. The Event Logs do show the computer being imaged as well as the time but the Username field in Event Detail is conspicuously absent.

0 Kudos

jhalvorson
Valued Contributor

Posted on ‎04-04-2017 08:37 PM

Within your JSS website, search on the computer name. Click the results to see that computer's details. Scroll to the very bottom of the page and click on History. Usually the first entry will list the user account name that was used for Casper Imaging.

0 Kudos

benbaker
New Contributor

Posted on ‎04-06-2017 02:02 PM

I checked the History on the computer record and it is also blank. When the person reimaged it it overwrote the previous record for the computer with the new hostname but I'm not sure why the log history is blank. I just imaged a new computer and it does show my username next to "created" as the first entry in the History on that computer record. Thanks for your help guys.

0 Kudos