Posted on 10-26-2011 01:46 PM
We are using Microsoft Messenger 7.01/7.02 on our corporate network.
There is an untrusted (default) certificate that has to be installed under
the user's login items in keychain before Messenger will allow the user to
logon locally.
The scenario is that I am trying to fix a mistake on a monolithic image. We
installed Messenger 8.01 by mistake and it went out with the gold monolithic
image.
So what I did was launch Composer, did a New and Modified Snapshot. After
the initial snapshot was created, I did the following steps.
Dragged the 8.0.1 version of Microsoft Messenger to the trashcan.
Emptied the trash. (needed to remove the old version)
Installed Microsoft Messenger 7.02 by drag and dropping the app to the
Applications folder
Launched Microsoft Messenger and did a partial walkthrough of the installer
but quit it when it asked for the username/password.
I then installed our untrusted certificate by double clicking on it which
opens up Keychain Assistant
Chose Always Trust and saved/oked the cert install window in Keychain
Assistant.
Relaunched Microsoft Messenger 7.02 and quit it a few more times for good
measure
Once that was done, I went ahead and built the package and selected the
checkboxes for Fill User Templates and Fill Existing User Home Directories
Spammed the package out to my test box. It did properly uninstall Messenger
8.01 and installed Messenger 7.02
I then logged in with my domain credentials.
At that point, before login completes, I get the window 'The system was
unable to unlock your login keychain' and I have the options of continue
login, create new keychain, or update keychain password.
The problem is that I don't want to update the keychain password, because
the only password it will take is the local admin account I used to create
the package with, it won't unlock with the domain credentials.
What is the proper method for packaging up certificates so that they are
available in all users' login keychains?
Thanks,
Brenton Snyder
Posted on 10-26-2011 02:30 PM
Sounds like you overwrote the users' login.keychain with the one that you captured w/Composer. Generally not a good practice.
On Oct 26, 2011, at 3:46 PM, Brenton Snyder wrote:
I had to do something exactly similar for Messenger 7.02 and what I ended up doing was:
a) packaging up the certificate and deploying it to /Users/Shared
b) ran a script "after" which added the certificate to the currently logged-in user's keychain. You may need to modify this to "step through" /Users to get all users (if there are multiples per machine) to have this certificate trusted.
The script I used looked something like this :
#!/bin/bash
# For the current console user, imports the Root CA and marks it trusted.
# Casper passes the logged-in user's short name as parameter $3 when the
# policy is triggered at login.
USERNAME="$3"
if [ -z "$USERNAME" ]; then
    # Script not called at login; find out who is using the computer.
    USERNAME=$(/usr/bin/w | grep console | awk '{print $1}' | head -n 1)
fi
if [ -z "$USERNAME" ]; then
    echo "No one is using the computer; cannot set the preference." 1>&2
    exit 1
else
    echo "Setting keychain defaults for $USERNAME"
    KEYCHAIN="/Users/$USERNAME/Library/Keychains/login.keychain"
    # Run as the user so the cert lands in their (already unlocked) login keychain;
    # -k names that keychain explicitly rather than relying on the default one.
    sudo -u "$USERNAME" /usr/bin/security import /Users/Shared/root.cer -k "$KEYCHAIN"
    sudo -u "$USERNAME" /usr/bin/security add-certificates -k "$KEYCHAIN" /Users/Shared/root.cer
    sudo -u "$USERNAME" /usr/bin/security add-trusted-cert -k "$KEYCHAIN" /Users/Shared/root.cer
    /bin/rm -f /Users/Shared/root.cer
    echo "Done."
fi
exit 0
Posted on 10-26-2011 04:59 PM
Thanks for the help. We are still learning about Casper at this stage.
Anyway, I still have a few questions. Should I have this script triggered
by login or other method? I am thinking that the best bet for this script
is to deploy it when the user calls in and we have them logout and then have
it execute when they login.
What would be the best method for going about the step through if we wanted
to hit multiple users on the same box? I am not sure that will be an issue
since almost all the boxes have single users.
Brenton
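An added example, not code posted in this thread, covering the "step through /Users" question above and the alternative the second reply hints at: trusting the certificate once in the System keychain instead of in every login keychain. It assumes the certificate was staged at /Users/Shared/root.cer (as in the reply's script) and runs on macOS, where `security` and `stat -f` exist; the DEPLOY_MODE variable and the function names are this example's own.

```shell
#!/bin/bash
# Added example, not code from the thread. Deploys a root CA certificate that
# was staged at /Users/Shared/root.cer (assumed path, as in the script above).
# Route 1 puts admin trust in the System keychain, which every user inherits
# and which needs no per-user keychain password. Route 2 walks /Users to find
# login keychains, but only the console user's keychain is unlocked; the
# others cannot be written without that user's password, which is exactly
# the locked-keychain prompt from the first post.
set -u

CERT="${CERT:-/Users/Shared/root.cer}"
USERS_DIR="${USERS_DIR:-/Users}"

# Print each home directory under $1 that contains a login keychain
# (skipping /Users/Shared), one per line.
list_keychain_homes() {
  base="$1"
  for home in "$base"/*/; do
    home="${home%/}"
    case "$home" in */Shared) continue ;; esac
    if [ -f "$home/Library/Keychains/login.keychain" ]; then
      printf '%s\n' "$home"
    fi
  done
  return 0
}

# Route 1 (preferred): one system-wide trust setting, run as root.
# Use -r trustAsRoot instead if the cert is not self-signed.
trust_system_wide() {
  /usr/bin/security add-trusted-cert -d -r trustRoot \
    -k /Library/Keychains/System.keychain "$CERT"
}

# Route 2: import and trust for the console user only, whose login keychain
# was unlocked at login; runs the security command as that user.
trust_for_console_user() {
  user="$(/usr/bin/stat -f %Su /dev/console)"
  [ -n "$user" ] && [ "$user" != "root" ] || return 1
  kc="/Users/$user/Library/Keychains/login.keychain"
  sudo -u "$user" /usr/bin/security add-trusted-cert -r trustRoot -k "$kc" "$CERT"
}

# Select a route with DEPLOY_MODE=system|console|list; unset does nothing,
# so the functions can be sourced and checked without touching any keychain.
case "${DEPLOY_MODE:-}" in
  system)  trust_system_wide ;;
  console) trust_for_console_user ;;
  list)    list_keychain_homes "$USERS_DIR" ;;
esac
```

Run it as root from a Casper policy with DEPLOY_MODE=system to avoid the per-user keychain problem entirely; DEPLOY_MODE=list only reports which homes have a login keychain.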