Posted on 11-07-2018 01:35 PM
Here is what I want to do: I would like to make it such that the root user on all managed computers has the AppleShowAllFiles set to 'yes'. I can think of only one way to do this but it seems very, very inefficient:
I have created a script to see who is logging in. If the logged in user is root, I issue the command 'Defaults write com.apple.finder AppleShowAllFiles yes'. Then, I created a policy to run this script which is triggered at login, and is set to 'ongoing' in frequency.
The problem of setting it to 'Once per computer' in frequency is that if it is not the root user who logs in first, then the setting will never get set because the script will never run again. But the problem with running the script at every login is that 99% of the time it will not be the root user logging in, but rather a student or a teacher, and that seems highly inefficient to me.
It seems like I should be able to set the scope to all computers and specific users, but oddly, the option to add local/LDAP users to the scope is missing so this doesn't seem like an option although I must say it would have been the most elegant solution I could think of. Is there a good reason this is missing from the scope options? Or is this a feature that has not been implemented yet?
So what is the best way to configure the policy so that the root is guaranteed to have that setting set, and it is not run at every singe login?
EDIT: I don't know why I didn't think of selecting 'Once per user per computer'. That makes it less inefficient :) . But if there is a better way to do it, please chime in!
Posted on 11-07-2018 02:21 PM
I'm not really sure that trying to set any preferences for the root user account is a great idea, nor is logging in to the machine as root unless there's a real need for it, but.. I think maybe you're overthinking this whole process. If your root account is enabled on your Macs (I assume it is or no-one would be able to log in as root), then since Jamf policies, especially ones run by the check-in trigger, are actually run by root, you should be able to simply drop that command into a policy in the Execute Command field, set it to run (once) on each machine and it will/should write the pref value into each systems root account preferences. In short, don't bother struggling with login triggered policies.
Just my $0.02.
Posted on 11-07-2018 02:45 PM
mm2270, your suggestion worked, thank you very much. But I think I will have the exact same question soon when I am trying to set user settings for the admin account on the school's computers. Is it possible to set a scope for a specific local/LDAP account?
Posted on 11-07-2018 02:51 PM
#!/bin/bash
User="administrator" ## Change this to the name of the local admin account you want to affect
AdminUID=$(id -u $User)
/bin/launchctl asuser "$AdminUID" sudo -iu "$User" /usr/bin/defaults write com.apple.finder AppleShowAllFiles -bool YES
Edit: I'm not sure if you can set scope for a specific LDAP/Local account unless you use the login or logout trigger, or if it's run via Self Service. I believe those are the only times those scope options appear, but I'm not in front of my Jamf server right now to look.