Jamf Nation Community

Hi,

Could you please share us your instructions and scripts (if any)?

We have provided with the enosxintel(binary file) and EnCase SAFE v6.18 Administration Guide to package. We have followed as described in the documentation to create StartupItems.

They have not mentioned about the location to drop the "enosxintel" binary file and the permission for the file. Also share us the best practices for packaging?

Thanks & Regards,
Karthikeyan

Sorry, I've been a bit buried of late. I'll try to screencap the install .pkg I built for this, and any tricky policy options. We deploy a new firewall pref with an exception for encase already in it, since there is no way to programmatically add exceptions. I think I built the pref deployment as part of this policy...

--Robert

bringing this back from the dead…

did you end up posting the launchdaemon anywhere?

i have the following at the moment, but it doesn't appear to work quite right. i also got no details from the vendor, so that's fun.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.company.encase</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/local/sbin/enosxintel</string>
    <string>-d</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>

did you run it daemonized?

@rockpapergoat][/url
I just finished explaining to our security team how ridiculous it is that they are still using StartupItems when I came across your post.

they recommend using a startupitem, which seems pretty dumb

Nice to see they listen to feedback. :)

I haven't touched EnCase in quite some time. Does anyone know if they support FileVault2 yet? Last I heard they were just starting to support FV1. They certainly seem to lag behind in support. : (

Nice to see they listen to feedback. :)

Nice when that happens. We have a vendor who still insists on using StartupItems to launch their software instead of LaunchDaemons, despite my having handed them a working .plist file... :rolleyes:

I'm having issues getting this to run. Several articles and 4 or 5 VM's later I still can't get this to work. Could anyone dust off their notes and assist me with this please?

I just dragged the installer into Casper admin and we were good to go : )

C

I've installed it on a VM and and ran the following in terminal:

sudo /usr/sbin/enosxintel -d -i -p /usr/sbin -l 4445

But running:

sudo lsof -i -n -P | grep 4445

Show's nothing is running on that port. I'm blaming this on being sick as to why it's just not making any sense to me.

If you installed it already, then I would not run it again that way. Instead I would suggest just loading (or unloading and reloading) the launchdaemon that controls it, com.GSI.Servlet.

@ctangora
Just unloaded and loaded but without any progress. In Colsole this is seen over and over again.

11/18/14 4:13:49.090 PM com.apple.kextd[12]: kext com.GSI.kext.gsidrv  100009000 is in exception list, allowing to load
11/18/14 4:13:49.099 PM com.apple.kextd[12]: kext com.GSI.kext.gsidrv  100009000 is in exception list, allowing to load
11/18/14 4:13:49.000 PM kernel[0]: GSI driver loaded
11/18/14 4:13:49.000 PM kernel[0]: GSI driver unloaded
11/18/14 4:13:49.144 PM com.apple.launchd[1]: (com.GSI.Servlet) Throttling respawn: Will start in 10 seconds

After looking back this happens literally every 10 seconds just about. I'm going to start a new VM of Mavericks and do this piece by piece.
Once I have it installed I'm going to take a snapshot of that VM.

I wonder if I was given an older version perhaps....

Has anyone encountered any serious issues as a result of deploying this? As far as I can tell - this developer seems to be operating in the dark ages (using a KEXT ; KEXT is not signed ; binary is signed with their own certificate - not an Apple developer certificate ; documentation lists 10.9.4 as latest supported OS) ; scary messages in logs like "This service is defined to be constantly running and is inherently inefficient")

I'm seriously worried if I deploy - there will be a kernel panic on thousands of machines when they update to 10.10.x

Thoughts?

Last version I installed recently couldn't deal with encrypted VM. Hadn't yet tested with FV2. It was installed on 10.10.1 and later without any obvious issues/kernel panics, but wasn't tested by InfoSec to see if it worked.