Posted on 08-04-2011 08:06 AM
Hello,
first of all, I'm pretty new to Casper Suite (8.2.1) and Open-Directory administration (10.6.8-Clients and Servers), so please excuse my questions if they all seem obvious.
I wanted to set password policies for all our users and I've already migrated all local home folders to mobile homes to make the deal, but I'm not sure if this was the best/only solution.
Anyway I'm running into new "problems".
On the other hand I want to use the managed preferences feature from JSS and not those in Apple's Workgroup Manager.app because I'm not familiar with it. The table in the Casper Administrators Guide on page 274 shows how JSS affects MCX settings from third-party providers. For Mobile Home users and Open Directory nothing is applied from JSS. I understand the table this way: JSS will not apply any MCX if the user account is a mobile one. I made a simple test to confirm this: even if a mobile user has MCX from JSS, only the MCX entries of Workgroup Manager.app are displayed (in System Profiler > Managed Clients). Am I wrong?
That's the way I understand mobile home: it's approximately a network home which is syncing with the home path on the local disk (and there must be a cached LDAP-entry to allow logins when far from network), isn't it? That's why I don't understand this "limitation" (I've already said that I'm just discovering these administrative concepts ;-). Does anyone know why JSS won't/can't apply MCX-settings with mobile homes (but for Local and Network Homes)?
Further I would be glad to know how you are managing preferences of those mobile homes, if there is a workaround or a best practice. Or if I have to disable Managed Preferences in JSS and use WGM.
Thanks in advance for any hint!
Regards,
Yann Borg
Posted on 08-04-2011 08:44 AM
Hello,
Welcome to the list and Casper. I have been running Casper and OD for over 4 years now. We have a 1:1 and we do use mobile homes. Casper MCX will not really play nice with OD MCX. You should really use one or the other. There are a plethora of methods you can use to deploy MCX. You can bind to server and use OD, you can use WGM and do export/import with MCX files and scripts (I do this for local accounts and it works well), you can use the defaults command in scripts, you can use Casper, and so forth.
If you are binding and authenticating to OD anyway, MCX should be easier (in my opinion) in WGM. You can simply drag plist files to the details tab in WGM for preferences and edit the plist there on the spot. Also, if you are using OD and mobile homes, why not use OD for password policy?
Maybe I am not grasping it, could you please describe in more detail your issues?
thanks, Tom
Posted on 08-04-2011 02:30 PM
Hi Tom,
Thanks for your input!
Posted on 08-05-2011 07:30 AM
My experience is just because there is a domain and key/value doesn't mean Managed Preferences will successfully apply the setting. For those settings that don't seem to work in managed preferences, I write a script that uses a "defaults write" and apply them via policy.
There are some settings we always want to be specific values (e.g. password policy settings). For those we create an extension attribute that checks the value to make sure it is what we want enforced. For any of these attributes, the output of the script is either "Passed" or "Failed - <why it failed>". We then create a smart group for each of these attributes where the criteria is attribute value "is not" "Passed". Finally, we set the scope of the policy script to this smart group. This way we ensure that any change made by a user is reset to our managed value within two cycles of policy checkin.
Walter
--
Walter Rowe, System Hosting
Enterprise Systems / OISM
walter.rowe at nist.gov
301-975-2885
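
The extension-attribute check described in the post above, sketched as an added example (not part of the original thread and not Walter's own script). The required values, the `check_policy` helper and the sample string are assumptions for illustration; the key names follow the legacy `pwpolicy` global policy format, and the `<result>` wrapper is what the JSS reads as the attribute value.

```shell
#!/bin/bash
# Added example: extension attribute that reports "Passed" or
# "Failed - <why it failed>" for a smart group to match on.

# Assumed site minimums (hypothetical values, not from the thread).
REQUIRED="minChars=8 requiresAlpha=1 requiresNumeric=1"

# check_policy "<space-separated key=value pairs>"
# Prints "Passed", or "Failed - ..." listing every key below its minimum.
check_policy() {
    observed="$1"
    why=""
    for req in $REQUIRED; do
        key="${req%%=*}"
        want="${req#*=}"
        have=""
        for pair in $observed; do
            if [ "${pair%%=*}" = "$key" ]; then have="${pair#*=}"; fi
        done
        # A missing or non-numeric value is a failure, never a silent pass.
        case "$have" in
            ''|*[!0-9]*)
                why="$why $key missing;"
                continue
                ;;
        esac
        if [ "$have" -lt "$want" ]; then
            why="$why $key=$have (want >= $want);"
        fi
    done
    if [ -z "$why" ]; then
        echo "Passed"
    else
        echo "Failed -${why%;}"
    fi
}

# On a managed client, read the live global policy; elsewhere fall back
# to a constructed sample so the script still runs.
if command -v pwpolicy >/dev/null 2>&1; then
    observed="$(pwpolicy -getglobalpolicy 2>/dev/null || true)"
else
    observed="minChars=4 requiresAlpha=1 requiresNumeric=0"  # constructed sample
fi
echo "<result>$(check_policy "$observed")</result>"
```

A smart group with the criterion attribute value "is not" "Passed" then picks up any machine that reports a failure, and the remediation policy is scoped to that group.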