Login window lock, mobile account creation....looking for advice

spowell01
Contributor

Hello JAMFNation, we are pushing ahead with our image and are looking for some advice on the best way to accomplish these tasks:

(RESOLVED via blank package)
1. We need a lock on the login window, preferably with a notification to the user. It appears to take 2-3 minutes for the policies to take effect at the login window, and I don't want people (us) trying to log in before the machine is properly bound. The main thing is we want to be sure that the scripts and policies run/installed by the custom trigger we made after a reimage will complete without interruption. Spent about half the day messing with the jamfHelper only to find out it will not work at the login window with 10.7.3. Lovely. Anyone have a simple solution to lock the loginwindow?

(RESOLVED via Jamfhelper and blank package)
2. While the screen is locked, we would like it to autologin the default admin account, and then reboot. We think we need this to apply some user profiles that we want applied to everyone created in the JSS but we're unsure if the user profiles will need to be applied to each user as they log in. This ties into the questions we have about mobile accounts when applied through profiles.

(Still looking for a resolution to this one)
3. We need a better way to apply mobile accounts. Currently we built a user profile through the JSS, as mobility settings are only available when editing user profiles. The end result is that a user logs in the first time is a standard network user. The policy is applied and then the NEXT time that user logs in, they are given a mobile account. This is again on a user basis, and we need it to be computer based, unfortunately mobility settings aren't able to be managed via computers….

We appreciate any tips or advice to help us accomplish these 3 tasks.


nextyoyoma
Contributor

As far as 1) and 2), jamfHelper will accomplish this. You have to make a blank package, then select the "This package must be installed to the boot volume at time of imaging." If you do this, it should run jamfhelper automatically, and then reboot when it is finished running all your startup scripts. It might be helpful to write your own AD binding script, though, because if you use the built-in AD binding script, it will not bind until after restart.

How were you calling jamfhelper.app? I don't see any discussions right off the bat that say there is a problem with it and 10.7.3. It definitely works in 10.7.4. If you use the method I described, the postinstall.sh script will automatically start it up for you at the login window.

As for 3), I'm sorry I can't offer any insight into this one. I'm new to AD binding!

nessts
Valued Contributor II

Seems like 1 & 2 have been answered.
For 3 and the mobile accounts, if you are on Lion look at the configuration profiles from Lion Server; they can make all accounts be forced to be mobile accounts.

If you know the username and password you can run

/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n username -p passwd

to create a mobile account for the user. We wrote an AppleScript to obtain the info from the user and create the mobile account for them, because most of our users are remote and have to run a VPN client before being able to log in.

Hope that helps.

rtrouton
Release Candidate Programs Tester

You don't need the -p flag to have createmobileaccount create a mobile account:

/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n username

The command above will create the account, home folder and cache all needed attributes except for the account's password. The password attributes will be cached once the user logs in for the first time.

mm2270
Legendary Contributor III

It's true that jamfHelper will not work when a Mac is sitting at the login screen. If you call it while ssh'd into a Mac sitting at login, for example, you'll get the PID returned. Looking up that PID in ps gives you a "Stopped" message.
This may be because jamfHelper is an app executable, not an actual binary. You can't run an app at the login window as far as I know.

That said, I would agree with Charlie that combining the first 2 steps to have an auto login happen, then jamfHelper locking the screen while it completes may be the way to approach this. Though I'm not sure if an empty pkg is necessary. I think just designating the scripts to "Install on the boot volume" may be enough.

spowell01
Contributor

Thanks for the quick responses, gonna try the suggestions now!

rtrouton
Release Candidate Programs Tester

For example, you can use a script like this to automate the creation of a mobile account from a directory service (like AD or OD) and give it admin rights.

#!/bin/sh

#################################################
##  Create localadmin user on imaged machine   ##
#################################################

CMA="/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount"

# No -p flag: the password attributes are cached at the user's first login.
# Stop here if the account could not be created, so we never add a
# non-existent user to the admin group.
"$CMA" -n localadmin || exit 1


#################################################
##  Give the localadmin account admin rights   ##
#################################################

dscl . -append /Groups/admin GroupMembership localadmin
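As an added example that is not part of the thread or rtrouton's script: the same createmobileaccount call wrapped for a first-boot run, where the directory binding may not be usable yet (the delay the original poster describes). It polls the directory search path until it resolves the user, skips users that already have a local record so it is safe to run twice, and grants admin rights with dseditgroup only when asked and only if the user is not already a member. The user list, the admin flags, the 300-second timeout and the --run switch are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread): create mobile accounts for known
# directory users at first boot, waiting for the binding to become usable.
# Assumptions: the Mac is bound to AD or OD, the users in USERS exist in that
# directory, and the names/flags below are made up for illustration.

CMA="/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount"

# "user:admin" pairs; admin=1 means add the user to the local admin group.
USERS="localadmin:1 jdoe:0"

# Poll a command until it succeeds or the timeout (seconds) expires.
# Returns 0 on success, 1 on timeout. Generic, so it can be exercised off-Mac.
wait_for() {
    timeout="$1"; shift
    elapsed=0
    while ! "$@" >/dev/null 2>&1; do
        if [ "$elapsed" -ge "$timeout" ]; then
            return 1
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    return 0
}

# Split a "user:flag" pair.
pair_user()  { printf '%s' "${1%%:*}"; }
pair_admin() { printf '%s' "${1#*:}"; }

# True if the directory search path (not only the local node) resolves the user.
dir_has_user()   { dscl /Search -read "/Users/$1" RecordName >/dev/null 2>&1; }
# True if a local record already exists, i.e. the mobile account was created.
local_has_user() { dscl . -read "/Users/$1" RecordName >/dev/null 2>&1; }

create_mobile() {
    user="$1"; admin="$2"
    # Give the binding up to 5 minutes (assumed) before giving up on this user.
    if ! wait_for 300 dir_has_user "$user"; then
        echo "directory does not resolve $user; skipping" >&2
        return 1
    fi
    if local_has_user "$user"; then
        echo "$user already has a local record; not recreating" >&2
    else
        # No -p: the password is cached at the user's first login.
        "$CMA" -n "$user" || return 1
    fi
    # dseditgroup is used instead of dscl -append so a repeat run does not
    # add a duplicate GroupMembership entry.
    if [ "$admin" = "1" ] && ! dseditgroup -o checkmember -m "$user" admin >/dev/null 2>&1; then
        dseditgroup -o edit -a "$user" -t user admin
    fi
}

main() {
    rc=0
    for pair in $USERS; do
        create_mobile "$(pair_user "$pair")" "$(pair_admin "$pair")" || rc=1
    done
    return $rc
}

# Only act when invoked with --run, so the file can be sourced for its functions.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as root with `sh create-mobile.sh --run` from the post-image trigger. It pre-creates accounts for users you already know; it does not change what happens when an unknown directory user logs in for the first time, which is what the mobility MCX/profile setting controls.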

nessts
Valued Contributor II

Only if you don't need the password cached right away is that true. My remote users' SSL VPN dies when the first-boot user logs out so they can log in, so we need it.

And for question 1:
If you do

launchctl unload /System/Library/LaunchDaemons/com.apple.loginwindow.plist

that will stop the loginwindow from displaying; you can then set up your autologin info, load the LaunchDaemon and then start jamfHelper.

spowell01
Contributor

Here is my issue with the mobile account creation. I went to our Lion test server and built a basic configuration profile for a device group: one payload, which is mobility settings to create a mobile account at login. Download it and upload to the JSS and I get this error:
An error occured while processing HTTPRequestAction 'EditOSXConfigurationProfile': java.lang.NullPointerException

nextyoyoma
Contributor

@mm2270

You are correct about how jamfhelper accomplishes the lockout. I had not thought that through. However, I don't see another way to force a restart. Scripts do not have the option for "Install on the boot volume" through Casper Admin. You have to assign that option to a package. For convenience, I have an empty package that gets flagged this way so that I don't have to remember which package is set up this way. If there is a better way, however, I'm all for it.

mm2270
Legendary Contributor III

Yeah, you're right. Not sure why I thought that was available for scripts. Perhaps it was discussed as a feature request at one point, but it's not present as of yet.
It can obviously be done, since in an imaging workflow the first-run script gets assigned to run after the reboot. It just isn't available with normal scripts uploaded to Casper Admin.

wbarnes01
New Contributor

@nextyoyoma

Thanks! I'm working with spowell and the blank package is working great for launching jamfHelper while our scripts run. We were trying to call jamfHelper with a script we had running at Reboot in our configuration. But as pointed out jamfHelper doesn't launch at the login screen and we were at a loss.

So, 1 and 2 are taken care of. Thanks!

stevewood
Honored Contributor II

I know that question 1 is already answered, but I did want to mention a second way to accomplish this. We had the same discussion on the list/site back in November:

https://jamfnation.jamfsoftware.com/discussion.html?id=24

Justin Sako gave an example of utilizing a LaunchAgent to cover the loginwindow. I tested it then on 10.6 and 10.7 and it worked fine. I just tested again on 10.7.3 and it still works.

So, you can use a LaunchAgent with jamfHelper to lock the screen with a message.
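As an added example that is not part of the thread or Justin Sako's scripts, here is the LaunchAgent approach in one script. The agent is restricted to the LoginWindow session type, which is the context in which launchd will actually run jamfHelper on top of the login window (calling jamfHelper from a root script at that point leaves it stopped, as mm2270 describes). The label com.example.loginlock, the heading/message text and the --lock/--unlock switches are assumptions for the example; the jamfHelper path is the usual Casper one.

```shell
#!/bin/sh
# Added example (not from the thread): lock the login window during
# post-imaging work with a LaunchAgent that runs jamfHelper full-screen in
# the LoginWindow session, then remove the agent when the work is done.
# Assumptions: jamfHelper is at the path below and the label is unused.

JAMFHELPER="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"
LABEL="com.example.loginlock"
AGENT="/Library/LaunchAgents/${LABEL}.plist"

# The heading and message land inside XML; escape them so a stray "&" or "<"
# cannot produce a plist launchd refuses to load (leaving the window unlocked).
xml_escape() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}

# Emit the LaunchAgent plist. LimitLoadToSessionType=LoginWindow makes launchd
# load it only in the login window context; RunAtLoad starts jamfHelper at once.
lock_plist() {
    heading="$(xml_escape "$1")"
    message="$(xml_escape "$2")"
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>${LABEL}</string>
    <key>LimitLoadToSessionType</key>
    <string>LoginWindow</string>
    <key>RunAtLoad</key>
    <true/>
    <key>ProgramArguments</key>
    <array>
        <string>${JAMFHELPER}</string>
        <string>-windowType</string>
        <string>fs</string>
        <string>-heading</string>
        <string>${heading}</string>
        <string>-description</string>
        <string>${message}</string>
    </array>
</dict>
</plist>
EOF
}

# Install the agent as root:wheel 644; launchd ignores agents writable by others.
# Loading with -S LoginWindow shows the lock in the login window session now,
# instead of waiting for the next login window to appear.
lock_loginwindow() {
    lock_plist "$1" "$2" > "$AGENT"
    chown root:wheel "$AGENT"
    chmod 644 "$AGENT"
    launchctl load -S LoginWindow "$AGENT"
}

# Tear down: unload, stop any leftover jamfHelper, and delete the plist so the
# lock does not return at the next login window.
unlock_loginwindow() {
    launchctl unload -S LoginWindow "$AGENT" 2>/dev/null || true
    killall jamfHelper 2>/dev/null || true
    rm -f "$AGENT"
}

# Only act when told to, so the file can be sourced for its functions.
case "${1:-}" in
    --lock)   lock_loginwindow "Setup in progress" "Do not log in until this Mac restarts." ;;
    --unlock) unlock_loginwindow ;;
esac
```

Call `--lock` at the start of the post-image trigger and `--unlock` (or simply reboot) at the end; because the plist is removed on unlock, a Mac that is re-imaged later does not inherit a stale lock.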

spowell01
Contributor

Thanks for the replies. Justin was actually our JumpStart tech! His scripts look really nice, but complicated, and we really don't have much experience with them. We ended up going with the blank package route and are very pleased with the resulting locked window/message.

We are still looking for a way to deploy mobility settings that will force mobile account creation at FIRST login. All we've been able to get is a profile that installs after first login, which requires a second login to get the mobile account. Maybe this is one of the only settings we will have to continue managing via MCX.

sean
Valued Contributor

What is the connection of your home accounts, afp, nfs or smb and how are you mounting them?
Are you bound to Directory Service and if so, which, AD, OD or OpenLDAP?