management user

Not applicable

Hey Group,
It is possible to use the management user to login into the mac after it is
imaged and managed?

Thanks
LC

13 REPLIES

tlarkin
Honored Contributor

My image is 100% pristine. Never been booted, no user accounts, just
the OS and software packages. Then I can maintain 1 master image for
all machines in my deployment. Then just set up post image shell
scripts which create the local user accounts, and pull down packages via
manual trigger policies based on auto run data for the client. For
example, students and teachers have different packages, local user
accounts and settings, but I don't want to create 2 separate images. We
also have machines in middle schools that will have different software
needs, but still need the base image. So, I created a compiled
configuration that is universal to every computer's needs. So, my
process goes like this:

1) netboot and image - block copy base image via asr script
2) first reboot after image
   a) computers that go to students get the post image student script
   b) computers that go to teachers get the post image teacher script
   c) computers in middle schools get the middle school post image script
3) Post image script runs, executes manual trigger policies
4) Imaging is done and post image script shuts down machine

The only bug I have ever run into is that sometimes the first user you log
into doesn't get a full home directory copied over properly from the user
template. This is not a big deal to me because the local admin accounts
aren't used for storing any data or running apps; they are used for
management only. Otherwise I deploy several local user accounts. On teacher
machines all staff and teachers get access to a local admin account, whose
credentials they can use to install software and the like. I also put a
hidden local IT account on every machine so anyone in IT can log into any
Mac locally, no problem. Then I have a separate local admin account that is
hidden for ARD usage. Any non-IT person who would need ARD remote access
gets the password to this account. I keep this separate in case of a
password leak. I have no problem nuking and redeploying the ARD admin local
account for remote access. That way I never have to give out the local
admin for the IT group, except to my co-workers. I never give anyone access
to the Casper managed account at all; I am the only one that knows that
password, period. I would have Casper randomize it, but my network isn't
the fastest, and I have seen database issues with the password being out of
sync with that.

I just wish I had a decent network; that way I could maybe use a different
approach. However, this has seemed to work best.

-Tom

jarednichols
Honored Contributor

Yes.
--
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436

tlarkin
Honored Contributor

Yes, it is a legit account, but depending on how you set it up, it may or may not have a home folder. If an account is strictly used for SSH authentication only, it doesn't really need a home folder. If it doesn't have one, one should be created on the fly from the user template at first login.

It is my opinion though, that the Casper managed account should only ever be used for Casper. I have separate local admin accounts for separate reasons.

donmontalvo
Esteemed Contributor II

Create Policy > Manually > Accounts > New Account > [x] Allow user to administer computer

--
https://donmontalvo.com

Not applicable

Yea, they only want one local admin account, then they plan to use AD admin
accounts.

Crazy, I know, but it is what it is.

LC

donmontalvo
Esteemed Contributor II

Sorry, I hit the SEND button too quickly. One department had an admin account created (they defined for us) and forgot the password. So we created a new account using a policy.

PS, I didn't mean to CC the list on my reply...sorry.

Don

--
https://donmontalvo.com

Not applicable

So I added another user during imaging, and neither account is able to
login.

Any ideas?

LC

donmontalvo
Esteemed Contributor II

We're seeing this where users disable SSH...a lot...unfortunately...

Admin rights = toddler with loaded gun

Don

--
https://donmontalvo.com

tlarkin
Honored Contributor

Do you have the "ensure this computer is managed" box checked? If not, then anything post imaging will not execute, since the Casper Framework is set to not manage those machines. Users, bindings, post image scripts, etc. are all run after imaging is done.

bentoms
Honored Contributor III

You can hide the user & create them an account in /var/ so users can't see.

Regards,

Ben.

tlarkin
Honored Contributor

This is a snippet from my post image shell script

/usr/sbin/jamf createAccount -username "$admin1_short" -realname "$admin1_long" \
    -password "$admin1_passwd" -home "/private/var/$admin1_short" \
    -shell "/bin/bash" -hiddenUser -admin

It puts the home folder in /private/var, makes it hidden, and an admin
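Once accounts like the hidden IT and ARD admins above are on every Mac, the practical follow-up is knowing which admin accounts actually exist on a given machine and which of them are hidden. The script below is an added example, not Tom's script or anything shipped with Casper: it reads the local admin group with `dscl`, classifies each member as hidden (the `IsHidden` attribute set to 1, or a UID below 500, the older convention that `-hiddenUser` relied on) or visible, and reports the home directory so accounts parked in /private/var stand out. The account names and the sample `dscl` records embedded at the bottom are constructed for illustration; the live collection only runs where `dscl` exists.

```shell
#!/bin/bash
# Added example, not from the thread: audit the local admin group on a Mac
# and flag hidden management accounts such as those created with
# `jamf createAccount ... -hiddenUser -admin`. Run on macOS; the parsing
# helpers take text as arguments so they can be exercised with constructed
# dscl output on any system.

# Turn the single "GroupMembership: a b c" line printed by
# `dscl . -read /Groups/admin GroupMembership` into one name per line.
admin_members() {
    printf '%s\n' "$1" \
        | sed -n 's/^GroupMembership:[[:space:]]*//p' \
        | tr -s ' ' '\n' \
        | sed '/^$/d'
}

# Pull one single-line attribute ($2) out of a `dscl . -read /Users/<name>`
# record ($1). Prints nothing if the key is absent.
record_attr() {
    printf '%s\n' "$1" | sed -n "s/^$2:[[:space:]]*//p" | head -n 1
}

# Classify a user record as "hidden" when IsHidden is 1 or the UID is below
# 500 (the two mechanisms macOS and older jamf binaries use to keep an
# account off the login window), otherwise "visible". The second field is
# the home directory, so a home under /private/var is easy to spot.
classify_user() {
    local hidden uid home
    hidden=$(record_attr "$1" IsHidden)
    uid=$(record_attr "$1" UniqueID)
    home=$(record_attr "$1" NFSHomeDirectory)
    if [ "$hidden" = "1" ] || { [ -n "$uid" ] && [ "$uid" -lt 500 ]; }; then
        printf 'hidden %s\n' "${home:-<no-home>}"
    else
        printf 'visible %s\n' "${home:-<no-home>}"
    fi
}

# Live collection, macOS only: one line per member of the admin group.
audit_admins() {
    local members name rec
    members=$(dscl . -read /Groups/admin GroupMembership) || return 1
    for name in $(admin_members "$members"); do
        rec=$(dscl . -read "/Users/$name" 2>/dev/null) || continue
        printf '%s %s\n' "$name" "$(classify_user "$rec")"
    done
}

# Constructed sample records standing in for dscl output on a managed Mac:
# a hidden IT account homed in /private/var, and a visible teacher admin.
SAMPLE_IT='NFSHomeDirectory: /private/var/itadmin
IsHidden: 1
UniqueID: 502'
SAMPLE_TEACHER='NFSHomeDirectory: /Users/teacheradmin
IsHidden: 0
UniqueID: 503'

if command -v dscl >/dev/null 2>&1; then
    audit_admins
else
    # No directory services here: show the classifier on the samples instead.
    printf 'itadmin %s\n' "$(classify_user "$SAMPLE_IT")"
    printf 'teacheradmin %s\n' "$(classify_user "$SAMPLE_TEACHER")"
fi
```

Run it as root from a policy or over SSH and compare the output against the accounts you expect to find; any hidden admin you did not create is worth a closer look, and a management account whose home is missing is consistent with the first-login home-folder issue described earlier in the thread.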

bentoms
Honored Contributor III

Yea like the below!

Ha ha, nice one Tom.

I tend to have a management account baked into image in /users so I can create packages that use fut.

Does creating in /var/ break it?

Regards,

Ben.

Not applicable

Found that I need to have Fix Permissions checked for the logins to work
correctly.

LC