Skip to main content
Question

MCX settings via JSS persistence issue

  • May 11, 2011
  • 19 replies
  • 49 views
A
  • Anonymous

So I finally decided to leverage the Managed Preferences (MCX)
settings in my JSS. I created a Managed Preference manifest to turn
off the open "safe" files option in Safari and pushed it to all my
users (who are all Admins).

I noticed afterwards that this appeared to enable "Parental Controls"
for all my users (and in fact any user on the system). I realized that
this is probably because JSS just manages the local ds store for
manipulating MCX settings for each user (i.e. these machines are not
bound to an OS X Server to get their MCX settings, so JSS manipulates
it locally instead for the same effect).

However, I've now decided that I don't want this MCX setting on any of
my laptops. I've disabled all Managed Preferences on the JSS, both
user level and system level, and have actually deleted any managed
preferences manifests that were created.

I thought that upon relogin or restart, this would remove these
MCX-applied settings from each machine, but they appear to be staying.
I've tried manually deleting the MXC settings in ~/Library/Managed
Preferences but upon relogin or restart, these MCX settings appear to
be pulled down again from the server (which is weird, because JSS
doesn't have these settings set anymore). Maybe it's pulling it from a
cached setting somewhere?

So, how can I revert what I've done? I don't want my Admin users to be
managed or have Parental Controls enabled.

FYI, I will instead push this Safari change using a script that uses
the defaults command.

Thanks,

Damien Barrett

    19 replies

    D
    Forum|alt.badge.img+11
    • dkucmierz
    • Contributor
    • May 12, 2011

    I had a similar issue caused by a bug in a previous version of casper. In order to fix it, I created a policy to run a command on each machine:

    dscl . -delete /Computers/localhost

    I had only tried computer level mcx. If you did user level, I think you'd have to delete the local mcx for each user.

    --

    David Kucmierz
    Mesquite ISD Technical Services
    972.882.5506

    M
    Forum|alt.badge.img+20
    • Matt11
    • Valued Contributor
    • May 12, 2011

    I think JAMF needs to include a MCX flush option.

    :)

    --
    Matt Lee
    FNG Sr. IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
    Fox Networks Group
    matthew.lee at fox.com<mailto:matthew.lee at fox.com>

    Need Help? Call the Help Desk at (310) 969-HELP (ext 24357) or online at http://itteam<http://itteam/>
    Help Desk Hours: Mon-Fri, 6AM-6PM PST

    Eyoung
    Forum|alt.badge.img+10
    • Eyoung
    • Contributor
    • May 12, 2011

    10.6 needs one too :-)

    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    You do not need to leave your room. Remain sitting at your table and listen. Do not even listen, simply wait,
    be quiet, still and solitary. The world will freely offer itself to you to be unmasked, it has no choice, it will roll in ecstasy at your feet.
    --Franz Kafka

    Eric Young
    eyoung at thayer.org

    T
    Forum|alt.badge.img+31
    • tlarkin
    • Honored Contributor
    • May 12, 2011

    Try deleting the computer record

    sudo dscl . delete /Computers

    M
    Forum|alt.badge.img+20
    • Matt11
    • Valued Contributor
    • May 12, 2011

    What is the right way to do this? Ive tried everything and it doesn't seem to work :(

    Stupid MCXs!!!!

    --
    Matt Lee
    FNG Sr. IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
    Fox Networks Group
    matthew.lee at fox.com<mailto:matthew.lee at fox.com>

    Need Help? Call the Help Desk at (310) 969-HELP (ext 24357) or online at http://itteam<http://itteam/>
    Help Desk Hours: Mon-Fri, 6AM-6PM PST

    J
    Forum|alt.badge.img+24
    • jarednichols
    • Valued Contributor
    • May 12, 2011

    sudo dscl . -delete /Computers/localhost

    Then

    Sudo rm –rf /Library/Managed Preferences

    Reboot but ensure you're not going to get MCX re-thrown on you by the JSS first.
    --
    Jared F. Nichols
    Desktop Engineer, Client Services
    Information Services Department
    MIT Lincoln Laboratory
    244 Wood Street
    Lexington, Massachusetts 02420
    781.981.5436

    A
    • Anonymous
    • May 12, 2011

    We use this little script

    ++++++

    #!/bin/sh

    dscl . -delete /Computers/localhost
    rm -R /Library/Managed Preferences/*
    jamf manage
    reboot

    +++++

    Nick Caro Senior Desktop Support Administrator

    M
    Forum|alt.badge.img+20
    • Matt11
    • Valued Contributor
    • May 12, 2011

    Very nice Nick. Right after I saw the message before this I wrote the exact same thing and looks like it might have worked.

    --
    Matt Lee
    FNG Sr. IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
    Fox Networks Group
    matthew.lee at fox.com<mailto:matthew.lee at fox.com>

    Need Help? Call the Help Desk at (310) 969-HELP (ext 24357) or online at http://itteam<http://itteam/>
    Help Desk Hours: Mon-Fri, 6AM-6PM PST

    A
    • Anonymous
    • May 12, 2011

    I cant take the credit… JAMF Support gave that to us.
    Last year I was "testing" MCX and had no idea what a pandoras box that could be when you are still dealing with an OD environment.
    Wer had a few days of pure panic. This def. does work and they wont come back as long as you disable MCX on JSS.

    Nick Caro Senior Desktop Support Administrator

    Eyoung
    Forum|alt.badge.img+10
    • Eyoung
    • Contributor
    • May 12, 2011

    works a treat.

    under 10.5 and below there was a very nice flushmcx or resetmcx or some such command that could be sent to a machine.

    the apple giveth and the apple taketh away I guess.

    /////////////////////////////////////
    Conscience is the inner voice which warns us that someone may be looking.
    - H.L. Mencken

    Eric Young
    eyoung at thayer.org

    M
    Forum|alt.badge.img+20
    • Matt11
    • Valued Contributor
    • May 12, 2011

    The Apple has been taking away a bit too much lately :(
    --
    Matt Lee
    FNG Sr. IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
    Fox Networks Group
    matthew.lee at fox.com<mailto:matthew.lee at fox.com>

    Need Help? Call the Help Desk at (310) 969-HELP (ext 24357) or online at http://itteam<http://itteam/>
    Help Desk Hours: Mon-Fri, 6AM-6PM PST

    R
    Forum|alt.badge.img+13

    There's still /usr/bin/mcxrefresh and dscl's -mcxdelete flag.

    T
    Forum|alt.badge.img+10
    • ToriAnneke
    • Contributor
    • May 12, 2011

    I created a local Bash script along with a plist on every machine at logout, weekly that runs as root:

    sudo dscl . -delete /Computers
    Sleep 1
    sudo rm –rf /Library/Managed Preferences

    So far… So good.

    I like Sleep 1
    ;)

    -P@

    T
    Forum|alt.badge.img+31
    • tlarkin
    • Honored Contributor
    • May 12, 2011

    In the past I have always just deleted the computer record in dscl and
    the managed preferences folder in /Library and it has done the trick for
    me

    M
    Forum|alt.badge.img+20
    • Matt11
    • Valued Contributor
    • May 12, 2011

    The situation I am in is, I have 2 managed preferences groups. 1 that has basic MCX's and another that has all the basics + a few extras. I remove people from those groups depending on where they are and what they are doing. Is running the bash script at logout all the time a good idea just so that the MCX's are fresh?

    --
    Matt Lee
    FNG Sr. IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
    Fox Networks Group
    matthew.lee at fox.com<mailto:matthew.lee at fox.com>

    Need Help? Call the Help Desk at (310) 969-HELP (ext 24357) or online at http://itteam<http://itteam/>
    Help Desk Hours: Mon-Fri, 6AM-6PM PST

    J
    Forum|alt.badge.img+24
    • jarednichols
    • Valued Contributor
    • May 12, 2011

    Killing them every time may be a bit of overkill. Then you run the risk of a machine being offline the next time it boots and not receiving MCX. I'd reserve flushing MCXs for troubleshooting.

    j
    --
    Jared F. Nichols
    Desktop Engineer, Client Services
    Information Services Department
    MIT Lincoln Laboratory
    244 Wood Street
    Lexington, Massachusetts 02420
    781.981.5436

    M
    Forum|alt.badge.img+20
    • Matt11
    • Valued Contributor
    • May 12, 2011

    Im a huge house keeping fan. Would once a week be a better option? Maybe once a week at login and than trigger a jamf -mcx to recompose the MCX's?

    --
    Matt Lee
    FNG Sr. IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
    Fox Networks Group
    matthew.lee at fox.com<mailto:matthew.lee at fox.com>

    Need Help? Call the Help Desk at (310) 969-HELP (ext 24357) or online at http://itteam<http://itteam/>
    Help Desk Hours: Mon-Fri, 6AM-6PM PST

    M
    Forum|alt.badge.img+20
    • Matt11
    • Valued Contributor
    • May 23, 2011

    For some reason this darn Screen Saver will not disable!!!! I've tried all the commands and it just keeps grayed out. I seem to not be able to control this even though it is no longer in the MCX profile and I have disabled all the settings. MCX's can be a pain in the butt without OD it seems.

    --
    Matt Lee
    FNG Sr. IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
    Fox Networks Group
    matthew.lee at fox.com<mailto:matthew.lee at fox.com>

    Need Help? Call the Help Desk at (310) 969-HELP (ext 24357) or online at http://itteam<http://itteam/>
    Help Desk Hours: Mon-Fri, 6AM-6PM PST

    T
    Forum|alt.badge.img+31
    • tlarkin
    • Honored Contributor
    • May 23, 2011

    delete the following:

    /Library/Managed Preferences/<username> alternatively you can wild
    card it and wipe out all managed preferences

    Then delete the computer records, if any

    sudo dscl . delete /Computers

    Then a log in/out (or a reboot) should clear out all MCX settings,
    unless Casper or OD are applying them.

    Terms & ConditionsCookie settingsAccessibility statement