- Jamf Nation Community
- Products
- Jamf Pro
- MCX settings via JSS persistence issue
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
MCX settings via JSS persistence issue
Not applicable
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 05-11-2011 11:06 AM
So I finally decided to leverage the Managed Preferences (MCX)
settings in my JSS. I created a Managed Preference manifest to turn
off the open "safe" files option in Safari and pushed it to all my
users (who are all Admins).
I noticed afterwards that this appeared to enable "Parental Controls"
for all my users (and in fact any user on the system). I realized that
this is probably because JSS just manages the local ds store for
manipulating MCX settings for each user (i.e. these machines are not
bound to an OS X Server to get their MCX settings, so JSS manipulates
it locally instead for the same effect).
However, I've now decided that I don't want this MCX setting on any of
my laptops. I've disabled all Managed Preferences on the JSS, both
user level and system level, and have actually deleted any managed
preferences manifests that were created.
I thought that upon relogin or restart, this would remove these
MCX-applied settings from each machine, but they appear to be staying.
I've tried manually deleting the MXC settings in ~/Library/Managed
Preferences but upon relogin or restart, these MCX settings appear to
be pulled down again from the server (which is weird, because JSS
doesn't have these settings set anymore). Maybe it's pulling it from a
cached setting somewhere?
So, how can I revert what I've done? I don't want my Admin users to be
managed or have Parental Controls enabled.
FYI, I will instead push this Safari change using a script that uses
the defaults command.
Thanks,
Damien Barrett
19 REPLIES 19
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 05-12-2011 05:54 AM
I had a similar issue caused by a bug in a previous version of casper. In order to fix it, I created a policy to run a command on each machine:
dscl . -delete /Computers/localhost
I had only tried computer level mcx. If you did user level, I think you'd have to delete the local mcx for each user.
--
David Kucmierz
Mesquite ISD Technical Services
972.882.5506
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 05-12-2011 06:25 AM
I think JAMF needs to include a MCX flush option.
:)
--
Matt Lee
FNG Sr. IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group
matthew.lee at fox.com<mailto:matthew.lee at fox.com>
Need Help? Call the Help Desk at (310) 969-HELP (ext 24357) or online at http://itteam<http://itteam/>
Help Desk Hours: Mon-Fri, 6AM-6PM PST
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 05-12-2011 06:48 AM
10.6 needs one too :-)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
You do not need to leave your room.
Remain sitting at your table and listen.
Do not even listen, simply wait,
be quiet, still and solitary.
The world will freely offer itself to you to be unmasked,
it has no choice,
it will roll in ecstasy at your feet.
--Franz Kafka
Eric Young
eyoung at thayer.org
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 05-12-2011 07:02 AM
Try deleting the computer record
sudo dscl . delete /Computers
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 05-12-2011 07:12 AM
What is the right way to do this? Ive tried everything and it doesn't seem to work :(
Stupid MCXs!!!!
--
Matt Lee
FNG Sr. IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group
matthew.lee at fox.com<mailto:matthew.lee at fox.com>
Need Help? Call the Help Desk at (310) 969-HELP (ext 24357) or online at http://itteam<http://itteam/>
Help Desk Hours: Mon-Fri, 6AM-6PM PST
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 05-12-2011 07:14 AM
sudo dscl . -delete /Computers/localhost
Then
Sudo rm –rf /Library/Managed Preferences
Reboot but ensure you're not going to get MCX re-thrown on you by the JSS first.
--
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436
Not applicable
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 05-12-2011 07:15 AM
We use this little script
++++++
#!/bin/sh
dscl . -delete /Computers/localhost
rm -R /Library/Managed Preferences/*
jamf manage
reboot
+++++
Nick Caro Senior Desktop Support Administrator
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 05-12-2011 07:20 AM
Very nice Nick. Right after I saw the message before this I wrote the exact same thing and looks like it might have worked.
--
Matt Lee
FNG Sr. IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group
matthew.lee at fox.com<mailto:matthew.lee at fox.com>
Need Help? Call the Help Desk at (310) 969-HELP (ext 24357) or online at http://itteam<http://itteam/>
Help Desk Hours: Mon-Fri, 6AM-6PM PST
Not applicable
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 05-12-2011 07:24 AM
I cant take the credit… JAMF Support gave that to us.
Last year I was "testing" MCX and had no idea what a pandoras box that could be when you are still dealing with an OD environment.
Wer had a few days of pure panic. This def. does work and they wont come back as long as you disable MCX on JSS.
Nick Caro Senior Desktop Support Administrator
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 05-12-2011 07:45 AM
works a treat.
under 10.5 and below there was a very nice flushmcx or resetmcx or some such command that could be sent to a machine.
the apple giveth and the apple taketh away I guess.
/////////////////////////////////////
Conscience is the inner voice which warns us that someone may be looking.
- H.L. Mencken
Eric Young
eyoung at thayer.org
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 05-12-2011 07:48 AM
The Apple has been taking away a bit too much lately :(
--
Matt Lee
FNG Sr. IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group
matthew.lee at fox.com<mailto:matthew.lee at fox.com>
Need Help? Call the Help Desk at (310) 969-HELP (ext 24357) or online at http://itteam<http://itteam/>
Help Desk Hours: Mon-Fri, 6AM-6PM PST
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 05-12-2011 07:50 AM
There's still /usr/bin/mcxrefresh and dscl's -mcxdelete flag.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 05-12-2011 07:51 AM
I created a local Bash script along with a plist on every machine at logout, weekly that runs as root:
sudo dscl . -delete /Computers
Sleep 1
sudo rm –rf /Library/Managed Preferences
So far… So good.
I like Sleep 1
;)
-P@
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 05-12-2011 07:55 AM
In the past I have always just deleted the computer record in dscl and
the managed preferences folder in /Library and it has done the trick for
me
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 05-12-2011 08:01 AM
The situation I am in is, I have 2 managed preferences groups. 1 that has basic MCX's and another that has all the basics + a few extras. I remove people from those groups depending on where they are and what they are doing. Is running the bash script at logout all the time a good idea just so that the MCX's are fresh?
--
Matt Lee
FNG Sr. IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group
matthew.lee at fox.com<mailto:matthew.lee at fox.com>
Need Help? Call the Help Desk at (310) 969-HELP (ext 24357) or online at http://itteam<http://itteam/>
Help Desk Hours: Mon-Fri, 6AM-6PM PST
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 05-12-2011 08:23 AM
Killing them every time may be a bit of overkill. Then you run the risk of a machine being offline the next time it boots and not receiving MCX. I'd reserve flushing MCXs for troubleshooting.
j
--
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 05-12-2011 08:31 AM
Im a huge house keeping fan. Would once a week be a better option? Maybe once a week at login and than trigger a jamf -mcx to recompose the MCX's?
--
Matt Lee
FNG Sr. IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group
matthew.lee at fox.com<mailto:matthew.lee at fox.com>
Need Help? Call the Help Desk at (310) 969-HELP (ext 24357) or online at http://itteam<http://itteam/>
Help Desk Hours: Mon-Fri, 6AM-6PM PST
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 05-23-2011 11:13 AM
For some reason this darn Screen Saver will not disable!!!! I've tried all the commands and it just keeps grayed out. I seem to not be able to control this even though it is no longer in the MCX profile and I have disabled all the settings. MCX's can be a pain in the butt without OD it seems.
--
Matt Lee
FNG Sr. IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group
matthew.lee at fox.com<mailto:matthew.lee at fox.com>
Need Help? Call the Help Desk at (310) 969-HELP (ext 24357) or online at http://itteam<http://itteam/>
Help Desk Hours: Mon-Fri, 6AM-6PM PST
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 05-23-2011 11:35 AM
delete the following:
/Library/Managed Preferences/<username> alternatively you can wild
card it and wipe out all managed preferences
Then delete the computer records, if any
sudo dscl . delete /Computers
Then a log in/out (or a reboot) should clear out all MCX settings,
unless Casper or OD are applying them.
