Posted on 02-26-2013 09:51 AM
I am having users upgrade to Mountain Lion in place; we don't do imaging on our Macs or dual-partition upgrades. The issue is that after the upgrade CasperSSH gets removed, as it's a hidden account. I found a workaround by unhiding the CasperSSH account prior to the upgrade (change the UID to above 500); then the account is still there after the upgrade. However, when I go to re-hide the account, the Self Service application breaks, and every time you go to run a policy or application install in Self Service it prompts with "Self Service wants to make changes, type your password to allow this".
Any thoughts?
Posted on 02-26-2013 10:24 AM
How are you hiding the account post-upgrade?
Posted on 02-26-2013 10:37 AM
The script was provided to me by the JAMF Support team:
#!/bin/sh
####################################################################################################
#
# Copyright (c) 2013, JAMF Software, LLC. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
# Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
# * Neither the name of the JAMF Software, LLC nor the
# names of its contributors may be used to endorse or promote products
# derived from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY JAMF SOFTWARE, LLC "AS IS" AND ANY
# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL JAMF SOFTWARE, LLC BE LIABLE FOR ANY
# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
####################################################################################################
#
# ABOUT THIS PROGRAM
#
# NAME
# changeUserID.sh -- Change the UniqueID for the specified user
#
# SYNOPSIS
# sudo changeUserID.sh
# sudo changeUserID.sh <mountPoint> <computerName> <loginUsername> <username> <newUID>
#
# DESCRIPTION
# This script changes the UniqueID for the specified user. If the specified UID is already assigned
# to another user it will be incremented and checked to find the next available UID.
#
####################################################################################################
#
# version 1.0
# Created by Jason Van Zanten, JAMF Software, LLC, on February 21, 2013
#
# version 1.1
# Updated by Jason Van Zanten, JAMF Software, LLC, on February 22, 2013
# - Added functions for setting UID and hiding 500 users
# - Improved handling of edge case where UID = 1000
# - Improved error checking
#
####################################################################################################
# HARDCODED VARIABLES
username="CasperSSH"    # Username to change UID
newuid="504"            # New UID

# CHECK FOR SCRIPT PARAMETERS (only used when the hardcoded values above are blank)
if [ "$3" != "" ] && [ "$username" == "" ]
then
    username="$3"
fi
if [ "$4" != "" ] && [ "$newuid" == "" ]
then
    newuid="$4"
fi

####################################################################################################
#
# SCRIPT CONTENTS - DO NOT MODIFY BELOW THIS LINE
#
####################################################################################################

# FUNCTIONS
function is_integer() {
    printf "%d" "$1" > /dev/null 2>&1
    return $?
}

function setUserID() {
    username=$1
    olduid=$2
    testuid=$3
    /usr/bin/dscl . change /Users/$username UniqueID $olduid $testuid
    error=$?
    if [ "$error" == "0" ]
    then
        echo "UID for $username set to $testuid."
    else
        echo "ERROR: $error."
    fi
}

function hide500Users() {
    username=$1
    newuid=$2
    testuid=$3
    if [ "$newuid" -lt "501" ] && [ "$testuid" -gt "500" ]
    then
        echo "Next available UID above 500. User $username will not be hidden."
    elif [ "$testuid" -le "500" ]
    then
        echo "Hiding 500 users from login window..."
        /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool TRUE
    fi
}

# ERROR CHECKING
if [ "$username" == "" ]
then
    echo "ERROR: Username cannot be blank. Exiting."
    exit 1
fi
if [ "$newuid" == "" ]
then
    echo "WARN: No new UID specified. Setting to 100."
    newuid="100"
elif is_integer "$newuid"
then
    if [ "$newuid" -gt "1000" ]
    then
        echo "ERROR: Script unable to set UID above 1000. Exiting."
        exit 2
    elif [ "$newuid" -gt "500" ]
    then
        echo "WARN: New UID above 500. User $username will not be hidden."
    elif [ "$newuid" -lt "0" ]
    then
        echo "ERROR: Script unable to set UID below 0. Exiting."
        exit 3
    fi
else
    echo "ERROR: New UID must be an integer value between 0 and 1000. Exiting."
    exit 4
fi

# FIND EXISTING UID FOR SPECIFIED USERNAME
olduid=$(/usr/bin/dscl . read /Users/$username UniqueID 2> /dev/null | /usr/bin/awk '{ print $2 }')
if [ "$olduid" == "" ]
then
    echo "ERROR: Existing UID not found. Exiting."
    exit 5
fi

# CHANGE UID FOR SPECIFIED USERNAME
if [ "$olduid" == "$newuid" ]
then
    # No change required
    echo "Nothing to change for $username: UID $olduid."
else
    # Change required
    echo "Attempting to change UID for $username from $olduid to $newuid..."
    # Check for availability of specified new UID (any other account already using it)
    result=$(/usr/bin/dscl . list /Users UniqueID | /usr/bin/grep -w $newuid | /usr/bin/grep -v $username)
    testuid="$newuid"
    # If new UID is unavailable, check for next available UID
    while [ "$result" != "" ] && [ "$testuid" -le "1000" ]
    do
        testuid=$((testuid + 1))
        result=$(/usr/bin/dscl . list /Users UniqueID | /usr/bin/grep -w $testuid | /usr/bin/grep -v $username)
    done
    # If available UID found, change UID for specified user
    if [ "$testuid" -le "1000" ]
    then
        # Change UID for specified user
        setUserID $username $olduid $testuid
        # If necessary, hide 500 users from login window
        hide500Users $username $newuid $testuid
    else
        echo "No available UID between $newuid and 1000."
        echo "UID for $username left at $olduid."
    fi
fi
echo "DONE"
exit 0
Posted on 02-26-2013 11:22 AM
Oh lordy, look at that.
What we did was add the users to the loginwindow hidden user list instead of messing with the UIDs post upgrade.
defaults write /Library/Preferences/com.apple.loginwindow HiddenUsersList -array-add user1 user2 user3
Posted on 02-26-2013 11:27 AM
What I was originally going to do was just a quick one-line script that changes the UID to a number I define on the command line, then do the upgrade, then run the same script but manually set the UID back to 80.
What do you recommend?
Posted on 02-26-2013 12:24 PM
There's no guarantee that any given UID won't be taken.
I wouldn't change the UID at all. I'd add the user to the hidden user list and be done with it.
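As an added example (not from any poster in this thread), a pre-upgrade audit that lists the accounts the replies say the upgrade will remove: admin-group members whose UniqueID is 500 or below, the range the JAMF script above treats as hidden. It parses the output of `dscl . list /Users UniqueID` and `dscl . read /Groups/admin GroupMembership`; the sample records and the `--live` flag are constructed for this example.

```shell
#!/bin/sh
# Pre-upgrade audit: local admin accounts that Hide500Users hides (UniqueID 1..500),
# i.e. the hidden admin accounts reported to disappear after an in-place upgrade.
# Pure text processing, so it runs against captured dscl output as well as live.

# $1: output of `dscl . list /Users UniqueID`   (name<spaces>uid per line)
# $2: output of `dscl . read /Groups/admin GroupMembership`
# Prints one qualifying account name per line, sorted.
hidden_admins() {
    uids="$1"
    admins="$2"
    printf '%s\n' "$uids" | awk -v members="$admins" '
        BEGIN {
            sub(/^GroupMembership:[ \t]*/, "", members)
            n = split(members, m, /[ \t]+/)
            for (i = 1; i <= n; i++) if (m[i] != "") isadmin[m[i]] = 1
        }
        # skip root (UID 0) and the _-prefixed Apple service accounts
        $2 + 0 > 0 && $2 + 0 <= 500 && $1 !~ /^_/ && ($1 in isadmin) { print $1 }
    ' | sort
}

# Live wrapper (macOS only): feed real dscl output through the same check.
audit_live() {
    hidden_admins "$(dscl . list /Users UniqueID)" \
                  "$(dscl . read /Groups/admin GroupMembership)"
}

# Constructed sample, not captured from a real Mac.
SAMPLE_UIDS='root 0
_mbsetupuser 248
ard 405
casperssh 80
svcbackup 499
jdoe 501
support 502'
SAMPLE_ADMINS='GroupMembership: root ard casperssh jdoe support'

# On a Mac: sudo ./audit.sh --live ; without the flag the sample is audited.
if [ "${1:-}" = "--live" ]; then
    audit_live
else
    hidden_admins "$SAMPLE_UIDS" "$SAMPLE_ADMINS"
fi
```

Run it before the upgrade and keep the output; each name it prints is an account to re-hide (or re-create) afterwards.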
Posted on 02-26-2013 12:35 PM
We use installOSX.pkg developed by Greg Neagle:
http://managingosx.wordpress.com/2012/07/25/son-of-installlion-pkg/
But yes: starting with Lion, any HIDDEN admin user will be broken and you'd need to recreate it. JAMF's script renumbers the user account, but we developed another approach: resetting the original, hidden user account.
The script we developed also enables Java web plug-ins for older versions of Java, DISABLES the iCloud start-up wizard, installs any available software updates that we've approved on our internal server and calls a custom trigger that fixes a few other things that the new OS install breaks: namely, installing new versions of Java and Flash.
Our script runs as a launchd process on first boot AFTER the new OS install has completed.
Enjoy, customize, comment, lemme know.
#!/bin/sh
# copyright ©, david koff for the j. paul getty trust
# permission to use if these two lines are included
#
# this script runs via launchd at start-up immediately following
# the installation of a new OS utilizing OSX Lion or higher
# it deletes itself after completion but fixes several issues left by Apple:
#   recreates a hidden admin account called "ard" (although you can substitute any you prefer)
#   resets ard access settings
#   installs any available SuS patches
#   re-creates the Java prefs to auto-enable web-plug-ins (older versions of java)

#----------------------------------------------------------
# Variables
#----------------------------------------------------------
#-----Assignments
SCRIPTNAME=$0
user405=ard

#-----Directories & Files
LOG="/Library/Logs/Your Company Installations.log"   ## enter the path to whatever log file you'd prefer (keep "$LOG" quoted: the path has spaces)
kickstart="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart"
systemsetup="/usr/sbin/systemsetup"
PlistBuddy="/usr/libexec/PlistBuddy"
login="/Library/Preferences/com.apple.loginwindow"

#-----Computations
over500=$(dscl . list /Users UniqueID | awk '$2 > 500 { print $1 }')   # local, non-hidden user accounts
hwVers=$(system_profiler SPHardwareDataType | grep "Model Name" | awk '{ print $3 }')
MSpid=$(ps -ax | grep Microsoft | grep -v grep | awk '{ print $1 }')   # running Office processes, if any

#-----Dynamically Set
# ByHost preference files are keyed on the platform UUID. Older Macs report
# 00000000-0000-1000-8000-<MAC address>; for those the lower-cased MAC part is the key.
platformUUID=$(ioreg -rd1 -c IOPlatformExpertDevice | awk -F'"' '/IOPlatformUUID/ { print $4 }')
case "$platformUUID" in
    00000000-0000-1000-8000-*)
        MAC_UUID=$(printf '%s' "${platformUUID#00000000-0000-1000-8000-}" | tr 'A-Z' 'a-z') ;;
    *)
        MAC_UUID="$platformUUID" ;;
esac

#----------------------------------------------------------
# Timestamp
#----------------------------------------------------------
echo " " >> "$LOG"
echo "###################################" >> "$LOG"
echo "########## Beginning Log ##########" >> "$LOG"
echo "##### $SCRIPTNAME ######" >> "$LOG"
echo "#### $(date "+%A %m/%d/%Y %H:%M") #####" >> "$LOG"
echo "###################################" >> "$LOG"
echo " " >> "$LOG"

#----------------------------------------------------------
# Admin Account Recreation
#----------------------------------------------------------
echo "---Recreate ARD account" >> "$LOG"
if [ -d /private/var/$user405 ]; then
    echo "the ard directory is already present, no need to recreate..." >> "$LOG"
else
    mkdir /private/var/$user405 >> "$LOG"
fi
dscl . -create /Users/$user405 >> "$LOG"
dscl . -create /Users/$user405 realname "${user405}" >> "$LOG"
dscl . -create /Users/$user405 NFSHomeDirectory /private/var/$user405 >> "$LOG"
dscl . -passwd /Users/$user405 yourpasswordhere >> "$LOG"   # we cleartext the password as it changes via policy later
dscl . -create /Users/$user405 PrimaryGroupID 405 >> "$LOG"
dscl . -create /Users/$user405 UniqueID 405 >> "$LOG"
dscl . -create /Users/$user405 shell /bin/bash >> "$LOG"
dscl . -append /Groups/admin GroupMembership $user405 >> "$LOG"
chown -R $user405 /private/var/$user405 >> "$LOG"   # after UniqueID is set, so the name resolves
defaults write $login Hide500Users -bool TRUE              ### hides this user from user list and user switching
defaults write $login HiddenUsersList -array-add $user405  ### hides this user from login screen

#----------------------------------------------------------
# Disable iCloud Wizard from current & future users
#----------------------------------------------------------
for USER_TEMPLATE in "/System/Library/User Template"/*
do
    # create blank loginwindow prefs if none exist (PlistBuddy's Save creates the file)
    for f in com.apple.loginwindow loginwindow
    do
        [ -f "${USER_TEMPLATE}/Library/Preferences/$f.plist" ] || $PlistBuddy -c "Save" "${USER_TEMPLATE}/Library/Preferences/$f.plist" >> "$LOG"
    done
    defaults write "${USER_TEMPLATE}/Library/Preferences/com.apple.SetupAssistant" DidSeeCloudSetup -bool TRUE
    defaults write "${USER_TEMPLATE}/Library/Preferences/com.apple.SetupAssistant" LastSeenCloudProductVersion -string '10.8'
    echo "com.apple.SetupAssistant for the $USER_TEMPLATE now won't prompt for iCloud..."
done
for i in $over500
do
    defaults write /Users/$i/Library/Preferences/com.apple.SetupAssistant DidSeeCloudSetup -bool TRUE
    defaults write /Users/$i/Library/Preferences/com.apple.SetupAssistant LastSeenCloudProductVersion -string '10.8'
    chown "${i}":staff /Users/$i/Library/Preferences/com.apple.SetupAssistant.plist >> "$LOG"
    echo "com.apple.SetupAssistant for the $i account now won't prompt for iCloud..."
done

#----------------------------------------------------------
# Modifications: ARD, SSH, Time
#----------------------------------------------------------
echo " " >> "$LOG"
echo "---ARD PREFS" >> "$LOG"
$kickstart -activate >> "$LOG"
$kickstart -configure -users $user405 -access -on -privs -DeleteFiles -TextMessages -OpenQuitApps -GenerateReports -RestartShutdown -SendFiles -ChangeSettings -clientopts -setmenuextra -menuextra no -setreqperm -reqperm yes >> "$LOG"
echo "---SSH PREFS" >> "$LOG"
$systemsetup -setremotelogin on >> "$LOG"
echo "---TIME PREFS" >> "$LOG"
$systemsetup -setusingnetworktime on >> "$LOG"
$systemsetup -settimezone America/Los_Angeles >> "$LOG"
$systemsetup -setnetworktimeserver yourdomain.timeserver.edu >> "$LOG"   ## feel free to use whatever time server you like here

#----------------------------------------------------------
# Quit apps & download updates
#----------------------------------------------------------
echo " " >> "$LOG"
echo "---QUIT APPS" >> "$LOG"
killall Safari >> "$LOG" 2>&1
killall firefox-bin >> "$LOG" 2>&1
killall "Google Chrome" >> "$LOG" 2>&1
killall JavaApplicationStub >> "$LOG" 2>&1   # groupwise
killall groupwise >> "$LOG" 2>&1
[ -n "$MSpid" ] && kill $MSpid >> "$LOG" 2>&1
echo "---SUS INSTALLS" >> "$LOG"
defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL "http://xserve-timcook.getty.edu:8088/content/catalogs/others/index-mountainlion-lion-snowleopard-leopard.merged-1_pilottesters.sucatalog"
echo "Software Update Server has been set for this Mac to use reposado at: http://xserve-timcook.getty.edu:8088"
sleep 2
softwareupdate -ia >> "$LOG"
echo "Apple updates complete. Now calling a custom policy to:" >> "$LOG"
echo "install printer drivers, Java and enable Java web-plug-ins." >> "$LOG"
jamf policy -trigger UpgradeMountainLion >> "$LOG"   ## this calls a custom trigger that, for us, installs a new version of java and flash

# ---------------------------------------------------------
# Enable Java Web Plug-ins
# ---------------------------------------------------------
echo " " >> "$LOG"
for i in $over500
do
    echo "-----------------------------------" >> "$LOG"
    echo "For the user account: $i" >> "$LOG"
    echo "-----------------------------------" >> "$LOG"
    javaPrefs="/Users/$i/Library/Preferences/ByHost/com.apple.java.JavaPreferences.${MAC_UUID}.plist"
    rm -f /Users/$i/Library/Preferences/ByHost/com.apple.java.JavaPreferences.*
    echo "JavaPrefs plist has been deleted from: $i account" >> "$LOG"
    echo "The Mac UUID has been set to: $MAC_UUID" >> "$LOG"
    # Re-create this user's prefs with "Enable applet plug-in" set. The file was just
    # removed, so the parent dictionaries are added before the keys.
    $PlistBuddy -c "Add :GeneralByTask dict" -c "Add :GeneralByTask:Any dict" "$javaPrefs" >> "$LOG"
    $PlistBuddy -c "Add :GeneralByTask:Any:WebComponentsEnabled bool true" "$javaPrefs" >> "$LOG"
    # WebComponentsLastUsed is seconds since 2001-01-01 (Cocoa epoch), hence the 978307200 offset
    $PlistBuddy -c "Add :GeneralByTask:Any:WebComponentsLastUsed real $(( $(date "+%s") - 978307200 ))" "$javaPrefs" >> "$LOG"
    chown "${i}":staff "$javaPrefs" >> "$LOG"
    echo " " >> "$LOG"
done
echo "Java Web-Apps have been enabled for ALL 500+ users on this Mac." >> "$LOG"

#----------------------------------------------------------
# Wrap-Up
#----------------------------------------------------------
# Removes the launchd item and script
echo "Pausing 2 seconds before deleting script..." >> "$LOG"
sleep 2
rm -f "$0"
echo "$0 has now been deleted." >> "$LOG"
rm -f /Library/LaunchDaemons/com.getty.NewOS1stBoot.plist
echo "The LaunchDaemon has now been deleted." >> "$LOG"
echo " " >> "$LOG"
echo "###################################" >> "$LOG"
echo "############# END LOG #############" >> "$LOG"
echo "#### $(date "+%A %m/%d/%Y %H:%M") ####" >> "$LOG"
echo "###################################" >> "$LOG"
echo " " >> "$LOG"
exit 0
Posted on 02-26-2013 12:49 PM
@themacdweeb - thanks for this, I'll take a look, but what do you do about the CasperSSH account? That is what is breaking for me... that account completely goes away, then I cannot use Casper Remote to screen share or push scripts, applications, etc.
Posted on 02-26-2013 01:04 PM
One thing you could do is, as part of the upgrade, copy a zip file containing a QuickAdd installer, LaunchDaemon and script to the Mac being upgraded.
The script would do the following:
The LaunchDaemon would trigger the script to run at first boot.
Posted on 02-26-2013 01:21 PM
Craig,
Just re-read my post and my script. This isn't about your CasperSSH account. It's about ANY hidden admin account, as ALL hidden admin accounts will disappear after deploying Lion or above. Our solution: re-create that account. My script does that for our admin account. You can customize it to recreate your account.
d
Posted on 10-08-2013 11:53 AM
What's the process to make it "our script runs as a launchd process on first boot AFTER the new OS install has completed"?
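The first-boot mechanism the Getty script relies on, written out as an added example (not code from any poster): a LaunchDaemon with RunAtLoad runs the repair script as root once the upgraded OS boots, and the script's last act is to remove the daemon and itself, as the script above does with `rm -f $0` and its plist. The label `com.example.firstboot` and the paths are assumptions; the page's own daemon is `/Library/LaunchDaemons/com.getty.NewOS1stBoot.plist`.

```shell
#!/bin/sh
# First-boot hook for an in-place OS upgrade: stage a LaunchDaemon that runs a
# repair script once, as root, when the new OS first boots; the script ends by
# removing the daemon and itself. Plist generation is plain text, so it can be
# exercised anywhere; launchctl is only invoked on a Mac.

# Print the LaunchDaemon plist for LABEL ($1) that runs SCRIPT ($2) at boot.
# RunAtLoad fires once per boot and there is no KeepAlive, so launchd does
# not restart the job when the script exits.
firstboot_plist() {
    label="$1"; script="$2"
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>$label</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/sh</string>
        <string>$script</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
EOF
}

# Stage the hook before rebooting into the upgraded OS: $1 label, $2 plist
# path (under /Library/LaunchDaemons on a Mac), $3 script path. launchd
# rejects daemons not owned by root:wheel or writable by group/others.
stage_firstboot() {
    label="$1"; plist="$2"; script="$3"
    firstboot_plist "$label" "$script" > "$plist"
    chmod 644 "$plist"
    chmod 755 "$script"
    if [ "$(id -u)" -eq 0 ] && [ "$(uname)" = "Darwin" ]; then
        chown root:wheel "$plist" "$script"
    fi
}

# Last step of the repair script itself: delete the files, then the job.
# launchctl remove stops the running job, so nothing may follow it.
firstboot_cleanup() {
    label="$1"; plist="$2"; script="$3"
    rm -f "$plist" "$script"
    if command -v launchctl >/dev/null 2>&1; then
        launchctl remove "$label"
    fi
    return 0
}
```

Stage the plist and script from the upgrade package (or a policy that runs before the reboot), and call firstboot_cleanup at the very end of the repair script.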