Posted on 06-28-2012 07:00 AM
This was a recent list I was given:
1. Firewall on with exceptions (presently disabled)
Completed.
Manually adjusting the .plist files on the machine does adjust the exceptions in the firewall policy. However, this can only be done on an application basis and it requires you to auth every time you make a change. Also, OS X does not respect Casper trying to update the .plist files themselves. Therefore, any firewall changes have to be pushed via a dmg that overwrites the com.apple.alf.plist file with root access, and this has been done.
2. SSH (remote login) only for admins (presently all users)
3. Wi-Fi off for iMacs (presently defaults to on)
Completed.
I created a bash file called disablewifi.sh:
#!/bin/sh
OS=`/usr/bin/defaults read /System/Library/CoreServices/SystemVersion ProductVersion | awk '{print substr($1,1,4)}'`
#10.6 Wireless is referenced as Airport and 10.7 is referenced as Wi-Fi
if [[ "$OS" < "10.7" ]]; then
    echo Turning off wireless for 10.6 iMac
    /usr/sbin/networksetup -setnetworkserviceenabled Airport off
else
    echo Turning off wireless for 10.7 iMac
    /usr/sbin/networksetup -setnetworkserviceenabled Wi-Fi off
fi
exit 0
From there, I created a smart group in Casper that put all of the iMacs into a single group.
Lastly, I created a policy to deploy the script to all the iMacs and ran it.
4. Disabling of the Internet Sharing setting across the board.
I'm not sure how to get this done. I have a script that can indeed turn it off. But that doesn't actually solve the problem. Macs with this turned on tend to exhibit weird behavior on our network, aka impersonating other computers for no reason. If you just turn this off in System Preferences it doesn't actually stop impersonating. You have to check another option like FireWire or Bluetooth that wouldn't normally have TCP/IP traffic and then turn ICS off for the impersonation to go away. So if it's off and Ethernet or Wi-Fi is checked (and Wi-Fi is in use) it will still behave badly.
5. Active Patch Management (pushing, scheduling and monitoring patches)
Computers that are powered on and have network connection between the hours of 12:01AM-7:59AM and 10:01PM-11:59PM on every Saturday install patches
Computers that need to have forced patched installs can be added to a special policy as required.
o Also investigate a way to specify multiple update servers in the plist
This is not possible. The .plist for the update server is only programmed to accept one variable.
Have talked to JAMF and a possible work around is we create another Casper server in the DMZ that clients can talk to and if they are outside of the TCU network have them update the .plist file back to the default setting.
On the other hand, I have created a script that will look for the en0 and en1 ip addresses, figure out if it needs to change the SUS settings and if the computer is on an external domain, delete the settings files we are pushing and set things back to default.
#!/bin/sh
#getting the first 7 bytes of the IP address to see if the address is internal or external
en0ipsuffix=$(ifconfig en0 inet 2>/dev/null | grep inet | cut -d" " -f2 | cut -b1-7)
en1ipsuffix=$(ifconfig en1 inet 2>/dev/null | grep inet | cut -d" " -f2 | cut -b1-7)
#get the logged in user (Casper passes it as the third argument)
user=$3
if [ "$user" = "" ]; then
    echo "Error: This script must be run at the login trigger. Please correct the trigger that is being used to run the policy."
    exit 1
fi
#error handling to make sure we have retrieved at least one good IP address
if [ "$en0ipsuffix" = "" ] && [ "$en1ipsuffix" = "" ]; then
    echo "Error did not retrieve an IP address"
    exit 1
fi
#determine if one or more ip address is internal
if [ "$en0ipsuffix" = "138.237" ] || [ "$en1ipsuffix" = "138.237" ] ; then
    echo "Computer is on the internal network, leaving SUS settings alone"
    exit 0
else
    echo "Computer is on an external network, changing SUS back to default"
    #delete the managed preferences that set the SUS to internal servers (must be run as root)
    defaults delete "/Library/Managed Preferences/com.apple.SoftwareUpdate" CatalogURL
    defaults delete "/Library/Managed Preferences/$user/com.apple.SoftwareUpdate" CatalogURL
fi
exit 0
Alternatively, a coworker mentioned that we could try using loadbalancer for internal and external traffic back to our internal patch server.
6. Active network scanning for client additions/deletions to Casper
I've been doing some thinking on this and unless Casper has some way to accept remote delete commands, I'm not sure that this is possible. As far as additions, we would likely just need a script to run on a newly found computer to run recon. The trick is going to be getting a script onto a computer that isn't already managed...
7. Integrate Casper groups with AD users and groups (build out a structure similar to AD where you can easily and quickly roll updates to either a single department or all departments)
Completed.
This was not possible as described because Casper does not manage user or groups. Settings are instead deployed to machines. To achieve the functionality requested a script was created that dumped the department suffix from the hostname on the machine into Casper. From there policies/updates can be deployed to one or more departments.
#!/bin/sh
#get the dept suffix from the hostname (our hostnames are computername.deptcode.domainname so computer1.it.tcu.edu)
deptname=$(hostname | cut -d. -f2)
#set the Department in the jss (note must be run as root and also requires the department to be defined in the Casper Department interface)
jamf recon -department "$deptname"
exit 0
8. Mount the personal shares automatically
Currently testing a script that will do this. It works on 10.7 with the user having to auth every time to the server. Does not appear to work on 10.6 in its current form.
Sadly this also includes net use commands found in the batch scripts we have for every user in Netlogon. Trying to figure out how to read from that share via a bash script has proven difficult.
9. Work with 10.8 pre-release to learn what settings (security and user settings) have been changed, added or removed and investigate how TCU should set these.
Have been advised that mcx type settings are going away in 10.8 and instead will use profile management. In the process of setting up a profile management server for further testing.
10. Work to see how Casper can set the new 10.8 settings
Will not be able to do this until after 10.8 is released. JAMF states “Since Apple is known to either add or remove features at the last minute we are unable to give a specific release date or what features will be available”
11. Provide 3rd party updates through Casper or Secunia or other platform
Casper/Apple Software Update server does not support nor have the capability to manage 3rd party updates. Secunia version 5, cannot deliver patches to OSX. Secunia support indicated this functionality could come with version 6 of the product.
12. Learn how Casper or other MDM software can be used to deploy Apple and Android mobile devices
Needs more clarification on what “deploy” actually means.
If anyone could read over my responses and correct any wrong information I have, or would like to add anything to this please do so.
Posted on 06-28-2012 07:25 AM
If I'm not mistaken, the wireless port is listed as "Airport" under 10.6 and as "Wi-Fi" in 10.7, which could explain why some of your Macs are not showing they have a Wi-Fi interface. Further down in your post you mentioned both 10.6 and 10.7 Macs, so I'm going to guess that may be the reason.
If so, you'll have to put in an OS check into your script and run the appropriate command based on which OS the system is on.
o Also investigate a way to specify multiple update servers in the plist This is not possible. The .plist for the update server is only programmed to accept one variable. Have talked to JAMF and a possible work around is we create another Casper server in the DMZ that clients can talk to and if they are outside of the TCU network have them update the .plist file back to the default setting.
I had to work on a similar issue where I am. We have a very mobile workforce (99% laptops). I was able to come up with something that involves a LaunchDaemon, a local script, a JSS policy and the JAMF NetSUS appliance all working in conjunction to allow users to run Software Update when outside the office and still have control over what they actually see in the Software Update app. And it does not involve putting anything in the DMZ or opening anything up to the outside world.
Just pointing the clients back to Apple's servers is not a good solution for us, since we have to block certain installations.
If you're interested in knowing what I've come up with, ping me offline and I can provide you with some details. (mm2270 at me dot com) We haven't really rolled this out yet as we're still debating whether it's necessary, but I've tested it out pretty thoroughly and it works.
Re: #12 - The Casper Suite cannot manage Android devices and likely never will. So I think you can take that one off the list. Unless you're only talking about what it can manage as far as iOS devices. Different story then.
Posted on 06-28-2012 08:23 AM
mm2270, In regards to disabling Wifi it looks like you were spot on. I've adjusted the script to the following:
#!/bin/sh
OS=`/usr/bin/defaults read /System/Library/CoreServices/SystemVersion ProductVersion | awk '{print substr($1,1,4)}'`
#10.6 Wireless is referenced as Airport and 10.7 is referenced as Wi-Fi
if [[ "$OS" < "10.7" ]]; then
echo Turning off wireless for 10.6 iMac
/usr/sbin/networksetup -setnetworkserviceenabled Airport off
else
echo Turning off wireless for 10.7 iMac
/usr/sbin/networksetup -setnetworkserviceenabled Wi-Fi off
fi
I've also emailed you for details on your patch management setup. Thanks for your response!
Posted on 06-28-2012 09:02 AM
I just emailed you details on what I put together.
Also, in your script above, wouldn't you want it to be doing
if [[ "$OS" < "10.7" ]]; then
I think that would detect 10.6 and lower and run the correct command, otherwise you run "/usr/sbin/networksetup -setnetworkserviceenabled Wi-Fi off"
No?
Posted on 06-28-2012 10:12 AM
:X We'll just pretend like that didn't happen and called it fixed...
Posted on 06-28-2012 10:23 AM
X We'll just pretend like that didn't happen and called it fixed...
I'm not even sure what you're talking about ;^)
Posted on 06-28-2012 12:34 PM
I just updated the script that was in the resource kit for 10.7 to disable the wireless. You're all doing it right, and this one is pretty comprehensive then.
#!/bin/sh
####################################################################################################
#
# Copyright (c) 2010, JAMF Software, LLC. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
# * Neither the name of the JAMF Software, LLC nor the
# names of its contributors may be used to endorse or promote products
# derived from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY JAMF SOFTWARE, LLC "AS IS" AND ANY
# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL JAMF SOFTWARE, LLC BE LIABLE FOR ANY
# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
####################################################################################################
#
# SUPPORT FOR THIS PROGRAM
#
# This program is distributed "as is" by JAMF Software, LLC's Resource Kit team. For more
# information or support for the Resource Kit, please utilize the following resources:
#
# http://list.jamfsoftware.com/mailman/listinfo/resourcekit
#
# http://www.jamfsoftware.com/support/resource-kit
#
# Please reference our SLA for information regarding support of this application:
#
# http://www.jamfsoftware.com/support/resource-kit-sla
#
####################################################################################################
#
# ABOUT THIS PROGRAM
#
# NAME
# turnOffAirport.sh -- Turns the airport's power off.
#
# SYNOPSIS
# sudo turnOffAirport.sh
# sudo turnOffAirport.sh <mountPoint> <computerName> <currentUsername>
#
# DESCRIPTION
# This script turns off power to the airport and can be especially useful when you want to ensure
# that users are connecting to a wired connection when possible. This script is different from
# the "disableAirport.sh" script in that the user can still re-enable the airport after the script
# turns it off. If you would like to completely disable the airport, try running the
# "disableAirport.sh" script.
#
####################################################################################################
#
# HISTORY
#
# Version: 1.2
#
# - Created by Nick Amundsen on August 7th, 2008
# - Updated by Nick Amundsen on April 21st, 2010
# - Added support for 10.6 - networksetup command now requires interface name
# - Updated by Craig Ernst on June 28th, 2012
# - Added support for 10.7 - networksetup command now requires reference to Wi-Fi service
#
####################################################################################################
#
# SCRIPT CONTENTS - DO NOT MODIFY BELOW THIS LINE
#
####################################################################################################
OS=`/usr/bin/defaults read /System/Library/CoreServices/SystemVersion ProductVersion | awk '{print substr($1,1,4)}'`
if [[ "$OS" < "10.5" ]]; then
echo "Turning off the airport for OS $OS..."
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/networksetup -setairportpower off
elif [[ "$OS" == "10.5" ]]; then
echo "Turning off the airport for OS $OS..."
/usr/sbin/networksetup -setairportpower off
elif [[ "$OS" == "10.6" ]]; then
echo "Turning off the airport for OS $OS..."
/usr/sbin/networksetup -setairportpower AirPort off
else
echo "Turning off the airport for OS $OS..."
/usr/sbin/networksetup -setnetworkserviceenabled Wi-Fi off
fi
I have a question about why you need the SSH access for multiple people. I understand that every site is different, but it is beyond rare for us to actually SSH into a box and as such the only account that can do it is our management account to allow the JSS tools to get in. Granted this doesn't work if there are good reasons to have SSH access and you don't want others to have the management account. In more current versions of the OS you have to start digging into DSCL and the com.apple.access_ssh entry instead of the config file in /etc/sshd_config. Found this site useful. I didn't have time to dig into it more:
http://lists.apple.com/archives/remote-desktop/2009/Aug/msg00026.html
Will keep looking more into
Posted on 06-28-2012 12:34 PM
In the meantime I wrote this script for our patch management issue as a quick and dirty...
#!/bin/sh
#getting the first 7 bytes of the IP address to see if the address is internal or external
en0ipsuffix=$(ifconfig en0 inet 2>/dev/null | grep inet | cut -d" " -f2 | cut -b1-7)
en1ipsuffix=$(ifconfig en1 inet 2>/dev/null | grep inet | cut -d" " -f2 | cut -b1-7)
#get the logged in user
user=$3
if [ "$user" = "" ]; then
echo "Error: This script must be run at the login trigger. Please correct the trigger that is being used to run the policy."
exit 1
fi
#error handling to make sure we have retrieved at least one good IP address
if [ "$en0ipsuffix" = "" ] && [ "$en1ipsuffix" = "" ]; then
echo "Error did not retrieve an IP address"
exit 1
fi
#determine if one or more ip address is internal
if [ "$en0ipsuffix" = "138.237" ] || [ "$en1ipsuffix" = "138.237" ] ; then
echo "Computer is on the internal network, leaving SUS settings alone"
exit 0
else
echo "Computer is on an external network, changing SUS back to default"
#delete the managed preferences that set the SUS to internal servers (must be run as root)
defaults delete "/Library/Managed Preferences/com.apple.SoftwareUpdate" CatalogURL
defaults delete "/Library/Managed Preferences/$user/com.apple.SoftwareUpdate" CatalogURL
fi
exit 0
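The script above (and its copy in the original post) decides "internal or external" by comparing the first seven characters of the address with 138.237. As an added example that is not part of this thread, the POSIX shell functions below make the same decision by CIDR membership, so a /24, or a second internal range, can be added without touching the string-cutting logic. The /16 mask on 138.237.0.0 and the extra 10.0.0.0/8 range are assumptions made for the example, and the ifconfig output is a constructed sample, not captured from a real host; the part that touches the machine is macOS-only and runs only when invoked with --live.

```shell
#!/bin/sh
# Added example: classify a Mac as on the internal network by CIDR membership.
# 138.237.0.0/16 is the prefix the thread's script tests for; the /16 mask and
# the second range are assumptions made for this example.
INTERNAL_NETS="138.237.0.0/16 10.0.0.0/8"

# Constructed sample of `ifconfig en0 inet` output (not from a real host).
SAMPLE_IFCONFIG='en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 138.237.12.34 netmask 0xffff0000 broadcast 138.237.255.255'

# ip_to_int A.B.C.D -> prints the address as a 32-bit integer; fails unless the
# input is exactly four dotted decimal octets in the range 0-255.
ip_to_int() {
    case $1 in
        *[!0-9.]*|"") return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr A.B.C.D NET/BITS -> exit 0 when the address is inside the network
# (a bare address with no /BITS is treated as a /32 host entry)
in_cidr() {
    case $2 in
        */*) ;;
        *) set -- "$1" "$2/32" ;;
    esac
    ip_n=$(ip_to_int "$1") || return 1
    net_n=$(ip_to_int "${2%/*}") || return 1
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip_n & mask )) -eq $(( net_n & mask )) ]
}

# is_internal A.B.C.D -> exit 0 when the address is inside any INTERNAL_NETS entry
is_internal() {
    for net in $INTERNAL_NETS; do
        in_cidr "$1" "$net" && return 0
    done
    return 1
}

# first_ipv4 <ifconfig output> -> prints the first "inet" address in the text
first_ipv4() {
    printf '%s\n' "$1" | awk '$1 == "inet" { print $2; exit }'
}

# classify <ifconfig output> -> prints internal, external, or none
classify() {
    ip=$(first_ipv4 "$1")
    if [ -z "$ip" ]; then
        echo none
    elif is_internal "$ip"; then
        echo internal
    else
        echo external
    fi
}

# Live use on a Mac (macOS-only; not exercised here). Runs only with --live so
# that sourcing or testing the file does not change Software Update settings.
if [ "${1:-}" = "--live" ]; then
    verdict=none
    for iface in en0 en1; do
        v=$(classify "$(ifconfig "$iface" inet 2>/dev/null)")
        [ "$v" = internal ] && verdict=internal
        [ "$v" = external ] && [ "$verdict" = none ] && verdict=external
    done
    case $verdict in
        internal) echo "On the internal network, leaving SUS settings alone" ;;
        external)
            echo "On an external network, pointing Software Update back to Apple"
            defaults delete "/Library/Managed Preferences/com.apple.SoftwareUpdate" CatalogURL ;;
        *) echo "Error: did not retrieve an IP address"; exit 1 ;;
    esac
fi
```

Run it with --live from the same login-triggered policy the thread uses; because the decision lives in `is_internal`, the same functions can be sourced into an extension attribute script to report internal/external in inventory.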
Posted on 06-28-2012 12:42 PM
ernstcs, for SSH access I actually have it setup to ON -> only these user -> Administrators on our domain image.
The problem is that not every computer has been imaged with our domain image (another argument for a different day).
So basically I need to change the SSH setting from On -> all users -> to ON -> only these user -> Administrators
or
ON -> only these user -> a local admin account
for computers that aren't set right.
Posted on 06-28-2012 12:43 PM
Thomas, you don't need to delete the plist files for SUS. I assume all the Macs that would run this are managed by Casper? If so, just do-
sudo jamf removeSWUSettings
That points them back to Apple (both in root and the top level Library locations)
Posted on 06-28-2012 12:57 PM
mm2270, I've found that command to be less than reliable... (meaning I've never seen it actually do what it's supposed to do)
Posted on 06-28-2012 01:27 PM
OK, odd. It's always worked for me, but it could be a difference in the jamf binary version (we're still on 8.4 at the moment). Anyway, I misread your script. I see now that you're just deleting the CatalogURL from the plist, not the whole plist, so that's fine. I think the jamf command does the same thing anyway. Whatever works.
Posted on 06-28-2012 01:34 PM
ernstcs, my partner in crime (i.e. co-worker) found something for SSH changes that looks like it will fit our bill:
https://jamfnation.jamfsoftware.com/viewProductFile.html?id=135&fid=460
Posted on 07-03-2012 07:05 AM
So I think I have the beginnings of a script that will help answer issue 8 more completely:
#!/bin/bash
#the array and [[ ]] tests below need bash rather than plain sh
username="$3"
domainname=`dscl . -read /Users/$username | awk '/^OriginalNodeName:/,/^Password:/' | head -2 | tail -1 | cut -c 2- | cut -d/ -f4`
batchfilename=`/usr/bin/dscl /Search read /Users/$username SMBScriptPath | head -1 | awk '{print $2}'`
#If the domainname is still blank, report an error
if [ "$domainname" = "" ]; then
    echo "Error: Could not obtain a domain name from dscl."
    exit 1
fi
echo "The domain name is $domainname"
#If the batchfilename is still blank, report an error.
if [ "$batchfilename" = "" ]; then
    echo "Error: Could not obtain a batch file name from dscl."
    exit 1
fi
echo "The batch file name is $batchfilename"
#Create a path to access
batchfilelocation="//$domainname/NetLogon"
echo "Using $batchfilelocation as the batch file location"
#Check to see if the Volume is already mapped
if [ -d "/Volumes/NetLogon" ]; then
    echo "NetLogon already in use"
else
    #mount NetLogon
    mkdir /Volumes/NetLogon
    mount -o nobrowse -t smbfs "$batchfilelocation" /Volumes/NetLogon
fi
#Put all of the file locations into an array
#IFS had to be written this way because it does not accept \n
#to pivot on newlines. You have to give it a literal newline to change it from spaces. This allows grep to dump a whole line into the array
IFS='
'
#make sure NetLogon actually mapped before trying to grep anything
if [ -d "/Volumes/NetLogon" ]; then
    #keep the lines that contain a UNC path (a backslash), lowercase them, drop the quotes, turn backslashes
    #into slashes, strip "/persistent:no" and the "net use x:" prefix, then remove any remaining odd characters
    arr=($(grep '\\' "/Volumes/NetLogon/$batchfilename" | tr '[A-Z]' '[a-z]' | sed 's/"//g' | sed 's:\\:/:g' | sed 's| /persistent:no||g' | sed 's|net use [a-z]: ||g' | sed 's/[^a-z_/ .0-9]//g'))
else
    echo "Error: NetLogon Mount Failed"
    exit 1
fi
#process all the shares in the array
for i in "${arr[@]}"; do
    #make sure the line in the batch file was not commented out
    if [[ $i != *rem* ]]; then
        #Determine a volume name based on the share (its last path component)
        volumename=`echo "$i" | sed 's:\\: :g' | sed 's:/: :g' | awk '{print $NF}'`
        echo "Volume name will be created as $volumename"
        #Check to see if the Volume is already mapped
        if [ -d "/Volumes/$volumename" ]; then
            echo "Volume name $volumename already in use"
        else
            #Proceed to mount the share
            mkdir "/Volumes/$volumename"
            mount -t smbfs "$i" "/Volumes/$volumename"
        fi
    fi
done
diskutil unmount /Volumes/NetLogon
exit 0
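The grep/tr/sed chain in that script is its fragile part: it lowercases everything, reduces `%username%` to the literal word username, and, once the quotes are stripped, a share name containing a space is no longer a single path. As an added example that is not the thread's own code, the parser below reads the `net use` lines of a logon script into `//server/share` paths with one awk program, skipping `rem` lines and `net use /delete`, keeping case and spaces, and substituting the logged-in user for `%username%`. The batch file and the server name fileserver.example.internal are constructed for the example; the mount section at the end is macOS-only, assumes /Volumes/NetLogon is already mounted as the script above does, and runs only with --live.

```shell
#!/bin/sh
# Added example: turn the "net use" lines of a Windows logon script into
# //server/share paths of the form `mount -t smbfs` takes.

# Constructed sample logon script (the server name is a placeholder).
SAMPLE_BATCH='@echo off
rem Map the departmental shares
net use H: \\fileserver.example.internal\home\%username% /persistent:no
NET USE S: "\\fileserver.example.internal\Shared Docs" /persistent:no
rem net use X: \\old-server.example.internal\archive
net use P: \\fileserver.example.internal\projects
net use /delete Z:'

# netlogon_shares <batch text> <username> -> one //server/share path per line
netlogon_shares() {
    printf '%s\n' "$1" | tr -d '\r' | awk -v user="$2" '
        { line = $0; lower = tolower($0) }
        # comment lines, and anything that is not a drive mapping, are dropped
        lower ~ /^[ \t]*rem([ \t]|$)/ { next }
        lower !~ /^[ \t]*net[ \t]+use[ \t]+[a-z]:/ { next }
        {
            # drop "net use X:" (any case), then trailing options such as /persistent:no
            sub(/^[ \t]*[Nn][Ee][Tt][ \t]+[Uu][Ss][Ee][ \t]+[A-Za-z]:[ \t]*/, "", line)
            sub(/[ \t]+\/.*$/, "", line)
            gsub(/"/, "", line)
            gsub(/\\/, "/", line)
            gsub(/%[Uu][Ss][Ee][Rr][Nn][Aa][Mm][Ee]%/, user, line)
            # keep only well-formed //server/share paths
            if (line ~ /^\/\/[^\/]+\/./) print line
        }'
}

# volume_name <//server/share/path> -> last path component, used as the mount point name
volume_name() {
    printf '%s\n' "$1" | awk -F/ '{ print $NF }'
}

# Live use on a Mac bound to AD (macOS-only; not exercised here). Usage:
#   script.sh --live <username>
# Assumes /Volumes/NetLogon is already mounted, as the script above does.
if [ "${1:-}" = "--live" ]; then
    user=${2:?"usage: $0 --live <username>"}
    batch="/Volumes/NetLogon/$(/usr/bin/dscl /Search -read "/Users/$user" SMBScriptPath | awk 'NR == 1 { print $2 }')"
    netlogon_shares "$(cat "$batch")" "$user" | while IFS= read -r share; do
        vol="/Volumes/$(volume_name "$share")"
        if [ -d "$vol" ]; then
            echo "$vol already in use"
        else
            mkdir "$vol" && mount -t smbfs "$share" "$vol"
        fi
    done
fi
```

The parser keeps share names with spaces exactly as the batch file wrote them; check how your mount_smbfs expects such names before relying on that, since the thread's sed chain silently produced two fragments for them.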
Posted on 07-03-2012 08:05 AM
another way to turn wireless power off:
#!/bin/bash
airport=`/usr/sbin/networksetup -listallhardwareports | /usr/bin/awk '/Wi-Fi|AirPort/ {getline; print $2}'`
/usr/sbin/networksetup -setairportpower $airport off
echo "power to $airport is off."
this cat has no skin…
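As an added example (not the thread's or JAMF's own code), here is the hardware-port lookup from the post above turned into POSIX shell functions that return both the port name (AirPort on 10.6, Wi-Fi on 10.7) and its BSD device, so one script can feed `-setairportpower` and `-setnetworkserviceenabled` without branching on the OS version. The listings are constructed samples of `networksetup -listallhardwareports` output, not captured from real machines; the live part at the bottom is macOS-only and runs only with --live.

```shell
#!/bin/sh
# Added example: find the wireless hardware port and its device from
# `networksetup -listallhardwareports` output, whatever the OS calls it.

# Constructed sample listings (not captured from real hosts).
SAMPLE_107='Hardware Port: Ethernet
Device: en0
Ethernet Address: 00:00:00:00:00:01

Hardware Port: Wi-Fi
Device: en1
Ethernet Address: 00:00:00:00:00:02

Hardware Port: Bluetooth PAN
Device: en2
Ethernet Address: N/A'

SAMPLE_106='Hardware Port: Ethernet
Device: en0
Ethernet Address: 00:00:00:00:00:03

Hardware Port: AirPort
Device: en1
Ethernet Address: 00:00:00:00:00:04'

# wifi_port <listing> -> prints "<port name><TAB><device>", or nothing when there is no wireless port
wifi_port() {
    printf '%s\n' "$1" | awk -F': ' '
        $1 == "Hardware Port" { port = ($2 == "Wi-Fi" || $2 == "AirPort") ? $2 : "" }
        $1 == "Device" && port != "" { print port "\t" $2; exit }'
}

# wifi_service <listing> -> the service/port name only (AirPort or Wi-Fi)
wifi_service() { wifi_port "$1" | cut -f1; }

# wifi_device <listing> -> the BSD device only (for example en1)
wifi_device() { wifi_port "$1" | cut -f2; }

# Live use on a Mac (macOS-only; not exercised here). Runs only with --live.
if [ "${1:-}" = "--live" ]; then
    listing=$(/usr/sbin/networksetup -listallhardwareports)
    service=$(wifi_service "$listing")
    device=$(wifi_device "$listing")
    if [ -z "$device" ]; then
        echo "No wireless hardware port found; nothing to do"
        exit 0
    fi
    echo "Turning off $service ($device)"
    # power the radio off, then disable the service, as the scripts in this thread do
    /usr/sbin/networksetup -setairportpower "$device" off
    /usr/sbin/networksetup -setnetworkserviceenabled "$service" off
fi
```

Keying on the port name rather than the OS version means 10.6, 10.7, and a desktop with no wireless card all go through the same code path, and the empty-result case is handled instead of passing an empty argument to networksetup.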
Posted on 07-03-2012 10:47 AM
Hey Guys,
I want to play! Here is what I do for OS detection and I have used it in production environments to report on the AirPort or Wi-Fi MAC address for customers.
#!/bin/bash
# get wifi MAC address based on OS version
OSvers=$(/usr/bin/sw_vers -productVersion)
case ${OSvers} in
10.6*) service="Airport" ;;
10.7*) service="Wi-Fi" ;;
esac
# command to grab mac address
wirelessMAC=$(/usr/sbin/networksetup -getmacaddress ${service} | /usr/bin/awk '{ print $3 }')
/bin/echo "<result>${wirelessMAC}</result>"
You could use that same logic to pass the service into a command to turn the airport off. Even have it run at start up, login, and logout. Then use MCX to require admin rights to modify the Airport settings.
Now I will try to address each of your questions/concerns with the list.
1 - firewall - this can be done by editing the com.apple.alf.plist file I believe. It has been a while since I tinkered with it, but if memory serves this is where you can set some of those things.
2 - ssh - when you enable ssh a group is created in directory services called com.apple.access_ssh. You simply add the admin group to this group and it should allow only admin users access to ssh. To turn on ssh from the command line, just run systemsetup -setremotelogin on
dscl . read /Groups/com.apple.access_ssh GroupMembership
GroupMembership: admin
3 - see top of this post, first thing I commented on
4 - Internet Sharing. In previous versions of OS X you could simply run the /usr/libexec/InternetSharing binary to set it on or off, and that is no longer present. You could also edit the /Library/Preferences/com.apple.nat.plist. However, it seems that in 10.7 it has changed. I think by editing the /etc/apache2/httpd.conf file. If I enable it in system preferences I can see this part of the config file:
cat httpd.conf | grep -A5 "WEB"
<IfDefine WEBSHARING_ON>
#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
--
<IfDefine WEBSHARING_ON>
# Multi -language error messages
#Include /private/etc/apache2/extra/httpd-multilang-errordoc.conf
# Fancy directory listings
Include /private/etc/apache2/extra/httpd-autoindex.conf
--
<IfDefine WEBSERVICE_ON>
Include /etc/apache2/sites/*.conf
</IfDefine>
<IfDefine !WEBSERVICE_ON>
Include /etc/apache2/sites/virtual_host_global.conf
Include /etc/apache2/sites/*_.conf
Include /etc/apache2/sites/*__shadow.conf
</IfDefine>
</IfDefine>
5 - patch management can be scheduled via a policy and you can tell policies when not to run in Casper. This should be easy and straight forward. You will have to set up a SUS though, either apple branded or look at our net appliance running Reposado. You can set SWU servers by network segments, managed preference or a script.
6 - Automation of adding and remove clients from being managed? I am not sure exactly what you are being asked to do here. I have several ideas but don't want to jump the gun. Can you give me some more details and maybe an example or two on this topic?
7 - Leverage LDAP. Sounds like you got this working?
8 - Personal network shares mounting, you mean like home folders? There are ways to do this. MCX, scripts, startup and login items. Is kerberos involved?
9, 10, 11 - I don't know the answer to the third party question as I am not familiar with that product, and discussion of 10.8 is not allowed via NDA contracts most people have signed to use pre-released software from Apple.
12 - Casper can deploy settings, apps and ebooks to iOS devices. Then of course you also have inventory leverage with Casper and iOS devices as well. Saved and advanced searches, smart groups, etc. Your account manager should be able to help you get a demo of the MDM stuff. Also, 10.7 machines can use MDM management features like remote lock and remote wipe.
I hope this helps you in some manner. I also hope it actually makes sense.
Thanks,
Tom
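Point 2 in the post above ties SSH access to the membership of com.apple.access_ssh. As an added example that is neither Tom's nor JAMF's code, these POSIX shell functions audit that membership against an allow-list, so an extension attribute or smart group can flag Macs still open to everyone (the state item 2 of the original post describes), and with --live --fix add the admin group the way the post suggests. The dscl output lines are constructed samples, the allow-list containing only admin is an assumption, and treating a missing GroupMembership line as "group absent, all users" is an assumption as well.

```shell
#!/bin/sh
# Added example: audit who com.apple.access_ssh grants SSH to, against an allow-list,
# and optionally restrict it to the admin group as the post above describes.
ALLOWED="admin"   # assumption for this example: only the local admin group belongs here

# Constructed samples of `dscl . -read /Groups/com.apple.access_ssh GroupMembership`
SAMPLE_OK='GroupMembership: admin'
SAMPLE_OPEN='GroupMembership: admin jdoe helpdesk'

# ssh_members <dscl output> -> the names after "GroupMembership:", one per line
ssh_members() {
    printf '%s\n' "$1" | awk '$1 == "GroupMembership:" { for (i = 2; i <= NF; i++) print $i }'
}

# ssh_unexpected <dscl output> <allow-list> -> listed members that are not on the allow-list
ssh_unexpected() {
    ssh_members "$1" | while IFS= read -r member; do
        found=0
        for ok in $2; do
            [ "$member" = "$ok" ] && found=1
        done
        [ "$found" -eq 0 ] && echo "$member"
    done
}

# ssh_audit <dscl output> -> prints restricted, open:<names>, or no-group
# (assumption: no GroupMembership line means the group is absent, i.e. all users)
ssh_audit() {
    if ! printf '%s\n' "$1" | grep -q '^GroupMembership:'; then
        echo no-group
        return 1
    fi
    extra=$(ssh_unexpected "$1" "$ALLOWED" | tr '\n' ' ')
    extra=${extra% }
    if [ -z "$extra" ]; then
        echo restricted
    else
        echo "open:$extra"
        return 1
    fi
}

# Live use on a Mac (macOS-only; not exercised here; run as root).
# `--live` reports; `--live --fix` also turns Remote Login on and adds the admin
# group to com.apple.access_ssh, creating the group first if it is missing.
if [ "${1:-}" = "--live" ]; then
    current=$(dscl . -read /Groups/com.apple.access_ssh GroupMembership 2>/dev/null)
    verdict=$(ssh_audit "$current")
    echo "com.apple.access_ssh: $verdict"
    if [ "${2:-}" = "--fix" ] && [ "$verdict" != restricted ]; then
        /usr/sbin/systemsetup -setremotelogin on
        dseditgroup -o create -q com.apple.access_ssh 2>/dev/null
        dseditgroup -o edit -a admin -t group com.apple.access_ssh
        echo "Still listed but not on the allow-list (remove by hand): $(ssh_unexpected "$current" "$ALLOWED" | tr '\n' ' ')"
    fi
fi
```

The audit only reads the GroupMembership attribute, which is what the dscl output in the post shows; members added as nested groups show up under a different attribute, so extend `ssh_members` if your fix adds them that way.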
Posted on 07-03-2012 11:48 AM
Tom, thanks for the response! (I've also edited the OP to reflect more updated information)
Point 1: Yup, deploying the changes was tricky though. Apple didn't respect Casper trying to change that file through mcs pushes for some reason.
Point 6: Being asked for some kind of process that when a new mac starts talking on the domain that Casper automatically tries to add it to its database and manage it. Then to remove computers it needs to actively scan an IP table for computers that are no longer on the list and delete them from Casper.
Point 7: I got the intended functionality, yes, but Casper doesn't leverage LDAP to get it.
Point 8: Yes home drives, and also other shares as specified via the user login script in Windows. I've been making good progress on a bash script that will read the login script from netlogon and then map the shares that the batch file references on the Mac itself. Kerb isn't involved yet, but it needs to be. JAMF's own script that I've found to map just home drives doesn't seem to be working either. It will prompt the user to enter a password for the share every time they login. I haven't found a way to pass the tickets yet in the script to get rid of that behavior. If you go a few posts above this one, I posted the script that I currently have.
see https://jamfnation.jamfsoftware.com/viewProductFile.html?id=135&fid=476
Posted on 07-03-2012 01:42 PM
Hey Thomas,
Point 6 - There is an API, and you could write some scripts to automate the function if the Macs talk to another database. You can use Recon.app to scan network segments. Are you using SCCM and Active Directory? When a Mac is bound does it create a new computer record in AD? I mean there is a way to automate it, but it won't be easy. You'll have to write some minor code. Unless anyone else has any ideas on how to do this? Please chime in, as I could not be thinking of other ways to accomplish this.
7 - If you map your LDAP server you can leverage LDAP group membership in the scope of a policy. I wasn't sure if that is what you were looking for.
8 - A good way to test kerberos is log into an AD user account that is on a Mac that is bound to your domain controller, then just map the drive manually. If it doesn't ask for authentication kerberos is working. Alternatively, you can also check the ticket app in /System/Library/CoreServices. If the ticket is valid and exists you won't need to authenticate to any kerberized share/server.
Hope this helps,
Tom
Posted on 07-06-2012 07:09 AM
Tom,
Can you point me to documentation on the API you are talking about for Casper? We aren't using SCCM, but we do have a peoplesoft backend database that manages our IPs for us. So for example if an EA is not in this database it doesn't get an IP. The hope is to leverage that database as IPs are added/removed to it to trigger some action within Casper to try to auto add/remove the machine if it hasn't already been done so.
Not really. Our computers are not part of groups, they are just stored in departmental OUs for policies. The hope was to leverage the already created OU structure for Casper organization, but Casper isn't really set up to do something like that. This point was kinda poorly written by management since even our GPOs don't really leverage pushing policies to groups. (Users are in the same containers as their computers, so really the structure is more important than the user/group itself)
Kerb is working on the mac. I can run the same mount commands via terminal and have it work flawlessly. I can't however have the script do the same thing. Even Casper's own script to mount home drives requires me to auth every time it mounts the drive. Also, I updated my post at (7/3/12 at 9:05 AM) with my latest script. When I run it locally, it will ask me to auth and I type my pw in and it works. When I push it through Casper it doesn't prompt me for auth and fails saying that the server rejected the connection.
Lastly, what tags are you guys using to get code to show up in those little boxes? There's not really a "reply to" feature here to try and reverse engineer that feature.
Posted on 07-06-2012 07:18 AM
Thomas, download the Casper SDK DMG from the jamf site (http://www.jamfsoftware.com/developer-resources/)
There is not a whole lot of documentation on how to use it, which I personally feel is something that JAMF should beef up. There's a lot of power and capability in the API, but it can be hard to figure out exactly how to use it.
As for the tags, are you not seeing the icons above the post box when you type up a reply? There are buttons for quoting text, adding "code" tags for scripts and URLs for links among several others.
Posted on 07-06-2012 07:49 AM
Hey Thomas,
Take a look at the JAMF binary, there is a mount command. I have had issues with the Unix binary not mounting shares with Kerberos at my previous job, so I ended up using an Applescript to fix that. However, I think the `jamf mount` command may do what you need.
Thanks,
Tom