Posted on 08-04-2016 06:33 AM
Hi all.
(First-time post, lifelong admirer of your work.)
Could anyone help?
As you could possibly tell, we are new to all of the above.
We have El Capitan Macs which we are integrating with our AD (not set up for Apple in the schema) using Casper Suite, which has just been installed by our third party.
We have a file cluster on 2012 R2 which stores the Windows users' profile and home directory.
What I would like to do is for the user to log on to the Mac, and for that logon to then force a network mapping to both their profile dir and home directory.
I would like the profile to be roaming,
and I would also like both shares to use variables so I can apply it to all users.
I do feel, after searching and trying different scripts out, that this is impossible, so I am reaching out to you guys.
Thank you in advance, Michael
Posted on 08-04-2016 07:30 AM
Roaming home directories is a very bad idea. Someone who knows their stuff well can get it to work, but it'll be a headache and you'll end up being lynched by your users.
Instead, you could have those shares auto-mounted. (https://jamfnation.jamfsoftware.com/discussion.html?id=14262). That's possible, but you'll need to know a little bash and applescript.
I recommend before trying to do much, you learn a little about those two languages. Mostly bash.... -t-
Posted on 08-04-2016 11:29 AM
+1000 on learning bash, it will save your bacon! Also, talk to your Apple Rep about Enterprise Connect. It will help tremendously with Kerberos Tickets, & password changes, and is capable of auto-mounting file-shares for your users.
Posted on 08-04-2016 11:39 AM
@thoule wrote:
Roaming home directories is a very bad idea.
Akin to having your nekked body dragged over broken glass.
Posted on 08-05-2016 01:04 AM
Thanks everyone.
I think the struggle for us is that we have a very weird setup and we are a financial institute, so we are locked down heavily too.
I'll take a look at the automounts and let you know how I get on.
I did get this from MacMule but truthfully do not know where to run it from, JSS or local to the Mac:
-- Get the logged-in user's username
set loggedInUser to do shell script "whoami"

-- Get the user's account UniqueID (coerced to an integer so the comparison below is numeric, not a text comparison)
set accountType to (do shell script "dscl . -read /Users/" & loggedInUser & " | grep UniqueID | cut -c 11-") as integer

-- Check whether the account is an AD account (local accounts have UniqueIDs below 1000); if it is not, exit before touching the AD node
if accountType is less than 1000 then
    tell me to quit
end if

-- Get the nodeName (the directory node the account came from) from the user's account
set nodeName to do shell script "dscl . -read /Users/" & loggedInUser & " | awk '/^OriginalNodeName:/,/^Password:/' | head -2 | tail -1 | cut -c 2-"

-- Get the user's group membership from AD
set ADGroups to do shell script "dscl " & quoted form of nodeName & " -read /Users/" & loggedInUser & " | awk '/^dsAttrTypeNative:memberOf:/,/^dsAttrTypeNative:msExchHomeServerName:/'"

-- Get the user's AD home folder; the sed turns the UNC path's backslashes into forward slashes so "smb:" & ADHome is a valid smb:// URL
set ADHome to do shell script "dscl " & quoted form of nodeName & " -read /Users/" & loggedInUser & " | grep SMBHome: | cut -c 10- | sed 's/\\\\/\\//g'"

------------------------------
--- Drives
------------------------------
-- Home folder: maps the drive specified in the profile field for the AD user; continues if the user has no profile path set
try
    mount volume "smb:" & ADHome
on error
    -- no home path set (or the mount failed): carry on to the group shares
end try

-- Checks whether ADGroups contains the user's group and, if they are in the correct groups, mounts the shares
-- ("GroupName", "server" and "share" are placeholders to replace with your own values)
if ADGroups contains "GroupName" then
    mount volume "SMB://server/share"
end if
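The same logic as the AppleScript above (AD-account check, UNC-to-smb:// conversion, group-conditional shares) written as a shell script so each step can be tested in Terminal. This is an added example, not code from the thread or from the MacMule post: the dscl output is constructed sample data so it runs on a machine that is not bound to AD, and the server, share and group names are placeholders.

```shell
#!/bin/sh
# Added example: plan the drive mappings for a user from AD attributes.
# Constructed sample of what "dscl <node> -read /Users/<user>" returns
# for an AD account (group names, server and UID are made up).
SAMPLE_DSCL_OUTPUT='dsAttrTypeNative:memberOf:
 CN=Finance-Staff,OU=Groups,DC=example,DC=com
 CN=Mac-Users,OU=Groups,DC=example,DC=com
dsAttrTypeNative:msExchHomeServerName:
 /o=Example/ou=Exchange Administrative Group
SMBHome: \\fs01\home\michael
UniqueID: 1234567'

# Constructed sample for a local account (UniqueID below 1000, no AD data).
SAMPLE_LOCAL_OUTPUT='UniqueID: 501
NFSHomeDirectory: /Users/localadmin'

# Convert a Windows UNC path (\\server\share\folder) to an smb:// URL.
# Backslashes become slashes, the leading slashes become "smb://",
# and spaces are percent-encoded so "mount volume"/open accept the URL.
unc_to_smb_url() {
    printf '%s\n' "$1" | sed -e 's/\\/\//g' -e 's#^//*#smb://#' -e 's/ /%20/g'
}

# Extract a single-line attribute (e.g. SMBHome, UniqueID) from dscl output.
#   $1 = dscl output, $2 = attribute name
dscl_attr() {
    printf '%s\n' "$1" | awk -v a="$2:" '$1 == a { sub(/^[^:]*: */, ""); print; exit }'
}

# Return 0 if the memberOf block lists a group whose CN matches $2.
# Only the lines between "memberOf:" and the next attribute are searched;
# the trailing comma stops "Finance-Staff" from matching "Finance-Staff2",
# and the comparison is case-insensitive like AD group names.
#   $1 = dscl output, $2 = group CN
in_ad_group() {
    printf '%s\n' "$1" | awk -v cn="CN=$2," '
        /^dsAttrTypeNative:memberOf:/ { inblock = 1; next }
        /^dsAttrTypeNative:/          { inblock = 0 }
        inblock && index(tolower($0), tolower(cn)) > 0 { found = 1 }
        END { exit !found }'
}

# Print the smb:// URLs to mount for this user, one per line:
# the AD home folder (if set) plus any group-conditional shares.
# Nothing is printed for local accounts (UniqueID below 1000).
#   $1 = dscl output
plan_mounts() {
    unique_id=$(dscl_attr "$1" UniqueID)
    [ "${unique_id:-0}" -ge 1000 ] || return 0
    home=$(dscl_attr "$1" SMBHome)
    [ -n "$home" ] && unc_to_smb_url "$home"
    # Group-to-share map (placeholder server and share names).
    in_ad_group "$1" "Finance-Staff" && echo "smb://fs01.example.com/finance"
    in_ad_group "$1" "Mac-Users"     && echo "smb://fs01.example.com/macsoftware"
    return 0
}

# On a real Mac, replace the sample with live data and mount each URL:
#   out=$(dscl "/Active Directory/DOMAIN/All Domains" -read "/Users/$(whoami)")
#   plan_mounts "$out" | while read -r url; do osascript -e "mount volume \"$url\""; done
plan_mounts "$SAMPLE_DSCL_OUTPUT"
```

Run it as the logged-in user (it prints the three URLs for the sample data and nothing for the local-account sample); once the printed URLs look right, swap in the live dscl read shown in the closing comment.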
Posted on 08-05-2016 01:20 AM
Post the link where you found this. I'd like to help.
Posted on 08-05-2016 01:26 AM
Hi
https://macmule.com/2011/09/08/how-to-map-drives-printers-based-on-ad-group-membership-on-osx/
As I would normally do in the Windows world, I tried to run each line of the script to see what was happening, yet could not figure it out.
Should I run it through JSS?
Any help is appreciated. Thank you in advance.
Posted on 08-05-2016 01:44 AM
His script should work, but I'm at home and don't have access to an AD environment to test. As for running the script to test, it's an AppleScript, so you can't run it line by line in a Terminal window, if that's what you have tried.
Going back to the scripting portion, it should be packaged and "installed" to each client along with the LaunchDaemon he wrote about. These two files should be copied locally, as the LaunchDaemon (think of those as Windows Startup Items) will point to the AppleScript to run when someone logs on. Being that it's almost 5 AM I need to get some sleep (plus refresh myself on that entire post MacMule made when I'm not in a zombie-like state), but surely others will continue to help tomorrow. I'll check this when I get up and add whatever I can to help out. Surely with the great people on here we can get you going in the right direction.
Posted on 08-05-2016 02:22 AM
Thanks for that mate. Yeah, get some sleep, I'll keep looking at that and figure out how to package the script and the Launch daemon and have a play around with it. Thanks @Snickasaurus
Posted on 08-05-2016 01:57 PM
The best way to deploy those (any?) scripts that you want to keep on the machine would be to place them in the location they should run from and then drag them into Composer and create a package, first making sure all scripts have the appropriate permissions. Have you played around with Composer yet?
Posted on 08-06-2016 07:33 PM
@MichaelH How's it going? Have you figured out how to deploy the scripts?
Posted on 08-07-2016 12:46 AM
@Snickasaurus & @MichaelH FWIW, run it as a LaunchAgent, not a LaunchDaemon.
LaunchAgents run as the logged-in user, so the AppleScript will then try & map the drives as the user.
But, to test the mappings... just run the AppleScript app as a user.
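A minimal LaunchAgent plist for the approach described above, added here as an example (it is not from the thread or from the MacMule post). The label com.example.mapdrives and the script path /Library/Scripts/MapDrives.scpt are assumptions; adjust them to wherever your package installs the script.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- Unique job label; also use it as the file name: /Library/LaunchAgents/com.example.mapdrives.plist -->
    <key>Label</key>
    <string>com.example.mapdrives</string>
    <!-- Run the compiled AppleScript with osascript; the path is an assumed install location -->
    <key>ProgramArguments</key>
    <array>
        <string>/usr/bin/osascript</string>
        <string>/Library/Scripts/MapDrives.scpt</string>
    </array>
    <!-- Start the job as soon as the agent is loaded, i.e. at user login -->
    <key>RunAtLoad</key>
    <true/>
    <!-- Only load in GUI (Aqua) sessions, so it runs as the logged-in user and not at the login window -->
    <key>LimitLoadToSessionType</key>
    <string>Aqua</string>
</dict>
</plist>
```

Because it lives in /Library/LaunchAgents (not /Library/LaunchDaemons), launchd starts it in the user's session, which is what lets "mount volume" mount the shares as that user. Set the plist to root:wheel with mode 644 in Composer before packaging, otherwise launchd refuses to load it.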
Posted on 08-07-2016 09:35 AM
Thanks for catching that @bentoms . I've not been sleeping well lately and I let that slip by.
Posted on 08-08-2016 05:01 PM
I am going to quote a favorite movie of mine:
"just because you can do something doesn't mean you should."
And the man who saved Apple:
"you are holding it wrong"
Do you have Apple enterprise help? While you are going to get very, very, very good advice from Jamf Nation (it's the best by far)... I would still recommend that you get Apple enterprise support and professional services; we recommend many options here that Apple doesn't, can't and knows better than to recommend....
If I were supporting a financial institution, I would want the support of Apple for every aspect of my deployment. When something goes wrong you are going to want Apple to have CYA, instead of just telling your manager/boss "that is what they told me to do on Jamf Nation"...
I would also bet that Apple can help you a lot with the settings required by your security team.
Good Luck!!!
C
PS if you need an Apple contact let me know and I think rjlemmon is an Apple employee ....
https://jamfnation.jamfsoftware.com/discussion.html?id=17757