Policy to block renaming Macintosh HD

rhs615
New Contributor III

I have a few scripts that point to /Volumes/Macintosh HD/.... Because of this, if someone changes the name of the disk, the scripts fail.

Does anyone know of a way to block a user from renaming the Macintosh HD or a safe way to send out a policy to check the HD name, and then, if needed, rename back to Macintosh HD on an every 15 trigger, or something similar?

Thanks in advance!

10 REPLIES

nessts
Valued Contributor II

if it were me I would remove the disk name from your scripts and just use /
but you can figure out which of the things in /Volumes is a link and check the name of it
then you can use diskutil to rename, here is a perl snippet that should do that. I did not compile or check the syntax on this so check it out first :)

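#!/usr/bin/perl
use strict;
use warnings;

my $progname  = $0;
my $rightname = "Macintosh HD";

# The boot volume shows up in /Volumes as a symlink to /
opendir(my $dh, "/Volumes") or die "$progname: /Volumes: $!\n";
my @mounts = readdir($dh) or die "Unable to read /Volumes: $!\n";
closedir $dh;

foreach my $dir (@mounts) {
    next unless -l "/Volumes/$dir";
    # List form of system() bypasses the shell, so spaces or shell
    # metacharacters in a volume name reach diskutil as plain arguments.
    system("diskutil", "rename", "/Volumes/$dir", $rightname)
        unless $dir eq $rightname;
}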

WesWhet
Release Candidate Programs Tester

I'm assuming you're trying to run a script and the path points to a certain directory in /Macintosh HD. You can use this so it doesn't matter where the script is being run from it still works.

For example this is installing a .pkg that's in the same directory as the script.

# Get the current running path of this script.
scriptRunningPath=$(dirname "$0")

# Quote the path: it can contain spaces (e.g. "Macintosh HD").
sudo installer -pkg "$scriptRunningPath/funstuff.pkg" -target /

tlarkin
Honored Contributor

Hey Everyone,

The logical issue of just looking for /Volumes/Macintosh HD is that I could have several volumes named that, or I could mount a DMG named that, and you could get some false positives and not be able to properly rename your hard drive. I am assuming this is to do with Casper Imaging, where the volume names don't match, or are you enforcing a volume naming policy?

In the past I have had a script that looked at the device node. This may actually change for fusion drives as I don't have a Mac available to me that has fusion drives. Typically, on every Mac, /dev/disk0s2 is the boot volume. This of course is not 100% as users could run multiple partitions, or in a Mac like a Mac Pro, could have multiple hard drives. So, I have used a one liner like this to detect the device node name:

diskutil info /dev/disk0s2 | awk '/Volume Name:/ { print $3 }'
boot

I actually name my boot volume, 'boot,' clever I know, right? So, you could take that into a script to make sure the boot volume is named what you want, here is an example:

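#!/bin/bash
# Read the full volume name (it may contain spaces) from the device node
currentVolumeName=$(diskutil info /dev/disk0s2 | awk -F': *' '/Volume Name:/ { print $2 }')
setVolumeName="Macintosh HD"

# Quote both sides so a name with spaces is compared and passed as one word
if [[ "${currentVolumeName}" != "${setVolumeName}" ]]
  then diskutil rename /dev/disk0s2 "${setVolumeName}"
fi

exit 0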

You can then cache this policy and enable it for offline mode, and it will run regardless of being connected to the JSS or not. What I actually did, was run a pre-flight script in imaging that renamed the volume, because I did not care what the users named the volume and I did not want to play a game of "whack-a-mole," constantly trying to rename their boot volumes.

Just be wary that I am using device nodes in my example code, and that they could vary from different Mac model to different Mac model. Back when I was a System Administrator all 12,000 of our Macs only had 1 hard drive in them, so by default /dev/disk0s2 was always the boot drive.

If you would like Casper to just do this with a check box, please file a feature request here on JAMF Nation to have the JSS handle HD volume names, and if it gets enough votes up perhaps it could be a future feature in our product.

Thanks,
Tom

mm2270
Legendary Contributor III

@tlarkin

Using diskutil info /dev/disk0s2 isn't actually accurate in some cases. For example, on a FileVault 2 enabled system, your line returns:

Volume Name:              Not applicable (no file system)

And as you mentioned, there's no guarantee the boot drive's disk identifier will be disk0s2. You're better off using diskutil to pull the boot volume's info and forget targeting any disk id.

This is slightly less pretty but gives you better results from what I've been able to test-

diskutil info / | awk -F":" '/Volume Name/{print $NF}' | sed 's/^ *//g'

The rest of the script would be the same.

tlarkin
Honored Contributor

Mike,

Yup I did not test on a FV2 enabled system, good catch! Another method I have used in the past, is using the bless command. However, I have noticed if a user changes the boot volume in the Start Up Volume under System Preferences you get weird results. So, you could detect it like so:

$ bless --getBoot
/dev/disk0s2

You can see the output is /dev/disk0s2 like on a majority of Macs out there. Fusion drives also probably throw a logical monkey wrench into the mix as well. However, I like your method of just checking for the root file system.

Good call.

bentoms
Release Candidate Programs Tester

I'm with @nessts just use /.

Much easier & portable.

chris_kemp
Contributor III

I have a script that runs under every15 that checks this, and fixes it if necessary:

#!/bin/sh

export VolumeName=`diskutil info / | grep "Volume Name" | cut -c 30-`

if [ "$VolumeName" != "Macintosh HD" ];
then diskutil renameVolume "$VolumeName" "Macintosh HD"
exit 1; 
fi

This has worked quite well for the past few years, mainly to keep fat-fingered users from renaming the volume accidentally.

mvught
Contributor

I want to have a smart group before running this script. The criteria is not available in the SmartGroups so I need an extension attribute for this to do it.
Can anyone give me a push in the right direction?

franton
Valued Contributor III

You can't scope smart groups to extension attributes so you'll have to build in the logic into the script.

I run this as an attribute. It's similar to @chris.kemp's script above.

#!/bin/bash

# Script to find the name of the current boot volume

# Author  : r.purves@arts.ac.uk
# Version : 1.0 - Initial Version

# Grab the current boot volume name

BootVolume=$( diskutil info / | grep "Volume Name" | cut -c 30- )

# Check and rename if necessary

if [ "$BootVolume" != "Macintosh HD" ];
then
    diskutil renameVolume "$BootVolume" "Macintosh HD"
fi

# Grab the current boot volume name again and report to the JSS.

BootVolume=$( diskutil info / | grep "Volume Name" | cut -c 30- )

echo "<result>$BootVolume</result>"

exit 0

dstranathan
Valued Contributor II

Related (but not identical) situation...

1) Custom Extension Attribute:
Input Type: Script
Data Type: String

Reports the Boot Volume name to the JSS during its normal update inventory process (or a recon).

#!/bin/sh
bootVolume=`diskutil info / | grep "Volume Name" | cut -c 30-`
echo "<result>$bootVolume</result>"

2) Smart Group:

Computers are added to a specific Smart Group if the boot volume name is NOT named "Macintosh HD". Based on the Extension Attribute above.

3) Policy:

Trigger: Startup (could be set to be more aggressive)
Frequency: Ongoing
Scope: Smart Group (see above)
Payload: Script, Update Inventory

If a computer is in the Smart Group, run the script payload below, and update the JSS inventory.

4) Script:

Rename the boot volume to “Macintosh HD”

This script is a payload in the Policy above.

#!/bin/sh
/usr/sbin/diskutil renameVolume / "Macintosh HD"
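
Added example (not part of any post in this thread): a POSIX sh version of the check that reads the name from the mount point / rather than a device node, keeps the whole name even when it contains spaces or colons, and hands it to diskutil only as a quoted argument. The function names and the sample diskutil output are constructed for illustration.

```shell
#!/bin/sh
# Added example. Function names and SAMPLE_INFO are constructed for illustration.

# Constructed sample of `diskutil info` text; the name contains a colon and spaces.
SAMPLE_INFO='   Device Identifier:        disk1
   Device Node:              /dev/disk1
   Volume Name:              Lab: Disk 1
   Mounted:                  Yes'

# Print the volume name found in `diskutil info` text read from stdin.
# Only the label and the padding after it are stripped, so the result does
# not depend on column positions or on splitting at ":" or whitespace.
volume_name_from_info() {
    sed -n 's/^[[:space:]]*Volume Name:[[:space:]]*//p' | head -n 1
}

# Print "ok", "rename" or "skip" for a wanted name ($1) and a current name ($2).
rename_decision() {
    case $2 in
        "$1") echo ok ;;
        ""|"Not applicable (no file system)") echo skip ;;  # nothing usable was read
        *) echo rename ;;
    esac
}

# Check the volume mounted at / and rename it when it differs from $1.
# Returns 0 when the name is already right or the rename succeeded.
enforce_boot_volume_name() {
    current=$(diskutil info / | volume_name_from_info)
    case $(rename_decision "$1" "$current") in
        ok) return 0 ;;
        rename) diskutil renameVolume / "$1" ;;
        *) echo "could not read the boot volume name" >&2; return 1 ;;
    esac
}

# Usage in a policy script: enforce_boot_volume_name "Macintosh HD"
```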