Posted on 10-31-2012 09:04 AM
I want a policy to trigger when a user logs in to a machine for the first time (imagine a new user getting a new computer). I don't want the policy to ever trigger on machines that are already existing in the JSS, only a machine that has been recently given to a new user (or a machine that has just had the Casper agent installed for the first time). I'm basically trying to have all new imaged machines execute a FileVault encryption policy, but I don't want it to go to any of my existing 10.8 users.
Currently I'm running Casper Suite 8.6 and I'm really only concerned about targeting Mountain Lion systems.
Solved! Go to Solution.
Posted on 10-31-2012 09:42 AM
Well, if you want it for newly recon'ed machines, why not smart group for JSS Computer ID more than "x" (where x is the last machine in your JSS at the moment), and further scope the smart group to OS like 10.8
Posted on 10-31-2012 09:48 AM
But the login once per computer would also capture any existing 10.8 Macs, which it seems Vince is looking to exclude, so it would need to be a little more specific.
Just curious, but why do you need to exclude any existing 10.8 Macs from the policy? Something internal or political perhaps? Not matter really, just wondering.
Here are a few things to think about-
1- Create a Smart Group using JSS IDs of a number starting higher than the last Mac currently in your inventory. For ex, if your highest JSS Computer ID is 1021, create a Smart Group that starts from 1022 and up to some really high number and also add in that the OS needs to be "Like 10.8." to get only Macs that are new and are running Mountain Lion. Then set the policy to Login Once Per User or Once Per Computer.
2- You could drop some hidden file on all of your current 10.8 Macs with a policy. A simple identifier of sorts that could be read back in a script that executes first from the policy. If it sees it, it exits. If the script does not see the file, it assumes its a new 10.8 Mac and then executes the policy using a manual trigger id.
Edit: Heh, Andrina beat me to it. ;-) I'd def go with using the JSS ID smart group.
Posted on 10-31-2012 09:38 AM
You could scope it via meta data and smart group using the at login once per computer.
Posted on 10-31-2012 09:42 AM
Well, if you want it for newly recon'ed machines, why not smart group for JSS Computer ID more than "x" (where x is the last machine in your JSS at the moment), and further scope the smart group to OS like 10.8
Posted on 10-31-2012 09:48 AM
But the login once per computer would also capture any existing 10.8 Macs, which it seems Vince is looking to exclude, so it would need to be a little more specific.
Just curious, but why do you need to exclude any existing 10.8 Macs from the policy? Something internal or political perhaps? Not matter really, just wondering.
Here are a few things to think about-
1- Create a Smart Group using JSS IDs of a number starting higher than the last Mac currently in your inventory. For ex, if your highest JSS Computer ID is 1021, create a Smart Group that starts from 1022 and up to some really high number and also add in that the OS needs to be "Like 10.8." to get only Macs that are new and are running Mountain Lion. Then set the policy to Login Once Per User or Once Per Computer.
2- You could drop some hidden file on all of your current 10.8 Macs with a policy. A simple identifier of sorts that could be read back in a script that executes first from the policy. If it sees it, it exits. If the script does not see the file, it assumes its a new 10.8 Mac and then executes the policy using a manual trigger id.
Edit: Heh, Andrina beat me to it. ;-) I'd def go with using the JSS ID smart group.
Posted on 10-31-2012 10:15 AM
Thanks for the quick response folks! The JSS ID smart group is a great idea! And for your curiosity mm2270.. we have a certain time frame where all systems from that point forward need to be encrypted no matter what. Other folks can opt in but for the time being it's not being retroactively enforced. Good times! :)
Posted on 10-31-2012 11:06 AM
You could also have a script run post install or "At Reboot" that calls a policy with a manual trigger.
Posted on 10-31-2012 11:14 AM
We use DeployStudio and I created a script that calls the policy using a manual trigger. The problem is that we also run a script that deletes the file /private/var/db/.AppleSetupDone . Doing this makes the Mac behave as an 'out of the box' experience, having the user create their account etc. The encryption policy is set to FileVault enable the 'current or next user login', however it doesn't enable the account that is created after the user walks through the 'out of the box' questions and their account is created. If it enabled that first user I wouldn't have a problem and would definitely use that method.