Prestage - Authentication options?

CCNapier
Contributor

Ideally we want our technicians to authenticate before prestage imaging kicks in, but this doesn't seem possible; when a Mac is netbooted (and not already in the DB), Casper Imaging starts without authentication and counts down for Prestage.

We want a hands-off approach; we don't want technicians to log into Casper to add serial numbers, or increment the count for prestage - we want prestage to just work on all machines. Of course, if a normal user netboots accidentally, it could prestage and image their machine if it's not already enrolled!

Can anyone suggest a way to enforce the Authentication prompt to appear, OR some other workaround (I was thinking prestage could add to Casper and then run a script to reboot and netboot again somehow, which would then use normal Casper Imaging (no prestage) and hence present login box)?


davidacland
Honored Contributor II

I just had a quick look and couldn't see it as an option. The possibilities that you could try are:

  • Leave the local username and password fields empty in the prestage, which should need them to input it before it could run
  • Limit what networks can use the prestage via the scope (although this would mean imaging in a separate / dedicated area before deploying to desk)

CCNapier
Contributor

@davidacland The local username and password fields are already empty, but it auto-logs in. I tried adding "test" as the username and password to see if this would stall the imaging, but it still logged in! I assume the credentials are wrapped somewhere in the NBI (hint: I created the NBI with you sitting beside me less than a month ago)

davidacland
Honored Contributor II

Ah, that might be if it's logging in as root. In that case it doesn't need authentication to run Casper Imaging.

daz_wallace
Contributor III

Hi @CCNapier

From memory, I don't think you can enable "Prestage" but still require a tech to login.

My understanding of the use case is Prestage is used to have Macs automatically reimage themselves with no user interaction and so wouldn't be suitable for this usage.

Full Disclosure, I haven't used an Imaging Prestage for a few years.

Hope that answers your question!

Darren

gachowski
Valued Contributor III

@CCNapier

What about scoping pre-stage to the MAC address of Thunderbolt adapters and then adding 4 or 5 per your imaging locations? We do that in our testing environment and control access to the Thunderbolt adapters.

In production we set the pre-stage to auto run and scoped to subnets, but we don't have Casper Imaging auto launch on log in, so the user would have to netboot and then launch Casper Imaging from the dock... so that is a few steps they have to do to "image" a personal Mac... not likely to happen by accident. I just set the pre-stage increment counts high and check them once every few weeks or so...

  1. Know how the imaging works
  2. Be on the same subnet as the imaging netboot (no IP helpers)
  3. Launch Casper Imaging

Also there is a "run automatic" check box in the pre-stage; have you tested with that not checked? I think that might "require" a log in.

C

PS you can get rid of the count down in the Autorun Imaging JSS setting

PSS, have you thought about how you are going to re-image machines? If "we don't want technicians to log into casper", you are going to have to have a script for the technicians to run to delete the machines with the API... and the best way to do that is a script on a netboot server... that is why our Casper Imaging doesn't launch on log in...

CCNapier
Contributor

@gachowski We don't want to do anything special. If any machine, new or old, needs imaged we want to put it (or keep it) in the location and just image. Whilst attaching a TB adaptor might resolve that, it's still an extra step that really doesn't need to be done.

  • We image right across our entire IP range with IP helpers.
  • Run automatic unchecked doesn't prompt for authentication (just doesn't start imaging).
  • When I say I don't want them to "log in", I mean I don't want them to "require" logging into the JSS web admin to perform any administration before imaging. I want them to log in to start imaging so prestage is out the window.

Chris_Hafner
Valued Contributor II

The more I'm reading this, the more I wonder if Pre-Stage is the way you want to handle this in the first place. Why not just skip the prestage and roll that way?