Read-only OS X account?

walt
Contributor III

Is it possible to create an account in OS X that only has the ability to read or run tasks, but not to access or make changes?
It may need a way to run commands from a remote console for auditing purposes; they were denied use of the root account. Any suggestions?

Thanks!


Chris_Hafner
Valued Contributor II

Could you be more specific about what should/should not work on the account? There's almost always a way to accomplish anything but the devil is in the details.

walt
Contributor III

I'm not familiar with their tool, but it looks like it does a system scan for patch management and generates a report back to them on their side. So the most limited way to enable an account to allow them to run, I'd presume, a remote terminal command would be necessary and sufficient.

They don't need GUI or screen sharing access to this account or system, or any way to do anything other than run a tool that checks installed applications and patches for vulnerabilities on their side.

Chris_Hafner
Valued Contributor II

OK. Mind you, I'm still not clear on 'what' you or 'they' are trying to accomplish. However, it sounds like you've got some managed Macs, and there's some team somewhere that wants limited access to those machines for the purpose of auditing apps, patches and 'vulnerabilities'. If I'm off, would you mind describing those needs, as well as the situation, in detail? Sorry, I'm just not following.

With the info we have so far, it sounds like you might want to give them limited access to the JSS. The JSS already tracks installed apps and patches, as well as running various scripts/commands in the form of Extension Attributes. No need to access computers directly.

thoule
Valued Contributor II

You're not going to make an account on the Mac that is totally read-only. Generally a company in your situation is going to either have a backdoor account to do their scans, which may be admin or not depending on company policy and goals. In order to scan user directories, it would need to be admin. If non-admin, they'd have write access to their home directory, /tmp and /Users/Shared, and read access to most everything except for other users' directories.

Some companies rely on EnCase, which allows the server to capture an image of a hard drive and RAM for forensic use. However, Guidance Software STILL doesn't have an El Cap version, so that may not be a good direction to go.

walt
Contributor III

Thanks @thoule, that makes sense and is the general direction of what I was trying to explain, but since my small team and I were not fully given information by them, we could only make out those needs.

@Chris_Hafner that helps, sorry I'm not clear... the instructions they left us were: we need a read-only account so we can do X, Y, Z (patch and app scanning). Their follow-ups were just as redundant. But I think you got the gist of it and kind of presumed either a local admin or some sort of JSS access.

Chris_Hafner
Valued Contributor II

Heh, fair enough. If it were me, I'd be sending reports or giving JSS reporting access. Then again, I don't have to answer to an infosec team.

charles_hitch
Contributor II

It sounds like you would give your infosec folks an account they use to SSH into the managed asset. I would suggest the account be set up without a password (not meaning that no password is required to log in, but rather that the password database entry for the account is unavailable; an old UNIX trick used for system accounts) and use SSH authorized keys for authentication. The account won't need admin, just be a regular user account.

walt
Contributor III

@charles.hitch, is there documentation I could research that you are aware of, or a process? I regrettably ask because it might be an option.

@Chris_Hafner yeah, it's not fun right now. Casper is still new in our environment and still being shunned; it's a very odd place to be right now, to say the least.

Thanks for all the input regardless.

donmontalvo
Esteemed Contributor III

nm

--
https://donmontalvo.com

donmontalvo
Esteemed Contributor III

@walt if InfoSec are running EnCase they'll need an account with admin rights.

--
https://donmontalvo.com

bentoms
Release Candidate Programs Tester

@walt can't you run their app via a policy? Or maybe even write EAs to capture the info they need?

Chris_Hafner
Valued Contributor II

That was my thinking. However, all you corporate folks have some weird requirements thrown down the line at you!

charles_hitch
Contributor II

@walt Here you go

#!/bin/sh
# Creates a hidden, non-admin local account that can only log in over SSH with a key.
# Must run as root.
[ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
USER_NAME="bob"
USER_UID=400              # UIDs below 500 are hidden from the login window (bash reserves UID as read-only, so use another name)
USER_GID=20               # staff
USER_HOME_DIR="/var/bob"
/usr/bin/dscl /Local/Default create "/Users/$USER_NAME" uid "$USER_UID"
/usr/bin/dscl /Local/Default create "/Users/$USER_NAME" gid "$USER_GID"
/usr/bin/dscl /Local/Default create "/Users/$USER_NAME" shell /bin/sh
/usr/bin/dscl /Local/Default create "/Users/$USER_NAME" home "$USER_HOME_DIR"
/usr/bin/dscl /Local/Default create "/Users/$USER_NAME" realname "Bob Smith"
# "*" is not a valid password hash, so no password can ever match; only the SSH key works
/usr/bin/dscl /Local/Default create "/Users/$USER_NAME" passwd '*'
ditto "/System/Library/User Template/English.lproj/" "$USER_HOME_DIR/"
mkdir -p "$USER_HOME_DIR/.ssh"
# add the auditors' public key here, e.g.:
# echo 'ssh-rsa AAAA... auditor@infosec' >> "$USER_HOME_DIR/.ssh/authorized_keys"
touch "$USER_HOME_DIR/.ssh/authorized_keys"
/usr/sbin/chown -R "$USER_UID:$USER_GID" "$USER_HOME_DIR"
/bin/chmod 700 "$USER_HOME_DIR/.ssh"
/bin/chmod 600 "$USER_HOME_DIR/.ssh/authorized_keys"
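A follow-up to charles_hitch's script, as an added example that is not part of the original thread: the script creates the key-only account, but nothing yet limits what an SSH session as that user can do once the key is accepted (it gets a full shell, port forwarding and agent forwarding). The functions below build an authorized_keys entry pinned to a single command with no PTY or forwarding, emit the matching sshd_config Match block, and check an existing entry for the required options. The account name bob, the scanner path /usr/local/bin/auditscan and the public key are placeholders, and the per-key options are the ones available in the OpenSSH that shipped with OS X of that era (the single restrict keyword only arrived in OpenSSH 7.2).

```shell
#!/bin/sh
# Added example, not from the thread. Lock an SSH audit account down to one command.
# Assumptions (hypothetical): account "bob", scanner "/usr/local/bin/auditscan".

# Build an authorized_keys line that pins the key to one command, with no PTY
# and no port/agent/X11 forwarding.  $1 = public key, $2 = command to force.
restricted_key_line() {
    printf 'command="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' "$2" "$1"
}

# sshd_config Match block that enforces the same limits server-side, so a
# later edit to authorized_keys cannot quietly relax them.  $1 = user, $2 = command.
sshd_match_block() {
    cat <<EOF
Match User $1
    PasswordAuthentication no
    PermitTTY no
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    ForceCommand $2
EOF
}

# Check that an authorized_keys line carries every restriction we require.
# Returns 0 if locked down, 1 otherwise (naming the missing option on stderr).
check_key_line() {
    line=$1
    case $line in
        ssh-*|ecdsa-*) echo "no options at all" >&2; return 1 ;;   # bare key
        *" ssh-"*)   opts=${line%%" ssh-"*} ;;    # option list precedes the key type
        *" ecdsa-"*) opts=${line%%" ecdsa-"*} ;;
        *) echo "no public key found" >&2; return 1 ;;
    esac
    for req in 'command=' no-pty no-port-forwarding no-agent-forwarding no-X11-forwarding; do
        case ",$opts," in
            *",$req"*) ;;
            *) echo "missing: $req" >&2; return 1 ;;
        esac
    done
    return 0
}

# Demo with a constructed (non-working) key.
DEMO_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHf0exampleonly auditor@infosec'
restricted_key_line "$DEMO_KEY" "/usr/local/bin/auditscan --report"
sshd_match_block bob "/usr/local/bin/auditscan --report"
```

The generated line goes into /var/bob/.ssh/authorized_keys and the Match block into /etc/ssh/sshd_config (then reload sshd). Two caveats: the forced command must live at a root-owned path the audit account cannot write, or the auditors can replace it with anything they like; and, as thoule noted, a non-admin account still cannot read other users' home directories, so a scanner that needs those will not get them this way.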