Run Policy Post OS X Upgrade Using Casper & InstallESD

freddie_cox
Contributor III

So I can successfully upgrade machines using the "drag and drop" of the installer into Casper Admin per the steps from the following document:

http://resources.jamfsoftware.com/archive/Deploying-OS-X-v10.7-or-Later-with-the-Casper-Suite.pdf

My question is how to run a policy or script of my choosing once the upgrade is compete. Since this is installing OS version dependent AD plugins the users will not be able to log in until this step is complete so it is imperative that it is done.

The process currently looks like this:

Cache Installer -> Make Policy Available in Self Service -> Run Script to unjoin machine, leaving the computer account and removing the OS Dependent plugins -> Reboot/Upgrade

Any ideas or suggestions on how to accomplish this would be greatly appreciated!

1 ACCEPTED SOLUTION

Chris
Valued Contributor

As always, so many ways to skin this cat...
Just to throw one more method in here, you can leverage /url">@rtrouton][/url's First Boot Package Install.pkg
[http://derflounder.wordpress.com/2013/05/13/first-boot-package-install-pkg/
and createOSXinstallPKG to run "Post-Upgrade" tasks.
Puzzle it together like so:
http://work.chrisdietrich.de/deploying-mavericks-via-casper-self-service/

View solution in original post

9 REPLIES 9

bentoms
Release Candidate Programs Tester

@freddie.cox (hi), which version of JSS?

freddie_cox
Contributor III

@bentoms We're at the latest, 9.22.

bentoms
Release Candidate Programs Tester

@freddie.cox, cool. Just wanted to make sure.

I guess you could use dummy receipts to right a file that is picked up by an extension attribute & then runs the binding?

Hang on, why do you need to un/re-bind? The AD Binding should work across the update.

stevewood
Honored Contributor II
Honored Contributor II

I would test using a Smart Group and a policy targeted at that group. In the workflow you listed above, the Self Service policy, just add something like this to the "Execute Command" box on the Files And Processes "tab":

touch /Library/Application Support/JAMF/Receipts/OS-Upgrade.tx | jamf recon

Have a Smart Group set to look for that "receipt", or an EA that looks for that file and a Smart Group that looks for it, or however you want to get the computer into the Smart Group.

Then have a policy that is set for "startup" that runs the scripts you want.

I would test this, obviously, because I'm not certain how the policy will react to the restart that the OS installer does. It should not trigger the policy, but you can never be too safe.

mm2270
Legendary Contributor III

@freddie.cox][/url][/url I don't know if this will work with the OS upgrade workflow, but you could try building a one time LaunchDaemon + script that you could package up and include as part of the OS upgrade policy. Something that would be installed maybe after the OS upgrade, or maybe before, I'm not sure which would make more sense.

What the LD and script could do is check for connectivity to the JSS, and when successful, have it move on to run your specific policy by ID or trigger, and finally when complete, unload and delete the LaunchDaemon as well as deleting itself, so self destructing, or self cleaning, however you want to look at it. As long as the LaunchDaemon has the RunAtLoad key and maybe a start interval of 10 seconds, it should load at startup and keep rerunning until it can connect with the JSS and run the policy, then remove itself.

Actually for that matter you could potentially script the entire bind process or whatever it is that you need to happen after the upgrade, without relying on connection to the JSS.

Does that help?

Chris
Valued Contributor

As always, so many ways to skin this cat...
Just to throw one more method in here, you can leverage /url">@rtrouton][/url's First Boot Package Install.pkg
[http://derflounder.wordpress.com/2013/05/13/first-boot-package-install-pkg/
and createOSXinstallPKG to run "Post-Upgrade" tasks.
Puzzle it together like so:
http://work.chrisdietrich.de/deploying-mavericks-via-casper-self-service/

freddie_cox
Contributor III

@bentoms If I do not unbind I get some awesome PAM errors that throw directory services into a meltdown (E.g 300% CPU utilization) following the upgrade.

Also, since they are stored in /etc and /opt I sometimes get some permissions problems following the upgrade that I have just found it easier to unbind, remove, upgrade, re-install and rejoin.

@stevewood I was toying around with that as an option, but was also concerned about how it would handle the restarts the Installer has baked in.

@mm2270 JSS Connection wouldn't be as crucial as the ability to hit our LDAP server, but I do understand the logic.

@Chris I just found the DerFlounder page. I'll take a look at the other link you posted.

Thanks all for the quick replies!

freddie_cox
Contributor III

Looking like going with @Chris suggestion is going to be the ticket.

Still working out some of the kinks in the process, but thanks all!

andrew_stenehje
Contributor

You could also refer to this thread:

https://jamfnation.jamfsoftware.com/discussion.html?id=7397

We used a LaunchD item for our 10.8 upgrade and it worked very consistently. I had hit and miss results when testing doing it via smart groups.