Self Service Story

jason_stanaland
New Contributor

Hi everyone! Does anyone have a really cool story about an app that you have distributed using Self Service? Have you distributed an app (iOS or OS X, in-house or third party) via Casper Suite Self Service that has resulted in great results for your school or business? If so, please share by commenting below or shooting me an email at jason.stanaland@jamfsoftware.com. Thanks and have a great day!

18 REPLIES 18

corbinmharris
Contributor

Self Service was a great tool in the OS X 10.9 Mavericks migration last year. Earlier this year we encrypted all our Macs with FileVault2 via SelfService. Our Mac users are spread across offices in Florida, Oregon, Montevideo, Uruguay and along with remote users across the States.

We could have never met our financial and HIPA security requirements in encrypting 150 + Macs without Casper and the Self Service feature. Users were able to migrate to 10.9 then encrypt their Macs with very little assistance from support.

Corbin

andrew_stenehje
Contributor

Our 10.8 migration for teacher laptops was done through Self Service and it went really well. We had about 1,700 teachers update from 10.7 to 10.8 via Self Service in about a month and a half. In the past, that would've required lots of people re-imaging.

boberito
Valued Contributor

Our 10.8 to 10.9 migration was done through Self Service with a custom Mavericks installer. Grades 4 through 12, faculty, and staff. Nearly 500 computers done without much Tech staff involvement.

In the past we'd have to schedule a collection of computers, re-image, redistribute. But now it was painless and we were able to sit back and relax instead of stress.

rderewianko
Valued Contributor II

We try to do everything through self service.

When a user's machine breaks. They get a loaner with the base software.. We rely heavily on VPN's.

Our employees know, if they get a loaner they can get the config for vpn etc through self service.

Chris_Hafner
Valued Contributor II

My personal favorited is our "De-Brewsterization" process (I work for Brewster Academy). At the beginning of our year we do erase and image computers (for the sake of stability at the beginning of classes). Yet at the end of the year I've developed, with much assistance from JAMFNation tips and tricks; A process that removes all of our licensed software, restrictions, admin account, JAMF Binary and connections to various servers, services all while promoting the student user to "admin". Oh, and the unit takes itself out of the JSS (accountability) and all in an average of under 3 min. Most computers finish in 110 seconds but for our users that have optionally installed Adobe products via "Self-Service" take longer as they've got to run those installers as opposed to just the scripts.

It is seriously cool at least form where I come from!

musat
Contributor III

@Chris_Hafner, are those student accounts that you promote "Mobile Managed" accounts? If so, how do you convert them to a "Normal" account?

cstout
Contributor III
Contributor III

@Chris_Hafner, I've been working on setting up something that would do only a fraction of what you've accomplished in your "De-Brewsterization process." Would you mind sharing the part of your script that removes the JAMF binary and removes the record from the JSS?

Chris_Hafner
Valued Contributor II

@musat NO, these are NOT Mobile Accounts. We used them some time ago and the experience wasn't that great for anyone involved. That said, we can't authenticate our user accounts by Active Directory even though it authenticates everything else on campus. This does make it very easy to promote the "student" account to admin. That said, I have run across threads discussing how to turn a mobile account into a standard account. A long time ago when we used to do that it was as simple as removing the directory binding. I believe it's different now but not insurmountable.

@cstout I found some great ways to accomplish this after finding this thread:https://jamfnation.jamfsoftware.com/discussion.html?id=10188

Here's the breakdown of the various scripts I use at the end of the "De-Brewsterization" policy. However, this is

A) A single Policy
B) It cannot run an inventory at the end... C) This relies on the user being a standard account (I happen to know the name but that's easily gathered in a script if you don't)

•Two before Scripts run 1) Promotes user to Admin (again, I know the users shortname before hand)

sudo /usr/sbin/dseditgroup -o edit -a student -t user admin

2) A script that quits any open applications that I care about. I won't include that as it's very simple and everyones situation is different.

• Install "Uninstall" Policies for all of the Academy's licensed software. Since I force myself to use Composer to create PKGs/DMGs (for this reason) it's trivial. Simply add your licensed software to the policy and select "Un-Install". This assumes that you've created your installers as .DMGs and have indexed them. *I have about 15 of these that I use during this process.

• Install the Adobe Cleaner Tool (to be called later by script)

• Maintenance is configured to install all cached packages. This is really really important as I include un-installers for any of our Adobe CS products. These un-installers are created using AAMEE and cached when a user installs the matching Adobe products via self-service. This will run before the "after" scripts and is critical to keep in mind.

• After Scripts include the following

This cleans up some left over directories after any normal un-installers run their course as well as running that Adobe Cleaner Tool I mentioned previously.

rm -rf /Applications/Microsoft Office 2008 rm -rf /Applications/Logger Pro 3 rm -rf /Applications/Graphical Analysis 3 rm -rf /Applications/Adobe Acrobat X Pro # This will run the Adobe Cleaner Tool /Users/Shared/Adobe Creative Suite Cleaner Tool.app/Contents/MacOS/Adobe Creative Suite Cleaner Tool --removeAll=CS5-CS5.5

This little baby is what removes the computer in question from the JSS. There are many ways to do this. I've seen the original author move to a UDID based method but I've had more success with this (Calling both en1 and then en0 to hit a match)

set CAM=networksetup -getmacaddress en1 | cut -c18-35 |sed 's/:/./g' curl -k -v -u Delete:VtoU3rfwziprqpLPQUabL2QCA https://jss.baaccess.net:8443/JSSResource/computers/macaddress/$CAM -X DELETE set JAM=networksetup -getmacaddress en0 | cut -c18-35 |sed 's/:/./g' curl -k -v -u Delete:VtoU3rfwziprqpLPQUabL2QCA https://jss.baaccess.net:8443/JSSResource/computers/macaddress/$JAM -X DELETE

Now here we are. This is the last chance to do anything to the system before it's completely out of my control. My final entries (separate script) kill the two remaining processes I care about. Self-Service, from which the policy was initiated AND SophosUIServer (which doesn't get killed during the uninstall). Then I delete Self-Service and the plist that controls the custom SoftwareUpdate info that we put on our machines. This points the computer BACK to apples SUS. You'll notice that since the systems already been removed from the JSS nothing is left to automatically change it back to our servers. This doesn't matter if you're using network segments or any other policy to affect a computers SUS.

Finally I use the built in JAMF "deleteAccount" to kill my administrative account (the one that the JSS uses) and -removeFramework to kill the jamf binary.

killall "Self Service" killall "SophosUIServer" rm -r /Applications/Self Service.app rm -r /Library/Preferences/com.apple.SoftwareUpdate.plist /usr/sbin/jamf deleteAccount -username admin -deleteHomeDirectory /usr/sbin/jamf -removeFramework

This leaves the user with no connection to the JSS in any manner. No left overs, no control accounts. Perhaps the user would prefer to no longer have a user called "student" but it's their problem at that point.

With that said, please let me know if I haven't been clear about any of this. It is as simple a system that I could think of in order to accomplish what can be a very difficult task. This is why I am a Casper user. There may be fancier ways to do things, but I like the simplest. I hope I didn't leave anything out as I've only given myself a few moments to write this. I'm happy to comment on it as this was highly successful during our run a few weeks ago. While we took our time going through our students (only about 365 in a day) I could have lit this off and cleared the whole school with accountability in a MAXIMUM of 7 min from any computers "check in". Again, average time was 110 seconds over wifi ;-)

P.S. I am not a script guru by any means.

jennifer
Contributor

@Chris_Hafner Do the AAMEE uninstallers take care of de-activating the licenses for you?

Chris_Hafner
Valued Contributor II

Ahhh... I should point out that these are CS 5.5 licenses on a "site" license model form before CC... so no, but they don't have to be. We handle all Adobe upgrades via -self-service. However, we're moving to CC either this year or next and will deal with that then.

Matt
Valued Contributor

At my old job we used Self Service for just about everything.

1.) Upgrade OSX package from Mt Lion -> Mavericks
2.) OS X patches from 10.9.1 -> 10.9.2
3.) Licensed software installed based on AD group membership
4.) Self Service scripts for computer health and virus scanning
5.) Separate section for Desktop Support Tools and Scripts
6.) Common issue fixes for end user self support
7.) Cataloguing important web links for users

Aaron
Contributor II

I use Self Service for all sorts of little things, which has made life for me and my users orders of magnitude easier.

But the one thing I'm proud of is a little script I knocked up to help with password changes. We run an AD environment, and a proxy that uses NTLM auth, and it was always a hassle when it came time to change password (every 90 days). It mostly came down to user education, but there were constantly issues of keychains not getting updated, accounts getting repeatedly locked out, etc. It was a mess.

Now, I just tell the users to run a script from Self Service, and it helps them with their AD password, login, proxies, email... the lot (unfortunately not proxy passwords in Dropbox, because Dropbox doesn't seem to allow for that). The amount of support required has dropped considerably.

Chris_Hafner
Valued Contributor II

Self Service is bad @$$ isn't it!

jennifer
Contributor

@Chris_Hafner Understood. Thanks

@jason.stanaland Our answers match most everyone else:
Upgrades from 10.7-10.8
Upgrades to 10.9 (in progress)
FileVault Setup (in development)
Plugins for password resets, service desk tickets, intranet items.
General Software Updates
'First-Aid' cache clearing, permissions, etc.
and of course, the first thing we did...printers!

Not applicable

Self Service has been really useful for my creative & studio users dealing with font ID corruption from Universal Type Client 3.31 not being fully compatible with Mavericks. Since none of them are admin users, I can kill the UTC components (FMCore), flush caches, even run 'fontrestore default' if necessary, all without IT.

I've also used SS for Mavericks upgrades on a per-machine basis, sadly was never given approval to let my end users run it on their own.

Next I'm hoping to get Self Service handling login keychain resets, which I know there are already some great ideas floating around on here..

spotter
New Contributor III

Self Service has allowed our user who are mostly Doctors install software, updates, and do basic maintenance items at also any location which before required a few days if not longer. It has been a huge win for us cause when we mentioned MDM for Mac's we didn't hear any cheers but now that has changed and users are wanting their device enrolled so they can utilize Self Service... THANKS FOR A GREAT PRODUCT JAMF !!!!

agirardi
New Contributor II

This is a wonderful topic as I am preparing a speech for PSU Mac Admins and talking about self service type options to take the burden off IT, and help your customers.

Andrina Kelly had some great topics in her speech at JNUC last year (https://jamfnation.jamfsoftware.com/jnucEvent.html?eventId=15), but I am always interested to hear more ways that people are using self service. The possibilities are extensive in what you can do.

jason_stanaland
New Contributor

A big thanks to everyone in the community that responded to this thread and to everyone who uses Self Service to empower their end users be successful. I love hearing these stories. So many great things here. Thanks again everyone!