Simple question - best practice: Casper Remote, SSH, Account Creation

matthew_ellis
New Contributor

I am in a trial of Casper right now, and looking for a little guidance, if anyone has some to offer.

I want to create a management or service account on each workstation, hide it from the local user, enable it for SSH, and turn SSH on (to allow Casper Remote).

Is there a best practice approach for this from within JSS?

I have seen a few different articles on this here at JAMFNATION and am not sure yet which way to go.

Thanks in advance.

Matthew Ellis

1 ACCEPTED SOLUTION

JPDyson
Valued Contributor

Best Practices depend upon goals, environments, and customers. You need to understand your options and make a choice.

You could, for example, do everything you described by creating a Quick-Add package (using the Recon app) and deploying that to the Macs you wish to manage. You could do OTA enrollment, and set the Computer Management Framework Settings (again, all of the options you want are there), and have users or techs run that by visiting https://yourjss.com:8443/enroll. Another option is to use Casper Imaging and just make sure you set up the configuration to utilize your desired management account (settings built in for hiding it).

If you had existing Macs, and were already attempting to manage them somewhat (for example, with ARD), I might use a Quick-Add package and send that out. If you wanted to start from scratch, depending on your model, I might go with Imaging (strict/managed) or Self-enrolled (BYOD, self-service, etc).

Personally, our Macs get ordered through controlled processes (mostly) and get set up by techs before the user ever touches them, so we do this via Casper Imaging. Back when this was first started, there was a combination of techs using the enroll URL or a Quick-Add package deployed as a part of another imaging workflow (DeployStudio, I think).


3 REPLIES

Not applicable

How are you getting machines into the JSS? Imaging? Recon? QuickAdd package? Web-based enrollment? The same basic steps are available everywhere; you just need to configure them.

As a consultant, whether I keep the local admin account hidden or not, I usually let Casper create the account from a never-booted image, and enable SSH strictly for that account. Again, whether it's hidden or not depends upon the particular client's needs...

clifhirtle
Contributor II

I use a service account plus an Active Directory management group scoped for SSH access on our Macs. The service account is created, hidden and configured with your basic QuickAdd package, then the AD group is added to SSH access with a subsequent Casper policy.
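For anyone who wants to see what the "subsequent Casper policy" step above actually does on the Mac, here is an added example script (not code from this thread, JAMF, or any poster) that performs the whole procedure the question asks about on one machine: create a hidden local admin account, turn on Remote Login, and restrict SSH to that account plus an AD group through the `com.apple.access_ssh` group, which is the same mechanism the Sharing pane's "Only these users" option uses. The account name `casperadmin`, the AD group name `mac-ssh-admins`, and the password coming from the `MGMT_PASS` environment variable are all assumptions; substitute your own. With `DRY_RUN=1` (or the `dry-run` argument) it prints the commands instead of executing them, so you can review it without root.

```shell
#!/bin/sh
# Added example, not from the thread: post-enrollment policy script that
# creates a hidden management account, enables SSH, and limits SSH access
# to that account and one AD group. Needs root unless DRY_RUN=1.

MGMT_USER="${MGMT_USER:-casperadmin}"        # assumed account name
MGMT_PASS="${MGMT_PASS:-}"                   # assumed: supplied via environment
SSH_AD_GROUP="${SSH_AD_GROUP:-mac-ssh-admins}"   # assumed AD group name
DRY_RUN="${DRY_RUN:-0}"

# Print the command in dry-run mode; otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Hidden admin account. IsHidden=1 (OS X 10.10+) keeps it off the login
# window and out of Users & Groups; older releases hid it with a UID below
# 500 plus the loginwindow Hide500Users preference instead. The password is
# visible in argv while sysadminctl runs, so feed it from a Jamf script
# parameter at policy time rather than hard-coding it in the script.
create_hidden_mgmt_account() {
    run sysadminctl -addUser "$MGMT_USER" -fullName "Casper Management" \
        -password "$MGMT_PASS" -admin
    run dscl . -create "/Users/$MGMT_USER" IsHidden 1
}

# Enable Remote Login so Casper Remote can reach the Mac over SSH.
enable_ssh() {
    run systemsetup -setremotelogin on
}

# Once com.apple.access_ssh exists and has members, sshd accepts only those
# members. Add the management account and the AD group, nothing else.
restrict_ssh_access() {
    if [ "$DRY_RUN" = "1" ] || ! dseditgroup -o read com.apple.access_ssh >/dev/null 2>&1; then
        run dseditgroup -o create com.apple.access_ssh
    fi
    run dseditgroup -o edit -a "$MGMT_USER" -t user com.apple.access_ssh
    run dseditgroup -o edit -a "$SSH_AD_GROUP" -t group com.apple.access_ssh
}

# Checks a tech can run afterwards (or wrap in an extension attribute).
verify() {
    run systemsetup -getremotelogin
    run dsmemberutil checkmembership -U "$MGMT_USER" -G com.apple.access_ssh
    run dscl . -read "/Users/$MGMT_USER" IsHidden
}

main() {
    if [ "$DRY_RUN" != "1" ]; then
        [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 2; }
        [ -n "$MGMT_PASS" ] || { echo "set MGMT_PASS" >&2; return 2; }
    fi
    create_hidden_mgmt_account
    enable_ssh
    restrict_ssh_access
    verify
}

# Usage: sh mgmt-ssh.sh dry-run     (print the commands)
#        MGMT_PASS=... sh mgmt-ssh.sh apply   (as root, make the changes)
case "${1:-}" in
    apply)   DRY_RUN=0; main ;;
    dry-run) DRY_RUN=1; main ;;
esac
```

Two things worth keeping in mind when you turn this into a policy: the AD group only resolves once the Mac is bound to the domain, so order the policy after binding, and the `dsmemberutil checkmembership` line is the quickest way to confirm that the restriction took effect before you rely on it from Casper Remote.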