I'm having an incredibly annoying issue crop up with an increasing
number of my users based around logging in after the screensaver locks
their computer. The computer logs in but when they hit the main GUI all
of the applications appear to be in the ...
This morning we had a disruption in our LDAP service and it resulted in
a large number of people not being able to log in to their machines if
they let them fall asleep or lock. The passwords do cache though as
users are able to log in to their machine...
This may be a simple question that I'm just missing the answer for. I'm
about to switch how we give access to our network so it is done by
configuration profiles. In the interest of not needing to change the
password every time an admin leaves the co...
I'm having an incredibly frustrating problem on my hands and I'm hoping
someone has an idea of what direction I should head in. I recently
rolled out a large number of Time Machine drives to my company and
created a Self Service policy that automatical...
Thought I'd share this for anyone that might be interested. I've rolled
out 100 or so TimeMachine drives to users who leave them plugged into
their Thunderbolt Displays for convenience. The problem quickly arose
that no one was remembering to eject t...
@Mauricio in the end, the only thing protecting your creds is POSIX
permissions. Because the script gets downloaded to the JAMF application
support folder in plain text and the parameters are published in ps
output as plaintext, all the pieces are the...
Sadly these "encrypted" options don't actually increase complexity much
at all. Parameters from the JPS are passed in plain text to the sh
binary. All you need to do is run a ps aux | grep sh and you have what...
@Mauricio this is definitely best practice, but the annoying reality is
that the permissions necessary for reassigning site membership are
Computer and User update. The good thing is this means you don't have to
worry about data exfiltration. The bad...
Encrypting the keys if the package contains both parts isn't really
doing much. I utilize a similar method of leveraging the PKG itself for
getting the creds on system but I use a unix socket to pass the
credentials from the PKG directly to the LaunchD...
I've literally spent the last 2 months working on this exact issue. I've
finally designed an onboarding process that has the user select their
site at enrollment during DEPNotify. The main challenges were around
securely getting the API credentials t...