New List

If I'm not mistaken, the wireless port is listed as "Airport" under 10.6 and as "Wi-Fi" in 10.7, which could explain why some of your Macs are not showing they have a Wi-Fi interface. Further down in your post you mentioned both 10.6 and 10.7 Macs, so I'm going to guess that may be the reason.
If so, you'll have to put in an OS check into your script and run the appropriate command based on which OS the system is on.

o Also investigate a way to specify multiple update servers in the plist This is not possible. The .plist for the update server is only programed to accept one variable. Have talked to JAMF and a possible work around is we create another Casper server in the DMZ that clients can talk to and if they are outside of the TCU network have them update the .plist file back to the default setting.

I had to work on a similar issue where I am. We have a very mobile workforce (99% laptops) I was able to come up with something that involves a LaunchDaemon, a local script, a JSS policy and the JAMF NetSUS appliance all working in conjunction to allow users to run Software Update when outside the office and still have control over what they actually see in Software Update app. And it does not involve putting anything in the DMZ or opening anything up to the outside world.
Just pointing the clients back to Apple's servers as not a good solution for us, since we have to block certain installations.
If you're interested in knowing what I've come up with, ping me offline and I can provide you with some details. (mm2270 at me dot com) We haven't really rolled this out yet as we're still debating whether its necessary, but I've tested it out pretty thoroughly and it works.

Re: #12 - The Casper Suite cannot manage Android devices and likely never will. So I think you can take that one off the list. Unless you're only talking about what it can manage as far as iOS devices. Different story then.

mm2270, In regards to disabling Wifi it looks like you were spot on. I've adjusted the script to the following:

#!/bin/sh
OS=`/usr/bin/defaults read /System/Library/CoreServices/SystemVersion ProductVersion | awk '{print substr($1,1,4)}'`

#10.6 Wireless is referenced as Airport and 10.7 is referenced as Wi-Fi
if [[ "$OS" < "10.7" ]]; then
 echo Turning off wireless for 10.6 iMac
 /usr/sbin/networksetup -setnetworkserviceenabled Airport off
 else
 echo Turning off wireless for 10.7 iMac
 /usr/sbin/networksetup -setnetworkserviceenabled Wi-Fi off
fi

I've also emailed you for details on your patch management setup. Thanks for your response!

I just emailed you details on what I put together.

Also, in your script above, wouldn't you want it to be doing

if [[ "$OS" < "10.7" ]]; then

I think that would detect 10.6 and lower and run the correct command, otherwise you run "/usr/sbin/networksetup -setnetworkserviceenabled Wi-Fi off"

No?

:X We'll just pretend like that didn't happen and called it fixed...

X We'll just pretend like that didn't happen and called it fixed...

I'm not even sure what you're talking about ;^)

I just updated the script that was in the resource kit for 10.7 to disable the wireless. You're all doing it right, and this one is pretty comprehensive then.

#!/bin/sh
####################################################################################################
#
# Copyright (c) 2010, JAMF Software, LLC.  All rights reserved.
#
#       Redistribution and use in source and binary forms, with or without
#       modification, are permitted provided that the following conditions are met:
#               * Redistributions of source code must retain the above copyright
#                 notice, this list of conditions and the following disclaimer.
#               * Redistributions in binary form must reproduce the above copyright
#                 notice, this list of conditions and the following disclaimer in the
#                 documentation and/or other materials provided with the distribution.
#               * Neither the name of the JAMF Software, LLC nor the
#                 names of its contributors may be used to endorse or promote products
#                 derived from this software without specific prior written permission.
#
#       THIS SOFTWARE IS PROVIDED BY JAMF SOFTWARE, LLC "AS IS" AND ANY
#       EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
#       WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
#       DISCLAIMED. IN NO EVENT SHALL JAMF SOFTWARE, LLC BE LIABLE FOR ANY
#       DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
#       (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
#       LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
#       ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
#       (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
#       SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
####################################################################################################
#
# SUPPORT FOR THIS PROGRAM
#
#       This program is distributed "as is" by JAMF Software, LLC's Resource Kit team. For more
#       information or support for the Resource Kit, please utilize the following resources:
#
#               http://list.jamfsoftware.com/mailman/listinfo/resourcekit
#
#               http://www.jamfsoftware.com/support/resource-kit
#
#       Please reference our SLA for information regarding support of this application:
#
#               http://www.jamfsoftware.com/support/resource-kit-sla
#
####################################################################################################
#
# ABOUT THIS PROGRAM
#
# NAME
#   turnOffAirport.sh -- Turns the airport's power off.
#
# SYNOPSIS
#   sudo turnOffAirport.sh
#   sudo turnOffAirport.sh <mountPoint> <computerName> <currentUsername>
#
# DESCRIPTION
#   This script turns off power to the airport and can be especially useful when you want to ensure
#   that users are connecting to a wired connection when possible.  This script is different from
#   the "disableAirport.sh" script in that the user can still re-enable the airport after the script
#   turns it off.  If you would like to completely disable the airport, try running the
#   "disableAirport.sh" script.
#
####################################################################################################
#
# HISTORY
#
#   Version: 1.2
#
#   - Created by Nick Amundsen on August 7th, 2008
#   - Updated by Nick Amundsen on April 21st, 2010
#       - Added support for 10.6 - networksetup command now requires interface name
#       - Updated by Craig Ernst on June 28th, 2012
#               - Added support for 10.7 - networksetup command now requires reference to Wi-Fi service
#
####################################################################################################
#
# SCRIPT CONTENTS - DO NOT MODIFY BELOW THIS LINE
#
####################################################################################################
OS=`/usr/bin/defaults read /System/Library/CoreServices/SystemVersion ProductVersion | awk '{print substr($1,1,4)}'`

if [[ "$OS" < "10.5" ]]; then
    echo "Turning off the airport for OS $OS..."
    /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/networksetup -setairportpower off
elif [[ "$OS" == "10.5" ]]; then
    echo "Turning off the airport for OS $OS..."
    /usr/sbin/networksetup -setairportpower off
elif [[ "$OS" == "10.6" ]]; then
    echo "Turning off the airport for OS $OS..."
    /usr/sbin/networksetup -setairportpower AirPort off
else
    echo "Turning off the airport for OS $OS..."
    /usr/sbin/networksetup -setnetworkserviceenabled Wi-Fi off  
fi

I have a question about why you need the SSH access for multiple people. I understand that every site is different, but it is beyond rare for us to actually SSH into a box and as such the only account that can do it is our management account to allow the JSS tools to get in. Granted this doesn't work if there are good reasons to have SSH access and you don't want others to have the management account. In more current versions of the OS you have to start digging into DSCL and the com.apple.access_ssh entry instead of the config file in /etc/sshd_config. Found this site was useful. I didn't have time to dig into it more:

http://lists.apple.com/archives/remote-desktop/2009/Aug/msg00026.html

Will keep looking more into

In the meantime I wrote this script for our patch management issue as a quick and dirty...

#!/bin/sh
#getting the first 7 bytes of the IP address to see if the address is internal or external
en0ipsuffix=$((ifconfig en0 inet) | grep inet | cut -d" " -f2 | cut -b1-7)
en1ipsuffix=$((ifconfig en1 inet) | grep inet | cut -d" " -f2 | cut -b1-7)

#get the logged in user
user=$3

if [ "$user" = "" ]; then
    echo "Error:  This script must be run at the login trigger.  Please correct the trigger that is being used to run the policy."
    exit 1
fi

#error handling to make sure we have retrieved at least one good IP address
if [ "$en0ipsuffix" = "" ] && [ "$en1ipsuffix" = "" ]; then
    echo "Error did not retrieve an IP address"
    exit 1
fi

#determine if one or more ip address is internal    
if [ "$en0ipsuffix" = "138.237" ] || [ "$en1ipsuffix" = "138.237" ] ; then
    echo "Computer is on the internal network, leaving SUS settings alone"
    exit 0
else
    echo "Computer is on an external network, changing SUS back to default"
    #delete the managed preferences that set the SUS to internal servers (must be run as root)
    defaults delete "/Library/Managed Preferences/com.apple.SoftwareUpdate" CatalogURL
    defaults delete "/Library/Managed Preferences/$user/com.apple.SoftwareUpdate" CatalogURL
fi

exit 0

ernstcs, for SSH access I actually have it setup to ON -> only these user -> Administrators on our domain image.

The problem is that not every computer has been imaged with our domain image (another argument for a different day).

So basically I need to change the SSH setting from On -> all users -> to ON -> only these user -> Administrators or
ON -> only these user -> a local admin account

for computers that aren't set right.

Thomas, you don't need to delete the plist files for SUS. I assume all the Macs that would run this are managed by Casper? If so, just do-

sudo jamf removeSWUSettings

That points them back to Apple (both in root and the top level Library locations)

mm2270, I've found that command to be less than reliable... (meaning I've never seen it actually do what it's supposed to do)

OK, odd. Its always worked for me, but it could be a difference in the jamf binary version (We're still on 8.4 at the moment) Anyway, I misread your script. I see now that you're just deleting the CatalogURL from the plist, not the whole plist, so that's fine. I think the jamf command does the same thing anyway. Whatever works.

ernstcs, my partner in crime (ie co-worker) found something for SSH changes that looks like will fit out bill:
[
https://jamfnation.jamfsoftware.com/viewProductFile.html?id=135&fid=460
](
https://jamfnation.jamfsoftware.com/viewProductFile.html?id=135&fid=460
)

So I think I have have the beginnings of a script that will help answer issue 8 more completely:

!/bin/sh
username="$3"

domainname=`dscl . -read /Users/$username | awk '/^OriginalNodeName:/,/^Password:/' | head -2 | tail -1 | cut -c 2- | cut -d/ -f4`
batchfilename=`/usr/bin/dscl /Search read /Users/$username SMBScriptPath | head -1 | awk '{print $2}'`

#If the domainname is still blank, report an error
if [ "$domainname" == "" ]; then
    echo "Error:  Could not obtain a domain name from dscl."
    exit 1
fi
echo "The domain name is $domainname"

#If the batchfilename is still blank, report an error.
if [ "$batchfilename" == "" ]; then
    echo "Error:  Could not obtain a batch file name from dscl."
    exit 1
fi
echo "The batch file name is $batchfilename"

#Create a path to access
batchfilelocation="//$domainname/NetLogon"
echo "Using $batchfilelocation as the batch file location"

#Check to see if the Volume is already mapped
if [ -d "/Volumes/Netlogon" ]; then
echo "Netlogon already in use"
else
    #mount Netlogon
    mkdir /Volumes/NetLogon
    mount -o nobrowse -t smbfs $batchfilelocation /Volumes/NetLogon
fi

#Put all of the file locations into an array
#IFS had to be written this way because it does not accept 
 to pivot on newlines. You have to give it a newline to change it from spaces. This allows grep to dump a whole line into the array
IFS='
'
#make sure NetLogon actually mapped before trying to grep anything
if [ -d "/Volumes/Netlogon" ]; then
arr=($(grep '\\' "/Volumes/NetLogon/$batchfilename" | tr "[A-Z]" "[a-z]" | sed s:"::g | sed s:\\\\:/:g | sed 's| /persistent:no||g' | sed 's|net use [a-z]: ||g' | sed 's/[^a-z_/ .0-9]//g') )
else
    echo "Error: Netlogon Mount Failed"
    exit 1
fi

#process all the shares in the array
for i in "${arr[@]}"; do
    #make sure the line in the batch file was not commented out
    if [[ $i != *rem* ]] 
    then
        #Determine a volume name based on the share
        volumename=`echo $i | sed 's:\\\\: :g' | sed 's:/: :g' | awk '{print $(NF-0)}'`
        echo "Volume name will be created as $volumename"
        #Check to see if the Volume is already mapped
        if [ -d "/Volumes/$volumename" ]; then
        echo "Volume name $volumename already in use"
        else
            #Procede to mount the share
            mkdir /Volumes/$volumename
            mount -t smbfs $i /Volumes/$volumename
        fi
    fi
done
diskutil unmount /Volumes/NetLogon
exit 0

another way to turn wireless power off:

#!/bin/bash
airport=`/usr/sbin/networksetup -listallhardwareports | /usr/bin/awk '/Wi-Fi|AirPort/ {getline; print $2}'`
/usr/sbin/networksetup -setairportpower $airport off
echo "power to $airport is off."

this cat has no skin…

Hey Guys,

I want to play! Here is what I do for OS detection and I have used it in production environments to report on the Aiprot or Wifi MAC address for customers.

#!/bin/bash

# get wifi MAC address based on OS version

OSvers=$(/usr/bin/sw_vers -productVersion)

case ${OSvers} in

  10.6*) service="Airport" ;;

  10.7*) service="Wi-Fi" ;;

esac

# command to grab mac address

wirelessMAC=$(/usr/sbin/networksetup -getmacaddress ${service} | /usr/bin/awk '{ print $3 }')

/bin/echo "<result>${wirelessMAC}</result>"

You could use that same logic to pass the service into a command to turn the airport off. Even have it run at start up, login, and logout. Then use MCX to require admin rights to modify the Airport settings.

Now I will try to address each of your questions/concerns with the list.

1 - firewall - this can be done by editing the com.apple.alf.plist file I believe. It has been a while since I tinkered with it, but if memory serves this where you can set some of those things.

2 - ssh - when you enable ssh a group is created in directory services called com.apple.access_ssh. You simply add the admin group to this group and it should allow only admin users access to ssh. To turn on ssh from the command line, just run systemsetup -setremotelogin on

dscl . read /Groups/com.apple.access_ssh GroupMembership
**GroupMembership: admin**

3 - see top of this post, first thing I commented on

4 - Internet Sharing. In previous versions of OS X you could simply run the /usr/libexec/InternetSharing binary to set it on or off, and that is no longer present. You could also edit the /Library/Preferences/com.apple.nat.plist. However, it seems that in 10.7 it has changed. I think by editing the /etc/apache2/httpd.conf file. If I enable it in system preferences I can see this part of the config file:

cat httpd.conf | grep -A5 "WEB"
<IfDefine WEBSHARING_ON>
#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
--
<IfDefine WEBSHARING_ON>
# Multi    -language error messages
#Include /private/etc/apache2/extra/httpd-multilang-errordoc.conf

# Fancy directory listings
Include /private/etc/apache2/extra/httpd-autoindex.conf
--
    <IfDefine WEBSERVICE_ON>
        Include /etc/apache2/sites/*.conf
    </IfDefine>
    <IfDefine !WEBSERVICE_ON>
        Include /etc/apache2/sites/virtual_host_global.conf
        Include /etc/apache2/sites/*_.conf
        Include /etc/apache2/sites/*__shadow.conf
    </IfDefine>
</IfDefine>

5 - patch management can be scheduled via a policy and you can tell policies when not to run in Casper. This should be easy and straight forward. You will have to set up a SUS though, either apple branded or look at our net appliance running Reposado. You can set SWU servers by network segments, managed preference or a script.

6 - Automation of adding and remove clients from being managed? I am not sure exactly what you are being asked to do here. I have several ideas but don't want to jump the gun. Can you give me some more details and maybe an example or two on this topic?

7 - Leverage LDAP. Sounds like you got this working?

8 - Personal network shares mounting, you mean like home folders? There are ways to do this. MCX, scripts, startup and login items. Is kerberos involved?

9, 10, 11 - I don't know the answer to the third party question as I am not familiar with that product, and discussion of 10.8 is not allowed via NDA contracts most people have signed to use pre-released software from Apple.

12 - Casper can deploy settings, apps and ebooks to iOS devices. Then of course you also have inventory leverage with Casper and iOS devices as well. Saved and advanced searches, smart groups, etc. Your account manager should be able to help you get a demo of the MDM stuff. Also, 10.7 machines can use MDM management features like remote lock and remote wipe.

I hope this helps you in some manner. I also hope it actually makes sense.

Thanks,
Tom

Tom, thanks for the response! (I've also edited the OP to reflect more updated information)

Point 1: Yup, deploying the changes was tricky though. Apple didn't respect Casper trying to change that file through mcs pushes for some reason.

Point 6: Being asked for some kind of process that when a new mac starts talking on the domain that Casper automatically tries to add it to its database and manage it. Then to remove computers it needs to actively scan an IP table for computers that are no longer on the list and delete them from Casper.

Point 7: I got the intended functionality, yes, but Casper doesn't leverage LDAP to get it.

Point 8: Yes home drives, and also other shares as specified via the user login script in windows. I've been making good progress on a bash script that will read the login script from netlogon and then map the shares that the batch files references on the mac itself. Kerb isn't involved yet, but it needs to be. JAMF's own script that I've found to map just home drives doesn't seem to be working either. It will prompt the user to enter a password for the share every time they login. I haven't found a way to do pass the tickets yet in the script to get rid of that behavior. If you go a few posts above this one, I posted the script that I currently have.

see [
https://jamfnation.jamfsoftware.com/viewProductFile.html?id=135&fid=476](
https://jamfnation.jamfsoftware.com/viewProductFile.html?id=135&fid=476)

Hey Thomas,

Point 6 - There is an API, and you could write some srcipts to automate function if the Macs talk to another database. You can use Recon.app to scan network segments. Are you using SCCM and Active Directory? When a Mac is bound does it create a new computer record in AD? I mean there is way to automate it, but it won't be easy. You'll have to write some minor code. Unless, anyone else has any ideas on how to do this? Please chime in, as I could not be thinking of other ways to accomplish this.

7 - If you map your LDAP server you can leverage LDAP group membership in the scope of a policy. I wasn't sure if that is what you were looking for.

8 - A good way to test kerberos is log into an AD user account that is on a Mac that is bound to your domain controller, then just map the drive manually. If it doesn't ask for authentication kerberos is working. Alternatively, you can also check the ticket app in /System/Library/CoreServices. If the ticket is valid and exists you won't need to authenticate to any kerberized share/server.

Hope this helps,
Tom

Tom,

1. Can you point me to documentation on the API you are talking about for Casper? We aren't using SCCM, but we do have a peoplesoft backend database that manages our IPs for us. So for example if an EA is not in this database it doesn't get an IP. The hope is to leverage that database as IPs are added/removed to it to trigger some action within Casper to try to auto add/remove the machine if it hasn't already been done so.

2. Not really. Our computers are not part of groups, they are just stored in departmental OU's for policies. The hope was to leverage the already created OU structure for Casper Organization, but Casper isn't really set up to do something like that. This point was kinda poorly written by management since even our GPOs don't really leverage pushing policies to groups. (Users are in the same containers as their computer's, so really the structure is more important than the user/group itself)

3. Kerb is working on the mac. I can run the same mount commands via terminal and have it work flawlessly. I can't however have the script do the same thing. Even Casper's own script to mount home drives requires me to auth every time it mounts the drive. Also, I updated my post at (7/3/12 at 9:05 AM) with my latest script. When I run it locally, it will ask me to auth and I type my pw in and it works. When I push it through Casper it doesn't prompt me for auth and fails saying that the server rejected the connection.

Lastly what tags are you guys using to get code to show up in those little boxes. Theres not really a "reply to" feature here to try and reverse engineer that feature.

Thomas, download the Casper SDK DMG from the jamf site (http://www.jamfsoftware.com/developer-resources/)

There is not a whole lot of documentation on how to use it, which I personally feel is something that JAMF should beef up. There's a lot of power and capability in the API, but it can be hard to figure out exactly how to use it.

As for the tags, are you not seeing the icons above the post box when you type up a reply? There are buttons for quoting text, adding "code" tags for scripts and URLs for links among several others.

Hey Thomas,

Take a look at the JAMF binary, there is a mount command. I have had issues with the Unix binary not mounting shares with Kerberos at my previous job, so I ended up using an Applescript to fix that. However, I think the `jamf mount` command may do what you need.

Thanks,
Tom