Posts Tagged ‘Casper’

Use Casper to collect Mac App Store IDs

Sunday, November 11th, 2012

An administrator may need to allow his users access to the Mac App Store but might prefer they download software only under sanctioned Apple IDs. Using an extension attribute in Casper, he can compile a list of all Apple IDs used on every Mac.

When a user enters an Apple ID to access the Mac App Store, it gets stored in his Home folder in:


So long as he doesn’t sign out of the Mac App Store (he’ll probably just quit when he’s done) the ID remains in the file. Multiple users on a machine may use multiple Apple IDs because the credentials are stored for each user rather than once for the computer.

The following script gathers a list of unique Apple IDs from all user accounts and then returns the list to the Casper JSS as an extension attribute.

#!/bin/sh

# Get a list of existing .plist files
USERFOLDERS=$( find /Users/*/Library/Preferences \
-name )

# Make a list of Apple IDs found in the .plists
for APLIST in $USERFOLDERS
do
    IDLIST=$( printf '%s\n%s' "$IDLIST" "$( defaults read "$APLIST" AppleID )" )
done

# Remove blank and duplicate lines
# (sort first: uniq alone only drops adjacent duplicates)
IDLIST=$( echo "$IDLIST" | sed '/^$/d' | sort -u )

# Return the result
echo "<result>$IDLIST</result>"

To add this script as an extension attribute in the JSS:

  1. Navigate to Settings tab –> Inventory Options –> Inventory Collection Preferences –> Extension Attributes tab –> Add Extension Attribute.
  2. Name this Extension Attribute “Mac App Store Apple IDs”.
  3. Set the Data Type to String.
  4. Set the Input Type to Script and paste in the script.
  5. Click the OK button and then Save the Extension Attribute.
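
To report only the Apple IDs that are not sanctioned, the collected list can be compared against an allowlist. The following is an added example, not part of the original post; the function names, the allowlist contents and the sample IDs are constructed assumptions.

```shell
#!/bin/sh
# Added example: report Apple IDs that are not on a sanctioned list.
# SANCTIONED and FOUND_SAMPLE are constructed placeholders.

SANCTIONED="appstore@example.com
purchasing@example.com"

FOUND_SAMPLE="AppStore@Example.com
jdoe@example.net
jdoe@example.net"

# normalize: lowercase, trim whitespace, drop blank lines, de-duplicate.
normalize() {
    tr '[:upper:]' '[:lower:]' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//; /^$/d' | sort -u
}

# unsanctioned_ids FOUND ALLOWED
# Prints each ID in FOUND (one per line) that is absent from ALLOWED.
unsanctioned_ids() {
    found=$( printf '%s\n' "$1" | normalize )
    allowed=$( printf '%s\n' "$2" | normalize )
    [ -n "$found" ] || return 0
    if [ -n "$allowed" ]; then
        # -F: fixed strings, so "." in an address is not a wildcard
        # -x: whole-line match, -v: keep only IDs not on the allowlist
        printf '%s\n' "$found" | grep -Fxv -e "$allowed" || true
    else
        printf '%s\n' "$found"
    fi
}

# Return the result in the form an extension attribute expects
echo "<result>$( unsanctioned_ids "$FOUND_SAMPLE" "$SANCTIONED" )</result>"
```

In an extension attribute, the first argument would be the IDLIST gathered by the script above instead of FOUND_SAMPLE.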

Capture Network Device Information Using Casper

Friday, November 9th, 2012

JAMF Software’s Casper suite is designed to capture and store information about Mac and Windows clients. However, it can also store information about network resources such as printers and routers by using a server or workstation as a pseudo SNMP Network Management Station. The following example illustrates how to use a Casper Extension Attribute to store the uptime of an Airport Extreme base station in a managed client’s record in the JAMF Software Server (JSS).

Uptime is the length of time a device has been active since its last reboot. An Airport Extreme base station should have a relatively long uptime (weeks or months) compared to a workstation (days). If the uptime of a base station is always just a few days then that may indicate hardware failure or power problems.

First, using the snmpwalk command, a server or workstation can poll the public community of any Airport base station at its IP address:

snmpwalk -v1 -c public -M /usr/share/snmp/mibs

This command will return a lot of information. Applying grep to return just the sysUpTime information and cut to trim away everything but the value of sysUpTime, the final result looks something like:

$ snmpwalk -v1 -c public -M /usr/share/snmp/mibs \
-m AIRPORT-BASESTATION-3-MIB | grep sysUpTime | cut -d \) -f 2

286 days, 10:38:38.70

An extension attribute is simply a shell script that runs a command to gather information and then returns that information to be stored in the JSS. Every managed computer in the JSS runs these scripts during routine inventories. But only one should be dedicated to polling the base station and storing the uptime information.

During a routine inventory this script verifies whether the name of the computer in the script matches the name of the current computer. If they match then it runs the snmpwalk command to poll the base station for its uptime.
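
One way to write such an extension attribute is sketched below. It is an added example, not the script from the original post: the names POLLER, BASESTATION, parse_uptime, uptime_days and airport_uptime, the placeholder values and the sample snmpwalk line are assumptions. uptime_days goes slightly beyond the post by extracting the day count, so that a consistently short uptime is easy to flag.

```shell
#!/bin/sh
# Added example: extension attribute that lets one designated computer
# poll an Airport base station for its uptime.
# POLLER and BASESTATION are placeholders to edit before use.

POLLER="polling-mac"        # hypothetical name of the polling computer
BASESTATION="192.0.2.1"     # documentation-range address, replace with the real one

# parse_uptime: read snmpwalk output on stdin and print the sysUpTime value
# (the text after the closing parenthesis of the Timeticks counter).
parse_uptime() {
    grep sysUpTime | head -n 1 | cut -d ')' -f 2 | sed 's/^[[:space:]]*//'
}

# uptime_days VALUE: print the whole days in "286 days, 10:38:38.70";
# values under one day carry no "days" field and count as 0.
uptime_days() {
    case "$1" in
        *day*) printf '%s\n' "${1%% day*}" ;;
        *)     printf '0\n' ;;
    esac
}

# airport_uptime CURRENT_NAME: poll only when this computer is the poller.
airport_uptime() {
    [ "$1" = "$POLLER" ] || return 0
    snmpwalk -v1 -c public -M /usr/share/snmp/mibs \
        -m AIRPORT-BASESTATION-3-MIB "$BASESTATION" 2>/dev/null | parse_uptime
}

# Constructed sample of one snmpwalk output line, used to show the parsing.
SAMPLE='SNMPv2-MIB::sysUpTime.0 = Timeticks: (2474871870) 286 days, 10:38:38.70'

# Run only where scutil (macOS) is available to report the computer name.
if command -v scutil >/dev/null 2>&1; then
    echo "<result>$( airport_uptime "$( scutil --get ComputerName )" )</result>"
fi
```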

To add this as an extension attribute in the JSS:

  1. Navigate to Settings tab –> Inventory Options –> Inventory Collection Preferences –> Extension Attributes tab –> Add Extension Attribute.
  2. Name this Extension Attribute “Airport Uptime”.
  3. Set the Data Type to String.
  4. Set the Input Type to Script and paste in the script.
  5. Edit the script by entering the name of the computer that should poll the Airport base station.
  6. Enter the IP address of the Airport base station in the script as well.
  7. Click the OK button and then Save the Extension Attribute.

Run the Recon application on the polling computer to update its inventory in the JSS. When done the EA should return the uptime for the base station to the computer’s record.

To view the information search for the computer in the JSS and click its Details link. Click the Extension Attributes section on the next page and locate the “Airport Uptime” Extension Attribute on the right.

Update: John C. Welch has written a companion piece to this post outlining some better and more efficient ways to accomplish the SNMP polling: A companion post to a 318 post. Thanks for the writeup, John!

Microsoft’s System Center Configuration Manager 2012

Sunday, March 18th, 2012

Microsoft has released the Beta 2 version of System Center Configuration Manager (SCCM) aka System Center 2012. SCCM is a powerful tool that Microsoft has been developing for over a decade. It started as an automation tool and has grown into a full-blown management tool that allows you to manage, update, and distribute software, licenses, policies and a plethora of other amazing features to users, workstations, servers, and devices including mobile devices and tablets. The new version has a simplified infrastructure, without losing functionality compared to previous versions.

SCCM provides end users with an easy-to-use web portal that lets them choose the software they want, providing an instant response so the application is installed in a timely manner. For mobile devices, the management console has an Exchange connector and will support any device that can use the Exchange ActiveSync protocol. It will allow you to push policies and settings to your devices (i.e. encryption configurations, security settings, etc.). Windows Phone 7 features are also manageable through SCCM.

The Exchange component sits natively with the configuration manager and does not have to interface with Exchange directly to be utilized. You can also define minimal rights for people to just install and/or configure what they need and nothing more. The bandwidth usage can be throttled to govern its impact on the local network.

SCCM will also interface with Unix and Linux devices, allowing multiple platform and device management. At this point, many third-party tools such as the Casper Suite and Absolute Manage also plug into SCCM nicely. Overall, this is a robust tool for the multi-platform networks that have become so common in today’s businesses.

Microsoft allows you to try the software at For more information, contact your 318 Professional Services Manager or if you do not yet have one.

Introduction to Centralized Configurations with Puppet

Thursday, March 8th, 2012

One of the hardest things for IT to tackle at large scale is workstation lifecycle management. Machines need to be deployed, maintained, and re-provisioned based on the needs of the business. Many of the solutions provided by vendors need to be driven by people, pulling levers and applying changes in realtime. Since Macs have a Unix foundation, they can take advantage of an automation tool used for Linux and other platforms, Puppet. It can be used to cut down on a lot of the manual interaction present in other systems, and is based on the concept that configuration should be expressed in readable text, which can then be checked into a version control system.

To quickly bootstrap a client-server setup the Puppet Enterprise product is recommended, but we’ll be doing things in a scaled-down fashion for this post. We’ll use Macs, and it won’t matter what OS either the puppetmaster (server) or client is running on, or whether either is a Virtual Machine. First, install Facter, a complementary tool to collect specifications about your system, and then Puppet, from the PuppetLabs download site. Then, open Terminal and run this command to begin configuring the server, which adds the ‘puppet’ user and group:

sudo /usr/sbin/puppetmasterd --mkusers

Then, we’ll create a configuration file to specify a few default directories and the hostname of the server, so it can begin securing communication with the SSL certificates it will generate. I’m using the computers’ Bonjour names throughout this example, but DNS and networking/firewalls should be configured as appropriate for production setups, among other optimizations.

sudo vim /etc/puppet/puppet.conf
vardir = /var/lib/puppet
libdir = $vardir/lib
ssldir = /etc/puppet/ssl
certname = mini.local

Before we move on, note that a side effect of the --mkusers command above is that the puppet process may have been started in the background. To apply the changes we’ve made and start over with the server in verbose mode, just kill the ruby process started by the puppet user, either in Activity Monitor or otherwise.

Now, let’s move on to telling the server what we’d like to see passed down to each client, or ‘node’:

sudo vim /etc/puppet/manifests/site.pp
# /etc/puppet/manifests/site.pp
import "classes/*"
import "nodes"

sudo vim /etc/puppet/manifests/nodes.pp
# /etc/puppet/manifests/nodes.pp
node '318admins-macbook-air.local' {
  include testing
}

sudo vim /etc/puppet/manifests/classes/testing.pp
# /etc/puppet/manifests/classes/testing.pp
class testing {
  # Runs a Casper inventory update (jamf recon) on the client
  exec { "Run Recon, Run":
    command => "/usr/sbin/jamf recon -username '318admin' -passhash 'GOBBLEDEGOOK' -sshUsername 'casperadmin' -sshPasshash 'GOOBLEDEBOK' -swu -skipFonts -skipPlugins",
  }
}

Here we’ve created three files and customized them to serve a laptop with the Bonjour name 318admins-macbook-air.local. Site.pp points the server to the configurations and clients it can manage, Nodes.pp allows a specific client to receive a certain set of configurations (although you could use ‘node default include company_wide’ to affect everyone), and the actual configuration we’d like to enforce is present in Testing.pp.

One last tweak and our server is ready:

sudo chown -R puppet:puppet /etc/puppet

and we actually run the server, with some extra feedback turned on, with this:

sudo puppet master --no-daemonize --onetime --verbose --debug

Now, we can move on to setting up our client. Besides installing the same packages (in the same order) as above, we need to add a few directories and one file before we’re ready to go:

sudo mkdir -p /var/lib/puppet/var
sudo mkdir /var/lib/puppet/ssl
sudo vim /etc/puppet/puppet.conf
# /etc/puppet/puppet.conf
server = mini.local
vardir = /var/lib/puppet
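# ssldir points at the directory created with mkdir above
ssldir = /var/lib/puppet/ssl
# certname must match the node name in nodes.pp
certname = 318admins-macbook-air.local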

Then we’re ready to connect our client.

sudo puppet agent --no-daemonize --onetime --verbose --debug

You should see something like this on the server, “notice: 318admins-macbook-air.local has a waiting certificate request”. On the server we go ahead and sign it like this:

sudo puppet cert --sign 318admins-macbook-air.local

Running puppet agent again should result in a successful connection this time, with the configuration being passed down from the server for the client to apply.

This is just a small sample of how you can quickly start using Puppet, and we hope to share more of its benefits when integrated with other systems in the future.

Hiding a Restore Partition With jamf

Monday, August 9th, 2010

The jamf command that is placed inside the /usr/sbin directory has a number of things it does really well. Many of the tasks exposed in Casper Admin can be tapped into using shell scripts.

One nice option that the Casper Suite has for the mobile users in many an enterprise is the ability to restore a given machine to a known good working state. Casper addresses this using a concept known as a restore partition. The restore partition can be used to deploy a base set of packages to a client, or maybe just a functional operating system that hooks back into the JSS, or JAMF Software Server. Because you want the restore partition to be somewhat undefiled, you can hide it. Then, if a user needs to boot to the restore partition, they would simply boot the computer holding down the option key and select Restore (or whatever you have named it).

The /usr/sbin/jamf command can then be used to hide that restore partition using the hideRestore option. For example, assuming that the restore partition is named Restore, the following command will hide it:

/usr/sbin/jamf hideRestore

But, you might find that you want to deploy multiple hidden partitions. So let’s say that you had another for running disk tools. In our environment we could call it 318Tools. So to hide it as well, we would use the same command, but with the -name option followed by the name of the other partition we would like to hide, like so:

/usr/sbin/jamf hideRestore -name 318Tools

Overall, there are a number of uses other than simple patch management with the Casper Suite, and this is just one of the small things you can do with the jamf command, an integral part of the Suite.