Posts Tagged ‘JAMF’

Connect Casper to Active Directory

Wednesday, November 14th, 2012

Integrating any system into Active Directory can seem like a daunting task, especially for someone who’s not an AD administrator or doesn’t even have access to the directory service. JAMF Software has supported connecting Casper to AD for several versions of its product and has refined the connection process to be simple enough for someone with little or no AD experience to complete.

Connecting Casper to AD allows it to take advantage of existing user and group accounts, eliminating the tedium of creating them manually, and the user has one fewer password to remember. When a user’s password changes, the new password works immediately in Casper. Likewise, when a user’s account expires or is disabled, access to Casper ceases.

Gather the following information for the connection process:

  • Service account. This should be an AD account dedicated for Casper to use to authenticate to AD. It should be set not to expire and not to require changing at first login. This requires both the account name and its AD password.
  • The name of an AD Domain Controller (same as a Windows Global Catalog server, which assumes the role of an LDAP server).
  • The name of the organization’s NetBIOS domain.
  • The login names for any two user accounts in AD. Passwords aren’t required; these are used for testing lookups only.
  • The names for any two security groups in AD that include one or both test user accounts. These are used for testing lookups only. (Domain Users and Domain Admins are two common security groups.)

To connect Casper to AD do the following:

  1. Log in to the JAMF Software Server (JSS) for Casper using a local user account.
  2. Navigate to Settings tab –> LDAP Server Connections. Click on the Add LDAP Server Connection button. This begins a process that verifies the service account’s credentials and creates the user and group mappings between Casper and AD.
    New LDAP Server Connection button
  3. Select Active Directory as the LDAP server type and click the Continue button.
    LDAP server connection type
  4. For Host name enter the fully qualified domain name or IP address of the Domain Controller.
  5. For AD Domain enter the Windows NetBIOS domain name. Click the Continue button.
    Domain information
  6. Enter the name of the service account and its password that the JSS will use to authenticate and connect to AD. Click the Continue button.
    Service account
  7. If the Enter Test Accounts page appears then AD has accepted the service account’s credentials. Now, enter the account names of two AD users. These can be your own and a co-worker’s account. For the best results pick two users who are in very different parts of the organization. Click the Continue button.
    Test accounts
  8. The Verify Attribute Mappings page should display information about each user the JSS found in AD. Mappings are the pairing of attributes and values for an object in AD. In this case, verify the Username shown is actually the user’s short account name, verify Real Name shows the user’s first and last name, verify that Email displays the correct email address for each user, etc.
    New mappings
  9. Some fields may not be populated. That’s typically because the AD information is incomplete. If either user has information for a field but not the other then verify that information is correct or at least in the correct format.
  10. Casper may have wrongly mapped an attribute. For example, the telephoneNumber attribute may actually be phone in AD. To change the mapping click the edit button (ellipsis) to the right of the mapping and review the LDAP Attributes to see if another one is more suitable. Changing the attribute immediately changes the values for each user to help quickly identify better choices. Click the Return to Verify Mappings button when done.
    Edit mappings
  11. The new mappings appear in the list. Click the Continue button.
    New mappings
  12. Enter the two domain security groups and verify whether the test users are members. They may be members of one, both or none. Click the Continue button.
    Verify groups
  13. Finally, click the Save button to save the settings.
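Steps 8 through 12 are easier to reason about once you see the raw directory data behind them. The following script is an added example, not part of the original post or of JAMF’s product: it takes LDIF as ldapsearch would print it for two test accounts (the sample records are constructed), applies an assumed field-to-attribute mapping of the kind the Verify Attribute Mappings page lets you adjust, reports which JSS fields would come up blank for each user, and checks membership in two security groups by parsing the memberOf DNs. Running a dry run like this against your own ldapsearch output before touching the JSS shows whether a blank field is incomplete AD data or a wrong mapping.

```python
# Added example (not from the original post or JAMF): an offline dry run of
# the "verify attribute mappings" and "verify groups" steps.
import re

# Constructed LDIF for two test users. Attribute names are standard AD
# attributes; the values and DNs are made up.
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Sales,DC=example,DC=com
sAMAccountName: aexample
displayName: Alice Example
mail: alice@example.com
telephoneNumber: +1 555 0100
memberOf: CN=Domain Users,CN=Users,DC=example,DC=com
memberOf: CN=Domain Admins,CN=Users,DC=example,DC=com

dn: CN=Bob Example,OU=Engineering,DC=example,DC=com
sAMAccountName: bexample
displayName: Bob Example
memberOf: CN=Domain Users,CN=Users,DC=example,DC=com
"""

# Assumed mapping from JSS display fields to AD attributes. This is the kind of
# pairing the Verify Attribute Mappings page shows; the defaults here are an
# assumption for the example, not a statement of what the JSS ships with.
MAPPING = {
    "Username": "sAMAccountName",
    "Real Name": "displayName",
    "Email": "mail",
    "Phone": "telephoneNumber",
}


def parse_ldif(text):
    """Return a list of entries; each entry maps attribute -> list of values."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def resolve_mapping(entry, mapping=MAPPING):
    """Apply the field -> attribute mapping; absent attributes become None."""
    return {field: (entry.get(attr) or [None])[0] for field, attr in mapping.items()}


def missing_fields(entry, mapping=MAPPING):
    """Fields that would show up blank on the Verify Attribute Mappings page."""
    return [f for f, v in resolve_mapping(entry, mapping).items() if v is None]


def group_cn(dn):
    """Leading CN of a distinguished name, e.g. 'Domain Users'."""
    m = re.match(r"CN=([^,]+)", dn, re.IGNORECASE)
    return m.group(1) if m else None


def is_member(entry, group):
    """True if the user's memberOf values name the given group (by CN)."""
    return any(group_cn(dn) == group for dn in entry.get("memberOf", []))


def verify(ldif_text, groups, mapping=MAPPING):
    """One report row per test user, mirroring the JSS verification pages."""
    report = {}
    for entry in parse_ldif(ldif_text):
        username = resolve_mapping(entry, mapping)["Username"]
        report[username] = {
            "missing": missing_fields(entry, mapping),
            "groups": {g: is_member(entry, g) for g in groups},
        }
    return report


if __name__ == "__main__":
    for user, row in verify(SAMPLE_LDIF, ["Domain Users", "Domain Admins"]).items():
        print(user, row)
```

With the constructed data, Alice maps cleanly and is in both groups, while Bob shows Email and Phone blank and is only in Domain Users, which is exactly the "information for one user but not the other" situation step 9 tells you to investigate.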

Now, when adding new users to Casper, the JSS can pull the user information from AD.

  1. Navigate to Settings tab –> Accounts. Click on the Add Account from LDAP button.
    New Account button
  2. Enter the name of an AD user who should have privileges in the JSS. Click the Next button.
    Add User from LDAP Account
  3. If the lookup returns more than one result then locate the correct result and click the Add… link to the right.
  4. Grant the necessary privileges to the JSS and click the Save button.

At this point the newly added user should be able to log in to the JSS using his AD credentials. The JSS will also use the AD information for email alerts and other functions.

If the LDAP connection is ever deleted then existing LDAP user accounts will fail to work, even if the LDAP connection is recreated. Re-enabling users to log in will require adding their accounts and privileges again under the new LDAP connection.

Microsoft’s System Center Configuration Manager 2012

Sunday, March 18th, 2012

Microsoft has released the Beta 2 version of System Center Configuration Manager (SCCM), aka System Center 2012. SCCM is a powerful tool that Microsoft has been developing for over a decade. It started as an automation tool and has grown into a full-blown management tool that lets you manage, update and distribute software, licenses, policies and a plethora of other features to users, workstations, servers and devices, including mobile devices and tablets. The new version has a simplified infrastructure without losing functionality compared to previous versions.

SCCM provides end users with an easy-to-use web portal that lets them choose the software they want and have it installed promptly. For mobile devices, the management console has an Exchange connector and will support any device that can use the Exchange ActiveSync protocol. It lets you push policies and settings to your devices (e.g. encryption configurations, security settings, etc.). Windows Phone 7 features are also manageable through SCCM.

The Exchange component sits natively with the configuration manager and does not have to interface with Exchange directly to be utilized. You can also define minimal rights for people to just install and/or configure what they need and nothing more. The bandwidth usage can be throttled to govern its impact on the local network.

SCCM will also interface with Unix and Linux devices, allowing multi-platform device management. At this point, many third-party tools such as the Casper Suite and Absolute Manage also plug into SCCM nicely. Overall this is a robust tool for the multi-platform networks that have become so common in today’s businesses.

Microsoft allows you to try the software at For more information, contact your 318 Professional Services Manager or if you do not yet have one.

Introduction to Centralized Configurations with Puppet

Thursday, March 8th, 2012

One of the hardest things for IT to tackle at large scale is workstation lifecycle management. Machines need to be deployed, maintained, and re-provisioned based on the needs of the business. Many of the solutions provided by vendors need to be driven by people, pulling levers and applying changes in real time. Since Macs have a Unix foundation, they can take advantage of an automation tool used for Linux and other platforms, Puppet. It can be used to cut down on a lot of the manual interaction present in other systems, and is based on the concept that configuration should be expressed in readable text, which can then be checked into a version control system.

To quickly bootstrap a client-server setup the Puppet Enterprise product is recommended, but we’ll be doing things in a scaled-down fashion for this post. We’ll use Macs, and it won’t matter what OS either the puppetmaster (server) or client is running, nor whether either is a virtual machine. First, install Facter, a complementary tool that collects specifications about your system, and then Puppet, from the PuppetLabs download site. Then, open Terminal and run this command to begin configuring the server, which adds the ‘puppet’ user and group:

sudo /usr/sbin/puppetmasterd --mkusers

Then, we’ll create a configuration file to specify a few default directories and the hostname of the server, so it can begin securing communication with the SSL certificates it will generate. I’m using the computers’ Bonjour names throughout this example, but DNS and networking/firewalls should be configured as appropriate for production setups, among other optimizations.

sudo vim /etc/puppet/puppet.conf
# /etc/puppet/puppet.conf (server)
# puppet.conf is INI-style; settings belong under a section header
[main]
vardir = /var/lib/puppet
libdir = $vardir/lib
ssldir = /etc/puppet/ssl
certname = mini.local

Before we move on, an artifact of the --mkusers command above is that the puppet process may have been started in the background. For us to apply the changes we’ve made and start over with the server in verbose mode, you can just kill the ruby process started by the puppet user, either in Activity Monitor or otherwise.

Now, let’s move on to telling the server what we’d like to see passed down to each client, or ‘node’:

sudo vim /etc/puppet/manifests/site.pp
# /etc/puppet/manifests/site.pp
import "classes/*"
import "nodes"

sudo vim /etc/puppet/manifests/nodes.pp
# /etc/puppet/manifests/nodes.pp
node '318admins-macbook-air.local' {
  include testing
}

sudo vim /etc/puppet/manifests/classes/testing.pp
# /etc/puppet/manifests/classes/testing.pp
class testing {
  # the command must be a single quoted string; the hash values are placeholders
  exec { "Run Recon, Run":
    command => "/usr/sbin/jamf recon -username '318admin' -passhash 'GOBBLEDEGOOK' -sshUsername 'casperadmin' -sshPasshash 'GOOBLEDEBOK' -swu -skipFonts -skipPlugins",
  }
}

Here we’ve created three files, customized to serve a laptop with the Bonjour name 318admins-macbook-air.local. site.pp points the server to the configurations and clients it can manage, nodes.pp allows a specific client to receive a certain set of configurations (although you could use ‘node default { include company_wide }’ to affect everyone), and the actual configuration we’d like to enforce is present in testing.pp.

One last tweak and our server is ready:

sudo chown -R puppet:puppet /etc/puppet

and we actually run the server, with some extra feedback turned on, with this:

sudo puppet master --no-daemonize --onetime --verbose --debug

Now, we can move on to setting up our client. Besides installing the same packages (in the same order) as above, we need to add a few directories and one file before we’re ready to go:

sudo mkdir -p /var/lib/puppet/var
sudo mkdir -p /var/lib/puppet/ssl
sudo vim /etc/puppet/puppet.conf
# /etc/puppet/puppet.conf (client)
[main]
server = mini.local
vardir = /var/lib/puppet
# ssldir must be the directory created above
ssldir = /var/lib/puppet/ssl
# certname must match the node name in nodes.pp and the request signed on the server
certname = 318admins-macbook-air.local

Then we’re ready to connect our client.

sudo puppet agent --no-daemonize --onetime --verbose --debug

You should see something like this on the server, “notice: 318admins-macbook-air.local has a waiting certificate request”. On the server we go ahead and sign it like this:

sudo puppet cert --sign 318admins-macbook-air.local

Running puppet agent again should result in a successful connection this time, with the configuration being passed down from the server for the client to apply.
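Two things commonly go wrong in the client/server pairing above: the agent’s certname does not exactly match the node name in nodes.pp (so the agent connects but is given nothing, or only the default node), and the ssldir in puppet.conf is not the directory that was created. The signing step is also the point at which a master decides which machines it trusts, so it pays to sign only names you actually declared. The script below is an added example, not part of the original post or of Puppet itself: it parses a constructed agent puppet.conf and nodes.pp (with a deliberate one-letter certname mismatch and a mismatched ssldir), reports the inconsistencies, and provides a guard for the `puppet cert --sign` step that only approves request names declared in nodes.pp.

```python
# Added example (not from the original post or from Puppet): a pre-flight
# consistency check for the agent/master pairing and a guard for cert signing.
import configparser
import re

# Constructed agent puppet.conf. The certname is deliberately one letter off
# from the node definition below, and ssldir does not match the created dir.
AGENT_CONF = """\
[main]
server = mini.local
vardir = /var/lib/puppet
ssldir = /var/lib/ssl
certname = 318admin-macbook-air.local
"""

# Constructed nodes.pp with one named node and a default node.
NODES_PP = """\
# /etc/puppet/manifests/nodes.pp
node '318admins-macbook-air.local' {
  include testing
}
node default {
  include company_wide
}
"""


def parse_puppet_conf(text):
    """puppet.conf is INI-style; merge the [main] and [agent] sections."""
    cp = configparser.ConfigParser(interpolation=None)  # keep $vardir literal
    cp.read_string(text)
    settings = {}
    for section in ("main", "agent"):
        if cp.has_section(section):
            settings.update(cp.items(section))
    return settings


def node_names(manifest):
    """Node names declared in a nodes.pp: quoted names and the bare 'default'."""
    pattern = r"^\s*node\s+(?:'([^']+)'|\"([^\"]+)\"|(default))\s*\{"
    return {
        m.group(1) or m.group(2) or m.group(3)
        for m in re.finditer(pattern, manifest, re.MULTILINE)
    }


def consistency_problems(agent_conf, nodes_pp, created_dirs):
    """Mismatches between the agent config, the node list and the dirs made."""
    conf = parse_puppet_conf(agent_conf)
    names = node_names(nodes_pp)
    problems = []
    certname = conf.get("certname")
    if certname not in names:
        if "default" in names:
            problems.append(f"certname {certname!r} matches no node; only 'default' would apply")
        else:
            problems.append(f"certname {certname!r} matches no node and there is no default node")
    ssldir = conf.get("ssldir")
    if ssldir and ssldir not in created_dirs:
        problems.append(f"ssldir {ssldir!r} was not created (created: {sorted(created_dirs)})")
    return problems


def ok_to_sign(request_name, nodes_pp):
    """Approve a waiting certificate request only for a name declared in nodes.pp.

    Signing whatever shows up lets any host that can reach the master enroll
    itself; comparing against the declared node list is the cheap check."""
    return request_name in node_names(nodes_pp)


if __name__ == "__main__":
    made = {"/var/lib/puppet/var", "/var/lib/puppet/ssl"}
    for problem in consistency_problems(AGENT_CONF, NODES_PP, made):
        print("problem:", problem)
    print("sign 318admins-macbook-air.local:", ok_to_sign("318admins-macbook-air.local", NODES_PP))
    print("sign rogue.local:", ok_to_sign("rogue.local", NODES_PP))
```

Pass the script your real puppet.conf and nodes.pp contents (and the set of directories you actually created) to get the same report before running puppet agent; once the certname and ssldir are corrected the problem list is empty.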

This is just a small sample of how you can quickly start using Puppet, and we hope to share more of its benefits when integrated with other systems in the future.

Hiding a Restore Partition With jamf

Monday, August 9th, 2010

The jamf command that is placed inside the /usr/sbin directory has a number of things it does really well. Many of the tasks exposed in Casper Admin can be tapped into using shell scripts.

One nice option that the Casper Suite has for the mobile users in many an enterprise is the ability to restore a given machine to a known good working state. Casper addresses this using a concept known as a restore partition. The restore partition can be used to deploy a base set of packages to a client, or maybe just a functional operating system that hooks back into the JSS, or JAMF Software Server. Because you want the restore partition to be somewhat undefiled, you can hide it. Then, if a user needs to boot to the restore partition, they would simply boot the computer holding down the option key and select Restore (or whatever you have named it).

The /usr/sbin/jamf command can then be used to hide that restore partition using the hideRestore option. For example, assuming that the restore partition is named Restore, the following command will hide it:

/usr/sbin/jamf hideRestore

But, you might find that you want to deploy multiple hidden partitions. So let’s say that you had another for running disk tools. In our environment we could call it 318Tools. So to hide it as well, we would use the same command, but with the -name option followed by the name of the other partition we would like to hide, like so:

/usr/sbin/jamf hideRestore -name 318Tools

Overall, there are a number of uses other than simple patch management with the Casper Suite, and this is just one of the small things you can do with the jamf command, an integral part of the Suite.

Using the JAMF Binary with the Casper Suite

Thursday, October 25th, 2007

Casper is an incredibly useful tool for package deployment, maintaining records of the systems in your environment and policy management. But for those of you already using Casper (or considering it) you’ll be glad to know that you can use the jamf binary to do all kinds of fun stuff that can help with troubleshooting computers in your environment. For example:

The following command will set up a hidden SSH user and restrict SSH access to that user only: jamf createAccount -username casperadmin -realname "Casper Admin" -password casperadmin -home /Users/casperadmin -hiddenUser -admin -secureSSH

This command can be used to display a popup on the system it’s run on that says “Hello Minnesota”: jamf displayMessage -message "Hello Minnesota"

The following command will unmount a mounted server called mainserver: jamf unmountServer -mountPoint /Volumes/mainserver

The following command can be used to change a user’s home page in all of their web browsers: jamf setHomePage -homepage

The following command can be used to fire up the SSH daemon: jamf startSSH

The following command can be used to fix the By Host files on the local machine: jamf fixByHostFiles -target

The following command can be used to run a Fix Permissions on the local machine: jamf fixPermissions /

The following can be used to flush all of the caches on your local system: jamf flushCaches -flushSystem

The following can be used to bless the drive externaldrive: jamf bless -target /Volumes/externaldrive

The following can be used to run a software update on the local system: jamf runSoftwareUpdate

The following can be used to bind to an AD environment (rather than dsconfigad if for some reason you just didn’t like using dsconfigad), but would need all the parameters for your environment put in as flags: jamf bindAD

The following can be used to enable OpenFirmware passwords on your computer to secretpass: jamf setOFP -mode full -password secretpass

Most of these options are available inside the Casper suite, but the ability to do some simple tasks very quickly from the terminal is yet another reason to fall in love with Casper.