[Casper] time bomb accounts on a smart group

Mark Hughes mahughe at kckps.org
Fri Feb 20 09:39:15 PST 2009


The metal tag that holds our asset number is a part of the theft tag program that we work
with that helps in tracking down stolen or reported missing laptops. It is barcoded as well. 

Mark

Mark Hughes, Apple Technician
TIS Department, KCKPS USD500
Cell 913-449-7791
mahughe at kckps.org

>>> John Wetter <john_wetter at hopkins.k12.mn.us> 02/20/09 11:24 AM >>>
It looks like you have thought about this, but in our 1-1 program, we just have them barcoded.  The only unique thing on the laptop is the student's account and we 'check out' the laptop to the student in our Library circulation system.  So, when we give them a spare, that becomes their new computer and when the fixed laptop comes back from AppleCare, it gets thrown in the spare pile to be imaged whenever we get to it and image a bunch.  This should help avoid the issue of needing to collect laptops back as I can see from both sides the inconvenience of that.

-John


On 2/20/09 10:46 AM, "Thomas Larkin" <tlarki at kckps.org> wrote:



 Considering I send probably 50 units in a week for HD failure that is not really an option.  Plus I barely have time to admin the 30 servers, do all the Casper packages plus admin the Casper servers, create users/groups and manage the LDAP, update the images, let alone do any sort of hardware repair.  They hired me to pretty much do everything here and I pretty much do everything from end user support all the way up to directory administration, Casper stuff, you name it I probably most likely do it.  We have an AUP in place, however I am not educational administration so I can't do any sort of discipline nor do I want to.  The principals actually work well with us, and it always comes down to me having them force kids to come bring in their spare.  I want to avoid getting people involved to force kids to come trade their spare in.  Plus the admins already deal with tons of AUP infractions every day, like students using their laptops to do unacceptable things, which I won't go into because you know what I am talking about.



 Also as a standard to the troubleshooting process and to ensure they have the most up to date software a machine with issues gets wiped and reimaged anyway, and home sync should only sync their documents folder and there are clean up scripts that delete any music and movies on their home directory plus their disk quota is 200 megabytes.



 We also have our own custom built inventory system that ties into Casper our software developers made.  It ties in student information from the SILK program they use for the student database as well as serial number and asset tag of the machine that I dumped out of the Casper database.  There is also a built in ticket system for repair history and work orders and an assign system for assigning machines to the repair center for repair or for a student to be assigned a spare.  If I didn't have to deal with end user support on top of everything else I do, could possibly reassign, however that is not a timely option at this point in time.  Each machine is labeled with stickers of the student name and the learning community they belong to.  So, I would have to use some sort of goo be gone to clean off the labels, relabel it, reinventory it, unassign the current user to their machine, and then repeat 40 to 60 times per week as that is my average of machines that go out for repair.



 I think in our set up, an every-30-day policy assigned to spare machines that cleans them out is probably the best bet.  Students also have access to an online web based product called "school loop" which allows them to store their school work on their locker online, and it apparently has unlimited space.  However, there is a file size limit of like 5 megabytes.  So, with home folder sync and school loop they have the means to back up their data.



 Sorry for the long novel-like explanation but given our current structure the time bomb effect would be best practice.



 I was thinking of just changing all passwords on the machine to something ridiculous or using dscl or jamf binary to just delete them.  Our admin accounts live in /private/var for a reason, mainly being so that I can kill all users in /Users and never worry about deleting our local admin account or root.




 Thanks again for any input and for reading this sort of a rant of an email.


--
John Wetter
Technology Support Administrator
Educational Technology, Media & Information Services
Hopkins Public Schools
952-988-5373
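
The cleanup idea discussed in the thread (remove every account under /Users while leaving admin accounts whose homes live in /private/var untouched), as an added example that is not part of the original emails: a selector over `dscl . -list /Users NFSHomeDirectory` output that defaults to a dry run. The sample listing, the account names and the `APPLY` switch are constructed for illustration.

```shell
#!/bin/bash
# Constructed sample of `dscl . -list /Users NFSHomeDirectory` output
# (account name, home directory). Not taken from a real machine.
SAMPLE_LISTING='root            /var/root
_www            /Library/WebServer
localadmin      /private/var/localadmin
jsmith          /Users/jsmith
mgarcia         /Users/mgarcia
Shared          /Users/Shared
odd             /Users/../private/var/localadmin
nested          /Users/a/b'

# Print only accounts whose home is exactly /Users/<name>.
# System accounts, admin homes under /private/var and odd paths are skipped.
select_spare_accounts() {
    while read -r name home _; do
        [ -n "$name" ] || continue
        case "$name" in
            root|Shared|Guest|.|..|_*) continue ;;   # never touch these
            *[!A-Za-z0-9._-]*) continue ;;           # unexpected characters
        esac
        [ "$home" = "/Users/$name" ] || continue
        printf '%s\n' "$name"
    done
}

# Remove each account read from stdin. Nothing is deleted unless APPLY=1
# (APPLY is a hypothetical switch for this example).
purge_accounts() {
    while read -r name; do
        if [ "${APPLY:-0}" = "1" ]; then
            dscl . -delete "/Users/$name" && rm -rf "/Users/${name:?}"
        else
            echo "would run: dscl . -delete /Users/$name; rm -rf /Users/$name"
        fi
    done
}

# Dry run against the constructed listing. On a spare machine the input
# would instead come from: dscl . -list /Users NFSHomeDirectory
printf '%s\n' "$SAMPLE_LISTING" | select_spare_accounts | purge_accounts
```

Matching the home path exactly against /Users/<name> is what keeps the /private/var admin account and root out of the deletion list even if the listing contains relative-path or nested entries.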


