From martin-van-diemen at g-star.com Fri Jan 2 02:50:28 2009 From: martin-van-diemen at g-star.com (Martin van Diemen) Date: Fri, 2 Jan 2009 11:50:28 +0100 Subject: [Casper] Delete com.adobe.mediabrowser.plist In-Reply-To: Message-ID: Hi Miles, Thanks for your reply. I've tried to make use of the $3 variable but the strange thing is that it's empty. We're making use of Active Directory. Could this have something to do with it? Best wishes for 2009 to you all! Kind Regards, Martin van Diemen t +31(0) 205677744 __________________ G-Star International B.V. www.g-star.com ________________________________ From: Miles Leacy Date: Wed, 31 Dec 2008 14:57:34 +0100 To: Martin van Diemen Cc: Conversation: [Casper] Delete com.adobe.mediabrowser.plist Subject: Re: [Casper] Delete com.adobe.mediabrowser.plist username is $3 $1 is the mount point of the target drive $2 is the computer name $4 through $11 are configurable. ---------- Miles A. Leacy IV ? Certified System Administrator 10.4 ? Certified Technical Coordinator 10.5 ? Certified Trainer Certified Casper Administrator ---------- voice: 1-347-277-7321 miles.leacy at themacadmin.com www.themacadmin.com On Wed, Dec 31, 2008 at 4:58 AM, Martin van Diemen wrote: Hi, I want to delete the com.adobe.mediabrowser.plist (~/Library/Preferences/) for the user that's currently logging in. I tried to do this with a policy: Search for file by path: ~/Library/Preferences/com.adobe.mediabrowser.plist and Delete if found. This doesn't work because it can't find the file (cause it's using the casper account?). Is this possible with a variable e.g. /Users/$1/Library/Preferences/com.adobe.mediabrowser.plist? $1 doesn't work. If I use a script which variable tells me the login name of the user? Thanks in advance. Kind Regards, Martin van Diemen t +31(0) 205677744 __________________ G-Star International B.V. www.g-star.com _______________________________________________ Casper mailing list Casper at list.jamfsoftware.com http://list.jamfsoftware.com/mailman/listinfo/casper From miles.leacy at themacadmin.com Fri Jan 2 08:23:36 2009 From: miles.leacy at themacadmin.com (Miles Leacy) Date: Fri, 2 Jan 2009 11:23:36 -0500 Subject: [Casper] Delete com.adobe.mediabrowser.plist In-Reply-To: References:

Message-ID: What is the script triggered by? I would set it to login or logout to be sure that there is a username available. If it runs on another trigger, you risk the possibility that no one is logged in. ---------- Miles A. Leacy IV ? Certified System Administrator 10.4 ? Certified Technical Coordinator 10.5 ? Certified Trainer Certified Casper Administrator ---------- voice: 1-347-277-7321 miles.leacy at themacadmin.com www.themacadmin.com On Fri, Jan 2, 2009 at 5:50 AM, Martin van Diemen < martin-van-diemen at g-star.com> wrote: > Hi Miles, > > Thanks for your reply. I've tried to make use of the $3 variable but the > strange thing is that it's empty. We're making use of Active Directory. > Could this have something to do with it? > > Best wishes for 2009 to you all! > > Kind Regards, > > Martin van Diemen > > t +31(0) 205677744 > __________________ > > G-Star International B.V. > www.g-star.com > > > > ________________________________ > From: Miles Leacy > Date: Wed, 31 Dec 2008 14:57:34 +0100 > To: Martin van Diemen > Cc: > Conversation: [Casper] Delete com.adobe.mediabrowser.plist > Subject: Re: [Casper] Delete com.adobe.mediabrowser.plist > > username is $3 > > $1 is the mount point of the target drive > $2 is the computer name > > $4 through $11 are configurable. > > ---------- > Miles A. Leacy IV > > ? Certified System Administrator 10.4 > ? Certified Technical Coordinator 10.5 > ? Certified Trainer > Certified Casper Administrator > ---------- > voice: 1-347-277-7321 > miles.leacy at themacadmin.com > www.themacadmin.com < > http://www.themacadmin.com> > > > > > On Wed, Dec 31, 2008 at 4:58 AM, Martin van Diemen < > martin-van-diemen at g-star.com> wrote: > Hi, > > I want to delete the com.adobe.mediabrowser.plist (~/Library/Preferences/) > for the user that's currently logging in. I tried to do this with a policy: > Search for file by path: ~/Library/Preferences/com.adobe.mediabrowser.plist > and Delete if found. > > This doesn't work because it can't find the file (cause it's using the > casper account?). > Is this possible with a variable e.g. > /Users/$1/Library/Preferences/com.adobe.mediabrowser.plist? $1 doesn't work. > > If I use a script which variable tells me the login name of the user? > > Thanks in advance. > > Kind Regards, > > Martin van Diemen > > t +31(0) 205677744 > __________________ > > G-Star International B.V. > www.g-star.com > _______________________________________________ > Casper mailing list > Casper at list.jamfsoftware.com > http://list.jamfsoftware.com/mailman/listinfo/casper > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://list.jamfsoftware.com/pipermail/casper/attachments/20090102/677bfd46/attachment.htm From rharter at uwsp.edu Fri Jan 2 12:27:43 2009 From: rharter at uwsp.edu (Ryan Harter) Date: Fri, 2 Jan 2009 14:27:43 -0600 Subject: [Casper] Delete com.adobe.mediabrowser.plist In-Reply-To: References: Message-ID: <73F743E9-1C87-4E61-95C3-9E9311B6A57E@uwsp.edu> What version of Casper are you using? There was a bug in 6.0 that caused $3 to not be set, Casper 6.01 fixed this. Ryan Harter UW - Stevens Point Workstation Developer 715.346.2716 Ryan.Harter at uwsp.edu On Jan 2, 2009, at 4:50 AM, Martin van Diemen wrote: > Hi Miles, > > Thanks for your reply. I've tried to make use of the $3 variable but > the strange thing is that it's empty. We're making use of Active > Directory. Could this have something to do with it? > > Best wishes for 2009 to you all! > > Kind Regards, > > Martin van Diemen > > t +31(0) 205677744 > __________________ > > G-Star International B.V. > www.g-star.com > > > > ________________________________ > From: Miles Leacy > Date: Wed, 31 Dec 2008 14:57:34 +0100 > To: Martin van Diemen > Cc: > Conversation: [Casper] Delete com.adobe.mediabrowser.plist > Subject: Re: [Casper] Delete com.adobe.mediabrowser.plist > > username is $3 > > $1 is the mount point of the target drive > $2 is the computer name > > $4 through $11 are configurable. > > ---------- > Miles A. Leacy IV > > ? Certified System Administrator 10.4 > ? Certified Technical Coordinator 10.5 > ? Certified Trainer > Certified Casper Administrator > ---------- > voice: 1-347-277-7321 > miles.leacy at themacadmin.com > www.themacadmin.com > > > > > > On Wed, Dec 31, 2008 at 4:58 AM, Martin van Diemen > wrote: > Hi, > > I want to delete the com.adobe.mediabrowser.plist (~/Library/ > Preferences/) for the user that's currently logging in. I tried to > do this with a policy: > Search for file by path: ~/Library/Preferences/ > com.adobe.mediabrowser.plist and Delete if found. > > This doesn't work because it can't find the file (cause it's using > the casper account?). > Is this possible with a variable e.g. /Users/$1/Library/Preferences/ > com.adobe.mediabrowser.plist? $1 doesn't work. > > If I use a script which variable tells me the login name of the user? > > Thanks in advance. > > Kind Regards, > > Martin van Diemen > > t +31(0) 205677744 > __________________ > > G-Star International B.V. > www.g-star.com > _______________________________________________ > Casper mailing list > Casper at list.jamfsoftware.com > http://list.jamfsoftware.com/mailman/listinfo/casper > > > _______________________________________________ > Casper mailing list > Casper at list.jamfsoftware.com > http://list.jamfsoftware.com/mailman/listinfo/casper -------------- next part -------------- An HTML attachment was scrubbed... URL: http://list.jamfsoftware.com/pipermail/casper/attachments/20090102/252d876f/attachment.html From martin-van-diemen at g-star.com Sun Jan 4 22:34:44 2009 From: martin-van-diemen at g-star.com (Martin van Diemen) Date: Mon, 5 Jan 2009 07:34:44 +0100 Subject: [Casper] Delete com.adobe.mediabrowser.plist In-Reply-To: Message-ID: Triggered by login. I also tested the script when an user was logged in. Kind Regards, Martin van Diemen t +31(0) 205677744 __________________ G-Star International B.V. www.g-star.com ________________________________ From: Miles Leacy Date: Fri, 2 Jan 2009 17:23:36 +0100 To: Martin van Diemen Cc: Conversation: [Casper] Delete com.adobe.mediabrowser.plist Subject: Re: [Casper] Delete com.adobe.mediabrowser.plist What is the script triggered by? I would set it to login or logout to be sure that there is a username available. If it runs on another trigger, you risk the possibility that no one is logged in. ---------- Miles A. Leacy IV ? Certified System Administrator 10.4 ? Certified Technical Coordinator 10.5 ? Certified Trainer Certified Casper Administrator ---------- voice: 1-347-277-7321 miles.leacy at themacadmin.com www.themacadmin.com On Fri, Jan 2, 2009 at 5:50 AM, Martin van Diemen wrote: Hi Miles, Thanks for your reply. I've tried to make use of the $3 variable but the strange thing is that it's empty. We're making use of Active Directory. Could this have something to do with it? Best wishes for 2009 to you all! Kind Regards, Martin van Diemen t +31(0) 205677744 __________________ G-Star International B.V. www.g-star.com ________________________________ From: Miles Leacy Date: Wed, 31 Dec 2008 14:57:34 +0100 To: Martin van Diemen Cc: Conversation: [Casper] Delete com.adobe.mediabrowser.plist Subject: Re: [Casper] Delete com.adobe.mediabrowser.plist username is $3 $1 is the mount point of the target drive $2 is the computer name $4 through $11 are configurable. ---------- Miles A. Leacy IV ? Certified System Administrator 10.4 ? Certified Technical Coordinator 10.5 ? Certified Trainer Certified Casper Administrator ---------- voice: 1-347-277-7321 miles.leacy at themacadmin.com www.themacadmin.com On Wed, Dec 31, 2008 at 4:58 AM, Martin van Diemen wrote: Hi, I want to delete the com.adobe.mediabrowser.plist (~/Library/Preferences/) for the user that's currently logging in. I tried to do this with a policy: Search for file by path: ~/Library/Preferences/com.adobe.mediabrowser.plist and Delete if found. This doesn't work because it can't find the file (cause it's using the casper account?). Is this possible with a variable e.g. /Users/$1/Library/Preferences/com.adobe.mediabrowser.plist? $1 doesn't work. If I use a script which variable tells me the login name of the user? Thanks in advance. Kind Regards, Martin van Diemen t +31(0) 205677744 __________________ G-Star International B.V. www.g-star.com _______________________________________________ Casper mailing list Casper at list.jamfsoftware.com http://list.jamfsoftware.com/mailman/listinfo/casper From martin-van-diemen at g-star.com Sun Jan 4 22:35:48 2009 From: martin-van-diemen at g-star.com (Martin van Diemen) Date: Mon, 5 Jan 2009 07:35:48 +0100 Subject: [Casper] Delete com.adobe.mediabrowser.plist In-Reply-To: <73F743E9-1C87-4E61-95C3-9E9311B6A57E@uwsp.edu> Message-ID: The version that has been installed is 6.01 Kind Regards, Martin van Diemen t +31(0) 205677744 __________________ G-Star International B.V. www.g-star.com ________________________________ From: Ryan Harter Date: Fri, 2 Jan 2009 21:27:43 +0100 To: Martin van Diemen Cc: Miles Leacy , Conversation: [Casper] Delete com.adobe.mediabrowser.plist Subject: Re: [Casper] Delete com.adobe.mediabrowser.plist What version of Casper are you using? There was a bug in 6.0 that caused $3 to not be set, Casper 6.01 fixed this. Ryan Harter UW - Stevens Point Workstation Developer 715.346.2716 Ryan.Harter at uwsp.edu On Jan 2, 2009, at 4:50 AM, Martin van Diemen wrote: Hi Miles, Thanks for your reply. I've tried to make use of the $3 variable but the strange thing is that it's empty. We're making use of Active Directory. Could this have something to do with it? Best wishes for 2009 to you all! Kind Regards, Martin van Diemen t +31(0) 205677744 __________________ G-Star International B.V. www.g-star.com ________________________________ From: Miles Leacy Date: Wed, 31 Dec 2008 14:57:34 +0100 To: Martin van Diemen Cc: Conversation: [Casper] Delete com.adobe.mediabrowser.plist Subject: Re: [Casper] Delete com.adobe.mediabrowser.plist username is $3 $1 is the mount point of the target drive $2 is the computer name $4 through $11 are configurable. ---------- Miles A. Leacy IV ? Certified System Administrator 10.4 ? Certified Technical Coordinator 10.5 ? Certified Trainer Certified Casper Administrator ---------- voice: 1-347-277-7321 miles.leacy at themacadmin.com www.themacadmin.com On Wed, Dec 31, 2008 at 4:58 AM, Martin van Diemen wrote: Hi, I want to delete the com.adobe.mediabrowser.plist (~/Library/Preferences/) for the user that's currently logging in. I tried to do this with a policy: Search for file by path: ~/Library/Preferences/com.adobe.mediabrowser.plist and Delete if found. This doesn't work because it can't find the file (cause it's using the casper account?). Is this possible with a variable e.g. /Users/$1/Library/Preferences/com.adobe.mediabrowser.plist? $1 doesn't work. If I use a script which variable tells me the login name of the user? Thanks in advance. Kind Regards, Martin van Diemen t +31(0) 205677744 __________________ G-Star International B.V. www.g-star.com _______________________________________________ Casper mailing list Casper at list.jamfsoftware.com http://list.jamfsoftware.com/mailman/listinfo/casper _______________________________________________ Casper mailing list Casper at list.jamfsoftware.com http://list.jamfsoftware.com/mailman/listinfo/casper From tlarki at kckps.org Mon Jan 5 10:06:23 2009 From: tlarki at kckps.org (Thomas Larkin) Date: Mon, 05 Jan 2009 12:06:23 -0600 Subject: [Casper] Delete com.adobe.mediabrowser.plist In-Reply-To: References: <73F743E9-1C87-4E61-95C3-9E9311B6A57E@uwsp.edu> Message-ID: <4961F7BF.7141.0039.0@kckps.org> I have a search and destroy policy that searches out files by type or by name and deletes them. You don't need a script as it is a one liner command. Keeping it simple is the way to go in my humble opinion. If you want to get specific you can script it out and make it more robust. Here are some examples: /usr/bin/find /Users/* -name "full_filename.extension" -print -delete That will search the /Users folder and delete all files to test it out just use the -print option first and leave out the delete option. Then once you confirmed it works add back in the delete. Working for a public school system I get to search and destroy some creative user created content that gets passed around from time to time. If you are looking to delete a certain file type across the board you can add to the find command with regex and since home folder synchronizing is not perfect it syncs things that are not suppose to be there, and then I have to play janitor on the file servers. An example of that is: /usr/sbin/find -x -E /path/to/share -regex '.*\.(m[4po][34agpv]|mpeg|aac|asf|wmv)' -print -delete That deletes pretty much any file with those extensions in the file name, MP3, MP4, AAC, mpeg, so on and so forth. So that should give you something to work with and with the find command set the path to a narrow scope, otherwise it will just search the root of the drive and that can take forever to run Hope that helps ___________________________ Thomas Larkin TIS Department KCKPS USD500 tlarki at kckps.org blackberry: 913-449-7589 office: 913-627-0351 >>> Martin van Diemen 01/05/09 12:35 AM >>> The version that has been installed is 6.01 Kind Regards, Martin van Diemen t +31(0) 205677744 __________________ G-Star International B.V. www.g-star.com ________________________________ From: Ryan Harter Date: Fri, 2 Jan 2009 21:27:43 +0100 To: Martin van Diemen Cc: Miles Leacy , Conversation: [Casper] Delete com.adobe.mediabrowser.plist Subject: Re: [Casper] Delete com.adobe.mediabrowser.plist What version of Casper are you using? There was a bug in 6.0 that caused $3 to not be set, Casper 6.01 fixed this. Ryan Harter UW - Stevens Point Workstation Developer 715.346.2716 Ryan.Harter at uwsp.edu On Jan 2, 2009, at 4:50 AM, Martin van Diemen wrote: Hi Miles, Thanks for your reply. I've tried to make use of the $3 variable but the strange thing is that it's empty. We're making use of Active Directory. Could this have something to do with it? Best wishes for 2009 to you all! Kind Regards, Martin van Diemen t +31(0) 205677744 __________________ G-Star International B.V. www.g-star.com ________________________________ From: Miles Leacy Date: Wed, 31 Dec 2008 14:57:34 +0100 To: Martin van Diemen Cc: Conversation: [Casper] Delete com.adobe.mediabrowser.plist Subject: Re: [Casper] Delete com.adobe.mediabrowser.plist username is $3 $1 is the mount point of the target drive $2 is the computer name $4 through $11 are configurable. ---------- Miles A. Leacy IV ? Certified System Administrator 10.4 ? Certified Technical Coordinator 10.5 ? Certified Trainer Certified Casper Administrator ---------- voice: 1-347-277-7321 miles.leacy at themacadmin.com www.themacadmin.com On Wed, Dec 31, 2008 at 4:58 AM, Martin van Diemen wrote: Hi, I want to delete the com.adobe.mediabrowser.plist (~/Library/Preferences/) for the user that's currently logging in. I tried to do this with a policy: Search for file by path: ~/Library/Preferences/com.adobe.mediabrowser.plist and Delete if found. This doesn't work because it can't find the file (cause it's using the casper account?). Is this possible with a variable e.g. /Users/$1/Library/Preferences/com.adobe.mediabrowser.plist? $1 doesn't work. If I use a script which variable tells me the login name of the user? Thanks in advance. Kind Regards, Martin van Diemen t +31(0) 205677744 __________________ G-Star International B.V. www.g-star.com _______________________________________________ Casper mailing list Casper at list.jamfsoftware.com http://list.jamfsoftware.com/mailman/listinfo/casper _______________________________________________ Casper mailing list Casper at list.jamfsoftware.com http://list.jamfsoftware.com/mailman/listinfo/casper _______________________________________________ Casper mailing list Casper at list.jamfsoftware.com http://list.jamfsoftware.com/mailman/listinfo/casper -------------- next part -------------- An HTML attachment was scrubbed... URL: http://list.jamfsoftware.com/pipermail/casper/attachments/20090105/193101b4/attachment.html From david.lundgren at brooks.edu Mon Jan 5 13:10:16 2009 From: david.lundgren at brooks.edu (David Lundgren) Date: Mon, 5 Jan 2009 15:10:16 -0600 Subject: [Casper] Upgrading from Tiger to Leopard Message-ID: I was wondering how you all have done migrations from Tiger to Leopard. We have an Active Directory setup where the users home directories are local to the machine (our faculty often have 10GB+ of data, and some have laptops). We were contemplating doing separate user and OS partitions at the same time to make any future OS upgrades less painful, without having to worry about user data. Thanks, David Lundgren IT Systems Administrator Brooks Institute - "Passion, Vision, Excellence" 27 East Cota Street Santa Barbara, CA 93101 (888) 304-3456 (toll-free) (805) 690-7615 (office) http://www.brooks.edu From jared.nichols at ll.mit.edu Mon Jan 5 16:34:41 2009 From: jared.nichols at ll.mit.edu (Nichols, Jared) Date: Mon, 5 Jan 2009 19:34:41 -0500 Subject: [Casper] Upgrading from Tiger to Leopard In-Reply-To: Message-ID: One thing to consider is that Leopard is no longer based on netinfo. Pre-leopard was nice using NetInfo Manager for arranging tasks like the movement of /users to a different drive/partition. This would all have to be done with dscl now... On the upshot, it's all scriptable... j On 1/5/09 16:10 , "David Lundgren" wrote: I was wondering how you all have done migrations from Tiger to Leopard. We have an Active Directory setup where the users home directories are local to the machine (our faculty often have 10GB+ of data, and some have laptops). We were contemplating doing separate user and OS partitions at the same time to make any future OS upgrades less painful, without having to worry about user data. Thanks, David Lundgren IT Systems Administrator Brooks Institute - "Passion, Vision, Excellence" 27 East Cota Street Santa Barbara, CA 93101 (888) 304-3456 (toll-free) (805) 690-7615 (office) http://www.brooks.edu _______________________________________________ Casper mailing list Casper at list.jamfsoftware.com http://list.jamfsoftware.com/mailman/listinfo/casper -- Jared Nichols ISD Infrastructure and Operations - Desktop Engineering MIT Lincoln Laboratory 244 Wood St. Lexington, MA 02420-9108 (781) 981-5500 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://list.jamfsoftware.com/pipermail/casper/attachments/20090105/03a902a9/attachment.html From miles.leacy at themacadmin.com Tue Jan 6 06:01:16 2009 From: miles.leacy at themacadmin.com (Miles Leacy) Date: Tue, 6 Jan 2009 09:01:16 -0500 Subject: [Casper] Upgrading from Tiger to Leopard In-Reply-To: References: Message-ID: If you don't mind doing some extra work now, you can move people's data to another partition now, and in the future, you can do as you like with the system volume going forward without worry about user data. Note that if you boot an existing Mac (with user data) to a Leopard volume, you can create new partitions non-destructively and this task can be scripted. I would (and do) do it like this: #!/bin/sh # ##### HEADER BEGINS ##### # scr_sys_symlinkUsers.sh # # Created 20071011 by Miles A. Leacy IV # miles.leacy at themacadmin.com # Modified 20090106 by Miles A. Leacy IV # Copyright 2009 Miles A. Leacy IV # # This script may be copied and distributed freely as long as this header remains intact. # # This script is provided "as is". The author offers no warranty or guarantee of any kind. # Use of this script is at your own risk. The author takes no responsibility for loss of use, # loss of data, loss of job, loss of socks, the onset of armageddon, or any other negative effects. # # Test thoroughly in a lab environment before use on production systems. # When you think it's ok, test again. When you're certain it's ok, test twice more. # # This script moves /Users to /Volumes/Data. If your data volume is named differently, # be sure to replace each instance of "/Volumes/Data" with the path to your data volume. # Run as an "at reboot" script when imaging with Casper. # ##### HEADER ENDS ##### /bin/mv /Users /Volumes/Data rm -R /Users /bin/ln -s /Volumes/Data /Users diskutil repairPermissions / ---------- Miles A. Leacy IV ? Certified System Administrator 10.4 ? Certified Technical Coordinator 10.5 ? Certified Trainer Certified Casper Administrator ---------- voice: 1-347-277-7321 miles.leacy at themacadmin.com www.themacadmin.com On Mon, Jan 5, 2009 at 4:10 PM, David Lundgren wrote: > I was wondering how you all have done migrations from Tiger to Leopard. > > We have an Active Directory setup where the users home directories are > local > to the machine (our faculty often have 10GB+ of data, and some have > laptops). > > We were contemplating doing separate user and OS partitions at the same > time > to make any future OS upgrades less painful, without having to worry about > user data. > > Thanks, > > David Lundgren > IT Systems Administrator > > Brooks Institute - "Passion, Vision, Excellence" > 27 East Cota Street > Santa Barbara, CA 93101 > (888) 304-3456 (toll-free) > (805) 690-7615 (office) > http://www.brooks.edu > > _______________________________________________ > Casper mailing list > Casper at list.jamfsoftware.com > http://list.jamfsoftware.com/mailman/listinfo/casper > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://list.jamfsoftware.com/pipermail/casper/attachments/20090106/05c05fc6/attachment.html From tlarki at kckps.org Tue Jan 6 07:28:14 2009 From: tlarki at kckps.org (Thomas Larkin) Date: Tue, 06 Jan 2009 09:28:14 -0600 Subject: [Casper] Upgrading from Tiger to Leopard In-Reply-To: References: Message-ID: <4963242E.7141.0039.0@kckps.org> I don't know if I think that is a totally wise idea. I have read on several occasions either at AFP548.com or macenterprise.org about moving home directories and then connecting them by symbolic link. While I can't exactly recall the specifics other than it has to do with NetInfo and the location of the home directory or with Open Directory (dscl in 10.5) and how the user database actually points to the home folder. Also, if I recall diskutility will not repair permissions on user data, it only does it on system data. I am not saying it won't work, I am just saying there may be some issues as I have read from other people posting and how NetInfo and Open Directory handle the user database. Please correct me if I am wrong on that, because I have never tried to make a user partition on a local machine just for home directories, well at least not in OS X. In Linux I have. If you don't have network homes, or portable home directories I really strongly suggest you look into something like that. I know that 10gigs of data for each user can eat up storage pretty quick, but storage is actually well, kind of cheap these days. Over the summer we reimaged 6,000 Macbooks from 10.4 to 10.5. 10.5.4 was a damn nightmare but 10.5.5 smoothed most of those things out. I wiped out all of our servers, reloaded them, and since I house home directories on separate volumes on the network I just pointed in WGM the volume for home directories. I also recommend a full wipe and fresh import of LDAP. I just exported mine to plain text (users and groups) and then reimported them via WGM. This will not preserve passwords, so I did a master password reset. I have tools now to set unique passwords for users as well, and will be implementing that over next summer. Next summer I am wiping out everything and freshly loading every thing. ___________________________ Thomas Larkin TIS Department KCKPS USD500 tlarki at kckps.org blackberry: 913-449-7589 office: 913-627-0351 >>> "Miles Leacy" 01/06/09 8:01 AM >>> If you don't mind doing some extra work now, you can move people's data to another partition now, and in the future, you can do as you like with the system volume going forward without worry about user data. Note that if you boot an existing Mac (with user data) to a Leopard volume, you can create new partitions non-destructively and this task can be scripted. I would (and do) do it like this: #!/bin/sh # ##### HEADER BEGINS ##### # scr_sys_symlinkUsers.sh # # Created 20071011 by Miles A. Leacy IV # miles.leacy at themacadmin.com # Modified 20090106 by Miles A. Leacy IV # Copyright 2009 Miles A. Leacy IV # # This script may be copied and distributed freely as long as this header remains intact. # # This script is provided "as is". The author offers no warranty or guarantee of any kind. # Use of this script is at your own risk. The author takes no responsibility for loss of use, # loss of data, loss of job, loss of socks, the onset of armageddon, or any other negative effects. # # Test thoroughly in a lab environment before use on production systems. # When you think it's ok, test again. When you're certain it's ok, test twice more. # # This script moves /Users to /Volumes/Data. If your data volume is named differently, # be sure to replace each instance of "/Volumes/Data" with the path to your data volume. # Run as an "at reboot" script when imaging with Casper. # ##### HEADER ENDS ##### /bin/mv /Users /Volumes/Data rm -R /Users /bin/ln -s /Volumes/Data /Users diskutil repairPermissions / ---------- Miles A. Leacy IV ? Certified System Administrator 10.4 ? Certified Technical Coordinator 10.5 ? Certified Trainer Certified Casper Administrator ---------- voice: 1-347-277-7321 miles.leacy at themacadmin.com www.themacadmin.com On Mon, Jan 5, 2009 at 4:10 PM, DaviWe have an Active Directory setup where the users home directories are local to the machine (our faculty often have 10GB+ of data, and some have laptops). We were contemplating doing separate user and OS partitions at the same time to make any future OS upgrades less painful, without having to worry about user data. Thanks, David Lundgren IT Systems Administrator Brooks Institute - "Passion, Vision, Excellence" 27 East Cota Street Santa Barbara, CA 93101 (888) 304-3456 (toll-free) (805) 690-7615 (office) http://www.brooks.edu _______________________________________________ Casper mailing list Casper at list.jamfsoftware.com http://list.jamfsoftware.com/mailman/listinfo/casper -------------- next part -------------- An HTML attachment was scrubbed... URL: http://list.jamfsoftware.com/pipermail/casper/attachments/20090106/61b9844b/attachment.html From miles.leacy at themacadmin.com Tue Jan 6 07:52:28 2009 From: miles.leacy at themacadmin.com (Miles Leacy) Date: Tue, 6 Jan 2009 10:52:28 -0500 Subject: [Casper] Upgrading from Tiger to Leopard In-Reply-To: <4963242E.7141.0039.0@kckps.org> References: <4963242E.7141.0039.0@kckps.org> Message-ID: I've been doing this in production environments (large enterprises as well as my family's Macs) for at least two years on both Tiger and Leopard without any issues. What are the potential issues you're concerned about? The reason for including the permissions repair is lost to antiquity and poor documentation I'm afraid, but I seem to vaguely recall it having something to do with the /Users/Shared folder. Since it works, I'm not overly concerned with uncovering the answer, but if you care to, you could comment out the permissions repair line and see what the difference is. Whether netinfo or ds is handling your home folders, it refers to them as a filesystem path. As far as my knowledge and experience goes, there is no difference in how home folders function between a system with a genuine /Users path and one with a symlinked /Users path. ---------- Miles A. Leacy IV ? Certified System Administrator 10.4 ? Certified Technical Coordinator 10.5 ? Certified Trainer Certified Casper Administrator ---------- voice: 1-347-277-7321 miles.leacy at themacadmin.com www.themacadmin.com On Tue, Jan 6, 2009 at 10:28 AM, Thomas Larkin wrote: > I don't know if I think that is a totally wise idea. I have read on > several occasions either at AFP548.com or macenterprise.org about moving > home directories and then connecting them by symbolic link. While I can't > exactly recall the specifics other than it has to do with NetInfo and the > location of the home directory or with Open Directory (dscl in 10.5) and how > the user database actually points to the home folder. Also, if I recall > diskutility will not repair permissions on user data, it only does it on > system data. I am not saying it won't work, I am just saying there may be > some issues as I have read from other people posting and how NetInfo and > Open Directory handle the user database. Please correct me if I am wrong on > that, because I have never tried to make a user partition on a local machine > just for home directories, well at least not in OS X. In Linux I have. > > If you don't have network homes, or portable home directories I really > strongly suggest you look into something like that. I know that 10gigs of > data for each user can eat up storage pretty quick, but storage is actually > well, kind of cheap these days. > > Over the summer we reimaged 6,000 Macbooks from 10.4 to 10.5. 10.5.4 was > a damn nightmare but 10.5.5 smoothed most of those things out. I wiped out > all of our servers, reloaded them, and since I house home directories on > separate volumes on the network I just pointed in WGM the volume for home > directories. I also recommend a full wipe and fresh import of LDAP. I just > exported mine to plain text (users and groups) and then reimported them via > WGM. This will not preserve passwords, so I did a master password reset. I > have tools now to set unique passwords for users as well, and will be > implementing that over next summer. Next summer I am wiping out everything > and freshly loading every thing. > > > ___________________________ > Thomas Larkin > TIS Department > KCKPS USD500 > tlarki at kckps.org > blackberry: 913-449-7589 > office: 913-627-0351 > > > > > > >>> "Miles Leacy" 01/06/09 8:01 AM >>> > > If you don't mind doing some extra work now, you can move people's data to > another partition now, and in the future, you can do as you like with the > system volume going forward without worry about user data. > > > Note that if you boot an existing Mac (with user data) to a Leopard > volume, you can create new partitions non-destructively and this task can be > scripted. > > > I would (and do) do it like this: > > > #!/bin/sh > > # > > ##### HEADER BEGINS ##### > > # scr_sys_symlinkUsers.sh > > # > > # Created 20071011 by Miles A. Leacy IV > > # miles.leacy at themacadmin.com > > # Modified 20090106 by Miles A. Leacy IV > > # Copyright 2009 Miles A. Leacy IV > > # > > # This script may be copied and distributed freely as long as this header > remains intact. > > # > > # This script is provided "as is". The author offers no warranty or > guarantee of any kind. > > # Use of this script is at your own risk. The author takes no > responsibility for loss of use, > > # loss of data, loss of job, loss of socks, the onset of armageddon, or any > other negative effects. > > # > > # Test thoroughly in a lab environment before use on production systems. > > # When you think it's ok, test again. When you're certain it's ok, test > twice more. > > # > > # This script moves /Users to /Volumes/Data. If your data volume is named > differently, > > # be sure to replace each instance of "/Volumes/Data" with the path to your > data volume. > > # Run as an "at reboot" script when imaging with Casper. > > # > > ##### HEADER ENDS ##### > > > /bin/mv /Users /Volumes/Data > > > rm -R /Users > > > /bin/ln -s /Volumes/Data /Users > > > diskutil repairPermissions / > > > > ---------- > Miles A. Leacy IV > > ? Certified System Administrator 10.4 > ? Certified Technical Coordinator 10.5 > ? Certified Trainer > Certified Casper Administrator > ---------- > voice: 1-347-277-7321 > miles.leacy at themacadmin.com > www.themacadmin.com > > > > > On Mon, Jan 5, 2009 at 4:10 PM, David Lundgren > > > > wrote: > >> I was wondering how you all have done migrations from Tiger to Leopard. >> >> We have an Active Directory setup where the users home directories are >> local >> to the machine (our faculty often have 10GB+ of data, and some have >> laptops). >> >> We were contemplating doing separate user and OS partitions at the same >> time >> to make any future OS upgrades less painful, without having to worry about >> user data. >> >> Thanks, >> >> David Lundgren >> IT Systems Administrator >> >> Brooks Institute - "Passion, Vision, Excellence" >> 27 East Cota Street >> Santa Barbara, CA 93101 >> (888) 304-3456 (toll-free) >> (805) 690-7615 (office) >> http://www.brooks.edu >> >> _______________________________________________ >> Casper mailing list >> Casper at list.jamfsoftware.com >> http://list.jamfsoftware.com/mailman/listinfo/casper >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://list.jamfsoftware.com/pipermail/casper/attachments/20090106/f0294f29/attachment.htm From tlarki at kckps.org Tue Jan 6 08:27:54 2009 From: tlarki at kckps.org (Thomas Larkin) Date: Tue, 06 Jan 2009 10:27:54 -0600 Subject: [Casper] Upgrading from Tiger to Leopard In-Reply-To: References: <4963242E.7141.0039.0@kckps.org> Message-ID: <4963322A.7141.0039.0@kckps.org> I guess I would rather do it in DS than by a sym link just because. Sym link goes bad lots of problems I think could happen. Users could jack it up them self as well since they own everything. Especially with NetInfo. I saw so many weird quirks with it when we ran Tiger, and a lot of times it would dupe local or mobile accounts to the machine and I would have to go in and delete one of them to make the account work again. I guess I am just a bit paranoid, and I don't like touching anything in production. I would have to fully test the sym link thing heavily before I did it in my live environment. It is good to know it works for you, maybe some day I will try it. Also, with laptops I don't think diskutility supports live resizing in Tiger, so you would have to be a bit more creative because you couldn't have a second volume nor could you script something to create a new volume on the existing drive in Tiger. I think that is one of the 300 new features of Leopard if I recall, to resize live partitions and create a /users partition to house the directory. Plus with all the hard drive failures I see anyway every day on the Macbooks, I would really suggest using mobile home directories. Then you can just wipe and resync the home directory and call it a day. The down side to that is that a home sync is not a true back up, it is a synchronization, which some users just can't quite grasp. When you toss these in your production machines, are these servers or are these like actual user machines? I think working in education has made me paranoid since students like to tinker, hack, exploit, and crash machines whenever they can. ___________________________ Thomas Larkin TIS Department KCKPS USD500 tlarki at kckps.org blackberry: 913-449-7589 office: 913-627-0351 >>> "Miles Leacy" 01/06/09 9:52 AM >>> I've been doing this in production environments (large enterprises as well as my family's Macs) for at least two years on both Tiger and Leopard without any issues. What are the potential issues you're concerned about? The reason for including the permissions repair is lost to antiquity and poor documentation I'm afraid, but I seem to vaguely recall it having something to do with the /Users/Shared folder. Since it works, I'm not overly concerned with uncovering the answer, but if you care to, you could comment out the permissions repair line and see what the difference is. Whether netinfo or ds is handling your home folders, it refers to them as a filesystem path. As far as my knowledge and experience goes, there is no difference in how home folders function between a system with a genuine /Users path and one with a symlinked /Users path. ---------- Miles A. Leacy IV ? Certified System Administrator 10.4 ? Certified Technical Coordinator 10.5 ? Certified Trainer Certified Casper Administrator ---------- voice: 1-347-277-7321 miles.leacy at themacadmin.com www.themacadmin.com On Tue, Jan 6, 2009 at 10:28 AM, Thomas Larkin wrote: I don't know if I think that is a totally wise idea. I have read on several occasions either at AFP548.com or macenterprise.org about moving home directories and then connecting them by symbolic link. While I can't exactly recall the specifics other than it has to do with NetInfo and the location of the home directory or with Open Directory (dscl in 10.5) and how the user database actually points to the home folder. Also, if I recall diskutility will not repair permissions on user data, it only does it on system data. I am not saying it won't work, I am just saying there may be some issues as I have read from other people posting and how NetInfo and Open Directory handle the user database. Please correct me if I am wrong on that, because I have never tried to make a user partition on a local machine just for home directories, well at least not in OS X. In Linux I have. If you don't have network homes, or strongly suggest you look into something like that. I know that 10gigs of data for each user can eat up storage pretty quick, but storage is actually well, kind of cheap these days. Over the summer we reimaged 6,000 Macbooks from 10.4 to 10.5. 10.5.4 was a damn nightmare but 10.5.5 smoothed most of those things out. I wiped out all of our servers, reloaded them, and since I house home directories on separate volumes on the network I just pointed in WGM the volume for home directories. I also recommend a full wipe and fresh import of LDAP. I just exported mine to plain text (users and groups) and then reimported them via WGM. This will not preserve passwords, so I did a master password reset. I have tools now to set unique passwords for users as well, and will be implementing that over next summer. Next summer I am wiping out everything and freshly loading every thing. ___________________________ Thomas Larkin TIS Department KCKPS USD500 tlarki at kckps.org blackberry: 913-449-7589 office: 913-627-0351 >>> "Miles Leacy" 01/06/09 8:01 AM >>> If you don't mind doing some extra work now, you can move people's data to another partition now, and in the future, you can do as you like with the system volume going forward without worry about user data. Note that if you boot an existing Mac (with user data) to a Leopard volume, you can create new partitions non-destructively and this task can be scripted. I would (and do) do it like this: #!/bin/sh # ##### HEADER BEGINS ##### # scr_sys_symlinkUsers.sh # # Created 20071011 by Miles A. Leacy IV # miles.leacy at themacadmin.com # Modified 20090106 by Miles A. Leacy IV # Copyright 2009 Miles A. Leacy IV # # This script may be copied and distributed freely as long as this header remains intact. # # This script is provided "as is". The author offers no warranty or guarantee of any kind. # Use of this script is at your own risk. The author takes no responsibility for loss of use, # loss of data, loss of job, loss of socks, the onset of armageddon, or any other negative effects. # # Test thoroughly in a lab environment before use on production systems. # When you think it's ok, test again. When you're certain it's ok, test twice more. # # This script moves /Users to /Volumes/Data. If your data volume is named differently, # be sure to replace each instance of "/Volumes/Data" with the path to your data volume. # Run as an "at reboot" script when imaging with Casper. # ##### HEADER ENDS ##### /bin/mv /Users /Volumes/Data rm -R /Users /bin/ln -s /Volumes/Data /Users diskutil repairPermissions / ---------- Miles A. Leacy IV ? Certified System Administrator 10.4 ? Certified Technical Coordinator 10.5 ? Certified Trainer Certified Casper Administrator ---------- voice: 1-347-277-7321 miles.leacy at themacadmin.com www.themacadmin.com On Mon, Jan 5, 2009 at 4:10 PM, David Lundgren wrote: I was wondering how you all have done migrations from Tiger to Leopard. We have an Active Directory setup where the users home directories are local to the machine (our faculty often have 10GB+ of data, and some have laptops). We were contemplating doing separate user and OS partitions at the same time to make any future OS upgrades less painful, without having to worry about user data. Thanks, David Lundgren IT Systems Administrator Brooks Institute - "Passion, Vision, Excellence" 27 East Cota Street Santa Barbara, CA 93101 (888) 304-3456 (toll-free) (805) 690-7615 (office) http://www.brooks.edu _______________________________________________ Casper mailing list Casper at list.jamfsoftware.com http://list.jamfsoftware.com/mailman/listinfo/casper -------------- next part -------------- An HTML attachment was scrubbed... URL: http://list.jamfsoftware.com/pipermail/casper/attachments/20090106/1dbb59a8/attachment.html From miles.leacy at themacadmin.com Tue Jan 6 09:01:43 2009 From: miles.leacy at themacadmin.com (Miles Leacy) Date: Tue, 6 Jan 2009 12:01:43 -0500 Subject: [Casper] Upgrading from Tiger to Leopard In-Reply-To: <4963322A.7141.0039.0@kckps.org> References: <4963242E.7141.0039.0@kckps.org> <4963322A.7141.0039.0@kckps.org> Message-ID: On Tue, Jan 6, 2009 at 11:27 AM, Thomas Larkin wrote: > Users could jack it up them self as well since they own everything. > They own /Users/. They don't own /Users. should not be able to affect the /Users symlink. If your users are admins, you've got a host of problems and I suggest making a policy stating that no one is an admin ASAP. That's a separate discussion though. On Tue, Jan 6, 2009 at 11:27 AM, Thomas Larkin wrote: > I saw so many weird quirks with it when we ran Tiger, and a lot of times it > would dupe local or mobile accounts to the machine and I would have to go in > and delete one of them to make the account work again. > This was a netinfo issue. As far as I know, it does not occur in Leopard's local ds. Nicole Jacque from Apple distributed a lovely script to handle this issue. I'll paste it at the end of this message. I run this script as a policy triggered by every15 on a smart group consisting of all tiger machines. On Tue, Jan 6, 2009 at 11:27 AM, Thomas Larkin wrote: > I don't think diskutility supports live resizing in Tiger > It doesn't. If you're migrating to Leopard, one of the first things I suggest is to create a Leopard diagnostic/utility/imaging image. If you boot your Tiger system from an external drive imaged with this Leopard image, you can take advantage of Leopard's diskutil command and its live resizing options. Plus with all the hard drive failures I see anyway every day on the > Macbooks, I would really suggest using mobile home directories. Then you > can just wipe and resync the home directory and call it a day. > Network homes have never been an option in the environments I've worked with. The network infrastructure or storage infrastructure (or both) has been a show-stopper. Also, if you go this route, you need to resync the entire home directory after a reimage. With a separate data partition, you don't lose time to file copying. I'm not saying network homes are bad, just that they don't solve the problem of time lost to data copying. On Tue, Jan 6, 2009 at 11:27 AM, Thomas Larkin wrote: > When you toss these in your production machines, are these servers or are > these like actual user machines? > I only do this for client machines. Servers have a single "Server HD" system volume with a default /Users path. I put any service data and/or share points on enterprise storage volumes. On Tue, Jan 6, 2009 at 11:27 AM, Thomas Larkin wrote: > I think working in education has made me paranoid since students like to > tinker, hack, exploit, and crash machines whenever they can. > I've worked in K-12 and I agree with you. Unfortunately, adults aren't always any better. I've had to come up with almost as many interesting management policies and processes in the corporate world as I did in education. A good mix of permissions, MCX and Casper policies should prevent and/or revert any unauthorized tinkering. # Script to remove 'disabled user' records from local directory # This should work in both Tiger and Leopard # Run this script as root or with sudo #!/bin/sh for cuser in `dscl . -list /Users AuthenticationAuthority | grep DisabledUser | awk '{print $1}' | tr '\n' ' '`; do dscl . -delete /Users/$cuser done ---------- Miles A. Leacy IV ? Certified System Administrator 10.4 ? Certified Technical Coordinator 10.5 ? Certified Trainer Certified Casper Administrator ---------- voice: 1-347-277-7321 miles.leacy at themacadmin.com www.themacadmin.com On Tue, Jan 6, 2009 at 11:27 AM, Thomas Larkin wrote: > I guess I would rather do it in DS than by a sym link just because. Sym > link goes bad lots of problems I think could happen. Users could jack it up > them self as well since they own everything. Especially with NetInfo. I > saw so many weird quirks with it when we ran Tiger, and a lot of times it > would dupe local or mobile accounts to the machine and I would have to go in > and delete one of them to make the account work again. I guess I am just a > bit paranoid, and I don't like touching anything in production. I would > have to fully test the sym link thing heavily before I did it in my live > environment. It is good to know it works for you, maybe some day I will try > it. > > Also, with laptops I don't think diskutility supports live resizing in > Tiger, so you would have to be a bit more creative because you couldn't have > a second volume nor could you script something to create a new volume on the > existing drive in Tiger. I think that is one of the 300 new features of > Leopard if I recall, to resize live partitions and create a /users partition > to house the directory. > > Plus with all the hard drive failures I see anyway every day on the > Macbooks, I would really suggest using mobile home directories. Then you > can just wipe and resync the home directory and call it a day. The down > side to that is that a home sync is not a true back up, it is a > synchronization, which some users just can't quite grasp. > > When you toss these in your production machines, are these servers or are > these like actual user machines? I think working in education has made me > paranoid since students like to tinker, hack, exploit, and crash machines > whenever they can. > > > > ___________________________ > Thomas Larkin > TIS Department > KCKPS USD500 > tlarki at kckps.org > blackberry: 913-449-7589 > office: 913-627-0351 > > > > > > >>> "Miles Leacy" 01/06/09 9:52 AM >>> > > I've been doing this in production environments (large enterprises as well > as my family's Macs) for at least two years on both Tiger and Leopard > without any issues. What are the potential issues you're concerned about? > > > The reason for including the permissions repair is lost to antiquity and > poor documentation I'm afraid, but I seem to vaguely recall it having > something to do with the /Users/Shared folder. Since it works, I'm not > overly concerned with uncovering the answer, but if you care to, you could > comment out the permissions repair line and see what the difference is. > > > Whether netinfo or ds is handling your home folders, it refers to them > as a filesystem path. As far as my knowledge and experience goes, there is > no difference in how home folders function between a system with a genuine > /Users path and one with a symlinked /Users path. > > > ---------- > Miles A. Leacy IV > > ? Certified System Administrator 10.4 > ? Certified Technical Coordinator 10.5 > ? Certified Trainer > Certified Casper Administrator > ---------- > voice: 1-347-277-7321 > miles.leacy at themacadmin.com > www.themacadmin.com > > > > > On Tue, Jan 6, 2009 at 10:28 AM, Thomas Larkin > > > > wrote: > >> I don't know if I think that is a totally wise idea. I have read on >> several occasions either at AFP548.com or macenterprise.org about moving >> home directories and then connecting them by symbolic link. While I can't >> exactly recall the specifics other than it has to do with NetInfo and the >> location of the home directory or with Open Directory (dscl in 10.5) and how >> the user database actually points to the home folder. Also, if I recall >> diskutility will not repair permissions on user data, it only does it on >> system data. I am not saying it won't work, I am just saying there may be >> some issues as I have read from other people posting and how NetInfo and >> Open Directory handle the user database. Please correct me if I am wrong on >> that, because I have never tried to make a user partition on a local machine >> just for home directories, well at least not in OS X. In Linux I have. >> >> >> If you don't have network homes, or portable home directories I really >> strongly suggest you look into something like that. I know that 10gigs of >> data for each user can eat up storage pretty quick, but storage is actually >> well, kind of cheap these days. >> >> >> Over the summer we reimaged 6,000 Macbooks from 10.4 to 10.5. 10.5.4 >> was a damn nightmare but 10.5.5 smoothed most of those things out. I wiped >> out all of our servers, reloaded them, and since I house home directories on >> separate volumes on the network I just pointed in WGM the volume for home >> directories. I also recommend a full wipe and fresh import of LDAP. I just >> exported mine to plain text (users and groups) and then reimported them via >> WGM. This will not preserve passwords, so I did a master password reset. I >> have tools now to set unique passwords for users as well, and will be >> implementing that over next summer. Next summer I am wiping out everything >> and freshly loading every thing. >> >> >> ___________________________ >> Thomas Larkin >> TIS Department >> KCKPS USD500 >> tlarki at kckps.org >> blackberry: 913-449-7589 >> office: 913-627-0351 >> >> >> >> >> >> >>> "Miles Leacy" 01/06/09 8:01 AM >>> >> >> >> If you don't mind doing some extra work now, you can move people's data to >> another partition now, and in the future, you can do as you like with the >> system volume going forward without worry about user data. >> >> >> >> Note that if you boot an existing Mac (with user data) to a Leopard >> volume, you can create new partitions non-destructively and this task can be >> scripted. >> >> >> I would (and do) do it like this: >> >> >> #!/bin/sh >> >> # >> >> ##### HEADER BEGINS ##### >> >> # scr_sys_symlinkUsers.sh >> >> # >> >> # Created 20071011 by Miles A. Leacy IV >> >> # miles.leacy at themacadmin.com >> >> # Modified 20090106 by Miles A. Leacy IV >> >> # Copyright 2009 Miles A. Leacy IV >> >> # >> >> # This script may be copied and distributed freely as long as this header >> remains intact. >> >> # >> >> # This script is provided "as is". The author offers no warranty or >> guarantee of any kind. >> >> # Use of this script is at your own risk. The author takes no >> responsibility for loss of use, >> >> # loss of data, loss of job, loss of socks, the onset of armageddon, or >> any other negative effects. >> >> # >> >> # Test thoroughly in a lab environment before use on production systems. >> >> # When you think it's ok, test again. When you're certain it's ok, test >> twice more. >> >> # >> >> # This script moves /Users to /Volumes/Data. If your data volume is named >> differently, >> >> # be sure to replace each instance of "/Volumes/Data" with the path to >> your data volume. >> >> # Run as an "at reboot" script when imaging with Casper. >> >> # >> >> ##### HEADER ENDS ##### >> >> >> /bin/mv /Users /Volumes/Data >> >> >> rm -R /Users >> >> >> /bin/ln -s /Volumes/Data /Users >> >> >> diskutil repairPermissions / >> >> >> >> ---------- >> Miles A. Leacy IV >> >> ? Certified System Administrator 10.4 >> ? Certified Technical Coordinator 10.5 >> ? Certified Trainer >> Certified Casper Administrator >> ---------- >> voice: 1-347-277-7321 >> miles.leacy at themacadmin.com >> www.themacadmin.com >> >> >> >> >> On Mon, Jan 5, 2009 at 4:10 PM, David Lundgren >> >> >> >> wrote: >> >>> I was wondering how you all have done migrations from Tiger to Leopard. >>> >>> We have an Active Directory setup where the users home directories are >>> local >>> to the machine (our faculty often have 10GB+ of data, and some have >>> laptops). >>> >>> We were contemplating doing separate user and OS partitions at the same >>> time >>> to make any future OS upgrades less painful, without having to worry >>> about >>> user data. >>> >>> Thanks, >>> >>> David Lundgren >>> IT Systems Administrator >>> >>> Brooks Institute - "Passion, Vision, Excellence" >>> 27 East Cota Street >>> Santa Barbara, CA 93101 >>> (888) 304-3456 (toll-free) >>> (805) 690-7615 (office) >>> http://www.brooks.edu >>> >>> _______________________________________________ >>> Casper mailing list >>> Casper at list.jamfsoftware.com >>> http://list.jamfsoftware.com/mailman/listinfo/casper >>> >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://list.jamfsoftware.com/pipermail/casper/attachments/20090106/e20f8843/attachment.html From Tommy.Birchett at martinagency.com Tue Jan 6 09:37:42 2009 From: Tommy.Birchett at martinagency.com (Tommy Birchett) Date: Tue, 6 Jan 2009 12:37:42 -0500 Subject: [Casper] Deploy CS4 Message-ID: Has anyone used Casper for deploying CS4? Does it basically work the same as CS3? -- Tommy Birchett | The Martin Agency| 804-698-8592 | 804-389-3071 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://list.jamfsoftware.com/pipermail/casper/attachments/20090106/6aa6ff18/attachment.html From amir-bozorgzadeh at uiowa.edu Wed Jan 7 05:57:54 2009 From: amir-bozorgzadeh at uiowa.edu (Bozorgzadeh, Amir J) Date: Wed, 7 Jan 2009 07:57:54 -0600 Subject: [Casper] CS4 Message-ID: I am in the process of upgrading several lab machines to CS4. I created the package and distributed and get a 150:30 error. I sent an email to Jamf and they sent back some fixes for it. The Licensing Service Update worked but is an applescript. The problem is it makes a lot of calls to several scripts so Jamf software says there is no way to make it distributable. Has anyone had any experience with this? Is anyone getting CS4 to install. My license is a multiple site license if that makes any difference. Any help would be appreciated. Thanks. ________________________________ Amir Bozorgzadeh Campus Technology Services University of Iowa 2800 UCC Iowa City, Iowa 52242 319-335-5480 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://list.jamfsoftware.com/pipermail/casper/attachments/20090107/cbf2a518/attachment.htm From NATHANIEL.LINDLEY at spps.org Wed Jan 7 06:45:48 2009 From: NATHANIEL.LINDLEY at spps.org (NATHANIEL.LINDLEY at spps.org) Date: Wed, 7 Jan 2009 08:45:48 -0600 Subject: [Casper] JSS search box Message-ID: So, I like the new v6 JSS web but what does the search box in the top right actually do? I type in "word" and it gives me the File Servers link and JSS Accounts. I was hoping it would be a shortcut to Inventory search so that I can type an Asset Tag in the search box and go right to that machine, instead of clicking Inventory and then the tag and then search. Feature request I guess. Nathaniel Lindley ++++++++++++++++++ Educational Technology Saint Paul Public Schools Saint Paul, Minnesota nathaniel.lindley at spps.org phone: 651-248-6861 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://list.jamfsoftware.com/pipermail/casper/attachments/20090107/5c098aac/attachment.htm From ERNSTCS at uwec.edu Wed Jan 7 06:56:56 2009 From: ERNSTCS at uwec.edu (Ernst, Craig S.) Date: Wed, 7 Jan 2009 08:56:56 -0600 Subject: [Casper] JSS search box In-Reply-To: Message-ID: That's meant to allow you to quickly locate a section within the JSS, like Directory Bindings. So if you typed in Directory and searched you'd get the Directory Bindings section listed. The search that you want is strictly in the Inventory tab. I could see that search box being convenient to search at minimum inventory for one less click into the inventory tab. Craig On 1/7/09 8:45 AM, "Nathaniel Lindley" wrote: So, I like the new v6 JSS web but what does the search box in the top right actually do? I type in "word" and it gives me the File Servers link and JSS Accounts. I was hoping it would be a shortcut to Inventory search so that I can type an Asset Tag in the search box and go right to that machine, instead of clicking Inventory and then the tag and then search. Feature request I guess. Nathaniel Lindley ++++++++++++++++++ Educational Technology Saint Paul Public Schools Saint Paul, Minnesota nathaniel.lindley at spps.org phone: 651-248-6861 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://list.jamfsoftware.com/pipermail/casper/attachments/20090107/1d038014/attachment.html From amir-bozorgzadeh at uiowa.edu Wed Jan 7 10:25:56 2009 From: amir-bozorgzadeh at uiowa.edu (Bozorgzadeh, Amir J) Date: Wed, 7 Jan 2009 12:25:56 -0600 Subject: [Casper] CS4 Message-ID: I am in the process of upgrading several lab machines to CS4. I created the package and distributed and get a 150:30 error. I sent an email to Jamf and they sent back some fixes for it. The Licensing Service Update worked but is an applescript. The problem is it makes a lot of calls to several scripts so Jamf software says there is no way to make it distributable. Has anyone had any experience with this? Is anyone getting CS4 to install. My license is a multiple site license if that makes any difference. Any help would be appreciated. Thanks. ________________________________ Amir Bozorgzadeh Campus Technology Services University of Iowa 2800 UCC Iowa City, Iowa 52242 319-335-5480 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://list.jamfsoftware.com/pipermail/casper/attachments/20090107/8765979c/attachment.html From rharter at uwsp.edu Wed Jan 7 11:22:18 2009 From: rharter at uwsp.edu (Ryan Harter) Date: Wed, 7 Jan 2009 13:22:18 -0600 Subject: [Casper] CS4 In-Reply-To: References: Message-ID: <25F354AD-DBA0-4197-B6AF-F08AC2ADF05E@uwsp.edu> I'm currently testing it out right now. How are you doing it. Are you making dmg's and using Casper's Adobe Install just like CS3 or are you using the Deployment Utils from Adobe and using a custom policy? I'm planning on making a Deployment package and a custom policy that will copy the installer and run the AdobeUberInstaller application for silent install. Ryan Harter UW - Stevens Point Workstation Developer 715.346.2716 Ryan.Harter at uwsp.edu On Jan 7, 2009, at 12:25 PM, Bozorgzadeh, Amir J wrote: > I am in the process of upgrading several lab machines to CS4. > > I created the package and distributed and get a 150:30 error. I sent > an email to Jamf and they sent back some fixes for it. The Licensing > Service Update worked but is an applescript. The problem is it makes > a lot of calls to several scripts so Jamf software says there is no > way to make it distributable. > > Has anyone had any experience with this? Is anyone getting CS4 to > install. My license is a multiple site license if that makes any > difference. > > Any help would be appreciated. > > Thanks. > Amir Bozorgzadeh > Campus Technology Services > University of Iowa > 2800 UCC > Iowa City, Iowa 52242 > 319-335-5480 > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://list.jamfsoftware.com/pipermail/casper/attachments/20090107/2257e1a6/attachment.htm From rharter at uwsp.edu Wed Jan 7 11:41:39 2009 From: rharter at uwsp.edu (Ryan Harter) Date: Wed, 7 Jan 2009 13:41:39 -0600 Subject: [Casper] CS4 In-Reply-To: References: Message-ID: <5FD1ED6B-C082-4C2D-8F5F-FF95E4F3C42C@uwsp.edu> If you have site licensing then you should have gotten an Adobe CS4 Deployment Toolkit disk with your dvd's. I just used that to create the package. AFAIK Adobe licenses go into a database on the client, so if you make a package for that, the database won't work quite right, and if you make more than one package then one will overwrite the shared database. We used to get around this by packaging them all on the same machine and making sure they went in the same order every time. That was in the CS2 days, however. The Deployment toolkit makes a package (really just a folder) that contains: /AdobeUberInstaller /AdobeUberUninstaller /AdobeUberInstaller.xml /AdobeUberUninstaller.xml The xml files point to the installer, which can be on an afp share, and running the AdobeUberInstaller as root runs a silent install and lets you suppress the EULA, etc. My plan is to write a script that will: 1. Either use casper to copy the deployment package down or just mount a share to do it. 2. Run /AdobeUberInstaller 3. srm /CS4 Deployment Package As far as I can think, it should be as simple as that. Perhaps some extra testing to make sure we don't screw anything up, but that should be it. What do you think? Has anyone tried anything similar? Ryan Harter UW - Stevens Point Workstation Developer 715.346.2716 Ryan.Harter at uwsp.edu On Jan 7, 2009, at 1:25 PM, Bozorgzadeh, Amir J wrote: > I did it pretty straight forward. I used composer installed CS4 and > all updates. Ran all apps. > > This did not work. Or at least I get the licensing error I > mentioned. Adobe installer on Casper does not work. It does not > support CS4. Errors that it is not an Adobe installer. Jamf Software > verified this and said the next version will support CS4. > > Let me know how your testing goes. Where do I find info on the Uber > installer I keep hearing about? I am not familiar with it. > > Thanks for response, > Amir > > > On 1/7/09 1:22 PM, "Ryan Harter" wrote: > > I'm currently testing it out right now. How are you doing it. Are > you making dmg's and using Casper's Adobe Install just like CS3 or > are you using the Deployment Utils from Adobe and using a custom > policy? > > I'm planning on making a Deployment package and a custom policy that > will copy the installer and run the AdobeUberInstaller application > for silent install. > > > Ryan Harter > UW - Stevens Point > Workstation Developer > 715.346.2716 > Ryan.Harter at uwsp.edu > > > On Jan 7, 2009, at 12:25 PM, Bozorgzadeh, Amir J wrote: > > I am in the process of upgrading several lab machines to CS4. > > I created the package and distributed and get a 150:30 error. I > sent an email to Jamf and they sent back some fixes for it. The > Licensing Service Update worked but is an applescript. The problem > is it makes a lot of calls to several scripts so Jamf software says > there is no way to make it distributable. > > Has anyone had any experience with this? Is anyone getting CS4 to > install. My license is a multiple site license if that makes any > difference. > > Any help would be appreciated. > > Thanks. > > Amir Bozorgzadeh > Campus Technology Services > University of Iowa > 2800 UCC > Iowa City, Iowa 52242 > 319-335-5480 > > > > > > > > > > Amir Bozorgzadeh > Campus Technology Services > University of Iowa > 2800 UCC > Iowa City, Iowa 52242 > 319-335-5480 > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://list.jamfsoftware.com/pipermail/casper/attachments/20090107/4c929c23/attachment.htm From bkvines at wgclawfirm.com Wed Jan 7 13:51:11 2009 From: bkvines at wgclawfirm.com (Bryan Vines) Date: Wed, 7 Jan 2009 15:51:11 -0600 Subject: [Casper] Upgrading from Tiger to Leopard Message-ID: David, We began exploring the idea of having the user data on a separate partition for the same reason -- future OS upgrades will hopefully be less painful. We have been using a three-partition scheme: Restore, Macintosh HD, and Data. Our partition sizes are: Restore: 15GB Macintosh HD: 30GB or so Data: The rest of the drive. We've found we need at least an 80GB drive to allow the users about 30GB of space. We deployed a few Tiger machines with this partitioning scheme, but then we went ahead and switched to deploying Leopard (mostly because of laptops which would only run Leopard). User homes go on Data, so if the main boot partition ends up hosed, we can restore it from our standard configuration and get the user up and running again with a minimum of fuss. We're now moving our older installed base to Leopard. We have to go touch each machine, either to repartition its hard drive or install a larger one. We're hoping we won't have to do that when Snow Leopard rolls around. -- Bryan Vines bkvines at wgclawfirm.com > From: David Lundgren > Subject: [Casper] Upgrading from Tiger to Leopard > > I was wondering how you all have done migrations from Tiger to > Leopard. > > We have an Active Directory setup where the users home directories > are local > to the machine (our faculty often have 10GB+ of data, and some have > laptops). > > We were contemplating doing separate user and OS partitions at the > same time > to make any future OS upgrades less painful, without having to worry > about > user data. > > Thanks, > > David Lundgren > IT Systems Administrator -------------- next part -------------- An HTML attachment was scrubbed... URL: http://list.jamfsoftware.com/pipermail/casper/attachments/20090107/99cfcbd0/attachment.htm From miles.leacy at themacadmin.com Wed Jan 7 14:02:20 2009 From: miles.leacy at themacadmin.com (Miles Leacy) Date: Wed, 7 Jan 2009 17:02:20 -0500 Subject: [Casper] Upgrading from Tiger to Leopard In-Reply-To: References: Message-ID: This is very similar to my client setups. I give Macintosh HD 20GB on 80GB drives, 40GB on all others. I strongly recommend using a Restore partition unless you have a robust network and a netboot server. Even if you do use netboot on site, having a restore partition can get you out of a jam with a mobile user on the road. ---------- Miles A. Leacy IV ? Certified System Administrator 10.4 ? Certified Technical Coordinator 10.5 ? Certified Trainer Certified Casper Administrator ---------- voice: 1-347-277-7321 miles.leacy at themacadmin.com www.themacadmin.com 2009/1/7 Bryan Vines > David, > We began exploring the idea of having the user data on a separate partition > for the same reason -- future OS upgrades will hopefully be less painful. We > have been using a three-partition scheme: Restore, Macintosh HD, and Data. > > Our partition sizes are: > Restore: 15GB > Macintosh HD: 30GB or so > Data: The rest of the drive. > > We've found we need at least an 80GB drive to allow the users about 30GB of > space. We deployed a few Tiger machines with this partitioning scheme, but > then we went ahead and switched to deploying Leopard (mostly because of > laptops which would only run Leopard). > > User homes go on Data, so if the main boot partition ends up hosed, we can > restore it from our standard configuration and get the user up and running > again with a minimum of fuss. > > We're now moving our older installed base to Leopard. We have to go touch > each machine, either to repartition its hard drive or install a larger one. > We're hoping we won't have to do that when Snow Leopard rolls around. > > -- > Bryan Vines > bkvines at wgclawfirm.com > > > From: David Lundgren > Subject: [Casper] Upgrading from Tiger to Leopard > > I was wondering how you all have done migrations from Tiger to Leopard. > > We have an Active Directory setup where the users home directories are > local > to the machine (our faculty often have 10GB+ of data, and some have > laptops). > > We were contemplating doing separate user and OS partitions at the same > time > to make any future OS upgrades less painful, without having to worry about > user data. > > Thanks, > > David Lundgren > IT Systems Administrator > > > > _______________________________________________ > Casper mailing list > Casper at list.jamfsoftware.com > http://list.jamfsoftware.com/mailman/listinfo/casper > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://list.jamfsoftware.com/pipermail/casper/attachments/20090107/fe78801f/attachment.htm From tlarki at kckps.org Thu Jan 8 08:07:39 2009 From: tlarki at kckps.org (Thomas Larkin) Date: Thu, 08 Jan 2009 10:07:39 -0600 Subject: [Casper] Self Service Feature REQ Message-ID: <4965D06B.7141.0039.0@kckps.org> So, It has come to my attention that certain users may need certain software and licenses are limited. Instead of me doing bunches of manual data entries and finding out all the individual laptops (out of 6,000) and creating a smart group out of them, I would like the idea of putting a password on a self service install. Then giving that password to that class, and so the students in that particular class can install it with their password. Then make a smart group of all users that have that application installed to track the licenses. I was talking to a teacher who wanted to buy 30 copies of some accounting software for a class. I was dreading the thought of me having to track down each student, the asset tag of their computer, and creating yet another smart group, then I thought if I could just put like a password on the self service install, the student could install it them self with that password. I know that working in a 1:1 is way different but I have users that may switch laptops due to hardware failure and I just want them to be able to install it on whatever laptop they are given. In many cases when a laptop goes out for repair a spare is issued. Thoughts? ___________________________ Thomas Larkin TIS Department KCKPS USD500 tlarki at kckps.org blackberry: 913-449-7589 office: 913-627-0351 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://list.jamfsoftware.com/pipermail/casper/attachments/20090108/f26c20d1/attachment.html From NATHANIEL.LINDLEY at spps.org Thu Jan 8 08:17:39 2009 From: NATHANIEL.LINDLEY at spps.org (NATHANIEL.LINDLEY at spps.org) Date: Thu, 8 Jan 2009 10:17:39 -0600 Subject: [Casper] Self Service Feature REQ In-Reply-To: <4965D06B.7141.0039.0@kckps.org> Message-ID: Tom, Not sure if this would work, but could you create a user group that is allowed certain policies for self-service? In AD we have a building tech group that can install apps that are licensed like Office, but that install is not available to anonymous. I would think I could have a group in AD for the users that need that app and then maybe grant rights to that group to execute the install policy? I haven't tried it so I'm not sure if that would work. And a single password would be much simpler, especially since you could disable the policy after the correct number of licenses have been installed. Nathaniel Lindley ++++++++++++++++++ Educational Technology Saint Paul Public Schools Saint Paul, Minnesota nathaniel.lindley at spps.org phone: 651-248-6861 "Thomas Larkin" Sent by: casper-bounces at list.jamfsoftware.com 01/08/2009 10:00 AM To cc Subject [Casper] Self Service Feature REQ So, It has come to my attention that certain users may need certain software and licenses are limited. Instead of me doing bunches of manual data entries and finding out all the individual laptops (out of 6,000) and creating a smart group out of them, I would like the idea of putting a password on a self service install. Then giving that password to that class, and so the students in that particular class can install it with their password. Then make a smart group of all users that have that application installed to track the licenses. I was talking to a teacher who wanted to buy 30 copies of some accounting software for a class. I was dreading the thought of me having to track down each student, the asset tag of their computer, and creating yet another smart group, then I thought if I could just put like a password on the self service install, the student could install it them self with that password. I know that working in a 1:1 is way different but I have users that may switch laptops due to hardware failure and I just want them to be able to install it on whatever laptop they are given. In many cases when a laptop goes out for repair a spare is issued. Thoughts? ___________________________ Thomas Larkin TIS Department KCKPS USD500 tlarki at kckps.org blackberry: 913-449-7589 office: 913-627-0351 _______________________________________________ Casper mailing list Casper at list.jamfsoftware.com http://list.jamfsoftware.com/mailman/listinfo/casper -------------- next part -------------- An HTML attachment was scrubbed... URL: http://list.jamfsoftware.com/pipermail/casper/attachments/20090108/4a42fc17/attachment.htm From jstrauss at loyolahs.edu Thu Jan 8 08:30:38 2009 From: jstrauss at loyolahs.edu (Jeff Strauss) Date: Thu, 8 Jan 2009 08:30:38 -0800 Subject: [Casper] Self Service Feature REQ In-Reply-To: <4965D06B.7141.0039.0@kckps.org> References: <4965D06B.7141.0039.0@kckps.org> Message-ID: <8624C018-2041-4EDA-9B94-5164D5537405@loyolahs.edu> Just a thought, and this is probably not very elegant, but it may work... Can you get a list of the students in the class from the teacher and then create a smart group for computers with those logged-in users? Or manually search the inventory for users and match those to asset tags? I'm not in front of my JSS at the moment so I don't know if those options are feasible. Do students in your environment go home with their laptops or are they issued a random one on a daily basis? Jeff Sent from my iPhone 3G On Jan 8, 2009, at 8:11 AM, "Thomas Larkin" > wrote: So, It has come to my attention that certain users may need certain software and licenses are limited. Instead of me doing bunches of manual data entries and finding out all the individual laptops (out of 6,000) and creating a smart group out of them, I would like the idea of putting a password on a self service install. Then giving that password to that class, and so the students in that particular class can install it with their password. Then make a smart group of all users that have that application installed to track the licenses. I was talking to a teacher who wanted to buy 30 copies of some accounting software for a class. I was dreading the thought of me having to track down each student, the asset tag of their computer, and creating yet another smart group, then I thought if I could just put like a password on the self service install, the student could install it them self with that password. I know that working in a 1:1 is way different but I have users that may switch laptops due to hardware failure and I just want them to be able to install it on whatever laptop they are given. In many cases when a laptop goes out for repair a spare is issued. Thoughts? ___________________________ Thomas Larkin TIS Department KCKPS USD500 tlarki at kckps.org blackberry: 913-449-7589 office: 913-627-0351 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://list.jamfsoftware.com/pipermail/casper/attachments/20090108/22f96728/attachment.htm From miles.leacy at themacadmin.com Thu Jan 8 08:36:33 2009 From: miles.leacy at themacadmin.com (Miles Leacy) Date: Thu, 8 Jan 2009 11:36:33 -0500 Subject: [Casper] Self Service Feature REQ In-Reply-To: <4965D06B.7141.0039.0@kckps.org> References: <4965D06B.7141.0039.0@kckps.org> Message-ID: Presumably, you have a record of which machine was issued to whom (Ideally, that info is stored in the JSS). In the case you describe, I would suggest creating a manual group of the 30 machines intended to receive the software. This doesn't address your stated desire to give a client the ability to reinstall the app on any machine they use. To do that may take a few steps, but I think you could get there with relative ease. I am assuming you are using some variety of LDAP, likely Active Directory or Open Directory. Here's what I'd do: 1 Create an LDAP group consisting of the people who should have this software. 2 a Create a script that queries for the logged-in user's groups. If your "accounting software" group is found, the script issues a custom trigger for the installation. Run this script with a policy triggered by login, once per user. b If you want to keep the self-service aspect, have the custom trigger in the script above kick off the installation of an empty package instead of the accounting software. Use the receipt from that empty package as the criterion for a smart group to which the self-service policy is scoped. I hope this helps. ---------- Miles A. Leacy IV ? Certified System Administrator 10.4 ? Certified Technical Coordinator 10.5 ? Certified Trainer Certified Casper Administrator ---------- voice: 1-347-277-7321 miles.leacy at themacadmin.com www.themacadmin.com 2009/1/8 Thomas Larkin > So, > > It has come to my attention that certain users may need certain software > and licenses are limited. Instead of me doing bunches of manual data > entries and finding out all the individual laptops (out of 6,000) and > creating a smart group out of them, I would like the idea of putting a > password on a self service install. Then giving that password to that > class, and so the students in that particular class can install it with > their password. Then make a smart group of all users that have that > application installed to track the licenses. I was talking to a teacher who > wanted to buy 30 copies of some accounting software for a class. I was > dreading the thought of me having to track down each student, the asset tag > of their computer, and creating yet another smart group, then I thought if I > could just put like a password on the self service install, the student > could install it them self with that password. > > I know that working in a 1:1 is way different but I have users that may > switch laptops due to hardware failure and I just want them to be able to > install it on whatever laptop they are given. In many cases when a laptop > goes out for repair a spare is issued. > > Thoughts? > > ___________________________ > Thomas Larkin > TIS Department > KCKPS USD500 > tlarki at kckps.org > blackberry: 913-449-7589 > office: 913-627-0351 > > > > > > > _______________________________________________ > Casper mailing list > Casper at list.jamfsoftware.com > http://list.jamfsoftware.com/mailman/listinfo/casper > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://list.jamfsoftware.com/pipermail/casper/attachments/20090108/ef884a0d/attachment.html From rharter at uwsp.edu Thu Jan 8 08:41:47 2009 From: rharter at uwsp.edu (Ryan Harter) Date: Thu, 8 Jan 2009 10:41:47 -0600 Subject: [Casper] Self Service Feature REQ In-Reply-To: References: <4965D06B.7141.0039.0@kckps.org> Message-ID: <040528D5-FB1F-4F83-8FBA-BAA6820CDC4F@uwsp.edu> I could be wrong, but can't you just require the user to login to self service and scope the policy to a specific group of users? That way no matter what computer they're on, they can get it and it won't appear for anyone else. I would think, assuming this is accurate, that this would be an easy solution because there is no shared password and they would just log on with their normal domain credentials. Ryan Harter UW - Stevens Point Workstation Developer 715.346.2716 Ryan.Harter at uwsp.edu On Jan 8, 2009, at 10:36 AM, Miles Leacy wrote: > Presumably, you have a record of which machine was issued to whom > (Ideally, that info is stored in the JSS). > > In the case you describe, I would suggest creating a manual group of > the 30 machines intended to receive the software. > > This doesn't address your stated desire to give a client the ability > to reinstall the app on any machine they use. To do that may take a > few steps, but I think you could get there with relative ease. I am > assuming you are using some variety of LDAP, likely Active Directory > or Open Directory. > > Here's what I'd do: > 1 Create an LDAP group consisting of the people who should have > this software. > 2 a Create a script that queries for the logged-in user's groups. > If your "accounting software" group is found, the script issues a > custom trigger for the installation. Run this script with a policy > triggered by login, once per user. > b If you want to keep the self-service aspect, have the custom > trigger in the script above kick off the installation of an empty > package instead of the accounting software. Use the receipt from > that empty package as the criterion for a smart group to which the > self-service policy is scoped. > > I hope this helps. > > ---------- > Miles A. Leacy IV > > ? Certified System Administrator 10.4 > ? Certified Technical Coordinator 10.5 > ? Certified Trainer > Certified Casper Administrator > ---------- > voice: 1-347-277-7321 > miles.leacy at themacadmin.com > www.themacadmin.com > > > > > 2009/1/8 Thomas Larkin > So, > > It has come to my attention that certain users may need certain > software and licenses are limited. Instead of me doing bunches of > manual data entries and finding out all the individual laptops (out > of 6,000) and creating a smart group out of them, I would like the > idea of putting a password on a self service install. Then giving > that password to that class, and so the students in that particular > class can install it with their password. Then make a smart group > of all users that have that application installed to track the > licenses. I was talking to a teacher who wanted to buy 30 copies of > some accounting software for a class. I was dreading the thought of > me having to track down each student, the asset tag of their > computer, and creating yet another smart group, then I thought if I > could just put like a password on the self service install, the > student could install it them self with that password. > > I know that working in a 1:1 is way different but I have users that > may switch laptops due to hardware failure and I just want them to > be able to install it on whatever laptop they are given. In many > cases when a laptop goes out for repair a spare is issued. > > Thoughts? > > ___________________________ > Thomas Larkin > TIS Department > KCKPS USD500 > tlarki at kckps.org > blackberry: 913-449-7589 > office: 913-627-0351 > > > > > > > _______________________________________________ > Casper mailing list > Casper at list.jamfsoftware.com > http://list.jamfsoftware.com/mailman/listinfo/casper > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://list.jamfsoftware.com/pipermail/casper/attachments/20090108/bed041fb/attachment.htm From miles.leacy at themacadmin.com Thu Jan 8 09:02:39 2009 From: miles.leacy at themacadmin.com (Miles Leacy) Date: Thu, 8 Jan 2009 12:02:39 -0500 Subject: [Casper] Self Service Feature REQ In-Reply-To: <4965DA40.7141.0039.0@kckps.org> References: <4965D06B.7141.0039.0@kckps.org> <4965DA40.7141.0039.0@kckps.org> Message-ID: Only you know your environment and workflow, but it would seem to my eye that the process you describe would save work on the front end only to create work on the back end. As I see the options, you can take steps to ensure the software is only deployed to the appropriate users or you can take steps to clean up after any unauthorized or otherwise undesired installs. If you use a password to enable a self-service policy, people may (and by may, I mean will) share the password with individuals for whom no licenses were purchased and you'll get unwanted installs which you will then have to track down and uninstall. If you use groups, only those people logging in with the correct account will get the install. Again, you know your environment better than anyone on the outside, but it appears from my point of view that the groups method will be the easiest in the long run. ---------- Miles A. Leacy IV ? Certified System Administrator 10.4 ? Certified Technical Coordinator 10.5 ? Certified Trainer Certified Casper Administrator ---------- voice: 1-347-277-7321 miles.leacy at themacadmin.com www.themacadmin.com On Thu, Jan 8, 2009 at 11:49 AM, Thomas Larkin wrote: > Those are all good ideas, and ideas I have already thought of. Here in > lies the problem though. There are 5 of us for 6,000 laptops. I am so busy > with other things I don't want to have to deal with doing custom groups for > this and that because once I do this for one group of students pandora's box > will be open. Then every department will want it and i will be doing these > lits all the time. > > I would much rather create a self service install, put a password on it, > give that password to the teacher then make smart groups that list all > machines that have it installed. Then I can track it down that way, and > also have casper uninstall it on machines that don't need it. Lots of > educational software is developed very poorly for enterprise type installs > and is a pain. The licensing is also somewhat ridiculous and not caught up > to schools that do 1:1 deployments. > > To give you an idea I have about 100 laptops in repair at any given time > and 100 spares issued. Sometimes less, sometimes a bit more, it just > depends. I get them back I have to reimage them make sure it was fixed > properly, make sure it can log in, etc etc. > > Basically, I just want to keep it simple and make it as easy as possible. > > Thanks for your guy's tips though. > > >>> "Miles Leacy" 01/08/09 10:36 AM >>> > > Presumably, you have a record of which machine was issued to whom (Ideally, > that info is stored in the JSS). > > > In the case you describe, I would suggest creating a manual group of the > 30 machines intended to receive the software. > > > This doesn't address your stated desire to give a client the ability to > reinstall the app on any machine they use. To do that may take a few steps, > but I think you could get there with relative ease. I am assuming you are > using some variety of LDAP, likely Active Directory or Open Directory. > > > Here's what I'd do: > > 1 Create an LDAP group consisting of the people who should have this > software. > > 2 a Create a script that queries for the logged-in user's groups. If > your "accounting software" group is found, the script issues a custom > trigger for the installation. Run this script with a policy triggered by > login, once per user. > > b If you want to keep the self-service aspect, have the custom trigger > in the script above kick off the installation of an empty package instead of > the accounting software. Use the receipt from that empty package as the > criterion for a smart group to which the self-service policy is scoped. > > > I hope this helps. > > > ---------- > Miles A. Leacy IV > > ? Certified System Administrator 10.4 > ? Certified Technical Coordinator 10.5 > ? Certified Trainer > Certified Casper Administrator > ---------- > voice: 1-347-277-7321 > miles.leacy at themacadmin.com > www.themacadmin.com > > > > > 2009/1/8 Thomas Larkin > > > > > So, >> >> >> It has come to my attention that certain users may need certain software >> and licenses are limited. Instead of me doing bunches of manual data >> entries and finding out all the individual laptops (out of 6,000) and >> creating a smart group out of them, I would like the idea of putting a >> password on a self service install. Then giving that password to that >> class, and so the students in that particular class can install it with >> their password. Then make a smart group of all users that have that >> application installed to track the licenses. I was talking to a teacher who >> wanted to buy 30 copies of some accounting software for a class. I was >> dreading the thought of me having to track down each student, the asset tag >> of their computer, and creating yet another smart group, then I thought if I >> could just put like a password on the self service install, the student >> could install it them self with that password. >> >> >> I know that working in a 1:1 is way different but I have users that may >> switch laptops due to hardware failure and I just want them to be able to >> install it on whatever laptop they are given. In many cases when a laptop >> goes out for repair a spare is issued. >> >> >> Thoughts? >> >> >> ___________________________ >> Thomas Larkin >> TIS Department >> KCKPS USD500 >> tlarki at kckps.org >> blackberry: 913-449-7589 >> office: 913-627-0351 >> >> >> >> >> >> >> _______________________________________________ >> Casper mailing list >> Casper at list.jamfsoftware.com >> http://list.jamfsoftware.com/mailman/listinfo/casper >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://list.jamfsoftware.com/pipermail/casper/attachments/20090108/e0636f2a/attachment.html From jared.nichols at ll.mit.edu Thu Jan 8 09:23:53 2009 From: jared.nichols at ll.mit.edu (Nichols, Jared) Date: Thu, 8 Jan 2009 12:23:53 -0500 Subject: [Casper] Wake On LAN Message-ID: Is there any mechanism that folks know of to do wake on lan in Casper? I can't seem to find anything in the documentation. Or, do folks leave this up to ARD? Thanks! j -- Jared Nichols ISD Infrastructure and Operations - Desktop Engineering MIT Lincoln Laboratory 244 Wood St. Lexington, MA 02420-9108 (781) 981-5500 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://list.jamfsoftware.com/pipermail/casper/attachments/20090108/d014014d/attachment.html From miles.leacy at themacadmin.com Thu Jan 8 09:40:36 2009 From: miles.leacy at themacadmin.com (Miles Leacy) Date: Thu, 8 Jan 2009 12:40:36 -0500 Subject: [Casper] Wake On LAN In-Reply-To: References: Message-ID: I don't recall anything specifically in the Casper tools, however, if you define a maintenance window, you could use a pmset script to ensure computers are on and awake at a certain time. ---------- Miles A. Leacy IV ? Certified System Administrator 10.4 ? Certified Technical Coordinator 10.5 ? Certified Trainer Certified Casper Administrator ---------- voice: 1-347-277-7321 miles.leacy at themacadmin.com www.themacadmin.com 2009/1/8 Nichols, Jared > Is there any mechanism that folks know of to do wake on lan in Casper? I > can't seem to find anything in the documentation. Or, do folks leave this > up to ARD? > > Thanks! > > j > -- > Jared Nichols > ISD Infrastructure and Operations ? Desktop Engineering > MIT Lincoln Laboratory > 244 Wood St. > Lexington, MA 02420-9108 > (781) 981-5500 > > _______________________________________________ > Casper mailing list > Casper at list.jamfsoftware.com > http://list.jamfsoftware.com/mailman/listinfo/casper > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://list.jamfsoftware.com/pipermail/casper/attachments/20090108/cce71fa8/attachment.htm From greg.lopez at wunderman.com Thu Jan 8 12:21:16 2009 From: greg.lopez at wunderman.com (Gregory Lopez) Date: Thu, 08 Jan 2009 12:21:16 -0800 Subject: [Casper] NAV 11 preventing ssh connections in Leopard Message-ID: Greetings. I have a problem where Norton AntiVirus 11 is preventing ssh connections on my Leopard macs (including my own) which in turn is preventing me from using Casper to deploy software updates. I've made sure Remote Login is on and that the Firewall is allowing connections. It's as if port 22 keeps toggling off despite the GUI saying otherwise. Here's the message I get when I try to ssh into one of the macs: XXX-XXXXX:~ xxxxxxxx$ ssh -vvv x.x.x.x OpenSSH_5.1p1, OpenSSL 0.9.7l 28 Sep 2006 debug1: Reading configuration data /etc/ssh_config debug2: ssh_connect: needpriv 0 debug1: Connecting to x.x.x.x http://x.x.x.x port 22. debug1: connect to address x.x.x.x port 22: Connection refused ssh: connect to host x.x.x.x port 22: Connection refused The problem goes away when I uninstall NAV 11. It temporarily goes away when I run Disk Utility and repair disk permissions. I am able to ssh in for about 10-15 minutes before my connection is refused. Here??s a log: Repairing permissions for ??Macintosh HD?? Reading permissions database. Reading the permissions database can take several minutes. User differs on "private/etc/hostconfig", should be 0, user is 99. Group differs on "private/etc/hostconfig", should be 0, group is 99. User differs on "System/Library/LaunchDaemons/ssh.plist", should be 0, user is 99. Group differs on "System/Library/LaunchDaemons/ssh.plist", should be 0, group is 99. Group differs on "private/etc/cups", should be 0, group is 26. Permissions differ on "private/var/spool/cups/cache/rss", should be drwxr-xr-x , they are drwxrwxr-x . Permissions repair complete This problem is consistent from 10.5-10.5.6. Anyone else run into this one? G Lo -- Gregory Lopez Sr. Mac/Network Analyst Wunderman - Seattle -------------- next part -------------- An HTML attachment was scrubbed... URL: http://list.jamfsoftware.com/pipermail/casper/attachments/20090108/16a34bd5/attachment.html From jeremymatthews at mac.com Thu Jan 8 13:04:03 2009 From: jeremymatthews at mac.com (Jeremy Matthews) Date: Thu, 08 Jan 2009 16:04:03 -0500 Subject: [Casper] Self Service Feature REQ In-Reply-To: References: Message-ID: Since this is more or less a desire to limit the scope of an install, is it possible to create a network segment just for that class, and use it as the filter? You could limit DHCP expirations to something like an hour, or immediate (depending on the equipment) - just long enough to grab some software and install. No mucking around with groups and other such nonsense - more or less a giant filter is enabled without you having to know the details. You could patch in a local subnet or VLAN (wired), or setup a WAP and give it a temporary password (put it on the blackboard or something simple) - set the policy in casper to allow self-service for that policy within that network seg. Since this gets into the network side of life...you never know - depends on how nice those guys play. Then, when no longer needed, turn it off. -j From tlarki at kckps.org Thu Jan 8 14:01:29 2009 From: tlarki at kckps.org (Thomas Larkin) Date: Thu, 08 Jan 2009 16:01:29 -0600 Subject: [Casper] Self Service Feature REQ In-Reply-To: References:

Message-ID: <49662359.7141.0039.0@kckps.org> That would work but we run Layer3 VLANs here so the user keeps their first IP they get, which could be on a VLAN on the other side of the network. Like I said, I am special, short bus special, because my users roam around in user space with laptops hahahaha. I wish it was static desktops on set VLANs, life would be a walk in the park, and well boring too. If I had more help it would be easier to get some things done as well, but 6,000 laptops and 6 guys running the show you tend to have to do all sorts of things all day every day. There is not a day that goes by that I don't reimage at least 10 laptops for whatever reason. I probably have casper imaging nightmares by now, but luckily my conscious blocks it. I am just trying to figure out how to deploy educational software, which isn't developed for mass deployment in the first place to roaming users that could be anywhere at any given time on our network. The password thing was the first thing that came to mind. Even the ones I have out now, looking at policy logs, kids don't install a text book if they don't need it. I am not too worried about that, but some things I would want to limit with maybe a password. It was just an idea, and I will try to think of other ways. Since they can be anywhere at any time with their laptop I wanted to do self service since they could do it from anywhere in our network that way. >>> Jeremy Matthews 01/08/09 3:04 PM >>> Since this is more or less a desire to limit the scope of an install, is it possible to create a network segment just for that class, and use it as the filter? You could limit DHCP expirations to something like an hour, or immediate (depending on the equipment) - just long enough to grab some software and install. No mucking around with groups and other such nonsense - more or less a giant filter is enabled without you having to know the details. You could patch in a local subnet or VLAN (wired), or setup a WAP and give it a temporary password (put it on the blackboard or something simple) - set the policy in casper to allow self-service for that policy within that network seg. Since this gets into the network side of life...you never know - depends on how nice those guys play. Then, when no longer needed, turn it off. -j -------------- next part -------------- An HTML attachment was scrubbed... URL: http://list.jamfsoftware.com/pipermail/casper/attachments/20090108/96130484/attachment.htm From jared.nichols at ll.mit.edu Thu Jan 8 17:11:30 2009 From: jared.nichols at ll.mit.edu (Nichols, Jared) Date: Thu, 8 Jan 2009 20:11:30 -0500 Subject: [Casper] NAV 11 preventing ssh connections in Leopard In-Reply-To: Message-ID: With NAV functioning ??properly?? can you do a sudo ipfw list and post the results? Thanks j On 1/8/09 15:21 , "Gregory Lopez" wrote: Greetings. I have a problem where Norton AntiVirus 11 is preventing ssh connections on my Leopard macs (including my own) which in turn is preventing me from using Casper to deploy software updates. I've made sure Remote Login is on and that the Firewall is allowing connections. It's as if port 22 keeps toggling off despite the GUI saying otherwise. Here's the message I get when I try to ssh into one of the macs: XXX-XXXXX:~ xxxxxxxx$ ssh -vvv x.x.x.x OpenSSH_5.1p1, OpenSSL 0.9.7l 28 Sep 2006 debug1: Reading configuration data /etc/ssh_config debug2: ssh_connect: needpriv 0 debug1: Connecting to x.x.x.x http://x.x.x.x port 22. debug1: connect to address x.x.x.x port 22: Connection refused ssh: connect to host x.x.x.x port 22: Connection refused The problem goes away when I uninstall NAV 11. It temporarily goes away when I run Disk Utility and repair disk permissions. I am able to ssh in for about 10-15 minutes before my connection is refused. Here??s a log: Repairing permissions for ??Macintosh HD?? Reading permissions database. Reading the permissions database can take several minutes. User differs on "private/etc/hostconfig", should be 0, user is 99. Group differs on "private/etc/hostconfig", should be 0, group is 99. User differs on "System/Library/LaunchDaemons/ssh.plist", should be 0, user is 99. Group differs on "System/Library/LaunchDaemons/ssh.plist", should be 0, group is 99. Group differs on "private/etc/cups", should be 0, group is 26. Permissions differ on "private/var/spool/cups/cache/rss", should be drwxr-xr-x , they are drwxrwxr-x . Permissions repair complete This problem is consistent from 10.5-10.5.6. Anyone else run into this one? G Lo -- Gregory Lopez Sr. Mac/Network Analyst Wunderman - Seattle -- Jared Nichols ISD Infrastructure and Operations - Desktop Engineering MIT Lincoln Laboratory 244 Wood St. Lexington, MA 02420-9108 (781) 981-5500 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://list.jamfsoftware.com/pipermail/casper/attachments/20090108/69ab43d5/attachment.html From jared.nichols at ll.mit.edu Thu Jan 8 17:15:35 2009 From: jared.nichols at ll.mit.edu (Nichols, Jared) Date: Thu, 8 Jan 2009 20:15:35 -0500 Subject: [Casper] Self Service Feature REQ In-Reply-To: <49662359.7141.0039.0@kckps.org> Message-ID: It almost sounds like you have a need for a keyserver. Are there other pieces of software that could benefit from keying? I've played around with K2 and it seemed to work well, independently of whether or not the software was key aware. j On 1/8/09 17:01 , "Thomas Larkin" wrote: That would work but we run Layer3 VLANs here so the user keeps their first IP they get, which could be on a VLAN on the other side of the network. Like I said, I am special, short bus special, because my users roam around in user space with laptops hahahaha. I wish it was static desktops on set VLANs, life would be a walk in the park, and well boring too. If I had more help it would be easier to get some things done as well, but 6,000 laptops and 6 guys running the show you tend to have to do all sorts of things all day every day. There is not a day that goes by that I don't reimage at least 10 laptops for whatever reason. I probably have casper imaging nightmares by now, but luckily my conscious blocks it. I am just trying to figure out how to deploy educational software, which isn't developed for mass deployment in the first place to roaming users that could be anywhere at any given time on our network. The password thing was the first thing that came to mind. Even the ones I have out now, looking at policy logs, kids don't install a text book if they don't need it. I am not too worried about that, but some things I would want to limit with maybe a password. It was just an idea, and I will try to think of other ways. Since they can be anywhere at any time with their laptop I wanted to do self service since they could do it from anywhere in our network that way. >>> Jeremy Matthews 01/08/09 3:04 PM >>> Since this is more or less a desire to limit the scope of an install, is it possible to create a network segment just for that class, and use it as the filter? You could limit DHCP expirations to something like an hour, or immediate (depending on the equipment) - just long enough to grab some software and install. No mucking around with groups and other such nonsense - more or less a giant filter is enabled without you having to know the details. You could patch in a local subnet or VLAN (wired), or setup a WAP and give it a temporary password (put it on the blackboard or something simple) - set the policy in casper to allow self-service for that policy within that network seg. Since this gets into the network side of life...you never know - depends on how nice those guys play. Then, when no longer needed, turn it off. -j -- Jared Nichols ISD Infrastructure and Operations - Desktop Engineering MIT Lincoln Laboratory 244 Wood St. Lexington, MA 02420-9108 (781) 981-5500 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://list.jamfsoftware.com/pipermail/casper/attachments/20090108/79ca843b/attachment.htm From daniel.farnworth at thecreativepartnership.co.uk Fri Jan 9 04:19:00 2009 From: daniel.farnworth at thecreativepartnership.co.uk (Daniel Farnworth) Date: Fri, 9 Jan 2009 12:19:00 +0000 Subject: [Casper] Upgrading from Tiger to Leopard In-Reply-To: References: Message-ID: <353C2EA2-A3AE-4853-A20F-864B9B2D76E8@thecreativepartnership.co.uk> Just chiming in with my 2 pence worth, we approach this in a slightly different way for a number of reasons. I'm not sure about other applications, but we discovered that Avid applications do not like symlinks when it comes to /Users which they still rather irritatingly use to store various things (mostly in / Users/Shared) What we do instead is have a separate Homes or Data partition and then use fstab to mount this directly to /Users, this gives us the best of both worlds, user data on a separate volume and no symlinks involved. It also this works a treat for the Avid apps as they just see that the /Users directory is in the correct place. I have a pre- install script that we use to do this for us if anyone is interested. Cheers Dan On 7 Jan 2009, at 22:02, Miles Leacy wrote: > This is very similar to my client setups. > > I give Macintosh HD 20GB on 80GB drives, 40GB on all others. > > I strongly recommend using a Restore partition unless you have a > robust network and a netboot server. Even if you do use netboot on > site, having a restore partition can get you out of a jam with a > mobile user on the road. > > ---------- > Miles A. Leacy IV > > Certified System Administrator 10.4 > Certified Technical Coordinator 10.5 > Certified Trainer > Certified Casper Administrator > ---------- > voice: 1-347-277-7321 > miles.leacy at themacadmin.com > www.themacadmin.com > > > > > 2009/1/7 Bryan Vines > David, > > We began exploring the idea of having the user data on a separate > partition for the same reason -- future OS upgrades will hopefully > be less painful. We have been using a three-partition scheme: > Restore, Macintosh HD, and Data. > > Our partition sizes are: > Restore: 15GB > Macintosh HD: 30GB or so > Data: The rest of the drive. > > We've found we need at least an 80GB drive to allow the users about > 30GB of space. We deployed a few Tiger machines with this > partitioning scheme, but then we went ahead and switched to > deploying Leopard (mostly because of laptops which would only run > Leopard). > > User homes go on Data, so if the main boot partition ends up hosed, > we can restore it from our standard configuration and get the user > up and running again with a minimum of fuss. > > We're now moving our older installed base to Leopard. We have to go > touch each machine, either to repartition its hard drive or install > a larger one. We're hoping we won't have to do that when Snow > Leopard rolls around. > > -- > Bryan Vines > bkvines at wgclawfirm.com > > >> From: David Lundgren >> Subject: [Casper] Upgrading from Tiger to Leopard >> >> >> I was wondering how you all have done migrations from Tiger to >> Leopard. >> >> We have an Active Directory setup where the users home directories >> are local >> to the machine (our faculty often have 10GB+ of data, and some have >> laptops). >> >> We were contemplating doing separate user and OS partitions at the >> same time >> to make any future OS upgrades less painful, without having to >> worry about >> user data. >> >> Thanks, >> >> David Lundgren >> IT Systems Administrator > > > _______________________________________________ > Casper mailing list > Casper at list.jamfsoftware.com > http://list.jamfsoftware.com/mailman/listinfo/casper > > > _______________________________________________ > Casper mailing list > Casper at list.jamfsoftware.com > http://list.jamfsoftware.com/mailman/listinfo/casper -- Daniel Farnworth IT Manager The Creative Partnership daniel.farnworth at thecreativepartnership.co.uk http://www.thecreativepartnership.co.uk Tel: +44 (0)20 7439 7762 Fax: +44 (0)20 7437 1467 PGP Public Key available The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorised to receive it. It may contain confidential or legally privileged information. If you are not the intended recipient you are hereby notified that any disclosure, copying, distribution or taking any action in reliance on the contents of this information is strictly prohibited and may be unlawful. If you have received this communication in error, please notify postmaster at thecreativepartnership.co.uk immediately and then delete this email from your system. Any views or opinions presented in this email are solely those of the author and do not necessarily represent those of The Creative Partnership. The Creative Partnership has taken every reasonable precaution to ensure that any attachment to this e-mail has been swept for viruses. However, The Creative Partnership cannot accept liability for any damage sustained as a result of software viruses and would advise that you carry out your own virus checks before opening any attachment. From miles.leacy at themacadmin.com Fri Jan 9 04:39:14 2009 From: miles.leacy at themacadmin.com (Miles Leacy) Date: Fri, 9 Jan 2009 07:39:14 -0500 Subject: [Casper] Upgrading from Tiger to Leopard In-Reply-To: <353C2EA2-A3AE-4853-A20F-864B9B2D76E8@thecreativepartnership.co.uk> References: <353C2EA2-A3AE-4853-A20F-864B9B2D76E8@thecreativepartnership.co.uk> Message-ID: Wow. That's really a great idea. I may have to change my procedure. Can you share more details? Is this a launchd item, a policy, etc? ---------- Miles A. Leacy IV ? Certified System Administrator 10.4 ? Certified Technical Coordinator 10.5 ? Certified Trainer Certified Casper Administrator ---------- voice: 1-347-277-7321 miles.leacy at themacadmin.com www.themacadmin.com 2009/1/9 Daniel Farnworth > Just chiming in with my 2 pence worth, we approach this in a slightly > different way for a number of reasons. > > I'm not sure about other applications, but we discovered that Avid > applications do not like symlinks when it comes to /Users which they > still rather irritatingly use to store various things (mostly in / > Users/Shared) > > What we do instead is have a separate Homes or Data partition and > then use fstab to mount this directly to /Users, this gives us the > best of both worlds, user data on a separate volume and no symlinks > involved. It also this works a treat for the Avid apps as they just > see that the /Users directory is in the correct place. I have a pre- > install script that we use to do this for us if anyone is interested. > > Cheers > Dan > > On 7 Jan 2009, at 22:02, Miles Leacy wrote: > > > This is very similar to my client setups. > > > > I give Macintosh HD 20GB on 80GB drives, 40GB on all others. > > > > I strongly recommend using a Restore partition unless you have a > > robust network and a netboot server. Even if you do use netboot on > > site, having a restore partition can get you out of a jam with a > > mobile user on the road. > > > > ---------- > > Miles A. Leacy IV > > > > Certified System Administrator 10.4 > > Certified Technical Coordinator 10.5 > > Certified Trainer > > Certified Casper Administrator > > ---------- > > voice: 1-347-277-7321 > > miles.leacy at themacadmin.com > > www.themacadmin.com > > > > > > > > > > 2009/1/7 Bryan Vines > > David, > > > > We began exploring the idea of having the user data on a separate > > partition for the same reason -- future OS upgrades will hopefully > > be less painful. We have been using a three-partition scheme: > > Restore, Macintosh HD, and Data. > > > > Our partition sizes are: > > Restore: 15GB > > Macintosh HD: 30GB or so > > Data: The rest of the drive. > > > > We've found we need at least an 80GB drive to allow the users about > > 30GB of space. We deployed a few Tiger machines with this > > partitioning scheme, but then we went ahead and switched to > > deploying Leopard (mostly because of laptops which would only run > > Leopard). > > > > User homes go on Data, so if the main boot partition ends up hosed, > > we can restore it from our standard configuration and get the user > > up and running again with a minimum of fuss. > > > > We're now moving our older installed base to Leopard. We have to go > > touch each machine, either to repartition its hard drive or install > > a larger one. We're hoping we won't have to do that when Snow > > Leopard rolls around. > > > > -- > > Bryan Vines > > bkvines at wgclawfirm.com > > > > > >> From: David Lundgren > >> Subject: [Casper] Upgrading from Tiger to Leopard > >> > >> > >> I was wondering how you all have done migrations from Tiger to > >> Leopard. > >> > >> We have an Active Directory setup where the users home directories > >> are local > >> to the machine (our faculty often have 10GB+ of data, and some have > >> laptops). > >> > >> We were contemplating doing separate user and OS partitions at the > >> same time > >> to make any future OS upgrades less painful, without having to > >> worry about > >> user data. > >> > >> Thanks, > >> > >> David Lundgren > >> IT Systems Administrator > > > > > > _______________________________________________ > > Casper mailing list > > Casper at list.jamfsoftware.com > > http://list.jamfsoftware.com/mailman/listinfo/casper > > > > > > _______________________________________________ > > Casper mailing list > > Casper at list.jamfsoftware.com > > http://list.jamfsoftware.com/mailman/listinfo/casper > > -- > Daniel Farnworth > IT Manager > The Creative Partnership > daniel.farnworth at thecreativepartnership.co.uk > > http://www.thecreativepartnership.co.uk > Tel: +44 (0)20 7439 7762 > Fax: +44 (0)20 7437 1467 > > PGP Public Key available > > > > > > > The information contained in this communication is intended solely for the > use of the individual or entity to whom it is addressed and others > authorised to receive it. It may contain confidential or legally privileged > information. If you are not the intended recipient you are hereby notified > that any disclosure, copying, distribution or taking any action in reliance > on the contents of this information is strictly prohibited and may be > unlawful. If you have received this communication in error, please notify > postmaster at thecreativepartnership.co.uk immediately and then delete this > email from your system. Any views or opinions presented in this email are > solely those of the author and do not necessarily represent those of The > Creative Partnership. The Creative Partnership has taken every reasonable > precaution to ensure that any attachment to this e-mail has been swept for > viruses. However, The Creative Partnership cannot accept liability for any > damage sustained as a result of software viruses and would advise that you > carry out your own virus checks before opening any attachment. > > > _______________________________________________ > Casper mailing list > Casper at list.jamfsoftware.com > http://list.jamfsoftware.com/mailman/listinfo/casper > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://list.jamfsoftware.com/pipermail/casper/attachments/20090109/108f4461/attachment.html From damien at mac.com Fri Jan 9 04:44:08 2009 From: damien at mac.com (Damien Weiss) Date: Fri, 9 Jan 2009 07:44:08 -0500 Subject: [Casper] Upgrading from Tiger to Leopard In-Reply-To: <353C2EA2-A3AE-4853-A20F-864B9B2D76E8@thecreativepartnership.co.uk> References: <353C2EA2-A3AE-4853-A20F-864B9B2D76E8@thecreativepartnership.co.uk> Message-ID: <6AC8A1F5-80F0-4928-9778-0F7012EABFDB@mac.com> YES!!!!! PLEASE!!!! Send that script on. That's something that I would implement almost immediately. Thanks! Damien On Jan 9, 2009, at 7:19 AM, Daniel Farnworth wrote: > I have a pre- > install script that we use to do this for us if anyone is interested. > > Cheers > Dan From daniel.farnworth at thecreativepartnership.co.uk Fri Jan 9 05:15:25 2009 From: daniel.farnworth at thecreativepartnership.co.uk (Daniel Farnworth) Date: Fri, 9 Jan 2009 13:15:25 +0000 Subject: [Casper] Upgrading from Tiger to Leopard In-Reply-To: <6AC8A1F5-80F0-4928-9778-0F7012EABFDB@mac.com> References: <353C2EA2-A3AE-4853-A20F-864B9B2D76E8@thecreativepartnership.co.uk> <6AC8A1F5-80F0-4928-9778-0F7012EABFDB@mac.com> Message-ID: <5C92A9E0-6021-4E3D-B75C-94999CE11483@thecreativepartnership.co.uk> He he, thought that'd be popular. The script is fairly poorly written (I'm not a Bash wiz) so any improvements are welcome (please let me have any so I can improve mine). We run it as a 'before' script during our imaging process and it takes a look at the internal disks, tries to figure out which is the system disk or otherwise the disk in the first bay (Mac Pros only I think) and then partitions it up into various volumes that we want. Our post-flight script then takes the names of these and builds an fstab file which it writes down to /etc. It also moves our admin user's ('lwsadmin' in the script) home directory to /var/homes. We figured this may be wise just in case the data partition goes dead for any reason. Our OS image is pre-confd with lwsadmin's home pointing at the correct location, so you may want to excise this section and rely on using root to login in bad circumstances. Oh, the post script also 'hides' some of the partitions (Restore, Freespace etc) so they don't show on the desktop, check the resulting fstab to see how this is done. Be careful using this, it is destructive. Usual disclaimers apply =) ### Pre-install Partition Script #!/bin/bash -v exec 2>&1 function rawdisksize { FLOAT=$1 INT1=${FLOAT/.*} #if $(( INT1 % 10 )) then while (( INT1 % 10 )) do let INT1++ done #fi echo "$INT1" } function partitionsizes { case $RAW_SIZE in 30) INTHD_SIZE=15 HOMES_SIZE=10 SCRATCH_SIZE=3 RESTORE_SIZE=0 ;; 40) INTHD_SIZE=20 HOMES_SIZE=10 SCRATCH_SIZE=5 RESTORE_SIZE=0 ;; 60) INTHD_SIZE=30 HOMES_SIZE=10 SCRATCH_SIZE=10 RESTORE_SIZE=5 ;; 80) INTHD_SIZE=40 HOMES_SIZE=10 SCRATCH_SIZE=10 RESTORE_SIZE=10 ;; 120) INTHD_SIZE=60 HOMES_SIZE=20 SCRATCH_SIZE=10 RESTORE_SIZE=20 ;; 160) INTHD_SIZE=80 HOMES_SIZE=25 SCRATCH_SIZE=10 RESTORE_SIZE=25 ;; 240) INTHD_SIZE=160 HOMES_SIZE=25 SCRATCH_SIZE=10 RESTORE_SIZE=25 ;; *) INTHD_SIZE=$(( ($RAW_SIZE / 100) * 66 )) HOMES_SIZE=$(( ($RAW_SIZE / 100) * 11 )) SCRATCH_SIZE=$(( ($RAW_SIZE / 100) * 11 )) RESTORE_SIZE=$(( ($RAW_SIZE / 100) * 11 )) ;; esac } # Define a function to define whether this is a 'Bay Capable' machine #function bayedmachine { # This needs to be written fairly soon #} if [ ! -e /Volumes/CP-IntHD-01/.cp-partition-done ]; then echo ${1} TARGETDISK=`diskutil info ${1} | grep "Device Identifier:" | awk '{ print $3 }' | cut -c 1-5` echo ${TARGETDISK} # now to partition the disk # if [ ! -z $TARGETDISK ] then TOTAL_SIZE=`diskutil info $TARGETDISK | grep "Total Size" | awk '{ print $3 }'` RAW_SIZE=$(rawdisksize $TOTAL_SIZE) partitionsizes echo "Total size of $TARGETDISK: $TOTAL_SIZE GB" echo "Raw size of $TARGETDISK: $RAW_SIZE GB" echo "CP-IntHD-01 Size: $INTHD_SIZE GB" echo "CP-Homes-01 Size: $HOMES_SIZE GB" echo "CP-Scratch-NOT-BackedUp Size: $SCRATCH_SIZE GB" echo "Restore Size: $RESTORE_SIZE GB" # Check processor type so we partition in the right format sysinfo=`system_profiler` countPPC=`echo ${sysinfo} | grep -c PowerPC` countIntel=`echo ${sysinfo} | grep -c Intel` if [ ${countPPC} -ge 1 -a ${countIntel} -eq 0 ]; then echo "Got a PPC in here" partition_scheme_type="APMFormat" elif [ ${countIntel} -ge 1 -a ${countPPC} -eq 0 ]; then echo "Intel Inside" partition_scheme_type="GPTFormat" else echo "Can't work out what kinda proc, it either ain't got one or could be a Cray?" exit 1 fi # Set the partition going if [ $RESTORE_SIZE -gt 0 ]; then diskutil partitionDisk $TARGETDISK 4 $partition_scheme_type \ "Journaled HFS+" CP-IntHD-01 "$INTHD_SIZE"G \ "Journaled HFS+" CP-Homes-01 "$HOMES_SIZE"G \ "Journaled HFS+" CP-Scratch-NOT-BackedUp "$SCRATCH_SIZE"G \ "Journaled HFS+" Restore "$RESTORE_SIZE"G else diskutil partitionDisk $TARGETDISK 3 $partition_scheme_type \ "Journaled HFS+" CP-IntHD-01 "$INTHD_SIZE"G \ "Journaled HFS+" CP-Homes-01 "$HOMES_SIZE"G \ "Journaled HFS+" CP-Scratch-NOT-BackedUp "$SCRATCH_SIZE"G fi chown root:admin /Volumes/CP-Homes-01 chown root:admin /Volumes/CP-Scratch-NOT-BackedUp chown root:admin /Volumes/Restore chown root:admin /Volumes/Free-Space chmod g+w /Volumes/CP-Homes-01 chmod g+w /Volumes/CP-Scratch-NOT-BackedUp chmod g+w /Volumes/Restore chmod g+w /Volumes/Free-Space touch /Volumes/CP-IntHD-01/.cp-partition-done else echo "Problem acquiring target disk, exiting"; exit 1 fi else echo "The partition scheme has already been created. Exiting" exit 0 fi exit 0 ### Post Install Script #!/bin/bash -v # Redirect STDERR to STDOUT exec 2>&1 VOLSDIR="/Volumes/" ROOTVOL="CP-IntHD-01" HOMESVOL="CP-Homes-01" ROOTPATH="${VOLSDIR}${ROOTVOL}" HOMESPATH="${VOLSDIR}${HOMESVOL}" if [ -e "${1}/.cp-partition-done" ]; then # Ditto the contents of $ROOTPART/Users/Shared to their new location ditto -v "${1}/Users/Shared" "${HOMESPATH}/Shared" if (( ! $? )); then # Remove the old copy of $ROOTPART/Users/Shared echo "Done dittoing..." rm -vR "${1}/Users/Shared" || { echo "rm /Users/Shared failed" ; } rm -v "${1}/Users/.DS_Store" || { echo "rm /Users/.DS_Store failed" ; } rm -v "${1}/Users/.localized" || { echo "rm /Users/.localized failed" ; } if [ -e "${1}/var/homes/lwsadmin" ]; then rm -vR "${1}/Users/lwsadmin" || { echo "rm /Users/lwsadmin failed" ; } fi DEVID=`diskutil list | grep $HOMESVOL | awk '{print $6}'` UUID=`diskutil info $DEVID | grep UUID | /usr/bin/awk {'print $2'}` echo "# Remap the $HOMESPATH to /Users" >> $1/etc/fstab || { echo "'fstab' Stage 1 failed: $HOMESPATH" ; exit 1 ; } echo -e "UUID=${UUID}\t/Users\thfs\trw,nobrowse\t1\t1\n" >> $1/etc/ fstab || { echo "'fstab' Stage 2 failed: $HOMESPATH" ; exit 1 ; } HIDDEN_VOLS=(Restore Free-Space) for volume in "${HIDDEN_VOLS[@]}"; do DEVID=`diskutil list | grep $volume | awk '{print $6}'` UUID=`diskutil info $DEVID | grep UUID | /usr/bin/awk {'print $2'}` echo "# Set the volume $volume to not mount at startup" >> $1/etc/ fstab || { echo "'fstab' Stage 3 ($volume) failed: $volume" ; exit 1 ; } echo -e "UUID=${UUID}\tnone\thfs\trw,noauto\t1\t1\n" >> $1/etc/ fstab || { echo "'fstab' Stage 4 ($volume) failed: $UUID" ; exit 1 ; } done fi touch "${1}/.cp-user-migration-done" || { echo "Task completion file could not be created" ; exit 1 ; } exit 0 else # Log the error echo "Could not find partition completion file. It would be wise not to continue" # Exit with above 0 status exit 1 fi On 9 Jan 2009, at 12:44, Damien Weiss wrote: > > YES!!!!! PLEASE!!!! Send that script on. That's something that I > would implement almost immediately. > > Thanks! > Damien > > On Jan 9, 2009, at 7:19 AM, Daniel Farnworth wrote: > >> I have a pre- >> install script that we use to do this for us if anyone is interested. >> >> Cheers >> Dan > -- Daniel Farnworth IT Manager The Creative Partnership daniel.farnworth at thecreativepartnership.co.uk http://www.thecreativepartnership.co.uk Tel: +44 (0)20 7439 7762 Fax: +44 (0)20 7437 1467 PGP Public Key available The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorised to receive it. It may contain confidential or legally privileged information. If you are not the intended recipient you are hereby notified that any disclosure, copying, distribution or taking any action in reliance on the contents of this information is strictly prohibited and may be unlawful. If you have received this communication in error, please notify postmaster at thecreativepartnership.co.uk immediately and then delete this email from your system. Any views or opinions presented in this email are solely those of the author and do not necessarily represent those of The Creative Partnership. The Creative Partnership has taken every reasonable precaution to ensure that any attachment to this e-mail has been swept for viruses. However, The Creative Partnership cannot accept liability for any damage sustained as a result of software viruses and would advise that you carry out your own virus checks before opening any attachment. From tlarki at kckps.org Fri Jan 9 07:46:30 2009 From: tlarki at kckps.org (Thomas Larkin) Date: Fri, 09 Jan 2009 09:46:30 -0600 Subject: [Casper] Upgrading from Tiger to Leopard In-Reply-To: <5C92A9E0-6021-4E3D-B75C-94999CE11483@thecreativepartnership.co.uk> References: <353C2EA2-A3AE-4853-A20F-864B9B2D76E8@thecreativepartnership.co.uk> <6AC8A1F5-80F0-4928-9778-0F7012EABFDB@mac.com> <5C92A9E0-6021-4E3D-B75C-94999CE11483@thecreativepartnership.co.uk> Message-ID: <49671CF6.7141.0039.0@kckps.org> When we did our massive dual boot image over this last summer I was looking at the /etc/fstab file to hide the windows partition from the OS X side. I had so many problems getting fstab to work. It would not work for me if I used volume name or the device mount point, ie /dev/disk1s3/. It would work if I used UUID, but if you mass duplicate that UUID to tons of machines I found that it wouldn't work. What has been your experience using /etc/fstab in 10.5? ___________________________ Thomas Larkin TIS Department KCKPS USD500 tlarki at kckps.org blackberry: 913-449-7589 office: 913-627-0351 >>> Daniel Farnworth 01/09/09 7:15 AM >>> He he, thought that'd be popular. The script is fairly poorly written (I'm not a Bash wiz) so any improvements are welcome (please let me have any so I can improve mine). We run it as a 'before' script during our imaging process and it takes a look at the internal disks, tries to figure out which is the system disk or otherwise the disk in the first bay (Mac Pros only I think) and then partitions it up into various volumes that we want. Our post-flight script then takes the names of these and builds an fstab file which it writes down to /etc. It also moves our admin user's ('lwsadmin' in the script) home directory to /var/homes. We figured this may be wise just in case the data partition goes dead for any reason. Our OS image is pre-confd with lwsadmin's home pointing at the correct location, so you may want to excise this section and rely on using root to login in bad circumstances. Oh, the post script also 'hides' some of the partitions (Restore, Freespace etc) so they don't show on the desktop, check the resulting fstab to see how this is done. Be careful using this, it is destructive. Usual disclaimers apply =) ### Pre-install Partition Script #!/bin/bash -v exec 2>&1 function rawdisksize { FLOAT=$1 INT1=${FLOAT/.*} #if $(( INT1 % 10 )) then while (( INT1 % 10 )) do let INT1++ done #fi echo "$INT1" } function partitionsizes { case $RAW_SIZE in 30) INTHD_SIZE=15 HOMES_SIZE=10 SCRATCH_SIZE=3 RESTORE_SIZE=0 ;; 40) INTHD_SIZE=20 HOMES_SIZE=10 SCRATCH_SIZE=5 RESTORE_SIZE=0 ;; 60) INTHD_SIZE=30 HOMES_SIZE=10 SCRATCH_SIZE=10 RESTORE_SIZE=5 ;; 80) INTHD_SIZE=40 HOMES_SIZE=10 SCRATCH_SIZE=10 RESTORE_SIZE=10 ;; 120) INTHD_SIZE=60 HOMES_SIZE=20 SCRATCH_SIZE=10 RESTORE_SIZE=20 ;; 160) INTHD_SIZE=80 HOMES_SIZE=25 SCRATCH_SIZE=10 RESTORE_SIZE=25 ;; 240) INTHD_SIZE=160 HOMES_SIZE=25 SCRATCH_SIZE=10 RESTORE_SIZE=25 ;; *) INTHD_SIZE=$(( ($RAW_SIZE / 100) * 66 )) HOMES_SIZE=$(( ($RAW_SIZE / 100) * 11 )) SCRATCH_SIZE=$(( ($RAW_SIZE / 100) * 11 )) RESTORE_SIZE=$(( ($RAW_SIZE / 100) * 11 )) ;; esac } # Define a function to define whether this is a 'Bay Capable' machine #function bayedmachine { # This needs to be written fairly soon #} if [ ! -e /Volumes/CP-IntHD-01/.cp-partition-done ]; then echo ${1} TARGETDISK=`diskutil info ${1} | grep "Device Identifier:" | awk '{ print $3 }' | cut -c 1-5` echo ${TARGETDISK} # now to partition the disk # if [ ! -z $TARGETDISK ] then TOTAL_SIZE=`diskutil info $TARGETDISK | grep "Total Size" | awk '{ print $3 }'` RAW_SIZE=$(rawdisksize $TOTAL_SIZE) partitionsizes echo "Total size of $TARGETDISK: $TOTAL_SIZE GB" echo "Raw size of $TARGETDISK: $RAW_SIZE GB" echo "CP-IntHD-01 Size: $INTHD_SIZE GB" echo "CP-Homes-01 Size: $HOMES_SIZE GB" echo "CP-Scratch-NOT-BackedUp Size: $SCRATCH_SIZE GB" echo "Restore Size: $RESTORE_SIZE GB" # Check processor type so we partition in the right format sysinfo=`system_profiler` countPPC=`echo ${sysinfo} | grep -c PowerPC` countIntel=`echo ${sysinfo} | grep -c Intel` if [ ${countPPC} -ge 1 -a ${countIntel} -eq 0 ]; then echo "Got a PPC in here" partition_scheme_type="APMFormat" elif [ ${countIntel} -ge 1 -a ${countPPC} -eq 0 ]; then echo "Intel Inside" partition_scheme_type="GPTFormat" else echo "Can't work out what kinda proc, it either ain't got one or could be a Cray?" exit 1 fi # Set the partition going if [ $RESTORE_SIZE -gt 0 ]; then diskutil partitionDisk $TARGETDISK 4 $partition_scheme_type \ "Journaled HFS+" CP-IntHD-01 "$INTHD_SIZE"G \ "Journaled HFS+" CP-Homes-01 "$HOMES_SIZE"G \ "Journaled HFS+" CP-Scratch-NOT-BackedUp "$SCRATCH_SIZE"G \ "Journaled HFS+" Restore "$RESTORE_SIZE"G else diskutil partitionDisk $TARGETDISK 3 $partition_scheme_type \ "Journaled HFS+" CP-IntHD-01 "$INTHD_SIZE"G \ "Journaled HFS+" CP-Homes-01 "$HOMES_SIZE"G \ "Journaled HFS+" CP-Scratch-NOT-BackedUp "$SCRATCH_SIZE"G fi chown root:admin /Volumes/CP-Homes-01 chown root:admin /Volumes/CP-Scratch-NOT-BackedUp chown root:admin /Volumes/Restore chown root:admin /Volumes/Free-Space chmod g+w /Volumes/CP-Homes-01 chmod g+w /Volumes/CP-Scratch-NOT-BackedUp chmod g+w /Volumes/Restore chmod g+w /Volumes/Free-Space touch /Volumes/CP-IntHD-01/.cp-partition-done else echo "Problem acquiring target disk, exiting"; exit 1 fi else echo "The partition scheme has already been created. Exiting" exit 0 fi exit 0 ### Post Install Script #!/bin/bash -v # Redirect STDERR to STDOUT exec 2>&1 VOLSDIR="/Volumes/" ROOTVOL="CP-IntHD-01" HOMESVOL="CP-Homes-01" ROOTPATH="${VOLSDIR}${ROOTVOL}" HOMESPATH="${VOLSDIR}${HOMESVOL}" if [ -e "${1}/.cp-partition-done" ]; then # Ditto the contents of $ROOTPART/Users/Shared to their new location ditto -v "${1}/Users/Shared" "${HOMESPATH}/Shared" if (( ! $? )); then # Remove the old copy of $ROOTPART/Users/Shared echo "Done dittoing..." rm -vR "${1}/Users/Shared" || { echo "rm /Users/Shared failed" ; } rm -v "${1}/Users/.DS_Store" || { echo "rm /Users/.DS_Store failed" ; } rm -v "${1}/Users/.localized" || { echo "rm /Users/.localized failed" ; } if [ -e "${1}/var/homes/lwsadmin" ]; then rm -vR "${1}/Users/lwsadmin" || { echo "rm /Users/lwsadmin failed" ; } fi DEVID=`diskutil list | grep $HOMESVOL | awk '{print $6}'` UUID=`diskutil info $DEVID | grep UUID | /usr/bin/awk {'print $2'}` echo "# Remap the $HOMESPATH to /Users" >> $1/etc/fstab || { echo "'fstab' Stage 1 failed: $HOMESPATH" ; exit 1 ; } echo -e "UUID=${UUID}\t/Users\thfs\trw,nobrowse\t1\t1\n" >> $1/etc/ fstab || { echo "'fstab' Stage 2 failed: $HOMESPATH" ; exit 1 ; } HIDDEN_VOLS=(Restore Free-Space) for volume in "${HIDDEN_VOLS[@]}"; do DEVID=`diskutil list | grep $volume | awk '{print $6}'` UUID=`diskutil info $DEVID | grep UUID | /usr/bin/awk {'print $2'}` echo "# Set the volume $volume to not mount at startup" >> $1/etc/ fstab || { echo "'fstab' Stage 3 ($volume) failed: $volume" ; exit 1 ; } echo -e "UUID=${UUID}\tnone\thfs\trw,noauto\t1\t1\n" >> $1/etc/ fstab || { echo "'fstab' Stage 4 ($volume) failed: $UUID" ; exit 1 ; } done fi touch "${1}/.cp-user-migration-done" || { echo "Task completion file could not be created" ; exit 1 ; } exit 0 else # Log the error echo "Could not find partition completion file. It would be wise not to continue" # Exit with above 0 status exit 1 fi On 9 Jan 2009, at 12:44, Damien Weiss wrote: > > YES!!!!! PLEASE!!!! Send that script on. That's something that I > would implement almost immediately. > > Thanks! > Damien > > On Jan 9, 2009, at 7:19 AM, Daniel Farnworth wrote: > >> I have a pre- >> install script that we use to do this for us if anyone is interested. >> >> Cheers >> Dan > -- Daniel Farnworth IT Manager The Creative Partnership daniel.farnworth at thecreativepartnership.co.uk http://www.thecreativepartnership.co.uk Tel: +44 (0)20 7439 7762 Fax: +44 (0)20 7437 1467 PGP Public Key available The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorised to receive it. It may contain confidential or legally privileged information. If you are not the intended recipient you are hereby notified that any disclosure, copying, distribution or taking any action in reliance on the contents of this information is strictly prohibited and may be unlawful. If you have received this communication in error, please notify postmaster at thecreativepartnership.co.uk immediately and then delete this email from your system. Any views or opinions presented in this email are solely those of the author and do not necessarily represent those of The Creative Partnership. The Creative Partnership has taken every reasonable precaution to ensure that any attachment to this e-mail has been swept for viruses. However, The Creative Partnership cannot accept liability for any damage sustained as a result of s oftware viruses and would advise that you carry out your own virus checks before opening any attachment. _______________________________________________ Casper mailing list Casper at list.jamfsoftware.com http://list.jamfsoftware.com/mailman/listinfo/casper -------------- next part -------------- An HTML attachment was scrubbed... URL: http://list.jamfsoftware.com/pipermail/casper/attachments/20090109/aa086b3e/attachment.htm From miles.leacy at themacadmin.com Fri Jan 9 08:19:06 2009 From: miles.leacy at themacadmin.com (Miles Leacy) Date: Fri, 9 Jan 2009 11:19:06 -0500 Subject: [Casper] Upgrading from Tiger to Leopard In-Reply-To: <5C92A9E0-6021-4E3D-B75C-94999CE11483@thecreativepartnership.co.uk> References: <353C2EA2-A3AE-4853-A20F-864B9B2D76E8@thecreativepartnership.co.uk> <6AC8A1F5-80F0-4928-9778-0F7012EABFDB@mac.com> <5C92A9E0-6021-4E3D-B75C-94999CE11483@thecreativepartnership.co.uk> Message-ID: Thanks for sharing! I'll have a poke at it to see how I can simplify it. Are you still deploying Macs with hard drives smaller than 80GB? For my own purposes and the types of environments I've been in lately, I'd probably just remove the whole case section pertaining to $RAW_SIZE. I'm curious as to your reasoning for making the home partition so much smaller while devoting the majority of the disk to the boot volume. I typically do it the other way around, though if you were concerned with keeping home directory size under control, I can see using this approach. My general disk space distribution is: For 80GB (which is the smallest I encounter these days): 20GB Boot Volume 10GB Restore Volume Data Volume For anything larger: 40GB Boot Volume 20GB Restore Volume Data Volume I find that I don't need any more than 20GB for the OS and Applications. In practice, I have rarely deployed a system that required any more than 10GB. Where more disk space is available, I double it to allow for unexpected growth. For apps with large amounts of template & resource data (such as Final Cut), I deploy it to the /Users/Shared directory. ---------- Miles A. Leacy IV ? Certified System Administrator 10.4 ? Certified Technical Coordinator 10.5 ? Certified Trainer Certified Casper Administrator ---------- voice: 1-347-277-7321 miles.leacy at themacadmin.com www.themacadmin.com On Fri, Jan 9, 2009 at 8:15 AM, Daniel Farnworth < daniel.farnworth at thecreativepartnership.co.uk> wrote: > He he, thought that'd be popular. > > The script is fairly poorly written (I'm not a Bash wiz) so any > improvements are welcome (please let me have any so I can improve mine). > > We run it as a 'before' script during our imaging process and it > takes a look at the internal disks, tries to figure out which is the > system disk or otherwise the disk in the first bay (Mac Pros only I > think) and then partitions it up into various volumes that we want. > Our post-flight script then takes the names of these and builds an > fstab file which it writes down to /etc. It also moves our admin > user's ('lwsadmin' in the script) home directory to /var/homes. We > figured this may be wise just in case the data partition goes dead > for any reason. Our OS image is pre-confd with lwsadmin's home > pointing at the correct location, so you may want to excise this > section and rely on using root to login in bad circumstances. > > Oh, the post script also 'hides' some of the partitions (Restore, > Freespace etc) so they don't show on the desktop, check the resulting > fstab to see how this is done. > > Be careful using this, it is destructive. Usual disclaimers apply =) > > ### Pre-install Partition Script > > #!/bin/bash -v > > exec 2>&1 > > function rawdisksize { > FLOAT=$1 > INT1=${FLOAT/.*} > #if $(( INT1 % 10 )) then > while (( INT1 % 10 )) > do > let INT1++ > done > #fi > echo "$INT1" > } > > > function partitionsizes { > > case $RAW_SIZE in > > 30) > INTHD_SIZE=15 > HOMES_SIZE=10 > SCRATCH_SIZE=3 > RESTORE_SIZE=0 > ;; > > 40) > INTHD_SIZE=20 > HOMES_SIZE=10 > SCRATCH_SIZE=5 > RESTORE_SIZE=0 > ;; > > 60) > INTHD_SIZE=30 > HOMES_SIZE=10 > SCRATCH_SIZE=10 > RESTORE_SIZE=5 > ;; > > 80) > INTHD_SIZE=40 > HOMES_SIZE=10 > SCRATCH_SIZE=10 > RESTORE_SIZE=10 > ;; > > 120) > INTHD_SIZE=60 > HOMES_SIZE=20 > SCRATCH_SIZE=10 > RESTORE_SIZE=20 > ;; > > 160) > INTHD_SIZE=80 > HOMES_SIZE=25 > SCRATCH_SIZE=10 > RESTORE_SIZE=25 > ;; > > 240) > INTHD_SIZE=160 > HOMES_SIZE=25 > SCRATCH_SIZE=10 > RESTORE_SIZE=25 > ;; > > *) > INTHD_SIZE=$(( ($RAW_SIZE / 100) * 66 )) > HOMES_SIZE=$(( ($RAW_SIZE / 100) * 11 )) > SCRATCH_SIZE=$(( ($RAW_SIZE / 100) * 11 )) > RESTORE_SIZE=$(( ($RAW_SIZE / 100) * 11 )) > ;; > esac > > } > > > # Define a function to define whether this is a 'Bay Capable' machine > #function bayedmachine { > > # This needs to be written fairly soon > > #} > > > if [ ! -e /Volumes/CP-IntHD-01/.cp-partition-done ]; then > > echo ${1} > TARGETDISK=`diskutil info ${1} | grep "Device Identifier:" | awk > '{ print $3 }' | cut -c 1-5` > echo ${TARGETDISK} > > # now to partition the disk > # > > if [ ! -z $TARGETDISK ] > then > TOTAL_SIZE=`diskutil info $TARGETDISK | grep "Total Size" | > awk > '{ print $3 }'` > RAW_SIZE=$(rawdisksize $TOTAL_SIZE) > partitionsizes > > echo "Total size of $TARGETDISK: $TOTAL_SIZE GB" > echo "Raw size of $TARGETDISK: $RAW_SIZE GB" > echo "CP-IntHD-01 Size: $INTHD_SIZE GB" > echo "CP-Homes-01 Size: $HOMES_SIZE GB" > echo "CP-Scratch-NOT-BackedUp Size: $SCRATCH_SIZE GB" > echo "Restore Size: $RESTORE_SIZE GB" > > > # Check processor type so we partition in the right format > > sysinfo=`system_profiler` > > countPPC=`echo ${sysinfo} | grep -c PowerPC` > countIntel=`echo ${sysinfo} | grep -c Intel` > > if [ ${countPPC} -ge 1 -a ${countIntel} -eq 0 ]; then > echo "Got a PPC in here" > partition_scheme_type="APMFormat" > > elif [ ${countIntel} -ge 1 -a ${countPPC} -eq 0 ]; then > echo "Intel Inside" > partition_scheme_type="GPTFormat" > > else > echo "Can't work out what kinda proc, it either > ain't got one or > could be a Cray?" > exit 1 > > fi > > > # Set the partition going > > if [ $RESTORE_SIZE -gt 0 ]; then > > diskutil partitionDisk $TARGETDISK 4 > $partition_scheme_type \ > "Journaled HFS+" CP-IntHD-01 "$INTHD_SIZE"G > \ > "Journaled HFS+" CP-Homes-01 "$HOMES_SIZE"G > \ > "Journaled HFS+" CP-Scratch-NOT-BackedUp > "$SCRATCH_SIZE"G \ > "Journaled HFS+" Restore "$RESTORE_SIZE"G > > else > > diskutil partitionDisk $TARGETDISK 3 > $partition_scheme_type \ > "Journaled HFS+" CP-IntHD-01 "$INTHD_SIZE"G > \ > "Journaled HFS+" CP-Homes-01 "$HOMES_SIZE"G > \ > "Journaled HFS+" CP-Scratch-NOT-BackedUp > "$SCRATCH_SIZE"G > > fi > > > chown root:admin /Volumes/CP-Homes-01 > chown root:admin /Volumes/CP-Scratch-NOT-BackedUp > chown root:admin /Volumes/Restore > chown root:admin /Volumes/Free-Space > > chmod g+w /Volumes/CP-Homes-01 > chmod g+w /Volumes/CP-Scratch-NOT-BackedUp > chmod g+w /Volumes/Restore > chmod g+w /Volumes/Free-Space > > touch /Volumes/CP-IntHD-01/.cp-partition-done > > else > > echo "Problem acquiring target disk, exiting"; > exit 1 > > fi > > else > > echo "The partition scheme has already been created. Exiting" > exit 0 > > fi > > exit 0 > > > ### Post Install Script > > #!/bin/bash -v > > # Redirect STDERR to STDOUT > exec 2>&1 > > VOLSDIR="/Volumes/" > > ROOTVOL="CP-IntHD-01" > HOMESVOL="CP-Homes-01" > > ROOTPATH="${VOLSDIR}${ROOTVOL}" > HOMESPATH="${VOLSDIR}${HOMESVOL}" > > > > > if [ -e "${1}/.cp-partition-done" ]; then > > # Ditto the contents of $ROOTPART/Users/Shared to their new location > > ditto -v "${1}/Users/Shared" "${HOMESPATH}/Shared" > if (( ! $? )); then > > # Remove the old copy of $ROOTPART/Users/Shared > echo "Done dittoing..." > rm -vR "${1}/Users/Shared" || { echo "rm /Users/Shared > failed" ; } > rm -v "${1}/Users/.DS_Store" || { echo "rm /Users/.DS_Store > failed" ; } > rm -v "${1}/Users/.localized" || { echo "rm > /Users/.localized > failed" ; } > > if [ -e "${1}/var/homes/lwsadmin" ]; then > rm -vR "${1}/Users/lwsadmin" || { echo "rm > /Users/lwsadmin > failed" ; } > fi > > DEVID=`diskutil list | grep $HOMESVOL | awk '{print $6}'` > UUID=`diskutil info $DEVID | grep UUID | /usr/bin/awk > {'print $2'}` > echo "# Remap the $HOMESPATH to /Users" >> $1/etc/fstab || { > echo > "'fstab' Stage 1 failed: $HOMESPATH" ; exit 1 ; } > echo -e "UUID=${UUID}\t/Users\thfs\trw,nobrowse\t1\t1\n" >> > $1/etc/ > fstab || { echo "'fstab' Stage 2 failed: $HOMESPATH" ; exit 1 ; } > > HIDDEN_VOLS=(Restore Free-Space) > > for volume in "${HIDDEN_VOLS[@]}"; do > > DEVID=`diskutil list | grep $volume | awk '{print > $6}'` > UUID=`diskutil info $DEVID | grep UUID | > /usr/bin/awk {'print $2'}` > > echo "# Set the volume $volume to not mount at > startup" >> $1/etc/ > fstab || { echo "'fstab' Stage 3 ($volume) failed: $volume" ; exit 1 ; } > echo -e "UUID=${UUID}\tnone\thfs\trw,noauto\t1\t1\n" > >> $1/etc/ > fstab || { echo "'fstab' Stage 4 ($volume) failed: $UUID" ; exit 1 ; } > > done > > fi > > touch "${1}/.cp-user-migration-done" || { echo "Task completion file > could not be created" ; exit 1 ; } > > exit 0 > > else > # Log the error > echo "Could not find partition completion file. It would be wise not > to continue" > # Exit with above 0 status > exit 1 > > fi > > > > > > > On 9 Jan 2009, at 12:44, Damien Weiss wrote: > > > > > YES!!!!! PLEASE!!!! Send that script on. That's something that I > > would implement almost immediately. > > > > Thanks! > > Damien > > > > On Jan 9, 2009, at 7:19 AM, Daniel Farnworth wrote: > > > >> I have a pre- > >> install script that we use to do this for us if anyone is interested. > >> > >> Cheers > >> Dan > > > > -- > Daniel Farnworth > IT Manager > The Creative Partnership > daniel.farnworth at thecreativepartnership.co.uk > > http://www.thecreativepartnership.co.uk > Tel: +44 (0)20 7439 7762 > Fax: +44 (0)20 7437 1467 > > PGP Public Key available > > > > > > > The information contained in this communication is intended solely for the > use of the individual or entity to whom it is addressed and others > authorised to receive it. It may contain confidential or legally privileged > information. If you are not the intended recipient you are hereby notified > that any disclosure, copying, distribution or taking any action in reliance > on the contents of this information is strictly prohibited and may be > unlawful. If you have received this communication in error, please notify > postmaster at thecreativepartnership.co.uk immediately and then delete this > email from your system. Any views or opinions presented in this email are > solely those of the author and do not necessarily represent those of The > Creative Partnership. The Creative Partnership has taken every reasonable > precaution to ensure that any attachment to this e-mail has been swept for > viruses. However, The Creative Partnership cannot accept liability for any > damage sustained as a result of software viruses and would advise that you > carry out your own virus checks before opening any attachment. > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://list.jamfsoftware.com/pipermail/casper/attachments/20090109/85ac7ae6/attachment.html From miles.leacy at themacadmin.com Fri Jan 9 08:30:06 2009 From: miles.leacy at themacadmin.com (Miles Leacy) Date: Fri, 9 Jan 2009 11:30:06 -0500 Subject: [Casper] Upgrading from Tiger to Leopard In-Reply-To: <49671CF6.7141.0039.0@kckps.org> References: <353C2EA2-A3AE-4853-A20F-864B9B2D76E8@thecreativepartnership.co.uk> <6AC8A1F5-80F0-4928-9778-0F7012EABFDB@mac.com> <5C92A9E0-6021-4E3D-B75C-94999CE11483@thecreativepartnership.co.uk> <49671CF6.7141.0039.0@kckps.org> Message-ID: UUIDs, being universally unique, you can't reference a UUID from machine A and disk A on machine B. It's like telling someone to go to Guam when this person doesn't know where Guam is and has neither a boat nor a plane. I've just skimmed the script so far (I have some deadlines I'm working today), but if I read it correctly, Dan's script is quite clever in that it dynamically grabs the appropriate UUID from the disk being acted upon. So, if using the UUID is a best practice, then Dan's got quite a nugget of scripty goodness here. To make sure due diligence is performed, let me ask; What if any issues has anyone using fstab in this way encountered? Are there any theoretical issues to be concerned about? ---------- Miles A. Leacy IV ? Certified System Administrator 10.4 ? Certified Technical Coordinator 10.5 ? Certified Trainer Certified Casper Administrator ---------- voice: 1-347-277-7321 miles.leacy at themacadmin.com www.themacadmin.com 2009/1/9 Thomas Larkin > When we did our massive dual boot image over this last summer I was > looking at the /etc/fstab file to hide the windows partition from the OS X > side. I had so many problems getting fstab to work. It would not work for > me if I used volume name or the device mount point, ie /dev/disk1s3/. It > would work if I used UUID, but if you mass duplicate that UUID to tons of > machines I found that it wouldn't work. > > What has been your experience using /etc/fstab in 10.5? > > > > ___________________________ > Thomas Larkin > TIS Department > KCKPS USD500 > tlarki at kckps.org > blackberry: 913-449-7589 > office: 913-627-0351 > > > > > > >>> Daniel Farnworth > 01/09/09 7:15 AM >>> > > He he, thought that'd be popular. > > The script is fairly poorly written (I'm not a Bash wiz) so any > improvements are welcome (please let me have any so I can improve mine). > > We run it as a 'before' script during our imaging process and it > takes a look at the internal disks, tries to figure out which is the > system disk or otherwise the disk in the first bay (Mac Pros only I > think) and then partitions it up into various volumes that we want. > Our post-flight script then takes the names of these and builds an > fstab file which it writes down to /etc. It also moves our admin > user's ('lwsadmin' in the script) home directory to /var/homes. We > figured this may be wise just in case the data partition goes dead > for any reason. Our OS image is pre-confd with lwsadmin's home > pointing at the correct location, so you may want to excise this > section and rely on using root to login in bad circumstances. > > Oh, the post script also 'hides' some of the partitions (Restore, > Freespace etc) so they don't show on the desktop, check the resulting > fstab to see how this is done. > > Be careful using this, it is destructive. Usual disclaimers apply =) > > ### Pre-install Partition Script > > #!/bin/bash -v > > exec 2>&1 > > function rawdisksize { > FLOAT=$1 > INT1=${FLOAT/.*} > #if $(( INT1 % 10 )) then > while (( INT1 % 10 )) > do > let INT1++ > done > #fi > echo "$INT1" > } > > > function partitionsizes { > > case $RAW_SIZE in > > 30) > INTHD_SIZE=15 > HOMES_SIZE=10 > SCRATCH_SIZE=3 > RESTORE_SIZE=0 > ;; > > 40) > INTHD_SIZE=20 > HOMES_SIZE=10 > SCRATCH_SIZE=5 > RESTORE_SIZE=0 > ;; > > 60) > INTHD_SIZE=30 > HOMES_SIZE=10 > SCRATCH_SIZE=10 > RESTORE_SIZE=5 > ;; > > 80) > INTHD_SIZE=40 > HOMES_SIZE=10 > SCRATCH_SIZE=10 > RESTORE_SIZE=10 > ;; > > 120) > INTHD_SIZE=60 > HOMES_SIZE=20 > SCRATCH_SIZE=10 > RESTORE_SIZE=20 > ;; > > 160) > INTHD_SIZE=80 > HOMES_SIZE=25 > SCRATCH_SIZE=10 > RESTORE_SIZE=25 > ;; > > 240) > INTHD_SIZE=160 > HOMES_SIZE=25 > SCRATCH_SIZE=10 > RESTORE_SIZE=25 > ;; > > *) > INTHD_SIZE=$(( ($RAW_SIZE / 100) * 66 )) > HOMES_SIZE=$(( ($RAW_SIZE / 100) * 11 )) > SCRATCH_SIZE=$(( ($RAW_SIZE / 100) * 11 )) > RESTORE_SIZE=$(( ($RAW_SIZE / 100) * 11 )) > ;; > esac > > } > > > # Define a function to define whether this is a 'Bay Capable' machine > #function bayedmachine { > > # This needs to be written fairly soon > > #} > > > if [ ! -e /Volumes/CP-IntHD-01/.cp-partition-done ]; then > > echo ${1} > TARGETDISK=`diskutil info ${1} | grep "Device Identifier:" | awk > '{ print $3 }' | cut -c 1-5` > echo ${TARGETDISK} > > # now to partition the disk > # > > if [ ! -z $TARGETDISK ] > then > TOTAL_SIZE=`diskutil info $TARGETDISK | grep "Total Size" | awk > '{ print $3 }'` > RAW_SIZE=$(rawdisksize $TOTAL_SIZE) > partitionsizes > > echo "Total size of $TARGETDISK: $TOTAL_SIZE GB" > echo "Raw size of $TARGETDISK: $RAW_SIZE GB" > echo "CP-IntHD-01 Size: $INTHD_SIZE GB" > echo "CP-Homes-01 Size: $HOMES_SIZE GB" > echo "CP-Scratch-NOT-BackedUp Size: $SCRATCH_SIZE GB" > echo "Restore Size: $RESTORE_SIZE GB" > > > # Check processor type so we partition in the right format > > sysinfo=`system_profiler` > > countPPC=`echo ${sysinfo} | grep -c PowerPC` > countIntel=`echo ${sysinfo} | grep -c Intel` > > if [ ${countPPC} -ge 1 -a ${countIntel} -eq 0 ]; then > echo "Got a PPC in here" > partition_scheme_type="APMFormat" > > elif [ ${countIntel} -ge 1 -a ${countPPC} -eq 0 ]; then > echo "Intel Inside" > partition_scheme_type="GPTFormat" > > else > echo "Can't work out what kinda proc, it either ain't got one or > could be a Cray?" > exit 1 > > fi > > > # Set the partition going > > if [ $RESTORE_SIZE -gt 0 ]; then > > diskutil partitionDisk $TARGETDISK 4 $partition_scheme_type \ > "Journaled HFS+" CP-IntHD-01 "$INTHD_SIZE"G \ > "Journaled HFS+" CP-Homes-01 "$HOMES_SIZE"G \ > "Journaled HFS+" CP-Scratch-NOT-BackedUp "$SCRATCH_SIZE"G \ > "Journaled HFS+" Restore "$RESTORE_SIZE"G > > else > > diskutil partitionDisk $TARGETDISK 3 $partition_scheme_type \ > "Journaled HFS+" CP-IntHD-01 "$INTHD_SIZE"G \ > "Journaled HFS+" CP-Homes-01 "$HOMES_SIZE"G \ > "Journaled HFS+" CP-Scratch-NOT-BackedUp "$SCRATCH_SIZE"G > > fi > > > chown root:admin /Volumes/CP-Homes-01 > chown root:admin /Volumes/CP-Scratch-NOT-BackedUp > chown root:admin /Volumes/Restore > chown root:admin /Volumes/Free-Space > > chmod g+w /Volumes/CP-Homes-01 > chmod g+w /Volumes/CP-Scratch-NOT-BackedUp > chmod g+w /Volumes/Restore > chmod g+w /Volumes/Free-Space > > touch /Volumes/CP-IntHD-01/.cp-partition-done > > else > > echo "Problem acquiring target disk, exiting"; > exit 1 > > fi > > else > > echo "The partition scheme has already been created. Exiting" > exit 0 > > fi > > exit 0 > > > ### Post Install Script > > #!/bin/bash -v > > # Redirect STDERR to STDOUT > exec 2>&1 > > VOLSDIR="/Volumes/" > > ROOTVOL="CP-IntHD-01" > HOMESVOL="CP-Homes-01" > > ROOTPATH="${VOLSDIR}${ROOTVOL}" > HOMESPATH="${VOLSDIR}${HOMESVOL}" > > > > > if [ -e "${1}/.cp-partition-done" ]; then > > # Ditto the contents of $ROOTPART/Users/Shared to their new location > > ditto -v "${1}/Users/Shared" "${HOMESPATH}/Shared" > if (( ! $? )); then > > # Remove the old copy of $ROOTPART/Users/Shared > echo "Done dittoing..." > rm -vR "${1}/Users/Shared" || { echo "rm /Users/Shared failed" ; } > rm -v "${1}/Users/.DS_Store" || { echo "rm /Users/.DS_Store > failed" ; } > rm -v "${1}/Users/.localized" || { echo "rm /Users/.localized > failed" ; } > > if [ -e "${1}/var/homes/lwsadmin" ]; then > rm -vR "${1}/Users/lwsadmin" || { echo "rm /Users/lwsadmin > failed" ; } > fi > > DEVID=`diskutil list | grep $HOMESVOL | awk '{print $6}'` > UUID=`diskutil info $DEVID | grep UUID | /usr/bin/awk {'print $2'}` > echo "# Remap the $HOMESPATH to /Users" >> $1/etc/fstab || { echo > "'fstab' Stage 1 failed: $HOMESPATH" ; exit 1 ; } > echo -e "UUID=${UUID}\t/Users\thfs\trw,nobrowse\t1\t1\n" >> $1/etc/ > fstab || { echo "'fstab' Stage 2 failed: $HOMESPATH" ; exit 1 ; } > > HIDDEN_VOLS=(Restore Free-Space) > > for volume in "${HIDDEN_VOLS[@]}"; do > > DEVID=`diskutil list | grep $volume | awk '{print $6}'` > UUID=`diskutil info $DEVID | grep UUID | /usr/bin/awk {'print $2'}` > > echo "# Set the volume $volume to not mount at startup" >> $1/etc/ > fstab || { echo "'fstab' Stage 3 ($volume) failed: $volume" ; exit 1 ; } > echo -e "UUID=${UUID}\tnone\thfs\trw,noauto\t1\t1\n" >> $1/etc/ > fstab || { echo "'fstab' Stage 4 ($volume) failed: $UUID" ; exit 1 ; } > > done > > fi > > touch "${1}/.cp-user-migration-done" || { echo "Task completion file > could not be created" ; exit 1 ; } > > exit 0 > > else > # Log the error > echo "Could not find partition completion file. It would be wise not > to continue" > # Exit with above 0 status > exit 1 > > fi > > > > > > > On 9 Jan 2009, at 12:44, Damien Weiss wrote: > > > > > YES!!!!! PLEASE!!!! Send that script on. That's something that I > > would implement almost immediately. > > > > Thanks! > > Damien > > > > On Jan 9, 2009, at 7:19 AM, Daniel Farnworth wrote: > > > >> I have a pre- > >> install script that we use to do this for us if anyone is interested. > >> > >> Cheers > >> Dan > > > > -- > Daniel Farnworth > IT Manager > The Creative Partnership > daniel.farnworth at thecreativepartnership.co.uk > > http://www.thecreativepartnership.co.uk > Tel: +44 (0)20 7439 7762 > Fax: +44 (0)20 7437 1467 > > PGP Public Key available > > > > > > > The information contained in this communication is intended solely for the > use of the individual or entity to whom it is addressed and others > authorised to receive it. It may contain confidential or legally privileged > information. If you are not the intended recipient you are hereby notified > that any disclosure, copying, distribution or taking any action in reliance > on the contents of this information is strictly prohibited and may be > unlawful. If you have received this communication in error, please notify > postmaster at thecreativepartnership.co.uk immediately and then delete this > email from your system. Any views or opinions presented in this email are > solely those of the author and do not necessarily represent those of The > Creative Partnership. The Creative Partnership has taken every reasonable > precaution to ensure that any attachment to this e-mail has been swept for > viruses. However, The Creative Partnership cannot accept liability for any > damage sustained as a result of s > oftware viruses and would advise that you carry out your own virus checks > before opening any attachment. > > _______________________________________________ > Casper mailing list > Casper at list.jamfsoftware.com > http://list.jamfsoftware.com/mailman/listinfo/casper > > > _______________________________________________ > Casper mailing list > Casper at list.jamfsoftware.com > http://list.jamfsoftware.com/mailman/listinfo/casper > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://list.jamfsoftware.com/pipermail/casper/attachments/20090109/c9ae3ebd/attachment.html From rharter at uwsp.edu Fri Jan 9 09:56:16 2009 From: rharter at uwsp.edu (Ryan Harter) Date: Fri, 9 Jan 2009 11:56:16 -0600 Subject: [Casper] Computer group from AD Message-ID: Hey Guys- Has anyone created a smart group that would take members based on if the computer is a member of an AD group. Essentially what I'm trying to do is scope a policy to a group of computers in AD, like you can with the User scope, but it doesn't seem to work with computers. When user's register for our disaster recovery system, their computer is added to a group in AD, and I would like to install the backup client on their machine based on whether or not they are in this group. Any ideas? Ryan Harter UW - Stevens Point Workstation Developer 715.346.2716 Ryan.Harter at uwsp.edu -------------- next part -------------- An HTML attachment was scrubbed... URL: http://list.jamfsoftware.com/pipermail/casper/attachments/20090109/95e010ad/attachment.html From ERNSTCS at uwec.edu Fri Jan 9 09:57:24 2009 From: ERNSTCS at uwec.edu (Ernst, Craig S.) Date: Fri, 9 Jan 2009 11:57:24 -0600 Subject: [Casper] Computer group from AD In-Reply-To: Message-ID: Don't believe the JSS works with computer accounts in AD. Craig E On 1/9/09 11:56 AM, "Ryan Harter" wrote: Hey Guys- Has anyone created a smart group that would take members based on if the computer is a member of an AD group. Essentially what I'm trying to do is scope a policy to a group of computers in AD, like you can with the User scope, but it doesn't seem to work with computers. When user's register for our disaster recovery system, their computer is added to a group in AD, and I would like to install the backup client on their machine based on whether or not they are in this group. Any ideas? Ryan Harter UW - Stevens Point Workstation Developer 715.346.2716 Ryan.Harter at uwsp.edu -------------- next part -------------- An HTML attachment was scrubbed... URL: http://list.jamfsoftware.com/pipermail/casper/attachments/20090109/2cfba74e/attachment.htm From jared.nichols at ll.mit.edu Fri Jan 9 11:03:01 2009 From: jared.nichols at ll.mit.edu (Nichols, Jared) Date: Fri, 9 Jan 2009 14:03:01 -0500 Subject: [Casper] Computer group from AD In-Reply-To: Message-ID: Wouldn't you just create a smart computer group that goes off of the Active Directory Status attribute? You could either make it "Active Directory Status" is <> (if you have more than one and you want to specify which) or you could make "Active Directory Status" is not "Not Bound" It's a double negative, but that would return any machine bound to an AD, no matter what the AD is called. See Attachment. Maybe I don't understand completely your question? j On 1/9/09 12:57 , "Ernst, Craig S." wrote: Don't believe the JSS works with computer accounts in AD. Craig E On 1/9/09 11:56 AM, "Ryan Harter" wrote: Hey Guys- Has anyone created a smart group that would take members based on if the computer is a member of an AD group. Essentially what I'm trying to do is scope a policy to a group of computers in AD, like you can with the User scope, but it doesn't seem to work with computers. When user's register for our disaster recovery system, their computer is added to a group in AD, and I would like to install the backup client on their machine based on whether or not they are in this group. Any ideas? Ryan Harter UW - Stevens Point Workstation Developer 715.346.2716 Ryan.Harter at uwsp.edu -- Jared Nichols ISD Infrastructure and Operations - Desktop Engineering MIT Lincoln Laboratory 244 Wood St. Lexington, MA 02420-9108 (781) 981-5500 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://list.jamfsoftware.com/pipermail/casper/attachments/20090109/dd40e315/attachment.html -------------- next part -------------- A non-text attachment was scrubbed... Name: Picture 2.png Type: application/octet-stream Size: 47585 bytes Desc: Picture 2.png Url : http://list.jamfsoftware.com/pipermail/casper/attachments/20090109/dd40e315/attachment.obj From miles.leacy at themacadmin.com Fri Jan 9 11:35:46 2009 From: miles.leacy at themacadmin.com (Miles Leacy) Date: Fri, 9 Jan 2009 14:35:46 -0500 Subject: [Casper] Computer group from AD In-Reply-To: References: Message-ID: "Bound to a directory" and "Member of a group" are different concepts. I would also like the ability to recognize computer accounts and computer groups. You could work around the current situation with a script using logic like so: 1. Query LDAP (AD) for the groups "my computer" ($2, assuming your machine names are the same as your AD names) belongs to. 2. grep the output for the group you want to key on. 3. call a custom trigger The ability for Casper to recognize computer accounts & groups would be better than this, but this can give you the same net effect as scoping a policy to an AD group. This also assumes you have the ability to perform LDAP lookups in AD. If your JSS is taking advantage of LDAP, then you could use the same account to perform the lookup in the script. ---------- Miles A. Leacy IV ? Certified System Administrator 10.4 ? Certified Technical Coordinator 10.5 ? Certified Trainer Certified Casper Administrator ---------- voice: 1-347-277-7321 miles.leacy at themacadmin.com www.themacadmin.com 2009/1/9 Nichols, Jared > Wouldn't you just create a smart computer group that goes off of the > Active Directory Status attribute? You could either make it "Active > Directory Status" is <> (if you have more than one and you want > to specify which) or you could make "Active Directory Status" is not "Not > Bound" It's a double negative, but that would return any machine bound to > an AD, no matter what the AD is called. > > See Attachment. > > Maybe I don't understand completely your question? > > j > > > On 1/9/09 12:57 , "Ernst, Craig S." wrote: > > Don't believe the JSS works with computer accounts in AD. > > Craig E > > > On 1/9/09 11:56 AM, "Ryan Harter" wrote: > > Hey Guys- > > Has anyone created a smart group that would take members based on if the > computer is a member of an AD group. > > Essentially what I'm trying to do is scope a policy to a group of computers > in AD, like you can with the User scope, but it doesn't seem to work with > computers. > > When user's register for our disaster recovery system, their computer is > added to a group in AD, and I would like to install the backup client on > their machine based on whether or not they are in this group. Any ideas? > > * > Ryan Harter > *UW - Stevens Point > Workstation Developer > 715.346.2716 > Ryan.Harter at uwsp.edu > > > > > > > -- > Jared Nichols > ISD Infrastructure and Operations ? Desktop Engineering > MIT Lincoln Laboratory > 244 Wood St. > Lexington, MA 02420-9108 > (781) 981-5500 > > _______________________________________________ > Casper mailing list > Casper at list.jamfsoftware.com > http://list.jamfsoftware.com/mailman/listinfo/casper > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://list.jamfsoftware.com/pipermail/casper/attachments/20090109/6a48c128/attachment.htm From rharter at uwsp.edu Fri Jan 9 12:22:53 2009 From: rharter at uwsp.edu (Ryan Harter) Date: Fri, 9 Jan 2009 14:22:53 -0600 Subject: [Casper] Computer group from AD In-Reply-To: References: Message-ID: This sounds like a good workaround. I have emailed JAMF about this too, but haven't heard anything. I'm sure they're all off at MacWorld:) I was hoping for a solution that I could make a computer group with so that I could only run it on the computers that need it and not on every computer just for the 20% that actually need the client. There is also talk of "leasing" CS3 licenses to departments on campus, in which case I would like to have self service only advertise the install on the computers that are in the CS3Licensed AD group. I may do this by having us add the users to a group as well and scope it that way temporarily, but the ultimate goal is to have it available for department machines, not users. I was thinking of some sort of logic like: 1. run a policy that will check dscl for the group memberships of the computer. 2. install a dummy package. 3. base a smart group on the receipt of the dummy package. 4. scope the policies to the smart group That way, I can not only run the policy just for the group, but also keep a record of who's in it. It's not a very elegant solution, but it may have to do. Ryan Harter UW - Stevens Point Workstation Developer 715.346.2716 Ryan.Harter at uwsp.edu On Jan 9, 2009, at 1:35 PM, Miles Leacy wrote: > "Bound to a directory" and "Member of a group" are different concepts. > > I would also like the ability to recognize computer accounts and > computer groups. > > You could work around the current situation with a script using > logic like so: > > 1. Query LDAP (AD) for the groups "my computer" ($2, assuming your > machine names are the same as your AD names) belongs to. > 2. grep the output for the group you want to key on. > 3. call a custom trigger > > The ability for Casper to recognize computer accounts & groups would > be better than this, but this can give you the same net effect as > scoping a policy to an AD group. This also assumes you have the > ability to perform LDAP lookups in AD. If your JSS is taking > advantage of LDAP, then you could use the same account to perform > the lookup in the script. > > ---------- > Miles A. Leacy IV > > ? Certified System Administrator 10.4 > ? Certified Technical Coordinator 10.5 > ? Certified Trainer > Certified Casper Administrator > ---------- > voice: 1-347-277-7321 > miles.leacy at themacadmin.com > www.themacadmin.com > > > > > 2009/1/9 Nichols, Jared > Wouldn't you just create a smart computer group that goes off of the > Active Directory Status attribute? You could either make it "Active > Directory Status" is <> (if you have more than one and > you want to specify which) or you could make "Active Directory > Status" is not "Not Bound" It's a double negative, but that would > return any machine bound to an AD, no matter what the AD is called. > > See Attachment. > > Maybe I don't understand completely your question? > > j > > > On 1/9/09 12:57 , "Ernst, Craig S." wrote: > > Don't believe the JSS works with computer accounts in AD. > > Craig E > > > On 1/9/09 11:56 AM, "Ryan Harter" wrote: > > Hey Guys- > > Has anyone created a smart group that would take members based on if > the computer is a member of an AD group. > > Essentially what I'm trying to do is scope a policy to a group of > computers in AD, like you can with the User scope, but it doesn't > seem to work with computers. > > When user's register for our disaster recovery system, their > computer is added to a group in AD, and I would like to install the > backup client on their machine based on whether or not they are in > this group. Any ideas? > > > Ryan Harter > UW - Stevens Point > Workstation Developer > 715.346.2716 > Ryan.Harter at uwsp.edu > > > > > > -- > Jared Nichols > ISD Infrastructure and Operations ? Desktop Engineering > MIT Lincoln Laboratory > 244 Wood St. > Lexington, MA 02420-9108 > (781) 981-5500 > > _______________________________________________ > Casper mailing list > Casper at list.jamfsoftware.com > http://list.jamfsoftware.com/mailman/listinfo/casper > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://list.jamfsoftware.com/pipermail/casper/attachments/20090109/51183c90/attachment.html From miles.leacy at themacadmin.com Fri Jan 9 12:50:13 2009 From: miles.leacy at themacadmin.com (Miles Leacy) Date: Fri, 9 Jan 2009 15:50:13 -0500 Subject: [Casper] Computer group from AD In-Reply-To: References:

Message-ID: I'm a big fan of smart groups based on dummy receipts. To break it down (as I would do it, at least): Run the initial policy on all machines (once per day, limited to off-hours if there would be any performance concerns). This policy does: - run script that checks AD groups. - if desired group is found, issue a custom trigger of "receipt exists". - if desired group is not found, issue a custom trigger of "receipt does not exist". The "receipt exists" custom trigger policy does: - Install the dummy package The "receipt does not exist" custom trigger policy does: - delete the dummy package's receipt Smart group is scoped to the existence of the dummy receipt. You can now scope to your smart group knowing that it consists of all members of your target AD group, with up to a 24-hour lag behind changes in group membership. If 24 hours is too big of a window, you could set it to every15 (or 30 or whatever your periodic trigger is) and execution frequency of "ongoing". This is pretty lightweight, so I don't think there's any cause for performance concerns. ---------- Miles A. Leacy IV ? Certified System Administrator 10.4 ? Certified Technical Coordinator 10.5 ? Certified Trainer Certified Casper Administrator ---------- voice: 1-347-277-7321 miles.leacy at themacadmin.com www.themacadmin.com On Fri, Jan 9, 2009 at 3:22 PM, Ryan Harter wrote: > This sounds like a good workaround. I have emailed JAMF about this too, > but haven't heard anything. I'm sure they're all off at MacWorld:) > I was hoping for a solution that I could make a computer group with so that > I could only run it on the computers that need it and not on every computer > just for the 20% that actually need the client. > > There is also talk of "leasing" CS3 licenses to departments on campus, in > which case I would like to have self service only advertise the install on > the computers that are in the CS3Licensed AD group. I may do this by having > us add the users to a group as well and scope it that way temporarily, but > the ultimate goal is to have it available for department machines, not > users. > > I was thinking of some sort of logic like: > > 1. run a policy that will check dscl for the group memberships of the > computer. > 2. install a dummy package. > 3. base a smart group on the receipt of the dummy package. > 4. scope the policies to the smart group > > That way, I can not only run the policy just for the group, but also keep a > record of who's in it. It's not a very elegant solution, but it may have to > do. > * > Ryan Harter* > UW - Stevens Point > Workstation Developer > 715.346.2716 > Ryan.Harter at uwsp.edu > > On Jan 9, 2009, at 1:35 PM, Miles Leacy wrote: > > "Bound to a directory" and "Member of a group" are different concepts. > I would also like the ability to recognize computer accounts and computer > groups. > > You could work around the current situation with a script using logic like > so: > > 1. Query LDAP (AD) for the groups "my computer" ($2, assuming your machine > names are the same as your AD names) belongs to. > 2. grep the output for the group you want to key on. > 3. call a custom trigger > > The ability for Casper to recognize computer accounts & groups would be > better than this, but this can give you the same net effect as scoping a > policy to an AD group. This also assumes you have the ability to perform > LDAP lookups in AD. If your JSS is taking advantage of LDAP, then you could > use the same account to perform the lookup in the script. > > ---------- > Miles A. Leacy IV > > ? Certified System Administrator 10.4 > ? Certified Technical Coordinator 10.5 > ? Certified Trainer > Certified Casper Administrator > ---------- > voice: 1-347-277-7321 > miles.leacy at themacadmin.com > www.themacadmin.com > > > > > 2009/1/9 Nichols, Jared > >> Wouldn't you just create a smart computer group that goes off of the >> Active Directory Status attribute? You could either make it "Active >> Directory Status" is <> (if you have more than one and you want >> to specify which) or you could make "Active Directory Status" is not "Not >> Bound" It's a double negative, but that would return any machine bound to >> an AD, no matter what the AD is called. >> >> See Attachment. >> >> Maybe I don't understand completely your question? >> >> j >> >> >> On 1/9/09 12:57 , "Ernst, Craig S." wrote: >> >> Don't believe the JSS works with computer accounts in AD. >> >> Craig E >> >> >> On 1/9/09 11:56 AM, "Ryan Harter" wrote: >> >> Hey Guys- >> >> Has anyone created a smart group that would take members based on if the >> computer is a member of an AD group. >> >> Essentially what I'm trying to do is scope a policy to a group of >> computers in AD, like you can with the User scope, but it doesn't seem to >> work with computers. >> >> When user's register for our disaster recovery system, their computer is >> added to a group in AD, and I would like to install the backup client on >> their machine based on whether or not they are in this group. Any ideas? >> >> * >> Ryan Harter >> *UW - Stevens Point >> Workstation Developer >> 715.346.2716 >> Ryan.Harter at uwsp.edu > >> >> >> >> >> >> >> -- >> Jared Nichols >> ISD Infrastructure and Operations ? Desktop Engineering >> MIT Lincoln Laboratory >> 244 Wood St. >> Lexington, MA 02420-9108 >> (781) 981-5500 >> >> _______________________________________________ >> Casper mailing list >> Casper at list.jamfsoftware.com >> http://list.jamfsoftware.com/mailman/listinfo/casper >> >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://list.jamfsoftware.com/pipermail/casper/attachments/20090109/f0fb756f/attachment.htm From rharter at uwsp.edu Fri Jan 9 12:58:02 2009 From: rharter at uwsp.edu (Ryan Harter) Date: Fri, 9 Jan 2009 14:58:02 -0600 Subject: [Casper] Computer group from AD In-Reply-To: References: Message-ID: <2BB873C2-2F31-45F8-9E75-2EFEFDD9BBDC@uwsp.edu> Ideally I would like to create a smart group based on AD group membership. The reason for this is that this is a cross platform venture. For the backup system I was talking about, users register themselves at a web page that then adds them to a Bacula group in AD. On the PC side group policy will then install the client on their system because they have been added to that group. As it stands on the mac side when someone registers for the service we have to manually install the client. As for the CS3 installs, when their department "leases" a license they're computers will just be added to an AD group (presumably automated by a website, hasn't been implemented yet) and the PC guys will use that group membership to advertise the install with SCCM. I would like the Mac side to be just as automated, once the website puts their computer in the AD group, the install will be advertised. I think for the Bacula client install, the best solution would be to have a smart group based on the AD group, and then a run once per computer policy to install the client. For CS3, a self service install scoped to a smart group based on the AD group, which you can already do with users, but with computers, so that when the computer is added, the install will be advertised. Before Casper we used AD group membership extensively to define which scripts were run, and what maintenance tasks were performed. The groups help us determine whether machines are labs, faculty, which particular faculty, and anything special about each (i.e. registered for backups). Our network isn't segmented well enough to use segments (we have a lab and facstaff vlan for each building and that is all). The major goal of this is to automate all of these processes. We all know that Mac admins have a lot to do and adding every individual user who decides to sign up for something is not high on my list:) What would also be cool is a documented way to tie into the JSS with a web page (perhaps PHP) so that I could make a web page where people could sign up for something, get all the information I need and send some pieces to the JSS and some to other systems. Perhaps there's a way to do this. I hadn't thought of it before but boy does that sound cool. Thanks for all the input. I really think mailing lists are a great way of narrowing down the best way to do something based on what other people have done. Thanks again. Ryan Harter UW - Stevens Point Workstation Developer 715.346.2716 Ryan.Harter at uwsp.edu On Jan 9, 2009, at 2:28 PM, Ernst, Craig S. wrote: > So you don?t want to use the tools for Groups or Smart Groups in > the JSS? Or do you have options to limit based on network segments? > If you know the machines that need it...create a group in the JSS > and assign accordingly. I?m not sure how you name machines, or > assign them in terms of department and what not in the JSS, but > that?s why those options are there. > > I?m not really sure why the desire to use AD... > > I only ask because we don?t use AD on the Macs for anything but > authentication, thus all of our Macs are in a single container in > AD. What do you use the groups in AD for Macs for? > > And to be clear...I?m not saying what your trying to do is wrong or > unnecessary...I just am trying to better understand what you are > trying to do and perhaps learn something. > > Craig E > > > On 1/9/09 2:22 PM, "Ryan Harter" wrote: > > This sounds like a good workaround. I have emailed JAMF about this > too, but haven't heard anything. I'm sure they're all off at > MacWorld:) > > I was hoping for a solution that I could make a computer group with > so that I could only run it on the computers that need it and not on > every computer just for the 20% that actually need the client. > > There is also talk of "leasing" CS3 licenses to departments on > campus, in which case I would like to have self service only > advertise the install on the computers that are in the CS3Licensed > AD group. I may do this by having us add the users to a group as > well and scope it that way temporarily, but the ultimate goal is to > have it available for department machines, not users. > > I was thinking of some sort of logic like: > > 1. run a policy that will check dscl for the group memberships of > the computer. > 2. install a dummy package. > 3. base a smart group on the receipt of the dummy package. > 4. scope the policies to the smart group > > That way, I can not only run the policy just for the group, but also > keep a record of who's in it. It's not a very elegant solution, but > it may have to do. > > > Ryan Harter > UW - Stevens Point > Workstation Developer > 715.346.2716 > Ryan.Harter at uwsp.edu > > > On Jan 9, 2009, at 1:35 PM, Miles Leacy wrote: > > "Bound to a directory" and "Member of a group" are different concepts. > > I would also like the ability to recognize computer accounts and > computer groups. > > You could work around the current situation with a script using > logic like so: > > > 1. Query LDAP (AD) for the groups "my computer" ($2, assuming your > machine names are the same as your AD names) belongs to. > 2. grep the output for the group you want to key on. > > 3. call a custom trigger > > The ability for Casper to recognize computer accounts & groups would > be better than this, but this can give you the same net effect as > scoping a policy to an AD group. This also assumes you have the > ability to perform LDAP lookups in AD. If your JSS is taking > advantage of LDAP, then you could use the same account to perform > the lookup in the script. > > ---------- > Miles A. Leacy IV > > ? Certified System Administrator 10.4 > ? Certified Technical Coordinator 10.5 > ? Certified Trainer > Certified Casper Administrator > ---------- > voice: 1-347-277-7321 > miles.leacy at themacadmin.com > www.themacadmin.com > > > > > 2009/1/9 Nichols, Jared > > Wouldn't you just create a smart computer group that goes off of > the Active Directory Status attribute? You could either make it > "Active Directory Status" is <> (if you have more than > one and you want to specify which) or you could make "Active > Directory Status" is not "Not Bound" It's a double negative, but > that would return any machine bound to an AD, no matter what the AD > is called. > > See Attachment. > > Maybe I don't understand completely your question? > > j > > > On 1/9/09 12:57 , "Ernst, Craig S." > > wrote: > > > Don't believe the JSS works with computer accounts in AD. > > Craig E > > > On 1/9/09 11:56 AM, "Ryan Harter" > > wrote: > > > Hey Guys- > > Has anyone created a smart group that would take members based on > if the computer is a member of an AD group. > > Essentially what I'm trying to do is scope a policy to a group of > computers in AD, like you can with the User scope, but it doesn't > seem to work with computers. > > When user's register for our disaster recovery system, their > computer is added to a group in AD, and I would like to install the > backup client on their machine based on whether or not they are in > this group. Any ideas? > > > Ryan Harter > UW - Stevens Point > Workstation Developer > 715.346.2716 > Ryan.Harter at uwsp.edu > > > > > > > > > -- > Jared Nichols > ISD Infrastructure and Operations ? Desktop Engineering > MIT Lincoln Laboratory > 244 Wood St. > Lexington, MA 02420-9108 > (781) 981-5500 > > > _______________________________________________ > Casper mailing list > Casper at list.jamfsoftware.com > http://list.jamfsoftware.com/mailman/listinfo/casper > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://list.jamfsoftware.com/pipermail/casper/attachments/20090109/d3d94c5c/attachment.html From rharter at uwsp.edu Fri Jan 9 14:27:42 2009 From: rharter at uwsp.edu (Ryan Harter) Date: Fri, 9 Jan 2009 16:27:42 -0600 Subject: [Casper] Computer group from AD In-Reply-To: References:

Message-ID: <21371DCC-0478-4393-AFF2-116CE8426B39@uwsp.edu> From Jamf: > What you will want to do is log on to the JSS, go to Admin, and add > the LDAP server again, only scope it to computers rather than > Users. That should give you the ability to scope to the AD groups. That seems to work for getting computer and group records, but I haven't found yet how to scope a policy to that group, the JSS just seems to return Casper groups. I'll let you know when I find this out. Ryan Harter UW - Stevens Point Workstation Developer 715.346.2716 Ryan.Harter at uwsp.edu On Jan 9, 2009, at 2:50 PM, Miles Leacy wrote: > I'm a big fan of smart groups based on dummy receipts. > > To break it down (as I would do it, at least): > > Run the initial policy on all machines (once per day, limited to off- > hours if there would be any performance concerns). This policy does: > - run script that checks AD groups. > - if desired group is found, issue a custom trigger of "receipt > exists". > - if desired group is not found, issue a custom trigger of "receipt > does not exist". > > The "receipt exists" custom trigger policy does: > - Install the dummy package > > The "receipt does not exist" custom trigger policy does: > - delete the dummy package's receipt > > Smart group is scoped to the existence of the dummy receipt. > > You can now scope to your smart group knowing that it consists of > all members of your target AD group, with up to a 24-hour lag behind > changes in group membership. If 24 hours is too big of a window, > you could set it to every15 (or 30 or whatever your periodic trigger > is) and execution frequency of "ongoing". This is pretty > lightweight, so I don't think there's any cause for performance > concerns. > > ---------- > Miles A. Leacy IV > > ? Certified System Administrator 10.4 > ? Certified Technical Coordinator 10.5 > ? Certified Trainer > Certified Casper Administrator > ---------- > voice: 1-347-277-7321 > miles.leacy at themacadmin.com > www.themacadmin.com > > > > > On Fri, Jan 9, 2009 at 3:22 PM, Ryan Harter wrote: > This sounds like a good workaround. I have emailed JAMF about this > too, but haven't heard anything. I'm sure they're all off at > MacWorld:) > > I was hoping for a solution that I could make a computer group with > so that I could only run it on the computers that need it and not on > every computer just for the 20% that actually need the client. > > There is also talk of "leasing" CS3 licenses to departments on > campus, in which case I would like to have self service only > advertise the install on the computers that are in the CS3Licensed > AD group. I may do this by having us add the users to a group as > well and scope it that way temporarily, but the ultimate goal is to > have it available for department machines, not users. > > I was thinking of some sort of logic like: > > 1. run a policy that will check dscl for the group memberships of > the computer. > 2. install a dummy package. > 3. base a smart group on the receipt of the dummy package. > 4. scope the policies to the smart group > > That way, I can not only run the policy just for the group, but also > keep a record of who's in it. It's not a very elegant solution, but > it may have to do. > > Ryan Harter > UW - Stevens Point > Workstation Developer > 715.346.2716 > Ryan.Harter at uwsp.edu > > On Jan 9, 2009, at 1:35 PM, Miles Leacy wrote: > >> "Bound to a directory" and "Member of a group" are different >> concepts. >> >> I would also like the ability to recognize computer accounts and >> computer groups. >> >> You could work around the current situation with a script using >> logic like so: >> >> 1. Query LDAP (AD) for the groups "my computer" ($2, assuming your >> machine names are the same as your AD names) belongs to. >> 2. grep the output for the group you want to key on. >> 3. call a custom trigger >> >> The ability for Casper to recognize computer accounts & groups >> would be better than this, but this can give you the same net >> effect as scoping a policy to an AD group. This also assumes you >> have the ability to perform LDAP lookups in AD. If your JSS is >> taking advantage of LDAP, then you could use the same account to >> perform the lookup in the script. >> >> ---------- >> Miles A. Leacy IV >> >> ? Certified System Administrator 10.4 >> ? Certified Technical Coordinator 10.5 >> ? Certified Trainer >> Certified Casper Administrator >> ---------- >> voice: 1-347-277-7321 >> miles.leacy at themacadmin.com >> www.themacadmin.com >> >> >> >> >> 2009/1/9 Nichols, Jared >> Wouldn't you just create a smart computer group that goes off of >> the Active Directory Status attribute? You could either make it >> "Active Directory Status" is <> (if you have more than >> one and you want to specify which) or you could make "Active >> Directory Status" is not "Not Bound" It's a double negative, but >> that would return any machine bound to an AD, no matter what the AD >> is called. >> >> See Attachment. >> >> Maybe I don't understand completely your question? >> >> j >> >> >> On 1/9/09 12:57 , "Ernst, Craig S." wrote: >> >> Don't believe the JSS works with computer accounts in AD. >> >> Craig E >> >> >> On 1/9/09 11:56 AM, "Ryan Harter" wrote: >> >> Hey Guys- >> >> Has anyone created a smart group that would take members based on >> if the computer is a member of an AD group. >> >> Essentially what I'm trying to do is scope a policy to a group of >> computers in AD, like you can with the User scope, but it doesn't >> seem to work with computers. >> >> When user's register for our disaster recovery system, their >> computer is added to a group in AD, and I would like to install the >> backup client on their machine based on whether or not they are in >> this group. Any ideas? >> >> >> Ryan Harter >> UW - Stevens Point >> Workstation Developer >> 715.346.2716 >> Ryan.Harter at uwsp.edu >> >> >> >> >> >> -- >> Jared Nichols >> ISD Infrastructure and Operations ? Desktop Engineering >> MIT Lincoln Laboratory >> 244 Wood St. >> Lexington, MA 02420-9108 >> (781) 981-5500 >> >> _______________________________________________ >> Casper mailing list >> Casper at list.jamfsoftware.com >> http://list.jamfsoftware.com/mailman/listinfo/casper >> >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://list.jamfsoftware.com/pipermail/casper/attachments/20090109/a918787c/attachment.html From david.lundgren at brooks.edu Fri Jan 9 18:15:11 2009 From: david.lundgren at brooks.edu (David Lundgren) Date: Fri, 9 Jan 2009 18:15:11 -0800 Subject: [Casper] Upgrading from Tiger to Leopard In-Reply-To: <5C92A9E0-6021-4E3D-B75C-94999CE11483@thecreativepartnership.co.uk> Message-ID: Thank you all for your help, ideas and definitely the script. I was going to use python for the scripting part as my netinstall is leopard, but I'll just modify yours as needed for our setup. If I refactor the script I'll shoot it back to the list. I ran into the same problem as a others saw with the symlink'd /Users when installing CS4, it didn't like symlinks. So I setup the fstab on Leopard (using vifs) and it worked for the CS4 install. Thanks Dave On 1/9/09 5:15 AM, "Daniel Farnworth" wrote: > He he, thought that'd be popular. > > The script is fairly poorly written (I'm not a Bash wiz) so any > improvements are welcome (please let me have any so I can improve mine). > > We run it as a 'before' script during our imaging process and it > takes a look at the internal disks, tries to figure out which is the > system disk or otherwise the disk in the first bay (Mac Pros only I > think) and then partitions it up into various volumes that we want. > Our post-flight script then takes the names of these and builds an > fstab file which it writes down to /etc. It also moves our admin > user's ('lwsadmin' in the script) home directory to /var/homes. We > figured this may be wise just in case the data partition goes dead > for any reason. Our OS image is pre-confd with lwsadmin's home > pointing at the correct location, so you may want to excise this > section and rely on using root to login in bad circumstances. > > Oh, the post script also 'hides' some of the partitions (Restore, > Freespace etc) so they don't show on the desktop, check the resulting > fstab to see how this is done. > > Be careful using this, it is destructive. Usual disclaimers apply =) > > ### Pre-install Partition Script > > #!/bin/bash -v > > exec 2>&1 > > function rawdisksize { > FLOAT=$1 > INT1=${FLOAT/.*} > #if $(( INT1 % 10 )) then > while (( INT1 % 10 )) > do > let INT1++ > done > #fi > echo "$INT1" > } > > > function partitionsizes { > > case $RAW_SIZE in > > 30) > INTHD_SIZE=15 > HOMES_SIZE=10 > SCRATCH_SIZE=3 > RESTORE_SIZE=0 > ;; > > 40) > INTHD_SIZE=20 > HOMES_SIZE=10 > SCRATCH_SIZE=5 > RESTORE_SIZE=0 > ;; > > 60) > INTHD_SIZE=30 > HOMES_SIZE=10 > SCRATCH_SIZE=10 > RESTORE_SIZE=5 > ;; > > 80) > INTHD_SIZE=40 > HOMES_SIZE=10 > SCRATCH_SIZE=10 > RESTORE_SIZE=10 > ;; > > 120) > INTHD_SIZE=60 > HOMES_SIZE=20 > SCRATCH_SIZE=10 > RESTORE_SIZE=20 > ;; > > 160) > INTHD_SIZE=80 > HOMES_SIZE=25 > SCRATCH_SIZE=10 > RESTORE_SIZE=25 > ;; > > 240) > INTHD_SIZE=160 > HOMES_SIZE=25 > SCRATCH_SIZE=10 > RESTORE_SIZE=25 > ;; > > *) > INTHD_SIZE=$(( ($RAW_SIZE / 100) * 66 )) > HOMES_SIZE=$(( ($RAW_SIZE / 100) * 11 )) > SCRATCH_SIZE=$(( ($RAW_SIZE / 100) * 11 )) > RESTORE_SIZE=$(( ($RAW_SIZE / 100) * 11 )) > ;; > esac > > } > > > # Define a function to define whether this is a 'Bay Capable' machine > #function bayedmachine { > > # This needs to be written fairly soon > > #} > > > if [ ! -e /Volumes/CP-IntHD-01/.cp-partition-done ]; then > > echo ${1} > TARGETDISK=`diskutil info ${1} | grep "Device Identifier:" | awk > '{ print $3 }' | cut -c 1-5` > echo ${TARGETDISK} > > # now to partition the disk > # > > if [ ! -z $TARGETDISK ] > then > TOTAL_SIZE=`diskutil info $TARGETDISK | grep "Total Size" | > awk > '{ print $3 }'` > RAW_SIZE=$(rawdisksize $TOTAL_SIZE) > partitionsizes > > echo "Total size of $TARGETDISK: $TOTAL_SIZE GB" > echo "Raw size of $TARGETDISK: $RAW_SIZE GB" > echo "CP-IntHD-01 Size: $INTHD_SIZE GB" > echo "CP-Homes-01 Size: $HOMES_SIZE GB" > echo "CP-Scratch-NOT-BackedUp Size: $SCRATCH_SIZE GB" > echo "Restore Size: $RESTORE_SIZE GB" > > > # Check processor type so we partition in the right format > > sysinfo=`system_profiler` > > countPPC=`echo ${sysinfo} | grep -c PowerPC` > countIntel=`echo ${sysinfo} | grep -c Intel` > > if [ ${countPPC} -ge 1 -a ${countIntel} -eq 0 ]; then > echo "Got a PPC in here" > partition_scheme_type="APMFormat" > > elif [ ${countIntel} -ge 1 -a ${countPPC} -eq 0 ]; then > echo "Intel Inside" > partition_scheme_type="GPTFormat" > > else > echo "Can't work out what kinda proc, it either ain't > got one or > could be a Cray?" > exit 1 > > fi > > > # Set the partition going > > if [ $RESTORE_SIZE -gt 0 ]; then > > diskutil partitionDisk $TARGETDISK 4 > $partition_scheme_type \ > "Journaled HFS+" CP-IntHD-01 "$INTHD_SIZE"G \ > "Journaled HFS+" CP-Homes-01 "$HOMES_SIZE"G \ > "Journaled HFS+" CP-Scratch-NOT-BackedUp > "$SCRATCH_SIZE"G \ > "Journaled HFS+" Restore "$RESTORE_SIZE"G > > else > > diskutil partitionDisk $TARGETDISK 3 > $partition_scheme_type \ > "Journaled HFS+" CP-IntHD-01 "$INTHD_SIZE"G \ > "Journaled HFS+" CP-Homes-01 "$HOMES_SIZE"G \ > "Journaled HFS+" CP-Scratch-NOT-BackedUp > "$SCRATCH_SIZE"G > > fi > > > chown root:admin /Volumes/CP-Homes-01 > chown root:admin /Volumes/CP-Scratch-NOT-BackedUp > chown root:admin /Volumes/Restore > chown root:admin /Volumes/Free-Space > > chmod g+w /Volumes/CP-Homes-01 > chmod g+w /Volumes/CP-Scratch-NOT-BackedUp > chmod g+w /Volumes/Restore > chmod g+w /Volumes/Free-Space > > touch /Volumes/CP-IntHD-01/.cp-partition-done > > else > > echo "Problem acquiring target disk, exiting"; > exit 1 > > fi > > else > > echo "The partition scheme has already been created. Exiting" > exit 0 > > fi > > exit 0 > > > ### Post Install Script > > #!/bin/bash -v > > # Redirect STDERR to STDOUT > exec 2>&1 > > VOLSDIR="/Volumes/" > > ROOTVOL="CP-IntHD-01" > HOMESVOL="CP-Homes-01" > > ROOTPATH="${VOLSDIR}${ROOTVOL}" > HOMESPATH="${VOLSDIR}${HOMESVOL}" > > > > > if [ -e "${1}/.cp-partition-done" ]; then > > # Ditto the contents of $ROOTPART/Users/Shared to their new location > > ditto -v "${1}/Users/Shared" "${HOMESPATH}/Shared" > if (( ! $? )); then > > # Remove the old copy of $ROOTPART/Users/Shared > echo "Done dittoing..." > rm -vR "${1}/Users/Shared" || { echo "rm /Users/Shared failed" > ; } > rm -v "${1}/Users/.DS_Store" || { echo "rm /Users/.DS_Store > failed" ; } > rm -v "${1}/Users/.localized" || { echo "rm /Users/.localized > failed" ; } > > if [ -e "${1}/var/homes/lwsadmin" ]; then > rm -vR "${1}/Users/lwsadmin" || { echo "rm > /Users/lwsadmin > failed" ; } > fi > > DEVID=`diskutil list | grep $HOMESVOL | awk '{print $6}'` > UUID=`diskutil info $DEVID | grep UUID | /usr/bin/awk {'print > $2'}` > echo "# Remap the $HOMESPATH to /Users" >> $1/etc/fstab || { > echo > "'fstab' Stage 1 failed: $HOMESPATH" ; exit 1 ; } > echo -e "UUID=${UUID}\t/Users\thfs\trw,nobrowse\t1\t1\n" >> > $1/etc/ > fstab || { echo "'fstab' Stage 2 failed: $HOMESPATH" ; exit 1 ; } > > HIDDEN_VOLS=(Restore Free-Space) > > for volume in "${HIDDEN_VOLS[@]}"; do > > DEVID=`diskutil list | grep $volume | awk '{print > $6}'` > UUID=`diskutil info $DEVID | grep UUID | /usr/bin/awk > {'print $2'}` > > echo "# Set the volume $volume to not mount at > startup" >> $1/etc/ > fstab || { echo "'fstab' Stage 3 ($volume) failed: $volume" ; exit 1 ; } > echo -e "UUID=${UUID}\tnone\thfs\trw,noauto\t1\t1\n" > >> $1/etc/ > fstab || { echo "'fstab' Stage 4 ($volume) failed: $UUID" ; exit 1 ; } > > done > > fi > > touch "${1}/.cp-user-migration-done" || { echo "Task completion file > could not be created" ; exit 1 ; } > > exit 0 > > else > # Log the error > echo "Could not find partition completion file. It would be wise not > to continue" > # Exit with above 0 status > exit 1 > > fi > > > > > > > On 9 Jan 2009, at 12:44, Damien Weiss wrote: > >> >> YES!!!!! PLEASE!!!! Send that script on. That's something that I >> would implement almost immediately. >> >> Thanks! >> Damien >> >> On Jan 9, 2009, at 7:19 AM, Daniel Farnworth wrote: >> >>> I have a pre- >>> install script that we use to do this for us if anyone is interested. >>> >>> Cheers >>> Dan >> > > -- > Daniel Farnworth > IT Manager > The Creative Partnership > daniel.farnworth at thecreativepartnership.co.uk > > http://www.thecreativepartnership.co.uk > Tel: +44 (0)20 7439 7762 > Fax: +44 (0)20 7437 1467 > > PGP Public Key available > > > > > > > The information contained in this communication is intended solely for the use > of the individual or entity to whom it is addressed and others authorised to > receive it. It may contain confidential or legally privileged information. If > you are not the intended recipient you are hereby notified that any > disclosure, copying, distribution or taking any action in reliance on the > contents of this information is strictly prohibited and may be unlawful. If > you have received this communication in error, please notify > postmaster at thecreativepartnership.co.uk immediately and then delete this email > from your system. Any views or opinions presented in this email are solely > those of the author and do not necessarily represent those of The Creative > Partnership. The Creative Partnership has taken every reasonable precaution to > ensure that any attachment to this e-mail has been swept for viruses. However, > The Creative Partnership cannot accept liability for any damage sustained as a > result of software viruses and would advise that you carry out your own virus > checks before opening any attachment. > > _______________________________________________ > Casper mailing list > Casper at list.jamfsoftware.com > http://list.jamfsoftware.com/mailman/listinfo/casper -- David Lundgren IT Systems Administrator Brooks Institute - "Passion, Vision, Excellence" 27 East Cota Street Santa Barbara, CA 93101 (888) 304-3456 (toll-free) (805) 690-7615 (office) http://www.brooks.edu From daniel.farnworth at thecreativepartnership.co.uk Mon Jan 12 06:51:45 2009 From: daniel.farnworth at thecreativepartnership.co.uk (Daniel Farnworth) Date: Mon, 12 Jan 2009 14:51:45 +0000 Subject: [Casper] Upgrading from Tiger to Leopard In-Reply-To: References: <353C2EA2-A3AE-4853-A20F-864B9B2D76E8@thecreativepartnership.co.uk> <6AC8A1F5-80F0-4928-9778-0F7012EABFDB@mac.com> <5C92A9E0-6021-4E3D-B75C-94999CE11483@thecreativepartnership.co.uk> <49671CF6.7141.0039.0@kckps.org> Message-ID: <242804D3-F369-47C4-9432-722A74F63B08@thecreativepartnership.co.uk> Thanks Miles, your comments are much appreciated. For what it's worth, the fstab will work just fine using LABEL=volume_name and this may in fact be more portable, but we figured that best practice was to use UUIDs wherever possible. The only area this may be an issue is if you where to move a physical data disk to another machine but not the system disk, but you'd only need to update the fstab appropriately and all would be well. We've found this to be a very effective way of separating data from OS/applications, you just need to to remember to be careful when erasing, re-imaging and definitely when partitioning! Cheers Dan On 9 Jan 2009, at 16:30, Miles Leacy wrote: > UUIDs, being universally unique, you can't reference a UUID from > machine A and disk A on machine B. It's like telling someone to go > to Guam when this person doesn't know where Guam is and has neither > a boat nor a plane. > > I've just skimmed the script so far (I have some deadlines I'm > working today), but if I read it correctly, Dan's script is quite > clever in that it dynamically grabs the appropriate UUID from the > disk being acted upon. So, if using the UUID is a best practice, > then Dan's got quite a nugget of scripty goodness here. > > To make sure due diligence is performed, let me ask; What if any > issues has anyone using fstab in this way encountered? Are there > any theoretical issues to be concerned about? > > ---------- > Miles A. Leacy IV > > Certified System Administrator 10.4 > Certified Technical Coordinator 10.5 > Certified Trainer > Certified Casper Administrator > ---------- > voice: 1-347-277-7321 > miles.leacy at themacadmin.com > www.themacadmin.com > > > > > 2009/1/9 Thomas Larkin > When we did our massive dual boot image over this last summer I was > looking at the /etc/fstab file to hide the windows partition from > the OS X side. I had so many problems getting fstab to work. It > would not work for me if I used volume name or the device mount > point, ie /dev/disk1s3/. It would work if I used UUID, but if you > mass duplicate that UUID to tons of machines I found that it > wouldn't work. > > What has been your experience using /etc/fstab in 10.5? > > > > ___________________________ > Thomas Larkin > TIS Department > KCKPS USD500 > tlarki at kckps.org > blackberry: 913-449-7589 > office: 913-627-0351 > > > > > > >>> Daniel Farnworth > 01/09/09 7:15 AM >>> > > He he, thought that'd be popular. > > The script is fairly poorly written (I'm not a Bash wiz) so any > improvements are welcome (please let me have any so I can improve > mine). > > We run it as a 'before' script during our imaging process and it > takes a look at the internal disks, tries to figure out which is the > system disk or otherwise the disk in the first bay (Mac Pros only I > think) and then partitions it up into various volumes that we want. > Our post-flight script then takes the names of these and builds an > fstab file which it writes down to /etc. It also moves our admin > user's ('lwsadmin' in the script) home directory to /var/homes. We > figured this may be wise just in case the data partition goes dead > for any reason. Our OS image is pre-confd with lwsadmin's home > pointing at the correct location, so you may want to excise this > section and rely on using root to login in bad circumstances. > > Oh, the post script also 'hides' some of the partitions (Restore, > Freespace etc) so they don't show on the desktop, check the resulting > fstab to see how this is done. > > Be careful using this, it is destructive. Usual disclaimers apply =) > > ### Pre-install Partition Script > > #!/bin/bash -v > > exec 2>&1 > > function rawdisksize { > FLOAT=$1 > INT1=${FLOAT/.*} > #if $(( INT1 % 10 )) then > while (( INT1 % 10 )) > do > let INT1++ > done > #fi > echo "$INT1" > } > > > function partitionsizes { > > case $RAW_SIZE in > > 30) > INTHD_SIZE=15 > HOMES_SIZE=10 > SCRATCH_SIZE=3 > RESTORE_SIZE=0 > ;; > > 40) > INTHD_SIZE=20 > HOMES_SIZE=10 > SCRATCH_SIZE=5 > RESTORE_SIZE=0 > ;; > > 60) > INTHD_SIZE=30 > HOMES_SIZE=10 > SCRATCH_SIZE=10 > RESTORE_SIZE=5 > ;; > > 80) > INTHD_SIZE=40 > HOMES_SIZE=10 > SCRATCH_SIZE=10 > RESTORE_SIZE=10 > ;; > > 120) > INTHD_SIZE=60 > HOMES_SIZE=20 > SCRATCH_SIZE=10 > RESTORE_SIZE=20 > ;; > > 160) > INTHD_SIZE=80 > HOMES_SIZE=25 > SCRATCH_SIZE=10 > RESTORE_SIZE=25 > ;; > > 240) > INTHD_SIZE=160 > HOMES_SIZE=25 > SCRATCH_SIZE=10 > RESTORE_SIZE=25 > ;; > > *) > INTHD_SIZE=$(( ($RAW_SIZE / 100) * 66 )) > HOMES_SIZE=$(( ($RAW_SIZE / 100) * 11 )) > SCRATCH_SIZE=$(( ($RAW_SIZE / 100) * 11 )) > RESTORE_SIZE=$(( ($RAW_SIZE / 100) * 11 )) > ;; > esac > > } > > > # Define a function to define whether this is a 'Bay Capable' machine > #function bayedmachine { > > # This needs to be written fairly soon > > #} > > > if [ ! -e /Volumes/CP-IntHD-01/.cp-partition-done ]; then > > echo ${1} > TARGETDISK=`diskutil info ${1} | grep "Device Identifier:" | awk > '{ print $3 }' | cut -c 1-5` > echo ${TARGETDISK} > > # now to partition the disk > # > > if [ ! -z $TARGETDISK ] > then > TOTAL_SIZE=`diskutil info $TARGETDISK | grep "Total Size" | awk > '{ print $3 }'` > RAW_SIZE=$(rawdisksize $TOTAL_SIZE) > partitionsizes > > echo "Total size of $TARGETDISK: $TOTAL_SIZE GB" > echo "Raw size of $TARGETDISK: $RAW_SIZE GB" > echo "CP-IntHD-01 Size: $INTHD_SIZE GB" > echo "CP-Homes-01 Size: $HOMES_SIZE GB" > echo "CP-Scratch-NOT-BackedUp Size: $SCRATCH_SIZE GB" > echo "Restore Size: $RESTORE_SIZE GB" > > > # Check processor type so we partition in the right format > > sysinfo=`system_profiler` > > countPPC=`echo ${sysinfo} | grep -c PowerPC` > countIntel=`echo ${sysinfo} | grep -c Intel` > > if [ ${countPPC} -ge 1 -a ${countIntel} -eq 0 ]; then > echo "Got a PPC in here" > partition_scheme_type="APMFormat" > > elif [ ${countIntel} -ge 1 -a ${countPPC} -eq 0 ]; then > echo "Intel Inside" > partition_scheme_type="GPTFormat" > > else > echo "Can't work out what kinda proc, it either ain't got one or > could be a Cray?" > exit 1 > > fi > > > # Set the partition going > > if [ $RESTORE_SIZE -gt 0 ]; then > > diskutil partitionDisk $TARGETDISK 4 $partition_scheme_type \ > "Journaled HFS+" CP-IntHD-01 "$INTHD_SIZE"G \ > "Journaled HFS+" CP-Homes-01 "$HOMES_SIZE"G \ > "Journaled HFS+" CP-Scratch-NOT-BackedUp "$SCRATCH_SIZE"G \ > "Journaled HFS+" Restore "$RESTORE_SIZE"G > > else > > diskutil partitionDisk $TARGETDISK 3 $partition_scheme_type \ > "Journaled HFS+" CP-IntHD-01 "$INTHD_SIZE"G \ > "Journaled HFS+" CP-Homes-01 "$HOMES_SIZE"G \ > "Journaled HFS+" CP-Scratch-NOT-BackedUp "$SCRATCH_SIZE"G > > fi > > > chown root:admin /Volumes/CP-Homes-01 > chown root:admin /Volumes/CP-Scratch-NOT-BackedUp > chown root:admin /Volumes/Restore > chown root:admin /Volumes/Free-Space > > chmod g+w /Volumes/CP-Homes-01 > chmod g+w /Volumes/CP-Scratch-NOT-BackedUp > chmod g+w /Volumes/Restore > chmod g+w /Volumes/Free-Space > > touch /Volumes/CP-IntHD-01/.cp-partition-done > > else > > echo "Problem acquiring target disk, exiting"; > exit 1 > > fi > > else > > echo "The partition scheme has already been created. Exiting" > exit 0 > > fi > > exit 0 > > > ### Post Install Script > > #!/bin/bash -v > > # Redirect STDERR to STDOUT > exec 2>&1 > > VOLSDIR="/Volumes/" > > ROOTVOL="CP-IntHD-01" > HOMESVOL="CP-Homes-01" > > ROOTPATH="${VOLSDIR}${ROOTVOL}" > HOMESPATH="${VOLSDIR}${HOMESVOL}" > > > > > if [ -e "${1}/.cp-partition-done" ]; then > > # Ditto the contents of $ROOTPART/Users/Shared to their new location > > ditto -v "${1}/Users/Shared" "${HOMESPATH}/Shared" > if (( ! $? )); then > > # Remove the old copy of $ROOTPART/Users/Shared > echo "Done dittoing..." > rm -vR "${1}/Users/Shared" || { echo "rm /Users/Shared failed" ; } > rm -v "${1}/Users/.DS_Store" || { echo "rm /Users/.DS_Store > failed" ; } > rm -v "${1}/Users/.localized" || { echo "rm /Users/.localized > failed" ; } > > if [ -e "${1}/var/homes/lwsadmin" ]; then > rm -vR "${1}/Users/lwsadmin" || { echo "rm /Users/lwsadmin > failed" ; } > fi > > DEVID=`diskutil list | grep $HOMESVOL | awk '{print $6}'` > UUID=`diskutil info $DEVID | grep UUID | /usr/bin/awk {'print $2'}` > echo "# Remap the $HOMESPATH to /Users" >> $1/etc/fstab || { echo > "'fstab' Stage 1 failed: $HOMESPATH" ; exit 1 ; } > echo -e "UUID=${UUID}\t/Users\thfs\trw,nobrowse\t1\t1\n" >> $1/etc/ > fstab || { echo "'fstab' Stage 2 failed: $HOMESPATH" ; exit 1 ; } > > HIDDEN_VOLS=(Restore Free-Space) > > for volume in "${HIDDEN_VOLS[@]}"; do > > DEVID=`diskutil list | grep $volume | awk '{print $6}'` > UUID=`diskutil info $DEVID | grep UUID | /usr/bin/awk {'print $2'}` > > echo "# Set the volume $volume to not mount at startup" >> $1/etc/ > fstab || { echo "'fstab' Stage 3 ($volume) failed: $volume" ; exit > 1 ; } > echo -e "UUID=${UUID}\tnone\thfs\trw,noauto\t1\t1\n" >> $1/etc/ > fstab || { echo "'fstab' Stage 4 ($volume) failed: $UUID" ; exit 1 ; } > > done > > fi > > touch "${1}/.cp-user-migration-done" || { echo "Task completion file > could not be created" ; exit 1 ; } > > exit 0 > > else > # Log the error > echo "Could not find partition completion file. It would be wise not > to continue" > # Exit with above 0 status > exit 1 > > fi > > > > > > > On 9 Jan 2009, at 12:44, Damien Weiss wrote: > > > > > YES!!!!! PLEASE!!!! Send that script on. That's something that I > > would implement almost immediately. > > > > Thanks! > > Damien > > > > On Jan 9, 2009, at 7:19 AM, Daniel Farnworth wrote: > > > >> I have a pre- > >> install script that we use to do this for us if anyone is > interested. > >> > >> Cheers > >> Dan > > > > -- > Daniel Farnworth > IT Manager > The Creative Partnership > daniel.farnworth at thecreativepartnership.co.uk > > http://www.thecreativepartnership.co.uk > Tel: +44 (0)20 7439 7762 > Fax: +44 (0)20 7437 1467 > > PGP Public Key available > > > > > > > The information contained in this communication is intended solely > for the use of the individual or entity to whom it is addressed and > others authorised to receive it. It may contain confidential or > legally privileged information. If you are not the intended > recipient you are hereby notified that any disclosure, copying, > distribution or taking any action in reliance on the contents of > this information is strictly prohibited and may be unlawful. If you > have received this communication in error, please notify > postmaster at thecreativepartnership.co.uk immediately and then delete > this email from your system. Any views or opinions presented in > this email are solely those of the author and do not necessarily > represent those of The Creative Partnership. The Creative > Partnership has taken every reasonable precaution to ensure that > any attachment to this e-mail has been swept for viruses. However, > The Creative Partnership cannot accept liability for any damage > sustained as a result of s > oftware viruses and would advise that you carry out your own virus > checks before opening any attachment. > > _______________________________________________ > Casper mailing list > Casper at list.jamfsoftware.com > http://list.jamfsoftware.com/mailman/listinfo/casper > > > _______________________________________________ > Casper mailing list > Casper at list.jamfsoftware.com > http://list.jamfsoftware.com/mailman/listinfo/casper > > -- Daniel Farnworth IT Manager The Creative Partnership daniel.farnworth at thecreativepartnership.co.uk http://www.thecreativepartnership.co.uk Tel: +44 (0)20 7439 7762 Fax: +44 (0)20 7437 1467 PGP Public Key available The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorised to receive it. It may contain confidential or legally privileged information. If you are not the intended recipient you are hereby notified that any disclosure, copying, distribution or taking any action in reliance on the contents of this information is strictly prohibited and may be unlawful. If you have received this communication in error, please notify postmaster at thecreativepartnership.co.uk immediately and then delete this email from your system. Any views or opinions presented in this email are solely those of the author and do not necessarily represent those of The Creative Partnership. The Creative Partnership has taken every reasonable precaution to ensure that any attachment to this e-mail has been swept for viruses. However, The Creative Partnership cannot accept liability for any damage sustained as a result of software viruses and would advise that you carry out your own virus checks before opening any attachment. From miles.leacy at themacadmin.com Mon Jan 12 07:11:01 2009 From: miles.leacy at themacadmin.com (Miles Leacy) Date: Mon, 12 Jan 2009 10:11:01 -0500 Subject: [Casper] Dummy Receipts and Custom Triggering a Policy In-Reply-To: <16A544D3-EA6B-4332-AD96-9279B2B30174@uwsp.edu> References: <16A544D3-EA6B-4332-AD96-9279B2B30174@uwsp.edu> Message-ID: Gents, I'm taking this back on list because there may be others in the community that would benefit from this discussion. To Recap, there are two questions: how to use custom triggers and how to create dummy receipts. To use a custom trigger there are two things to do: 1. Create a policy and in the General tab, choose "other (Manually specify the run at action in this field) -->" from the "Triggered by:" drop down menu and enter your custom trigger in the text field next to this drop down menu. I use Apple-esque run-together phrases with caps, such as "memberAccountingComputerGroup" for my custom triggers. I'm not sure what the upper limit is for custom trigger length, but I haven't hit it yet, and I like to be descriptive with my triggers. Re: "Dummy receipts" The so-called "dummy receipt" is a receipt from a payload-free package. I create empty prebuilt Apple .pkg files using Composer like so... 1. Create an empty folder with the same name as your intended package (and receipt) in /Applications/The Casper Suite/Temp/ (see attachment "Picture 1.png") 2. Open Composer, choose this prebuilt package and save it as an Apple .pkg. (see attachment "Picture 2.png") Some may find that using these "dummy receipts" creates clutter, but if you integrate the concept into your workflows, document your work, and maintain clear and consistent policies (in the general sense, not Casper Policies) and naming conventions, use of receipts in this way can be a very efficient and effective method to extend your management capabilities. ---------- Miles A. Leacy IV ? Certified System Administrator 10.4 ? Certified Technical Coordinator 10.5 ? Certified Trainer Certified Casper Administrator ---------- voice: 1-347-277-7321 miles.leacy at themacadmin.com www.themacadmin.com On Fri, Jan 9, 2009 at 5:39 PM, Ryan Harter wrote: > I haven't used dummy receipts before, I've been trying to avoid them if > possible because it seems like more for me to keep track of. Miles might be > able to give you more help with that. > As for the custom trigger, you've got it all figured out. when you set a > policy you can set triggered by to custom (I think it even has an ascii > arrow ----->) and enter the trigger in the text box. Then you call sudo > jamf policy --trigger "custom trigger" and it will run that policy. I > currently do it as a workaround to get my adobe installs to run after boot > time. > > Hope this helps, > * > Ryan Harter* > UW - Stevens Point > Workstation Developer > 715.346.2716 > Ryan.Harter at uwsp.edu > > On Jan 9, 2009, at 4:30 PM, Cyrus Vahhaji wrote: > > Miles, Ryan, > > I've been following "Computer group from AD" thread and you brought up > dummy receipts and triggering custom policies and didn't want to hijack the > thread with my question. > > What is the best way of creating a Dummy Receipt? Would it be an empty > folder created in Composer? > > What do you mean by "custom trigger" here? > - if desired group is found, issue a custom trigger of "receipt exists". > Is it triggering a policy to add the dummy receipt that the machine is in > AD? If so, are you using something like "sudo jamf policy ?trigger "desired > policy" > > Thanx, > > *Cyrus Vahhaji > **Accenture > Best Buy Technology Group > *desk ? 612.291.3643 > fax ? 952.430.4260 > email ? mailto:cyrus.vahhaji at bestbuy.com > > This message is for the designated recipient only and may contain > privileged, proprietary, or otherwise private information. If you have > received it in error, please notify the sender immediately and delete the > original. Any other use of the email by you is prohibited. > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://list.jamfsoftware.com/pipermail/casper/attachments/20090112/1a794e67/attachment-0001.htm -------------- next part -------------- A non-text attachment was scrubbed... Name: Picture 1.png Type: image/png Size: 119266 bytes Desc: not available Url : http://list.jamfsoftware.com/pipermail/casper/attachments/20090112/1a794e67/attachment-0002.png -------------- next part -------------- A non-text attachment was scrubbed... Name: Picture 2.png Type: image/png Size: 87124 bytes Desc: not available Url : http://list.jamfsoftware.com/pipermail/casper/attachments/20090112/1a794e67/attachment-0003.png From rharter at uwsp.edu Mon Jan 12 07:38:55 2009 From: rharter at uwsp.edu (Ryan Harter) Date: Mon, 12 Jan 2009 09:38:55 -0600 Subject: [Casper] Computer group from AD In-Reply-To: References:

Message-ID: I'd like to update everyone on this issue. Jamf has replied to my emails saying that this is actually possible. What you need to do is: 1. Set up a new LDAP server (even if you have one for users) and scope it to computers. 2. Click "Text Server" and make sure you can see the groups, computers, and computer's group membership. 3. The groups from AD should now appear in the "Static Computer Groups" section with their source being "Active Directory". That is what Jamf says should be happening, however, I've gotten through setup two and they still don't show up in Groups. It could be an environment specific problem, but I'll let you know how to get it working when I figure it out. Ryan Harter UW - Stevens Point Workstation Developer 715.346.2716 Ryan.Harter at uwsp.edu On Jan 9, 2009, at 2:50 PM, Miles Leacy wrote: > I'm a big fan of smart groups based on dummy receipts. > > To break it down (as I would do it, at least): > > Run the initial policy on all machines (once per day, limited to off- > hours if there would be any performance concerns). This policy does: > - run script that checks AD groups. > - if desired group is found, issue a custom trigger of "receipt > exists". > - if desired group is not found, issue a custom trigger of "receipt > does not exist". > > The "receipt exists" custom trigger policy does: > - Install the dummy package > > The "receipt does not exist" custom trigger policy does: > - delete the dummy package's receipt > > Smart group is scoped to the existence of the dummy receipt. > > You can now scope to your smart group knowing that it consists of > all members of your target AD group, with up to a 24-hour lag behind > changes in group membership. If 24 hours is too big of a window, > you could set it to every15 (or 30 or whatever your periodic trigger > is) and execution frequency of "ongoing". This is pretty > lightweight, so I don't think there's any cause for performance > concerns. > > ---------- > Miles A. Leacy IV > > ? Certified System Administrator 10.4 > ? Certified Technical Coordinator 10.5 > ? Certified Trainer > Certified Casper Administrator > ---------- > voice: 1-347-277-7321 > miles.leacy at themacadmin.com > www.themacadmin.com > > > > > On Fri, Jan 9, 2009 at 3:22 PM, Ryan Harter wrote: > This sounds like a good workaround. I have emailed JAMF about this > too, but haven't heard anything. I'm sure they're all off at > MacWorld:) > > I was hoping for a solution that I could make a computer group with > so that I could only run it on the computers that need it and not on > every computer just for the 20% that actually need the client. > > There is also talk of "leasing" CS3 licenses to departments on > campus, in which case I would like to have self service only > advertise the install on the computers that are in the CS3Licensed > AD group. I may do this by having us add the users to a group as > well and scope it that way temporarily, but the ultimate goal is to > have it available for department machines, not users. > > I was thinking of some sort of logic like: > > 1. run a policy that will check dscl for the group memberships of > the computer. > 2. install a dummy package. > 3. base a smart group on the receipt of the dummy package. > 4. scope the policies to the smart group > > That way, I can not only run the policy just for the group, but also > keep a record of who's in it. It's not a very elegant solution, but > it may have to do. > > Ryan Harter > UW - Stevens Point > Workstation Developer > 715.346.2716 > Ryan.Harter at uwsp.edu > > On Jan 9, 2009, at 1:35 PM, Miles Leacy wrote: > >> "Bound to a directory" and "Member of a group" are different >> concepts. >> >> I would also like the ability to recognize computer accounts and >> computer groups. >> >> You could work around the current situation with a script using >> logic like so: >> >> 1. Query LDAP (AD) for the groups "my computer" ($2, assuming your >> machine names are the same as your AD names) belongs to. >> 2. grep the output for the group you want to key on. >> 3. call a custom trigger >> >> The ability for Casper to recognize computer accounts & groups >> would be better than this, but this can give you the same net >> effect as scoping a policy to an AD group. This also assumes you >> have the ability to perform LDAP lookups in AD. If your JSS is >> taking advantage of LDAP, then you could use the same account to >> perform the lookup in the script. >> >> ---------- >> Miles A. Leacy IV >> >> ? Certified System Administrator 10.4 >> ? Certified Technical Coordinator 10.5 >> ? Certified Trainer >> Certified Casper Administrator >> ---------- >> voice: 1-347-277-7321 >> miles.leacy at themacadmin.com >> www.themacadmin.com >> >> >> >> >> 2009/1/9 Nichols, Jared >> Wouldn't you just create a smart computer group that goes off of >> the Active Directory Status attribute? You could either make it >> "Active Directory Status" is <> (if you have more than >> one and you want to specify which) or you could make "Active >> Directory Status" is not "Not Bound" It's a double negative, but >> that would return any machine bound to an AD, no matter what the AD >> is called. >> >> See Attachment. >> >> Maybe I don't understand completely your question? >> >> j >> >> >> On 1/9/09 12:57 , "Ernst, Craig S." wrote: >> >> Don't believe the JSS works with computer accounts in AD. >> >> Craig E >> >> >> On 1/9/09 11:56 AM, "Ryan Harter" wrote: >> >> Hey Guys- >> >> Has anyone created a smart group that would take members based on >> if the computer is a member of an AD group. >> >> Essentially what I'm trying to do is scope a policy to a group of >> computers in AD, like you can with the User scope, but it doesn't >> seem to work with computers. >> >> When user's register for our disaster recovery system, their >> computer is added to a group in AD, and I would like to install the >> backup client on their machine based on whether or not they are in >> this group. Any ideas? >> >> >> Ryan Harter >> UW - Stevens Point >> Workstation Developer >> 715.346.2716 >> Ryan.Harter at uwsp.edu >> >> >> >> >> >> -- >> Jared Nichols >> ISD Infrastructure and Operations ? Desktop Engineering >> MIT Lincoln Laboratory >> 244 Wood St. >> Lexington, MA 02420-9108 >> (781) 981-5500 >> >> _______________________________________________ >> Casper mailing list >> Casper at list.jamfsoftware.com >> http://list.jamfsoftware.com/mailman/listinfo/casper >> >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://list.jamfsoftware.com/pipermail/casper/attachments/20090112/77970a09/attachment.htm From miles.leacy at themacadmin.com Mon Jan 12 08:31:37 2009 From: miles.leacy at themacadmin.com (Miles Leacy) Date: Mon, 12 Jan 2009 11:31:37 -0500 Subject: [Casper] Dummy Receipts and Custom Triggering a Policy In-Reply-To: References: <16A544D3-EA6B-4332-AD96-9279B2B30174@uwsp.edu> Message-ID: Oops, I realized that I forgot to mention the second thing to do to use custom triggers. Ryan mentioned it further back in the thread, but here it is again... After you save your policy that is triggered by "other", for example, let's say that other="customTrigger". You call the custom-triggered policy via the jamf binary like so: sudo jamf policy --trigger "customTrigger" ---------- Miles A. Leacy IV ? Certified System Administrator 10.4 ? Certified Technical Coordinator 10.5 ? Certified Trainer Certified Casper Administrator ---------- voice: 1-347-277-7321 miles.leacy at themacadmin.com www.themacadmin.com On Mon, Jan 12, 2009 at 10:11 AM, Miles Leacy wrote: > Gents, > I'm taking this back on list because there may be others in the community > that would benefit from this discussion. > > To Recap, there are two questions: how to use custom triggers and how to > create dummy receipts. > > To use a custom trigger there are two things to do: > 1. Create a policy and in the General tab, choose "other (Manually specify > the run at action in this field) -->" from the "Triggered by:" drop down > menu and enter your custom trigger in the text field next to this drop down > menu. I use Apple-esque run-together phrases with caps, such as > "memberAccountingComputerGroup" for my custom triggers. I'm not sure what > the upper limit is for custom trigger length, but I haven't hit it yet, and > I like to be descriptive with my triggers. > > Re: "Dummy receipts" > The so-called "dummy receipt" is a receipt from a payload-free package. I > create empty prebuilt Apple .pkg files using Composer like so... > 1. Create an empty folder with the same name as your intended package (and > receipt) in /Applications/The Casper Suite/Temp/ (see attachment "Picture > 1.png") > 2. Open Composer, choose this prebuilt package and save it as an Apple > .pkg. (see attachment "Picture 2.png") > > Some may find that using these "dummy receipts" creates clutter, but if you > integrate the concept into your workflows, document your work, and maintain > clear and consistent policies (in the general sense, not Casper Policies) > and naming conventions, use of receipts in this way can be a very efficient > and effective method to extend your management capabilities. > > ---------- > Miles A. Leacy IV > > ? Certified System Administrator 10.4 > ? Certified Technical Coordinator 10.5 > ? Certified Trainer > Certified Casper Administrator > ---------- > voice: 1-347-277-7321 > miles.leacy at themacadmin.com > www.themacadmin.com > > > > > > On Fri, Jan 9, 2009 at 5:39 PM, Ryan Harter wrote: > >> I haven't used dummy receipts before, I've been trying to avoid them if >> possible because it seems like more for me to keep track of. Miles might be >> able to give you more help with that. >> As for the custom trigger, you've got it all figured out. when you set a >> policy you can set triggered by to custom (I think it even has an ascii >> arrow ----->) and enter the trigger in the text box. Then you call sudo >> jamf policy --trigger "custom trigger" and it will run that policy. I >> currently do it as a workaround to get my adobe installs to run after boot >> time. >> >> Hope this helps, >> * >> Ryan Harter* >> UW - Stevens Point >> Workstation Developer >> 715.346.2716 >> Ryan.Harter at uwsp.edu >> >> On Jan 9, 2009, at 4:30 PM, Cyrus Vahhaji wrote: >> >> Miles, Ryan, >> >> I've been following "Computer group from AD" thread and you brought up >> dummy receipts and triggering custom policies and didn't want to hijack the >> thread with my question. >> >> What is the best way of creating a Dummy Receipt? Would it be an empty >> folder created in Composer? >> >> What do you mean by "custom trigger" here? >> - if desired group is found, issue a custom trigger of "receipt exists". >> Is it triggering a policy to add the dummy receipt that the machine is in >> AD? If so, are you using something like "sudo jamf policy ?trigger "desired >> policy" >> >> Thanx, >> >> *Cyrus Vahhaji >> **Accenture >> Best Buy Technology Group >> *desk ? 612.291.3643 >> fax ? 952.430.4260 >> email ? mailto:cyrus.vahhaji at bestbuy.com >> >> This message is for the designated recipient only and may contain >> privileged, proprietary, or otherwise private information. If you have >> received it in error, please notify the sender immediately and delete the >> original. Any other use of the email by you is prohibited. >> >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://list.jamfsoftware.com/pipermail/casper/attachments/20090112/35700732/attachment.htm From miles.leacy at themacadmin.com Mon Jan 12 09:26:09 2009 From: miles.leacy at themacadmin.com (Miles Leacy) Date: Mon, 12 Jan 2009 12:26:09 -0500 Subject: [Casper] Search and destroy apps Message-ID: Hi all, I have another script to share. In more than one environment I've worked with, users were not allowed to store or run apps in/from their home folders. Policies were made clear that any apps in one's home folder were considered a policy violation, and subject to automatic deletion. I put together the following script to make sure I never had to go hunt for someone's hidden apps again. #!/bin/bash ##### HEADER BEGINS ##### # scr_maint_searchDestroyAppsInHomeFolder.bash # # Created 20080729 by Miles A. Leacy IV # miles.leacy at themacadmin.com # Modified 20090112 by Miles A. Leacy IV # Copyright 2009 Miles A. Leacy IV # # This script may be copied and distributed freely as long as this header remains intact. # # This script is provided "as is". The author offers no warranty or guarantee of any kind. # Use of this script is at your own risk. The author takes no responsibility for loss of use, # loss of data, loss of job, loss of socks, the onset of armageddon, or any other negative effects. # # Test thoroughly in a lab environment before use on production systems. # When you think it's ok, test again. When you're certain it's ok, test twice more. # # This script performs a search & destroy on any apps in the user's home folder # This script deletes user data. Be sure of your organization's policies as they may apply before using. # # Again, THIS SCRIPT DELETES USER DATA. Make sure you understand what data will be deleted and that it is # permissible to delete that data before using this script. # # It is intended to be run as part of a Casper policy triggered by login. # # Note: This script can take several minutes to run on very large home folders. # It took 5 minutes and 31 seconds on a 146.77 GB home folder on a Mac Pro in testing. # ##### HEADER ENDS ##### # Set $isapp to indicate whether an item is an application # initial value is 0 # a value of 0 = not an application # a value of 1 = an application isapp=0 # return the absolute path of each item in the specified directory and act upon them in the "do" loop. find /Users/$3 | while read file do # skip the contents of .app bundles [[ "$file" = *.app/* ]] && continue # determine whether $file is an application and change value of $isapp if it is isapp=`mdls -name kMDItemKind "$file"|grep -c Application` # if $file is an application ($isapp contains any nonzero value), act upon it. if [ $isapp -ne 0 ]; then echo "Deleting" "$file"; fi # reset $isapp isapp=0 done ---------- Miles A. Leacy IV ? Certified System Administrator 10.4 ? Certified Technical Coordinator 10.5 ? Certified Trainer Certified Casper Administrator ---------- voice: 1-347-277-7321 miles.leacy at themacadmin.com www.themacadmin.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://list.jamfsoftware.com/pipermail/casper/attachments/20090112/af46bca4/attachment.html From william.smith at merrillcorp.com Mon Jan 12 09:38:22 2009 From: william.smith at merrillcorp.com (Smith, William) Date: Mon, 12 Jan 2009 11:38:22 -0600 Subject: [Casper] Dummy Receipts and Custom Triggering a Policy In-Reply-To: Message-ID: Very nifty! I?d like to see this get added to the JAMF KB. Couldn?t find anything like this there. -- bill William M. Smith, Technical Analyst MCS IT Merrill Communications, LLC (651) 632-1492 On 1/12/09 10:31 AM, "Miles Leacy" wrote: > Oops, I realized that I forgot to mention the second thing to do to use custom > triggers. Ryan mentioned it further back in the thread, but here it is > again... > > After you save your policy that is triggered by "other", for example, let's > say that other="customTrigger". > > You call the custom-triggered policy via the jamf binary like so: > > sudo jamf policy --trigger "customTrigger" > > On Mon, Jan 12, 2009 at 10:11 AM, Miles Leacy > wrote: >> Gents, >> >> I'm taking this back on list because there may be others in the community >> that would benefit from this discussion. >> >> To Recap, there are two questions: how to use custom triggers and how to >> create dummy receipts. >> >> To use a custom trigger there are two things to do: >> 1. Create a policy and in the General tab, choose "other (Manually specify >> the run at action in this field) -->" from the "Triggered by:" drop down menu >> and enter your custom trigger in the text field next to this drop down menu. >> I use Apple-esque run-together phrases with caps, such as >> "memberAccountingComputerGroup" for my custom triggers. I'm not sure what >> the upper limit is for custom trigger length, but I haven't hit it yet, and I >> like to be descriptive with my triggers. >> >> Re: "Dummy receipts" >> The so-called "dummy receipt" is a receipt from a payload-free package. I >> create empty prebuilt Apple .pkg files using Composer like so... >> 1. Create an empty folder with the same name as your intended package (and >> receipt) in /Applications/The Casper Suite/Temp/ (see attachment "Picture >> 1.png") >> 2. Open Composer, choose this prebuilt package and save it as an Apple .pkg. >> (see attachment "Picture 2.png") >> >> Some may find that using these "dummy receipts" creates clutter, but if you >> integrate the concept into your workflows, document your work, and maintain >> clear and consistent policies (in the general sense, not Casper Policies) and >> naming conventions, use of receipts in this way can be a very efficient and >> effective method to extend your management capabilities. >> >> On Fri, Jan 9, 2009 at 5:39 PM, Ryan Harter wrote: >>> I haven't used dummy receipts before, I've been trying to avoid them if >>> possible because it seems like more for me to keep track of. Miles might be >>> able to give you more help with that. >>> >>> As for the custom trigger, you've got it all figured out. when you set a >>> policy you can set triggered by to custom (I think it even has an ascii >>> arrow ----->) and enter the trigger in the text box. Then you call sudo >>> jamf policy --trigger "custom trigger" and it will run that policy. I >>> currently do it as a workaround to get my adobe installs to run after boot >>> time. >>> >>> On Jan 9, 2009, at 4:30 PM, Cyrus Vahhaji wrote: >>> >>>> Miles, Ryan, >>>> >>>> I've been following "Computer group from AD" thread and you brought up >>>> dummy receipts and triggering custom policies and didn't want to hijack the >>>> thread with my question. >>>> >>>> What is the best way of creating a Dummy Receipt? Would it be an empty >>>> folder created in Composer? >>>> >>>> What do you mean by "custom trigger" here? >>>> - if desired group is found, issue a custom trigger of "receipt exists". >>>> Is it triggering a policy to add the dummy receipt that the machine is in >>>> AD? If so, are you using something like "sudo jamf policy ?trigger "desired >>>> policy" From miles.leacy at themacadmin.com Mon Jan 12 10:17:09 2009 From: miles.leacy at themacadmin.com (Miles Leacy) Date: Mon, 12 Jan 2009 13:17:09 -0500 Subject: [Casper] Search and destroy apps In-Reply-To: References: Message-ID: I left out a command in the script in my first message. Here is the complete script: #!/bin/bash ##### HEADER BEGINS ##### # scr_maint_searchDestroyAppsInHomeFolder.bash # # Created 20090112 by Miles A. Leacy IV # miles.leacy at themacadmin.com # Modified 20090112 by Miles A. Leacy IV # Copyright 2009 Miles A. Leacy IV # # This script may be copied and distributed freely as long as this header remains intact. # # This script is provided "as is". The author offers no warranty or guarantee of any kind. # Use of this script is at your own risk. The author takes no responsibility for loss of use, # loss of data, loss of job, loss of socks, the onset of armageddon, or any other negative effects. # # Test thoroughly in a lab environment before use on production systems. # When you think it's ok, test again. When you're certain it's ok, test twice more. # # This script performs a search & destroy on any apps in the user's home folder # This script deletes user data. Be sure of your organization's policies as they may apply before using. # # Again, THIS SCRIPT DELETES USER DATA. Make sure you understand what data will be deleted and that it is # permissible to delete that data before using this script. # # It is intended to be run as part of a Casper policy triggered by login. # # Note: This script can take several minutes to run on very large home folders. # It took 5 minutes and 31 seconds on a 146.77 GB home folder on a Mac Pro in testing. # ##### HEADER ENDS ##### # Set $isapp to indicate whether an item is an application # initial value is 0 # a value of 0 = not an application # a value of 1 = an application isapp=0 # return the absolute path of each item in the specified directory and act upon them in the "do" loop. find /Users/$3 | while read file do # skip the contents of .app bundles [[ "$file" = *.app/* ]] && continue # determine whether $file is an application and change value of $isapp if it is isapp=`mdls -name kMDItemKind "$file"|grep -c Application` # if $file is an application ($isapp contains any nonzero value), act upon it. if [ $isapp -ne 0 ]; then echo "Deleting" "$file"; rm -R "$file" fi # reset $isapp isapp=0 done ---------- Miles A. Leacy IV ? Certified System Administrator 10.4 ? Certified Technical Coordinator 10.5 ? Certified Trainer Certified Casper Administrator ---------- voice: 1-347-277-7321 miles.leacy at themacadmin.com www.themacadmin.com On Mon, Jan 12, 2009 at 12:26 PM, Miles Leacy wrote: > Hi all, > I have another script to share. In more than one environment I've worked > with, users were not allowed to store or run apps in/from their home > folders. Policies were made clear that any apps in one's home folder were > considered a policy violation, and subject to automatic deletion. I put > together the following script to make sure I never had to go hunt for > someone's hidden apps again. > > #!/bin/bash > > ##### HEADER BEGINS ##### > # scr_maint_searchDestroyAppsInHomeFolder.bash > # > # Created 20080729 by Miles A. Leacy IV > # miles.leacy at themacadmin.com > # Modified 20090112 by Miles A. Leacy IV > # Copyright 2009 Miles A. Leacy IV > # > # This script may be copied and distributed freely as long as this header > remains intact. > # > # This script is provided "as is". The author offers no warranty or > guarantee of any kind. > # Use of this script is at your own risk. The author takes no > responsibility for loss of use, > # loss of data, loss of job, loss of socks, the onset of armageddon, or any > other negative effects. > # > # Test thoroughly in a lab environment before use on production systems. > # When you think it's ok, test again. When you're certain it's ok, test > twice more. > # > # This script performs a search & destroy on any apps in the user's home > folder > # This script deletes user data. Be sure of your organization's policies > as they may apply before using. > # > # Again, THIS SCRIPT DELETES USER DATA. Make sure you understand what data > will be deleted and that it is > # permissible to delete that data before using this script. > # > # It is intended to be run as part of a Casper policy triggered by login. > # > # Note: This script can take several minutes to run on very large home > folders. > # It took 5 minutes and 31 seconds on a 146.77 GB home folder on a Mac Pro > in testing. > # > ##### HEADER ENDS ##### > > # Set $isapp to indicate whether an item is an application > # initial value is 0 > # a value of 0 = not an application > # a value of 1 = an application > isapp=0 > > # return the absolute path of each item in the specified directory and act > upon them in the "do" loop. > find /Users/$3 | while read file > do > > # skip the contents of .app bundles > [[ "$file" = *.app/* ]] && continue > > # determine whether $file is an application and change value of $isapp if > it is > isapp=`mdls -name kMDItemKind "$file"|grep -c Application` > > # if $file is an application ($isapp contains any nonzero value), act upon > it. > if [ $isapp -ne 0 ]; > then echo "Deleting" "$file"; > fi > > # reset $isapp > isapp=0 > > done > > ---------- > Miles A. Leacy IV > > ? Certified System Administrator 10.4 > ? Certified Technical Coordinator 10.5 > ? Certified Trainer > Certified Casper Administrator > ---------- > voice: 1-347-277-7321 > miles.leacy at themacadmin.com > www.themacadmin.com > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://list.jamfsoftware.com/pipermail/casper/attachments/20090112/f6988007/attachment.htm From Cyrus.Vahhaji at bestbuy.com Mon Jan 12 10:50:02 2009 From: Cyrus.Vahhaji at bestbuy.com (Cyrus Vahhaji) Date: Mon, 12 Jan 2009 12:50:02 -0600 Subject: [Casper] Dummy Receipts and Custom Triggering a Policy In-Reply-To: Message-ID: Miles, Thanx for your thorough info. Question on syntax used below. Should there be two dashes ?--? or one dash ?-? before trigger? Noticed Ryan also using two dashes but Jamf help pages has only one. Thanx for clarifying this. Cyrus From: Miles Leacy Date: Mon, 12 Jan 2009 11:31:37 -0500 To: Ryan Harter Cc: Cyrus Vahhaji , "Harter, Ryan" , Jamf List Serve Subject: Re: Dummy Receipts and Custom Triggering a Policy Oops, I realized that I forgot to mention the second thing to do to use custom triggers. Ryan mentioned it further back in the thread, but here it is again... After you save your policy that is triggered by "other", for example, let's say that other="customTrigger". You call the custom-triggered policy via the jamf binary like so: sudo jamf policy --trigger "customTrigger" ---------- Miles A. Leacy IV ? Certified System Administrator 10.4 ? Certified Technical Coordinator 10.5 ? Certified Trainer Certified Casper Administrator ---------- voice: 1-347-277-7321 miles.leacy at themacadmin.com www.themacadmin.com On Mon, Jan 12, 2009 at 10:11 AM, Miles Leacy wrote: > Gents, > > I'm taking this back on list because there may be others in the community that > would benefit from this discussion. > > To Recap, there are two questions: how to use custom triggers and how to > create dummy receipts. > > To use a custom trigger there are two things to do: > 1. Create a policy and in the General tab, choose "other (Manually specify the > run at action in this field) -->" from the "Triggered by:" drop down menu and > enter your custom trigger in the text field next to this drop down menu. I > use Apple-esque run-together phrases with caps, such as > "memberAccountingComputerGroup" for my custom triggers. I'm not sure what the > upper limit is for custom trigger length, but I haven't hit it yet, and I like > to be descriptive with my triggers. > > Re: "Dummy receipts" > The so-called "dummy receipt" is a receipt from a payload-free package. I > create empty prebuilt Apple .pkg files using Composer like so... > 1. Create an empty folder with the same name as your intended package (and > receipt) in /Applications/The Casper Suite/Temp/ (see attachment "Picture > 1.png") > 2. Open Composer, choose this prebuilt package and save it as an Apple .pkg. > (see attachment "Picture 2.png") > > Some may find that using these "dummy receipts" creates clutter, but if you > integrate the concept into your workflows, document your work, and maintain > clear and consistent policies (in the general sense, not Casper Policies) and > naming conventions, use of receipts in this way can be a very efficient and > effective method to extend your management capabilities. > > ---------- > Miles A. Leacy IV > > ? Certified System Administrator 10.4 > ? Certified Technical Coordinator 10.5 > ? Certified Trainer > Certified Casper Administrator > ---------- > voice: 1-347-277-7321 > miles.leacy at themacadmin.com > www.themacadmin.com > > > > > > On Fri, Jan 9, 2009 at 5:39 PM, Ryan Harter wrote: >> I haven't used dummy receipts before, I've been trying to avoid them if >> possible because it seems like more for me to keep track of. Miles might be >> able to give you more help with that. >> >> As for the custom trigger, you've got it all figured out. when you set a >> policy you can set triggered by to custom (I think it even has an ascii arrow >> ----->) and enter the trigger in the text box. Then you call sudo jamf >> policy --trigger "custom trigger" and it will run that policy. I currently >> do it as a workaround to get my adobe installs to run after boot time. >> >> Hope this helps, >> >> >> Ryan Harter >> UW - Stevens Point >> Workstation Developer >> 715.346.2716 >> Ryan.Harter at uwsp.edu >> >> >> On Jan 9, 2009, at 4:30 PM, Cyrus Vahhaji wrote: >> >>> Miles, Ryan, >>> >>> I've been following "Computer group from AD" thread and you brought up >>> dummy receipts and triggering custom policies and didn't want to hijack the >>> thread with my question. >>> >>> What is the best way of creating a Dummy Receipt? Would it be an empty >>> folder created in Composer? >>> >>> What do you mean by "custom trigger" here? >>> - if desired group is found, issue a custom trigger of "receipt exists". >>> Is it triggering a policy to add the dummy receipt that the machine is in >>> AD? If so, are you using something like "sudo jamf policy ?trigger "desired >>> policy" >>> >>> Thanx, >>> >>> Cyrus Vahhaji >>> Accenture >>> Best Buy Technology Group >>> desk ? 612.291.3643 >>> fax ? 952.430.4260 >>> email ? mailto:cyrus.vahhaji at bestbuy.com >>> >>> This message is for the designated recipient only and may contain >>> privileged, proprietary, or otherwise private information. If you have >>> received it in error, please notify the sender immediately and delete the >>> original. Any other use of the email by you is prohibited. >>> >>> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://list.jamfsoftware.com/pipermail/casper/attachments/20090112/7cb00d67/attachment.htm From miles.leacy at themacadmin.com Mon Jan 12 10:52:23 2009 From: miles.leacy at themacadmin.com (Miles Leacy) Date: Mon, 12 Jan 2009 13:52:23 -0500 Subject: [Casper] Dummy Receipts and Custom Triggering a Policy In-Reply-To: References: Message-ID: A single dash is correct. Sorry for the typo. ---------- Miles A. Leacy IV ? Certified System Administrator 10.4 ? Certified Technical Coordinator 10.5 ? Certified Trainer Certified Casper Administrator ---------- voice: 1-347-277-7321 miles.leacy at themacadmin.com www.themacadmin.com On Mon, Jan 12, 2009 at 1:50 PM, Cyrus Vahhaji wrote: > Miles, > > Thanx for your thorough info. Question on syntax used below. Should there > be two dashes "--" or one dash "-" before trigger? Noticed Ryan also using > two dashes but Jamf help pages has only one. > > Thanx for clarifying this. > Cyrus > > > ------------------------------ > *From: *Miles Leacy > *Date: *Mon, 12 Jan 2009 11:31:37 -0500 > *To: *Ryan Harter > *Cc: *Cyrus Vahhaji , "Harter, Ryan" < > Ryan.Harter at uwsp.edu>, Jamf List Serve > *Subject: *Re: Dummy Receipts and Custom Triggering a Policy > > Oops, I realized that I forgot to mention the second thing to do to use > custom triggers. Ryan mentioned it further back in the thread, but here it > is again... > > After you save your policy that is triggered by "other", for example, let's > say that other="customTrigger". > > You call the custom-triggered policy via the jamf binary like so: > > sudo jamf policy --trigger "customTrigger" > > > ---------- > Miles A. Leacy IV > > ? Certified System Administrator 10.4 > ? Certified Technical Coordinator 10.5 > ? Certified Trainer > Certified Casper Administrator > ---------- > voice: 1-347-277-7321 > miles.leacy at themacadmin.com > www.themacadmin.com > > > > > On Mon, Jan 12, 2009 at 10:11 AM, Miles Leacy > wrote: > > Gents, > > I'm taking this back on list because there may be others in the community > that would benefit from this discussion. > > To Recap, there are two questions: how to use custom triggers and how to > create dummy receipts. > > To use a custom trigger there are two things to do: > 1. Create a policy and in the General tab, choose "other (Manually specify > the run at action in this field) -->" from the "Triggered by:" drop down > menu and enter your custom trigger in the text field next to this drop down > menu. I use Apple-esque run-together phrases with caps, such as > "memberAccountingComputerGroup" for my custom triggers. I'm not sure what > the upper limit is for custom trigger length, but I haven't hit it yet, and > I like to be descriptive with my triggers. > > Re: "Dummy receipts" > The so-called "dummy receipt" is a receipt from a payload-free package. I > create empty prebuilt Apple .pkg files using Composer like so... > 1. Create an empty folder with the same name as your intended package (and > receipt) in /Applications/The Casper Suite/Temp/ (see attachment "Picture > 1.png") > 2. Open Composer, choose this prebuilt package and save it as an Apple > .pkg. (see attachment "Picture 2.png") > > Some may find that using these "dummy receipts" creates clutter, but if you > integrate the concept into your workflows, document your work, and maintain > clear and consistent policies (in the general sense, not Casper Policies) > and naming conventions, use of receipts in this way can be a very efficient > and effective method to extend your management capabilities. > > ---------- > Miles A. Leacy IV > > ? Certified System Administrator 10.4 > ? Certified Technical Coordinator 10.5 > ? Certified Trainer > Certified Casper Administrator > ---------- > voice: 1-347-277-7321 > miles.leacy at themacadmin.com > www.themacadmin.com > > > > > > On Fri, Jan 9, 2009 at 5:39 PM, Ryan Harter wrote: > > I haven't used dummy receipts before, I've been trying to avoid them if > possible because it seems like more for me to keep track of. Miles might be > able to give you more help with that. > > As for the custom trigger, you've got it all figured out. when you set a > policy you can set triggered by to custom (I think it even has an ascii > arrow ----->) and enter the trigger in the text box. Then you call sudo > jamf policy --trigger "custom trigger" and it will run that policy. I > currently do it as a workaround to get my adobe installs to run after boot > time. > > Hope this helps, > > * > Ryan Harter > *UW - Stevens Point > Workstation Developer > 715.346.2716 > Ryan.Harter at uwsp.edu > > > > On Jan 9, 2009, at 4:30 PM, Cyrus Vahhaji wrote: > > Miles, Ryan, > > I've been following "Computer group from AD" thread and you brought up > dummy receipts and triggering custom policies and didn't want to hijack the > thread with my question. > > What is the best way of creating a Dummy Receipt? Would it be an empty > folder created in Composer? > > What do you mean by "custom trigger" here? > - if desired group is found, issue a custom trigger of "receipt exists". > Is it triggering a policy to add the dummy receipt that the machine is in > AD? If so, are you using something like "sudo jamf policy ?trigger "desired > policy" > > Thanx, > > *Cyrus Vahhaji > **Accenture > Best Buy Technology Group > *desk ? 612.291.3643 > fax ? 952.430.4260 > email ? mailto:cyrus.vahhaji at bestbuy.com > > This message is for the designated recipient only and may contain > privileged, proprietary, or otherwise private information. If you have > received it in error, please notify the sender immediately and delete the > original. Any other use of the email by you is prohibited. > > > > > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://list.jamfsoftware.com/pipermail/casper/attachments/20090112/4dcede57/attachment.html From ERNSTCS at uwec.edu Mon Jan 12 11:08:27 2009 From: ERNSTCS at uwec.edu (Ernst, Craig S.) Date: Mon, 12 Jan 2009 13:08:27 -0600 Subject: [Casper] Dummy Receipts and Custom Triggering a Policy In-Reply-To: Message-ID: So now that you have all these message compile a single one that's all correct. =) Thanks, for the info, Miles!! Craig E On 1/12/09 12:52 PM, "Miles Leacy" wrote: A single dash is correct. Sorry for the typo. ---------- Miles A. Leacy IV ? Certified System Administrator 10.4 ? Certified Technical Coordinator 10.5 ? Certified Trainer Certified Casper Administrator ---------- voice: 1-347-277-7321 miles.leacy at themacadmin.com www.themacadmin.com On Mon, Jan 12, 2009 at 1:50 PM, Cyrus Vahhaji wrote: Miles, Thanx for your thorough info. Question on syntax used below. Should there be two dashes "--" or one dash "-" before trigger? Noticed Ryan also using two dashes but Jamf help pages has only one. Thanx for clarifying this. Cyrus ________________________________ From: Miles Leacy > Date: Mon, 12 Jan 2009 11:31:37 -0500 To: Ryan Harter > Cc: Cyrus Vahhaji >, "Harter, Ryan" >, Jamf List Serve > Subject: Re: Dummy Receipts and Custom Triggering a Policy Oops, I realized that I forgot to mention the second thing to do to use custom triggers. Ryan mentioned it further back in the thread, but here it is again... After you save your policy that is triggered by "other", for example, let's say that other="customTrigger". You call the custom-triggered policy via the jamf binary like so: sudo jamf policy --trigger "customTrigger" ---------- Miles A. Leacy IV ? Certified System Administrator 10.4 ? Certified Technical Coordinator 10.5 ? Certified Trainer Certified Casper Administrator ---------- voice: 1-347-277-7321 miles.leacy at themacadmin.com www.themacadmin.com On Mon, Jan 12, 2009 at 10:11 AM, Miles Leacy > wrote: Gents, I'm taking this back on list because there may be others in the community that would benefit from this discussion. To Recap, there are two questions: how to use custom triggers and how to create dummy receipts. To use a custom trigger there are two things to do: 1. Create a policy and in the General tab, choose "other (Manually specify the run at action in this field) -->" from the "Triggered by:" drop down menu and enter your custom trigger in the text field next to this drop down menu. I use Apple-esque run-together phrases with caps, such as "memberAccountingComputerGroup" for my custom triggers. I'm not sure what the upper limit is for custom trigger length, but I haven't hit it yet, and I like to be descriptive with my triggers. Re: "Dummy receipts" The so-called "dummy receipt" is a receipt from a payload-free package. I create empty prebuilt Apple .pkg files using Composer like so... 1. Create an empty folder with the same name as your intended package (and receipt) in /Applications/The Casper Suite/Temp/ (see attachment "Picture 1.png") 2. Open Composer, choose this prebuilt package and save it as an Apple .pkg. (see attachment "Picture 2.png") Some may find that using these "dummy receipts" creates clutter, but if you integrate the concept into your workflows, document your work, and maintain clear and consistent policies (in the general sense, not Casper Policies) and naming conventions, use of receipts in this way can be a very efficient and effective method to extend your management capabilities. ---------- Miles A. Leacy IV ? Certified System Administrator 10.4 ? Certified Technical Coordinator 10.5 ? Certified Trainer Certified Casper Administrator ---------- voice: 1-347-277-7321 miles.leacy at themacadmin.com www.themacadmin.com On Fri, Jan 9, 2009 at 5:39 PM, Ryan Harter > wrote: I haven't used dummy receipts before, I've been trying to avoid them if possible because it seems like more for me to keep track of. Miles might be able to give you more help with that. As for the custom trigger, you've got it all figured out. when you set a policy you can set triggered by to custom (I think it even has an ascii arrow ----->) and enter the trigger in the text box. Then you call sudo jamf policy --trigger "custom trigger" and it will run that policy. I currently do it as a workaround to get my adobe installs to run after boot time. Hope this helps, Ryan Harter UW - Stevens Point Workstation Developer 715.346.2716 Ryan.Harter at uwsp.edu On Jan 9, 2009, at 4:30 PM, Cyrus Vahhaji wrote: Miles, Ryan, I've been following "Computer group from AD" thread and you brought up dummy receipts and triggering custom policies and didn't want to hijack the thread with my question. What is the best way of creating a Dummy Receipt? Would it be an empty folder created in Composer? What do you mean by "custom trigger" here? - if desired group is found, issue a custom trigger of "receipt exists". Is it triggering a policy to add the dummy receipt that the machine is in AD? If so, are you using something like "sudo jamf policy -trigger "desired policy" Thanx, Cyrus Vahhaji Accenture Best Buy Technology Group desk - 612.291.3643 fax - 952.430.4260 email - mailto:cyrus.vahhaji at bestbuy.com This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the email by you is prohibited. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://list.jamfsoftware.com/pipermail/casper/attachments/20090112/1e626483/attachment.html From hbonath at computersitecolumbus.com Mon Jan 12 11:27:53 2009 From: hbonath at computersitecolumbus.com (Henry Bonath) Date: Mon, 12 Jan 2009 14:27:53 -0500 Subject: [Casper] Remotely configure Directory Utility Message-ID: Is there any way out there to remotely configure LDAPv3 plugin for server search paths? So far, the only way that may be possible that I can see is to push out .plist files with directory info to /Library/Preferences/DirectoryService Thanks in advance! -Henry ________________________________ [http://www.computersitecolumbus.com/images/CSC_Logo.jpg] Henry Bonath Network Engineer Computer Site Columbus 6155-N Huntley Road Columbus, OH 43229 computersitecolumbus.com Tel: 614.786.7100 Cell: 614.738.0822 Fax: 614.786.7310 Your I.T. Department ________________________________ 14:29:15 Mon 12 Jan 2009 This message (and any associated files) is intended only for the use of the individual or entity to which it is addressed and may contain information that is confidential, subject to copyright or constitutes a trade secret. If you are not the intended recipient you are hereby notified that any dissemination, copying or distribution of this message, or files associated with this message, is strictly prohibited. If you have received this message in error, please notify us immediately by replying to the message and deleting it from your computer. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://list.jamfsoftware.com/pipermail/casper/attachments/20090112/22a17cf2/attachment.htm From swood at integerdallas.com Mon Jan 12 11:38:39 2009 From: swood at integerdallas.com (Steve Wood) Date: Mon, 12 Jan 2009 13:38:39 -0600 Subject: [Casper] Remotely configure Directory Utility In-Reply-To: Message-ID: Unless Miles or someone else has a better way, this is how I?ve done it in the past, using these commands in a script: #!/bin/bash/ OD_SERVER=yourODServer.name' AD_DOMAIN='yourADdomain' SiteId='NHV' OldName=`scutil --get ComputerName` SERIALNUM=`system_profiler | grep "Serial Number" | awk '{print $3}'` scutil --set ComputerName $SiteId$SERIALNUM scutil --set LocalHostName $SiteId$SERIALNUM scutil --set HostName $SiteId$SERIALNUM /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resource s/kickstart -configure -computerinfo -set1 -1 $OldName computerid=`scutil --get ComputerName` dsconfigldap -v -f -a $OD_SERVER -n OD_SERVER -c $computerid -u diradmin -p 'pass' sleep 10 dsconfigad -f -a $computerid -domain $AD_DOMAIN -u swood -p 'pass' -ou "CN=Unsorted Computers,OU=Locations,DC=yourad,DC=net" sleep 20 dscl /Search -create / SearchPolicy CSPSearchPath dscl /Search -append / CSPSearchPath /LDAPv3/$OD_SERVER dscl /Search -append / CSPSearchPath "/Active Directory/All Domains" sleep 10 dscl /Search/Contacts -create / SearchPolicy CSPSearchPath dscl /Search/Contacts -append / CSPSearchPath /LDAPv3/$OD_SERVER dscl /Search/Contacts -append / CSPSearchPath "/Active Directory/All Domains" Steve Wood Director of IT swood at integerdallas.com The Integer Group | 1999 Bryan St. | Ste. 1700 | Dallas, TX 75201 T 214.758.6813 | F 214.758.6901 | C 940.312.2475 From: Henry Bonath Date: Mon, 12 Jan 2009 14:27:53 -0500 To: "casper at list.jamfsoftware.com" Subject: [Casper] Remotely configure Directory Utility Is there any way out there to remotely configure LDAPv3 plugin for server search paths? So far, the only way that may be possible that I can see is to push out .plist files with directory info to /Library/Preferences/DirectoryService Thanks in advance! -Henry Henry Bonath Network Engineer Computer Site Columbus 6155-N Huntley Road Columbus, OH 43229 computersitecolumbus.com Tel: 614.786.7100 Cell: 614.738.0822 Fax: 614.786.7310 Your I.T. Department 14:29:15 Mon 12 Jan 2009 This message (and any associated files) is intended only for the use of the individual or entity to which it is addressed and may contain information that is confidential, subject to copyright or constitutes a trade secret. If you are not the intended recipient you are hereby notified that any dissemination, copying or distribution of this message, or files associated with this message, is strictly prohibited. If you have received this message in error, please notify us immediately by replying to the message and deleting it from your computer. _______________________________________________ Casper mailing list Casper at list.jamfsoftware.com http://list.jamfsoftware.com/mailman/listinfo/casper -- The information contained in this email transmission is solely for the addressee(s) named above and is privileged and/or confidential. If the reader of this message is not the intended recipient or the person responsible to deliver it to the intended recipient; he or she is prohibited from reading or disclosing the information contained in this transmission. Any examination, use, dissemination, distribution, or copying of this communication is strictly prohibited. Please contact us immediately by telephone for instructions if you have received this communication in error: (214) 758-6800 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://list.jamfsoftware.com/pipermail/casper/attachments/20090112/60d5359b/attachment.html From miles.leacy at themacadmin.com Mon Jan 12 11:42:01 2009 From: miles.leacy at themacadmin.com (Miles Leacy) Date: Mon, 12 Jan 2009 14:42:01 -0500 Subject: [Casper] Remotely configure Directory Utility In-Reply-To: References: Message-ID: #!/bin/bash ##### HEADER BEGINS ##### # scr_sys_dsConfigLDAP.bash # # Created 20070212 by Miles A. Leacy IV # miles.leacy at themacadmin.com # Modified 20090106 by Miles A. Leacy IV # Copyright 2009 Miles A. Leacy IV # # This script may be copied and distributed freely as long as this header remains intact. # # This script is provided "as is". The author offers no warranty or guarantee of any kind. # Use of this script is at your own risk. The author takes no responsibility for loss of use, # loss of data, loss of job, loss of socks, the onset of armageddon, or any other negative effects. # # Test thoroughly in a lab environment before use on production systems. # When you think it's ok, test again. When you're certain it's ok, test twice more. # # This script adds an LDAP configuration and sets the custom search path. # Replace "ldap.server.ext" with your LDAP server's FQDN or use a script parameter to pass # a value from Casper. # # If you don't use Active directory, comment out or delete all lines that # contain "Active Directory". # # This script is intended for use as an "At Reboot" script with Casper Imaging. # ##### HEADER ENDS ##### # add LDAP config dsconfigldap -v -a ldap.server.ext # set up the custom search paths dscl /Search -create / SearchPolicy CSPSearchPath dscl /Search -append / CSPSearchPath "/Active Directory/All Domains" dscl /Search -append / CSPSearchPath /LDAPv3/ldap.server.ext dscl /Search/Contacts -create / SearchPolicy CSPSearchPath dscl /Search/Contacts -append / CSPSearchPath "/Active Directory/All Domains" dscl /Search/Contacts -append / CSPSearchPath /LDAPv3/ldap.server.ext ---------- Miles A. Leacy IV ? Certified System Administrator 10.4 ? Certified Technical Coordinator 10.5 ? Certified Trainer Certified Casper Administrator ---------- voice: 1-347-277-7321 miles.leacy at themacadmin.com www.themacadmin.com 2009/1/12 Henry Bonath > Is there any way out there to remotely configure LDAPv3 plugin for > server search paths? > So far, the only way that may be possible that I can see is to push out > .plist files with directory info to /Library/Preferences/DirectoryService > > Thanks in advance! > -Henry > > ------------------------------ > > > > [image: CSC Logo] > Henry Bonath > Network Engineer > Computer Site Columbus > 6155-N Huntley Road > Columbus, OH 43229 > computersitecolumbus.com > Tel: 614.786.7100 > Cell: 614.738.0822 > Fax: 614.786.7310 > > *Your I.T. Department* > > ------------------------------ > > 14:29:15 Mon 12 Jan 2009 > > > This message (and any associated files) is intended only for the use of the > individual or entity to which it is addressed and may contain information > that is confidential, subject to copyright or constitutes a trade secret. If > you are not the intended recipient you are hereby notified that any > dissemination, copying or distribution of this message, or files associated > with this message, is strictly prohibited. If you have received this message > in error, please notify us immediately by replying to the message and > deleting it from your computer. > > > _______________________________________________ > Casper mailing list > Casper at list.jamfsoftware.com > http://list.jamfsoftware.com/mailman/listinfo/casper > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://list.jamfsoftware.com/pipermail/casper/attachments/20090112/3b46b087/attachment.htm From hbonath at computersitecolumbus.com Mon Jan 12 11:54:26 2009 From: hbonath at computersitecolumbus.com (Henry Bonath) Date: Mon, 12 Jan 2009 14:54:26 -0500 Subject: [Casper] Remotely configure Directory Utility In-Reply-To: Message-ID: Thanks so much! On 1/12/09 2:42 PM, "Miles Leacy" wrote: #!/bin/bash ##### HEADER BEGINS ##### # scr_sys_dsConfigLDAP.bash # # Created 20070212 by Miles A. Leacy IV # miles.leacy at themacadmin.com # Modified 20090106 by Miles A. Leacy IV # Copyright 2009 Miles A. Leacy IV # # This script may be copied and distributed freely as long as this header remains intact. # # This script is provided "as is". The author offers no warranty or guarantee of any kind. # Use of this script is at your own risk. The author takes no responsibility for loss of use, # loss of data, loss of job, loss of socks, the onset of armageddon, or any other negative effects. # # Test thoroughly in a lab environment before use on production systems. # When you think it's ok, test again. When you're certain it's ok, test twice more. # # This script adds an LDAP configuration and sets the custom search path. # Replace "ldap.server.ext" with your LDAP server's FQDN or use a script parameter to pass # a value from Casper. # # If you don't use Active directory, comment out or delete all lines that # contain "Active Directory". # # This script is intended for use as an "At Reboot" script with Casper Imaging. # ##### HEADER ENDS ##### # add LDAP config dsconfigldap -v -a ldap.server.ext # set up the custom search paths dscl /Search -create / SearchPolicy CSPSearchPath dscl /Search -append / CSPSearchPath "/Active Directory/All Domains" dscl /Search -append / CSPSearchPath /LDAPv3/ldap.server.ext dscl /Search/Contacts -create / SearchPolicy CSPSearchPath dscl /Search/Contacts -append / CSPSearchPath "/Active Directory/All Domains" dscl /Search/Contacts -append / CSPSearchPath /LDAPv3/ldap.server.ext ---------- Miles A. Leacy IV ? Certified System Administrator 10.4 ? Certified Technical Coordinator 10.5 ? Certified Trainer Certified Casper Administrator ---------- voice: 1-347-277-7321 miles.leacy at themacadmin.com www.themacadmin.com 2009/1/12 Henry Bonath Is there any way out there to remotely configure LDAPv3 plugin for server search paths? So far, the only way that may be possible that I can see is to push out .plist files with directory info to /Library/Preferences/DirectoryService Thanks in advance! -Henry ________________________________ Henry Bonath Network Engineer Computer Site Columbus 6155-N Huntley Road Columbus, OH 43229 computersitecolumbus.com Tel: 614.786.7100 Cell: 614.738.0822 Fax: 614.786.7310 Your I.T. Department ________________________________ 14:29:15 Mon 12 Jan 2009 This message (and any associated files) is intended only for the use of the individual or entity to which it is addressed and may contain information that is confidential, subject to copyright or constitutes a trade secret. If you are not the intended recipient you are hereby notified that any dissemination, copying or distribution of this message, or files associated with this message, is strictly prohibited. If you have received this message in error, please notify us immediately by replying to the message and deleting it from your computer. _______________________________________________ Casper mailing list Casper at list.jamfsoftware.com http://list.jamfsoftware.com/mailman/listinfo/casper -------------- next part -------------- An HTML attachment was scrubbed... URL: http://list.jamfsoftware.com/pipermail/casper/attachments/20090112/ed5b44ad/attachment.html From miles.leacy at themacadmin.com Mon Jan 12 12:08:03 2009 From: miles.leacy at themacadmin.com (Miles Leacy) Date: Mon, 12 Jan 2009 15:08:03 -0500 Subject: [Casper] Remotely configure Directory Utility In-Reply-To: