Jamf Software

JAMF Nation Monthly Challenges & Solutions

MARCH '10

  • Q: An environment with local user upgrades and re-imaging can prove to be an interesting task due to the need to preserve user data. This month's challenge is to let us know how you use the Suite to preserve user information!
  • A: There are many ways to preserve user information when upgrading and reimaging client computers.
  • If your environment is using directory-bound accounts, you can leverage the com.apple.homesync Managed Preference settings in the JSS to set up your accounts to automatically sync desired data from your users' home directories to a file server. The homesync managed preference settings can be found by going to:
    • JSS > Management > Managed Preferences > Create Managed Preference
    • Choose "Create from template" and click "Continue"
    • Settings can be found by expanding options for "com.apple.homeSync"

  • You could use a third-party backup solution such as Crashplan that can be deployed with the Casper Suite, and use extension attributes to monitor the status of backups. Extension attributes can be set by going to:
    • JSS > Settings > Inventory Options > Inventory Collection Preferences > Extension Attributes
    • To choose from available templates, choose "Add Extension Attribute From Template"
    • Currently we have provided Extension Attribute templates for use with Time Machine, Crashplan, and LiveBackup

  • You can leverage Managed Preference settings in the JSS to set up your 10.5 and 10.6 clients to back up via Time Machine. The Time Machine managed preference settings can be found by going to:
    • JSS > Management > Managed Preferences > Create Managed Preference
    • Choose "Create from template" and click "Continue"
    • Settings can be found by expanding options for "com.apple.TimeMachine"

FEBRUARY '10

  • Q: Software updates are a necessary part of any healthy environment. This month's JAMF Challenge is to let us know how you deploy software updates using the Casper Suite.

  • A: To deploy specific software updates that are located on a Software Update server, you can use the "Run Command" portion of a policy to call the softwareupdate utility directly. By using OS X's built-in softwareupdate utility you will not have to worry about updates getting deployed to computers that should not have them or are missing prerequisites.
  • To do this, however, you will need to know the short name of the update you wish to deploy. To find it, open Terminal (which is located in the Utilities folder) and type: softwareupdate -l
  • It should return something like this:
  • [Screenshot: Software Update Command Line]
  • The short name is always marked by an asterisk. In this case we are going to want to update iTunes, whose update short name is iTunesX-9.0.3.
  • Now we will create a Smart Group for computers that do not have the most recent version of iTunes, which will look something like this:

  • [Screenshot: Software Update JSS Edit Smart Group]

  • Next, create a policy set to run "Once Per Computer" and on the trigger of your choosing. Then go to the Advanced tab and in the run box type the following:
  • [Screenshot: Software Update JSS Edit Policy]

  • The -i flag tells softwareupdate that this is the update that we wish to install. Click "Save" and you are good to go!
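
One way to have the policy install the update only when softwareupdate actually offers that short name to the computer, as an added example (not JAMF's own code). The listing is a constructed sample in the 10.6-era layout, ExampleUpdate-1.0 is a made-up short name, and the SOFTWAREUPDATE variable is a hypothetical override so the functions can be exercised off a Mac.

```shell
#!/bin/sh
# Added example, not JAMF's policy command. SOFTWAREUPDATE is a hypothetical
# override used only so the functions can be exercised without a Mac.

# Constructed sample of `softwareupdate -l` output (10.6-era layout);
# ExampleUpdate-1.0 is a made-up short name.
sample_listing() {
cat <<'EOF'
Software Update Tool
Copyright 2002-2009 Apple

Software Update found the following new or updated software:
   * iTunesX-9.0.3
        iTunes (9.0.3), 90960K [recommended]
   * ExampleUpdate-1.0
        Example Update (1.0), 1024K [recommended] [restart]
EOF
}

# Print each short name: the text after the asterisk on lines that start with one.
list_labels() {
    sed -n 's/^[[:space:]]*\*[[:space:]]\{1,\}\(.*[^[:space:]]\)[[:space:]]*$/\1/p'
}

# Succeed only if the listing on stdin offers exactly the short name in $1.
label_offered() {
    list_labels | grep -Fqx -- "$1"
}

# Install $1 only if softwareupdate offers it to this computer.
install_if_offered() {
    label=$1
    su_bin=${SOFTWAREUPDATE:-/usr/sbin/softwareupdate}
    # The policy runs as root: accept only a plain short name, never an option.
    case $label in
        ''|-*|*[!A-Za-z0-9._-]*) echo "refusing label: $label" >&2; return 2 ;;
    esac
    listing=$("$su_bin" -l 2>&1) || return 1
    if printf '%s\n' "$listing" | label_offered "$label"; then
        "$su_bin" -i "$label"
    else
        echo "$label not offered here; nothing to do"
    fi
}

# Demo on the constructed sample: prints the two short names.
sample_listing | list_labels
```

Saved as a script and called from the policy with install_if_offered iTunesX-9.0.3, it exits cleanly on computers where the update does not apply, so the policy log shows why nothing was installed.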

JANUARY '10

  • Q: How do you use the Casper Suite to help your organization be more energy efficient?

  • A: You can use the PM Script Builder from the Resource Kit to create a script that will force computers to go to sleep and then wake up at a specific time. For example, rather than letting a lab stay on all night, you can use the PM Script Builder to create a script that shuts the computers down after classes are over and then wakes them back up an hour before the school day starts.

DECEMBER '09

  • Q: How do you utilize network segments in your environment?

  • A: There are four network segments in this environment. One is for the wireless while the other three are specific to other buildings. Policies that deploy packages are scoped to all network segments except the wireless network segment. The remaining three network segments are used to set the distribution points and Netboot servers that reside in each of the buildings.

NOVEMBER '09

  • Q: The JSS allows privileges to be set for specific users and groups thus allowing administrators to restrict actions like Imaging, Remote Control, and adding computers to the JSS. This month's challenge is for you to tell us about the different ways you are using privileges within your organization.

  • A: For a help desk, especially a student-run one, you can set up accounts on the JSS that will only have privileges to use certain aspects of Recon, Imaging, and Casper Remote. To edit user accounts, log on to the JSS Web Application and go to Settings > Accounts > Create New Account. Once you have entered the user information, click on the "Privileges" tab and select the following:
  • By only checking "Observe Remote Computers" and "Control Remote Computers" the Help Desk workers will only be able to remotely access computers if a user allows it.

OCTOBER '09

  • Q: In most environments it is necessary to run weekly or monthly maintenance policies and we would like to know what yours are!

  • A: In most environments it is required that passwords be changed on a regular basis. The task of changing the management account on the client computers can be done automatically by creating a policy set to run once per month and scoped to all computers. The settings on the General and Accounts tab are:

SEPTEMBER '09

  • Q: Every organization has reports that must be created that can require everything from managed client computers to what users have administrative rights on their computers. This month's challenge is to send us a workflow that you use, that includes using the Casper Suite or the Recon Suite, to create necessary reports for your organization.

  • A: The report that we are running is the "Fonts Distribution Report" from the Resource Kit. The top part of this report lists all of the fonts that have been reported to the JSS and includes the version of the font, whether it is suppressed, and how many copies are installed.
  • By clicking on the "View Distribution" link you will be taken to a list of computers that have that font installed as well as any display information you selected in the initial search.

JUNE '09

  • Q: In the past, we have talked about creating a package with Composer 7.0 using a Pre-Installed Diff file. For the challenge, send us the procedure to create your own Pre-Installed Diff files (i.e. .composer files), and send along a .composer file for a software title not included in Composer's list of Pre-Installed titles. Entries will be reviewed, and valid submissions will be included in a future feed of Pre-Installed Diff files.

  • A: The diff I created was for Adobe Air 1.5.1. The first step is to create a traditional Composer Package. Once you have done that...
  • 1. Expand out the package source, then Snapshot Information
  • 2. Right click on Files for Package. This will display the option "Export .composer File"
  • 3. A .composer dialogue box will open.
  • Enter in the Package name, description and creator of the diff, then save the file

  • Now that the nuts and bolts of the diff have been created it is time to make it pretty and add an application icon.
  • 1. Locate the .composer file on the disk and right click on it then select "Get Info"
  • 2. Scroll down to the bottom of the info box to "Sharing & Permissions" and change all of the privileges to "Read & Write"
  • 3. Locate the installed application and right click on that and select "Get Info"
  • 4. Click on the icon in the upper right of the info box for the installed application. There should be a faint blue box that appears
  • 5. Press command-c, then select the icon in the upper right of the info box for the .composer file and press command-v

  • Now to install the Diff
  • 1. Right click on Composer and select "Show Package Contents"
  • 2. Then Navigate to Contents > Support > New PackageOptions > Software and drag the new .composer file into there

  • When you relaunch Composer and go to PreInstalled software, you should be able to see the new diff as an option:

MAY '09

  • Q: Describe the steps you would take to configure your JSS to notify you if you deploy more copies of Microsoft Office than you own.

  • Solution Provided by Keith Hamilton

  • A: The first step would be to navigate through the JSS to the Admin tab, then Inventory Options, then to Licensed Software.
  • After clicking Create New... simply enter the display name and/or publisher of the software, in this case, Microsoft Office 2008 and Microsoft, respectively. Since we only manage Macintosh computers, I've chosen Macintosh for the platform type. The important step to perform in the Info tab is to check the Send Email Notification on Violation checkbox - this will send an email to the JSS admin email account(s) when the software restrictions in the Licenses tab are violated.
  • The next step is to click on the Licenses tab, where the specifics for the application license will be entered. By clicking the Add License button, you can access a screen that lets you enter the pertinent information for your software license, including type of license, number of licenses, the license key, and any purchasing information. An important step in this section is to click Store License before proceeding, or you will have to enter the licensing information again. Once you've clicked Store License, you should see something like this:
  • At this point you could enter more licenses, depending on how you purchased the software. Assuming there is only one license for the software, you would, at this point, click the Software Definitions tab, where you will see this:
  • You will want to click the Add Application button, assuming you are adding Microsoft Office to the list of Licensed Software. Once in the Add Application section, you will be asked to enter the application's title and version number.
  • For the purposes of searching for Microsoft Office, I always search for Entourage, since all of our Mac users use Entourage for mail - I am guaranteed to find it on someone's machine. Of course, any application that makes sense to search with should be entered here. Next, enter the base version number, so as to pick up any and all subversions of Office [2008]. Once the title and version are entered, click Store Definition. You should see something like this at the top of the Software Definitions screen.
  • Click Save. That's it! All the settings are in place to have an email sent to the administrator when more than 25 copies of Office are put to use. This may come upon imaging, or the next time Recon is run (as you may already have more copies in use than licenses).

APRIL '09

  • Q: We have seen Self Service used in many different scenarios. What Self Service policies are you currently using that you would like to share with the JAMF Community?
  • A: Thomas Larkin of the Kansas City Public Schools and Ben Greiner of Forget Computers both submitted excellent examples of Self Service policies they've implemented. Here they are!
  • Thomas Larkin - Dual Boot Policy

  • We use self service a few ways. The first major thing we did was set up a dual boot policy that users can trigger via self service. This was helpful because a user must run admin rights to boot into Windows partitions normally. I created an ongoing self service policy assigned to all computers that would have Windows on them, which is the Student laptops. In the reboot tabs I put reboot now and reboot immediately. On the advanced tab of the Casper policy window in the JSS I added this one-liner command:
  • /usr/sbin/bless --device /dev/disk0s3 --setBoot --legacy --nextonly
  • This will force a reboot over to Windows 1 time only, so if the user reboots or shuts down they are diverted back to OS X again.
  • View a YouTube video of this policy in action.

  • Thomas Larkin - Mapping a Network Drive

  • The next Self Service policy we did was one that mapped a network drive for the NTE testing database for the MAP test application from NWEA. Now the MAP test application they just released is a Windows version wrapped in the Cross over API. So there were a lot of weird things for me to try to accomplish with this cross platform app. I packaged it with Composer and pushed it out to all my clients. I now have a Self Service policy that runs a script that will first mount the network share, verify if the network share exists, and if it does exist it will then launch the TestTaker application.
  • Accomplishing this allows us to drop Windows from the Macs completely.

  • Ben Greiner

  • Forget Computers Font Standards
  • This moves unnecessary fonts from all the font libraries into a central location that we then control with a font management application.
  • Font Cache Cleaner
  • Verify Your Hard Drive
  • This appears once a month on any Mac that hasn't been verified by this policy.

FEBRUARY '09

  • Q: Describe the process that you would use to deploy a major software update to your users, but you only want the updates to be applied when those users are on the company network.
  • A: JAMF Support has put together a PDF of the solution to this challenge. To view this month's solution you can download it.

DECEMBER '09

  • Q: After going through initial testing of your standard enterprise configuration, you notice your Desktop Pattern is not being set properly during imaging. You have gone through and verified the package is in the Configuration and the logs say the Desktop Pattern package is being applied properly.
  • You have narrowed it down to another package having the com.apple.desktop.plist file in it. Your configuration has over 50 packages, so it is not an option to mount each package and search the contents.
  • What is the quickest and easiest way to find all packages that have the com.apple.desktop.plist file?
  • A: The first step is to make sure your packages are indexed.
  • Launch Casper Admin and authenticate to the JSS if prompted. Highlight the package(s) that you want to index.
  • Click on the icon in the toolbar labeled Index Packages. Authenticate to the local computer when prompted for local credentials.
  • Next, log in to the JSS web interface and click the Management tab.
  • Then, click the Casper Admin link.
  • Search for com.apple.desktop.plist.
  • The search results can then be cross-checked against the packages in your image build.
  • Launch Casper Admin, select the Configuration, and sort by Priority. You can now see the order in which the packages are applied and find the offending com.apple.desktop.plist.

DECEMBER '08

  • Q: Name as many methods as you can to add a computer to the JAMF Software Server.

  • A:
  • Recon Local
  • Recon Remote
  • Recon Scanner
  • QuickAdd Package
  • Casper Imaging, using a configuration with a Managed Account
  • Casper Imaging with the Management Preferences set to Run Recon after Imaging
  • Using the jamf command-line binary:
  • jamf recon -username xxxxx -password xxxxx
  • Pre-Staging
  • Manually via the JSS Web Interface

NOVEMBER '08

  • Q: After rolling out the Casper Suite and looking at the information provided by Recon related to local user accounts, you realize that there are 3 different local administrator accounts on your managed workstations (admin, macadmin and netadmin).

  • Describe the process that you would use to remotely update your clients so that they all have one local administrator account named macadmin.

  • A: To get rid of these accounts I would first create a smart group of any machines in inventory that have the following user accounts:
  • Mac Admin
  • Net Admin
  • Admin
  • I would use the search feature for local user accounts, and create the smart group from the Management > Smart Groups link in the JSS web interface.
  • Next after creating that smart group I would verify that there are actual members of that group and that it is working. Since I just ran recon my inventory should be up to date. Now there are two ways of doing this. I could just script out the following, and then have recon create a new user account or modify an existing one. For me though personally I like my local admin account to be hidden for several reasons, so I would do this.
  • The easy way is to let Casper do the work for you instead of messing with the dscl command. So, I am going to assume you want to just start over, and if not I will give another solution.
  • Create a policy that will delete the Net Admin, Mac Admin and Admin accounts on the machines. You can do this by creating a new policy under the Management Tab, and under the accounts tab have it delete each of the unwanted accounts. In this case I had it delete all three, and then in the same policy under the advanced tab I put in a command from the jamf binary to create a new local hidden admin account for Casper management. The following command will work:
  • /usr/sbin/jamf createAccount -username macadmin -realname "Mac Admin" -password password -home /var/macadmin -hiddenUser -admin
  • [Screenshot: macAdmin]
Copyright © JAMF Software, LLC 2002-2010 | Privacy Policy | Copyright Notice | Terms of Use | Contact
Mac and the Mac logo are trademarks of Apple Computer, Inc., registered in the U.S. and other countries.