13 Sep 2013

Migrating a Casper installation

It’s that time again. You’ve probably been putting it off for a while: your somewhat old, so far reliable hardware is nearing the end of its service life. You’ve gone from a single distribution point to multiple distribution points, and failover distribution points too. Now the Tomcat server needs a refresh, and you might also want to change the management URL to provide services outside the firewall. Looking around, the documentation is pretty thin and doesn’t appear to cover all the steps. You might be using configuration profiles and be worried about certificate-based communication.

These are the steps I used to migrate the JSS to a new Tomcat server and change the management URL at the same time, without interruption to users. A warning: this took a lot of preparation and testing. Even though I was able to make it work, I would still suggest a thorough test plan specific to your installation, in case you are using features I’m not.

I’m assuming you’ve already built your new server and have a working installation of Tomcat, connections to your database, and hopefully some monitoring of services too.

Schedule a long change window with a full outage of Casper services.

  • Stop Tomcat on the old server
  • Stop Tomcat on the new server
  • Backup the database used by the old server
  • Restore the old database backup to the new database

A note at this point: you, like me, may have a separate database host. Unfortunately with this procedure you will need two databases, database old and database new, as both the old and new JSS must be running during the migration.

  • If both databases are on the same host you might need to increase the max connections setting (max_connections) in my.cnf and restart MySQL
  • Open a MySQL session and truncate these tables: mobile_device_management_framework and certificate_authority_settings

The reason for truncating these tables is to ensure the built-in CA correctly refers to your new management URL. If you aren’t changing the management URL, skip this step.

  • Start Tomcat on the new server
  • Change the JSS URL
  • Restart Tomcat
  • Acquire a new certificate from the built in CA
  • Update the change management path (if you are changing server OS like I did)
  • Restart Tomcat
  • Request a new APNS cert
  • Disable any policies or configuration profiles not wanted on the new server
  • Create a QuickAdd package with Recon pointed to the new server
  • Start Tomcat on the old server
  • Upload the QuickAdd package to the old server and sync distribution points
  • On the old server create a policy to install the QuickAdd package; in the Advanced tab run the command “jamf manage”, and disable Update Inventory
  • Scope the policy to a few computers on the everyHour trigger
  • Test the migration. Even if you’ve done it before, test again: you’ve just restored the database and replaced certificates, so a test is good for peace of mind
  • On the new server create two smart groups, one for computers with the old management URL, the other for the new

This allows you to watch the migration progress: how many are still to go, and how many have come across.

  • If the policy test was successful, widen the scope
  • Disable staff logins on the old server (keep yours active); you don’t want computers accidentally enrolled to the old JSS
  • Refresh the members view of the smart groups and you should gradually see the clients coming across to the new server
  • Don’t forget to make sure your new database is backed up, with both nightly dumps and to tape!

Some points to consider:

My environment is heavily reliant upon certificates deployed with configuration profiles. There is a short period, while enrollment to the new server completes, during which all profiles are dropped from the client. If your network relies on certificates for authentication and other services, you should ensure these are deployed by other means before attempting the migration.

To work around this, a configuration profile was packaged, deployed to clients via policy, then installed via policy with the profiles command. This ensured that, should a client have a messy migration, the user would be able to continue working. It would also ease repairing a computer if necessary, as support staff would still be able to access it remotely. It might sound like extra work, however with users all over the world, as much as I’d like a trip to the Sydney office, it’s probably better if I don’t visit because my migration took the users offline!

I hope this is helpful, ask questions, or share your tips on migrations.

For those interested, the JSS was migrated from OS X Server and is now happily running on an Ubuntu virtual machine hosted on ESXi.

16 Aug 2013

The Rice Cooker

A while ago I was told to go gluten free. I’ll admit at times I got fed up and cheated with gluten. Unfortunately I need to start being committed to my gluten-free relationship.

Whilst it is very easy to turn up at the nearest Whole Foods Market and fill the trolley with everything labelled “gluten free”, it isn’t a very economically sustainable way to eat and, to use the cliché, was using up my “Whole Pay”.

Ordering rice with steamed vegetables and no sauce (for fear of gluten-contaminated sauce) with delivery from Seamless was also unsustainable. By the time you add on taxes and the delivery tip, a simple rice and veg could have been a nice cut of home-cooked meat.

Time to start being smart about this.

  • A large bag of rice from Western Beef supermarket $3.
  • Tub of Whole Foods mixed washed and chopped veg $10
  • Small tub of Whole Foods champagne cheddar cheese spread $5
  • Aroma rice cooker with stainless steel vege steamer and insert $50

The rice should last me a month if I eat it every day, though I’m going to mix it up a bit. The veg and cheese will last a couple of days. I know the veg and cheese spread are overpriced, but here it is: I like good quality produce, and I’m tired at the end of the day. Trust me, I’m up for hours and have had a workout before most people have had coffee, then I do a full day at work. I don’t feel like washing and chopping.

Recipe #1: makes dinner and lunch

  • 1 rice cooker cup of rice (this is smaller than a standard cooking cup)
  • Add water to the fill line
  • Add assorted veg to steamer tray

Wash your rice before adding it to the rice cooker! If you don’t, it will bubble up and overflow, and all that time you saved on ready-cut veg is wasted.

Turn your rice cooker to cook, then let it sit on keep warm for about 10 to 15 minutes after cooking.

Serve half for dinner and put half aside for tomorrow’s lunch. Add a generous dollop of the champagne cheddar spread, which will melt into the veg and rice for flavour.

Somewhat bland, but made tastier with the cheese spread, and it meets all of the requirements my doctor gave before I gradually add back more interesting foods. You can see tomorrow’s lunch.

16 Aug 2013

Recovering FileVault Recovery Keys with Casper

When deleting a computer from inventory you will lose policy history, logs, and the FileVault recovery key. I suspect you care about the last one. Admittedly you still have the master key, which allows decryption, however there are times when you can’t use that, such as providing a key to a user.

Let’s say you didn’t keep a copy of the key before removing the computer from inventory, later re-enrolled the computer, and now the key is missing from the Storage tab. Assuming you have been doing your nightly backups, you can recover the key with these steps. If you’re not backing up, we need to have a chat later!

Locate the nightly backup:

cd /Library/JSS/Backups/Database

Unzip the backup:

gunzip yourbackup.sql.gz

Create a dummy database:

mysql -u root -p
 create database restore;
 quit

Restore the backup to the dummy database:

 mysql -p -u root restore < yourbackup.sql

Determine the current computer id (you’ll need this later); in the example we’ll use a computer named testing:

mysql -u root -p
select computer_id, computer_name from jamfsoftware.computers 
where computer_name like "testing";
 +-------------+---------------+
 | computer_id | computer_name |
 +-------------+---------------+
 | 9999        | testing       |
 +-------------+---------------+

Determine the previous computer id:

select computer_id, computer_name from restore.computers 
where computer_name like "testing";
 +-------------+---------------+
 | computer_id | computer_name |
 +-------------+---------------+
 | 8888        | testing       |
 +-------------+---------------+

Find the recovery key using the previous computer id:

 select * from restore.file_vault_2_computer_key 
 where computer_id = 8888;
 +-----------------+-------------+-----------------------------+----------------------------------------------+------+
 | file_vault_2_id | computer_id | file_vault_2_certificate_id | individual_key_encrypted                     | disk |
 +-----------------+-------------+-----------------------------+----------------------------------------------+------+
 | 1               | 8888        | 1                           | dJO92iPEFZIqZ1tpQ25CJHZo7kpZMexQR+adgFtwHN8= |      |
 +-----------------+-------------+-----------------------------+----------------------------------------------+------+

Now you have the recovery key, and you can use a MySQL insert statement to add the key back to the jamfsoftware database, remembering to use the current computer id, since the output above shows the previous id.

This was done with version 8.71 of the Casper Suite; with different versions the schema probably changes.
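The final insert is left to the reader above. As an added example (not from the original post), the following shell script performs the whole lookup against both databases and prints the INSERT for the live database. It assumes the 8.71-era table and column names shown above, a dummy database named restore, that file_vault_2_id is auto-increment and can be omitted, and that the mysql client can authenticate without prompting (via ~/.my.cnf or the script’s own MYSQL_ARGS variable). Two checks are worth keeping even when doing this by hand: the computer name must match exactly one record in each database, since a re-enrolled machine can leave more than one record behind, and the stored value is the key as encrypted by the JSS under the certificate id in the same row, so it only remains usable when inserted into the same JSS whose certificate has not changed.

```shell
#!/bin/sh
# Added example (not from the original post): re-attach a FileVault 2 recovery
# key that survives only in a restored copy of a nightly backup.
# Assumptions: the 8.71 schema shown in the post, a restore database named
# "restore", and a mysql client that authenticates without prompting.

MYSQL="${MYSQL:-mysql}"          # client binary; overridable for testing
MYSQL_ARGS="${MYSQL_ARGS:-}"     # e.g. "-u root" with credentials in ~/.my.cnf
LIVE_DB="${LIVE_DB:-jamfsoftware}"
RESTORE_DB="${RESTORE_DB:-restore}"

# Run one statement in batch mode: no column headers, tab-separated rows.
query() {
    # MYSQL_ARGS is intentionally unquoted so it word-splits into options.
    "$MYSQL" $MYSQL_ARGS -N -B -e "$1"
}

# Only allow characters a JSS computer name reasonably contains, so the name
# can be placed inside a quoted SQL literal without escaping concerns.
safe_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Print the single computer_id for a name in the given database.
# Fails on zero or multiple matches instead of guessing which record is right.
lookup_computer_id() {
    db=$1; name=$2
    safe_name "$name" || { echo "unsafe computer name: $name" >&2; return 1; }
    ids=$(query "select computer_id from $db.computers where computer_name = '$name';")
    count=$(printf '%s\n' "$ids" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one match for '$name' in $db, got $count" >&2
        return 1
    fi
    printf '%s\n' "$ids"
}

# Print certificate_id<TAB>encrypted_key<TAB>disk for the old computer id.
lookup_key_row() {
    query "select file_vault_2_certificate_id, individual_key_encrypted, disk from $RESTORE_DB.file_vault_2_computer_key where computer_id = $1;"
}

# Build the INSERT for the live database (file_vault_2_id assumed auto-increment).
build_insert_sql() {
    new_id=$1; cert_id=$2; key=$3; disk=$4
    printf "insert into %s.file_vault_2_computer_key (computer_id, file_vault_2_certificate_id, individual_key_encrypted, disk) values (%s, %s, '%s', '%s');\n" \
        "$LIVE_DB" "$new_id" "$cert_id" "$key" "$disk"
}

# Full procedure for one computer name: prints the INSERT; APPLY=1 also runs it.
recover_key() {
    name=$1
    new_id=$(lookup_computer_id "$LIVE_DB" "$name") || return 1
    old_id=$(lookup_computer_id "$RESTORE_DB" "$name") || return 1
    row=$(lookup_key_row "$old_id")
    [ -n "$row" ] || { echo "no FileVault key stored for old id $old_id" >&2; return 1; }
    cert_id=$(printf '%s' "$row" | cut -f1)
    key=$(printf '%s' "$row" | cut -f2)
    disk=$(printf '%s' "$row" | cut -f3)
    sql=$(build_insert_sql "$new_id" "$cert_id" "$key" "$disk")
    printf '%s\n' "$sql"
    [ "${APPLY:-0}" = 1 ] && query "$sql"
    return 0
}

# Usage: sh recover_key.sh <computer_name>   (no argument: only define functions)
if [ $# -ge 1 ]; then recover_key "$1"; fi
```

Run it as sh recover_key.sh testing to see the statement, and with APPLY=1 to execute it. Keep the dummy database until the key shows up in the Storage tab, then drop it.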

8 Dec 2011

10.7 Lion how to disable the Resume “Restore windows when quitting and re-opening apps”

I’m currently deploying Lion. One feature I really want to turn off, for a number of reasons, is the Resume functionality, also known as the
System Preferences -> General -> Restore windows when quitting and re-opening apps checkbox.

Turning it off stops all the apps reopening when you log back in or restart.

To do this, we’ll use MCX.

You will need to edit .GlobalPreferences.

Choose whether you want Once, Often or Always, then add a new key called:

NSQuitAlwaysKeepsWindows of type boolean with value false.

Save your changes and do an MCX refresh on your clients (sudo mcxrefresh -n), and no more windows.

If you’re still reading, here is why I don’t want it. I work in a place where a lot of presentations are done, often in a hurry. So on Saturday night at home, on their own internet connection, let’s say a user is theoretically looking at something that doesn’t meet the safe-for-work criteria. When they run in late on Monday morning and plug their laptop into the projector while it is still starting up, having forgotten their weekend web browsing.. let’s just say it’s better for all involved that we don’t see their content.

The users can thank me later :)

3 Oct 2011

Using Custom Triggers with the Casper Suite

Until recently I had been quite happy strolling along with the built-in triggers: login, startup, logout etc. I was using these in combination with smart groups for package deployment or for determining which computers needed to run a script. I would create a smart group for, let’s say, all the computers that didn’t have a version of ClickView installed, then set it to install at startup.

I was asked recently what I was doing with custom triggers. The answer: I wasn’t; I was quite happy with the built-in triggers. Then a few days later another person asked me the same question. OK, it’s time to see what all the fuss is about. Let’s just say I implemented them pretty quickly.

I’ve created a custom trigger for a re-imaged computer. There are some applications that don’t package well, for example ones that generate files containing a unique identifier for the computer based on the MAC address. I was previously deploying these with smart groups for the computers that were missing the application.

Now I needed to do two things to have the application deployed on first boot:

  • Create a script that calls my custom trigger (setting the script to run “At Reboot” in Casper Admin) and assign it to the configuration in Casper Admin
  • Using the web interface of my JSS, create policies that are triggered by my custom trigger name

So part one is simple: you need a script that is pretty much one line:


#!/bin/sh
# Fire the custom trigger named "reimaged" so any policy using it runs now.
jamf policy -trigger reimaged

A couple of points here: the jamf command with the policy option needs to run as root; because we are running this as a first-boot script it automatically runs as the root user. If you were running the jamf policy command manually you should put sudo in front. It is also good practice to use the full path of the jamf command, which I have left out of the example above.

The word reimaged is the name of our custom trigger; you can call this anything you like, and you can create as many custom triggers as you like.

Now that the freshly imaged computer is going to check in with the JSS to see which policies have the trigger reimaged, we just need to set reimaged as a trigger. This is really easy: when creating the policy, in the General tab of your JSS select Other for the “Triggered By” option, then when the text box opens type the same trigger name as in your script, in this example “reimaged”. For execution frequency I select Ongoing, as we never know how often a computer will need to be reimaged.
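As an added example (not the script from the post), here is a fuller first-boot script that applies the two points above: it insists on running as root and calls the jamf binary by its full path, and it refuses trigger names that could not possibly match what was typed into the policy. The path /usr/sbin/jamf, the log file location and the EFFECTIVE_UID variable are assumptions of this example; check where your Casper client installed the binary.

```shell
#!/bin/sh
# Added example (not the post's own script): a first-boot script that fires a
# custom trigger with the safeguards the post describes (run as root, call the
# jamf binary by full path). JAMF_BIN defaults to /usr/sbin/jamf, where the
# Casper 8.x client installed it; the log path is an assumption.

JAMF_BIN="${JAMF_BIN:-/usr/sbin/jamf}"
LOG="${LOG:-/var/log/firstboot-trigger.log}"
EFFECTIVE_UID="${EFFECTIVE_UID:-$(id -u)}"   # overridable so the logic can be tested

# A trigger name is the token typed into the policy's "Other" box; keep it to
# letters, digits and a few separators so it matches the policy exactly.
valid_trigger_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# The jamf policy command requires root.
running_as_root() {
    [ "$EFFECTIVE_UID" -eq 0 ]
}

# Fire one custom trigger. Returns jamf's own exit status, or 2 for a bad
# trigger name, 3 when not root, 4 when the binary is missing.
fire_trigger() {
    trigger=$1
    valid_trigger_name "$trigger" || { echo "invalid trigger name: $trigger" >&2; return 2; }
    running_as_root || { echo "jamf policy must run as root" >&2; return 3; }
    [ -x "$JAMF_BIN" ] || { echo "jamf binary not found at $JAMF_BIN" >&2; return 4; }
    echo "$(date) firing trigger '$trigger'" >> "$LOG"
    "$JAMF_BIN" policy -trigger "$trigger" >> "$LOG" 2>&1
}

# Usage: sh firstboot.sh reimaged   (no argument: only define functions)
if [ $# -ge 1 ]; then fire_trigger "$1"; fi
```

The distinct exit codes make it obvious in the log whether a failed first boot was the binary, the trigger name or the privilege level rather than the policy itself.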

Please share your custom trigger usage, I’d like to see what others are using them for.

27 Sep 2011

Petting the Orange Fox

It’s that time of year where I need to refresh and create new SOEs. One thing I’ve decided I want to do better this year is the Firefox user experience. I’m tired of windows popping up making sure the users know their rights and welcoming them to Firefox. So here is a quick rundown of the modifications I packaged to provide a better Firefox user experience.

We’re on 10.6.8 and Firefox 6.0.2.

First of all I want to set the default homepage.

Navigate to /Applications/Firefox.app/Contents/MacOS

Create a file called “browserconfig.properties” and add the following lines:

browser.startup.homepage_reset=http://lisacherie.com
browser.startup.homepage=http://lisacherie.com

Next I’d like to remove the annoying popup on first launch asking if you would like to migrate a Safari or other profile. Create a file in the same directory called “override.ini” with the following:

[XRE]
EnableProfileMigrator=false

Now to turn off some features like auto-update which, if allowed to run free, might override my carefully selected customisations or worse just not work. I am also configuring Firefox to use the system-defined proxy. Some of the users where I work like to switch to anonymous proxies via the web browser (it’s nice to know our internet filtering works well!), so this will be locked to prevent change. These lockPref lines go in firefox.cfg, the file named in _config.js below:

lockPref("app.update.enabled", false);
lockPref("browser.rights.3.shown", true);
lockPref("browser.startup.homepage_override.mstone", "ignore");
lockPref("browser.startup.homepage", "http://lisacherie.com");
lockPref("browser.shell.checkDefaultBrowser", false);
lockPref("network.proxy.type", 5);
lockPref("profile.allow_automigration", false);
lockPref("profile.confirm_automigration", false);
lockPref("startup.homepage_override_url", "");
lockPref("startup.homepage_welcome_url", "");

Now, to let Firefox know to use these carefully crafted settings, create the file:
/Applications/Firefox.app/Contents/MacOS/defaults/pref/_config.js

and populate it with:

pref("general.config.obscure_value", 0);
pref("general.config.filename", "firefox.cfg");

Good luck! Remember to use the same permissions as the existing Firefox config files (watch out for the ACL). Please share if you find other useful customisations.
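As an added example (not from the post), the following shell function writes all four files described above into a bundle in one step, so the change can be scripted into the SOE build rather than created by hand. It assumes the Firefox 6 layout used above, where browserconfig.properties, override.ini and firefox.cfg live in Contents/MacOS and _config.js in Contents/MacOS/defaults/pref; the homepage is a parameter, and the function names are this example’s own. One detail the post does not mention: Firefox skips the first line of the .cfg file, so the file starts with a comment rather than a lockPref call.

```shell
#!/bin/sh
# Added example (not from the original post): write the four Firefox
# customisation files described in the post into a Firefox.app bundle.
# Assumes the Firefox 6-era layout: browserconfig.properties, override.ini and
# firefox.cfg in Contents/MacOS, _config.js in Contents/MacOS/defaults/pref.

# write_firefox_config <Contents/MacOS directory> <homepage URL>
write_firefox_config() {
    macos_dir=$1
    homepage=$2
    mkdir -p "$macos_dir/defaults/pref" || return 1

    # Default homepage, also used when a profile is reset.
    cat > "$macos_dir/browserconfig.properties" <<EOF
browser.startup.homepage_reset=$homepage
browser.startup.homepage=$homepage
EOF

    # Suppress the profile-migration prompt on first launch.
    cat > "$macos_dir/override.ini" <<'EOF'
[XRE]
EnableProfileMigrator=false
EOF

    # Locked preferences. Firefox ignores the first line of this file, so a
    # comment goes there rather than a lockPref call.
    cat > "$macos_dir/firefox.cfg" <<EOF
// firefox.cfg: Firefox skips this first line, keep it a comment
lockPref("app.update.enabled", false);
lockPref("browser.rights.3.shown", true);
lockPref("browser.startup.homepage_override.mstone", "ignore");
lockPref("browser.startup.homepage", "$homepage");
lockPref("browser.shell.checkDefaultBrowser", false);
lockPref("network.proxy.type", 5);
lockPref("profile.allow_automigration", false);
lockPref("profile.confirm_automigration", false);
lockPref("startup.homepage_override_url", "");
lockPref("startup.homepage_welcome_url", "");
EOF

    # Point Firefox at firefox.cfg, unobscured.
    cat > "$macos_dir/defaults/pref/_config.js" <<'EOF'
pref("general.config.obscure_value", 0);
pref("general.config.filename", "firefox.cfg");
EOF

    # World-readable like the bundle's own files. Ownership and any ACL still
    # have to match the rest of the bundle; that is left to the packaging step.
    chmod 644 "$macos_dir/browserconfig.properties" "$macos_dir/override.ini" \
              "$macos_dir/firefox.cfg" "$macos_dir/defaults/pref/_config.js"
}

# Check that a bundle locks a preference to the expected value.
# Usage: has_locked_pref <Contents/MacOS directory> <pref name> <value>
has_locked_pref() {
    grep -q "lockPref(\"$2\", $3);" "$1/firefox.cfg"
}

# Usage: sh firefox_config.sh /Applications/Firefox.app/Contents/MacOS http://lisacherie.com
if [ $# -ge 2 ]; then write_firefox_config "$1" "$2"; fi
```

The function only sets the file mode; as the post warns, ownership and any ACL on the new files must still match the rest of the bundle before it is packaged.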

28 Jun 2011

1 iPad, many users.. how do I support this?

A few things happened recently. I was asked to prepare a number of iPads that would be shared amongst a number of users, so that each user would have a clean iPad. The so-called cleaning needed to be quick and easy, so that a classroom teacher could do it at the end of class. I also needed to be certain the students would not accidentally leave things behind, like email accounts, iTunes accounts or passcodes. Sounds like fun.

Then I saw a really cool podcast on different approaches to working with a fleet of mobile devices. There was some kind of tool mentioned that showed a way to, let’s call it, re-image a mobile device in the same way you might re-image a lab computer. Perfect! I need this tool. I made contact with the vendor and attempted to purchase it for the organisation I work for. Then I was told I can’t buy it; it’s not available for purchase.

Crap!

So after feeling sorry for myself for a while (how am I going to get this project done?), I was reminded I had a software engineering degree. Maybe I could re-invent the wheel. Let’s think about this: in iTunes there is a handy feature to back up my iPhone (or insert device here). I always make sure I back up the backups of my iPhone, which are available in ~/Library/Application Support/MobileSync/Backup.

So I have a copy of what I want on each iPad, but damned if I know how to write a whole lot of files across to a USB device. I can’t exactly go cat file > “Lisa’s iPad”, but iTunes does know how to do this.

Let’s try and figure out how iTunes is doing this. Open Activity Monitor and display the processes hierarchically; this will let us see all the processes started by iTunes. Then, you got it, choose the option to restore my iPhone/iPad/insert device.

Very briefly another process appears, but it doesn’t stay visible long enough for me to grab a sample or click the button in Activity Monitor to grab the open files listing and learn where it’s hiding. So I have a pretty good idea of what the process might be called, but where does it live?

My good friend Terminal and lsof, an awesome tool to give you a list of the open files at a point in time. So let’s restore my iPad again and have Terminal ready to press enter on lsof. On the second try I pressed enter fast enough to get a massive long listing of open files (hint: close everything else on your computer to make this list shorter.. lol).

Eventually I find a very long path hidden in the /System directory with the same name as our mystery iTunes process.

Bring back terminal!

cd to the directory we just found and let’s try running the command, and we get the super friendly output:

AppleMobileBackup[9149:903] ERROR: No action specified on command-line

Crap. What now? There is no man page. Hmm, time to start guessing.

help

same output

--help

Part of the output included this:

Action (one required):
-b, --backup             perform a backup
-r, --restore            perform a restore

Oh YEAH!!

Now to start playing. Game on! I’ll re-invent the wheel yet, and if I do it my way it’s going to have awesome rims!

2 May 2011

CS5 and Network Homes

A while ago I mentioned that I would write up what I did to make CS5 play nice with network homes. Well, kind of nice; some of the apps just aren’t meant to be used with network homes.

First of all you’ll need to refer back to the earlier post I wrote about packaging CS5, and the post on MCX cache redirection.

  1. Package CS5 by selecting only the following applications (or the subset of the list below which you would like). It may be possible to have the other apps also work; in the environment I have I was unsuccessful. In any case, I’m not sure I want a large number of students video editing over the network with Premiere Pro :)
    • Photoshop
    • Media Player
    • Adobe Illustrator
    • Flash
    • Dreamweaver
    • Extension Manager
    • Flash Builder
    • Flash Catalyst
  2. Install Acrobat
  3. Refer to the earlier post and follow the instructions for licensing, updating, and packaging.
  4. Once packaged, you will need to make use of MCX cache redirection.
  5. Set up a login cache redirection for:
  6. It is also a good idea to set up the subsequent logout redirection depending upon your environment.

In the earlier post I mentioned the user template. Unfortunately with network home users you won’t be able to populate the user home when deploying with the Casper Suite. If you want particular preferences applied you will need to set them via MCX where possible, or use some other script or utility to propagate the files to each account’s home directory.

I hope this helps you out. If you have additional tips to get these or the other apps in the suite working well, or better, with network homes, please share!

As a side note, I’m pretty certain Adobe doesn’t support network homes with CS5, so it’s quite likely that from time to time strange behaviour or unexpected exiting of apps will occur.

19 Apr 2011

Flat batteries… Lost date and time

Back in the day there used to be an onboard battery which maintained the date and time of the system. These days it has been replaced with a capacitor. If you also did first year Introduction to Electrical Engineering then think hard (like I had to) and you’ll remember a capacitor holds a charge for a while before the charge is gradually lost.

All good until you bring students on summer holidays into the picture. I can tell you a large number do not use or charge their laptops over the holidays, and when they return to school the capacitor has lost all charge, also losing the system date and time. Once the date and time are lost the system clock reverts to 2001, flashes up a friendly warning about system instability, and presents difficulty joining wireless networks.

A rough script I have put together runs at startup, checks to see if the year is set to 2001, and if so sets the date to an arbitrary date within the range your NTP server will correct, then reboots. There is plenty of opportunity to make the script a bit smarter; I’ll leave that part for you. Please share if you come up with good ideas.

#!/bin/sh
# Runs at startup: if the clock has reverted to 2001, set a sane date so NTP
# can take over, then reboot.

DATE="04:19:11"   # mm:dd:yy, a date inside the range the NTP server will correct
YEAR=`/usr/sbin/systemsetup -getdate | cut -d '/' -f 3`

# Quote the variable (the test would break if YEAR were empty) and use a
# single =, the portable comparison in /bin/sh.
if [ "$YEAR" = "2001" ]
then
 echo "we have a match"
 /usr/sbin/systemsetup -setusingnetworktime off
 /usr/sbin/systemsetup -setdate "$DATE"
 /usr/sbin/systemsetup -setusingnetworktime on
 /sbin/reboot
fi
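
As an added example (not the post’s script) of the smarter version the post invites: parse the year out of systemsetup -getdate, treat any year below a floor as a dead clock rather than matching 2001 exactly, and do nothing when the output does not look like a date, so a changed output format cannot send the machine into a reboot loop. The floor of 2010, the function names and the variables holding the binary paths are this example’s assumptions; the fallback date is the post’s own.

```shell
#!/bin/sh
# Added example (not the post's script): a more defensive startup clock check.
# Assumptions: systemsetup -getdate prints m/d/yyyy (as the post's cut -f 3
# relies on), YEAR_FLOOR is the oldest plausible year (use your image's build
# year), and the binaries are where 10.6 put them. Commands are variables so
# the decision logic can be exercised without root.

YEAR_FLOOR="${YEAR_FLOOR:-2010}"
FALLBACK_DATE="${FALLBACK_DATE:-04:19:11}"   # mm:dd:yy, inside the NTP correction range
SYSTEMSETUP="${SYSTEMSETUP:-/usr/sbin/systemsetup}"
REBOOT="${REBOOT:-/sbin/reboot}"

# Extract the year from systemsetup -getdate output such as "4/19/2011".
# Fails (prints nothing) when the text does not look like a date.
year_from_getdate() {
    case "$1" in
        [0-9]*/[0-9]*/[0-9][0-9][0-9][0-9]) printf '%s\n' "${1##*/}" ;;
        *) return 1 ;;
    esac
}

# True when the year is numeric and below the floor.
clock_is_stale() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -lt "$YEAR_FLOOR" ]
}

# Decide from a getdate string: prints "reset", "ok" or "unparsed".
# An unparsed date is deliberately left alone rather than "fixed".
decide() {
    year=$(year_from_getdate "$1") || { echo "unparsed"; return 0; }
    if clock_is_stale "$year"; then echo "reset"; else echo "ok"; fi
}

# Startup routine: set a known date, re-enable network time, reboot.
fix_clock_if_stale() {
    current=$("$SYSTEMSETUP" -getdate)
    [ "$(decide "$current")" = "reset" ] || return 0
    "$SYSTEMSETUP" -setusingnetworktime off
    "$SYSTEMSETUP" -setdate "$FALLBACK_DATE"
    "$SYSTEMSETUP" -setusingnetworktime on
    "$REBOOT"
}

# Usage: sh fix_clock.sh --run   (from the startup item; no flag only defines functions)
if [ "${1-}" = "--run" ]; then fix_clock_if_stale; fi
```

Keeping the decision in a function that takes the getdate text as a parameter is what makes the three cases (stale, fine, unrecognised) easy to check on a desk before the script ever runs on a lab machine.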

22 Jan 2011

MCX, Managed Client, Cache redirection, disabling iTunes sharing, radio streams, standardising the desktop picture

I really like MCX, aka managed preferences. There are settings in the environment that need to be standardised for all users, and MCX allows me to make those settings centrally at a computer-wide level.

Using Workgroup Manager I usually apply MCX to computer groups. Looking at the GUI, the options available are useful but would appear limited; there are extra options that would be nice. By clicking the Details tab and choosing + you can pick additional preferences to manage. One of my favourites is ManagedClient: by choosing to import /System/Library/CoreServices/ManagedClient a number of additional preference options will appear. The options available in ManagedClient are so useful I am surprised more of these are not available in the GUI.

By clicking Edit, you will then have the opportunity to select whether to have the setting applied Always, Often, or Once; usually I go with Always. Here are some of my favourites:

Cache Redirection: We have a number of shared computers that could be used by any number of users. It doesn’t make sense to use local accounts, or even mobile accounts, so we use network home directories on these computers. By default everything is written back to the network home, including caches, which means a whole lot of extra traffic is going across the network and a whole lot of extra reads and writes to the network storage. Using MCX we can redirect the cache to a folder on the local disk, preventing all the extra traffic and read/write requests. The options you want are in com.apple.MCXRedirector.

You will create a Login Redirection, and a Logout Redirection, which each have a Redirect Action comprising the action, destination folder path, and folder path.

To redirect ~/Library/Caches for all users you would choose options as illustrated in the screenshot below. Please note the screenshot also lists an additional redirect for Adobe that helped the application work better in our environment.

Top Menu Icons: I like to customise the icons in the top menu bar; for example, I don’t want users having a Time Machine icon when, as a standard user on a shared lab computer, they can’t use Time Machine anyway. com.apple.mcxMenuExtras allows me to choose which items are displayed in that part of the screen real estate.

iTunes: Music sharing and radio streaming are great at home; I’m not overly thrilled about all that extra traffic and shared music libraries across the network. The options available in com.apple.iTunes allow both of these to be disabled, along with options to restrict store content intended for mature audiences.

Desktop pictures: Some users just have a knack for picking inappropriate desktop pictures. On your home computer, fine… On a shared lab computer, no thank you. By using com.apple.desktop you can preselect a nice tasteful desktop picture for your users. I typically do this for all shared computers that are in public spaces on campus. By default the options would only allow me to choose Once or Often; I manually copied the items to Always, ignored the orange alert about the manifests, and watched the standard picture appear (and stay). With the Once or Often options the picture will appear but can be changed; these options are useful for setting an initial picture.

That’s all for today, please share any of your favourite MCX options.