Home > Casper, JSS, Mac administration, Mac OS X, macOS > Generating multiple-use Casper QuickAdd installer packages using the JSS

Generating multiple-use Casper QuickAdd installer packages using the JSS

As part of the process of upgrading my Casper server, I generally create a new installer for the Casper agent in the form of a QuickAdd installer package. This process usually looks like this:

1. Update the Casper Suite applications on the Mac where I’m generating the new QuickAdd installer package.

2. Open Casper Recon.

Screen Shot 2016 08 13 at 10 23 59 PM

3. Sign into Casper Recon.

Screen Shot 2016 08 13 at 10 24 58 PM

4. Select QuickAdd Package from the Recon sidebar.

Screen Shot 2016 08 13 at 10 26 45 PM

5. Set up the desired options for the QuickAdd installer package.

Screen Shot 2016 08 13 at 10 27 41 PM

6. Click the Create button.

Screen Shot 2016 08 13 at 10 27 42 PM

7. Choose a name for the new QuickAdd installer package.

Screen Shot 2016 08 13 at 10 28 06 PM

8. Wait for Recon to create the QuickAdd installer package.

Screen Shot 2016 08 13 at 10 28 43 PM

9. Take the newly-created QuickAdd package and use it to replace the existing QuickAdd packages used by CasperCheck and my deployment workflows.

Screen Shot 2016 08 13 at 10 29 31 PM

The reason I use this process is that Casper’s Recon application is able to generate a QuickAdd installer package with an unlimited enrollment invitation. With an unlimited enrollment invitation, I can use the same QuickAdd installer package multiple times to enroll multiple machines. This is in contrast the user-based enrollment process via the JSS, which by default generates a QuickAdd installer package with a one-time-use enrollment invitation.

I have this Recon-based process documented, but it’s always been something I’ve wanted to automate at least somewhat. Recently, as part of a discussion with my colleague Tom Larkin, I learned that a Casper JSS server which is configured to send out emails is capable of generating enrollment invitation emails, which include a link to download a JSS-generated QuickAdd. That invitation can be set to link to a QuickAdd with an unlimited enrollment invitation and an expiration date many years in the future, which effectively gives me the ability to generate the QuickAdd installer packages I want without the need to use Casper’s Recon application. For more details, see below the jump.

Pre-requisites:

Once the pre-requisites have been put in place, verify that your JSS account has the needed account privileges in order to be able to generate and send enrollment invitations via email.

If you want the user account to generate new invitations, here are the necessary JSS Objects privileges:

Under JSS Objects:

Computer Enrollment Invitations: Create, Read, Update
Computers: Read
Mobile Device Enrollment Invitations: CreateReadUpdate
Mobile Devices: Read

Screen Shot 2016 08 17 at 4 00 57 PM

Screen Shot 2016 08 17 at 4 01 03 PM

 

If you want the user account to also be able to delete existing invitations, here are the necessary JSS Objects privileges:

Computer Enrollment Invitations: CreateReadUpdate, Delete
Computers: Read
Mobile Device Enrollment Invitations: CreateReadUpdateDelete
Mobile Devices: Read

Screen Shot 2016 08 17 at 3 55 58 PM

Screen Shot 2016 08 17 at 3 56 08 PM

 

In both cases, here are the necessary JSS Actions privileges:

Send Email to End Users via JSS: selected

Screen Shot 2016 08 17 at 3 55 33 PM

In my testing, no other account privileges were required. Next, verify that your user-initiated computer enrollment is set up with the desired settings.

Screen Shot 2016 08 17 at 8 22 48 PM

Once your account privileges are set and user-initiated computer enrollment is configured, here’s how to generate and send enrollment invitation via email.

1. Log into the JSS
2. Select Enrollment Invitations

Screen Shot 2016 08 18 at 8 19 29 AM

3. Click the New button to start the invitation process.

Screen Shot 2016 08 18 at 8 35 47 AM

4. In the Specify Recipients window, enter the desired email address for the invitation then click the Next button.

Screen Shot 2016 08 17 at 3 36 50 PM

5. In the Configure the Invitation Message window, set up the invitation message as desired then click the Next button.

Screen Shot 2016 08 17 at 3 36 35 PM

6. In the Configure Invitation Security window, do the following:

A. Set the expiration date as far in the future as desired. As an example, I’ve set the expiration date to December 31st, 2030 at 11:59 PM, which is as far in the future as is currently possible.

Screen Shot 2016 08 17 at 8 20 49 PM

B. Check the Allow multiple uses checkbox.

Screen Shot 2016 08 17 at 8 20 50 PM

Once both the expiration date and Allow multiple uses settings are configured as desired, click the Next button.

Screen Shot 2016 08 17 at 8 20 48 PM

7. In the Complete window, click the Done button.

Screen Shot 2016 08 17 at 3 37 30 PM

Once the invitation has been generated and sent, check the email address in question. There should be an email from the Casper server with a link similar to the one shown below.

Screen Shot 2016 08 17 at 3 39 42 PM

Once you’ve clicked the link, you should be walked through the process of downloading the newly-created QuickAdd package.

Screen Shot 2016 08 17 at 3 38 01 PM

Screen Shot 2016 08 17 at 3 38 09 PM

Screen Shot 2016 08 17 at 3 38 48 PM

Testing:

Once the package has been built, test it by taking the QuickAdd installer package to at least two test machines which do not have Casper installed and install it. The end result should be that the Casper agent installs on the test machines and enrolls them successfully with the Casper server. The reason to install on more than one machine is to verify that the multiple uses invitation was set up properly.

Additional notes:

1. Once created, the enrollment invitation will be listed in the Casper server’s Enrollment Invitations section. If you delete the listing for the enrollment invitation, you also remove the enrollment invitation embedded in the QuickAdd package. The result is that the QuickAdd will no longer be able to enroll Macs with the Casper server and a new QuickAdd installer package will need to be created.

2. As part of the QuickAdd creation process, the Casper server does a lookup of the email address via LDAP to see if it can identify who is associated with the email address. It then adds that information to the computer inventory as part of the enrollment process, via a postinstall script in the QuickAdd installer package.

Screen Shot 2016 08 18 at 8 27 06 AM

Screen Shot 2016 08 18 at 8 54 45 AM

For the most part, this is harmless and may just mean that your JSS initially has the wrong user information for a particular machine. If desired, you can use pkgutil to expand the QuickAdd package, edit the postinstall script, then re-flatten the QuickAdd package. Expanding and re-flattening removes any package signing, so re-signing the package may be needed.

  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: