Generating multiple-use Casper QuickAdd installer packages using the JSS
As part of the process of upgrading my Casper server, I generally create a new installer for the Casper agent in the form of a QuickAdd installer package. This process usually looks like this:
1. Update the Casper Suite applications on the Mac where I’m generating the new QuickAdd installer package.
2. Open Casper Recon.
3. Sign into Casper Recon.
4. Select QuickAdd Package from the Recon sidebar.
5. Set up the desired options for the QuickAdd installer package.
6. Click the Create button.
7. Choose a name for the new QuickAdd installer package.
8. Wait for Recon to create the QuickAdd installer package.
9. Take the newly-created QuickAdd package and use it to replace the existing QuickAdd packages used by CasperCheck and my deployment workflows.
The reason I use this process is that Casper’s Recon application is able to generate a QuickAdd installer package with an unlimited enrollment invitation. With an unlimited enrollment invitation, I can use the same QuickAdd installer package multiple times to enroll multiple machines. This is in contrast to the user-based enrollment process via the JSS, which by default generates a QuickAdd installer package with a one-time-use enrollment invitation.
I have this Recon-based process documented, but it’s always been something I’ve wanted to automate at least somewhat. Recently, as part of a discussion with my colleague Tom Larkin, I learned that a Casper JSS server which is configured to send out emails is capable of generating enrollment invitation emails, which include a link to download a JSS-generated QuickAdd. That invitation can be set to link to a QuickAdd with an unlimited enrollment invitation and an expiration date many years in the future, which effectively gives me the ability to generate the QuickAdd installer packages I want without the need to use Casper’s Recon application. For more details, see below the jump.
Pre-requisites:
- Casper server configured to send emails
- Casper server configured to allow user-initiated enrollment of computers
Once the pre-requisites have been put in place, verify that your JSS account has the needed account privileges in order to be able to generate and send enrollment invitations via email.
If you want the user account to generate new invitations, here are the necessary JSS Objects privileges:
Under JSS Objects:
Computer Enrollment Invitations: Create, Read, Update
Mobile Device Enrollment Invitations: Create, Read, Update
Mobile Devices: Read
If you want the user account to also be able to delete existing invitations, here are the necessary JSS Objects privileges:
Computer Enrollment Invitations: Create, Read, Update, Delete
Mobile Device Enrollment Invitations: Create, Read, Update, Delete
Mobile Devices: Read
In both cases, here are the necessary JSS Actions privileges:
Send Email to End Users via JSS: selected
In my testing, no other account privileges were required. Next, verify that your user-initiated computer enrollment is set up with the desired settings.
Once your account privileges are set and user-initiated computer enrollment is configured, here’s how to generate and send an enrollment invitation via email.
1. Log into the JSS
2. Select Enrollment Invitations
3. Click the New button to start the invitation process.
4. In the Specify Recipients window, enter the desired email address for the invitation then click the Next button.
5. In the Configure the Invitation Message window, set up the invitation message as desired then click the Next button.
6. In the Configure Invitation Security window, do the following:
A. Set the expiration date as far in the future as desired. As an example, I’ve set the expiration date to December 31st, 2030 at 11:59 PM, which is as far in the future as is currently possible.
B. Check the Allow multiple uses checkbox.
Once both the expiration date and Allow multiple uses settings are configured as desired, click the Next button.
7. In the Complete window, click the Done button.
Once the invitation has been generated and sent, check the email address in question. There should be an email from the Casper server with a link similar to the one shown below.
Once you’ve clicked the link, you should be walked through the process of downloading the newly-created QuickAdd package.
Once the package has been built, test it by installing the QuickAdd installer package on at least two test machines which do not have Casper installed. The end result should be that the Casper agent installs on the test machines and enrolls them successfully with the Casper server. The reason to install on more than one machine is to verify that the multiple uses invitation was set up properly.
A couple of things to be aware of:
1. Once created, the enrollment invitation will be listed in the Casper server’s Enrollment Invitations section. If you delete the listing for the enrollment invitation, you also remove the enrollment invitation embedded in the QuickAdd package. The result is that the QuickAdd will no longer be able to enroll Macs with the Casper server and a new QuickAdd installer package will need to be created.
2. As part of the QuickAdd creation process, the Casper server does a lookup of the email address via LDAP to see if it can identify who is associated with the email address. It then adds that information to the computer inventory as part of the enrollment process, via a postinstall script in the QuickAdd installer package.
For the most part, this is harmless and may just mean that your JSS initially has the wrong user information for a particular machine. If desired, you can use pkgutil to expand the QuickAdd package, edit the postinstall script, then re-flatten the QuickAdd package. Expanding and re-flattening removes any package signing, so re-signing the package may be needed.
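As an added example that is not part of the original post, here is a shell script for the expand, edit, re-flatten and re-sign workflow just described. It assumes macOS with pkgutil and productsign available, a Developer ID Installer identity in the keychain, and that you have already inspected the expanded Scripts/postinstall to pick the line pattern to disable, since the post does not show the script’s contents.

```shell
#!/bin/sh
# Added example (not from the original post): expand a QuickAdd installer
# package, disable chosen lines in its postinstall script, re-flatten it,
# and re-sign it. Assumes macOS (pkgutil, productsign) and a
# "Developer ID Installer" certificate in the login keychain.
set -eu

# Comment out every line of a postinstall script that matches PATTERN
# (a basic regular expression without "/"). Which pattern to use depends on
# what the JSS put in the script; inspect the expanded Scripts/postinstall
# first. This part is plain POSIX shell and can be tested without macOS.
neutralize_postinstall() {
    script="$1"; pattern="$2"
    tmp="$script.tmp"
    # Prefix matching lines with "# disabled: " so the original stays auditable.
    sed "/$pattern/s/^/# disabled: /" "$script" > "$tmp"
    mv "$tmp" "$script"
    chmod 755 "$script"
}

# Count the lines that are still live (neither comments nor blank) in a script.
live_lines() {
    grep -c -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" || true
}

# Expand PKG into a work dir, edit Scripts/postinstall, flatten to OUT_PKG,
# then sign with IDENTITY and verify the resulting signature.
rebuild_quickadd() {
    pkg="$1"; pattern="$2"; out_pkg="$3"; identity="$4"
    work=$(mktemp -d)
    pkgutil --expand "$pkg" "$work/expanded"
    neutralize_postinstall "$work/expanded/Scripts/postinstall" "$pattern"
    pkgutil --flatten "$work/expanded" "$work/unsigned.pkg"
    # Expanding and flattening strips the original signature; sign a fresh copy.
    productsign --sign "$identity" "$work/unsigned.pkg" "$out_pkg"
    pkgutil --check-signature "$out_pkg"
    rm -rf "$work"
}

# Usage: sh rebuild.sh --rebuild QuickAdd.pkg 'PATTERN' QuickAdd-edited.pkg \
#        'Developer ID Installer: Your Org (TEAMID)'
if [ "${1:-}" = "--rebuild" ]; then
    rebuild_quickadd "$2" "$3" "$4" "$5"
fi
```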