Archive

Archive for the ‘Casper’ Category

Providing access to Apple software updates from Jamf Pro’s Self Service

February 26, 2017 Leave a comment

For shops that want to help their customers stay on top of Apple software updates without forcing those updates to be applied, there is a convenient URL that can be used:

macappstore://showUpdatesPage

When this URL is called from the command line using the open command, the following actions take place:

  1. The App Store application launches
  2. The Updates page loads.
  3. The Mac automatically checks for Apple OS updates and updates for applications purchased through the Mac App Store (MAS).

The relevant command is shown below and can be run without root privileges:

open macappstore://showUpdatesPage

For folks using Jamf Pro (the management solution formerly known as Casper), this command can be leveraged to provide a way for customers to easily check for Apple and MAS software updates on their own schedule. For more details, see below the jump.

Read more…

Providing access to Mac App Store applications via Self Service policies

November 30, 2016 Leave a comment

In my shop, we’re not currently using Apple’s VPP program for purchasing applications from the Mac App Store (MAS). However, we do want to make it convenient for our users to be able to access and install some commonly used applications which are available from the App Store. Casper 9.4 and later natively supports providing access to MAS applications, but this approach is more focused on VPP-purchased applications. In my shop’s case, our customers are more likely to purchase apps from the MAS using Apple’s consumer payment model and then get reimbursed.

To help with this, I originally used a process similar to this one developed by Bryson Tyrell. I wanted to make the process more modular though, where I only needed to supply a URL from the MAS and have a scripted solution handle the rest. For more details, see below the jump.

Read more…

Categories: Casper, Mac OS X, macOS, Scripting

Providing website links via Casper Self Service policies

November 10, 2016 Leave a comment

It’s often useful to provide a way for everyone in your shop to be able to look up commonly used websites. Methods I’ve seen of doing this include:

  • Wiki pages
  • Bookmarks deployed to browsers
  • Browser extensions

Another method is to use Casper’s Self Service plug-ins feature.

Screen Shot 2016 11 10 at 9 57 09 AM

Screen Shot 2016 11 10 at 9 56 55 AM

This makes it easy to set up website bookmarks, which then appear in a sidebar of Self Service.

Self Service URL plug in

The main drawback to this method is you can’t scope these bookmarks to appear only to certain users or computers. These will appear on on all managed computers and to all users. If you need to have one set of bookmarks available to Group A in your organization, and a different set of bookmarks appearing to Group B, the Self Service plug-ins feature may not be the best solution.

Fortunately, you can solve this scoping issue using Casper policies and Self Service. For more details, see below the jump.

Read more…

Race condition vulnerability fixed in CasperCheck

November 7, 2016 Leave a comment

Recently, I was alerted by Todd Houle that his infosec folks had identified an vulnerability with CasperCheck that should be addressed.

The problem:

CasperCheck downloads a QuickAdd installer from a web server inside a .zip file and initially stores it in the /tmp directory. All users on the system have access to /tmp, so it was possible for an malicious unprivileged user to leverage a race condition to replace the downloaded .zip file with another .zip file with the same name.

Assuming that the replaced .zip file was valid and passed the check for being a valid .zip file, CasperCheck would then expand the contents of the replaced .zip file into the /var/root/quickadd directory. Assuming that the malicious unprivileged user had their own installer package stored inside the replaced .zip file, the next time that CasperCheck would determine that it needs to install the Casper agent via its cached QuickAdd installer, it would instead install that installer package in place of the expected QuickAdd package.

The fix:

The vulnerability assumes that the QuickAdd package is being downloaded to a place where an unprivileged user can access it, so the implemented fix to this problem is to download it to a place where only root has access. Todd fixed the issue by changing the designated download location to the following:

From: /tmp/quickadd.zip
To: $quickadd_dir/quickadd.zip, where the value of $quickadd_dir is /var/root/quickadd

Moving the download location to /var/root/quickadd means that the download is going to a location inside the root account’s home directory. Only root has write access to its home directory, which stops an account which doesn’t have root privileges from being able to swap out the .zip file.

Changes to CasperCheck:

Fortunately, the changes needed to implement this fix are minor and are in two places:

The quickadd_zip variable has changed:

From: /tmp/quickadd.zip
To: $quickadd_dir/quickadd.zip, where the value of $quickadd_dir is /var/root/quickadd

Screen Shot 2016 11 07 at 9 57 13 AM

 

The update_quickadd function has been updated, to move the following actions to be first:

  • The creation of the /var/root/quickadd directory, if that directory is not already present
  • The removal of existing files from the /var/root/quickadd directory
 
Screen Shot 2016 11 07 at 9 57 52 AM
 

I’ve posted an updated CasperCheck script with the described changes to the following location:

https://github.com/rtrouton/CasperCheck/blob/master/script/caspercheck.sh

If you’re a CasperCheck user, I recommend updating to the latest version at your earliest convenience.

The changes to the script can be seen here:

https://github.com/rtrouton/CasperCheck/commit/35e4e1d6ba9f363b894b36535b151637eb70602e

 

Hat tip: Thanks to Todd to alerting me to this issue and providing help to fix it.

Building a Casper smart group containing Sierra-incompatible Macs

September 20, 2016 2 comments

As part of preparing for macOS Sierra, I’m planning to provide a way for my customers to upgrade themselves to Sierra via Casper’s Self Service. Unlike the upgrade process I was able to provide for OS X Yosemite and El Capitan, where I could filter based on whether or not a particular Mac could run OS X 10.8.x, Sierra’s system requirements exclude some Macs which can support running OS X El Capitan.

To help make sure that Self Service wasn’t providing the option of upgrading to macOS Sierra to a Mac which couldn’t run it, I needed to compile lists of which Mac models could and couldn’t run macOS Sierra, based on the system requirements that Apple provided. For more details, see below the jump:

Read more…

Suppressing the iCloud and Diagnostics pop-up windows using profiles with Casper 9.93

August 24, 2016 Leave a comment

As part of the release of Casper 9.93, JAMF has added options for suppressing the iCloud and Diagnostics pop-up windows to the following MDM profile payloads:

  • Login Window
  • Security & Privacy

The iCloud pop-up window can be managed via the Login Window profile payload. To suppress the iCloud pop-up window, click on the Options tab for that payload and check the Disable Apple ID setup during login option.

Screen Shot 2016 08 24 at 8 45 59 AM

 

The Diagnostics pop-up window can be managed via the Security & Privacy profile payload. To suppress the Diagnostics pop-up window, click on the Privacy tab for that payload and uncheck the Allow sending diagnostic and usage data to Apple, and sharing crash data and statistics with app developers option.

Screen Shot 2016 08 24 at 8 46 30 AM

Generating multiple-use Casper QuickAdd installer packages using the JSS

August 18, 2016 Leave a comment

As part of the process of upgrading my Casper server, I generally create a new installer for the Casper agent in the form of a QuickAdd installer package. This process usually looks like this:

1. Update the Casper Suite applications on the Mac where I’m generating the new QuickAdd installer package.

2. Open Casper Recon.

Screen Shot 2016 08 13 at 10 23 59 PM

3. Sign into Casper Recon.

Screen Shot 2016 08 13 at 10 24 58 PM

4. Select QuickAdd Package from the Recon sidebar.

Screen Shot 2016 08 13 at 10 26 45 PM

5. Set up the desired options for the QuickAdd installer package.

Screen Shot 2016 08 13 at 10 27 41 PM

6. Click the Create button.

Screen Shot 2016 08 13 at 10 27 42 PM

7. Choose a name for the new QuickAdd installer package.

Screen Shot 2016 08 13 at 10 28 06 PM

8. Wait for Recon to create the QuickAdd installer package.

Screen Shot 2016 08 13 at 10 28 43 PM

9. Take the newly-created QuickAdd package and use it to replace the existing QuickAdd packages used by CasperCheck and my deployment workflows.

Screen Shot 2016 08 13 at 10 29 31 PM

The reason I use this process is that Casper’s Recon application is able to generate a QuickAdd installer package with an unlimited enrollment invitation. With an unlimited enrollment invitation, I can use the same QuickAdd installer package multiple times to enroll multiple machines. This is in contrast the user-based enrollment process via the JSS, which by default generates a QuickAdd installer package with a one-time-use enrollment invitation.

I have this Recon-based process documented, but it’s always been something I’ve wanted to automate at least somewhat. Recently, as part of a discussion with my colleague Tom Larkin, I learned that a Casper JSS server which is configured to send out emails is capable of generating enrollment invitation emails, which include a link to download a JSS-generated QuickAdd. That invitation can be set to link to a QuickAdd with an unlimited enrollment invitation and an expiration date many years in the future, which effectively gives me the ability to generate the QuickAdd installer packages I want without the need to use Casper’s Recon application. For more details, see below the jump.

Read more…

%d bloggers like this: