Providing website links via Casper Self Service policies

November 10, 2016

It’s often useful to provide a way for everyone in your shop to be able to look up commonly used websites. Methods I’ve seen of doing this include:

  • Wiki pages
  • Bookmarks deployed to browsers
  • Browser extensions

Another method is to use Casper’s Self Service plug-ins feature.


This makes it easy to set up website bookmarks, which then appear in a sidebar of Self Service.


The main drawback to this method is that you can’t scope these bookmarks to appear only to certain users or computers. They will appear on all managed computers and to all users. If you need one set of bookmarks available to Group A in your organization and a different set appearing to Group B, the Self Service plug-ins feature may not be the best solution.

Fortunately, you can solve this scoping issue using Casper policies and Self Service. For more details, see below the jump.


Race condition vulnerability fixed in CasperCheck

November 7, 2016

Recently, I was alerted by Todd Houle that his infosec folks had identified a vulnerability in CasperCheck that should be addressed.

The problem:

CasperCheck downloads a QuickAdd installer from a web server inside a .zip file and initially stores it in the /tmp directory. All users on the system have access to /tmp, so it was possible for a malicious unprivileged user to leverage a race condition to replace the downloaded .zip file with another .zip file of the same name.

Assuming the replaced .zip file passed CasperCheck’s check for being a valid .zip file, CasperCheck would then expand its contents into the /var/root/quickadd directory. If the malicious unprivileged user had placed their own installer package inside the replaced .zip file, the next time CasperCheck determined that it needed to install the Casper agent from its cached QuickAdd installer, it would install that package in place of the expected QuickAdd package.

The fix:

The vulnerability depends on the QuickAdd package being downloaded to a place where an unprivileged user can access it, so the fix is to download it to a place where only root has access. Todd fixed the issue by changing the designated download location as follows:

From: /tmp/quickadd.zip
To: $quickadd_dir/quickadd.zip, where the value of $quickadd_dir is /var/root/quickadd

Moving the download location to /var/root/quickadd means that the download is going to a location inside the root account’s home directory. Only root has write access to its home directory, which stops an account which doesn’t have root privileges from being able to swap out the .zip file.

Changes to CasperCheck:

Fortunately, the changes needed to implement this fix are minor and are in two places:

The quickadd_zip variable has changed:

From: /tmp/quickadd.zip
To: $quickadd_dir/quickadd.zip, where the value of $quickadd_dir is /var/root/quickadd


The update_quickadd function has been updated so that the following actions happen first:

  • The creation of the /var/root/quickadd directory, if that directory is not already present
  • The removal of existing files from the /var/root/quickadd directory
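The following shell functions are an added example, not CasperCheck’s own code, showing the staging pattern the fix describes: the download directory is created with root-only permissions and emptied before anything is downloaded, and a directory that other users can write to (which is what made /tmp exploitable) is refused outright. The symlink check, the `--` guard on curl and the directory argument are this example’s assumptions, not part of the script; the directory and file names follow the post.

```shell
#!/bin/bash
# Added example (not from CasperCheck): stage a downloaded QuickAdd .zip in a
# root-only directory, created and emptied before the download, instead of
# the world-writable /tmp directory the original script used.

# prepare_quickadd_dir DIR
# Create DIR (mode 0700) if it is missing and remove any leftover contents,
# matching the two actions the fix moves to the start of update_quickadd.
prepare_quickadd_dir() {
    dir="$1"
    [ -n "$dir" ] || return 1
    if [ ! -d "$dir" ]; then
        mkdir -p "$dir" || return 1
    fi
    chmod 700 "$dir" || return 1
    # Delete stale files (an old quickadd.zip or an expanded package).
    find "$dir" -mindepth 1 -delete
}

# staging_dir_is_private DIR
# Succeed only if DIR is a real directory (not a symlink) that no group or
# other user can write to; a shared directory is what allowed the race.
staging_dir_is_private() {
    dir="$1"
    [ -d "$dir" ] || return 1
    [ -L "$dir" ] && return 1
    # -perm with a symbolic mode works with both BSD (macOS) and GNU find.
    writable=$(find "$dir" -maxdepth 0 \( -perm -g+w -o -perm -o+w \))
    [ -z "$writable" ]
}

# stage_quickadd_zip DIR URL
# Prepare DIR, refuse to continue if it is shared, then download the archive
# into it and confirm it is a valid .zip before anything expands it.
stage_quickadd_zip() {
    dir="$1"
    url="$2"
    prepare_quickadd_dir "$dir" || return 1
    if ! staging_dir_is_private "$dir"; then
        echo "refusing to stage into a shared directory: $dir" >&2
        return 1
    fi
    curl -fsSL -o "$dir/quickadd.zip" -- "$url" || return 1
    unzip -tq "$dir/quickadd.zip" >/dev/null 2>&1
}

# Usage (as root, with the directory named in the post; the URL is a
# placeholder for your own distribution point):
#   stage_quickadd_zip /var/root/quickadd "https://server.example.com/quickadd.zip"
```

Because /var/root is only reachable by root, the mkdir and chmod are not themselves racing anyone; the `staging_dir_is_private` check exists so that the script fails loudly if someone later points `quickadd_dir` back at a shared location.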

I’ve posted an updated CasperCheck script with the described changes to the following location:

https://github.com/rtrouton/CasperCheck/blob/master/script/caspercheck.sh

If you’re a CasperCheck user, I recommend updating to the latest version at your earliest convenience.

The changes to the script can be seen here:

https://github.com/rtrouton/CasperCheck/commit/35e4e1d6ba9f363b894b36535b151637eb70602e


Hat tip: Thanks to Todd for alerting me to this issue and providing help to fix it.

Session videos from JAMF Nation User Conference 2016 now available

November 4, 2016

Jamf has posted the session videos from JAMF Nation User Conference 2016, including the video for my documentation session.

For those interested, all of the JNUC 2016 session videos are available on YouTube. For convenience, I’ve linked my session here.

Not all installed fonts may be displayed in some applications’ font menu lists

November 3, 2016

Recently, one of my customers had a problem with a font he needed not showing up in all applications. In this particular case, he wanted to use the Symbol font in a Keynote presentation he was preparing, but it did not appear in Keynote’s font list.


Meanwhile, the Symbol font did appear in PowerPoint 2016’s font list.


It was possible to copy and paste text in that font from PowerPoint into Keynote, but the font list in Keynote then showed a blank entry in place of the font’s name.


What was going on? For more details, see below the jump.


Enabling the “Remove items from the Trash after 30 days” setting on macOS Sierra

October 30, 2016

A new feature in macOS Sierra is the ability to have items placed in the Trash deleted automatically after 30 days. This option can be set in the Finder preferences using the process shown below:

1. Open the Finder preferences


2. Select the Advanced options


3. Check the Remove items from the Trash after 30 days checkbox.


It’s also possible to enable or disable this setting from the command line. To enable the Remove items from the Trash after 30 days setting, the following defaults command can be run by the logged-in user:

defaults write com.apple.finder FXRemoveOldTrashItems -bool true


To disable it, the following defaults command can be run by the logged-in user:

defaults write com.apple.finder FXRemoveOldTrashItems -bool false


For those who want to enable the Remove items from the Trash after 30 days setting using management profiles, I’ve created a .mobileconfig file and posted it here on Github:

https://github.com/rtrouton/profiles/tree/master/RemoveTrashAfter30Days


Fixing server connection issues by changing network interface order

October 25, 2016

I had one of my customers report a problem today after applying software updates to his Mac. His Mac had been able to automount certain network shares via NFS before the updates, but was unable to access those shares following the updates.

I connected remotely to the Mac and verified that I was unable to manually mount the NFS mounts.

When I tried to run the showmount command to get a list of the available NFS mounts on the server, I also received a timeout message.

I was about to send this on to the team that handled our NFS shares when I remembered I hadn’t verified that I could reach the server at all. Sure enough, I couldn’t.

I could ping Yahoo, however, so I could reach the internet.

So I couldn’t access an internal network resource, but I could access the internet. What made this puzzling was that I was connecting remotely to the Mac via the IP address associated with this person’s Ethernet address. This IP address should not have had issues accessing internal network resources. What had happened? For more, see below the jump.


Slides from the documentation session at JAMF Nation User Conference 2016

October 20, 2016

For those who wanted a copy of my documentation talk at JAMF Nation User Conference 2016, here are links to the slides in PDF and Keynote format.

PDF – http://tinyurl.com/JNUC2016DocPDF

Keynote – http://tinyurl.com/JNUC2016DocKeynote
