The trick is going to be getting a script on a computer that isn't already managed. As far as additions, would likely just need a script to run a newly found computer to run recon. I've been doing some thinking on this and unless Casper has some way to accept remote delete commands, I'm not sure that this is possible.

#delete the managed preferences that set the SUS to internal servers (must be run as root)
defaults delete "/Library/Managed Preferences/" CatalogURL
defaults delete "/Library/Managed Preferences/$user/" CatalogURL

Alternatively, a coworker mentioned that we could try using a load balancer for internal and external traffic back to our internal patch server.

Active network scanning for client additions/deletions to Casper

if || then
echo "Computer is on the internal network, leaving SUS settings alone"
echo "Computer is on an external network, changing SUS back to default"
#determine if one or more ip address is internal
if & then
echo "Error did not retrieve an IP address"
#error handling to make sure we have retrieved at least one good IP address
Please correct the trigger that is being used to run the policy."
#getting the first 7 bytes of the IP address to see if the address is internal or external
en0ipsuffix=$(ifconfig en0 inet | grep inet | cut -d" " -f2 | cut -b1-7)
en1ipsuffix=$(ifconfig en1 inet | grep inet | cut -d" " -f2 | cut -b1-7)
echo "Error: This script must be run at the login trigger.

On the other hand, I have created a script that will look for the en0 and en1 IP addresses, figure out if it needs to change the SUS settings and, if the computer is on an external domain, delete the settings files we are pushing and set things back to default.

Have talked to JAMF and a possible workaround is we create another Casper server in the DMZ that clients can talk to and if they are outside of the TCU network have them update the.

.plist for the update server is only programmed to accept one variable.
o Also investigate a way to specify multiple update servers in the plist

So if it's off and Ethernet or Wi-Fi is checked (and Wi-Fi is in use) it will still behave badly.

Active Patch Management (pushing, scheduling and monitoring patches)

Computers that are powered on and have network connection between the hours of 12:01AM-7:59AM and 10:01PM-11:59PM on every Saturday install patches

Computers that need to have forced patch installs can be added to a special policy as required.

You have to check another option like FireWire or Bluetooth that wouldn't normally have TCP/IP traffic and then turn ICS off for the impersonation to go away. If you just turn this off in System Preferences it doesn't actually stop impersonating. Macs with this turned on tend to exhibit weird behavior on our network, aka impersonating other computers for no reason. But that doesn't actually solve the problem. I have a script that can indeed turn it off. Lastly, I created a policy to deploy the script to all the iMacs and ran it.

Disabling of the Internet Sharing setting across the board.

/usr/sbin/networksetup -setnetworkserviceenabled Wi-Fi off

From there, I created a smart group in Casper that put all of the iMacs into a single group.

/usr/sbin/networksetup -setnetworkserviceenabled Airport off
#10.6 Wireless is referenced as Airport and 10.7 is referenced as Wi-Fi
OS= /usr/bin/defaults read /System/Library/CoreServices/SystemVersion ProductVersion | awk ''

I created a bash file called disablewifi.sh

Wi-Fi off for iMacs (presently defaults to on)

SSH (remote login) only for admins (presently all users)

Therefore, any firewall changes have to be pushed via a dmg that overwrites the file with root access and this has been done. Also OSX does not respect Casper trying to update the.

However this can only be done on an application basis and it requires you auth every time you make a change.

.plist files on the machine does adjust the exceptions in the firewall policy.
Firewall on with exceptions (presently disabled)