Category: Scripting and Packaging (Page 1 of 2)

Binding Macs to AD using Munki’s Configuration Profile support

Although the trend is to move away from binding Macs to Active Directory (most commonly using NoMAD), we’re still binding for various reasons:

  • Being able to authenticate with domain credentials for doing things that require admin privileges.
  • Being able to connect remotely using domain credentials.
  • Computer labs and other multi-user Macs.
  • We’re still using AD mobile accounts, for now.

Originally, we would bind Macs to AD as part of our DeployStudio imaging workflow. Unfortunately, we faced a couple of drawbacks with this approach:

  • By installing/configuring something only when imaging, you’re not enforcing the setting – it’s a one-shot thing. In the future, the setting could change, or the application might require an update, but you’re not going to reimage your entire fleet every time that happens.
  • When we moved from DeployStudio to Imagr, we needed to trim our workflows to be as slim as possible.

With the help of Graham Gilbert’s tutorial, we were able to move AD binding to Munki. This also gave us an unexpected benefit: in the past, we frequently found that the binding on Macs would randomly break. This was a major issue in the classrooms, where students and faculty would not be able to log in to computers and start class. Moving this to Munki with a custom installcheck_script made it “self-healing” – every 1-2 hours, Munki will rebind the Mac, if necessary (or prompt the user to do this through Managed Software Center).

For the past year, there’s been a big push to move to configuration profiles for applying settings. Luckily, you can use the “directory” payload to bind to AD! However, it’s just running dsconfigad in the background anyway, so it’s entirely possible for your Mac’s binding to be broken, but the AD profile to show as successfully installed. The MDM protocol currently has no method of determining if the AD profile should be reinstalled, so Munki is a much more logical choice for deploying this. Armin Briegel’s tutorial was instrumental in assisting with this transition.

Code and usage instructions are available in my GitHub repository.
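
The self-healing check described above can be sketched as a Munki installcheck_script. This is an added example, not the code from my repository or from the tutorials mentioned; the domain `ad.example.com` and the lookup account `svc-lookup` are placeholder assumptions, and the sample `dsconfigad -show` output is constructed.

```shell
#!/bin/sh
# Added example: Munki installcheck_script sketch. Munki treats exit 0 as
# "install needed" and any non-zero exit as "nothing to do".
EXPECTED_DOMAIN="ad.example.com"   # assumption: placeholder domain
TEST_USER="svc-lookup"             # assumption: AD-only account, never cached locally

# Extract the joined domain from `dsconfigad -show` output read on stdin.
bound_domain() {
    awk -F' = ' '/^Active Directory Domain/ { print $2; exit }'
}

# Classify the binding from the show output ($1) and the exit status of a
# directory lookup ($2). Prints: healthy | unbound | wrong-domain | lookup-failed
binding_state() {
    domain=$(printf '%s\n' "$1" | bound_domain)
    if [ -z "$domain" ]; then
        echo unbound
    elif [ "$domain" != "$EXPECTED_DOMAIN" ]; then
        echo wrong-domain
    elif [ "$2" -ne 0 ]; then
        echo lookup-failed      # bound on paper, but AD lookups do not resolve
    else
        echo healthy
    fi
}

# Constructed sample of `dsconfigad -show` output, for offline demonstration.
SAMPLE_SHOW='Active Directory Forest          = ad.example.com
Active Directory Domain          = ad.example.com
Computer Account                 = lab-mac-01$'

# Only runs where dsconfigad exists (i.e. on a Mac under Munki).
if command -v dsconfigad >/dev/null 2>&1; then
    show=$(dsconfigad -show 2>/dev/null)
    rc=0
    id -u "$TEST_USER" >/dev/null 2>&1 || rc=$?
    state=$(binding_state "$show" "$rc")
    echo "AD binding state: $state"
    [ "$state" = healthy ] && exit 1   # bound and resolving: nothing to install
    exit 0                             # anything else: have Munki (re)install the profile
fi
```

The `lookup-failed` state is the case a profile-only deployment misses: the directory payload reports as installed while lookups against AD no longer resolve.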

Deploying JMP Pro 12.x and 13.x licenses

As I’m reorganizing my GitHub repositories, I’ve realized that I forgot to post about my work with Shea Craig and the JMP Team at SAS. Because of them, I was able to deploy JMP Pro 12.x and 13.x licenses to our Mac labs.

You can find code and instructions at my jmp_pro_12_license_pkg and jmp_pro_13_license_pkg GitHub repositories.

NoMAD Group Condition for Munki

One of the most powerful features of Munki is conditional items – and the ability for an admin to provide custom conditions for deploying or removing software. For example, we’ve been using the scripts that Hannes Juutilainen has published to determine which macOS version is supported by a particular Mac’s hardware. We can then offer the most appropriate OS upgrade to each Mac.

We recently deployed the excellent NoMAD to single-user Macs, with the intention of resolving keychain issues (and eventually moving away from Active Directory binding altogether). If you’re using AD with your Macs, it’s absolutely worth checking out.

When a user logs into NoMAD, some data about the user’s AD account is retrieved for later usage – such as their group membership (also known as Organizational Units, or OUs). In our environment, users are divided into different groups based on their department. What if we could use that for deploying printers, similar to Group Policy on Windows?

You might see where I’m going with this – check out the script on GitHub for requirements and usage instructions.

Deploying Gaussian

I thought I blogged about deploying Gaussian 09 when I published this GitHub repository, but I guess I forgot to do that.  Anyhow, here’s some code for deploying Gaussian 16, the latest version of the Gaussian software.

New Munki tool: Computer Name

managedsoftwareupdate has several methods you can use to identify your Macs to your Munki server. While the hierarchy is documented on the Munki wiki, the ComputerName field (accessible in System Preferences –> Sharing) is not one of them. Since our inventory system is tied to the computer name, we wanted Munki to use that as the identifier for manifests, too.

I wrote a small LaunchDaemon and script to write the ComputerName field to Munki’s ClientIdentifier field (which overrides the hierarchy mentioned above) each time it’s changed. This allows IT to rename Macs and manifests as needed, but also audit unauthorized computer name changes through MunkiReport.

The code is available on my GitHub repository.

Boot Scheduler

Like most things, Boot Scheduler was written to scratch an itch: students were powering off lab computers, which could stay off for weeks or months at a time (particularly in the smaller labs). These Macs would stop checking in to Munki, would be horribly out of date, and would behave unpredictably once powered on again – the AD binding could become broken, or they might reboot unexpectedly to apply security patches.

We discussed using the built-in pmset tool to power on all Mac labs daily, but we have a long winter break – we don’t want these Macs turning on and wasting energy without anyone around to use them. Since pmset has no concept of calendar dates beyond days of the week, we had to develop something custom.

My hope is that if you’re facing similar issues, Boot Scheduler can help you. You can grab it from my GitHub repository – be sure to check out the README for installation and customization instructions.

New VMware Fusion backup scripts

I’ve overhauled my scripts for backing up VMware Fusion images with Carbon Copy Cloner.  Now, the currently running VMs are paused, backed up, then unpaused.  Pausing/unpausing does not save the contents of the VM’s RAM to disk, so I’ve also added support for suspend/resume.

You can get the updated scripts in my GitHub repository.

Deleting all printers

As I’m building new printer installers with The Luggage (there’s a great tutorial on the Munki wiki), I’ve often come across the need to delete all installed printers first. Maybe the printers are being replaced with a different model, or maybe the existing print queues were created by hand and have subtle naming differences.

I created a script (on my GitHub repository) and have been running it as part of Apple Remote Desktop, but it should work anywhere.

Tested with: 10.6, 10.8, 10.9

Setting the Software Update Server

Several years ago, I submitted a post to Mac OS X Hints. At the time, I worked for an Apple authorized service provider, and wanted an easy way to switch a customer’s computer to our Software Update Server temporarily, then switch back afterwards. Two users in the Mac OS X Hints forums helped me build an AppleScript application for this purpose.

I have since made significant improvements to the script, and still use it today. The code can be found in my GitHub repository.

Tested with: 10.4, 10.5, 10.6, 10.7, 10.8, 10.9

Backing up VMware Fusion images

Traditionally, VMware Fusion has not supported using Time Machine to back up your virtual machines. Although this changed with version 4, I’d rather not enable AutoProtect. Instead, I use Carbon Copy Cloner to back up my ‘Virtual Machines’ folder to the root of my Time Machine drive.

Just one catch – if VMware Fusion is open during the copy, eventually CCC will fill up the destination drive, as it’s repeatedly copying data that’s in use. The solution? A preflight script that checks for the VMware Fusion process, and aborts the backup if the program is currently running.

The scripts are available in my GitHub repository.
