Support a 500+ device Session Scripts and Twitter questions answers

boberito

As promised I would post some of the scripts I use. I'm sure there is a better way to do some of these but here they are. I also wanted to answer some of the Twitter questions that we weren't able to get to in the session.

Thank you to those that attended!

First is our script I use to assign the Name and Department when a student logs in. This runs at login once per computer.

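#!/bin/bash

# User currently logged in at the console
getUser=$(stat -f%Su /dev/console)

# Second component of the AD distinguished name, used as the department.
# -F sets the separator before the first line is read (FS= inside the action only applies from the next line).
getclass=$(dscl '/Active Directory/ACADEMIC/All Domains' -read "/Users/$getUser" dsAttrTypeNative:distinguishedName | awk -F, '{ print $2 }' | awk -F= '{ print $2 }' | tail -1)
# Display name, with the "RealName:" label line dropped
getRealName=$(dscl '/Active Directory/ACADEMIC/All Domains' -read "/Users/$getUser" RealName | grep -v ":")

# Push user, department, building, name and email to the inventory record
jamf recon -endUsername "$getUser" -department "$getclass" -building "Postoak" -realname "$getRealName" -email "$getUser@saes.org"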

This is the script that runs on every check in to remove the guest network from students' computers. This can be edited to remove ANY wireless network you may not want users connecting to.

#!/bin/bash

Adapter=en0
Guest="SAES Guest Wifi"

# Is the guest network in the preferred list? (entries are printed indented)
if networksetup -listpreferredwirelessnetworks "$Adapter" | grep -qx "[[:space:]]*$Guest"; then
    # Full SSID of the current network; the SSID contains spaces, so awk's $4 would only return "SAES"
    ConnectedtoGuest=$(networksetup -getairportnetwork "$Adapter" | sed 's/^Current [^:]*: //')
    if [ "$ConnectedtoGuest" == "$Guest" ]; then
            #Gotta disconnect first to remove it
            networksetup -setairportpower "$Adapter" off
            networksetup -removepreferredwirelessnetwork "$Adapter" "$Guest"
            networksetup -setairportpower "$Adapter" on
    else
            networksetup -removepreferredwirelessnetwork "$Adapter" "$Guest"
    fi
fi

This sets the user to a sort of "Power User" which unfortunately has to be run over and over because a lot of system updates seem to set it back to the default settings.

#!/bin/sh

# Turn off Gatekeeper assessments
spctl --master-disable

#system preferences
security authorizationdb write system.preferences allow
security authorizationdb write system.preferences.network allow
security authorizationdb write system.preferences.accessibility allow
security authorizationdb write system.preferences.energysaver allow
security authorizationdb write system.preferences.printing allow
security authorizationdb write system.preferences.datetime allow
security authorizationdb write system.preferences.timemachine allow
security authorizationdb write system.preferences.security allow
security authorizationdb write system.services.systemconfiguration.network allow

#Printing
security authorizationdb write system.printingmanager allow
security authorizationdb write system.print.admin allow
security authorizationdb write system.print.operator allow

#potential force restart and shutdown if other users logged in
security authorizationdb write system.restart allow
security authorizationdb write system.shutdown allow

#App store
security authorizationdb write system.install.app-store-software allow

#DVD Player
security authorizationdb write system.device.dvd.setregion allow
security authorizationdb write system.device.dvd.setregion.change allow
security authorizationdb write system.device.dvd.setregion.initial allow
security authorizationdb write system.device.dvd.setregion.change.comment allow
security authorizationdb write system.device.dvd.setregion.change.change allow
security authorizationdb write system.device.dvd.setregion.initial.class allow
security authorizationdb write system.device.dvd.setregion.change.class allow
security authorizationdb write system.device.dvd.setregion.change.group allow
security authorizationdb write system.device.dvd.setregion.change.shared allow

#Groups needed to be in for things to unlock
USERNAME=$(who | grep console | awk '{print $1}')

# Add the console user to the App Store and printer admin groups
dseditgroup -o edit -a "$USERNAME" -T group _appstore
dseditgroup -o edit -a "$USERNAME" -T group lpadmin

# Let non-admin users change Wi-Fi networks and create computer-to-computer networks
/usr/libexec/airportd prefs RequireAdminNetworkChange=NO RequireAdminIBSS=NO

This fixes CrashPlan's "forgetfulness"

#!/bin/sh
launchctl unload /Library/LaunchDaemons/com.crashplan.engine.plist
rm -rf /Library/Caches/CrashPlan/*
launchctl load /Library/LaunchDaemons/com.crashplan.engine.plist

This enables all the remote management we want on for our admin account q.

#!/bin/sh
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -users q -restart -agent -privs -DeleteFiles -ControlObserve -TextMessages -OpenQuitApps -GenerateReports -RestartShutDown -SendFiles -ChangeSettings

I grabbed scripts off of here https://www.jamf.com/jamf-nation/third-party-products/files/scripts to do things like download the newest Firefox, Chrome, and Java monthly.

How often do you look at new features in jamfPRO to assess if your script(s) are still necessary?

I try to stay up to date with the newest releases and what features are happening. Like now AppleID prompts can be blocked with a Configuration Profile I believe, so I could remove scripts to stop that. But it seems like most of the stuff we do with scripts hasn't been included in the JSS...err JAMF or JAMF Pro whatever I'm supposed to say soon. However the Patch Management will change that with some things we do I believe.

Just wondering if u continue to make Pages, Numbers, Keynote and GarageBand available in self service.

We do not make Pages, Numbers, or Keynote available but we do put a full blown install of GarageBand in Self Service. I believe if a student logs in to the Mac App Store they can then accept the licenses for Pages, Numbers, and Keynote and own them for themselves and install it if they want. But we try to discourage that since it doesn't easily make a Microsoft Office compatible file. Students have to submit documents sometimes to Schoology, our Learning Management System, and it REALLY doesn't like Pages files.

Will end users be allowed to connect to network printers or will end user be allowed to print from home?

Yes. Even though it's a school-owned device we want them to feel ownership of it. And it really cripples the device if they aren't able to connect to the internet at home or print from home. How useful is a computer nowadays without a network connection?

Why use office if you use GAFE

Some features aren't available in Google Docs or Sheets that are in Word and Excel for example. Also being able to work fully offline without a connection. And it seems like there's some fear in going full Google Apps. We're trying to push towards that but it'll be a slower transition than some things I think.

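An audit for the rights the "Power User" script opens up, as an added example that is not part of the original post: it reports which rights currently resolve to the `allow` rule, so drift after a system update can be seen before anything is rewritten. `READ_CMD`, `classify_right`, `audit_rights` and the two `sample_*` functions are hypothetical names, and the sample plists are constructed on the assumption that `security authorizationdb read` prints the right as plist XML with one element per line.

```shell
#!/bin/sh
# Added example: report which authorization rights are set to the "allow" rule.

# Subset of the rights written by the "Power User" script.
RIGHTS="system.preferences system.preferences.network system.preferences.security
system.install.app-store-software system.print.admin system.restart"

# Classify one right definition read from stdin (plist XML as printed by
# `security authorizationdb read <right>`):
#   open       - class or rule is "allow", so any user passes
#   restricted - any other definition (for example class=user, group=admin)
#   unknown    - nothing to read (right missing or command unavailable)
classify_right() {
    awk '
        /<key>(rule|class)<\/key>/          { watch = 1; next }
        watch && /<string>allow<\/string>/  { is_open = 1 }
        watch && (/<\/array>/ || /<key>/)   { watch = 0 }
        END {
            if (NR == 0)      print "unknown"
            else if (is_open) print "open"
            else              print "restricted"
        }'
}

# Print "<right> <state>" per line. READ_CMD is a hypothetical override used to
# feed constructed data; by default the real macOS command is called.
audit_rights() {
    for right in $RIGHTS; do
        state=$(${READ_CMD:-security authorizationdb read} "$right" 2>/dev/null | classify_right)
        printf '%s %s\n' "$right" "$state"
    done
}

# Constructed sample: a right after `security authorizationdb write <right> allow`.
sample_open() {
    printf '<dict>\n<key>rule</key>\n<array>\n<string>allow</string>\n</array>\n</dict>\n'
}

# Constructed sample: an admin-only definition such as an update might restore.
sample_admin_only() {
    printf '<dict>\n<key>class</key>\n<string>user</string>\n<key>group</key>\n<string>admin</string>\n</dict>\n'
}

# Run the audit only where the macOS `security` tool exists.
if command -v security >/dev/null 2>&1; then audit_rights; fi
```

The `open`/`restricted` lines can be collected as inventory data so the rights are rewritten only on machines where they have actually reverted.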