Copying User Settings to Create a Template for Newly Erased Computers

jamfpigeon
New Contributor III

Hello, new to Jamf. I'm coming from a monolithic imaging background using DeployStudio, and I'm trying to create a workflow for our particular setup. Our schools is now getting in laptops and desktops that can no longer be imaged, so our school is moving over to Jamf.

We don't have ActiveDirectory or OpenDirectory, otherwise this wouldn't be a problem. :/

I searched the discussions, but I didn't see anything that was applicable to my particular situation.

On all of our computers, we have 3 generic accounts: Teacher, Student, and CAASPP. CAASPP is the one I'm the most worried about, as the State testing software is so horribly written that you have to manually change a bunch of settings on a computer just for it to work, and that makes it impractical (impossible?) to do in a timely manner to over 400 Macs in the 1 to 2 weeks before testing when they inevitably change the browser and it has to be reloaded on all the machines. I'm just one person. :(

I attempted to use Composer to record all the settings files that are changed and make an installer DMG for each of the 3 users. It does make an installer, but doesn't appear to work as intended.

My PreStage DEP works fine. It installs the apps, creates the users and everything. Where it fails is the custome User Settings installer I made.

It'll work for some settings, but not the ones that matter for the testing account. I have to disable Mission Control, Keyboard hotkeys, Notifications, iTunes & AppStore update checks, Office update checks, all Accessibility settings, Disable Screensaver, disable Screen Lock, and set Parental Controls.

Few if any of the changes to settings seem to be recorded with Composer, even though it shows what looks like that correct preference files that were modified. I know for certain that Missions Control, Keyboard hotkeys, Notifications, Accessibility settings, Screensaver, and Screen Lock aren't recorded correctly.

Of course, none of this would matter if they'd just change the stupid testing browser to run in Kiosk mode.

1 ACCEPTED SOLUTION

lazyGhost
New Contributor III

@jamfpigeon The new version of CA Secure Browser 12.0 comes with a bundled configuration profile that they provide. You simply need to take the profile and upload to jamf and scope to a smart group of your choice. Then you only need 2 more profiles to supress Siri and you’re golden. PM if you’d like to know more.

View solution in original post

10 REPLIES 10

jamfpigeon
New Contributor III

Also, I don't know much of anything about shell scripting. I'm just being thrown into this and have a ton to learn.

larry_barrett
Valued Contributor

Which testing browser are you using?

jamfpigeon
New Contributor III

@althea Thanks for the suggestion. Unless you mean running a custom shell script, the built in Configuration Profile settings don't cover settings such as Mission Control and Screen Lock. :/

@larry_barrett We're using the CASecureBrower (aka SBAC, aka Airsat, aka CAASPP, aka ... whatever they decide to change the name to next year) for CAASPP.

I guess I was hoping it was as simple as copying over .plist files, but it doesn't appear to be the case.

I did a search for CA Secure Browser and SBAC and found a few threads. Those might lead me in the right direction, but they're referring to older versions of OS X and options that don't apply anymore.

Thanks for all the help,

Doug

bzuckrow
New Contributor III

This is more avoiding the problem instead of actually solving it....

What do you think about setting the computer to dual boot - install your regular config on one partition and install the testing config on the second. This way you can do whatever you have to do to make the testing work without touching your "regular" config.

My State used software that sounds like it had some of the same hurdles to overcome as yours. The testing software created a default user with associated security settings to lockdown many settings then autologin and auto start the testing browser. Their settings didn't jibe with anything we had in place - they used parental controls so everything needed permission to run - virus software - auto updaters that would start 15 minutes into the test etc.

Instead of trying to untangle their settings so they would work in our environment, it started to make sense to use dual boot and keep the images separate. Our image could do what it wants and their image could do what it wants. Then moving forward we could re-image either partition as necessary without messing anything up. Jamf does the imaging and we even set different policies and profiles depending on which partition was logged in (which I can't swear worked perfectly on every machine).

The downside is it will take 2 re-images to get this in place so you have to weigh pros/cons for yourself.

jamfpigeon
New Contributor III

These newer machines can't be imaged (at least, not easily.) Apple has disabled NetBoot on 2019 models and newer. Everything has to be done through Jamf.

I currently already have it set up correctly on all our 2018 and older machines. Even with Jamf I still image those older machines, but I'm being forced to adapt to Apple's way of doing things with the 2019 machines.

So I need to have a crash course on getting this CAASPP account set up by doing everything through Jamf. That means from using the Mojave installer to erase to a clean slate, PreStage DEP install (which includes creating accounts and installing the apps ... which works fine), and then configuring the accounts themselves. It's this very last part that's giving me trouble.

Apple wants us to do everything via DEP, but then hides all their settings in obscure places and don't make it easy for admins to change them. >:(

jamfpigeon
New Contributor III

I already did the preliminary training for Jamf, but that didn't include copying individual user account settings (not creating a New User template, but making custom settings for individually already installed accounts.)

lazyGhost
New Contributor III

@jamfpigeon The new version of CA Secure Browser 12.0 comes with a bundled configuration profile that they provide. You simply need to take the profile and upload to jamf and scope to a smart group of your choice. Then you only need 2 more profiles to supress Siri and you’re golden. PM if you’d like to know more.

jamfpigeon
New Contributor III

@lazyGhost YES. Thank you. I'll PM you.

I ran into the Siri Bug that I fixed by enabling / disabling Siri, but, yes, I'll need that info. I'll PM you.

Thank you thank you thank you. :)

jamfpigeon
New Contributor III

@lazyGhost Just as soon as I figure out how to PM someone ...