
Implementing Corporate Security features already developed but not in Casper

There are already features in existence, developed by talented individuals in the Jamf community for some time now, that Jamf needs to incorporate if they truly want to support Mac Admins in the business arena and not just stay barely ahead of new Apple features.
I speak of two lacking features developed by non-Jamf employees:

Local Administrator Password Solution
https://github.com/unl/LAPSforMac

Caspercheck
https://github.com/rtrouton/CasperCheck

Both should have been a part of the Jamf Pro set by now, as they are without a doubt well within Jamf's ability to include and much needed by Mac Admins.


Posted: by gachowski

I'll be the old grumpy guy again . :)

While I fully agree that both of these solutions are great, I am not sure that incorporating both of them is a slam dunk. I have looked at both since they were released, and my first thought about LAPS was that it's a complicated process that, while it may be robust, has a lot going on that creates a good chance of issues arising. (Just because you can do something doesn't mean that you should.)

CasperCheck, again, is a great solution, and when it was released it was a home run; however, now, with the most likely future of macOS getting locked down more and more, I would think the correct way to solve this issue is for Jamf to work with Apple to get the Jamf binary protected by SIP.

C


Posted: by Cornoir

I have to disagree with @gachowski, as he is overcomplicating and confusing the details.
LAPS is just randomly changing the password of an admin account for security purposes. LAPS on both Mac and PC systems can easily be circumvented anyway (.AppleSetupDone removal in Single User Mode, anyone?).

As for CasperCheck, there is nothing that Apple's SIP would do to help it reinstall itself, which is what CasperCheck does nicely when set up properly. As per Apple:
"System Integrity Protection is a security technology in OS X El Capitan and later that's designed to help prevent potentially malicious software from modifying protected files and folders on your Mac."
So SIP is just a way to prevent certain files from being compromised by outside parties for hostile purposes, at best. It will not repair or reinstall what it is supposed to protect, not to mention that you can disable SIP in Recovery Mode without admin rights.

CasperCheck was designed for:
"For folks using JAMF Software's Casper solution, sometimes the Casper agent installed on individual Macs stops working properly. They stop checking in with the Casper server, or check in but can't run policies anymore. To help address this issue, CasperCheck provides an automated way to check and repair Casper agents that are not working properly."

LAPS, while not perfect, is a necessary automation for large-scale organizations (200+), especially with companies trying to minimize operating costs with outsourced IT workers (who can move on or get fired), not to mention a very minimal step for security compliance (a TV show I worked on did not change their WiFi password for over 2 years after I left, and might still not have).

A self-repair option for any software, especially with organizations using laptops and remote workers more and more, is a good thing to have, especially if an IT dept has a limited support team and a large user base, not to mention giving those who admin Macs one less thing to worry about.

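The check-and-repair loop the quoted CasperCheck description refers to, as an added example that is not CasperCheck's own code and not part of the original post. It follows the same shape (is the agent binary there, can it reach its server, can it actually run a policy, and if not, reinstall from a locally staged enrollment package), with the jamf binary path, repair package path, verification trigger and marker string all being assumptions rather than anything the thread names. `jamf checkJSSConnection`, `jamf policy -trigger` and `installer -pkg ... -target /` are real commands; the broken-agent states exercised by the test are constructed with a fake `jamf` script.

```shell
#!/bin/sh
# Added example in the spirit of CasperCheck, not CasperCheck's own code.
# Every path, trigger and marker below is an assumption, not something from the thread:
#   JAMF_BIN       - where the Jamf/Casper agent binary lives
#   REPAIR_PKG     - a QuickAdd-style enrollment package kept on disk for reinstalls
#   VERIFY_TRIGGER - custom trigger of a Jamf policy that does nothing but echo VERIFY_MARKER
# DRY_RUN defaults to 1 so the script only logs what it would do; set DRY_RUN=0 as root on a real Mac.

JAMF_BIN="${JAMF_BIN:-/usr/local/bin/jamf}"
REPAIR_PKG="${REPAIR_PKG:-/Library/Application Support/JAMF/Repair/QuickAdd.pkg}"
VERIFY_TRIGGER="${VERIFY_TRIGGER:-casper_check_verify}"
VERIFY_MARKER="${VERIFY_MARKER:-CASPER_CHECK_OK}"
DRY_RUN="${DRY_RUN:-1}"

log() { printf '%s casper_check: %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$*"; }

# Agent binary present and executable?
agent_installed() { [ -x "$JAMF_BIN" ]; }

# Agent can reach its server? Trust the exit code, not the English output.
agent_reaches_server() { "$JAMF_BIN" checkJSSConnection -retry 3 >/dev/null 2>&1; }

# Agent can actually run a policy? The verification policy is assumed to print VERIFY_MARKER.
agent_runs_policies() {
    "$JAMF_BIN" policy -trigger "$VERIFY_TRIGGER" 2>/dev/null | grep -q "$VERIFY_MARKER"
}

# Classify the agent's state: ok | no_binary | no_server | no_policy
diagnose() {
    if ! agent_installed;      then echo no_binary; return 0; fi
    if ! agent_reaches_server; then echo no_server; return 0; fi
    if ! agent_runs_policies;  then echo no_policy; return 0; fi
    echo ok
}

# Run a command, or only log it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then log "would run: $*"; return 0; fi
    "$@"
}

# Repair action per state. A missing binary or an agent that checks in but cannot
# run policies gets a reinstall from the local package. A server that is simply
# unreachable is not something a reinstall fixes, so that case is only logged.
repair() {
    case "$1" in
        ok)        log "agent healthy"; return 0 ;;
        no_server) log "server unreachable; nothing to repair locally"; return 1 ;;
        no_binary|no_policy)
            if [ ! -f "$REPAIR_PKG" ] && [ "$DRY_RUN" != 1 ]; then
                log "repair package missing: $REPAIR_PKG"; return 1
            fi
            log "state=$1, reinstalling agent from $REPAIR_PKG"
            run /usr/sbin/installer -pkg "$REPAIR_PKG" -target / &&
            run "$JAMF_BIN" policy     # catch up on anything missed while broken
            ;;
        *) log "unknown state: $1"; return 1 ;;
    esac
}

main() {
    state=$(diagnose)
    log "state=$state"
    repair "$state"
}

# Only act when invoked as `sh casper_check.sh --run`; sourcing the file just defines the functions.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it from a LaunchDaemon on a schedule, as CasperCheck does, and keep the repair package itself outside anything the agent manages, otherwise a broken agent can take its own repair kit with it. The `no_server` branch is deliberately passive: a Mac that cannot reach the server should not reinstall anything, because the failure is usually on the network or server side rather than on the client.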

Posted: by MacLover

I think it would be beneficial to have this in place; it can't be that difficult to implement. Centrify comes with this feature out of the box, and I have used it for testing purposes; it works really well.

https://blog.centrify.com/password-management-macs/


Posted: by defiler

Vote up.

We use our own version of CasperCheck and find it very useful; it has automatically recovered hundreds of machines. We have also added a way to invoke it at any time from the command line to give our technicians (our users themselves) the ability to easily fix Macs with Jamf absent or broken.

LAPS is even more interesting. In its current implementation it doesn't seem so good in terms of security, as it uses extension attributes to store the passwords, so they're readable by anyone who has access to inventory, but if it were implemented FileVault PRK-style (separate permissions, not in the general inventory information), we would definitely use it.

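A worked version of the LAPS idea described earlier in the thread (randomly rotating a local admin account's password), with the escrow problem raised in the last comment handled by encrypting the password to a public key before it leaves the Mac, so even a value parked in an extension attribute is unreadable to anyone without the private key. This is an added example, not LAPSforMac's code and not part of any post in this thread. The account name, key and escrow file paths, password length and alphabet are assumptions; `dscl . -passwd`, `openssl pkeyutl` and `openssl base64` are real commands.

```shell
#!/bin/sh
# Added example of LAPS-style rotation with public-key escrow. Not LAPSforMac's code.
# Assumed names (not from the thread): ACCOUNT, PUBKEY, ESCROW_FILE, PW_LENGTH, ALPHABET.
# DRY_RUN defaults to 1 so nothing on the machine changes; set DRY_RUN=0 as root on a real Mac.

ACCOUNT="${ACCOUNT:-localadmin}"
PUBKEY="${PUBKEY:-/Library/Application Support/LAPS/escrow_pub.pem}"   # security team's public key
ESCROW_FILE="${ESCROW_FILE:-/Library/Application Support/LAPS/escrow.b64}"
PW_LENGTH="${PW_LENGTH:-24}"
ALPHABET='A-Za-z0-9%+,./:=@_'   # no '-' so a generated value can never be parsed as a flag
DRY_RUN="${DRY_RUN:-1}"

log() { printf '%s laps: %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$*"; }

# Random password of $1 characters drawn from ALPHABET via /dev/urandom, retried
# until it has at least one lower-case letter, one upper-case letter and one digit.
gen_password() {
    len="$1"
    while :; do
        pw=$(LC_ALL=C tr -dc "$ALPHABET" </dev/urandom | head -c "$len")
        [ "${#pw}" -eq "$len" ] || return 1
        if printf '%s' "$pw" | LC_ALL=C grep -q '[a-z]' &&
           printf '%s' "$pw" | LC_ALL=C grep -q '[A-Z]' &&
           printf '%s' "$pw" | LC_ALL=C grep -q '[0-9]'; then
            printf '%s' "$pw"
            return 0
        fi
    done
}

# Encrypt $1 to the escrow public key (RSA-OAEP). Output is a single base64 line,
# which is the only thing that should ever be written into an EA or inventory field.
escrow_encrypt() {
    printf '%s' "$1" | openssl pkeyutl -encrypt -pubin -inkey "$PUBKEY" \
        -pkeyopt rsa_padding_mode:oaep | openssl base64 -A
}

# Decrypt a base64 blob on stdin with the private key in $1. This runs off the Mac,
# by whoever is allowed to hold the key; the Mac itself never has it.
escrow_decrypt() {
    openssl base64 -d -A | openssl pkeyutl -decrypt -inkey "$1" -pkeyopt rsa_padding_mode:oaep
}

# Order matters: stage the new ciphertext, change the password, then commit the
# stage. If the change fails, the committed record still matches the password that
# is actually set. Rotating first and escrowing second can leave a rotated account
# with no readable record anywhere.
rotate_and_escrow() {
    new=$(gen_password "$PW_LENGTH") || { log "password generation failed"; return 1; }
    blob=$(escrow_encrypt "$new") || { log "escrow encryption failed; not rotating"; return 1; }
    if [ "$DRY_RUN" = 1 ]; then
        log "would stage ciphertext, run: dscl . -passwd /Users/$ACCOUNT <new>, then commit $ESCROW_FILE"
        return 0
    fi
    ( umask 077; printf '%s\n' "$blob" > "$ESCROW_FILE.pending" ) || return 1
    if /usr/bin/dscl . -passwd "/Users/$ACCOUNT" "$new"; then
        mv "$ESCROW_FILE.pending" "$ESCROW_FILE" && log "rotated $ACCOUNT; ciphertext committed"
    else
        rm -f "$ESCROW_FILE.pending"
        log "rotation failed; previous escrow record kept"
        return 1
    fi
}

# Only act when invoked as `sh laps_rotate.sh --run`; sourcing the file just defines the functions.
if [ "${1:-}" = "--run" ]; then rotate_and_escrow; fi
```

An extension attribute script can then simply `cat` the escrow file, so inventory holds only ciphertext and the people who can read inventory are not automatically the people who can log in. Two caveats for anyone adapting this: decrypt only on a machine that holds the private key, never on the managed Mac, and if the local admin account holds a Secure Token, change its password with `sysadminctl` using the current password rather than with `dscl` as root, since the latter path is not what Apple supports for Secure Token accounts.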