Category : Casper

How to Uninstall NoMAD

Here is a simple script to uninstall NoMAD:

#!/bin/bash
# Rui Qiu
# Remove NoMAD and use direct AD bind

loggedInUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }')
agent="/Users/$loggedInUser/Library/LaunchAgents/com.trusourcelabs.NoMAD.plist"

# Unload the user's LaunchAgent first, otherwise launchd may relaunch NoMAD after pkill
if [ -f "$agent" ]; then
    sudo launchctl asuser "$(id -u "$loggedInUser")" sudo -u "$loggedInUser" launchctl unload "$agent"
fi
pkill -x "NoMAD"

# Remove the app, the managed preferences and the LaunchAgent
sudo rm -rf /Applications/NoMAD.app
sudo rm -f "/Library/Managed Preferences/com.trusourcelabs.NoMAD.plist"
sudo rm -f "/Library/Managed Preferences/$loggedInUser/com.trusourcelabs.NoMAD.plist"
sudo rm -f "$agent"


And you can use Spotlight to check for any leftover files:

mdfind -name "NoMAD"


Force Install macOS Update

Here is a simple command to install all available macOS updates in the background:

softwareupdate -i -a

After running that, you can use Casper to notify the user to reboot 🙂

And here is a useful link to enable updates on the Mac:


Shell Script to Remove Centrify, Move Wifi/LAN, and Request 802.1 Certificate

Here is a long script that does a lot of things: it deletes the Centrify binding, the Centrify certificates and itself, binds the machine to AD via the native plugin, and requests an 802.1X certificate via the native RPC.


#!/bin/bash

# This script deletes the Centrify binding, the Centrify certificates and itself, binds the machine
# to AD via the native plugin and requests an 802.1X certificate via the native RPC
# Rui Qiu
# Nov 17, 2017
# Last update: Dec 12, 2017

# exit code 0 - success
# 1 - no wifi
# 2 - no connection to DC
# 3 - migration failed, no connection to DC

CurrentUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }')
ConnectedWIFI=$(/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -I | awk '/ SSID/ {print substr($0, index($0, $2))}')
# Current network service order as an array: one service per line, header line dropped,
# leading '*' (disabled-service marker) stripped. Keeping the names in an array means they
# can be passed straight to networksetup later instead of building a command string for bash.
Ori_Network_Choice=()
while IFS= read -r svc; do
    Ori_Network_Choice+=("$svc")
done < <(networksetup -listallnetworkservices | grep -v 'An asterisk ' | sed 's/^\*//')
# IP of the DC Centrify is currently using (first ping line reads "PING host (a.b.c.d): ...")
DCserver=$(ping -c1 -n "$(adinfo --server)" | head -n1 | sed 's/.*(\([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\)).*/\1/')
ADUser_Check=$(adquery user "$CurrentUser" | grep -c "113584762")
FilePath="XXX"

echo
echo "------------------------------------Project Zero------------------------------------"
echo "Current user is: $CurrentUser"
echo "AD User Check result is: $ADUser_Check"
echo "Current Wifi is: $ConnectedWIFI"
echo "DC server IP is: $DCserver"

# Remove any previous installation files
# (the marker-file moves further down assume the current package left $FilePath in place;
# the real names are redacted in this post)
if [ -d "$FilePath" ]; then rm -Rf "$FilePath"; fi

# Check if the user is on our WIFI network and is an AD user
if [ "$ConnectedWIFI" = "XXX" ] && [ "$ADUser_Check" = "1" ]; then

    # Shut down Ethernet
    #ethernet=$(networksetup -listnetworkserviceorder | grep 'Hardware Port.*100\|Hardware Port.*LAN' | grep -o '....$' | cut -c 1-3)
    echo
    echo "~~~ Step 1 of 9 ~~~ You are on the correct WIFI, now move it to the first connection choice"
    echo "Original Network Sequence Order"
    printf '  %s\n' "${Ori_Network_Choice[@]}"
    # Wi-Fi first, then the other services in their original order
    New_Network_Choice=("Wi-Fi")
    for svc in "${Ori_Network_Choice[@]}"; do
        [ "$svc" != "Wi-Fi" ] && New_Network_Choice+=("$svc")
    done
    networksetup -ordernetworkservices "${New_Network_Choice[@]}"
    echo
    echo "New Network Sequence Order"
    networksetup -listallnetworkservices
    sleep 5

    # Check if we can contact our Domain Controller
    # (macOS ping takes -W in milliseconds, so wait up to 1000 ms for the reply)
    echo
    echo "~~~ Step 2 of 9 ~~~ Ping our DC"
    if ! ping -c1 -W1000 -q "$DCserver" >/dev/null 2>&1; then
        echo "Not on Zalando_Air"
        mv "$FilePath"/project_zero.txt "$FilePath"/X_wifiwrong.txt
        exit 1
    fi

    # Uninstall Centrify
    echo
    echo "~~~ Step 3 of 9 ~~~ Uninstall Centrify"
    /usr/local/share/centrifydc/bin/uninstall.sh -n -e

    # Delete old Centrify certificates issued to this host (every cert named host.your.ad)
    echo
    echo "~~~ Step 4 of 9 ~~~ Removing old Certificates"
    a=$(hostname -s)
    b=".your.ad"
    security find-certificate -c "$a$b" -a -Z | \
        awk '/SHA-1 hash:/{system("security delete-certificate -Z " $NF)}'

    # Bind to AD (Jamf policy with the custom trigger "bind")
    echo
    echo "~~~ Step 5 of 9 ~~~ Bind to AD"
    jamf policy -event bind -verbose

    # Migrate user account to AD
    echo
    echo "~~~ Step 6 of 9 ~~~ Migrating account"
    echo " Skipping this part, no need "
    #dscl . delete /Users/$CurrentUser
    # chown -R $CurrentUser:Your_AD_ID /Users/$CurrentUser/
    # chown -R $CurrentUser /Users/$CurrentUser/

    # Install Configuration Profile (this requests the 802.1X certificate)
    echo
    echo "~~~ Step 7 of 9 ~~~ Installing profile"
    /usr/bin/profiles -I -F /X/X.mobileconfig

    # Revert Back to Original Network Sequence Order
    echo
    echo "~~~ Step 8 of 9 ~~~ Revert Back to Original Network Sequence Order, and Check Internet Access"
    networksetup -ordernetworkservices "${Ori_Network_Choice[@]}"
    echo "Now the network sequence order is "
    networksetup -listallnetworkservices

    echo "Check for Internal Access"
    sleep 5
    if ! ping -c1 -W1000 -q "$DCserver" >/dev/null 2>&1; then
        echo "Migration Failed, Cannot connect to DC"
        mv "$FilePath"/X.txt "$FilePath"/X_failed.txt
        exit 3
    fi

    # Remove temp file
    echo
    echo "~~~ Step 9 of 9 ~~~ Finished, record the result and removing temp file"
    mv "$FilePath"/X.txt "$FilePath"/X_finished.txt
    rm "$FilePath"/X.mobileconfig
else
    # If not on our WIFI network, exit
    echo "Not on the right Wifi or is not an AD user, exit"
    exit 0
fi


Casper Configuration Profiles Auto Renewal

If you are using AD certificates inside a configuration profile, here is the easiest way to make them renew automatically:

sudo defaults write /Library/Preferences/com.apple.mdmclient AutoRenewCertificatesEnabled -bool YES

I have set up an extension attribute to find the Macs that need this remediation:

#!/bin/bash
# Jamf extension attribute: report whether MDM certificate auto-renewal is enabled.
# `defaults read` prints nothing and exits non-zero when the key was never written,
# so report 0 in that case instead of an empty result (the EA runs as root, no sudo needed).
status=$(/usr/bin/defaults read /Library/Preferences/com.apple.mdmclient AutoRenewCertificatesEnabled 2>/dev/null)
echo "<result>${status:-0}</result>"

Any Mac whose result is not 1 gets remediated 🙂

Here is the link from Apple; it works on Sierra and later.

By default, renewal happens 14 days before the certificate expires.

Links to read:

https://support.apple.com/en-us/HT204836

https://support.apple.com/en-us/HT204446

To find expired identities (the second field of each EXPIRED line is the SHA-1 hash of the certificate):

expired=$(security find-identity | grep EXPIRED | awk '{print $2}')

To delete a certificate by name (every certificate matching that common name is removed):

security find-certificate -c "certificatename" -a -Z | \
awk '/SHA-1 hash:/{system("sudo security delete-certificate -Z " $NF)}'
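As an added example (not code from the original post), here are the two snippets above and Step 4 of the Centrify script factored into functions: one that pulls only the SHA-1 hashes out of `security find-certificate -a -Z` output (newer macOS prints a "SHA-256 hash:" line as well, and `security delete-certificate -Z` wants the SHA-1), and a deleter with a dry-run switch so you can see what would go before anything is removed. The `find-certificate` listing embedded below is a constructed sample; the hashes and the name host.your.ad are made up.

```bash
#!/bin/bash
# Added example, not from the original post: pull SHA-1 hashes out of
# `security find-certificate -a -Z` output and delete the matching certificates,
# with a dry-run mode. The sample listing below is constructed; the hashes and the
# name host.your.ad are made up.

# Print the SHA-1 hashes from find-certificate -Z output read on stdin.
# Newer macOS prints a "SHA-256 hash:" line too, and delete-certificate -Z
# expects the SHA-1, so anchor on the exact label rather than on /SHA-1/ alone.
cert_sha1_hashes() {
    awk '/^SHA-1 hash: /{print $NF}'
}

# Number of certificates in the listing read on stdin (0 for an empty listing).
cert_count() {
    cert_sha1_hashes | grep -c . || true
}

# Delete every certificate whose common name matches $1 (optionally from keychain $2).
# With DRY_RUN=1 only print the hashes that would be deleted.
delete_certs_by_name() {
    name="$1"
    keychain="${2:-}"
    security find-certificate -c "$name" -a -Z ${keychain:+"$keychain"} | cert_sha1_hashes |
    while IFS= read -r hash; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "would delete $hash"
        else
            security delete-certificate -Z "$hash" ${keychain:+"$keychain"}
        fi
    done
}

# Constructed sample of `security find-certificate -c host.your.ad -a -Z` output
SAMPLE_LISTING='SHA-256 hash: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
SHA-1 hash: 1111111111111111111111111111111111111111
keychain: "/Library/Keychains/System.keychain"
version: 256
class: 0x80001000
attributes:
    "labl"<blob>="host.your.ad"
SHA-256 hash: BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
SHA-1 hash: 2222222222222222222222222222222222222222
keychain: "/Library/Keychains/System.keychain"
version: 256
class: 0x80001000
attributes:
    "labl"<blob>="host.your.ad"'

# Demo on the sample: prints the two SHA-1 hashes. On a Mac, try
#   DRY_RUN=1 delete_certs_by_name host.your.ad
# against the real keychain before running it for real.
printf '%s\n' "$SAMPLE_LISTING" | cert_sha1_hashes
```

Run it as `bash cert_cleanup.sh` to see the hashes parsed from the sample; on a Mac, source the file and call `DRY_RUN=1 delete_certs_by_name host.your.ad` to list what would be removed from the login keychain, or pass `/Library/Keychains/System.keychain` as the second argument (with sudo) for system certificates.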


802.1X Network Authentication for Mac

I cannot believe I spent so much time just figuring out how to do 802.1X network authentication for Macs 🙂

For managed Macs there are two ways to set up 802.1X: one is to use Apple Profile Manager to create a configuration profile, and the other is to use a Casper configuration profile. From what I found online, Casper profiles have some issues with the Ethernet payload, so I decided to use Apple Profile Manager from the Server app.

However, no matter what settings I made, it always turned out like this when I installed the profile on a test Mac:

So I had to take the Casper configuration profile route. If you are using Apple Profile Manager anyway, here are a few points that may help you:

  1.  For the Certificate Server, you have to type something like this: https://FQDN/certsrv
  2.  The username used to authenticate with the RADIUS server can be %ComputerName%$

Here are a few articles that talk about this method:

https://support.apple.com/en-us/HT204602

https://kevinbecker.squarespace.com/blog/2015/03/26/mac-os-x-wpa2-enterprise-authentication-using-a-microsoft-ca-part-2-2


OK, now let's talk about doing 802.1X authentication using Casper's configuration profile. Here are the settings from my environment:

  1. Upload your root CA certificate on the Certificate tab.
  2. Set up your AD certificate payload to acquire the client certificate for your Mac:
    2.1 For Certificate Authority, just the common name of your server is fine.
    2.2 Be careful about "The name of the CA"; you can find your real CA name via this article:
    https://support.microsoft.com/en-us/help/555529?wa=wsignin1.0%3Fwa%3Dwsignin1.0
  3. On the Network tab, create two networks, one for Wi-Fi and one for Ethernet.
    They need to be "Computer Level" under the "General" tab.
    Choose the security type your environment uses; for me it is TLS.
    On the Trust tab, choose the root CA and specify every RADIUS server you need to trust. If you list *.FQDN, it will NOT work; you have to specify the full FQDN of every RADIUS server.

    The username part is very important. If you use $COMPUTERNAME as Casper suggests, it comes out as name.domain.net; for our RADIUS server to recognize it, it needs to be something like name$, so we have to use %AD_ComputerID%.

    Then do the same for Ethernet. Some people prefer to create two separate configuration profiles, one for Wi-Fi and one for Ethernet. I did that before and found that I ended up with two identical client machine certificates, so I put both into one profile to avoid confusion.

  4. If you think you are done, that was far too easy 🙂

If you install the configuration profile, you will see that Ethernet works well, but Wi-Fi does not (in my case, Wi-Fi would not associate my client machine certificate, so I had to link them together manually).

Here is my script to install the configuration profile manually and then link them together:

#!/bin/sh

# Install the network profile, then pin the machine identity (hostname.domain) to the
# EAP identity preference for the Wi-Fi SSID so the supplicant presents the right certificate
a=$(hostname -s)
b=".your.domain.name"
service="com.apple.network.eap.user.identity.wlan.ssid.your wifi name"

/usr/bin/profiles -I -F /private/tmp/network.mobileconfig
security set-identity-preference -c "$a$b" -s "$service"
# Check that the preference now points at the expected identity
security get-identity-preference -s "$service"

OK, now you should be all set with 802.1X network authentication for your Macs 🙂


How to Check Macs with Office 2011 & Office 2016 Installed in Casper

Here are the Casper Smart Groups I use to see how many Office 2011 and Office 2016 users there are:


How to use NetSUS to Netboot a VM

  1. Check the "Model Identifier" of your already installed Mac VM; usually it is VMware7,1.
  2. Add this to the NBImageInfo.plist of your boot image:

<key>EnabledSystemIdentifiers</key>
<array>
    <string>VMware7,1</string>
</array>
<key>ImageType</key>

https://macmule.com/2015/11/01/how-to-netboot-a-vmware-fusion-and-esxi-hosted-vm/



Casper Debug Log Location

Here is the full listing of enabling DEBUG Modes:

Enabling and Generating a Debug Log for Admin, Imaging & Remote

1) Create a "debug" folder in the Casper application bundle:

/Path/to/CasperApplication/Contents/Support/debug

(Note: right-click the Casper application > Show Package Contents > go into the Support folder > create a "debug" folder)

(Example: /Applications/Casper Imaging.app/Contents/Support/debug). Keep "debug" lower case.

*Alternatively, you may create the file with the following command:

sudo touch /Applications/Casper\ Suite/Recon.app/Contents/Support/debug

2) Close and re-launch the application and do what you need to do for troubleshooting.

This will create a log file under the user's Library/Logs folder, for example: ~/Library/Logs/JAMF/CasperImagingDebug.log

Casper Imaging Debug Log Considerations

Enabling debug for Casper Imaging.app creates a debug log on the computer hosting Casper Imaging and the client computer being imaged.

Hosting Computer:

~/Library/Logs/JAMF/CasperImagingDebug.log

Client Computer:

/Library/Logs/JAMF/ImagingScripts.log

Enabling and Generating a Debug Log for Self Service on a client computer

1) Run the following two commands in Terminal on the client machine experiencing issues with Self Service (the second one follows the log as it is written):

defaults write ~/Library/Preferences/com.jamfsoftware.selfservice debug_mode -boolean YES

tail -f ~/Library/Logs/JAMF/JAMFDebug.log

2) Close and re-launch Self Service and replicate the behavior.

This will create a log file in the user's home Library:

~/Library/Logs/JAMF/JAMFDebug.log


Casper MalwareBytes Package

Here are my two scripts for install and scan with MalwareBytes on Casper.

The first one downloads, installs and registers MBBR:

#!/bin/sh

# MBBR Scanner
# Ray Qiu
# Feb 2, 2017

# Download installer
# NOTE: this fetches over plain HTTP with -k (certificate checking off) and then installs
# as root. Serve the zip over HTTPS, drop -k, and verify the package (for example with
# pkgutil --check-signature /tmp/mbbr-mac.pkg) before the installer step.
cd /tmp || exit 1
curl -LOk http://xxx.com/tools/mbbr-mac.zip
sudo unzip -o mbbr-mac.zip

# Install
sudo installer -pkg "/tmp/mbbr-mac.pkg" -target /

# Registration
MBBR_LICENSE='xxx'
MPATH='/usr/local/bin'
cd "$MPATH" || exit 1
./mbbr register -key:"$MBBR_LICENSE"


The second one updates the Malwarebytes database, renames the existing log to Old.log, and then scans the Mac.

Once the scan is done, Casper checks whether the log file has any virus entries in it and emails the result to a specific mailbox.


#!/bin/bash

# Ray Qiu
# Feb 8, 2017

HOST=$(hostname)
count=0

# Rename old log file (the log is named after the machine ID mbbr reports)
MBBRPATH='/usr/local/bin'
cd "$MBBRPATH" || exit 1
MACHINEID=$(./mbbr register | sed -nE 's/Machine ID:[[:space:]]*([0-9A-Z]*)/\1/p')
INFILE="${MBBRPATH}/mbbr-logs/${MACHINEID}log.txt"
[ -f "$INFILE" ] && mv "$INFILE" "$MBBRPATH/mbbr-logs/Old.log"

# Update signatures and scan (detailed results also go to stdout)
./mbbr update
SCANRESULTS=$(./mbbr scan -remove -noreboot -stdout:detail)

# Check result: any log line naming an OSX., Trojan., Adware. or PUP. detection counts as a hit
if grep -Eiq '[-0-9 :]*(OSX|Trojan)\.|[-0-9 :]*Adware\.|[-0-9 :]*PUP\.' "$INFILE"; then
    count=$((count+1))
fi

echo "$count"

if [ "$count" -eq 0 ]; then
    RESULT="Casper MBBR Scanner: No Virus Found on $HOST"
else
    RESULT="Casper MBBR Scanner: Virus Found on $HOST"
fi

echo "$RESULT"

mail -s "$RESULT" [email protected] [email protected] < "$INFILE"

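As an added example (not code from the original post), here is the detection check of the scan script reworked to report what was found rather than a bare 0/1: it extracts the threat names that carry the same family prefixes the script greps for (OSX., Trojan., Adware., PUP.), totals them per family, and builds the mail subject from the count. The log lines embedded below are a constructed sample in that shape; the real mbbr log format may differ, so adjust THREAT_RE to it.

```bash
#!/bin/bash
# Added example, not from the original post: classify what the MBBR scan found instead of
# reporting a bare 0/1. THREAT_RE matches the same family prefixes the scan script greps
# for (OSX., Trojan., Adware., PUP.). The log lines below are a constructed sample in that
# shape; the real mbbr log format may differ, so adjust THREAT_RE to it.

# A threat name: family prefix followed by the rest of the dotted name (no spaces).
THREAT_RE='(OSX|Trojan|Adware|PUP)\.[A-Za-z0-9_.]+'

# Distinct threat names in the log read on stdin, one per line.
mbbr_threats() {
    grep -Eo "$THREAT_RE" | sort -u
}

# Number of distinct threats (0 on a clean log).
mbbr_threat_count() {
    mbbr_threats | grep -c . || true
}

# Per-family totals, "<family> <count>" per line (family = text before the first dot).
mbbr_family_counts() {
    mbbr_threats | cut -d. -f1 | sort | uniq -c | awk '{print $2, $1}'
}

# Mail subject for host $1, in the spirit of the scan script, from the log read on stdin.
mbbr_verdict() {
    n=$(mbbr_threat_count)
    if [ "$n" -eq 0 ]; then
        echo "Casper MBBR Scanner: No Virus Found on $1"
    else
        echo "Casper MBBR Scanner: $n threat(s) found on $1"
    fi
}

# Constructed sample log (timestamps, names and paths are made up)
SAMPLE_LOG='2017-02-08 09:12:01 mbbr scan started
2017-02-08 09:12:45 Scan completed: 4 threats found
2017-02-08 09:12:45 Detected OSX.Trojan.Example in /Users/demo/Downloads/installer.dmg
2017-02-08 09:12:45 Detected Adware.Example in /Applications/Bar.app
2017-02-08 09:12:45 Detected Adware.Other in /Applications/Bar.app/Contents/MacOS/helper
2017-02-08 09:12:45 Detected PUP.Example in /Library/LaunchAgents/com.example.plist
2017-02-08 09:12:46 Removal complete'

# Demo on the sample: the threat list, the per-family totals and the subject line.
# In the scan script you would feed "$INFILE" instead of the sample.
printf '%s\n' "$SAMPLE_LOG" | mbbr_threats
printf '%s\n' "$SAMPLE_LOG" | mbbr_family_counts
printf '%s\n' "$SAMPLE_LOG" | mbbr_verdict "$(hostname)"
```

Piping the real log through `mbbr_family_counts` in the scan script gives a mail subject that says what kind of detection it was, which is the detail a responder wants before opening the attachment.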


Casper MDM Enrollment Issue

We have a few Macs that cannot enroll in MDM. When I checked the jamf log on one of them, it said:

Error installing the computer level mdm profile: profiles install for file:'/Library/Application Support/JAMF/tmp/mdm.mobileconfig' and user:'root' returned -915 (Unable to contact the SCEP server at "https://jss.xxxcom:8443//CA/SCEP".)
Problem installing MDM profile.
Problem detecting MDM profile after installation.

It turned out to be a root certificate issue: some users did not have our root cert in the System keychain.

The fix is just to inject our root cert and rerun MDM enrollment. Here is my script for that:

#!/bin/sh

# Inject Root Certificate
# Ray Qiu
# Jan 30, 2017

# Download root cert
# NOTE: this fetches the certificate over plain HTTP with -k (no TLS checking) and then
# trusts it as a root for the whole system, so anyone on the path could swap in their own CA.
# Serve it over HTTPS, drop -k, and compare the fingerprint with a known-good value before
# trusting it, e.g. openssl x509 -in /tmp/new.cer -noout -fingerprint -sha256
# (add -inform DER if the file is DER encoded).
cd /tmp || exit 1
curl -LOk http://xxx.com/tools/new.cer

# Inject the new cert as a trusted root in the System keychain
sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "/tmp/new.cer"

# Re-enroll in MDM
sudo jamf mdm

# Remove the downloaded cert
rm /tmp/new.cer