firstboot scripts

[nobrainer]

I have been given a directive to enable filevault on our mac’s. I’m reading that there isn’t an automated way to do this, but if I deploy the FileVaultMaster.cer and FileVaultMaster.keychain I can then use the Casper’s Enable FV script to actually bring up the ability to enable it. So my question is… how do I copy these 2 files via my firstboot.pkg file? Or would it be better to have it as a separate package since it will be going to laptops only and not desktops?

As a 2nd question…
Part of my current firstboot is to enable ARD/SSH. The ARD is enabled and working perfectly. SSH on the other hand is ‘enabled’ but the “only these users:” field is blank. How can I enable my local admin account in there?

Currently that portion of the script looks like this…
# ARD Configuration
# Enable ARD for macadmin
$kickstart -configure -allowAccessFor -specifiedUsers
$kickstart -activate -configure -access -on -users “macadmin” -privs -all -clientopts -setvnclegacy -vnclegacy yes -setvncpw -vncpw desktop -restart -agent

[dead2sin]

1. I’d make a seperate package just for file vault so that way if you decide to not do it in the future, you can just remove it.

2. Are you using the following to enable SSH?

[code]/usr/libexec/PlistBuddy -c “Delete Disabled” $3/System/Library/LaunchDaemons/ssh.plist[/code]

If so, any local admin should be able to connect untill you’ve edited the sshd_config file. I edit mine as follows on the firstboot:

[code]echo KerberosAuthentication yes >> /etc/sshd_config
echo KerberosOrLocalPasswd yes >> /etc/sshd_config
echo AllowGroups DOMAIN\\admingroup admin >> /etc/sshd_config
[/code]
This makes it so you can log in to SSH using Kerberos (AD in this case) and only DOMAIN\admingroup or admin (this is a local group) can log in using ssh.

Hope that helps!

Nate

[Author]

Posts