InstaDMG post setup scripts for individualizing machines

  • #375579
    knowmad
    Participant

    I am curious (I know there is another older thread on this but it contains not much that is useful to me) how others are tackling an issue I tackle manually… but would love to find the time to script.

    I do not work in a lab environment.
    I work in an office environment, meaning that while each machine starts with the same setup, they instantly have to change to conform to the individual who will be using that machine.

    So after I image a machine, I need to:
    1) Re-install PGP (still have not figured out why it installs in instadmg without error and then errors on first boot)
    2) set a machine specific Admin, master and root password, then re-disable root
    3) Set the machine name to reflect the user and the property tag number (both things that can’t simply be divined from the machine)
    4) Set up the user account
    5) add wireless networks (I know this can be done by script and I keep meaning to use the app that was noted on the AFP front page but somehow….)
    (edit: I just reread the app on the front page, it's not what I need, it's for 802.1X. I remembered it as 802.11X meaning generalized wireless setup…. Someone once published half an app for adding the wireless connections at (I think) Duke with the caveat that you can change it for yourself…. I also never tried that)
    6) set the DHCP ID to match the machine name
    7) Setup the email account in entourage
    8) other stuff that does not come to mind at the moment

    We do not have an AD/OD/AnyD so binding is not an issue but at the same time automating this stuff based on logon credentials won’t work.
    I WANT to build a script that starts at first Admin logon and asks:
    1) property tag number
    2) name of intended user
    then it would set the machine name and DHCP-ID based on that info, create the user account and dump the required info into the entourage DB setup.
    basically shortening my involvement by many minutes.
    So far I have not done anything on this though I have talked about it often.
    If any of you currently have scripts that do SOME of this, please share them… I will share (minus the password creation bits) anything I create from them, and give full credit … I don’t need it.

    #375585
    Rusty Myers
    Participant

    3) I use a script that will download a csv file from a web server. The file runs through [url=http://www.bombich.com/]Bombich’s[/url] set-names script also used in net restore. This way I can change the name of the file on the server, and let the machines name themselves.

    Also, Remote Desktop, or another system control. Check out [url]http://education.apple.com/contact_me/systems_management/Solutions_for_Sys_Mgmt.pdf[/url]

    #375588
    knowmad
    Participant

    Spider, thank you. I forgot about Bombich’s script archive.
    Useful, I will likely use parts of what he has.
    I am looking for decentralized solutions, because I do not have access to a centralized server that the security guys will let me use for this in any meaningful manner.
    Such is life.

    #375592
    Patrick Fergus
    Participant

    I haven’t tested what I’ll be writing–parts have worked in some situations, but verify this stuff works before plugging it into your build. Ok, disclaimer over.

    Big question–can you bake ARD remote access turned on into your build? Unless you can pull the customized parts (e.g. names) from somewhere, ARD might be your next best bet. All of these scripts are going to assume they run with root/superuser privileges.

    [i]1) Re-install PGP (still have not figured out why it installs in instadmg without error and then errors on first boot)[/i]

    Will this possibly tolerate being installed at first boot? Create a script along the lines of:[code]#!/bin/bash
    # Where the PGP package lives on the image, and the installer binary
    pgpPkgLocation=/path/to/pgp.pkg
    installerLocation=/usr/sbin/installer

    # Install onto the boot volume; the variable is expanded with $ and quoted so a path with spaces survives
    "$installerLocation" -pkg "$pgpPkgLocation" -target / -verbose[/code]and use launchd to install upon first boot. Restart if you feel the need.

    [i]2) set a machine specific Admin, master and root password, then re-disable root[/i]

    I’m going on the assumption that root is already enabled.[code]#!/bin/bash
    adminName=osxadmin
    dsclLocation=/usr/bin/dscl
    dsenablerootLocation=/usr/sbin/dsenableroot
    # Both passwords sit in the clear in this file; anyone who can read the script can read them
    password=mySecretPassword
    rootPassword=mySecretRootPassword

    # Set the local admin and root passwords in the local node ("."), then disable root again
    "$dsclLocation" . -passwd "/Users/$adminName" "$password"
    "$dsclLocation" . -passwd /Users/root "$rootPassword"
    "$dsenablerootLocation" -d[/code]Sorry, I can’t help on setting the master password (I’m assuming you mean FileVault).

    [i]3) Set the machine name to reflect the user and the property tag number (both things that can’t simply be divined from the machine)[/i][code]#!/bin/bash
    systemSetupLocation=/usr/sbin/systemsetup
    computerName=user_123456

    # Computer Name (as shown in Sharing) and the Bonjour/local hostname
    "$systemSetupLocation" -setcomputername "$computerName" > /dev/null
    "$systemSetupLocation" -setlocalsubnetname "$computerName" > /dev/null[/code][i]4) Set up the user account[/i][code]#!/bin/bash
    shortname=favoriteUser
    fullname="Favorite User"
    usersUniqueID=98765
    groupID=20          # 20 is the local "staff" group
    usersPassword=shhhSecret

    #Create their user record in the local node ("."); the attribute names are the ones dscl expects
    dscl . -create /Users/$shortname
    dscl . -create /Users/$shortname UserShell /bin/bash
    dscl . -create /Users/$shortname RealName "$fullname"
    dscl . -create /Users/$shortname UniqueID $usersUniqueID
    dscl . -create /Users/$shortname PrimaryGroupID $groupID
    dscl . -create /Users/$shortname NFSHomeDirectory /Users/$shortname
    dscl . -passwd /Users/$shortname $usersPassword

    #Create their home from the default user template and hand it to them
    /bin/mkdir /Users/$shortname
    /usr/bin/ditto -rsrcFork "/System/Library/User Template/English.lproj" /Users/$shortname
    /usr/sbin/chown -R $shortname:$groupID /Users/$shortname[/code][i]5) add wireless networks (I know this can be done by script and I keep meaning to use the app that was noted on the AFP front page but somehow….)
    (edit: I just reread the app on the front page, its not what I need, its for 802.1X I remembered it as 802.11X meaning generalized wireless setup…. Someone once published half an app for adding the wireless connections at (I think) Duke with the caveat that you can change it for yourself…. I also never tried that)[/i]

    I’m not much help here.

    [i]6) set the DHCP ID to match the machine name[/i][code]#!/bin/bash
    networksetupLocation=/usr/sbin/networksetup
    clientID=thisComputersClientID
    #You're going to have to figure out what interface you want to use for DHCP. See "networksetup -listallnetworkservices"
    networkServiceForDHCP=Ethernet

    #Switch the service to DHCP and send clientID as the DHCP client identifier
    "$networksetupLocation" -setdhcp "$networkServiceForDHCP" "$clientID"[/code][i]7) Setup the email account in entourage[/i]

    There are posts around the Internet regarding this. For example [url=http://blog.entourage.mvps.org/2007/05/exchange_server_setup_script_u.html]this one[/url] would be a starting point. Updated versions are probably floating around in the [url=http://lists.psu.edu/archives/macenterprise.html]archives of the MacEnterprise forums[/url]. The basic idea is that an Entourage “schedule” runs a script at launch. It pops up the first time the user opens Entourage and asks a few questions. Then it sets up the Entourage account and removes itself from the schedule.

    You can build a script in ARD from the above and then you don’t have to babysit the machine while it is rebuilding.

    – Patrick
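The first-logon script knowmad sketches in the opening post (ask for the property tag and the intended user, then set the machine name, the DHCP ID and the account) and Patrick's per-step snippets above, pulled together as one added example. This is editor-added code, not from anyone in the thread: the naming scheme (shortname-tag), the 4-to-8-digit tag rule, gid 20, the 501+ UID range and the file name are assumptions. The derivation helpers are plain POSIX shell and run anywhere; only the apply step calls systemsetup, networksetup and dscl, and it refuses to run unless it is root on macOS.

```shell
#!/bin/sh
# Added example (not from the thread): first-logon provisioning. Asks for the
# two facts the machine cannot learn on its own, the property tag and the
# intended user, then derives the computer name, DHCP client ID and local
# account from them. Naming scheme, tag format and account settings are
# assumptions. Usage on the imaged Mac:  sudo sh provision.sh --apply

# Lower-case, keep only [a-z0-9-], squeeze dashes, cap at 63 chars (a DNS label).
sanitize_label() {
    printf '%s' "$1" | LC_ALL=C tr '[:upper:]' '[:lower:]' | LC_ALL=C tr -c '[:alnum:]' '-' \
        | sed -e 's/--*/-/g' -e 's/^-//' -e 's/-$//' | cut -c1-63
}

# "Jane Doe" -> "jdoe": first initial plus last word, for the account short name.
make_shortname() {
    first=$(printf '%s' "$1" | awk '{print substr($1, 1, 1)}')
    last=$(printf '%s' "$1" | awk '{print $NF}')
    sanitize_label "$first$last" | tr -d '-'
}

# Property tags are assumed to be 4 to 8 digits.
validate_tag() {
    printf '%s' "$1" | grep -Eq '^[0-9]{4,8}$'
}

# Computer name and DHCP client ID share one form: <shortname>-<tag>.
make_computer_name() {
    printf '%s-%s\n' "$(make_shortname "$1")" "$2"
}

# Next unused UID at or above 501, given the UIDs already in use.
next_free_uid() {
    printf '%s\n' "$@" | tr ' ' '\n' \
        | awk 'BEGIN {m = 500} NF && $1 > m {m = $1} END {print m + 1}'
}

# 16 random alphanumerics, generated at run time rather than stored in the script.
random_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 16
}

# Everything below changes the system; it is only meant to run as root on the Mac.
apply_settings() {
    fullname=$1
    tag=$2
    name=$(make_computer_name "$fullname" "$tag")
    shortname=$(make_shortname "$fullname")
    uid=$(next_free_uid $(dscl . -list /Users UniqueID | awk '{print $2}'))
    pw=$(random_password)

    /usr/sbin/systemsetup -setcomputername "$name" > /dev/null
    /usr/sbin/systemsetup -setlocalsubnetname "$name" > /dev/null
    /usr/sbin/scutil --set HostName "$name"

    # Same client ID on every network service, as knowmad ended up doing;
    # the first line of -listallnetworkservices is a legend, a leading * marks a disabled service.
    /usr/sbin/networksetup -listallnetworkservices | tail -n +2 | sed 's/^\*//' \
        | while IFS= read -r svc; do
            /usr/sbin/networksetup -setdhcp "$svc" "$name" > /dev/null 2>&1 || true
        done

    # Local account in the "." (local) node; gid 20 is staff. The home folder is
    # populated from the User Template at the first login, so it is not created here.
    dscl . -create "/Users/$shortname"
    dscl . -create "/Users/$shortname" UserShell /bin/bash
    dscl . -create "/Users/$shortname" RealName "$fullname"
    dscl . -create "/Users/$shortname" UniqueID "$uid"
    dscl . -create "/Users/$shortname" PrimaryGroupID 20
    dscl . -create "/Users/$shortname" NFSHomeDirectory "/Users/$shortname"
    dscl . -passwd "/Users/$shortname" "$pw"

    printf 'Created %s (uid %s) on %s; initial password: %s\n' "$shortname" "$uid" "$name" "$pw"
}

main() {
    if [ "$(uname)" != Darwin ] || [ "$(id -u)" -ne 0 ]; then
        echo "run as root on macOS" >&2
        exit 1
    fi
    printf 'Property tag number: '
    read -r tag
    validate_tag "$tag" || { echo "tag must be 4 to 8 digits" >&2; exit 1; }
    printf 'Full name of intended user: '
    read -r fullname
    apply_settings "$fullname" "$tag"
}

if [ "${1:-}" = "--apply" ]; then
    main
fi
```

Unlike the snippets, the password is generated when the script runs and printed once rather than stored in the file; handing it to dscl -passwd still exposes it briefly in the process list, the same trade-off the posted scripts make.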

    #375602
    knowmad
    Participant

    Ok,
    1) I will likely leave PGP alone, though that's a good option.
    2) root is not enabled BUT if I remember correctly, setting the password for root enables it. Master Password I am working on as well… probably gonna be an applescript.
    3) Ok, useful.
    4) likely what I am going to do. I was gonna rip it out of (or use) the createuser script, and this is essentially what it does. I intend to set a blank password as I will have to login as that user immediately anyway. If I leave the home folder blank, won't it populate it on first login from the default template anyway?
    5) There is a script for it, I will include it likely in my build instead of my boot process
    6) Actually going to use a variation on your script to set the DHCP ID on all interfaces to match.
    7) and this would be the reason I must login immediately. Awesome find, wish I had known about this ages ago, it's certainly been around for a while…. When I find an update (or make my own) I will post the link.

    I was thinking more along the lines of an apple script that asks for the user’s first and last name, Tag number and any security identifiers, then uses that information dumped to a shell script to set the UserName, MachineName, DHCP-ID, and secure passwords.
    I often like monolithic scripts where I know I should use modular small ones…. let's see what I come up with.

    #375611
    knowmad
    Participant

    getting closer to the grand unified answer to everything (it's 42) and along the way I realized that the master password is stored in:
    /Library/Keychains/FileVaultMaster.keychain
    which means… I might have a chance at setting it via command line after all.
    The alternative is invoke osascript and then run a gui scripting item to set it…. yuck.
    I also found this (written by our very own gneagle apparently…) http://www.macenterprise.org/articles/filevaultconsiderations
    now to find the proper way to set the password from the command line… I WILL do this.

    #375615
    Rusty Myers
    Participant

    From the link above:

    “To do this, you’ll create a FileVault Master password on one machine, and then copy certain files to all your managed machines. Open the Security preference pane and click “Set Master Password”. Since this will be deployed to all your managed machines, and since changing it (and propagating that change to existing FileVault-protected accounts) is difficult, make sure it’s a non-trivial password, and do not make it the same as any other admin or root password you have in use. Use the Password Assistant to check on the quality of your chosen password. Click OK to create the master password.

    Two new files are created in /Library/Keychains: FileVaultMaster.cer, and FileVaultMaster.keychain

    To implement the FileVault Master Password on all the machines you manage, simply install these two files on all your managed machines. You can use any method to do this (put them in your install image, using ARD, radmind, FileWave, etc), but make sure they are in place BEFORE FileVault is turned on for any accounts on a given machine. If FileVault has been turned on before these FileVaultMaster files are installed, the pre-existing FileVault-protected accounts cannot be unlocked using the FileVault Master Password you just created.”

    #375619
    knowmad
    Participant

    Spider,
    yes BUT that puts the same master password on every machine, and I can’t do that.
    so I keep working.
    Josh

    #375631
    knowmad
    Participant

    Patrick,
    I am wondering if its me or not but…. Your dscl commands don’t look right as written in your post and having tried them as written…..

    shouldn’t they be more like:
    [code]dscl . -create realname $NAME[/code]
    and so on?

    #375632
    Patrick Fergus
    Participant

    [i]2) root is not enabled BUT if I remember correctly, setting the password for root, enables it. Master Password I am working on as well… probably gonna be an applescript.[/i]

    root also needs to be placed in the dslocal admin group to really be considered “enabled” (yes, we’re enabling root in one of our builds). Anything that would obtain rights through OS X’s normal authorization processes would fail, but other ways of obtaining rights (sudoers, etc) might still be possible.

    – Patrick

    #380241
    knowmad
    Participant

    and just to add to something (this thread) that everyone has forgotten:
    over at MACOSX hints they put up (thank you tlarkin I think) this lovely hint:
    [code]networksetup -help | grep addpref
    Usage: networksetup -addpreferredwirelessnetworkatindex <device name> <network> <index> <security type> [password][/code]

    original hint here: [url]http://hints.macworld.com/article.php?story=20101004114849586[/url]
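For step 5, which nobody in the thread had a script for, an added example (editor's code, not from the hint or from anyone in the thread) that finds the Wi-Fi device from networksetup -listallhardwareports and adds a short list of preferred networks with the -addpreferredwirelessnetworkatindex verb from the hint. The SSIDs, security types and passphrase are constructed placeholders, as is the sample port listing used off the Mac; without --apply the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the thread or the hint): add a fixed list of
# preferred Wi-Fi networks with networksetup. SSIDs, security types and the
# passphrase are constructed placeholders. Without --apply the script only
# prints the commands it would run:  sudo sh wifi.sh --apply

# Find the Wi-Fi device (en0/en1/...) in `networksetup -listallhardwareports`
# output; the port is labelled "Wi-Fi" on newer systems and "AirPort" on older ones.
wifi_device_from_ports() {
    awk '/^Hardware Port: (Wi-Fi|AirPort)$/ { hit = 1; next }
         hit && /^Device: / { print $2; exit }'
}

# Constructed sample of that output, for a dry run off the Mac.
SAMPLE_PORTS='Hardware Port: Ethernet
Device: en0
Ethernet Address: 00:11:22:33:44:55

Hardware Port: AirPort
Device: en1
Ethernet Address: 00:11:22:33:44:66'

# One network per line: SSID|security type|passphrase (empty for OPEN). The
# security types networksetup accepts (OPEN, WEP, WPA, WPA2, ...) are listed in
# its -help output. Earlier lines get a lower index, i.e. a higher priority.
NETWORKS='corp-wifi|WPA2|example-passphrase
guest|OPEN|'

# Print the command in a dry run (the default), execute it otherwise.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# The passphrase goes on the command line, so it is visible in ps while the
# command runs; this networksetup verb offers no other way to supply it.
add_networks() {
    dev=$1
    index=0
    printf '%s\n' "$NETWORKS" | while IFS='|' read -r ssid sec pass; do
        [ -n "$ssid" ] || continue
        if [ -n "$pass" ]; then
            run /usr/sbin/networksetup -addpreferredwirelessnetworkatindex "$dev" "$ssid" "$index" "$sec" "$pass"
        else
            run /usr/sbin/networksetup -addpreferredwirelessnetworkatindex "$dev" "$ssid" "$index" "$sec"
        fi
        index=$((index + 1))
    done
}

main() {
    dev=$(/usr/sbin/networksetup -listallhardwareports | wifi_device_from_ports)
    [ -n "$dev" ] || { echo "no Wi-Fi interface found" >&2; exit 1; }
    DRY_RUN=0
    add_networks "$dev"
}

case "${1:-}" in
    --apply) main ;;
    # Default: dry run against the constructed sample, so the commands can be reviewed anywhere.
    *) add_networks "$(printf '%s\n' "$SAMPLE_PORTS" | wifi_device_from_ports)" ;;
esac
```

The index is the position in the preferred-networks list, so the order of the NETWORKS lines is the order the Mac will try them in.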

    #380242
    knowmad
    Participant

    oh, and my post image script is in use, looks like crap and is up for offer to anyone who wants it… but I can't post it here cause the system flags it as spam…. ick
