Forum Replies Created
knowmad
Participant
Oddly, I am not worried so much about my end users, but their kids (it would work if it hadn’t been for those meddling kids)…
boyfriends/girlfriends, brothers, cousins, family and friends….
It’s the well-meaning people who decide to ‘fix’ things for them while they are away from the office…. i.e. people who know enough to enable root in the Directory Utility but not in the command line… essentially, those meddling kids.
Those who are determined, they will find a hole; those who are not determined will give up if the obvious entries are locked.
Larkost (et al) is correct, not handing out Admin rights would be ideal. But this place has a culture of entitlement, regardless of effect or outcome. So I do what I can.
knowmad
Participant
Patrick,
I am wondering if it’s me or not but…. Your dscl commands don’t look right as written in your post and having tried them as written….. shouldn’t they be more like:
[code]dscl . -create realname $NAME[/code]
and so on?
knowmad
Participant
Larkost,
You’re right….. but…. I don’t have the authority to set that rule, much though I would like to.
knowmad
Participant
Just for the fun of it, I am going to revive this old thread… How do you (you being the community at large) handle these settings? Defaults write? MCX? Something different?
I have been leaning more and more to MCX BUT not everything works well that way…. at least for me (firewall for instance).
knowmad
Participant
Spider,
yes BUT that puts the same master password on every machine, and I can’t do that.
so I keep working.
Josh
knowmad
Participant
Getting closer to the grand unified answer to everything (it’s 42) and along the way I realized that the master password is stored in:
/Library/Keychains/FileVaultMaster.keychain
which means… I might have a chance at setting it via command line after all.
The alternative is to invoke osascript and then run a GUI scripting item to set it…. yuck.
I also found this (written by our very own gneagle apparently…) http://www.macenterprise.org/articles/filevaultconsiderations
Now to find the proper way to set the password from the command line… I WILL do this.
knowmad
Participant
The only part of lanrev I have used so far has been installease, which installs separate from everything else and does the snapshotting for you…
so, install the installease item, then take a snapshot, then install the rest of lanrev (or those parts you want) and take the second snapshot, tell it to build an installer using (I use iceberg but… to each their own).
If that does not work you can always do the target mode trick.
Lanrev can take a snapshot of any disk, not just the startup.
Load a second mac into target mode, snapshot it, dismount, reboot it, install lanrev, reboot into target mode, attach to main machine and re-snapshot, build as mentioned above.
(shaken not stirred)
There are lots of variations on that theme you can use to do this, but that gives you something to work with I think.
knowmad
Participant
Ok,
1) I will likely leave PGP alone, though that’s a good option.
2) root is not enabled BUT if I remember correctly, setting the password for root enables it. Master Password I am working on as well… probably gonna be an applescript.
3) Ok, useful.
4) likely what I am going to do. I was gonna rip it out of (or use) the createuser script, and this is essentially what it does. I intend to set a blank password as I will have to login as that user immediately anyway. If I leave the home folder blank, won’t it populate it on first login from the default template anyway?
5) There is a script for it, I will include it likely in my build instead of my boot process
6) Actually going to use a variation on your script to set the DHCP ID on all interfaces to match.
7) and this would be the reason I must login immediately. Awesome find, wish I had known about this ages ago, it’s certainly been around for a while…. When I find an update (or make my own) I will post the link.
I was thinking more along the lines of an apple script that asks for the user’s first and last name, Tag number and any security identifiers, then uses that information dumped to a shell script to set the UserName, MachineName, DHCP-ID, and secure passwords.
I often like monolithic scripts where I know I should use modular small ones…. let’s see what I come up with.
knowmad
Participant
well….
You can try InstaUp2Date
That might be akin to what you’re looking for, though it is not automatic, it’s better than many alternatives.
I know a lot of people only include major updates in their packages.
I for one generally keep an eye out and add new non-point updates to the bottom of my install list as they come by.
I only really re-jigger everything when a completely new point release comes out.
knowmad
Participant
Spider, thank you. I forgot about Bombich’s script archive.
Useful, I will likely use parts of what he has.
I am looking for decentralized solutions, because I do not have access to a centralized server that the security guys will let me use for this in any meaningful manner.
Such is life.
February 27, 2009 at 9:18 pm in reply to: Packaging Bind (join) Active Directory Domain for InstaDMG #375581
knowmad
Participant
[QUOTE][u]Quote by: knowmad[/u][p]…..If it does not see them it exits on 0 which causes launchdaemon to simply relaunch…
lather-rinse-repeat until it sees what it needs, then it launches the installers and exits on 1 which actually lets it die.
[/p][/QUOTE]
um, wow I was in a rush, got that backwards… exit on 1 causes respawn, exit on 0 causes clean end.
sorry…. still don’t have time to find the originator of that post/idea.
February 26, 2009 at 12:59 am in reply to: Packaging Bind (join) Active Directory Domain for InstaDMG #375570
knowmad
Participant
Patrick,
On that last item of starting something to hold things up so everything can boot… someone else (no time to look and my memory is fuzzy) mentioned a neat trick of using launchdaemon to launch a script that looks for the items you need to be loaded before installing…. If it does not see them it exits on 0 which causes launchdaemon to simply relaunch…
lather-rinse-repeat until it sees what it needs, then it launches the installers and exits on 1 which actually lets it die.
The last in your chain of installers removes the script from launch-line-up (so to speak) and you’re all done.
One time first boot that makes certain not to run until everything is ready.
Later I will look up the particulars and post-em.
knowmad
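
The first-boot gate from the post above, written with the exit codes as the follow-up reply on this page corrects them (non-zero to be relaunched, 0 to finish). This is an added example, not part of the original post or the script the poster refers to; the function name, its arguments, and the `KeepAlive`/`SuccessfulExit` launchd setting it relies on are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread).
# Assumption: the LaunchDaemon plist that starts this script contains
#   <key>KeepAlive</key><dict><key>SuccessfulExit</key><false/></dict>
# so launchd restarts the job after a non-zero exit and leaves it alone
# after exit 0.

# firstboot_gate PLIST INSTALL_CMD REQUIRED_PATH...
#   returns 1 while a required path is missing or the installers fail
#             (launchd relaunches the job and the check repeats)
#   returns 0 once the installers have run and the job's plist is removed
firstboot_gate() {
    plist=$1          # the job's own plist (hypothetical path)
    install_cmd=$2    # command that runs the installer chain (hypothetical)
    shift 2

    # Wait until everything the installers depend on is present.
    for required in "$@"; do
        if [ ! -e "$required" ]; then
            echo "firstboot: waiting for $required" >&2
            return 1
        fi
    done

    # Prerequisites are there: run the installer chain.
    if ! "$install_cmd"; then
        echo "firstboot: installer chain failed, will retry" >&2
        return 1
    fi

    # Take the job out of the launch line-up so it never runs again.
    # (In the post the last installer in the chain does this step.)
    rm -f "$plist"
    return 0
}

# Typical last line of the script launchd starts (paths are placeholders):
#   firstboot_gate /Library/LaunchDaemons/PLACEHOLDER.plist /path/to/run-installers \
#       /path/that/must/exist || exit 1
```
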
Participant
and also note this thread, it might be useful:
[url]https://www.afp548.com/forum/viewtopic.php?forum=45&showtopic=21477&highlight=time%20zone[/url]
knowmad
Participant
A quick check of the WorkGroup Manager shows something interesting.
It is capable of pushing printers, BUT the choices are ‘never’ or ‘always’.
I don’t know if it is possible for it to use ‘once’ or what would be the effect if you did that.
Which is to say: It can be done via MCX but it might have to be an always thing…. not so bad if you want these to always be available, and you can allow the user to change them or not as you choose.
knowmad
Participant
Your question is worded in a bit of an odd manner…. are you referring to the office update during an InstaDMG build or after the machine is already in use?
Regarding office updates:
If you have not installed the latest Apple security fix but have updated to 10.5.6 you may likely find that MS updates fail or hang if unattended and require a click on a debug window if attended.
Apple messed up something in 10.5.6 that MS used in their updates. All updates from 12.1.1 to 12.1.5. Apple quietly fixed the issue in the latest security update.
Net result, make certain you update before you build your image.
It does not matter if the image has the security update before/after MS Office, but the machine doing the build must have the update first.
That being said, I have no clue how to add a debugger to the individual updates/installs in an InstaDMG build, but I am certain it can be done.