Amsys / Moof Reblog, Mac Admin

Add a web shortcut to the currently logged in user using a script

Hi All. It’s another, another customer request blog! (sorry)

I recently had a customer request that we deploy a Web Shortcut (a `.webloc` file) to each user's desktop at login. Thanks to Stephen for originally figuring this out, leaving me the easy job of writing it up, proper-like!

The Script

This can be found on the Amsys GitHub pages, here.

Some gotchas around usage:

  1. Please test this in your own environment on non-production Macs!!
  2. Edit the ‘webLockFileName’ variable on line 22 (here) to the name you wish to give the file. I’ve left an example name, `Apple Support Pages`, for you to replace.
  3. Edit the ‘webLockDestination’ variable on line 24 (here) to the URL you wish the shortcut to point to. I’ve left an example URL, `https://www.apple.com/support`, for you to replace.
  4. If the script detects that the current user is root, or that there is no user at all, it exits without doing any work. Both cases usually mean the Mac is sitting at the login window, or is in some other odd state that would stop the script completing cleanly anyway.
  5. I’ve only tested this scripted solution on 10.11.x, 10.12.x and 10.13.x.
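For readers who want to see what such a script has to do end to end, here is an added example written for this page; it is not the Amsys script from GitHub, and the function names (`xml_escape`, `write_webloc`, `console_user`, `deploy_webloc`) are mine. It keeps the two variables named above, works out who is at the console (skipping root and the empty case, as gotcha 4 describes), writes the `.webloc` plist into that user's Desktop and hands ownership to them. One detail worth showing is that a `.webloc` is XML, so a URL carrying a query string with `&` must be escaped or Finder is handed a malformed plist.

```bash
#!/bin/bash
# Added example (not the Amsys script): drop a .webloc file on the console
# user's Desktop. Function names below are this example's own.

# Name shown in Finder and the URL the shortcut opens: edit these two.
webLockFileName="Apple Support Pages"
webLockDestination="https://www.apple.com/support"

# Escape the characters XML treats specially, so a URL such as
# "https://x.example/?a=1&b=2" still produces a well-formed plist.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' \
                           -e 's/>/\&gt;/g' -e 's/"/\&quot;/g'
}

# Write a .webloc (a plist whose only key is URL) at path $1 pointing to $2.
write_webloc() {
    local path="$1" url
    url=$(xml_escape "$2")
    cat > "$path" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>URL</key>
    <string>${url}</string>
</dict>
</plist>
EOF
}

# Print the user who owns /dev/console. At the login window that is root,
# and during Setup Assistant it is _mbsetupuser; treat both as "nobody".
console_user() {
    local user
    user=$(stat -f%Su /dev/console 2>/dev/null)
    case "$user" in
        ""|root|_mbsetupuser) return 1 ;;
    esac
    printf '%s\n' "$user"
}

# Resolve the user's home from Directory Services (not $HOME, which is
# root's when this runs from a login policy), write the file, then chown
# it to the user and their primary group.
deploy_webloc() {
    local user home dest
    if ! user=$(console_user); then
        echo "No logged-in user detected; nothing to do." >&2
        return 0
    fi
    home=$(dscl . -read "/Users/$user" NFSHomeDirectory | awk '{print $2}')
    dest="$home/Desktop/${webLockFileName}.webloc"
    write_webloc "$dest" "$webLockDestination"
    chown "$user:$(id -g "$user")" "$dest"
    chmod 644 "$dest"
}

# Only act on macOS; the helpers above can still be exercised elsewhere.
if [ "$(uname)" = "Darwin" ]; then
    deploy_webloc
fi
```

Run it as root from a login policy; because `stat -f%Su /dev/console` returns `root` while the login window is showing, running it at the wrong moment just logs a message and exits 0 rather than writing a file into /var/root.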

How do I use the script?

I’d suggest running this as a Jamf Pro (formerly Casper) login policy, or from one of Outset’s login triggers.

Summary

And there we go, I’ve detailed the solution we used to deploy a web shortcut file to the logged in user’s desktop. Hopefully that’ll help some of you out! As always, if you have any questions, queries or comments, let us know below (or @daz_wallace on Mac Admins Slack) and I’ll try to respond to and delve into as many as I can.

Happy Holidays!!

The usual Disclaimer:

While the author has taken care to provide our readers with accurate information, please use your discretion before acting upon information based on the blog post. I will not compensate you in any way whatsoever if you ever happen to suffer a loss/inconvenience/damage because of/while making use of information in this blog.


Limit access to the Login Window using a script

Hi All. It’s another customer request blog! *does a little dance*

I recently had to update a script for a customer that I’d written a year or two ago. It seemed kinda helpful and I was surprised I hadn’t written up my notes on it at all, so here it is.

The Requirements

The customer had a number of Macs spread over various locations, but wanted to ensure only certain network users (Active Directory) could log into them. They already had a group in Active Directory for this task.

This option can be found (on directory-bound Macs) in System Preferences > “Users & Groups” > “Login Options” > “Allow network users to log in at login window”.

[Screenshot 01: the “Login Options” pane with the “Allow network users to log in at login window” setting]

This has three possible values:

  • ‘Yes’ (ticked)
  • ‘No’ (unticked)
  • ‘Other’ (clicking the “Options…” button lets you specify which groups or users can log in)

[Screenshot 02: the “Options…” sheet listing the allowed users and groups]

Now the challenge was how to automate the above.

Why not use a Profile?

This was my first thought. The customer is a Jamf Pro (formerly Casper) customer, and so has access to a fully fledged MDM solution. Looking through the profile payloads, there is an option to do what we required under “Login Window” > “Access”.

[Screenshot 03: Casper Login Window profile payload]

[Screenshot 04: Jamf Pro Login Window profile payload]

Playing with these I hit two issues:

  1. The customer’s Jamf Pro server was not on-premises and wasn’t linked to their Active Directory. The values in the above profile payload can only be populated by searching the live directory from the profile / MDM server.
  2. This payload did not work at the time (OS X 10.11.2/.3), both in my testing and as discussed here. The same seemed to be true of a profile produced by Profile Manager (*shudder*).

So, with a sad face, I started looking at other options.

The Script

So after a lot of digging, research and throwing things at a test device (or three), I came across this Jamf Nation post by none other than Greg Neagle, detailing the minimum requirements for the setup. I’ll add that to the list of things I owe him a beer for 😉

I’ve taken the customer-specific script and rewritten it to be more generic; it can be found on the Amsys GitHub pages, here.

Some gotchas around usage:

  1. Please test this in your own environment on non-production Macs!!
  2. Edit the ‘allowGroup’ variable on line 33 (here) to the name of the directory group you wish to allow access to the Mac. I’ve left an example group, ‘AllowedMacUsers’, for you to replace.
  3. In testing, I found that by only adding the allow group, none of the local users could log in (including the local admin!). Set the variable on line 36 (here) as follows:
    1. ‘admin’ – to allow local admin users to log in, in addition to your allow group.
    2. ‘all’ – to allow all local user accounts to log in, in addition to your allow group.
    3. Anything else (preferably ‘no’ or ‘none’) – to allow only the allow group to log in, and no local users at all. Bear in mind that if the directory is unreachable, nobody can log in.
  4. The script needs to run after the Mac is bound to the directory; otherwise the directory group cannot be resolved and the script may fail to add it to the ‘allowed’ list.
  5. I’ve only tested this scripted solution on 10.11.x and 10.12.x. There’s no reason it shouldn’t work on newer OSes, but I’ve just not got round to testing it!
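To make the mechanism behind gotchas 3 and 4 concrete, here is an added example written for this page. It is not the Amsys script, and `local_policy_group`, `directory_group_resolves`, `restrict_login_window` and `login_allowed` are names of my own. Login window access is governed by a local group called `com.apple.access_loginwindow`: if it exists, only its members (directly or via nested groups) may log in. The example creates that group with `dseditgroup`, nests the directory group named in ‘allowGroup’, and maps the ‘admin’ / ‘all’ options to the built-in local groups `admin` and `localaccounts` (my assumption about how the options are best realised, not a statement about the Amsys script). It refuses to proceed if the directory group cannot be resolved through the search path, nests the local group before the directory group so there is no moment where the access group exists but is empty, and ends with a `checkmember` verification you can run against your own account before logging out.

```bash
#!/bin/bash
# Added example (not the Amsys script): restrict login-window access to one
# directory group plus, optionally, local accounts, by managing the local
# com.apple.access_loginwindow group. Function names are this example's own.

allowGroup="AllowedMacUsers"   # directory group permitted to log in (edit me)
localUsers="admin"             # "admin", "all", or anything else for none

ACCESS_GROUP="com.apple.access_loginwindow"

# Map the localUsers setting to a built-in local group to nest:
#   admin -> "admin"          (local administrators)
#   all   -> "localaccounts"  (every locally defined account)
#   other -> nothing          (directory group only)
local_policy_group() {
    case "$1" in
        admin) echo "admin" ;;
        all)   echo "localaccounts" ;;
        *)     echo "" ;;
    esac
}

# A group that cannot be resolved via the /Search node (i.e. the Mac is not
# bound, or the name is wrong) must not be nested: the access group would
# exist with no usable members and lock everyone out.
directory_group_resolves() {
    dscl /Search -read "/Groups/$1" GeneratedUID >/dev/null 2>&1
}

restrict_login_window() {
    local dir_group="$1" local_group="$2"
    if ! directory_group_resolves "$dir_group"; then
        echo "Group '$dir_group' not found in the search path; is this Mac bound?" >&2
        return 1
    fi
    # Create the access group only if it does not already exist.
    if ! dseditgroup -o read "$ACCESS_GROUP" >/dev/null 2>&1; then
        dseditgroup -o create -n /Local/Default "$ACCESS_GROUP"
    fi
    # Local group first, so an admin can always get back in if the next step fails.
    if [ -n "$local_group" ]; then
        dseditgroup -o edit -n /Local/Default -a "$local_group" -t group "$ACCESS_GROUP"
    fi
    dseditgroup -o edit -n /Local/Default -a "$dir_group" -t group "$ACCESS_GROUP"
}

# Returns 0 if user $1 would be admitted at the login window. Run this for
# your own account before you log out.
login_allowed() {
    dseditgroup -o checkmember -m "$1" "$ACCESS_GROUP" >/dev/null 2>&1
}

if [ "$(uname)" = "Darwin" ]; then
    restrict_login_window "$allowGroup" "$(local_policy_group "$localUsers")"
fi
```

Undoing it is the same `dscl . -delete /Groups/com.apple.access_loginwindow` given below; once that group is gone, the login window is back to admitting all network users.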

How do I remove the restriction?

So you’ve had a play and changed your mind? Or perhaps the requirement has changed? How do you remove the restrictions above?

Two methods:

  1. Log in to the Mac, launch System Preferences and go to “Users & Groups” > “Login Options”, tick the “Allow network users to log in at login window” option and log out.
  2. Or, run the command
    dscl . -delete /Groups/com.apple.access_loginwindow
    and log out.

Summary

And there we go, I’ve detailed the solution I used to restrict access on macOS to a certain user group. Hopefully that’ll help some of you out! As always, if you have any questions, queries or comments, let us know below (or @daz_wallace on Mac Admins Slack) and I’ll try to respond to and delve into as many as I can.

