well i’m going to setup the DMZ stuff for this. should be fun
adamcodega
Avatharian: weird
macmule
zoooky: incidentally, the reason I was asking if it was a cloud JSS is that the MySQL communication is unencrypted. So bad idea to have a cloud JSS clustered with an internal. But DMZ to Internal should be fine.
Avatharian
adamcodega: Yeah, Apple couldn't figure out what the hell happened either, in either case. Just remoted in, looked around, said "Wow, this is *super* broken!" and gave me instructions on how to set up a new one.
arrose
Mav Server + PM, it has mostly sort of worked. I might switch over to using munki as an mdm, but I like the idea of doing a remote lock
haven't needed to yet, but seems like a nice feature
foigus
"it has mostly sort of worked"
T-roy has quit
arrose
a glowing commendation, from me
Avatharian
arrose: I thought of using munki, but really that's just another distribution system; I can distribute things alright, I need to ~manage~ them, which means being able to have the tools to easily generate profiles in the first place. Ideally, I'd like a system similar to GPO, which is what MCX was, but mcx is going the way of the dodo, for some god forsaken reason.
I mean, I suppose I could use profile manager just to make profiles but not manage them...
arrose
profiles, as a format, are great. I agree that generating them is not as easy as it should be
foigus
"easily generate profiles", yeah, you have to do spelunking to get the setting. It was possible to create...a thing that would guide you when creating MCX
Barely anyone ever did
A thing that was so uncommonly used I don't remember the name of it
arrose
using PM strictly to *make* profiles seems like overkill, but it does work
gbatye joined the channel
Avatharian
I have to say, I'm just really not impressed with Profiles; They're alright for the relatively limited iOS, but they're so limited when it comes to OSX. There are a lot of Gotchas too, especially when it comes to overlapping profiles. I use the example of Printer Profiles: In my experience, they do not overlap correctly. If you assign more than one printer profile to a computer, the only one that actually seems to take hold is the one installed last. Meaning that you need a separate profile for every unique configuration of printers you might find in your organization.
arrose
it'd be neat if there was a tool that worked like fseventer, but only looked at preference changes, and generated .mobileconfigs afterward
macmule
Avatharian: MCX still works.. Might be worth sticking with until KACE is rid off.
Avatharian
also when you uninstall profiles they don't seem to revert to a "system default" of sorts, or the previous settings it seems. If I uninstall one of those printer profiles, the computer doesn't uninstall the printers the profile added.
macmule
s/off/of/
adamcodega
Avatharian: Sal + Munki?
zoooky has quit
Avatharian
macmule: For now, though the issue there is I would need to set up the AD -> OD Triangle. We currently don't have OD. I've thought about it though.
zoooky_ joined the channel
adamcodega: Sal?
macmule
Avatharian: yea, manage one payload per profile (as in printer settings via one payload).. & they don't remove them.
macmule: Would get awkward on the management end of things. Though that could be how I use Munki. The K1000 could be used for it as well, but would get awkward with the number of scripts I would need. In order to make it modular enough I would need 1 script per setting changed, unless I just made one script per group, but that would be much less agile.
adamcodega: Do you need the paid functionality to get any sort of "Group" level organization at all or can you manage that part yourself through Munki instead? Right now I'm not gonna be able to get anyone to buy anything.
adamcodega
macmule: ^^
Avatharian
I just want to be able to say "the 8th Graders are a Group. They get This Printer, This Wifi Access, This desktop background,"
Allister has quit
ldooks joined the channel
I don't even need to do software distribution per se, just OS settings would be really great.
grahamgilbert
Avatharian: Sal+ doesn’t do anything you can’t do by hand with Munki. It just makes some tasks a hell of a lot easier.
BTW: wtf am I doing on IRC today? I should be drunk by now.
rtrouton joined the channel
Avatharian
I have to say, the Sal website is kind of information-sparse
halloweenhead has quit
adamcodega
happy Monday grahamgilbert
grahamgilbert
adamcodega: I’m on vacation until next week, but I couldn’t help myself. An AutoPkg recipe and an article already this week. So annoyed at myself!
Avatharian
Ok, so it looks like regular Sal at least is mostly just a reporting engine for Munki, the management stuff comes in at Sal+. Hmm.
grahamgilbert
Hmm?
Avatharian
at least that's what I'm seeing on the github page.
adamcodega
grahamgilbert: and Sal uses Puppet too right?
grahamgilbert
adamcodega: Not directly
Avatharian
Tells you what Munki is doing for everyone. Sal+ looks like it starts to involve Puppet-style management stuff.
grahamgilbert
adamcodega: our infrastructure uses it
Avatharian
ahh.
grahamgilbert
Sal+ is UNICORNS
(that is a lie)
Avatharian
I saw that someone had built a settings management engine for OSX for Puppet which looked interesting. Can't remember if it was for the free version or not...
grahamgilbert
But Sal+ is magical in that it allows me to eat and continue to release the other open source stuff
There are a couple of modules for managing OS X with puppet
macmule
grahamgilbert: it is Unicorns.. We all know you have a herd.. It a bike shed in London.
See, I know that I could sit down with munki for a while, figure out alllll the settings I'll need to manage through defaults and whatnot, make all the packages to manage those, put it all together into one big happy Engine. That would be reinventing the wheel though, which I would like to try to avoid if I can get away with doing for free or very, very cheap.
macmule
s/it/in/
metropolio has quit
Avatharian
rtrouton: Yeah, I think that's the one
yeah, that's it. And then I saw the "OSX 10.9 or greater" and my heart was broken.
There will only be a very small number of computers left running 10.8 next year.
grahamgilbert
Anyway. Catch you all later
Avatharian
hmm. I'm sensing a different emphasis on the importance of Documentation for those two projects.
makab3r joined the channel
the dayglojesus one is pretty much what I'm looking for when it comes to options. Roll that into a puppet server... hmmmmmmmm. Wonder how easy it is to add things that aren't already provided in it, in case I come across any.
anyone tried running a puppet master server on OSX? Apparently possible but the line "the OS X package is very minimal compared to the Linux packages, and it doesn’t include the relevant init scripts." is a bit off-putting.
Or perhaps that just means you have to set up the initial installation manually as opposed to the package manager doing the grunt work for you.
abbaZaba has quit
abbaZaba joined the channel
abbaZaba has quit
adamcodega
Evening rtrouton
rtrouton
Evening adamcodega. How's it going?
foigus has quit
Avatharian
You know, this looks doable.
adamcodega
Avatharian: I had the same issue for myself in choosing a tool, my needs are more on the setting management side than software update patch management whatever side.
quovadimus has quit
rtrouton: Staying busy. Bunch of network stuff this week. Need to wrap my FV2 workflow before we go 100%, and write an after action report on an outage on one of our ISPs this past Xmas Eve.
Avatharian: settings management and auditing/reporting.
pimpind2 has quit
Avatharian
adamcodega: Yeah; Amazingly enough, there actually is something the k1000 seems to be doing pretty well in tests so far, Patch Management. Unlike other functions where something has gone wrong the first time I tried, this thing actually works so far. It's just a bit weird to set up, all based on this odd labeling system.
adamcodega
Avatharian: when in doubt, VM Linux on a Mac.
Avatharian
adamcodega: Yeah, I could make a CentOS vm on my mac ESXi server. Never used that distro before, but the documentation seems fairly good for getting everything set up.
adamcodega
Avatharian: or just w Fusion Pro.
Yup, ISP outage on Xmas Eve but luckily it was resolved before 3 pm
Avatharian
push out the Puppet Agent with the k1000 and/or via the imaging process.... All I need to do is survive the next semester, get rid of 90%+ of the osx 10.8 laptops.
mrgrey has quit
[han] joined the channel
adamcodega
Avatharian: Puppet is better than nothing. At least you have an agent to do X
metropolio joined the channel
[han] has quit
rtrouton
Avatharian: The K1000's patch management and inventory are the parts I like best about Kace. For everything else, that's why we bought Casper.
Avatharian: To do the initial distribution of Casper, we leveraged our KBox to push the Casper QuickAdd out.
halloweenhead joined the channel
adamcodega
rtrouton: How so? If you had credentials to install things on machines couldn't you use those creds in Recon?
rtrouton
adamcodega: Sure, but that meant I had to have Recon open and running. With the KBox handling the install, I just set up the install job and then watched as new boxes popped up in Casper.
adamcodega
Good point, hell if it does it, it does it.
rtrouton
Yup.
adamcodega
rtrouton: I'm a little fuzzy on our change from Meraki to Casper.. I forget the stumbling block that required manual package install.
neilmartin83 has quit
rtrouton
To enroll a machine in Casper?
Avatharian
If I can get this system working for next summer it will make moving everything over to AutoDmg-based imaging a lot more feasible. A great deal fewer scripts will be required.
adamcodega
rtrouton: Correct.
rtrouton: Do you use Munki too?
rtrouton
adamcodega: Don't know that one, I've always used a QuickAdd to install.
I do not use Munki.
adamcodega
rtrouton: Yeah we used QuickAdds.. and.. ::cough::emailed everyone a download link to run the QuickAdd.
rtrouton
Ah. In my case, everyone already had the Kace agent installed. :-)
macj_ joined the channel
macj has quit
adamcodega
Hehe.
rtrouton
Using one system tool to install (or uninstall) another system tool is a time-honored sysadmin tradition. :-)
Avatharian
I actually just came up with some clever scripts for the k2000 which should, in theory at least, force it to use a launchd instead of a loginhook. If KACE won't fix it, I will. Need to integrate your firstboot script into a test image to see how nice it plays, but it ought to work. It just deletes the dumb loginhook and launches the scripting engine with a launchd instead, there's no reason I can think of it wouldn't work, everything runs as root either way.
adamcodega
I think I remember now, a Meraki MDM profile was installed, but to do anything on the machine meant installing a Meraki agent, the config profile wouldn't do anything for us.
arrose
it is a nice last hurrah/reminder of why you're bothering
adamcodega
rtrouton: Yeah literally I had a post flight that deleted the Meraki MDM profile.
I mean pre flight. Duh.
Avatharian
adamcodega: Yeah, and even the meraki agent doesn't do much of anything beyond some basic reporting and locking. Their OSX support is less than barebones.
rtrouton
Back in a bit.
rtrouton has quit
adamcodega
Avatharian: it's pretty slim config management.
Even though it's a freaking MDM profile and should do config management!
Avatharian
adamcodega: Yeah, it has the iOS stuff, but it does what, Wifi on OSX and that's pretty much it?
I was hoping that they were adding more, but I looked into it and it's been in that state for at least a year. Don't think it's changing any time soon.
adamcodega
Avatharian: Yeah it's weird, it's a slim list compared to the config profile window in Casper.
They'd rather sell you APs with features that only look good on product sheets.
Avatharian
or even regular ol' profile manager
adamcodega
Background scanning? Awesome! Well guess what it doesn't matter because your AP can't change channels without disconnecting all clients.
Avatharian
adamcodega: I haven't noticed that particular issue.
Not to say it isn't necessarily happening, leave it to users to get mass-disconnected and not tell anyone...
adamcodega
Well, it's not a technical issue, that your AP will disconnect everyone, but it's a feature issue. Background scanning isn't that useful if you can't do anything about it.
dataviz joined the channel
Avatharian
My sysadmin finally got back to work today. Talked to him about the wonky stuff I was seeing on the APs. Turned out to be mostly fine; The DHCP complaining in the log is them not dealing with the IP helpers we have set up, combined with the way the hardware is connected. Doesn't actually seem to be causing problems. The AP Spoofing thing was just picking up APs from another controller the next building over. The AP that is having ARP/DNS issues is on an ethernet cord that's over 300ft long. Supposed to be on a repeater but the repeater might be bad.
Also, it turns out there are actual, honest to god accurate network maps. Nobody told me, and I didn't know where they were.
adamcodega
Woot.
Avatharian
Wanna hear something to make your hair curl? ~700 devices and users; 25mb of bandwidth to the outside world.