Update – CasperCheck & enrollmentComplete Jamf Policies

In a previous post I went through my process for editing the postinstall script of a Jamf QuickAdd package for use with Rich Trouton’s CasperCheck tool so that it does not trigger any enrollmentComplete policies you may have.

Recently I completed an upgrade of our production JSS (Jamf Pro) and found that since version 9.82 Jamf has changed this postinstall script slightly.  The process itself hasn’t changed, but the line in the script you comment out to prevent enrollmentComplete policies from running is different.

Notice that the enroll -invitation command in line 40 now includes the -noPolicy flag by default.  Only after confirming that this enroll command completes successfully does it run a policy -event enrollmentComplete.

The only other notable change is line 30 where it creates the jamf config file (/Library/Preferences/com.jamfsoftware.jamf.plist).  You’ll notice the new -verifySSLCert flag.  This is what determines whether or not the client will verify the SSL certificate on the JSS.  There are 3 options here:

  • always (default) – this should be used unless you are using a certificate from the built-in Certificate Authority.
  • always_except_during_enrollment – this is the option we use, and is recommended for those using the built-in Certificate Authority in their JSS.
  • never – does not check the certificate on the JSS.

Make sure then that you build your QuickAdd package after you configure this on your JSS to ensure the proper value is applied to your machines should CasperCheck run.
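The checks this post walks through, as an added example that is not part of the original post or Jamf's own script: a shell audit of a QuickAdd postinstall for the -verifySSLCert value, the -noPolicy flag and a still-active enrollmentComplete trigger. The function names, sample lines and jss.example.com URL are constructed, and treating never or a missing flag as a failure is this example's assumption.

```shell
#!/bin/sh
# Added example: audit a QuickAdd postinstall before packaging it for CasperCheck.
# Function names and the sample script below are constructed, not Jamf's.

# Print the script with full-line comments removed.
live_lines() { sed '/^[[:space:]]*#/d' "$1"; }

# Print the value passed to -verifySSLCert, or "unset" if the flag is absent.
ssl_mode() {
    mode=$(live_lines "$1" |
        sed -n 's/.*-verifySSLCert[[:space:]]\{1,\}\([A-Za-z_]\{1,\}\).*/\1/p' | head -n 1)
    echo "${mode:-unset}"
}

# Succeed if an uncommented line still fires the enrollmentComplete trigger.
trigger_active() {
    live_lines "$1" | grep -q -e 'policy.*-event[[:space:]]\{1,\}enrollmentComplete'
}

# Succeed only if every uncommented "enroll -invitation" line carries -noPolicy.
enroll_has_nopolicy() {
    lines=$(live_lines "$1" | grep -e 'enroll.*-invitation') || return 1
    ! echo "$lines" | grep -qv -e '-noPolicy'
}

# Print one finding per line; return 1 if anything needs attention.
audit_postinstall() {
    rc=0
    mode=$(ssl_mode "$1")
    case "$mode" in
        always|always_except_during_enrollment) echo "OK   verifySSLCert=$mode" ;;
        *) echo "FAIL verifySSLCert=$mode"; rc=1 ;;   # never or missing: review
    esac
    if enroll_has_nopolicy "$1"; then echo "OK   enroll uses -noPolicy"
    else echo "FAIL enroll lacks -noPolicy"; rc=1; fi
    if trigger_active "$1"; then echo "FAIL enrollmentComplete trigger active"; rc=1
    else echo "OK   enrollmentComplete trigger commented out"; fi
    return "$rc"
}

# Constructed sample: the relevant lines of a postinstall edited for CasperCheck.
sample=$(mktemp)
cat > "$sample" <<'EOF'
/usr/local/jamf/bin/jamf createConf -url 'https://jss.example.com:8443/' -verifySSLCert always_except_during_enrollment
/usr/local/jamf/bin/jamf enroll -invitation 0000000000 -noPolicy
#/usr/local/jamf/bin/jamf policy -event enrollmentComplete
EOF
audit_postinstall "$sample"
```

Point audit_postinstall at the postinstall file extracted from your own QuickAdd package; a non-zero exit means at least one line needs attention before the package is rebuilt.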

Process for Configuring & Managing Macs for Exams

Working for a school, historically we’ve had students with computer accommodations conduct written portions of exams on Windows laptops.  This is because by default Microsoft’s built-in Notepad application does not offer any spelling or grammar features and therefore requires very little configuration or hands-on time in order to be exam-ready.

Recently, however, I ran into some issues with a student taking a language exam on a PC, as this required the student to use accented letters (é, ñ, etc.) using the Windows alt codes.  Unfortunately, because the exam was taken on a laptop, we had difficulties using the Windows alt codes on PCs without a NumPad, requiring us then to use the character map, which isn’t great for test-taking.

Since accented letters are a bit easier to enter on Mac – and don’t require you to memorize or reference a series of alt codes – I started down the path of how to configure our Macs for taking either written or auditory exams.

Below is the list of things I wanted to accomplish:

  • Set up a separate testing user
    • Since our students have network folders, we don’t want them signing in with their own credentials on the machine and accessing these resources.
  • Disable Internet connectivity
    • Since most exams involving a computer don’t require an Internet connection, we want to disable the network service entirely so there isn’t a risk of Wi-Fi being turned back on.  That being said, I also want to do this in a way that for me and my team is quick and easy to both turn on & off as needed without having to connect to our network.
  • Determine the application for written exams & lock it down
    • While Microsoft Word is the more widely used word processor on the Mac, many of its settings (at least as of this writing) are not manageable.  Microsoft Office 2016 versions 15.33-36 have started to add additional managed preferences (see this Google Doc for a complete list), but as of yet don’t meet our needs here.  TextEdit then is the logical choice, but offers spelling and grammar checking, which we need to disable.
  • Have audio output to multiple sources for auditory exams
    • In the case of language exams, we need to be able to have both the student and the proctor hear the same audio.  Thankfully, the Mac natively allows you to output audio to multiple sources, but takes a bit of configuration.
  • Prevent access to Spotlight
    • While a really handy tool for finding files, performing calculations, and defining words, we don’t want students to utilize this functionality during exams.  So how do we lock down something embedded in macOS that can’t really be turned off?
