I work in a Casper environment that relies heavily on the Sites feature to deploy a unified Apple management solution across the enterprise. Out of the box, JAMF's Casper has been a great solution for us. There are a few things we would like Site admins to be able to do, among them managing their own scripts and printers. We have leveraged Casper's REST-based API to give the site admins additional access and control.
Enter The Ghostbusters
The in-house tools (named after Ghostbusters) give the Site Admins the ability to manage items not normally available to that user level. These applications were developed for OS X with Cocoa and Obj-C / Swift as the primary languages. (See my SwiftJSS example.) The architecture would also work with other languages, such as Ruby or Java.
So how does this work and what does it really do? Here's a quick logic graph of what's happening behind the scenes.
The Site Admins belong to an Active Directory Organizational Unit associated with their site. In this case, I use the OpenDirectory Framework to authenticate the user and look up the user's Site credentials. These are then cross-referenced with the API by correlating the OU information with the proper Sites.
Middleman API / Behind the Scenes
Once we have the user authenticated to the proper site, a middleman API-only account is used to get and push content to/from the JSS. You could just give the user the API permissions and use that account for the API calls. I opted for a third-party account that I control, which can be deactivated to cut off all application access. This also allows me to control their API access and force them to use my tool, which enforces our naming rules.
The application then goes out and gathers the information needed for the user. This is usually categories and whatever object the app is designed to edit, like Scripts.
Matching Objects to Sites
We enforce a strict naming scheme in the shared areas of Casper: SITENAME-LABEL. Since the scripts and printers specific to each site are prefixed with the site name, we are able to parse out only the objects belonging to the user's site. On the posting side, the script name is auto-magically prefixed with the site name before posting.
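A sketch of the prefix matching described above, in Ruby (an added example, not the Ghostbusters tools' own code). The site list, object names and function names are constructed; it also covers a case the convention leaves open, a site name that is itself the start of another (NYC and NYC-EAST), by letting the longest matching site name own the object.

```ruby
# Added example: scoping JSS object names by the SITENAME-LABEL convention.
# Site names and object names here are constructed sample data.
SITES = %w[NYC NYC-EAST LONDON].freeze

# Site that owns an object name, or nil for names outside the convention.
# The longest matching site wins, so "NYC-EAST-x" belongs to NYC-EAST, not NYC.
def owning_site(name, sites)
  sites.select { |s| name.start_with?("#{s}-") }.max_by(&:length)
end

# Only the objects a given site's admin should see in the tool.
def objects_for_site(names, site, sites)
  names.select { |n| owning_site(n, sites) == site }
end

# Name to send when posting. Assumption: a label that already carries the
# admin's own prefix is not prefixed twice.
def name_for_post(label, site, sites)
  label = label.to_s.strip
  raise ArgumentError, "label is empty" if label.empty?
  final = owning_site(label, sites) == site ? label : "#{site}-#{label}"
  # Re-check after prefixing: "EAST-x" posted by NYC would become
  # "NYC-EAST-x", which falls in NYC-EAST's namespace.
  unless owning_site(final, sites) == site
    raise ArgumentError, "#{final.inspect} would belong to another site"
  end
  final
end

if __FILE__ == $PROGRAM_NAME
  names = ["NYC-mapdrives", "NYC-EAST-mapdrives", "LONDON-vpn", "cleanup"]
  p objects_for_site(names, "NYC", SITES)
  p name_for_post("printer-fix", "NYC", SITES)
end
```

Because the site prefix is the only thing separating one admin's objects from another's, the check runs on the final name, after prefixing, rather than on what the user typed.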
An easy-to-use UI is presented to the user. They enter the information and the application generates the proper XML for posting. Easy peasy.
Here's a look at what the completed Script management app, called Egon, looks like.
That’s it in a nutshell.