Remote Software Deployment

Discussion in 'Mac OS X Server, Xserve, and Networking' started by GCW, Apr 27, 2015.

  1. GCW macrumors newbie

    Joined:
    Nov 10, 2014
    #1
    Hi,

    We are looking to deploy the updated version of our antivirus software (Symantec Endpoint Protection). Before anyone comments that Macs either don't need AV, or asks why I'm using SEP, it's entirely out of my hands and I'm just doing as I'm told - or at least trying to.

    We have been unable to push out the update as we (OK, I) neglected to enable Remote Login on the Mac image before deploying it to 86 Macs across the network.

    As you can probably understand, I don't really want to visit 86 Macs to manually enable this. I did try to write a login script to enable this, but it doesn't seem to do anything. Entering the command into Terminal prompts for credentials, after which it works. I can only assume that it is prompting for the password while my script is running.

    This is one of the commands I tried:

    sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist

    Here's the other:

    systemsetup -setremotelogin on

    Both have the same result.

    To cut a long story short, I'm going to want to update the AV and then deploy some other software:

    Munki Client
    Speaker Mute
    OS Security Updates

    I think we need Remote Login on but I've still left Remote Management off because I seem to recall that stops RealVNC from working.

    Could anyone advise please?

    Thanks,

    Gary
     
  2. superscape, Apr 27, 2015
    Last edited: Apr 27, 2015

    superscape macrumors 6502a

    Joined:
    Feb 12, 2008
    Location:
    East Riding of Yorkshire, UK
    #2
    Well, there's a way around that. It's insecure as hell, but assuming your admin password is 'foo' then you could do:

    Code:
    echo foo | sudo -S systemsetup -setremotelogin on
    
    As I said, insecure as hell since your admin password is in there in plain text. However, it *would* work. I'll leave you to decide how bothered you are about the security implications!

    Oh, did I remember to mention it's insecure as hell? ;-)
     
  3. GCW thread starter macrumors newbie

    Joined:
    Nov 10, 2014
    #3
    How did you know my admin password? :p

    I was trying to avoid going down that route, but it's definitely handy knowing that this can be achieved with the "echo" command if absolutely necessary!
     
  4. superscape macrumors 6502a

    Joined:
    Feb 12, 2008
    Location:
    East Riding of Yorkshire, UK
    #4
    You mean it's not Password1? ;)
     
  5. GCW thread starter macrumors newbie

    Joined:
    Nov 10, 2014
    #5
    No, but I was going to change it to that! I'll have to think of another one now!

    I've not had the opportunity to test that command today but I will be doing so tomorrow. Presumably it works with the local admin password and not domain admin, so although it's bad, it's not as bad as domain admin. If I used something like Automate I could make it very slightly more secure, enough in fact that the users couldn't access the keyboard or mouse while it is running. I'll give that a go tomorrow.

    Thanks,

    Gary
     
  6. Norouzi macrumors 6502

    Joined:
    Aug 6, 2004
    Location:
    Philadelphia, PA
    #6
    I know you said you didn't enable Remote Login; I'm going to assume that Remote Management isn't enabled either, making Apple Remote Desktop out of the question?

    I'll tell you what I did when I had to provide a script to a couple of guys to run on a bunch of machines that required sudo. They didn't want to have to type the password on about 50 machines when running the script so I hashed the password using openssh and then had the script run openssh on that hash to decrypt it and save it in a variable which I passed to the command that needed to be run.

    It's still insecure as anyone who knows what they're doing would be able to figure out what the script is doing, but it made me feel slightly better that the admin password wasn't sitting there in total plain text for anyone who looked at the script to see.
     
  7. Silencio macrumors 68020

    Joined:
    Jul 18, 2002
    Location:
    NYC
    #7
    Enabling Remote Management instead of Screen Sharing does, in fact, allow VNC clients to connect remotely. So if you want to use Apple Remote Desktop or VNC clients, turn on Remote Management on your client machines. In System Preferences > Sharing > Remote Management, you may want to click on Computer Settings and specify an explicit password for VNC clients to connect.

    Between ARD and Munki, you should have everything you need to keep your fleet updated. Munki in particular saves me a lot of time and headache, once I got everything configured to my liking.
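
The `echo foo | sudo -S` pattern from post #2, and the decode-at-run-time variant described in post #6, both leave a recoverable admin password in the script, so they are worth catching in review before a script reaches 86 machines. The following is an added example, not code from any poster in this thread: a POSIX shell check that flags lines feeding a password to `sudo -S`. The function names, the patterns and the sample script are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag lines in deployment scripts that
# feed a password to `sudo -S` on standard input.

# sudo, then only option words, one of which contains S (or is --stdin).
# Heuristic: an option that takes an argument before -S (e.g. -u root) is missed.
SUDO_STDIN='sudo[[:space:]]+(-[-A-Za-z]+[[:space:]]+)*(-[A-Za-z]*S[A-Za-z]*|--stdin)([[:space:]]|$)'
# echo/printf of text with no shell expansion, piped straight into sudo.
LITERAL='(echo|printf)[[:space:]]+[^|$`]+[|][[:space:]]*sudo[[:space:]]'
# A decoder on the same line: the secret is obfuscated, not protected.
DECODED='(openssl|base64)[[:space:]]'

# classify_line TEXT -> prints literal | decoded | indirect | none
classify_line() {
    if ! printf '%s\n' "$1" | grep -Eq "$SUDO_STDIN"; then echo none
    elif printf '%s\n' "$1" | grep -Eq '^[[:space:]]*#'; then echo none
    elif printf '%s\n' "$1" | grep -Eq "$LITERAL"; then echo literal
    elif printf '%s\n' "$1" | grep -Eq "$DECODED"; then echo decoded
    else echo indirect   # variable, file or here-string: trace where it is set
    fi
}

# scan_script FILE -> prints "FILE:LINE:KIND" per finding; status 1 if any.
scan_script() {
    grep -nE "$SUDO_STDIN" "$1" | {
        hits=0
        while IFS=: read -r num text; do
            kind=$(classify_line "$text")
            [ "$kind" = none ] && continue
            echo "$1:$num:$kind"
            hits=1
        done
        [ "$hits" -eq 0 ]
    }
}

# Constructed sample script used to exercise the scanner ('foo' as in post #2).
sample_script() {
cat <<'EOF'
#!/bin/sh
# echo foo | sudo -S systemsetup -setremotelogin on
echo foo | sudo -S systemsetup -setremotelogin on
echo Zm9v | base64 --decode | sudo -S systemsetup -setremotelogin on
echo "$ADMIN_PW" | sudo -S systemsetup -setremotelogin on
sudo systemsetup -setremotelogin on
EOF
}

# Scan any files named on the command line.
for f in "$@"; do scan_script "$f"; done
```

A `literal` or `decoded` finding means the password can be read or recovered from the script itself; an `indirect` finding needs a reviewer to trace where the value comes from.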
     
