Casper Suite

IDEA! As of October 2016, JAMF Software has been renamed jamf and plans to rename Casper Suite to jamf Pro sometime in 2017 when the software reaches version 10.

Casper Suite is a centralized management suite for the Macintosh platform. It helps automate the deployment of Macs and allows administrators to push out software to groups of machines without having to worry about the current status of the machine by using a check-in model (if a machine is off when an update is pushed out, it will receive it when it is next turned on and "checks in"). Casper Suite also allows specific customization by the end user without the user needing local administrator access to their machine by providing a "Self Service" app store filled with applications and tasks that are approved by the administrator.


Term Definition
JSS The JAMF Software Server is the web-side of the Casper Suite platform. The JSS is where most of the configuration by the admin will take place and also handles machine policies. It does not handle the distribution of packages or applications however, it does tell the client where it can find those types of items (JDS). The JSS is an Apache Tomcat server that runs by default on port 8443.
JDS The JAMF Distrubution Server is where package files are stored. When the JSS informs the client that it needs to install a package, it is informed what JDS has that package. The client then mounts that JDS temporarily and copies the package before installing it. The term "JDS" usually refers to the JDS appliance offered by JAMF which serves files over an HTTP share but that appliance does not work well with lxc. Instead, we currently use an AFP server to serve the files. The term JDS can still be applied to the AFP server.
AFP Apple Filing Protocol (formerly AppleTalk Filing Protocol) is a network protocol that offers file services for Mac OS.
Casper Admin an administrative application that can be used to add packages, printers and dock items to the JSS/JDS. It also allows for a GUI way to create and manage configurations.
Casper Remote a remote management tool that can be used to deploy changes to groups of machines provided by the JSS (think of it like a centrally managed Apple Remote Desktop).
Casper Imaging an imaging tool that can be used to image machines. This is usually used within a NetBoot image in order to provide complete access to the local hard drive without conflicts.
Recon a management tool that can be used to remotely enroll machines via SSH or to generate QuickAdd packages that can be run on the machine to trigger enrollment.
Composer a package creation tool that works around the idea of creating a snapshot before your machine has an application installed and a snapshot after it is installed. It is also useful to just figure out what files were added/changed by an installation.
Self Service a managed storefront that is installed on every machine. The content in the store can vary depending on what is scoped to the machine.
QuickAdd Package is a package that contains the core jamf binaries and tells the machine that it is executed on to enroll with the JSS. QuickAdd packages are unique to the machine that it is generated for.
Policies are a set of actions that execute from a defined trigger (startup, login, recurring check-in.etc) and executes a certain number of times from a defined frequency (Once per machine, once per day, once per week.etc)
Configuration Profiles are a set of defined setttings (referred to as "payloads") that are scoped and applied to machines. Profiles are not developed by JAMF, but instead are developed by Apple. When a profile is scoped to a machine, the profile is not directly sent from the JSS to the machine. The profile is sent to Apple and the machine later gets it via Apple's Push Notification Service (APNS) which will work anywhere that the machine has an internet connection. Profiles are usually used to lock down the OS and can modify the end user experience. Profiles are not used to deploy things such as packages, scripts, printers.etc. Profiles also work for iOS devices although not all payloads are available.
Managed Preferences are Apple's older version of Profiles using MCX. They are deprecated and should not be used at all. Most of the payload options are completely broken in newer versions of Mac OS X.
Configuration a set of install actions that are applied when using Casper Imaging. These steps can include .dmg image files, package files or printer/scripts. The order of these steps can be defined by priority. Actions can be delayed until the machine restarts which is preferred for packages. Configurations can be compiled into a .dmg but it is generally advised to not do so that way items within the configuration can be swapped easily without having to recompile.
AutoRun is a stored configuration on a specific machine that is remembered. When a machine is imaged using a configuration, it copies the set of actions it used into a locally stored configuration called "AutoRun". AutoRun data can be modified at any time such as if a user adds a new application via the Self Service store or an update is pushed out by an admin via a policy. AutoRun data is used to help make re-imaging faster. For example, if a user's machine is imaged with a basic configuration and later chooses to install Microsoft Office via the Self Service store, the JSS stores Microsoft Office into the machine's AutoRun data. If that machine's hard drive is replaced and it NetBoots to Casper Imaging again, it will read the AutoRun data and will not only install the base configuration, but will also install Microsoft Office automatically.
Packages are a file system directory that are displayed as a single file. Packages can be used to copy files and run scripts depending on their format. Packages come in two formats; .pkg and .dmg. ".pkg" packages allow for scripts to be run before and after the package has copied its payload. ".dmg" packages can not use scripts (since they are just a disk image) however, with Casper they can be used to modify User Templates. If a modification is made under /Users/dmerner/Library... and that change is saved as a .dmg package, Casper recognizes that "dmerner" is a username and not a hardcoded directory and can make those changes apply to any user that logs into the machine. This can be useful to modify the preferences of applications or to have first-time setups skipped.
Scopes are a system that the JSS uses to target specific machines. Scopes have 3 main settings; Targets, Limitations and Exclusions. Together, these three settings can restrict where a policy/profile is deployed. An example of all three being used may be "Target all machines in building A, limit to VLAN B, excluding machines that already have Microsoft Office installed".
Smart Groups are groups that dynamically change based upon their criteria. The criteria can be matched with data that is stored in the JSS inventory and is built using SQLesque statements. An example may be machines that have a hostname containing "mc-4" for machines present in MC on the fourth floor.
Static Groups are groups that are manually set, they should be avoided if at all possible.
PreStage Imaging can be used to allow enrollment/imaging from an entire vlan without the need for authentication. This can be useful for mass deploying/imaging machines without the need to authenticate each one. You can restrict what VLAN it targets, how many enrollments to allow before it expires and when to activate the PreStage enrollment.
User Initiated Enrollment can be used to enroll a machine with the JSS without imaging or installing/using Recon. This is accomplished by an admin going to and logging in. The JSS will ask you who the machine is being deployed to and will download a QuickAdd package that was auto generated. Only JSS admins can use this feature, it is not intended to be used by end users although it can be locked down to do so.
Enrollment Invitations can be used to generate a unique URL that a user can use to enroll their machines. This can be emailed to them and it downloads a QuickAdd package in a similar manner to User Initiated Enrollment. You can set the same URL to be usable a set amount of times in the case that the user has multiple devices.
JSS Inventory Casper Suite maintains its own internal inventory of all machines enrolled. Each inventory entry counts towards one license used. The JSS inventory should not be confused with CSCF's Asset Tracking system (E&I). A lot of useful information is stored in the JSS inventory including dynamic hardware specs, application usage info and general machine information.
AutoCasperNBI a third-party tool developed in order to create a NetBoot set with a blank minimal Mac OS X install and Casper Imaging. Details for the JSS are embedded in Casper Imaging which is auto started when the machine boots in order to automate installs. To create an NBI with AutoCasperNBI, you must provide a blank install DMG (using AutoDMG) and the Casper
AutoDMG a third-party tool that can be used to create Mac OS X images that have never been booted. Packages and applications can be installed but it is usually only used for basic or minimal images.
AutoPKG a third-party command line based tool that can be used to create untouched "clean" packages for popular applications based upon recipes that are provided by the community.

Common Tasks

Adding Packages

Adding Printers

Adding Dock Items

Package Creation

Creating packages for Mac OS X and Casper Suite is something that can be difficult to document due to the fact that there are many formats for a package and many different ways to deploy them. This of course depends on the software you are trying to deploy.

Mac packages generally come in two formats: .pkg and .dmg. Sometimes, a package is already provided in .pkg form. Most of the time, if the software doesn't need a license or any extra settings then using the provided .pkg will suffice. The only way to know if the package needs to be repackaged is to test it on a fresh environment.

A ".pkg" package is a package that has a payload which mimics the Mac file directory structure and can execute scripts at different points of the install process. There are also flat ".pkg" packages that do the same thing but can't use scripts at all and should generally be avoided. ".pkg" packages can also be given directly to a user and can be installed by double clicking them and following the provided installer.

A ".dmg" package is really just a payload and offers no scripting capabilities as it is just a disc image. This can be useful for simple apps that have an install process such as "Drag and drop into /Applications". The biggest use for ".dmg" packages is for User Template settings. If you want to capture the settings of an application to deploy to all users (e.g disabling the auto update of a program), then you can deploy those changes into a DMG package, have Casper Admin index the package and it will use the username of the account you captured the settings from as a wildcard and will store them under the default user template settings on the machine. ".dmg" packages provide no default installer and therefore shouldn't be used for packages that will be given directly to a user.

If at all possible, you want as little human intervention in your package creation in possible. Usually this means using the provided package file from the manufacturer or using autopkg to create it from a scripted recipe. If all else fails, you can run Composer to create a snapshot of your machine, install the software and then create another snapshot to compare and package the differences. This doesn't always work and can be messy to clean things up like permissions and log files. As a result, it should always be seen as a last resort.

Sometimes, you will need to create a "project package" that has a temporary payload of the manufacturer provided package and runs it along with other packages via a bash script. Usually this is only needed when the manufacturer messes up their package (Microsoft Office 2016) or provides their software in a non pkg or dmg form (Python modules).

Things to consider before making a package:

  • Does this software require a license?
  • Does this software have extra updates that aren't included in the base installer?
    • Are those updates packaged?
  • Do I need to capture and deploy non-default settings for this project?
  • Is this software available via autopkg?
  • Does the install process require a user to be logged in?
  • Does the install process require the target drive to be the current booted drive?

When a piece of software still needs to be repackaged, the following tools can be used:

Microsoft Office 2016

Microsoft Office 2016 is by far one of the most annoying applications to package up as the package provided to us from IST can't be installed via command line without breaking the volume licensing. This is due to the fact that Microsoft uses the wrong user variable in their activation script which we can't modify since the package is signed by Microsoft. Since the user variable that they use works for logged in console users, double clicking and running the package works fine.

IDEA! This package process is a modified version of Der Flounder's process found here.

The general process that our Microsoft Office 2016 package goes through is as follows:

  1. Installer copies the IST provided MS Office 2016 volume license package (which is an older version) and the MS Office 2016 15.26.0 update package to a temporary folder
  2. postinstall script is run
    1. postinstall runs the volume installer and fixes the licensing
    2. postinstall runs the updater which replaces all the installed apps from the previous package with the updated version (except for the license files)
  3. Temporary folder is deleted.

Der Flounder's tutorial is still 100% accurate and can still be followed with the exception of the updater packages. Instead of installing individual application updates for MS Word.etc, it's much easier to only repackage when a complete suite update is available. To see a list of available updates, view for a chart with download links from Microsoft's repositories. Remember that changing a package in the "" payload means that you must change the line in the postflight script that references it.


Xcode can be difficult to deploy as it is not only a Mac App Store application, but it requires additional license agreement steps on first launch that require an administrative password (something that lab users don't have). Mac App Store apps can't be grabbed via command line since there is no command line interface for it at all. Casper Suite has the ability to have machines directly download and install Mac App store apps but it requires a Volume Purchasing Account which we aren't able to have. There was some good work being done by Dmitry Rodionov on github in creating a Mac App Store Command Line Interface (mas-cli) but it has a few problems with the latest macOS.

The easiest solution is to run AppStoreExtract which will extract the raw, Apple signed package from the app store while your admin machine downloads it. This method works for any app in the Mac App store (including iLife and iWork) and those packages can be put directly into Casper for later install. A tutorial on using this script can be found here.

Xcode requires a few extra commands that can be deployed via a policy script after running the Apple Xcode package installer.

# DevToolsSecurity tool to change the authorization policies, such that a user who is a
# member of either the admin group or the _developer group does not need to enter an additional
# password to use the Apple-code-signed debugger or performance analysis tools.
/usr/sbin/DevToolsSecurity -enable

# Accept Xcode License
/Applications/ -license accept

# Install Additional Components
/usr/sbin/installer -pkg /Applications/ -target /

/usr/sbin/installer -pkg /Applications/ -target /

IDEA! Enabling DevToolsSecurity allows non-admin users to use the Xcode debug tools without admin approval as long as they are in the _developer group. They can be added by running the following:

/usr/bin/dscl . merge /Groups/_developer GroupMembership USERNAME



Installing the JSS

  1. Install the Java JDK (required for Apache Tomcat) on the target machine
    sudo apt-get install openjdk-8-jdk
  2. Login to your JAMFNation account
  3. Go to your "My Assets" page
  4. Under the "Casper Suite" option, expand Show JSS installer downloads and download the JSS Installer for Linux
  5. Transfer the downloaded to the server you are trying to upgrade using a method of your choice (scp, ftp.etc)
  6. Unzip the .zip file on the server using the unzip command, if you do not have unzip installed, then apt-get install unzip to install it
  7. Navigate to the installer file located in JSSInstallerLinux/JSS Installation/
  8. Run the installer file as root
    sudo ./

Upgrading the JSS

Every once and a while, JAMF releases a software update for the JSS. Upgrading the JSS platform is an easy to do task that should be done as soon as possible. Be sure the read the release notes to understand any changes before applying the update. Getting the correct files requires you to have a valid JAMFNation account that is associated with our account. If your account is not associated with University of Waterloo - SCS, contact a CSCF staff member that is associated so that they may request for your account to be added.

  1. Login to your JAMFNation account
  2. Go to your "My Assets" page
  3. Under the "Casper Suite" option, expand Show JSS installer downloads and download the JSS Installer for Linux
  4. Transfer the downloaded to the server you are trying to upgrade using a method of your choice (scp, ftp.etc)
  5. Unzip the .zip file on the server using the unzip command, if you do not have unzip installed, then apt-get install unzip to install it
  6. Navigate to the installer file located in JSSInstallerLinux/JSS Installation/
  7. Run the installer file as root
    sudo ./
Info Clients enrolled with the JSS will automatically upgrade their binaries to match the new version when they next check in.

Creating a new AutoCasperNBI for NetBooting

You usually want to keep your NetBoot Images (NBIs) as up to date as possible since having older NBIs with different Mac OS X or Casper Imaging versions can cause conflicts. Luckily, recreating the NBI from scratch is a very easy process.

  1. Download the latest Mac OS X installer from the Mac App Store
    1. Launch the Mac App Store application and download the latest "Install Mac OS X" installer for the operating system of your choice
      • Info The installer is updated every time a new minor release arrives, if you want the latest OS version for your NBI, you may want to re-download your installer even if you already have it.
  2. Create a blank Mac OS X image using AutoDMG
    1. If you don't have it already, download the latest AutoDMG version from the public github
    2. After launching AutoDMG, drag your Mac OS X found under /Applications to the upper part of the GUI
    3. After the application analyses your installer, there may be some small updates available in the bottom window, click the Download button to prepare the updates
    4. Build the DMG using the Build button. You will be prompted for an Administrator's password.
  3. Create the NBI using AutoCasperNBI

SSL Certificate Request/Renewal

Mac.cs is secured using a GlobalSign OrganizationSSL certificate provided from GlobalSign and managed by IST. This certificate expires every year and must be renewed. The process of requesting a certificate is similar to what is required on any standard server but requires a few final steps to put it in keystore format for apache tomcat to recognize.

ALERT! Macs will not install their management profiles if the SCEP server does not have SSL configured correctly. You will receive a "-915 (Unable to contact the SCEP server)" error if your certificate is self-signed, invalid or expired.

Mac.cs runs two web applications. The first is the Casper Suite JSS application that runs using Apache Tomcat on port 8443 TCP (, the second is an nginx forward server that transforms non SSL requests (80 TCP) into SSL requests (443 TCP) and forwards standard SSL requests (443 TCP) to the Casper Suite JSS application (8443 TCP). The second component isn't really required, but is convenient as users don't always have to specify the JSS port manually. Both applications must be aware of any SSL changes.

Some of these steps are pulled from IST's documentation located here.

  1. Create a 2048-bit private key using openssl
    openssl genrsa -out 2048
  2. Copy the key to /opt/certs/ for the nginx forwarder to use later
  3. Create a Certificate Signing Request (CSR) with your key
    openssl req -new -key -out -subj /C=CA/ST=Ontario/L=Waterloo/O=University\ of\ Waterloo/
  4. Navigate to the GlobalSign UW self-service page and select the following information
    • Products: Choose OrganizationSSL
    • Get the Green Bar: Choose no
    • Signing Algorithm: Choose SHA256
    • SSL Certificate Type: Choose Single Domain Certificate
    • Are you renewing this Certificate: If you are renewing the certificate, choose Yes, otherwise select No
    • Include Subject Alternative Names (SAN): Choose no
    • Enter Certificate Signing Request (CSR): Enter the contents of the file that we previously generated. Contents should look similar to the example CSR shown on the page.
    • Contact Information
      • First Name: Enter your first name
      • Last Name: Enter your last name
      • Telephone: Enter the University's phone number exactly as follows
        +1 519 888 4567
        If you want to include your extension, provide it in the following format ALERT! Do NOT enter in a personal number such as a cell number.
        +1 519 888 4567 x31100
      • Email Address: ALERT! Do NOT enter in a personal or other assigned UW email. Enter the following address No permission to view CFPrivate.EMailAddressCscfCerts

  1. Continue to the next page and click submit after verifying that the displayed information is correct. GlobalSign will contact IST and IST may contact us if they have any questions. If they are satisfied with the request, you will receive the certificate in the next couple of days.
  2. When the certificate is received, enter the Base64 into a file on the target server called mac.cs.crt. It should start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----
  3. Create the OrganizationSSL Certificate Authority Bundle
    1. Navigate GlobalSign's page that includes the intermediate certificate for OrganizationSSL located here.
    2. Scroll Down to Organization Validation CA - SHA256 - G2 and click View in Base64 buttons for the Intermediate Certificate.
    3. Navigate GlobalSign's page that includes the root certificate for OrganizationSSL located here.
    4. Scroll Down to GlobalSign Root R1 and click View in Base64 buttons for the Root Certificate.
    5. Copy both Base64 certificates into a file on the destination server called CA.crt . The file should look similar to this
      -----BEGIN CERTIFICATE-----
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      -----END CERTIFICATE-----
  4. Create the keystore providing the received certificate, CA bundle and private key
    openssl pkcs12 -export -in mac.cs.crt -inkey -out mac.cs.p12 -name tomcat -CAfile CA.crt -caname root -chain
    • You will be prompted for a password, enter something unique and store the password in a safe place ALERT! If the password is lost, this step must be redone to recreate the keystore file.
  5. Place the generated mac.cs.p12 keystore file in a safe place on the target server, ideally this would be in /usr/local/jss/tomcat
  6. Edit /usr/local/jss/tomcat/conf/server.xml
    1. Search for the value keystoreFile to find the keystore connector line
    2. Modify the variable keystoreFile to point towards the location and name of the new keystore file /usr/local/jss/tomcat/mac.cs.p12
    3. Modify the variable keystorePass with the password that was entered during the keystore creation process
    4. Ensure that keystoreType="PKCS12" is added to the line before the final closing bracket
  7. Restart tomcat
    /etc/init.d/jamf.tomcat8 restart
  8. Create a certificate bundle for the nginx forwarder
    1. Enter both your received certificate and the intermediate OrganizationSSL certificate into a file at /opt/certs/ IDEA!The order of the certificates in this file is important. The host cert must be placed first with the intermediate cert placed second.
    2. Ensure that the SSL key and certificate file are referenced in /etc/nginx/sites-available/default, if these values had to be changed/added, restart nginx service nginx restart
  9. Test the SSL certificate by navigating your browser to and You can view the certificate in your browser and view the new expiration date of the certificate to confirm that the new certificate is installed properly
Edit | Attach | Watch | Print version | History: r18 < r17 < r16 < r15 < r14 | Backlinks | Raw View | WYSIWYG | More topic actions
Topic revision: r18 - 2018-03-20 - DevonMerner
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2024 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback