Managing Devices with Policies

Policies are where we "do" something to a computer or a mobile device. Policies have a few basic components:

  1. Payloads (i.e. what is "done" to a computer)
  2. Scopes (i.e. who the action is done to)
  3. Self Service (i.e. make it available to the end user to do themselves)
  4. User Interactions (i.e. informing the end user about what will be done/what has been done)

Payloads

To learn about each of the payloads available, refer to the Casper Suite Administrator's Guide, pp. 260-263. We will cover the more commonly used payloads below, the information for which is also taken from the Administrator's Guide.

General

This payload allows you to do the following:

  • Enable or disable the policy. (For example, if you need to take the policy out of production temporarily, you may want to disable it.)
  • Add the policy to a category.
  • Choose one or more events to use to initiate the policy (called "trigger").
  • Choose how often the policy should run (called "execution frequency").

Packages

This payload allows you to perform the following software distribution tasks:

  • Install packages.
  • Cache packages.
  • Install cached packages.
  • Uninstall packages.

This payload also allows you to do the following when installing packages:

  • Specify the distribution point computers should download the packages from.
  • Add the packages to the Autorun data of each computer in the scope.

Printers

This payload allows you to map and unmap printers. You can also make a printer the default.

An important note about mapping printers is that this payload DOES NOT include the driver with the mapping. The driver must be pushed via the "Packages" payload, and can be included in the same policy, if you wish.

Restart Options

This payload allows you to restart computers after the policy runs. It also allows you to do the following:

  • Specify the disk to restart computers from, such as a NetBoot image.
  • Specify criteria for the restart depending on whether or not a user is logged in.
  • Configure a restart delay.
  • Perform an authenticated restart on computers with OS X v10.8.2–v10.11 that are FileVault 2 enabled.
    Note: For this to work on computers with FileVault 2 activated, the enabled FileVault 2 user must log in after the policy runs for the first time and the computer has restarted.

Maintenance

This payload allows you to perform the following maintenance tasks:

  • Update inventory.
  • Reset computer names.
  • Install all cached packages.
  • Fix disk permissions.
  • Fix ByHost files.
  • Flush caches.
  • Verify the startup disk.

Scopes

(Refer to the earlier discussion about Scope for more information.)

On the "Scopes" tab, set the Static or Smart Group to which you want this policy action to apply. The groups you add to this tab are CUMULATIVE, meaning that adding two groups to scope will include all computers from BOTH groups. If you want to include only the computers that both groups have in common, create another Smart Group, add two "Computer Group" criteria, set each of them to one of the groups you want, and then choose the logical "AND" operator. "AND" will choose the INTERSECTION of both groups, meaning where they overlap.
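
The following is an added example, not taken from the Casper Suite documentation or the original page. It is a simplified model of the scoping behaviour described above, showing which computers a policy reaches when two groups are scoped directly and when a Smart Group joins them with "AND". The group names and computer names are constructed, and evaluating criteria left to right is an assumption of the model.

```python
# Added example: models Casper policy scoping with constructed data.
# Group and computer names are hypothetical, not read from a JSS.

# Constructed groups: group name -> set of member computer names
GROUPS = {
    "Lab Macs": {"lab-01", "lab-02", "lab-03", "cart-01"},
    "FileVault 2 Enabled": {"lab-02", "lab-03", "staff-07"},
}

def policy_scope(group_names):
    """Groups on a policy's Scope tab are cumulative: any member of any group."""
    scope = set()
    for name in group_names:
        scope |= GROUPS[name]
    return scope

def smart_group(criteria):
    """Evaluate Smart Group criteria given as (operator, group_name) pairs.

    Each criterion means "Computer Group: member of group_name". The operator
    ('and' / 'or') joins it to the result so far; the first one is ignored.
    Left-to-right evaluation is an assumption of this simplified model.
    """
    result = None
    for op, name in criteria:
        members = GROUPS[name]
        if result is None:
            result = set(members)
        elif op == "and":
            result &= members
        elif op == "or":
            result |= members
        else:
            raise ValueError(f"unknown operator: {op!r}")
    return result or set()

def overscoped(group_names):
    """Computers hit by direct scoping that the AND Smart Group would exclude."""
    criteria = [("and", name) for name in group_names]
    return policy_scope(group_names) - smart_group(criteria)

if __name__ == "__main__":
    names = ["Lab Macs", "FileVault 2 Enabled"]
    print("Scoped directly:   ", sorted(policy_scope(names)))
    print("Smart Group (AND): ", sorted(smart_group([("and", n) for n in names])))
    print("Unintended targets:", sorted(overscoped(names)))
```

Running a comparison like this against exported group membership before enabling a policy with a disruptive payload, such as Restart Options, shows which computers would be included only because scope is cumulative.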