“words—
lonely written words—are all you’ve got”

—Virginia Shea

“communication happens when I know you know what I know”

—Me

JSS User Accounts & Groups

Global Management Computer Management Mobile Device Management User Management Network Organization JSS Information Settings Dashboard Computers Mobile Devices Users Username Global Management New

Casper supports two types of users and groups. Local users and groups stored only in Casper’s MySQL database and directory users and groups added from an external directory service such as Active Directory, Open Directory, Novell or other LDAP-compatible service.

Goals

Create a standard account
Edit an account
 Create an LDAP account
View an account’s history
Add a note to an account
Clone an account
 Assign privileges
 Log in to user-specific account

jssuseraccountsgroups

First Account

During the setup process, the JSS will have you create your first account. This account will be a local administrator with full privileges. Although you will probably choose to use directory accounts for daily operations, keep this or another local account’s information available in case access to the directory service fails. A common first account name is “casperadmin”.

New Standard Account

To add a new standard (local) account, click the New button or press the “n” key for “new”. Choose Create Standard Account and click the Next button.

accountassistant

Under the Account tab, complete all fields for the new local user and choose either a pre-defined Privilege Set or choose Custom for more granular privileges. If choosing Custom, click the Privileges tab to assign permissions. Click the Save button or press “Control + s” for “save” when done.

editaccount

To change any of the settings for a standard account, click the Edit button or press the “e” key for “edit”.

Lou Caribou saved

New LDAP Account

Note: LDAP accounts require you configure an LDAP Server connection first! Create an LDAP Server connection before trying to add an LDAP account. A directory connection makes the Add LDAP Account and Add LDAP Group options available.

To add a new LDAP (directory) account, click the New button or press the “n” key for “new”. Choose Add LDAP Account and click the Next button.

Add LDAP Account

Enter a username from the directory and click the Next button.

LDAP username

Click the Add button next to the account you’re adding to the JSS.

Add user

Under the Account tab, complete or modify any additional fields for the new LDAP user and choose either a pre-defined Privilege Set or choose Custom for more granular privileges. If choosing Custom, click the Privileges tab to assign permissions. Because this is an LDAP account, password fields are not displayed. Directory users should modify their directory account passwords outside the JSS.

Click the Save button or press “Control + s” for “save” when done.

LDAP account added

History

Each account contains a history with creation date, modification dates and notes as well as who created or modified the account. Click the History button  or press the “l” key while viewing the account to view the history.

lcaribou account history

Click the Add Note button to include miscellaneous information for the user account.

lcaribounewnote

The note appears in inline with the account’s history and other notes.

lcaribou note

Clone

While viewing a standard or directory account, click the Clone button to duplicate the account and its privileges to make a new account. If cloning an LDAP account, you must enter the username of a directory user. You will also need to manually update the Full Name and Email Address fields for this new user.

lcaribou clone

Privileges

Each account and group contains a privilege set to define access to objects within the JSS and control access to the Casper Suite applications (Casper Admin, Casper Imaging, Casper Remote and Recon). Carefully designed privileges allow certain users or groups access only to those objects they need for their roles. For example, a full administrator may have privileges to all parts of the JSS and applications whereas a Help Desk group may have privileges only to review logs and use Casper Remote.

While editing a user click the Account tab or while editing a group click the Group tab. Choose the Privilege Set that most closely matches this user’s or group’s responsibilities.

Privilege Set

  • Administrator: Full privileges to create, read, update and delete all objects in the JSS and use all Casper Suite applications.
  • Auditor: Privileges to read all objects and settings in the JSS but no privileges to create, modify or delete those objects.
  • Enrollment Only: Privileges to use any part of the JSS required to add users and devices but no privileges to delete users and devices.
  • Custom: Granular privileges to access part or all of the JSS and applications.

If choosing the Custom Privilege Set then click the Privileges tab to edit privileges.

Privileges
JSS Objects JSS Settings JSS Actions Recon Casper Admin Casper Remote Casper Imaging
Create, Read, Update and Delete Read and Update Allow or Deny
Accounts and Groups Activation Code Change Password Add Computers Remotely Use Casper Admin Use Casper Remote Use Casper Imaging
Advanced Computer Searches Apache Tomcat Settings View License Serial Numbers Create QuickAdd Packages Save With Casper Admin Install/Uninstall Software Remotely Customize a Configuration
Advanced Mobile Device Searches Apple Configurator Enrollment for Mobile Devices Send Email to End Users via JSS Run Scripts Remotely Store Autorun Data
Advanced User Content Searches Autorun Imaging Send Computer Remote Lock Command Map Printers Remotely
Advanced User Searches Casper Imaging Send Computer Remote Wipe Command Add Dock Items Remotely
Buildings Change Management Send Computer Unmanage Command Manage Local User Accounts Remotely
Categories Check-In View Disk Encryption Recovery Key Change Management Account Remotely
Classes Cloud Distribution Point View Activation Lock Bypass Code Bind to Active Directory Remotely
Computer Enrollment Invitations Clustering Flush Policy Logs Set Open Firmware/EFI Passwords Remotely
Computer Extension Attributes Computer Inventory Collection Send Inventory Requests to Mobile Devices Reboot Computers Remotely
Computer PreStage Enrollments Customer Experience Metrics Send Mobile Device Remote Lock Command Perform Maintenance Tasks Remotely
Computers GSX Connection Send Mobile Device Remove Passcode Command Search for Files/Processes Remotely
Configurations JSS URL Send Mobile Device Remote Wipe Command Enable Disk Encryption Configurations Remotely
Departments Limited Access Unmanage Mobile Devices Screen Share with Remote Computers
Device Enrollment Program Log Flushing Send Mobile Device Managed Settings Command Screen Share with Remote Computers Without Asking
Directory Bindings Mobile Device Inventory Collection Send Mobile Device Mirroring Command
Disk Encryption Configurations PKI View JSS Information
Disk Encryption Institutional Configurations Security
Dock Items Self Service
eBooks Self Service Web Clip
Enrollment Profiles SMTP Server
File Share Distribution Points User-Initiated Enrollment for Computers
iOS Configuration Profiles User-Initiated Enrollment for Mobile Devices
JDS
LDAP Servers
Licensed Software
Managed Preference Profiles
Mobile Device Applications
Mobile Device Enrollment Invitations
Mobile Device Extension Attributes
Mobile Device Managed App Configurations
Mobile Device PreStage Enrollments
Mobile Devices
NetBoot Servers
Network Segments
OS X Configuration Profiles
Packages
Peripheral Types
Policies
PreStages
Printers
Provisioning Profiles
Push Certificates
Removable MAC Addresses
Restricted Software
Scripts
Self Service Plug-ins
Sites
Smart Computer Groups
Smart Mobile Device Groups
Smart User Groups
Software Update Servers
Static Computer Groups
Static Mobile Device Groups
Static User Groups
User Extension Attributes
Users
VPP Accounts
VPP Assignments
VPP Invitations

Log in to user-specific account

The ultimate goal of creating accounts is to have each JSS administrator log in to his own account. This makes tracking changes made by an administrator (accountability) possible and gives him the ability set his own preferences without affecting others. Each login provides an administrator his own dashboard, display and email settings.

To log out the first account or current account, click the down arrow next to the username in the upper right corner of the window and choose Log Out.

Log Out

Enter the newly created standard or LDAP account and click the Log In button.

Log In

Going forward, continue logging in with a user-specific account.