Free without Warranty
The ZENworks OS X agent (ZAC) is based on the ZENworks Unix agent. By default, both of these agents only grant SuperUser rights to the “root” user, which is a standard best practice in the Unix world. However, on OS X the “root” user is disabled by default, and best practice for OS X is to do everything with another local administrative user instead of enabling or using root.
So, whose best practice do you use? This script furthers OS X best practices by granting a local administrative user SuperUser rights in ZAC without permanently enabling root or requiring manual intervention. Once the local admin has SuperUser rights to ZAC, any other ZAC user changes can be done by this administrator and we never have to think about “root” again.
The script works by temporarily enabling root using OS X’s “dsenableroot” command, using “Expect” to SSH into the workstation from itself, running the appropriate ZAC commands to grant privileges, and ends by running dsenableroot again — this time to DISable the root user (including wiping root’s temporary password).
Script syntax is very simple:
/path/to/script/zacosxadmin.expect adminusername adminuserpassword newrootpassword
and the script is suitable for deploying from Terminal, ZENWorks itself, Apple Remote Desktop, or whatever other non-Novell Mac deployment system you are going to be replacing with ZEN 🙂 .
More documentation is in the script’s own comments. I have tested it on OS X 10.5, and it should be thoroughly forward-compatible. Please let me know what your experience is with it, whether you find it useful, and how it might be improved.