Add option for full registration to device authorization
I was just building our new quarterly images using 2 new VMs on our updated production FOG server (r6357). I see now that we have to authorize new systems (great idea). The issue I’m going to run into is this:
When we deploy to new and unregistered systems we can’t do everything at the client to begin image deployment. Now we have to boot into the fog menu then go into the fog management console (on a different device) authorize the system, then reboot the client back into the fog menu to select full registration. Once we are in full registration we will add the location prefix and then scan the barcode on the back of the Dells to complete the device name.
We can select authorize the device from the fog menu, then the authorization process runs the quick registration. We have to go to the fog management gui and change the system name to the proper name. We will have to hand enter the device name since the management console may not be near the target computer where we can use the barcode scanner.
Also, somewhere the quick registration is selecting a device name. The name it selected looks suspiciously like a name I selected for the reference image (DEFAULTX86 and DEFAULTX64). I’m not sure if this is coincidence or something magical. If it is magical, it would be interesting how it would select the default name for a real computer instead of my reference images.
Provide an option where the FOG administrator can select (globally) if they want the quick registration or full registration post authorization at the target computer. That would keep the IT technician at the target computer in his deployment work flow and not jumping between consoles.
Btw, when clicking on the “Home” icon (dashboard link), I see the new hosts that need approval in a small popup java banner with a hyperlink “here” that directs to the hosts-waiting-for-approval webpage.
I can’t recall what git version I’m running though, will update tomorrow.
It’s time for me to show some
Following are the steps I used today to register 2 computer labs to fog, hoping it’ll help you a bit, specifically using mobile phone for the host approval.
In 2 days we have a competition for “cyber” classes between highschools. As those classes learn hacking and programming, I didn’t have enough time to prepare a golden security-best-practice image for those labs. I decided to update the software the students need for the contest on their already working Windows 7 with their already implemented sandbox software (revert to base snapshot on restart). Those PCs don’t have any central management, specifically no sandbox management, and aren’t attached to any server/Windows domain or other kind.
I quickly and dirtily scripted a batch file to check network, hide fog and sandbox software dirs, change settings, update required software, install fogservice, start the “FogService” service, and take sandbox snapshots.
7 flash drives were reused several times while writing log progress for a few steps.
PCs : lab-A : HP 6200 Pro, Lab-B Dell 755
Steps used :
Restarting PC (returning to basic snapshot)
Starting in BIOS setup :
- Setting Admin setup password (on the PCs that didn’t have any set)
- configure boot sequence (Network PXE, Hard Drive).
- removing other boot devices like USB storage, CD etc (to prevent cracking BIOS password).
- WOL-boot to server
- Disable quick boot
- Waiting for OS and running batch script as an admin.
The batch also pings the fog server 1 time and pauses on error (to fix network infrastructure/replace or connect network cable), then retries the ping.
- Approving new hosts in my mobile phone logged on to fog by wifi. +++
- Restarting PC for updated software to finish installation and taking 2nd snapshot on boot.
- Waiting for Windows and running the 2nd batch, which waits a few seconds, takes a final 3rd snapshot and copies fog.log to the flash drive.
Tomorrow I’ll write my steps used for new PCs with preimaging.
I’ll introduce myself in a different post.
Just have to say how much I appreciate all the open team work.
I have followed the project since 2008 and was donating the best amounts I could under different usernames.
In the past 6 months I have watched the project very closely, almost daily. I feel like I personally know the big contributors that put in so much time and effort and also details, and help a lot to support the development and forums.
@george1421 George I really like your mini projects you make helping fog development be more efficient, @Wayne-Workman Wayne you are the best helping everyone so much and working on wiki and also practice coding on your projects, doing everything perfect to the last bit, @Jbob I really like your efficient code, contribution and focus on your targets, and of course
@Tom-Elliott I must get some personal tips from you, have no clue how you handle your wife after all the time you spent making fog alive again, I remember you had some relationship troubles putting all the effort in fog development and v0.32 code cleaning :)
And all others I must have forgotten, you must excuse me it is 4:15am here in Israel.
I’ll soon find the time to write an introduction, for now I can say my daily job in the past 6 months is IT in a 350 PCs highschool+college. Mostly HP and Dell.
C’ya around !
Good night for now
@george1421 I see what you mean.
This is what I tried to write in the post that has been deleted. I’ll try to reconstruct it (took some screenshots when I saw network is going to fail over here)
Not sure if it’s a bug, I use an older stable git,
If I recall, there is an option in the menu configuration allowing approve hosts, if you didn’t change nothing, possibly it’s a bug.
If I understand correctly, hosts approving this is not a new feature and Tom made it a few months ago (could be more).
I can guess you see it the first time because as you say, you’re using a new golden image strategy.
@protools_operator Thank you for the feedback, but I’m not sure I’m following how that will address my issue.
This specific issue exists only around reference image building where the fog service is activated before the reference image computer is actually registered with FOG. If I register the vm with FOG before I build the reference image, then everything works like it has in the past.
@george1421 I’ve never even seen that message before. But I agree, why not a full registration?
I can duplicate this 5 times, it’s the fact that the FOG client is installed before the device is registered is where this anomaly is coming from. I can see the logic why it’s doing what it’s doing, I’d just like it to go about doing it slightly differently. I’m not sure if this post belongs in feature requests or bug fixes now. (Only Tom knows for sure).
This is what I did, maybe it can help:
On management webpage, under menu configuration,
- set quick or full registration as default item
- set quick or full registration to appear on non-registered hosts
- On the boot menu options set a 1-3 seconds menu appearance
(I also use Hide Menu, No Menu, and Advanced Login)
When a new unregistered host is identified, I can press the defined key combination (default is ESC) to quickly register a new host, and then approve it by my mobile phone very quickly.
You can also make a first logon script on your image to logon as administrator, (reg key next logon as user), wait a minute or a few, restart “FogService” service so you’ll have enough time to approve the new host/rebuild public key as necessary.
Just wrote a long post (my first after a few years) and had a power outage in my router, hate when it happens :package:
Long story short,
Can you log to fog webpage by your mobile phone?
You can use wifi, or if it’s restricted, possibly teamviewer/screenconnect or alternative.
OK that is the case (the fog client appears to be doing something). If the fog client is installed on the target computer, when I reboot this is the menu that is displayed.

    Host is pending approval!
    ________________________________
    Boot from hard disk
    Approve This Host
    Run Memtest86+
    Quick Image
    Join Multicast Session
    Client System Information (Compatibility)

When I review the list of hosts this system is not listed. When I select Approve this Host then this is displayed.

    http://192.168.1.88/fog/service/ipxe/boot.php... OK
    Would you like to approve this host? (y/N) Y
    Host approved successfully

System appears to reboot then does quick inventory. Once the quick inventory is done then the system name shows up in the host management list.
At this time I’m not sure if this is a bug, or just the way it works. If it is the way it works, it would be grand if I could choose to do a full inventory to give me a chance to set the system name right at the target computer’s console. I understand this is a unique situation that only exists during reference image build and doesn’t appear to be an issue doing a bare metal build with new hardware.
I think I may have figured this out.
Here is the work flow I just tested
- Create a new vm
- PXE boot into FOG
- Result is normal unregistered menu (no problem here)
What I did earlier
- Create new vm
- iso boot into MDT
- Build my reference image
- Sysprep and power off
- pxe boot into FOG
- Different FOG menu with authorize system menu option.
When I selected authorize system, entered my user ID and password in, something ran that appeared to be a quick registration process.
The difference is that during the automated MDT process the fog client is installed. It must relay the name of the MDT image (DEFAULTX86) to FOG and a host record is created in the fog database. That explains the magic how FOG knew the host name of this machine and the normal unregistered menu was not displayed.
I just launched a quick MDT build of our reference image, to test my theory.
Well I guess I need to run through the process again, when I was doing it I was more concerned about jazzing up the 5 hour mdt image build, for the second time.
I don’t know that I’m understanding this request.
The “pending hosts” are named and registered to be approved by the admin. The quick reg does not rename the host (or it shouldn’t I should say), it simply runs through to perform an inventory of the host as it’s now been approved. The registered hosts are put into a pending state to ensure hosts are known about at the administrator level.
If the host is named DEFAULTX86 before it is registered to the server, its name will be DEFAULTX86 even when the host is approved either by the GUI or by the “Approve Host” menu item. Device authorization is not a Full Registration piece because it’s already got the information in the system for it, we just need a way to say (yes, we authorize this host).