Managing Preferences

By default, Mac OS X Server doesn't have any managed preference settings enabled. Before you begin configuring these settings, you should consider all of your management options. For starters, Mac OS X Server lets you configure unique managed preferences separately for user, workgroup, and computer list accounts. In other words, you can configure some or all of the available managed preference settings for any account type independently of another account type's settings. To compound this already complicated situation, each user account can belong to multiple workgroups, and each workgroup account can belong to multiple computer lists.

With all these configuration options available, situations often arise in which a user account may have conflicting managed preference settings. Mac OS X resolves these conflicts by first narrowing the login to only one of each account type. Obviously, a user account is unique among other user accounts, but computers are also individually unique because they can belong to only one computer list account. The only variable that can occur is when a user is part of multiple workgroups. However, during login, this situation is resolved, because users must choose one workgroup to belong to during their session.

Once the login is narrowed to a single user, workgroup, and computer list account, conflicting managed preferences pan out into one of the following three situations:

  • A managed setting is configured for only one account type. In this case, there are no conflicts among settings, so the resulting preference is inherited based on the one managed account type.

  • A managed setting is configured for multiple account types, and the result is overridden based on the most specific managed account type. User account options are the most specific, followed by computer list account options, followed by workgroup account options. Most managed preferences follow this override rule.

  • A managed setting is configured for multiple account types, and the setting uses list-type options. In this case, the conflicting results are combined based on all the managed account types. The Application Items, Dock Items, Printer List, and Login Items managed preferences follow this combined rule.

Tip

  • You may find that an organizational tool such as a group outline or flowchart software like OmniGraffle (http://www.omnigroup.com) can help you plan the best implementation for your needs.


Best Practices for Managed Preferences

A few best practices will help you avoid managed-preference conflict and, as a result, save time:

  • Always start with a plan.

  • Manage each preference only once at specific account types. For example, manage the Printer List settings only in the computer list accounts.

  • Make exceptions only at the user account level. This approach keeps workgroups and your potential confusion to a minimum.
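
The conflict outcomes described earlier (inherited, override, combined) and the best practice of managing each preference at a single account type can be checked before you touch Workgroup Manager. The following Python is an added example, not Apple's resolution code or anything from the book; the account names, setting names, and the merge order used for combined lists are assumptions made for illustration.

```python
# Added example: models the conflict rules described in the text.
# Account names and setting names below are constructed for illustration.

# Override order from the text: user, then computer list, then workgroup.
PRECEDENCE = ("user", "computer_list", "workgroup")

# The four list-type preferences the text says follow the combined rule.
COMBINED = {"Application Items", "Dock Items", "Printer List", "Login Items"}

SAMPLE_DIRECTORY = {  # constructed sample data
    "users": {
        "amy": {"managed": {"Dock Size": "small", "Dock Items": ["Safari"]}},
        "bob": {"managed": {}},
    },
    "workgroups": {
        "design": {"members": ["amy", "bob"],
                   "managed": {"Dock Size": "large",
                               "Dock Items": ["Photoshop", "Safari"],
                               "Printer List": ["Studio Laser"]}},
        "staff": {"members": ["amy"], "managed": {"Simple Finder": True}},
    },
    "computer_lists": {
        "lab": {"computers": ["lab-01"],
                "managed": {"Dock Size": "medium",
                            "Printer List": ["Lab Color"],
                            "Sleep Minutes": 15}},
    },
}


def narrow_login(directory, user, workgroup, computer):
    """Reduce a login to one account of each type, as happens at login."""
    group = directory["workgroups"][workgroup]
    if user not in group["members"]:
        raise ValueError(f"{user} is not a member of workgroup {workgroup}")
    lists = [name for name, cl in directory["computer_lists"].items()
             if computer in cl["computers"]]
    if len(lists) > 1:
        raise ValueError(f"{computer} is in more than one computer list: {lists}")
    # Assumption: a computer in no list simply has no computer-list settings.
    list_settings = directory["computer_lists"][lists[0]]["managed"] if lists else {}
    return {"user": directory["users"][user]["managed"],
            "computer_list": list_settings,
            "workgroup": group["managed"]}


def resolve(accounts):
    """Apply the inherit / override / combine rules to one narrowed login."""
    effective = {}
    for pref in sorted({p for settings in accounts.values() for p in settings}):
        sources = [t for t in PRECEDENCE if pref in accounts[t]]
        if len(sources) == 1:
            rule, value = "inherited", accounts[sources[0]][pref]
        elif pref in COMBINED:
            # Merge order (most specific first, duplicates dropped) is an
            # assumption of this example; the text only says "combined".
            rule, value = "combined", []
            for account_type in sources:
                for item in accounts[account_type][pref]:
                    if item not in value:
                        value.append(item)
        else:
            rule, value = "override", accounts[sources[0]][pref]
        effective[pref] = {"value": value, "rule": rule, "sources": sources}
    return effective


def managed_more_than_once(effective):
    """Preferences set at several account types; the best practice is one."""
    return sorted(p for p, r in effective.items() if len(r["sources"]) > 1)


def effective_for(directory, user, workgroup, computer):
    """Effective managed preferences for one user/workgroup/computer login."""
    return resolve(narrow_login(directory, user, workgroup, computer))


if __name__ == "__main__":
    result = effective_for(SAMPLE_DIRECTORY, "amy", "design", "lab-01")
    for pref, r in result.items():
        print(f"{pref:14} {r['rule']:9} {r['value']!r:28} from {', '.join(r['sources'])}")
    print("managed at more than one account type:", managed_more_than_once(result))
```

Running the same login with a different workgroup choice shows how the result depends on the workgroup the user picks at login.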


To configure managed preferences:

1. Launch the Workgroup Manager tool located in /Applications/Server, and authenticate as the administrator (Figure 13.42).

Figure 13.42. Launch Workgroup Manager, and authenticate.


2. Click the Accounts icon in the Toolbar and the Computer Lists tab among the account types (Figure 13.43).

Figure 13.43. Select the Computer Lists tab to manage computer lists.


3. Click the directory authentication icon, and select the appropriate directory database from the pop-up menu.

Computer lists are always hosted from a parent directory database (Figure 13.44).

Figure 13.44. Select the appropriate directory database from this pop-up menu.


4. From the accounts list, select the user, workgroup, or computer list for which you wish to configure the managed preference settings (Figure 13.45):

  • If you select a user or workgroup account, the Preferences frame appears, in which you can select 1 of 11 managed preference icons (Figure 13.46).

    Figure 13.45. Select an account from the list. In this case, a computer list is selected.


    Figure 13.46. The Preferences frame shows 11 options when you're configuring a user or workgroup account...


  • If you select a computer list account, you have one additional managed preference icon (Energy Saver) (Figure 13.47).

    Figure 13.47. ...or 12 options when you're configuring a computer list account.


5. Click the preference you wish to manage, to reveal the available options (Figure 13.48).

Figure 13.48. Click the preference you wish to manage, to reveal the available options. In this case, the Dock item was selected.


6. Select one of these three options, which appear at the top of every managed preference frame (Figure 13.49):

  • Not Managed: The default setting for every managed preference. For the selected account, this preference isn't managed.

  • Once: Available for all managed preferences. For the selected account, this preference is managed the first time a user logs in. Afterward, the user may configure their own custom preferences.

  • Always: Available for every managed preference. For the selected account, this preference is always managed; the user can't make any changes to this setting.

Figure 13.49. Each managed preference requires that you select one of these three options.


7. Make your configuration choices.

The options available for each managed preference are too varied to discuss here. Refer to specific tasks later in this chapter for more information about each managed preference.

8. If you wish to discard your changes, click the Revert button.

Otherwise, when you've finished making changes, click the Apply Now button.

9. Click the Done button to return to the managed preferences icon view (Figure 13.50).

Figure 13.50. This Preferences frame shows that the Dock managed preferences are enabled for the selected account.


The arrow icon next to a preference icon indicates that managed preferences are configured for this item.

The changes you've made will automatically be updated to the client computers based on the cache schedule set in the computer lists or whenever the user logs in next. (See the task "To configure computer cache settings," earlier in this chapter, for more information regarding cache settings.)

Tips

  • Refer to specific tasks later in this chapter for more specific information on each managed preference.

  • To configure managed preferences for Mac OS 9 client computers, you must use the Macintosh Manager service and configuration tools.

  • You can select more than one item in a list by holding down the Shift or Command key while making your selections.

  • As is the case for group and user accounts, you can use account presets to automatically configure new computer lists. See Chapter 4, "User and Group Management," for more information.


MCX Is Behind the Scenes

Managed preference settings, like all other account settings, are stored in your Mac OS X Server's Open Directory database. However, due to the complexity of these settings, they go beyond the standard attribute/value data specification.

Managed preference settings use a format known as Machine Control XML (MCX). (More fun with acronyms: XML is short for Extensible Markup Language.) These MCX files consist of text formatted in a certain manner that is understood by the preference system on the client computers. In fact, the MCX text file format is similar to the format used for other Mac OS X preference files called property lists.

You can directly view and edit the MCX settings by using the Inspector view in Workgroup Manager (Figures 13.51 and 13.52). Take great care when editing this information directly, because human errors can cause some serious problems. See Chapter 4 for more information about using the Inspector.

Figure 13.51. The Inspector frame in Workgroup Manager lets you view the MCX account settings.


Figure 13.52. The Inspector edit dialog in Workgroup Manager lets you view and edit MCX account settings.



The Applications managed preference

Before you read this section, be sure you're familiar with the concepts discussed in the task "To configure managed preferences," earlier in this chapter. The figures in this section show a variety of managed preference configurations. These are only examples, and they should not be interpreted as the most appropriate configuration for your needs.

The Applications managed preference lets you restrict the launching of applications on Mac OS X computers. More specifically, you can do the following (Figure 13.53):

  • Specify a list of approved or unapproved applications

  • Restrict the launching of local applications

  • Restrict approved applications from launching other applications

  • Restrict the use of Unix tools

Figure 13.53. The Applications managed preference lets you restrict the launching of applications on Mac OS X computers.


The Applications managed preference is available to user, workgroup, and computer list account types. You can't manage this preference just once, because it's either unmanaged or always managed. If there are conflicting account settings, the resulting applications list is a combination of all the settings. Otherwise, all conflicting account settings for the Applications managed preference follow the override rule.

Tips

  • Workgroup Manager automatically finds applications on the computer it's running on.

  • When you're creating the applications list, it's best to use Workgroup Manager from one of the clients you'll be managing.


The Classic managed preference

Before you read this section, be sure you're familiar with the concepts discussed in the task "To configure managed preferences," earlier in this chapter. The figures in this section show a variety of managed preference configurations. These are only examples, and they should not be interpreted as the most appropriate configuration for your needs.

The Classic managed preference lets you configure the Classic environment and restrict access to Classic-related items on Mac OS X computers. More specifically, in the Startup tab you can do the following (Figure 13.54):

  • Require that Classic launch after user login

  • Warn the user before Classic attempts to launch

  • Specify a custom location for the Classic system items

Figure 13.54. The Classic managed preference lets you configure the Classic environment and restrict access to Classic-related items on Mac OS X computers.


In the Advanced tab of the Classic managed preference, you can do the following (Figure 13.55):

  • Allow special Classic startup modes

  • Restrict access to Classic Apple menu items

  • Specify the amount of time before Classic can go to sleep when idle, thereby saving both memory and CPU usage

Figure 13.55. The Advanced tab of the Classic managed preference frame offers additional options.


The Classic managed preference is available to user, workgroup, and computer list account types. You can't manage this preference just once, because it's either unmanaged or always managed. If there are conflicting account settings, all Classic managed preferences follow the override rule.

Tips

  • Classic managed preferences work only if a copy of Mac OS 9 is installed or available as a disk image on the client computer.

  • If you restrict access to the Classic Startup application using the Applications managed preference, then users won't be able to launch Classic.


The Dock managed preference

Before you read this section, be sure you're familiar with the concepts discussed in the task "To configure managed preferences," earlier in this chapter. The figures in this section show a variety of managed preference configurations. These are only examples, and they should not be interpreted as the most appropriate configuration for your needs.

The Dock managed preference lets you define the contents of the Dock and define the Dock's visual settings on Mac OS X computers. More specifically, in the Dock Items tab you can do the following (Figure 13.56):

  • Populate the Dock with applications or documents

  • Restrict the user from modifying the contents of the Dock

Figure 13.56. The Dock managed preference lets you define the contents of the Dock and define the Dock's visual settings on Mac OS X computers.


In the Dock Display tab of the Dock managed preference, you can do the following (Figure 13.57):

  • Specify all the visual aspects of the Dock, including its size, location, and magnification

  • Specify the minimize window animation

Figure 13.57. The Dock Display tab of the Dock managed preference frame offers additional options.


The Dock managed preference is available to user, workgroup, and computer list account types. In addition to leaving this preference unmanaged, you can manage this preference once or always. If there are conflicting account settings, the resulting Dock Items list is a combination of all the settings. Otherwise, all conflicting account settings for the Dock managed preferences follow the override rule.

Tip

  • Make sure any item you add to the Dock Items list is accessible to the client computers. Otherwise, those items will show up with a question mark icon in the Dock.


The Energy Saver managed preference

Before you read this section, be sure you're familiar with the concepts discussed in the task "To configure managed preferences," earlier in this chapter. The figures in this section show a variety of managed preference configurations. These are only examples, and they should not be interpreted as the most appropriate configuration for your needs.

The Energy Saver managed preference lets you define the power-saving features for both desktop and portable Mac OS X computers. More specifically, in the Desktop tab you can do the following (Figure 13.58):

  • Specify the amount of time the computer waits before it enters various sleep states

  • Specify various wakeup options

  • Specify unique sleep settings for either Mac OS X or Mac OS X Server

Figure 13.58. The Energy Saver managed preference lets you define the power-saving features for both desktop and portable Mac OS X computers.


In the Portable tab of the Energy Saver managed preference, you can do the following (Figure 13.59):

  • Specify the amount of time the computer waits before it enters various sleep states

  • Specify various wakeup and processor usage options

  • Specify unique Energy Saver settings for either using the power adapter or battery power

Figure 13.59. Additional options are available on the Portable tab...


In the Battery Menu tab of the Energy Saver managed preference, you can do the following (Figure 13.60):

  • Enable the battery status for portable computers

Figure 13.60. ...the Battery Menu tab...


In the Schedule tab of the Energy Saver managed preference, you can do the following (Figure 13.61):

  • Specify specific daily startup, sleep, or shutdown times

  • Specify unique schedule settings for either Mac OS X or Mac OS X Server

Figure 13.61. ...and the Schedule tab.


The Energy Saver managed preference is only available to computer list accounts. You can't manage this preference just once, because it's either unmanaged or always managed. If there are conflicting account settings, all Energy Saver managed preferences follow the override rule.

Tips

  • All of the Energy Saver managed preferences work only with Mac OS X 10.2.4 or above.

  • The Schedule settings work only with Mac OS X 10.3 or above.


The Finder managed preference

Before you read this section, be sure you're familiar with the concepts discussed in the task "To configure managed preferences," earlier in this chapter. The figures in this section show a variety of managed preference configurations. These are only examples, and they should not be interpreted as the most appropriate configuration for your needs.

The Finder managed preference lets you define the Finder interface options for Mac OS X computers. More specifically, in the Preferences tab, you can do the following (Figure 13.62):

  • Choose between normal or the more restrictive Simple Finder modes

  • Specify the items that appear on the Desktop

  • Specify various Finder view options

Figure 13.62. The Finder managed preference lets you define the Finder interface options for Mac OS X computers.


In the Commands tab of the Finder managed preference, you can do the following (Figure 13.63):

  • Allow or restrict various Finder volume commands, such as ejecting disks or connecting to servers

  • Allow or restrict the Go To Folder command

  • Allow or restrict shutdown and restart commands

Figure 13.63. Additional options are available on the Commands tab...


In the Views tab of the Finder managed preference, you can do the following (Figure 13.64):

  • Specify icon and list view settings separately for the Desktop, Default, and Computer views

Figure 13.64. ...and the Views tab.


The Finder managed preference is available to user, workgroup, and computer list account types. In addition to leaving settings in the Preferences tab and Views tab unmanaged, you can manage these settings once or always. Settings in the Commands tab can't be managed just once, because they're either unmanaged or always managed. If there are conflicting account settings, all Finder managed preferences follow the override rule.

Tip

  • The Simple Finder is a limited interface that is great for new computer users or kiosk computers that are open to the public.


The Internet managed preference

Before you read this section, be sure you're familiar with the concepts discussed in the task "To configure managed preferences," earlier in this chapter. The figures in this section show a variety of managed preference configurations. These are only examples, and they should not be interpreted as the most appropriate configuration for your needs.

The Internet managed preference lets you define the Internet settings on Mac OS X computers. More specifically, in the Email tab, you can do the following (Figure 13.65):

  • Specify the default email application

  • Specify the user's email account configuration

  • Specify email server and protocol information

Figure 13.65. The Internet managed preference lets you define the Internet settings on Mac OS X computers.


In the Web tab of the Internet managed preference, you can do the following (Figure 13.66):

  • Specify the default Web browser application

  • Specify Home and Search Web pages

  • Specify the local location for downloaded files

Figure 13.66. The Web tab provides additional options.


The Internet managed preference is available to user, workgroup, and computer list account types. In addition to leaving this preference unmanaged, you can manage it once or always. If there are conflicting account settings, all Internet managed preferences follow the override rule.

Tips

  • Be sure you allow access for the applications you define as the default email and Web browser if you're also using Applications managed preferences.

  • The Email Address field should be managed only at the user account level. You can, however, leave it blank if you wish to manage other email settings.


The Login managed preference

Before you read this section, be sure you're familiar with the concepts discussed in the task "To configure managed preferences," earlier in this chapter. The figures in this section show a variety of managed preference configurations. These are only examples, and they should not be interpreted as the most appropriate configuration for your needs.

The Login managed preference lets you define the Login window options for Mac OS X computers. More specifically, in the Login Items tab, you can do the following (Figure 13.67):

  • Create a list of applications to launch and server volumes to connect after the user logs in

  • Restrict users from adding their own login items and temporarily disabling login items by holding down the Shift key at login

Figure 13.67. The Login managed preference lets you define the Login window options for Mac OS X computers.


In the Login Options tab of the Login managed preference, you can do the following (Figure 13.68):

  • Choose between name and password fields or the user list to be displayed by the Login window

  • Allow or restrict various Login window commands such as restart and shut down

  • Enable fast user switching

Figure 13.68. Additional options are available on the Login Options tab...


In the Auto Log-Out tab of the Login managed preference, you can do the following (Figure 13.69):

  • Configure the amount of idle time that can pass before the system automatically logs out the user

Figure 13.69. ...and the Auto Log-Out tab.


Settings in the Login Items tab of the Login managed preference are available to user, workgroup, and computer list account types. However, settings in the Login Options tab and the Auto Log-Out tab are available only to computer list accounts.

In addition to leaving settings in the Login Items tab unmanaged, you can manage these settings once or always. Settings in the Login Options tab and the Auto Log-Out tab can't be managed just once, because they're either unmanaged or always managed.

If there are conflicting account settings, the resulting Login Items list is a combination of all the settings. Otherwise, all conflicting account settings for the Login managed preference follow the override rule.

Tips

  • Be sure you allow access for the applications in the Login Items list if you're also using Applications managed preferences.

  • The Auto Log-Out settings work only with Mac OS X 10.3 or later.


The Media Access managed preference

Before you read this section, be sure you're familiar with the concepts discussed in the task "To configure managed preferences," earlier in this chapter. The figures in this section show a variety of managed preference configurations. These are only examples, and they should not be interpreted as the most appropriate configuration for your needs.

The Media Access managed preference lets you define controlled access to removable media on Mac OS X computers. More specifically, in the Disk Media tab, you can do the following (Figure 13.70):

  • Completely restrict access to optical disk media, or require administrator authentication

  • Completely restrict access to recordable optical disk media, or require administrator authentication

Figure 13.70. The Media Access managed preference lets you define controlled access to removable media on Mac OS X computers.


In the Other Media tab of the Media Access managed preference, you can do the following (Figure 13.71):

  • Completely restrict access to internal disks, or require administrator authentication

  • Completely restrict access to external disks, or require administrator authentication

  • Force removable media to be ejected when the user logs out

Figure 13.71. The Other Media tab offers additional options.


The Media Access managed preference is available to user, workgroup, and computer list account types. You can't manage this preference just once, because it's either unmanaged or always managed. If there are conflicting account settings, all Media Access managed preferences follow the override rule.

Tip

  • The only instance where you should completely restrict access to the internal disks is if your client computers start up from a NetBoot server.


The Mobile Accounts managed preference

Before you read this section, be sure you're familiar with the concepts discussed in the task "To configure managed preferences," earlier in this chapter. The figures in this section show a variety of managed preference configurations. These are only examples, and they should not be interpreted as the most appropriate configuration for your needs.

A typical network user account requires that the client computer be always connected to the directory server and the home folder share point. On the other hand, mobile accounts are special network user accounts that don't require a persistent connection to your servers. The first time a mobile-account user logs in to a computer, a new home folder is created for this user on the client computer's local startup volume. The user's account information and managed preference settings are cached in the client computer's local user database.

A mobile-account user can disconnect from your network at any time, and all their account settings remain intact on the local client computer. Any time the computer is on your network and the user logs in, the account information and managed preference settings caches are updated. However, the user's home folder on the client computer's local startup volume is not synchronized with that user's home folder on your file servers.

The Mobile Account managed preference lets you enable the mobile user account option on Mac OS X computers. More specifically, you can do the following (Figure 13.72):

  • Enable the Mobile Account option

  • Require administrator authentication to create the Mobile Account home folder on the local computer

Figure 13.72. The Mobile Account managed preference lets you enable the mobile user account option on Mac OS X computers.


The Mobile Account managed preference is available to user, workgroup, and computer list account types. You can't manage this preference just once, because it's either unmanaged or always managed. If there are conflicting account settings, all Mobile Account managed preferences follow the override rule.

Tips

  • The Mobile Account settings work only with Mac OS X 10.3 or later.

  • Use a third-party tool, such as RsyncX, to synchronize home folders stored on the client computers with the home folders saved on your file servers. RsyncX is freely available at http://www.macosxlabs.org/rsyncx/.


The Printing managed preference

Before you read this section, be sure you're familiar with the concepts discussed in the task "To configure managed preferences," earlier in this chapter. The figures in this section show a variety of managed preference configurations. These are only examples, and they should not be interpreted as the most appropriate configuration for your needs.

The Printing managed preference lets you define controlled access to printers on Mac OS X computers. More specifically, in the Printer List tab, you can do the following (Figure 13.73):

  • Specify the printers available in the Printer list

  • Restrict the user from adding new printers to the local computer's Printer list

  • Completely restrict access to directly connected local printers, or require administrator authentication

Figure 13.73. The Printing managed preference lets you define controlled access to printers on Mac OS X computers.


In the Access tab of the Printing managed preference, you can do the following (Figure 13.74):

  • Specify the default printer

  • Require administrator authentication on a per-printer basis

Figure 13.74. The Access tab provides additional options.


The Printing managed preference is available to user, workgroup, and computer list account types. You can't manage this preference just once, because it's either unmanaged or always managed. If there are conflicting account settings, the resulting Printer list is a combination of all the settings. Otherwise, all conflicting account settings for the Printing managed preferences follow the override rule.

Tips

  • Workgroup Manager automatically finds printers in the Printer list on the computer it's running on.

  • When you're creating the Printer list, it's best to use Workgroup Manager from one of the clients you'll be managing.

  • Printer quotas are managed in each user's account settings. See Chapter 4, "User and Group Management," for more information.


The System Preferences managed preference

Before you read this section, be sure you're familiar with the concepts discussed in the task "To configure managed preferences," earlier in this chapter. The figures in this section show a variety of managed preference configurations. These are only examples, and they should not be interpreted as the most appropriate configuration for your needs.

The System Preferences managed preference lets you restrict access to System Preferences panes on Mac OS X computers. More specifically, you can do the following (Figure 13.75):

  • Specify a list of approved System Preferences panes

  • Hide all other Preferences panes from the user

Figure 13.75. The System Preferences managed preference lets you restrict access to System Preferences panes on Mac OS X computers.


The System Preferences managed preference is available to user, workgroup, and computer list account types. You can't manage this preference just once, because it's either unmanaged or always managed. If there are conflicting account settings, the resulting System Preferences list is a combination of all the settings.

Tip

  • If you restrict access to the System Preferences application using the Applications managed preference, then users won't be able to use any System Preference panes.


The Universal Access managed preference

Before you read this section, be sure you're familiar with the concepts discussed in the task "To configure managed preferences," earlier in this chapter. The figures in this section show a variety of managed preference configurations. These are only examples, and they should not be interpreted as the most appropriate configuration for your needs.

The Universal Access managed preference lets you define settings that help users who have physical limitations that impair their ability to use Mac OS X computers. More specifically, in the Seeing tab, you can do the following (Figure 13.76):

  • Enable and specify screen zoom options that magnify the screen image

  • Enable grayscale and inverted color options

Figure 13.76. The Universal Access managed preference lets you define settings that help users who have physical limitations that impair their ability to use Mac OS X computers.


In the Hearing tab of the Universal Access managed preference, you can do the following (Figure 13.77):

  • Specify that the screen flash whenever the audible alert sounds

Figure 13.77. Additional options are available on the Hearing tab...


In the Keyboard tab of the Universal Access managed preference, you can do the following (Figure 13.78):

  • Enable and specify Sticky Keys options that hold the modifier keys

  • Enable and specify Slow Keys options that create a delay between when a key is pressed and when its input is selected

Figure 13.78. ...the Keyboard tab...


In the Mouse tab of the Universal Access managed preference, you can do the following (Figure 13.79):

  • Enable and specify Mouse Keys options that let you control the cursor using the number keypad

Figure 13.79. ...the Mouse tab...


In the Options tab of the Universal Access managed preference, you can do the following (Figure 13.80):

  • Enable the Universal Access keyboard shortcuts that let you toggle Universal Access features using various keyboard shortcuts

Figure 13.80. ...and the Options tab.


The Universal Access managed preference is available to user, workgroup, and computer list account types. In addition to leaving this preference unmanaged, you can manage it once or always. If there are conflicting account settings, all Universal Access managed preferences follow the override rule.

Tip

  • Enabling Universal Access settings may drive a normal user completely insane if they aren't accustomed to them.




    Mac OS X Server 10.3 Panther: Visual QuickPro Guide
    ISBN: 0321242521
    Year: 2004
    Pages: 105