| By default, Mac OS X Server doesn't have any managed preference settings enabled. Before you begin configuring these settings, consider all of your management options. For starters, Mac OS X Server lets you configure unique managed preferences separately for user, workgroup, and computer list accounts. In other words, you can configure some or all of the available managed preference settings for any account type independently of another account type's settings. To compound this already complicated situation, each user account can belong to multiple workgroups, and each workgroup account can belong to multiple computer lists. Additionally, computer lists can also have network-managed preferences. That is, a computer that is managed via a computer list can have the network view specified. With all these configuration options available, situations often arise in which a user account may have conflicting managed preference settings. Mac OS X resolves these conflicts by first narrowing the login to only one of each account type. Obviously, a user account is unique among other user accounts, but computers are also individually unique because they can belong to only one computer list account. The only variable that can occur is when a user is part of multiple workgroups. However, during login, this situation is resolved, because users must choose one workgroup to belong to during their session. Best Practices for Managed Preferences A few best practices will help you avoid managed-preference conflict and, as a result, save time: Always start with a plan. Manage each preference only once at specific account types. For example, manage the Printer List settings only in the computer list accounts. Make exceptions only at the user account level. This approach keeps workgroups and your potential confusion to a minimum.
|
Once the login is narrowed to a single user, workgroup, and computer list account, conflicting managed preferences pan out into one of the following three situations: A managed setting is configured for only one account type. In this case, there are no conflicts among settings, so the resulting preference is inherited based on the one managed account type. A managed setting is configured for multiple account types, and the result is overridden based on the most specific managed account type. User account options are the most specific, followed by computer list account options, followed by workgroup account options. Most managed preferences follow this override rule. A managed setting is configured for multiple account types, and the setting uses list-type options. In this case, the conflicting results are combined based on all the managed account types. The Application Items, Dock Items, Printer List, and Login Items managed preferences follow this combined rule.
When a Mac OS X computer is managed, regardless of whether the management is based on user, group, or computer accounts, there are three areas where these settings are transferred down to the Mac OS X computer, allowing for the management to take place regardless of whether the user is subsequently connected and bound to the server or not. The settings are saved in the local NetInfo database under the Config records, in the /Library folder under managed settings, and in the logged-in user's Library folder. To rid the Mac OS X computer of these managed settings, all three locations must be cleared out and the computer restarted.  Tip
To configure managed preferences 1. | In Workgroup Manager, click the directory authentication icon and select the LDAP directory database from the pop-up menu (Figure 13.23).
Figure 13.23. Select the LDAP directory database from this pop-up menu. 
| 2. | From the accounts list, (the Groups list is shown here) select the desired user, workgroup, or computer list (Figure 13.24).
Figure 13.24. Choosing the appropriate group for managing preferences. 
| 3. | Click the Preferences icon in the toolbar, and depending on whether you chose a user, group, or computer list, you will see slightly different icons in the window below:
- If you selected a user or workgroup account, the Preferences window appears, in which you can select one of 13 managed preference icons (Figure 13.25).
Figure 13.25. Available preferences for user and group accounts. 
- If you selected a computer list account, you can choose from one additional managed preference icon (Energy Saver) (Figure 13.26).
Figure 13.26. Computer list account preferences include Energy Saver. 
| | | 4. | Click the preference you wish to manage to reveal the available options (Figure 13.27).
Figure 13.27. Selecting a preference reveals most of the managed options. 
| 5. | Depending on the preference you chose, you may select one of the following options, which appear at the top of every managed preference window (Figure 13.28):
- None The default setting for every managed preference. For the selected account, this preference isn't managed.
- Once Available for all managed preferences. For the selected account, this preference is managed the first time a user logs in. Afterward, the user may configure their own custom preferences.
- Always Available for every managed preference. For the selected account, this preference is always managed; the user can't make any changes to this setting.
Figure 13.28. Most preferences can be managed three ways: Never, Once, and Always. 
| 6. | To discard your changes, click Revert.
or
When you've finished making changes, click Apply Now.
| | | 7. | Click Done to return to the managed preferences icon view.
The arrow icon  next to a preference icon indicates that managed preferences are configured for this item. The changes you've made will automatically be updated to the client computers based on the cache schedule set in the computer lists or whenever the user logs in next.
|
Tips Each managed preference is saved in the same manner. Refer to tasks later in this chapter for more specific information on each managed preference. To configure managed preferences for Mac OS 9 computers, you must use the Macintosh Manager service and configuration tools. As is the case for group and user accounts, you can use account presets to automatically configure new computer lists. See Chapter 4 for more information.
About the Applications managed preference Before you read the following sections on different types of managed preferences, be sure you're familiar with the concepts discussed in the previous task. The figures in these sections show a variety of managed preference configurations. They are only examples and should not be interpreted as the most appropriate configuration for your needs. The Applications managed preference icon lets you restrict the launching of applications on Mac OS X computers. You can do the following (Figure 13.29): Specify a list of approved or unapproved applications. Restrict the launching of local applications. Restrict approved applications from launching other applications. Restrict the use of Unix tools. Figure 13.29. Choosing what applications can be launched via the Applications managed preferences. 
You should test before restricting Unix tools as many applications make calls to Unix executables (what Apple calls tools here). If you restrict Unix tools, you may find that some applications that are permitted to run will not function properly. Except where noted, all of the managed preferences discussed in the following sections are available to user, workgroup, and computer list account types. You can't manage these preferences just once, because most are either unmanaged or always managed. If there are conflicting account settings, the resulting lists will be a combination of all the settings. Otherwise, all conflicting account settings for these managed preferences follow the override rule. Tip
About the Classic managed preference The Classic managed preference icon lets you configure the Classic environment and restrict access to Classic-related items on Mac OS X computers. In the Startup tab you can do the following (Figure 13.30): - Require that Classic launch after user login.
- Warn the user before Classic attempts to launch.
- Specify a custom location for the Classic system items.
Figure 13.30. The Startup tab of the Classic managed preferences permits Classic to start up at login. 
On the Advanced tab, you can do the following (Figure 13.31): - Allow special Classic startup modes.
- Restrict access to Classic Apple menu items such as the Chooser and Network Browser.
- Specify the amount of time before Classic can go to sleep when idle, thereby saving both memory and CPU usage.
Figure 13.31. The Advanced tab of Classic managed preferences permits hiding certain classic Apple menu items. 
Tips Classic managed preferences work only if a copy of Mac OS 9 is installed or available as a disk image on the Mac OS X computer. If you restrict access to the Classic Startup application using the Applications managed preference, users won't be able to launch Classic.
About the Dock managed preference The Dock managed preference icon lets you define the contents of the Dock and define the Dock's visual settings on Mac OS X computers. In the Dock Items tab you can do the following (Figure 13.32): - Populate the Dock with applications or documents.
- Restrict the user from modifying the contents of the Dock.
- When managing group preferences, you have the additional option of adding the group folder to the Dock.
- Merge the Dock with the user's existing Dock.
Figure 13.32. The Dock managed preference lets you define the contents of the Dock and define the Dock's visual settings on Mac OS X computers. 
In the Dock Display tab, you can do the following (Figure 13.33): - Specify all the visual aspects of the Dock, including its size, location, and magnification.
- Specify the minimize window animation.
Figure 13.33. The Dock Display tab of the Dock managed preference window offers additional options. 
In addition to leaving this preference unmanaged, you can manage it once or always. Tip
About the Energy Saver managed preference The Energy Saver managed preference icon lets you define the power-saving features for both desktop and portable Mac OS X computers. In the Desktop tab, you can do the following to both Mac OS X and Mac OS X Server (Figure 13.34): - Specify the amount of time the computer waits before it enters various sleep states.
- Specify various wakeup options by choosing Options from the Settings pop-up menu (Figure 13.35).
Figure 13.34. The Energy Saver managed preference lets you define the power-saving features for both desktop and probable Mac OS X computers. 
Figure 13.35. Additional options are available when you select Options from the Settings pop-up. 
On the Portable tab, you can do the following (Figure 13.36): - Specify the amount of time the computer waits before it enters various sleep states.
- Specify various wakeup options by choosing Options from the Settings pop-up menu (Figure 13.37).
- Specify unique Energy Saver settings for either using the power adapter or battery power.
Figure 13.36. The Portable tab has choices when running portables on either battery power or plugged in. 
Figure 13.37. The Portable tab also has additional options available when you select Options from the Settings pop-up. 
In the Battery Menu tab, you can enable the battery status for portable computers (Figure 13.38). In the Schedule tab, you can specify daily startup, sleep, or shutdown times for both Mac OS X and Mac OS X Server (Figure 13.39). Figure 13.38. The Battery Menu tab permits the battery icon to be added to the menu bar. 
Figure 13.39. The Schedule tab is used to manage startup, sleep, and shutdown times. 
Unlike the other managed preferences discussed previously, the Energy Saver managed preference is only available to computer list accounts. Tip
About the Finder managed preference The Finder managed preference icon lets you define the Finder interface options for Mac OS X computers. In the Preferences tab, you can do the following (Figure 13.40): - Choose between normal or the more restrictive Simple Finder modes.
- Specify the items that appear on the Desktop.
- Specify various Finder view options.
Figure 13.40. The Finder managed preference lets you define the Finder interface options for Mac OS X computers. 
In the Commands tab, you can do the following (Figure 13.41): - Allow or restrict various Finder volume commands, such as ejecting disks or connecting to servers.
- Allow or restrict the Go To Folder command.
- Allow or restrict shutdown and restart commands.
Figure 13.41. Additional options are available on the Commands tab... 
In the Views tab, you can specify icon and list view settings separately for the Desktop, Default, and Computer views (Figure 13.42). Figure 13.42. ...and the Views tab, most of which are self-explanatory. 
In addition to leaving settings in the Preferences tab and Views tab unmanaged, you can manage these settings once or always. Settings in the Commands tab are either unmanaged or always managed. Tips Removing access to the Restart command only allows users to shut the machine down and start it back up with the power button. This may help flush stubborn temporary files that may linger if you simply restart. Removing access to the Go To Folder command reduces the chances that a user will go poking around in the hidden directories, such as /private, /usr, /bin, and others. Forcing the Desktop view to show icons as large as possible, snapped to a grid and organized by some attribute, is a great way to discourage users from saving files to their Desktop folder. The Simple Finder is a limited interface that is great for new computer users or kiosk computers that are open to the public.
About the Internet managed preference The Internet managed preference icon lets you define the Internet settings on Mac OS X computers. In the Email tab, you can do the following (Figure 13.43): - Specify the default email application.
- Specify the user's email account configuration.
- Specify email server and protocol information.
Figure 13.43. The Internet managed preference lets you define email settings on Mac OS X computers and... 
In the Web tab, you can do the following (Figure 13.44): - Specify the default Web browser application.
- Specify home and search Web pages.
- Specify the local location for downloaded files.
Figure 13.44. ...the Web tab provides additional options such as application preference and home page. 
In addition to leaving this preference unmanaged, you can manage it once or always. Tips Be sure you allow access for the applications you define as the default email and Web browser if you're also using Applications managed preferences. The Email Address field should be managed only at the user account level. You can, however, leave it blank if you wish to manage other email settings, such as incoming and outgoing mail server information.
About the Login managed preference The Login managed preference icon lets you define the Login window options for Mac OS X computers. Four types of login management are available, and only one is available to be managed via user, group, and/or computer list accounts (Login Items). The other three managed preferences devoted to login (login and logout scripts, login window interface variables, and auto-logout and Fast User Switching management) are only available to be managed via computer lists accounts. In the Login Items tab, you can do the following (Figure 13.45): - Create a list of applications to launch, server volumes to connect to, or folders to open after the user logs in.
- Restrict users from adding their own login items and temporarily disabling login items by holding down the Shift key at login.
- Add network home share points (if they are not automounted) and merge listed login items with the user's existing items; this option will only be available when setting managed preference for the initial login (Once).
Figure 13.45. The Login managed preference lets you define login items and potential mounts when a user logs in. 
In the Scripts tab, you can do the following (Figure 13.46): - Have scripts run at login and logout, regardless of user.
- Include local scripts on Mac OS X computers.
Figure 13.46. Login scripts can be managed efficiently by choosing a group or computer list account to which to apply these settings. 
Tips Trusted binding must be used for the scripts to work. (Refer to Chapter 3 for more information.) The root com.apple.loginwindow property list must contain a key EnableMCXLoginScripts and be set to True for the scripts to work.
In the Login Window tab, you can do the following (Figure 13.47): - Choose login window message and view options for listed users.
- Remove the auto-login setting.
- Disable other login window features such as Restart and Shutdown buttons and console login. Login window text appears the next time a user who is a member of that computer list starts up a bound computer (Figure 13.48).
Figure 13.47. The Login Window tab permits text and manipulation of other content on and surrounding the Login window. 
Figure 13.48. The view of a Login window on a Mac OS X computer that is being managed. 
In the Options tab, you can do the following (Figure 13.49): - Enable fast user switching.
- Configure the amount of idle time that can pass before the system automatically logs out the user.
Figure 13.49. The Options tab allows or denies access to fast user switching and auto-logout. 
Tips
About the Media Access managed preference The Media Access managed preference icon lets you define controlled access to removable media on Mac OS X computers. In the Disk Media tab, you can do the following (Figure 13.50): - Completely restrict access to optical disk media, or require administrator authentication.
- Completely restrict access to recordable optical disk media, or require administrator authentication.
Figure 13.50. The Media Access managed preference lets you define controlled access to removable media on Mac OS X computers. 
In the Other Media tab, you can do the following (Figure 13.51): - Completely restrict access to internal disks, or require administrator authentication.
- Completely restrict access to external disks, or require administrator authentication.
- Force removable media to be ejected when the user logs out.
Figure 13.51. The Other Media tab offers additional options, such as making a device mount as read-only. 
Tip
About the Mobile Accounts managed preference A typical network user account requires that the client computer be always connected to the directory server and the home folder share point. On the other hand, mobile accounts are special network user accounts that don't require a persistent connection to your servers. The first time a mobile-account user logs in to a computer, a new home folder is created for this user on the client computer's local startup volume based on the user template on that client computer. The user's account information and managed preference settings are cached in the client computer's local user database. A mobile-account user can disconnect from your network at any time, and all their account settings remain intact on the local client computer. Any time the computer is on your network and the user logs in, the account information and managed preference settings caches are updated (Figure 13.52). The user's home folder can be synchronized and various options exist on how that synchronization takes place, such as through a logged-in user's menu bar (Figure 13.53). Synchronization will be discussed later in this section. Figure 13.52. The window that appears after you log in with a username and password; but before the Desktop appears. 
Figure 13.53. Manual syncing of the local and network home folders via the Home Sync menu item. 
The Mobile Account managed preference icon lets you enable the mobile user account option on Mac OS X computers, including the following (Figure 13.54): - Enable the Mobile Account option.
- Require administrator authentication to create the Mobile Account home folder on the local computer.
Figure 13.54. The Mobile Account managed preference lets you enable the mobile user account option on Mac OS X computers. 
In the Rules tab, the Login & Logout Sync and Background Sync tabs permit the following (Figure 13.55): - Decide what directories should be synced andmore importantshould not.
- Specify whether to merge with the users settings
Figure 13.55. The Mobile Account managed preference Rules tab lets you choose how, when, and what is synchronized between the client and server. 
The Rules tab lets you specify how often you want synchronization to occur when using background syncing (Figure 13.56). Figure 13.56. When syncing client and server home directories, you can choose how often the automatic syncing takes place, or you can allow manual syncing. 
When you set up active syncing, take care to note exactly what Apple does not sync. Apple chose not to sync 13 items (all set to the full path of the final directory or file). When you add to this list, you can use the up/down arrows (shown in Figure 13.55) to choose how to locate items that should not be synced. Your choices appear in the pop-up menu (Figure 13.57). Figure 13.57. Parameters used to define how to locate items to be synced. 
Tips The Mobile Account settings work only with Mac OS X 10.3 or later; synchronization of accounts works only with Mac OS X 10.4 or later. Choosing the Once option when doing login/logout and/or background syncing allows users to choose when they sync from that point on, from the menu bar. This approach can backfire, as users may not be diligent about syncing their directories. It is wise to not sync users' Music, Pictures, and Movies folders unless absolutely necessary, due to the potentially large file transfers that may occur. If users are using Entourage, be aware that the entire Entourage database will be synchronized each time the synchronization process takes place. This file can become quite large, and in a managed environment with several hundred users, the synchronization process can cause a significant increase in network traffic.
About the Network managed preference The Network managed preference icon lets you define proxy settings on Mac OS X computers in the following ways (Figure 13.58): - Specify the proxies, if any, for FTP, Web, Secure Web, Streaming, and others.
- Bypass proxies for specific domains, such as internal or external mail servers.
Figure 13.58. The Network managed preference sets proxy information for a variety of sources. 
About the Printing managed preference The Printing managed preference icon lets you define controlled access printers on Mac OS X computers. In the Printer List tab, you can do the following (Figure 13.59): - Specify the printers available in the Printer list.
- Restrict the user from adding new printers to the local computer's Printer list.
- Completely restrict access to directly connected local printers, or require administrator authentication.
Figure 13.59. The Printing managed preference lets you define controlled access printers on Mac OS X computers. 
In the Access tab, you can specify the default printer and require administrator authentication on a per-printer basis (Figure 13.60). Figure 13.60. The Access tab provides additional options such as default printer and access control. 
Tips Workgroup Manager automatically finds printers in the Printer list on the computer it's running on, not the server if Workgroup Manager is running remotely. When you're creating the Printer list, it's best to use Workgroup Manager from one of the clients you'll be managing if running it directly on the server is not feasible. Printer quotas are managed in each user's account settings. See Chapter 4 for more information.
About the Software Update managed preference and Software Update service The Software Update managed preference lets you restrict access to where bound Mac OS X computers search for software updates by directing them to your Mac OS X Server instead of Apple's server (Figure 13.61). Figure 13.61. The Software Update managed preference points the computer to the correct location to receive software updates. 
Forcing the location of the Software Update server will not function properly unless you turn on the Software Update service, which you do via the Server Admin tool. When selecting the Software Update service, you have some choices as to how the updates are handled. System updates are then managed in two different fashions; updates are downloaded to the server and do not mirror Apple updates automatically. This enables you to push out specific updates you choose but not automatically download new updates until you click Check Now under the Updates tab in the Software Update service. The second method is to automatically enable mirrored updates, enabling users to get the latest updates from your server without you checking them first. They still come from your server, so bandwidth is conserved, but you do not discriminate on which updates they are allowed to install (Figure 13.62). Figure 13.62. Using Server Admin to decide how to implement the Software Update service. 
To enable the Software Update service 1. | Open the Server Admin tool, authenticate as the administrator, and select the Software Update service (Figure 13.63).
Figure 13.63. Locating the Software Update service using Server Admin. 
| 2. | Select the Updates tab and click Check Now (Figure 13.64).
Figure 13.64. A large collection of software updates from Apple are stored locally on the server for download by bound Mac OS X computers. 
Depending on your Internet connection, be prepared to wait as the Software Update service downloads almost every conceivable update to your server.
| 3. | Click the General tab and choose how to enable the service, as mirrored or not mirrored, and if mirrored, whether to enable all mirrored updates (Figure 13.65).
Figure 13.65. Check boxes in the Software Update service permit the mirroring of Apple downloads and the option to enable those downloads. 
| 4. | You then decide whether or not to limit bandwidth to a given speed and what port to choose.
Use port 8088 if you do not want to reconfigure all your Mac OS X computers to look over another port.
| | | 5. | Click the Updates tab again and deselect the updates that are not germane to your Mac OS X computers (Figure 13.66).
Figure 13.66. Disabling nonessential downloads. 
| 6. | Make sure you have managed accounts in one fashion or another (user, group, computer list) and enable the Software Update managed preference to point to your server (Figure 13.67).
Figure 13.67. Setting the location of the software update service server in Workgroup Manager. 
| 7. | Click Start in the toolbar of Server Admin to start the Software Update service.
or
You can also run this via the command line by navigating to the /usr/local/bin/ directory and running the swupd_syncd daemon.
|
Tips All downloaded updates are located in the /usr/share/swupd/html/ directory. You can view the Software Update log file by using Server Admin and clicking Software Update service, then clicking the Log tab at the bottom of the window. Should the Software Update service not behave as expected, remove the downloaded updates and click Check Now again to re-sync the updates.
About the System Preferences managed preference The System Preferences managed preference icon lets you restrict access to System Preferences panes on Mac OS X computers. In particular, you can specify a list of approved System Preferences panes and hide all other Preferences panes from the user (Figure 13.68). Figure 13.68. The System Preferences managed preference lets you restrict access to System Preferences panes on Mac OS X computers. 
Tips If you restrict access to the System Preferences application using the Applications managed preference, then users won't be able to use any System Preference panes. Unless absolutely necessary, you should disallow access to the QuickTime preference pane if you have a QuickTime Pro license. Any user can click on this preference pane and retrieve the name and serial number, making theft of another user's serial number a very easy task.
About the Universal Access managed preference The Universal Access managed preference icon lets you define settings that help users who have physical limitations that impair their ability to use Mac OS X computers. In the Seeing tab, you can do the following (Figure 13.69): - Enable and specify screen zoom options that magnify the screen image.
- Enable grayscale and inverted color options.
Figure 13.69. The Universal Access managed preference lets you define settings that help users who have physical limitations that impair their ability to use Mac OS X computers. 
In the Hearing tab of the Universal Access managed preference, you can specify that the screen flash whenever the audible alert sounds (Figure 13.70). Figure 13.70. Additional options are available on the Hearing tab... 
In the Keyboard tab, you can do the following (Figure 13.71): - Enable and specify Sticky Keys options that hold the modifier keys.
- Enable and specify Slow Keys options that create a delay between when a key is pressed and when its input is selected.
Figure 13.71. ...the Keyboard tab... 
In the Mouse tab, you can enable and specify Mouse Keys options that let you control the cursor using the number keypad (Figure 13.72). In the Options tab of the Universal Access managed preference, you can enable the Universal Access keyboard shortcuts that let you toggle Universal Access features using various keyboard shortcuts (Figure 13.73). Figure 13.72. ...the Mouse tab... 
Figure 13.73. ...and the Options tab. 
MCX Is Behind the Scenes Managed preference settings, like all other account settings, are stored in your Mac OS X Server's Open Directory database. However, due to the complexity of these settings, they go beyond the standard attribute/value data specification. Managed preference settings use a format known as Machine Control XML (MCX) (some say it also means Managed Client for X). (More fun with acronymsXML is short for Extensible Markup Language.) These MCX files consist of text formatted in a certain manner that is understood by the preference system on the client computers. In fact, the MCX text file format is similar to the format used for other Mac OS X preference files called property lists. You can directly view and edit the MCX settings by using the Inspector view in Workgroup Manager. Take great care when editing this information directly, because human errors can cause some serious problems. See Chapter 4 for more information about using the Inspector. |
|
