Defining the User Experience


As you've learned, there are multiple methods for managing the user experience through multiple levels of MCX settings. These methods target different users on different machines and at different frequencies. Now that you have an idea of the methods you can use to manage the user experience, you'll explore a sampling of the preferences you can set for your users, groups, and machines. Some preferences can't be applied to all three categories, but that's generally only the case when you wouldn't want to apply them anyway. An example of this is your inability to apply power-management settings to a user record; they can be assigned only to computers.

For each of the areas outlined below, follow these steps to define the settings:

1. Open Workgroup Manager.

2. View the directory that contains your user records, and authenticate, if necessary.

3. Click the Preferences button at the top of the Workgroup Manager window.

4. Select the users, workgroups, or computers tab (on the left), depending on whom you want to apply the settings to.

5. Select one or more entries in the users, groups, or computers list.

6. Click the icon of the preference you want to set.

7. Click the radio button to indicate whether you want to manage these settings just once or always for that user, group, or computer list.

Once an item is managed with a Once, Often, or Always designation, an arrow will appear in the main preferences overview pane, as seen in the above figure.

Setting Finder Preferences

The Finder preferences offer you a number of choices for configuring the appearance of the Finder. At the most basic level, you have the choice of using the normal Finder that you're accustomed to seeing, or setting up the computer to use a Simple Finder, in which the user isn't able to navigate to anything but is presented with just a Dock and very limited pull-down menus (as in the following figure). The user is restricted from navigating on the computer and, for the most part, can only run the applications on his or her Dock. You may wish to customize this setting using the Dock preferences.

If you wish to continue to use the normal Finder, you have many options for configuring the look and access of the Finder. You can select check boxes to determine whether the hard disks, removable media, or servers show up on the user's Desktop. You can also configure such Finder behavior as what happens when the user opens a new Finder window or empties the Trash.

In the Commands pane of Finder preferences, you'll find the following capabilities that you can make available or unavailable to users:

  • Connect to Server

  • Go to iDisk

  • Eject (media and volumes)

  • Burn Disc

  • Go to Folder

  • Restart

  • Shut Down

These settings are very important when you want to restrict access to areas of the local computer or of the network. If the user has the Go to Folder ability, he or she can navigate to almost any location on the computer, even if the hard-disk icon isn't shown on his or her Desktop. By removing the ability to burn discs or connect to remote servers, you prevent the user from easily stealing licensed software that may be installed on a computer lab machine. Without access to external servers, it's also a bit more difficult to install additional software or files on the machine. By limiting Connect to Server, iDisk, and Safari access (as shown with Preference Manifests), you can create a more restrictive computer environment in which users don't have unauthorized network access and can't transfer files to or from the machine.

Restricting commands a user can access using the managed Finder settings.

Finally, the Views pane can be used to configure the icon properties in the Finder. For the Desktop, default Finder windows, and Computer view, you can set the icon size, arrangement, and snap-to-grid behavior. These presets can be useful for enlarging icon views for young children or those with poor eyesight.

Setting Media Access Preferences

The Finder preferences concentrate primarily on controlling how the user sees objects already on the computer or on restricting the ability to connect to network shares. You can use the media preferences to restrict how a computer behaves when external media are plugged in.

The following media are listed:

  • CDs and CD-ROMs

  • DVDs

  • Recordable Discs

  • Internal Disks

  • External Disks, including FireWire drives and keychain flash drives

In the Other Media pane, an option is also available that will eject all removable media at logout. This is a particularly good feature to enable in a computer lab situation to help keep users from leaving CDs in the drives.

Setting Dock Preferences

Setting the look and feel of the Dock goes hand in hand with configuring the user's Finder preferences. This is especially important for Simple Finder users who can only run the applications found in their Docks. In a classroom, you may also wish to remove some applications from the Dock such as Safari, Mail, and iChat.

The Dock preferences offer two tabs. The first tab opens a pane where you control the items that appear in the Dock. Just as a normal Dock is separated into two parts, one containing applications, and the other containing documents and folders, the preferences for the Dock also manage these preferences separately. You can add items to and remove items from the list as you see fit. Checking the box for "Merge with user's Dock" will combine what you define in the lists with whatever the user may already have in his or her Dock preferences. This is important if you're applying the Once setting and don't want to overwrite the items that users may already have in their Docks. Options are also present to dynamically add a user's Applications, Documents, and Network Home folders. If you're managing a group's preferences, and that group already has defined a network group share, you can check the box to automatically add that to the Dock.

Managing the contents of the selected group's Dock.

The second tab for the Dock preferences opens a pane where you control the Dock's behavior. This includes the size, position, magnification, and minimizing style.

Creating Group Shares

If you'd like to configure your Dock settings to automatically contain a group share, you must first create the group network share point, which is also done in Workgroup Manager. The network group share can be used for collaborative purposes, to share documents or other common files used by members of the group.

1. Open Workgroup Manager.

2. Connect to the LDAP directory containing your groups, and authenticate, if necessary.

3. Click the Sharing icon, and select the Groups folder from the Share Point list.

4. Click the Network Mount tab, and click the lock icon.

5. Enter your LDAP directory administrator's short name and password.

6. Select "Enable network mounting of this share point," and click Save.

7. At the top of the Workgroup Manager window, click the Accounts button.

8. Select the groups tab on the left side.

9. Select the group(s) for which you'd like to define group folders.

10. Select the Group Folder tab, and click the Refresh button in the toolbar to refresh the view.

11. Select the share point that already contains or will soon contain your group folders.

If the share point isn't in the list, you can add it using the Add (+) button. If you're adding a new share point, just list the root level of the share point as the URL, and identify the remaining portion of the path (without the leading slash) in the second field.

For example, to reference the group shared folder at afp://server17.pretendco.com/GroupShares/finance/budget, you'd put afp://server17.pretendco.com/GroupShares in the URL field and finance/budget in the Path field.

12. Specify the owner of the group folder using the Owner Name field. This user will have full access to the group folder.

Using the Apple default Groups folder to host the group share point.

After you've defined all of your group share points, you can have the server create and populate each of the group folders with this command-line utility:

 sudo CreateGroupFolder -v 


This will create the folders, set their permissions, and set up Documents, Library, and Public folders (complete with Drop Box) for each group. The -v option sets the command in verbose mode, allowing you to see the output.

If you'd like the members of this group to automatically see their group folders, you can either select the checkbox in the Dock preferences for "Add group folder", or you can create a login item that automatically mounts their network folder.

Setting System Preferences Access

MCX settings can also be used to control which System Preferences can be accessed. Simply click the Preferences button and select each of the System Preferences that the user is allowed to access.

The primary benefit of this setting is security. Any items that users can't access according to their MCX settings are disabled and dimmed when they open System Preferences.

Setting Login Preferences

The login preferences offer many options in four panes. In the Login Items pane are options that control the traditional login items for the user. You can drag applications into this list with the option of hiding them, as you can with the login items available to users through the Accounts preference pane. At the bottom of the Login Items pane, you have a few options controlling the user's ability to modify this list or bypass it altogether. The option "Mount item with user's name and password" is used after selecting "Add network home share point" (if managing a user record) or "Add group share point" (if managing a group record).

The Scripts tab can be used only when editing the MCX settings for a computer list. This pane offers options to execute login and logout scripts.

Before enabling these scripts, you must first enable MCX script execution on the client. This is disabled by default as a security precaution.

sudo defaults write /var/root/Library/Preferences/com.apple.loginwindow EnableMCXLoginScripts -bool TRUE


You must also set the trust level:

sudo defaults write /var/root/Library/Preferences/com.apple.loginwindow MCXScriptTrust PartialTrust


The MCXScriptTrust setting can be any of the following:

  • Anonymous: will run scripts from any directory server configured in Directory Access (least secure)

  • DHCP: will only run scripts from the directory server given to the client during the DHCP negotiation

  • Encryption: will only run scripts from directory servers configured in Directory Access to Encrypt all packets

  • Authenticated: will only run scripts from directory servers with a trusted binding between the client and server

  • PartialTrust: will only run scripts from directory servers configured in Directory Access to Digitally sign all packets

  • FullTrust: will only run scripts from directory servers configured in Directory Access to Digitally sign all packets and Block man-in-the-middle attacks (most secure)

Note

If you're using Active Directory for your directory services, you can only use PartialTrust, as most AD servers cannot support the requirements of FullTrust.


Once you've enabled scripts on the client, you need to use Workgroup Manager to define the scripts. Compose a shell script on your local machine, and then use Workgroup Manager to select that script. Scripts must be smaller than 30 KB, since the script itself is stored inside the directory entry.

Additionally you can use these settings to enable or disable the traditional loginhook and logouthook scripts. These scripts are defined using the following two commands:

sudo defaults write /var/root/Library/Preferences/com.apple.loginwindow LoginHook /path/to/script
sudo defaults write /var/root/Library/Preferences/com.apple.loginwindow LogoutHook /path/to/script


Any of these scripts could be used to modify the user's environment. The scripts are run as root and have the user name of the user that is logging in passed as the first argument. These scripts could be used for such things as preconfiguring Mail, adding items to the user's Desktop, recording login auditing information, or preconfiguring any other aspect of the user's session.
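
A login hook of the kind described above, recording login auditing information. This is an added example, not code from the book; the log path in AUDIT_LOG, the short-name pattern, and the function names are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example (not from the book): a LoginHook that records login audit data.
# loginwindow runs the hook as root and passes the login name as $1, so the
# argument is validated before it is written anywhere.
# AUDIT_LOG is a hypothetical path chosen for this example.
AUDIT_LOG="${AUDIT_LOG:-/var/log/login-audit.log}"

# Accept only conservative short names: 1 to 32 characters from
# [A-Za-z0-9._-], not starting with a hyphen (assumed naming policy).
valid_short_name() {
    case "$1" in
        '' | -* | *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# record_login NAME [LOGFILE]
# Appends one line per login. A name that fails validation is never copied
# into the log (it could carry newlines or forged fields); the event is
# recorded as rejected instead. Returns 0 when a line was written.
record_login() {
    name="$1"
    log="${2:-$AUDIT_LOG}"
    event=login
    if ! valid_short_name "$name"; then
        event=rejected-name
        name=-
    fi
    # Running as root: do not append through a symlink someone planted.
    # The log directory should itself be writable by root only.
    if [ -L "$log" ]; then
        echo "refusing to write to symlink: $log" >&2
        return 2
    fi
    old_umask=$(umask)
    umask 077                      # a newly created log file gets mode 0600
    printf '%s host=%s event=%s user=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(uname -n)" "$event" "$name" >> "$log"
    rc=$?
    umask "$old_umask"
    return "$rc"
}

if [ "$#" -gt 0 ]; then
    # Invoked as the hook: the first argument is the user logging in.
    record_login "$1"
else
    # No argument: demonstrate on constructed names, using a temporary file.
    demo=$(mktemp /tmp/login-audit.XXXXXX)
    record_login alice "$demo"
    record_login 'bob
event=login user=root' "$demo"     # constructed log-injection attempt
    cat "$demo"
    rm -f "$demo"
fi
```
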

Adding scripts to a computer list that force the scripts to be run at login and logout.
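
The client-side settings from this section can be checked with a short audit script, given here as an added example rather than code from the book. The default minimum of PartialTrust, the numeric ranking (taken from the order of the trust-level list above), and the function names are assumptions of the example.

```sh
#!/bin/sh
# Added example (not from the book): audit a client's loginwindow script
# settings. Run as root on the client, because the preferences are root's.
DOMAIN=/var/root/Library/Preferences/com.apple.loginwindow

# Rank of each MCXScriptTrust level, in the order the text lists them
# (Anonymous = least secure, FullTrust = most secure). Unknown values get -1.
trust_rank() {
    case "$1" in
        Anonymous)     echo 0 ;;
        DHCP)          echo 1 ;;
        Encryption)    echo 2 ;;
        Authenticated) echo 3 ;;
        PartialTrust)  echo 4 ;;
        FullTrust)     echo 5 ;;
        *)             echo -1 ;;
    esac
}

# audit_mcx_scripts ENABLED TRUST [MINIMUM]
# Returns 0 if acceptable, 1 on a finding, 2 if MINIMUM is not a known level.
audit_mcx_scripts() {
    enabled="$1" trust="$2" minimum="${3:-PartialTrust}"
    case "$enabled" in
        1 | TRUE | true | YES | yes) ;;
        *) echo "OK: MCX login scripts are not enabled"; return 0 ;;
    esac
    have=$(trust_rank "$trust")
    need=$(trust_rank "$minimum")
    if [ "$need" -lt 0 ]; then
        echo "ERROR: unknown minimum level '$minimum'"; return 2
    fi
    if [ "$have" -lt 0 ]; then
        # Fail closed: a missing or misspelled value is a finding.
        echo "FINDING: scripts enabled, MCXScriptTrust '$trust' is not a known level"
        return 1
    fi
    if [ "$have" -lt "$need" ]; then
        echo "FINDING: MCXScriptTrust '$trust' is below the minimum '$minimum'"
        return 1
    fi
    echo "OK: MCX login scripts enabled with MCXScriptTrust '$trust'"
}

# hook_file_ok PATH
# A LoginHook or LogoutHook runs as root, so the file must be a regular file,
# not a symlink, and not writable by group or others.
hook_file_ok() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

if command -v defaults >/dev/null 2>&1; then
    cfg_enabled=$(defaults read "$DOMAIN" EnableMCXLoginScripts 2>/dev/null)
    cfg_trust=$(defaults read "$DOMAIN" MCXScriptTrust 2>/dev/null)
    audit_mcx_scripts "$cfg_enabled" "$cfg_trust" || true
    for key in LoginHook LogoutHook; do
        hook=$(defaults read "$DOMAIN" "$key" 2>/dev/null) || continue
        hook_file_ok "$hook" ||
            echo "FINDING: $key '$hook' is missing, a symlink, or group/world-writable"
    done
else
    # No defaults command on this system: run on constructed sample values.
    audit_mcx_scripts 1 Anonymous || true
    audit_mcx_scripts 1 PartialTrust || true
fi
```
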

The Login Window pane can be used only when editing the MCX settings for a computer list. The options in this pane control the look and behavior of the Login window on the client computer.

Options here include items available through the standard Accounts preference pane as well as some additional items normally only available through preference files. You can define whether to use name and password entry fields or a list of users, and you can also define which types of users should appear in that list.

Settings are also available to determine whether the Restart and Shut Down buttons are present, whether auto-login is enabled, and whether password hints should be shown. If desired, you can provide a small amount of text to be included in the Login window, as shown in the following figure. This text can be used for anything ranging from implied usage agreements to contact information for users that are having trouble using the machine.

Finally, you have the option to disable the >console option. Users can normally type >console in the user-name field of the Login window, which will drop them out of the GUI environment and into a text-based login prompt. Other similar shortcuts are available in the Login window:

  • >power Shuts down the computer.

  • >restart Restarts the computer.

  • >console Exits the GUI session and drops to a text-based login prompt.

  • >exit Restarts the Login window. This is useful when making changes to /etc/authorization or other settings that affect the Login window.

The Options pane in the login preferences has only two options:

  • Enable Fast User Switching

  • Log out users after: N minutes of inactivity

As with the previous two panes, these options are available only when editing MCX settings for a computer list, as shown in the following figure:

Limiting Application Access

After the user logs in, you may wish to control what applications he or she can run. You can do just that with Workgroup Manager's Application preferences. These settings can apply to users, groups, or computer lists, and can specify a list of applications the user is allowed to use or a list of applications the user is prohibited from using.

If you don't see an application in the list, you can add it. If you're trying to maintain tight control of which applications the user can run, you should be aware that a number of applications have the ability to launch other applications. Deselect "Allow approved applications to launch non-approved applications" if you'd prefer to prevent this. Note that some helper applications are required by other applications, so in this case you must add the specific helper applications to the main list of allowed applications.

Similarly, you can remove the user's ability to execute UNIX utilities. Although this is a good idea for high-security environments, many applications also use UNIX tools as helpers. Those applications may not be fully functional if this setting is unchecked. Depending on what your users should be doing, this may be good or bad.

Note

A creative user can find ways to circumvent the application access settings, so consider this setting more of a guideline that just keeps honest people honest.


Setting Classic Preferences

Macintosh Classic applications run inside the Classic environment. This, too, can be managed with Workgroup Manager. If your users are frequently using the Classic environment, you may wish to automatically start Classic when they log in. For those users who don't need Classic regularly, you can enable a setting to warn users when the action of opening a document causes Classic to start.

Your environment may use multiple Classic configurations. By using Workgroup Manager's Classic preferences, you have the option of selecting which System Folder is used by this particular user, group, or computer. Leaving the "Use this System Folder when Classic starts" field blank will cause the regular location to be used.

The Advanced pane of Classic preferences includes some options related to security and other behaviors of Classic. If you'd like to ensure a consistent and secure Classic environment, you'll probably want to disable the special startup modes that disable extensions, as well as hide the Chooser, Network Browser, Control Panels, and other Apple Menu items. Other options in this pane help to bridge the gap between Classic and Mac OS X by storing the Classic preferences found in the user's Mac OS X home directories and control when the Classic environment will sleep if not in use.

Keep in mind that printing from Classic generally requires access to the Chooser. It should also be noted that your Application access preferences can also apply to applications running in Classic mode.

Note

Classic applications will not function on Macs using Intel processors.


Configuring Universal Access

Among the preferences available for management in Workgroup Manager are the Universal Access preferences. In most cases, they are used only to preconfigure systems for users with special needs. Through MCX settings, those users will be able to use different machines with the same Universal Access settings on each one. Since Universal Access is provided as a convenience for the user rather than as a restrictive security measure, you'll probably want to use the Once setting, rather than Always, which will allow the user to modify the extent to which he or she customizes the environment. For example, users may wish to alter the amount of screen zoom, repeating key delays, or mouse speeds.

Visually impaired users may need the Zoom features turned on, allowing them to zoom in on portions of the screen using Command-Option-+ (plus) or Command-Option-- (minus). Users who have difficulty distinguishing between colors have the option of removing colors from the GUI to create a higher contrast environment. Users who are visually impaired can also modify the icon-size settings, available through the Finder preferences.

Hearing-impaired users have an option in the Hearing pane for the screen to flash when the alert sound is played. This can help to alert them to error conditions or new mail delivery.

Tip

The zoom feature is also great for presentations when displaying tiny text on a projection screen.


Keyboard-based options are available in the Keyboard pane of Universal Access preferences. Users who are unable to press two keys simultaneously, such as the Command-S key combo that saves a file, can turn on Sticky Keys. With this option, a user can press a modifier key (Command, Option, Control, Shift) and then release it. The next key pressed will be treated as if the user had pressed the modifier and key simultaneously. Pressing a modifier key twice in a row will create a caps-lock-like state, in which the user can press the final key multiple times to repeat an action. One use of this feature is for multiple successive undo actions. If it is enabled, an image of the enabled modifier key will be shown in the corner of the screen.

Other users may be unable to tap keys and may hold keys too long. The Keyboard pane of Universal Access also addresses these users with Slow Keys. This setting will help avoid repeated keystrokes due to held keys.

Users who have difficulty using a mouse can use the numeric keypad to move the pointer around the screen. Settings are also present to control the speed at which the mouse moves.

The Options pane contains a box that can be checked or unchecked to enable or disable the keyboard shortcuts that turn each of these accessibility options on or off. Some users may prefer to have these shortcuts, while others will prefer to use the Preferences pane for management.

If you're applying Universal Access settings for a computer list, the Options pane also contains a box you can check to enable access for assistive devices on that computer. A text reader would be one such device. Note that to enable this feature, you must select Always for the frequency that you wish to manage this option.

Setting Network Preferences

The Network preferences can be used to configure the proxy settings for users, groups, or computers. These settings are the same settings found in the normal System Preferences Proxies pane and allow you to configure which intermediate servers provide the path for various kinds of Internet traffic.

Setting Internet Preferences

The Internet preferences can be set to preconfigure email and Web settings. These settings include the user's default email-reading and Web-browsing applications. Email-configuration parameters such as the user's email address and mail servers can also be configured here.

The Web pane allows you to set the user's home and search pages and also define where his or her downloaded files are stored. These settings can help maintain a consistent environment throughout your company, or can be used to maintain correct settings on a kiosk machine.

Setting Printing Preferences

Depending on the printing habits of your users, you may be using the printing preferences for a variety of reasons. You may set up the lists of printers for the convenience of your users by defaulting their printers to the ones located closest to them, or you may use these MCX settings to restrict which printers the user can access.

Options are available on these preference panes that can restrict the user's ability to change these settings.

Setting Software Update Preferences

Some organizations may have a local Software Update server hosted on a Mac OS X Server. This might be done for a number of reasons:

  • Internet bandwidth savings: Your client machines all obtain their updates from a local server rather than each going to the Internet for its updates.

  • Work around firewall settings: A tight firewall at an organization may not allow software update traffic outside of the organization. By mirroring updates, client machines don't need to talk to the public Apple Software Update servers.

  • Approve updates: Some software updates may break functionality critical to an organization. The Software Update server allows the server administrator to test and approve updates before the client machines see them.

Before you can restrict accounts to a specific Software Update server, you must first set up that server as a Software Update server.

See Lesson 1, "Developing a Deployment Strategy," and Lesson 6, "Maintenance," for information on setting up a Software Update server.

To configure clients to see your local Software Update server, enter the URL of your server.

You can also specify this on unmanaged computers from the command line:

sudo defaults write com.apple.SoftwareUpdate CatalogURL http://your.server.name:8088/index.sucatalog


Note

The Software Update server is not intended to host non-Apple software updates. Each software update is signed by Apple. Without this digital signature, the client on your network will not recognize an update. There are some work-arounds published on the Internet, but they involve replacing the public certificate on each of your clients and re-signing every Apple update. Not only is this tedious, but it could also be insecure. A much better approach is to use Apple Remote Desktop (ARD) to push out your non-Apple software updates.


Setting Energy Saver Preferences

The Energy Saver preferences are available only if you're assigning MCX settings to a computer list. The button will not be visible if you're looking at users or groups. This pane allows you to assign power-management settings to the computer. Note that there are separate tabs for Desktop and Portable. These panes are functionally identical, except the Desktop pane has a menu where you select whether you're using Mac OS X or Mac OS X Server, while the Portable pane allows you to set different options depending on whether your laptop is plugged in with the power adapter or is on battery power.

For each configuration, you can either set a preset configuration based on minimum energy usage or maximum performance, or move the slider to the left and use custom settings defining the computer sleep time, display sleep time, and whether the hard disks should spin down when not in use. By choosing Options in the Settings menu, you also have the following options available:

  • Wake when the modem detects a ring

  • Wake for Ethernet network administrator access (Wake-on-LAN)

  • Restart automatically after a power failure

  • Processor performance: Highest/Reduced/Automatic

The Battery Menu pane only contains an option to show the battery status in the menu bar. The Schedule pane allows you to configure Mac OS X or Mac OS X Server to start, sleep, or shut down the computer at specified times, as shown in the following figure:

Configuring the Shell

Workgroup Manager can also be used to configure aspects of the user's environment through the Accounts panes. These settings are not MCX rules, and can only be applied to individual users. After selecting a user in Workgroup Manager, you can click the Accounts button in the toolbar and then the Accounts tab on the left side of the window. Select a user or users there prior to changing that user's (or those users') account information. In the Advanced pane, you can change the user's login shell, as shown in the following figure. This has an effect on the behavior of the user's Terminal and SSH sessions.

There are two main variants of shells: those based on the Bourne shell, including /bin/sh, /bin/bash, and /bin/zsh, and those based on the C Shell, /bin/csh and /bin/tcsh. Setting the user's shell to None sets the shell to /dev/null. This disables any Terminal shell access but does not disable the user's ability to run commands. He or she just can't do it from a shell prompt.

The default shell in Mac OS X is /bin/bash. Users may have a preferred shell, or your organization may wish to standardize on an alternate shell.




Apple Training Series: Mac OS X v10.4 System Administration Reference, Volume 2
ISBN: 0321423151
EAN: 2147483647
Year: 2006
Pages: 128
