Mac Systems Management

johannacw writes "This story has in-depth info about managing Macs using Apple's Managed Preferences architecture. It covers how to use the 14 built-in systems-management areas, how preferences interact, how to secure workstations, and how to help users access resources including applications and printers. It's a must-read for any systems admin working in a Mac or mixed environment. Written by Ryan Faas, this is a follow-up to his popular Inside Apple's Workgroup Manager."

Interesting but....

[tonsofpcs]

How easily deployable are settings of this sort?

Re:Interesting but....

[_merlin]

Just as deployable as MS AD Group Policy: you define policy for the domain, and member computers pick it up. Obviously, you need a domain master, and you need to bind the target computers to the domain. But this is no different to any other directory service.

Re:Interesting but....

[rizzo320]

In most cases a "golden triangle" is used where the Mac is bound to both Active Directory and Open Directory. The login credentials for users are managed in Active Directory, where as the managed preferences for the workstations are managed in Open Directory. It's a pretty common setup.

If you really need to blend in with your Active Directory environment, you can bypass workgroup manager altogether and go with ADmit Mac by Thursby Software. Though on the pricey side, it allows you to do much more from with AD than the standard features of OS X. The last time I checked, it even allowed you to apply certain types of group policies onto the managed Macs... very cool stuff.

Re:Interesting but....

[somersault]

"If you really need to blend in with your Active Directory environment, you can" use a BlendTec blender!

Couldn't resist..

Another alternative - Centrify

[plsuh]

Another alternative to a Golden Triangle is to use Centrify for the Mac [centrify.com] if you have Windows sysadmins who just won't countenance a Mac server. Centrify uses the same underlying mechanisms as Workgroup Manager but lets a directory admin on a Windows server manage the Macs as though he were applying GPO's to Windows machines. While I think a Golden Triangle is preferable, Centrify works well when you just can't install a Mac OS X Server.

--Paul

Re: AdmitMac is bad software

[rbanzai]

I've spent the last year cleaning up the mess left behind by AdmitMac at my company. This software is awful, so bad in fact that Thursby has removed their online support forum due to the tidal wave of complaints.

The worst bug: AdmitMac will simply refuse to allow a user, and sometimes even a local administrator from logging in! It did this from the earliest version we used in 2006 to the last version in early 2007. I would get late night and weekend calls from the CFO or the CEO that they couldn't log in an

Re:

[nko321]

Forgive the newbiness, but how does one login on a Mac using an Active Directory account? Does this require 3rd party software? I looked into it a few months ago and gave up after a day or two.

Re:

[rizzo320]

Forgive the newbiness, but how does one login on a Mac using an Active Directory account? Does this require 3rd party software? I looked into it a few months ago and gave up after a day or two.

Make sure your Mac is plugged into the network, then go to /Applications/Utilities/Directory Access.app. In the services tab, make sure "Active Directory" is checked/enabled. Then click on "Active Directory" so it's highlighted, and press "Configure". It will ask you for your domain settings. In addition, go do

Re:

[nko321]

Thanks for the reply! I've set these settings... where do I go to login? On reboot, I've tried entering my AD username / password and DOMAIN\username / password but neither are understanding my intention. I had already binded myself to the domain, so to comply with your instructions, I first unbind-ed from the domain, then re-bind-ed. Am I bound properly?

Re:

[rizzo320]

It sounds like you added the computer to Active Directory correctly. Make sure the system time is correct. It needs to be within so many minutes of the domain controller, otherwise it will refuse to login. There could also be other issues going on. Check the system.log to see any error messages.

A basic article about a 2-year-old OS is news?

[Logic Bomb]

Why is this on Slashdot? I guess it might be of some interest to people who don't manage OS X professionally. But this is a fairly basic overview of features from an OS released over 2 years ago! I cannot imagine why anyone would spend time writing this now. It's not like the information isn't already out there... like in the product documentation. Seriously, why is this on Slashdot? Did the editor think it was about 10.5 or something?

Re:

[aichpvee]

I think they write it because they like ad revenue. But I could be wrong, it's bound to happen sooner or later.

Re:

[intx13]

It's not like the information isn't already out there... like in the product documentation.

FMs are less read than FAs!

Did the editor think it was about 10.5 or something?

I'm sorry, I don't understand... what is this "editor" you speak of? :)

Re:

[jasonwea]

I'm sorry, I don't understand... what is this "editor" you speak of? :)

I thought it was just another name for a drinking bird.

Re:A basic article about a 2-year-old OS is news?

[Whiney Mac Fanboy]

Seriously, why is this on Slashdot? Did the editor think it was about 10.5 or something?

Indeed - this so-called-article is taking up valuable iPhone fluff story screen real estate.

Re:

[The Orange Mage]

There's articles about Amiga stuff here on /. sometimes you know. :P

Re:

[mdwh2]

Yes, very occasionally, in proportion to when anything's happened. As opposed to articles everytime someone decides to write about something minor, as seems to be the case with Apple.

Re:

[bursch-X]

OK I'll bite, although you're AC and everything. This article said nowhere "why OS X blows Windows out of the water" it didn't say "why OS X is better than Windows", so I don't get why you would start advocating your borg mothership without anybody else involved even thinking about it.

Are you trying to turn any intelligent discussion into an OS flamewar? Yes, maybe your dick is bigger, but you still don't get laid. Get a life. Or a pussy. Or better both.

Re:

[Mister Whirly]

"This article said nowhere "why OS X blows Windows out of the water" it didn't say "why OS X is better than Windows""

Of course it didn't. On Slashdot, those two things are just assumed.

"Are you trying to turn any intelligent discussion into"
...a discussion about an AC's genitals??

Re:Manage your macs...

[Lehk228]

but managing macs IS easy

1) turn on mac

2)periodically remind typical mac user that the computer is not thirsty and does not require watering like a plant.

Re:

[somersault]

Word! Or Writer.. or something

Macs aren't supposed to be "managed"

[weak*]

iThey're ifree-spirited isystems ifor ifree-spirited ipeople, iremember?

Re:

[RuBLed]

Yup! Macs should be iManaged.

Re:

[mjcecil]

Now THAT's funny :) I love the iUniform. Standard-issue to free-thinkers everywhere.

I'm not even sure that they were supposed to even let me in this coffeeshop with my MS-laden beast. It doesn't even have a glowing logo on the lid. I think I was grandfathered in because I'm so "old".

iFree-spirited... hee.

Re:

[joeytmann]

Its funny that you compare this to a MS product that hasn't been around in atleast 5 years and was orginally developed over 10 years ago.

Re:You can hardly manage the Mac from there

[SideshowBob]

Um, no. What are you even talking about? When you connect to that computer you have to authenticate with a username and password. You will only be able to access data remotely that you could access if you were logged in as that user locally.

And I don't get what your second problem is. If you had personal file sharing turned on, then your Linux box must've been connecting to your Mac via afp.

I think you're just very confused.

Re:

[tsa]

So I'm modded Overrated and I have my sanity questioned by someone who didn't read my post well, just because I said something negative about Apple. What also is interesting is that the person who thinks I'm confused was modded Insightful. And I didn't get modded Offtopic. My post is Offtopic, because it's about the 'normal' version of OSX, not the server version. Way to go moderators.

no, you are wrong

[PDubNYC]

What the original poster is trying to say, and repeatedly getting misunderstood about, is that turning on either FileSharing or Windows Files Sharing shares his entire home directory, including all of his personal files, and any home directory applications, and there is no built-in way to only share particular folders.

I agree with this point, as I wish that I could specify a particular folder to share, but overall, since I am running client software, and use file servers when in an environment of other user

Re:

[MysteriousPreacher]

I think the other poster makes a valid point. You took a very sensationalist approach in your post and made some assertions that just don't stand-up.

Although you say that the applications and user data are available for all to see, this is only true if you've chosen very bad passwords. You can disable sharepoints by removing the Sharedir property. Also, a change of permissions will yield similar results. Personally I prefer a more locked-down system by default but this isn't OpenBSD we're talking about, so

Re:

[ickoonite]

If you want to share a folder for use on a Windows computer, you can only share all home directories, or nothing.

Valid point, although it's not as though they aren't passworded (which your post almost seems to imply). Complexity is sacrificed for ease-of-use, though whether this is a good thing or not is, I suppose, ultimately down to who is using the system. For the average user, it won't be a problem, because they probably won't know what Windows File Sharing is, and if they do, it will be sufficient.

Re:

[tsa]

You're right, I made a mistake. In my post I said that I had almost all file sharing switched on, and then I could see my harddisk with my Linux PC. That was wrong, I had it switched off. Only Samba and sshd were running. My sincere apologies for this stupid typing error and the confusion it caused. The fact that I could see my whole harddisk on my Linux PC even with Personal File Sharing switched off still puzzles me. I'm certain it was not a samba issue.

The password handling problems of Samba in OSX are k

Re:

[ickoonite]

The fact that I could see my whole harddisk on my Linux PC even with Personal File Sharing switched off still puzzles me. I'm certain it was not a samba issue.

Interesting. The key thing is, though, were you able to see the whole hard disk via Windows File Sharing (i.e. port 139, SMB/CIFS) or via Apple File Sharing (i.e. port 548, AFP). It takes some effort to get Linux to talk to AFP shares, if memory serves, which means that it is far more likely that it was via Windows File Sharing. In the latter case, i

Re:

[tsa]

Thanks again for your comments. I'm sure I saw the files via AFP. I don't know exactly what the problem is, but I am certain that samba definitely doesn't serve my whole harddisk.
As for the password handling in samba on my Mac, I'll look into that a bit more. It is confusing; I can't use the same smb.conf on my Mac as I have on my Linux box. For some reason that doesn't work properly. I'm at work now, and it has been a while since I last tried to configure Samba for the Mac, so unfortunately I can't tell yo

Re:

[tsa]

I use Ubuntu. Apparently I have these packages installed.

Re:

[ickoonite]

I can't use the same smb.conf on my Mac as I have on my Linux box.

Indeed you cannot, and this has a lot to do with what I alluded to in an earlier post - I suspect that rather than using the smbpasswd file (as Linux does), Mac OS X uses NetInfo. Just transplanting a Linux-oriented smb.conf into your Mac will thus not work.

I think you need to be a bit clearer about what's doing what. It is certainly true that Apple File Sharing will share your whole hard disk, but you need to log on as one of the users

Re:

[somersault]

"The problem in Windows is that there is no easy way to turn such sharing off"

Go to Control Panel, Networking, Right click on the interface you want to remove sharing from, and remove File and Printer sharing? You talk the talk, but can you walk the walk? (just kidding, I'm one of those mediocre Linux types, though I'd be fine with editing smb.conf now that I know it's there on OS X). Also you can check your shares by right clicking on My Computer, then choose Manage, then Shared Folders->Shares. Sad

Re:

[ickoonite]

Go to Control Panel, Networking, Right click on the interface you want to remove sharing from, and remove File and Printer sharing?

Ah yes. It's all coming back to me now. These days, I only venture into network device properties to turn off the fucking firewall...

iqu :P

Re:

[Nutsquasher]

SharePoints for Mac ( http://hornware.com/sharepoints/ [hornware.com]) lets you setup shares on your Mac from any directory you have rights to.

It's GUI based. You can either install the Application version, or the "System Preferences" version, both which are available in the download.

You can setup SMB shares for Windows/Linux/Mac clients, or AFS shares for Mac/Linux clients (not sure if Windows does AFS - never looked into it).

After setting up a SMB share, ensure that "Windows Sharing" is enabled under "Sharing" in

Re:

[GanjaManja]

Perhaps this program would make things easier?
http://www.macupdate.com/info.php/id/8658/sharepoi nts [macupdate.com]

it may give you some correctly configured config files that you can then just copy over to all the client computers.
Since it just uses an absolute path, you should be able to set up a Windoze shared folder that's the same path on every computer. I use this to share a non-home-folder folder, with it's own user/pw.

from the command-line

[mzs]

Or if you want to do it from the command line there is a perl script here to do it:

    http://www.macosxhints.com/article.php?story=20011 119095823908 [macosxhints.com]

Re:

[MCSEBear]

Turning on sharing doesn't share every users home directory. It shares the public directory inside their home directory.

Re:

[dana340]

well, normally I'd say RTFA, but i think we can go back to the old adage RTFM. Sideshow's right. What's your admin password set to on your mac. do you have other unsecured accounts? and please tell me you're running OSX. Also, I'd like to make a note, that i have personally worked in mixed windows domain, Mac environments. Macs handle the role of windows domain controllers better than windows machines. (over 5000 users)

system administration

[ianare]

But where are the ready-made commands to paste into terminal? The neat perl scripts? I thought the whole point of Mac was that you could use the UNIX underneath for administration? I mean if the extent of possibilities is "click here, then click here" you might as well run server 2003.

Re:

[lakeland]

You can, and it works fine. It isn't quite as easy as editing /etc/fstab (here's /etc/fstab from a computer I'm currently sshed into...

andrea-lakelands-computer:~ corrin$ cat /etc/fstab.hd
IGNORE THIS FILE.
This file does nothing, contains no useful data, and might go away in
future releases. Do not depend on this file or its contents.
--
As you can see, apart from the warning it now contains nothing (this is on 10.4.10). I think on 10.3 it contained the warning and mounted volumes ala /etc/mtab but that coul

Re:

[Lord of Hyphens]

It's the same kind of person who likes using the Windows GUI for server config. It's just they way they want to do it; it feels easier to them; companies are well within their rights to keep that market segment appeased. Now, don't let that stop your CLI/GUI holy wars [elsewhere.org][jargon file], though (see many of the comments in the recent story stating netcraft confirms IIS gaining on Apache [slashdot.org] for a decent example of these kind of people as well as a ongoing holy war fought on the shores of our own beloved /.).

I, f

Re:system administration

[Graff]

You mean like:
Mac OS X Server Command-Line Administration PDF [apple.com]

Here's a web page with all the manuals for Mac OS X Server, lots of good information there:
Apple Server Documentation [apple.com]

Re:

[Savage-Rabbit]

But where are the ready-made commands to paste into terminal? The neat perl scripts? I thought the whole point of Mac was that you could use the UNIX underneath for administration?

In my experience OS X administration is pretty much the same as administrating a BSD, Linux or Unix system. There are and always will be differences between them but the basic principles are the same. On OS X I very rarely go for point and click interfaces except the System Preferences and the Disk Utility and I can usually transfer what I know about Linux/BSD/Unix to OS X.

I mean if the extent of possibilities is "click here, then click here" you might as well run server 2003.

Contrary to what seems to be the popular opinion, Windows 2003 server has a quite powerful command-line interface. For some reason sur

Re:

[CtrlShiftEsc]

I wasn't going to mention that but --exactly. Windows Server Administration grew up on GUI's where the command-line equivalent utilities, in some areas, were implemented as an afterthought. I think this is why it put off a lot of Unix Admins that I used to know. Things have certainly changed and 2003 is almost as scriptable from the command line as the GUI. Server 2008 takes things to the next level entirely where you can deploy truly headless servers. I haven't even mentioned the Powershell. Unfortun

Re:

[Sandbags]

Mac OSX is UNIX, but as a UNIX admin you would know there are virtually no pre-defined scripts for administration. There are commands that can be run from shell for administration and remote administration, but they're almost all server based, not client, and the type of server your connecting to makes a BIG difference. With this central management system on a MAC OSX Server in the network, these settings can now become host environment independent, and it really doesn't matter if the domain is a UNIX, No

Re:

[Jellybob]

While a Mac OS X system can authenticate against an AD setup, the subject of this document is *OD* - or Open Directory. It's very similar, but it's not the same thing. An earlier post has pointed out that it can be done via Active Directory, but it's third party software.

At work we have both a Windows 2003 domain controller, which looks after authentication and file sharing for everybody, and a Mac OS X server, which provides the equivalent of group policies for the Apple machines used.

Workgroup Manager

[nevali]

It's worth noting that Workgroup Manager is a handy tool to run on your own Mac, even without an Open Directory domain, as it's a bit more flexible than Accounts.prefpane, especially for (for example) configuring limited accounts for family members.

It's part in the Server Admin Tools: http://www.apple.com/support/downloads/serveradmin tools104.html [apple.com]

I don't know if the license/installer says you have to have a Mac OS X Server installation to use them, because I haven't looked.

Mixed Messages

[MSTCrow5429]

What? Mac has systems management? That's impossible, everyone knows Mac is so easy to use, and virus-free, that it's the toaster of computers.

Used this for a long time

[guruevi]

I've used this in an all-Mac environment. You can't beat it with anything. I have it for home now.

It's kinda like Active Directory but much more simple, open and you can integrate it with other (non-Mac) systems since it's pure LDAP (over SSL) and Kerberos. There is even a feature to integrate and manage your Windows machines without using Active Directory. Combine it with Apple Remote Desktop and Apple's Software Update Service and you can deploy whatever package or update you want within seconds (it uses multicasting to save on bandwidth, eat that Microsoft)

Whoooo you can remotely manage a computer

[Coolhand2120]

The fact that this is a story show how far behind Apple is in remote management. Everything here I could do on *inx or MS computers for at least a decade, why is this news? I guess there has to be some padding between the regular blowjobs that /. likes to give Apple. oh wait, this is one of those huh. Geeze get a room.