Mac Management in a University Environment Kevin Hanson Emerging Pathogens Institute University of...
-
Upload
lesley-terry -
Category
Documents
-
view
216 -
download
1
Transcript of Mac Management in a University Environment Kevin Hanson Emerging Pathogens Institute University of...
Mac Management in a University Environment
Kevin Hanson
Emerging Pathogens InstituteUniversity of Florida
Topics
• Intro• Active Directory Authentication• Open Directory Management &
Preferences• Apple Remote Desktop• Third Party Options
Intro• Support Macs otherwise you have
unmanaged Hosts• Cost of entry
– UFAD Free!!!!!!!– Open Directory at a minimum $1,078
• Add value to the customer experience– Reduce non-science & non-academic work
• Be ever mindful of campus initiatives
AD Authentication
On the Windows Side• Use a valid AD Domain Name (i.e. ad.ufl.edu)
– Underscores are NOT valid characters, but AD will allow them. This WILL BREAK OS X AD integration. (http://support.apple.com/kb/TS1532?viewlocale=en_US )
• Avoid using more than 14 charactersOn the OS X side• Configure Network Preferences• Configure Sharing• Configure the AD Plugin
Configuring Network Preferences
• DNS Server must be able to resolve AD service records
• Search Domains should contain, at minimum, the AD domain name
Configuring Sharing• Set the computer
name under System Preferences>Sharing (must reboot after rename)
• Avoid using more than 14 characters
Configuring the AD Plugin
• System Preferences>Users & Groups>Login Options>Edit
• Open Directory Utility>Configure Active Directory Plugin
Configuring the AD Plugin
• Specify UFAD server as ad.ufl.edu
• Eliminate underscores ( _ )
• Provide domain credentials
Configuring the AD Plugin
• Set ‘Allow administration by’ and add appropriate groups to allow administrator rights
• ‘Allow authentication from any domain…’ should be enabled for troubleshooting purposes
Configuring the AD Plugin
• System Preferences>Users & Groups>Login Options
• Set ‘Display login window as’ name and password
• Turn off automatic login
• Reboot
Configuring the AD Plugin
(troubleshooting)• Directory Service Debug Logging (10.5,10.6)
– Has a “Level 7” flag that includes more information than typical DSDebug logging.
– http://support.apple.com/kb/HT3186 • Grepping & Tailing the DS Logs:
– Grep “Active Directory” /Library/Logs/DirectoryService/DirectoryService.debug.log
– Tail –F /Library/Logs/DirectoryService/DirectoryService.debug.log | grep <…>
• Reduce log level once done to avoid excessive log files
Configuring the AD Plugin
(troubleshooting)• Directory Service Debug Logging (10.7,10.8)
– Has two options debug & default levels – Debug level includes more information than typical
logging.– http://support.apple.com/kb/HT4696
• Grepping & Tailing the DS Logs:– Grep “Active Directory” /var/log/opendirectoryd.log– Tail –F /var/log/opendirectoryd.log | grep <…>
• Reduce log level once done to avoid excessive log files
Additional AD options• A Mac joined to AD
can utilize the home folder location set in the profile in ADUC
Open Directory
• Free Open Directory training from lynda.com (http://www.lynda.com/Mac-OS-Server-10-7-tutorials/Mac-OS-X-Lion-Server-Essential-Training/83740-2.html)
• Consult Apple documentation (http://www.apple.com/support/osxserver/)
• UF IT Wiki (http://wiki.it.ufl.edu/wiki/Apple_OS_X)
Open Directory
• Determine capacity needs and purchase appropriate hardware
• Set DNS record i.e. od.ns.ufl.edu, macserv1.epi.ufl.edu
• Join Mac Server to UFAD– Utilize UFAD accounts to apply policy preferences
• Setup Open Directory Master– Open Directory Replica
Open Directory Server Consoles
• 10.5 Leopard,10.6 Snow Leopard,10.7 Lion– Server Admin (Managing Open Directory and adding
services)• DHCP, DNS, Firewall, Software Update, NetBoot, RADIUS
– Server (Managing Services provided by server)• File sharing, Address Book, Mail, iCal, iChat, Web services,
Time Machine
– Workgroup Manager (Managing users, groups, policy preferences)
Open Directory Server Consoles
Open Directory Server Consoles
Open Directory Server Consoles
Open Directory Server Consoles
• 10.8 Mountain Lion– Server Admin (Managing Open Directory and adding
services)• DHCP, DNS, Firewall, Software Update, NetInstall, RADIUS
– Server (Managing Services provided by server)• file sharing, Address Book, Mail, iCal, iChat, Web services,
Time Machine
– Profile Manager (Delivers configuration profiles and Mobile Device Management for Macs running OS X 10.8, 10.7 & iOS devices. Allows configuration of pin and password policies and policy enforcement)
– Workgroup Manager still available as an option as a separate download (http://support.apple.com/kb/HT5308 )
Setup Server Services• Software Update (WSUS)
– 10.5,10.6,10.7 just local repository– http://macserv1.ufl.edu:8088/content/catalogs/others/
index-lion-snowleopard-leopard.merged-1.sucatalog.composite
– 10.8 new features for auto download and install of system and security updates
– http://macserv1.ufl.edu:8088/content/catalogs/others/index-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog.composite
• Time Machine– Time machine to backup OD server– Time Machine as a backup destination for
managed Macs– For Mac Mini can attach an external thunderbolt drive– Purchase a Mac Pro with internal drives
Setup Server Services• OS X Deployment
– NetBoot (WDS) https://help.apple.com/advancedserveradmin/mac/10.7
• Shares and protocols configured on server to support distribution
• Stores system images on server that EFI-based Intel Mac can access
• Renamed NetInstall for 10.8 https://help.apple.com/advancedserveradmin/mac/10.8/
– System Image Utility• Making Netboot and other image sets for Macs in
environment• Included in Server Admin tools
– 10.7 http://support.apple.com/kb/HT5315 – 10.8 This utility is installed with OS X in the
/System/Library/CoreServices/ folder.
– Boot Mac holding down the N key (blinking Grey globe)
Setup Server Services• Profile Manager (MDM Mobile Device
Management)– Apples solution for managing mobile iOS & OSX– First showed up in Lion 10.7 http
://www.apple.com/support/lionserver/profilemanager/
– Again in Mountain Lion 10.8 with more features including app push http://www.apple.com/support/osxserver/profilemanager/
– Review http://krypted.com/iphone/configuring-using-profile-manager-2-in-os-x-mountain-lion-server/
• Public IP requirements (security office review)– Certificates, encryption
Setup Managed Preferences
• Work Group Manager Console 10.6, 10.7, 10.8 (transition)
• Think GPO• Considerations
– UFAD handles authentication, OD handles computer behavior– Setup groups of computers as you would an OU in GPMC to
apply GPOs– Setup groups of UFAD accounts to allow exceptions to
preferences• Precedence is
– User preferences > – User Group preferences > – Workstation preferences > – Workstation Group preferences
Setup Managed Preferences
• Recommendations– Setup Login settings
• AUP/ULA Legalize for accessing UF equipment• Force Name and Password• Disable automatic login• Set screen saver i.e. 20min• MAP NETWORK DRIVES• Manage FileVault settings for portable Macbook Pro and Air
– Make all accounts mobile including desktops for that time when the network goes down.
• Same as windows caching credentials
– Inside System Preferences • Exclude Users & Groups (avoid local accounts, deleting IT account,
demotion or promotion of admin rights)• Exclude Sharing (avoid Macs sharing disks and customer turning off
remote desktop for remote administration)• Exclude Security & Privacy (mitigate avoidance of screen saver
password)
Setup Managed Preferences
• Recommendations– Manage Power settings
• save energy • software updating
– Deploy Printers• Bonjour
– Setup Software Update• More valuable in 10.8
– Manage network • Disable airport for hard wired iMac, Mac Pro, Mac Mini• Disable internet sharing
• Demo
Login Preferences
Options for login window text and style of login options
Login Preferences
Options for screensaver timing
Login Preferences
Options for automatically mounting network shares
Mobile Preferences
Options for creating mobile account (cache credentials) while off network
System Preferences
Options for restricting icons in system preferences to help avoid circumventing settings
Power Preferences
Options for energy usage
Print Preferences
Options for printer installation from network printers
Software Update Preferences
Options for pointing Macs to local update repository
Network Preferences
Options for disabling Airport on desktops
FileVault Preferences
Options for turning on FileVault for all managed Macs
Time Machine Preferences
Options for time machine to network location
Configure the OD Plugin
• System Preferences>Users & Groups>Login Options>Edit
• Open Directory Utility
• Highlight LDAPv3 and press the configure button
Configure the OD Plugin
• Expand the options chevron & press new
• Enter the Open Directory server name and press continue
• Verify Computer ID and provide credentials
Configure the OD Plugin
• Review LDAPv3 settings
• Note distinguished Name
Apple Remote Desktop
• Documentation– http://www.apple.com/remotedesktop/– http://manuals.info.apple.com/en_US/ARD_Task_Server.pdf
• Features– Remote Control– Remote Observe– Software installation– Copy files– Issue UNIX commands
• Licensing and Cost– $79.99 to manage 20 computers– $499.99 Unlimited Managed System Edition
• Install task server function on dedicated Mac server
Apple Remote Desktop
• ARD setup– Start with Scanner – Utilize local administrator account for administration
Apple Remote Desktop
• ARD Console
Apple Remote Desktop
• Useful Mac Commands– (add to administrators group) Dscl –u localadmin –P *********** . –
append /Groups/admin GroupMembership trusteduser– (improve network performance) sudo sysctl -w
net.inet.tcp.delayed_ack=0 • http://www.jeremycole.com/blog/2010/01/13/delayed-ack-in-o
s-x-is-incomprehensible/
– (enable spotlight indexing of network drive) mdutil /Volumes/name –i on
• http://jonathansblog.co.uk/how-to-enable-spotlight-indexing-on-a-network-drive
– (show hidden files in finder) defaults write com.apple.finder AppleShowAllFiles TRUE
– (change display sleep time) sudo pmset displaysleep 15– Boot from CD by holding down C– Reset NVRAM Command-Option-P-R
• http://support.apple.com/kb/ht1379 Startup disk help with BootCamp
Third Party Options
• SCCM 2012– UF Initiative– Hardware Inventory– Software Inventory– Application Deployment– Configuration deployment and compliance
• JAMF www.jamfsoftware.com – Casper suite
• OS X
– Inventory– Imaging– Patch management (more configuration options)– Software deployment– Settings Management
• iOS– Inventory– Configuration
– Can work on Linux, Windows 2008 R2 or Mac Server• Need Java, TomCat & MySQL
Third Party Options
• JAMF (continued)– Onsite setup and training $6,000 (required)– $90.00 per client fee waived because of academic pricing– Annual maintenance of $18.00 per device per year
• Absolute Manage (www.absolutesoftware.com)– Supports Windows, Linux, Mac, iOS & Android– Inventory, Imaging, Power Management, Patching, Application
Deployment– $30-$40 per seat
• OpenLDAP on Linux– Cost of a VM– Add Apple Schema– Add Mac attributes to LDAP– Use Workgroup manager
Outlook Auto discover• iMac, Mac Pro, Mac Mini
desktop devices are on campus typically and should utilize autodiscover to resolve mail.ufl.edu to https://outlook.mail.ufl.edu/EWS/Exchange.asmx– Private IP
• For Macbooks & Mac Air off campus and to avoid VPN usage disable autodiscover by using Apple Script syntax:– Tell application “Microsoft
Outlook”– set background autodiscover of
exchange account 1 to false– end tell
• Set server to https://mail.ufl.edu/EWS/Exchange.asmx– Public IP