Mac Management in a University Environment

Kevin Hanson

Emerging Pathogens InstituteUniversity of Florida

kshanson@ufl.edu

Topics

• Intro• Active Directory Authentication• Open Directory Management &

Preferences• Apple Remote Desktop• Third Party Options

Intro• Support Macs otherwise you have

unmanaged Hosts• Cost of entry

– UFAD Free!!!!!!!– Open Directory at a minimum $1,078

• Add value to the customer experience– Reduce non-science & non-academic work

• Be ever mindful of campus initiatives

AD Authentication

On the Windows Side• Use a valid AD Domain Name (i.e. ad.ufl.edu)

– Underscores are NOT valid characters, but AD will allow them. This WILL BREAK OS X AD integration. (http://support.apple.com/kb/TS1532?viewlocale=en_US )

• Avoid using more than 14 charactersOn the OS X side• Configure Network Preferences• Configure Sharing• Configure the AD Plugin

Configuring Network Preferences

• DNS Server must be able to resolve AD service records

• Search Domains should contain, at minimum, the AD domain name

Configuring Sharing• Set the computer

name under System Preferences>Sharing (must reboot after rename)

• Avoid using more than 14 characters

Configuring the AD Plugin

• System Preferences>Users & Groups>Login Options>Edit

• Open Directory Utility>Configure Active Directory Plugin

Configuring the AD Plugin

• Specify UFAD server as ad.ufl.edu

• Eliminate underscores ( _ )

• Provide domain credentials

Configuring the AD Plugin

• Set ‘Allow administration by’ and add appropriate groups to allow administrator rights

• ‘Allow authentication from any domain…’ should be enabled for troubleshooting purposes

Configuring the AD Plugin

• System Preferences>Users & Groups>Login Options

• Set ‘Display login window as’ name and password

• Turn off automatic login

• Reboot

Configuring the AD Plugin

(troubleshooting)• Directory Service Debug Logging (10.5,10.6)

– Has a “Level 7” flag that includes more information than typical DSDebug logging.

– http://support.apple.com/kb/HT3186 • Grepping & Tailing the DS Logs:

– Grep “Active Directory” /Library/Logs/DirectoryService/DirectoryService.debug.log

– Tail –F /Library/Logs/DirectoryService/DirectoryService.debug.log | grep <…>

• Reduce log level once done to avoid excessive log files

Configuring the AD Plugin

(troubleshooting)• Directory Service Debug Logging (10.7,10.8)

– Has two options debug & default levels – Debug level includes more information than typical

logging.– http://support.apple.com/kb/HT4696

• Grepping & Tailing the DS Logs:– Grep “Active Directory” /var/log/opendirectoryd.log– Tail –F /var/log/opendirectoryd.log | grep <…>

• Reduce log level once done to avoid excessive log files

Additional AD options• A Mac joined to AD

can utilize the home folder location set in the profile in ADUC

Open Directory

• Free Open Directory training from lynda.com (http://www.lynda.com/Mac-OS-Server-10-7-tutorials/Mac-OS-X-Lion-Server-Essential-Training/83740-2.html)

• Consult Apple documentation (http://www.apple.com/support/osxserver/)

• UF IT Wiki (http://wiki.it.ufl.edu/wiki/Apple_OS_X)

Open Directory

• Determine capacity needs and purchase appropriate hardware

• Set DNS record i.e. od.ns.ufl.edu, macserv1.epi.ufl.edu

• Join Mac Server to UFAD– Utilize UFAD accounts to apply policy preferences

• Setup Open Directory Master– Open Directory Replica

Open Directory Server Consoles

• 10.5 Leopard,10.6 Snow Leopard,10.7 Lion– Server Admin (Managing Open Directory and adding

services)• DHCP, DNS, Firewall, Software Update, NetBoot, RADIUS

– Server (Managing Services provided by server)• File sharing, Address Book, Mail, iCal, iChat, Web services,

Time Machine

– Workgroup Manager (Managing users, groups, policy preferences)

Open Directory Server Consoles

Open Directory Server Consoles

Open Directory Server Consoles

Open Directory Server Consoles

• 10.8 Mountain Lion– Server Admin (Managing Open Directory and adding

services)• DHCP, DNS, Firewall, Software Update, NetInstall, RADIUS

– Server (Managing Services provided by server)• file sharing, Address Book, Mail, iCal, iChat, Web services,

Time Machine

– Profile Manager (Delivers configuration profiles and Mobile Device Management for Macs running OS X 10.8, 10.7 & iOS devices. Allows configuration of pin and password policies and policy enforcement)

– Workgroup Manager still available as an option as a separate download (http://support.apple.com/kb/HT5308 )

Setup Server Services• Software Update (WSUS)

– 10.5,10.6,10.7 just local repository– http://macserv1.ufl.edu:8088/content/catalogs/others/

index-lion-snowleopard-leopard.merged-1.sucatalog.composite

– 10.8 new features for auto download and install of system and security updates

– http://macserv1.ufl.edu:8088/content/catalogs/others/index-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog.composite

• Time Machine– Time machine to backup OD server– Time Machine as a backup destination for

managed Macs– For Mac Mini can attach an external thunderbolt drive– Purchase a Mac Pro with internal drives

Setup Server Services• OS X Deployment

– NetBoot (WDS) https://help.apple.com/advancedserveradmin/mac/10.7

• Shares and protocols configured on server to support distribution

• Stores system images on server that EFI-based Intel Mac can access

• Renamed NetInstall for 10.8 https://help.apple.com/advancedserveradmin/mac/10.8/

– System Image Utility• Making Netboot and other image sets for Macs in

environment• Included in Server Admin tools

– 10.7 http://support.apple.com/kb/HT5315 – 10.8 This utility is installed with OS X in the

/System/Library/CoreServices/ folder.

– Boot Mac holding down the N key (blinking Grey globe)

Setup Server Services• Profile Manager (MDM Mobile Device

Management)– Apples solution for managing mobile iOS & OSX– First showed up in Lion 10.7 http

://www.apple.com/support/lionserver/profilemanager/

– Again in Mountain Lion 10.8 with more features including app push http://www.apple.com/support/osxserver/profilemanager/

– Review http://krypted.com/iphone/configuring-using-profile-manager-2-in-os-x-mountain-lion-server/

• Public IP requirements (security office review)– Certificates, encryption

Setup Managed Preferences

• Work Group Manager Console 10.6, 10.7, 10.8 (transition)

• Think GPO• Considerations

– UFAD handles authentication, OD handles computer behavior– Setup groups of computers as you would an OU in GPMC to

apply GPOs– Setup groups of UFAD accounts to allow exceptions to

preferences• Precedence is

– User preferences > – User Group preferences > – Workstation preferences > – Workstation Group preferences

Setup Managed Preferences

• Recommendations– Setup Login settings

• AUP/ULA Legalize for accessing UF equipment• Force Name and Password• Disable automatic login• Set screen saver i.e. 20min• MAP NETWORK DRIVES• Manage FileVault settings for portable Macbook Pro and Air

– Make all accounts mobile including desktops for that time when the network goes down.

• Same as windows caching credentials

– Inside System Preferences • Exclude Users & Groups (avoid local accounts, deleting IT account,

demotion or promotion of admin rights)• Exclude Sharing (avoid Macs sharing disks and customer turning off

remote desktop for remote administration)• Exclude Security & Privacy (mitigate avoidance of screen saver

password)

Setup Managed Preferences

• Recommendations– Manage Power settings

• save energy • software updating

– Deploy Printers• Bonjour

– Setup Software Update• More valuable in 10.8

– Manage network • Disable airport for hard wired iMac, Mac Pro, Mac Mini• Disable internet sharing

• Demo

Login Preferences

Options for login window text and style of login options

Login Preferences

Options for screensaver timing

Login Preferences

Options for automatically mounting network shares

Mobile Preferences

Options for creating mobile account (cache credentials) while off network

System Preferences

Options for restricting icons in system preferences to help avoid circumventing settings

Power Preferences

Options for energy usage

Print Preferences

Options for printer installation from network printers

Software Update Preferences

Options for pointing Macs to local update repository

Network Preferences

Options for disabling Airport on desktops

FileVault Preferences

Options for turning on FileVault for all managed Macs

Time Machine Preferences

Options for time machine to network location

Configure the OD Plugin

• System Preferences>Users & Groups>Login Options>Edit

• Open Directory Utility

• Highlight LDAPv3 and press the configure button

Configure the OD Plugin

• Expand the options chevron & press new

• Enter the Open Directory server name and press continue

• Verify Computer ID and provide credentials

Configure the OD Plugin

• Review LDAPv3 settings

• Note distinguished Name

Apple Remote Desktop

• Documentation– http://www.apple.com/remotedesktop/– http://manuals.info.apple.com/en_US/ARD_Task_Server.pdf

• Features– Remote Control– Remote Observe– Software installation– Copy files– Issue UNIX commands

• Licensing and Cost– $79.99 to manage 20 computers– $499.99 Unlimited Managed System Edition

• Install task server function on dedicated Mac server

Apple Remote Desktop

• ARD setup– Start with Scanner – Utilize local administrator account for administration

Apple Remote Desktop

• ARD Console

Apple Remote Desktop

• Useful Mac Commands– (add to administrators group) Dscl –u localadmin –P *********** . –

append /Groups/admin GroupMembership trusteduser– (improve network performance) sudo sysctl -w

net.inet.tcp.delayed_ack=0 • http://www.jeremycole.com/blog/2010/01/13/delayed-ack-in-o

s-x-is-incomprehensible/

– (enable spotlight indexing of network drive) mdutil /Volumes/name –i on

• http://jonathansblog.co.uk/how-to-enable-spotlight-indexing-on-a-network-drive

– (show hidden files in finder) defaults write com.apple.finder AppleShowAllFiles TRUE

– (change display sleep time) sudo pmset displaysleep 15– Boot from CD by holding down C– Reset NVRAM Command-Option-P-R

• http://support.apple.com/kb/ht1379 Startup disk help with BootCamp

Third Party Options

• SCCM 2012– UF Initiative– Hardware Inventory– Software Inventory– Application Deployment– Configuration deployment and compliance

• JAMF www.jamfsoftware.com – Casper suite

• OS X

– Inventory– Imaging– Patch management (more configuration options)– Software deployment– Settings Management

• iOS– Inventory– Configuration

– Can work on Linux, Windows 2008 R2 or Mac Server• Need Java, TomCat & MySQL

Third Party Options

• JAMF (continued)– Onsite setup and training $6,000 (required)– $90.00 per client fee waived because of academic pricing– Annual maintenance of $18.00 per device per year

• Absolute Manage (www.absolutesoftware.com)– Supports Windows, Linux, Mac, iOS & Android– Inventory, Imaging, Power Management, Patching, Application

Deployment– $30-$40 per seat

• OpenLDAP on Linux– Cost of a VM– Add Apple Schema– Add Mac attributes to LDAP– Use Workgroup manager

Outlook Auto discover• iMac, Mac Pro, Mac Mini

desktop devices are on campus typically and should utilize autodiscover to resolve mail.ufl.edu to https://outlook.mail.ufl.edu/EWS/Exchange.asmx– Private IP

• For Macbooks & Mac Air off campus and to avoid VPN usage disable autodiscover by using Apple Script syntax:– Tell application “Microsoft

Outlook”– set background autodiscover of

exchange account 1 to false– end tell

• Set server to https://mail.ufl.edu/EWS/Exchange.asmx– Public IP