Mac management for Windows IT folks

Tools and techniques for adding Macs to your network safely and effectively

Page 2 of 4

Apple's managed preferences architecture

Apple has developed its own, very comprehensive client management architecture, commonly called MCX (Managed Client for OS X) or simply managed preferences. Like group policies, managed preferences are stored as records in Apple's native directory service, Open Directory. Also like group policies, managed preferences can be used to restrict access to many parts of the Mac OS X interface and control various user and system settings.

In fact, in Mac OS X Tiger and Leopard, administrators using Mac OS X Server's Workgroup Manager tool can define settings for any application or system component using a Preferences Editor. So long as an application is written to store its preferences data according to Apple's guidelines, any aspect of it should be controllable via managed preferences. (See "What's new in Leopard Server" for more about its administration tools.)

Editing preferences in Workgroup Manager

The process of deciphering the XML data that Mac OS X applications use to store preferences may be a little challenging, but it is possible. (Apple does offer the option for developers to explain the XML-based keys that they use in what is known as a preference manifest, which provides clearer explanations when looking at settings in Workgroup Manager, but many developers have yet to make use of the feature.)
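As an added illustration (not from the original article), the sketch below reads an XML preference file and pairs each key with its preference manifest description, listing the keys the developer left undocumented. The domain `com.example.editor`, its keys and both property lists are constructed samples, and the manifest is a simplified one that uses only Apple's `pfm_domain`, `pfm_subkeys`, `pfm_name`, `pfm_type` and `pfm_description` keys.

```python
import plistlib

# Constructed sample: preference file of a hypothetical app, com.example.editor.
PREFS_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>AutoUpdateEnabled</key><true/>
  <key>UpdateServerURL</key><string>https://updates.example.com/feed</string>
  <key>RecentFilesLimit</key><integer>10</integer>
  <key>Plugins</key><dict><key>AllowUnsigned</key><false/></dict>
</dict></plist>"""

# Constructed sample: simplified manifest that documents only two of the keys.
MANIFEST_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>pfm_domain</key><string>com.example.editor</string>
  <key>pfm_subkeys</key><array>
    <dict><key>pfm_name</key><string>AutoUpdateEnabled</string>
      <key>pfm_type</key><string>boolean</string>
      <key>pfm_description</key><string>Check for updates at launch</string></dict>
    <dict><key>pfm_name</key><string>UpdateServerURL</string>
      <key>pfm_type</key><string>string</string>
      <key>pfm_description</key><string>Feed used for update checks</string></dict>
  </array>
</dict></plist>"""

def flatten(node, prefix=""):
    """Yield (dotted_key, value) for every leaf of a nested preference dict."""
    for key, value in node.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            yield from flatten(value, path + ".")
        else:
            yield path, value

def describe(prefs_xml, manifest_xml):
    """Pair each stored preference with its manifest entry, if one exists."""
    prefs = plistlib.loads(prefs_xml)
    manifest = plistlib.loads(manifest_xml)
    docs = {e["pfm_name"]: e for e in manifest.get("pfm_subkeys", [])}
    rows = []
    for path, value in sorted(flatten(prefs)):
        rows.append({"key": path, "type": type(value).__name__, "value": value,
                     "description": docs.get(path, {}).get("pfm_description"),
                     "documented": path in docs})
    return rows

def undocumented(rows):
    """Keys an administrator would have to decipher without manifest help."""
    return [r["key"] for r in rows if not r["documented"]]
```
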

General management options in Workgroup Manager

In a simple GUI in Workgroup Manager, Apple also provides 15 categories of more general management options that let the administrator control users' access to applications, power management and automatic start-up settings, log-in settings, access to hard drives and removable media, mobile accounts and how they sync data with a network home directory, basic network settings and proxy servers, access to local printers and auto-configuration of network printers, access to the System Preferences utility and which features a user may change on a system, the designation of a file server for use as a backup destination with Apple's Time Machine, and more.

For a thorough guide to Apple's managed preferences, check out John DeTroy's Tips & Tricks for Mac Mgmt.

Using Open Directory

Just as group policies are a product of Windows Active Directory, managed preferences are a product of Mac OS X's native directory service, Open Directory. Implementing them therefore also means implementing Open Directory running on Mac OS X Server. Active Directory and Open Directory can be integrated in a dual-directory environment in which user and group records stored in Active Directory can have managed preferences associated with them, resulting in the best of both worlds.

There are a few approaches to implementing a dual-directory environment of this type. The first is to simply join both the Mac clients and Mac OS X Server to the Active Directory domain and then to also join (or "bind," in Apple jargon) the Mac clients to the Open Directory domain hosted by the Mac server. This approach, often referred to as the magic triangle, allows users to authenticate against Active Directory but also to have managed preferences enforced by Open Directory.

The result is that preferences can be set for individual computer accounts or computer groups as well as for Active Directory user accounts. This is done by creating user groups in the Open Directory domain and then populating them with user accounts stored in Active Directory.

While this approach is effective in many situations, it isn't always perfect. For one thing, it provides limited management at the user level. To achieve broader capabilities, it is possible to extend the Active Directory schema to include support for Apple's MCX attributes as well as for other Mac user account details.
