Monthly Archives: July 2010


Making Every User an Admin

If you deploy a large number of computers to users who are somewhat likely to play practical jokes on each other, then you will run into some interesting issues. If you are deploying one computer to every user and you want each user to be an administrator of their computer, then you might be tempted to allow all users to be administrators of all computers. If you do, then prepare for an infinite number of sometimes amusing practical jokes. But really, being proactive about this brings up an interesting point: how do you deploy a computer and make only the user you want an administrator of it?

In a large deployment of Mac OS X, you are likely going to have a map somewhere of which user has each computer. You may even go so far as to give each computer the same name as the user associated with it. If you do this, then you have a pretty straightforward task ahead of you. Basically, you’ll make the user you are handing the computer to an administrator by adding them to the admin group. To do so, you can check the “Allow user to administer this computer” box, as you can see in the following figure. If you have a sizable deployment, you’ll want to automate this task rather than log in as each user and change the setting. You can automate the task using the dscl command along with the append verb. For example, to place the user cedge into the admin group:

sudo dscl . append /Groups/admin GroupMembership cedge

That works as a one-off operation but not in bulk. If your computer name is the same as the name of the user who will be using the system, you can use the scutil command with “--get” to read the ComputerName:

scutil --get ComputerName

NOTE: The --get option in this article takes two hyphens rather than one.

You can then use that output as the value to append to the GroupMembership of admin:

sudo dscl . append /Groups/admin GroupMembership "$(scutil --get ComputerName)"

Pop that into a post-flight package and you’ve got yourself a solution where you make the primary user of a system the admin of the local box and then make the subsequent users standard accounts. If your ComputerName doesn’t match your user name, then all is not lost. One way to find the admin user you’d like for each host would be to populate something on the client with that information. Another would be to put it in a csv and read the line of the csv that is associated with the computer to obtain it. If you populate something on the client, it could be the Text1 field from Apple Remote Desktop. This can be done using the Remote Management option in the Sharing System Preference, clicking on Computer Settings and then typing the data into the Info 1: field.

To insert the information at image time (or at least programmatically), you could use defaults to write it into com.apple.RemoteDesktop.plist, located in /Library/Preferences:

defaults write /Library/Preferences/com.apple.RemoteDesktop Text1 "cedge"

To then read that variable:

defaults read /Library/Preferences/com.apple.RemoteDesktop Text1

The command to set the admin user based on the Text1 field would then be:

sudo dscl . append /Groups/admin GroupMembership `defaults read /Library/Preferences/com.apple.RemoteDesktop Text1`
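
A post-flight script along the lines described above, as an added example that is not part of the original post. It validates the value before touching the admin group; the Text1-before-ComputerName order, the short-name rule, the CSV layout and the APPLY_ADMIN switch are assumptions made for illustration.

```shell
#!/bin/bash
# Added example, not from the original post: pick the intended admin for this
# Mac, validate the name, and append it to the admin group only when needed.
export LC_ALL=C   # keep the [A-Za-z] ranges below ASCII-only
ARD_PLIST=/Library/Preferences/com.apple.RemoteDesktop

# Accept only a plain short name (assumed policy): starts with a letter or '_',
# then letters, digits, '_', '.', '-'; at most 31 characters.
valid_shortname() {
  case "$1" in
    ''|[!A-Za-z_]*|*[!A-Za-z0-9_.-]*) return 1 ;;
  esac
  [ "${#1}" -le 31 ]
}

# Print the first candidate that passes validation; fail if none does.
pick_admin() {
  local c
  for c in "$@"; do
    if valid_shortname "$c"; then printf '%s\n' "$c"; return 0; fi
  done
  return 1
}

# Look up a host in a "computername,username" CSV (hypothetical file layout).
csv_admin_for() {   # $1 = computer name, $2 = CSV path
  awk -F, -v h="$1" '$1 == h { print $2; exit }' "$2"
}

main() {
  local text1 name user members
  text1=$(defaults read "$ARD_PLIST" Text1 2>/dev/null)
  name=$(scutil --get ComputerName 2>/dev/null)
  user=$(pick_admin "$text1" "$name") || { echo "no usable admin name" >&2; return 1; }
  # Refuse a name that has no local account record.
  dscl . -read "/Users/$user" UniqueID >/dev/null 2>&1 ||
    { echo "no local user: $user" >&2; return 1; }
  # Skip the write when the user is already listed, so reruns add no duplicates.
  members=$(dscl . -read /Groups/admin GroupMembership 2>/dev/null)
  case " ${members#GroupMembership:} " in *" $user "*) return 0 ;; esac
  dscl . -append /Groups/admin GroupMembership "$user"
}

# Changes the system only when APPLY_ADMIN=1 is set (hypothetical switch).
if [ "${APPLY_ADMIN:-0}" = 1 ]; then main; fi
```

A post-flight script already runs as root, so no sudo is needed inside it; a ComputerName such as "Charles Edge's MacBook" fails validation and is never passed to dscl.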

There are probably about as many other ways to go about this as there are Mac OS X mass deployments. For example, instead of inserting data into Text1 from a defaults command, you could use kickstart with the -computerinfo option to write data into -set1 -1 or something like that (which is likely safer than defaults, albeit more difficult if you decide to do it to your non-booted volume). But hopefully these options, somewhere down the road, will help someone (after all, that’s why we post this kind of thing, right?!?!).


'The Internet' Playing In Minneapolis

Ever wonder what the Internet would be like if you could see it in person? There would be a lot of crap that you don’t want, and you wouldn’t be able to find the few things you do want, as you wouldn’t be able to constrain what was in front of you with search terms. You would also see a bunch of really geeky people trying to build things (oftentimes as people are trying to use those things). Well, enter the Internet Variety Store. Part of the Storefront in a Box going is Internet in a box. No wait, that would be something you would stay home to access… If you feel like coding in person and using jump drives rather than CVS then this might just be the place for you, so at some point this weekend, you should get out of your box and check out real live people who share the same interests.

Here’s the lineup!


Customizing the Wiki Banner

One of the best features of Mac OS X Server is the built-in blog and wiki services. While it is not the right solution for every type of environment, it is a very good medium for internally hosted user-generated content, especially if you are using Active Directory or Open Directory. One of the most common requests I get when setting up a blog and wiki server is to customize the portal so that it is branded to the organization that it’s being set up for. One of the easiest ways to do this is to just edit (or more likely replace) the banner-bg.png file located in the /usr/share/collaboration/css/serverhome_static/img directory.

There are other items here that can easily be replaced with items of the same size; however, the most impactful is the huge banner sitting atop the screen when users visit the page. Your new banner-bg.png file should usually be 990 by 197 pixels and be trimmed down to be as small a file as possible. I have to admit that I’m not great at Photoshop, so I often cheat a little and use Art Text, by BeLight Software. In order to make this easier for others who might do exactly this, here is a template (forgive my utter lack of any graphic design skills whatsoever) that you can use.

Happy Customizations (and feel free to submit any images/links that you’re proud of and I’ll be happy to post/link to them)!