Monthly Archives: April 2012

Mac OS X Mac OS X Server Mac Security Mass Deployment

Penn State MacAdmins Conference Schedule Now Available

Mac OS X Mac OS X Server Mac Security Mass Deployment

WWDC Tickets On Sale

Apple has put tickets on sale for the WorldWide Developer Conference, from June 11th to June 15th in San Francisco’s Moscone Center. Last year, the conference sold out really quickly, so might want to jump on buying tickets if you want to go. One thing can be pretty easily assumed, there will be plenty of talk about Mountain Lion (and maybe a new beta/DP as well).

Home Automation

Monster Delivers Z-Wave Win

Who knew, Monster is getting in on the whole Z-wave thing. I can’t even find “Z-wave”  on their official website. But their Z-wave dimmers are available at a few different websites, including Smarthome: http://www.smarthome.com/8500SD/Monster-Wall-Dimmer-Switch-Z-Wave-Lighting-Control/p.aspx. I ordered one of these and my system automatically saw it (as a Leviton btw) and I was controlling yet another light in my basement within about 5 minutes. Total Z-wave win.

While I don’t see the dimmers, what I do see on Monster’s website is a new Z-wave remote in their Revolution 200: http://www.monsterproducts.com/productdisplay.asp?pin=3369&id=9139.

 It’s a little fancy for me (I prefer things that are beige and covered in DIP switches), but it’s cool to see another household name with lots of sales people pushing their products into Target, Best Buy (who use Control4 systems in their stores) and Home Depot, as well as other large chains.

iPhone Mac OS X Mac OS X Server

Apple Configurator 1.0.1 Released

Apple has released version 1.0.1 of the Apple Configurator tool. To install the first update to Apple’s new tool, go to the App Store on a computer that has Apple Configurator installed, click on Updates and then click on the Update button for Apple Configurator.

The update has a number of new features and fixes. The first is that Enterprise Apps can be installed. Previously, when you went to install internally developed applications, you would get an error that the installation could not proceed. Another great fix is that commas are now escaped when importing application codes from the VPP spreadsheets (a comma in a CSV/comma separated value would kill the ability to import VPP codes before). Another fix is to let you pull redemption codes from unsupervised device (this makes me very happy).

The redemption codes that you buy an app with can also now be used in Configurator, according to the release notes. This worked for me anyway, but I’ve read reports that people had to burn an additional code to use them with Configurator. The remaining redemption codes are now listed properly, as well. Another fix is that Notes and Bookmarks pushed into iBooks and iTunes U are restored properly when supervising devices. The WPA2 passwords had been wonky (according to the content of that payload), so that’s been fixed as well.

Also, a bug I hadn’t noticed, the capacity of an 8GB iPod Touch is now displaying properly…

WordPress

WordPress Lightbox Made Easy

I wasn’t very happy with how images were handled on krypted.com. Which is why I added a new plugin, http://wordpress.org/extend/plugins/wp-jquery-lightbox to provide more of a lightbox feel when you click on my images.


Many of my images are pretty large, so I make them a little smaller on the site so they fit well on the page. Now, when you click on images on the site, it greys the rest of the page and zooms in on the image. I’ve tinkered with a lot of lightbox plugins, but this one makes me happy. You just install and activate and viola, you’re done. It doesn’t get a lot easier than this and it’s a much better way than the default method for handling images in WordPress.

Articles and Books Business

Amazon Now Has Book Trade Ins

When I was in college, at the end of each semester we’d go to the book store (you know, that place that fleeced us with $100 used books) and we’d sell back those books for about one tenth to one quarter what we bought them from. We’d then use that money to help fund one of our books for the next semester (or beer). Well, Amazon is doing something similar now. Although it has to do more with when new editions of the book are released. Each edition of a book allows you to trade the book in for new editions.

Take Practical C++ Programming, from O’Reilly. Apparently I bought the chipmunk book at some point. In fact, considering the fact I can see it on my shelf from where I’m sitting I am certain of it (unless I am hallucinatin’ again – in which case I would really hope for something better than a freakin’ tech book). When I go to the page for that book on Amazon, they know I bought it (they sold it to me after all) and they’re kind enough to offer to buy it off me for about a buck and a half (about 1 / 20th what I bought it for) and sell me the new edition for about $25.30 (or $6.53 used).

I know I’m poking at this just a little bit, but that’s just because it makes me think of college. I honestly think it’s a really great feature. There are so many options for things like books and this is just another that will keep me going back to Amazon!

Mac OS X Mac OS X Server Mac Security Mass Deployment

Moving Managed Preferences to Profiles

If you’ve been following my postings for the past few weeks you may have noticed that I’m putting the pieces together for a strategy to transition existing managed preferences in environments to profiles, most notably those managed using Lion Server’s Profile Manager as more than just a mobile device management tool, but also as a computer management tool. To put the articles into a bit more order, let’s look at the order that you’d likely use them to actually do an integration:

Not all of these will be applicable to every deployment, but the tasks covered are worth knowing how to do. Using Profile Manager and migrating the actual managed preferences from existing tools into Profile Manager I saved for last (after all, you need your infrastructure in place to do this). Here, I’m just going to look at Workgroup Manager and manually move each preference from Workgroup Manager into Profile Manager. To get started, I usually like to open a screen with Profile Manager and another with Workgroup Manager, lining them up side by side. This allows me to quickly and easily cut-copy-paste between the two. I also like to be very orderly, choosing to step through the Workgroup Manager list in order, moving each option I have selected in Workgroup Manager over to Profile Manager.

I usually start with user groups, then do computer groups, then look for specific computers I may have applied policies to and finally specific users that might have policies attached to them. The screens, by default, for my initial user groups, would look as follows (where there are some managed preferences in Workgroup Manager but not yet in Profile Manager):

Right off the bat, if you’re going in order of those displayed in the Workgroup Manager GUI, you’ll notice that there aren’t any listed for Applications in Profile Manager. This is because Applications, Media Access and System Preferences are located in the Restrictions payload for Mac OS X in Profile Manager. Click on it and click on Configure to enable the payload. Rather than go through each preference and each setting of each preference, suffice it to say that most are there. In some cases, you won’t see one, such as disabling Front Row, but you’ll have a cool new one, such as disabling AirDrop in its place.

The workflow is a little different in some places. For example, in Workgroup Manager, you can run the Workgroup Manager application on a computer that is not the server and easily add applications and printers to the preference that are not actually installed on the server. Annoyingly, because Profile Manager is a web application, you need to put the .app bundles and install the printers on the server in order to push them out through Profile Manager. While this caused some initial heartache, I just ended up taking the app bundle, copying it to the server temporarily and then adding it, whether the application was installed or not. Printers are easy enough to install on servers as well.

The Classic managed preference is pretty much no longer needed, so it has been removed. Finder and Universal Access are also gone in Profile Manager. But this doesn’t mean you can’t manage them. Just as you could manage custom preferences using the Details tab, you can manage custom preferences using the Custom Settings option as well. Simply open the Custom Settings payload and then use the plus sign to create each preference domain that you would like to manually configure. Click on the Upload File… button to import a property list manually and then delete the items that you don’t want getting pushed to clients (seems similar to how you did things in Managed Preferences, right?). Another managed setting that is missing from Profile Manager is Software Update. Here, we’ll add it by looking at the details in Workgroup Manager and then duplicating the settings in Profile Manager.

You can do this for any of the missing objects as well as any third party software. For example, we’ll click the plus sign (“+”) to add a preference and then enter com.microsoft.autoupdate2 into the Preference Domain field and HowToCheck as a key (String) with a value of Manual. This would disable Microsoft’s automatic updates so we can manage them through our patch management solution.

The biggest change in moving to profiles and Profile Manager is the fact that you no longer have the option to manage settings using the Once Often and Always settings we grew to love in Managed Preferences. There are trade-offs. Such as the fact that you can have many of the settings instantly updated on clients, wipe devices, etc. The way you remove an Always profile is to remove the payload. For those still needing Once and Often, you can stick with Managed Preferences for a bit longer, but you might want to start considering ways of not accessing those manifests. In exchange you can centrally push out SSIDs for wireless networks, automatically configure clients for Exchange (not the password) if you’re using Mail, iCal and Address Book, deploy certificates, configure password policies and even perform some fairly delicate 802.1x foo, without touching a script.

There’s definitely going to be some stir over the fact that, as with iOS, centralized management via Profile Manager is an opt-in experience. Users can remove their enrollment profile as they wish. Of course, if you’ve hidden the Profiles System Preference pane then they might have a problem getting rid of it, but get rid of it they may. Therefore, it’s worth considering a few strategies for dealing with that. One I like is automatically unbinding clients that are not listed in the devices table of the Profile Manager database. Another is to send ninjas to their house so they may be pelted with shurikens (1d6 of damage each, btw, so don’t throw too many). It’s also worth noting that data doesn’t always disappear with profiles in Mac OS X the same way it does with iOS and that profiles are a Lion and above experience, not working with Snow Leopard and older operating systems.

Whichever strategy you take with migrating to profiles, it’s worth starting to think about and test this new type of user experience now. Of course, if you have a 3rd party patch management tool, such as the Casper Suite, that allows for local managed preferences, you’re likely better off deploying policies through there. If not, then don’t feel rushed, as Managed Preferences are still how Profiles deploy their payloads to clients. However, the means with which you have been deploying Managed Preferences may be changing over the next few years, so it’s a good idea to start looking at this now in order to be prepared for future releases.

public speaking

MacTech InDepth In New York

I have been added as a speaker at MacTech InDepth in New York. If you haven’t signed up yet, and you work with Mac OS X Server then you should really check out the sessions that have been planned:

  • The Elephant in the Room: The New Lion OS X is out, now what? There are a lot of differences to contend with between Lion and Snow Leopard. Now with the new Mountain Lion update, what changes can we expect to see? We discuss the differences in advanced services, GUI simplicity, and Apache management GUI’s. We help you understand the updates in the new OS and make the transition easier. We go over the new updates of Lion over the Snow Leopard server.
  • Setting solid foundations: To truly grasp the power of Lion, you need to set up solid foundations. We go over minimum requirements for internet DNS, and tackle router tricks. We discuss open directory and what it was used for.
  • Mobile Device Management 101: Apple’s IPCU/Apple Configurator: Mobile Device Management is vital to businesses, large or small. We have an extensive overview of profile manager and how you can use mobile device management on OS X. For those still using Snow Leopard, we go over your options and discuss the possibility of using third parties as a solution.
  • DNS, Ahh, run away, run away: In this session, we tackle DNS and break it down and show how simple it is to work with. We go over how DNS works and cover different components such as internet DNS and internal DNS.
  • Administering a Server with just Server.app: We show you how to use server.app and control administrative programs. For the services, we go over Address Book, iCal, iChat, and Mail.
  • Web Administration of OS X Server : Web Admin on Lion Server versus Snow Leopard is covered, dealing with the differences and how to use each system effectively. On Lion server, we cover using FTP without a GUI.
  • Going old school, using the old tools: After getting used to Snow Leopard we go over the major differences between Snow and Lion and how you can handle the transition. We go over server admin and what is still left in the program and why it has been left.
  • Deployment Part I: Tools & Concepts: In tools and concepts we learn that there aren’t stark differences between Lion server and Snow Leopard. NetBoot, NetRestore and third party tools are covered; we talk about how NetBoot works and what the differences between NetBoot and NetRestore are. Along with this we cover Network configuration requirements and using software update server.
  • Deployment Part II: DeployStudio: DeployStudio is covered in-depth; we cover creation techniques and management techniques.

Overall, this represents a nice, fast way to update your skills to allow for managing Lion Server and to get up to speed with those new to the platform. One thing I like about the session list is that it goes beyond the stock server implementation and looks at DeployStudio, MDM and other important topics not purely server oriented. I hope to see you all there!

These vagabond shoes, are longing to stray
Right through the very heart of it – New York, New York

Mac OS X Mac OS X Server Mac Security Mass Deployment

Automating Profile Manager Enrollment Through DeployStudio

When planning to migrate from managed preferences to profiles, one of the important aspects to consider is automated enrollment. One of the more important aspects of automating a traditional managed preferences environment is to automate the binding to directory services. You do not bind to Profile Manager; however, you do enroll devices. Much like binding computers to Lion Server’s Open Directory (by default), certificates and host names are important aspects of the enrollment process.

Much as with local managed preferences, management via profiles can be done through the command line and without any involvement from a centralized source. I had written an article awhile back on using profiles from the command line.

You can also instead enroll devices into Profile Manager. Previously, I had looked at configuring Profile Manager. Manual enrollment in Profile Manager is the same as enrollment from iOS. But instead of using Apple Configurator to automate enrollment, you’ll use your existing imaging solution for automated enrollment of Mac OS X based clients. Therefore, we’ll use DeployStudio as an example for automating enrollment at imaging time.

To get started, you’ll need a functional DeployStudio configuration. You’ll also need a functional Profile Manager configuration. From within Profile Manager, click on the plus sign (“+”) in the lower left corner of DeployStudio and click on Enrollment Profile. Then click on the New Enrollment Profile entry that was created and click on the Download button to download the profile onto the server (when it attempts to install, simply click cancel to cache it to your ~/Downloads directory).

Click in the drop-down menu in the upper right hand corner of the screen and then click on Download Trust Profile. This will download the Trust Profile for the MDM solution to the client (when it attempts to install, simply click cancel to cache it to your ~/Downloads directory).

Next, drag the cached profiles into the ConfigurationProfiles directory of the DeployStudio repository. Now that you have the profiles that will be required for automated enrollment, open DeployStudio Admin (if it was open before, close it and then re-open it once you have copied the profiles to the DeployStudio repository). From within DeployStudio, we will create a new workflow, here called “Deploy Lion with Enrollment”. We will then choose to restore a target volume and automate the task.

Next, click on the plus sign (“+”) to add a new workflow item, sliding the task selection screen out automatically.

Next, drag the Automatic Enrollment Task item into the workflow. Once present, choose Previous task target from the Target Volume field. Next, choose the enrollment profile in the Enrollment profile field. Also choose the Trust profile that you just downloaded from the Trust profile field. Finally, check the Automate box and save your workflow.

Finally, we’ll add a Configure task to set the hostname (note that your workflows may already be far more flushed out than mine here. Click on Save and then test the workflow.

Once booted, if you are automatically enrolled then the process was a success. You should be able to see the device in Profile Manager.

iPhone Mac OS X Mac OS X Server Mac Security Mass Deployment

Integrating Mac OS X Lion Server's Profile Manager With Active Directory

Over the years, the terms Magic, Golden, Triangle, Augments, Directory, Domains and Active have given the administrators of Mac OS X environments fits. So when you think about using Active Directory to manage iOS devices through the Profile Manager service, built into Lion Server, you may think that it’s a complicated thing to piece together. You may remember those days when you had to manually craft service principals because xgrid wouldn’t play nice with Acive Directory, or you might think of twisting augmented records to support CalDAV. But you’re gonna’ have to forget all that, ’cause getting Profile Manager to talk to Active Directory is one of the easiest things you’ll do.

Before we get started, architecture. Every Profile Manager instance is an Open Directory Master. Apple has included a local group in Mac OS X Server called Profile Manager ACL. Users and groups from any directory domain that can be viewed in dscl can be added to this group. Adding objects to this group enables them to authenticate to the MyDevices portal but not administrate. Kerberos isn’t really used here, nor are nested groups. You’ll apply policies directly to Active Directory groups in Profile Manager. For many long-term Apple administrators, this paragraph is all you need to read. If not, please continue on.

To get started, first set Profile Manager up, as shown in a previous article I did. Once configured, verify that Open Directory or local clients can authenticate, bind to Active Directory.

Bind to Active Directory

From within System Preferences, click on the Users & Groups System Preference pane and click on Login Options. Then click on the Edit… button for the Network Account Server. From here, click on the plus sign (“+”) and enter the domain name into the Server field.

Once bound, you will see the server listed. At this point, if you try to authenticate to the MyDevices portal as an Active Directory user, you will be able to authenticate, but you will not have permission to enroll devices. To log in, access the web service at the address of the server followed by /MyDevices (e.g. https://mdm.pretendco.com/MyDevices).

Provide the user name and password to the service. The Active Directory users are unable to access the MyDevices service.

Nest Groups Using Workgroup Manager

Click on Logout and we’ll fix this. There is no further configuration required for the Active Directory groups to function properly in regards to how they work with the server. However, we will need to open Workgroup Manager and nest some groups. You might think that you’d be doing something all kinds of complicated, but notsomuch. You also might think that you would be nesting the Active Directory users and groups inside Open Directory groups, given that you have to enable Open Directory in order to use Profile Manager. Again, notsomuch. To nest the groups, browse to the local directory and then then click on the com.apple.access_devicemanagement group.

Click on the lock icon to unlock the directory domain, authenticating when prompted.

Click on the Members tab and then click on the plus sign (“+”) to add members to the group.

Then in the menu that slid out, click on the domain browser at the top of that menu and select the Active Directory entry.

Test Access

Drag the user or group from the menu into the list of members and then click on the Save button.

Now log in again using the MyDevices portal and you’ll be able to Enroll. From within Profile Manager (log in here as a local administrator), you’ll see all of the users and groups and be able to apply policies directly to them by clicking on the Edit button for each (the information isn’t saved in the directory service on the server, but is cached into the directory service client on the client when using Mac OS X 10.7, Lion based clients).

 

Moving Mac OS X Management From MCX

You keep hearing that you need to move some of your managed preferences to profiles (or Profile Manager in most cases), but you can’t really think about that until you get Profile Manager integrated with Active Directory, can you? And getting those pesky iOS devices working with Active Directory style policies has been on your radar, but really, who has time?

Profiles then have a few distinct benefits over Managed Preferences (MCX) for some, which we’ll look at through the lens of Profile Manager. The first is that they’re instant. You can make a change to a profile on a device enrolled in an MDM service and you instantly see the changes on the client (most profile settings that is, not all), rather than having to log the client out and then back in. You can also wipe and lock devices and the interface is easier (I mean, no nesting thankyouverymuch).

But there are a few drawbacks as well. You can’t cluster Profile Manager, so there are some benefits to using 3rd party services in a move to profile based management. You also manage settings using the Always option, rather than being able to use the Once or Often settings. You can use custom property lists, though and importantly, MCX is used to actually implement most of these profiles on client systems, so those skills you’ve been honing for managing Managed Client workflows will not be totally lost in the transition. Overall, I had initially thought that management by profile would be much less granular than management via managed preferences, but I’ve found ways around any issues and have found it’s actually much easier and works as reliably as dual directory or Active Directory based managed preferences worked.