Tiny Deathstars of Foulness

The Command Line Fibre Channel Management and Setting up the Network Stack from the Command Line articles I did on Xsanity covered a couple of tasks that you more than likely perform on every client system you setup.  Now let’s look at another.   Whether you are deploying Xsan or managing it, assuming you have more than 1 machine to manage (and why would you use Xsan if you don’t) then a little Apple Remote Desktop (ARD) can make your life a lot easier.  You might be deploying a package to install the Final Cut or you might be installing Xsan remotely.  Or maybe you’re quitting Final Cut Pro or closing a Finder window so that you can unmount that volume that otherwise just won’t unmount.  Either way, centralized administration almost requires you to enable Remote Management and if you’re looking to automate every aspect of a deployment then you’ll certainly be doing so. To enable Remote Management for the ARD client is easy enough.  Simply open up System Preferences, click on the Sharing System Preference pane, check the box for Remote Management and then check the boxes for the features you’d like to enable (eg – Observe, Control, etc).  By default, all users have access to do whichever tasks you define.  Straight forward enough… But what if you are deploying 40 Xsan and Final Cut Server clients, 2-3 Metadata Controllers along with 20 members of a render farm?  Let’s just say that during the process you decide that you need to limit only your companies admin account to control the computers (otherwise users will start messing around with one anothers stuff)?  Even if you enabled Remote Management at installation time, now you need to go touch 65 computers?  Or what if you can SSH into a metadata controller but not tap in through Remote Management?  Or need to configure that shiny new Xserve that didn’t ship with a video dongle? Enter kickstart.  The kickstart command is located in the /System/Library/CoreServices/RemoteManagement/ directory (the rest of this article assumes this to be your working directory, and assumes you are running these commands with elevated privileges).  To start off, we’re going to configure Remote Management.  To do so we’re going to use the -configure option with kickstart and enable access to the host (-access), checking all the boxes from the Remote Management Options… button (-privs -all) for the xsan admin user (-users xsanadmin):
./kickstart -configure -access -on -privs -all -users -xsanadmin
You can also enable access to Open Directory accounts if your Xsan includes those.  In the following we’ll configure Remote Management to allow Open Directory logins (-setdirlogins yes and then enable the specific groups that will have access (-setdirgroups -dirgroups) to the Open Directory group called xsanadmins:
./kickstart -configure -clientopts -setdirlogins yes -setdirgroups -dirgroups xsanadmins
You can also configure each of the check boxes for each permission independently, using -DeleteFiles, -ControlObserve, -TextMessages, -ShowObserve, -OpenQuitApps, -GenerateReports, -RestartShutDown, -SendFiles, -ChangeSettings and -ObserveOnly. The global options for the Remote Desktop client can also be set.  To do so you would add the -clientopts option and specify which of the features to configure. Other than the Directory Services options, these include those settings accessible through the Computer Settings… button.  Show Remote Management status in menu bar can be enabled using -setmenuextra yes.  Anyone may request permission to control screen can be enabled using -setreqperm yes.  VNC viewers may control screen with password can be enabled using -vnclegacy yes.  You can also set the password using -vncpw followed by the password you would like to use.  You can also set the Computer Information fields using -computerinfo followed by -set1, -set2, -set3 and -set4. But kickstart isn’t just for setting up the ARD client.  You can also restart Remote Management when you are having problems by running the -restart option when SSH’d into a host:
./kickstart -restart -agent -console
And what the Xsan admin giveth the Xsan admin can taketh away; you can disable Remote Management access by setting -access to off:
./kickstart -configure -access -off
You can also use kickstart to install and uninstall packages, but in my experience you’re gonna’ want to use the Remote Desktop software to do that.  For more on the options available in kickstart, check out:
./kickstart -help
Finally, if you would rather perform a file drop to deploy settings (or use the defaults/plutil commands to deploy settings) then you’ll need to know the property lists, or domains that the preference files are stored in.  Because kickstart is not compiled you can find these in the variable definitions at the beginning of the script.

August 27th, 2009

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , ,