Mac Management in a
University Environment
Kevin Hanson
Emerging Pathogens Institute
University of Florida
kshanson@ufl.edu
Topics
• Intro
• Active Directory Authentication
• Open Directory Management & Preferences
• Apple Remote Desktop
• Third Party Options
Intro
• Support Macs; otherwise you have unmanaged hosts on your network
• Cost of entry
  – UFAD: free!
  – Open Directory: at a minimum $1,078
• Add value to the customer experience
  – Reduce non-science & non-academic work
• Be ever mindful of campus initiatives
AD Authentication
On the Windows side
• Use a valid AD domain name (i.e. ad.ufl.edu)
  – Underscores are NOT valid hostname characters, but AD will allow them. This WILL BREAK OS X AD integration. (http://support.apple.com/kb/TS1532?viewlocale=en_US)
• Avoid using more than 14 characters
On the OS X side
• Configure Network Preferences
• Configure Sharing
• Configure the AD Plugin
Configuring Network Preferences
• The DNS server must be able to resolve AD service records
• Search Domains should contain, at minimum, the AD domain name
Configuring Sharing
• Set the computer name under System Preferences > Sharing (must reboot after rename)
• Avoid using more than 14 characters
Configuring the AD Plugin
• System Preferences > Users & Groups > Login Options > Edit
• Open Directory Utility > Configure Active Directory Plugin
• Specify the UFAD server as ad.ufl.edu
• Eliminate underscores ( _ )
• Provide domain credentials
• Set 'Allow administration by' and add the appropriate groups to grant administrator rights
• 'Allow authentication from any domain…' should be enabled for troubleshooting purposes
• System Preferences > Users & Groups > Login Options
• Set 'Display login window as' to name and password
• Turn off automatic login
• Reboot
Configuring the AD Plugin (troubleshooting)
• Directory Service debug logging (10.5, 10.6)
  – Has a "Level 7" flag that includes more information than typical DSDebug logging.
  – http://support.apple.com/kb/HT3186
• Grepping & tailing the DS logs:
  – grep "Active Directory" /Library/Logs/DirectoryService/DirectoryService.debug.log
  – tail -F /Library/Logs/DirectoryService/DirectoryService.debug.log | grep <…>
• Reduce the log level once done to avoid excessive log files
• Directory Service debug logging (10.7, 10.8)
  – Has two options: debug & default levels
  – The debug level includes more information than typical logging.
  – http://support.apple.com/kb/HT4696
• Grepping & tailing the DS logs:
  – grep "Active Directory" /var/log/opendirectoryd.log
  – tail -F /var/log/opendirectoryd.log | grep <…>
• Reduce the log level once done to avoid excessive log files
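The troubleshooting workflow above as a small script, added here as an example and not part of the original slides: it picks the right Directory Services log for the OS X release and filters for Active Directory entries. The sample log lines are constructed, and the live commands at the end (odutil, sw_vers) only apply on a 10.7/10.8 Mac.

```shell
#!/bin/sh
# Added example (not from the slides): choose the DS log by OS X version,
# then keep only the "Active Directory" lines while a bind is reproduced.

# ds_log_path takes a version string as printed by `sw_vers -productVersion`
# so the mapping can be checked without running on a Mac.
ds_log_path() {
  case "$1" in
    10.5*|10.6*) echo "/Library/Logs/DirectoryService/DirectoryService.debug.log" ;;
    10.7*|10.8*) echo "/var/log/opendirectoryd.log" ;;
    *) echo "unsupported OS X version: $1" >&2; return 1 ;;
  esac
}

# ad_lines keeps only Active Directory plugin entries from log text on stdin;
# pipe a file or a `tail -F` stream through it.
ad_lines() {
  grep "Active Directory"
}

# Constructed sample in the 10.7/10.8 opendirectoryd.log style (not copied
# from any real machine); one LDAPv3 line is included to show it is dropped.
SAMPLE_LOG='2013-01-15 09:12:01.123 EST - Active Directory: bind attempt to ad.ufl.edu
2013-01-15 09:12:01.456 EST - LDAPv3: connection to macserv1.epi.ufl.edu established
2013-01-15 09:12:02.001 EST - Active Directory: cannot find domain controller for ad.ufl.edu
2013-01-15 09:12:02.300 EST - Active Directory: bind failed'

# count_ad_lines returns how many sample lines survive the filter (3).
count_ad_lines() {
  printf '%s\n' "$SAMPLE_LOG" | ad_lines | wc -l | tr -d ' '
}

# Live use on a 10.7/10.8 Mac (commented out so the script runs anywhere):
# sudo odutil set log debug                                   # raise level while reproducing the bind
# tail -F "$(ds_log_path "$(sw_vers -productVersion)")" | ad_lines
# sudo odutil set log default                                 # drop back once done, per the slide
```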
Additional AD options
• A Mac joined to AD can utilize the home folder location set in the profile in ADUC
Open Directory
• Free Open Directory training from lynda.com (http://www.lynda.com/Mac-OS-Server-10-7-tutorials/Mac-OS-X-Lion-ServerEssential-Training/83740-2.html)
• Consult Apple documentation (http://www.apple.com/support/osxserver/)
• UF IT Wiki (http://wiki.it.ufl.edu/wiki/Apple_OS_X)
Open Directory
• Determine capacity needs and purchase appropriate hardware
• Set DNS records, i.e. od.ns.ufl.edu, macserv1.epi.ufl.edu
• Join the Mac server to UFAD
  – Utilize UFAD accounts to apply policy preferences
• Set up an Open Directory Master
  – Open Directory Replica
Open Directory Server Consoles
• 10.5 Leopard, 10.6 Snow Leopard, 10.7 Lion
  – Server Admin (managing Open Directory and adding services)
    • DHCP, DNS, Firewall, Software Update, NetBoot, RADIUS
  – Server (managing services provided by the server)
    • File sharing, Address Book, Mail, iCal, iChat, Web services, Time Machine
  – Workgroup Manager (managing users, groups, policy preferences)
• 10.8 Mountain Lion
  – Server Admin (managing Open Directory and adding services)
    • DHCP, DNS, Firewall, Software Update, NetInstall, RADIUS
  – Server (managing services provided by the server)
    • File sharing, Address Book, Mail, iCal, iChat, Web services, Time Machine
  – Profile Manager (delivers configuration profiles and Mobile Device Management for Macs running OS X 10.8, 10.7 & iOS devices. Allows configuration of PIN and password policies and policy enforcement)
  – Workgroup Manager still available as an option as a separate download (http://support.apple.com/kb/HT5308)
Setup Server Services
• Software Update (the Mac counterpart of WSUS)
  – 10.5, 10.6, 10.7: just a local repository
  – http://macserv1.ufl.edu:8088/content/catalogs/others/index-lionsnowleopard-leopard.merged-1.sucatalog.composite
  – 10.8: new features for automatic download and install of system and security updates
  – http://macserv1.ufl.edu:8088/content/catalogs/others/indexmountainlion-lion-snowleopard-leopard.merged-1.sucatalog.composite
• Time Machine
  – Time Machine to back up the OD server
  – Time Machine as a backup destination for managed Macs
  – For a Mac Mini, an external Thunderbolt drive can be attached
  – Or purchase a Mac Pro with internal drives
Setup Server Services
• OS X Deployment
  – NetBoot (the Mac counterpart of WDS) https://help.apple.com/advancedserveradmin/mac/10.7
    • Shares and protocols configured on the server to support distribution
    • Stores system images on the server that EFI-based Intel Macs can access
    • Renamed NetInstall for 10.8 https://help.apple.com/advancedserveradmin/mac/10.8/
  – System Image Utility
    • Making NetBoot and other image sets for the Macs in the environment
    • Included in the Server Admin Tools
      – 10.7 http://support.apple.com/kb/HT5315
      – 10.8 This utility is installed with OS X in the /System/Library/CoreServices/ folder.
  – Boot the Mac holding down the N key (blinking grey globe)
Setup Server Services
• Profile Manager (MDM, Mobile Device Management)
  – Apple's solution for managing mobile iOS & OS X devices
  – First showed up in Lion 10.7 http://www.apple.com/support/lionserver/profilemanager/
  – Again in Mountain Lion 10.8 with more features, including app push
    http://www.apple.com/support/osxserver/profilemanager/
    http://krypted.com/iphone/configuring-using-profilemanager-2-in-os-x-mountain-lion-server/
  – Review
    • Public IP requirements (security office review)
      – Certificates, encryption
Setup Managed Preferences
• Workgroup Manager console 10.6, 10.7, 10.8 (transition)
• Think GPO
• Considerations
  – UFAD handles authentication, OD handles computer behavior
  – Set up groups of computers as you would an OU in GPMC to apply GPOs
  – Set up groups of UFAD accounts to allow exceptions to preferences
• Precedence is
  – User preferences >
  – User Group preferences >
  – Workstation preferences >
  – Workstation Group preferences
Setup Managed Preferences
• Recommendations
  – Set up Login settings
    • AUP/ULA legalese for accessing UF equipment
    • Force name and password
    • Disable automatic login
    • Set the screen saver, i.e. 20 min
    • Map network drives
    • Manage FileVault settings for portable MacBook Pro and Air
  – Make all accounts mobile, including desktops, for that time when the network goes down.
    • Same as Windows caching credentials
  – Inside System Preferences
    • Exclude Users & Groups (avoid local accounts, deletion of the IT account, demotion or promotion of admin rights)
    • Exclude Sharing (avoid Macs sharing disks and customers turning off Remote Desktop, which is needed for remote administration)
    • Exclude Security & Privacy (mitigate avoidance of the screen saver password)
Setup Managed Preferences
• Recommendations
  – Manage Power settings
    • Save energy
    • Software updating
  – Deploy printers
    • Bonjour
  – Set up Software Update
    • More valuable in 10.8
  – Manage network
    • Disable AirPort for hard-wired iMac, Mac Pro, Mac Mini
    • Disable Internet Sharing
• Demo
Login Preferences
Options for login window text and style of login options
Login Preferences
Options for screen saver timing
Login Preferences
Options for automatically mounting network shares
Mobile Preferences
Options for creating a mobile account (cached credentials) for use while off network
System Preferences
Options for restricting icons in System Preferences to help avoid circumventing settings
Power Preferences
Options for energy usage
Print Preferences
Options for printer installation from network printers
Software Update Preferences
Options for pointing Macs to the local update repository
Network Preferences
Options for disabling AirPort on desktops
FileVault Preferences
Options for turning on FileVault for all managed Macs
Time Machine Preferences
Options for Time Machine to a network location
Configure the OD Plugin
• System Preferences > Users & Groups > Login Options > Edit
• Open Directory Utility
• Highlight LDAPv3 and press the Configure button
• Expand the options chevron & press New
• Enter the Open Directory server name and press Continue
• Verify the Computer ID and provide credentials
• Review the LDAPv3 settings
• Note the distinguished name
Apple Remote Desktop
• Documentation
  – http://www.apple.com/remotedesktop/
  – http://manuals.info.apple.com/en_US/ARD_Task_Server.pdf
• Features
  – Remote Control
  – Remote Observe
  – Software installation
  – Copy files
  – Issue UNIX commands
• Licensing and cost
  – $79.99 to manage 20 computers
  – $499.99 Unlimited Managed System Edition
    • Install the task server function on a dedicated Mac server
Apple Remote Desktop
• ARD setup
  – Start with Scanner
  – Utilize a local administrator account for administration
• ARD Console
• Useful Mac Commands
– (add to administrators group) Dscl –u localadmin –P *********** . –append
/Groups/admin GroupMembership trusteduser
– (improve network performance) sudo sysctl -w net.inet.tcp.delayed_ack=0
• http://www.jeremycole.com/blog/2010/01/13/delayed-ack-in-osx-is-incomprehensible/
– (enable spotlight indexing of network drive) mdutil /Volumes/name –i
on
• http://jonathansblog.co.uk/how-to-enable-spotlight-indexing-on-anetwork-drive
– (show hidden files in finder) defaults write com.apple.finder AppleShowAllFiles
TRUE
– (change display sleep time) sudo pmset displaysleep 15
– Boot from CD by holding down C
– Reset NVRAM Command-Option-P-R
• http://support.apple.com/kb/ht1379 Startup disk help with BootCamp
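A safer form of the dscl admin-group command above, added here as an example and not part of the original slides: it checks current membership before appending, and uses dscl's -p option (prompt for the password) instead of -P, which puts the password into the process list and shell history. The parser assumes dscl's "GroupMembership: a b c" output line; the sample output is constructed, and add_admin itself only runs on a Mac.

```shell
#!/bin/sh
# Added example (not from the slides): promote a user to local admin only
# when needed, without the administrator password on the command line.

# group_has_member parses the text of
#   dscl . -read /Groups/admin GroupMembership
# passed as $1 and reports whether user $2 is listed. Pure function, so it
# can be checked offline against constructed output.
group_has_member() {
  members=$(printf '%s\n' "$1" | sed -n 's/^GroupMembership: *//p')
  for m in $members; do
    [ "$m" = "$2" ] && return 0
  done
  return 1
}

# Constructed sample output of the dscl read (not from a real machine).
SAMPLE_READ='GroupMembership: root localadmin itstaff'

# add_admin <localadmin> <user-to-promote>: idempotent add, password prompted
# by dscl (-p) rather than passed with -P. Mac only.
add_admin() {
  current=$(dscl . -read /Groups/admin GroupMembership) || return 1
  if group_has_member "$current" "$2"; then
    echo "$2 is already a member of /Groups/admin"
    return 0
  fi
  dscl -u "$1" -p . -append /Groups/admin GroupMembership "$2"
}
```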
Third Party Options
• SCCM 2012
  – UF initiative
  – Hardware inventory
  – Software inventory
  – Application deployment
  – Configuration deployment and compliance
• JAMF www.jamfsoftware.com
  – Casper Suite
    • OS X
      – Inventory
      – Imaging
      – Patch management (more configuration options)
      – Software deployment
      – Settings management
    • iOS
      – Inventory
      – Configuration
  – Can run on Linux, Windows 2008 R2 or Mac server
    • Needs Java, Tomcat & MySQL
Third Party Options
• JAMF (continued)
  – Onsite setup and training $6,000 (required)
  – $90.00 per client fee waived because of academic pricing
  – Annual maintenance of $18.00 per device per year
• Absolute Manage (www.absolutesoftware.com)
  – Supports Windows, Linux, Mac, iOS & Android
  – Inventory, imaging, power management, patching, application deployment
  – $30-$40 per seat
• OpenLDAP on Linux
  – Cost of a VM
  – Add the Apple schema
  – Add Mac attributes to LDAP
  – Use Workgroup Manager
Outlook Autodiscover
• Private IP
  – iMac, Mac Pro and Mac Mini desktop devices are typically on campus and should utilize autodiscover to resolve mail.ufl.edu to https://outlook.mail.ufl.edu/EWS/Exchange.asmx
• Public IP
  – For MacBooks & MacBook Airs off campus, and to avoid VPN usage, disable autodiscover using AppleScript:
    tell application "Microsoft Outlook"
        set background autodiscover of exchange account 1 to false
    end tell
  – Set the server to https://mail.ufl.edu/EWS/Exchange.asmx