Volume Number: 24 (2008)
Issue Number: 02
Column Tag: Operating Systems
New options in Workgroup Manager in Leopard
By Philip Rinehart, Yale University
A couple of months ago, I talked a little about all of the new command line options for troubleshooting Managed Preferences. In short, many new options are available for the system administrator. Well, even more love was given to the Preference Manifest Editor. New to Tiger, any preference could be managed in theory, as long as the manifest existed in the application. In Leopard, Apple engineers added some new abilities, many of which are quite powerful.
Getting started is pretty simple, and it is explained in the Leopard server guide. However, I had to play with it a little bit to really understand it fully. Another useful tip: Leopard Server is not needed to play with the manifests. How, you ask? It is actually pretty easy. First, download a copy of the Leopard Server tools from the Apple download website. Install them, and launch Workgroup Manager. Now, instead of actually authenticating against a server, click Cancel. Next, click View Directories from the Server menu.
A window similar to Figure 1 should appear. Note that the Local Directory is being viewed here, not an Open Directory server. Click the Lock to authenticate, and enter an administrator account on the machine. For my testing, I created a testmcx user. This user will also appear in the System Preferences Accounts panel; the account appears as a managed account. So far, not so different from Tiger, right? Select a user, and click on Preferences. Nothing is managed initially, as expected. Click on the Details button. Nothing appears in the window. Now, here's where it begins to get interesting. Click the Plus button. The dialog box asks for a location. Use the Command-G option to navigate to the /System/Library/CoreServices directory. Next, choose the ManagedClient application. Whoa, look at all of the applications that can now be managed! Your WGM screen should be similar to Figure 2:
Pretty interesting, eh? Many of these preferences cannot be managed via the standard Preferences interface. The next question is how do you actually manage these preferences? Let's look at two of them.
As noted on AFP548.com, a very interesting option is the use of Folder Redirection. Let's get started. First select the Folder Redirection option, and click the Edit icon. At first the Dictionary will appear to be empty. There's a bit of a trick to actually get it to work. Choose Always, and click the disclosure triangle so that it points downward. Next, click New Key. Still doesn't look very interesting, does it? How do you pick the right key? Here's where the magic is: click on the new item.
Voila! There are now multiple ways to redirect, at login and at logout, as shown in Figure 3. Select any one of them, and it will create an array of keys that are pre-populated. Keep clicking New Key if the key is not a string, but instead an array or dictionary. Try it out; it's pretty self-explanatory once you understand the little trick to get it working. Another tip: in the window at the bottom of the Workgroup Manager screen, a full explanation of how the key is used is given. Pay attention to it, as it is written fairly clearly.
Figure 4 shows how a fully populated Redirection key will look. The default option is to delete the folder in the local home directory and put in a symbolic link to the redirected folder. One other note: how does the redirector know the user? For all of these managed preferences, the %@ is used as a replacement for the user who is currently logging in. From a scriptwriter's perspective, this substitution is slightly different, as scriptwriters have gotten used to using the $1 substitution. One other note: this key can be managed as Once, Often or Always. Not all keys can be managed this way. Let's look at one that can only be managed as Always.
Bluetooth commonly needs to be managed in more secure environments. In particular, the ability to even turn on Bluetooth may need to be disallowed. In this case, try adding the key as Often or Once. Note that there are no options available. The Bluetooth managed preference key can only be managed Always. It makes sense if you think about it, as from a security standpoint a system administrator would always want it to be off. If you use the Always key, an option to Disable Bluetooth appears. In my book, this ability is long overdue!
Other keys can be managed, including iWork and QuickTime registrations, as well as a more extensive number of keys for mobile computing. A couple of keys have solved nagging problems right away in my work, including the ability to control the Safari downloads location, turning off Autofill for Safari, and Open Safe Downloads, all things that can make more sense to manage from a server.
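As an added example (not from the original article), the script below audits an exported set of managed preferences against a small baseline: it reports whether each security setting is enforced at the Always level or merely delivered Once/Often, and expands the %@ placeholder in Folder Redirection rules. The export layout (domain, then Forced or Set-Once, then mcx_preference_settings), the domain and key names, the baseline, and the treatment of %@ as the user's short name are all assumptions that do not appear in the article.

```python
import plistlib

# Constructed sample in the assumed export layout; not from a real machine.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
 <key>com.apple.MCXBluetooth</key><dict><key>Forced</key><array><dict>
  <key>mcx_preference_settings</key><dict><key>DisableBluetooth</key><true/></dict>
 </dict></array></dict>
 <key>com.apple.Safari</key><dict><key>Set-Once</key><array><dict>
  <key>mcx_preference_settings</key><dict><key>AutoOpenSafeDownloads</key><false/></dict>
 </dict></array></dict>
 <key>com.apple.MCXRedirector</key><dict><key>Forced</key><array><dict>
  <key>mcx_preference_settings</key><dict><key>LoginRedirections</key><array><dict>
   <key>action</key><string>deleteAndCreateSymLink</string>
   <key>path</key><string>~/Library/Caches</string>
   <key>destPath</key><string>/private/tmp/%@/Caches</string>
  </dict></array></dict>
 </dict></array></dict>
</dict></plist>"""

# Hypothetical baseline of settings that must be enforced: (domain, key, value).
BASELINE = [("com.apple.MCXBluetooth", "DisableBluetooth", True),
            ("com.apple.Safari", "AutoOpenSafeDownloads", False)]

def settings_at(export, domain, level):
    """Merge every mcx_preference_settings dict stored under one level."""
    merged = {}
    for entry in export.get(domain, {}).get(level, []):
        merged.update(entry.get("mcx_preference_settings", {}))
    return merged

def audit(plist_bytes, short_name):
    """Return (findings per baseline key, expanded login redirections)."""
    export = plistlib.loads(plist_bytes)
    findings = {}
    for domain, key, want in BASELINE:
        forced = settings_at(export, domain, "Forced")      # Always
        once = settings_at(export, domain, "Set-Once")      # Once / Often
        if key in forced:
            findings[key] = "enforced" if forced[key] == want else "wrong-value"
        elif key in once:
            findings[key] = "not-enforced"  # the user can change it afterwards
        else:
            findings[key] = "missing"
    redirector = settings_at(export, "com.apple.MCXRedirector", "Forced")
    redirects = [(r["path"], r["destPath"].replace("%@", short_name))
                 for r in redirector.get("LoginRedirections", [])]
    return findings, redirects
```

Calling audit(SAMPLE, "testmcx") flags the Safari setting as not enforced because it sits outside the Always level, which is the distinction the Bluetooth key makes mandatory.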
One last thing: since this article talks about how to use the local directory for management, these modifications could be used as part of an image distribution mechanism, and not require Leopard Server. Management in this way really isn't scalable, but it might work for a test deployment to explore the new options available for system administration.
Well, that's about it for this month. I encourage you to explore the new options available, and if options are missing that you would like to manage, make sure to submit a Feature Request. Only through feature request submissions will more options be added! Until next month, I'll see you on the lists!
Philip Rinehart is co-chair of the steering committee leading the Mac OS X Enterprise Project (macenterprise.org) and is the Lead Mac Analyst at Yale University. He has been using Macintosh Computers since the days of the Macintosh SE, and Mac OS X since its Developer Preview Release. Before coming to Yale, he worked as a Unix system administrator for a dot-com company. He can be reached at: firstname.lastname@example.org.
The MacEnterprise project is a community of IT professionals sharing information and solutions to support Macs in an enterprise. We collaborate on the deployment, management, and integration of Mac OS X client and server computers into multi-platform computing environments.