TweetFollow Us on Twitter

MacEnterprise: MCX - No Excuses, Now!

Volume Number: 24
Issue Number: 11
Column Tag: MacEnterprise

MacEnterprise: MCX - No Excuses, Now!

New options for managing workstations in OS X Leopard

By Greg Neagle, MacEnterprise.org

Frequently Asked Questions

There is a certain type of question that pops up over and over again on the MacEnterprise mailing list, the radmind-users list, and other lists, forums, and discussion groups where Mac admins hang out. You'll also hear these questions at the Macworld IT track, and at WWDC. The questions go like this: "How do I manage the screen saver so it always asks for a password?" "How can I prevent the OS from asking the user if they want to use a newly connected FireWire/USB disk as a Time Machine backup destination?" "How do I get the Office 2008 Setup Assistant to not pop up for new users?" Or more generally, "How do I manage the user experience on all my machines?" Nine times out of ten, this question can be answered with "Use MCX!".

MCX

For several years, Apple has had a technology for managing workstations and the user experience, often referred to as MCX, or Managed Client for OS X. To take advantage of MCX to manage users, groups, and computers, an administrator uses Apple's Workgroup Manager utility to edit records in a directory service - typically Open Directory, but sometimes Active Directory or third-party LDAPv3 with Apple's schema extensions.

If your organization did not use Open Directory as its central directory service, and was unwilling or unable to extend the schema on its existing directory service, it was difficult to get the benefits of using MCX to manage your Macs and their users.

There were a few options: one, often referred to as the "Magic Triangle", involved binding client Macs to both the organization's central directory services, and to a locally-managed Open Directory server. Mac clients would then receive their user and group info from the central directory, and their client management data from Open Directory.

Another option was for admins to write scripts that replicated some of the behavior provided by MCX - usually by modifying plist files with the defaults command or PlistBuddy.

Far less frequently used was the option to store MCX data in the client's local directory service. This was possible with NetInfo, but the trouble was replicating those settings across multiple machines. You could not simply replicate the NetInfo database across multiple machines; you had to find a way to export the MCX data (and the objects it was attached to), and import this data on other machines.

So when a Mac administrator asked "How do I manage...", and you replied "Use MCX!", they'd often object: "But I don't have an Open Directory server, and my Active Directory admins won't let us extend the schema! So is there another way?" Using MCX data in the local NetInfo was too difficult, so they spent a lot of time writing scripts to manage things, and then pushed those scripts out to every machine.

Leopard changes the equation. Now there is really no excuse at all to not use MCX to manage your machines. If you don't have a central MCX-friendly directory service, you can store the MCX data in the local directory service. More importantly, since this data is stored as simple files, replicating this to other machines is as simple as copying a few files. If you manage multiple OS X machines, you must have a way to copy files to each machine - that might be a software distribution mechanism like Casper or FileWave, a filesystem management utility like radmind, or even something as basic as Apple Remote Desktop or the scp utility.

This method also allows administrators to ease into MCX management: you do not need an Open Directory server or extended schema to get started. Instead, you can start with the local directory service. Once the powers-that-be in your organization can see the benefits of MCX, they may be more inclined to invest in the resources needed to set up a "Magic Triangle" or extend the schema on your existing directory service.

Demo Time

Let's demonstrate what can be done with MCX and the local directory service.

You'll need Workgroup Manager, which is part of Apple's Server Admin Tools 10.5. Get them from your Leopard Server install media, or search Apple's website for "Server Admin Tools".

To work with the local directory service, launch Workgroup Manager on a OS X client machine. When presented with the dialog to connect to a server, type "localhost" as the server name, and enter the name and password of a local admin for the local machine.


You'll see a warning that you are working in a directory node that is not visible to the network. Check Do not show this warning again if you wish, and click OK to dismiss the panel.

For purposes of this demo, we'll manage aspects of the local machine using the guest computer object. Settings for this object apply to all computers that don't have an explicit computer account record in the directory, which makes it work well for this demo. Choose Create Guest Computer from the Server menu in Workgroup Manager. You'll now have a guest object in the Computer view:


Select the guest computer, then click the Preferences icon in the toolbar. We're going to set some options for the Login Window, so click the Login icon in the Preferences overview.


Under the Window tab, click Manage: Always, then make some changes to the managed settings. Below, I've changed the Heading to display the serial number instead of the machine name, added a message to the Login Window, and changed the Style to show only name and password fields (instead of the default list of users).


Click Apply Now to save your changes.

Now log out and you should see the Login Window display the changes. If you don't, a restart should get them to kick in.


Even more interesting: log back in and open System Preferences, select the Accounts preference pane, and choose Login Options. If you followed my example and set the Login Window to show name and password text fields, you'll see that option set in the preference pane, and grayed out so you cannot change it.


This is a huge advantage of using MCX instead of scripts that write to various plists - in many cases, the OS updates the user interface to reflect your management settings.

We've used Workgroup Manager to manage certain preferences for this machine, and stored the MCX record in the local directory service. But what exactly does that mean? To find out, login as an admin and open the Terminal application. You'll need root privileges, so type sudo -s and press return, entering your own password when prompted (your account will typically need to be admin level to work. If not, login with an admin-level account).

Now change to the local directory service directory, and list its contents:

root# cd /private/var/db/dslocal/nodes/Default
root# ls
aliases        computergroups config         machines       users
computer_lists computers      groups         networks

The guest computer object we created, since it's a computer object, is stored in the "computers" directory:

root# cd computers
root# ls
guest.plist

Let's examine guest.plist:

root# cat guest.plist

And you'll see a standard OS X plist, which is too long and boring to list here. But you don't really need to deal with the internal structure at all - to replicate these MCX settings on another machine, you need only copy this file to the same location on another machine (and most likely restart the other machine, or restart DirectoryService to get it to notice your changes). If you have a way to push out files to your managed machines, you can now push out MCX settings the same way.

Future Directions

The demonstration isn't very flexible: since all the managed settings are stored in guest.plist, it's hard to mix and match settings. Next time, we'll look at some MCX management strategies using Leopard's new ComputerGroups that allow you to mix and match management policies.

Greg Neagle is a member of the steering committee of the Mac OS X Enterprise Project (macenterprise.org) and is a senior systems engineer at a large animation studio. Greg has been working with the Mac since 1984, and with OS X since its release. He can be reached at gregneagle@mac.com.

 
AAPL
$467.36
Apple Inc.
+0.00
MSFT
$32.87
Microsoft Corpora
+0.00
GOOG
$885.51
Google Inc.
+0.00

MacTech Search:
Community Search:

Software Updates via MacUpdate

VueScan 9.2.23 - Scanner software with a...
VueScan is a scanning program that works with most high-quality flatbed and film scanners to produce scans that have excellent color fidelity and color balance. VueScan is easy to use, and has... Read more
Acorn 4.1 - Bitmap image editor. (Demo)
Acorn is a new image editor built with one goal in mind - simplicity. Fast, easy, and fluid, Acorn provides the options you'll need without any overhead. Acorn feels right, and won't drain your bank... Read more
Mellel 3.2.3 - Powerful word processor w...
Mellel is the leading word processor for OS X, and has been widely considered the industry standard since its inception. Mellel focuses on writers and scholars for technical writing and multilingual... Read more
Iridient Developer 2.2 - Powerful image...
Iridient Developer (was RAW Developer) is a powerful image conversion application designed specifically for OS X. Iridient Developer gives advanced photographers total control over every aspect of... Read more
Delicious Library 3.1.2 - Import, browse...
Delicious Library allows you to import, browse, and share all your books, movies, music, and video games with Delicious Library. Run your very own library from your home or office using our... Read more
Epson Printer Drivers for OS X 2.15 - Fo...
Epson Printer Drivers includes the latest printing and scanning software for OS X 10.6, 10.7, and 10.8. Click here for a list of supported Epson printers and scanners.OS X 10.6 or laterDownload Now Read more
Freeway Pro 6.1.0 - Drag-and-drop Web de...
Freeway Pro lets you build websites with speed and precision... without writing a line of code! With it's user-oriented drag-and-drop interface, Freeway Pro helps you piece together the website of... Read more
Transmission 2.82 - Popular BitTorrent c...
Transmission is a fast, easy and free multi-platform BitTorrent client. Transmission sets initial preferences so things "Just Work", while advanced features like watch directories, bad peer blocking... Read more
Google Earth Web Plug-in 7.1.1.1888 - Em...
Google Earth Plug-in and its JavaScript API let you embed Google Earth, a true 3D digital globe, into your Web pages. Using the API you can draw markers and lines, drape images over the terrain, add... Read more
Google Earth 7.1.1.1888 - View and contr...
Google Earth gives you a wealth of imagery and geographic information. Explore destinations like Maui and Paris, or browse content from Wikipedia, National Geographic, and more. Google Earth... Read more
 

See All

Strategy & Tactics: World War II Upd...
Strategy & Tactics: World War II Update Adds Two New Scenarios Posted by Andrew Stevens on August 12th, 2013 [ permalink ] Universal App - Designed for iPhone and iPad | Read more »
Expenses Planner Review
Expenses Planner Review By Angela LaFollette on August 12th, 2013 Our Rating: :: PLAIN AND SIMPLEUniversal App - Designed for iPhone and iPad Expenses Planner keeps track of future bills through due date reminders, and it also... | Read more »
Kinesis: Strategy in Motion Brings An Ad...
Kinesis: Strategy in Motion Brings An Adaptation Of The Classic Strategic Board Game To iOS Posted by Andrew Stevens on August 12th, 2013 [ | Read more »
Z-Man Games Creates New Studio, Will Bri...
Z-Man Games Creates New Studio, Will Bring A Digital Version of Pandemic! | Read more »
Minutely Review
Minutely Review By Jennifer Allen on August 12th, 2013 Our Rating: :: CROWDSOURCING WEATHERiPhone App - Designed for the iPhone, compatible with the iPad Work together to track proper weather conditions no matter what area of the... | Read more »
10tons Discuss Publishing Fantasy Hack n...
Recently announced, Trouserheart looks like quite the quirky, DeathSpank-style fantasy action game. Notably, it’s a game that is being published by established Finnish games studio, 10tons and developed by similarly established and Finnish firm,... | Read more »
Boat Watch Lets You Track Ships From Por...
Boat Watch Lets You Track Ships From Port To Port Posted by Andrew Stevens on August 12th, 2013 [ permalink ] Universal App - Designed for iPhone and iPad | Read more »
Expenses Review
Expenses Review By Ruairi O'Gallchoir on August 12th, 2013 Our Rating: :: STUNNINGiPhone App - Designed for the iPhone, compatible with the iPad Although focussing primarily on expenses, Expenses still manages to make tracking... | Read more »
teggle is Gameplay Made Simple, has Play...
teggle is Gameplay Made Simple, has Players Swiping for High Scores Posted by Andrew Stevens on August 12th, 2013 [ permalink ] | Read more »
How To: Manage iCloud Settings
iCloud, much like life, is a scary and often unknowable thing that doesn’t always work the way it should. But much like life, if you know the little things and tweaks, you can make it work much better for you. I think that’s how life works, anyway.... | Read more »
See All

Price Scanner via MacPrices.net

13″ 2.5GHz MacBook Pro on sale for $150 off M...
B&H Photo has the 13″ 2.5GHz MacBook Pro on sale for $1049.95 including free shipping. Their price is $150 off MSRP plus NY sales tax only. B&H will include free copies of Parallels Desktop... Read more
iPod touch (refurbished) available for up to...
The Apple Store is now offering a full line of Apple Certified Refurbished 2012 iPod touches for up to $70 off MSRP. Apple’s one-year warranty is included with each model, and shipping is free: -... Read more
27″ Apple Display (refurbished) available for...
The Apple Store has Apple Certified Refurbished 27″ Thunderbolt Displays available for $799 including free shipping. That’s $200 off the cost of new models. Read more
Apple TV (refurbished) now available for only...
The Apple Store has Apple Certified Refurbished 2012 Apple TVs now available for $75 including free shipping. That’s $24 off the cost of new models. Apple’s one-year warranty is standard. Read more
AnandTech Reviews 2013 MacBook Air (11-inch)...
AnandTech is never the first out with Apple new product reviews, but I’m always interested in reading their detailed, in-depth analyses of Macs and iDevices. AnandTech’s Vivek Gowri bought and tried... Read more
iPad, Tab, Nexus, Surface, And Kindle Fire: W...
VentureBeat’s John Koetsier says: The iPad may have lost the tablet wars to an army of Android tabs, but its still first in peoples hearts. Second place, however, belongs to a somewhat unlikely... Read more
Should You Buy An iPad mini Or An iPad 4?
Macworld UK’s David Price addresses the conundrum of which iPAd to buy? Apple iPad 4, iPad 2, iPad mini? Or hold out for the iPad mini 2 or the iPad 5? Price notes that potential Apple iPad... Read more
iDraw 2.3 A More Economical Alternative To Ad...
If you’re a working graphics pro, you can probably justify paying the stiff monthly rental fee to use Adobe’s Creative Cloud, including the paradigm-setting vector drawing app. Adobe Illustrator. If... Read more
New Documentary By Director Werner Herzog Sho...
Injuring or even killing someone because you were texting while driving is a life-changing experience. There are countless stories of people who took their eyes off the road for a second and ended up... Read more
AppleCare Protection Plans on sale for up to...
B&H Photo has 3-Year AppleCare Warranties on sale for up to $105 off MSRP including free shipping plus NY sales tax only: - Mac Laptops 15″ and Above: $244 $105 off MSRP - Mac Laptops 13″ and... Read more
 

Jobs Board

Sales Representative - *Apple* Honda - Appl...
APPLE HONDA AUTOMOTIVE CAREER FAIR! NOW HIRING AUTO SALES REPS, AUTO SERVICE BDC REPS & AUTOMOTIVE BILLER! NO EXPERIENCE NEEDED! Apple Honda is offering YOU a Read more
*Apple* Developer Support Advisor - Portugue...
Changing the world is all in a day's work at Apple . If you love innovation, here's your chance to make a career of it. You'll work hard. But the job comes with more than Read more
RBB - *Apple* OS X Platform Engineer - Barc...
RBB - Apple OS X Platform Engineer Ref 63198 Country USA…protected by law. Main Function | The engineering of Apple OS X based solutions, in line with customer and Read more
RBB - Core Software Engineer - Mac Platform (...
RBB - Core Software Engineer - Mac Platform ( Apple OS X) Ref 63199 Country USA City Dallas Business Area Global Technology Contract Type Permanent Estimated publish end Read more
*Apple* Desktop Analyst - Infinity Consultin...
Job Title: Apple Desktop Analyst Location: Yonkers, NY Job Type: Contract to hire Ref No: 13-02843 Date: 2013-07-30 Find other jobs in Yonkers Desktop Analyst The Read more

  • Generate a short URL for this page:



All contents are Copyright 1984-2011 by Xplain Corporation. All rights reserved. Theme designed by Icreon.