TweetFollow Us on Twitter

MacEnterprise: Snow Leopard Scavenger Hunt

Volume Number: 25
Issue Number: 11
Column Tag: MacEnterprise

MacEnterprise: Snow Leopard Scavenger Hunt

Changes in OS 10.6 of interest to systems administrators

By Greg Neagle,


With each new release of OS X, systems administrators have a bit of a scavenger hunt: hunting for what's new, what's changed, what's fixed, what's broken, what's moved, and what's gone. I have to admit that I find the hunt kind of fun - Apple's given us a new toy, and we get to find all the surprises inside. So instead of a column on a single topic or tool, this month we will be hunting through the new OS, looking for what's new and of interest to enterprise systems administrators!


In a recent MacEnterprise column on launchd, I covered some of the changes to launchd in Snow Leopard. The most important change of interest to systems administrators is the change in how launchd handles the Disabled key in launchd plists.

In Tiger and Leopard, if you disabled a launchd job using launchctl like this:

launchctl unload -w /path/to/launchd.plist

The job would be unloaded, and the Disabled key in the launchd plist would be set to true. In Snow Leopard, the job is still marked as disabled, but the plist is not changed. The value of the Disabled key is stored elsewhere. The launchctl man page doesn't say where it is stored, but some hunting finds it in /private/var/db/launchd.db/.

Inside this directory, there are subdirectories like these:

The directory holds info for LaunchDaemons, and the* directories hold info for LaunchAgents. Each of these directories contains an overrides.plist file. This file contains the current "effective" value of the Disabled key for each launchd job:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "">
<plist version="1.0">

To determine the current enabled/disabled state of a given launchd job, an admin must check the value of the Disabled key in the launchd job's plist, and then also check for an override in /private/var/db/launchd.db/.

An effect of this change is it now possible for non-admins to disable LaunchAgents that run when they login, by running

launchctl unload -w /Library/LaunchAgents/some_launchd.plist

This might be a problem if you rely on LaunchAgents to run at login and perform certain tasks for the user - the user can now turn these off.


OS X systems administrators should be familiar with the networksetup command, which allows you to configure network-related settings from the command line. This tool is ideal for use in setup scripts, or for remote configuration via SSH. In Snow Leopard, networksetup gains a few new tricks.

AirPort options

The AirPort options in networksetup have changed. If you have AirPort configuration scripts, you may need to revise them for Snow Leopard. The -getairportnetwork, -setairportnetwork, -getairportpower, and -setairportpower options all now require a hardware port to be specified. An example:

Prior to Snow Leopard:

networksetup -setairportpower  off

Snow Leopard:

networksetup -setairportpower "AirPort" off

Does this change portend Macs with multiple AirPort interfaces? Your guess is as good as mine.

There are four new options dealing with preferred wireless networks, which could be useful in a setup script that automatically added your organization's wireless network(s) to the preferred list:

   -listpreferredwirelessnetworks hardwareport
   -addpreferredwirelessnetworkatindex hardwareport network...
   -removepreferredwirelessnetwork hardwareport network
   -removeallpreferredwirelessnetworks hardwareport


networksetup can now work with network locations. This would allow you to script the creation and setup of Home and Work locations, for example.

   -createlocation location [populate]
   -deletelocation location
   -switchtolocation location


networksetup has gained the ability to work with 802.1X-secured networks. You can set the System profile, the login profile, or user profiles:

   -listloginprofiles service
   -enablesystemprofile service on | off
   -enableloginprofile service profile on | off
   -enableuserprofile profile on | off
   -import8021xProfiles service path
   -export8021xProfiles service path yes | no
   -export8021xUserProfiles path yes | no
   -export8021xLoginProfiles service path yes | no
   -export8021xSystemProfile service path yes | no
   -settlsidentityonsystemprofile service path passphrase
   -settlsidentityonuserprofile profile path passphrase

These new options don't help with the actual creation of 802.1X profiles, but with the import and export options, you should be able to create them on one machine and deploy them on others.

Lights-Out Management

Finally, networksetup gains options for configuring the Lights-Out Management interface on Intel Xserves:

   -setupBMC portindex static | dhcp ipaddress subnetmask 
         routeraddress adminname adminpassword

For more details on all of the new networksetup options, type "man networksetup" at a command prompt.

Cisco VPN Support

Since we're talking about network configurations, this is a good time to note that Snow Leopard now has Cisco VPN support, accessible from the Network preferences pane. When adding a VPN interface, "Cisco IPSec" now appears as an available VPN Type.

With Cisco's client, an administrator could distribute the client software and some pre-configured profiles. Administrative configuration looks to be more difficult with Apple's built-in client. networksetup did not gain any new capabilities as far as VPN configuration, so that's no help. You can export and import configurations, and since they are XML files, you might be able to generate configurations programmatically.

Figure 1 - Cisco VPN support


mcxrefresh is a new command-line tool to cause a client machine to re-read its MCX settings from the directory services. It must be run as root. You can specify a user id or shortname to refresh the Managed Preferences for a specific user as well as the computer settings. This might be useful when testing changes to MCX settings - you can instantly force a machine to refresh its Managed Preferences.

   mcxrefresh -n joeuser

Directory Utility

You've booted up your first Snow Leopard machine and you want to point it at your Open Directory or third-party LDAP server for directory services. In Leopard, you'd head to the /Applications/Utilities folder and look for Directory Utility. But on your Snow Leopard machine, it seems to be missing. Instead, you can open the Accounts pane in System Preferences as in Figure 2.

Figure 2 - Accounts Preference Pane

When you select Login Options, you'll see a new section for a "Network Account Server." Click Edit, and you'll see the sheet in Figure 3.

Figure 3 - Directory Services pane

From this pane, you can add directory servers, or open Directory Utility for more options. Or you can just skip all this, and go directly to the new location of Directory Utility: /System/Library/CoreServices/Directory

Keychain password Enhancements

A common problem in enterprise environments is keeping the login keychain password in sync with the directory services password. Many environments use a web page to allow their users to change passwords. In other environments, users may have access to multiple machines (say a Mac and a Linux box), sharing a common directory service. If they change their password on their Linux box, or use a web page to change their password, the login keychain on the Mac is not updated with the new password. When the user then logs into their Mac, the login keychain is not unlocked, and access to mail accounts, web pages, file servers and the like might be affected. Prior to Snow Leopard, many administrators used's Keychain Minder to handle this situation. When configured to run as a login item, Keychain Minder would check to see if the login keychain was unlocked at login, and offer to help the user reset the login keychain password if needed.

Snow Leopard builds in most of Keychain Minder's functionality. If the user password is changed, and the login keychain can't be unlocked at login, you'll see a dialog like the one in Figure 4.

Figure 4 - Update Keychain Password dialog

You can then update your keychain password, create a new keychain, or ignore the issue.

Screen Saver

Since the release of OS X 10.0, large organizations have wanted the ability to run a screen saver when the machine is at the login window. Apple's opinion always seemed to be that you should have your machines (or at least the displays) sleep when idle at the loginwindow for a long time. High schools, colleges, and other organizations instructional labs often wanted the machines to stay on with active displays so students could quickly identify available machines. When presented with a machine that was asleep, or with a darkened display, many students assumed the machine was broken. In my organization, we had a number of Macs connected to color-calibrated CRT monitors. These monitors needed to be left powered up and with an active display in order to maintain their calibration.

Whatever the reason, when an organization wanted/needed the display to remain active when the machine was at the loginwindow, they had a new challenge to deal with: screen burn-in. A machine left for hours or days at the loginwindow could burn the image of the loginwindow into the phosphors. (And although LCDs are supposedly immune to the effects of burn-in, I've seen evidence to the contrary.) So it's understandable to want the screen saver to run over the loginwindow to prevent burn-in. Some organizations also saw this as an opportunity to run a screensaver that presented news or announcements about the organization.

Unfortunately, Apple did not support running the screen saver at the login window. Various workarounds were developed. An application called Screen Preserver could be used to display slideshows over the loginwindow. In 10.3 and 10.4, enterprising administrators developed scripts that allowed Apple's screen saver to run over the login window. But Leopard brought that practice to an end, as the built-in screen saver no longer would run over the loginwindow.

So it was with some surprise when testing Snow Leopard this summer that I noticed the screen saver kick in while I was logged out. This new behavior persisted into the final release. There's no user interface to control which screen saver runs, or how long to wait until activation. I haven't yet figured out any other way to control these options, but I'm sure someone will before long. Still, this is a welcome change, and only took eight years for Apple to implement!

Exchange integration

We can't finish our scavenger hunt without mentioning a new feature of great interest to many enterprise systems administrators (and regular users!) - support for Microsoft Exchange. If your organization is running Exchange Server 2007 (and alas, my organization isn't yet...), you can configure Mail, iCal, and Address Book to talk to your organization's Exchange server. While this doesn't give you the full range of functionality you can get from Entourage 2008 Web Services Edition (let alone Outlook on Windows), it may be sufficient for some user's needs.

The Exchange integration in Snow Leopard is based on Exchange Web Services, a new protocol first available in Exchange Server 2007 SP1. Older Exchange servers support only MAPI (a protocol extremely difficult to replicate outside of Windows - even Entourage, a Microsoft product, doesn't use it), or the limited OWA (Outlook Web Access) protocol, which is on its way out. For this reason, the Exchange integration in Snow Leopard doesn't work with older Exchange servers.

Since this is a new feature, and Exchange support is notoriously difficult to implement (otherwise, why would Entourage still have issues?), it may work well in your environment, or not at all. Early reactions on the MacEnterprise mailing list are mixed: some organizations are reporting great success; others are having difficulties. If your organization is running Exchange 2007, try it yourself and see.

Figure 5 shows the dialog in for adding an Exchange 2007 account. Note the options to also setup Address Book and iCal. If you don't configure them here, each of these applications also has an interface for configuring Exchange 2007 accounts.

Figure 5 - Mail setup for Exchange 2007


That concludes our scavenger hunt. If there's a theme to the changes in Snow Leopard, it's "refinement". Lots of little things have been subtly refined, providing a better user experience, or making things work the way they should have earlier. We have by no means covered all the changes in OS X 10.6 - there are many more. Have fun on your hunt!

Greg Neagle is a member of the steering committee of the Mac OS X Enterprise Project ( and is a senior systems engineer at a large animation studio. Greg has been working with the Mac since 1984, and with OS X since its release. He can be reached at


Community Search:
MacTech Search:

Software Updates via MacUpdate

Google Chrome 54.0.2840.71 - Modern and...
Google Chrome is a Web browser by Google, created to be a modern platform for Web pages and applications. It utilizes very fast loading of Web pages and has a V8 engine, which is a custom built... Read more
HoudahSpot 4.2.6 - Advanced file-search...
HoudahSpot is a powerful file search tool. Use HoudahSpot to locate hard-to-find files and keep frequently used files within reach. HoudahSpot will immediately feel familiar. It works just the way... Read more
Yummy FTP Pro 1.11.11 - $29.99
Yummy FTP Pro is an advanced Mac file transfer app which provides a full-featured professional toolkit combined with blazing speeds and impeccable reliability, so whether you want to transfer a few... Read more
Shimo - VPN client – for everyon...
Shimo is the most versatile VPN client for OS X and it enables really everybody to master secure network. It supports more protocols than any other VPN application out there! CiscoVPN, AnyConnect,... Read more
Dash 3.4.0 - Instant search and offline...
Dash is an API documentation browser and code snippet manager. Dash helps you store snippets of code, as well as instantly search and browse documentation for almost any API you might use (for a full... Read more
AirRadar 3.1.9 - $9.95
With AirRadar, scanning for wireless networks is now easier and more personalized! It allows you to scan for open networks and tag them as favourites or filter them out. View detailed network... Read more
Printopia 2.1.22 - Share Mac printers wi...
Run Printopia on your Mac to share its printers to any capable iPhone, iPad or iPod Touch. Printopia will also add virtual printers, allowing you to save print-outs to your Mac and send to apps.... Read more
SteerMouse 5.0 - Powerful third-party mo...
SteerMouse is an advanced driver for USB and Bluetooth mice. It also supports Apple Mighty Mouse very well. SteerMouse can assign various functions to buttons that Apple's software does not allow,... Read more
Alarm Clock Pro 10.2.5 - $19.95
Alarm Clock Pro isn't just an ordinary alarm clock. Use it to wake you up in the morning, send and compose e-mails, remind you of appointments, randomize the iTunes selection, control an internet... Read more
Cocktail 10.1 - General maintenance and...
Cocktail is a general purpose utility for macOS that lets you clean, repair and optimize your Mac. It is a powerful digital toolset that helps hundreds of thousands of Mac users around the world get... Read more

Latest Forum Discussions

See All

Game of Dice is now available on Faceboo...
After celebrating its anniversary in style with a brand new update, there’s even more excitement in store for Game of Dice has after just being launched on Facebook Gameroom. A relatively new platform, Facebook Gameroom has been designed for PC... | Read more »
4 addictive clicker games like Best Fien...
Clickers are passive games that take advantage of basic human psychology to suck you in, and they're totally unashamed of that. As long as you're aware that this game has been created to take hold of your brain and leave you perfectly content to... | Read more »
Smile Inc. Guide: How not to die on the...
As if Mondays weren't bad enough, at Smile Inc. you have to deal with giant killer donuts, massive hungry staplers, and blasting zones. It's not exactly a happy, thriving work environment. In fact, you'll be lucky to survive the nine to five.... | Read more »
Oh...Sir! The Insult Simulator (Games)
Oh...Sir! The Insult Simulator 1.0 Device: iOS Universal Category: Games Price: $1.99, Version: 1.0 (iTunes) Description: | Read more »
WitchSpring2 (Games)
WitchSpring2 1.27 Device: iOS Universal Category: Games Price: $3.99, Version: 1.27 (iTunes) Description: This is the story of Luna, the Moonlight Witch as she sets out into the world. This is a sequel to Witch Spring. Witch Spring 2... | Read more »
4 popular apps getting a Halloween makeo...
'Tis the season for all things spooky. So much, so, in fact, that even apps are getting into the spirt of things, dressing up in costume and spreading jack o' lanterns all about the place. These updates bring frightening new character skins, scary... | Read more »
Pokémon GO celebrates Halloween with can...
The folks behind Pokémon GO have some exciting things planned for their Halloween celebration, the first in-game event since it launched back in July. Starting October 26 and ending on November 1, trainers will be running into large numbers of... | Read more »
Best Fiends Forever Guide: How to collec...
The fiendship in Seriously's hit Best Fiends has been upgraded this time around in Best Fiends Forever. It’s a fast-paced clicker with lots of color and style--kind of reminiscent of a ‘90s animal mascot game like Crash Bandicoot. The game... | Read more »
5 apps for the budding mixologist
Creating your own cocktails is something of an art form, requiring a knack for unique tastes and devising interesting combinations. It's easy to get started right in your own kitchen, though, even if you're a complete beginner. Try using one of... | Read more »
5 mobile strategy games to try when you...
Strategy enthusiasts everywhere are celebrating the release of Civilization VI this week, and so far everyone seems pretty satisfied with the first full release in the series since 2010. The series has always been about ultra-addictive gameplay... | Read more »

Price Scanner via

Macs’ Superior Enterprise Deployment Cost Eco...
IBM’s debunking of conventional wisdom and popular mythology about the relative cost of using Apple Mac computers as opposed to PCs running Microsoft Windows at the sixth annual Jamf Nation User... Read more
12-inch WiFi Apple iPad Pros on sale for $50-...
B&H Photo has 12″ WiFi Apple iPad Pros on sale for $50-$70 off MSRP, each including free shipping. B&H charges sales tax in NY only: - 12″ Space Gray 32GB WiFi iPad Pro: $749 $50 off MSRP -... Read more
Apple refurbished 12-inch 128GB iPad Pros ava...
Apple has Certified Refurbished 12″ Apple iPad Pros available for up to $160 off the cost of new iPads. An Apple one-year warranty is included with each model, and shipping is free: - 32GB 12″ iPad... Read more
Apple refurbished iPad minis and iPad Air 2s...
Apple recently dropped prices on several Certified Refurbished iPad mini 4s and 2s as well as iPad Air 2s. An Apple one-year warranty is included with each model, and shipping is free: - 16GB iPad... Read more
MacHTTP-js Preview Full-featured Web Server f...
MacHTTP.Org has released MacHTTP-js Preview for macOS, a full-featured Web server for 21st Century desktops and servers. MacHTTP-js is a modern take on the classic stand-alone, desktop computer Web... Read more
Samsung Galaxy Tab A 10.1 with S Pen Makes US...
Samsung Electronics America, Inc. has announced the release of the Galaxy Tab A 10.1 with S Pen in a highly mobile, lightweight tablet. “With an embedded S Pen, consumers can discover more ways to... Read more
13-inch 2.5GHz MacBook Pro (Apple refurbished...
Apple has Certified Refurbished 13″ 2.5GHz MacBook Pros available for $829, or $270 off the cost of new models. Apple’s one-year warranty is standard, and shipping is free: - 13″ 2.5GHz MacBook Pros... Read more
27-inch iMacs on sale for up to $220 off MSRP
B&H Photo has 27″ Apple iMacs on sale for up to $200 off MSRP including free shipping plus NY sales tax only: - 27″ 3.3GHz iMac 5K: $2099 $200 off MSRP - 27″ 3.2GHz/1TB Fusion iMac 5K: $1899.99 $... Read more
13-inch 2.5GHz MacBook Pro available for $927...
Overstock has the 13″ 2.5GHz MacBook Pro available for $926.99 including free shipping. Their price is $172 off MSRP. Read more
Apple refurbished 2015 13-inch MacBook Airs a...
Apple has Certified Refurbished 2015 13″ MacBook Airs available starting at $759. An Apple one-year warranty is included with each MacBook, and shipping is free: - 2015 13″ 1.6GHz/4GB/128GB MacBook... Read more

Jobs Board

Security Data Analyst - *Apple* Information...
…data sources need to be collected to allow Information Security to better protect Apple employees and customers from a wide range of threats.Act as the subject Read more
*Apple* Retail - Multiple Positions - Apple,...
Job Description: Sales Specialist - Retail Customer Service and Sales Transform Apple Store visitors into loyal Apple customers. When customers enter the store, Read more
*Apple* Solutions Consultant - Apple (United...
# Apple Solutions Consultant Job Number: 52812872 Houston, Texas, United States Posted: Oct. 18, 2016 Weekly Hours: 40.00 **Job Summary** As an Apple Solutions Read more
Lead *Apple* Solutions Consultant - Apple (...
# Lead Apple Solutions Consultant Job Number: 52812906 Houston, Texas, United States Posted: Oct. 18, 2016 Weekly Hours: 40.00 **Job Summary** The Lead ASC is an Read more
*Apple* Retail - Multiple Positions- Towson,...
Job Description: Sales Specialist - Retail Customer Service and Sales Transform Apple Store visitors into loyal Apple customers. When customers enter the store, Read more
All contents are Copyright 1984-2011 by Xplain Corporation. All rights reserved. Theme designed by Icreon.