Home > Articles > Apple > Operating Systems
![]() ␡
< BackPage 2 of 14Next >
Mac OS X 10.7: version 12.1.1 (support was dropped 12.1.4) Changes to Gatekeeper in Mac OS X 10.9.5, which affect the installer file, are addressed as of version 12.1.5. The Symantec Endpoint Protection client for Mac did not update for the following releases. Connect on the MAC OSX devices that you want to install Microsoft Intune client Open Safari and go to portal.manage.microsoft.com Click on This device is either not enrolled or the Company Portal can’t identify it.
This chapter is from the book
Apple Training Series: Mac OS X Deployment v10.6: A Guide to Deploying and Maintaining Mac OS X and Mac OS X Software
This chapter is from the bookThis chapter is from the book
Apple Training Series: Mac OS X Deployment v10.6: A Guide to Deploying and Maintaining Mac OS X and Mac OS X Software
Integrating with Managed Preferences
If you have used the Parental Controls preferences to manage a local Mac or the Preferences pane of Workgroup Manager on a Mac OS X Server to manage networked Macs, then you have used preference management. Both of these features are facilitated by the underlying managed preferences architecture. The Mac OS X managed preferences architecture, sometimes called MCX, is a method to control both system and user settings from a centralized source. In other words, you can use managed preferences to define policy for all your clients from a single administrative resource.
In this section, you will learn how you can leverage Mac OS X’s managed preferences as an alternative to deploying static settings as part of a system image. Planning and implementing this type of client management system is the best way to enforce usage policies and maintain a consistent configuration across your deployed systems. Nevertheless, managed preferences are not required to deploy system images. In fact, the flexibility of this system means that you could choose to deploy managed preferences well after you have deployed your system images.
For many deployments the managed preferences source is a network directory service that the client computers are bound to, like a Mac OS X Server with the Open Directory service enabled. By relying on a network directory service for acquiring configuration, you have much greater flexibility for deploying user and system settings. Storing configuration information on a directory server means you don’t have to include this configuration as part of your system image. Further, when managing preferences from a network directory service you can easily change configuration settings after your initial deployment.
Understanding the Managed Preferences Architecture
Mac OS X’s managed preferences architecture allows you to define policy at four different account levels; user, group, computer, and computer group. The background process MCXCompositor, found inside the /System/Library/CoreServices/ManagedClient.app bundle, is responsible for assessing any available managed preferences. At system startup the compositor process queries directory services for computer and computer group managed preferences, and during login queries for user and group managed preferences. These preferences are then cached to the local computer so the management remains active even if the Mac is disconnected from the directory service.
![]()
As you can see, managed preferences rely on directory services as the source for policy information. This allows you to store managed preferences in any location that Mac OS X’s directory service can access. This includes the local account database, a properly configured Lightweight Directory Access Protocol (LDAP) server like the one hosted from a Mac OS X Server, or a properly configured Active Directory (AD) server.
![]()
If you choose to host managed preferences in the local account database, then you will want to include this configuration in your system image. The downside is that your managed preferences are no longer centrally managed, and you will have to deploy changes to each client using a manual method.
A more common configuration is to have a network directory service like LDAP or AD host the managed preferences information. In this case, to take advantage of managed preferences, your system image must include steps for binding to the network directory service, as covered in Chapter 6, “Postimaging Deployment Considerations.”
Using Managed Preferences
The most comprehensive tool for configuring managed preferences is Workgroup Manager (WGM), located in the /Applications/Server folder on your Mac OS X Server computer. This application can also be installed as part of the Server Admin Tools v10.6 on any Mac OS X v10.6 computer. In fact there are several managed preferences settings that can be properly set only when you open WGM from a Mac client. For example, when building an allowed applications list, WGM can add applications to this list only from the Mac it’s currently open on. Many Mac servers don’t have all the additional applications that Mac clients use; thus you need to open WGM from a Mac client.
To apply basic managed preferences settings using WGM:
Finally, when configuring managed preferences, it’s important to thoroughly test these settings from a client Mac to verify the correct behavior. Any new preference changes will be applied the next time a user logs into any system that is currently connected to the directory service. If you’re having problematic results, try some of the troubleshooting tips covered in the “Troubleshooting Managed Preferences” section later in this chapter.
Understanding Custom Managed Preferences
Workgroup Manager (WGM) also provides a managed preferences Detailed view that allows you to import and manage preferences that don’t have a graphical interface in WGM’s default Preferences view. This includes the ability to centrally manage the preferences for both built-in and third-party applications that support Apple’s standard preference format, the property list or “.plist” file. In fact, the underlying format for managed preferences is the same XML (eXtensible Markup Language) encoded key/value pairs that you’ll find in local preference .plist files.
There are three methods for importing, and thus managing, a preference with WGM:
The primary caveat to custom managed preferences is that some items are difficult if not impossible to manage because they don’t fully support Mac OS X’s preference architecture. In fact, most third-party preferences do not respect the Always managed preferences option, thus making permanent management difficult. Because of this limitation, when you import custom preferences for management you are allowed a fourth management option, Often. Setting a preference to be managed Often instructs the MCXcompositor to rewrite the .plist file, wherever its default storage location is, every time the user logs in. The result is that the user may still be able to change the setting, but every time she logs into the Mac, the preference will be set to the managed state.
Using Custom Managed Preferences
To import and manage custom preferences:
Finally, when configuring managed preferences, it’s important to thoroughly test these settings from several client Macs to verify the correct behavior. This is especially true when dealing with custom managed preferences. It will probably take several attempts to nail down the exact combination of managed preferences options and settings to achieve your policy goals.
Again, any new preference changes will be applied the next time a user logs into any system that is currently connected to the directory service. If you’re having problematic results, try some of the troubleshooting tips covered in the following section.
Troubleshooting Managed Preferences
With so many different technologies responsible for implementing managed preferences, troubleshooting managed preferences issues can be complicated. As with any complicated issue, breaking it down into specific trouble spots is always the best plan.
Managed Preferences: Verify Directory Services
Start by troubleshooting any potential directory service issues, since this is the system through which the Mac acquires the managed preferences settings. Basically, you need to verify connectivity to the directory service hosting the managed preferences. You can do this by viewing the Network Account Server status in the Login Options pane of the Accounts preferences.
You can further verify connectivity by logging into the Mac with a network user account or use id username, where “username” is the account name of a network user account, in the command line to verify that your Mac can see a network account. If any of these tests fail, then you need to resolve the directory service issue before you hunt down the managed preferences issue.
If you are able to verify that directory services is working properly, then you can verify that the directory service is providing managed preferences information. The dscl command allows you to read the directory information, including any managed preferences settings. In the following example Michelle uses the dscl command with the –mcxread option to verify that the “lab1” computer group contains managed preferences settings.
Note that dscl indeed returns management settings. Also note that the output has been truncated to save space. It’s not uncommon for dscl to return several pages of text when asked to query managed preferences information. When using dscl in this manner, if you want to search for a different account type, simply enter that in the search path: for example, /Search/Users/user_name, /Search/Groups/group_name, or /Search/Computers/computer_name.
If you are unable to retrieve user information using the id command, or are unable to retrieve management settings using dscl, you will need to troubleshoot the directory services setup. Common issues include a loss of network connectivity, DNS problems, and not having the directory service node in the search path on the client.
Managed Preferences: Verify Compositor Output
Once you have verified that the Mac can view managed preferences settings from directory services, it’s time to verify the results of the MCXcompositor. As covered previously, the MCXcompositor collects all the managed preferences settings and then applies those to the user’s session during login. Managed preferences issues at this level stem from having unexpected MCXcompositor results. The symptoms are easily identified by simply logging in as a user and then opening various applications and system items to verify your managed preferences settings.
While logged in as a user with managed preferences, you can view the managed preferences results by opening /Applications/Utilities/System Profiler.app and selecting Managed Client from the Contents list. This will show the managed preferences results of this specific user logged in to this specific Mac.
You can test other managed preferences combinations using the mcxquery command. This command allows you to test the managed preferences results by specifying a user, group, and/or computer account combination. The following example shows Michelle querying for the managed preferences results of user “logan” in the group “dev” on the computer “lab1_12.”
In this example, again the results have been truncated to save space. If the compositor is returning what you think are improper results, then you have one of two main paths to follow. First, you can return to WGM on the server and try to verify the managed preferences settings. In this case, don’t forget to look in the WGM Details view, where you can manually inspect every key/value pair. The second path is to reset the Mac client’s managed preferences related service and settings, as covered next.
Managed Preferences: Reset Services and Caches
To enhance performance and provide for offline access, managed preferences are cached locally on each Mac. Sometimes the cache can become out of sync with the primary settings hosted from the directory servers. Mac clients will try to refresh on every directory service transition, such as a user login or network state change. You can also simulate this by restarting the directory service process, which may clear up any directory service issues as well. From the command line simply enter:
Another option, new in Mac OS X v10.6, is to use the mcxrefresh command. This command will attempt to re-query the managed preferences results and rebuild any local caches. In the following example Michelle refreshes the managed preferences results for the user “logan”.
Finally, as a last resort you can manually clear out the local managed preferences cache and restart the Mac. Simply delete the /Library/Managed Preferences/ folder and restart. If you are having problems with a particular user’s preferences, you can delete just that individual user’s folder from within the Managed Preferences folder.
Related Resources
![]() Comments are closed.
|
AuthorWrite something about yourself. No need to be fancy, just an overview. Archives
December 2022
Categories |