MANAGING MACS IN THE ENTERPRISEWalter Meyer

SUNY Purchase College

What is “Client Management”?

Software Updates and Installations•Update Apple Software (Mac OS 10.6.7, iTunes, Safari, etc.)•Update and Install Third-Party Software (Firefox, Adobe CS5, Microsoft Office, etc.)

Preference Management•Security Settings (Disable Airport, DVD/USB Access, Restrict Logins)•Application Preferences (iTunes, Microsoft Office, Safari Homepage, etc.)•System Preferences (Screensaver Timeout, Energy Settings, etc.)

Image Creation and Deployment•Automated/Scripted Image Creation•Network-based Image Deployment (Netboot, Multicast)•Other Initial Deployment Settings (Directory Service Binding, EFI Password)

Image Creation: What were we doing?

Manual Image Creation Process•Install Mac OS X on a Reference System•Install Applications•Configure System Preferences•Clean up junk from system (log files, caches, ssh keys, etc.)•Clone the Reference System

Problems•Time-Consuming (Manual Installs and Configuration)•Process is Error Prone (Technician Forgets Something)•Partially Hardware Dependent (Network Hardware)

Image Creation: What did we change?

New Requirements•Automated Image Build Process (Scripted)•“Clean”, Never-Booted System Images

New Solution•InstaDMG

•InstaDMG is a collection of scripts that allow for the automatic and “progmatic” creation of Mac OS X system images.

Features:•Free & Open Source•Leverages existing Apple technologies: Apple Installer & Sparse Disk Images•Written in Bash and Python•Actively used in enterprise and educational institutions•Actively developed•Active user and developer mailing list for support

What is InstaDMG?

Download @

http://code.google.com/p/instadmg/

What is InstaDMG?

1. Installs Base OS 2. Installs Updates 3. Installs Applications Sparse Disk Image

The Automated InstaDMG Workflow:

What is InstaDMG?

•InstaDMG is run from the command-line•When you want to build an image, you execute a simple command

sudo ./instaUp2Date.py -p faculty-staff-image.catalog

Run as root user Execute Python script Process A Catalog File

What is InstaDMG?

•InstaDMG is controlled using Catalog files that you create•Catalog files reference updates and/or other installers that are used to build your image

sudo ./instaUp2Date.py -p faculty-staff-image.catalog

What is InstaDMG?

•checksum.py is the InstaDMG tool you use to create your Catalog files.

./checksum.py vlc-1.1.10.dmg

Execute Python script A DMG/Installer

What is InstaDMG?

Enough talk, let’s try it!

Image Deployment: What were we doing?

Local Imaging•Put Mac into Target Disk Mode and Clone over Firewire Connection•Manually Bind to Domain, set EFI password, etc.

Problems•Extremely Time-Consuming•No automation•Required lots of Firewire cables

Image Deployment: What did we change?

New Requirements•Automated Image Deployment Process (Image, Bind to Domain, Set EFI Password, etc.)•Network-based deployment process•Support for Unicast and Multicast deployments•Secure (Active Directory/LDAP Authentication Support)

New Solution•DeployStudio

•DeployStudio is a collection of applications that allow you to image and configure thousands of Mac workstations in a centralized and granular fashion.

Features•Free•Flexible (Supports custom scripting and package installers)•Leverages/uses Apple’s Netboot•Actively used in enterprise and educational institutions•Actively developed•Active user and developer mailing list for support

Download @

http://www.deploystudio.com/

What is DeployStudio?

How DeployStudio Works

Mac OS X Server

Mac OS X Client

1. Client Looks for Netboot Server

2. Server Returns Boot Image

3. Client Boots Into DeployStudio

Netboot Service DeployStudio Service

What is DeployStudio?

What is DeployStudio?

Demo time!

Apple Software Update•Users needed admin rights to install and update software•Users called Helpdesk (sometimes) to get software installed or updated

Problems•Security: No automated installations or updates•Workload: Helpdesk intervention required for software installations/updates•Users Dissatisfied: Couldn’t install or update software without inconvenience•Third-party software cannot be updated via ASUS

Software Updates and Installations: What were we doing?

Software Updates and Installations: What did we change?

New Requirements•Update and Install Apple Software•Update and Install Third-Party Software•No admin rights required•Automated checks and installations•Ability to be more granular with software installs and updates (production and testing groups)•Optional Software Installations

New Solution•Munki

•Munki is a set of tools that, used together with a webserver-based repository of packages and package metadata, can be used by OS X administrators to manage software installs (and in many cases removals) on OS X client machines. (Source: Munki Google Code Page)

Features•Free & Open Source•Repository can be hosted on any standards-based web server (Apache, IIS)•Written in Cocoa/Python•Actively used in enterprise and educational institutions•Actively developed•Active user and developer mailing list for support

Download @

http://code.google.com/p/munki/

What is Munki?

How Munki works

What is Munki?

Munki Web Repository

InstallersXML Configuration Files

Munki Clients

1. Client Runs Periodic Check

2. Server Returns XML Config

3. Client Uses XML to Determine Installs and HTTP Requests Packages

4. Server Returns Packages

How the Munki server works•The Munki server is simply a web server that serves installers and configuration files•Any standards-based web server can be used (Apache, IIS, etc.)•With Munki, the client is “smart”, the web server is “dumb”•The Munki clients parse XML configuration files on the server to determine what needs to be installed•Clients then download package installers from the server as needed

What is Munki?

How Munki works continued...•Munki clients are set to check for new updates/installs hourly•Users are prompted on a daily basis to install new updates•If a user is NOT logged in, then Munki will install updates automatically•All of these default settings can be customized

What is Munki?

How Munki works continued...

What is Munki?

1. The client checks for updates...

2. If Updates are Found...

3. The client is prompted for installation.

What is Munki?

Let’s try it!

Local Preference Management•Set Preferences Manually Pre-Image Deployment•Set Preferences Using Apple Remote Desktop

Problems•Changes are Time-Consuming•Not Very Flexible (Settings Embedded in Image)•Changes Require Scripting or Manual Configuration•Computers Had to be ON to Get Changes•Disorganized (Technician Has to Document Settings)

Preference Management: What were we doing?

New Requirements•Centralized Preference Distribution•Ability to Apply Preferences in a Granular Fashion (Labs, Art Department, Staff, etc.)•Client Machines Pull Down Preferences Automatically

Preference Management: What did we change?

New Solution•MCX (Managed Client for Mac OS X)

•MCX: Managed Client for Mac OS X•Akin to Group Policy on Windows•Clients Get MCX (Managed Preferences) from a Directory Service•Any Standards-Based LDAP Server Can Be Used•Open Directory, Active Directory, OpenLDAP, or Local Directory•Can Used in Conjunction With Another Authentication Service (AD, Kerberos, etc.)

What is MCX?

•You Can Apply Managed Preferences to Your Macs in a Variety of Ways...

Mac OS X Clients

Open Directory Server Active Directory Server

Authentication and Authorization

Authentication and AuthorizationMCX Preferences

The “Magic Triangle” Configuration

Linux Directory Server

What is MCX?How to Implement Managed Preferences

•You Can Modify Your Third-Party LDAP Schema to Support MCX•Remember: MCX Preferences Can be Served from ANY LDAP Server!

Mac OS X Clients

Active Directory Server

Extending the LDAP Schema

Linux Directory Server

Authentication and AuthorizationMCX Preferences

What is MCX?How to Implement Managed Preferences

•Each Mac OS X Client Has a Local Directory Service•This Local Directory Can be Used to Store MCX Preferences•The Resulting Plist Generated Can then Be Deployed to All Clients

MCX Preferences

What is MCX?How to Implement Managed Preferences

Mac OS X Clients

Local MCX

Your Admin Machine

Generate Plist File

•How-to Deploy Local MCX (Video) http://goo.gl/muefo•Local MCX How-Tos (Blog) http://goo.gl/2OX0F•Modifying the Active Directory Schema for MCX (Video) http://goo.gl/xsaiv•Modifying the Active Directory Schema for MCX (PDF) http://goo.gl/txbDJ

MCX (Preferences)

Resource Wrap-Up

InstaDMG (Image Creation)•http://code.google.com/p/instadmg/

Munki (Software Updates)•http://code.google.com/p/munki/

DeployStudio (Image Deployment)•http://www.deploystudio.com/

•Email Me! walter.meyer@purchase.edu•Slides: http://students.purchase.edu/walter.meyer/stc2011.mov