
Mac Management in a University Environment
Kevin Hanson, Emerging Pathogens Institute, University of Florida


1 Mac Management in a University Environment
Kevin Hanson, Emerging Pathogens Institute, University of Florida

2 Topics
Intro
Active Directory Authentication
Open Directory
Management & Preferences
Apple Remote Desktop
Third Party Options

3

4 Intro
Support Macs; otherwise you have unmanaged hosts
Cost of entry
–UFAD: free
–Open Directory: at minimum $1,078
Add value to the customer experience
–Reduce non-science & non-academic work
Be ever mindful of campus initiatives

5 AD Authentication
On the Windows side
–Use a valid AD domain name (e.g. ad.ufl.edu)
–Underscores are NOT valid characters, but AD will allow them. This WILL BREAK OS X AD integration.
–Avoid using more than 14 characters
On the OS X side
–Configure Network Preferences
–Configure Sharing
–Configure the AD Plugin

6 Configuring Network Preferences
The DNS server must be able to resolve the AD service (SRV) records
Search Domains should contain, at minimum, the AD domain name

7 Configuring Sharing
Set the computer name under System Preferences > Sharing (must reboot after rename)
Avoid using more than 14 characters

8 Configuring the AD Plugin
System Preferences > Users & Groups > Login Options > Edit
Open Directory Utility > Configure Active Directory Plugin

9 Configuring the AD Plugin
Specify the UFAD server as ad.ufl.edu
Eliminate underscores ( _ )
Provide domain credentials

10 Configuring the AD Plugin
Set 'Allow administration by' and add the appropriate groups to grant administrator rights
'Allow authentication from any domain…' should be enabled for troubleshooting purposes

11 Configuring the AD Plugin
System Preferences > Users & Groups > Login Options
Set 'Display login window as' to name and password
Turn off automatic login
Reboot
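The naming rules on the preceding slides (no underscores in the domain name, no underscores in the computer name, at most 14 characters, and DNS that can answer for the AD service records) are easy to get wrong and painful to debug after the bind. The pre-flight script below is an added example, not part of the presentation: it checks a proposed domain and computer name against those rules before Directory Utility is opened, and optionally confirms that the AD SRV record resolves. The function names, the sample names and the "12-character" limit are assumptions taken from the slides; `dig` and the `_ldap._tcp.dc._msdcs` SRV name are standard tools and names, not anything the presentation supplies.

```shell
#!/bin/sh
# Added example (not from the presentation): pre-flight checks for the naming
# rules the slides give before binding a Mac to Active Directory.
# Runs on any POSIX sh; the names used below are constructed.

# ad_preflight DOMAIN COMPUTERNAME
# Returns 0 when both names satisfy the slide rules, 1 otherwise, and prints
# each violation on stderr. Hypothetical helper, not an Apple tool.
ad_preflight() {
    domain=$1
    computer=$2
    rc=0

    # AD tolerates underscores in a domain name; the OS X AD plugin does not.
    case $domain in
        *_*) echo "domain '$domain' contains an underscore" >&2; rc=1 ;;
    esac

    # Computer name: no underscores either, and 14 characters or fewer.
    case $computer in
        "")  echo "computer name is empty" >&2; rc=1 ;;
        *_*) echo "computer name '$computer' contains an underscore" >&2; rc=1 ;;
    esac
    if [ "${#computer}" -gt 14 ]; then
        echo "computer name '$computer' is longer than 14 characters" >&2
        rc=1
    fi
    return $rc
}

# ad_dns_check DOMAIN
# Returns 0 if the domain controller SRV record resolves, 1 if it does not,
# 2 if dig is not installed. Needs a network, so it is not exercised offline.
ad_dns_check() {
    command -v dig >/dev/null 2>&1 || return 2
    [ -n "$(dig +short SRV "_ldap._tcp.dc._msdcs.$1")" ]
}

# Stand-alone usage with constructed values (one good, one bad pair).
if [ "${0##*/}" = "ad_preflight.sh" ]; then
    ad_preflight ad.ufl.edu epi-mac-01 && echo "ok: ad.ufl.edu / epi-mac-01"
    ad_preflight ad_ufl.edu epi_lab_mac_0001 || echo "rejected as expected"
fi
```

Run it before binding; fix anything it reports, then follow the Directory Utility steps on slides 8 to 11. The DNS check is deliberately separate so the name checks still run on a machine with no resolver configured yet.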

12 Configuring the AD Plugin (troubleshooting)
Directory Service debug logging (10.5, 10.6)
–Has a "Level 7" flag that includes more information than typical DSDebug logging
–http://support.apple.com/kb/HT3186
Grepping & tailing the DS logs:
–grep "Active Directory" /Library/Logs/DirectoryService/DirectoryService.debug.log
–tail -f /Library/Logs/DirectoryService/DirectoryService.debug.log | grep "Active Directory"
Reduce the log level once done to avoid excessive log files

13 Configuring the AD Plugin (troubleshooting)
Directory Service debug logging (10.7, 10.8)
–Has two options: debug & default levels
–The debug level includes more information than typical logging
–http://support.apple.com/kb/HT4696
Grepping & tailing the DS logs:
–grep "Active Directory" /var/log/opendirectoryd.log
–tail -f /var/log/opendirectoryd.log | grep "Active Directory"
Reduce the log level once done to avoid excessive log files
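The grep and tail commands on the two troubleshooting slides work, but at debug level the log fills quickly and the interesting lines are the failures. The script below is an added example, not from the presentation: it wraps the same grep in small functions that return the Active Directory lines, count the ones that look like errors, and follow the log live. The log lines it ships with are constructed for illustration and do not reproduce Apple's exact log format; the path, the error keywords and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the presentation): narrow a DirectoryService /
# opendirectoryd debug log down to the Active Directory lines that report a
# problem. Runs on any POSIX sh with grep; the sample log is constructed.

# make_sample_log: writes a constructed log to a temp file and prints its path.
# On a real Mac use /var/log/opendirectoryd.log (10.7/10.8) or
# /Library/Logs/DirectoryService/DirectoryService.debug.log (10.5/10.6).
make_sample_log() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
2013-02-04 09:12:01 opendirectoryd[77]: Active Directory: binding to ad.ufl.edu
2013-02-04 09:12:01 opendirectoryd[77]: LDAPv3: od.ns.ufl.edu responded
2013-02-04 09:12:03 opendirectoryd[77]: Active Directory: unable to locate domain controller via SRV lookup
2013-02-04 09:12:05 opendirectoryd[77]: Active Directory: authentication failed for user jdoe (KDC unreachable)
2013-02-04 09:12:07 opendirectoryd[77]: Active Directory: bind succeeded, computer ID epi-mac-01
EOF
    echo "$f"
}

# ad_log_lines LOGFILE: every line that belongs to the AD plugin (the slide's grep).
ad_log_lines() {
    grep "Active Directory" "$1"
}

# ad_log_line_count LOGFILE: how many AD lines the log holds.
ad_log_line_count() {
    grep -c "Active Directory" "$1"
}

# ad_log_errors LOGFILE: AD lines that also mention a failure keyword
# (assumed keyword list; extend it for your own log vocabulary).
ad_log_errors() {
    grep "Active Directory" "$1" | grep -i -E 'error|fail|unable|denied'
}

# ad_log_error_count LOGFILE: number of such lines, printed as a plain integer.
ad_log_error_count() {
    grep "Active Directory" "$1" | grep -c -i -E 'error|fail|unable|denied'
}

# ad_log_follow LOGFILE: live view, the slide's tail | grep with line buffering
# so matches appear immediately instead of when the pipe buffer fills.
ad_log_follow() {
    tail -f "$1" | grep --line-buffered "Active Directory"
}

# Stand-alone usage on the constructed log.
if [ "${0##*/}" = "ad_log_check.sh" ]; then
    log=$(make_sample_log)
    echo "AD lines: $(ad_log_line_count "$log"), with errors: $(ad_log_error_count "$log")"
    ad_log_errors "$log"
    rm -f "$log"
fi
```

On the sample the two error lines (no domain controller via SRV, KDC unreachable) point straight at the DNS and reachability checks from slides 6 and 12, which is the usual shape of a failed bind. Remember the slide's last point: drop the log level back to default once the problem is found.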

14 Additional AD options
A Mac joined to AD can use the home folder location set in the user's profile in ADUC (Active Directory Users and Computers)

15 Open Directory
Free Open Directory training from lynda.com (http://www.lynda.com/Mac-OS-Server-10-7-tutorials/Mac-OS-X-Lion-Server-Essential-Training/ html)
Consult Apple documentation (http://www.apple.com/support/osxserver/)
UF IT Wiki (http://wiki.it.ufl.edu/wiki/Apple_OS_X)

16 Open Directory
Determine capacity needs and purchase appropriate hardware
Set a DNS record, e.g. od.ns.ufl.edu, macserv1.epi.ufl.edu
Join the Mac server to UFAD
–Utilize UFAD accounts to apply policy preferences
Set up an Open Directory Master
–Open Directory Replica

17 Open Directory Server Consoles
10.5 Leopard, 10.6 Snow Leopard, 10.7 Lion
–Server Admin (managing Open Directory and adding services): DHCP, DNS, Firewall, Software Update, NetBoot, RADIUS
–Server (managing services provided by the server): File sharing, Address Book, Mail, iCal, iChat, Web services, Time Machine
–Workgroup Manager (managing users, groups, policy preferences)

18 Open Directory Server Consoles

19

20

21 10.8 Mountain Lion
–Server Admin (managing Open Directory and adding services): DHCP, DNS, Firewall, Software Update, NetInstall, RADIUS
–Server (managing services provided by the server): File sharing, Address Book, Mail, iCal, iChat, Web services, Time Machine
–Profile Manager (delivers configuration profiles and Mobile Device Management for Macs running OS X 10.8 and 10.7 and for iOS devices; allows configuration of PIN and password policies and policy enforcement)
–Workgroup Manager is still available as an option as a separate download (http://support.apple.com/kb/HT5308)

22 Setup Server Services
Software Update (the WSUS equivalent)
–10.5, 10.6, 10.7: just a local repository
–http://macserv1.ufl.edu:8088/content/catalogs/others/index-lion-snowleopard-leopard.merged-1.sucatalog.composite
–10.8: new features for automatic download and install of system and security updates
–http://macserv1.ufl.edu:8088/content/catalogs/others/index-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog.composite
Time Machine
–Time Machine to back up the OD server
–Time Machine as a backup destination for managed Macs
–For a Mac Mini, attach an external Thunderbolt drive
–Or purchase a Mac Pro with internal drives

23 Setup Server Services
OS X Deployment
–NetBoot (the WDS equivalent): https://help.apple.com/advancedserveradmin/mac/10.7
  Shares and protocols configured on the server to support distribution
  Stores system images on the server that EFI-based Intel Macs can access
  Renamed NetInstall for 10.8: https://help.apple.com/advancedserveradmin/mac/10.8/
–System Image Utility: makes NetBoot and other image sets for the Macs in the environment
  10.7: included in the Server Admin tools
  10.8: installed with OS X in the /System/Library/CoreServices/ folder
–Boot the Mac while holding down the N key (blinking grey globe)

24 Setup Server Services
Profile Manager (MDM, Mobile Device Management)
–Apple's solution for managing mobile iOS & OS X devices
–First showed up in Lion
–Again in Mountain Lion 10.8 with more features, including app push
–Review: manager-2-in-os-x-mountain-lion-server/
Public IP requirements (security office review)
–Certificates, encryption

25 Setup Managed Preferences
Workgroup Manager console: 10.6, 10.7, 10.8 (transition)
Think GPO
Considerations
–UFAD handles authentication, OD handles computer behavior
–Set up groups of computers as you would an OU in GPMC to apply GPOs
–Set up groups of UFAD accounts to allow exceptions to preferences
Precedence is
–User preferences >
–User Group preferences >
–Workstation preferences >
–Workstation Group preferences

26 Setup Managed Preferences
Recommendations
–Set up Login settings
  AUP/ULA legalese for accessing UF equipment
  Force name and password
  Disable automatic login
  Set the screen saver, e.g. 20 min
  Map network drives
–Manage FileVault settings for portable MacBook Pro and Air
–Make all accounts mobile, including desktops, for the time when the network goes down (same as Windows caching credentials)
–Inside System Preferences
  Exclude Users & Groups (avoid local accounts, deletion of the IT account, demotion or promotion of admin rights)
  Exclude Sharing (avoid Macs sharing disks and customers turning off Remote Desktop, which is needed for remote administration)
  Exclude Security & Privacy (mitigate avoidance of the screen saver password)

27 Setup Managed Preferences
Recommendations
–Manage Power settings: save energy, software updating
–Deploy Printers: Bonjour
–Set up Software Update: more valuable in 10.8
–Manage network: disable AirPort for hard-wired iMac, Mac Pro, Mac Mini; disable Internet Sharing
Demo

28 Login Preferences Options for login window text and style of login options

29 Login Preferences Options for screensaver timing

30 Login Preferences Options for automatically mounting network shares

31 Mobile Preferences Options for creating a mobile account (cached credentials) that works while off the network

32 System Preferences Options for restricting icons in System Preferences to help avoid circumventing settings

33 Power Preferences Options for energy usage

34 Print Preferences Options for printer installation from network printers

35 Software Update Preferences Options for pointing Macs to local update repository

36 Network Preferences Options for disabling AirPort on desktops

37 FileVault Preferences Options for turning on FileVault for all managed Macs

38 Time Machine Preferences Options for Time Machine backups to a network location

39 Configure the OD Plugin
System Preferences > Users & Groups > Login Options > Edit
Open Directory Utility
Highlight LDAPv3 and press the Configure button

40 Configure the OD Plugin
Expand the options chevron and press New
Enter the Open Directory server name and press Continue
Verify the Computer ID and provide credentials

41 Configure the OD Plugin
Review the LDAPv3 settings
Note the distinguished name

42 Apple Remote Desktop
Documentation
–http://www.apple.com/remotedesktop/
–http://manuals.info.apple.com/en_US/ARD_Task_Server.pdf
Features
–Remote Control
–Remote Observe
–Software installation
–Copy files
–Issue UNIX commands
Licensing and Cost
–$79.99 to manage 20 computers
–$ Unlimited Managed System Edition
Install the task server function on a dedicated Mac server

43 Apple Remote Desktop
ARD setup
–Start with Scanner
–Utilize a local administrator account for administration

44 Apple Remote Desktop ARD Console

45 Apple Remote Desktop
Useful Mac Commands
–(add to administrators group)
  dscl -u localadmin -P *********** . -append /Groups/admin GroupMembership trusteduser
  (-P puts the password on the command line, where it shows in process listings and shell history; use -p instead to be prompted for it)
–(improve network performance)
  sudo sysctl -w net.inet.tcp.delayed_ack=0
  http://www.jeremycole.com/blog/2010/01/13/delayed-ack-in-os-x-is-incomprehensible/
–(enable Spotlight indexing of a network drive)
  mdutil -i on /Volumes/name
  http://jonathansblog.co.uk/how-to-enable-spotlight-indexing-on-a-network-drive
–(show hidden files in Finder)
  defaults write com.apple.finder AppleShowAllFiles TRUE
–(change display sleep time)
  sudo pmset displaysleep 15
–Boot from CD by holding down C
–Reset NVRAM: Command-Option-P-R
–Startup disk help with Boot Camp: http://support.apple.com/kb/ht1379
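The dscl line above grants a user local administrator rights, and slide 26 recommends hiding Users & Groups precisely so that admin rights are not handed out or removed outside IT's control. The audit below is an added example, not part of the presentation: it parses the output of `dscl . -read /Groups/admin GroupMembership`, compares the members with an approved list, and fails when an unexpected admin appears, which is the check to run from ARD's "Issue UNIX commands" across the fleet. The dscl output it contains is constructed, and the approved list and function names are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the presentation): audit the local admin group on
# a managed Mac against an approved list of accounts. Runs on any POSIX sh.
# The sample below is a constructed copy of what
#   dscl . -read /Groups/admin GroupMembership
# prints; on a real Mac feed that command's output in instead.

SAMPLE_DSCL_OUTPUT='GroupMembership: root localadmin trusteduser jdoe'

# Accounts that are allowed to be local admins (assumed list for this example).
APPROVED_ADMINS='root localadmin trusteduser'

# admin_members DSCL_OUTPUT: prints the member names, one per line.
admin_members() {
    printf '%s\n' "$1" | sed -n 's/^GroupMembership: *//p' | tr ' ' '\n' | sed '/^$/d'
}

# unapproved_admins DSCL_OUTPUT APPROVED: prints members absent from APPROVED
# (APPROVED is a space-separated list; matching is on whole names).
unapproved_admins() {
    admin_members "$1" | while read -r m; do
        case " $2 " in
            *" $m "*) ;;                # approved, say nothing
            *) printf '%s\n' "$m" ;;    # drift: report it
        esac
    done
}

# audit_admins DSCL_OUTPUT APPROVED: returns 0 when the group matches the
# approved list, 1 when extra admins are present (names go to stderr).
audit_admins() {
    extra=$(unapproved_admins "$1" "$2")
    if [ -n "$extra" ]; then
        echo "unapproved admin accounts: $(printf '%s' "$extra" | tr '\n' ' ')" >&2
        return 1
    fi
    return 0
}

# Stand-alone usage on the constructed sample.
if [ "${0##*/}" = "admin_audit.sh" ]; then
    echo "admin group members:"
    admin_members "$SAMPLE_DSCL_OUTPUT"
    audit_admins "$SAMPLE_DSCL_OUTPUT" "$APPROVED_ADMINS" && echo "admin group is clean"
fi
```

On the sample the audit reports jdoe, the one account not on the approved list. Pushed through ARD as a UNIX command with a non-zero exit treated as a failure, the same script turns a quiet privilege change on one Mac into something the console shows at a glance.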

46 Third Party Options
SCCM 2012
–UF initiative
–Hardware inventory
–Software inventory
–Application deployment
–Configuration deployment and compliance
JAMF
–Casper Suite
  OS X: inventory, imaging, patch management (more configuration options), software deployment, settings management
  iOS: inventory, configuration
–Can run on Linux, Windows 2008 R2 or a Mac server; needs Java, Tomcat & MySQL

47 Third Party Options
JAMF (continued)
–Onsite setup and training $6,000 (required)
–$90.00 per-client fee waived because of academic pricing
–Annual maintenance of $18.00 per device per year
Absolute Manage (www.absolutesoftware.com)
–Supports Windows, Linux, Mac, iOS & Android
–Inventory, imaging, power management, patching, application deployment
–$30-$40 per seat
OpenLDAP on Linux
–Cost of a VM
–Add the Apple schema
–Add Mac attributes to LDAP
–Use Workgroup Manager

48 Outlook Autodiscover
iMac, Mac Pro, Mac Mini desktop devices are typically on campus and should use Autodiscover to resolve mail.ufl.edu to https://outlook.mail.ufl.edu/EWS/Exchange.asmx
–Private IP
For MacBooks & MacBook Airs off campus, and to avoid VPN usage, disable Autodiscover with this AppleScript:
  tell application "Microsoft Outlook"
      set background autodiscover of exchange account 1 to false
  end tell
Set the server to https://mail.ufl.edu/EWS/Exchange.asmx
–Public IP

