
Hands On: Inside Apple's Managed Preferences Architecture

By Ryan Faas
August 5, 2007 12:00 PM ET

Computerworld - Similar in concept to group policies in Active Directory, Mac OS X Server's managed preferences allow administrators to define virtually the entire user experience and restrict user access to many types of local and remote resources. These include applications, printers and local devices.

This functionality gives administrators in a Mac or mixed-platform environment wide-ranging tools for securing workstations, helping users access resources and providing a consistent computing experience.

Managed preferences information is stored in the MCXFlags and MCXSettings attributes in Open Directory. MCXFlags identifies that a record has been assigned managed preferences, and MCXSettings stores the information about each of the preferences that have been configured. When a user logs in, all related managed preferences data is cached to the local hard drive and applied to that user's session.

Managed computers will check for updates to this information at regular intervals, which can be specified for each computer list. (For more information about setting up computer lists, see my previous article, "Inside Apple's Workgroup Manager.")

Built-in preferences to manage

Mac OS X Server ships with 14 built-in areas that administrators can choose to manage. Options can be set for individual user accounts, groups or groups of computer accounts referred to as computer lists. Some preferences give administrators a choice. They can decide whether end users will be allowed to make changes to the preference that is being managed, or whether administrator-defined preferences will always be enforced. Defining an environment that users can later modify is known as managing it "once" and creates a preset experience that users can change to their liking.

Defining a preference as "always" creates an environment that users cannot modify.

Other preferences can only be defined as "always managed" or "always unmanaged" because they are used to restrict user access or define Mac OS X system settings. Administrators can, at any time, make adjustments to preferences that are always managed, including making them unmanaged or managed once. If available preferences are unmanaged, which is also referred to as being managed "never," then users can adjust those parts of the Mac OS X or application settings as they normally would in an unmanaged environment.

Following is a brief description of each of the built-in preferences.

Applications Allows administrators to define which applications users are permitted to launch by creating a list of allowed applications and denying access to any not in the list, or by creating a list of explicitly denied applications. Other options are to allow access to any application on a local volume, to allow approved applications to launch nonapproved helper applications and to allow or deny users access to Unix command-line tools. Because this preference restricts user access, only the "managed always" and "managed never" options are available when setting it.

Classic Allows administrators to set options for the environment used to run classic Mac OS applications. Options include whether to launch the Classic environment at log-in, to alert users when they are launching a Mac OS 9 application and give them the option to cancel the launch, choose a Mac OS 9 system folder to be used by Classic, allow user access to special Classic start-up modes and Apple Menu items, and to designate whether Classic application preferences are stored on the local hard drive or in a user's network home folder. Classic must be either managed or unmanaged.

Note: Even though Intel Macs cannot run the Classic environment, they can still be used to define Classic preferences using Workgroup Manager. If Classic preferences are being managed, when a user logs in at an Intel Mac (or a PowerPC Mac without Classic), these preferences are effectively ignored, as there is no Classic environment.

Dock Allows administrators to place items in a user's dock and to configure the display options for the dock. Dock items can include any available applications, documents or folders. If application access is managed, a "My Applications" folder containing approved applications can be added. Also available are options to add a user's network home folder, a documents folder and a group folder (if managing for a group). Items can also be dragged into a specific order to create a consistent look and feel or in response to user requests. There is also the option to merge the specified items with a user's pre-existing dock items. Dock items can be managed once or always, as can Dock display options, which can be set independently of dock items. Dock display options mirror the settings available in the Dock System Preferences pane under Mac OS X.

Energy Saver Provides many of the management options found in the Energy Saver System Preferences pane in Mac OS X, including options for power management, whether a battery menu is displayed on portable Macs and the ability to schedule automatic start-up, shutdown and sleep of managed computers. While somewhat helpful for managing battery options for portable Macs, the most useful function of this preference is its ability to schedule shutdown and start-up for a large number of workstations. This reduces power consumption for computers that might otherwise be left running when users leave for the day and ensures that workstations -- particularly those in classroom, lab and kiosk environments -- are powered on and ready for use in the morning.

Finder Contains options for defining Finder preferences -- which mirror those that can be set under Mac OS X -- and the Finder commands users are allowed. It also sets view options for Finder windows and the desktop, such as icon size and arrangement, all of which can be managed independently of one another. Users can be restricted from commands including Connect to Server, Connect to iDisk, Eject, Burn Disc, Go to Folder, Restart and Shut Down. Unlike other Finder options, these must be either always managed or always unmanaged. Also, disallowing these commands does not prevent users from accessing some of these features via other applications or dialogs; it merely removes the commands from the typical Finder menus.

Internet Provides the option of setting default e-mail and Web browser information, each independent of the other. E-mail information can include both a default e-mail client and default mail server configuration for Apple's Mail. Web browser information can include a default browser as well as a home page, search page and location to store downloaded files.

Log in Allows administrators to set log-in items, including local and remote resources. It can also mount the share point containing network home folders and a group folder (when managed for a group). Options include merging with a user's existing log-in items and allowing the user to press the shift key at log-in to prevent log-in items from opening. When managed for computer lists, this preference also provides options for setting log-in scripts (which run as root), configuring the display of the log-in window (including an optional banner message) and logging users out after a period of inactivity. Another option here is deciding whether or not to allow Mac OS X's fast user switching, which allows multiple individuals to be logged in to a single computer using separate user accounts at one time and to quickly switch between those accounts rather than having to wait for one user to log off in order to switch accounts. Log-in items can be set once or always, while the other options must be either managed or unmanaged.

Media Access Administrators can prevent users from accessing inserted CDs, DVDs and recordable CD/DVD disks. It also offers the ability to prevent user access to internal and external hard drives or other storage devices. Disc media and other media options can be set separately and must be either managed or unmanaged. Administrators can also elect to allow access to prohibited media by authentication with an administrator account (useful in classroom environments) and can allow hard drives to be accessed as read-only.

Mobility Configures mobile account options. Mobile accounts are specialized Open Directory accounts intended for portable computers that leave the network. They create a local account on a workstation that is a copy of the user's network account and includes all managed preferences settings, allowing users to log in with their network account while off the network. A local home folder is also created. For Mac OS X 10.4 computers, options exist for synchronizing the local and network home folders. When the mobility preference is enabled, users will be asked at log-in if they want to create a mobile account on the computer; for this reason it is best to configure this preference by computer list to avoid users potentially setting up mobile accounts on multiple desktop computers.

Network Allows administrators to define proxy servers to be used within the network. It also allows passive FTP mode to be set. These settings are often used or required when accessing a remote FTP server across one or more firewalls. Network preferences can only be managed or unmanaged.

Printing Allows administrators to create a predefined list of network printers for users. In addition, user access to one or more printers can be restricted by requiring authentication with an administrator account. Optionally, local printers can be allowed and restricted like network printers, and users can be allowed to add or remove printers from the list. Managing this preference by computer list allows you to ensure that users will always be able to find and print to nearby printers. This preference must be either managed or unmanaged.

Software Update Must be either managed or unmanaged, and allows administrators to designate a local software update server. This requires configuration of the Software Update Service included with Mac OS X Server.

System Preferences Designates which panes in System Preferences users are allowed to access. All System Preferences panes can be restricted, and this preference must be managed or unmanaged.

Universal Access Mirrors the options in the Universal Access System Preferences pane that configures options for users with special needs. Features are available and can be set independently for seeing, hearing, keyboard and mouse and for allowing access to universal access shortcuts. Each feature can be managed once or always.

Setting by user, group or computer list

As mentioned above, each preference -- with the exception of energy saver and some of the log-in options -- can be managed at the user, group or computer list level. Managed preferences are set using Workgroup Manager and should be set only for accounts that reside in a directory services domain. To manage a preference, authenticate to the appropriate domain and then click the Preferences button in the Workgroup Manager tool bar (see Figure 1). Select the user(s), group(s) or computer list(s) in the right-hand pane and then click the preference that you wish to manage in the left-hand pane to configure management (see Figure 2).

Figure 1 - Selecting an account to manage


Figure 2 - Setting the log-in preference


When a preference is managed, a small pointer icon will appear next to it. If multiple accounts are selected and the preference is managed only for some of them, the pointer icon will appear grayed out.

When a user is a member of multiple managed groups, also called workgroups, the user will be asked to choose which group's managed preference configuration he wants to use. This can be confusing to users, particularly if the preferences assigned to different groups vary widely. As such, it is generally a good practice to limit the number of managed groups in a network and to try to limit users to a single managed group where possible.

How preferences interact

Since preferences can be managed at multiple levels, there's a good chance a user will receive multiple sets of managed preferences. In cases where different preferences are set at different levels -- such as Internet at the user level and log-in at the computer list level -- they are simply all applied at log-in.

When the same preference is managed at different levels, one of two things can occur. If the preference is list-based (such as allowed applications, dock items or printer lists), the contents of the list are cumulative and the user will see or have access to all the items in the list. This can be particularly helpful for situations where you want to ensure that users can find and have access to items they might need based on both their job function and their location.

For example, you might assign user access by group membership to a number of network printers operated by their department. But you might also want these users to have access to printers in a specific classroom or office if they happen to log in to a computer in that room. If access to departmental printers is assigned by group and classroom printers by computer list, then a user in that classroom would have access to both its printers as well as his typical set of departmental printers.

For preferences that are not list-based, including those that define the user experience and restrict access, the order of precedence is as follows: user-defined preferences override preferences set by computer list, which in turn override preferences set for a group. This allows you to ensure that any user-defined preferences that you configure are always respected. It can also become confusing if you develop complex combinations of permissions (particularly if users are members of multiple managed groups). As such, keeping choices simple and managing specific preferences at specific levels can help cut down some of the confusion.
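As an added example (not code from the article or from Apple), the following Python script models the two rules just described: list-based preferences accumulate across levels, while other preferences resolve user over computer list over group. It reads each level from an MCXSettings-style plist, using the mcx_application_data / Forced / Set-Once / mcx_preference_settings layout that MCX stores in Open Directory; the domain and key names and all values are constructed for illustration, and the merge logic is a simplification of Apple's client behaviour rather than a copy of it.

```python
import plistlib

# Precedence for non-list settings, highest first: user beats computer list beats group.
PRECEDENCE = ("user", "computer", "group")


def mcx_settings(domains):
    """Serialize {domain: {"Forced" | "Set-Once": {key: value}}} into the
    MCXSettings plist layout ("Forced" = managed always, "Set-Once" = managed once)."""
    app_data = {
        domain: {mode: [{"mcx_preference_settings": dict(settings)}]
                 for mode, settings in modes.items()}
        for domain, modes in domains.items()
    }
    return plistlib.dumps({"mcx_application_data": app_data})


def load_mcx(xml_bytes):
    """Parse an MCXSettings plist into {domain: {key: (value, mode)}}."""
    parsed = {}
    for domain, modes in plistlib.loads(xml_bytes)["mcx_application_data"].items():
        keys = parsed.setdefault(domain, {})
        for mode in ("Forced", "Set-Once"):
            for entry in modes.get(mode, []):
                for key, value in entry["mcx_preference_settings"].items():
                    keys[key] = (value, mode)
    return parsed


def resolve(levels):
    """levels maps "user"/"computer"/"group" to load_mcx() output.
    List-valued settings are merged across levels; scalars follow PRECEDENCE.
    Simplification: a merged list keeps the mode of the highest contributing level."""
    effective = {}
    for level in reversed(PRECEDENCE):  # group first, user last, so user wins
        for domain, keys in levels.get(level, {}).items():
            dom = effective.setdefault(domain, {})
            for key, (value, mode) in keys.items():
                if isinstance(value, list):
                    prev = dom.get(key, ([], mode))[0]
                    dom[key] = (prev + [v for v in value if v not in prev], mode)
                else:
                    dom[key] = (value, mode)
    return effective


# Constructed sample data: com.apple.dock is a real domain, but the printing
# domain/key names and every value here are made up for the example.
GROUP = mcx_settings({
    "com.apple.mcxprinting": {"Forced": {"PrinterList": ["dept-laser-1", "dept-laser-2"]}},
    "com.apple.dock": {"Set-Once": {"orientation": "bottom", "tilesize": 48}},
})
COMPUTER_LIST = mcx_settings({
    "com.apple.mcxprinting": {"Forced": {"PrinterList": ["lab-101-color", "dept-laser-1"]}},
    "com.apple.dock": {"Forced": {"orientation": "left"}},
})
USER = mcx_settings({"com.apple.dock": {"Set-Once": {"tilesize": 64}}})


def effective_settings():
    """What the constructed user gets when logging in at a computer in the lab list."""
    return resolve({"user": load_mcx(USER), "computer": load_mcx(COMPUTER_LIST),
                    "group": load_mcx(GROUP)})
```

The printer list comes out as the union of the departmental and classroom printers, while the dock orientation set "always" on the computer list overrides the group's "once" value and the user's own tile size wins over the group's.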

Managing additional preferences

In addition to the built-in management options, you can also use Workgroup Manager to manage application preferences using the Details tab of the left-hand pane of Preferences, also referred to as the preference editor (see Figure 3).

Figure 3 - The preference editor


Application preferences are a bit more complex. The property list (.plist) files that Mac OS X applications use to store preferences are XML files that contain keys that specify the various preferences options. Often these keys have cryptic names and values known only to their developers. With Mac OS X Tiger (10.4), Apple introduced the concept of Preference Manifests, which developers can include as part of their applications to explain what information keys actually store. However, developers are not required to ship a Preference Manifest with an application, and a manifest that is included need not identify every key.

Note: If you manage any of the 14 built-in preferences, you will also see entries for them in the Details tab.

To use the Details tab to manage an application, click the Add button and then use the Open dialog to navigate to the application. If you leave the "Import application's preferences" check box selected in the dialog sheet, the preferences that the current user account has established for the application will be imported and can be used as is or modified.

If you uncheck this option and select an application that has a Preference Manifest, the manifest will be imported but without any existing preferences. If no Preference Manifest exists, nothing will be imported. You can also select a .plist created by a different account if you want to import a different set of preferences for an application.

When you import existing preferences, they are set to "Manage often." This is an additional managed preference option for applications in addition to the "managed once" or "always" options. "Managed often" allows users to make changes to an application's settings, which may be needed for some functionality or features, but those settings are not saved when the application is quit. On its next launch, the managed application will revert to the managed settings.

Configuring preferences for managed applications is accomplished by double-clicking the application in the Details list box. As you can see in Figure 4, the property list data is not particularly user-friendly. To switch to managing application preferences once or always, you will need to cut and paste each key into the appropriate location, which can be a tedious process.

Figure 4 - Editing p-list data


Note: If you are working with preferences for applications that do not include a Preference Manifest, you should test the configuration extensively before implementing management in a production environment.

Managed network views

Although not directly part of Apple's managed preferences architecture, managed network views allow administrators to control what users see when they select the network globe icon in the Finder. Typically, the network globe displays a list of computers and servers that respond to self-discovery protocols including Apple's Bonjour, AppleTalk, SMB/CIFS (Server Message Block/Common Internet File System, commonly used by Windows computers) and the open standard SLP (Service Location Protocol).

This display, sometimes referred to as a flat view, has two limitations: It generally only displays servers and computers that are located on the same subnet, and it can include workstations and servers that you might not want people to see -- either to keep them hidden or to avoid confusing users. By using managed network views, you can provide users with an easy-to-navigate structure of only those servers that they need to see regardless of where the servers are located within your network.

Types of network views

There are three types of network views: named, default and public. A named view is one that is applied to specific computers either through a computer's record in Open Directory or by its network address. When assigned a view by network address, the name of the view must be either the MAC address of a specific computer's network card or the IP address of a single computer or of a subnet in CIDR notation (e.g., 192.168.100.0/22).

A default view is assigned to computers that do not have a named view associated with them but which are bound to an Open Directory domain. A public view is assigned to any computers within a network that are not bound to an Open Directory domain but that can query the domain. At start-up, a Mac OS X computer will look first for an appropriate named view within each domain in its Open Directory search path. If it doesn't find one, it will look for a default view within each domain in its search path. If it fails to find a default view, the computer will search all available domains for a public view. If it finds no public view it will display the contents of the network globe as an unmanaged flat view.
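The lookup order above, and the name-matching rules for named views (computer record, MAC address, IP address or CIDR subnet), as an added Python example that is not part of the article or of Apple's implementation. The domain layout, view titles, addresses and names are all constructed; a real client reads these from Open Directory.

```python
import ipaddress

FLAT_VIEW = "unmanaged flat view"  # what the Finder shows when no view applies


def _matches_address(view_name, mac, addr):
    """A named view applies by address when its name is the computer's MAC
    address, its IP address, or a CIDR subnet containing that address."""
    if view_name.lower() == mac.lower():
        return True
    try:
        return addr in ipaddress.ip_network(view_name, strict=False)
    except ValueError:  # the name is neither an IP address nor a CIDR block
        return False


def select_network_view(search_path, all_domains, record_view, mac, ip):
    """Resolve a view in the article's order. Each domain is a constructed dict:
    {"named": {name: view}, "default": view or None, "public": view or None}.
    search_path: domains the computer is bound to, in search order;
    all_domains: every domain it can query (public views are looked up here);
    record_view: the named view set in the computer's Open Directory record, or None."""
    addr = ipaddress.ip_address(ip)
    for domain in search_path:  # 1. a named view, checked domain by domain
        for name, view in domain.get("named", {}).items():
            if name == record_view or _matches_address(name, mac, addr):
                return view
    for domain in search_path:  # 2. a default view, domain by domain
        if domain.get("default"):
            return domain["default"]
    for domain in all_domains:  # 3. a public view in any available domain
        if domain.get("public"):
            return domain["public"]
    return FLAT_VIEW  # 4. nothing managed: plain self-discovery listing


# Constructed domains; names, addresses and view titles are made up.
CAMPUS = {"named": {"lab-101": "Lab 101 view",
                    "192.168.100.0/22": "Classroom wing view"},
          "default": "Campus default view", "public": None}
GUEST = {"named": {"00:16:cb:aa:bb:cc": "Podium Mac view"},
         "default": None, "public": "Guest public view"}
DOMAINS = [CAMPUS, GUEST]


def bound_computer(record_view, mac, ip):
    """A computer bound to both domains, with CAMPUS first in its search path."""
    return select_network_view(DOMAINS, DOMAINS, record_view, mac, ip)


def unbound_computer(mac, ip):
    """A computer bound to no domain that can still query both of them."""
    return select_network_view([], DOMAINS, None, mac, ip)
```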

Creating views and neighborhoods

You create and manage network views by clicking the Network button in the Workgroup Manager tool bar. The right-hand pane will display a list of existing network views, and you can manage the layout and settings in the left-hand pane by selecting an existing view. Or you can create a new view using the New Network View button in the tool bar (see Figure 5). When you create a new network view, you will be asked if you want to create a named, default or public view, if you haven't already done so.

Figure 5 - Configuring a network view

When adding items to a view using the Layout tab, you can add computers or servers, dynamic lists or neighborhoods. Neighborhoods act like folders, allowing you to group similar servers and create a hierarchy. Dynamic lists allow you to specify one or more self-discovery protocols that will be used to populate a view or neighborhood. This offers you the ability to continue to use Bonjour and similar protocols for discovering local resources while also giving you the option of explicitly including remote resources.

You can also add individual servers or computers in one of two ways: either select from computers that have records in Open Directory, such as a server bound to a domain, or browse the network. Adding items to a view is done by using the Add (plus sign) menu, and browsing the network is done by using the browse (ellipsis) button.

The Settings tab allows you to specify the computers that will receive a named view. Again, you can choose from existing computer records by using the Add menu to display a drawer of all computer records in Open Directory or by browsing. You can also manually add a computer record at this point. In addition, you can change the named view for a computer by editing its record in a computer list. The Settings tab also allows you to specify how often clients will check for changes to the view and whether the contents of the view will replace or be added to the flat view that would normally be displayed in the Finder.


Ryan Faas is a freelance writer and technology consultant specializing in Mac and multiplatform network issues. In addition to writing for Computerworld, he is a frequent contributor to InformIT.com. Ryan was also the co-author of O'Reilly's "Essential Mac OS X Panther Server Administration." You can find more information about Ryan, his consulting services and recently published work at www.ryanfaas.com, and can e-mail him at ryan@ryanfaas.com.
