Similar in concept to group policies in Active Directory, Mac OS X Server's managed preferences allow administrators to define virtually the entire user experience and restrict user access to many types of local and remote resources. These include applications, printers and local devices.
This functionality gives administrators in a Mac or mixed-platform environment wide-ranging tools for securing workstations, helping users access resources and providing a consistent computing experience.
Managed preferences information is stored in the MCXFlags and MCXSettings attributes in Open Directory. MCXFlags identifies that a record has been assigned managed preferences, and MCXSettings stores the information about each of the preferences that have been configured. When a user logs in, all related managed preferences data is cached to the local hard drive and applied to that user's session.
Managed computers will check for updates to this information at regular intervals, which can be specified for each computer list. (For more information about setting up computer lists, see my previous article, "Inside Apple's Workgroup Manager.")
Built-in preferences to manage
Mac OS X Server ships with 14 built-in areas that administrators can choose to manage. Options can be set for individual user accounts, groups or groups of computer accounts referred to as computer lists. Some preferences give administrators a choice. They can decide whether end users will be allowed to make changes to the preference that is being managed, or whether administrator-defined preferences will always be enforced. Defining an environment that users can later modify is known as managing it "once" and creates a preset experience that users can change to their liking.
Defining a preference as "always" creates an environment that users cannot modify.
Other preferences can only be defined as "always managed" or "always unmanaged" because they are used to restrict user access or define Mac OS X system settings. Administrators can, at any time, make adjustments to preferences that are always managed, including making them unmanaged or managed once. If available preferences are unmanaged, which is also referred to as being managed "never," then users can adjust those parts of the Mac OS X or application settings as they normally would in an unmanaged environment.
Following is a brief description of each of the built-in preferences.
Applications: Allows administrators to define which applications users are permitted to launch, either by creating a list of allowed applications and denying access to any not in the list, or by creating a list of explicitly denied applications. Other options are to allow access to any application on a local volume, to allow approved applications to launch nonapproved helper applications and to allow or deny users access to Unix command-line tools. Because this preference restricts user access, only the "managed always" and "managed never" options are available when setting it.
Classic: Allows administrators to set options for the environment used to run classic Mac OS applications. Options include whether to launch the Classic environment at log-in, whether to alert users when they launch a Mac OS 9 application and give them the option to cancel the launch, which Mac OS 9 System Folder Classic uses, whether users may access special Classic start-up modes and Apple Menu items, and whether Classic application preferences are stored on the local hard drive or in a user's network home folder. Classic must be either managed or unmanaged.
Note: Even though Intel Macs cannot run the Classic environment, they can still be used to define Classic preferences using Workgroup Manager. If Classic preferences are being managed, when a user logs in at an Intel Mac (or a PowerPC Mac without Classic), these preferences are effectively ignored, as there is no Classic environment.
Dock: Allows administrators to place items in a user's Dock and to configure the display options for the Dock. Dock items can include any available applications, documents or folders. If application access is managed, a "My Applications" folder containing approved applications can be added. Also available are options to add a user's network home folder, a documents folder and a group folder (if managing for a group). Items can also be dragged into a specific order to create a consistent look and feel or in response to user requests. There is also the option to merge the specified items with a user's pre-existing Dock items. Dock items can be managed once or always, as can Dock display options, which can be set independently of Dock items. Dock display options mirror the settings available in the Dock System Preferences pane under Mac OS X.
Energy Saver: Provides many of the management options found in the Energy Saver System Preferences pane in Mac OS X, including options for power management, whether a battery menu is displayed on portable Macs and the ability to schedule automatic start-up, shutdown and sleep of managed computers. While somewhat helpful for managing battery options for portable Macs, the most useful function of this preference is its ability to schedule shutdown and start-up for a large number of workstations. This reduces power consumption for computers that might otherwise be left running when users leave for the day and ensures that workstations -- particularly those in classroom, lab and kiosk environments -- are powered on and ready for use in the morning.
Finder: Contains options for defining Finder preferences -- which mirror those that can be set under Mac OS X -- and the Finder commands users are allowed to use. It also sets view options for Finder windows and the desktop, such as icon size and arrangement, all of which can be managed independently of one another. Users can be restricted from commands including Connect to Server, Connect to iDisk, Eject, Burn Disc, Go to Folder, Restart and Shut Down. Unlike other Finder options, these must be either always managed or always unmanaged. Also, disallowing these commands does not prevent users from accessing some of these features via other applications or dialogs; it merely removes the commands from the typical Finder menus.
Internet: Provides the option of setting default e-mail and Web browser information, each independent of the other. E-mail information can include both a default e-mail client and a default mail server configuration for Apple's Mail. Web browser information can include a default browser as well as a home page, search page and location to store downloaded files.
Log in: Allows administrators to set log-in items, including local and remote resources. It can also mount the share point containing network home folders and a group folder (when managed for a group). Options include merging with a user's existing log-in items and allowing the user to press the Shift key at log-in to prevent log-in items from opening. When managed for computer lists, this preference also provides options for setting log-in scripts (which run as root), configuring the display of the log-in window (including an optional banner message) and logging users out after a period of inactivity. Another option here is deciding whether or not to allow Mac OS X's fast user switching, which allows multiple individuals to be logged in to a single computer using separate user accounts at one time and to quickly switch between those accounts rather than having to wait for one user to log off in order to switch accounts. Log-in items can be set once or always, while the other options must be either managed or unmanaged.
Media Access: Allows administrators to prevent users from accessing inserted CDs, DVDs and recordable CD/DVD discs. It also offers the ability to prevent user access to internal and external hard drives or other storage devices. Disc media and other media options can be set separately and must be either managed or unmanaged. Administrators can also elect to allow access to prohibited media by authentication with an administrator account (useful in classroom environments) and can allow hard drives to be accessed as read-only.
Mobility: Configures mobile account options. Mobile accounts are specialized Open Directory accounts intended for portable computers that leave the network. They create a local account on a workstation that is a copy of the user's network account and includes all managed preferences settings, allowing users to log in with their network account while off the network. A local home folder is also created. For Mac OS X 10.4 computers, options exist for synchronizing the local and network home folders. When the mobility preference is enabled, users will be asked at log-in if they want to create a mobile account on the computer; for this reason it is best to configure this preference by computer list, to avoid users potentially setting up mobile accounts on multiple desktop computers.
Network: Allows administrators to define proxy servers to be used within the network. It also allows the "passive FTP" setting to be enabled. These settings are often used or required when accessing a remote FTP server across one or more firewalls. Network preferences can only be managed or unmanaged.
Printing: Allows administrators to create a predefined list of network printers for users. In addition, user access to one or more printers can be restricted by requiring authentication with an administrator account. Optionally, local printers can be allowed and restricted like network printers, and users can be allowed to add or remove printers from the list. Managing this preference by computer list allows you to ensure that users will always be able to find and print to nearby printers. This preference must be either managed or unmanaged.
Software Update: Must be either managed or unmanaged, and allows administrators to designate a local software update server. This requires configuration of the Software Update Service included with Mac OS X Server.
System Preferences: Designates which panes in System Preferences users are allowed to access. All System Preferences panes can be restricted, and this preference must be managed or unmanaged.
Universal Access: Mirrors the options in the Universal Access System Preferences pane, which configures options for users with special needs. Options for seeing, hearing, keyboard and mouse, and for allowing access to Universal Access shortcuts, are available and can be set independently of one another. Each feature can be managed once or always.
Setting by user, group or computer list
As mentioned above, each preference -- with the exception of Energy Saver and some of the log-in options -- can be managed at the user, group or computer list level. Managed preferences are set using Workgroup Manager and should be set only for accounts that reside in a directory services domain. To begin, authenticate to the appropriate domain and then click the Preferences button in the Workgroup Manager toolbar (see Figure 1). Select the user(s), group(s) or computer list(s) in the right-hand pane and then click the preference that you wish to manage in the left-hand pane to configure management (see Figure 2).
When a preference is managed, a small pointer icon will appear next to it. If multiple accounts are selected and the preference is managed only for some of them, the pointer icon will appear grayed out.
When a user is a member of multiple managed groups, also called workgroups, the user will be asked to choose which group's managed preference configuration he wants to use. This can be confusing to users, particularly if the preferences assigned to different groups vary widely. As such, it is generally a good practice to limit the number of managed groups in a network and to try to limit users to a single managed group where possible.
How preferences interact
Since preferences can be managed at multiple levels, there's a good chance a user will receive multiple sets of managed preferences. In cases where different preferences are set at different levels -- such as Internet at the user level and log-in at the computer list level -- they are simply all applied at log-in.
When the same preference is managed at different levels, one of two things can occur. If the preference is list-based (such as allowed applications, dock items or printer lists), the contents of the list are cumulative and the user will see or have access to all the items in the list. This can be particularly helpful for situations where you want to ensure that users can find and have access to items they might need based on both their job function and their location.
For example, you might assign user access by group membership to a number of network printers operated by their department. But you might also want these users to have access to printers in a specific classroom or office if they happen to log in to a computer in that room. If access to departmental printers is assigned by group and classroom printers by computer list, then a user in that classroom would have access to both its printers as well as his typical set of departmental printers.
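As an added illustration (not Apple's code and not part of the original article), the Python model below applies the cumulative rule just described to the Applications preference, the security-relevant case: allowed-application lists set at the user, group and computer-list levels are combined, and the launch decision honours the allow-list, helper-application and Unix-tool options listed earlier. The AppPolicy structure, the level names and the application paths are constructed for the example, and treating the boolean options as cumulative across levels is an assumption, since the article describes cumulative behaviour only for list contents.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AppPolicy:
    """Constructed model of the Applications preference as set at one level."""
    state: str = "never"              # "always" or "never"; this preference cannot be managed "once"
    allowed: frozenset = frozenset()  # allow-list of application bundle paths
    allow_local_volume: bool = False  # any application on a local volume may launch
    allow_helpers: bool = False       # approved apps may launch non-approved helper apps
    allow_unix_tools: bool = False    # Unix command-line tools may be run

def effective_policy(levels):
    """Combine the per-level policies.  Per the article, list contents are cumulative
    across every managed level; treating the options as cumulative too is an assumption."""
    managed = [p for p in levels.values() if p.state == "always"]
    if not managed:
        return None  # unmanaged ("never") at every level: no restriction applies
    return AppPolicy(
        state="always",
        allowed=frozenset().union(*(p.allowed for p in managed)),
        allow_local_volume=any(p.allow_local_volume for p in managed),
        allow_helpers=any(p.allow_helpers for p in managed),
        allow_unix_tools=any(p.allow_unix_tools for p in managed),
    )

def may_launch(path, policy, launched_by=None, local_volume=True):
    """Return True if the application at `path` may be launched under `policy`."""
    if policy is None:
        return True
    if path.startswith(("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")):
        return policy.allow_unix_tools
    if path in policy.allowed:
        return True
    if policy.allow_helpers and launched_by in policy.allowed:
        return True
    return policy.allow_local_volume and local_volume

# Constructed sample: the department allows two apps by group membership, the
# classroom's computer list adds its own software and the user level is unmanaged.
LEVELS = {
    "user": AppPolicy(),
    "group": AppPolicy("always", frozenset({"/Applications/Mail.app", "/Applications/Safari.app"})),
    "computer_list": AppPolicy("always", frozenset({"/Applications/Lab Software.app"})),
}

if __name__ == "__main__":
    # Caveat: a permissive option set at any one level widens access wherever that level applies.
    loose = dict(LEVELS, user=AppPolicy("always", allow_local_volume=True))
    print(may_launch("/Applications/iChat.app", effective_policy(LEVELS)),  # False: in no list
          may_launch("/Applications/iChat.app", effective_policy(loose)))   # True
```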