Hands On: Inside Apple's Managed Preferences Architecture


For preferences that are not list-based, including those that define the user experience and restrict access, the order of precedence is as follows: user-defined preferences override preferences set by computer list, which in turn override preferences set for a group. This allows you to ensure that any user-defined preferences that you configure are always respected. It can also become confusing if you develop complex combinations of permissions (particularly if users are members of multiple managed groups). As such, keeping choices simple and managing specific preferences at specific levels can help cut down some of the confusion.

Managing additional preferences

In addition to the built-in management options, you can also use Workgroup Manager to manage application preferences using the Details tab of the left-hand pane of Preferences, also referred to as the preference editor (see Figure 3).

Figure 3 - The preference editor


Application preferences are a bit more complex. The property list (.plist) files that Mac OS X applications use to store preferences are XML files that contain keys specifying the various preference options. Often these keys have cryptic names and values known only to their developers. With Mac OS X Tiger (10.4), Apple introduced the concept of Preference Manifests, which developers can include as part of their applications to explain what information each key actually stores. However, applications are not required to include Preference Manifests, and a manifest that is included does not have to identify every key.

Note: If you manage any of the 14 built-in preferences, you will also see entries for them in the Details tab.

To use the Details tab to manage an application, click the Add button and then use the Open dialog to navigate to the application. If you leave the "Import application's preferences" check box selected in the dialog sheet, the preferences that the current user account has established for the application will be imported and can be used as is or modified.

If you uncheck this option and select an application that has a Preference Manifest, the manifest will be imported but without any existing preferences. If no Preference Manifest exists, nothing will be imported. You can also select a .plist created by a different account if you want to import a different set of preferences for an application.

When you import existing preferences, they are set to "managed often." This is a managed preference option for applications in addition to the "managed once" and "always" options. "Managed often" allows users to make changes to an application's settings, which may be needed for some functionality or features, but those settings are not saved when the application is quit. On its next launch, the managed application will revert to the managed settings.

Configuring preferences for managed applications is accomplished by double-clicking the application in the Details list box. As you can see in Figure 4, the property list data is not particularly user-friendly. To switch to managing application preferences once or always, you will need to cut and paste each key into the appropriate location, which can be a tedious process.

Figure 4 - Editing p-list data


Note: If you are working with preferences for applications that do not include a Preference Manifest, you should test the configuration extensively before implementing management in a production environment.

Managed network views

Although not directly part of Apple's managed preferences architecture, managed network views allow administrators to control what users see when they select the network globe icon in the Finder. Typically, the network globe displays a list of computers and servers that respond to self-discovering protocols including Apple's Bonjour, AppleTalk, SMB/CIFS (Server Message Block/Common Internet File System, commonly used by Windows computers) and the open standard SLP (Service Location Protocol).

This display, sometimes referred to as a flat view, has two limitations: It generally only displays servers and computers that are located on the same subnet, and it can include workstations and servers that you might not want people to see -- either to keep them hidden or to avoid confusing users. By using managed network views, you can provide users with an easy-to-navigate structure of only those servers that they need to see regardless of where the servers are located within your network.

Types of network views

There are three types of network views: named, default and public. A named view is one that is applied to specific computers either through a computer's record in Open Directory or by its network address. When assigned a view by network address, the name of the view must be either the MAC address of a specific computer's network card or the IP address of a single computer or of a subnet in CIDR notation (i.e.,

A default view is assigned to computers that do not have a named view associated with them but which are bound to an Open Directory domain. A public view is assigned to any computers within a network that are not bound to an Open Directory domain but that can query the domain. At start-up, a Mac OS X computer will look first for an appropriate named view within each domain in its Open Directory search path. If it doesn't find one, it will look for a default view within each domain in its search path. If it fails to find a default view, the computer will search all available domains for a public view. If it finds no public view it will display the contents of the network globe as an unmanaged flat view.
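The lookup order described above, sketched as an added Python example (not from the original article or from Apple). The domain and view dictionaries, computer names and addresses are constructed, and taking the first matching named view within a domain is an assumption the article does not address.

```python
import ipaddress

def address_match(view_name, client):
    """Match a named view's name against the client's MAC, IP, or CIDR subnet."""
    if view_name.lower() == client["mac"].lower():
        return True
    try:
        network = ipaddress.ip_network(view_name, strict=False)
    except ValueError:
        return False  # the name is not an IP address or CIDR block
    return ipaddress.ip_address(client["ip"]) in network

def find_view(domains, view_type, client=None):
    """Return (domain, view name) for the first view of view_type, else None."""
    for domain in domains:
        for view in domain["views"]:
            if view["type"] != view_type:
                continue
            if view_type != "named":
                return domain["name"], view["name"]
            # Named views apply by computer record or by network address.
            # Assumption: the first match in listed order wins.
            if (client["name"] in view.get("computers", ())
                    or address_match(view["name"], client)):
                return domain["name"], view["name"]
    return None

def resolve_view(client, search_path, reachable_domains):
    """Named, then default (along the search path), then public; None = flat view."""
    return (find_view(search_path, "named", client)
            or find_view(search_path, "default")
            or find_view(reachable_domains, "public"))

# Constructed sample data: two hypothetical Open Directory domains.
OD1 = {"name": "od1.example.com", "views": [
    {"type": "default", "name": "Default"},
    {"type": "public", "name": "Public"}]}
OD2 = {"name": "od2.example.com", "views": [
    {"type": "named", "name": "10.20.0.0/16"},
    {"type": "named", "name": "Design Lab", "computers": ["imac-07"]}]}

LAB_MAC = {"name": "imac-07", "mac": "00:16:cb:aa:bb:cc", "ip": "192.168.5.9"}
SUBNET_MAC = {"name": "mini-02", "mac": "00:16:cb:00:11:22", "ip": "10.20.3.4"}
OTHER_MAC = {"name": "book-11", "mac": "00:16:cb:33:44:55", "ip": "172.16.0.8"}

if __name__ == "__main__":
    for c in (LAB_MAC, SUBNET_MAC, OTHER_MAC):
        print(c["name"], "->", resolve_view(c, [OD1, OD2], [OD1, OD2]))
    print("unbound ->", resolve_view(OTHER_MAC, [], [OD1, OD2]))
```

A bound client passes its Open Directory search path as `search_path`; an unbound client passes an empty list, so only a public view can apply to it.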

Creating views and neighborhoods

You create and manage network views by clicking the Network button in the Workgroup Manager toolbar. The right-hand pane will display a list of existing network views, and you can manage the layout and settings in the left-hand pane by selecting an existing view, or you can create a new view using the New Network View button in the toolbar (see Figure 5). When you create a new network view, you will be asked whether you want to create a named, default or public view, if you haven't already done so.

Figure 5 - Configuring a network view


When adding items to a view using the Layout tab, you can add computers or servers, dynamic lists or neighborhoods. Neighborhoods act like folders, allowing you to group similar servers and create a hierarchy. Dynamic lists allow you to specify one or more self-discovery protocols that will be used to populate a view or neighborhood. This offers you the ability to continue to use Bonjour and similar protocols for discovering local resources while also giving you the option of explicitly including remote resources.

You can also add individual servers or computers in one of two ways: either select from computers that have records in Open Directory, such as a server bound to a domain, or browse the network. Adding items to a view is done by using the Add (plus sign) menu, and browsing the network is done by using the browse (ellipsis) button.

The Settings tab allows you to specify the computers that will receive a named view. Again, you can choose from existing computer records by using the Add menu to display a drawer of all computer records in Open Directory or by browsing. You can also manually add a computer record at this point. In addition, you can change the named view for a computer by editing its record in a computer list. The Settings tab also allows you to specify how often clients will check for changes to the view and whether the contents of the view will replace or be added to the flat view that would normally be displayed in the Finder.

Ryan Faas is a freelance writer and technology consultant specializing in Mac and multiplatform network issues. In addition to writing for Computerworld, he is a frequent contributor to InformIT.com. Ryan was also the co-author of O'Reilly's "Essential Mac OS X Panther Server Administration." You can find more information about Ryan, his consulting services and recently published work at www.ryanfaas.com, and can e-mail him at ryan@ryanfaas.com.


Copyright © 2007 IDG Communications, Inc.
