
Mac in the Enterprise


IT Configuration Guide
For Your Mac Evaluation and
Deployment

(Version 6.0)

IT Configuration Guide For Your Mac Evaluation and Deployment (Version 6.0)

Table of Contents

Introduction

1 Packaging and Thin Imaging
  1.1 Image Mac Computers
  1.2 Create Packages
    1.2.1 Create Packages Using Third-Party Utilities
  1.3 Manage Local Images
    1.3.1 Create Images with Disk Utility
    1.3.2 Create a Disk Image from the Command Line
    1.3.3 Deploy Images with Disk Utility
  1.4 Network Images
    1.4.1 Create a Bootable NetBoot Disk
    1.4.2 Create NetInstall Images
    1.4.3 Configure a NetInstall Server
    1.4.4 Start Up to a NetInstall Image
    1.4.5 Unicast Apple Software Restore
    1.4.6 Multicast Apple Software Restore
    1.4.7 Third-Party Deployment Solutions
  1.5 Prepare Networks for Image Deployment
    1.5.1 Set Clients to NetBoot Using the bless Command
    1.5.2 Use NetBoot DHCP Helpers
    1.5.3 Relay bootpd
  1.6 Minimal Touch Deployments
    1.6.1 Streamlined Device Enrollment

2 Support and Maintenance
  2.1 Use Asset Tags
  2.2 Configure the OS X Server Caching Service
  2.3 Configure the OS X Server Software Update Service
    2.3.1 Configure Software Update Server Clients
    2.3.2 Cascade Software Update Services
  2.4 Leverage Third-Party Software Update Services
  2.5 Acquire Client Management Suites

3 Directory Services
  3.1 Local Directory Services
    3.1.1 Create Local Administrative Accounts
      3.1.1.1 Create Local Administrative Accounts in System Preferences
      3.1.1.2 Create Local Administrative Accounts from the Command Line
      3.1.1.3 Change Local Administrative Accounts from the Command Line
    3.1.2 Nest Network Administrators from Active Directory in a Local Administrative Group
    3.1.3 Create Local Administrative Accounts with a Package or Script
  3.2 Active Directory
    3.2.1 Bind to Active Directory
      3.2.1.1 Bind to Active Directory Using Directory Utility
      3.2.1.2 Bind to Active Directory with a Profile
      3.2.1.3 Bind to Active Directory from the Command Line
      3.2.1.4 Bind to Active Directory Using a Script
      3.2.1.5 Bind to Active Directory Using a Post-Install Script
      3.2.1.6 Active Directory Plug-in Troubleshooting Commands
    3.2.2 Set a User Home Directory
    3.2.3 Namespace Support
    3.2.4 Active Directory Packet Encryption Options
    3.2.5 SSL Binding Instructions
    3.2.6 Manage Certificates from the Command Line
    3.2.7 Change Active Directory Computer Passwords
  3.3 Third-Party Active Directory Plug-ins
  3.4 Kerberos
  3.5 LDAP
  3.6 Open Directory
  3.7 Distributed File Sharing
    3.7.1 Connect to DFS Shares
    3.7.2 View DFS Shares with smbutil
    3.7.3 Third-Party DFS Solutions
  3.8 SMB2 Support
  3.9 Smart Card Support
    3.9.1 Third-Party Smart Card Service Options

4 Configuration Management
  4.1 Configure a Profile Manager Server
    4.1.1 Configure Network Settings
    4.1.2 Configure Users
    4.1.3 Add Groups
    4.1.4 Review Certificates
    4.1.5 Acquire Apple Push Notification Certificates
    4.1.6 Enable Profile Manager
    4.1.7 Automatic Push versus Manual Download Profiles
    4.1.8 Edit Management Profiles
    4.1.9 Create Device Groups
    4.1.10 Use Device Placeholders
    4.1.11 Enroll OS X Devices
    4.1.12 Lock a Device via the User Portal
    4.1.13 Wipe a Device from the User Portal
    4.1.14 Lock a Device Using Profile Manager
    4.1.15 Wipe a Device Using Profile Manager
    4.1.16 Remove a Mac from Management via the User Portal
    4.1.17 Remove Management via Profile Manager
    4.1.18 Profile System Preferences
    4.1.19 Non-Removable Configuration Profiles
    4.1.20 Restrict Access to System Preferences
    4.1.21 profiles Command
    4.1.22 dscl Command
  4.2 Manage Profiles
    4.2.1 View the Contents of Profiles
    4.2.2 Configure the Location of the Dock
    4.2.3 Manage Third-Party Application Preferences
    4.2.4 Manage Printers
    4.2.5 Restrict Applications Using Profile Manager
    4.2.6 Deploy VPN Connections Using Profile Manager
    4.2.7 Force Password Policies Using Profile Manager
    4.2.8 Configure Single Sign-On Using Profile Manager
    4.2.9 Limit Access to Sites Using Profile Manager
  4.3 Password Policies
    4.3.1 Audit Local Password Policies
    4.3.2 Configure Local Password Policies
  4.4 Use the Volume Purchase Program to Deploy Apps

5 Security
  5.1 Use Security Resources
  5.2 Use Gatekeeper
    5.2.1 Use Gatekeeper to Validate Application Downloads
  5.3 Enforce Firmware Passwords
  5.4 Manage Remote Logins
  5.5 Use Key-Based SSH Access
  5.6 Use FileVault 2
    5.6.1 Enable FileVault from the Command Line
    5.6.2 Use fdesetup to Validate Escrowed Recovery Keys
    5.6.3 Enable FileVault on an External Volume
    5.6.4 Configure Master Passwords
    5.6.5 Manage FileVault 2 Keys
  5.7 Use Third-Party Full Disk Encryption
  5.8 Manage the Network Firewall
    5.8.1 Use the Application-Layer Firewall
      5.8.1.1 Configure the Application-Layer Firewall
      5.8.1.2 Manage the Application-Layer Firewall from Terminal
    5.8.2 Use the pf Firewall
  5.9 Manage Keychains
    5.9.1 View Keychain Contents
    5.9.2 Install Certificates Using Profile Manager
    5.9.3 Enable Directory Services Searching for Certificates
    5.9.4 Enable Certificate Revocation Checking
    5.9.5 Import Items into a Keychain
    5.9.6 Export Items from a Keychain
    5.9.7 Configure iCloud Keychain

6 Networking/Wireless
  6.1 Manage IPv4 Settings
  6.2 Manage IPv6 Settings
  6.3 Set Up Wired and Wireless Connections Using the Network Setup Assistant
  6.4 Run Network Diagnostics
  6.5 Configure Networking from the Command Line
  6.6 Configure VPN Settings
  6.7 802.1x and Network Security Overview
    6.7.1 Configure WPA / TKIP PSK
    6.7.2 Configure WPA2 / AES PSK
    6.7.3 Create 802.1x Profiles
  6.8 Import and Export 802.1x Profiles
  6.9 Configure 802.1x to Join Corporate Networks
  6.10 Obtain a Certificate from a Windows CA
  6.11 Trust Certificates from the Command Line
  6.12 Create Active Directory Certificates

7 Collaboration
  7.1 Integrate with Microsoft Exchange
    7.1.1 Use Mail, Contacts, and Calendar with Exchange
    7.1.2 Enable S/MIME in Mail
    7.1.3 Enable Out-of-Office Responses in Mail
    7.1.4 Configure Exchange ActiveSync Certificate-Based Authentication
    7.1.5 Set Certificate-Based Authentication for Mail, Contacts, and Calendar
  7.2 Troubleshoot Mail, Contacts, and Calendar with Microsoft Exchange
    7.2.1 Check Autodiscover with DNS
    7.2.2 Address Improper Redirects / Certificate Errors
    7.2.3 Limit Message Size
    7.2.4 Access Additional Troubleshooting Resources
    7.2.5 Support Exchange Autodiscover
  7.3 Troubleshoot Outlook
    7.3.1 Access Additional Outlook Information
  7.4 Leverage SharePoint
    7.4.1 Connect to SharePoint
    7.4.2 Access Additional SharePoint Information
  7.5 Access Instant Messaging
    7.5.1 Configure Messages and FaceTime
    7.5.2 Manage Lync for Mac
  7.6 Use AirDrop
    7.6.1 Disable AirDrop
    7.6.2 Debug AirDrop
    7.6.3 Access Additional AirDrop Information
  7.7 Leverage iCloud
  7.8 Use iWork for iCloud

© 2013 Apple Inc. All rights reserved.

Apple, the Apple logo, AirDrop, AirPort, Bonjour, FaceTime, FileVault, Finder, FireWire, iMac, iMessages, iPad, iPhone, iPod touch, iTunes, iWork, Keychain, Keynote, Mac, MacBook Air, MacBook Pro, Mac Pro, Numbers, OS X, Pages, Retina, Safari, and Xcode are registered trademarks of Apple Inc., registered in the U.S. and other countries. Apple Remote Desktop is a trademark of Apple Inc., registered in the U.S. and other countries. App Store is a service mark of Apple Inc., registered in the U.S. and other countries. iCloud is a registered service mark of Apple Inc., registered in the U.S. and other countries. Thunderbolt is a trademark of Intel Corp. in the U.S. and other countries. FileMaker is a registered trademark of FileMaker Inc. in the U.S. and other countries. UNIX is a registered trademark of The Open Group. The Bluetooth word mark is a registered trademark owned by Bluetooth SIG, Inc. and any use of such mark by Apple is under license. Other product and company names mentioned herein may be trademarks of their respective companies. Product specifications are subject to change without notice. This material is provided for information purposes only; Apple assumes no liability related to its use.

Introduction

This configuration guide is designed to help IT professionals evaluate and deploy OS X on Mac computers in medium to large organizations. Each section contains modules that cover different topics with step-by-step instructions. This guide provides accelerated testing and planning so organizations can efficiently begin a proof of concept or broader end-user deployment of Mac computers.

This guide is a reference document. Not all modules are required reading for every Mac deployment plan, and many plans will leverage third-party software. The guide covers a wide range of topics critical to successfully deploying Mac systems, including:

• Packaging and Thin Imaging
• Support and Maintenance
• Directory Services
• Configuration Management
• Security
• Networking/Wireless
• Collaboration

Before using this guide, consult with your Apple sales representative or Apple Authorized Reseller for assistance determining the right modules for your environment.

1 Packaging and Thin Imaging

This section covers several methods that can be used to deploy Mac systems. Thin Imaging, or remediation, is a workflow by which an out-of-the-box system is updated with settings, software patches, and application software using a patch-management system rather than by creating and deploying an entire image. A thin-imaged system can also be a computer shipped from Apple along with an installer package that is run from a portal. Thin images leverage the modular imaging paradigm and further simplify the deployment process.

In the monolithic imaging paradigm, a single large image is maintained in a pristine state and must be updated when new patches or software updates are released. With modular imaging, the system administrator leverages a script and individual packages of software to automatically build each machine. The administrator can introduce updates by simply copying the new package to the build file storage location. Thin images are very similar to the modular imaging that Mac administrators have traditionally managed. However, instead of creating an image in a batch process, each package is updated when needed in the patch-management system. Keeping all installers in the patch-management or device-management system, rather than duplicating the data, helps streamline the environment, reduces required storage space, and simplifies management.

If a larger monolithic image is needed, Disk Utility can be used locally to image clients. Alternatively, a NetBoot server running on OS X Server can image clients over a network. Using Disk Utility is straightforward, and imaging over Thunderbolt interfaces completes quickly. Imaging over a network takes time and requires physical Ethernet interfaces in order to image client systems concurrently.

1.1 Image Mac Computers

The first step in deploying most computer systems, including those running OS X, is to create disk images for deployment. Apple includes robust imaging tools that can be used on their own or in conjunction with third-party tools to create images.

A wide range of imaging strategies are available, and administrators can choose between various methodologies to create deployment images. A traditional monolithic-system imaging approach works well for small proof-of-concept deployments, allowing for rapid deployment and user testing. Production deployments should leverage the power of programmatic, or modular, image-creation workflows to properly scale. In these situations, deployment images are still required to rapidly deploy systems en masse, although Thin Imaging can be used as well.

This section covers creating images with Disk Utility and using the Apple NetInstall server, which includes NetBoot and Apple Software Restore (ASR).

1.2 Create Packages

Imaging often includes packaging software for distribution. There are a number of tools for creating installation packages and package distribution.

Most application installers place files on a file system, and scripts interact with the operating system in some way (such as activating files that were placed on the file system). A package is a file, or bundle of files, with a .pkg extension. The package bundle contains an archive of files to install, scripts that perform specified actions (which can run before or after file archives are placed into the appropriate directories), and information about how the operating system should interpret the installer (such as the order in which these operations occur). A package can also include licensing documents and other information.

Packages have a number of uses related to installing and managing software. For example, application developers often use packages to build installers for their software. Apple uses packages to provide system or application upgrades using Updates in the App Store. Administrators use packages to deploy scripted changes to client systems, such as binding to a directory service.

A meta package is a lesser-used type of package. Meta packages are sets of packages that are distributed in one structure with a .mpkg file extension. The meta package typically provides a list of checkboxes used to choose which packages or components of a larger installation framework are installed.

To install a package, double-click its icon in the Finder. The Installer application opens and guides you through the necessary steps of the installation, defined at the time the package was created. Packages can also run silently through the command line, with Apple Remote Desktop, or using third-party patch management software solutions.

Many applications come bundled as standard Apple Installer packages. In situations where an application installer is already a package, custom packages may not be required. Vendors that distribute packages often have a process for preparing a package for mass deployment (such as instructions on embedding license keys and other important settings the software should have). Contacting the vendor for the proper mass deployment method of each title can save valuable time, minimize the amount of user interaction required to install a package, and help prevent unintended consequences.

Packages can be created using a number of tools such as Xcode, from the command line with pkgbuild, and with third-party tools. Packages can be built manually or by using a snapshot of the operating system. Snapshot-based packages are great for those new to building packages, but keep in mind that extraneous data may be unintentionally captured if changes unrelated to the installation take place between snapshots. To avoid this, always review the files and folders to be installed when making a snapshot and remove those not required.

The process is similar to creating installers for other operating systems. If a team member is already trained in creating installers for Microsoft Windows (that is, .msi or .mst installers) or for Linux, it should be easy for them to quickly grasp the concepts needed to build packages in OS X.
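The command-line route this module mentions (pkgbuild, then a silent install) is worth seeing end to end, because package scripts run as root on every machine they reach. The script below is an added example, not code from the Apple guide or from Apple: it stages a constructed payload and a postinstall script, builds a package with pkgbuild, and installs it only if pkgutil reports a valid signature. The bundle identifier com.pretendco.example, the settings file contents, and the fallback behaviour on systems without pkgbuild are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the Apple guide): stage a payload plus a postinstall
# script, build it with pkgbuild, and gate deployment on a signature check.
# The identifier com.pretendco.example, the payload file and the behaviour
# when pkgbuild is absent are constructed for this demonstration.
set -eu

# stage_pkg_root ROOT: lay out the files pkgbuild will capture as the payload,
# relative to the install location (/), plus a scripts directory holding a
# postinstall hook. Returns 0 when the tree is complete.
stage_pkg_root() {
    root="$1"
    mkdir -p "$root/payload/Library/Pretendco" "$root/scripts"
    # Constructed payload file that the postinstall script references.
    printf 'ServerURL=https://mdm.pretendco.example/\n' \
        > "$root/payload/Library/Pretendco/settings.conf"
    # Postinstall runs as root after the payload is placed; keep it small and
    # independent of any logged-in user. Installer passes the target volume as $3.
    cat > "$root/scripts/postinstall" <<'EOF'
#!/bin/sh
chmod 644 "$3/Library/Pretendco/settings.conf"
exit 0
EOF
    chmod 755 "$root/scripts/postinstall"
    [ -f "$root/payload/Library/Pretendco/settings.conf" ] \
        && [ -x "$root/scripts/postinstall" ]
}

# build_pkg ROOT OUT.pkg: run pkgbuild where it exists (OS X); elsewhere print
# the command that would run and return 2 so callers can tell the cases apart.
build_pkg() {
    root="$1"; out="$2"
    if ! command -v pkgbuild >/dev/null 2>&1; then
        echo "pkgbuild not found; would run:" >&2
        echo "  pkgbuild --root $root/payload --scripts $root/scripts" \
             "--identifier com.pretendco.example --version 1.0" \
             "--install-location / $out" >&2
        return 2
    fi
    pkgbuild --root "$root/payload" --scripts "$root/scripts" \
        --identifier com.pretendco.example --version 1.0 \
        --install-location / "$out"
}

# verify_and_install OUT.pkg: confirm the package carries a valid signature
# before it is installed silently on the boot volume. An unsigned package
# fails the check, which is the point: nothing unsigned runs as root.
verify_and_install() {
    pkg="$1"
    pkgutil --check-signature "$pkg" || return 1
    sudo installer -pkg "$pkg" -target /
}

main() {
    work=$(mktemp -d)
    stage_pkg_root "$work"
    build_pkg "$work" "$work/Pretendco-1.0.pkg" \
        && verify_and_install "$work/Pretendco-1.0.pkg"
}

# Only run the full flow when invoked as: sh build_pkg.sh run
[ "${1:-}" = "run" ] && main
```

pkgutil --check-signature rejects an unsigned package, so a package built this way passes the gate only after it is signed, for example with pkgbuild's --sign option and a Developer ID Installer certificate. Keeping that check in the deployment script, rather than in a human's memory, is what stops a tampered or accidentally unsigned package from being pushed to a fleet by the same mechanism that pushes good ones.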

1.2.1 Create Packages Using Third-Party Utilities

A number of third-party products have compelling features for environments, depending on their imaging needs. These include:

• Composer from JAMF Software (www.jamfsoftware.com). Composer can be leveraged to inspect a computer and create a package of each application that has been installed on the system, thus offering a smooth transition from monolithic imaging environments to package-based imaging environments.

• InstallEase from Absolute Software (www.absolute.com). InstallEase is a basic snapshot-based package generation tool for OS X that lets you create installer packages with minimal effort.

• Rudix (www.rudix.org). Rudix is a website that offers a number of tools created for various UNIX platforms built into standard Mac installation packages. By having access to packages that can perform a number of tasks, without having to build your own, software can be deployed more quickly and in a repeatable fashion.

1.3 Manage Local Images

Local images are created on a local drive and are used to duplicate the contents of that drive to another computer. This section covers how to use Disk Utility to image one volume to another. There are also a number of third-party tools that can be used to image locally, including DeployStudio, Lightning Imaging from FileWave, and Casper Imaging from JAMF Software, which can be used to perform imaging over a network connection as well.

Local image deployment is a simple form of deployment for Mac computers. Taking advantage of native tools such as Apple Software Restore, Disk Utility, and target-disk mode, administrators can more efficiently test deployment images using direct connections between computers, without the need to move images to production or test servers.

Local imaging techniques don't scale well for the deployment of a large number of Mac computers in most environments, but they are well suited to test environments, where they help determine how a larger-scale deployment process will work.

1.3.1 Create Images with Disk Utility

An image is a representation of a computer and its related information at a given point in time, including the kernel, file systems, libraries, and programs. A disk image is a representation of the file system, captured while offline to create a complete image of the system.

For the purposes of this guide, an image is one of the following:

• A single .dmg file that stores a monolithic representation of a Mac and can be copied in full to other Mac computers (or a set of packages that make up a modular representation of that .dmg file).
• A Mac that can be duplicated to other Mac computers.

Images can be deployed directly through target-disk mode or from one disk to another. Images can also be deployed over a network using NetInstall, NetRestore, or a third-party product. This module explains how to create an image of a hard drive and copy that image to another hard drive.

There are many options for imaging Mac computers. In this module, use Disk Utility (located in /Applications/Utilities) to create an image of a hard drive. This is the most basic way that many organizations begin imaging.

To create an image of a system with Disk Utility:

1. Build the perfect system image. Install the operating system and required software, preferably using Volume License Agreement (VLA) licensing, and configure settings specific to your environment.
2. Restart the system in target-disk mode by holding down the T key during the startup process.
3. Connect the image source computer to an image creation computer and verify that the hard drive mounts.
4. Select the prepared volume.
5. Choose Get Info from the File menu (or press Command-I).
6. Verify that the "Ignore ownership on this volume" checkbox isn't selected.

Figure 1.3.1_1

7. Open Disk Utility from /Applications/Utilities to see a Disk Utility window.
8. Click the disk to be imaged, if it appears in the list.

Figure 1.3.1_2

9. In the File menu, choose New.
10. Choose Disk Image from Folder.

Figure 1.3.1_3

11. The Select Folder to Image dialog lets you choose the volume from which to create the image. Select the name of the prepared client hard drive (which should be started up in target-disk mode).
12. Click the Image button.

Figure 1.3.1_4

13. In the New Image from Folder window, provide a name for the image. In this example, it's Pretendco Image.
14. Use the Where menu to define where on the system the image file will be created.
15. Choose compressed in the Image Format menu and none in the Encryption menu, as images deploy faster when compressed.
16. Click the Save button to create the image.

Figure 1.3.1_5

Wait for the image to complete. The time required depends on the size of the image and the speed of the media for both source and destination.

17. Once the image is complete, unmount the hard drive.
18. Remove the hard drive used as the source of the image.
19. In Disk Utility, choose Scan Image for Restore in the Images menu.
20. Select the image previously created.
21. Once complete, test the image.

1.3.2 Create a Disk Image from the Command Line

Apple Software Restore is a tool administrators use to create images from a disk. In this example, we'll create an image from the command line, allowing for maximum granularity in terms of control over what is going on behind the scenes, and to show how the hdiutil and asr commands can be leveraged in an imaging process.

To use Apple Software Restore to scan an image for restore:

1. The hdiutil command can be used to manipulate disk images. This allows users to burn, create, expand, and verify disk images. In this module, use the hdiutil command with its create verb to create the image .dmg file. First mount a drive called MACOSX that houses a clean OS X installation on your computer, and then create an image of it. Call the image MavericksImage and place it in the Desktop folder on the computer. The following command illustrates how to create the .dmg file:

   hdiutil create -srcfolder /Volumes/MACOSX ~/Desktop/MavericksImage.dmg

2. Now have the asr utility scan the image using the following command:

   asr imagescan --source ~/Desktop/MavericksImage.dmg

   Here asr is used with the imagescan verb to calculate the checksums of the contents of the image file and store them in the image. These checksums will be used to verify that restores occur properly. The imagescan verb will also reorder files so that the image can be deployed in a multicast fashion.

   Note: The --filechecksum and --nostream options can be used with the imagescan verb. When used, these options calculate checksums on a per-file basis and bypass reordering of the files, respectively. This is often used as a troubleshooting mechanism when images are problematic.

1.3.3 Deploy Images with Disk Utility

In this module, take a prepared image and copy it from one hard drive to another using Disk Utility.

To deploy an image with Disk Utility:

1. Open Disk Utility.
2. Select the destination, or target, drive and click Restore.
3. Drag the image file into the Source field from the Finder, or browse to the image using the Image button.
4. Drag the logical volume to the Destination field. You've now selected an image as the source and the destination drive to which you're restoring.

Figure 1.3.3_1

5. Click the Restore button to initiate the restore process.

1.4 Network Images

Once you've created your deployment payloads, the next step is to deploy them. A simple form of deployment is to locally apply an image from one Mac to another via FireWire or Thunderbolt. Because this process is cumbersome to scale, this section covers additional techniques to help enable a minimal-touch deployment.

Network images are created especially for imaging a large number of computers over a network. These images are prepared specifically for publishing over a network connection and have special functionality built for making each system unique when the imaging process is complete.

Because a computer cannot image over a live operating system, this section includes setting up a NetBoot set as well as booting to a NetBoot image so that a Mac can reformat and reimage over the boot volume.

OS X includes a tool called System Image Utility (SIU), used to create NetBoot, NetInstall, and NetRestore images. System Image Utility allows you to create images and configure powerful customizations that reduce the time required to image client computers. System Image Utility is a standard tool installed in /System/Library/CoreServices on every Mac running OS X.

• NetBoot. Starts up client computers to an operating system located on a server. This operating system can be in a completely diskless boot environment (where there are no hard drives in client systems), or it can leverage a disk in the client to cache the operating system to reduce network congestion.

• NetInstall. Creates a customized operating system installer that runs over a network. The installation process is then customized with easy-to-use Automator actions that perform tasks before or after the OS X installation process. In environments where customizations have not been used, NetInstall users may be presented with the same user interface as if they were using the OS X installer on the local drive, or the process can be automated. Examples of customizations include repartitioning hard drives, using predefined operating system installation choices, binding systems to directory services, renaming client systems, and installing additional software packages.

• NetRestore. Images client systems using a prebuilt image (referred to in this document as a prepared disk) with block-copy Apple Software Restore (ASR). There are several options to create NetRestore sets, including imaging existing OS X computers, creating an image programmatically with a custom set of packages, and allowing for the arbitrary sourcing of ASR images (that is, choosing an image located on a web server or NFS server, or using multicast ASR). Leveraging NetRestore, a single boot image is prepopulated with predefined choices. Or clients can browse for multicast ASR streams using Bonjour networking technology from Apple.

IT Configuration GuideFor Your Mac Evaluation and Deployment (Version 6.0)

1.4.1

Create a Bootable NetBoot Disk


This module describes how to create a minimal NetRestore image that allows the
source location of ASR images (for example file, URL, and so on) to be either
predefined or manually entered when booted to a NetBoot image. Or in the case
of those accessible via Bonjour, you can browse for the source location.
To create a NetBoot set for NetRestore using System Image Utility:
1.

Open System Image Utility from the Tools menu of the Server application.

2.

Click the Add (+) button in the lower-left corner of the System Image Utility
window.

3.

Click Continue to create a new workflow.

Figure 1.4.1_1

15

IT Configuration GuideFor Your Mac Evaluation and Deployment (Version 6.0)

4.

Click Agree when prompted to accept the OS X Licensing Agreement from


Apple, provided the terms are acceptable.

Figure 1.4.1_2

5.

In the window that shows the NetRestore options, remove the Define Image
Source and Create Image panes on the right by clicking the Close (x) button
in the upper-right corner of each. This will leave the workflow area empty.

6.

Drag the Define NetRestore Source action from the Automator Library in the
left pane to the workflow area.

Figure 1.4.1_3

!!

16

IT Configuration GuideFor Your Mac Evaluation and Deployment (Version 6.0)

7. Click the Add (+) button in the Define NetRestore Source pane, and enter the
path where the .dmg can be found. You may define either an HTTP or ASR
source URI (uniform resource identifier).
8. Select the ASR multicast streams checkbox in the Enable browsing for
section to see a list of all available ASR multicast streams.
9. To discover other NetRestore sources on the network (such as HTTP),
select the Other NetRestore sources checkbox.
10. To allow users to manually provide a path to a .dmg, select the Allow manual
source entry checkbox.

Figure 1.4.1_4

11. Drag the Create Image action from the Automator Library into the workflow,
below the Define NetRestore Source area.
12. Leave Type set to NetBoot, and provide a name for the image.
13. Provide a name for the Network Disk.


14. Provide a description to help keep track of NetBoot sets. Also provide an
image index, an identifier unique to NetRestore NetBoot sets.

Figure 1.4.1_5

15. Click Save.
16. Save the workflow with a name that enables you to easily access it or share it
with other administrators at a later date.
17. Click Run.
18. Wait for the NetBoot set for NetRestore to complete. The time required for
this process depends on the size of the NetBoot set and the speed of the
volumes to which the NetBoot set is being written.


1.4.2

Create NetInstall Images


In OS X Server, NetInstall publishes an installer to client systems. NetInstall takes
the logic and options built into the OS X installer and moves them into a vehicle
that can be used on networked client computers.
In this module, create a NetInstall Image of an OS X installer using System Image
Utility.
To create a NetInstall image using System Image Utility:
1. Purchase and download OS X from the Mac App Store (don't install OS X or
restart on completion).
2. An application called Install OS X Mavericks is placed in the
/Applications directory.
3. Close any dialogs the Install OS X Mavericks installer may automatically open.
4. Open System Image Utility using the Tools menu in the Server application.
Because the Install OS X Mavericks installer is detected on the system, the
initial window of System Image Utility provides the option to Create a
Network Disk Image and asks you to select the type of image you'll create.

Figure 1.4.2_1

5. Choose Install OS X 10.9 from the Sources menu to select an installer on
which to base the image.
6. Click NetInstall Image. This tells the image, when NetBoot loads it, to
install an operating system.
7. Click Continue.


8. Provide a name and description for the image.
9. If the image will be hosted by multiple NetBoot servers, select the Image
will be served from more than one server checkbox.

Figure 1.4.2_2

10. Click Agree when prompted to accept the OS X Licensing Agreement from
Apple, provided the terms are acceptable.

Figure 1.4.2_3


11. In the Save As field, enter a name for the files that will be saved.
12. Use the Where menu to choose a location for the image.
13. If the location isn't listed in the Where menu, click the disclosure button to
the right of the Save As field to browse for a location.

Figure 1.4.2_4

14. Click Save.
15. When prompted, provide an administrative account and password for the
system being used to generate the image.
16. Once the process is complete, move the image into the
/Library/NetBoot/NetBootSP0 directory. The NetInstall image is then available
within the Server application in the NetInstall section.


1.4.3

Configure a NetInstall Server


NetInstall and NetRestore both rely on the NetInstall service in OS X Server to
start up an operating environment, freeing the internal drive for an operating
system image or upgrade. NetBoot starts up a Mac computer to an operating
system stored within an nbi (.nbi) bundle hosted on a NetInstall server.
OS X Server acts as a NetInstall server and is covered in this module.
To configure a NetInstall server:
1. Open the OS X Server application on the server.
2. Click Show when you highlight the Advanced section of the sidebar.

Figure 1.4.3_1

3. Click NetInstall in the sidebar.
4. Click the Settings tab.


5. Click the Edit button next to Enable NetInstall on.

Figure 1.4.3_2

6. Select the Enable checkbox for each interface on which NetInstall should run.
7. Click OK.

Figure 1.4.3_3

8. Click the Images tab.
9. Click the cog wheel icon.
10. Click the Edit Storage Settings button.
11. Click the Volume menu for the volume that will host the images.


12. Choose Images & Client Data from the Stored Data menu to enable images
for that volume.

Figure 1.4.3_4

13. Click OK.
14. Place the NetBoot images previously created into the
/Library/NetBoot/NetBootSP0 directory of the volume just selected.
15. Once the image is in the correct location, quit and reopen the Server
application if the image does not appear in the Images list.
16. Click NetInstall under Services in the sidebar.

Figure 1.4.3_5


17. Double-click the image.
18. Select the Make available over checkbox.
19. Choose NFS from the Make available over menu.

Figure 1.4.3_6

20. Click the image previously created.
21. Click the cog wheel icon to open a menu of options for the image.
22. Choose Use as Default Boot Image to set the image as the default image
used for systems that start up to the server.
23. Toggle the On/Off switch to start the service.

Figure 1.4.3_7

24. To test starting up a client system to the image, hold down the N key at
startup. Or select the NetBoot server you just set up by using the Startup Disk
System Preferences pane on the client system.

1.4.4

Start Up to a NetInstall Image


Once a NetRestore or NetInstall NetBoot set is enabled on an OS X Server
system, start up a client to the NetInstall set to begin imaging.
The easiest way to start up a client to a NetBoot server is to hold down the N key
at startup. Provided the client can see the NetBoot server, and that the
environment allows the client to obtain an IP address from a DHCP server, this
is often the easiest way to start up into a NetBoot environment.
In some cases, holding down the N key at startup won't provide the desired
results. In this module, configure a client to start up to the NetBoot/NetInstall set
using the Startup Disk System Preferences pane.
To start up to a NetBoot set for NetRestore:
1. Open System Preferences.

Figure 1.4.4_1


2. Click Startup Disk to open the Startup Disk pane.

Figure 1.4.4_2

3. Click the name of the NetBoot set created for NetRestore.
4. Click the Restart button.
The computer is booted into the NetRestore environment, to a screen
showing the icon for System Image Utility. Choose the image to restore or
enter the path to the image manually.


1.4.5

Unicast Apple Software Restore


Apple Software Restore allows for both multicast and unicast restores when the
source image is accessed over a network. Both operations can be performed by
any Mac computer (the ASR server and the ASR client). Neither operation requires
a computer with OS X Server, although OS X Server does make the task simpler
with Bonjour-enabled NetRestore. When booted to a NetBoot image, you can use
the path to an image (in the form of a URI) to define the location to which the
computer will boot. When the path is to a flat file on a server, then you are
performing a unicast restore.
In a unicast restore, each Mac target establishes a separate connection to the
server hosting the image, in much the same way different users access the same
read-only file on a file server. The following command can be used to image
clients programmatically:
sudo asr restore --source /Users/USERNAME/Desktop/OS\ X\ Mavericks\ Image.dmg --target /Volumes/Mac\ OS\ X/ -erase

In the above command, the restore verb is used, the --source and --target
settings are defined, and finally the -erase option is used. In this way,
programmatically creating system images is possible with only a single
command.
Rather than using direct-attached storage, such as Thunderbolt, administrators
can use the asr command to restore images from a file hosted by HTTP. To do so,
place the image on a web server and use a command similar to the following,
where the fully qualified domain name (FQDN) of the web server is
mywebserver.pretendco.com and the name of the image is mavimage.dmg.
sudo asr restore --source http://mywebserver.pretendco.com/mavimage.dmg --target /Volumes/Mac\ OS\ X/ -erase

In the above command, the source is defined with the URL from which it is
accessible using HTTP. The file was renamed mavimage.dmg to make it
friendlier to HTTP requests. Defining the -erase option speeds up the
restoration and makes the image blessed (that is, bootable).
Note: This method assumes that the Mac being imaged is started up in target disk
mode, because the image can't be placed on top of a running operating system.
Not needing target disk mode is another valuable feature of NetRestore on
OS X Server.


1.4.6

Multicast Apple Software Restore


Multicast Apple Software Restore (mASR) broadcasts disk images as streams that
any machine can listen to and image from. The mASR server plays the streams
over the network and Mac computers connect to the streams to copy the image,
block by block, to their local drives. Streams are looped so that if a Mac connects
to a stream midway through, or drops packets due to network congestion, the
stream download completes the current loop and then retrieves the remaining
data on the next loop.
Because data is streamed to all client systems, performance on the mASR servers
isn't impacted when more client systems are added.
To set up a multicast Apple Software Restore environment, use the same
command-line utility used to create the images (asr) to set up an mASR server.
Before starting, contact your network team for valid multicast addresses and
rates for your network.
The asr command requires a property list (plist) to set the configuration settings
for the server. To configure an mASR server:
1. Set up the plist file. To do so, you need a multicast address and the data rate
at which you want the server to provide the multicast traffic. Using this
information, create a file. For this example, use an asrsetup.plist
filename in a folder called /asrconfig. First create the directory using the
following command:
sudo mkdir /asrconfig

2. Create the plist file using the following command:
sudo touch /asrconfig/asrsetup.plist

3. Use the defaults command to populate the file with the settings planned
for earlier. The multicast address must fall inside the IPv4 multicast range
(224.0.0.0 through 239.255.255.255):
sudo defaults write /asrconfig/asrsetup.plist "Data Rate" -int 10000000
sudo defaults write /asrconfig/asrsetup.plist "Multicast Address" 224.0.0.1

4. Provide optional information in the asrsetup.plist configuration file. The
Client Data Rate can be defined, which is the slowest rate a client can operate
without errors. DNS Service Discovery is defined as a -bool (boolean) value,
which sets whether the ASR server should use Bonjour. Loop Suspend is
an integer that limits the number of times an image is streamed without any
clients using it, before the ASR server stops and waits for new clients.
Multicast TTL and port can be customized as well, although this option is
rarely used. For more information on Loop Suspend, see:
developer.apple.com/library/mac/#documentation/Darwin/Reference/
ManPages/man8/asr.8.html.
5. Once the .plist file is created, move an image (in the form of a .dmg file) into
the /asrconfig directory.


6. Once moved, start up the ASR server using the following command:
sudo asr server --source /asrconfig/myimage.dmg --config /asrconfig/asrsetup.plist

7. The server then states Ready to start accepting clients. To test the server, tell
a client to look to the server for connectivity. Testing can be done by
providing a path (in the form of a URI) to the asr:// location using a NetBoot
image, Disk Utility, or the asr command with the restore verb. Here the
source computer is myasrserver.pretendco.com and the image is called
myimage.
sudo asr restore --source asr://myasrserver.pretendco.com/myimage.dmg --target /Volumes/Mac\ OS\ X/ -erase
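The mASR server plist from steps 1 to 4 and the restore commands from step 7 and from 1.4.5, as an added example that is not from the Apple guide: it rejects a multicast address outside 224.0.0.0/4 before the value reaches the plist, writes the plist as XML so it can be checked on any POSIX shell, and quotes the restore command's paths. The function names, the 239.1.2.3 address, the rates and the image names are assumptions; use the address and rates your network team provides.

```shell
#!/bin/sh
# Added example, not part of the Apple guide: check the values that go into
# asrsetup.plist (steps 1-4), write the plist as XML, and build the restore
# commands for step 7 and for the unicast case in 1.4.5. It uses printf
# instead of `defaults` so the checks run on any POSIX sh before the files
# are copied to the server. 239.1.2.3, the rates and the image names below
# are constructed sample values; use the ones your network team provides.

# Return 0 only for a dotted-quad address whose first octet is 224-239, the
# IPv4 multicast range. A typo such as 244.0.0.1 is rejected here rather than
# silently written into the plist. Only the shape of the other three octets
# is checked.
is_multicast_addr() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;        # bad characters or empty groups
        *.*.*.*.*) return 1 ;;                      # more than four groups
        22[4-9].*.*.*|23[0-9].*.*.*) return 0 ;;    # 224.x.x.x - 239.x.x.x
    esac
    return 1
}

# Print the server plist to stdout. $1 multicast address, $2 server data rate,
# $3 optional Client Data Rate, $4 optional Loop Suspend count. DNS Service
# Discovery is set so NetBoot clients can browse for the stream with Bonjour.
build_asr_plist() {
    mcast=$1 rate=$2 client_rate=${3:-} loop_suspend=${4:-}
    if ! is_multicast_addr "$mcast"; then
        echo "not a multicast address: $mcast" >&2
        return 1
    fi
    for n in "$rate" $client_rate $loop_suspend; do
        case "$n" in
            ''|*[!0-9]*) echo "not a non-negative integer: $n" >&2; return 1 ;;
        esac
    done
    printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>' \
        '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">' \
        '<plist version="1.0">' '<dict>'
    printf '\t<key>Data Rate</key>\n\t<integer>%s</integer>\n' "$rate"
    printf '\t<key>Multicast Address</key>\n\t<string>%s</string>\n' "$mcast"
    printf '\t<key>DNS Service Discovery</key>\n\t<true/>\n'
    if [ -n "$client_rate" ]; then
        printf '\t<key>Client Data Rate</key>\n\t<integer>%s</integer>\n' "$client_rate"
    fi
    if [ -n "$loop_suspend" ]; then
        printf '\t<key>Loop Suspend</key>\n\t<integer>%s</integer>\n' "$loop_suspend"
    fi
    printf '%s\n' '</dict>' '</plist>'
}

# Build the restore command for step 7 (asr:// source) or for 1.4.5 (a local
# .dmg or an http:// source). The target has to be a volume mounted under
# /Volumes or a /dev/disk device; a bare volume name is not a valid target.
asr_restore_command() {
    src=$1 target=$2
    case "$src" in
        asr://*|http://*|/*) ;;
        *) echo "source must be a path, http:// or asr:// URI: $src" >&2; return 1 ;;
    esac
    case "$target" in
        /Volumes/?*|/dev/disk*) ;;
        *) echo "target must be under /Volumes or /dev/disk: $target" >&2; return 1 ;;
    esac
    # single quotes keep a name such as "Mac OS X" intact when sh runs the command
    printf "sudo asr restore --source '%s' --target '%s' --erase\n" "$src" "$target"
}

# Typical use on the server, with the guide's paths (not executed here):
#   build_asr_plist 239.1.2.3 10000000 5000000 5 | sudo tee /asrconfig/asrsetup.plist
#   sudo asr server --source /asrconfig/myimage.dmg --config /asrconfig/asrsetup.plist
```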


1.4.7

Third-Party Deployment Solutions


Apple provides a robust set of solutions for imaging a computer, deploying the
image, and keeping systems in alignment with the change management,
configuration management, and release management of both Apple and
third-party solutions in imaging.
Some third-party application developers also provide solutions that take a
number of deployment aspects into account. These solutions include, but are not
limited to:

• DeployStudio. www.deploystudio.com
A free application with a comprehensive set of tools wrapped around the
command-line asr options. DeployStudio also offers the ability to PXE boot
Windows computers for mass deployment.

• Casper Suite. www.jamfsoftware.com
JAMF Software's Casper Imaging Server also leverages NetBoot and ASR
technology, although it extends beyond deployment and into patch
management. One component of the suite, Composer, can be leveraged to
build package-based images quickly using existing software installed on a
monolithic image or prepared volume.

• Absolute Manage. www.absolute.com
This solution allows for upgrades, but is more widely adopted as a patch
management solution for both Mac and Windows PC computers.

• FileWave. www.filewave.com
This cross-platform solution offers administrators a way to prepare systems
for the deployment of packages, and provides a way to roll packages and
images back to previously deployed images.

Additionally, Mobile Device Management (MDM) solutions can be used to deploy
software and manage settings on Apple equipment. Most vendors that develop
patch management solutions also offer MDM solutions. It is recommended to
check with your vendor to make sure you're using the right tool for each task
performed on your Apple devices.


1.5

Prepare Networks for Image Deployment


One of the biggest challenges that occurs when imaging over a network
connection is when the computer can't be booted to the volume being imaged.
In this case, most imaging environments need a NetBoot server.
NetBoot typically works by sending broadcast data to locate a NetBoot server.
Many environments require NetBoot helpers configured on routers,
NetBoot/bootpd relays, or static assignment of the NetBoot server in cases where
broadcast traffic can't find a NetBoot server (for example, due to VLANs). The
following few sections cover the standard troubleshooting steps involved in
getting a NetBoot server to work so you can reliably image systems in large-scale
environments.


1.5.1

Set Clients to NetBoot Using the bless Command


To start up a client system to a NetBoot/NetInstall server, hold down the N key to
boot the default image off the first server, or use the Option key to select a server.
You can also click Startup Disk in System Preferences to select which NetBoot
server to boot to, provided the client can find the NetBoot server using standard
broadcast traffic.
To start up to an IP address, use the command line with the bless command in
OS X. The bless command allows administrators to specify which volume or
folder to boot from, as well as to define a network volume from which a
client should boot, as is the case with NetBoot.
In this example, the IP of the NetBoot Server is 10.0.9.2 and the client is on the
same subnet as the server, booting through DHCP (Dynamic Host Configuration
Protocol). Replace this sample IP address with that of your environment when
using the following setup.
To use the bless command to define a NetBoot volume that resides on a
server:
1. Open Terminal from /Applications/Utilities.
2. Use the command bless without any arguments to get comfortable with
the syntax and available options.
3. Run the following command:
sudo bless --netboot --server bsdp://10.0.9.2

The options used in this command are --netboot, which invokes NetBoot
Mode, and --server, which specifies the IP address (or DNS name) rather
than relying on a discovery protocol for this information. Notice that the
server is given as a URL, with bsdp:// in front of the server name, telling the
system that BSDP (Boot Service Discovery Protocol) is to be used. A separate
--booter option allows administrators to specify the TFTP server for NetBoot
along with the NFS or AFP location of the NetInstall .dmg file.
4. Use the following to verify that the bless command worked as needed:
bless --info

Using bless, administrators can directly target a NetBoot server even if that
server is in a different subnet from the client systems.
5. If the correct information appears, the configuration is complete. For more
information on using the bless command, see the man page for bless by
running the following command:
man bless


1.5.2

Use NetBoot DHCP Helpers


As with any network or discovery protocol, NetBoot can be problematic on
certain networks. To quickly find out whether NetBoot will work on a server
combination, enable DHCP on a NetBoot server, connect a network cable from
the server directly to a client computer, and start up the client while holding
down the N key. Then disable DHCP and try the same process when running
through network switches. If NetBoot works when directly connected, but doesn't
work when going through the switching and routing infrastructure, the
environment more than likely has an infrastructure problem.
There are a number of ways to avoid infrastructure problems that cause NetBoot
to fail. Chief among them is to set up a router/route for Boot Service Discovery
Protocol (BSDP). One way to do this is to enable UDP (User Datagram Protocol)
forwarding to forward all UDP packets for BSDP to the NetBoot server in question,
which would allow that server to host as many NetBoot environments as needed.
This is similar to how the forwarding of all DHCP traffic is configured in most
environments, no matter which subnet it's sourced on, to a specified server.
If this isn't an option, another method is to look to DHCP, which allows for a
number of extensions. These extensions offer administrators options via DHCP, in
addition to the standard IP address and subnet mask common in DHCP leases.
These include options such as DNS servers, NIS servers, SMTP servers, and so on.
For more on DHCP extensions, see www.ietf.org/rfc/rfc2132.txt.
DHCP provides for a number of standard services but also has options for vendors
to leverage. BSDP is one such vendor extension, developed by Apple. The DHCP
options include option 41, also known as vendor-specific information, and option
60, also known as the vendor class identifier. The full protocol documentation is
available at opensource.apple.com in the bootpd project.
Each router and DHCP server is different. This should help administrators find out
what is required to enable and configure DHCP helper addresses on routers to
allow for NetBoot server discovery across subnets.


1.5.3

Relay bootpd


DHCP is required for NetBoot. Many environments already have DHCP servers on
each segment, VLAN (Virtual LAN), or subnet of the network where a Mac might
attempt to initiate NetBoot. If administrators can see a NetBoot server in the
Startup Disk pane in System Preferences, but can't initiate a NetBoot session into
that server by holding down the N key at startup, a bootpd relay for BSDP and its
parent DHCP server may be needed.
This module covers how to configure a Mac running OS X Server to provide a
bootpd relay agent to enable NetBoot server discovery across subnets.
To edit the bootpd.plist file on the system to act as the relay:
1. Enable Internet Sharing in System Preferences. Doing so enables Network
Address Translation (NAT) on your server, but you don't have to use NAT.
2. Open Terminal from /Applications/Utilities.
3. Type sudo pico /etc/bootpd.plist.
4. Find the section of the file that indicates the following:
<key>relay_enabled</key>
<false/>
<key>relay_ip_list</key>
<array/>

5. Edit the <false/> value for the relay_enabled key so that it reads
<true/>.
6. Replace the <array/> empty array for relay_ip_list with the NetBoot
server IP address as follows:
<array>
<string>192.168.210.1</string>
</array>

7. The resultant section of the file should appear as follows:
<key>relay_enabled</key>
<true/>
<key>relay_ip_list</key>
<array>
<string>192.168.210.1</string>
</array>

8. Once the parameters are configured, load the bootps LaunchDaemon, as
follows:
sudo launchctl load -w /System/Library/LaunchDaemons/bootps.plist

9. Finally, start the bootpd process using launchctl as follows:
sudo launchctl start com.apple.bootpd
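Steps 4 to 7 applied by a script rather than by hand, as an added example that is not from the Apple guide: it makes the same two edits to a bootpd.plist read on stdin, refuses to run if relay_ip_list is not empty, and counts the relay addresses afterwards so the result can be checked before the file on the server is replaced. The function names and the abridged SAMPLE_BOOTPD_PLIST are assumptions; the real /etc/bootpd.plist carries more keys, which the script leaves untouched.

```shell
#!/bin/sh
# Added example, not part of the Apple guide: apply the edits from steps 4-7
# to a bootpd.plist with awk and check the result before the real
# /etc/bootpd.plist on the server is touched (pico, or PlistBuddy on OS X,
# does the same by hand). SAMPLE_BOOTPD_PLIST is a constructed, abridged
# stand-in for the real file; 192.168.210.1 is the guide's example address.

SAMPLE_BOOTPD_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>bootp_enabled</key>
	<false/>
	<key>netboot_enabled</key>
	<false/>
	<key>relay_enabled</key>
	<false/>
	<key>relay_ip_list</key>
	<array/>
</dict>
</plist>'

# Read a bootpd.plist on stdin; write it to stdout with relay_enabled set to
# <true/> and the empty relay_ip_list replaced by the NetBoot server in $1.
# Only the value element directly after each of those two keys is touched,
# so the other <false/> values (bootp_enabled, netboot_enabled) stay as they
# are. Exits non-zero if relay_ip_list already holds addresses.
enable_bootpd_relay() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) echo "not a dotted-quad address: $1" >&2; return 1 ;;
    esac
    awk -v ip="$1" '
        # the value element always follows its <key> on the next line
        pending == "enabled" { sub(/<false\/>/, "<true/>"); pending = "" }
        pending == "list" {
            if (sub(/<array\/>/, "<array>\n\t\t<string>" ip "</string>\n\t</array>"))
                filled = 1
            pending = ""
        }
        /<key>relay_enabled<\/key>/ { pending = "enabled" }
        /<key>relay_ip_list<\/key>/ { pending = "list" }
        { print }
        END {
            if (!filled) {
                print "no empty relay_ip_list found; file left unchanged" > "/dev/stderr"
                exit 2
            }
        }
    '
}

# Count the addresses inside relay_ip_list of the plist read on stdin. After
# the edit the answer should be exactly one: the NetBoot server.
relay_ip_count() {
    awk '
        /<key>relay_ip_list<\/key>/ { inlist = 1; next }
        inlist && /<\/array>|<array\/>/ { inlist = 0 }
        inlist && /<string>/ { n++ }
        END { print n + 0 }
    '
}

# Typical use on the relay (not executed here):
#   enable_bootpd_relay 192.168.210.1 < /etc/bootpd.plist > /tmp/bootpd.plist
#   relay_ip_count < /tmp/bootpd.plist   # expect 1, then copy it into place
```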

1.6

Minimal Touch Deployments


By following Apple best practices, it's possible to achieve minimal-touch, or even
zero-touch, deployments with OS X. There are three main components to a
minimal-touch deployment.

• Deployment imaging. The first step of any deployment (especially a
minimal-touch deployment) is the development of a good deployment image. A
deployment image contains as few customizations as possible to protect it
from constant revisions and to make it as business-unit agnostic as possible.
Ideally, the deployment image only contains OS X, local settings, and
keystone applications, if that. Keystone applications are software packages
installed on 100 percent of the Mac computers in an organization. The
deployment image can skip all these if enrolled in a patch management
system, meaning a computer can be deployed with just the operating
system and enrollment in a patch management system. The patch
management system then takes over installing all software, including
keystone applications.

• Directory services. By fully utilizing directory services, administrators gain
centralized control over user identities and centralized management of user
data, while also providing for the delivery of a cohesive management policy
framework. A script that binds the Mac to a directory service can be built into
most deployment images or deployed as part of a client management or
mobile device management solution.

• Client management. Use of a client management system is the critical step
of a minimal-touch deployment. Client management agents, or enrollment in
mobile device management, should be built into deployment images so that,
on first startup, the Mac systems will contact the client management suite
and upload inventory information. This is also when any unit-specific
software is provisioned, along with any update deltas that exist for the
current deployment image. With most client management suites, optional
applications are delivered to Mac client computers via self-service software
tools. Workflows that consist of images that only contain client management
agents, and that have the agent load all other automations, are known as
thin-imaging workflows and are the preferred methodology for large-scale
deployments in order to ensure as few touches as possible.
A zero-touch deployment can be achieved when a thin-imaging workflow is
used with systems imaged at the factory (or by an Apple Authorized Reseller)
before they arrive at your organization. When combined with centrally
managed Mac App Store software and licenses, a thin image can be
compiled with very few custom packages, allowing for streamlined and
efficient workflows that also require little time to develop and manage.


1.6.1

Streamlined Device Enrollment


Streamlined MDM Enrollment is a new process introduced in OS X Mavericks for
simplifying device distribution, configuration, and rollout. Institutionally owned
devices can be automatically enrolled in MDM during activation. As a result, IT
can ship a device to an end user without unboxing it, and the system will connect
to the company's MDM solution, skip basic setup steps, and fully configure itself
with corporate settings and policies.


2 Support and Maintenance


Once a system has been built, configured, and deployed, it has to be supported
and maintained. Ongoing tasks include software updates, patch management,
hardware support, inventory management, remote management, and basic
troubleshooting. Apple offers a variety of tools and resources to help streamline
and simplify these tasks. The topics covered in this section help organizations
plan and implement long-term adoption and support of Mac systems.


2.1

Use Asset Tags


Many asset management systems use the primary MAC address of the
computer's logic board as a unique identifier. Given how common this practice is,
Apple prints the MAC address, as well as a bar code associated with that address,
on the outside of the box. This strategy works well unless that MAC address
changes due to a hardware failure or repair. To be safe, administrators should use
both a MAC address and a hardware asset tag to identify client computers.
Hardware asset tags provide a more reliable way to link the physical and
electronic identities of a Mac computer. By using physical tags, the identity of a
computer is always known unless it's physically destroyed. Asset tags can then be
linked to the MAC address in most asset management systems.
Many resellers and other solution providers offer asset tag systems or engraved
asset tagging. Asset tags are also provided as a service from Apple. Contact your
Apple account team or Apple Authorized Reseller to learn more about the
options available for both asset tagging and asset management systems.


2.2

Configure the OS X Server Caching Service


The Caching service is used by OS X clients to dynamically locate servers and pull
updates from those servers, as they pull updates from Apple. This cache includes
all App Store and iTunes content downloaded by users on your subnet.
To install the Caching service for OS X Server:
1. Open the Server application.
2. Click Caching in the sidebar.
3. Using the Cache Size slider, choose the amount of space updates can utilize,
up to Unlimited.

Figure 2.2_1

4. Click the Edit button to choose a location for cached data.
5. In the selection dialog, choose the volume to use for storing cached updates.

Figure 2.2_2


6. Click Choose.
7. Click the On button to start the Caching service.

Figure 2.2_3

8. Once the service is started, use the Reset button if you need to clear the
cache.

Note: If more advanced options are needed for caching, see
support.apple.com/kb/HT5590 for a full list of features available from the
command line.


2.3

Configure the OS X Server Software Update Service


OS X Server can be used as a Software Update server that mirrors updates from
the Apple Software Update service. This keeps Apple updates from saturating the
Internet connection in environments with large deployments, and affords IT
departments a built-in methodology for managing Apple updates. Many
third-party tools also leverage the Apple Software Update service to supply
patches to client systems.
The Apple Software Update service runs on the Apache web server in
OS X Server. Updates are synchronized from Apple Software Update servers, with
update digests stored in XML files. Client systems poll the XML files for which
updates to install, and then download and install them routinely.
To install the Software Update service for OS X Server:
1. Open the Server application.
2. Click Show when you highlight the Advanced section of the sidebar.
3. Click Software Update in the list provided.
4. In the Settings tab, choose whether updates should be Manual, thereby
giving administrators the choice to release each patch provided from Apple,
or Automatic, immediately mirroring updates from Apple.

Figure 2.3_1

5. Turn on Software Update to begin caching the available patches from Apple.


6. Click the Updates tab.

Figure 2.3_2

Note: You may not immediately see the updates, as it can take a number of hours
for updates to appear.
7. To control updates once they've cached onto the system, change the update
settings from Automatic back to Manual.
8. Click an update to highlight it.
9. To control the status of an update, use the cog wheel icon toward the
bottom of the pane or click the Status pop-up menu for each update listed.
• Choose Download to just cache an update.
• If the update has not yet been downloaded, choose Download and
Enable to cache and serve it to client systems.
• Choose Disable if the update has been downloaded and is not required.
(This option is only available when Automatic has been selected in the
Settings tab.)

Figure 2.3_3


2.3.1

Configure Software Update Server Clients


Once the Software Update service is configured, use it to serve updates to client
computers. Verify that the clients are updating as intended in a lab environment
before pushing settings en masse, whether using a configuration profile or
changes to the com.apple.SoftwareUpdate.plist to do so.
To test the Software Update service, use a profile to configure a computer to use
the new Software Update service. In this example, use the Apple Profile Manager
service to create the profile.
1. To configure a policy for a specific computer, open the Profile Manager web
interface.
2. Authenticate to Profile Manager as an administrator.
3. Click the device or device group, or use any OS X device to create a generic
profile with just the one setting applied by the profile.
4. Click Edit for the profile.
5. In the Settings pane sidebar, click Software Update.
6. Click the Configure button to enable the manifest.

Figure 2.3.1_1

7. Enter the appropriate URL in the Software Update server field.
8. Click the OK button.
9. Click the Save button.
10. Click Save in the Save Changes dialog.
11. Click the Download button to download the profile.
12. To use the newly created profile, install the .mobileconfig file by
double-clicking the file.


13. If the client systems can't be managed by profiles, use the following command to augment the default software update settings, replacing server.pretendco.com with the actual IP address or DNS name of the host running the Software Update service, as follows:
defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL http://server.pretendco.com:8088/index.sucatalog

Once configured, test to ensure software updates are available by clicking Software Update in System Preferences, or by using the command line.
14. To test via the command line, use the softwareupdate command. To get a list of available updates from your newly defined Software Update server, use the --list (-l) option as follows:
softwareupdate --list

15. To install specific updates, use the following command, obtaining the label from the --list output:
softwareupdate -i <label>

16. To install all available updates, combine the --install and --all options (-i -a) as follows:
softwareupdate --install --all

17. Once testing is complete, reset the Software Update settings to factory defaults by deleting the /Library/Preferences/com.apple.SoftwareUpdate.plist file and allowing the system to generate a new one based on the default settings.


2.3.2 Cascade Software Update Services


The Software Update server in OS X Server can cache updates from Apple and
redistribute them to other systems with OS X Server running the Software Update
service, thus cascading updates between servers.
Running a Software Update server reduces the bandwidth consumed on Internet
connections when new software and security patches are released. For large,
distributed organizations, multiple Software Update servers will be needed.
Administrators can gain centralized control over updates by releasing them
hierarchically. For example, the initial server can be set to release updates
according to a release management schedule. Subsequent servers can either
release all updates from the upstream Software Update service, or can release
updates based on the release management process for the geographical or
business-unit boundary, which allows for optimal granularity.
In this module, the first server with OS X Server running the Software Update
service will be server09.pretendco.com and the second will be
SUS2.pretendco.com.
To set up a Software Update server to use a second Software Update server
to get updates:
1. Enable the Software Update service on the first server (in this case, server09.pretendco.com).

Figure 2.3.2_1

2. Make a copy of the /Library/Server/Software Update/Config/swupd.plist file on the second, or child, server (for example, on the desktop) in case you need to revert to a previous version.

3. Edit the metaindexURL key (by default set as swscan.apple.com) of the file /Library/Server/Software Update/Config/swupd.plist.


4. Change the key to be as follows:
http://server09.pretendco.com/content/meta/mirror-config-1.plist

5. Start the Software Update service, and complete setup of the new Software Update service with your specific requirements.

Once all updates complete as required, your cascaded software-update service environment has been successfully set up.
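As an added example (not part of the guide), the following Python script performs steps 2 to 4 on a child server: it backs up swupd.plist and then rewrites the metaindexURL key to the upstream server's mirror-config URL. The path and URL format are the ones given above; the plist the script builds for its own demonstration is constructed, not a real server file.

```python
#!/usr/bin/env python3
"""Point a child Software Update server at an upstream server (steps 2-4).

Added example, not from the guide: backs up swupd.plist, then rewrites its
metaindexURL key so the child pulls its catalog from the upstream server.
"""
import os
import plistlib
import shutil
import tempfile

SWUPD_PLIST = "/Library/Server/Software Update/Config/swupd.plist"  # path from the guide


def mirror_config_url(upstream_host):
    """URL of the upstream server's mirror configuration, in the form the guide gives."""
    return f"http://{upstream_host}/content/meta/mirror-config-1.plist"


def cascade_swupd(plist_path, upstream_host, backup_dir=None):
    """Back up plist_path and set metaindexURL to the upstream mirror config.

    Returns (old_value, new_value, backup_path). Raises KeyError if the file
    has no metaindexURL key, so a wrong or foreign plist is never rewritten.
    """
    backup_dir = backup_dir or os.path.dirname(plist_path)
    backup_path = os.path.join(backup_dir, os.path.basename(plist_path) + ".bak")
    shutil.copy2(plist_path, backup_path)           # step 2: keep a copy to revert to

    with open(plist_path, "rb") as fh:              # plistlib reads XML and binary plists
        config = plistlib.load(fh)
    if "metaindexURL" not in config:
        raise KeyError(f"metaindexURL not present in {plist_path}")

    old_value = config["metaindexURL"]
    new_value = mirror_config_url(upstream_host)
    config["metaindexURL"] = new_value              # steps 3-4: point at the parent
    with open(plist_path, "wb") as fh:
        plistlib.dump(config, fh)
    return old_value, new_value, backup_path


def build_sample_plist(directory):
    """Write a constructed swupd.plist (not a real server file) for offline use."""
    path = os.path.join(directory, "swupd.plist")
    sample = {"metaindexURL": "swscan.apple.com",   # default value as the guide describes it
              "portToUse": 8088}                    # port shown in section 2.3.1
    with open(path, "wb") as fh:
        plistlib.dump(sample, fh)
    return path


def demo():
    """Run the cascade against a constructed plist; returns (old, new, reloaded, backup)."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = build_sample_plist(tmp)
        old, new, bak = cascade_swupd(sample, "server09.pretendco.com")
        with open(sample, "rb") as fh:
            reloaded = plistlib.load(fh)["metaindexURL"]
        with open(bak, "rb") as fh:
            backed_up = plistlib.load(fh)["metaindexURL"]
        return old, new, reloaded, backed_up


if __name__ == "__main__":
    # On a real child server run cascade_swupd(SWUPD_PLIST, "server09.pretendco.com") as root.
    old, new, reloaded, backed_up = demo()
    print(f"metaindexURL: {old} -> {reloaded} (backup still holds {backed_up})")
```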


2.4 Leverage Third-Party Software Update Services


Third-party patch management solutions rely on an out-of-band management
technique for Mac-based software updates and patches.
These include an open source project called Reposado (github.com/wdas/
reposado), which is a set of Python-based tools that replicate the Software
Update service found in OS X Server. Reposado transfers updates from Apple via
cURL and synchronizes them to a local web server, generating the indexes and
plists as needed. Reposado functions on any operating system provided cURL,
Apache, and Python are supported.
Another option is for the client management software to download packages
from Apple and host them on staging servers. Agents running on client systems
can then download Apple updates from staging servers rather than from Apple.
Both Absolute Manage and JAMF offer the ability to force agents to obtain
software updates from a local staging server. This functionality can be run on OS
X Server, Linux Server, or Microsoft Windows Server.


2.5 Acquire Client Management Suites


The workflow an administrative team develops for software delivery and
management, patching, and remediation is often centralized around a software
package called a client management suite. This centralization can result in a
software package workflow that redefines the imaging workflow in a number of
ways.
Available solutions include software that can perform the following:
Imaging Only

Apple NetInstall and NetRestore. www.apple.com/osx/server

DeployStudio. www.deploystudio.com

Imaging and Client Management

JAMF Casper Suite. www.jamfsoftware.com

Absolute Manage. www.absolute.com

Patch Management Only

Apple Remote Desktop. www.apple.com/remotedesktop

Client Management Only (MDM)

AirWatch. www.air-watch.com

MobileIron. www.mobileiron.com

Centrify. www.centrify.com

Maas360. www.maas360.com


3 Directory Services
A directory service stores information about users, groups, and network resources
for an organization. OS X has a local directory service for local accounts and can
connect to network directory services, which obtain account information from a
centralized source. On a default installation of OS X, directory services may be
configured to access directory information via LDAP (Lightweight Directory
Access Protocol), Active Directory, and NIS (Network Information Service). LDAP
and Active Directory are the most commonly used.
When an application, daemon, or utility needs information about a user, group, or
computer, it does a directory service lookup. In OS X, information is always looked
up in the local directory service first. Then, if the information isn't located in the
local directory, the query is sent to other directory services that have been
configured. This search path is specified in the
/System/Library/CoreServices/Directory Utility application, and allows
administrators to specify the order in which information such as users and groups
is searched for.
Directory services in OS X are built using a modular framework. This allows the
operating system to be extended with third-party directory modules. These
modules provide additional functionality as well as support for other directory
services not included in the default operating system.


3.1 Local Directory Services


Local directory services information is stored in property list (.plist) files, located in
the /var/db/dslocal/nodes/Default directory. This allows the administrator to read,
write, and change these files directly without requiring an intermediary daemon
or utility. Files can also be dropped into the file system to create accounts. This
flexibility is useful when making mass changes to systems or when
troubleshooting a system in single-user mode. Because files can be accessed and
modified directly, making scripting modifications to directory services is
straightforward.
Accounts for users and groups are stored in flat files located in subdirectories in
the /var/db/dslocal/nodes/Default directory. Users are stored in the
/var/db/dslocal/nodes/Default/users directory. Groups are stored in the
/var/db/dslocal/nodes/Default/groups directory. Each user and group account has
a corresponding .plist file that holds XML content describing the user or group.
Account names that begin with an underscore are reserved for system users and
groups.
Inside each .plist file are XML keys with arrays. These keys contain a variety of
values that include information, or attributes, defining how the user or group
account is used. Comparing the local directory services files to an LDAP query, the
file would be the object and associated keys, and the values would be the
attribute names and values for those objects. These keys in the local directory
node closely resemble registry keys for local accounts, with one exception: they're
distributed across files rather than in a single location.
Local directory service information can be edited by different applications. Click
Users & Groups in System Preferences to add, edit, or delete user accounts and
groups. Use Directory Utility to directly modify any attribute in directory services.
While you can directly edit account property lists, direct edits aren't registered
with the system immediately and error checking isn't performed on the files. It's a
safer practice to use directory services command-line utilities to edit user, group,
and computer information because error checking is typically applied.
The command-line utilities for managing directory services data include the
following:
odutil. Monitor directory services and manage directory services logging.
dscl. Directory services command-line utility.
dscacheutil. Look up information, flush caches, and gather statistics on directory services.
dseditgroup. Alter group membership information.
dsenableroot. Enable or disable the root account.
dserr. Show descriptions of directory services error codes.
dsexport. Export directory services information.
dsimport. Import directory services information.
dsmemberutil. Check group memberships and UUIDs, and perform certain debugging operations.
id. Validate user and group information.

For more information on these commands, open Terminal in /Applications/Utilities. Then enter the man command followed by the name of each utility.
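The following Python script is an added example, not from the guide: it reads a node laid out like /var/db/dslocal/nodes/Default and reports each account's UID, shell and admin-group membership, flagging non-system accounts below UID 500 (hidden from the login window). The attribute names it reads (name, uid, gid, home and shell in a user record; users in the group record) are assumed from the dslocal format; the node it builds for its own run is constructed.

```python
#!/usr/bin/env python3
"""Offline audit of a local directory node laid out like /var/db/dslocal/nodes/Default.

Added example, not from the guide. Reads users/*.plist and groups/admin.plist,
then reports each account's UID, shell and admin membership, and flags
non-system accounts below UID 500 (hidden from the login window, see 3.1.3).
Attribute names are assumed from the dslocal format; every value is stored
as an array, which is why first() takes the first element.
"""
import os
import plistlib
import tempfile

SYSTEM_ACCOUNTS = {"root", "daemon", "nobody"}   # well-known names without an underscore


def first(record, key, default=None):
    values = record.get(key)
    return values[0] if values else default


def load_node(node_dir):
    """Return ({name: attrs}, set of admin member names) from a dslocal-style directory."""
    users = {}
    users_dir = os.path.join(node_dir, "users")
    for filename in sorted(os.listdir(users_dir)):
        if not filename.endswith(".plist"):
            continue
        with open(os.path.join(users_dir, filename), "rb") as fh:
            rec = plistlib.load(fh)
        name = first(rec, "name", filename[:-6])
        users[name] = {
            "uid": int(first(rec, "uid", "-1")),
            "gid": int(first(rec, "gid", "-1")),
            "shell": first(rec, "shell", ""),
            "home": first(rec, "home", ""),
        }
    with open(os.path.join(node_dir, "groups", "admin.plist"), "rb") as fh:
        admin = plistlib.load(fh)
    return users, set(admin.get("users", []))


def audit(node_dir):
    """Per-account findings; hidden_admin marks a 3.1.3-style account in the admin group."""
    users, admins = load_node(node_dir)
    findings = {}
    for name, u in users.items():
        is_system = name.startswith("_") or name in SYSTEM_ACCOUNTS
        hidden = not is_system and 0 < u["uid"] < 500
        findings[name] = {
            "uid": u["uid"],
            "shell": u["shell"],
            "admin": name in admins,
            "hidden_from_loginwindow": hidden,
            "hidden_admin": hidden and name in admins,
        }
    return findings


def write_user(node_dir, name, uid, gid=20, shell="/bin/bash"):
    rec = {"name": [name], "uid": [str(uid)], "gid": [str(gid)],
           "home": [f"/Users/{name}"], "shell": [shell], "realname": [name]}
    with open(os.path.join(node_dir, "users", f"{name}.plist"), "wb") as fh:
        plistlib.dump(rec, fh)


def build_sample_node(directory):
    """Constructed node (not copied from any real Mac) mirroring the guide's examples."""
    node = os.path.join(directory, "Default")
    os.makedirs(os.path.join(node, "users"))
    os.makedirs(os.path.join(node, "groups"))
    write_user(node, "root", 0, gid=0, shell="/bin/sh")
    write_user(node, "_mbsetupuser", 248, gid=248)
    write_user(node, "pretendcoadmin", 1100, gid=1100)          # section 3.1.1.2
    write_user(node, "hidden", 499, gid=499)                    # section 3.1.3
    write_user(node, "jkaiser", 501)
    admin = {"name": ["admin"], "gid": ["80"], "users": ["root", "pretendcoadmin", "hidden"]}
    with open(os.path.join(node, "groups", "admin.plist"), "wb") as fh:
        plistlib.dump(admin, fh)
    return node


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        return audit(build_sample_node(tmp))


if __name__ == "__main__":
    # On a Mac, run as root with audit("/var/db/dslocal/nodes/Default") instead.
    for name, f in demo().items():
        flag = " <- hidden admin" if f["hidden_admin"] else ""
        print(f"{name:16} uid={f['uid']:<6} admin={f['admin']}{flag}")
```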


3.1.1 Create Local Administrative Accounts


Centralized management requires known local administrative accounts on client
systems. Apple Remote Desktop uses these accounts to remotely control machines, to run local scripts on systems as post-imaging tasks, and for utility and troubleshooting purposes.
There are two methods commonly used to create local administrative accounts.
The first is using the Users & Groups pane in System Preferences. The second is
through the command line, using the dscl utility.
To facilitate the distribution of managed tasks, the Active Directory plug-in built
into OS X can also supply local administrative accounts based on Active Directory
group memberships.


3.1.1.1 Create Local Administrative Accounts in System Preferences


In this module, create a new local administrative account in OS X using the
Users & Groups pane in System Preferences.
To create a new local administrative account:
1. Choose System Preferences from the Apple menu and click Users & Groups.

Figure 3.1.1.1_1

2. Click the lock icon in the lower-left of the window and provide the password of an existing administrative user.

Figure 3.1.1.1_2


3. Click the Add (+) button in the bottom-left corner.

Figure 3.1.1.1_3

4. In the dialog, choose Administrator from the New Account menu.

5. Enter the new user's full name and account name. (These should be unique and different from one another.)

6. Enter the same password in both the Password and Verify fields, then click the Create User button.

Figure 3.1.1.1_4


The newly created account appears under Other Users in the Accounts list on the
Users & Groups pane in System Preferences.

Figure 3.1.1.1_5

7. To ensure the account was created successfully with the appropriate administrative privileges, log out and then log in again as the new user.

8. To test that the user is now a local administrator, open the Users & Groups pane in System Preferences. Unlock the pane with the new user account. If the pane is successfully unlocked, the user is now a local administrator.


3.1.1.2 Create Local Administrative Accounts from the Command Line


The dscl command-line utility can be used to create local administrative
accounts through the command line as well as to customize the location of home
directories, add or change account names, and automate the process of creating
accounts.
To create a local account using the command line:
In the following steps, replace pretendcoadmin with the account name for the
new account, and replace Pretendco Administrator with the full name of the new
administrative account.
1. Add the user name to the local directory services database using the following command:
sudo dscl /Local/Default create /Users/pretendcoadmin

2. Set the default shell. Bash is the default, with a path of /bin/bash:
sudo dscl /Local/Default create /Users/pretendcoadmin UserShell /bin/bash

3. Set the full name of the user account, replacing Pretendco Administrator with the user's full name:
sudo dscl /Local/Default create /Users/pretendcoadmin RealName "Pretendco Administrator"

4. Set the User ID (UID) as a unique integer value. In this example, run the following command to set the UID to 1100. Subsequent users will need additional unique UIDs. UIDs from 0 to 500 are reserved for system use.
sudo dscl /Local/Default create /Users/pretendcoadmin UniqueID 1100

5. Once a UID is assigned to an account, set the default group ID (GID) using the following command. Note that the GID must be different from other GIDs but can be the same as the UID used in the previous step.
sudo dscl /Local/Default create /Users/pretendcoadmin PrimaryGroupID 1100

6. Now that the user has a GID, set the home directory for the user using the following command:
sudo dscl /Local/Default create /Users/pretendcoadmin NFSHomeDirectory /Users/pretendcoadmin

7. Add the user to the existing admin group. If converting an existing user account into an administrative account, use the append verb as follows:
sudo dscl /Local/Default append /Groups/admin GroupMembership pretendcoadmin

8. Set the user's password using the -passwd option, as follows:
sudo dscl /Local/Default -passwd /Users/pretendcoadmin

Optionally, the password may be included at the end of the command instead, as follows:
sudo dscl . -passwd /Users/pretendcoadmin newpassword

When generating a shell script from these commands, prompt the user for the
password in the script and use the provided value. Otherwise the password will
be available when editing the script.
Note: Using this account for anything other than standard administrative
purposes requires populating the account with more attributes. In this case the
account does not need to be fully usable.


3.1.1.3 Change Local Administrative Accounts from the Command Line


The most common change to a local administrative account is altering the user's
password. To do so, use the dscl command with the -passwd option.
In the following example, the -passwd option changes the password of the
pretendcoadmin administrative account:
sudo dscl /Local/Default -passwd /Users/pretendcoadmin

Additionally, you can change items, such as the home directory or real name, by
using dscl options.


3.1.2 Nest Network Administrators from Active Directory in a Local Administrative Group
To allow specific people in your organization to administer local settings, install
software, and perform maintenance locally on a client computer, give those users
local administrator rights through nested administrative groups. To do this, use
the dseditgroup command to nest a network group into the local
administrative group.
To nest network groups from Active Directory into local administrative
groups:
1. Before nesting the Active Directory group, verify that it resolves correctly on the client. To do so, resolve group membership with the following dseditgroup command, using the -o option along with the read verb:
dseditgroup -o read <active directory group name>

The -o read code performs a read operation on the specified group. Therefore, when running the command dseditgroup -o read mac_admins, you should receive the following output:
27 attribute(s) found
...
Attribute[5] is <dsAttrTypeNative:member>
Value[1] <CN=Ken Weaver,CN=Users,DC=pretendco,DC=com>
Value[2] <CN=Gary Dunn,CN=Users,DC=pretendco,DC=com>
...

As seen from the output, the member section lists group members. If you don't receive the desired output, make sure you're bound to a directory service and that the group exists within Active Directory.
2. Verify that OS X can resolve group membership for that group. Use the id command to see in which groups a user is included:
id <account name>

For example, if you run the command id jkaiser (assuming jkaiser is in an administrative group), you'll receive the following information:
uid=142413031(jkaiser) gid=63826092(pretendco\domain users) groups=63826092(pretendco\domain users),103(com.apple.sharepoint.group.3),104(com.apple.sharepoint.group.4),98(_lpadmin),1166270692(pretendco\mac_admins),102(com.apple.sharepoint.group.2),101(com.apple.sharepoint.group.1),80(admin),20(staff)


3. To nest Active Directory groups, use dseditgroup with the -o edit option (edit operation), the -a option followed by the appropriate group name from Active Directory, the -t option followed by the word group (which specifies that the type to add is a group), and the -n option followed by /Local/Default, which specifies to add to the local directory service.
sudo dseditgroup -o edit -a <group name> -t group -n /Local/Default admin

Using the above syntax, a sample of the command is as follows:
sudo dseditgroup -o edit -a mac_admins -t group -n /Local/Default admin

Note: Add network users to the admin group by using the same command but changing the type (-t).
sudo dseditgroup -o edit -a <network user name> -t user -n /Local/Default admin

4. To test that the nested user is now a local administrator, open the Users & Groups pane in System Preferences and unlock the pane with a user account that's in the nested group. If the pane is successfully unlocked, the user is now a local administrator.
Note: The command-line utility used to run commands as root, sudo, does not recognize nested groups. To nest administrative accounts, edit the /etc/sudoers file (use visudo, which checks the syntax before the file is saved). Within that file, find the user privilege specification section.
# User privilege specification
root        ALL=(ALL) ALL
%admin      ALL=(ALL) ALL

Then add %<AD group name> ALL=(ALL) ALL to that section. For example:
# User privilege specification
root        ALL=(ALL) ALL
%admin      ALL=(ALL) ALL
%mac_admins ALL=(ALL) ALL


3.1.3 Create Local Administrative Accounts with a Package or Script


The local administrative account can be created programmatically using a script,
which can, in turn, be placed into a package. This process can then be automated.
In this module, create the local administrative account using a simple shell script,
with a .bash suffix at the end.
To create a local administrative account using a shell script:
1. Open Terminal from /Applications/Utilities.

2. Create a file called createuser.bash using the touch command:
touch createuser.bash

3. Make the script executable (writable by its owner only, so no other local user can alter a script that creates an administrator), as follows:
chmod 755 createuser.bash

4. Paste the following text:
#!/bin/bash
dscl /Local/Default -create /Users/hidden
dscl /Local/Default -create /Users/hidden NFSHomeDirectory /Users/hidden
dscl /Local/Default -create /Users/hidden RealName "Hidden Admin"
dscl /Local/Default -create /Users/hidden PrimaryGroupID 499
dscl /Local/Default -create /Users/hidden UserShell /bin/bash
dscl /Local/Default -create /Users/hidden UniqueID 499
dscl /Local/Default -append /Groups/admin GroupMembership hidden

Each line in the script uses dscl (directory services command line) to create the user account and its attributes; the final line adds the account to the local admin group, as in step 7 of section 3.1.1.2. The above script uses an ID below 500, so the newly created account is hidden at the login window.

5. Since a password has not yet been assigned to the account, include the password in the script in clear text. This requires the directory services daemon to be running when the script runs. To do so, append the following line to the end of the above script:
dscl /Local/Default -passwd /Users/hidden 'mypass'
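Sections 3.1.1.2 and 3.1.3 both script the same dscl sequence; the following Python program is an added example, not from the guide, that chooses a free UID from the output of `dscl . -list /Users UniqueID`, issues the same attribute commands, adds the account to the local admin group with dseditgroup, and lets dscl prompt for the password rather than storing it in the script. The sample listing it carries is constructed, and the choice of staff (GID 20, seen in the id output of section 3.1.2) as primary group is this example's own.

```python
#!/usr/bin/env python3
"""Create a local administrative account with dscl, keeping the password out of the script.

Added example, not from the guide. next_free_uid() picks the first unused UID at or
above 501 from `dscl . -list /Users UniqueID` output, build_commands() yields the
attribute-by-attribute sequence of section 3.1.1.2 plus the admin-group step, and
create_admin() runs it on a Mac as root, letting `dscl -passwd` prompt interactively.
"""
import os
import subprocess
import sys

NODE = "/Local/Default"


def next_free_uid(listing, start=501):
    """Smallest UID >= start that no line of the dscl listing already uses.

    listing: text of `dscl . -list /Users UniqueID`, one "name<whitespace>uid" per line.
    """
    used = set()
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[-1].lstrip("-").isdigit():
            used.add(int(parts[-1]))
    uid = start
    while uid in used:
        uid += 1
    return uid


def build_commands(name, realname, uid, gid=20, shell="/bin/bash"):
    """The creation sequence from section 3.1.1.2, as argv lists (GID 20 = staff)."""
    user = f"/Users/{name}"
    return [
        ["dscl", NODE, "-create", user],
        ["dscl", NODE, "-create", user, "UserShell", shell],
        ["dscl", NODE, "-create", user, "RealName", realname],
        ["dscl", NODE, "-create", user, "UniqueID", str(uid)],
        ["dscl", NODE, "-create", user, "PrimaryGroupID", str(gid)],
        ["dscl", NODE, "-create", user, "NFSHomeDirectory", user],
        # step 7 of 3.1.1.2: membership in the local admin group (dseditgroup form, 3.1.2)
        ["dseditgroup", "-o", "edit", "-a", name, "-t", "user", "-n", NODE, "admin"],
    ]


def create_admin(name, realname):
    """Run the sequence on macOS as root; refuses to touch an existing account."""
    if sys.platform != "darwin" or os.geteuid() != 0:
        raise SystemExit("create_admin must run as root on macOS")
    if subprocess.run(["dscl", NODE, "-read", f"/Users/{name}"],
                      capture_output=True).returncode == 0:
        raise SystemExit(f"/Users/{name} already exists in {NODE}")
    listing = subprocess.run(["dscl", ".", "-list", "/Users", "UniqueID"],
                             check=True, capture_output=True, text=True).stdout
    uid = next_free_uid(listing)
    for argv in build_commands(name, realname, uid):
        subprocess.run(argv, check=True)
    # With no password argument, dscl prompts for it, so it never appears in the
    # script, the shell history or a process listing.
    subprocess.run(["dscl", NODE, "-passwd", f"/Users/{name}"], check=True)
    return uid


# Constructed listing in the shape `dscl . -list /Users UniqueID` prints (not real data)
SAMPLE_LISTING = """\
_mbsetupuser    248
daemon          1
nobody          -2
pretendcoadmin  1100
root            0
hidden          499
jkaiser         501
mbrown          502
"""

if __name__ == "__main__":
    if len(sys.argv) == 3:
        print("created with UID", create_admin(sys.argv[1], sys.argv[2]))
    else:
        uid = next_free_uid(SAMPLE_LISTING)
        print("next free UID in the sample listing:", uid)
        for argv in build_commands("pretendcoadmin", "Pretendco Administrator", uid):
            print(" ".join(argv))
```

Run with `sudo python3 createadmin.py <account name> "<full name>"` on a Mac to create the account; with no arguments it only prints the plan against the constructed listing.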


3.2 Active Directory
Active Directory is the default Microsoft directory services solution. Active
Directory provides information on users, groups, and computers (information
stored in LDAP), password management and encryption (using Kerberos), and
the ability to find objects on a network. Information in Active Directory is used to
manage users, computers, groups, printers, and other resources.
Active Directory deployments vary from smaller environments with hundreds of
objects to larger environments with thousands (or millions) of users and systems
distributed across a number of sites.
Mac computers can be bound to Active Directory through the Network Account
Settings located in the Users & Groups pane in System Preferences, or via the
Active Directory module in Directory Utility. From the command line, use
dsconfigad to bind and specify Active Directory-specific options.
This section contains modules that explore the administrative tasks of managing
OS X using Active Directory.


3.2.1 Bind to Active Directory


Mac computers are bound to Active Directory using the Users & Groups pane in
System Preferences, through Directory Utility located in /System/Library/
CoreServices/Directory Utility, or using the command-line utility dsconfigad.
While dsconfigad does contain some additional options, the majority of
functionality is available through Directory Utility, so no command-line options
are required for everyday use.
To bind OS X to Active Directory, you need local administrator credentials on the
Mac as well as an Active Directory user account with authority to join computers
to the Organizational Unit (OU) you'll be leveraging in Active Directory.
Once bound to Active Directory, set the client computer to allow Active Directory
administrators, or any Active Directory user you choose, to also be local
administrators on that local Mac client.
Note: This step isn't done automatically.
During initial setup, you'll need the local administrative user name and password
for the Mac. This user is the first user set up during Setup Assistant after
installation or a local administrative account created on the system during
imaging.


3.2.1.1 Bind to Active Directory Using Directory Utility


To bind to Active Directory using Directory Utility:
1. Choose System Preferences from the Apple menu.

2. Open the Users & Groups pane.

Figure 3.2.1.1_1

3. Click Login Options in the left sidebar.

Figure 3.2.1.1_2

4. Click Join to the right of Network Account Server.

Figure 3.2.1.1_3

5. Enter the name of the domain in the Server field. The dialog expands to include Admin User credentials and Client Computer ID, which are already entered.

Figure 3.2.1.1_4

6. Once joined, review the binding information and provide more details as needed.

7. If more information is required, access the Active Directory options in Directory Utility. To open Directory Utility, click the Edit button, which replaces the Join button in the Users & Groups pane in System Preferences.
Note: If the initial attempt at binding failed, click the Join button.

8. Click the Open Directory Utility button.

Figure 3.2.1.1_5

9. Double-click Active Directory (or click Active Directory, then the pencil icon).

Figure 3.2.1.1_6

10. Enter the Active Directory domain name to join (if you've not yet bound).
11. Change the computer ID, if necessary, and click OK.
Note: When the system is bound, you'll see an Unbind button.

Figure 3.2.1.1_7

12. If binding, enter the Active Directory user that has the delegated authority to bind a machine to the Organizational Unit (OU) you specify for Computer OU.
13. Enter the Active Directory user's password, then click OK.
14. In the Users & Groups pane in System Preferences, a green circle icon next to the domain indicates that network accounts are accessible.

Figure 3.2.1.1_8

3.2.1.2 Bind to Active Directory with a Profile


Active Directory binding can be accomplished with a profile. These profiles are
either saved as a file used with imaging and patch management solutions, or are
deployed as part of a full MDM (Mobile Device Management) solution, such as
Profile Manager. When installed, the profile will then bind a Mac to Active
Directory, or to another directory service that might be in use.
In this module, create the profile and install it onto a Mac manually, as might be
done as part of an imaging process.
To create the profile in Profile Manager:
1. On the server, open the OS X Server app running Profile Manager. (Setting up Profile Manager is covered in detail in Section 4 of this guide.)

Figure 3.2.1.2_1

2. Click Profile Manager under Services in the sidebar.

Figure 3.2.1.2_2


3. Click Open Profile Manager at the bottom of the Profile Manager pane.

4. Authenticate to the service if needed.

5. Browse to a device or device group under Library in the sidebar.

6. Click the Settings tab.

7. Click the Edit button.

Figure 3.2.1.2_3

8. Locate and click Directory in the Settings sidebar.

9. Click the Configure button.

Figure 3.2.1.2_4

10. In the Server Hostname field, provide the name of the Active Directory
domain the client systems will join when the profile is installed.

11. For Username, provide an administrative user name for the Active Directory
domain.
12. Include the password for the username provided in the Password field.
13. Optionally, enter a Client ID. If no Client ID is provided, the computer name
will be used as the Client ID.

Figure 3.2.1.2_5

14. Click OK to save the changes to the Directory portion of the profile.
15. Optionally, edit the login window policy to make it easier for users to log in
using Active Directory accounts. Click Login Window in the Settings sidebar.

Figure 3.2.1.2_6


16. Configure what users will see before logging into the computer.
a. In the Heading menu, choose Directory Status. This is useful for seeing whether Active Directory is available.
b. The Message field is used to display key information or acceptable-use policies for users to see prior to logging into their computers.
c. For Style, select Name and password text fields to simply show a username and password dialog box. Or select List of users able to use these computers to show previously logged-in users or locally available users.
d. If you selected List of users able to use these computers, you can also get more granular by clicking the appropriate checkboxes for which types of users will appear. If a system is bound to Active Directory or another directory service, the Other option will still appear, so that users can log in as users not previously used on that computer.
e. The Options tab includes settings for disabling guest users and allowing the screen saver to run over the top of the login window. In the Options tab, you can also choose to match the computer name to the directory name.
f. The Access tab provides options for who may or may not log into the computer as well as the ability to control workgroup settings.

Figure 3.2.1.2_7

17. Click OK when you are happy with the configuration of the login window.
18. Click Login Items in the Settings sidebar.
19. Click Configure.
20. Select the appropriate options for automatically mounting directories.
Note: If using mobile homes, you can add a network home share and mount
the share at login.


21. Click Mobility in the sidebar.
22. Click Configure.
23. Here you will see the following options:
a. Select Create mobile account when user logs in to network account to create mobile accounts when a user logs in as an Active Directory user. A mobile account allows the user to log in again, after the first authentication, when not connected to Active Directory.
b. Select Require confirmation before creating mobile account to prompt users to choose whether they want the account to be created on the local system.
c. The Create home using buttons determine whether the new account is created based on the network home or the default local home directory template.
d. The Home folder location buttons indicate where on the local computer the home directory will be created when the Active Directory user first logs in.
e. Click the Account Expiry tab to configure how long a user can remain logged out before their home directory is removed from the local system.
f. Click the Rules tab to configure which data synchronizes to the server, and how frequently (that is, when synchronization occurs).

Figure 3.2.1.2_8


24. If certificates are required, click AD Certificate in the Settings sidebar.
25. Click Configure.
26. On the AD Certificate screen, indicate the location and information to be used if a certificate is required to bind to the Active Directory environment.

Figure 3.2.1.2_9

27. Click OK when all settings are correct.
28. Click the Save button to save the settings for the profile.
29. Click Save again to confirm.
30. Any devices that are members of the group will automatically receive the bind profile. To download the profile for manual installation (for example during imaging), click the Download button.

Figure 3.2.1.2_10

31. The profile is accessible in the Downloads folder.

3.2.1.3 Bind to Active Directory from the Command Line


Binding to Active Directory can be accomplished using the Active Directory
plug-in from the command line by using the dsconfigad command.
Basic use of the dsconfigad command only requires the inclusion of a
computer name, a domain name, and the credentials for that domain name. In
this example, bind to the Active Directory domain by providing the
computer name (mycomputername), the username for the Active Directory bind
account (domainadmin), the password (domainadminpassword), and the domain
to bind to (mydomain.com).
dsconfigad -force -add mycomputername -username domainadmin -password domainadminpassword -domain mydomain.com

If -password is omitted, dsconfigad prompts for the password, which keeps it out of the shell history and process listings.
To set up the mobile home directory for the Active Directory account to exist on
the local system, add the -mobile switch to the end of the dsconfigad
command with a setting of enable, as follows:
dsconfigad -force -add mycomputername -username domainadmin -password domainadminpassword -domain mydomain.com -mobile enable

Other options available to the dsconfigad command include the following,
broken out by type.

Basic Options (Commonly Used)
-computer computerid      Name of computer to add to domain.
-force                    Force the process (that is, join/remove the existing account).
-remove                   Remove computer from domain.
-localuser username       User name of a privileged local user.
-localpassword password   Password of a privileged local user.
-username username        User name of a privileged network user.
-password password        Password of a privileged network user.
-ou dn                    Fully qualified LDAP DN of container for the computer (defaults to CN=Computers).
-domain fqdn              Fully qualified DNS name of Active Directory domain.
-show                     Show current configuration for Active Directory.
-help                     Lists the options for calling dsconfigad.
-xml                      Output configuration in plist format.

Advanced Options (User Experience)
-mobile flag              Enable or disable mobile user accounts for offline use.
-mobileconfirm flag       Enable or disable the warning shown when a mobile account is created.
-localhome flag           Enable or disable forcing the home directory to the local drive.
-useuncpath flag          Enable or disable use of the Windows UNC path for the network home.
-protocol type            afp, smb, or nfs: change the protocol used when mounting the home.
-shell value              Use none for no shell, or specify a default shell such as /bin/bash.
-sharepoint flag          Enable or disable mounting of the network home as a sharepoint.

Advanced Options (Mappings)
-uid attribute            Name of attribute to be used for UNIX UID field.
-nouid                    Generate the UID from the Active Directory GUID.
-gid attribute            Name of attribute to be used for UNIX GID field.
-nogid                    Generate the GID from the Active Directory information.
-ggid attribute           Name of attribute to be used for UNIX group GID field.
-noggid                   Generate the group GID from the Active Directory GUID.
-authority enable|disable Enable or disable the generation of the Kerberos authority.

Advanced Options (Administrative)
-preferred server         Fully qualified domain name of preferred server to query.
-nopreferred              Don't use a preferred server for queries.
-groups "1,2,..."         List of groups that are granted Admin privileges on the local workstation.
-nogroups                 Disable the use of groups for granting Admin privileges.
-alldomains flag          Enable or disable allowing authentication from any domain.
-packetsign flag          Disable, allow, or require packet signing.
-packetencrypt flag       Disable, allow, or require packet encryption, or use SSL.
-namespace flag           Use forest or domain, where forest qualifies all user names.
-passinterval days        How often (in days) to change the computer trust account password.
-restrictDDNS             Disable the creation of a dynamic DNS record in Active Directory-integrated DNS environments.
-enableSSO                Enable SSO for all supported services (OS X Server only).
-remove                   Remove this computer from the current domain.


3.2.1.4 Bind to Active Directory Using a Script

Not only is it possible to bind to Active Directory from the command line, it's
also possible to write a script to automate the task in a fairly straightforward
manner, as with most command-line options. To automate binding to Active
Directory, create a simple script as follows.
Note: Replace the information in brackets with information matching your own
environment.
#!/bin/bash
dsconfigad -add <computername> -username <binduser> -password <binduserpass> -domain <domain>
exit 0

Most environments are more complicated than this example. Further customize
the dsconfigad script using more switches to denote items such as local
administrative user names and passwords.


3.2.1.5 Bind to Active Directory Using a Post-Install Script

To use an Active Directory bind script as a post-installation task during
imaging, make the script launch at startup, or place the script into a package
and add it to your deployment scenario. With either option, you can set the
script to automatically delete itself. For the purposes of this module, place
the script in the /Library/StartupItems directory and call it adbind.bash.
1. To create the script, use the following commands:
mkdir -p /Library/StartupItems/adbind
touch /Library/StartupItems/adbind/adbind.bash

2. Open the new empty shell script in your favorite text editor and paste the
previously created script from 3.2.1.4 Bind to Active Directory Using a Script.
3. With the script inserted, add a line at the bottom to remove the script and
then (optionally) provide an exit code. The whole script is as follows:
#!/bin/bash
# Wait for all network interfaces to come up, then give directory services
# time to settle before binding.
ipconfig waitall
sleep 60
dsconfigad -add <computername> -username <binduser> -password <binduserpass> -domain <domain>
# $0 is /Library/StartupItems/adbind/adbind.bash; securely remove the script
# (and the bind credentials it contains) once it has run.
srm "$0"
exit 0
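The script above keeps the bind password inside the script body and relies on a fixed sleep. The following is an added example, not the guide's or Apple's code, of the same first-boot bind written to avoid both: it reads the bind account from a root-only file (/private/var/root/adbind.conf, an assumed path and key=value format), waits until DNS actually returns an LDAP SRV record for the domain, passes options from the dsconfigad table in 3.2.1.3, and removes the credentials file and itself afterwards. The function names and the rm -P cleanup are this example's own choices.

```sh
#!/bin/sh
# Added example (not the guide's script): bind to Active Directory at first
# boot without hard-coding the bind account in the script body. The bind
# account lives in a root-only file (assumed path) written as key=value lines:
#   computer=mac-001
#   user=binduser
#   password=binduserpass
#   domain=pretendco.com
#   ou=CN=Computers,DC=pretendco,DC=com     (optional)
CONF=${ADBIND_CONF:-/private/var/root/adbind.conf}

# Read one key from the config without sourcing it: sourcing a file that
# someone else could edit would run whatever it contains as root.
conf_get() {
    # $1 = file, $2 = key; prints the value of the first "key=value" line
    sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1
}

# Accept only a plausible DNS name for the domain; anything else is a typo
# or a stray shell character and must not reach dsconfigad.
valid_fqdn() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
}

# Wait (up to about two minutes) until DNS hands back an LDAP SRV record for
# the domain: a fixed "sleep 60" can be both too short and needlessly long.
wait_for_dc() {
    n=0
    while [ "$n" -lt 24 ]; do
        dig +short -t SRV "_ldap._tcp.$1" 2>/dev/null | grep -q . && return 0
        n=$((n + 1)); sleep 5
    done
    return 1
}

bind_from_conf() {
    computer=$(conf_get "$CONF" computer)
    binduser=$(conf_get "$CONF" user)
    bindpass=$(conf_get "$CONF" password)
    domain=$(conf_get "$CONF" domain)
    ou=$(conf_get "$CONF" ou)
    [ -n "$computer" ] && [ -n "$binduser" ] && [ -n "$bindpass" ] || { echo "adbind: incomplete config" >&2; return 1; }
    valid_fqdn "$domain" || { echo "adbind: bad domain '$domain'" >&2; return 1; }
    wait_for_dc "$domain" || { echo "adbind: no DC found for $domain" >&2; return 1; }
    # Options are the ones in the guide's dsconfigad table; signing and
    # encryption are required rather than merely allowed.
    set -- -force -add "$computer" -username "$binduser" -password "$bindpass" \
           -domain "$domain" -mobile enable -mobileconfirm disable \
           -packetsign require -packetencrypt require
    [ -n "$ou" ] && set -- "$@" -ou "$ou"
    dsconfigad "$@"
}

# Only act on a Mac that actually has the config file; elsewhere the functions
# above can be exercised without touching anything.
if [ "$(uname -s)" = Darwin ] && [ -r "$CONF" ]; then
    if bind_from_conf; then
        rm -P "$CONF"      # overwrite and remove the bind credentials
        rm -P "$0"         # the script has done its job; remove itself
    fi
fi
```

Because the config file is read with sed rather than sourced, a value such as a password containing shell metacharacters is passed to dsconfigad verbatim and never interpreted by the shell.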


3.2.1.6 Active Directory Plug-in Troubleshooting Commands

To perform Active Directory validation:
When having problems connecting to Active Directory resources, verify
connectivity. Because Mac computers that are Active Directory clients use DNS
service records to locate Active Directory services, it's important to verify
that DNS is working properly.
1. Open Terminal from /Applications/Utilities and enter the following command
(replacing pretendco with the name of the Active Directory domain) to do a
lookup on the service record that locates the global catalog.
dig -t SRV _gc._tcp.pretendco.com

; <<>> DiG 9.4.1-P1 <<>> -t SRV _gc._tcp.pretendco.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34512
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;_gc._tcp.pretendco.com.        IN      SRV

;; ANSWER SECTION:
_gc._tcp.pretendco.com. 600     IN      SRV     0 100 3268 dc.pretendco.com.

;; ADDITIONAL SECTION:
dc.pretendco.com.       3600    IN      A       192.168.55.47

;; Query time: 83 msec
;; SERVER: 192.168.1.6#53(192.168.55.47)
;; WHEN: Thu Jul 31 14:09:32 2008
;; MSG SIZE  rcvd: 92

2. If the response doesn't include an answer section with the name of a domain
controller, check to make sure the network settings in OS X are correct and
that the DNS server specified is one that will return service record
information for your Active Directory forest. Other roles can be verified in
the same manner.
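To run the SRV lookups above, and the port 389 check that follows, without stepping through dig and Network Utility by hand, here is an added example in shell that is not part of the guide. It queries the _ldap._tcp, _gc._tcp and _kerberos._tcp records, lists the domain controllers DNS returns in priority order, and then tests TCP port 389 on each LDAP target with nc. The function names are this example's own; pretendco.com is the guide's placeholder domain.

```sh
#!/bin/sh
# Added example (not from the guide): automate the SRV lookups the Active
# Directory plug-in depends on, then confirm TCP port 389 is reachable on
# each domain controller DNS returned. Usage: sh adcheck.sh pretendco.com

# Convert `dig +short -t SRV` lines ("priority weight port target.") into
# "target:port" lines, lowest priority first, with the trailing dot removed.
srv_targets() {
    sort -n | awk 'NF == 4 { sub(/\.$/, "", $4); print $4 ":" $3 }'
}

# Print target:port for one SRV name; fail if DNS gave no answer at all.
srv_lookup() {
    # $1 = service label such as _gc._tcp, $2 = domain
    answer=$(dig +short -t SRV "$1.$2" 2>/dev/null) || return 1
    [ -n "$answer" ] || return 1
    printf '%s\n' "$answer" | srv_targets
}

# TCP connect test with a 3 second timeout (-G is the macOS/BSD nc timeout).
port_open() {
    nc -z -G 3 "$1" "$2" >/dev/null 2>&1
}

check_ad_dns() {
    domain=$1; rc=0
    for role in _ldap._tcp _gc._tcp _kerberos._tcp; do
        if targets=$(srv_lookup "$role" "$domain"); then
            printf '%s.%s\n' "$role" "$domain"
            printf '%s\n' "$targets" | sed 's/^/  /'
        else
            echo "NO SRV ANSWER for $role.$domain: check the DNS server and search domain"
            rc=1
        fi
    done
    # Port 389 must be reachable on every LDAP server DNS returned; if it is
    # not, the bind will fail even though DNS looks healthy.
    for t in $(srv_lookup _ldap._tcp "$domain"); do
        host=${t%%:*}
        if port_open "$host" 389; then
            echo "  $host:389 reachable"
        else
            echo "  $host:389 BLOCKED: routing, switching or firewall issue"; rc=1
        fi
    done
    return $rc
}

if [ -n "${1:-}" ]; then
    check_ad_dns "$1"
fi
```

The sort is numeric on the first field, so a record with priority 0 is listed before one with priority 10, which is the order a client is expected to try them in.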

To check port accessibility:
If the FSMO (Flexible Single Master Operation) roles for an Active Directory
forest can't be read, the system can't bind. One possible cause of read failure
is that a routing or switching issue is keeping the client being bound from
communicating with the servers. Port 389 on the domain controllers should be
reachable from the client system.


To check whether the port is accessible:
1. Open Network Utility from /Applications/Utilities.
2. Click Port Scan.
3. Enter the IP address of the closest Domain Controller.
4. In both Only test ports between fields, enter port 389.
5. Click Scan.
If no entries are listed during the scan, correct the routing or switching issues.

The account being used to bind also needs to have access to bind. In many cases,
this means having access to a specific OU. Required access may include having
access to remove objects from an OU, as when binding and placing into a new
OU, or full control over the domain. The access required for the account used to
bind OS X should mirror that required to bind Windows clients.
To perform Active Directory verification:
1. Once bound, verify accounts are reachable using dscl and id.
2. To use id, open Terminal from /Applications/Utilities. Enter the following
command to do a lookup using id, which returns both the user information and
the group information for the account:
id <username>

For example:
id jfoster
uid=818406992(jfoster) gid=1450179434(PRETENDCO\domain users) groups=1450179434(PRETENDCO\domain users)

If you can't look up a single account, the Active Directory connection isn't
functional.
dscl is another tool that can isolate where in the directory services tree a
problem has occurred. Run the following command to see the plug-ins enabled on
the system and to enter the dscl runtime environment:
dscl

Once in the runtime environment, cd as with a filesystem. First cd into the
Active Directory plug-in as follows:
cd Active\ Directory

Or quote the text following the cd command:
> cd 'Active Directory'
/Active Directory > ls
All Domains

3. Navigate into the All Domains node by using cd and performing another ls
to show the contents of the node. The node should contain the Users node, as
follows:
/Active Directory > cd 'All Domains'
/Active Directory/All Domains > ls
CertificateAuthorities
Computers
FileMakerServers
Groups
Mounts
People
Printers
Users

If you can't cd into All Domains, you're unable to communicate with a domain
controller. If you can cd into All Domains, navigate into the Users node by
using cd and perform another ls to show the contents of the node. The node
should contain all users in the forest. If you have a large number of users,
don't enter ls to list the contents of the node. Instead, use read to read the
attributes of a single user.
/Active Directory/All Domains > cd Users
/Active Directory/All Domains/Users > read jfoster

dsAttrTypeNative:accountExpires: 9223372036854775807
dsAttrTypeNative:ADDomain: pretendco.com
dsAttrTypeNative:badPasswordTime: 0
dsAttrTypeNative:badPwdCount: 0
dsAttrTypeNative:cn:
Tim Lee
dsAttrTypeNative:codePage: 0
dsAttrTypeNative:countryCode: 0
dsAttrTypeNative:displayName:
Tim Lee
dsAttrTypeNative:distinguishedName:
CN=Jimmy Foster,CN=Users,DC=pretendco,DC=com
more...

If you aren't able to read the attributes of a user, check access controls in
Active Directory and verify the correct OU is used.
4. Exit dscl using the exit command, as follows:
/Active Directory/All Domains/Users > exit
Goodbye


To verify the user password:
To verify that users can be authenticated, use the su command.
1. Open Terminal from /Applications/Utilities and enter su <AD username>
For example:
Client-1:~ Admin$ su jfoster
Password:

2. Enter the Active Directory user's password. If successful, the Terminal
session should respond as that user. To verify, use the whoami command.
For example:
bash-3.2$ whoami
jfoster

Note: If warnings appear about not having a home directory, disregard them at
this point. The home directory will be created on initial login.
If this doesn't work, verify that there aren't multiple users with the same
account name in the Active Directory forest. If namespace conflicts exist,
enable namespace support via dsconfigad. For such testing, enter a user name
that has a unique account name forest-wide.


3.2.2 Set a User Home Directory

Active Directory attributes define where the home directory for user accounts is
stored. The home directory can be in a custom location on the local computer to
which users log in, on an accessible network share, or synchronized between a
local directory and a network share.
In Active Directory, the location for profiles is defined in Active Directory Users
and Computers for each user. Based on this information, the network location
that contains the home directory can be synchronized with the local home folder.
To configure home directory management:
1. Choose System Preferences from the Apple menu.
2. Open Users & Groups.

Figure 3.2.2_1


3. Click Login Options in the left sidebar.

Figure 3.2.2_2

4. Click the Join button to the right of Network Account Server. This button
will say Edit if the system has already been bound to a directory service.

Figure 3.2.2_3


5. Click Open Directory Utility.
6. Authenticate as a local administrator by clicking the lock icon in the
lower-left corner, if not already unlocked.

Figure 3.2.2_4

7. Click the Active Directory plug-in.
8. Click the pencil icon to edit.

Figure 3.2.2_5


9. Click the Show Advanced Options disclosure triangle, then click User
Experience.

Figure 3.2.2_6


This pane includes the Create mobile account at login checkbox. Select this
option to create an account on the local system that enables the user to log in
even if the Active Directory servers cannot be contacted.

Figure 3.2.2_7

Optionally, select the Use UNC path from Active Directory to derive network
home location checkbox to enable home folder synchronization. Once enabled,
additional settings are displayed in the Network protocol to be used menu. In
Active Directory, a user's profile setting (where a drive letter is mapped)
looks like \\server\share\folder. The Active Directory plug-in converts this
path to /server/share/folder and places either afp: or smb: in front of the
request, resulting in afp://server/share/folder or smb://server/share/folder,
respectively.


3.2.3 Namespace Support

While it isn't a recommended configuration, Active Directory has the capacity to
allow two accounts with the same user name, provided they're in different
domains in the same forest. This represents a namespace collision for OS X
client computers. To accommodate namespace collisions, the Active Directory
module allows administrators to set the forest and domain independently,
specifying which domain in a given forest to authenticate against.
By default, the Active Directory module supports authenticating to any domain in
the forest. To limit authentication to specific domains, disable Allow
authentication from any domain in the forest in the Advanced Options pane of
Directory Utility, or use the following command in Terminal:
dsconfigad -alldomains disable

Then specific domains can be added to the Directory Domain search path.
By default, namespace support is set to domain, which assumes there are no
conflicting user accounts across all domains. If the Active Directory forest has
conflicts, change the namespace to forest with this command:
dsconfigad -namespace forest

Note: An unbind and rebind isn't required to change these settings. They are
global for all users on a system where the command is run.
Once the namespace has been set to forest, users' home folders and user
accounts are prefixed with DOMAIN\ to ensure unique naming for accounts
between domains.
To return to the default behavior, use the following command:
dsconfigad -namespace domain

Note: When run, the -namespace command changes the primary ID for all accounts,
and any user profiles for accounts from the Active Directory domain on each
client computer need to be copied or moved into the new profile that's created.


3.2.4 Active Directory Packet Encryption Options

The Active Directory plug-in can be used to customize the encryption options
used when communicating with Active Directory domain controllers, in much the
same way policies can be used to limit communications on domain controllers. To
customize the encryption options, use the dsconfigad command-line tool.
Packet signing is an option many Active Directory environments require to block
man-in-the-middle attacks and to verify the authenticity of data exchanged with
Active Directory Domain Controllers. Packet signing options are a policy
configured on an Active Directory domain controller. In environments where
packet signing has been enabled, you can allow or require packet signing from
the client.
By default, packet signing is allowed in Windows Server 2003 and Windows Server
2008. Running various security tools automatically requires packet signing for
Active Directory clients, and many environments require packet signing as a
matter of security policy. In OS X, set the packet signing setting to require to
require packet signing for the client to communicate with the server. If you
require packet signing on either the domain controller or OS X, verify that it's
supported on the other system before doing so.
To change packet signing options in OS X, use the -packetsign flag with
dsconfigad. Settings available with the -packetsign flag are allow, disable,
and require. To configure dsconfigad to require packet signing, use the
following command:
dsconfigad -packetsign require

If the change is successful, you'll see the following:
Settings changed successfully

If needed, set the signing back to the default using the following command:
dsconfigad -packetsign allow

Packet encryption is also available in OS X. Packet encryption keeps the
contents of packets as confidential as they are authentic. To enable packet
encryption, use the -packetencrypt flag along with the same settings available
with the -packetsign flag. The same caveat about verifying that the server
supports packet encryption applies as with packet signing. To require
-packetencrypt, use the following command:
dsconfigad -packetencrypt require

To use TLS to encrypt packets, use the ssl option, as follows:
dsconfigad -packetencrypt ssl

The SSL option requires a trusted certificate chain from Active Directory. If
the certificate chain doesn't have a trusted root, you'll need to install and
trust the root certificate in the System keychain.
If the change is successful, you'll receive the following message:
Settings changed successfully

If needed, set encryption back to the default using the following command:
dsconfigad -packetencrypt allow

3.2.5 SSL Binding Instructions

Environments that require SSL to encrypt traffic between domain controllers and
clients can use -packetencrypt with the ssl option. When using SSL, clients
receive certificates from domain controllers and verify that the certificates
are trusted by evaluating the certificate trust chain. If the root certificate
isn't already trusted on the system, it must be imported and trusted, or
certificate verification needs to be turned off.
To install SSL certificates:
1. Copy the SSL root certificate to the Mac.
2. Open Keychain Access from the /Applications/Utilities folder.

Figure 3.2.5_1

3. Choose Import Items from the File menu.

Figure 3.2.5_2

4. Choose System from the Destination Keychain menu.

Figure 3.2.5_3

5. Browse to the SSL root certificate and choose the certificate to import.
6. Click Open.
7. Authenticate as an administrative user when prompted.
8. A trust dialog appears. Click the Always Trust button.

Figure 3.2.5_4


3.2.6 Manage Certificates from the Command Line

To import certificates from the command line, use the security command. The
security command contains many of the features in Keychain Access, including
importing and exporting certificates. To simply import a certificate, use the
security command along with the import option.
To import a certificate:
security import ~/Desktop/pretendco.p12 -f pkcs12

To trust the certificate (the -d option writes to the admin trust settings, so
it needs root):
sudo security add-trusted-cert -d ~/Desktop/pretendco.p12

To add the certificate to the System keychain, making it available to all users:
sudo security add-certificates -k /Library/Keychains/System.keychain ~/Desktop/pretendco.p12

The openssl command is used to test connectivity to a server that requires the
certificate, as follows:
openssl s_client -connect pretendco.com:389

Once you've validated the certificate functionality, use dsconfigad to set the
-packetencrypt option to ssl, as follows:
dsconfigad -packetencrypt ssl

To ignore trust:
By default, OS X requires that a certificate received from a domain controller
be trusted. To modify this policy, configure the ldap.conf file. To disable
certificate verification, edit /etc/openldap/ldap.conf and change the
TLS_REQCERT setting to read never rather than demand.
By default, the settings read as follows:
#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
TLS_REQCERT     demand

They should read as follows when complete:
#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
TLS_REQCERT     never
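Setting TLS_REQCERT to never switches off exactly the check that makes the ssl option worthwhile, so it is best treated as a temporary diagnostic step that is reversed once the root certificate is trusted. The following added example, which is not from the guide, audits /etc/openldap/ldap.conf for the effective value (an absent key is treated as OpenLDAP's default of demand) and can put demand back without disturbing the other lines. The function names and the LDAP_CONF override are this example's own.

```sh
#!/bin/sh
# Added example (not from the guide): audit and restore the TLS_REQCERT
# setting in ldap.conf so that a "never" left behind after troubleshooting
# does not silently disable certificate verification for the AD plug-in.
LDAP_CONF=${LDAP_CONF:-/etc/openldap/ldap.conf}

# Print the effective TLS_REQCERT value. Commented lines start with '#'
# so their first field never equals the key; the last assignment wins;
# when the key is absent OpenLDAP's default "demand" applies.
tls_reqcert_value() {
    v=$(awk 'toupper($1) == "TLS_REQCERT" { val = $2 } END { print val }' "$1")
    printf '%s' "${v:-demand}"
}

# Return 0 when certificate verification is enforced (demand or hard),
# 1 when it has been relaxed (never, allow or try).
audit_tls_reqcert() {
    case "$(tls_reqcert_value "$1")" in
        demand|hard) return 0 ;;
        *)           return 1 ;;
    esac
}

# Rewrite TLS_REQCERT in place to the given value, keeping every other line
# (including commented ones) and appending the key if it was missing.
set_tls_reqcert() {
    # $1 = file, $2 = value
    tmp=$(mktemp) || return 1
    awk -v val="$2" '
        toupper($1) == "TLS_REQCERT" { print "TLS_REQCERT " val; seen = 1; next }
        { print }
        END { if (!seen) print "TLS_REQCERT " val }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"   # cat keeps the file's owner and mode
    rm -f "$tmp"
}

if [ -r "$LDAP_CONF" ]; then
    if audit_tls_reqcert "$LDAP_CONF"; then
        echo "$LDAP_CONF: TLS_REQCERT=$(tls_reqcert_value "$LDAP_CONF") (verification enforced)"
    else
        echo "$LDAP_CONF: TLS_REQCERT=$(tls_reqcert_value "$LDAP_CONF") (verification relaxed)"
    fi
fi
```

Running the audit as a periodic check (or from a management suite's compliance script) catches the case where never was set on a client and never reverted.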


3.2.7 Change Active Directory Computer Passwords

The OS X Active Directory plug-in supports changing computer trust account
passwords for the Active Directory computer accounts on systems bound to
Active Directory domains via dsconfigad. This module covers how to set up a
Mac to rotate the computer trust account using a custom interval for changes.
The default time period of computer trust account passwords is every 14 days.
Password change frequency is managed using the -passinterval flag followed
by the number of days between each change. For example, to set up your
password interval to be 7 days rather than 14, use the following command:
dsconfigad -passinterval 7

The -passinterval option must be set after binding.

Note: Setting -passinterval to 0 disables computer account password changes.


3.3 Third-Party Active Directory Plug-ins

Although the Active Directory plug-in in OS X works well for the majority of
deployments, there are situations that require a third-party solution. If you
need to support native Active Directory Group Policy or SmartCards, third-party
plug-ins may help provide that functionality.
Centrify: www.centrify.com
Thursby's ADmitMac: www.thursby.com
Quest Management Xtensions (QMX): www.quest.com
BeyondTrust: www.beyondtrust.com


3.4 Kerberos

Kerberos is a network authentication protocol used to prove an identity securely
when communicating over an insecure network. Kerberos provides a client-server
architecture with mutual authentication: both the user and the server verify
each other's identity. This protects Kerberos against various attacks, including
eavesdropping and the resulting potential for replay attacks.
Kerberos makes use of a Key Distribution Center (KDC) that consists of two parts:
the Authentication Server (AS) and a Ticket Granting Server (TGS) that issues
Ticket Granting Tickets (TGT). Kerberos works on the basis of tickets, which
serve to prove the identity of users. The KDC maintains a database of secret
keys. Each client on the network shares a secret key with the KDC and uses this
secret key to acquire a TGT. Once the client has a TGT, it can present it to the
KDC to get service tickets, which act as authentication to kerberized services
on the network.
Note: For communication between two kerberized entities, the KDC generates
session keys, which are used to secure communications.
Along with authenticating the identity of a host in a Kerberos environment,
safeguards are also put into place to protect the authenticity of each service
running on a system, as a Service Principal. For a client to obtain a service
ticket, the client requests it using its TGT. This information, in the form of
Service Principals, can be viewed in OS X by using the klist command on the Mac.
A more detailed overview of Kerberos is beyond the scope of this document, but
it's important to know that when a user first authenticates to a KDC (whether
it's Active Directory, Open Directory, or an MIT/Heimdal-based KDC), the client
receives a TGT. Once the client authenticates to a kerberized service, the
client will have both a TGT and a service ticket for that service. This assists
in troubleshooting authentication issues.
To access information regarding Kerberos tickets using a graphical interface,
open Keychain Access from /Applications/Utilities. Choose Ticket Viewer from the
Keychain Access menu.

Figure 3.4_1

Kerberos can also be managed from the command line using kinit, kswitch,
kdestroy, klist, kgetcred, and kpasswd.


3.5 LDAP

Lightweight Directory Access Protocol (LDAP) is the protocol used in most modern
directory services systems, including Novell eDirectory, Microsoft Active
Directory, and Apple Open Directory.
LDAP defines how clients create, query, and update information in directory
services. The directory then supplies that data, stored in a database, to
clients and servers. OS X supports binding to any directory service that
supports LDAP using the LDAPv3 Directory Service plug-in, which is configured in
the Users & Groups pane in System Preferences by using Directory Utility
(located in /System/Library/CoreServices) or by using the dsconfigldap command.
LDAP is lightweight and flexible, and supports different options for connecting,
binding, and mapping to and from attributes (the fields of the LDAP database).
Both Directory Utility and dsconfigldap allow you to specify all these options.
In LDAP, a schema is a set of rules about the data in the directory service.
Depending on the schema, you may have to provide custom mappings between
directory service data in OS X and the data in your directory service. Directory
Utility provides templates that map to commonly used schemas, and the ability to
create new templates for easy migration between hosts. Directory Utility also
supports network configuration of the plug-in via DHCP and mapping via a special
record in the directory service.


3.6 Open Directory

A directory service is software that stores and organizes information about an
environment (users, groups, computers, and other network resources), allowing
network administrators to centrally manage resources. Open Directory is the
directory service implementation built into OS X Server.
In the context of OS X Server, Open Directory includes a shared LDAPv3-based
directory domain along with a number of Apple-created schema attributes (these
attributes use OID (Object Identifier) space registered through IANA, the
Internet Assigned Numbers Authority), the Apple Password Server, and Kerberos 5,
all integrated using a modular Directory Services subsystem.
Open Directory allows a number of services that run on OS X, or other operating
systems, to be kerberized.


3.7 Distributed File Sharing

Distributed File Sharing (DFS) manages how storage is presented to users
through Active Directory. DFS allows administrators of Windows Server
environments to replicate data for redundancy and to virtualize the location of
shares. Shares can then be moved between servers without affecting the
experience of end users. Shares can also be replicated across sites and servers.
SMB/CIFS is a file-sharing protocol, and users access DFS shares via SMB.
OS X Mavericks natively supports SMB2 and the legacy SMB1 filesystems. The
Finder in OS X resolves DFS links properly, making DFS shares accessible. DFS
shares are then accessed as a regular file share would be.


3.7.1 Connect to DFS Shares

In OS X, the Finder resolves DFS links to shares, allowing the Mac to access
data located on DFS shares. These shares are SMB shares. OS X looks up the root
of DFS shares and handles them as a standard SMB file share is handled.
To connect to a DFS share using OS X:
1. In the Finder, click the Go menu.
2. Choose Connect to Server (or use the keyboard shortcut Command-K).
3. In the dialog, provide the path to the DFS share being accessed. (This may
or may not be the root share.)

Figure 3.7.1_1

4. Alternatively, click the Browse button to bring up a list of servers on the
network and choose a share from the list.
5. Click Connect.
6. If using Kerberos, and if the user has permission to connect to the share,
the Finder displays a window with the contents of the share.
7. If Kerberos isn't being used, the user is prompted to provide a password.
Enter the user name and password.
8. Click Connect.


3.7.2 View DFS Shares with smbutil

Troubleshooting connectivity issues with DFS can be a challenge, given that the
root shares are obfuscated by a virtualization layer. To ease the process of
troubleshooting DFS issues and to assist network administrators with scripting
the end user experience, a tool called smbutil is included with OS X.
As the name implies, smbutil is used to interface with SMB servers. A common
use of smbutil is to inspect referrals provided by a given host. To see if a
server hosts DFS referrals, use the dfs option with smbutil followed by the
path to the server. For example, for test.pretendco.com, use:
smbutil dfs smb://test.pretendco.com

The output contains the expanded name of the server (the name prefixed by the
host name). The listing will also display the single-line domain name.
Adding each portion of a DFS path to the connection string shows more in-depth
information about that portion of the DFS root. The previous server is a
mobile home directory server with a share called HomeDirectories. Using the
command smbutil dfs smb://test.pretendco.com/DFS shows the paths and referrals
for each share that is part of a namespace server called DFS, as follows:
Referral requested: /WIN-MIE2GCGNMU0.test.pretendco.com/DFS
list item 1 : Path: /WIN-MIE2GCGNMU0.test.pretendco.com/DFS
list item 1 : Network Address: /WIN-MIE2GCGNMU0/DFS
list item 1 : New Referral: /WIN-MIE2GCGNMU0/DFS

To see the referrals available for each namespace within, use the following:
smbutil dfs smb://test.pretendco.com/DFS/HomeDirectories

The output ends with a number of lines that show referral information, as follows:
Referral requested: /WIN-MIE2GCGNMU0.test.pretendco.com/DFS/HomeDirectories
list item 1 : Path: /WIN-MIE2GCGNMU0.test.pretendco.com/DFS/HomeDirectories
list item 1 : Network Address: /WIN-MIE2GCGNMU0/DFS/HomeDirectories
list item 1 : New Referral: /WIN-MIE2GCGNMU02/DFS/HomeDirectories
list item 1 : New Referral: /WIN-MIE2GCGNMU03/DFS/HomeDirectories
list item 1 : New Referral: /WIN-MIE2GCGNMU04/DFS/HomeDirectories

The user name and password can also be added into the smbutil options for
testing purposes. The following example shows this, using testuser as the user
name from Active Directory and testpassword as that user's password:
smbutil dfs smb://testuser:testpassword@test.pretendco.com/DFS/HomeDirectories
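As an added example, not part of the guide, the following shell script parses the referral lines shown above out of smbutil dfs output and checks that each referral target resolves in DNS, since a referral to a server name the Mac cannot resolve is a common reason a DFS link opens from Windows but not from OS X. The function names are this example's own; the server names used in its test are the placeholders from the output above.

```sh
#!/bin/sh
# Added example (not from the guide): list the referral targets behind a DFS
# path and flag any that do not resolve.
# Usage: sh dfscheck.sh smb://test.pretendco.com/DFS/HomeDirectories

# Print the server name from every "New Referral:" line, one per line,
# de-duplicated in order of first appearance. A referral path looks like
# /SERVER/DFS/HomeDirectories, so the server is the second "/"-separated
# field (the first is empty because the path starts with "/").
dfs_referral_hosts() {
    awk -F'New Referral: ' 'NF > 1 { n = split($2, p, "/"); if (n > 1 && !seen[p[2]]++) print p[2] }'
}

# Run smbutil against a DFS path and report referral targets that do not
# resolve. $1 = smb:// URL. Credentials are deliberately not embedded in the
# URL so they do not end up in shell history or process listings.
dfs_check() {
    rc=0
    for h in $(smbutil dfs "$1" 2>/dev/null | dfs_referral_hosts); do
        if dig +short "$h" 2>/dev/null | grep -q .; then
            echo "$h: resolves"
        else
            echo "$h: DOES NOT RESOLVE (add a search domain or DNS record)"; rc=1
        fi
    done
    return $rc
}

if [ -n "${1:-}" ]; then
    dfs_check "$1"
fi
```

Referral targets are usually short (NetBIOS-style) names, so whether they resolve depends on the search domains configured on the Mac; that is why the check uses the name exactly as the server returned it.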


3.7.3 Third-Party DFS Solutions

Some third-party clients for DFS may offer supported features not available in
OS X. The following third-party client-side solutions work with DFS shares.
Thursby's DAVE: www.thursby.com
DAVE doesn't depend on the built-in SMB client in the Finder. Instead, it uses
its own browser (DAVE Browser), mounter (mount_cifs), and filesystem (cifs.fs)
to browse DFS shares. DAVE is bundled with Thursby's ADmitMac for Active
Directory authentication, but DAVE does not require ADmitMac and can be used
with the Active Directory plug-in built into OS X.
Sharity: www.obdev.at/products/sharity
Sharity uses its own graphical user interface to configure mounts, and a daemon
that creates a virtual DFS mount that mounts volumes as you navigate the virtual
DFS filesystem.
GroupLogic: www.grouplogic.com
GroupLogic provides DFS link resolution via the ExtremeZ-IP AFP server solution.
ExtremeZ-IP runs on a Windows server. The client application for DFS is a widget
running on the Mac. The widget resolves DFS links by providing configuration to
the mounting system on OS X or by using the GroupLogic client application to
query the ExtremeZ-IP web services running on a Windows server.

3.8 SMB2 Support
OS X Mavericks now uses SMB2 as the default protocol for accessing files on a
network. Administrators can leverage the smbutil command to access shares,
access information about shares, and script any features that are needed around
SMB2. If the share is made accessible from DFS, the Finder will automatically
connect to the underlying share.
Users can access shares manually through the Finder sidebar via Bonjour if the
computer is available in the list.
To access shares manually via Bonjour:
1. Open a Finder window.
2. Click a host in the sidebar. Then click the server listed under Shared.
Figure 3.8_1
3. In the upper-right of the Finder window, click Connect As.
4. In the dialog, enter the Name and Password for the server, then click the
Connect button.
Figure 3.8_2

If the SMB2 or DFS share is not browsable, the share can still be accessed
manually using the Connect to Server dialog.
To access shares manually via the Connect to Server dialog:
1. Click the Go menu in the Finder.
2. Click Connect to Server (or use the keyboard shortcut Command-K).
3. In the dialog, enter the hostname with the SMB2 share on it, then click the
Connect button. You will be prompted to authenticate.
Figure 3.8_3

The options available in OS X provide a seamless experience when connecting to
Windows and Mac shares. If SMB2 is not an available protocol, OS X will
automatically attempt to mount a share through AFP. You can prefix the address
with either smb:// or afp:// to force a specific protocol.

3.9 Smart Card Support

As described on the Apple Support website, a U.S. Department of Defense
Common Access Card (CAC) or Personal Identity Verification (PIV) card is used to
access PK-enabled websites, VPNs, 802.1x networks, disk encryption, and
keychains (support.apple.com/kb/PH10872). CAC access typically requires a
certificate revocation list (CRL) or Online Certificate Status Protocol (OCSP) to
verify certificates.
Integration of smart cards for two-factor authentication in OS X is available using
tools available on the Mac OS Forge website. Software to enable CAC use is
available in the SmartCard services section at smartcardservices.macosforge.org.

3.9.1 Third-Party Smart Card Service Options

Integration of smart cards for two-factor authentication in OS X can be obtained
from commercial providers and open source projects.
Open Source Providers
The Smart Card Services and Token support continues to be developed, and is
available from the Apple-sponsored SmartCardServices project at
smartcardservices.macosforge.org.
This project has been providing support for the following smart card profiles:
BELPIC. Belgian National ID
CAC. U.S. Department of Defense Common Access Card
CAC-NG. U.S. Department of Defense, Common Access Card, Next Generation
(CACv2 and PIV)
PIV. U.S. Government Personal Identity Verification
A second open source project that provides support for OS X is the OpenSC
project, available at github.com/OpenSC/OpenSC/wiki.
Open Source Software (OSS) projects are helpful for accessing source code, for
obtaining working and/or emerging support, and even for viewing technology
instructions such as for smart cards. However, OSS doesn't include a roadmap,
timeline commitments, or enterprise support, which may preclude an
organization from leveraging these readily available project resources. For
enterprise-level support and timely feature advances, a commercial product is
often better suited.
Commercial Providers
Enterprise-based commercial products and corresponding support-level
agreements are acquired from dedicated smart-card middleware providers.
Several provide smart-card middleware to replace or augment built-in OS X
services.
Some leading smart-card middleware providers for OS X include:
.beID. eid.belgium.be
ActivIDentity. www.actividentity.com
Centrify. www.centrify.com
Charismathics. www.charismathics.com
HID. www.hidglobal.com
SafeNet. www.safenet-inc.com
Thursby Software. www.thursby.com
CCID-compliant smart-card hardware that can be purchased from Apple:
SCM Smart Card Reader. store.apple.com/us/product/H2312LL/A

4 Configuration Management
Policy-based management is a robust way to manage nearly any setting in OS X.
Mac computers, as well as iOS devices, are managed using configuration profiles.
Using the same management structure for both platforms allows enterprises to
leverage the same Mobile Device Management (MDM) platforms to manage both
types of devices.
Profiles are used to manage settings for Mac computers. Profiles are created with
the Profile Manager service in OS X Server or using the Apple Configurator app,
which supports settings shared between OS X and iOS, and is available on the
Mac App Store. Profile Manager offers a number of options, such as locking
devices, performing remote wipes, and binding to a directory service. Profiles are
also the only way to configure 802.1x profiles on a Mac.

4.1 Configure a Profile Manager Server

OS X Server includes the Profile Manager service, which manages devices running
both OS X and iOS. Profile Manager can be used for pilot groups of Mac
computers and iOS devices. As your environment scales, consider a third-party
tool to replace Profile Manager. MDM packages often include additional features
for scaling environments, while providing all the same options available in Profile
Manager.
1. To set up Profile Manager, first install OS X and OS X Server from the Mac App
Store.
2. Once the server is set up, verify that the host name and SSL certificates are
valid (a process covered in the following modules).
3. If using Active Directory, bind your server to the Active Directory
environment. The Open Directory service is automatically installed with
OS X Server during the Profile Manager setup, even when the server
leverages Active Directory as a directory service.

4.1.1 Configure Network Settings

Configuring the network settings of OS X Server is simple with the application
from Apple called Server, located in /Applications once installed from the Mac
App Store. This step should be completed before any other services are
configured, including Profile Manager.
The Server application makes it easy to correctly set up network interfaces and
host names. If a server's IP address has no resolvable DNS name, or if the DNS
name doesn't match the host name provided at setup, a local DNS server will
automatically be set up to provide local name resolution when Server is installed
from the Mac App Store.
If changes to a server's IP or host name need to be made, use the Host Name
Assistant to automatically update all services to use the new host name.
To configure network settings:
1. Open the Server application from /Applications.
2. Authenticate to the local server.
3. Click the name of the server listed in the sidebar (the first item), if not already
highlighted.
4. Click the Edit button next to the Host Name in the Overview pane.
Figure 4.1.1_1

5. In the Accessing your Server dialog, click the Domain Name radio button.
6. Click Next.
Figure 4.1.1_2
7. In the Connecting to Your Server dialog, provide the name (which in this
example is Pretendco MDM Server) and the host name, which should have
corresponding DNS entries (in this example, it is mdm.pretendco.com).
Figure 4.1.1_3

8. In the Server app, the new name is displayed in the sidebar, in the Host Name
field, and in the Computer Name field.
Figure 4.1.1_4

4.1.2 Configure Users
Before accessing most services on a server running OS X Server, users need
accounts created on the server. All accounts created with the Server application
reside in a directory service known as Open Directory. Open Directory is
automatically configured when the Server application is installed in OS X Server.
If a server is bound to a directory service, such as Microsoft Active Directory, no
further work is needed because accounts from the third-party directory service
can be used with the OS X Server service. Otherwise, create users before setting
up profiles in Profile Manager.
To create network service users in OS X Server:
1. Open the Server application from /Applications.
2. Click Users, listed under Accounts in the sidebar.
Figure 4.1.2_1
3. Click the Add (+) button to add users.
4. Enter the user's name in the Full Name field.
For example, Pretendco Administrator.
5. Enter a shortened name for the user in the Account Name field.
For example, pretendcoadmin.
6. Optionally, provide an email address for the user in the Email Address field.
For example, admin@pretendco.com.
7. Enter the password this account will use in the Password field.
8. Enter the password again in the Verify field.
9. Optionally, choose to give the user administrative access to the server by
selecting the Allow user to administer this server checkbox.

10. If portable home directories or network home directories will be used,
choose the share on which the user's home directory resides using the Home
Folder menu.
Note: This list is automatically populated based on the contents of the Open
Directory automounts.
Figure 4.1.2_2
11. Click the Create button when the settings are as intended for the user.

4.1.3 Add Groups
Most large-scale systems management should be done using groups. This
module covers creating groups using the Server application.
Note: If the server is bound to another directory service, for example Active
Directory, manage users from the third-party directory service rather than from
OS X Server to make sure all applicable attributes are created.
To create groups in OS X Server:
1. Open the Server application from /Applications.
Figure 4.1.3_1
2. Choose Groups, listed under Accounts in the sidebar.
Figure 4.1.3_2
3. Click the Add (+) button.

4. When prompted, provide a name for the group in the Full Name field.
5. The Group Name short name is automatically generated based on the Full
Name. Alternatively, provide your own short name in the Group Name field.
Figure 4.1.3_3
6. Click Create to create the group.

4.1.4 Review Certificates
Each server running OS X Server is installed with a default self-signed certificate.
For security purposes, review the certificates installed on the server.
Most services, such as Profile Manager, require SSL certificates. These certificates
can either be created by the organization's Certificate Authority (CA), purchased
from an outside vendor, or created as a self-signed certificate directly in
OS X Server.
To manage certificates in OS X Server:
1. Open the Server application from /Applications.
Figure 4.1.4_1
2. Select Certificates, under Server in the sidebar.
Figure 4.1.4_2

3. Click the cog wheel icon to open the action pop-up menu.
4. Choose Show All Certificates.
5. Double-click the certificate.
Figure 4.1.4_3
6. On the certificate pane, verify that all the required settings are correct.
Figure 4.1.4_4

7. If you need to install a third-party certificate from a trusted certificate
authority, use the Add (+) button. Then choose Get a Trusted Certificate to
generate a CSR.
Figure 4.1.4_5

4.1.5 Acquire Apple Push Notification Certificates

To push profile changes to devices, first configure a server to use Apple Push
Notification Services. Apple Push Notification Certificates must be acquired for
the service from Apple, which can be done using the Server application.
To acquire an Apple Push Notification Certificate:
1. Open the Server application from /Applications.
Figure 4.1.5_1
2. Click the Settings tab.
Figure 4.1.5_2
3. Click the Enable Apple push notifications checkbox.

4. On the Apple Push Notifications dialog, provide an organizational Apple ID
and a password for that ID.
Note: This Apple ID should not be a personal Apple ID, nor one used to
purchase apps. This Apple ID is for the use of Apple Push Notifications. You
will need to renew this certificate every year, so make sure the ID is
accessible and documented.
Figure 4.1.5_3
5. Click Get Certificate.
6. Click OK.
Note: It is recommended that you set a reminder for the expiration date of
the Apple Push Notification Certificate in a calendar application such as
Calendar from Apple or Microsoft Outlook.

4.1.6 Enable Profile Manager

Enabling Profile Manager allows administrators to easily manage Mac computers
and iOS devices. Before enabling this service, it's important to configure the
network, user, and certificate settings for OS X Server as shown in previous
modules.
To configure and enable Profile Manager:
1. Open the Server application from /Applications.
Figure 4.1.6_1
2. Click Profile Manager from the Services list in the sidebar.
Figure 4.1.6_2

3. Click Configure.
Note: If there isn't a Configure button, turn on Profile Manager in the
upper-right of the window. If this doesn't work, run the wipeDB.sh script located at
/Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend/WipeDB.sh
to restart the process. Then restart the computer when the script is complete.
If any of the features have been configured prior to this step, those steps are
skipped in this process.
4. Click Next in the Configure Device Management dialog.
Figure 4.1.6_3
5. In the Organization Information dialog, provide any available information
pertinent to the domain (phone number and address are optional).
6. Click the Next button.
Figure 4.1.6_4

7. In the Configure an SSL Certificate dialog, choose the appropriate certificate
for your environment.
8. Click the Next button.
Figure 4.1.6_5
9. In the Confirm Settings dialog, click Finish. The Profile Manager database is
now created.
Figure 4.1.6_6

10. Provided the service is configured correctly, Enabled appears next to Device
Management.
Figure 4.1.6_7
11. To change the name of the default configuration profile, click the Edit button
next to the current name and enter a new name.
12. Once finished configuring settings, turn Profile Manager on in the
upper-right corner of the window.

After the Profile Manager service completes startup, configure Profile Manager
settings and enroll user devices.

4.1.7 Automatic Push versus Manual Download Profiles

When setting up configuration profiles, there are two types of profiles to choose
from: automatic push and manual download. Both are assigned to devices
either directly or through inheritance, but are deployed to clients in different
ways.
Manual download profiles function as their name indicates. These configuration
profiles must be manually installed by end users on their devices. These profiles
are commonly emailed directly to users or downloaded from a web page and
installed. The Profile Manager service makes these profiles available for download
on the device portal page following user authentication. These profiles are static,
and the payload isn't updated unless the user manually downloads and installs an
updated profile.
In contrast, automatic push profiles are distributed without user interaction
following the initial deployment of the profile. Once a device is enrolled via the
device portal page, devices are notified of any new profiles or changes to existing
profiles by an Apple push notification. Any change made to the settings of an
automatic push profile results in client notification.
It's important to realize that the actual profile isn't distributed via the push
notification system. The push notification alerts the device that the device needs
to check in with the MDM server. Once the device has connected to the MDM
server, it can retrieve and apply an updated configuration profile. For these
notifications to work properly, administrators must allow the Apple Push
Notification service to pass through the network border, which consists of
outgoing traffic from the server and client systems.
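Because the push notification is only a wake-up, the place the Mac then connects to, and what the server is allowed to do once it has connected, are fixed by the MDM payload of the enrollment profile the device installed: its ServerURL and CheckInURL are the hosts that client egress must reach, its Topic is the APNs topic tied to the push certificate acquired in 4.1.5, and its AccessRights mask is what authorizes operations such as the lock and wipe commands described in later modules. The following Python script is an added example, not code from this guide or from Profile Manager; it parses a constructed, unsigned .mobileconfig (an XML property list) with the standard Configuration and com.apple.mdm payload keys, and all identifiers, UUIDs, URLs and the topic in it are placeholders in the guide's pretendco.com style. The AccessRights bit meanings are reproduced from memory of Apple's MDM protocol reference; confirm them against the current reference before relying on them.

```python
"""Inspect a configuration profile and report what management it grants (added example)."""
import plistlib
from typing import Any, Dict, List

# Constructed enrollment profile in .mobileconfig (XML plist) form. Identifiers, UUIDs,
# URLs and the APNs topic are placeholders in the guide's pretendco.com style, not real values.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.pretendco.mdm.enroll</string>
  <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000001</string>
  <key>PayloadDisplayName</key><string>Remote Management</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadRemovalDisallowed</key><false/>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mdm</string>
      <key>PayloadIdentifier</key><string>com.pretendco.mdm.enroll.mdm</string>
      <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000002</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>ServerURL</key><string>https://mdm.pretendco.com/mdm/connect</string>
      <key>CheckInURL</key><string>https://mdm.pretendco.com/mdm/checkin</string>
      <key>Topic</key><string>com.apple.mgmt.External.PLACEHOLDER-UUID</string>
      <key>AccessRights</key><integer>8191</integer>
      <key>CheckOutWhenRemoved</key><true/>
    </dict>
  </array>
</dict>
</plist>
"""

# AccessRights bits as documented in Apple's MDM protocol reference (reproduced from
# memory; verify against the current reference). 8191 sets all thirteen bits.
ACCESS_RIGHTS = [
    (1, "inspect installed configuration profiles"),
    (2, "install and remove configuration profiles"),
    (4, "device lock and passcode removal"),
    (8, "device erase"),
    (16, "query device information"),
    (32, "query network information"),
    (64, "inspect installed provisioning profiles"),
    (128, "install and remove provisioning profiles"),
    (256, "inspect installed applications"),
    (512, "restriction-related queries"),
    (1024, "security-related queries"),
    (2048, "manipulate settings"),
    (4096, "app management"),
]


def load_profile(data: bytes) -> Dict[str, Any]:
    """Parse an unsigned profile. A signed profile is CMS-wrapped and must be unwrapped
    first (on OS X: security cms -D -i profile.mobileconfig > profile.plist)."""
    return plistlib.loads(data)


def decode_access_rights(mask: int) -> List[str]:
    """Names of the rights granted by an AccessRights bitmask, lowest bit first."""
    return [name for bit, name in ACCESS_RIGHTS if mask & bit]


def summarize(profile: Dict[str, Any]) -> Dict[str, Any]:
    """Top-level facts an administrator checks before trusting or deploying a profile."""
    payloads = profile.get("PayloadContent", [])
    summary: Dict[str, Any] = {
        "identifier": profile.get("PayloadIdentifier"),
        "display_name": profile.get("PayloadDisplayName"),
        # PayloadRemovalDisallowed=true means the user cannot remove it from System Preferences.
        "user_removable": not profile.get("PayloadRemovalDisallowed", False),
        "payload_types": [p.get("PayloadType") for p in payloads],
        "mdm": None,
    }
    for p in payloads:
        if p.get("PayloadType") == "com.apple.mdm":
            summary["mdm"] = {
                "server_url": p.get("ServerURL"),      # device connects here after a push
                "checkin_url": p.get("CheckInURL"),    # enrollment and token updates
                "topic": p.get("Topic"),               # must match the APNs push certificate
                "rights": decode_access_rights(int(p.get("AccessRights", 0))),
                "check_out_when_removed": bool(p.get("CheckOutWhenRemoved", False)),
            }
    return summary


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(load_profile(SAMPLE_PROFILE)), indent=2))
```

Run against a real enrollment profile, the rights list tells you whether the server can lock or erase the Mac at all, and the server URL host names are the ones (together with Apple's push service) that must be allowed outbound at the network border.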

4.1.8 Edit Management Profiles

Use the web-based Apple Profile Manager interface to create, edit, and delete
profiles as well as to create device groups for controlling profile distribution.
Users and groups from enterprise directory services (such as Active Directory)
appear in Profile Manager provided OS X Server has been properly bound.
It's important to remember that while each user, group, device group, or device
record can only have one profile assigned to it in Profile Manager, each device
may belong to many groups. This enables the layering of settings via profile
inheritance.
To edit configuration profiles:
1. Open the Server application from /Applications.
Figure 4.1.8_1

2. Click Profile Manager from the Services list in the sidebar.
Figure 4.1.8_2
3. Click Open Profile Manager in the lower-left corner, or open a web browser
and go to https://servername/profilemanager, where servername is the fully
qualified domain name of the server running Profile Manager.
4. Authenticate as needed with administrative credentials.
Figure 4.1.8_3

5. Select the user, group, device, or device group to edit.
6. Click the Settings tab.
Figure 4.1.8_4
7. Click the Edit button for the profile.
Figure 4.1.8_5

8. Configure the profile as desired.
9. Click OK.
Figure 4.1.8_6
10. Click Save to update the profile settings.
Figure 4.1.8_7
11. Click Save again to commit the changes to the database.
Note: Updating settings for an automatic push profile will result in an Apple
push notification being sent to devices.

4.1.9 Create Device Groups

Device groups enable assignment of profile settings for specific groups of
devices, for example when Mac devices are separated into iMac, MacBook Pro,
and MacBook Air groups, or when computers are divided based on business
unit. This allows administrators to quickly apply settings appropriate for each
logical grouping of devices.
To create a device group:
1. Open the Server application from /Applications.
Figure 4.1.9_1
2. Click Profile Manager from the Services list in the sidebar.
Figure 4.1.9_2
3. Click Open Profile Manager in the lower-left corner.

4. Authenticate as needed with administrator credentials.
5. Choose Device Groups from the Library list in the sidebar.
Figure 4.1.9_3
6. Click the Add (+) button to create a new device group.
7. Configure the group settings and profile as desired.
Figure 4.1.9_4
8. Click Save to create the group.

9. With the new group highlighted, click the Add (+) button in the Group pane
to add devices or other device groups as members.
Figure 4.1.9_5
10. Click Save when finished adding devices.

4.1.10 Use Device Placeholders

Device placeholders enable administrators to populate device records and groups
with profile settings before getting devices configured for Profile Manager. Create
a placeholder record based on the serial number, UDID (Unique Device Identifier),
IMEI (International Mobile Equipment Identity), or MEID (Mobile Equipment
Identifier) of a device. When a matching device is enrolled, the newly enrolled
device assumes the identity of the placeholder record.
If the Mac is removed from management or if the record is deleted, the
placeholder account isn't automatically recreated.
To create a device placeholder:
1. Open the Server application from /Applications.
Figure 4.1.10_1
2. Choose Profile Manager from the Services list in the sidebar.
Figure 4.1.10_2

3. Click Open Profile Manager in the lower-left corner.
4. Authenticate as needed with the credentials for an administrative account.
5. Choose Devices from the Library list in the sidebar.
Figure 4.1.10_3
6. Click the Add (+) button and choose Add Placeholder.
Figure 4.1.10_4
7. Choose a type from the Device Type menu, and enter a name and serial
number for the device.
Figure 4.1.10_5
8. Click Add.
Note: Device placeholders can be imported for bulk placeholder creation. To do
so, choose Import Placeholders instead (above in step 6). Then select the
appropriate file of device names and serial numbers.

4.1.11 Enroll OS X Devices
Once the Profile Manager server is configured, devices need to be enrolled to
make use of the new configuration. When logging into the User Portal, there are
two tabs. The Devices tab provides an overview of devices registered by that user
and allows for the enrollment of new devices. The Profiles tab shows download
profiles that are available for the logged-in user.
When using a self-signed SSL certificate, users will begin by installing the Trust
Profile from the Profiles tab. This profile will install the certificates needed for the
client devices to trust your Profile Manager SSL and code-signing certificates.
To enroll an OS X computer:
1. Open a web browser and navigate to https://<yourserver>/mydevices.
2. Authenticate with an account.
Figure 4.1.11_1

3. Click Enroll to enroll the device into the Mobile Device Management
environment.
Figure 4.1.11_2
4. The profile downloads and automatically opens in the Profiles pane in
System Preferences.
5. When prompted, click Continue to install the Remote Management profile.
Figure 4.1.11_3

6. If the certificate is not provided by a previously trusted source, a dialog will
appear warning that the profile's authorship is unknown. Click the Install
button.
Figure 4.1.11_4
7. The Mac is now enrolled in Profile Manager and appears under Devices both
in Profile Manager and on the My Devices portal.
Figure 4.1.11_5

8. The Remote Management profile is also shown in the Profiles pane in System
Preferences.
Figure 4.1.11_6

4.1.12 Lock a Device via the User Portal

Once a device is enrolled using Profile Manager, the user responsible for that
device can perform basic security tasks. The most basic task is a remote lock,
helpful when a device has temporarily fallen outside the control of the
organization.
To remote-lock a device:
1. Open a web browser and navigate to https://<yourserver>/mydevices.
Note: <yourserver> is the name of an OS X Server system running the Profile
Manager service.
2. Authenticate as the user who enrolled the device.
3. See the enrolled devices in the Devices tab. Click the Lock button for the
appropriate device.
Figure 4.1.12_1

4. Enter a passcode when prompted.
Figure 4.1.12_2
5. When prompted to confirm the task, click OK.
Figure 4.1.12_3
6. When locking a Mac, it immediately restarts to a PIN pad. Only the passcode
entered in the User Portal can unlock the device. When the passcode is
provided to the client computer, the computer restarts as normal and
remains enrolled.
7. Administrators can confirm that the lock has been applied from Profile
Manager.

4.1.13 Wipe a Device from the User Portal

Once a device is enrolled using Profile Manager, the user responsible for it can
perform basic security tasks. The most intrusive action is a remote wipe, erasing
all data on the device.
To remote-wipe a Mac, it must also have a recovery partition.
To remote-wipe a device:
1. Open a web browser and navigate to https://<yourserver>/mydevices.
Note: <yourserver> is the name or IP address of an OS X Server system
running the Profile Manager service.
2. Authenticate as the user who enrolled the device.
Figure 4.1.13_1

3. Enrolled Mac computers appear in the Devices tab. If a passcode field is
present, the client system has already been locked. This is often a preliminary
measure before wiping devices. Click the Wipe button for the appropriate
device.
Figure 4.1.13_2
4. Performing a wipe requires the use of a PIN. Enter the PIN and then click the
Wipe button.
5. When prompted to confirm the wipe, click OK to confirm.
Figure 4.1.13_3
6. The Mac is wiped and all data is erased. Confirm the wipe has been sent in
the Tasks section of Profile Manager.

4.1.14 Lock a Device Using Profile Manager

Once a device is enrolled using Profile Manager, the user responsible for the
device can perform basic security tasks. The Profile Manager portal also provides
administrators the ability to perform security tasks on remote devices.
To remote-lock a device using Profile Manager:
1. Open the Server application from /Applications.
2. Choose Profile Manager from the Services list in the sidebar.
3. Click Open Profile Manager in the lower-left corner.
4. Authenticate with administrative credentials.
Figure 4.1.14_1

5. Choose Devices or Device Groups from the Library list in the sidebar.
6. Select the device or device group to lock.
Figure 4.1.14_2
7. In the device or device group pane, click the cog wheel icon to open the
action pop-up menu.
8. Choose Lock.
Figure 4.1.14_3

9. Enter a lock passcode.
Figure 4.1.14_4
10. When locking OS X, the Mac immediately restarts to a PIN pad. Only the
passcode entered in Profile Manager can unlock the computer.
11. Confirm the lock has been completed in the Completed Tasks section of
Profile Manager.

4.1.15 Wipe a Device Using Profile Manager

Once a device is enrolled with Profile Manager, the user responsible for the device
can perform basic security tasks. Profile Manager also gives administrators the
ability to perform these same security tasks on remote devices.
To remote-wipe a device using Profile Manager:
1. Open the Server application from /Applications.
2. Choose Profile Manager from the Services list in the sidebar.
3. Click Open Profile Manager in the lower-left corner.
4. Authenticate with administrator credentials.
Figure 4.1.15_1

5. Choose Devices or Device Groups from the Library list in the sidebar.
6. Select the device or device group to wipe.
Figure 4.1.15_2
7. In the device or device group pane, click the cog wheel icon to open the
action pop-up menu.
8. Choose Wipe.
Figure 4.1.15_3

9. Enter a wipe passcode.
10. Click Wipe.
Figure 4.1.15_4
11. The device is wiped and all data is lost.
12. Confirm the wipe has been completed in the Completed Tasks section of
Profile Manager.

4.1.16 Remove a Mac from Management via the User Portal

Users can perform basic security tasks using the My Devices portal once they
have enrolled devices in Profile Manager. Just as users can enroll, lock, and wipe a
device from the User Portal in Profile Manager, they can also disable remote
management of devices.
Note: Removing a device from management removes the enrollment and
management profiles, as well as any access configured by those profiles. The trust
profile isn't removed. While the profiles from the portal are removed in this
module, they can also be removed from the Profiles pane in System Preferences.
To remove a device from management:
1. Open a web browser and navigate to https://<yourserver>/mydevices.
(<yourserver> is the name or IP address of an OS X Server system running
the Profile Manager service.)
2. Authenticate as the user who enrolled the device.
3. Click the Devices tab to view all Mac computers enrolled by the user account.
To enroll additional devices for the same account, click the Enroll button.
Click the Remove button for the device to disable remote management.
Figure 4.1.16_1

4. Verify that you want to remove the device.
Figure 4.1.16_2
5. The device record is removed from Profile Manager, and the device is no
longer considered managed. Additionally, the Remote Management profile is
no longer listed in the Profiles pane in System Preferences on the client
computer.

4.1.17 Remove Management via Profile Manager

Users can utilize the user portal in Profile Manager to enroll, lock, and wipe
devices, as well as to disable remote management. Profile Manager also gives
administrators the ability to act on remote devices.
Note: Removing a device from management also removes the configuration
profiles and any access configured by those profiles. Trust profiles are left on
devices when removed, easing the burden of subsequent enrollments.
To remove a device from management with Profile Manager:
1.

Open the Server application from /Applications.

2.

Click Profile Manager in the Services list in the sidebar.

3.

Click Open Profile Manager in the lower-left corner.

4.

Authenticate with administrator credentials.

5.

Click Devices from the sidebar list under Library.

6.

Select the device to remove.

Figure 4.1.17_1

!
!
7.

Click the minus (-) button located at the bottom of the middle pane.

151

IT Configuration GuideFor Your Mac Evaluation and Deployment (Version 6.0)

8.

Click Delete to confirm the device should be removed.

Figure 4.1.17_2

!
9.

Remote configuration profiles will now be removed.

10. Confirm the device no longer appears in the Devices section of the Profile
Manager Library.

!
!

4.1.18

Profile System Preferences

After installing any configuration profiles in OS X, the Profiles pane in System Preferences will appear. Initially, there is no Profiles pane in System Preferences. The Profiles pane in System Preferences is used to review which profiles are installed. The Profiles pane is also used for adding profiles and removing or verifying existing profiles. Configuration profiles can also be installed by double-clicking them in the Finder or by downloading profiles using Safari, provided the web server is capable of serving the proper MIME types.
Note: Any user with administrative access can remove a device profile.
To remove a profile:

1. Choose System Preferences from the Apple menu.

2. Click the lock icon in the lower-left corner.

3. Provide an administrative user name and password.

4. Click the Device Profiles pane.

5. Select the profile to remove.

Figure 4.1.18_1

6. Click the minus (-) button to remove the profile.

7. When prompted to verify profile removal, click Remove.

Figure 4.1.18_2

4.1.19

Non-Removable Configuration Profiles

Configuration profiles are a policy enforcement system. When creating profiles in Profile Manager, administrators have options for controlling how those profiles can be removed.
The default removal setting always allows removal of a profile, meaning a user profile can be removed by the user to which it applies. Device profiles can then be removed by any administrative user on a Mac. However, some policies should be enforced whether the user wishes to have them or not.
The Authorization feature secures profile removal, forcing a specific password to be used to edit a profile. Only users with the profile password may remove it.
The Never removal setting indicates that a profile may not be removed. The device must be wiped in order to remove the profile.
To change profile removal rules:

1. Open the Server application from /Applications.

2. Choose Profile Manager from the Services list in the sidebar.

3. Click Open Profile Manager in the lower-left corner.

4. Authenticate with the credentials for an administrative account.

5. Choose Users, Groups, Devices, or Device Groups from the Library list in the sidebar.

6. Select the user, group, device, or device group to edit.

Figure 4.1.19_1

7. Click the Edit button for the profile.

Figure 4.1.19_2

8. Change the Security settings for the profile as needed.

Figure 4.1.19_3

9. Set any other settings that should be deployed with the profile.

10. Click OK to close the Settings pane.

11. Click Save to update the profile settings.

4.1.20

Restrict Access to System Preferences

The System Preferences in OS X are where many of the options are configured for how a computer behaves. By limiting access to System Preferences, you effectively restrict users from changing the behavior of the system (and can therefore aim to limit the number of tickets submitted for issues that likely shouldn't have occurred in the first place).
To limit access to System Preferences using Profile Manager:

1. Open the Server application from /Applications.

2. Choose Profile Manager from the Services list in the sidebar.

3. Click Open Profile Manager in the lower-left corner.

4. Authenticate with the credentials for an administrative account.

5. Choose Users, Groups, Devices, or Device Groups from the Library list in the sidebar. Then select the user, group, device, or device group to edit.

6. Click the Settings tab.

Figure 4.1.20_1

7. Click Edit.

8. Click Restrictions in the Profile Manager sidebar.

Figure 4.1.20_2

9. Click Configure.

Figure 4.1.20_3

10. Select the Restrict Items in System Preferences checkbox.

11. Choose whether to disable or enable the selected items.
Note: If you disable selected items rather than enabling a permitted set, users can still access third-party System Preferences panes.

12. Deselect each preference for which you'd like to restrict access.

13. Click OK to close the Settings pane.

14. Click Save to update the profile settings.

4.1.21

profiles Command

The profiles command allows programmatic control of configuration profiles so that administrators can script or remotely run configuration profile installation, removal, and auditing. To list the configuration profiles installed for a given user, run the profiles command with the -L option, as follows:
profiles -L

To see all configuration profiles installed on the system, run the profiles command with the -P option, as follows:
sudo profiles -P

To install a configuration profile for a user, run the profiles command with the -I option (for install), followed by the -F option (for file), and ending with the path to the profile file. For example, the following command installs a configuration profile called 8021xSetup.mobileconfig, previously copied to /tmp:
profiles -I -F /tmp/8021xSetup.mobileconfig

To remove that profile, use the following command:
profiles -R -F /tmp/8021xSetup.mobileconfig

An effective way to troubleshoot profile problems is to remove all configuration profiles using the -D option, as follows:
profiles -D

Profiles installed from a Profile Manager instance are tracked using unique identifiers similar to a defaults domain. For example, if an organization is called pretendco and the profile to install is for 802.1x configuration, that profile might be called com.pretendco.8021xSetup. To remove this profile, use the -R option followed by -p to denote a profile identifier, as follows:
profiles -R -p com.pretendco.8021xSetup

To see the version number of the profiles command, use the -x option:
profiles -x

For more information, see the man page for profiles using the following command:
man profiles

4.1.22

dscl Command

As of OS X Mavericks, the dscl command has extensions for dealing with profiles. These include the following:
MCX Profile Extensions:
-profileimport <record path> <profile file path>
-profiledelete <record path> <profile specifier>
-profilelist <record path> [optArgs]
-profileexport <output folder path> <record path> <profile specifier>
-profilehelp

To list all profiles for a given object in a directory service, use the -profilelist extension. To run the command, follow dscl with the -u option to identify a directory services user, -P to supply that user's password, and the IP address of the directory services server, followed by profilelist and then the path of the object. Assuming a directory administrator named diradmin with the password apple, and the user record sydneybailey:
dscl -u diradmin -P apple 192.168.210.201 profilelist /LDAPv3/127.0.0.1/Users/sydneybailey

To delete that information for the given user, swap the profilelist extension for profiledelete:
dscl -u diradmin -P apple 192.168.210.201 profiledelete /LDAPv3/127.0.0.1/Users/sydneybailey

To instead export all information to a directory called ProfileExports at the root of the drive:
dscl -u diradmin -P apple 192.168.210.201 profileexport . all -o /ProfileExports

4.2

Manage Profiles
Profile Manager enables administrators to configure almost any setting in OS X and manage devices en masse.
Profiles can also be managed using third-party mobile device management solutions. These solutions support profile management in the same fashion, using tasks similar to those in this section.

4.2.1

View the Contents of Profiles

In previous modules, enrolling a device in Profile Manager created items in the Profiles pane in System Preferences. These items result in additional profiles containing settings that get implemented on client systems.
To view profiles in System Preferences:

1. Choose System Preferences from the Apple menu.

2. Click Profiles.

3. Click a profile.

Figure 4.2.1_1

4. The following information is displayed:

a. Installed. The date the profile was installed or last changed.

b. Settings. The payloads being managed.

c. Details. The settings being managed within each payload and the contents of the managed keys.

4.2.2

Configure the Location of the Dock

OS X displays the icons of various applications in the Dock, located by default across the bottom of the screen. The location of the Dock can be changed to the right or left side of the screen.
In this module, manage the location of the Dock so that it appears on the right side of the screen. This is one example of managing settings using Profile Manager.
To change the location of the Dock:

1. Open the Server application.

2. Click Profile Manager from the Services list in the sidebar.

3. Click Open Profile Manager in the lower-left corner.

4. Authenticate as needed with administrative credentials.

5. Click Users, Groups, Devices, or Device Groups in the Library list in the sidebar.

6. Select the user, group, device, or device group to edit.

Figure 4.2.2_1

7. Click the Edit button.

Figure 4.2.2_2

8. In the sidebar of the Settings window, scroll down and click Dock.

Figure 4.2.2_3

9. Click the Configure button.

10. Next to Position, click the Right radio button.

11. Click OK to return to the Profile window.

Figure 4.2.2_4

12. In the Profile window, verify that the Dock payload is listed.

Figure 4.2.2_5

13. Click Save to save the changes. The Dock on the client system is immediately moved to the right side of the screen.

Figure 4.2.2_6

4.2.3

Manage Third-Party Application Preferences

Configuration profiles also manage third-party applications by editing the defaults domain of settings. These defaults domains typically map back to a property list (.plist) file, and each setting is represented by a key in that file.
The key to managing a given preference is to locate the appropriate preference file, the key to use, and the options available for that key. While this may seem daunting given the variety of preferences and the key names they often comprise, there are a number of tools available to help make this easier.
Many developers publish a list of their preference files with a listing of keys and the options available per key. For example, Microsoft publishes a list of preference files at www.microsoft.com/mac/itpros/default.mspx, but not a listing of each key nor the ramifications of using them. Using a search engine can yield fast results at times; however, these aren't always accurate.
While this module focuses on using Profile Manager to deploy custom settings to client systems, it isn't always possible because third-party developers may not always follow Apple standards. For example, Firefox uses a .js file to store a variety of settings rather than using property lists. If the settings aren't in a plist file, scripting login events to deploy settings may be required.
Here we use providing a gateway server to Microsoft Office Communicator as an example of controlling settings for a third-party app using Profile Manager.
To set up Microsoft Office Communicator with a gateway server:

1. Open the Server application from /Applications.

2. Click Profile Manager from the Services list in the sidebar.

3. Click Open Profile Manager in the lower-left corner.

4. Authenticate as needed with administrative credentials.

5. Click Users, Groups, Devices, or Device Groups in the Library list in the sidebar. Then select the user, group, device, or device group to edit.

Figure 4.2.3_1

6. In the Settings tab in the right-most pane, click the Edit button.

Figure 4.2.3_2

7. In the Settings sidebar, scroll down and select Custom Settings.

Figure 4.2.3_3

8. Click the Configure button.

9. Enter com.microsoft.configurator in the Preference Domain field.

Figure 4.2.3_4

10. Click the Add Item button to add a key to the domain.

11. Enter GatewayServer in the Key field.

12. Leave the Type menu set to String.

13. In the Value field, enter the name or IP address of the gateway server for Office Communicator.

14. Click OK.
Note: If there are a number of preferences to add, consider importing a prepared property list using the Upload File button.

Figure 4.2.3_5

15. Click Save and the setting is deployed to all client systems in the group, all systems for the user (if configuring for users), or a single device if applicable.

Figure 4.2.3_6
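The Custom Settings payload built in steps 9 through 14 can also be produced as a file, which the Upload File button in step 14 or the profiles command from 4.1.21 will accept. The script below is an added example, not part of the guide or of Apple's tooling; the com.pretendco identifier and the gateway.pretendco.com hostname are placeholders, the payload layout (com.apple.ManagedClient.preferences with a Forced entry) is the one Profile Manager writes for this pane, and the PayloadRemovalDisallowed key is the Never removal setting from 4.1.19.

```shell
#!/bin/sh
# Write a configuration profile (.mobileconfig) carrying a Custom Settings
# payload for one preference domain. Added example, not Apple's code or the
# guide's; com.pretendco and gateway.pretendco.com are placeholder values.

# Escape the XML special characters so a value cannot break the plist.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
    -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# Upper-case UUID as Profile Manager emits; falls back to /dev/urandom when
# uuidgen is absent (for example on a Linux build host).
gen_uuid() {
  if command -v uuidgen >/dev/null 2>&1; then
    uuidgen | tr 'a-f' 'A-F'
  else
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n' | tr 'a-f' 'A-F' |
      sed 's/^\(.\{8\}\)\(.\{4\}\)\(.\{4\}\)\(.\{4\}\)\(.\{12\}\)$/\1-\2-\3-\4-\5/'
  fi
}

# make_custom_settings_profile <out> <identifier> <domain> <key> <string value> [removable: yes|no]
# <identifier> becomes the PayloadIdentifier, which is what
# "profiles -R -p <identifier>" removes later. A "Forced" entry applies the
# key on every launch; with removable=no the profile cannot be removed by the
# user (PayloadRemovalDisallowed), matching the Never setting in 4.1.19.
make_custom_settings_profile() {
  _out=$1 _id=$(xml_escape "$2") _domain=$(xml_escape "$3")
  _key=$(xml_escape "$4") _val=$(xml_escape "$5") _removable=${6:-yes}
  _disallow=false
  if [ "$_removable" = "no" ]; then _disallow=true; fi
  cat > "$_out" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.ManagedClient.preferences</string>
      <key>PayloadIdentifier</key><string>${_id}.customsettings</string>
      <key>PayloadUUID</key><string>$(gen_uuid)</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadContent</key>
      <dict>
        <key>${_domain}</key>
        <dict>
          <key>Forced</key>
          <array>
            <dict>
              <key>mcx_preference_settings</key>
              <dict>
                <key>${_key}</key><string>${_val}</string>
              </dict>
            </dict>
          </array>
        </dict>
      </dict>
    </dict>
  </array>
  <key>PayloadDisplayName</key><string>Custom Settings: ${_domain}</string>
  <key>PayloadIdentifier</key><string>${_id}</string>
  <key>PayloadRemovalDisallowed</key><${_disallow}/>
  <key>PayloadScope</key><string>System</string>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadUUID</key><string>$(gen_uuid)</string>
  <key>PayloadVersion</key><integer>1</integer>
</dict>
</plist>
EOF
}

# Reproduce the Office Communicator setting from this module when run with
# --write; on a Mac, plutil checks the plist before "profiles -I -F" installs it.
if [ "${1:-}" = "--write" ]; then
  make_custom_settings_profile /tmp/communicator.mobileconfig \
    com.pretendco.communicator com.microsoft.configurator \
    GatewayServer gateway.pretendco.com no
  if command -v plutil >/dev/null 2>&1; then plutil -lint /tmp/communicator.mobileconfig; fi
fi
```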


4.2.4

Manage Printers

Printers can also be managed using configuration profiles.
To use Profile Manager to manage a printer:

1. Open the Server application from /Applications.

2. Click Profile Manager from the Services list in the sidebar.

3. Click Open Profile Manager in the lower-left corner.

4. Authenticate as needed with administrative credentials.

5. Click Users, Groups, Devices, or Device Groups in the Library list in the sidebar. Then select the user, group, device, or device group to edit.

Figure 4.2.4_1

6. Click the Edit button.

Figure 4.2.4_2

7. In the sidebar, scroll down and click Printing.

8. Click the Configure button.

Figure 4.2.4_3

9. Click the Add (+) button.

Figure 4.2.4_4

10. A list of printers installed on the Profile Manager server is provided in the Add Printers dialog. If the required printer isn't listed, install it on the Profile Manager server. Otherwise, click the Add button for the printer.

11. Click Done once all desired printers have been added.

Figure 4.2.4_5

12. Click the OK button to return to the Profiles pane.

13. Select the checkbox for the printer just added.

14. Click OK.

Figure 4.2.4_6

15. Confirm that Printing is now listed.

Figure 4.2.4_7

16. Click the Save button. Then click Save again to confirm Save Changes.

Figure 4.2.4_8

4.2.5

Restrict Applications Using Profile Manager

Whitelisting applications can be simple or complicated depending on the approach. The simplest approach is to allow only the applications in the Applications folder to be opened. Alternatively, restrict specific applications using the Blacklisting option. Note, however, that blacklisting only accounts for applications specifically restricted by administrators. By limiting permissions on the Applications folder, administrators further create a sandbox that keeps users within predefined boundaries.
To use Profile Manager to limit users to opening only implicitly allowed applications:

1. Open the Server application from /Applications.

2. Click Profile Manager from the Services list in the sidebar.

3. Click Open Profile Manager in the lower-left corner.

4. Authenticate as needed with administrative credentials.

5. Click Users, Groups, Devices, or Device Groups in the Library list in the sidebar. Then select the user, group, device, or device group to edit.

Figure 4.2.5_1

6. Click the Edit button.

Figure 4.2.5_2

7. In the sidebar, scroll down to OS X and click Restrictions.

8. In the Configuration Restrictions pane, click the Configure button.

Figure 4.2.5_3

9. Click the Apps tab.

Figure 4.2.5_4

10. Click the Restrict which applications are allowed to launch checkbox.

Figure 4.2.5_5

11. Click the Add (+) button for Allow Folders.

12. Enter /Applications in the provided text field.

Figure 4.2.5_6

13. Click the OK button to return to the Profiles pane. Users in the selected object can only open applications in /Applications (the default in OS X).

14. Confirm that Restrictions is now listed.

Figure 4.2.5_7

15. Click the Save button. Then click Save again to confirm Save Changes.

Figure 4.2.5_8

4.2.6

Deploy VPN Connections Using Profile Manager

VPN connections are cumbersome to set up manually. Profile Manager provides a mechanism for pushing out configurations automatically to end users so they have a configuration on their device when it is provisioned, offering users a simple experience for connecting to a corporate VPN.
To use Profile Manager to push out VPN configurations:

1. Open the Server application from /Applications.

2. Click Profile Manager from the Services list in the sidebar.

3. Click Open Profile Manager in the lower-left corner.

4. Authenticate as needed with administrative credentials.

5. Click Users, Groups, Devices, or Device Groups in the Library list in the sidebar. Then select the user, group, device, or device group to edit.

6. Click the Settings tab.

7. Click Edit.

Figure 4.2.6_1

8. Click Restrictions in the left sidebar.

9. Click the Configure button.

Figure 4.2.6_2

10. Click VPN in the left sidebar.

11. Provide a name in the Connection Name field.

12. Select a type of connection from the Connection Type menu.
Note: Many types are vendor specific, and their subsequent settings are obtained from your IT staff or the vendor of the VPN hardware/software.

13. Enter the settings required to connect to the VPN.

Figure 4.2.6_3

14. Click OK.

15. Click the Save button.

16. Click Save again to confirm Save Changes.

4.2.7

Force Password Policies Using Profile Manager

OS X functions well in an Active Directory environment. However, many systems administrators today choose to run without directory services. Security professionals need to keep passwords complex and changing at a frequency that matches the organization's security policy. Therefore, Apple provides a facility in Profile Manager to enforce strong passwords by way of local password policies.
To use Profile Manager to push out password policies:

1. Open the Server application from /Applications.

2. Click Profile Manager from the Services list in the sidebar.

3. Click Open Profile Manager in the lower-left corner.

4. Authenticate as needed with administrative credentials.

5. Click Users, Groups, Devices, or Device Groups in the Library list in the sidebar. Then select the user, group, device, or device group to edit.

6. Click the Settings tab.

7. Click Edit.

Figure 4.2.7_1

8. Click Passcode in the left sidebar.

9. Click the Configure button.

Figure 4.2.7_2

10. Choose the appropriate settings for your environment.

Figure 4.2.7_3

11. Click OK.

12. Click the Save button.

13. Click Save again to confirm Save Changes.

4.2.8

Configure Single Sign-On Using Profile Manager

OS X functions well in an Active Directory and LDAP environment. One aspect that works with such environments is the ability to configure single sign-on authentication for Kerberos-based environments. Profile Manager can deploy Active Directory information, which allows users to log in at the login window. However, if you choose not to configure Active Directory accounts as login accounts, you can still push out single sign-on configurations for local accounts.
To use Profile Manager to push out single sign-on configurations:

1. Open the Server application from /Applications.

2. Click Profile Manager from the Services list in the sidebar.

3. Click Open Profile Manager in the lower-left corner.

4. Authenticate as needed with administrative credentials.

5. Click Users, Groups, Devices, or Device Groups in the Library list in the sidebar. Then select the user, group, device, or device group to edit.

6. Click the Settings tab.

7. Click Edit.

Figure 4.2.8_1

8. Click Single Sign-On in the left sidebar.

9. Click the Configure button.

Figure 4.2.8_2

10. Provide the appropriate information for your environment. This includes:

a. Account Name. How the information is displayed on the device.

b. Principal Name. The UPN, or UserPrincipalName, from within Active Directory of the Kerberos provider. Note: UPNs can be listed using the Get-ADUser cmdlet, as follows:
Get-ADUser -Filter * -SearchBase 'ou=Users,dc=pretendco,dc=com' -Properties userPrincipalName

c. Realm. The realm name of your Kerberos environment (for example, the Active Directory domain name).

Figure 4.2.8_3

11. Click OK.

12. Click the Save button.

13. Click Save again to confirm Save Changes.

4.2.9

Limit Access to Sites Using Profile Manager

Kiosk systems and systems not covered by proxy servers can have certain websites denied, or all websites denied and only certain sites allowed. This is deployable via Profile Manager.
To use Profile Manager to restrict access to certain sites:

1. Open the Server application from /Applications.

2. Click Profile Manager from the Services list in the sidebar.

3. Click Open Profile Manager in the lower-left corner.

4. Authenticate as needed with administrative credentials.

5. Click Users, Groups, Devices, or Device Groups in the Library list in the sidebar. Then select the user, group, device, or device group to edit.

6. Click the Settings tab.

7. Click Edit.

Figure 4.2.9_1

8. Click Web Content Filter in the left sidebar.

9. Click the Configure button.

Figure 4.2.9_2

10. Provide the appropriate information for your environment. From the Allowed Websites menu, select from the following:

a. Limit Adult Content. This option restricts information considered to be adult content.
Permitted URLs. Click the Add (+) button to whitelist certain sites.
Blacklisted URLs. Click the Add (+) button to list sites for which access is explicitly denied (whether adult content or not).

b. Specific Websites Only. This option only allows access to specific sites (this is useful with kiosks, for example).
Specific Websites. List each site the device can access.

Figure 4.2.9_3

11. Click OK.

12. Click the Save button.

13. Click Save again to confirm Save Changes.

4.3

Password Policies
A variety of password policies are applied to clients through configuration profiles, Active Directory, or command-line tools. These policies should conform to the requirements set forth by an organization's security policy.
When using Active Directory, the Active Directory password policies are respected by OS X. Clients are notified of expiring passwords, and users can change their Active Directory passwords in OS X.

4.3.1

Audit Local Password Policies

Setting up password policies in Active Directory or OS X Server enforces policies on directory-service-based accounts. Many of these policies also exist in OS X but need to be set from the command line when not managed centrally.
The tool to audit (and configure) password policies in OS X is pwpolicy. The following example covers using pwpolicy to check which policies are enforced and what their settings are as part of an audit of password policies.
To view the global password policy (enforceable on all users) on a local computer, run pwpolicy, specifying the -n option and /Local/Default to indicate the local default node. Then use -getglobalpolicy (having defined where to look for the policy information earlier), as follows:
pwpolicy -n /Local/Default -getglobalpolicy

This results in a list of all OS X global password policies and their settings on the client system, as follows:
usingHistory=0 canModifyPasswordforSelf=1
usingExpirationDate=0 usingHardExpirationDate=0
requiresAlpha=0 requiresNumeric=0 expirationDateGMT=12/31/69
hardExpireDateGMT=12/31/69 maxMinutesUntilChangePassword=0
maxMinutesUntilDisabled=0 maxMinutesOfNonUse=0
maxFailedLoginAttempts=0 minChars=8 maxChars=0
passwordCannotBeName=0 requiresMixedCase=0 requiresSymbol=0
newPasswordRequired=0 minutesUntilFailedLoginReset=0
notGuessablePattern=0

Use the pwpolicy command to see the policies for a given user. For example, run the following command to see any user-based password policies for a user with a short name of jfoster:
pwpolicy -n /Local/Default -u jfoster

In this command, administrators use pwpolicy to search in the local directory service, but specify the user jfoster following the -u option. To have pwpolicy look at the user's policy, follow it up with -getpolicy at the end, as follows:
pwpolicy -n /Local/Default -u jfoster -getpolicy
Getting policy for testing
newPasswordRequired=0

Once the user's password policy and the global password policy for the computer are known, composite the two to obtain a resultant set of policies (or an effective policy). Rather than compositing them manually, run pwpolicy, specifying --get-effective-policy. In the following example, provide the password for user jfoster (indicated with the -u option), followed by the --get-effective-policy option, to print the resultant policy enforced for jfoster:
pwpolicy -n /Local/Default -u jfoster -p jimmypassword --get-effective-policy

When auditing password policies, it's important to understand what each policy does. The following is a description of global password policies (obtained from the man page for pwpolicy).

usingHistory: 0, user can reuse the current password; 1, user can't reuse the current password; 2-15, user can't reuse the last n passwords.
usingExpirationDate: If 1, user is required to change password on the date in expirationDateGMT.
usingHardExpirationDate: If 1, user's account is disabled on the date in hardExpireDateGMT.
requiresAlpha: If 1, user's password is required to have a character in [A-Z][a-z].
requiresNumeric: If 1, user's password is required to have a character in [0-9].
expirationDateGMT: Date for the password to expire; format must be mm/dd/yy.
hardExpireDateGMT: Date for the user's account to be disabled; format must be mm/dd/yy.
maxMinutesUntilChangePassword: User is required to change the password at this interval.
maxMinutesUntilDisabled: User's account is disabled after this interval.
maxMinutesOfNonUse: User's account is disabled if it isn't accessed by this interval.
maxFailedLoginAttempts: User's account is disabled if the failed login count exceeds this number.
minChars: Passwords must contain at least minChars.
maxChars: Passwords are limited to maxChars.

Global password policies configure each user's password policies. Additionally, users can have specific password policies that aren't available as global policies. A description of the additional user password policies includes the following:

isDisabled: If 1, user account isn't allowed to authenticate, ever.
isAdminUser: If 1, this user can administer accounts on the password server.
newPasswordRequired: If 1, the user will be prompted for a new password at the next authentication. Applications that don't support change password won't authenticate.
canModifyPasswordforSelf: If 1, the user can change the password.

A description of allowed password hash types that will be used to store passwords (configurable with pwpolicy) includes the following:

CRAM-MD5: Required for IMAP.
RECOVERABLE: Required for APOP and WebDAV.
SALTED-SHA512-PBKDF2: The default for loginwindow.
SALTED-SHA512: Legacy hash for loginwindow.
SMB-NT: Required for compatibility with Windows NT/XP file sharing.
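To check the global policy listing against a baseline rather than reading it by eye, the following script (an added example, not from the guide) parses the key=value list that pwpolicy -getglobalpolicy prints and reports each baseline rule as PASS or FAIL. The BASELINE values are a constructed illustration, not a recommendation, and SAMPLE_POLICY is the unmanaged listing shown earlier in this module.

```shell
#!/bin/sh
# Audit a pwpolicy global policy string against a password baseline.
# Added example for this guide, not Apple's code. BASELINE is a constructed
# illustration; replace it with the rules from your organization's policy.

# One rule per line: <key> <ge|le|eq> <number>
BASELINE='minChars ge 8
maxFailedLoginAttempts ge 1
maxFailedLoginAttempts le 10
requiresAlpha eq 1
requiresNumeric eq 1
usingHistory ge 1
maxMinutesUntilChangePassword ge 1
maxMinutesUntilChangePassword le 129600'

# Constructed sample: the default global policy as listed in this module.
SAMPLE_POLICY='usingHistory=0 canModifyPasswordforSelf=1 usingExpirationDate=0 usingHardExpirationDate=0 requiresAlpha=0 requiresNumeric=0 expirationDateGMT=12/31/69 hardExpireDateGMT=12/31/69 maxMinutesUntilChangePassword=0 maxMinutesUntilDisabled=0 maxMinutesOfNonUse=0 maxFailedLoginAttempts=0 minChars=8 maxChars=0 passwordCannotBeName=0 requiresMixedCase=0 requiresSymbol=0 newPasswordRequired=0 minutesUntilFailedLoginReset=0 notGuessablePattern=0'

# policy_value "<policy string>" <key>: print the key's value (empty if absent).
# pwpolicy prints space-separated key=value pairs, possibly wrapped over
# several lines, so split on any whitespace before looking the key up.
policy_value() {
  printf '%s\n' "$1" | tr ' \t' '\n\n' | sed -n "s/^$2=//p" | head -n 1
}

# audit_policy "<policy string>": print one PASS/FAIL line per baseline rule
# and return 1 when any rule fails. A missing or non-numeric value is a FAIL,
# so a policy that was never set cannot pass by accident.
audit_policy() {
  _policy=$1
  _failed=0
  while read -r _key _op _want; do
    [ -n "$_key" ] || continue
    _have=$(policy_value "$_policy" "$_key")
    case $_have in
      '' | *[!0-9]*)
        printf '%s\n' "FAIL $_key=${_have:-<missing>} (want $_op $_want)"
        _failed=1
        continue ;;
    esac
    if [ "$_have" "-$_op" "$_want" ]; then
      printf '%s\n' "PASS $_key=$_have ($_op $_want)"
    else
      printf '%s\n' "FAIL $_key=$_have (want $_op $_want)"
      _failed=1
    fi
  done <<EOF
$BASELINE
EOF
  return $_failed
}

# Audit the live system when run as "sh audit.sh --live" on a Mac; this reuses
# the guide's command for the local default node.
if [ "${1:-}" = "--live" ]; then
  audit_policy "$(pwpolicy -n /Local/Default -getglobalpolicy)"
fi
```

The user-level listing from -getpolicy and the -get-effective-policy output use the same key=value form, so the same function audits them.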


4.3.2 Configure Local Password Policies

Administrators use configuration profiles to manage local password policies, or
pwpolicy, to audit local password policies in OS X programmatically. The
pwpolicy command can also be used to set policies. In the following module,
set the policies discussed previously. To set a password policy, run pwpolicy but
substitute the -getglobalpolicy and -getpolicy options with the
-setglobalpolicy and -setpolicy options, respectively.
To set a password policy:

1. Set the user password policy for the currently logged-in account (assuming
it's a local account) to require a minimum number of eight characters in a
user's password. To do so, run the following command:

pwpolicy -n /Local/Default -setpolicy minChars=8

2. To change this setting for the jfoster user, use the following command,
which adds a -u and the user name as follows:

pwpolicy -n /Local/Default -u jfoster -setpolicy minChars=8

3. Review the other password policies previously discussed, and decide which
ones to apply to your user accounts on the local system. Each additional
policy is added inside quotation marks ("") and separated by spaces.
Note: Keep in mind that administrative users won't have password policies
applied.

4. In cases with multiple users on a system, instead of setting password policies
for each user, set a global password policy. To set a global password policy,
invoke the pwpolicy command, specify the local node, and use
-setglobalpolicy, as in the following example:

sudo pwpolicy -n /Local/Default -setglobalpolicy requiresNumeric=1

Using this command enables the requiresNumeric option. In any boolean
password policy, the number 1 as the setting acts as an on switch, and the
number 0 acts as an off switch.

5. Once global password policies are set, configure many of your user password
policies to be identical to the global policies. To do so, use the
-setpolicyglobal option. For example, the following command is used
to configure the jfoster user to have the same policy as the global password
policy:

pwpolicy -n /Local/Default -u jfoster -setpolicyglobal

The commands used to adhere OS X to an organization's security policy are
placed into an organization's image, built into a package, or pushed out through
Apple Remote Desktop or another client management suite.
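As an added example (not from the Apple guide), the following script audits the -getglobalpolicy output against a baseline built from the policies above and prints the -setglobalpolicy command that would remediate it. It assumes the last line of that output is the key=value list, and it falls back to a constructed sample line when pwpolicy is not available.

```shell
#!/bin/sh
# Added example, not from the Apple guide: audit the local global password
# policy against a baseline and print the pwpolicy command that remediates it.
# Assumption: the last line printed by "pwpolicy -n /Local/Default
# -getglobalpolicy" is the key=value list shown in this module. The sample
# below is a constructed copy of that line for an unconfigured system.
SAMPLE_POLICY='usingHistory=0 canModifyPasswordforSelf=1 usingExpirationDate=0 usingHardExpirationDate=0 requiresAlpha=0 requiresNumeric=0 maxFailedLoginAttempts=0 minChars=0 maxChars=0 passwordCannotBeName=0'

# Baseline expressed exactly as -setglobalpolicy expects it.
BASELINE='minChars=8 requiresAlpha=1 requiresNumeric=1 maxFailedLoginAttempts=5'

# policy_get LINE KEY: print the value of KEY in a key=value line (empty if absent)
policy_get() {
  printf '%s\n' "$1" | tr ' ' '\n' | awk -F= -v k="$2" '$1 == k { print $2; exit }'
}

# policy_audit LINE: print each key that misses the baseline; return 0 only
# when every check passes. Boolean policies use 1 for on and 0 for off.
policy_audit() {
  line="$1"
  rc=0
  [ "$(policy_get "$line" minChars)" -ge 8 ] 2>/dev/null || { echo minChars; rc=1; }
  [ "$(policy_get "$line" requiresAlpha)" = 1 ] || { echo requiresAlpha; rc=1; }
  [ "$(policy_get "$line" requiresNumeric)" = 1 ] || { echo requiresNumeric; rc=1; }
  # maxFailedLoginAttempts=0 means lockout is disabled; a small positive
  # value limits online guessing without locking users out on a single typo.
  n="$(policy_get "$line" maxFailedLoginAttempts)"
  { [ -n "$n" ] && [ "$n" -gt 0 ] && [ "$n" -le 10 ]; } 2>/dev/null \
    || { echo maxFailedLoginAttempts; rc=1; }
  return "$rc"
}

# remediation_command LINE: print the command that brings LINE to baseline,
# or nothing when the policy already complies.
remediation_command() {
  if policy_audit "$1" >/dev/null; then
    return 0
  fi
  printf 'sudo pwpolicy -n /Local/Default -setglobalpolicy "%s"\n' "$BASELINE"
}

# Read the live policy on OS X; fall back to the constructed sample elsewhere.
if command -v pwpolicy >/dev/null 2>&1; then
  CURRENT="$(pwpolicy -n /Local/Default -getglobalpolicy 2>/dev/null | tail -n 1)"
else
  CURRENT="$SAMPLE_POLICY"
fi
echo "policies below baseline:"
policy_audit "$CURRENT" || echo "(remediation needed)"
remediation_command "$CURRENT"
```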


4.4 Use the Volume Purchase Program to Deploy Apps

To deploy applications through the Volume Purchase Program (VPP) for Business,
first purchase application licenses from the Enterprise App Store. Then use the
VPP to give each relevant user's Apple ID access to the appropriate apps.
Applications can be deployed to user computers using Profile Manager or
third-party MDM tools that have VPP integration. Users can also self-deploy apps by
opening the App Store, clicking Purchases, and selecting an application that has
been assigned to their account.
Once downloaded, applications can be deployed to a computer using patch
management tools and by simply copying the .app bundle from computer to
computer. When a user leaves the organization, licenses for the applications once
installed on their computer may be reused by another user. These strategies
provide the simplest deployment experience for administrators.


5 Security
There are a number of features built into OS X that provide added layers of
security. This guide covers those most commonly looked for in enterprise
environments, from where to find additional resources to more technical
options such as setting up full disk encryption.


5.1 Use Security Resources

Apple Product Security Page. www.apple.com/support/security
The Apple website offers a section dedicated to the security of Apple
products called the Apple Product Security page.

Security Updates. support.apple.com/kb/HT1222
Apple security updates are listed on the Apple Support website. Each update
has a link to its description, which references corresponding CVE IDs
(Common Vulnerabilities and Exposures Identifiers) for the vulnerabilities
patched with each update.

Security Mailing List.
Apple also maintains a mailing list that includes product security
notifications and announcements. To join this list, visit
lists.apple.com/mailman/listinfo/security-announce.


5.2 Use Gatekeeper

Gatekeeper manages the execution of applications, allowing administrators to
limit access to applications not downloaded from the Mac App Store or
applications not signed by a member of the Apple Developer ID program. By only
allowing signed applications and apps from the Mac App Store or a known
developer, the risk of malicious software in an email attachment or web
download is significantly mitigated. The default setting in OS X is to allow only
Mac App Store applications. OS X can also restrict access to applications based on
configuration profile settings delivered through Profile Manager and third-party
mobile device management solutions. Application whitelisting is based on
unique app signatures, whole directories that contain applications, or both.


5.2.1 Use Gatekeeper to Validate Application Downloads

Gatekeeper uses code signatures to validate the source of applications at
download. Administrators can restrict installation based on where the software is
downloaded from: Mac App Store only, Mac App Store and identified developers
who have signed their code using an Apple-issued developer certificate, or any
source.
In Figure 5.2.1_1, Profile Manager limits a Mac to software from the Mac App Store
and identified developers.

Figure 5.2.1_1


To set application launch security through Profile Manager:

1. In Profile Manager, select a Mac (or group of Mac computers) to manage
from the Library list in the sidebar.

Figure 5.2.1_2

2. Click the Settings tab, then click the Edit button for the profile.

3. In the Settings sidebar, click Security & Privacy.

4. Click the Configure button to create a Security & Privacy payload.

Figure 5.2.1_3


5. Click the checkbox for Do not allow user to override Gatekeeper setting
(OS X only).

Figure 5.2.1_4

6. Once finished managing the Application Launch Security settings, click OK.

7. Click Save to apply the settings.

8. Click Save again to save the settings.

Figure 5.2.1_5


5.3 Enforce Firmware Passwords

The Intel Mac firmware used in Apple computers is known as EFI. A firmware
password can be added to the startup process for a computer. Keep in mind that
an EFI password does not provide encryption on the boot volume and should be
implemented as another layer in your security solution.
The nvram command is used to set an EFI password. To disable EFI passwords,
use the following commands:

nvram -d security-mode
nvram -d security-password


5.4 Manage Remote Logins

On client computers, SSH (Secure Shell) allows administrators access to a system
currently in use by a user.
To enable Remote Login in the Sharing pane in System Preferences:

1. Choose System Preferences from the Apple menu.

2. Click Sharing.

3. Select the Remote Login checkbox.

4. Administrators should also enable a SACL (Service Access Control List) for the
service. To do so, select the Only these users checkbox and click the Add (+)
button to add those users allowed to leverage the SSH service on the Mac.

Figure 5.4_1

Many client management systems use SSH to communicate with their agent
software and to control client systems. Enabling SSH, also called Remote Login,
can be done through the command line in order to facilitate mass deployment of
SSH to client systems.


To use Remote Login for mass deployment of SSH to client systems:

1. Enable SSH using the systemsetup command along with the
-setremotelogin option, as follows:

systemsetup -setremotelogin on

2. Linux administrators may be tempted to configure the list of accounts that
can access SSH in /etc/sshd_config. However, this only works when All Users
is selected in the SACL in the Sharing pane in System Preferences. Therefore,
limit the users with SSH access to those in the com.apple.access_ssh group.
Start by creating the group using dseditgroup, as follows:

dseditgroup -o create -q com.apple.access_ssh

3. Add each user into the com.apple.access_ssh group, using dseditgroup to
add (-a) the localadmin account into the com.apple.access_ssh
group (-t), as follows:

dseditgroup -o edit -a localadmin -t group com.apple.access_ssh


5.5 Use Key-Based SSH Access

SSH is one of the primary ways to obtain a shell on another host in UNIX, Linux,
and OS X. SSH is also used to exchange files in an automated fashion between
systems (for example scp for secure copy).
When automating tasks for obtaining logs (to be converted into reports) from
client systems, performing file operations, or remotely running commands and
scripts, administrators must authenticate each time automations are run. Consider
a preshared key approach to achieving authentication for routine SSH tasks so
that passwords aren't placed in scripts. Use passwords in conjunction with
preshared keys for more day-to-day operations, thus enhancing the security of
the communications by two factors.
In this module, use preshared keys to connect from one host to another over SSH
without the use of a password.
To use key-based SSH access:

1. Generate an rsa key by using the following command:

ssh-keygen -t rsa1

The system will respond with the following:

Generating public/private rsa1 key pair

2. When prompted for a location for the key, leave this blank.
The key is saved to a folder called .ssh in your user home folder. If logged in
as a user called jfoster, you'll receive output similar to the following:

Your identification has been saved in /Users/jfoster/.ssh/identity.
Your public key has been saved in /Users/jfoster/.ssh/identity.pub.

The key fingerprint will be similar to the following:

b8:ed:b5:92:d6:dd:ea:4b:00:45:41:16:33:4d:5a:3a jfoster@client16.pretendco.com

Now that you have your key exported for your identity, export keys for use
with SSH clients. These need to be in dsa and then rsa formats (rather than
rsa1 as previously used).

3. Run the following commands, providing a password when requested:

ssh-keygen -t dsa
ssh-keygen -t rsa

When the keys are generated, they reside in the ~/.ssh directory. Copy the
keys to the target host and merge them into an authorized_keys file.


4. To copy the keys to the target host, use scp as follows:

scp ~/.ssh/*.pub root@192.168.210.249:/Users/jfoster/.ssh/tmp_authorized_keys

Note: Replace the IP address in the command above with that of the target.

5. Merge keys into the authorized_keys file on that host using the following
command on the target system:

cat /Users/jfoster/.ssh/tmp_authorized_keys/*.pub > /Users/jfoster/.ssh/authorized_keys

6. Once complete, remove /Users/jfoster/.ssh/tmp_authorized_keys as follows:

rm /Users/jfoster/.ssh/tmp_authorized_keys/*.pub

Establish an SSH session on the target host without the use of a password to
test communications.
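As an added example (not from the guide), the following script performs the merge from step 5 without overwriting keys already present in authorized_keys, skips keys that are already authorized, and sets the permissions sshd requires before it honours the file. The key lines used in the demo at the bottom are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not from the Apple guide: merge exported *.pub files into
# authorized_keys the way step 5 does, but without overwriting keys already
# authorized on the target, without adding the same key twice, and with the
# permissions sshd requires. The key lines in the demo are constructed
# placeholders, not real keys.

# key_present TYPE DATA FILE: return 0 if FILE already holds this key
# (matched on type and key material only, so a changed comment is not "new")
key_present() {
  awk -v t="$1" -v d="$2" '$1 == t && $2 == d { found = 1 } END { exit !found }' "$3"
}

# merge_authorized_keys SRC_DIR TARGET: append every new key found in
# SRC_DIR/*.pub to TARGET and print how many keys were added
merge_authorized_keys() {
  src="$1"
  target="$2"
  tdir="$(dirname "$target")"
  mkdir -p "$tdir"
  chmod 700 "$tdir"            # sshd ignores ~/.ssh when it is group/world writable
  touch "$target"
  chmod 600 "$target"
  added=0
  for pub in "$src"/*.pub; do
    [ -f "$pub" ] || continue  # no .pub files: the glob stays literal
    while IFS= read -r line || [ -n "$line" ]; do
      case "$line" in ''|'#'*) continue ;; esac
      set -- $line             # fields: key type, base64 key material, comment
      if ! key_present "$1" "$2" "$target"; then
        printf '%s\n' "$line" >> "$target"
        added=$((added + 1))
      fi
    done < "$pub"
  done
  echo "$added"
}

# Demo with constructed keys in a temporary directory.
demo_dir="$(mktemp -d)"
mkdir "$demo_dir/pub"
printf 'ssh-ed25519 AAAAC3CONSTRUCTEDKEY1 jfoster@client16.pretendco.com\n' > "$demo_dir/pub/id_ed25519.pub"
printf 'ssh-rsa AAAAB3CONSTRUCTEDKEY2 jfoster@client16.pretendco.com\n' > "$demo_dir/pub/id_rsa.pub"
# The target already authorizes the rsa key under an older comment.
mkdir -p "$demo_dir/.ssh"
printf 'ssh-rsa AAAAB3CONSTRUCTEDKEY2 jfoster@oldhost\n' > "$demo_dir/.ssh/authorized_keys"
echo "added on first merge: $(merge_authorized_keys "$demo_dir/pub" "$demo_dir/.ssh/authorized_keys")"   # 1
echo "added on second merge: $(merge_authorized_keys "$demo_dir/pub" "$demo_dir/.ssh/authorized_keys")"  # 0
rm -rf "$demo_dir"
```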


5.6 Use FileVault 2

FileVault 2 provides full disk encryption for data-at-rest (DAR) protection and is
built into OS X. FileVault 2 keeps all files on a Mac secure using XTS-AES-128
(256-bit keys) data encryption at the disk level. With FileVault 2 turned on, all
information on the computer is kept safe from unauthorized access.
In this module, enable FileVault 2 full disk encryption.
To enable FileVault:

1. Open System Preferences from the Apple menu.

2. Click Security & Privacy.

Figure 5.6_1

3. Click the FileVault tab.

Figure 5.6_2

4. Click the Turn On FileVault button.

Figure 5.6_3


5. If the system has multiple users, click Enable User for each authorized user.
Then have the user enter his or her login password. Users who have provided
passwords will be shown with a checkmark icon, while users who still require
a password will be shown with an Enable User button. Users who don't have
any password set will be shown with a Set Password button.
Note: Logging in after the system disk has been unlocked by another user is
still possible, even if the user isn't enabled here.

Figure 5.6_4

6. When prompted, provide the password.

7. Click OK, and repeat for each user.

Figure 5.6_5


8. Click Continue once all authorized users are enabled.

9. Document the displayed recovery key provided in the Recovery Key dialog.

10. Click Continue.

Figure 5.6_6

11. (Optional) To store the recovery key with Apple:

a. Click the Store the recovery key with Apple radio button to store the
protected key on Apple servers.

b. Select three security questions to which you'll always remember the
responses.

c. Provide a response below each question. You will need to reenter the
exact same responses should the recovery keys need to be retrieved.

d. The recovery key will be wrapped by a key generated from the selected
questions and responses.

12. Click Continue.


Figure 5.6_7

13. Click Restart to restart the Mac and begin the encryption process.

Figure 5.6_8


To verify FileVault 2 full disk encryption status:

1. Open System Preferences from the Apple menu.

2. Click Security & Privacy.

3. Click the FileVault tab.

Figure 5.6_9


4. Note the displayed FileVault status:

a. FileVault is turned on for the disk <disk name>. This indicates that Full
Disk Encryption (FDE) has been enabled for the disk.

b. FileVault is turned off for the disk <disk name>. This indicates that FDE
hasn't been enabled for the disk.

c. A recovery key has been set. This indicates that the protected recovery
key is stored on Apple servers.

d. A recovery key has been set by your company, school, or institution.
This indicates that an administrator has set the institutional recovery key.

e. Encryption Finished. This indicates that the drive has completed the
conversion process and is now fully encrypted.

Figure 5.6_10

To disable FileVault:

1. Open System Preferences from the Apple menu.

2. Click Security & Privacy.

3. Click the FileVault tab.


4. Click the Turn Off FileVault button.

Figure 5.6_11

5. Click Turn Off Encryption to confirm you wish to turn off FileVault.

Figure 5.6_12


5.6.1 Enable FileVault from the Command Line

OS X includes a command-line tool called fdesetup that allows system
administrators to remotely manage FileVault. Use fdesetup to enable or disable
FileVault, to add and remove users that may unlock the volume, and to determine
whether FileVault is active on a particular Mac.
In this module, use fdesetup to enable FileVault.
To enable FileVault from the command line:

1. Start a command-line session using Terminal or the Remote Login service.

2. Examine the current status of FileVault by entering the command:

fdesetup status

3. After confirming FileVault is off, enable FileVault with the command:

fdesetup enable

4. Unless additional parameters are specified, an interactive session will prompt
for the primary user's short name and password.

5. On enabling FileVault, a Recovery key is returned by the fdesetup
command. It should be recorded or otherwise stored by IT.

Once enabled, FileVault can be disabled provided the recovery key is available. To
disable, use fdesetup with the disable flag.


5.6.2 Use fdesetup to Validate Escrowed Recovery Keys

The fdesetup command is used to enable FileVault from the command line. One
of the most important tasks when deploying FileVault company-wide is to escrow
the recovery keys to a centralized location and verify that the keys will work when
needed.
There are two types of keys, a personal recovery key and an institutional recovery
key. When FileVault is enabled using the Security & Privacy pane in System
Preferences, the personal recovery key is displayed. The institutional key is a key
that can be shared between multiple hosts.
Note: The institutional key can be used to unlock every FileVault 2 instance on
which it is deployed. Therefore, special precautions should be instituted around
the password and the storage of that key, and measured policies should be
enacted for its use.
To use the fdesetup command to check whether a computer has a personal
recovery key:

1. Start a command-line session using Terminal or the Remote Login service.

2. Examine whether FileVault uses a personal recovery key by entering the
command:

fdesetup haspersonalrecoverykey

To use the fdesetup command to check whether a computer has an
institutional recovery key:

1. Start a command-line session using Terminal or the Remote Login service.

2. Examine whether FileVault uses an institutional recovery key by entering the
command:

fdesetup hasinstitutionalrecoverykey

To enable a specific personal recovery key:

1. Start a command-line session using Terminal or the Remote Login service.

2. Set the recovery key by using the changerecovery verb along with a
-personal option, as follows:

fdesetup changerecovery -personal

3. When prompted, enter the personal key to use.


To enable a specific institutional recovery key (in the form of a certificate):

1. Start a command-line session using Terminal or the Remote Login service.

2. Set the recovery key by using the changerecovery verb, along with a
-institutional option, followed by the -certificate option that lists
the path to a certificate, as follows:

fdesetup changerecovery -institutional -verbose -certificate /tmp/institutional.cer

3. When prompted, enter the key to the certificate.

Once deployed, use the validaterecovery option to verify that a recovery key
will indeed unlock the encrypted boot volume of a system.
To verify the recovery key will unlock the encrypted boot volume:

1. Start a command-line session using Terminal or the Remote Login service.

2. Run fdesetup with the validaterecovery verb, followed by the
-recoverykey option and a key, as follows:

fdesetup validaterecovery -recoverykey ABCD-ABCD-ABCD-ABCD-ABCD

3. The output will either be a true or a false.
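As an added example (not from the guide), the following script combines the fdesetup status, haspersonalrecoverykey and validaterecovery checks from this module into one verdict for the key escrowed for a host. It assumes the output wordings noted in its comments; the escrow file format (hostname,recovery-key per line) and its rows are constructed.

```shell
#!/bin/sh
# Added example, not from the Apple guide: verify that the recovery key
# escrowed for this Mac still unlocks its boot volume, combining the three
# fdesetup checks from this module into one pass/fail verdict.
# Assumptions: "fdesetup status" prints "FileVault is On." or "FileVault is
# Off."; haspersonalrecoverykey and validaterecovery print true or false; the
# escrow file format (hostname,recovery-key per line) and its rows are
# constructed for this example.
ESCROW_FILE="${ESCROW_FILE:-/path/to/escrow.csv}"   # placeholder path

# escrow_lookup HOST FILE: print the key escrowed for HOST, or nothing
escrow_lookup() {
  awk -F, -v h="$1" '$1 == h { print $2; exit }' "$2"
}

# fv_verdict STATUS HAS_PRK VALIDATE: print the verdict and return 0 on pass.
# STATUS is the fdesetup status output; HAS_PRK and VALIDATE are true/false.
fv_verdict() {
  case "$1" in
    *"FileVault is On"*) ;;
    *) echo "fail: FileVault is not enabled on this Mac"; return 1 ;;
  esac
  if [ "$2" != true ]; then
    echo "fail: no personal recovery key is set, nothing to escrow"
    return 1
  fi
  if [ "$3" != true ]; then
    echo "fail: escrowed key does not unlock this volume, re-escrow it"
    return 1
  fi
  echo "pass: escrowed recovery key unlocks this volume"
}

# check_host HOST FILE: gather the live fdesetup answers on OS X; elsewhere
# (or when fdesetup is missing) only the escrow lookup can be checked.
check_host() {
  key="$(escrow_lookup "$1" "$2")"
  if [ -z "$key" ]; then
    echo "fail: no recovery key escrowed for $1"
    return 1
  fi
  if ! command -v fdesetup >/dev/null 2>&1; then
    echo "skip: fdesetup not available on this system"
    return 2
  fi
  status="$(fdesetup status)"
  has_prk="$(fdesetup haspersonalrecoverykey)"
  valid="$(fdesetup validaterecovery -recoverykey "$key")"
  fv_verdict "$status" "$has_prk" "$valid"
}

# Demo on a constructed escrow file with a placeholder key.
tmp="$(mktemp)"
printf 'client16.pretendco.com,ABCD-ABCD-ABCD-ABCD-ABCD-ABCD\n' > "$tmp"
check_host client16.pretendco.com "$tmp" || true
# The verdict logic alone, with the answers a correctly escrowed Mac gives:
fv_verdict "FileVault is On." true true
rm -f "$tmp"
```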


5.6.3 Enable FileVault on an External Volume

FileVault can be used for more than just the boot volume. Enable FileVault on any
volume connected to the computer to keep all your removable media secure.
To encrypt an external volume using FileVault:

1. View a volume using the Finder.

2. Control-click or right-click the volume name.

3. Choose Encrypt <Name of Volume> from the pop-up menu.

Figure 5.6.3_1

4. In the encryption dialog, provide a password and a hint for remembering the
password. Then click the Encrypt Disk button.

Figure 5.6.3_2

FileVault 2 is scriptable. The fdesetup command is used to encrypt and manage
keys for boot volumes, and the diskutil command is used to encrypt external
volumes. To encrypt a non-boot volume, first run diskutil along with the list
verb to see what disks and volumes are available, as follows:

diskutil list

The output is similar to the following:

   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *251.0 GB   disk0
   1:                        EFI                         209.7 MB   disk0s1
   2:                  Apple_HFS Macintosh HD            250.1 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3
   4:      GUID_partition_scheme                        *292.0 GB   disk1
   5:                        EFI                         209.7 MB   disk1s1
   6:                  Apple_HFS ExternalHD              250.1 GB   disk1s2

The device for the ExternalHD, above, is disk1s2. This is the volume to be
encrypted. The diskutil command is used to encrypt that volume, using the cs
(short for CoreStorage) option, along with the convert verb, the identifier, and
the -passphrase option, in that order. The command would then be as follows:

diskutil cs convert /dev/disk1s2 -passphrase

Use the list verb with the diskutil command to watch the status, as follows:

diskutil cs list


5.6.4 Configure Master Passwords

When using monolithic images, deploying Full Disk Encryption can be
problematic if relying on each user to enable encryption or if IT must touch each
computer to enter the standard master password.
The FileVault Master Password is configured on a monolithic image for all clients
concurrently. This keeps users from setting their own FileVault Master Password.
Setting a master password to a value known by IT personnel is helpful in the
event IT needs access to a FileVault-encrypted Mac. It also helps with support
when assistance is required and the master password is needed.
To set a FileVault Master Password in System Preferences:

1. Open System Preferences from the Apple menu.

2. Click Users & Groups.

3. Click the lock icon and authenticate to make changes.

Figure 5.6.4_1


4. Click the cog wheel icon to open the action pop-up menu. Then choose Set
Master Password.

Figure 5.6.4_2

5. Enter the desired master password, then again to Verify.

6. Click the OK button.

Figure 5.6.4_3

The Master Password is now set in a master image.


5.6.5 Manage FileVault 2 Keys

Managing keys for all users can require multiple approaches. To use the best
deployment technique for FileVault 2, first consider how the encrypted drives will
be supported and how data will be recovered when doing so as a required part
of standard support operations.
For a detailed look at different approaches for managing FileVault 2, refer to the
Apple Technical White Paper, Best Practices for Deploying FileVault 2, available at
training.apple.com/pdf/WP_FileVault2.pdf.


5.6.6 Encrypt Time Machine Backups

Time Machine backups stored on locally selected volumes can be encrypted
using a custom password.
To enable encrypted Time Machine backups:

1. Open System Preferences from the Apple menu.

2. Click Time Machine.

Figure 5.6.6_1

3. Click Options.

Figure 5.6.6_2

4. Click the Add (+) button.

Figure 5.6.6_3

5. Select any files or folders to exclude from the backup.

6. Click Exclude.

Figure 5.6.6_4

7. Repeat this process until all files and folders to exclude from the backup have
been selected.

8. Click Save.

9. Click Select Backup Disk.

10. Select a disk from the list.

11. Click the Encrypt backups checkbox.

Figure 5.6.6_5

12. Click Use Disk.

13. Enter a backup password in the provided field. Then reenter the same
password in the Verify password field.
Note: Time Machine uses this password to encrypt the backup disk you
selected. For help creating a strong password, click the key icon to the right.

14. Click the Encrypt Disk button to begin the encryption and backup processes.

Figure 5.6.6_6

Backups are encrypted and will protect all files stored inside the encrypted Time
Machine location. Reenter the same backup password when attempting to
recover a system from this encrypted Time Machine backup.

5.7 Use Third-Party Full Disk Encryption

Full disk encryption (FDE) software manages fully encrypted volumes in an
organization and provides centralized key escrow for recovering access to the
encrypted data. Third-party options are available that encrypt the boot volume of
a Mac computer.
There are several enterprise software-based full disk encryption solutions, such as:

Check Point Full Disk Encryption. www.checkpoint.com

Symantec Drive Encryption. www.symantec.com/drive-encryption

Sophos SafeGuard Encryption. www.sophos.com

WinMagic SecureDoc for Mac. www.winmagic.com
WinMagic integrates both software- and hardware-based full disk encryption,
with self-encrypting hard disk drives (SEDs).

All major developers of full disk encryption solutions provide the ability to
centrally manage encryption keys, thus allowing for centralized key recovery. All
third-party FDE solutions have the ability to be mass deployed, as needed, so that
the full disk encryption process isn't laborious to set up.


5.8 Manage the Network Firewall

Network firewalls help protect client computers in an organization. While most
systems on a corporate network are protected at the network perimeter, client
computers can be exposed to a variety of threats, whether used inside or outside
the organization. Therefore, running a firewall on each client system is
recommended.
Most environments leverage a layered approach to security, including a software
firewall. OS X includes two firewalls, an application-layer firewall and a pf firewall.
This module covers both types of firewalls, starting with the application-layer
firewall, which operates by validating the processes attempting to communicate
and how they're allowed to communicate.


5.8.1 Use the Application-Layer Firewall

OS X includes an application-layer firewall that secures network traffic by limiting
which applications are allowed to establish network sockets in order to
communicate with other hosts.
The application-layer firewall limits which applications establish sockets by
leveraging an application-signing framework. An application can't establish a
network connection without first being digitally signed. Application sources are
tracked based on signatures and signature checking when initiating connections.
Once an application makes a network connection, the application-layer firewall
tracks whether the application can be used for incoming traffic.
When using the application-layer firewall, if an application attempts to establish a
connection on the network for the first time, the user is prompted to accept the
communication. Only after acceptance is the application connection allowed
through the firewall. The firewall can also be configured to deny all incoming
communication so that users aren't prompted to accept incoming traffic.


5.8.1.1 Configure the Application-Layer Firewall

The application-layer firewall in OS X is configured using the Security & Privacy
pane in System Preferences.
To configure the application-layer firewall:

1. Open System Preferences from the Apple menu.

2. Click Security & Privacy.

3. Click the lock icon to make changes.

Figure 5.8.1.1_1


4. Click the Firewall tab.

5. Click the Turn On Firewall button.
Note: Items enabled in the Sharing pane in System Preferences are now
allowed to accept incoming connections. The only other services allowing
incoming connections are the essential services. These services are
configd for network configuration, mDNSResponder for discovering
services, and the racoond process for IPSec.

Figure 5.8.1.1_2

6. Click the Firewall Options button.


7. Click the Block all incoming connections checkbox to block all connections
for nonessential services.

Figure 5.8.1.1_3

8. Alternatively, use the Add (+) button to enable specific applications.

9. To add an application, navigate to and select the application.

10. Once selected, click the Add button.

Figure 5.8.1.1_4

11. Choose whether the application will allow or deny incoming connections
using the menu next to the application name.
12. The application now appears in the list of allowed applications.

Figure 5.8.1.1_5

13. Click the Enable stealth mode checkbox to prevent the firewall from
sending an acknowledgement of attempts to open sockets without listeners
running. Stealth mode mimics what would occur if a computer were not
running at the IP address being scanned. Without stealth mode, the
computer will let a possible attacker know the ports are closed, alerting them
to the presence of the host. This option enables stealth mode for TCP traffic,
but not UDP traffic.
14. Automatically enable any signed software, software signed by a valid
certificate authority, to provide network services. To do so, click Advanced
and choose Automatically allow signed software to receive incoming
connections.


5.8.1.2 Manage the Application-Layer Firewall from Terminal

The application-layer firewall is also configured from the command line. This
enables programmatic control, which allows for automation in the form of scripts
and packaging. These automations can be included in a modular image or
enforced using a client management suite.
In this module, use the socketfilterfw command to configure the
application-layer firewall from the command line.
To manage the application-layer firewall from the command line:

1. Change the working directory to /usr/libexec/ApplicationFirewall by using
the following command:

cd /usr/libexec/ApplicationFirewall

The firewall command in this directory is a system daemon that runs the
application-layer firewall.

2. The socketfilterfw command in the same directory allows administrators
to configure the firewall. To get started, review the tools used to view trusted
applications by using the -l option, as follows:

sudo /usr/libexec/ApplicationFirewall/socketfilterfw -l

The --listapps option will also provide information about the status of
each application that socketfilterfw will filter, as follows:

sudo /usr/libexec/ApplicationFirewall/socketfilterfw --listapps

A list is displayed of the number of exceptions, explicitly allowed applications,
and signed exceptions. The output also shows the process name and status
of each application allowed. Most of this information comes preentered by
Apple for applications that provide their own integrity validation method
that doesn't conflict with the application-based firewall's ad hoc digital
signing process. There is also a list of TRUSTEDAPPS. These have sharing
capabilities preinstalled by Apple, such as httpd (Apache).
The options available in the Firewall pane in System Preferences map to
options in the socketfilterfw command line. For example, the
--setglobalstate option enables the global firewall. To enable the
firewall using a script, simply run the following:

sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on

Or to disable it, run the following:

sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off

3. To enable the allow signed applications option, use the following:

sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned on

235

IT Configuration GuideFor Your Mac Evaluation and Deployment (Version 6.0)

4. To enable stealth mode, use the following:
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on

5. To enable firewall logging, use the following:
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on

Or to block all incoming traffic (this overrides the per-application
exceptions configured below), use the following:
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setblockall on

6. To set up a trusted application, use the socketfilterfw command with
the --add option followed by the application to be set as trusted. The
following command sets VMware as a trusted application (the path contains a
space, so it must be quoted):
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --add "/Applications/VMware Fusion.app/Contents/MacOS/vmware"

Note: Here the vmware binary, hidden a few levels within the .app bundle,
was used rather than the VMware Fusion.app application bundle.
Also use the socketfilterfw command to sign applications by using the
-s option followed by the path to the file, as follows:
sudo /usr/libexec/ApplicationFirewall/socketfilterfw -s "/Applications/VMware Fusion.app/Contents/MacOS/vmware"

7. Once signed, verify the signature by using the -v option followed by the
path to the file. To verify the binary that was signed above, use the following
command:
sudo /usr/libexec/ApplicationFirewall/socketfilterfw -v "/Applications/VMware Fusion.app/Contents/MacOS/vmware"

8. To stop the application-layer firewall, use the following commands:
sudo launchctl unload /System/Library/LaunchAgents/com.apple.alf.useragent.plist
sudo launchctl unload /System/Library/LaunchDaemons/com.apple.alf.agent.plist

9. To reset the firewall configuration to Apple's defaults, remove the
com.apple.alf.plist file from /Library/Preferences and replace it with the
template /usr/libexec/ApplicationFirewall/com.apple.alf.plist. The debugging
feature of the firewall application can also be invoked by using the -d
option to assist with troubleshooting (run from the working directory set in
step 1), as follows:
./socketfilterfw -d
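The steps above are one-off commands. A deployment script or client management suite needs the same settings applied repeatedly without churning the configuration on every run. The following script is an added example and is not code from this guide: it reads each setting with the matching socketfilterfw --get option and only calls the --set option when the value differs. The sample output strings quoted in the comments are constructed for illustration and may differ slightly between OS X versions; the VMware path is the one used in step 6.

```shell
#!/bin/sh
# Added example (not code from the guide): an idempotent application-layer
# firewall baseline for a deployment script. Each setting is read with the
# socketfilterfw --get* option and only changed with --set* when it differs
# from the desired state, so the script is safe to run on every boot or from
# a management suite.
SFW=/usr/libexec/ApplicationFirewall/socketfilterfw

# Map one socketfilterfw "get" line to "on" or "off". Handles the shapes
# "Firewall is enabled. (State = 1)", "Stealth mode enabled",
# "Log mode is on" and "... ENABLED" (constructed samples); anything
# else, including "disabled"/"DISABLED"/"is off", reads as "off".
alf_parse_state() {
    case "$1" in
        *"State = 1"*|*enabled*|*ENABLED*|*" is on"*) echo on ;;
        *) echo off ;;
    esac
}

# Exit 0 (true) when the current output does not already match the desired
# state. $1 = raw get output, $2 = desired state ("on" or "off").
alf_needs_change() {
    [ "$(alf_parse_state "$1")" != "$2" ]
}

# Apply one setting only when needed.
# $1 = get option, $2 = set option, $3 = desired state.
alf_ensure() {
    current=$("$SFW" "$1" 2>/dev/null)
    if alf_needs_change "$current" "$3"; then
        "$SFW" "$2" "$3"
    fi
}

# Add an application to the exception list and mark it allowed. Pass the
# executable inside the bundle; quote it because the path contains a space.
alf_trust_app() {
    "$SFW" --add "$1"
    "$SFW" --unblockapp "$1"
}

alf_baseline() {
    alf_ensure --getglobalstate --setglobalstate on
    alf_ensure --getstealthmode --setstealthmode on
    alf_ensure --getloggingmode --setloggingmode on
    alf_ensure --getallowsigned --setallowsigned on
    # Block-all would override every per-application exception; keep it off.
    alf_ensure --getblockall --setblockall off
}

# Only act on a Mac and only as root; the functions above stay usable
# (and testable) on any system.
if [ -x "$SFW" ] && [ "$(id -u)" -eq 0 ]; then
    alf_baseline
    alf_trust_app "/Applications/VMware Fusion.app/Contents/MacOS/vmware"
    "$SFW" --listapps
fi
```

Run it as root from a launch daemon or a management suite's script facility; because every --set call is guarded by a --get check, repeated runs leave the configuration untouched once it matches the baseline.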


5.8.2 Use the pf Firewall


Similar to ipfw, pf filters packets at the lowest level of the operating
system's network stack; pfctl is the utility used to control it. The pf toolset
can do much more, including NAT (in the manner of Internet Sharing), bandwidth
control/shaping, and macros to build up rules more dynamically. Rules are
applied either by feeding options to the pfctl utility or by loading named
rulesets as part of configuration files. Addresses and/or network ranges are
grouped into structures called tables to deal efficiently with a large number
of hosts. pf then acts on the specified information in a preset order: in
addition to macros and tables (of IP addresses), tuning options, normalization,
queueing, and network translation are processed before the final step of
actually filtering packets by passing or blocking them, the most basic reason
for using any firewall or packet filter.
The default configuration file is /etc/pf.conf, which shows how, if pf were
enabled for custom behavior, certain services that rely on pf could still be
enabled on demand. In addition to the switches included in the upstream BSD
version of pf, the operating system can dynamically affect its state with
triggers called by passing -X to pfctl. Internet Sharing, AirDrop,
the developer-friendly Network Link Conditioner utility, and the higher-level
application-layer firewall are all referenced in the com.apple file, located in
the /etc/pf.anchors directory. (Groupings of rulesets and address tables are
referred to as anchors in pf parlance.)
To use pf.conf:
The /etc/pf.conf configuration file begins with handling for fragmentation and
network inconsistencies by prioritizing the scrub directive.
Internet Sharing ties into the NAT and redirection functionality, and
Network Link Conditioner hands off traffic via dummynet for processing. Custom
files can be incorporated in pf.conf by adding rulesets as standalone
anchors. Logs are captured by creating a pflog interface, then invoking
tcpdump.
To block all incoming traffic not otherwise allowed, make sure this line is in the
file:
block in all

To block all outgoing traffic not otherwise allowed, make sure this line is in the
rules defined in pf.conf:
block out all

Below that, the rules are then set to pass traffic in or out of an interface for a
specified protocol. For example, to allow outgoing icmp traffic for en1:
pass out quick on en1 proto icmp

Note: pf evaluates a ruleset top to bottom and the last matching rule wins,
unless a rule carries the quick keyword, in which case evaluation stops at that
rule. This is why the broad block rules come first and the more specific pass
rules follow them. A block out all line with no matching pass rules also stops
the system's own outbound traffic, including DNS lookups, so write the pass
rules before loading the ruleset.

The power and flexibility pf provides to administrators adds many new options
to the firewall in OS X.


To use pfctl:
pfctl is the tool used to dynamically change the configuration of pf, so there
are a few command options administrators should learn. The first of these is the
-e option, which enables pf, as follows:
sudo pfctl -e

When run, the message printed should be:
pf enabled

The next step is to check the configuration file for any errors. The -n option
parses the rules without loading them, and -v prints each rule as it is parsed:
sudo pfctl -v -n -f /etc/pf.conf

Always run this check before loading a ruleset over a remote session: a rule that
blocks the session you are working from cannot be corrected from that session.
The configuration then needs to be loaded, which can be done by specifying the
-f option along with the path to the configuration file (/etc/pf.conf), as follows:
sudo pfctl -f /etc/pf.conf

Because a lot of work is done remotely, it's important to be able to check the
rulesets, tables, counters, and so on. Here are a few of the logging and
sanity-checking options available with pfctl.
The first (-sa) shows all available information about pf:
sudo pfctl -sa

Because the amount of information provided can be difficult to digest, use the
-sr option to just look at the current rules:
sudo pfctl -sr

Or use the -si option to only show statistics:
sudo pfctl -si

To watch pf:
Administrators must be able to see, and possibly parse the output of, pf. To do so,
first set up pflog as a network interface using ifconfig (creating the interface
and running tcpdump both require root privileges), as follows:
sudo ifconfig pflog1 create

Once pflog1 has been set up, run tcpdump using pflog1 as the interface. Only
packets matched by rules that carry the log keyword are written to the pflog
interface, so add log to the rules you want to see:
sudo tcpdump -n -v -ttt -i pflog1

For more information on using pf:
Use the following commands to see more information about using the tools that
comprise pf:
man pfctl
man pf.conf
man pflog
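The block in / pass out pattern and the pfctl -n check described above come together in the following script, an added example rather than code from this guide. It generates a client ruleset as a standalone anchor file in /etc/pf.anchors (the layout the guide describes for custom rules), keeps a table of management networks, checks the file with pfctl -n, and loads it into the anchor. The interface name en0, the management subnets, and the anchor name org.example.mgmt are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the guide): generate a custom pf ruleset as a
# standalone anchor file, syntax-check it with pfctl -n, and load it.
# The interface, the management subnets and the anchor name are assumptions.
PF_ANCHOR=org.example.mgmt                      # hypothetical anchor name
PF_ANCHOR_FILE="/etc/pf.anchors/$PF_ANCHOR"     # where the guide keeps anchors

# Print a ruleset to stdout. $1 = external interface; remaining arguments =
# management networks in CIDR form allowed to reach SSH and Screen Sharing.
pf_ruleset() {
    iface=$1; shift
    hosts=$(printf '%s, ' "$@"); hosts=${hosts%, }
    printf 'ext_if = "%s"\n' "$iface"
    printf 'table <mgmt> const { %s }\n' "$hosts"
    # Quoted heredoc: $ext_if and <mgmt> stay literal for pf, not the shell.
    # Order matters: the block rules come first; the pass rules use quick
    # so evaluation stops at the first match.
    cat <<'EOF'
# Default deny inbound (logged); replies to our own connections come back
# through the state table created by the pass out rule.
block in log all
pass out quick on $ext_if proto { tcp udp icmp } from any to any keep state
# Only management hosts reach SSH (22) and Screen Sharing (5900).
pass in quick on $ext_if proto tcp from <mgmt> to any port { 22, 5900 } flags S/SA keep state
EOF
}

# Count the inbound pass rules in a ruleset read from stdin.
pf_count_inbound_pass() {
    grep -c '^pass in'
}

# Exit 0 if the ruleset on stdin contains an inbound pass rule open to any
# source address, which is almost always a mistake on a client system.
pf_has_open_inbound() {
    grep '^pass in' | grep -q 'from any'
}

# Write the anchor file, parse it without loading (-n), and load it into the
# anchor only if the parse succeeds. Needs root and an OS with pfctl.
pf_install() {
    pf_ruleset "$@" > "$PF_ANCHOR_FILE"
    if pf_has_open_inbound < "$PF_ANCHOR_FILE"; then
        echo "refusing to load: inbound pass rule open to any" >&2
        return 1
    fi
    pfctl -n -f "$PF_ANCHOR_FILE" || return 1
    pfctl -a "$PF_ANCHOR" -f "$PF_ANCHOR_FILE"
}

if command -v pfctl >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    pf_install en0 10.0.0.0/24 192.0.2.0/24     # assumed interface and subnets
    pfctl -a "$PF_ANCHOR" -sr                  # show what was loaded
fi
```

Rules loaded into an anchor are only evaluated if the main ruleset references it, so /etc/pf.conf needs an `anchor "org.example.mgmt"` line (and a matching `load anchor "org.example.mgmt" from "/etc/pf.anchors/org.example.mgmt"` line so the rules survive a reload of pf.conf); scrub stays in the main file, where the guide notes it already is. The pf_has_open_inbound check is the review step to run before any load: on a remotely administered client, an accidental `pass in ... from any` is the rule most likely to undo the default deny.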


5.9 Manage Keychains
Users are authenticating to and accessing an ever-increasing number of
protected services. These services include email, file sharing, social networking,
banking, and system administration. With so many credentials, users need an easy
way to store and retrieve credentials on demand, without risking exposure to
unauthorized access. To address this, Apple includes a feature called Keychain.
A keychain is a container for securely storing user and system credentials on local
systems, enabling quick retrieval when needed. Keychains are integrated so
deeply into OS X that they can't be disabled or shut off.
There are five default keychains with each new system account, each providing a
very specific purpose, protection, and storage. They are login, iCloud, Directory
Services, System, and System Roots.
Every keychain in the keychain list is used by the system and administrator for
locating and retrieving appropriate credentials, as follows:
Login. Stored in /Users/<shortname>/Library/Keychains/login.keychain, the
login keychain allows every user on a Mac to start with an empty keychain
named login for storing their own credentials. All passwords, keys, secure notes,
and user identities can be stored here. OS X populates the keychain with
certificates acquired during the parsing of digitally signed email messages
within the Mail.app. This user keychain is protected with a passphrase initially
set to the same value as the user's login password and can be set to any
passphrase desired. If the two values diverge, for example after an
administrator or a directory service resets the account password, the login
keychain no longer unlocks automatically at login and the user is prompted for
the old keychain password.
iCloud. Shows iCloud Keychain entries, or entries synchronized between
computers and stored in an iCloud account.
Directory Services. Locally configured directory servers allow systems
configured for external directory services such as Active Directory, LDAP, and
NIS to search that directory service for certificates, retrieving X.509
certificates for other users.
System. Stored in /Library/Keychains/System.keychain, the System keychain is
an operating-system- and system-administrator-managed store for the
purposes of machine (system) authentication to network services and storage
of corporate root Certificate Authority (CA) certificates for system-wide trust.
The System keychain is always accessible by the operating system,
independent of any user login. Any network services, such as 802.1X, VPN, and
WPA/WPA2, with machine authentication require that the credential and any
corresponding trust chain be stored in the System keychain if those certificates
were issued from a corporate CA or from any root CA not included in the
System Roots keychain.
System Roots. Stored in /System/Library/Keychains/
SystemRootCertificates.keychain, the System Roots keychain is an
operating-system-managed store for the purpose of retaining the pretrusted root CA
certificates of OS X. Administrators can alter the trust on any of the root
certificates to reflect desired systemwide CA trust, but can't remove or delete
any root certificates from this unchangeable store. Apple updates the
certificates in this keychain during OS X software and security updates.


Keychain Access provides simplified GUI management of the various keychains
and their contents. The following sections take a closer look at what keychains are
and how to manage them using Keychain Access.
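The System keychain tasks described above, trusting a corporate root CA system-wide and holding a machine identity for 802.1X or VPN, are usually scripted rather than done through Keychain Access on each machine. The script below is an added example, not code from this guide, and uses the security command's add-trusted-cert, import, find-certificate and find-identity subcommands (see man security). The certificate file names, the CA name, and the find-identity output used for the offline check are constructed for illustration.

```shell
#!/bin/sh
# Added example (not code from the guide): install a corporate root CA and a
# machine identity into the System keychain from a deployment script, then
# verify the result. File names and the CA name are hypothetical.
SYSKC=/Library/Keychains/System.keychain

# Trust a root CA for every user on the system: -d writes to the admin trust
# domain and -r trustRoot records the certificate as a trusted root.
kc_install_root_ca() {
    security add-trusted-cert -d -r trustRoot -k "$SYSKC" "$1"
}

# Import a PKCS#12 identity (certificate plus private key). The passphrase
# is read from the P12_PASS environment variable rather than hard-coded; it
# is still passed to security via -P, so run this only from a root-owned
# script on the target machine and unset the variable afterwards. -T grants
# the named program access to the key without an allow/deny prompt.
kc_import_identity() {
    security import "$1" -k "$SYSKC" -P "$P12_PASS" -T /usr/bin/security
}

# Parse `security find-identity -v` output (passed as $1) and print the
# number from its "N valid identities found" summary line. Prints nothing
# if the summary line is absent.
kc_count_valid_identities() {
    printf '%s\n' "$1" | sed -n 's/^ *\([0-9][0-9]*\) valid identities found.*/\1/p'
}

# Exit 0 when the System keychain holds a certificate whose common name is
# $1 and at least one identity whose certificate and key currently validate.
kc_verify() {
    security find-certificate -c "$1" "$SYSKC" >/dev/null 2>&1 || return 1
    n=$(kc_count_valid_identities "$(security find-identity -v -p basic "$SYSKC" 2>/dev/null)")
    [ "${n:-0}" -gt 0 ]
}

if command -v security >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    kc_install_root_ca /private/tmp/corp-root-ca.cer       # hypothetical file
    kc_import_identity /private/tmp/machine-identity.p12   # hypothetical file
    unset P12_PASS
    kc_verify "Corp Root CA" || echo "identity not usable yet" >&2
fi
```

The verification step matters more than it looks: an identity whose issuing chain is not trusted shows up under "identities found" but not under "valid identities found", which is exactly the failure mode behind most "802.1X machine authentication stopped working" tickets after a CA rollover.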


5.9.1 View Keychain Contents

1. Open Keychain Access from the /Applications/Utilities folder.

2. Select a keychain from the list by clicking its name in the sidebar.

Figure 5.9.1_1

3. The right side of the Keychain Access window displays all items currently
stored within that keychain, with the following column headings:
Name. The name of the keychain item, such as mail.company.com.
Kind. The type of keychain item, such as certificate or web form password.
Date Modified. The date the keychain item was last modified.
Expires. The expiration date of an X.509 certificate.
Keychain. The name of the keychain in which the item is stored.


4. Click a keychain item to see top-level information about it.

5. Double-click the keychain item or click the Information (i) button at the
bottom of the window to open the information pane for the item.

Figure 5.9.1_2

6. Drag any keychain item to another location to generate a copy of that item.


5.9.2 Install Certificates Using Profile Manager

Certificates are deployed using configuration profiles. They are commonly added
in the form of .cer and .p12 files; deploying a certificate with a profile requires
the certificate file and, for a .p12 identity, the passphrase that protects it.
Note: A .p12 file carries a private key, and a profile that embeds it carries that
key as well. Scope such a profile to the devices that need the identity and do
not leave downloaded copies of it on shared systems.
To use Profile Manager to deploy certificates:
1. Open the Server application from /Applications.

2. Click Profile Manager from the Services list in the sidebar.

3. Click Open Profile Manager in the lower-right corner.

4. Authenticate as needed with administrative credentials.

5. Click Users, Groups, Devices, or Device Groups in the Library list in the
sidebar. Then select the user, group, device, or device group to edit.

6. Click the Settings tab.

7. Click the Edit button.

Figure 5.9.2_1

8. Scroll down and click Certificate in the sidebar.

Figure 5.9.2_2

9. In the Configuration Certificate pane, click the Configure button.

Figure 5.9.2_3

10. Provide a name for the certificate in the Certificate Name field.
11. Enter the password for the certificate you are about to upload in the
Passphrase field.
12. Click the Add Certificate button.

Figure 5.9.2_4

13. Browse to the certificate file that the passphrase entered above protects.
14. Click Choose.

Figure 5.9.2_5


15. Once uploaded, click OK.

Figure 5.9.2_6

16. Click Save.
17. Click Save again to confirm changing the profile.
18. Click Download to download a copy of the profile for manual installation,
or leave it assigned so that it is pushed to the client system through MDM.


5.9.3 Enable Directory Services Searching for Certificates

Keychain Access can search a directory service for a certificate.
To enable directory services searching for certificates:
1. Open Keychain Access from the /Applications/Utilities folder.

2. Click Keychain Access, then click Preferences.

3. Click the General tab.

4. Click the Search directory services for certificates checkbox to enable
searching all directory services configured for the system.

Figure 5.9.3_1

5. Directory services now appears as an item that can be searched in the
Keychains list.

Figure 5.9.3_2


5.9.4 Enable Certificate Revocation Checking

1. Open Keychain Access from the /Applications/Utilities folder.

2. Choose Preferences in the Keychain Access menu.

3. Click the Certificates tab.

Figure 5.9.4_1

4. In the Online Certificate Status Protocol (OCSP) menu, choose Off, Best
attempt, or Require if certificate indicates.

Figure 5.9.4_2

5. To enforce OCSP verification for all certificates, hold down the Option key
while choosing from this menu.

Figure 5.9.4_3
!


6. Choose the desired enforcement from the Certificate Revocation List (CRL)
menu. To enforce CRL verification for all certificates, hold down the Option
key while choosing from this menu.

Figure 5.9.4_4

7. When both OCSP and CRL are enabled, choose which protocol response
takes priority, or whether to require both responses for full validation.
Note: When configuring both options to Require, if either server isn't
responding, the system will be unable to verify the certificate. This can cause
the use of this certificate to fail. Best attempt has the opposite weakness: an
unreachable responder is not treated as an error, so a revoked certificate still
validates while the revocation service is down or blocked. Choose between the
two settings according to whether availability or strict revocation enforcement
matters more for the certificates in question.


5.9.5 Import Items into a Keychain

1. Open Keychain Access from the /Applications/Utilities folder.

2. In the File menu, choose Import.

Figure 5.9.5_1

3. Select a valid credential, such as an X.509 identity file (.p12 file) or a .pem file.

4. Keychain Access asks for the password for the certificate, if one is
required. When importing an X.509 identity (.p12 file), enter the password used
when the wrapped file was created.

5. In the Keychain column, choose the appropriate keychain, either login for
user credentials or System for system-wide credentials.

6. View the item(s) in the selected keychain.

Figure 5.9.5_2

5.9.6 Export Items from a Keychain

1. Open Keychain Access from the /Applications/Utilities folder.

2. Locate the item to export by choosing the appropriate keychain or category
in the sidebar, or by using the search field.

Figure 5.9.6_1

3. In the File menu, choose Export Items. Or use the keyboard shortcut
Command-Shift-E.

4. In the Save File dialog, navigate through the file system to select a location to
export the item(s).

5. Click Save.

Figure 5.9.6_2


6. If the items to export are encrypted in the keychain, enter a password to
protect the items. Use a strong password to ensure the credential can't be
unlocked by an unauthorized individual.

7. If the items to export are encrypted in the keychain, you'll be required to
unlock the keychain currently protecting the items by entering the keychain
password.

8. If encrypted, click Allow.

9. The items are now stored at your selected location. An exported .p12 file
contains the private key: treat it as a secret, move it over a protected channel,
and delete it once it has been imported on the destination system.


5.9.7 Configure iCloud Keychain

Keychains are used to store passwords, notes, certificates, and keys. When you
choose to have OS X remember the password to a wireless network, encrypted
drive, or file server, that information is put into a keychain. When you accept a
certificate through Safari or the Mail application, that information is put into a
keychain. And when you choose to have OS X remember a password to
authenticate to a website or to certain applications, that information is also
stored in a keychain.
iCloud stores keychain items and synchronizes those items between computers.
These keychain items can then be accessed from any computer signed in to the
same Apple ID with iCloud Keychain enabled. Additionally, applications that are
built to access iCloud Keychain can access entries directly.
To enable iCloud Keychain:
1. Open System Preferences from the Apple menu.
2. Click iCloud.
3. Click the Keychain checkbox to enable Keychain.

Figure 5.9.7_1


4. iCloud appears under Keychains in the sidebar.

Figure 5.9.7_2

To disable iCloud Keychain, deselect the Keychain checkbox in the list of objects
synchronized with iCloud in the iCloud pane in System Preferences.
Note: If your organization has a policy against password managers, or against
credentials for corporate services being synchronized off managed systems, you
can use a profile to disable iCloud Keychain on client computers.


6 Networking/Wireless
OS X supports nearly all standards-compliant network configurations. Every Mac
ships with a minimum of one network interface, as follows:
- One 802.11n (2.4GHz and 5GHz Wi-Fi) or 802.11ac network interface.
- One Bluetooth 2.1+ interface.
- At least one wired (802.3) Ethernet network interface (except MacBook Air
and MacBook Pro with Retina display).
- Two wired Ethernet network interfaces (Mac Pro only).

The networking stack in OS X is configured for IPv4 and IPv6 through the
Network pane in System Preferences and through the command line. 802.1X
options are also tied into System Preferences, via configuration profiles, and
into the command line using the networksetup command.
The MAC address for each interface is printed on the outside of the box the
computer is shipped in, along with a corresponding bar code. This allows for
quick mass deployments using the bar code to scan a computer into an asset
management database. MAC addresses are tied to logic boards, so in the event
that a computer requires a logic board replacement, the MAC address(es) will
change. The only exceptions are the USB or Thunderbolt dongles used by
MacBook Air or MacBook Pro, which hold the Ethernet MAC address for the wired
Ethernet interface.


6.1 Manage IPv4 Settings

OS X supports all the standard tasks required to configure a client to operate on
an IPv4 network. By default, OS X runs DHCP on each interface. IP addresses can
be assigned statically as well, with each interface having more than one address
installed on it if desired.
To configure an IPv4 address in OS X:

1. Open System Preferences from the Apple menu.

2. Click Network.

Figure 6.1_1

3. Click the network interface you'd like to configure. For example, Ethernet,
Wi-Fi, and so on.

4. Wired interfaces show the following fields. (The IP Address and Subnet Mask
fields are required. The other fields are required only in order to route traffic
and resolve names properly.)

Status. The state of the Ethernet interface. If an Ethernet cable isn't
plugged in, the indicator is red. If a cable is plugged in (and a switch is
available on the other side of the cable), the indicator is either green, if a
DHCP address is available and the network interface is set to obtain IP
addresses automatically, or amber, if there's no IP address available.

Configure IPv4 menu.
- Manually. IP addresses are provided statically rather than
dynamically.
- Using DHCP. IP addresses are provided automatically via the DHCP
protocol. For more on DHCP, see the following requests for
comment (RFCs) 1531, 2131, 3315 and 3633 at
tools.ietf.org/html.
- Using DHCP with a Manual Address. The IP address is provided
statically while the rest of the information is provided by DHCP.
- Using BootP. IP addresses are provided via the Bootstrap protocol.
For more on BootP, see RFC 951 at tools.ietf.org/html/rfc951.

IP Address. The IP address the host will use when an interface isn't
obtaining the IP address automatically.
Subnet Mask. The subnet mask to be used with the IP address provided.
Router. The router, or default gateway, to be used to route traffic for the
client using the IP address provided.
DNS Server. The DNS servers to be used for the environment, with
multiple addresses separated by a comma.
Search Domains. Information from this field is appended to the end of
host names not otherwise fully qualified. For example, if the search
domain is configured as pretendco.com, entering www in a Safari
window automatically expands to www.pretendco.com.
Advanced. Configures proxy server settings and the speed of network
interfaces.

Figure 6.1_2


5. The Wi-Fi pane shows fewer fields, including:

Turn Wi-Fi On or Turn Wi-Fi Off button. Controls whether wireless
networking is enabled.
Status. Shows whether the Mac is connected to a wireless network and,
if connected, shows the name and IP address being used. Wireless IP
addresses can be static or dynamic.
Network Name menu. The name of the wireless network.
Connect button. This button is used if there is an 802.1X network.
Advanced button. Used to configure more detailed controls, such as
proxy server settings.

Figure 6.1_3


6. Wired Ethernet (802.3) and wireless (802.11) interfaces both include an
Advanced button. Use the Wi-Fi tab in the advanced screen to configure to
which networks a client is allowed to connect and what wireless network
tasks require an administrative password.

Figure 6.1_4


7. The TCP/IP and DNS tabs show similar options as those outlined in step 4,
with the exception that here is where IPv6 is configured.

Figure 6.1_5


8. The WINS tab shows discovery information for legacy (workgroup)
Windows-oriented networks, including:
NetBIOS. A NetBIOS name for the computer being configured.
Workgroup. A NetBIOS workgroup name for discovering other hosts on
the network.
WINS. The WINS server that manages NetBIOS communications when
discovery isn't automatic or when master browser conflicts are
encountered while using sharing on a client system. DHCP can
configure these fields automatically and they can be manually overwritten.

Figure 6.1_6


9. The 802.1X tab displays information about profiles, including details of
installed 802.1X security configurations. These configuration profiles are
installed as .mobileconfig files. Create, edit, and manage .mobileconfig files
using tools such as iPhone Configuration Utility, Apple Configurator, Profile
Manager, and various third-party MDM tools.

Figure 6.1_7


10. Click the Proxies tab to configure a proxy server for the environment. Proxies
are broken down per client-side protocol or by using a SOCKS proxy. Proxies
can also be bypassed for certain addresses. Passive FTP Mode can be
configured here as well.

Figure 6.1_8


11. Click the Hardware tab to configure the behavior of Ethernet interfaces,
including link speed, duplex state, and MTU (standard 1500, jumbo 9000 where
the interface supports it, or a custom value). Interface performance can be
improved with a correct value and decreased with an incorrect value; a
mismatched duplex or MTU setting typically shows up as collisions, drops, or
large transfers that stall while small ones succeed.

Figure 6.1_9

12. At the top of the Network pane in System Preferences, there is a Location
menu. Each location has different settings for interfaces, making it useful
when computers roam between networks, such as home and office.

Figure 6.1_10


13. To enable, disable, and duplicate services (or interfaces), click the cog wheel
icon to open the action pop-up menu. Use this same menu to create a
second IP address, set up Link Aggregation, or configure an internal VLAN.

Figure 6.1_11

All the options available in the Network pane in System Preferences have parallel
settings at the command line, allowing for scripting deployment and packaging
the configuration of network settings.
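The command-line counterparts of the fields in step 4 are networksetup's -setmanual, -setdnsservers and -setsearchdomains options (and -setdhcp to go back). The following script is an added example and not code from this guide. Besides showing those calls, it validates the addresses and converts a prefix length into the dotted mask that -setmanual expects before anything is applied, because a mistyped static address on a remotely administered machine costs the session. The service name Ethernet and the addresses are assumptions for illustration; the networksetup options are the ones listed by networksetup -help.

```shell
#!/bin/sh
# Added example (not code from the guide): scripted equivalent of the
# IPv4 fields in the Network pane. Service name and addresses are assumed.

# Exit 0 when $1 is a dotted-quad IPv4 address with each octet in 0..255.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    rest=$1 n=0
    while [ -n "$rest" ]; do
        o=${rest%%.*}
        [ "$o" -le 255 ] || return 1
        n=$((n + 1))
        case $rest in *.*) rest=${rest#*.} ;; *) rest= ;; esac
    done
    [ "$n" -eq 4 ]
}

# Convert a prefix length (0..32) to the dotted-decimal subnet mask that
# networksetup -setmanual expects, e.g. 22 -> 255.255.252.0.
prefix_to_mask() {
    p=$1; mask=
    for i in 1 2 3 4; do
        if [ "$p" -ge 8 ]; then
            o=255; p=$((p - 8))
        elif [ "$p" -le 0 ]; then
            o=0
        else
            o=$(( 256 - (1 << (8 - p)) )); p=0
        fi
        mask="$mask${mask:+.}$o"
    done
    printf '%s\n' "$mask"
}

# Apply a static IPv4 configuration to one network service (the name shown
# in the Network pane, such as "Ethernet").
# $1 service, $2 address, $3 prefix length, $4 router,
# $5 comma-separated DNS servers, $6 space-separated search domains.
net_set_static() {
    svc=$1 addr=$2 prefix=$3 router=$4 dns=$5 domains=$6
    valid_ipv4 "$addr" && valid_ipv4 "$router" || return 1
    mask=$(prefix_to_mask "$prefix")
    networksetup -setmanual "$svc" "$addr" "$mask" "$router"
    networksetup -setdnsservers "$svc" $(printf '%s' "$dns" | tr ',' ' ')
    networksetup -setsearchdomains "$svc" $domains
}

# Return a service to DHCP; "Empty" clears the static DNS and search lists.
net_set_dhcp() {
    networksetup -setdhcp "$1"
    networksetup -setdnsservers "$1" Empty
    networksetup -setsearchdomains "$1" Empty
}

if command -v networksetup >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    # Assumed values for illustration.
    net_set_static Ethernet 10.0.0.25 24 10.0.0.1 10.0.0.2,10.0.0.3 pretendco.com
    networksetup -getinfo Ethernet
fi
```

net_set_static refuses to touch the configuration if either address fails validation, so it can be used from a packaged postinstall script without a person watching the output; networksetup -getinfo afterwards shows the same values the Network pane would.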

265

IT Configuration GuideFor Your Mac Evaluation and Deployment (Version 6.0)

6.2 Manage IPv6 Settings

OS X is IPv6 compliant and is able to:
- Accept automatically assigned addresses using IPv6-based DHCP (DHCPv6) services.
- Obtain addresses using link-local addressing (the IPv6 version of Automatic
Private IP Addressing, or APIPA).
- Interpret addressing schemes in DNS.
- Operate on IPv6 networks without the use of IPv4 networking or bridging.

By default, OS X leverages what is known as a dual stack, where both IPv4 and
IPv6 are used concurrently. All sharing services are also IPv6-aware, allowing Mac
computers to communicate with one another using IPv6. Each enabled sharing
service (for example, screen sharing) has a listener bound to both the IPv4 and
IPv6 interface by default. Because each service listens on both families, packet
filter rules written only for IPv4 (for example, pf rules restricted with the inet
keyword) leave the IPv6 listener of the same service exposed.
To configure IPv6 networking:
1. Open System Preferences from the Apple menu.

2. Click Network.

3. In the sidebar, click the interface to configure.

4. Click Advanced.

Figure 6.2_1


5. Click the TCP/IP tab.

6. The Configure IPv6 menu is set to Automatically by default, to obtain IPv6
addresses dynamically. Alternately, choose Manually or Link-local only.

Figure 6.2_2

a. If changing the Configure IPv6 menu to Manually, provide the Router,
IPv6 address, and prefix length (provided by a network administrator).
Note: The prefix length is typically 64 bits.

Figure 6.2_3


7. Click OK.

Figure 6.2_4

8. Click Apply.

9. Test the settings. Use the ping6 command to ping other IPv6 addresses, or
use the netstat command with the -l option to show full IPv6 addresses.
Additionally, ndp (Neighbor Discovery Protocol) can be used to inspect the IPv6
neighbor cache and the routers the system has learned.

OS X can also carry IPv6 traffic over an IPv4 network by tunneling it with 6to4.
To do this, select 6 to 4 in the Add new interface dialog. Then either allow the
relay address to be obtained automatically or provide one.
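Step 9 leaves the reading of the results to the administrator. The following script is an added example, not code from this guide: it classifies the inet6 addresses that ifconfig reports on an interface so that a script can tell "link-local only" (fe80::/10, which every IPv6 interface has regardless of configuration) from a real global or unique-local assignment, and only then pings the router with ping6. The interface name and router address are assumptions; the ifconfig lines used for the offline check are constructed to follow the usual OS X output shape.

```shell
#!/bin/sh
# Added example (not code from the guide): post-configuration IPv6 check.
# Interface and router are assumed; the ifconfig text parsed here is in the
# shape OS X prints ("inet6 <addr>%<iface> prefixlen 64 ...").

# Classify one IPv6 address as loopback, link-local, unique-local, global
# or other. Accepts the %en0 zone suffix OS X appends to link-local addresses.
ipv6_class() {
    addr=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    addr=${addr%%\%*}
    case $addr in
        ::1)                          echo loopback ;;
        fe8?:*|fe9?:*|fea?:*|feb?:*)  echo link-local ;;   # fe80::/10
        fc??:*|fd??:*)                echo unique-local ;; # fc00::/7
        2???:*|3???:*)                echo global ;;       # 2000::/3
        *)                            echo other ;;
    esac
}

# Given the text of `ifconfig <iface>` as $1, print the class of every inet6
# address, one per line, in the order found.
ipv6_classes_from_ifconfig() {
    printf '%s\n' "$1" | awk '$1 == "inet6" { print $2 }' | while read -r a; do
        ipv6_class "$a"
    done
}

# Exit 0 if the ifconfig text shows at least one global or unique-local
# address, i.e. the interface has more than link-local connectivity.
ipv6_has_routable() {
    ipv6_classes_from_ifconfig "$1" | grep -q -e '^global$' -e '^unique-local$'
}

# $1 = interface, $2 = router address to ping. Fails early, with a hint,
# when the interface only has a link-local address.
ipv6_check() {
    iface=$1 router=$2
    if ipv6_has_routable "$(ifconfig "$iface")"; then
        ping6 -c 3 "$router"
    else
        echo "$iface has only link-local IPv6; check the Configure IPv6 setting" >&2
        return 1
    fi
}

if [ "$(uname)" = Darwin ]; then
    ipv6_check en0 'fe80::1%en0'   # assumed interface and router
fi
```

An interface that shows only a link-local address after Apply usually means router advertisements are not reaching it (or Configure IPv6 was left at Link-local only), which is a different problem from a router that does not answer ping6; separating the two saves a round of guesswork.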


6.3 Set Up Wired and Wireless Connections Using the Network Setup Assistant

The Network Setup Assistant provides a guided wizard for setting up wired and
wireless network connections in OS X. The Assistant can be run multiple times,
setting up a new location each time. Each location can have different interface
settings, suitable for when computers roam between networks (for example,
between home and office networks).
To use the Network Setup Assistant in OS X:
1. Open Network Setup Assistant from /System/Library/CoreServices.

2. Enter a location name in the Introduction window. Then click Continue.
Note: The location is where the system will reside. For example, you can
configure two locations, home and office. Home could have simpler
settings for a home network, while office could have more detailed office
network settings specific to your organization, such as proxy servers.

Figure 6.3_1

3. In the How Do You Connect to the Internet? window, click the method used
to connect to the network, as follows:
- If using Wi-Fi, select the I use AirPort to connect to the Internet
wirelessly button.
- If behind a router or firewall, select the I connect to my local area
network (LAN) button.
- If directly connected to a cable or DSL modem, select the corresponding
cable or DSL modem button.


Figure 6.3_2

4. If selecting I use AirPort to connect to the Internet wirelessly, a dialog will
prompt you to select the wireless network and provide a password. If a
broadcast isn't detected for a given wireless network, choose Other Wi-Fi
Network from the menu.
Note: This step isn't required for Ethernet-based networking.

Figure 6.3_3

5. Click Continue.

6. In the Ready to Connect? window, click Continue. Here, you can also open
AirPort Utility to configure an AirPort base station.
Note: This isn't required for wired (802.3) Ethernet networking.

Figure 6.3_4

7. The Network Setup Assistant configures the appropriate network interface
and creates a location. If the process fails, an Unable to establish a network
connection dialog appears, giving you the option to diagnose the problem.

Figure 6.3_5


6.4 Run Network Diagnostics

Network Diagnostics is an Apple tool that checks Ethernet, modem, Wi-Fi
(AirPort), and other interfaces for common networking problems. In this module,
use Network Diagnostics to check the Wi-Fi interface for connectivity to the
wireless network, appropriate network settings, connectivity to an ISP, and to
validate communication with the Internet.
To run Network Diagnostics to check the Wi-Fi interface:
1. Open Network Diagnostics from /System/Library/CoreServices.

2. Confirm the network location.

3. Click Continue.
Note: You won't see the Select Location window unless you have configured
multiple locations in the Network pane in System Preferences.

Figure 6.4_1


4. Select the Wi-Fi radio button.

5. Click Continue.

Figure 6.4_2

6. Select a Wi-Fi network from the list.

7. When prompted, provide the network password. If a broadcast isn't detected
for a given wireless network (for example if you're using SSID suppression),
click the Use hidden network button.

8. Click Continue.

Figure 6.4_3

9.

Select DSL or cable modem for connecting to the Internet, if prompted. If the
system is unable to reach beyond the router, a prompt to restart the device
appears.

10. Network Diagnostics attempts to connect to the network and reports back
any failures encountered.
11. If any other problems are reported, click Continue to take corrective action.
The Network Diagnostics tool is just one of the many applications that systems
administrators, desktop support engineers, and help desk technicians can use to
effectively troubleshoot issues that may arise on Mac computers.


6.5 Configure Networking from the Command Line


Network settings are easily configured using the networksetup command. Use
this command to script location setup, IP address settings, wireless network
connections, and VLANs, and to prepare systems for 802.1x-based networks.
To use networksetup:
One of the most common uses of networksetup is to set up wireless
networking. OS X names network interfaces en followed by a number (Linux and
other UNIX systems use different schemes). This is easily seen when running
the ifconfig command. By default, most Mac computers with a built-in Ethernet
port use en0 to identify the physical Ethernet port and en1 to identify the Wi-Fi
port. The MacBook Air is an exception: because it has no built-in Ethernet port,
its Wi-Fi port is en0. Don't hard-code these names in deployment scripts. The
networksetup command, along with the -listallhardwareports option, shows
the hardware ports present in each computer and the device name of each, as
follows:
networksetup -listallhardwareports
To add a wireless network to the list of preferred networks, use the
-addpreferredwirelessnetworkatindex option. Follow this with the
hardware port for the Wi-Fi adapter, the name of the wireless network to join, the
index number to be assigned (or 0 to automatically choose a unique internal ID
for the network), the security type of the wireless network (OPEN, WEP, WPA,
WPA2, WPAE, or WPA2E), and, if pertinent, the actual credentials to join the
network. For example, use the following command to add an open network called
pretendco:
networksetup -addpreferredwirelessnetworkatindex en1
pretendco 0 OPEN

If the pretendco wireless network uses WPA for security, use the following
command to assign the WPA password of mypassword:
networksetup -addpreferredwirelessnetworkatindex en1
pretendco 0 WPA mypassword

Note: A password passed as a command-line argument is visible to other local
users in the process list while the command runs, and it is recorded in the shell
history of an interactive session. For scripted deployments, prefer distributing
Wi-Fi settings in a configuration profile, or clear the history after running the
command.

To verify that a wireless network is properly added, use the


-listpreferredwirelessnetworks option followed by the interface, as
follows:
networksetup -listpreferredwirelessnetworks en1

To remove items from the list, use the -removepreferredwirelessnetwork


option, followed by the hardware port, and then the name of the network to be
removed. Continuing with en1 as the Wi-Fi interface, to remove a network called
Cisco, use the following command:
networksetup -removepreferredwirelessnetwork en1 Cisco

To remove all preferred wireless networks (a common pre-imaging task), use the
-removeallpreferredwirelessnetworks option followed by the hardware
port, as follows:
networksetup -removeallpreferredwirelessnetworks en1


Note: When using a script to deploy 802.1x settings, the certificate should be
deployed prior to setting up the 802.1x profile. Certificates are managed using the
security command.
To manage network services with networksetup:
Other network settings are also configured using networksetup, including
services. A service is a virtual interface to a hardware port. Each hardware port
can have many network services running on it, each with a unique IP address.
Services are also ordered: the service order decides which interface carries
traffic when more than one has a route to the destination. For example, if there
are two services, one called Wi-Fi and another called Ethernet, when the Ethernet
cable is plugged in, Wi-Fi should not be used (assuming they're on the same
network) for any traffic that is local to the Ethernet interface.
To order network services:
List the network services installed by default using the
-listallnetworkservices option for the networksetup command, as
follows:
networksetup -listallnetworkservices

By default, most systems return the following output:


Ethernet
Wi-Fi
FireWire

To rename the Ethernet network service to Wired, run the networksetup
command again. This time use the -renamenetworkservice option, as follows:
networksetup -renamenetworkservice Ethernet Wired

Next, make sure the Wired network service is listed above Wi-Fi. First, display
the current service order using networksetup with the
-listnetworkserviceorder option, as follows:
networksetup -listnetworkserviceorder

This returns the following list (although potentially in a different order according
to your configuration):
(1) Wi-Fi
(Hardware Port: Wi-Fi, Device: en1)
(2) Wired
(Hardware Port: Ethernet, Device: en0)
(3) FireWire
(Hardware Port: FireWire, Device: fw0)

Wi-Fi is listed first in the network service order. In this example, the Wired
service should be listed first instead so that Ethernet traffic has a higher priority
than Wi-Fi traffic (given that it's a faster interface). To change the order of network
services, use the networksetup command with the
-ordernetworkservices option. Then list each service in the desired order, as
follows:
networksetup -ordernetworkservices Wired Wi-Fi FireWire

Note: Not all interfaces shown in this example are available on all Apple notebook
models. For example, by default a MacBook Air doesn't come with an Ethernet
port installed.
Next, disable FireWire for networking. (It will still be available for storage devices.)
Set FireWire to off using networksetup with the
-setnetworkserviceenabled option, as follows:
networksetup -setnetworkserviceenabled FireWire off

In this example, also disable IPv6, using the -setv6off option to disable IPv6 for
the Wired and Wi-Fi network services, since many environments do not yet
support IPv6.
networksetup -setv6off Wired
networksetup -setv6off Wi-Fi

Next, set Wi-Fi to use DHCP using the following -setdhcp option:
networksetup -setdhcp Wi-Fi

The Wired network service could also use DHCP. For this example, set the service to a
static IP address of 192.168.210.8 with a subnet mask of 255.255.255.0 and a
gateway of 192.168.210.1. The configuration is performed in one networksetup
command, using the -setmanual option, followed by the name of the service.
It's then followed by the IP address, subnet mask, and router. For this example the
command is:
networksetup -setmanual Wired 192.168.210.8 255.255.255.0
192.168.210.1

Or for USB Ethernet interfaces, such as those used with MacBook Air, quote the
service name, because it contains a space:
networksetup -setmanual "USB Ethernet" 192.168.210.8
255.255.255.0 192.168.210.1

Next, assign name servers using the -setdnsservers option with


networksetup. Set the DNS servers to 192.168.210.2 and 192.168.210.3. When
using the -setdnsservers option, list the name servers in the order they
should be utilized, as follows:
networksetup -setdnsservers Wired 192.168.210.2 192.168.210.3
networksetup can be used for much more, including location management,

proxy configurations, and even managing IPv6 settings. For more information on
the networksetup command, see the following man page command:
man networksetup
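
The two tasks this section scripts by hand, putting the wired service ahead of Wi-Fi and stripping preferred wireless networks before imaging, are easy to get wrong when the interface names differ between models. The following script is an added example, not code from the guide: it parses the output of networksetup -listnetworkserviceorder and -listpreferredwirelessnetworks, works out the correct order from the hardware port type rather than from a hard-coded en0/en1, and prints (or with --apply runs) only the networksetup commands that are actually needed. It assumes python3 (3.7 or later) is present; the embedded sample outputs, the corporate SSID allow-list (pretendco) and the service names are constructed for the example.

```python
#!/usr/bin/env python3
"""Audit networksetup state: wired-before-wireless service order and a
preferred-network list containing only approved SSIDs (added example)."""
import platform
import re
import subprocess
import sys

# One entry per service in `networksetup -listnetworkserviceorder` output;
# disabled services are printed with "(*)" in place of a rank.
ORDER_RE = re.compile(
    r"^\((?P<rank>\d+|\*)\) (?P<service>.+)\n"
    r"\(Hardware Port: (?P<port>[^,]+), Device: (?P<device>[^)]*)\)$",
    re.MULTILINE,
)

# Constructed sample output in the format networksetup prints, so the
# script can be exercised on a non-Mac host.
SAMPLE_ORDER = """An asterisk (*) denotes that a network service is disabled.
(1) Wi-Fi
(Hardware Port: Wi-Fi, Device: en1)

(2) Wired
(Hardware Port: Ethernet, Device: en0)

(3) FireWire
(Hardware Port: FireWire, Device: fw0)

(*) Bluetooth PAN
(Hardware Port: Bluetooth PAN, Device: en3)
"""
SAMPLE_PREFERRED = "Preferred networks on en1:\n\tpretendco\n\tCisco\n\tcoffee shop\n"
CORPORATE_SSIDS = frozenset({"pretendco"})   # hypothetical allow-list


def parse_service_order(text):
    """[{'service', 'port', 'device', 'enabled'}, ...] in the listed order."""
    return [{"service": m["service"], "port": m["port"], "device": m["device"],
             "enabled": m["rank"] != "*"} for m in ORDER_RE.finditer(text)]


def priority(service):
    """Wired ports first, Wi-Fi second, everything else (FireWire, Bluetooth) last."""
    port = service["port"]
    if "Ethernet" in port:
        return 0
    return 1 if ("Wi-Fi" in port or "AirPort" in port) else 2


def desired_order(services):
    """Service names with wired ahead of wireless; ties keep their current order."""
    return [s["service"] for s in sorted(services, key=priority)]


def parse_preferred_networks(text):
    """SSIDs from -listpreferredwirelessnetworks output (first line is a header)."""
    return [l.strip() for l in text.splitlines()[1:] if l.strip()]


def stale_networks(preferred, allowed):
    """Preferred SSIDs that are not on the allow-list and should be removed."""
    return [ssid for ssid in preferred if ssid not in allowed]


def run(cmd):
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def plan(order_text=None, preferred_text=None, allowed=CORPORATE_SSIDS):
    """Return the networksetup commands that bring the machine into line."""
    on_mac = platform.system() == "Darwin"
    if order_text is None:
        order_text = run(["networksetup", "-listnetworkserviceorder"]) if on_mac else SAMPLE_ORDER
    services = parse_service_order(order_text)
    wanted = desired_order(services)
    commands = []
    if [s["service"] for s in services] != wanted:
        commands.append(["networksetup", "-ordernetworkservices"] + wanted)
    wifi = [s["device"] for s in services if priority(s) == 1]
    if wifi:
        if preferred_text is None:
            preferred_text = (run(["networksetup", "-listpreferredwirelessnetworks", wifi[0]])
                              if on_mac else SAMPLE_PREFERRED)
        for ssid in stale_networks(parse_preferred_networks(preferred_text), allowed):
            commands.append(["networksetup", "-removepreferredwirelessnetwork", wifi[0], ssid])
    return commands


if __name__ == "__main__":
    for cmd in plan():
        print(" ".join(cmd))
        if "--apply" in sys.argv and platform.system() == "Darwin":
            subprocess.run(["sudo"] + cmd, check=True)
```

Run it without arguments first to review the plan; only the reorder and the removals that are needed are printed, so a machine that is already correct produces no commands at all.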

To use ifconfig:
Other network settings can be displayed and monitored from the command line
using tools such as ifconfig, ipconfig, and airport. Manual pages exist for
all the commands and can be invoked by typing man followed by the name of
the command.
ifconfig is used to set, modify, and display interface properties and status.
Changes made with ifconfig won't persist across a restart by default.
The following is an example output of ifconfig:

en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        ether 68:a8:6d:19:02:18
        inet6 fe80::6aa8:6dff:fe19:218%en1 prefixlen 64 scopeid 0x5
        inet 192.168.5.99 netmask 0xffffff00 broadcast 192.168.5.255
        media: autoselect
        status: active
ifconfig can also be used to create additional interfaces, add VLANs, bond
common media interfaces together for link aggregation grouping (LAG), and
many other options.

To use ipconfig:
ipconfig is used to view and control the state of IP addresses.
One example of using ipconfig is to display the DHCP properties of the
interface, including the DHCP server that assigned the address. To see the
information tracked about IP addresses, use the getpacket verb for ipconfig
along with the interface to be run on, as follows:
ipconfig getpacket en1

This command returns information similar to the following:


op = BOOTREPLY
htype = 1
flags = 0
hlen = 6
hops = 1
xid = 2021502854
secs = 1
ciaddr = 0.0.0.0
yiaddr = 192.168.5.99
siaddr = 0.0.0.0
giaddr = 0.0.0.0
chaddr = 68:a8:6d:19:2:18
sname =
file =
options:
Options count is 8
dhcp_message_type (uint8): ACK 0x5
server_identifier (ip): 1.1.1.1
lease_time (uint32): 0x1c20
subnet_mask (ip): 255.255.255.0
router (ip_mult): {192.168.5.1}
domain_name_server (ip_mult): {192.168.5.1}
domain_name (string): home.local
end (none):
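
The getpacket output is the quickest way to answer "who handed this Mac its address, and which resolvers did it get?", which is exactly what you want to check when you suspect a rogue DHCP server or DNS hijacking on a segment. The script below is an added example, not code from the guide: it parses the output into header fields and typed options (the lease time above, 0x1c20, is 7200 seconds) and compares the server identifier, router, and DNS servers against what is expected on the subnet. In the example output the server identifier is 1.1.1.1, which is outside 192.168.5.0/24 while hops is 1; that pattern is normal for a relayed lease and worth a second look otherwise, so the script reports it. It assumes python3 (3.7 or later); the ipconfig call only runs on OS X, and the allow-lists in the main block are hypothetical.

```python
#!/usr/bin/env python3
"""Parse `ipconfig getpacket <interface>` output and sanity-check the lease
against the DHCP and DNS servers expected on this network (added example)."""
import ipaddress
import platform
import re
import subprocess
import sys

# The guide's example output above, embedded so the checks can run anywhere.
SAMPLE_PACKET = """op = BOOTREPLY
htype = 1
flags = 0
hlen = 6
hops = 1
xid = 2021502854
secs = 1
ciaddr = 0.0.0.0
yiaddr = 192.168.5.99
siaddr = 0.0.0.0
giaddr = 0.0.0.0
chaddr = 68:a8:6d:19:2:18
sname =
file =
options:
Options count is 8
dhcp_message_type (uint8): ACK 0x5
server_identifier (ip): 1.1.1.1
lease_time (uint32): 0x1c20
subnet_mask (ip): 255.255.255.0
router (ip_mult): {192.168.5.1}
domain_name_server (ip_mult): {192.168.5.1}
domain_name (string): home.local
end (none):
"""

FIELD_RE = re.compile(r"^(\w+) = ?(.*)$")               # "yiaddr = 192.168.5.99"
OPTION_RE = re.compile(r"^\s*(\w+) \((\w+)\): ?(.*)$")  # "router (ip_mult): {192.168.5.1}"


def _convert(kind, raw):
    """ipconfig's typed text -> Python: ip_mult becomes a list, bare integers become int."""
    raw = raw.strip()
    if kind == "ip_mult":
        return [v.strip() for v in raw.strip("{}").split(",") if v.strip()]
    if kind.startswith("uint") and re.fullmatch(r"0x[0-9a-fA-F]+|[1-9]\d*|0", raw):
        return int(raw, 0)
    return raw                        # e.g. "ACK 0x5" stays readable


def parse_getpacket(text):
    """Split the output into BOOTP header fields and DHCP options."""
    fields, options, in_options = {}, {}, False
    for line in text.splitlines():
        if line.strip() == "options:":
            in_options = True
            continue
        m = (OPTION_RE if in_options else FIELD_RE).match(line)
        if not m:
            continue                  # "Options count is 8" and blank lines
        if in_options:
            name, kind, raw = m.groups()
            options[name] = _convert(kind, raw)
        else:
            fields[m.group(1)] = m.group(2).strip()
    return {"fields": fields, "options": options}


def audit(pkt, expected_servers, expected_dns):
    """Findings worth a look; an empty list means the lease looks normal."""
    f, o, findings = pkt["fields"], pkt["options"], []
    if not str(o.get("dhcp_message_type", "")).startswith("ACK"):
        findings.append("not a DHCPACK: %s" % o.get("dhcp_message_type"))
    net = ipaddress.ip_network("%s/%s" % (f["yiaddr"], o["subnet_mask"]), strict=False)
    server = o.get("server_identifier")
    if server not in expected_servers:
        where = ""
        if server:
            side = "on" if ipaddress.ip_address(server) in net else "outside"
            where = " (%s %s, hops=%s)" % (side, net, f.get("hops"))
        findings.append("lease from unexpected DHCP server %s%s" % (server, where))
    for r in o.get("router", []):
        if ipaddress.ip_address(r) not in net:
            findings.append("router %s is not on %s" % (r, net))
    for d in o.get("domain_name_server", []):
        if d not in expected_dns:
            findings.append("unexpected DNS server %s" % d)
    return findings


def check_interface(interface, expected_servers, expected_dns, raw=None):
    """Run the audit on a live interface (OS X) or on supplied/sample text."""
    if raw is None:
        raw = (subprocess.run(["ipconfig", "getpacket", interface], check=True,
                              capture_output=True, text=True).stdout
               if platform.system() == "Darwin" else SAMPLE_PACKET)
    return audit(parse_getpacket(raw), expected_servers, expected_dns)


if __name__ == "__main__":
    # Hypothetical allow-lists for the 192.168.5.0/24 network in the example output.
    problems = check_interface("en1", {"192.168.5.1"}, {"192.168.5.1"})
    for p in problems:
        print("WARNING:", p)
    sys.exit(1 if problems else 0)
```

The exit status makes the script usable as a check from a management agent: a non-zero exit flags the machine for follow-up without anyone reading the output by hand.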

Using the airport command:
A number of command-line tools in OS X are embedded in applications and
frameworks. The airport command is one such tool. Located in /System/
Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/, the
airport command displays information about wireless interfaces. This
command is also used to scan for wireless networks, set wireless preferences, and
sniff wireless packets (sniffing requires root privileges and takes the interface
off its current network while it runs).
For example, assuming /System/Library/PrivateFrameworks/
Apple80211.framework/Versions/A/Resources is the current working directory, the
following command:
./airport -s

Returns output similar to the following:

SSID     BSSID              RSSI CHANNEL HT CC SECURITY
Apple    b0:48:7a:ed:9c:d4  -83  6       N  US WPA2(PSK/AES,TKIP/TKIP)
Topeka   ba:c7:5d:0c:ac:d0  -85  6          US WPA2(PSK/AES/AES)
Atlanta  c4:3d:c7:64:2a:8b  -90  11      N  -- WEP
Tampa    c4:0a:cb:a0:ac:30  -36  11      Y  US WPA2(PSK/AES/AES)


To see extended wireless network information, hold down the Option key and
click the Wi-Fi (AirPort) status icon in the menu bar.

Figure 6.5_1

The wireless information displayed is the same as the output from the airport
command-line utility.


6.6

Configure VPN Settings


Users in many organizations must be able to access corporate networks when
working from home. The most common way to accomplish remote access is
through a Virtual Private Network (VPN). A VPN creates an encrypted tunnel across
an untrusted network (typically the Internet) so that traffic between the client
and the corporate network can't be read or modified in transit.
OS X acts as a native client to PPTP, L2TP over IPSec, and Cisco IPSec VPNs, with
no third-party software required. Note that PPTP's authentication (MS-CHAPv2)
and its MPPE encryption are considered broken, so PPTP should only be used where
no IPSec-based option exists. In this module, configure the VPN client in OS X
using each of these three client types.
To configure a PPTP client:
1. Open System Preferences from the Apple menu.
2. Click Network.
3. Click the lock icon to be able to make changes.
4. Provide the user name and password, then click OK.
5. Click the Add (+) button in the lower-left corner.

Figure 6.6_1


6. In the Interface menu, choose VPN.
7. In the VPN Type menu, choose PPTP.
8. In the Service Name field, provide the name you'd like users to see when
referencing the VPN connection.
9. Click Create.

Figure 6.6_2


10. In the Server Address field, provide the host name or IP address of the server.
11. In the Account Name field, enter the appropriate user name.
12. In the Encryption menu, choose an encryption type (the default value will
work for most environments).
13. Click the Authentication Settings button.

Figure 6.6_3


14. Choose the authentication mechanism to be used. For PPTP, a password is
most commonly used. To prompt the user for a password each time they
connect, click Cancel.
15. Click OK.

Figure 6.6_4


16. Optionally, click the Show VPN status in menu bar checkbox to allow users
to connect to the VPN from the Apple menu.

Figure 6.6_5

17. Click the Apply button.
18. Test the connection by clicking Connect or by choosing it from the Apple
menu.


To configure an L2TP client:
1. Open System Preferences from the Apple menu.
2. Click Network.

Figure 6.6_6

3. If present, click the lock icon to be able to make changes.
4. Provide the user name and password.
5. Click OK.
6. Click the Add (+) button in the lower-left corner.


7. In the Interface menu, choose VPN.
8. In the VPN Type menu, choose L2TP over IPSec.
9. In the Service Name field, provide the name you'd like users to see when
referencing the VPN connection.

Figure 6.6_7

10. Click Create.


11. In the Server Address field, provide the host name or IP address of the server.
12. In the Account Name field, enter the appropriate user name.

Figure 6.6_8

13. Click the Authentication Settings button.


14. Choose the appropriate authentication mechanisms listed under User
Authentication and Machine Authentication. This is often a password and a
shared secret. However, Certificate can be chosen for Machine
Authentication, and RSA SecurID, Certificate, Kerberos, or CryptoCard can be
chosen for User Authentication. Prefer a certificate for Machine Authentication
where possible: a shared secret is the same on every client and is hard to rotate
once it has leaked.

Figure 6.6_9

15. Enter a Group Name if needed (frequently required for Cisco L2TP over IPSec
connections).
16. Click OK.


17. Optionally, click the Show VPN status in menu bar checkbox to allow users
to connect to the VPN from the Apple menu.

Figure 6.6_10

18. Click the Apply button.


19. Test the connection by clicking Connect or by choosing it from the Apple
menu.


To configure a Cisco IPSec client:

1. Open System Preferences from the Apple menu.
2. Click Network.

Figure 6.6_11

3. Click the lock icon to be able to make changes.
4. Provide the user name and password, then click OK.
5. Click the Add (+) button in the lower-left corner.


6. In the Interface menu, choose VPN.
7. In the VPN Type menu, choose Cisco IPSec.
8. In the Service Name field, provide the name users will see when referencing
the VPN connection.

Figure 6.6_12

9. Click Create.


10. In the Server Address field, provide the host name or IP address of the server.
11. In the Account Name field, enter the appropriate user name.
12. In the Password field, enter a password for that user name.

Figure 6.6_13

13. Click the Authentication Settings button.


14. Provide a shared secret or select a certificate (see the network administrator
for this information).
15. Optionally, provide a Group Name if one is needed for your environment.
16. Click OK.

Figure 6.6_14


17. Optionally, click the Show VPN status in menu bar checkbox to allow users
to connect to the VPN from the Apple menu.

Figure 6.6_15

18. Click the Apply button.

19. Test the connection by clicking Connect (or by choosing it from the Apple
menu).


6.7

802.1x and Network Security Overview


OS X supports connecting to WEP, WPA, WPA2, WEP Enterprise, WPA Enterprise,
and WPA2 Enterprise networks. For more secure networks, OS X also supports
most 802.1x options.
802.1x is the most widely accepted form of port-based network access control in
use. It forces authentication against a centralized authentication mechanism
(generally RADIUS) before a client is granted access to a physical network. The
authentication itself is carried by an EAP method, and the strongest of these rely
on certificates: a certificate on the RADIUS server lets the client verify that it's
talking to the legitimate authenticator before it sends any credentials, and (for
EAP-TLS) a certificate on the client replaces the user name and password
entirely. Once the appropriate certificates have been installed, there are a number
of 802.1x implementations that can be leveraged.
Mac computers can join an 802.1x network as a standards-compliant Supplicant.
Once joined, a Mac can authenticate against the Authenticator using a variety of
standards-based protocols, including multifactor authentication mechanisms. This
authentication helps further secure both wired and wireless environments by
putting clients that haven't authenticated to the Authenticator into an
unauthorized state, limiting communications to only bastion hosts providing
network authentication.
802.1x authentication (as a client) is implemented in OS X in the Network pane in
System Preferences, per adapter used. How 802.1x is deployed to an environment
depends on the protocols in use for authentication. OS X supports TLS, TTLS,
PEAP, LEAP, EAP-FAST, and MD5. (LEAP and EAP-MD5 provide no server
authentication and have known weaknesses, so prefer TLS, TTLS, or PEAP for new
deployments.) The following examples outline the steps for setting up a Mac
computer to communicate with an 802.1x environment.
In many environments, the distribution of certificates occurs during the
imaging process. Installing the certificate authority's certificate establishes a
trust relationship with the authentication servers. In PEAP and TTLS, the server's
certificate is used to build a TLS tunnel, and the user's user name and password
are sent only inside that tunnel; a client that doesn't verify the server certificate
can be lured by a rogue access point into handing its credentials to an attacker.
The implementation of the client side of 802.1x is covered in the following
modules.
802.1x profiles are created and distributed using Profile Manager or Apple
Configurator. The following examples cover how to set up each of the most
widely used 802.1x configurations in OS X. The configuration profiles are then
deployed to client systems to set up the 802.1x profiles.


6.7.1

Configure WPA / TKIP PSK


Wi-Fi Protected Access (WPA) is a protocol for securing wireless networks. OS X
can act as a WPA access point or as a WPA client. WPA networks use Temporal Key
Integrity Protocol (TKIP) for security. TKIP was designed as a replacement for
WEP's key handling that existing WEP hardware could run, and it still relies on the
RC4 cipher, so it provides more security than WEP but less than WPA2 with AES
(see 6.7.2); use it only where older equipment leaves no alternative. Both WEP
and WPA are supported by OS X.
In this module, use OS X as a WPA client, browse to a network, and join wireless
networks.
To join a WPA network:
1. Open System Preferences from the Apple menu.
2. Click Network.

Figure 6.7.1_1

3. Click the lock icon to make changes.
4. Provide the appropriate administrative credentials to authenticate.
5. Click Wi-Fi in the sidebar.


6. If the Status is shown as Disabled, click the Turn Wi-Fi On button.
7. In the Network Name menu, choose the WPA network.

Figure 6.7.1_2

8. Provide a password when prompted.

Figure 6.7.1_3

9. The connection is established, and signal strength is shown in the upper-right
corner of the screen.
10. Click the Advanced button.


11. The WPA network is now included in the list of preferred networks. To reorder
interfaces by priority, drag each network into the appropriate order. To
enable users without administrative privileges to create or change wireless
networks and to disable the Wi-Fi adapter entirely, select the appropriate
checkboxes.

Figure 6.7.1_4

12. When satisfied with the configuration, click OK.


6.7.2

Configure WPA2 / AES PSK


Wi-Fi Protected Access II (WPA2) is a protocol for securing wireless networks.
OS X can act as a WPA2 client. WPA2 is similar to WPA, but rather than TKIP it uses
the Advanced Encryption Standard (AES, in CCMP mode) for encryption by default.
In this module, use OS X as a WPA2 client, browse to a wireless network, and join
that network (or provide the network information manually if the SSID has been
suppressed).
To join a WPA2 network:
1. Open System Preferences from the Apple menu.
2. Click Network.

Figure 6.7.2_1

3. Click the lock icon to make changes.
4. Provide the appropriate administrative credentials.
5. Click Wi-Fi in the sidebar.


6. If the Status is shown as Disabled, click the Turn Wi-Fi On button.
7. In the Network Name menu, choose Join other network.

Figure 6.7.2_2

8. Provide a name for the network and a password when prompted.

Figure 6.7.2_3

9. The connection is established and signal strength is displayed in the upper-right
corner of the screen.

10. Click the Advanced button.
11. The WPA2 network is included in the list of preferred networks. To reorder
networks by priority, drag each network into the appropriate order. To enable
users without administrative privileges to create or change wireless networks,
and to disable the Wi-Fi adapter entirely, select the appropriate checkboxes.
12. When satisfied with the configuration, click OK.


6.7.3

Create 802.1x Profiles


802.1x is the most widely accepted form of port-based network access control.
Extensible Authentication Protocol (EAP) is the authentication framework that
802.1x carries; the EAP method that succeeds also produces the keying material
used to protect the wireless session. Supported EAP authentication protocols
include Protected Extensible Authentication Protocol (PEAP), which encapsulates
EAP traffic within Transport Layer Security (TLS).
With PEAP, the authentication server presents a certificate, the client uses it to
build a TLS tunnel, and the user's name and password are sent inside that tunnel.
The profile therefore needs to carry (or reference) the certificate authority that
issued the server's certificate; otherwise the client has no way to tell the corporate
RADIUS server from an impostor. OS X supports 802.1x PEAP connectivity.
Configurations are imported using a configuration profile (in the form of a
.mobileconfig file) created in Profile Manager, Apple Configurator, or iPhone
Configuration Utility.
In this module, start with a functional installation of Profile Manager. Next create
a configuration profile that will then be installed on a client system.
To create a configuration profile for 802.1x/PEAP:
1. On an OS X Server system, open the Server application from /Applications.
2. Click Profile Manager in the Services list in the sidebar.

Figure 6.7.3_1

303

IT Configuration GuideFor Your Mac Evaluation and Deployment (Version 6.0)

3. Click Open Profile Manager.

Figure 6.7.3_2

4. Click a Device, User, or Group to create the profile for that object.
5. Click the Settings tab.
6. Click the Edit button.
Note: If the Edit button isn't available, first create a new configuration by
clicking the Add (+) button. Then click the Edit button.

Figure 6.7.3_3


7. Install the certificate. (If a certificate isn't required, skip this step.)
a. Click Certificate in the sidebar.
b. Click the Configure button.

Figure 6.7.3_4

c. Provide a name for the certificate in the Certificate Name field.
d. Click the Add Certificate button.

Figure 6.7.3_5

e. Browse to the certificate file (for example .cer, .pem, or .p12).


f. Click the Choose button.

Figure 6.7.3_6

g. In the Passphrase field, provide the passphrase for the certificate.
h. Click OK.

Figure 6.7.3_7

8. Configure 802.1x.
a. Click Network in the sidebar.
b. Click the Configure button.

Figure 6.7.3_8

c. In the Network Interface menu, select the appropriate interface to
configure.

Choose Wi-Fi:
i. Provide the name (SSID) of the wireless network in the Service
Set Identifier (SSID) field.
ii. Click the Hidden Network checkbox if the SSID has been
suppressed.
iii. In the Security Type menu, choose WPA/WPA2 Enterprise.
iv. Click the Protocols tab.
v. Under Accepted EAP Types, click the PEAP checkbox.
vi. Click OK.

Figure 6.7.3_9

Figure 6.7.3_9


Choose Ethernet (OS X Only):
i. Click the Protocols tab.
ii. Under Accepted EAP Types, click the PEAP checkbox.
iii. Click OK.

Figure 6.7.3_10

d. Click Save.
e. Deploy the profile to a client system to test functionality.
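
The Profile Manager steps above produce a .mobileconfig whose Wi-Fi payload references the certificate payload installed in step 7; what makes the result safe is that the PEAP configuration trusts only that CA and only the expected RADIUS server names, without letting users click through a certificate warning. The following script is an added example, not code from the guide or from Apple: it builds the same kind of profile with plistlib, using the payload keys from Apple's Configuration Profile Reference (com.apple.wifi.managed, EAPClientConfiguration, PayloadCertificateAnchorUUID, TLSTrustedServerNames, TLSAllowTrustExceptions), checks that an exported profile is anchored that way, and installs it with the profiles command. It assumes python3 (3.4 or later); the SSID pretendco, the server name radius.pretendco.com, the payload identifiers and the CA bytes are placeholders, and the install step only works on OS X.

```python
#!/usr/bin/env python3
"""Build a .mobileconfig carrying a Wi-Fi PEAP payload plus the RADIUS CA
it is anchored to, then install it with profiles(1) (added example)."""
import platform
import plistlib
import subprocess
import sys
import uuid

# Placeholder bytes standing in for the RADIUS CA's DER certificate; a real
# build reads the CA's .cer/.der file instead.
CONSTRUCTED_CA_DER = b"\x30\x82constructed-not-a-real-certificate"


def new_uuid():
    return str(uuid.uuid4()).upper()


def certificate_payload(der, name):
    """Root-certificate payload; the Wi-Fi payload references it by UUID."""
    return {"PayloadType": "com.apple.security.root", "PayloadVersion": 1,
            "PayloadIdentifier": "com.pretendco.radius-ca", "PayloadUUID": new_uuid(),
            "PayloadDisplayName": name, "PayloadContent": der}   # bytes -> <data>


def wifi_peap_payload(ssid, hidden, radius_names, ca_uuid):
    """WPA/WPA2 Enterprise network using PEAP, trusting only ca_uuid for the server."""
    return {"PayloadType": "com.apple.wifi.managed", "PayloadVersion": 1,
            "PayloadIdentifier": "com.pretendco.wifi.%s" % ssid, "PayloadUUID": new_uuid(),
            "PayloadDisplayName": "Wi-Fi (%s)" % ssid,
            "SSID_STR": ssid, "HIDDEN_NETWORK": hidden, "AutoJoin": True,
            "EncryptionType": "WPA",                          # WPA/WPA2 Enterprise with EAP below
            "EAPClientConfiguration": {
                "AcceptEAPTypes": [25],                       # 25 = PEAP
                "TLSTrustedServerNames": list(radius_names),  # names the RADIUS cert must carry
                "PayloadCertificateAnchorUUID": [ca_uuid],    # only this CA may sign that cert
                "TLSAllowTrustExceptions": False}}            # no click-through on a bad cert


def build_profile(ssid, hidden, radius_names, ca_der):
    ca = certificate_payload(ca_der, "PretendCo RADIUS CA")
    wifi = wifi_peap_payload(ssid, hidden, radius_names, ca["PayloadUUID"])
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadIdentifier": "com.pretendco.8021x", "PayloadUUID": new_uuid(),
                           "PayloadDisplayName": "PretendCo 802.1x",
                           "PayloadRemovalDisallowed": False,
                           "PayloadContent": [ca, wifi]})


def parse_profile(data):
    return plistlib.loads(data)


def anchored_correctly(data):
    """Check an exported profile: every Wi-Fi payload must pin server names and
    anchor trust to a CA carried in the same profile, with no trust exceptions."""
    p = parse_profile(data)
    cas = {x["PayloadUUID"] for x in p["PayloadContent"]
           if x["PayloadType"] == "com.apple.security.root"}
    for x in p["PayloadContent"]:
        if x["PayloadType"] != "com.apple.wifi.managed":
            continue
        eap = x.get("EAPClientConfiguration", {})
        anchors = set(eap.get("PayloadCertificateAnchorUUID", []))
        if (not anchors or not anchors <= cas or not eap.get("TLSTrustedServerNames")
                or eap.get("TLSAllowTrustExceptions", True)):
            return False
    return True


def install(data, path):
    with open(path, "wb") as fh:
        fh.write(data)
    if platform.system() == "Darwin":                 # profiles(1) only exists on OS X
        subprocess.run(["sudo", "profiles", "-I", "-F", path], check=True)


if __name__ == "__main__":
    profile = build_profile("pretendco", False, ["radius.pretendco.com"], CONSTRUCTED_CA_DER)
    assert anchored_correctly(profile)
    install(profile, sys.argv[1] if len(sys.argv) > 1 else "/tmp/pretendco-8021x.mobileconfig")
```

anchored_correctly is also useful on its own against a profile downloaded from Profile Manager: it will reject a profile whose Wi-Fi payload has no anchor or no trusted server names, which is what you get when the Trust tab is skipped in the steps above. For the wired variant, the same EAPClientConfiguration goes into a com.apple.firstactiveethernet.managed payload (that payload type is an assumption drawn from the same reference, not something the guide shows).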


6.8

Import and Export 802.1x Profiles


Once .mobileconfig files are created, profiles can be installed on client systems to
deploy 802.1x settings as part of an imaging workflow, on the device over the
network, or manually by users.
In this module, install profiles with 802.1x settings, first exporting the profile so
there is a file that can be distributed.
To export a configuration profile:
1. Open the Profile Manager web page located at
https://<server name>/profilemanager.
2. Browse to the profile created.
3. Click Download.
Note: This not only exports 802.1x information, but also any other settings for
that profile, including any certificates installed. A downloaded profile that
carries a .p12 identity or a stored password is therefore sensitive and should be
stored and distributed accordingly.

Figure 6.8_1


4. Cancel the attempt to install the profile. Then copy it from the currently
logged-in user's download directory to a secure location.

Figure 6.8_2

To install a configuration profile on a client computer:
1. Double-click the configuration profile.
2. Click Show Profile.

Figure 6.8_3

3. Verify that the settings are correct.


4. Click Continue.

Figure 6.8_4

5. Click Install.
6. Because 802.1x requires a local administrator for configuration, provide the
local administrator's user name and password.
Note: To see profiles (and remove them, if needed), use the Profiles pane in
System Preferences, which will only appear once a profile has been installed.

Figure 6.8_5

Note: If the profile is signed using a self-signed certificate, you will see a prompt
to install the profile again, along with a warning that the certificate is self-signed.

6.9

Configure 802.1x to Join Corporate Networks


The 802.1x protocol authenticates users to networks. OS X supports 802.1x clients
joining standard networks via a number of the more common protocols used
when configuring 802.1x.
To see settings and to establish a manual connection with 802.1x:
1. Open System Preferences from the Apple menu.
2. Click Network.
3. Click the interface with an 802.1x profile.
4. Next to the 802.1x field, click the Connect button.

Figure 6.9_1


5. Optionally, set the connection to occur automatically.
a. Click the Advanced button.
b. Click the 802.1x tab.
c. Click the checkbox for Enable automatic connection.
d. Click OK.

Figure 6.9_2


6.10

Obtain a Certificate from a Windows CA


Many environments use a Windows-based Certificate Authority (CA). The CA
distributes certificates to client systems, including Mac computers.
When using any type of CA, certificates need to be made available in a form that
OS X understands. Common certificate formats include, but are not limited to:
.cer, .crt, .der   A single certificate, usually DER (binary) encoded; .cer and .crt
files may also contain the PEM form.
.pem   Base64-encoded DER between BEGIN CERTIFICATE and END CERTIFICATE markers.
.p12   A PKCS#12 bundle containing a certificate together with its private key,
protected by a passphrase.
To obtain a .crt certificate:
1. Install the certificate from a CA using Safari. For example, visit the https
version of the site. When prompted, click Show Certificate.

Figure 6.10_1

2. Click the Always trust <server name> when connecting to <IP address>
checkbox so the certificate is cached on the client computer. Only do this after
comparing the certificate's fingerprint with one obtained from the CA's
administrator; accepting an unverified certificate here is exactly what an
attacker intercepting the connection would want.
3. Click Continue.

Figure 6.10_2

4. Authenticate if prompted.
5. Open Keychain Access, located in /Applications/Utilities.



6. Search for the certificate name.
7. Export the certificate by either dragging it to the desktop or by choosing
Export Items in the File menu if the certificate should have a password, as
described previously in this guide.

Figure 6.10_3

To install the certificate:
1. Double-click the exported certificate. This opens Keychain Access.
2. Click Certificates in the Category list in the sidebar.
3. Click the Add (+) button.
4. In the Keychain menu, choose the keychain into which to install the
certificate. For certificates that should be available to all users, choose
System. Otherwise, choose login.
5. Click the Add button.

Figure 6.10_4


6. If installing the certificate into the System keychain, provide an
administrative account's credentials in the Authenticate window.

Figure 6.10_5

7. In the When using this certificate menu, choose Always Trust.
8. Click the keychain into which the certificate was imported.
9. Click the certificate and verify that it's valid.

Certificates are also added programmatically or by double-clicking them.


6.11

Trust Certificates from the Command Line


When imaging systems, SSL certificates often need to be distributed as part of a
base image, enabling computers to authenticate to network resources.
To obtain a certificate, the certificate must be downloaded from a valid Certificate
Authority. This module uses the curl command to download a certificate called
mycert.crt and place it into the /tmp directory of the local client by specifying the
path using the -o option, as follows:
curl -o /tmp/mycert.crt http://myserver.mydomain.org/
mycert.crt

Note: Anything fetched over plain http can be replaced in transit. Before trusting
a certificate obtained this way, compare its SHA-256 fingerprint (openssl x509
-fingerprint prints it) with one obtained out of band from the CA's administrator,
or distribute the certificate inside a signed configuration profile instead.

Once a client system has a certificate, it must be imported using the security
command along with the import verb. Specify the certificate file following the
import verb, followed by the -k option to specify into which keychain the
certificate will be installed (run with sudo to install into the System.keychain).
sudo security import /tmp/mycert.crt -k /Library/Keychains/
System.keychain -x
Adding the -x flag to this command prevents the private key
from being exported from the keychain; it only has an effect when the file being
imported (such as a .p12) actually contains a private key.
Note: Importing a certificate adds it to the keychain but does not by itself mark it
as trusted. To import a CA certificate and mark it as a trusted root in one step,
use the add-trusted-cert verb of the security command instead (with -d to write
the admin trust settings and -r trustRoot); see man security.

Once a certificate has been installed, the .crt file can be removed using the rm
command followed by the path of the file, as follows:
rm /tmp/mycert.crt
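
The download-then-trust sequence above is only as trustworthy as the download, so an imaging script should refuse to mark a certificate trusted unless it matches a fingerprint that was pinned when the script was written. The following script is an added example, not code from the guide: it decodes a PEM or DER certificate, computes the SHA-256 fingerprint in the colon-separated form openssl prints, compares it in constant time against the pinned value, and only then runs security add-trusted-cert (which, unlike security import, also records the trust setting). It assumes python3; the path /tmp/mycert.crt and the pin on the command line are placeholders, and the security call only runs on OS X.

```python
#!/usr/bin/env python3
"""Pin-check a downloaded CA certificate before marking it trusted with
security add-trusted-cert (added example)."""
import base64
import hashlib
import hmac
import platform
import re
import subprocess
import sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
SYSTEM_KEYCHAIN = "/Library/Keychains/System.keychain"


def pem_to_der(text):
    """DER bytes of the first certificate in a PEM document."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))


def load_der(path):
    """Accept a PEM (.pem, or a PEM-encoded .crt) or a raw DER (.cer/.der) file."""
    with open(path, "rb") as fh:
        data = fh.read()
    return pem_to_der(data.decode("ascii")) if b"-----BEGIN CERTIFICATE-----" in data else data


def sha256_fingerprint(der):
    """Colon-separated upper-case hex, as printed by openssl x509 -fingerprint -sha256."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pin_matches(der, pin):
    """Compare against the pinned fingerprint, ignoring case and separators."""
    want = re.sub(r"[^0-9A-F]", "", pin.upper())
    have = re.sub(r"[^0-9A-F]", "", sha256_fingerprint(der))
    return hmac.compare_digest(want, have)


def trust_command(cert_path, keychain=SYSTEM_KEYCHAIN):
    """security(1) call that imports the certificate AND marks it a trusted root
    in the admin trust settings (-d); security import alone does not set trust."""
    return ["security", "add-trusted-cert", "-d", "-r", "trustRoot", "-k", keychain, cert_path]


def trust_if_pinned(cert_path, pin, keychain=SYSTEM_KEYCHAIN):
    """Return True once the certificate is trusted; refuse on a fingerprint mismatch."""
    der = load_der(cert_path)
    if not pin_matches(der, pin):
        raise SystemExit("fingerprint mismatch for %s: got %s"
                         % (cert_path, sha256_fingerprint(der)))
    if platform.system() != "Darwin":
        print("would run:", " ".join(trust_command(cert_path, keychain)))
        return False
    subprocess.run(["sudo"] + trust_command(cert_path, keychain), check=True)
    return True


if __name__ == "__main__":
    # Usage: trust_cert.py /tmp/mycert.crt <SHA-256 fingerprint obtained out of band>
    trust_if_pinned(sys.argv[1], sys.argv[2])
```

Because the pin lives in the deployment script rather than on the download server, replacing the file on the server (or on the wire) makes the script stop instead of silently installing a trust anchor for an attacker.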


6.12

Create Active Directory Certificates


An Active Directory Certificate Authority (CA) can issue certificates to users and
computers. Previous modules covered .pfx certificates exported from a CA, but
enrolling with the CA provides certificates without manually installing them.
This allows for easier revocation and helps manage certificate expiration; that is,
the amount of time before a certificate expires is configured on the CA, typically
by policy.
Because user- or machine-based certificates are becoming more common, Profile
Manager now comes with a payload to configure these Active Directory-based
certificates. This allows for mass enrollment of client systems into an Active
Directory-based CA infrastructure.
To configure an Active Directory certificate:
1. On an OS X Server system, open the Server application from /Applications.
2. Click Profile Manager in the Services list in the sidebar.

Figure 6.12_1


3. Click Open Profile Manager.

Figure 6.12_2

4. Click a device, user, or group.
5. Click the Settings tab.
6. Click Edit.

Figure 6.12_3

7. Click AD Certificate in the Settings sidebar.


8.

In the Configure AD Certificate pane, click the Configure button.

Figure 6.12_4

9. Click the Description field and type a description for the name of the
payload. This is what you will see when selecting this profile in 802.1X or
other windows.
10. Click the Certificate Server field and provide a name for the CA Server.
11. Click the Certificate Authority field and provide the name of the CA.
12. Click the Certificate Template field and provide a name for the template
(such as Machine or User). Optionally, provide a user name and password in the
Username and Password fields, respectively.
Note: When left blank, the Username and Password fields prompt users for
their Active Directory user name and password when the profile is installed.

Figure 6.12_5


13. Click OK.
14. Click Save.
15. Click Save again to confirm; the profile change is saved.
The profile can then be pushed to the user or manually downloaded using the
Download button.
There are more actions that can be accomplished with these profiles. For a more
detailed explanation of use and functionality, see
training.apple.com/pdf/WP_8021X_Authentication.pdf.

Certificate Expiration
By design, certificates expire. Configuration profiles need to be reinstalled to
reissue new identities. Notification Center in OS X issues a profile notification
when the certificate is within 15 days of expiration. Users then click the
notification and see an Update button in the Profiles pane in System Preferences.
The Update button reissues the identity, tears down the existing EAP-TLS
configuration, and rebuilds the EAP-TLS configuration with the new identity.
Note: During the reconfiguration process, as with the initial configuration process,
there should not be any interruption in connectivity. The client computer also
needs a valid route to the issuing CA.


7 Collaboration
Information is essential for the knowledge worker. One of the great challenges for
IT is to optimize the sharing, storage, and retrieval of institutional knowledge,
from managing access to sensitive data to enabling valuable group collaboration.
Apple offers a number of innovative features built into OS X that promote
streamlined collaboration. To collaborate effectively, users may also need to
access groupware and corporate data centers that leverage Microsoft servers.
This section covers how to integrate Apple tools and technologies with an
organization's existing collaboration solutions. A good portion of this section
also covers how to access Microsoft Exchange and Microsoft SharePoint, two of
the most common collaboration tools for the enterprise.


7.1 Integrate with Microsoft Exchange

The Exchange Web Services (EWS) application programming interface (API) was
designated Microsoft's next-generation API for collaboration services, starting
with Microsoft Exchange 2007. EWS replaces the Messaging Application Programming
Interface (MAPI) and Collaboration Data Objects (CDO). The EWS protocol
communicates over HTTP by default, and includes a subset of features that
implement the Autodiscover protocol.
EWS is a robust API targeting rich client platforms. It should not be confused
with Microsoft Exchange ActiveSync (EAS), which only targets delivering services
to mobile devices.
OS X ships with native support for Microsoft Exchange 2007 and later. This native
integration with the Mail, Contacts, and Calendar applications in OS X relies on
EWS.


7.1.1 Use Mail, Contacts, and Calendar with Exchange

Mail, Contacts, and Calendar can be configured to work with Microsoft Exchange
in three ways:
1. Through the Internet Accounts pane in System Preferences.
2. By setting up Mail with Exchange Autodiscover, which also automatically
configures Contacts and Calendar.
3. Using a configuration profile that can be created with iPhone Configuration
Utility, Apple Configurator, or the Profile Manager service in OS X Server.

To configure Mail in System Preferences:
1. Choose System Preferences from the Apple menu.
2. Click Internet Accounts.

Figure 7.1.1_1


3. Click the Add (+) button.

Figure 7.1.1_2

4. Click Microsoft Exchange.
5. Enter the user's name, email address, and password in the appropriate fields.

Figure 7.1.1_3


6. Click Continue.
7. Autodiscover should provide the user name, password, and server address for
the account.
8. Click Continue.

Figure 7.1.1_4

Note: If Autodiscover doesn't complete the setup process for you, see the
troubleshooting section later in this document.


7.1.2 Enable S/MIME in Mail

S/MIME (Secure/Multipurpose Internet Mail Extensions) is used to sign mail and
can be enabled if a mail encryption certificate for the user account is available
in the OS X keychain. This module shows how to enable S/MIME for an email account
when a certificate has already been installed.
To enable S/MIME:
1. Open the Mail application on a computer that has a configured account.
2. Choose Preferences in the Mail menu.
3. Click Accounts.
4. Choose the appropriate certificate from the TLS Certificate menu. (This
information is loaded from the user's keychain.)

Figure 7.1.2_1

5. Close the Accounts window.

Signed and encrypted mail can be sent once the certificate is enabled. When
composing a new message, click the icons for Sign and/or Encrypt in the menu
bar and click OK.
Note: The Sign or Encrypt option is only available if the account sending the
email has a valid TLS certificate installed.


7.1.3 Enable Out-of-Office Responses in Mail

Out-of-office responses are for users who are unavailable to check email for a
variety of reasons, such as vacation or illness. While out-of-office responses can be
configured in the Microsoft Exchange web client, they can also be configured in
the Mail application in OS X. This module reviews how to configure an out-of-office
response.
To configure out-of-office messages for Exchange accounts in Mail:

1. Open Mail from /Applications.
2. Right-click the name of the account in the sidebar. Or if there's only one
account, click Inbox.
3. Choose Get Account Info from the pop-up menu.

Figure 7.1.3_1


4. Click the Out of Office tab.

Figure 7.1.3_2

5. Click the Send Out of Office replies checkbox.
6. Choose the duration of time during which replies will be sent. For example,
Until disabled.
7. Enter a message for users of your domain in the Internal Reply field and a
message for those outside your domain in the External Reply field.
8. Close the Account Info window.

Out-of-office replies are now sent by the server on behalf of the user
account.


7.1.4 Configure Exchange ActiveSync Certificate-Based Authentication

ActiveSync certificate-based authentication is an option for Exchange clients that
allows users to change their password without having to reenter that password
on every device they use. Mail supports Exchange ActiveSync certificate-based
authentication.
To use certificate-based authentication, use an Exchange 2010 server
connected to an enterprise CA. ActiveSync must be configured to accept
certificate-based authentication, and user certificates should be exported. The IIS
(Internet Information Server) Client Certificate Mapping authentication role
service must also be installed and configured properly. The authentication
method for the ActiveSync site should then be set to Require client certificates.
Each user being configured needs a certificate exported from the Certificates
MMC snap-in (Certificates.mmc). Prior to enrolling on behalf of each user, an
Active Directory enrollment policy is required. The next module covers the
process of installing the account using the certificate in simple .pfx form.
The next module also covers creating a profile to install an email account on a
device that leverages certificate-based authentication. By creating profiles to
install email accounts, those accounts can be deployed en masse.


7.1.5 Set Certificate-Based Authentication for Mail, Contacts, and Calendar

This module describes the actual implementation of certificate-based
authentication for Mail, Contacts, and Calendar. The process is shown using a
profile, to provide a functional mass-deployment scenario. However, such
authentication can be configured manually as well.
To configure certificate-based authentication:
1. Open the Server application on an OS X Server system.
2. Click the Profile Manager service.
3. Click Open Profile Manager, and authenticate if prompted.
4. Click Users in the Library list in the sidebar. Then select the relevant user.

Figure 7.1.5_1

5. In the Settings tab, click Edit.
6. Click Certificate in the sidebar.

Figure 7.1.5_2

7. Click the Configure button.
8. Provide a name for the certificate in the Certificate Name field.
9. Enter the passphrase for the certificate in the Passphrase field.
10. Click the Add Certificate button.

Figure 7.1.5_3

11. Locate and select the certificate.
12. Click Choose.

Figure 7.1.5_4


13. In the sidebar, scroll up and click Exchange.


14. Click the Configure button.

Figure 7.1.5_5

15. Provide a name for the account in the Account Name field.
16. In the Connection Type menu, choose Exchange Web Services (OS X only).
17. Enter the domain name in the Domain field.
18. Enter the user name in the User field.
19. Enter the email address in the Email Address field.
20. Enter the password for the user in the Password field.
21. Enter the name of the Exchange server in the Internal Exchange Host field.

Figure 7.1.5_6


22. Click OK.
23. Click the Save button.

Figure 7.1.5_7

24. Click Save again to confirm.


Once the profile has been created, click the Download button to download a
profile that can be manually applied to the server. Or enroll a device using the
user name identified in the profile and the account will be created on the Mac
using the information supplied in the profile.


7.2 Troubleshoot Mail, Contacts, and Calendar with Microsoft Exchange

Troubleshooting Exchange connectivity typically only happens during the initial
integration of OS X, or during upgrades when new versions of client software are
released. Many organizations rely on Autodiscover to allow client computers to
easily connect to user mailboxes regardless of physical location. Autodiscover
relies on Domain Name Service (DNS) to point clients to required resources.
An Autodiscover request is sent over HTTP when setting up Mail, Contacts, and
Calendar with Exchange. The Mail application then queries DNS for the location of
the Autodiscover service, which should be the Client Access Server (CAS) for the
Exchange organization.
At that point, the Internet Information Server hosting EWS responds to the client
with a request for authentication. The client then authenticates using the
credentials provided to Mail. Once authenticated, the EWS service responds with
the location of the Lightweight Directory Access Protocol (LDAP) service, the EWS
servers, and other required configuration information.
The Autodiscover protocol is designed to perform setup any time a known mail
server is unreachable. This enables administrators to move mailboxes based on
server capacity without impacting user uptime or experience. In accordance with
this practice, Mail.app will run the Autodiscover process again if/when mailboxes
are moved on the Exchange server.
Troubleshooting connectivity to Exchange can be broken down into several areas
including DNS, Improper Redirects, Certificate Errors, and Limits on Message Size.


7.2.1 Check Autodiscover with DNS

In many organizations, Autodiscover has been implemented via Service
Connection Points (SCPs). This is usually sufficient for Windows clients running
Microsoft Outlook. However, if the proper forward and reverse DNS entries for
Autodiscover haven't been configured on the DNS servers, a Mac can't find the
Exchange Web Services service on the Client Access Server.
Check the DNS information using nslookup from a Windows client to verify
service (SRV) DNS record results, as follows:
1. Click Start, then click Run.
2. In the Open window, type cmd.
3. At the command prompt, type nslookup and press the Enter key.
4. At the nslookup prompt, type set type=all and press the Enter key.
5. Type _autodiscover._tcp.pretendco.com, where pretendco.com is the domain of
the primary email address.
6. Press the Enter key.

The output appears similar to the following. If it doesn't, continue to the next
troubleshooting steps.
***************************************************
> set type=all
> _autodiscover._tcp.pretendco.com
Server:  casserver.mail.pretendco.com
Address:  192.168.1.100

Non-authoritative answer:
_autodiscover._tcp.pretendco.com
        primary name server = ns2.pretendco.com
        responsible mail addr = mailserver.pretendco.com
        serial  = 1
        refresh = 10000 (2 hours 46 mins 40 secs)
        retry   = 1800 (30 mins)
        expire  = 1814400 (21 days)
        default TTL = 300 (5 mins)

_autodiscover._tcp.pretendco.com        nameserver = ns2.pretendco.com
_autodiscover._tcp.pretendco.com        nameserver = ns1.pretendco.com


7.2.2 Address Improper Redirects / Certificate Errors

If the client has problems connecting to the Exchange server, even with the
service record set properly, the Client Access Server may not be properly
configured to accept Autodiscover requests. There could also be a Host Name
mismatch, or the server certificate may not have the proper Subject Alternative
Name (SAN) and reverse IP lookup.
To trace these errors while setting up Mail, execute the following command in
Terminal:
/Applications/System\ Preferences.app/Contents/MacOS/System\ Preferences -LogEWSAutodiscoveryActivity YES >& ~/Desktop/ConnectionLog.txt &

This will launch the Mail, Contacts, & Calendars pane in System Preferences to
begin setup and log all traffic generated into a text file on the desktop. This log
file will greatly assist in troubleshooting connectivity issues. Because it records
the traffic generated during setup, treat the file as sensitive and remove it when
troubleshooting is complete.
To trace regular Mail activity beyond EWS Autodiscover, type the following two
commands:
/Applications/Mail.app/Contents/MacOS/Mail -LogHTTPActivity YES >& ~/Desktop/yourmaildebug.log &
defaults write -g LogHTTPActivity YES


7.2.3 Limit Message Size

Exchange has a complex hierarchy of settings governing the maximum message
size for each mailbox. These are configured using the Set-TransportConfig cmdlet
in the Exchange Management Shell. Because Mail relies on EWS, the EWS website in
the Internet Information Server instance coupled with Exchange must also be
modified to lift these restrictions.
To increase the send size for an entire organization to unlimited, use the
Set-TransportConfig cmdlet as follows:
Set-TransportConfig -MaxSendSize unlimited

To increase the send size for individual users, use the Set-Mailbox cmdlet.
For example, set MaxSendSize and MaxReceiveSize for a user called testuser
to 20 MB, as follows:
Set-Mailbox -Identity testuser -MaxSendSize 20MB -MaxReceiveSize 20MB

In addition to configuring maxMessageSize, maxReceiveSize, and maxSendSize
for Connectors and Hub Transport servers, the maxRequestLength in the EWS
site's Web.config file must be changed to a value of similar scale. This allows
files of those sizes to actually be downloaded without first timing out. The
interaction of Mail with an Exchange server is routed through the EWS site, and
is therefore governed by this setting above all other message-size limits, as
with other tools that interface with EWS.
To locate the Web.config file:
For Exchange 2007, Web.config resides in
\Program Files\Microsoft\Exchange Server\ClientAccess\exchweb\ews.
For Exchange 2010 and 2013, find the Outlook Web App Web.config file on the
Client Access server. The default location is
\Program Files\Microsoft\Exchange Server\V14\ClientAccess\exchweb\ews.

To limit message size, for example to 20MB, the message size limits and the
Web.config file must be changed as follows:
1. Make a backup of the Web.config file.
2. Edit the Web.config file (for example, using Notepad).
3. Find the httpRuntime tag, subordinate to system.web.
4. Change the value for maxRequestLength to 20000, as the units are kilobytes.
5. Save the file.
6. Stop and restart the Default Website for the setting to take effect.
Alternatively, you can simply restart IIS.

If other Exchange settings for message size limits are configured accordingly,
changing this setting will give Mail users in OS X connected to an Exchange
server the ability to send messages as large as 20MB. The size of a message is
roughly determined by the size of the message body in addition to any attached
files.
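The Web.config edit above, automated as an added example (not from the guide or from Microsoft): it backs up the file, sets maxRequestLength on system.web/httpRuntime (creating the element when it is missing), and reads the value back so the change can be reviewed before IIS is restarted. The sample Web.config contents are constructed, and the file must still be restarted into IIS per step 6.

```python
import shutil
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample resembling the relevant part of an EWS Web.config. Real
# files carry many more elements and comments; those are left untouched.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!-- constructed sample, not a real Exchange Web.config -->
  <system.web>
    <compilation debug="false" />
    <httpRuntime maxRequestLength="4096" executionTimeout="110" />
  </system.web>
</configuration>
"""

# Edge case: a Web.config with no <httpRuntime> element at all.
SAMPLE_WITHOUT_HTTPRUNTIME = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <compilation debug="false" />
  </system.web>
</configuration>
"""


def kilobytes_for_megabytes(size_mb: int) -> int:
    """The guide uses 20000 for 20 MB, i.e. decimal kilobytes (1 MB = 1000 KB)."""
    return size_mb * 1000


def set_max_request_length(tree: ET.ElementTree, size_mb: int) -> dict:
    """Steps 3 and 4: locate system.web/httpRuntime (creating it if absent)
    and set maxRequestLength. Returns the old and new values for review."""
    root = tree.getroot()
    if root.tag != "configuration":
        raise ValueError("not a .NET Web.config: root element is <%s>" % root.tag)
    system_web = root.find("system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    http_runtime = system_web.find("httpRuntime")
    if http_runtime is None:
        http_runtime = ET.SubElement(system_web, "httpRuntime")
    old = http_runtime.get("maxRequestLength")  # None when not set explicitly
    new = str(kilobytes_for_megabytes(size_mb))
    http_runtime.set("maxRequestLength", new)
    return {"old": old, "new": new}


def raise_ews_request_limit(web_config: Path, size_mb: int) -> dict:
    """Steps 1 to 5: back up Web.config beside itself, edit it, and save it."""
    backup = web_config.with_name(web_config.name + ".bak")
    shutil.copy2(web_config, backup)
    # insert_comments keeps the file's XML comments so a diff against the
    # backup shows only the attribute change.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    tree = ET.parse(web_config, parser=parser)
    change = set_max_request_length(tree, size_mb)
    tree.write(web_config, encoding="utf-8", xml_declaration=True)
    change["backup"] = str(backup)
    return change


def read_max_request_length(web_config: Path):
    """Return the current maxRequestLength as a string, or None if unset."""
    node = ET.parse(web_config).getroot().find("system.web/httpRuntime")
    return None if node is None else node.get("maxRequestLength")


def demo(size_mb: int = 20, sample: str = SAMPLE_WEB_CONFIG) -> dict:
    """Run the edit against a constructed sample in a temporary directory."""
    import tempfile
    work = Path(tempfile.mkdtemp(prefix="ews-webconfig-"))
    cfg = work / "Web.config"
    cfg.write_text(sample, encoding="utf-8")
    change = raise_ews_request_limit(cfg, size_mb)
    change["after"] = read_max_request_length(cfg)
    change["backup_intact"] = Path(change["backup"]).read_text(encoding="utf-8") == sample
    return change


if __name__ == "__main__":
    print(demo(20))                              # old 4096 -> new 20000
    print(demo(20, SAMPLE_WITHOUT_HTTPRUNTIME))  # old None -> new 20000
```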


Note: The configuration of maxRequestLength in the EWS Web.config file isn't
currently documented by Microsoft. However, it's documented for the Outlook
Web App (OWA). The steps listed above are therefore subject to change.
For more information about managing Exchange message sizes, see these
Microsoft articles:
For Exchange 2007:
technet.microsoft.com/en-us/library/bb124345(EXCHG.80).aspx
For Exchange 2010 and 2013:
technet.microsoft.com/en-us/library/bb124345.aspx


7.2.4 Access Additional Troubleshooting Resources

The following web pages address many of the most common challenges
encountered when integrating Mail, Contacts, and Calendar into Exchange
environments.

Understanding Autodiscover Service in Exchange.
technet.microsoft.com/en-us/library/bb124251.aspx
Configuring DNS to Support SRV Records.
support.microsoft.com/kb/940881
Exchange 2007: Managing Message Size Limits.
technet.microsoft.com/en-us/library/bb124345(EXCHG.80).aspx
Exchange 2007: Managing Maximum Message Size in Outlook Web App.
technet.microsoft.com/en-us/library/aa996835(EXCHG.80).aspx
Exchange 2010/2013: Managing Message Size Limits.
technet.microsoft.com/en-us/library/bb124345.aspx
Exchange 2010: Configuring Maximum Message Size in Outlook Web App.
technet.microsoft.com/en-us/library/aa996835.aspx


7.2.5 Support Exchange Autodiscover

The Mail application and other client apps used to access Exchange must first be
configured with settings for the name or IP address of the server, potentially SSL
certificates, user names, domain names, passwords, and so on. These settings are
too numerous for end users to remember or configure on their own.
Autodiscover is a protocol that attempts to connect to an Exchange server on
behalf of the user. Introduced in Microsoft Exchange Server 2007, Autodiscover
enables an Exchange-capable email client to automatically configure a user's
account using just the email address and password. Autodiscover data populates
the correct server addresses, port numbers, user name, and authentication
settings.
Autodiscover uses the domain of the email address to contact an authoritative
DNS server for the address of an available Exchange server. Mail then contacts the
Exchange server and provides the necessary credentials. The server returns the
settings needed to complete the setup.
Administrators often move Exchange mailboxes around within an Exchange
organization. To help keep client computers connected even when the address of
the server changes, Autodiscover also periodically checks settings and
automatically updates those settings if the server address or mailbox location
changes.
Users benefit from Autodiscover by not having to know or understand email
server settings, and by connecting to their email accounts without assistance
from technical support staff. And technical support staff benefits from fewer
support calls.
The Mail, Contacts, and Calendar applications leverage Autodiscover to connect
to Exchange. To set them up initially, simply select the Microsoft Exchange option
in the Internet Accounts pane in System Preferences. Or open each of these built-in
applications in OS X and configure an Exchange account by choosing
Preferences in the application menu.


7.3 Troubleshoot Outlook

Microsoft Outlook relies on the Exchange Web Services protocol for setup and
connectivity. The DNS troubleshooting steps discussed in previous modules may
be useful since EWS is used. This is important to note because an Exchange
administrator may assume that because the product says Outlook it can use
Service Connection Point objects to discover the email location. This isn't the case
in Outlook.
To activate logging for Outlook:
1. Open Outlook.
2. Select Error Log in the Window menu.
3. Click the cog wheel icon in the upper-right corner to open the action pop-up
menu.

Figure 7.3_1


4. Click the Turn on logging for troubleshooting checkbox.

Figure 7.3_2

Outlook uses a database to track each email message. The database is composed
of pointers, not the actual messages. Each time a user receives mail, a database
write occurs that can trigger activity from an antivirus application. If there's a lot
of activity, antivirus scanning can cause database corruption and crashed email
services. One potential solution is to make the following exceptions in the
antivirus real-time scanner:
/Library/Preferences/.GlobalPreferences.plist
~/Library
/Users/.*/Documents/.*/Database/.*
/.*\.log

Note: These exclusions are broad (all of ~/Library and every .log file), so these
changes should only be undertaken if the incoming mail is scanned at the
messaging gateway and the server.


7.3.1 Access Additional Outlook Information

There are a number of additional resources available for Outlook.
Learning Roadmap for Outlook for Mac 2011.
office.microsoft.com/en-us/mac-outlook-help/learning-roadmap-for-outlook-for-mac-2011-HA103528304.aspx
Planning for Outlook for Mac 2011.
technet.microsoft.com/en-us/library/jj984221(v=office.14).aspx
How the Autodiscover Service Works with Outlook for Mac 2011.
technet.microsoft.com/en-us/library/jj984202(v=office.14).aspx
Turning Logging On or Off in Outlook for Mac 2011.
technet.microsoft.com/en-us/library/jj984217(v=office.14).aspx
Adding Support for Information Rights Management into Outlook for Mac 2011.
go.microsoft.com/fwlink/?LinkId=201940


7.4 Leverage SharePoint

SharePoint connectivity in OS X is through a web browser or through the
Microsoft Document Connection app, included in Office for Mac.
Microsoft Document Connection is added to the Dock by default when Office is
installed. It's also available in the /Applications/Microsoft Office folder or in the
/Applications/Microsoft Office 2008 folder.
Document Connection works with SharePoint 2007 or later, and lets users check
documents in and out of SharePoint servers. Document Connection can
authenticate using Kerberos and NTLM credentials, even if the Mac isn't yet bound
to the Active Directory domain or if the SharePoint server isn't yet kerberized to
the domain.
Many of the common tasks performed with SharePoint can be done using Safari
(SharePoint 2007 and forward). However, any features that require an ActiveX
control aren't available for Mac computers.


7.4.1 Connect to SharePoint

Microsoft includes the Document Connection application in Office.
To use Document Connection with SharePoint:
1. Open Document Connection from /Applications/Microsoft Office 2011.
2. Click the Add Location button in the toolbar.

Figure 7.4.1_1

3. In the pop-up menu, choose Connect to a SharePoint Site.

Figure 7.4.1_2


4. Enter the address of the site.

Figure 7.4.1_3

5. Provide the user name and password of the site.
6. Under SharePoint in the sidebar, browse to the location of a file.
7. Click the file name.
8. Click the button in the toolbar that corresponds to the task at hand.

Figure 7.4.1_4


7.4.2 Access Additional SharePoint Information

For more information on how to use OS X to connect to SharePoint through
Office for Mac, see:
Office for Mac 2011 and SharePoint Integration Features.
technet.microsoft.com/en-us/library/jj984161(v=office.14).aspx


7.5 Access Instant Messaging

Instant messaging enables users to communicate with each other in real time.
Instant messaging has been a text-based communication tool for many years, but
most modern instant messaging solutions also support the ability to
communicate through video and audio messaging.
OS X supports many of the standard instant messaging platforms. The following
modules cover Messages, FaceTime, and Microsoft Lync.


7.5.1 Configure Messages and FaceTime

Messages
Messages is a multiprotocol chat client that enables users to send unlimited
iMessages to any Mac, iPad, iPhone, or iPod touch. It also supports the XMPP
instant messaging protocol commonly known as Jabber, and works with AOL
Instant Messenger (AIM), iCloud.com, and Yahoo!. Jabber can be integrated
with any instant messaging platform that also has an XMPP gateway, such as
Google Chat and Apple Messages server, built into OS X Server.
To configure Messages:
1. Open Messages from /Applications.
2. To enter an Apple ID for use with iMessage, provide the appropriate Apple ID
and password when prompted.

Figure 7.5.1_1


3. To enter other types of accounts, click Not Now. When prompted, select the
type of account. In this example, click the Other Messages account radio
button to set up a Jabber account.

Figure 7.5.1_2

4. Click Continue.
5. In the Add a Messages Account dialog, choose Jabber from the Account Type
menu.

Figure 7.5.1_3


6. Enter an account name and password in the appropriate fields.
7. Provide a server name or IP address in the Server field.
8. If applicable, click the Use SSL checkbox and the Use Kerberos v5 for
authentication checkbox.
9. Click the Create button.

Figure 7.5.1_4

10. Close the Accounts window.
11. Test the connection by adding other users to the Messages Buddy List and
chatting with them.
Apple provides a number of tools for troubleshooting Messages. One is Network
Utility, located in /System/Library/CoreServices/Applications/. Network Utility is
used to check that private Jabber servers are accessible via name and IP address,
and that ports are accessible. Debug logging is also helpful. To debug Messages
communications, first make sure to quit Messages. Then reopen Messages by
entering the following string in Terminal. This command will log debug output,
and will possibly show what the specific problem is:
/Applications/Messages.app/Contents/MacOS/Messages -errorLogLevel 7

Note: Common issues with connection quality can usually be traced to poor
bandwidth, gateway filters, and antivirus applications.

FaceTime
In addition to Messages, the FaceTime application is also built into OS X. FaceTime
is also available on the Mac App Store at
itunes.apple.com/us/app/facetime/id414307850?mt=12.


7.5.2 Manage Lync for Mac

The Office suite includes the Lync for Mac chat program, with support for Lync
Server 2010 and Lync Online. For the Lync for Mac 2011 Deployment Guide, see
technet.microsoft.com/en-us/library/jj984275(v=office.14).aspx.
To set up Lync for Mac:
1. Open Lync for Mac from /Applications/Microsoft Office 2011.
Note: The first time the application opens, a prompt appears requesting to
make Lync the default application for phone calls. Choose to make Lync your
default telephony application by clicking Use Lync.
2. In the Microsoft Lync login window, enter the appropriate information.

Figure 7.5.2_1

3. In the Lync menu, choose Preferences.


4. Click the Account button in the toolbar.
5. The account name is shown next to Sign In Address. Click Edit to assign a
new account name. Or if an address isn't yet listed, go back to the login page
and provide one.

Figure 7.5.2_2

6. In the Account window, Connection Settings is set to Automatic
configuration by default. If you have a private Microsoft Lync server, click the
Advanced button to enter the information manually.


7. Provide the server host name or IP address.
8. Next to Connect using, choose either TCP or TLS. If you don't know which to
use, contact the Communications Server administrator.

Figure 7.5.2_3

9. Click OK.
10. Click Sign-In.


Users can send files to, email, video chat with, or telephone contacts added to
the Contact List. For more on Lync, see www.microsoft.com/mac/enterprise/lync.

Integrating Messages with Microsoft Communications Server
To leverage the Messages application built into OS X when integrating into an
existing Lync Server 2010 environment, install the XMPP gateway service on the
Lync Server 2010 host. To download the XMPP services package, see
www.microsoft.com/en-us/download/details.aspx?id=8403.
For more information about adding an XMPP gateway, see this blog entry by the
Microsoft employee known as Lync Guy:
ocsguy.com/2010/11/29/deploying-lync-for-xmpp.


7.6 Use AirDrop

AirDrop is the Apple implementation of the Wi-Fi Direct protocol. AirDrop
enables users to find other nearby users (via Bonjour, the Apple multicast DNS
implementation) and transfer files directly to other client computers over an
encrypted connection.
To turn on AirDrop on a supported Mac:
1. Click AirDrop in the sidebar of any Finder window.
2. To exchange files with a nearby user, also have that user click AirDrop in the
Finder sidebar on their Mac. Each computer is now listed in the other's
AirDrop window.

Figure 7.6_1


3. To transfer a file, drag and drop the file on the other user's AirDrop icon. The
nearby user is prompted to accept the file. Transfer progress is indicated
within the circle icon.

Figure 7.6_2

4. To turn off AirDrop, simply close that Finder window or click another sidebar item.

The intentional nature of activating AirDrop, coupled with the Accept dialog, provides a strong measure of security and prevention from hijacking. Deliberate steps are required to accept file transfers.

Note: As of iOS 7, AirDrop supports iOS-based devices.


7.6.1 Disable AirDrop
While AirDrop is a great feature for many environments, some organizations may
wish to disable the AirDrop feature in OS X to meet their information assurance
and/or security guidelines.
To disable AirDrop, enter the following command in Terminal:

sudo defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool YES

To reenable AirDrop, send the same command with a boolean payload of NO, as follows:

sudo defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool NO

For AirDrop to disappear from the Finder sidebar, either restart the system or restart the Finder by running the following command:

sudo killall Finder

These preferences are stored in the com.apple.NetworkBrowser defaults domain, so they can also be managed using Mobile Configuration (.mobileconfig) files. Environments running OS X Server or a third-party mobile device management solution can use the Custom Settings feature to assign a value to the com.apple.NetworkBrowser defaults domain.
To use the Custom Settings feature in Profile Manager:

1. Open the Server application on an OS X Server system.

2. Click the Profile Manager service.

3. Click Open Profile Manager, and authenticate if prompted.

4. To assign custom settings, click the relevant Device or Device Group.

Figure 7.6.1_1

5. Click Edit in the Settings tab.

6. Click Custom Settings in the sidebar.


7. Click the Configure button.

Figure 7.6.1_2

8. Enter com.apple.NetworkBrowser in the Preference Domain field.

9. Click the Add Item button.

10. Rename the initial key DisableAirDrop.

11. Choose Boolean from the Type menu.

12. Click the Value checkbox.

Figure 7.6.1_3

13. Click OK.

14. Click Save. Then click Save again to confirm.

15. Send the profile to the Mac running OS X. Then restart the Mac and verify that the key is enforced.
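The same Custom Settings payload can be produced and checked from a script, which is useful when the profile is built outside Profile Manager or audited before distribution. The following is an added example, not part of the guide: it writes a .mobileconfig that forces DisableAirDrop in the com.apple.NetworkBrowser domain and checks whether a given profile file enforces it. It assumes the standard MCX-in-profile layout (Forced / mcx_preference_settings) that Custom Settings uses; the com.example identifiers and UUID fallbacks are placeholders.

```shell
# Added example, not from the guide: build the Custom Settings profile that the
# Profile Manager steps above produce (forcing DisableAirDrop in
# com.apple.NetworkBrowser), and check whether a profile file enforces it.
# Assumptions: the Forced/mcx_preference_settings layout is the standard
# MCX-in-profile structure; identifiers and UUID fallbacks are placeholders.

# airdrop_profile YES|NO : print a .mobileconfig forcing DisableAirDrop to that value.
airdrop_profile() {
  case "$1" in YES) v='<true/>' ;; NO) v='<false/>' ;; *) return 2 ;; esac
  # uuidgen exists on macOS and most Linux hosts; fall back to fixed placeholders.
  u1=$(uuidgen 2>/dev/null || echo 11111111-1111-1111-1111-111111111111)
  u2=$(uuidgen 2>/dev/null || echo 22222222-2222-2222-2222-222222222222)
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.ManagedClient.preferences</string>
      <key>PayloadIdentifier</key><string>com.example.airdrop.custom</string>
      <key>PayloadUUID</key><string>$u2</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadContent</key>
      <dict>
        <key>com.apple.NetworkBrowser</key>
        <dict>
          <key>Forced</key>
          <array>
            <dict>
              <key>mcx_preference_settings</key>
              <dict><key>DisableAirDrop</key>$v</dict>
            </dict>
          </array>
        </dict>
      </dict>
    </dict>
  </array>
  <key>PayloadDisplayName</key><string>Disable AirDrop</string>
  <key>PayloadIdentifier</key><string>com.example.airdrop</string>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadUUID</key><string>$u1</string>
  <key>PayloadVersion</key><integer>1</integer>
</dict>
</plist>
EOF
}

# airdrop_forced_off FILE : succeed only if FILE forces DisableAirDrop to true.
airdrop_forced_off() { tr -d ' \n\t' < "$1" | grep -q '<key>DisableAirDrop</key><true/>'; }
```

On a Mac, `plutil -lint` on the generated file confirms it is a well-formed property list before it is uploaded to Profile Manager or an MDM.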

7.6.2 Debug AirDrop

To enable verbose logging for AirDrop, set the logging level (0=off, 1=on) as follows:

defaults write com.apple.finder EnableAirDropLogging 1

AirDrop logs are written to: /var/log/system.log.


7.6.3 Access Additional AirDrop Information

For more information on Wi-Fi Direct and about AirDrop, see:

AirDrop Supported Machines: support.apple.com/kb/HT4783

Wi-Fi Direct FAQ: www.wi-fi.org/files/faq_20100916_Wi-Fi_Direct_FAQ.pdf


7.7 Leverage iCloud

iCloud is an Apple cloud service that stores contacts, photos, and more. iCloud wirelessly pushes data to all of a user's devices to keep them in sync, automatically and seamlessly, with no user file-level interaction necessary.*

The iCloud Document Library is a convenient, consistent way to access iCloud documents across Mac computers and iOS devices. To find an iCloud document, just open its app. The iCloud Document Library shows the iCloud documents for the app, with the most recent one at the top.

To organize documents into folders, drag one document onto another, similar to organizing documents on iPhone or iPad. Folders created on one device automatically appear in the iCloud Document Library when the app on another device is opened.

Administrators can restrict the storage of iCloud data, including documents on the iCloud servers, by using configuration profiles.

*iCloud requires iOS 5 or later on iPhone 3GS or later, iPod touch (3rd generation or later), iPad, or iPad
mini; a Mac computer with OS X Lion v10.7.5 or later; or a PC with Windows 7 or Windows 8 (Outlook
2007 or later or an up-to-date browser is required for accessing email, contacts, and calendars). Some
features require iOS 7 and OS X Mavericks. Some features require a Wi-Fi connection. Some features
are not available in all countries. Access to some services is limited to 10 devices.


7.8 Use iWork for iCloud

iWork is a collection of productivity applications available on the Mac App Store. iWork includes the following apps:

Pages. Used to create and edit documents.

Numbers. Used to create and edit spreadsheets.

Keynote. Used to create and edit presentations.

All iWork apps are available for iCloud, so users can edit and access documents in a browser or using a client application. Documents stored in iCloud are available on iOS devices, via the iCloud web interface, or using the iWork applications available on the Mac App Store.

iWork for iCloud edits and saves documents so they're compatible with Microsoft Office documents. iWork for iCloud documents can be stored in iCloud, shared to other applications, or sent using iCloud Mail.
