(Version 6.0)
Table of Contents
Introduction
Directory Services
Manage Printers
Restrict Applications Using Profile Manager
Deploy VPN Connections Using Profile Manager
Force Password Policies Using Profile Manager
Configure Single Sign-On Using Profile Manager
Limit Access to Sites Using Profile Manager
Password Policies
Audit Local Password Policies
Configure Local Password Policies
Use the Volume Purchase Program to Deploy Apps
Security
Networking/Wireless
Collaboration
Introduction
This configuration guide is designed to help IT professionals evaluate and deploy
OS X on Mac computers in medium to large organizations. Each section
contains modules that cover different topics with step-by-step instructions. This
guide provides accelerated testing and planning so organizations can efficiently
begin a proof of concept or broader end-user deployment of Mac computers.
This guide is a reference document. Not all modules are required reading for
every Mac deployment plan, and many plans will leverage third-party software.
The guide covers a wide range of topics critical to successfully deploying Mac
systems including:
Directory Services
Configuration Management
Security
Networking/Wireless
Collaboration
Before using this guide, consult with your Apple sales representative or Apple
Authorized Reseller for assistance determining the right modules for your
environment.
1.1
1.2 Create Packages
Imaging often includes packaging software for distribution. There are a number
of tools for creating installation packages and package distribution.
Most application installers place files on a file system, and scripts interact with the
operating system in some way (such as activating files that were placed on the
file system). A package is a file, or bundle of files, with a .pkg extension. The
package bundle contains an archive of files to install, scripts that perform
specified actions (which can run before or after file archives are placed into the
appropriate directories), and information about how the operating system should
interpret the installer (such as the order in which these operations occur). A
package can also include licensing documents and other information.
Packages have a number of uses related to installing and managing software. For
example, application developers often use packages to build installers for their
software. Apple uses packages to provide system or application upgrades using
Updates in the App Store. Administrators use packages to deploy scripted
changes to client systems, such as binding to a directory service.
A meta package is a lesser-used type of package. Meta packages are sets of
packages that are distributed in one structure with a *.mpkg file extension. The
meta package typically provides a list of checkboxes used to choose which
packages or components of a larger installation framework are installed.
To install a package, double-click its icon in the Finder. The Installer application
opens and guides you through the necessary steps of the installation, defined at
the time the package was created. Packages can also run silently through the
command line, with Apple Remote Desktop, or using third-party patch
management software solutions.
Many applications come bundled as standard Apple Installer packages. In
situations where an application installer is already a package, custom packages
may not be required. Vendors that distribute packages often have a process for
preparing a package for mass deployment (such as instructions on embedding
license keys and other important settings the software should have). Contacting
the vendor for the proper mass deployment method of each title can save
valuable time, minimize the amount of user interaction required to install a
package, and help prevent unintended consequences.
Packages can be created using a number of tools such as Xcode, from the
command line with pkgbuild, and with third-party tools. Packages can be built
manually or by using a snapshot of the operating system. Snapshot-based
packages are great for those new to building packages, but keep in mind that
extraneous data may be unintentionally captured if changes unrelated to
installation take place between snapshots. To avoid this, always review the files
and folders to be installed when making a snapshot and remove those not
required.
The process is similar to creating installers for other operating systems. If a team
member is already trained in creating installers for Microsoft Windows (that is,
.msi or .mst installers) or for Linux, it should be easy for them to quickly grasp
the concepts needed to build packages in OS X.
1.2.1 Rudix. www.rudix.org
Rudix is a website that offers a number of tools created for various UNIX
platforms, built into standard Mac installation packages. Having access to
ready-made packages that perform a number of tasks, rather than building your
own, lets software be deployed more quickly and in a repeatable fashion.
1.3
1.3.1
1. Build the perfect system image. Install the operating system and required
software, preferably using Volume License Agreement (VLA) licensing, and
configure settings specific for your environment.
2.
Restart the system in target-disk mode by holding down the T key during the
startup process.
3.
4.
5.
Choose Get Info from the File menu (or press Command-I).
6.
Verify that the Ignore ownership on this volume checkbox isn't selected.
Figure 1.3.1_1
7.
8.
Figure 1.3.1_2
9.
Figure 1.3.1_3
11. The Select Folder to Image dialog lets you choose the volume from which to
create the image. Select the name of the prepared client hard drive (which
should be started up in target-disk mode).
Figure 1.3.1_4
13. In the New Image from Folder window, provide a name for the image. In this
example, it's Pretendco Image.
14. Use the Where menu to define where on the system the image file will be
created.
15. Choose compressed in the Image Format menu and none in the
Encryption menu, as images deploy faster when compressed.
16. Click the Save button to create the image.
Figure 1.3.1_5
Wait for the image to complete. The time required is dependent on the size
of image and speed of media for both source and destination.
1.3.2
1. The hdiutil command can be used to manipulate disk images. This allows
users to burn, create, expand, and verify disk images. In this module, use the
hdiutil command to create the image .dmg file by invoking the create
verb when you run it. Then mount a drive called MACOSX that houses an
image of a clean OS X installation on your computer and create an image of
it. Call the image MavericksImage and place it in the desktop folder on the
computer. The following command illustrates how to create the .dmg file:
hdiutil create -srcfolder /Volumes/MACOSX ~/Desktop/MavericksImage.dmg
2.
Now have the asr utility scan the image using the following command:
asr imagescan --source ~/Desktop/MavericksImage.dmg
Here asr is used with the imagescan verb to calculate the checksums of
the contents of the image file and store them in the image. These checksums
will be used to verify that restores occur properly. The imagescan verb will
also reorder files so that the image can be deployed in a multicast fashion.
Note: The --filechecksum and --nostream options can be used with the
imagescan verb. When used, these commands calculate checksums on a
per-file basis and bypass reordering of the files, respectively. This is often
used as a troubleshooting mechanism when images are problematic.
1.3.3
2.
3.
Drag the image file into the Source field from the Finder, or browse to the
image using the Image button.
4.
Figure 1.3.3_1
5.
1.4 Network Images
Once you've created your deployment payloads, the next step is to deploy them.
A simple form of deployment is to locally apply an image from one Mac to
another via FireWire or Thunderbolt. Because this process is cumbersome to
scale, this section covers additional techniques to help enable a minimal-touch
deployment.
Network images are created especially for imaging a large number of computers
over a network. These images are prepared specifically for publishing over a
network connection and have special functionality built for making each system
unique when the imaging process is complete.
Because a computer cannot image over a live operating system, this section
includes setting up a NetBoot set as well as booting to a NetBoot image so that a
Mac can reformat and reimage over the boot volume.
OS X includes a tool called System Image Utility (SIU), used to create NetBoot,
NetInstall, and NetRestore images. System Image Utility allows you to create
images and configure powerful customizations that reduce the time required to
image client computers.
System Image Utility is a standard tool installed in /System/Library/CoreServices
on every Mac running OS X.
1.4.1
1. Open System Image Utility from the Tools menu of the Server application.
2.
Click the Add (+) button in the lower-left corner of the System Image Utility
window.
3.
Figure 1.4.1_1
4.
Figure 1.4.1_2
5.
In the window that shows the NetRestore options, remove the Define Image
Source and Create Image panes on the right by clicking the Close (x) button
in the upper-right corner of each. This will leave the workflow area empty.
6.
Drag the Define NetRestore Source action from the Automator Library in the
left pane to the workflow area.
Figure 1.4.1_3
7.
Click the Add (+) button in the Define NetRestore Source pane, and enter the
path where the .dmg can be found. You may define either an HTTP or ASR
source URI (uniform resource identifier).
8.
Select the ASR multicast streams checkbox in the Enable browsing for
section, to see a list of all available ASR multicast streams.
9.
10. To allow users to manually provide a path to a .dmg, select the Allow manual
source entry checkbox.
Figure 1.4.1_4
11. Drag the Create Image action from the Automator Library into the workflow,
below the Define NetRestore Source area.
12. Leave Type set to NetBoot, and provide a name for the image.
13. Provide a name for the Network Disk.
14. Provide a description to help keep track of NetBoot sets. Also provide an
image index, an identifier unique to NetRestore NetBoot sets.
Figure 1.4.1_5
1.4.2
1. Purchase and download OS X from the Mac App Store (don't install OS X or
restart on completion).
2.
3.
Close any dialogs the Install OS X Mavericks installer may automatically open.
4.
Open System Image Utility using the Tools menu in the Server application.
Because the Install OS X Mavericks installer is detected on the system, the
initial window of System Image Utility provides the option to Create a
Network Disk Image and asks you to select the type of image you'll create.
Figure 1.4.2_1
5.
6.
Click NetInstall Image. This will tell the image, when NetBoot loads it, to
install an operating system.
7.
Click Continue.
8.
9.
If the image will be hosted by multiple NetBoot servers, select the Image
will be served from more than one server checkbox.
Figure 1.4.2_2
10. Click Agree when prompted to accept the OS X Licensing Agreement from
Apple, provided the terms are acceptable.
Figure 1.4.2_3
11. In the Save As field, enter a name for the files that will be saved.
12. Use the Where menu to choose a location for the image.
13. If the location isn't listed in the Where menu, click the disclosure button to
the right of the Save As field to browse for a location.
Figure 1.4.2_4
1.4.3
1.
2.
Click Show when you highlight the Advanced section of the sidebar.
Figure 1.4.3_1
3.
4.
5.
Figure 1.4.3_2
6.
Select the Enable checkbox for each interface on which NetInstall should run.
7.
Click OK.
Figure 1.4.3_3
8.
9.
12. Choose Images & Client Data from the Stored Data menu to enable images
for that volume.
Figure 1.4.3_4
Figure 1.4.3_5
Figure 1.4.3_6
Figure 1.4.3_7
24. To test starting up a client system to the image, hold down the N key at
startup. Or select the NetBoot server you just set up by using the Startup Disk
System Preferences pane on the client system.
1.4.4
Figure 1.4.4_1
2.
Figure 1.4.4_2
3.
4.
1.4.5
In the above command, the restore verb is used, the --source and --target
options are set, and finally the -erase option is given. In this way,
restoring system images programmatically is possible with only a single
command.
Rather than using direct-attached storage, such as ThunderBolt, administrators
can use the asr command to restore images from a file hosted by HTTP. To do so,
place the image on a web server and use a command similar to the following,
where the fully qualified domain name (FQDN) of the web server is
mywebserver.pretendco.com and the name of the image is mavimage.dmg.
sudo asr restore --source http://mywebserver.pretendco.com/mavimage.dmg --target /Volumes/Mac\ OS\ X/ -erase
In the above command, the source is defined with the URL that it would be
accessible from using HTTP. The file was renamed myimage.dmg to make it
friendlier to HTTP requests. Defining the -erase option speeds up the
restoration and makes the image blessed (that is, bootable).
Note: This method assumes that the source Mac is being started up in target-disk
mode, because the image can't be placed on top of a running operating system
(not needing target-disk mode is another valuable feature of NetRestore on
OS X Server).
1.4.6
Set up the plist file. To do so, you need a multicast address and the data rate
at which you want the server to provide the multicast traffic. Using this
information, create a file. For this example, use an asrsetup.plist
filename in a folder called /asrconfig. Then create the directory using the
following command:
mkdir /asrconfig
2.
3.
Use the defaults command to populate the file with the settings planned
for earlier.
defaults write /asrconfig/asrsetup.plist "Data Rate" -int 10000000
defaults write /asrconfig/asrsetup.plist "Multicast Address" 244.0.0.1
4.
5.
Once the .plist file is created, move an image (in the form of a .dmg file) into
the /asrconfig directory.
6.
Once moved, start up the ASR server using the following command:
sudo asr -server /asrconfig/asrsetup.plist -source /asrconfig/myimage.dmg
7.
The server then states Ready to start accepting clients. To test the server, tell
a client to look to the server for connectivity. Testing can be done by
providing a path (in the form of a URI) to the asr:// location using a NetBoot
image, Disk Utility, or the asr command with the restore verb. Here the
source computer is myasrserver.pretendco.com and the image is called
myimage.
sudo asr restore --source asr://myasrserver.pretendco.com/myimage.dmg --target /Volumes/Mac\ OS\ X/ -erase
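The server configuration from steps 1 to 3, produced by a script that checks the values before writing them, as an added example (this is not code from the guide). It classifies the multicast address and refuses anything outside 224.0.0.0/4 (224.0.0.0/24 is link-local, with 224.0.0.1 being the all-hosts group every host already listens to; 239.0.0.0/8 is the administratively scoped range usually chosen for an internal imaging stream), requires an integer data rate, and writes the plist as XML with the "Data Rate" and "Multicast Address" keys the module uses, so it does not depend on the defaults command. The 239.1.2.3 address in the usage line is a constructed value.

```shell
#!/bin/sh
# Added example, not from the guide: validate and write the asr multicast
# server configuration. Keys and the /asrconfig/asrsetup.plist location follow
# the module; the address classification and data-rate check are additions.

# Print the multicast scope of an IPv4 address and succeed, or fail when the
# address is not in 224.0.0.0-239.255.255.255:
#   link-local    224.0.0.0/24 (224.0.0.1 is the all-hosts group)
#   admin-scoped  239.0.0.0/8  (RFC 2365 private range, the usual choice)
#   global        the rest of 224.0.0.0/4
multicast_scope() {
    [ -n "$1" ] || return 1
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        $1 < 224 || $1 > 239 { exit 1 }
        $1 == 224 && $2 == 0 && $3 == 0 { print "link-local"; exit 0 }
        $1 == 239 { print "admin-scoped"; exit 0 }
        { print "global" }'
}

# The data rate must be a positive integer.
valid_data_rate() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 0 ]
}

# Write the configuration to $1 for group address $2 at data rate $3.
# Fails on a non-multicast address or bad rate; warns on a link-local group.
write_asr_config() {
    cfg=$1; addr=$2; rate=$3
    scope=$(multicast_scope "$addr") || { echo "not a multicast address: $addr" >&2; return 1; }
    [ "$scope" != "link-local" ] || echo "warning: $addr is link-local; a 239.x.x.x address is preferable" >&2
    valid_data_rate "$rate" || { echo "data rate must be a positive integer: $rate" >&2; return 1; }
    mkdir -p "$(dirname "$cfg")" || return 1
    cat > "$cfg" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Data Rate</key>
    <integer>$rate</integer>
    <key>Multicast Address</key>
    <string>$addr</string>
</dict>
</plist>
EOF
}

# Usage: sudo sh asrconfig.sh /asrconfig/asrsetup.plist 239.1.2.3 10000000
if [ $# -eq 3 ]; then
    write_asr_config "$1" "$2" "$3" && echo "wrote $1 ($(multicast_scope "$2") group $2, rate $3)"
fi
```

The resulting file is what step 6 hands to asr with -server; writing it directly rather than through defaults also makes the values visible in a diff when the configuration is kept under version control.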
1.4.7
DeployStudio. www.deploystudio.com
A free application with a comprehensive set of tools wrapped around the
command-line asr options. DeployStudio also offers the ability to PXE boot
Windows computers for mass deployment.
FileWave. www.filewave.com
This cross-platform solution offers administrators a way to prepare systems
for the deployment of packages, and provides a way to roll packages and
images back to previously deployed images.
1.5
1.5.1
2.
Use the command bless without any arguments to get comfortable with
the syntax and available options.
3.
The options used in this command are --netboot, which invokes NetBoot
mode, and --server, which specifies the IP address (or DNS name) of the
NetBoot server rather than relying on a discovery protocol for this
information. Notice that the server is given as a URL, with bsdp:// in front
of the server name, telling the system that BSDP (Boot Service Discovery
Protocol) is to be used with that server. The --booter option additionally
allows administrators to specify the tftp server for NetBoot along with the
nfs or afp location of the NetInstall .dmg file.
4.
Use the following to verify that the bless command worked as needed:
bless --info 10.0.9.2
Using bless, administrators can directly target a NetBoot server even if that
server is in a different subnet from the client systems.
5.
1.5.2
1.5.3 Relay bootpd
DHCP is required for NetBoot. Many environments already have DHCP servers on
each segment, VLAN (Virtual LAN), or a subnet of the network where a Mac might
attempt to initiate NetBoot. If administrators can see a NetBoot server in the
Startup Disk pane in System Preferences, but can't initiate a NetBoot session into
that server by holding down the N key at startup, a bootpd relay for BSDP and its
parent DHCP server may be needed.
This module covers how to configure a Mac running OS X Server to provide a
bootpd relay agent to enable NetBoot server discovery across subnets.
To edit the bootpd.plist file on the system to act as the relay:
1.
2.
3.
4.
5.
Edit the <false/> value for the relay_enabled key so that it reads
<true/>.
6.
Replace the <array/> empty array for relay_ip_list with the NetBoot
server IP address as follows:
<array>
<string>192.168.210.1</string>
</array>
7.
8.
9.
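The edits of steps 5 and 6 done by a script instead of by hand, as an added example (not part of the guide): it changes the value after relay_enabled to true and fills the empty relay_ip_list array with the NetBoot server address, keeps a backup, and re-reads the file to confirm both changes took. The address check and the relay_configured verification are additions; the plist written by write_sample_plist is a constructed sample carrying only the relay keys from this module, whereas the real /etc/bootpd.plist has more. Restarting the relay's bootpd afterwards is outside the script.

```shell
#!/bin/sh
# Added example, not from the guide: enable the bootpd relay in a bootpd.plist
# and point relay_ip_list at the NetBoot server, then verify the result.
# Assumes the plist holds the <key>relay_enabled</key> and
# <key>relay_ip_list</key> entries shown in the module. The 192.168.210.1
# address is the guide's example value.

# Accept only a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    [ -n "$1" ] || return 1
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Rewrite $1 in place: the value after relay_enabled becomes <true/> and an
# empty <array/> after relay_ip_list becomes a one-entry array holding $2.
# The original is kept as $1.bak.
enable_bootp_relay() {
    plist=$1; server=$2
    valid_ipv4 "$server" || { echo "not an IPv4 address: $server" >&2; return 1; }
    [ -f "$plist" ] || { echo "no such file: $plist" >&2; return 1; }
    cp "$plist" "$plist.bak" || return 1
    awk -v ip="$server" '
        pending == "enabled" && /<(true|false)\/>/ {
            sub(/<(true|false)\/>/, "<true/>"); pending = ""
        }
        pending == "list" && /<array\/>/ {
            sub(/<array\/>/, "<array>\n\t\t<string>" ip "</string>\n\t</array>"); pending = ""
        }
        /<key>relay_enabled<\/key>/ { pending = "enabled" }
        /<key>relay_ip_list<\/key>/ { pending = "list" }
        { print }
    ' "$plist.bak" > "$plist"
}

# Succeed only if relay_enabled is <true/> and relay_ip_list contains $2.
relay_configured() {
    awk -v ip="$2" '
        pending == "enabled" && /<true\/>/  { on = 1; pending = "" }
        pending == "enabled" && /<false\/>/ { pending = "" }
        pending == "list" && /<\/array>/    { pending = "" }
        pending == "list" && index($0, "<string>" ip "</string>") { listed = 1 }
        /<key>relay_enabled<\/key>/ { pending = "enabled" }
        /<key>relay_ip_list<\/key>/ { pending = "list" }
        END { exit !(on && listed) }
    ' "$1"
}

# Constructed sample with only the relay-related keys of bootpd.plist, for
# trying the script without touching /etc/bootpd.plist.
write_sample_plist() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>bootp_enabled</key>
    <false/>
    <key>relay_enabled</key>
    <false/>
    <key>relay_ip_list</key>
    <array/>
</dict>
</plist>
EOF
}

# Usage on the relay Mac: sudo sh relay.sh /etc/bootpd.plist 192.168.210.1
if [ $# -eq 2 ]; then
    enable_bootp_relay "$1" "$2" && relay_configured "$1" "$2" && echo "relay to $2 enabled in $1"
fi
```

The edit only touches the value line that directly follows each of the two keys, so other boolean keys in the file (bootp_enabled in the sample) are left alone; if relay_ip_list already holds entries the array is not rewritten and relay_configured reports the mismatch.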
1.6
Deployment imaging. The first step of any deployment (especially a minimal-touch deployment) is the development of a good deployment image. A
deployment image contains as few customizations as possible to protect it
from constant revisions and to make it as business-unit agnostic as possible.
Ideally, the deployment image only contains OS X, local settings, and
keystone applications, if that. Keystone applications are software packages
installed on 100 percent of the Mac computers in an organization. The
deployment image can skip all these if enrolled in a patch management
system, meaning a computer can be deployed with just the operating
system and enrollment in a patch management system. The patch
management system then takes over installing all software, including
keystone applications.
1.6.1
2.2
2.
3.
Using the Cache Size slider, choose the amount of space updates can utilize,
up to Unlimited.
Figure 2.2_1
4.
5.
In the selection dialog, choose the volume to use for storing cached updates.
Figure 2.2_2
6.
Click Choose.
7.
Figure 2.2_3
8.
Once the service is started, use the Reset button if you need to clear the
cache.
2.3
2.
Click Show when you highlight the Advanced section of the sidebar.
3.
4.
Figure 2.3_1
5.
Turn on Software Update to begin caching the available patches from Apple.
6.
Figure 2.3_2
Note: You may not immediately see the updates, as it can take a number of hours
for updates to appear.
7.
To control updates once they've cached onto the system, change the update
settings from Automatic back to Manual.
8.
9.
To control the status of an update, use the cog wheel icon toward the
bottom of the pane or click the Status pop-up menu for each update listed.
If the update has not yet been downloaded, choose Download and
Enable to cache and serve it to client systems.
Choose Disable if the update has been downloaded and is not required.
(This option is only available when Automatic has been selected in the
Settings tab.)
Figure 2.3_3
2.3.1
To configure a policy for a specific computer, open the Profile Manager web
interface.
2.
3.
Click the device or device group, or use any OS X device to create a generic
profile with just the one setting applied by the profile.
4.
5.
6.
Figure 2.3.1_1
7.
8.
9.
13. If the client systems can't be managed by profiles, use the following
command to augment the default software update settings, replacing
server.pretendco.com with the actual IP address or DNS name of the host
running the Software Update service, as follows:
defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL http://server.pretendco.com:8088/index.sucatalog
15. To install specific updates, use the following command, obtaining the label
from the -l (--list) option:
softwareupdate -i <label>
16. To install all available updates, use the -a (--all) option together with -i, as follows:
softwareupdate -i -a
17. Once testing is complete, reset the Software Update settings to factory
defaults by deleting the
/Library/Preferences/com.apple.SoftwareUpdate.plist file and allowing the
system to generate a new one based on the default settings.
2.3.2
Enable the Software Update service on the first server (in this case,
server09.pretendco.com).
Figure 2.3.2_1
2.
3.
Edit the metaindexURL key (by default set as swscan.apple.com) of the file
/Library/Server/Software Update/Config/swupd.plist.
4.
5.
Start the Software Update service, and complete setup of the new Software
Update service with your specific requirements.
2.4
2.5
DeployStudio. www.deploystudio.com
AirWatch. www.air-watch.com
MobileIron. www.mobileiron.com
Centrify. www.centrify.com
Maas360. www.maas360.com
3 Directory Services
A directory service stores information about users, groups, and network resources
for an organization. OS X has a local directory service for local accounts and can
connect to network directory services, which obtain account information from a
centralized source. On a default installation of OS X, directory services may be
configured to access directory information via LDAP (Lightweight Directory
Access Protocol), Active Directory, and NIS (Network Information Service). LDAP
and Active Directory are the most commonly used.
When an application, daemon, or utility needs information about a user, group, or
computer, it does a directory service lookup. In OS X, information is always looked
up in the local directory service first. Then, if the information isn't located in the
local directory, the query is sent to other directory services that have been
configured. This search path is specified in the
/System/Library/CoreServices/Directory Utility application, and allows
administrators to specify the order in which information such as users and groups
is searched for.
Directory services in OS X are built using a modular framework. This allows the
operating system to be extended with third-party directory modules. These
modules provide additional functionality as well as support for other directory
services not included in the default operating system.
directory services.
dseditgroup. Alter group membership information.
dsenableroot. Enable or disable the root account.
dserr. Show descriptions of directory services error codes.
dsexport. Export directory services information.
dsimport. Import directory services information.
dsmemberutil. Check group memberships and UUIDs, and perform certain
debugging operations.
3.1.1
3.1.1.1
Figure 3.1.1.1_1
2.
Choose System Preferences from the Apple menu and click Users & Groups.
Click the lock icon in the lower-left of the window and provide the password
of an existing administrative user.
Figure 3.1.1.1_2
3.
Figure 3.1.1.1_3
4.
5.
Enter the new user's full name and account name. (These should be unique
and different from one another.)
6.
Enter the same password in both the Password and Verify fields, then click
the Create User button.
Figure 3.1.1.1_4
The newly created account appears under Other Users in the Accounts list on the
Users & Groups pane in System Preferences.
Figure 3.1.1.1_5
7.
8.
To test that the user is now a local administrator, open the Users & Groups
pane in System Preferences. Unlock the pane with a user account that's in the
nested group. If the pane is successfully unlocked, the user is now a local
administrator.
3.1.1.2
1. Add the user name to the local directory services database using the
following command:
sudo dscl /Local/Default create /Users/pretendcoadmin
2. Set the default shell. Bash is the default, with a path of /bin/bash:
sudo dscl /Local/Default create /Users/pretendcoadmin UserShell /bin/bash
3. Set the full name of the user account, replacing Pretendco Administrator with
the user's full name.
sudo dscl /Local/Default create /Users/pretendcoadmin RealName "Pretendco Administrator"
4. Set the User ID (UID) as a unique integer value. In this example, run the
following command to set the UID to 1100. Subsequent users will need
additional unique UIDs. UIDs from 0 to 500 are reserved for system use.
sudo dscl /Local/Default create /Users/pretendcoadmin UniqueID 1100
5. Once a UID is assigned to an account, set the default group ID (GID) using
the following command. Note that the GID must be different from other GIDs
but can be the same as the UID used in the previous step.
sudo dscl /Local/Default create /Users/pretendcoadmin PrimaryGroupID 1100
6. Now that the user has a GID, set the home directory for the user using the
following command:
sudo dscl /Local/Default create /Users/pretendcoadmin NFSHomeDirectory /Users/pretendcoadmin
7. Add the user to the existing admin group. If converting an existing user
account into an administrative account, use the append verb as follows:
sudo dscl /Local/Default append /Groups/admin GroupMembership pretendcoadmin
8.
When generating a shell script from these commands, prompt the user for the
password in the script and use the provided value. Otherwise the password will
be available when editing the script.
Note: Using this account for anything other than standard administrative
purposes requires populating the account with more attributes. In this case the
account does not need to be fully usable.
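Steps 1 to 7 as one script, as an added example (not code from the guide): the account name, full name, UID/GID and home directory are the module's pretendcoadmin values, while the checks on the account name and UID (above the reserved 0 to 500 range and not already assigned) and the password handling are additions. Following the note above, the password comes from the ADMIN_PASSWORD environment variable or is prompted for without echo, so it is never written into the script. The dscl commands run only where dscl exists; elsewhere, or with DRY_RUN=1, they are printed with the password masked, and a constructed list of assigned UIDs stands in for the directory. Run it with sudo on the Mac.

```shell
#!/bin/sh
# Added example, not from the guide: create a local administrator with dscl.
# Values follow the module's pretendcoadmin example; the validation and the
# password prompt are additions. Run with sudo on the Mac; anywhere dscl is
# missing, or with DRY_RUN=1, the commands are printed instead of executed.

DRY_RUN=${DRY_RUN:-}

dry_run() { [ -n "$DRY_RUN" ] || ! command -v dscl >/dev/null 2>&1; }

# Run dscl with the given arguments, or print the command in dry-run mode.
run_dscl() {
    if dry_run; then
        printf '%s ' dscl "$@"; echo
    else
        dscl "$@"
    fi
}

# Short names: a lowercase letter, then lowercase letters, digits, underscore
# or hyphen, at most 31 characters in total (constructed limit).
valid_account_name() {
    printf '%s' "$1" | grep -Eq '^[a-z][a-z0-9_-]{0,30}$'
}

# UIDs 0 to 500 are reserved for system use (step 4); the new UID must be
# above that and absent from the newline-separated list of assigned UIDs in $2.
valid_uid() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -gt 500 ] || return 1
    ! printf '%s\n' "$2" | grep -qx "$1"
}

# Assigned UIDs from the local directory node; outside macOS a constructed
# sample list is used so the uniqueness check can still be exercised.
existing_uids() {
    if dry_run; then
        printf '%s\n' 0 1 501 502
    else
        dscl /Local/Default -list /Users UniqueID | awk '{ print $2 }'
    fi
}

# Create the account and add it to the admin group (steps 1 to 7).
create_local_admin() {
    name=$1; realname=$2; newuid=$3
    valid_account_name "$name" || { echo "invalid account name: $name" >&2; return 1; }
    valid_uid "$newuid" "$(existing_uids)" || { echo "UID $newuid is reserved or already assigned" >&2; return 1; }
    if [ -n "${ADMIN_PASSWORD:-}" ]; then
        pw=$ADMIN_PASSWORD
    else
        printf 'Password for %s: ' "$name" >&2
        stty -echo 2>/dev/null; read -r pw; stty echo 2>/dev/null; echo >&2
    fi
    [ -n "$pw" ] || { echo "an empty password is not accepted" >&2; return 1; }
    run_dscl /Local/Default create "/Users/$name" || return 1
    run_dscl /Local/Default create "/Users/$name" UserShell /bin/bash
    run_dscl /Local/Default create "/Users/$name" RealName "$realname"
    run_dscl /Local/Default create "/Users/$name" UniqueID "$newuid"
    run_dscl /Local/Default create "/Users/$name" PrimaryGroupID "$newuid"
    run_dscl /Local/Default create "/Users/$name" NFSHomeDirectory "/Users/$name"
    run_dscl /Local/Default append /Groups/admin GroupMembership "$name"
    # The password is passed as an argument, so it is briefly visible in the
    # process list; in dry-run mode it is masked rather than printed.
    if dry_run; then
        echo "dscl /Local/Default -passwd /Users/$name ********"
    else
        dscl /Local/Default -passwd "/Users/$name" "$pw"
    fi
}

# Usage: sudo sh make-admin.sh pretendcoadmin "Pretendco Administrator" 1100
if [ $# -eq 3 ]; then
    create_local_admin "$1" "$2" "$3"
fi
```

Reading the assigned UIDs with dscl -list before creating the account is what turns step 4's "unique integer" requirement into something the script enforces rather than assumes.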
3.1.1.3
Additionally, you can change items, such as the home directory or real name, by
using dscl options.
3.1.2
Before nesting the Active Directory group, verify that it resolves correctly on
the client. To do so, resolve group membership with the following
dseditgroup command, using the -o option along with the read verb.
dseditgroup -o read <active directory group name>
As seen from the output, the member section lists group members. If you
don't receive the desired output, make sure you're bound to a directory
service and that the group exists within Active Directory.
2.
Verify that OS X can resolve group membership for that group. Use the id
command to see in which groups a user is included.
id <account name>
3.
To nest Active Directory groups, use dseditgroup with the -o edit option
(edit operation), the -a option followed by the appropriate group name from
Active Directory, the -t option followed by the word group (which specifies
that the type to add is a group), and the -n option followed by
/Local/Default, which specifies to add to the local directory service.
sudo dseditgroup -o edit -a <group name> -t group -n /Local/Default admin
Note: Add network users to the admin group by using the same command
but changing the type (-t).
sudo dseditgroup -o edit -a <network user name> -t user -n /Local/Default admin
4.
To test that the nested user is now a local administrator, open the
Users & Groups pane in System Preferences and unlock the pane with a user
account that's in the nested group. If the pane is successfully unlocked, the
user is now a local administrator.
Note: The command-line utility used to run commands as root, sudo, does
not recognize nested groups. To nest administrative accounts, edit the
/etc/sudoers file. Within that file, find the user privilege specification section.
# User privilege specification
root	ALL=(ALL) ALL
%admin	ALL=(ALL) ALL
Then add %<AD group name> ALL=(ALL) ALL to that section. For
example:
# User privilege specification
root	ALL=(ALL) ALL
%admin	ALL=(ALL) ALL
%<AD group name>	ALL=(ALL) ALL
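The sudoers change from the note above, done by a script that validates the result, as an added example (not from the guide): sudoers_group_line builds the %group entry, backslash-escaping the spaces that Active Directory group names often contain, and add_sudoers_group appends it to the given sudoers file only if it is not already there, checking the candidate file with visudo -c (when visudo is available and the script runs as root) before it replaces the original. The group name "Mac Admins" in the usage line is a constructed value; use the group that was nested into admin.

```shell
#!/bin/sh
# Added example, not from the guide: add a %group entry for a directory group
# to a sudoers file, validating the file with visudo before installing it.

# Print the user specification for group $1, as in the note above. Spaces in
# the name are backslash-escaped (sudoers syntax); names with any other
# special characters are refused rather than escaped.
sudoers_group_line() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_. -]+$' || return 1
    esc=$(printf '%s' "$1" | sed 's/ /\\ /g')
    printf '%%%s\tALL=(ALL) ALL\n' "$esc"
}

# Append the entry for group $2 to sudoers file $1 unless it is already
# present. The candidate is written beside the original, syntax-checked with
# visudo -c where possible, and only then moved into place.
add_sudoers_group() {
    file=$1
    line=$(sudoers_group_line "$2") || { echo "unusable group name: $2" >&2; return 1; }
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    if grep -qxF "$line" "$file"; then
        return 0
    fi
    tmp="$file.tmp.$$"
    { cat "$file"; printf '%s\n' "$line"; } > "$tmp" || return 1
    chmod 0440 "$tmp"
    if command -v visudo >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        visudo -cf "$tmp" >/dev/null 2>&1 || { rm -f "$tmp"; echo "visudo rejected the change" >&2; return 1; }
    fi
    mv "$tmp" "$file"
}

# Usage: sudo sh sudoers-group.sh /etc/sudoers 'Mac Admins'
if [ $# -eq 2 ]; then
    add_sudoers_group "$1" "$2" && echo "sudo access granted to %$2 via $1"
fi
```

Writing the candidate file first and moving it into place only after the syntax check means a typo in the group name cannot leave /etc/sudoers unparseable, which would lock every administrator out of sudo at once.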
3.1.3
2.
3.
4.
Each line in the script uses dscl (directory services command line) to create
the user account and its attributes. The above script uses an ID below 500, so
the newly created account is hidden at the login window.
5.
Since a password has not yet been assigned to the account, include the
password in the script in clear text. This requires the directory services
daemon to be running when the script runs. To do so, append the following
line to the end of the above script:
dscl /Local/Default -passwd /Users/hidden 'mypass'
3.2 Active Directory
Active Directory is the default Microsoft directory services solution. Active
Directory provides information on users, groups, and computers (information
stored in LDAP), password management and encryption (using Kerberos), and
the ability to find objects on a network. Information in Active Directory is used to
manage users, computers, groups, printers, and other resources.
Active Directory deployments vary from smaller environments with hundreds of
objects to larger environments with thousands (or millions) of users and systems
distributed across a number of sites.
Mac computers can be bound to Active Directory through the Network Account
Settings located in the Users & Groups pane in System Preferences, or via the
Active Directory module in Directory Utility. From the command line, use
dsconfigad to bind and specify Active Directory-specific options.
This section contains modules that explore the administrative tasks of managing
OS X using Active Directory.
3.2.1
3.2.1.1
2.
Figure 3.2.1.1_1
3.
Figure 3.2.1.1_2
4.
Figure 3.2.1.1_3
5.
Figure 3.2.1.1_4
6.
Once joined, review the binding information and provide more details as
needed.
7.
8.
Figure 3.2.1.1_5
9.
Double-click Active Directory (or click Active Directory, then the pencil icon).
Figure 3.2.1.1_6
10. Enter the Active Directory domain name to join (if you've not yet bound).
11. Change the computer ID, if necessary, and click OK.
Note: When the system is bound, you'll see an Unbind button.
Figure 3.2.1.1_7
12. If binding, enter the Active Directory user that has the delegated authority to
bind a machine to the Organizational Unit (OU) you specify for Computer OU.
13. Enter the Active Directory user's password, then click OK.
14. In the Users & Groups pane in System Preferences, a green circle icon next to
the domain indicates that network accounts are accessible.
Figure 3.2.1.1_8
3.2.1.2
On the server, open the OS X Server app running Profile Manager. (Setting up
Profile Manager is covered in detail in Section 4 of this guide).
Figure 3.2.1.2_1
2.
Figure 3.2.1.2_2
3.
Click Open Profile Manager at the bottom of the Profile Manager pane.
4.
5.
6.
7.
Figure 3.2.1.2_3
8.
9.
Figure 3.2.1.2_4
10. In the Server Hostname field, provide the name of the Active Directory
domain the client systems will join when the profile is installed.
11. For Username, provide an administrative user name for the Active Directory
domain.
12. Include the password for the username provided in the Password field. The
profile carries these credentials, so use an account whose rights are limited to
joining computers to the intended OU.
13. Optionally, enter a Client ID. If no Client ID is provided, the computer name
will be used as the Client ID.
Figure 3.2.1.2_5
14. Click OK to save the changes to the Directory portion of the profile.
15. Optionally, edit the login window policy to make it easier for users to log in
using Active Directory accounts. Click Login Window in the Settings sidebar.
Figure 3.2.1.2_6
16. Configure what users will see before logging into the computer.
a. In the Heading menu, choose Directory Status. This is useful for seeing whether Active Directory is available.
b.
c. For Style, select Name and password text fields to simply show a username and password dialog box. Or select List of users able to use these computers to show previously logged-in users or locally available users.
d. If you selected List of users able to use these computers, you can also get more granular by clicking the appropriate checkboxes for which types of users will appear. If a system is bound to Active Directory or another directory service, the Other option will still appear, so that users can log in as users not previously used on that computer.
e. The Options tab includes settings for disabling guest users and allowing the screen saver to run over the top of the login window. In the Options tab, you can also choose to match the computer name to the directory name.
f. The Access tab provides options for who may or may not log into the computer as well as the ability to control workgroup settings.
Figure 3.2.1.2_7
17. Click OK when you are happy with the configuration of the login window.
18. Click Login Items in the Settings sidebar.
19. Click Configure.
20. Select the appropriate options for automatically mounting directories.
Note: If using mobile homes, you can add a network home share and mount the share at login.
b.
c. The Create home using buttons determine whether the new account is created based on the network home or the default local home directory template.
d.
e. Click the Account Expiry tab to configure how long a user can remain logged out before their home directory is removed from the local system.
f. Click the Rules tab to configure which data synchronizes to the server, and how frequently that synchronization occurs.
Figure 3.2.1.2_8
Figure 3.2.1.2_9
Figure 3.2.1.2_10
3.2.1.3
To set up the mobile home directory for the Active Directory account to exist on the local system, add the -mobile switch to the end of the dsconfigad command with a setting of enable, as follows:
dsconfigad -force -add mycomputername -username domainadmin -password domainadminspassword -domain mydomain.com -mobile enable
-force
-remove
-localuser username
-localpassword password
-username username
-password password
-ou dn
-domain fqdn
-show
-help
-xml
-mobileconfirm
-localhome flag
-useuncpath flag
-protocol type
-shell value
-sharepoint flag
Advanced Options: Mappings
-uid attribute
-nouid
-gid attribute
-nogid
-ggid attribute
-noggid
-authority enable or disable
Advanced Options: Administrative
-preferred server
-nopreferred
-groups "1,2,..."
-nogroups
-alldomains flag
-packetsign flag
-passinterval days
-restrictDDNS
-enableSSO
-remove
3.2.1.4
Most environments are more complicated than this example. Further customize
the dsconfigad script using more switches to denote items such as local
administrative user names and passwords.
3.2.1.5
2. Open the new empty shell script in your favorite text editor and paste the previously created script from 3.2.1.4 Bind to Active Directory Using a Script.
3. With the script inserted, add a line at the bottom to remove the script and then (optionally) provide an exit code. The whole script is as follows:
#!/bin/bash
# Wait for all network interfaces to configure, then pause so DNS and the domain controllers are reachable
ipconfig waitall
sleep 60
# Bind to Active Directory (replace each <placeholder> with the value for your environment)
dsconfigad -add <computername> -username <binduser> -password <binduserpass> -domain <domain>
# Remove this script (it contains the bind credentials) so it runs only once
srm $0 /Library/StartupItems/adbind/adbind.bash
exit 0
3.2.1.6
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34512
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;_gc._tcp.pretendco.com.        IN      SRV

;; ANSWER SECTION:
_gc._tcp.pretendco.com. 600     IN      SRV     0 100 3268 dc.pretendco.com.

;; ADDITIONAL SECTION:
dc.pretendco.com.       3600    IN      A       192.168.55.47

;; MSG SIZE  rcvd: 92
2. If the response doesn't include an answer section with the name of a domain controller, check to make sure the network settings in OS X are correct and that the DNS specified is one that will return service record information for your Active Directory forest. Other roles can be verified in the same manner.
2.
3.
4.
5. Click Scan.
If no entries are listed during the scan, correct the routing or switching issues.
The account being used to bind also needs to have access to bind. In many cases,
this means having access to a specific OU. Required access may include having
access to remove objects from an OU, as when binding and placing into a new
OU, or full control over the domain. The access required for the account used to
bind OS X should mirror that required to bind Windows clients.
To perform Active Directory verification:
1. Once bound, verify accounts are reachable using dscl and id.
2. For example:
id jfoster
uid=818406992(jfoster) gid=1450179434(PRETENDCO\domain users) groups=1450179434(PRETENDCO\domain users)
If you can't look up a single account, the Active Directory connection isn't functional.
dscl is another tool that can isolate where in the directory services tree a problem has occurred. Run the following command to see the plug-ins enabled on the system, and to enter into the dscl runtime environment.
dscl
3. Navigate into the All Domains node by using cd and performing another ls to show the contents of the node. The node should contain the Users node, as follows:
/Active Directory > cd 'All Domains'
dsAttrTypeNative:accountExpires: 9223372036854775807
dsAttrTypeNative:ADDomain: pretendco.com
dsAttrTypeNative:badPasswordTime: 0
dsAttrTypeNative:badPwdCount: 0
dsAttrTypeNative:cn:
Tim Lee
dsAttrTypeNative:codePage: 0
dsAttrTypeNative:countryCode: 0
dsAttrTypeNative:displayName:
Tim Lee
dsAttrTypeNative:distinguishedName:
CN=Jimmy Foster,CN=Users,DC=pretendco,DC=com
more...
If you aren't able to read the attributes of a user, check access controls in Active Directory and verify the correct OU is used.
4.
2. Enter the Active Directory user's password. If successful, the Terminal session should respond as that user. To verify, use the whoami command.
For example:
bash-3.2$ whoami
jfoster
Note: If warnings appear about not having a home directory, disregard them at this point. The home directory will be created on initial login.
If this doesn't work, verify that there aren't multiple users with the same account name in the Active Directory forest. If namespace conflicts exist, enable namespace support via dsconfigad. For such testing, enter a user name that has a unique account name forest-wide.
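The DNS and account checks in this module can be scripted so that a bind script fails early instead of waiting a fixed 60 seconds, as the startup script in 3.2.1.5 does. The following is an added example written for this guide's procedure, not code from the guide or from Apple: POSIX shell helpers that read dig or id output from standard input, checked here against constructed sample output embedded in the block. The function and variable names, and the assumption in wait_for_gc_srv that dig is on the path, are this example's own.

```shell
#!/bin/sh
# Added example (not Apple's code): scriptable checks for the Active Directory bind
# verification described in 3.2.1.6. All parsers read from stdin, e.g.
#   dig _gc._tcp.pretendco.com SRV | srv_targets
#   id jfoster | ad_account_ok PRETENDCO

# Print "priority weight port target" for every SRV record in dig's ANSWER SECTION.
srv_targets() {
    awk '
        /^;; ANSWER SECTION:/    { in_answer = 1; next }
        /^;;/ || /^$/            { in_answer = 0 }
        in_answer && $4 == "SRV" { print $5, $6, $7, $8 }
    '
}

# Return 0 when the dig output on stdin contains at least one SRV answer, 1 otherwise.
srv_answer_present() {
    [ "$(srv_targets | wc -l | tr -d ' ')" -gt 0 ]
}

# Return 0 when "id" output on stdin resolves the primary group to the given NetBIOS
# domain (e.g. PRETENDCO), i.e. the lookup went through the Active Directory plug-in
# rather than a local account that happens to have the same name.
ad_account_ok() {
    grep -q "gid=[0-9]*(${1}\\\\"
}

# Poll DNS for the global-catalog SRV record instead of a blind "sleep 60" in a bind
# script. Assumes dig is on the path; returns 0 once a record appears, 1 after max_tries.
wait_for_gc_srv() {
    gc_domain="$1"; max_tries="${2:-12}"; tries=0
    while [ "$tries" -lt "$max_tries" ]; do
        if dig "_gc._tcp.${gc_domain}" SRV | srv_answer_present; then
            return 0
        fi
        tries=$((tries + 1)); sleep 5
    done
    return 1
}

# Summarize both checks for a report line. Arguments: captured dig output, captured id
# output, NetBIOS domain name. Returns 1 on the first failed check.
bind_summary() {
    dig_out="$1"; id_out="$2"; netbios="$3"
    if ! printf '%s\n' "$dig_out" | srv_answer_present; then
        echo "FAIL: no SRV answer for global catalog (check DNS settings)"; return 1
    fi
    if ! printf '%s\n' "$id_out" | ad_account_ok "$netbios"; then
        echo "FAIL: account does not resolve through Active Directory"; return 1
    fi
    echo "OK: DC $(printf '%s\n' "$dig_out" | srv_targets | awk '{ print $4; exit }') answers and accounts resolve"
}

# Constructed sample output (shaped like the dig and id output shown in this section;
# not captured from a live domain).
SAMPLE_DIG=';; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34512
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;_gc._tcp.pretendco.com.        IN      SRV

;; ANSWER SECTION:
_gc._tcp.pretendco.com. 600     IN      SRV     0 100 3268 dc.pretendco.com.

;; ADDITIONAL SECTION:
dc.pretendco.com.       3600    IN      A       192.168.55.47

;; MSG SIZE  rcvd: 92'

SAMPLE_DIG_NXDOMAIN=';; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 34513
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;_gc._tcp.pretendco.com.        IN      SRV'

SAMPLE_ID_AD='uid=818406992(jfoster) gid=1450179434(PRETENDCO\domain users) groups=1450179434(PRETENDCO\domain users)'
SAMPLE_ID_LOCAL='uid=501(jfoster) gid=20(staff) groups=20(staff),80(admin)'
```

On a bound Mac the same functions are fed live output, for example `bind_summary "$(dig _gc._tcp.pretendco.com SRV)" "$(id jfoster)" PRETENDCO`; the parsers are kept separate from the commands so they can be unit-tested without a domain.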
3.2.2
2.
Figure 3.2.2_1
3.
Figure 3.2.2_2
4. Click the Join button to the right of Network Account Server. This button will say Edit if the system has been bound to a directory service.
Figure 3.2.2_3
5.
6. Authenticate as a local administrator by clicking the lock icon in the lower-left corner, if not already unlocked.
Figure 3.2.2_4
7.
8.
Figure 3.2.2_5
9. Click the Show Advanced Options disclosure triangle, then click User Experience.
Figure 3.2.2_6
This pane includes the Create mobile account at login checkbox. Select this option to create an account on the local system that enables the user to log in even if unable to contact the Active Directory servers.
Figure 3.2.2_7
Optionally, select the Use UNC path from Active Directory to derive network home location checkbox to enable home folder synchronization. Once enabled, additional settings are displayed in the Network protocol to be used menu. In Active Directory, when setting a user's profile setting (where a drive letter is mapped), that setting would look like: \\server\share\folder. The Active Directory plug-in converts this path to /server/share/folder and places either an afp: or an smb: in front of the request, resulting in afp://server/share/folder or smb://server/share/folder, respectively.
3.2.3 Namespace Support
While it isn't a recommended configuration, Active Directory has the capacity to allow two accounts with the same user name, provided they're in different domains in the same forest. This represents a namespace collision for OS X client computers. To accommodate namespace collisions, the Active Directory module allows administrators to set the forest and domain independently, specifying which domain in a given forest to authenticate against.
By default, the Active Directory module supports authenticating to any domain in the forest. To limit authentication to specific domains, disable Allow authentication from any domain in the forest in the Advanced Options pane of Directory Utility. Or use the following command in Terminal:
dsconfigad -alldomains disable
Then specific domains can be added to the Directory Domain search path.
By default, namespace support is set to domain, which assumes there are no conflicting user accounts across all domains. If the Active Directory forest has conflicts, change the namespace to forest with this command:
dsconfigad -namespace forest
Note: An unbind and rebind isn't required to change these settings. They are global for all users on a system where the command is run.
Once the namespace has been set to forest, users' home folders and user accounts are then prefixed with DOMAIN\ to ensure unique naming for accounts between domains.
To return to the default behavior, use the following command:
dsconfigad -namespace domain
Note: When run, the -namespace command changes the primary ID for all accounts, and any user profiles for accounts from the Active Directory domain on each client computer need to be copied or moved into the new profile that's created.
3.2.4
If needed, set the signing back to default using the following command:
dsconfigad -packetsign allow
The SSL option requires a trusted certificate chain from Active Directory. If the certificate chain doesn't have a trusted root, you'll need to install and trust the root certificate in the root keychain.
If the change is successful, you'll receive the following message:
Settings changed successfully
3.2.5
2.
Figure 3.2.5_1
3.
Figure 3.2.5_2
4.
Figure 3.2.5_3
5. Browse to the SSL root certificate and choose the certificate to import.
6. Click Open.
7.
8.
Figure 3.2.5_4
3.2.6
To add the certificate to the System keychain, making it available to all users:
sudo security add-certificate -k /Library/Keychains/System.keychain ~/Desktop/pretendco.p12
The openssl command is used to test connectivity to a server that requires the certificate, as follows:
openssl s_client -connect pretendco.com:389
Once you've validated the certificate functionality, use dsconfigad to set the -packetencrypt option to ssl, as follows:
dsconfigad -packetencrypt ssl
To ignore trust:
By default, OS X requires that a certificate received from a domain controller be trusted. To modify this policy, configure the ldap.conf file. To disable certificate verification, edit /etc/openldap/ldap.conf and change the TLS_REQCERT setting to read never, rather than demand.
By default, the settings read as follows:
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_REQCERT demand
After the change, the settings read as follows:
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_REQCERT never
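Because TLS_REQCERT never turns off verification of the domain controller's certificate, the setting is worth auditing on managed Macs rather than only documenting. The following is an added example, not code from the guide or from Apple: shell functions that read an ldap.conf from standard input, report the effective TLS_REQCERT value, fail when verification is not enforced, and rewrite the directive to demand. The two embedded configs are constructed to match the before and after states shown above; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not Apple's code): audit and repair the TLS_REQCERT directive in
# /etc/openldap/ldap.conf. With "never", the LDAP session accepts any certificate from
# any host, so the setting should be detected and corrected by configuration management.
# Functions read the file contents from stdin, e.g.
#   tls_reqcert_value         < /etc/openldap/ldap.conf
#   tls_verification_enforced < /etc/openldap/ldap.conf || echo "weak TLS_REQCERT"

# Print the effective TLS_REQCERT value: the last uncommented directive wins, and
# OpenLDAP's default when the directive is absent is "demand".
tls_reqcert_value() {
    awk 'BEGIN { v = "demand" }
         /^[ \t]*#/ { next }
         toupper($1) == "TLS_REQCERT" && NF >= 2 { v = tolower($2) }
         END { print v }'
}

# Return 0 when server certificate verification is enforced (demand or hard),
# 1 for never/allow/try so a compliance check can fail the host.
tls_verification_enforced() {
    case "$(tls_reqcert_value)" in
        demand|hard) return 0 ;;
        *)           return 1 ;;
    esac
}

# Emit the config with TLS_REQCERT forced to demand: an existing uncommented directive
# is replaced in place, otherwise one is appended at the end.
enforce_tls_reqcert() {
    awk '!/^[ \t]*#/ && toupper($1) == "TLS_REQCERT" { print "TLS_REQCERT demand"; seen = 1; next }
         { print }
         END { if (!seen) print "TLS_REQCERT demand" }'
}

# Constructed samples mirroring the two ldap.conf states shown above.
LDAP_CONF_WEAK='#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_REQCERT never'

LDAP_CONF_SAFE='#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_REQCERT demand'
```

To repair a live file, run `enforce_tls_reqcert < /etc/openldap/ldap.conf > /tmp/ldap.conf.new` and install the result with sudo after reviewing it; the audit function is what a login hook or inventory script would call.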
3.2.7
3.3
3.4 Kerberos
Kerberos is a network authentication protocol used to prove an identity in a secure fashion when communicating over an insecure network. Kerberos provides a client-server architecture with mutual authentication: both the user and the server verify each other's identity. This protects Kerberos against various attacks, including eavesdropping and the resulting potential for replay attacks.
Kerberos makes use of a Key Distribution Center (KDC) that consists of two parts: the Authentication Server (AS) and a Ticket Granting Server (TGS) that issues Ticket Granting Tickets (TGTs). Kerberos works on the basis of tickets, which serve to prove the identity of users. The KDC maintains a database of secret keys. Each client on the network shares a secret key with the KDC and uses this secret key to acquire a TGT. Once the client has a TGT, it can present it to the KDC to get service tickets, which act as authentication to kerberized services on the network.
Note: For communication between two kerberized entities, the KDC generates session keys, which are used to secure communications.
Along with authenticating the identity of a host in a Kerberos environment, safeguards are also put into place to protect the authenticity of each service running on a system as a Service Principal. For a client to obtain tickets, the client requests a ticket using a TGT. This information, in the form of Service Principals, can be viewed in OS X by using the klist command from the Mac.
A more detailed overview of Kerberos is beyond the scope of this document, but it's important to know that when a user first authenticates to a KDC (whether it's Active Directory, Open Directory, or an MIT/Heimdal-based KDC), the client receives a TGT. Once the client authenticates to a kerberized service, the client will have both a TGT and a service ticket for that service. This assists in troubleshooting authentication issues.
To access information regarding Kerberos tickets using a graphical interface, open Keychain Access from /Applications/Utilities. Choose Ticket Viewer from the Keychain Access menu.
Figure 3.4_1
Kerberos can also be managed from the command line using kinit, kswitch, kdestroy, klist, kgetcred, and kpasswd.
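To make the TGT-plus-service-ticket pattern described above checkable from a script, the following added example (not code from the guide or from Apple) parses klist output read from standard input. The embedded klist text is constructed to resemble the Heimdal klist layout on OS X rather than captured from a live system, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not Apple's code): inspect "klist" output for the ticket pattern a
# working Kerberos login shows: one krbtgt entry for the realm plus a service ticket per
# kerberized service used. Functions read klist output from stdin, e.g.
#   klist | has_tgt PRETENDCO.COM || echo "no TGT: run kinit or check the KDC"
#   klist | service_tickets

# Print the principal of every ticket line. Ticket lines end in a principal containing
# "@"; the cache's own "Principal:" header line is skipped.
ticket_principals() {
    awk '$NF ~ /@/ && $1 != "Principal:" { print $NF }'
}

# Return 0 when a ticket-granting ticket for REALM ($1) is in the cache.
has_tgt() {
    ticket_principals | grep -q "^krbtgt/$1@$1\$"
}

# Print only service tickets (every ticket except the krbtgt entry).
service_tickets() {
    ticket_principals | grep -v '^krbtgt/'
}

# Return 0 when the cache holds a ticket for SERVICE/HOST in REALM, e.g.
#   klist | has_service_ticket cifs fileserver.pretendco.com PRETENDCO.COM
has_service_ticket() {
    service_tickets | grep -q "^$1/$2@$3\$"
}

# Constructed sample laid out like Heimdal klist output on OS X (not a real capture).
SAMPLE_KLIST='Credentials cache: API:501:1
        Principal: jfoster@PRETENDCO.COM

  Issued                Expires               Principal
Mar 10 09:12:01 2014  Mar 10 19:12:01 2014  krbtgt/PRETENDCO.COM@PRETENDCO.COM
Mar 10 09:13:22 2014  Mar 10 19:12:01 2014  cifs/fileserver.pretendco.com@PRETENDCO.COM'
```

A cache with no krbtgt line means the initial authentication to the KDC never completed; a cache with the TGT but no service ticket after connecting to a share points at the service principal or its DNS name rather than at the user's credentials.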
3.5 LDAP
Lightweight Directory Access Protocol (LDAP) is the protocol used in most modern directory services systems, including Novell eDirectory, Microsoft Active Directory, and Apple Open Directory.
LDAP defines how clients create, query, and update information in directory services. It then supplies that data, stored in a database, to clients and servers. OS X supports binding to any directory service that supports LDAP using the LDAPv3 Directory Service plug-in, which is configured in the Users & Groups pane in System Preferences by using Directory Utility (located in /System/Library/CoreServices) or by using the dsconfigldap command.
LDAP is lightweight and flexible, and supports different options for connecting, binding, and mapping to and from attributes, the fields of the LDAP database. Both Directory Utility and dsconfigldap allow you to specify all these options.
In LDAP, a schema is a set of rules about the data in the directory service. Depending on the schema, you may have to provide custom mappings between directory service data in OS X and data in your directory service. Directory Utility provides templates, and the ability to create new templates for easy migration between hosts, to map to commonly used schemas. Directory Utility also supports network configuration of the plug-in via DHCP and mapping via a special record in the directory service.
3.6 Open Directory
A directory service is software that stores and organizes information about an environment (users, groups, computers, and other network resources), allowing network administrators to centrally manage resources. Open Directory is the directory service implementation built into OS X Server.
In the context of OS X Server, Open Directory includes a shared LDAPv3-based directory domain (with a number of Apple-created schema attributes that use OID (Object Identifier) space registered through IANA, the Internet Assigned Numbers Authority), the Apple Password Server, and Kerberos 5, all integrated using a modular Directory Services subsystem.
Open Directory allows a number of services that run on OS X, or other operating systems, to be kerberized.
3.7
3.7.1
2.
3. In the dialog, provide the path to the DFS share being accessed. (This may or may not be the root share.)
Figure 3.7.1_1
4.
5. Click Connect.
6. If using Kerberos, and if the user has permission to connect to the share, the Finder displays a window with the contents of the share.
7.
8. Click Connect.
3.7.2
The output contains the expanded name of the server (the name prefixed by the host name). The listing will also display the single-line domain name.
Adding each portion of a DFS path to the connection string shows more in-depth information about that portion of the DFS root. The previous server is a mobile home directory server with a share called HomeDirectories. Using the command smbutil dfs smb://test.pretendco.com/DFS shows the paths and referrals for each share that is part of a namespace server called DFS, as follows:
Referral requested: /WIN-MIE2GCGNMU0.test.pretendco.com/DFS
list item 1 : Path: /WIN-MIE2GCGNMU0.test.pretendco.com/DFS
list item 1 : Network Address: /WIN-MIE2GCGNMU0/DFS
list item 1 : New Referral: /WIN-MIE2GCGNMU0/DFS
To see the referrals available for each namespace within, use the following:
smbutil dfs smb://test.pretendco.com/DFS/HomeDirectories
The output ends with a number of lines that show referral information, as follows:
Referral requested: /WIN-MIE2GCGNMU0.test.pretendco.com/DFS/HomeDirectories
list item 1 : Path: /WIN-MIE2GCGNMU0.test.pretendco.com/DFS/HomeDirectories
list item 1 : Network Address: /WIN-MIE2GCGNMU0/DFS/HomeDirectories
list item 1 : New Referral: /WIN-MIE2GCGNMU02/DFS/HomeDirectories
list item 1 : New Referral: /WIN-MIE2GCGNMU03/DFS/HomeDirectories
list item 1 : New Referral: /WIN-MIE2GCGNMU04/DFS/HomeDirectories
The user name and password can also be added into smbutil options for testing purposes. The following example shows this, using testuser as the user name from Active Directory and testpassword as that user's password:
smbutil dfs smb://testuser:testpassword@test.pretendco.com/DFS/HomeDirectories
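The referral lines above can be reduced to the set of servers a DFS path actually resolves to, which is useful when a namespace unexpectedly points at a host that is not a known home directory server. The following added example (not code from the guide or from Apple) parses smbutil dfs output read from standard input; the sample text is the referral output shown above, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not Apple's code): summarize "smbutil dfs" referral output into the
# servers a DFS path can hand a client to, and check them against an allow-list.
#   smbutil dfs smb://test.pretendco.com/DFS/HomeDirectories | referral_servers
#   smbutil dfs smb://... | referrals_allowed HOST1 HOST2 || echo "unknown referral target"

# Print the server name of each "New Referral" entry, one per line, duplicates removed.
# The path after the colon looks like /SERVER/share/folder, so the server is the second
# slash-separated component.
referral_servers() {
    awk -F': ' '/New Referral:/ { split($NF, p, "/"); print p[2] }' | sort -u
}

# Return 0 when every referral target on stdin is one of the host names given as
# arguments, 1 when the namespace refers the client to a host outside that list.
referrals_allowed() {
    for host in $(referral_servers); do
        ok=0
        for allowed in "$@"; do
            [ "$host" = "$allowed" ] && ok=1
        done
        [ "$ok" -eq 1 ] || return 1
    done
    return 0
}

# Sample input: the referral output shown in this module.
SAMPLE_DFS='Referral requested: /WIN-MIE2GCGNMU0.test.pretendco.com/DFS/HomeDirectories
list item 1 : Path: /WIN-MIE2GCGNMU0.test.pretendco.com/DFS/HomeDirectories
list item 1 : Network Address: /WIN-MIE2GCGNMU0/DFS/HomeDirectories
list item 1 : New Referral: /WIN-MIE2GCGNMU02/DFS/HomeDirectories
list item 1 : New Referral: /WIN-MIE2GCGNMU03/DFS/HomeDirectories
list item 1 : New Referral: /WIN-MIE2GCGNMU04/DFS/HomeDirectories'
```

Keeping credentials out of the smb:// URL when testing avoids leaving the password in shell history and in the process list; when smbutil prompts instead, the parser above works unchanged.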
3.7.3
3.8 SMB2 Support
OS X Mavericks now uses SMB2 as the default protocol for accessing files on a network. Administrators can leverage the smbutil command to access shares, access information about shares, and script any features that are needed around SMB2. If the share is made accessible from DFS, the Finder will automatically connect to the underlying share.
Users can access shares manually through the Finder sidebar via Bonjour if the computer is available in the list.
To access shares manually via Bonjour:
1.
2. Click a host in the sidebar. Then click the server listed under Shared.
Figure 3.8_1
3.
4. In the dialog, enter the Name and Password for the server, then click the Connect button.
Figure 3.8_2
If the SMB2 or DFS share is not browsable, the share can still be accessed manually using the Connect to Server dialog.
To access shares manually via the Connect to Server dialog:
1.
2.
3. In the dialog, enter the hostname with the SMB2 share on it, then click the Connect button. You will be prompted to authenticate.
Figure 3.8_3
3.9
3.9.1
.beID. eid.belgium.be
ActivIDentity. www.actividentity.com
Centrify. www.centrify.com
Charismathics. www.charismathics.com
HID. www.hidglobal.com
SafeNet. www.safenet-inc.com
Smart-card hardware compliant with CCID that can be purchased from Apple:
SCM Smart Card Reader. store.apple.com/us/product/H2312LL/A
4 Configuration Management
Policy-based management is a robust way to manage nearly any setting in OS X.
Mac computers, as well as iOS devices, are managed using configuration profiles.
Using the same management structure for both platforms allows enterprises to
leverage the same Mobile Device Management (MDM) platforms to manage both
types of devices.
Profiles are used to manage settings for Mac computers. Profiles are created with
the Profile Manager service in OS X Server or using the Apple Configurator app,
which supports settings shared between OS X and iOS, and is available on the
Mac App Store. Profile Manager offers a number of options, such as locking
devices, performing remote wipes, and binding to a directory service. Profiles are
also the only way to configure 802.1x profiles on a Mac.
To set up Profile Manager, first install OS X and OS X Server from the Mac App Store.
2. Once the server is set up, verify that the host name and SSL certificates are valid (a process covered in the following modules).
3.
4.1.1
2.
3. Click the name of the server listed in the sidebar (the first item), if not already highlighted.
4. Click the Edit button next to the Host Name in the Overview pane.
Figure 4.1.1_1
5. In the Accessing your Server dialog, click the Domain Name radio button.
6. Click Next.
Figure 4.1.1_2
7. In the Connecting to Your Server dialog, provide the name (which in this example is Pretendco MDM Server) and the host name, which should have corresponding DNS entries (in this example, it is mdm.pretendco.com).
Figure 4.1.1_3
8. In the Server app, the new name is displayed in the sidebar, in the Host Name field, and in the Computer Name field.
Figure 4.1.1_4
4.1.2 Configure Users
Before accessing most services on a server running OS X Server, users need accounts created on the server. All accounts created with the Server application reside in a directory service known as Open Directory. Open Directory is automatically configured when the Server application is installed in OS X Server.
If a server is bound to a directory service, such as Microsoft Active Directory, no further work is needed because accounts from the third-party directory service can be used with the OS X Server service. Otherwise, create users before setting up profiles in Profile Manager.
To create network service users in OS X Server:
1.
2.
Figure 4.1.2_1
3.
4.
5. Enter a shortened name for the user in the Account Name field. For example, pretendcoadmin.
6. Optionally, provide an email address for the user in the Email Address field. For example, admin@pretendco.com.
7. Enter the password this account will use in the Password field.
8.
9.
Figure 4.1.2_2
11. Click the Create button when the settings are as intended for the user.
4.1.3 Add Groups
Most large-scale systems management should be done using groups. This module covers creating groups using the Server application.
Note: If the server is bound to another directory service, for example Active Directory, manage users from the third-party directory service rather than from OS X Server to make sure all applicable attributes are created.
To create groups in OS X Server:
1.
Figure 4.1.3_1
2.
Figure 4.1.3_2
3.
4. When prompted, provide a name for the group in the Full Name field.
5. The Group Name short name is automatically generated based on the Full Name. Alternatively, provide your own short name in the Group Name field.
Figure 4.1.3_3
6.
4.1.4 Review Certificates
Each server running OS X Server is installed with a default self-signed certificate. For security purposes, review the certificates installed on the server.
Most services, such as Profile Manager, require SSL certificates. These certificates can either be created by the organization's Certificate Authority (CA), purchased from an outside vendor, or created as a self-signed certificate directly in OS X Server.
To manage certificates in OS X Server:
1.
Figure 4.1.4_1
2.
Figure 4.1.4_2
3. Click the cog wheel icon to open the action pop-up menu.
4.
5.
Figure 4.1.4_3
6. On the certificate pane, verify that all the required settings are correct.
Figure 4.1.4_4
7.
Figure 4.1.4_5
4.1.5
Figure 4.1.5_1
2.
Figure 4.1.5_2
3.
4.
Figure 4.1.5_3
5.
6. Click OK.
Note: It is recommended that you set a reminder for the expiration date of the Apple Push Notification Certificate in a calendar application such as Calendar from Apple or Microsoft Outlook.
4.1.6
Figure 4.1.6_1
2.
Figure 4.1.6_2
3. Click Configure.
Note: If there isn't a Configure button, turn on Profile Manager in the upper-right of the window. If this doesn't work, run the wipeDB.sh script located in /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend/WipeDB.sh to restart the process. Then restart the computer when the script is complete. If any of the features have been configured prior to this step, those steps are skipped in this process.
4.
Figure 4.1.6_3
5.
6.
Figure 4.1.6_4
7.
8.
Figure 4.1.6_5
9. In the Confirm Settings dialog, click Finish. The Profile Manager database is now created.
Figure 4.1.6_6
10. Provided the service is configured correctly, Enabled appears next to Device Management.
Figure 4.1.6_7
11. To change the name of the default configuration profile, click the Edit button next to the current name and enter a new name.
12. Once finished configuring settings, turn Profile Manager on in the upper-right corner of the window.
After the Profile Manager service completes startup, configure Profile Manager settings and enroll user devices.
4.1.7
4.1.8
Figure 4.1.8_1
2.
Figure 4.1.8_2
3. Click Open Profile Manager in the lower-left corner, or open a web browser and go to https://servername/profilemanager, where servername is the fully qualified domain name of the server running Profile Manager.
4.
Figure 4.1.8_3
5.
6.
Figure 4.1.8_4
7.
Figure 4.1.8_5
8.
9. Click OK.
Figure 4.1.8_6
Figure 4.1.8_7
4.1.9
Figure 4.1.9_1
2.
Figure 4.1.9_2
3.
4.
5.
Figure 4.1.9_3
6.
7.
Figure 4.1.9_4
8.
9. With the new group highlighted, click the Add (+) button in the Group pane to add devices or other device groups as members.
Figure 4.1.9_5
4.1.10
Figure 4.1.10_1
2.
Figure 4.1.10_2
3.
4.
5.
Figure 4.1.10_3
6.
Figure 4.1.10_4
7. Choose a type from the Device Type menu, and enter a name and serial number for the device.
Figure 4.1.10_5
8. Click Add.
4.1.11 Enroll OS X Devices
Once the Profile Manager server is configured, devices need to be enrolled to make use of the new configuration. When logging into the User Portal, there are two tabs. The Devices tab provides an overview of devices registered by that user and allows for the enrollment of new devices. The Profiles tab lists the profiles that are available for download for the logged-in user.
When using a self-signed SSL certificate, users will begin by installing the Trust Profile from the Profiles tab. This profile will install the certificates needed for the client devices to trust your Profile Manager SSL and code-signing certificates.
To enroll an OS X computer:
1.
2.
Figure 4.1.11_1
3. Click Enroll to enroll the device into the Mobile Device Management environment.
Figure 4.1.11_2
4.
5.
Figure 4.1.11_3
6.
Figure 4.1.11_4
7. The Mac is now enrolled in Profile Manager and appears under Devices both in Profile Manager and on the My Devices portal.
Figure 4.1.11_5
8. The Remote Management profile is also shown in the Profiles pane in System Preferences.
Figure 4.1.11_6
4.1.12
2.
3. See the enrolled devices in the Devices tab. Click the Lock button for the appropriate device.
Figure 4.1.12_1
4.
Figure 4.1.12_2
5.
Figure 4.1.12_3
6. When locking a Mac, it immediately restarts to a PIN pad. Only the passcode entered in the User Portal can unlock the device. When the passcode is provided to the client computer, the computer restarts as normal and remains enrolled.
7. Administrators can confirm that the lock has been applied from Profile Manager.
4.1.13
2.
Figure 4.1.13_1
3.
Figure 4.1.13_2
4. Performing a wipe requires the use of a PIN. Enter the PIN and then click the Wipe button.
5.
Figure 4.1.13_3
6. The Mac is wiped and all data is erased. Confirm the wipe has been sent in the Tasks section of Profile Manager.
4.1.14
2.
3.
4.
Figure 4.1.14_1
5. Choose Devices or Device Groups from the Library list in the sidebar.
6.
Figure 4.1.14_2
7. In the device or device group pane, click the cog wheel icon to open the action pop-up menu.
8. Choose Lock.
Figure 4.1.14_3
9.
Figure 4.1.14_4
10. When locking OS X, the Mac immediately restarts to a PIN pad. Only the passcode entered in Profile Manager can unlock the computer.
11. Confirm the lock has been completed in the Completed Tasks section of Profile Manager.
4.1.15
2.
3.
4.
Figure 4.1.15_1
5. Choose Devices or Device Groups from the Library list in the sidebar.
6.
Figure 4.1.15_2
7. In the device or device group pane, click the cog wheel icon to open the action pop-up menu.
8. Choose Wipe.
Figure 4.1.15_3
9.
Figure 4.1.15_4
4.1.16
2.
3. Click the Devices tab to view all Mac computers enrolled by the user account. To enroll additional devices for the same account, click the Enroll button. Click the Remove button for the device to disable remote management.
Figure 4.1.16_1
4.
Figure 4.1.16_2
5. The device record is removed from Profile Manager, and the device is no longer considered managed. Additionally, the Remote Management profile is no longer listed in the Profiles pane in System Preferences on the client computer.
4.1.17
2.
3.
4.
5.
6.
Figure 4.1.17_1
7. Click the minus (-) button located at the bottom of the middle pane.
8.
Figure 4.1.17_2
9.
10. Confirm the device no longer appears in the Devices section of the Profile Manager Library.
4.1.18
2.
3.
4.
5.
Figure 4.1.18_1
6.
7.
Figure 4.1.18_2
4.1.19
2.
3.
4.
5. Choose Users, Groups, Devices, or Device Groups from the Library list in the sidebar.
6.
Figure 4.1.19_1
7.
Figure 4.1.19_2
8.
Figure 4.1.19_3
9. Set any other settings that should be deployed with the profile.
4.1.20
2.
3.
4.
5. Choose Users, Groups, Devices, or Device Groups from the Library list in the sidebar. Then select the user, group, device, or device group to edit.
6.
Figure 4.1.20_1
7. Click Edit.
8.
Figure 4.1.20_2
9. Click Configure.
Figure 4.1.20_3
4.1.21 profiles Command
The profiles command allows programmatic control of configuration profiles so that administrators can script or remotely run configuration profile installation, removal, and auditing. To list the configuration profiles installed for a given user, run the profiles command with the -L option, as follows:
profiles -L
To see all configuration profiles installed on the system, run the profiles command with the -P option, as follows:
sudo profiles -P
To install a configuration profile for a user, run the profiles command with the -I option (for install), followed by the -F option (for file), and ending with the path to the profile file. For example, the following command installs a configuration profile called 8021xSetup.mobileconfig, previously copied to /tmp:
profiles -I -F /tmp/8021xSetup.mobileconfig
Profiles installed from a Profile Manager instance are tracked using unique identifiers similar to a default domain. For example, if an organization is called pretendco and the profile to install is for 802.1x configuration, that profile might be called com.pretendco.8021xSetup. To remove this profile, use the -R option followed by -p to denote a profile, as follows:
profiles -R -p com.pretendco.8021xSetup
To see the version number of the profiles command, use the -x option:
profiles -x
For more information, see the man page for profiles using the following command:
man profiles
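One use of profiles -P in the auditing role described above is a drift check: compare what is installed with the identifiers an organization expects. The following added example (not code from the guide or from Apple) parses profiles -P output read from standard input and reports missing or unexpected profile identifiers. The embedded sample is constructed, the assumption that each system profile appears on a line containing profileIdentifier: followed by the identifier is this example's own, and so are the function names.

```shell
#!/bin/sh
# Added example (not Apple's code): detect profile drift from "sudo profiles -P" output.
#   sudo profiles -P | profile_identifiers
#   sudo profiles -P | profile_drift "com.pretendco.8021xSetup com.pretendco.vpn" || echo "drift"
# Assumption: each installed system profile is reported on a line of the form
#   _computerlevel[N] attribute: profileIdentifier: <identifier>

# Print each profileIdentifier value, one per line, sorted and de-duplicated.
profile_identifiers() {
    awk '/profileIdentifier:/ { print $NF }' | sort -u
}

# Usage: profile_drift "ID1 ID2 ..." < profiles_output
# Prints one "missing <id>" line per expected identifier that is not installed and one
# "unexpected <id>" line per installed identifier not in the expected list.
# Returns 0 only when the two sets match exactly.
profile_drift() {
    expected="$1"
    installed="$(profile_identifiers)"
    drift=0
    for id in $expected; do
        printf '%s\n' "$installed" | grep -qxF "$id" || { echo "missing $id"; drift=1; }
    done
    for id in $installed; do
        case " $expected " in
            *" $id "*) ;;
            *) echo "unexpected $id"; drift=1 ;;
        esac
    done
    return $drift
}

# Constructed sample in the assumed "profiles -P" layout (not captured from a real Mac).
SAMPLE_PROFILES='_computerlevel[1] attribute: profileIdentifier: com.pretendco.8021xSetup
_computerlevel[2] attribute: profileIdentifier: com.pretendco.vpn
There are 2 system configuration profiles installed'
```

An inventory or login script can feed the output of profile_drift to its reporting channel; an unexpected identifier is worth following up because profiles can also be installed locally with profiles -I, outside Profile Manager.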
4.1.22 dscl Command
As of OS X Mavericks, the dscl command has extensions for dealing with profiles. These include the following:
MCX Profile Extensions:
-profileimport
-profiledelete
-profilelist
-profileexport <output folder path>
-profilehelp
To make a list of all profiles for a given object from a directory service, use the -profilelist extension. To run the command to list the profile information, follow the dscl command with the -u option to identify a directory services user, -P to identify the password of that user, the IP address of the directory services server, followed by profilelist and then the path of the object. Assuming a username of diradmin for the directory, a password of apple, and the user sydneybailey:
dscl -u diradmin -P apple 192.168.210.201 profilelist /LDAPv3/127.0.0.1/Users/sydneybailey
To delete that information for the given user, swap the profilelist extension with profiledelete:
dscl -u diradmin -P apple 192.168.210.201 profiledelete /LDAPv3/127.0.0.1/Users/sydneybailey
4.2
Manage Profiles
Profile Manager enables administrators to configure almost any setting in OS X
and manage devices en masse.
Profiles can also be managed using third-party mobile device management
solutions. These solutions support profile management in the same fashion, using
tasks similar to those in this section.
4.2.1
2.
Click Profiles.
3.
Click a profile.
Figure 4.2.1_1
4.
b.
c.
Details. The settings being managed within each payload and the
contents of the managed keys.
4.2.2
1.
2.
3.
4.
5.
Click Users, Groups, Devices, or Device Groups in the Library list in the
sidebar.
6.
Figure 4.2.2_1
5.
Figure 4.2.2_2
6.
In the sidebar of the Settings window, scroll down and click Dock.
Figure 4.2.2_3
7.
8.
9.
Figure 4.2.2_4
10. In the Profile window, verify that the Dock payload is listed.
Figure 4.2.2_5
11. Click Save to save the changes. The dock on the client system is immediately
moved to the right side of the screen.
Figure 4.2.2_6
4.2.3
2.
3.
4.
5.
Click Users, Groups, Devices, or Device Groups in the Library list in the
sidebar. Then select the user, group, device, or device group to edit.
Figure 4.2.3_1
6.
In the Settings tab in the right-most pane, click the Edit button.
Figure 4.2.3_2
7.
Figure 4.2.3_3
8.
9.
Figure 4.2.3_4
10. Click the Add Item button to add a key to the domain.
11. Enter GatewayServer in the Key field.
12. Leave the Type menu set to String.
13. In the Value field, enter the name or IP address of the gateway server for
Office Communicator.
14. Click OK.
Note: If there are a number of preferences to add, consider importing a
prepared property list using the Upload File button.
Figure 4.2.3_5
15. Click Save and the setting is deployed to all client systems in the group, all
systems for the user (if configuring for users), or a single device if applicable.
Figure 4.2.3_6
4.2.4
Manage Printers
Printers can also be managed using configuration profiles.
To use Profile Manager to manage a printer:
1.
2.
3.
4.
5.
Click Users, Groups, Devices, or Device Groups in the Library list in the
sidebar. Then select the user, group, device, or device group to edit.
Figure 4.2.4_1
6.
Figure 4.2.4_2
7.
8.
Figure 4.2.4_3
9.
Figure 4.2.4_4
10. A list of printers installed on the Profile Manager server is provided in the
Add Printers dialog. If the required printer isn't listed, install it on the Profile
Manager server. Otherwise, click the Add button for the printer.
11. Click Done once all desired printers have been added.
Figure 4.2.4_5
Figure 4.2.4_6
Figure 4.2.4_7
16. Click the Save button. Then click Save again to confirm Save Changes.
Figure 4.2.4_8
4.2.5
2.
3.
4.
5.
Click Users, Groups, Devices, or Device Groups in the Library list in the
sidebar. Then select the user, group, device, or device group to edit.
Figure 4.2.5_1
6.
Figure 4.2.5_2
7.
8.
Figure 4.2.5_3
9.
Figure 4.2.5_4
10. Click the Restrict which applications are allowed to launch checkbox.
Figure 4.2.5_5
Figure 4.2.5_6
13. Click the OK button to return to the Profiles pane. Users in the selected
object can only open applications in /Applications (the default in OS X).
14. Confirm that Restrictions is now listed.
Figure 4.2.5_7
15. Click the Save button. Then click Save again to confirm Save Changes.
Figure 4.2.5_8
4.2.6
2.
3.
4.
5.
Click Users, Groups, Devices, or Device Groups in the Library list in the
sidebar. Then select the user, group, device, or device group to edit.
6.
7.
Click Edit.
Figure 4.2.6_1
8.
9.
Figure 4.2.6_2
Figure 4.2.6_3
14. Click OK.
15. Click the Save button.
16. Click Save again to confirm Save Changes.
4.2.7
2.
3.
4.
5.
Click Users, Groups, Devices, or Device Groups in the Library list in the
sidebar. Then select the user, group, device, or device group to edit.
6.
7.
Click Edit.
Figure 4.2.7_1
8.
9.
Figure 4.2.7_2
Figure 4.2.7_3
4.2.8
2.
3.
4.
5.
Click Users, Groups, Devices, or Device Groups in the Library list in the
sidebar. Then select the user, group, device, or device group to edit.
6.
7.
Click Edit.
Figure 4.2.8_1
8.
9.
Figure 4.2.8_2
10. Provide the appropriate information for your environment. This includes:
a.
b.
c.
Realm. The realm name of your Kerberos environment (for example the
Active Directory domain name).
Figure 4.2.8_3
4.2.9
2.
3.
4.
5.
Click Users, Groups, Devices, or Device Groups in the Library list in the
sidebar. Then select the user, group, device, or device group to edit.
6.
7.
Click Edit.
Figure 4.2.9_1
8.
9.
Figure 4.2.9_2
10. Provide the appropriate information for your environment. From the Allowed
Websites menu, select from the following:
a.
b.
Permitted URLs. Click the Add (+) button to whitelist certain sites.
Blacklisted URLs. Click the Add (+) button to list sites for which
access is explicitly denied (whether adult content or not).
Specific Websites Only. This option only allows access to specific sites
(This is useful with kiosks, for example).
Figure 4.2.9_3
4.3
Password Policies
A variety of password policies are applied to clients through configuration
profiles, Active Directory, or command-line tools. These policies should conform to
the requirements set forth by an organization's security policy.
When using Active Directory, the Active Directory password policies are respected
by OS X. Clients are notified of expiring passwords, and users can change their
Active Directory passwords in OS X.
4.3.1
This results in a list of all OS X global password policies and their settings on the
client system, as follows:
usingHistory=0 canModifyPasswordforSelf=1
usingExpirationDate=0 usingHardExpirationDate=0
requiresAlpha=0 requiresNumeric=0 expirationDateGMT=12/31/69
hardExpireDateGMT=12/31/69 maxMinutesUntilChangePassword=0
maxMinutesUntilDisabled=0 maxMinutesOfNonUse=0
maxFailedLoginAttempts=0 minChars=8 maxChars=0
passwordCannotBeName=0 requiresMixedCase=0 requiresSymbol=0
newPasswordRequired=0 minutesUntilFailedLoginReset=0
notGuessablePattern=0
Use the pwpolicy command to see the policies for a given user. For example, run
the following command to see any user-based password policies for a user with a
short name of jfoster:
pwpolicy -n /Local/Default -u jfoster -getpolicy
Once the user's password policy and the global password policy for the computer
are known, composite the two to obtain a resultant set of policies (an effective
policy). Rather than merging them by hand, run pwpolicy with the
-geteffectivepolicy operation. In the following example, the user is given with
the -u option and that user's password with -p, followed by -geteffectivepolicy
to show the resultant policy enforced for jfoster:
pwpolicy -n /Local/Default -u jfoster -p jimmypassword -geteffectivepolicy
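The following shell script is an added example, not part of the guide: it reads pwpolicy output like the listing above and flags settings that fall short of a minimum baseline, so an audit across many Macs can be scripted rather than read by eye. The baseline values and the sample listing are assumptions for this example; set the baseline from your own security policy.

```shell
#!/bin/sh
# Audit pwpolicy output against a minimum baseline (added example, not from the guide).
# Feed it the output of:  pwpolicy -n /Local/Default -getglobalpolicy
# or, for one user:       pwpolicy -n /Local/Default -u jfoster -getpolicy

# Constructed sample: the global policy listing shown in the guide.
SAMPLE_POLICY='usingHistory=0 canModifyPasswordforSelf=1
usingExpirationDate=0 usingHardExpirationDate=0
requiresAlpha=0 requiresNumeric=0 expirationDateGMT=12/31/69
hardExpireDateGMT=12/31/69 maxMinutesUntilChangePassword=0
maxMinutesUntilDisabled=0 maxMinutesOfNonUse=0
maxFailedLoginAttempts=0 minChars=8 maxChars=0
passwordCannotBeName=0 requiresMixedCase=0 requiresSymbol=0
newPasswordRequired=0 minutesUntilFailedLoginReset=0
notGuessablePattern=0'

# policy_value KEY: print KEY's value from pwpolicy output on stdin (empty if absent).
# pwpolicy prints whitespace-separated key=value tokens, so split on spaces and newlines.
policy_value() {
    tr ' ' '\n' | awk -F= -v key="$1" '$1 == key { print $2; exit }'
}

# audit_policy: read pwpolicy output on stdin and print one FAIL line per setting
# that falls short of the baseline. Prints nothing when the policy is acceptable.
# The baseline (assumed for this example) is: at least 12 characters, a lockout
# after some number of failed logins, history, alpha and numeric requirements,
# and the password may not be the account name.
audit_policy() {
    policy=$(cat)
    min_chars=12
    v=$(printf '%s\n' "$policy" | policy_value minChars)
    [ "${v:-0}" -ge "$min_chars" ] || echo "FAIL minChars=${v:-unset} (want >= $min_chars)"
    # 0 means no lockout at all, so failed logins can be retried indefinitely.
    v=$(printf '%s\n' "$policy" | policy_value maxFailedLoginAttempts)
    [ "${v:-0}" -gt 0 ] || echo "FAIL maxFailedLoginAttempts=${v:-unset} (0 = never lock out)"
    # Flags that should be non-zero: password history, character classes, name check.
    for key in usingHistory requiresAlpha requiresNumeric passwordCannotBeName; do
        v=$(printf '%s\n' "$policy" | policy_value "$key")
        [ "${v:-0}" -ne 0 ] || echo "FAIL $key=${v:-unset} (want non-zero)"
    done
    return 0
}

# Demo on the constructed sample: the listing above fails six of the checks.
printf '%s\n' "$SAMPLE_POLICY" | audit_policy
```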
When auditing password policies, it's important to understand what each policy
does. The following is a description of global password policies (obtained from
the man page for pwpolicy).
usingHistory
usingExpirationDate
usingHardExpirationDate
requiresAlpha
requiresNumeric
expirationDateGMT
hardExpireDateGMT
maxMinutesOfNonUse
maxFailedLoginAttempts
minChars
maxChars
isAdminUser
newPasswordRequired
canModifyPasswordforSelf
RECOVERABLE
SALTED-SHA512-PBKDF2
SALTED-SHA512
SMB-NT
4.3.2
Set the user password policy for the currently logged-in account (assuming
it's a local account) to require a minimum number of eight characters in a
user's password. To do so, run the following command:
pwpolicy -n /Local/Default -setpolicy minChars=8
2.
To change this setting for the jfoster user, use the following command,
which adds a -u and the user name as follows:
pwpolicy -n /Local/Default -u jfoster -setpolicy minChars=8
3.
Review the other password policies previously discussed, and decide which
ones to apply to your user accounts on the local system. Each additional
policy is added inside quotation marks ("") and separated by spaces.
Note: Keep in mind that administrative users won't have password policies
applied.
4.
Once global password policies are set, configure many of your user password
policies to be identical to the global policies. To do so, use the
--setpolicyglobal option. For example, the following command is used
to configure the jfoster user to have the same policy as the global password
policy:
pwpolicy -n /Local/Default -u jfoster -setpolicyglobal
4.4
5 Security
There are a number of features built into OS X that provide added layers of
security. This guide covers those most commonly looked for in enterprise
environments, from where to find additional resources to more technical
options such as setting up full disk encryption.
5.1
5.2
Use Gatekeeper
Gatekeeper manages the execution of applications, allowing administrators to
limit access to applications not downloaded from the Mac App Store or
applications not signed by a member of the Apple Developer ID program. By only
allowing signed applications and apps from the Mac App Store or a known
developer, the risk of malicious software in an email attachment or web
download is significantly mitigated. The default setting in OS X is to allow only
Mac App Store applications. OS X can also restrict access to applications based on
configuration profile settings delivered through Profile Manager and third-party
mobile device management solutions. Application whitelisting is based on
unique app signatures, whole directories that contain applications, or both.
5.2.1
Figure 5.2.1_1
Figure 5.2.1_2
2.
Click the Settings tab, then click the Edit button for the profile.
3.
4.
Figure 5.2.1_3
5.
Click the checkbox for Do not allow user to override Gatekeeper setting
(OS X only).
Figure 5.2.1_4
6.
Once finished managing the Application Launch Security settings, click OK.
7.
8.
Figure 5.2.1_5
5.3
5.4
2.
Click Sharing.
3.
4.
Administrators should also enable a SACL (Service Access Control List) for the
service. To do so, select the Only these users checkbox and click the Add (+)
button to add those users allowed to leverage the SSH service on the Mac.
Figure 5.4_1
Many client management systems use SSH to communicate with their agent
software and to control client systems. Enabling SSH, also called Remote Login,
can be done through the command line in order to facilitate mass deployment of
SSH to client systems.
2.
3.
5.5
2.
When prompted for a location for the key, leave this blank.
The key is saved to a folder called .ssh in your user home folder. If logged in
as a user called jfoster, you'll receive output similar to the following:
Your identification has been saved in /Users/jfoster/.ssh/identity.
Your public key has been saved in /Users/jfoster/.ssh/identity.pub.
Now that you have your key exported for your identity, export keys for use
with SSH clients. These need to be in dsa and then rsa formats (rather than
rsa1 as previously used).
3.
When the keys are generated, they reside in the ~/.ssh directory. Copy the
keys to the target host and merge them into an authorized_keys file.
4.
Note: Replace the IP address in the command above with that of the target.
5.
Merge keys into the authorized_keys file on that host using the following
command on the target system:
cat /Users/jfoster/.ssh/tmp_authorized_keys/*.pub > /Users/jfoster/.ssh/authorized_keys
6.
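An added example, not the guide's own command: the cat ... > ... redirection above replaces whatever authorized_keys already exists on the target, so this POSIX shell function merges instead, keeping existing entries, dropping lines that are not public keys, removing duplicate key material, and setting the permissions sshd requires. The directory and file names are assumptions, and the keys in the comments are constructed.

```shell
#!/bin/sh
# Safely merge collected *.pub files into an authorized_keys file
# (added example, not from the guide).
#
# Usage: merge_authorized_keys /Users/jfoster/.ssh/tmp_authorized_keys \
#                              /Users/jfoster/.ssh/authorized_keys
# Prints the number of authorized keys after the merge.
merge_authorized_keys() {
    src_dir=$1
    dest=$2
    tmp=$(mktemp) || return 1

    # Keep whatever is already authorized; a plain '>' redirection would discard it.
    if [ -f "$dest" ]; then
        cat "$dest" > "$tmp"
    fi

    for f in "$src_dir"/*.pub; do
        [ -f "$f" ] || continue
        # Accept only lines shaped like an OpenSSH public key:
        # key type, base64 blob, optional comment. Anything else is dropped.
        grep -E '^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( |$)' \
            "$f" >> "$tmp" || true
    done

    # Deduplicate on key type + key material (field 1 and 2), ignoring the
    # comment, so the same key exported twice with different comments is kept once.
    awk '!seen[$1 " " $2]++' "$tmp" > "$dest"
    rm -f "$tmp"

    # sshd refuses keys from a file or directory that others can write to.
    chmod 600 "$dest"
    chmod 700 "$(dirname "$dest")"

    wc -l < "$dest" | tr -d ' '
}
```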
5.6
Use FileVault 2
FileVault 2 provides full disk encryption for data-at-rest (DAR) protection and is
built into OS X. FileVault 2 keeps all files on a Mac secure using XTS-AES-128
(256-bit keys) data encryption at the disk level. With FileVault 2 turned on, all
information on the computer is kept safe from unauthorized access.
In this module, enable FileVault 2 full disk encryption.
To enable FileVault:
1.
2.
Figure 5.6_1
3.
Figure 5.6_2
4.
Figure 5.6_3
5.
If the system has multiple users, click Enable User for each authorized user.
Then have the user enter his or her login password. Users who have provided
passwords will be shown with a checkmark icon, while users who still require
a password will be shown with an Enable User button. Users who don't have
any password set will be shown with a Set Password button.
Note: Logging in after the system disk has been unlocked by another user is
still possible, even if the user isn't enabled here.
Figure 5.6_4
6.
7.
Figure 5.6_5
8.
9.
Document the displayed recovery key provided in the Recovery Key dialog.
Figure 5.6_6
Click the Store the recovery key with Apple radio button to store the
protected key on Apple servers.
b.
c.
Provide a response below each question. You will need to reenter the
exact same responses should the recovery keys need to be retrieved.
d.
The recovery key will be wrapped by a key generated from the selected
questions and responses.
Figure 5.6_7
13. Click Restart to restart the Mac and begin the encryption process.
Figure 5.6_8
2.
3.
Figure 5.6_9
4.
FileVault is turned on for the disk <disk name>. This indicates that Full
Disk Encryption (FDE) has been enabled for the disk.
b.
FileVault is turned off for the disk <disk name>. This indicates that FDE
hasn't been enabled for the disk.
c.
A recovery key has been set. This indicates that the protected recovery
key is stored on Apple servers.
d.
e.
Encryption Finished. This indicates that the drive has completed the
conversion process and is now fully encrypted.
Figure 5.6_10
To disable FileVault:
1.
2.
3.
4.
Figure 5.6_11
5.
Click Turn Off Encryption to confirm you wish to turn off FileVault.
Figure 5.6_12
5.6.1
2.
3.
4.
5.
Once enabled, FileVault can be disabled provided the recovery key is available. To
disable, use fdesetup with the disable flag.
5.6.2
2.
fdesetup haspersonalrecoverykey
2.
fdesetup hasinstitutionalrecoverykey
2.
Set the recovery key by using the changerecovery verb along with a
-personal option, as follows:
fdesetup changerecovery -personal
3.
2.
Set the recovery key by using the changerecovery verb, along with a
-institutional option, followed by the -certificate option that lists
the path to a certificate, as follows:
fdesetup changerecovery -institutional -verbose -certificate /tmp/institutional.cer
3.
Once deployed, use the validaterecovery option to verify that a recovery key
will indeed unlock the encrypted boot volume of a system.
To verify the recovery key will unlock the encrypted boot volume:
1.
2.
3.
5.6.3
2.
3.
Figure 5.6.3_1
4.
In the encryption dialog, provide a password and a hint for remembering the
password. Then click the Encrypt Disk button.
Figure 5.6.3_2
   SIZE       IDENTIFIER
  *251.0 GB   disk0
   209.7 MB   disk0s1
   250.1 GB   disk0s2
   650.0 MB   disk0s3
  *292.0 GB   disk1
   209.7 MB   disk1s1
   250.1 GB   disk1s2
The device for the ExternalHD, above, is disk1s2. This is the volume to be
encrypted. The diskutil command is used to encrypt that volume, using the cs
(short for CoreStorage) option, along with the convert verb, the identifier, and
the -passphrase option, in that order. The command would then be as follows:
diskutil cs convert /dev/disk1s2 -passphrase
Use the list verb with the diskutil command to watch the status, as follows:
diskutil cs list
5.6.4
1.
2.
3.
Figure 5.6.4_1
4.
Click the cog wheel icon to open the action pop-up menu. Then choose Set
Master Password.
Figure 5.6.4_2
5.
6.
Figure 5.6.4_3
5.6.5
5.6.6
2.
Figure 5.6.6_1
3.
Click Options.
Figure 5.6.6_2
4.
Figure 5.6.6_3
5.
6.
Click Exclude.
Figure 5.6.6_4
7.
Repeat this process until all files and folders to exclude from the backup have
been selected.
8.
Click Save.
9.
Figure 5.6.6_5
Figure 5.6.6_6
Backups are encrypted and will protect all files stored inside the encrypted Time
Machine location. Reenter the same backup password when attempting to
recover a system from this encrypted Time Machine backup.
5.7
All major developers of full disk encryption solutions provide the ability to
centrally manage encryption keys, thus allowing for centralized key recovery. All
third-party FDE solutions have the ability to be mass deployed, as needed, so that
the full disk encryption process isn't laborious to set up.
5.8
5.8.1
5.8.1.1
1.
2.
3.
Figure 5.8.1.1_1
4.
5.
Figure 5.8.1.1_2
6.
7.
Click the Block all incoming connections checkbox to block all connections
for nonessential services.
Figure 5.8.1.1_3
8.
9.
Figure 5.8.1.1_4
11. Choose whether the application will allow or deny incoming connections
using the menu next to the application name.
12. The application now appears in the list of allowed applications.
Figure 5.8.1.1_5
13. Click the Enable stealth mode checkbox to prevent the firewall from
sending an acknowledgement of attempts to open sockets without listeners
running. Stealth mode mimics what would occur if a computer were not
running at the IP address being scanned. Without stealth mode, the
computer will let a possible attacker know the ports are closed, alerting them
to the presence of the host. This option enables stealth mode for TCP traffic,
but not UDP traffic.
14. Automatically enable any signed software, software signed by a valid
certificate authority, to provide network services. To do so, click Advanced
and choose Automatically allow signed software to receive incoming
connections.
5.8.1.2
The firewall command in this directory is a system daemon that runs the
application-layer firewall.
2.
The --listapps option will also provide information about the status of
each application that socketfilterfw will filter, as follows:
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --listapps
3.
4.
5.
6.
Note: Here the vmware binary, hidden a few levels within the .app bundle,
was used rather than the VMware Fusion.app application bundle.
Also use the socketfilterfw command to sign applications by using the
-s option followed by the path to the file (quoted here because the bundle
name contains a space), as follows:
sudo /usr/libexec/ApplicationFirewall/socketfilterfw -s "/Applications/VMware Fusion.app/Contents/MacOS/vmware"
7.
Once signed, verify the signatures by using the -v option followed by the
name of the file. To verify the binary that was signed above, use the following
command:
sudo /usr/libexec/ApplicationFirewall/socketfilterfw -v "/Applications/VMware Fusion.app/Contents/MacOS/vmware"
8.
9.
5.8.2
To block all outgoing traffic not otherwise allowed, make sure this line is in the
rules defined in pf.conf:
block out all
Below that, the rules are then set to pass traffic in or out of an interface for a
specified protocol. For example, to allow outgoing icmp traffic for en1:
pass out quick on en1 proto icmp
The power and flexibility pf provides to administrators adds many new options
to the firewall in OS X.
To use pfctl:
pfctl is the tool used to dynamically change the configuration of pf, so there
are a few command options administrators should learn. The first of these is the
-e option, which enables pf, as follows:
sudo pfctl -e
The next step is to check the configuration file for any errors, as follows:
sudo pfctl -v -n -f /etc/pf.conf
The configuration then needs to be loaded, which can be done by specifying the
-f option along with the path to the configuration file (/etc/pf.conf ), as follows:
sudo pfctl -f /etc/pf.conf
Because a lot of work is done remotely, it's important to check the rulesets, tables,
show counters, and so on. Here are a few of the logging and sanity-checking
options available with pfctl.
The first (-sa) shows all available information about pf:
sudo pfctl -sa
Because the amount of information provided can be difficult to digest, use the
-sr option to just look at the current rules:
sudo pfctl -sr
To watch pf:
Administrators must be able to see, and possibly parse the output of, pf. To do so,
first create a pflog network interface using ifconfig, as follows:
sudo ifconfig pflog1 create
Once pflog1 has been created, run tcpdump using pflog1 as the interface:
sudo tcpdump -n -v -ttt -i pflog1
man pfctl
man pf.conf
man pflog
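An added example, not from the guide: a shell helper that generates the default-deny outbound ruleset described above (block out all first, then pass out quick rules for permitted traffic), runs the parse-only pfctl -n check before loading, and includes an offline sanity check that the default deny really precedes any pass rule. The interface en1, the management host 203.0.113.10 and the permitted ports are assumptions for this example; the block rule adds the log keyword so that dropped traffic shows up on the pflog interface watched with tcpdump.

```shell
#!/bin/sh
# Default-deny outbound pf ruleset helpers (added example, not from the guide).

# build_pf_rules IFACE MGMT_HOST
# Emit a pf.conf ruleset: 'block out log all' first, then explicit 'pass out quick'
# rules for the traffic this host legitimately needs. 'log' sends each dropped
# packet to pflog so 'tcpdump -i pflog1' shows what the policy is denying.
build_pf_rules() {
    iface=$1
    mgmt=$2
    cat <<EOF
# Generated default-deny outbound ruleset (constructed example)
set skip on lo0
block out log all
pass out quick on $iface proto icmp
pass out quick on $iface proto udp to any port 53 keep state
pass out quick on $iface proto tcp to any port { 80 443 } keep state
pass out quick on $iface proto tcp to $mgmt port 22 keep state
EOF
}

# has_default_deny FILE
# Offline sanity check: succeed only if a 'block ... all' rule appears before the
# first 'pass out' rule, so a ruleset edit cannot silently become allow-by-default.
has_default_deny() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^block([ \t]+out)?([ \t]+log)?([ \t]+quick)?[ \t]+all[ \t]*$/ { seen = 1 }
        /^pass[ \t]+out/ && !seen { bad = 1; exit }
        END { exit (seen && !bad) ? 0 : 1 }
    ' "$1"
}

# check_pf_rules FILE
# Parse-only check (pfctl -n): a typo is reported without touching the live policy,
# which matters when the machine is being administered over the network.
check_pf_rules() {
    sudo pfctl -v -n -f "$1"
}

# load_pf_rules FILE
# Refuse to load a ruleset that fails the offline or pfctl checks; otherwise
# enable pf (already enabled is not an error) and load the file.
load_pf_rules() {
    has_default_deny "$1" || { echo "refusing: no default deny before pass rules" >&2; return 1; }
    check_pf_rules "$1" || return 1
    sudo pfctl -e 2>/dev/null || true
    sudo pfctl -f "$1"
}

# Demo: print the generated ruleset for en1 with 203.0.113.10 as the management host.
# To deploy: build_pf_rules en1 203.0.113.10 > /etc/pf.conf && load_pf_rules /etc/pf.conf
build_pf_rules en1 203.0.113.10
```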
5.9
Manage Keychains
Users are authenticating to and accessing an ever-increasing number of
protected services. These services include email, file sharing, social networking,
banking, and system administration. With so many credentials, users need an easy
way to store and retrieve credentials on demand, without risking exposure to
unauthorized access. To address this, Apple includes a feature called Keychain.
A keychain is a container for securely storing user and system credentials on local
systems, enabling quick retrieval when needed. Keychains are integrated so
deeply into OS X that they can't be disabled or shut off.
There are five default keychains with each new system account, each providing a
very specific purpose, protection, and storage. They are login, iCloud, Directory
Services, System, and System Roots.
Every keychain in the keychain list is used by the system and administrator for
locating and retrieving appropriate credentials, as follows:
Login. Stored in /Users/<shortname>/Library/Keychains/login.keychain, the
login keychain allows every user on a Mac to start with an empty keychain
named login for storing their own credentials. All passwords, keys, secure notes,
and user identities can be stored here. OS X populates the keychain with
certificates acquired during the parsing of digitally signed email messages
within the Mail.app. This user keychain is protected with a passphrase initially
set to the same value as the user's login password and can be set to any
passphrase desired.
iCloud. Shows iCloud Keychain entries, or entries synchronized between
computers and stored in an iCloud account.
Directory Services. Locally configured directory servers allow systems
configured for external directory services such as Active Directory, LDAP, and
NIS to be enabled to search directory services for certificates from that same
directory service, retrieving X.509 certificates for other users.
System. Stored in /Library/Keychains/System.keychain, the System keychain is
an operating-system- and system-administrator-managed store for the
purposes of machine (system) authentication to network services and storage
of corporate root Certificate Authority (CA) certificates for system-wide trust.
The System keychain is always accessible by the operating system,
independent of any user login. Any network services, such as 802.1X, VPN, and
WPA/WPA2, with machine authentication require that the credential and any
corresponding trust chain be stored in the System keychain if those certificates
were issued from a corporate CA or from any root CA not included in the
System Roots keychain.
System Roots. Stored in /System/Library/Keychains/SystemRootCertificates.keychain,
the System Roots keychain is an operating-system-managed store for the purpose of
retaining the pre-trusted root CA certificates of OS X. Administrators can alter
the trust on any of the root certificates to reflect desired systemwide CA trust,
but can't remove or delete any root certificates from this unchangeable store.
Apple updates the certificates in this keychain during OS X software and security
updates.
5.9.1
2.
Select a keychain from the list by clicking its name in the sidebar.
Figure 5.9.1_1
3.
The right side of the Keychain Access window displays all items currently
stored within that keychain, with the following column headings:
Name. The name of the keychain item, such as mail.company.com.
Kind. The type of keychain item, such as certificate or web form password.
Date Modified. The date the keychain item was last modified.
Expires. The expiration date of an X.509 certificate.
4.
5.
Double-click the keychain item or click the Information (i) button at the
bottom of the window to open the information pane for the item.
Figure 5.9.1_2
6.
Drag any keychain item to another location to generate a copy of that item.
5.9.2
2.
3.
4.
5.
Click Users, Groups, Devices, or Device Groups in the Library list in the sidebar.
Then select the user, group, device, or device group to edit.
6.
7.
Figure 5.9.2_1
8.
Figure 5.9.2_2
9.
Figure 5.9.2_3
10. Provide a name for the certificate in the Certificate Name field.
11. Enter the password for the certificate you are about to upload in the
Passphrase field.
12. Click the Add Certificate button.
Figure 5.9.2_4
Figure 5.9.2_5
Figure 5.9.2_6
5.9.3
2.
3.
4.
Figure 5.9.3_1
5.
Figure 5.9.3_2
5.9.4
2.
3.
Figure 5.9.4_1
4.
In the Online Certificate Status Protocol (OCSP) menu, choose Off, Best
attempt, or Require if certificate indicates.
Figure 5.9.4_2
5.
To enforce OCSP verification for all certificates, hold down the Option key
while choosing from this menu.
Figure 5.9.4_3
6.
Choose the desired enforcement from the Certificate Revocation List (CRL)
menu. To enforce CRL verification for all certificates, hold down the Option
key while choosing from this menu.
Figure 5.9.4_4
7.
When both OCSP and CRL are enabled, choose which protocol response
takes priority, or whether to require both responses for full validation.
Note: When configuring both options to Require, if either server isn't
responding, the system will be unable to verify the certificate. This can cause
the use of this certificate to fail.
5.9.5
2.
Figure 5.9.5_1
3.
Select a valid credential, such as an X.509 identity file (.p12 file) or a .pem file.
4.
Keychain Access automatically launches and asks for the password for the
certificate, if one is required. When importing an X.509 Identity (.p12 file),
enter the password used when the wrapped file was created.
5.
In the Keychain column, choose the appropriate keychain, either login for
user credentials or system for system-wide credentials.
6.
Figure 5.9.5_2
5.9.6
2.
Figure 5.9.6_1
3.
In the File menu, choose Export Items. Or use the keyboard shortcut
Command-Shift-E.
4.
In the Save File dialog, navigate through the file system to select a location to
export the item(s).
5.
Click Save.
Figure 5.9.6_2
6.
7.
8.
9.
5.9.7
Figure 5.9.7_1
4.
Figure 5.9.7_2
To disable iCloud Keychain, deselect the Keychain checkbox in the list of objects
synchronized with iCloud in the iCloud pane in System Preferences.
Note: If your organization has a policy against password managers, you can use a
profile to disable iCloud Keychain on client computers.
6 Networking/Wireless
OS X supports nearly all standards-compliant network configurations. Every Mac
ships with a minimum of one network interface, as follows:
At least one wired (802.3) Ethernet network interface (except MacBook Air
and MacBook Pro with Retina display).
The networking stack in OS X is configured for IPv4 and IPv6 through the
Network pane in System Preferences and through the command line. 802.1x
options are also tied into System Preferences, via configuration profiles, and into
the command line using the networksetup command.
The MAC address for each interface is printed on the outside of the box the
computer is shipped in, along with a corresponding bar code. This allows for
quick mass deployments using the bar code to scan a computer into an asset
management database. MAC addresses are tied to logic boards, so in the event
that a computer requires a logic board replacement, the MAC address(es) will
change. The only exceptions are the USB or Thunderbolt dongles used by
MacBook Air or MacBook Pro, which hold the Ethernet MAC address for the wired
Ethernet interface.
1.
2.
Click Network.
Figure 6.1_1
3.
Click the network interface you'd like to configure. For example, Ethernet,
Wi-Fi, and so on.
4.
Wired interfaces show the following fields. (The IP Address and Subnet Mask
fields are required. The other fields are required only in order to route traffic
and resolve names properly.)
IP Address. The IP address the host will use when an interface isn't
obtaining the IP address automatically.
Subnet Mask. The subnet mask to be used with the IP address provided.
Router. The router, or default gateway, to be used to route traffic for the
client using the IP address provided.
DNS Server. The DNS servers to be used for the environment, with
multiple addresses separated by a comma.
Figure 6.1_2
5.
Figure 6.1_3
6.
Figure 6.1_4
7.
The TCP/IP and DNS tabs show similar options as those outlined in step 4,
with the exception that here is where IPv6 is configured.
Figure 6.1_5
8.
The WINS tab shows discovery information for legacy (workgroup) Windows-oriented networks, including:
Figure 6.1_6
9.
Figure 6.1_7
10. Click the Proxies tab to configure a proxy server for the environment. Proxies
are broken down per client-side protocol or by using a SOCKS proxy. Proxies
can also be bypassed for certain addresses. Passive FTP Mode can be
configured here as well.
Figure 6.1_8
11. Click the Hardware tab to configure the behavior of Ethernet interfaces
including network speeds, duplex states, and MTU sizes (up to, but not
including, jumbo frames). Interface performance can be improved with a
correct value and decreased with an incorrect value.
Figure 6.1_9
12. At the top of the Network pane in System Preferences, there is a Location
menu. Each location has different settings for interfaces, making it useful
when computers roam between networks, such as home and office.
Figure 6.1_10
13. To enable, disable, and duplicate services (or interfaces), click the cog wheel
icon to open the action pop-up menu. Use this same menu to create a
second IP address, set up Link Aggregation, or configure an internal VLAN.
Figure 6.1_11
All the options available in the Network pane in System Preferences have parallel
settings at the command line, allowing for scripting deployment and packaging
the configuration of network settings.
6.2
By default, OS X leverages what is known as a dual stack, where both IPv4 and
IPv6 are used concurrently. All sharing services are also IPv6-aware, allowing Mac
computers to communicate with one another using IPv6. Each enabled sharing
service (for example, screen sharing) has a listener bound to both the IPv4 and
IPv6 interface by default.
To configure IPv6 networking:
1.
2.
Click Network.
3.
4.
Click Advanced.
Figure 6.2_1
5.
6.
Figure 6.2_2
a.
Figure 6.2_3
7.
Click OK.
Figure 6.2_4
8.
Click Apply.
9.
Test the settings. Use the ping6 command to ping other IPv6 addresses. Or
use the netstat command with the -l option to show IPv6 addresses.
Additionally, ndp (Neighbor Discovery Protocol) can be used.
OS X can also relay communications between IPv6 and IPv4. To do this, select 6
to 4 in the Add new interface dialog. Then either allow the relay address to be
obtained automatically or provide one.
6.3
2.
Figure 6.3_1
3.
In the How Do You Connect to the Internet? window, click the method used
to connect to the network, as follows:
Figure 6.3_2
4.
Figure 6.3_3
5.
Click Continue.
6.
In the Ready to Connect? window, click Continue. Here, you can also open
AirPort Utility to configure an AirPort base station.
Note: This isn't required for wired (802.3) Ethernet networking.
Figure 6.3_4
7.
Figure 6.3_5
6.4
2.
3.
Click Continue.
Note: You won't see the Select Location window unless you have configured
multiple locations in the Network pane in System Preferences.
Figure 6.4_1
4.
5.
Click Continue.
Figure 6.4_2
6.
7.
8.
Click Continue.
Figure 6.4_3
9.
Select DSL or cable modem for connecting to the Internet, if prompted. If the
system is unable to reach beyond the router, a prompt to restart the device
appears.
10. Network Diagnostics attempts to connect to the network and reports back
any failures encountered.
11. If any other problems are reported, click Continue to take corrective action.
The Network Diagnostics tool is just one of the many applications that systems
administrators, desktop support engineers, and help desk technicians can use to
effectively troubleshoot issues that may arise on Mac computers.
6.5
If the pretendco wireless network uses WPA for security, use the following
command to assign the WPA password of mypassword:
networksetup -addpreferredwirelessnetworkatindex en1 pretendco 0 WPA mypassword
To remove all preferred wireless networks (a common pre-imaging task), use the
-removeallpreferredwirelessnetworks option followed by the hardware
port, as follows:
networksetup -removeallpreferredwirelessnetworks en1
Note: When using a script to deploy 802.1x settings, the certificate should be
deployed prior to setting up the 802.1x profile. Certificates are managed using the
security command.
To manage network services with networksetup:
Other network settings are also configured using networksetup, including
services. A service is a virtual interface to a hardware port. Each hardware port
can have many network services running on it, each with a unique IP address.
Services are also put in the order connections are attempted. For example, if there
are two services, one called Wi-Fi and another called Ethernet, when the Ethernet
cable is plugged in, Wi-Fi should not be used (assuming they're on the same
network) for any traffic that is local to the Ethernet interface.
To order network services:
List the network services installed by default using the
-listallnetworkservices option for the networksetup command, as
follows:
networksetup -listallnetworkservices
To change the name of the Wired network service, run the networksetup
command again. This time use the -renamenetworkservice option, as follows:
networksetup -renamenetworkservice Ethernet Wired
Next, make sure the Wired network service is listed above Wi-Fi. Use the same
order in which the services are listed using networksetup with a
-listnetworkserviceorder option, as follows:
networksetup -listnetworkserviceorder
This returns the following list (although potentially in a different order according
to your configuration):
(1) Wi-Fi
(Hardware Port: Ethernet, Device: en1)
(2) Wired
(Hardware Port: Ethernet, Device: en0)
(3) FireWire
(Hardware Port: FireWire, Device: fw0)
Wi-Fi is listed first in the network service order. In this example, the Wired
interface should be listed instead so that Ethernet traffic has a higher priority
than Wi-Fi traffic (given that it's a faster interface). To change the order of network
services, use the networksetup command with the
-ordernetworkservices option. Then list each service in the desired order, as
follows:
networksetup -ordernetworkservices Wired Wi-Fi FireWire
Note: Not all interfaces shown in this example are available on all Apple notebook
models. For example, by default a MacBook Air doesn't come with an Ethernet
port installed.
Next, disable FireWire for networking. (It will still be available for storage devices.)
Set FireWire to off using networksetup with the
-setnetworkserviceenabled option, as follows:
networksetup -setnetworkserviceenabled FireWire off
In this example, also disable IPv6, using the -setv6off option to disable IPv6 for
the Wired and Wi-Fi network services, since many environments do not yet
support IPv6.
networksetup -setv6off Wired
networksetup -setv6off Wi-Fi
Next, set Wi-Fi to use DHCP using the following -setdhcp option:
networksetup -setdhcp Wi-Fi
The Wired network service can use DHCP. For this example, set the service to a
static IP address of 192.168.210.8 with a subnet mask of 255.255.255.0 and a
gateway of 192.168.210.1. The configuration is performed in one networksetup
command, using the -setmanual option, followed by the name of the service.
It's then followed by the IP address, subnet, and router. For this example the
command is:
networksetup -setmanual Wired 192.168.210.8 255.255.255.0 192.168.210.1
Or for USB Ethernet interfaces, such as those used with MacBook Air, quote the
service name (it contains a space, so it must reach networksetup as a single
argument) and use the following syntax:
networksetup -setmanual "USB Ethernet" 192.168.210.8 255.255.255.0 192.168.210.1
proxy configurations, and even managing IPv6 settings. For more information on
the networksetup command, see the following man page command:
man networksetup
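The service-ordering steps above can be scripted instead of retyped for every service name. The following is an added example, not code from the guide: it parses the output of -listnetworkserviceorder (a constructed sample listing is embedded; a real Mac supplies its own), builds the -ordernetworkservices call with the chosen service first, and double-quotes each name so that services such as USB Ethernet are passed as one argument.

```shell
#!/bin/sh
# Added example (not from the guide): derive the argument list for
# `networksetup -ordernetworkservices` from the current service order so that
# the wired service always comes first, instead of retyping every name by hand.
# SAMPLE_ORDER is a constructed listing in the format -listnetworkserviceorder
# prints; on a Mac the real listing is used instead.

SAMPLE_ORDER='(1) Wi-Fi
(Hardware Port: Wi-Fi, Device: en1)
(2) Wired
(Hardware Port: Ethernet, Device: en0)
(3) FireWire
(Hardware Port: FireWire, Device: fw0)'

# Print the service names in their current priority order, one per line.
# Names sit on "(n) Name" lines; a disabled service is listed as "(*) Name";
# the "(Hardware Port: ...)" lines carry no name and are skipped.
service_names() {
    printf '%s\n' "$1" | sed -n -e 's/^([0-9][0-9]*) //p' -e 's/^(\*) //p'
}

# Print the names with the service given in $2 first; the others keep their
# relative order. Fails without output if $2 is not a listed service, so a
# typo can never produce an incomplete -ordernetworkservices list.
prioritize() {
    names=$(service_names "$1")
    printf '%s\n' "$names" | grep -qxF -- "$2" || return 1
    printf '%s\n' "$2"
    printf '%s\n' "$names" | grep -vxF -- "$2" || true
}

# Render the command for review, double-quoting each name: names such as
# "USB Ethernet" contain a space and must reach networksetup as one argument.
order_command() {
    ordered=$(prioritize "$1" "$2") || return 1
    printf '%s\n' "$ordered" | awk '
        BEGIN { printf "networksetup -ordernetworkservices" }
              { printf " \"%s\"", $0 }
        END   { print "" }'
}

# Apply the order on a Mac; anywhere else, or for an unknown name, only report.
reorder() {
    want=$1
    if command -v networksetup >/dev/null 2>&1; then
        current=$(networksetup -listnetworkserviceorder)
    else
        current=$SAMPLE_ORDER
    fi
    cmd=$(order_command "$current" "$want") || { echo "unknown service: $want" >&2; return 1; }
    if command -v networksetup >/dev/null 2>&1; then
        # Pass the names as separate arguments rather than through eval.
        set --
        while IFS= read -r name; do set -- "$@" "$name"; done <<EOF
$(prioritize "$current" "$want")
EOF
        networksetup -ordernetworkservices "$@"
    else
        echo "would run: $cmd"
    fi
}

reorder Wired
```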
To use ifconfig:
Other network settings can be displayed and monitored from the command line
using tools such as ifconfig, ipconfig, and airport. Manual pages exist for
all the commands and can be invoked by typing man followed by the name of
the command.
ifconfig is used to set, modify, and display interface properties and status.
Changes made with ifconfig won't persist across a restart by default.
common media interfaces together for link aggregation grouping (LAG), and
many other options.
To use ipconfig:
ipconfig is used to view and control the state of IP addresses.
[Sample wireless scan output for the networks Topeka, Atlanta, and Tampa, one row per network with SSID, BSSID, RSSI, channel, HT, country code, and security columns; the table did not survive extraction.]
To see extended wireless network information, hold down the Option key and
click the Airport icon in the Apple menu bar.
Figure 6.5_1
The wireless information displayed is the same as the output from the airport
command-line utility.
6.6
2.
Click Network.
3.
4.
5.
Figure 6.6_1
6.
7.
8.
In the Service Name field, provide the name you'd like users to see when
referencing the VPN connection.
9.
Click Create.
Figure 6.6_2
10. In the Server Address field, provide the host name or IP address of the server.
11. In the Account Name field, enter the appropriate user name.
12. In the Encryption menu, choose an encryption type (the default value will
work for most environments).
13. Click the Authentication Settings button.
Figure 6.6_3
Figure 6.6_4
16. Optionally, click the Show VPN status in menu bar checkbox to allow users
to connect to the VPN from the Apple menu.
Figure 6.6_5
1.
2.
Click Network.
Figure 6.6_6
3.
4.
5.
Click OK.
6.
7.
8.
9.
In the Service Name field, provide the name you'd like users to see when
referencing the VPN connection.
Figure 6.6_7
11. In the Server Address field, provide the host name or IP address of the server.
12. In the Account Name field, enter the appropriate user name.
Figure 6.6_8
Figure 6.6_9
15. Enter a Group Name if needed (frequently required for Cisco L2TP over IPSec
connections).
16. Click OK.
17. Optionally, click the Show VPN status in menu bar checkbox to allow users
to connect to the VPN from the Apple menu.
Figure 6.6_10
1.
2.
Click Network.
Figure 6.6_11
3.
4.
5.
6.
7.
8.
In the Service Name field, provide the name users will see when referencing
the VPN connection.
Figure 6.6_12
9.
Click Create.
10. In the Server Address field, provide the host name or IP address of the server.
11. In the Account Name field, enter the appropriate user name.
12. In the Password field, enter a password for that user name.
Figure 6.6_13
14. Provide a shared secret or select a certificate (see the network administrator
for this information).
15. Optionally, provide a Group Name if one is needed for your environment.
16. Click OK.
Figure 6.6_14
17. Optionally, click the Show VPN status in menu bar checkbox to allow users
to connect to the VPN from the Apple menu.
Figure 6.6_15
19. Test the connection by clicking Connect (or by choosing it from the Apple
menu).
6.7
6.7.1
2.
Click Network.
Figure 6.7.1_1
3.
4.
5.
6.
7.
Figure 6.7.1_2
8.
Figure 6.7.1_3
9.
The connection is established, and signal strength is shown in the upper-right corner of the screen.
11. The WPA network is now included in the list of preferred networks. To reorder
interfaces by priority, drag each network into the appropriate order. To
enable users without administrative privileges to create or change wireless
networks and to disable the Wi-Fi adapter entirely, select the appropriate
checkboxes.
Figure 6.7.1_4
6.7.2
2.
Click Network.
Figure 6.7.2_1
3.
4.
5.
6.
7.
Figure 6.7.2_2
8.
Figure 6.7.2_3
9.
The connection is established and signal strength is displayed in the upper-right corner of the screen.
6.7.3
2.
Figure 6.7.3_1
3.
Figure 6.7.3_2
4.
Click a Device, User, or Group to create the profile for that object.
5.
6.
Figure 6.7.3_3
7.
Install the certificate. (If a certificate isn't required, skip this step.)
a.
b.
Figure 6.7.3_4
c.
d.
Figure 6.7.3_5
e.
f.
Figure 6.7.3_6
g.
h.
Click OK.
Figure 6.7.3_7
8.
Configure 802.1x.
a.
b.
Figure 6.7.3_8
c.
Choose Wi-Fi:
i.
ii.
Figure 6.7.3_9
ii.
Figure 6.7.3_10
d.
Click Save.
e.
6.8
2.
3.
Click Download.
Note: This not only exports 802.1x information, but also any other settings for
that profile, including any certificates installed.
Figure 6.8_1
4.
Cancel the attempt to install the Profile. Then copy it from the currently
logged-in user's download directory to a secure location.
Figure 6.8_2
2.
Figure 6.8_3
3.
4.
Click Continue.
Figure 6.8_4
5.
Click Install.
6.
Figure 6.8_5
Note: If the profile is signed using a self-signed certificate, you will see a prompt
to install the profile again, along with a warning that the certificate is self-signed.
6.9
2.
Click Network.
3.
4.
Figure 6.9_1
5.
b.
c.
d.
Click OK.
Figure 6.9_2
6.10
Install the certificate from a CA using Safari. For example, visit the https
version of the site. When prompted, click Show Certificate.
Figure 6.10_1
2.
Click the Always trust <server name> when connecting to <IP address>
checkbox so the certificate is cached on the client computer.
3.
Click Continue.
Figure 6.10_2
4.
Authenticate if prompted.
5.
6.
7.
Figure 6.10_3
2.
3.
4.
In the Keychain menu, choose the keychain into which to install the
certificate. For certificates that should be available to all users, choose
System. Otherwise, choose login.
5.
Figure 6.10_4
6.
If installing the certificate into the System keychain, provide a user account
or an administrative account in the Authenticate window.
Figure 6.10_5
7.
8.
9.
6.11
Once a client system has a certificate, it must be imported using the security
command along with the import verb. Specify the certificate file following the
import verb, followed by the -k option to specify into which keychain the
certificate will be installed (run with sudo to install into the System.keychain).
sudo security import /tmp/mycert.crt -k /Library/Keychains/System.keychain -x
Adding the -x flag to this command prevents the private key from being exported
from the keychain.
Once a certificate has been installed, the .crt file can be removed using the rm
command followed by the path of the file, as follows:
rm /tmp/mycert.crt
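Two checks a practitioner would want around the import and removal steps above: confirm that the file really holds a certificate before handing it to security, and delete the temporary copy only once the import has succeeded. The following is an added example, not the guide's own code; it assumes the file name /tmp/mycert.crt from the command above and only prints the command where the security tool is not available.

```shell
#!/bin/sh
# Added example (not from the guide): import a certificate into the System
# keychain only after checking that the file actually holds a certificate,
# and delete the temporary copy only once the import has succeeded.
# Assumed file name: /tmp/mycert.crt, as in the guide's command.

SYSTEM_KEYCHAIN=/Library/Keychains/System.keychain

# Classify the file by its contents, not its extension: "pem-cert" for a PEM
# certificate, "pem-key" for a bare PEM private key, "der" for binary DER
# (first byte is an ASN.1 SEQUENCE tag, 0x30), "unknown" otherwise.
cert_kind() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo pem-cert
    elif grep -q -- 'PRIVATE KEY-----' "$1" 2>/dev/null; then
        echo pem-key
    elif [ "$(od -An -tx1 -N1 "$1" 2>/dev/null | tr -d ' \n')" = 30 ]; then
        echo der
    else
        echo unknown
    fi
}

# The import command from the guide; -x keeps any private key bundled with the
# certificate non-extractable once it is in the keychain (harmless for a bare .crt).
import_command() {
    printf 'sudo security import %s -k %s -x\n' "$1" "$SYSTEM_KEYCHAIN"
}

# Import, then remove the file only if the import succeeded. A bare private key
# is refused here because this path is meant for trust certificates.
import_cert() {
    file=$1
    case $(cert_kind "$file") in
        pem-cert|der) ;;
        pem-key) echo "refusing to import a bare private key: $file" >&2; return 2 ;;
        *)       echo "not a certificate: $file" >&2; return 2 ;;
    esac
    if ! command -v security >/dev/null 2>&1; then
        echo "security(1) not available; would run: $(import_command "$file")" >&2
        return 3
    fi
    sudo security import "$file" -k "$SYSTEM_KEYCHAIN" -x || return 1
    rm -f -- "$file"
}
```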
6.12
2.
Figure 6.12_1
3.
Figure 6.12_2
4.
5.
6.
Click Edit.
Figure 6.12_3
7.
8.
Figure 6.12_4
9.
Click the Description field and type a description for the name of the
payload. This is what you will see when selecting this profile in 802.1x or
other windows.
10. Click the Certificate Server field and provide a name for the CA Server.
11. Click the Certificate Authority field and provide the name of the CA.
12. Click the Certificate template and provide a name for the template (such as
Machine or User). Optionally, provide a user name and password in the
Username and Password fields, respectively.
Note: When left blank, the Username and Password fields prompt users for
their Active Directory user name and password when the profile is installed.
Figure 6.12_5
Certificate Expiration
By design, certificates expire. Configuration profiles need to be reinstalled to
reissue new identities. Notification Center in OS X issues a profile notification
when the certificate is within 15 days of expiration. Users then click the
notification and see an Update button in the Profiles pane in System Preferences.
The Update button reissues the identity, tears down the existing EAP-TLS
configuration, and rebuilds the EAP-TLS configuration with the new identity.
Note: During the reconfiguration process, as with the initial configuration process,
there should not be any interruption in connectivity. The client computer also
needs a valid route to the issuing CA.
7 Collaboration
Information is essential for the knowledge worker. One of the great challenges for
IT is to optimize the sharing, storage, and retrieval of institutional knowledge,
from managing access to sensitive data to enabling valuable group collaboration.
Apple offers a number of innovative features built into OS X that promote
streamlined collaboration. To collaborate effectively, users may also need to
access groupware and corporate data centers that leverage Microsoft servers.
This section covers how to integrate Apple tools and technologies with an
organization's existing collaboration solutions. A good portion of this section
also covers how to access Microsoft Exchange and Microsoft SharePoint, two of
the most common collaboration tools for the enterprise.
7.1
7.1.1
2.
3.
2.
Figure 7.1.1_1
3.
Figure 7.1.1_2
4.
5.
Enter the user's name, email address, and password in the appropriate fields.
Figure 7.1.1_3
6.
Click Continue.
7.
Autodiscover should provide the user name, password, and server address for
the account.
8.
Click Continue.
Figure 7.1.1_4
Note: If Autodiscover doesn't complete the setup process for you, see the
troubleshooting section later in this document.
7.1.2
2.
3.
Click Accounts.
4.
Figure 7.1.2_1
5.
7.1.3
1.
2.
Right-click the name of the account in the sidebar. Or if there's only one
account, click Inbox.
3.
Figure 7.1.3_1
4.
Figure 7.1.3_2
5.
6.
Choose the duration of time during which replies will be sent. For example,
Until disabled.
7.
Enter a message for users of your domain in the Internal Reply field and a
message for those outside your domain in the External Reply field.
8.
7.1.4
7.1.5
2.
3.
4.
Click Users in the Library list in the sidebar. Then select the relevant user.
Figure 7.1.5_1
5.
6.
Figure 7.1.5_2
7.
8.
9.
Figure 7.1.5_3
Figure 7.1.5_4
Figure 7.1.5_5
15. Provide a name for the account in the Account Name field.
16. In the Connection Type menu, choose Exchange Web Services (OS X only).
17. Enter the domain name in the Domain field.
18. Enter the user name in the User field.
19. Enter the email address in the Email Address field.
20. Enter the password for the user in the Password field.
21. Enter the name of the Exchange server in the Internal Exchange Host field.
Figure 7.1.5_6
Figure 7.1.5_7
7.2
7.2.1
2.
3.
At the command prompt, type nslookup and press the Enter key.
4.
At the nslookup prompt, type set type=all and press the Enter key.
5.
6.
[nslookup output for _autodiscover._tcp.pretendco.com, showing the SOA fields (expire and the other counters) and the name server entries such as ns1.pretendco.com; the listing did not survive extraction.]
7.2.2
This will launch the Mail, Contacts, & Calendars pane in System Preferences to
begin setup and log all traffic generated into a text file on the desktop. This log
file will greatly assist in troubleshooting connectivity issues.
To trace regular Mail activity beyond EWS Autodiscover, type:
/Applications/Mail.app/Contents/MacOS/Mail -LogHTTPActivity YES >& Desktop/yourmaildebug.log & defaults write -g LogHTTPActivity YES
7.2.3
To increase the send size for individual users, use the Set-Mailbox cmdlet.
For example, set MaxSendSize and MaxReceiveSize for a user called testuser
to 20 MB, as follows:
Set-Mailbox -Identity testuser -MaxSendSize 20MB -MaxReceiveSize 20MB
For Exchange 2010 and 2013, find the Outlook Web App Web.config file on
the Client Access server. The default location is
\Program Files\Microsoft\Exchange Server\V14\ClientAccess\exchweb\ews.
To limit message size, for example to 20MB, the message size limits and the
Web.config file must be changed as follows:
1.
2.
3.
4.
5.
6.
Stop and restart the Default Website for the setting to take effect.
Alternatively, you can simply restart IIS.
If other Exchange settings for message size limits are configured accordingly,
changing this setting will give Mail users in OS X connected to an Exchange
server the ability to send messages as large as 20MB. The size of a message is
roughly determined by the size of the message body in addition to any attached
files.
7.2.4
7.2.5
7.3
Troubleshoot Outlook
Microsoft Outlook relies on the Exchange Web Services protocol for setup and
connectivity. The DNS troubleshooting steps discussed in previous modules may
be useful since EWS is used. This is important to note because an Exchange
administrator may assume that because the product says Outlook it can use
Service Connection Point objects to discover the email location. This isn't the case
in Outlook.
To activate logging for Outlook:
1.
Open Outlook.
2.
3.
Click the cog wheel icon in the upper-right corner to open the action pop-up
menu.
Figure 7.3_1
4.
Figure 7.3_2
Outlook uses a database to track each email message. The database consists
of pointers, not the actual messages. Each time a user receives mail, a database
write occurs that can trigger activity from an antivirus application. If theres a lot
of activity, antivirus scanning can cause database corruption and crashed email
services. One potential solution is to make the following exceptions in the
antivirus realtime scanner:
/Library/Preferences/.GlobalPreferences.plist
~/Library
/Users/.*/Documents/.*/Database/.*
/.*\.log
Note: These changes should only be undertaken if the incoming mail is scanned
at the messaging gateway and the server.
7.3.1
7.4
Leverage SharePoint
SharePoint connectivity in OS X is through a web browser or through the
Microsoft Document Connection app, included in Office for Mac.
Microsoft Document Connection is added to the Dock by default when Office is
installed. It's also available in the /Applications/Microsoft Office folder or in the
/Applications/Microsoft Office 2008 folder.
Document Connection works with SharePoint 2007 or later, and lets users check
documents in and out of SharePoint Servers. Document Connection can
authenticate using Kerberos and NTLM credentials, if the Mac isn't yet bound to
the Active Directory domain or if the SharePoint server isn't yet kerberized to the
domain.
Many of the common tasks performed with SharePoint can be done using Safari
(SharePoint 2007 and forward). However, any features that require an ActiveX
control aren't available for Mac computers.
7.4.1
Connect to SharePoint
Microsoft includes the Document Connection application in Office.
To use Document Connection with SharePoint:
1.
2.
Figure 7.4.1_1
3.
Figure 7.4.1_2
4.
Figure 7.4.1_3
5.
6.
7.
8.
Click the button in the toolbar that corresponds to the task at hand.
Figure 7.4.1_4
7.4.2
7.5
7.5.1
2.
To enter an Apple ID for use with iMessage, provide the appropriate Apple ID
and password when prompted.
Figure 7.5.1_1
3.
To enter other types of accounts, click Not Now. When prompted, select the
type of account. In this example, click the Other Messages account radio
button to set up a Jabber account.
Figure 7.5.1_2
4.
Click Continue.
5.
In the Add a Messages Account dialog, choose Jabber from the Account Type
menu.
Figure 7.5.1_3
6.
7.
8.
If applicable, click the Use SSL checkbox and the Use Kerberos v5 for
authentication checkbox.
9.
Figure 7.5.1_4
Note: Common issues with connection quality can usually be traced to poor
bandwidth, gateway filters, and antivirus applications.
FaceTime
In addition to Messages, the FaceTime application is also built into OS X. FaceTime
is also available on the Mac App Store at itunes.apple.com/us/app/facetime/
id414307850?mt=12.
7.5.2
2.
Figure 7.5.2_1
3.
4.
5.
The account name is shown next to Sign In Address. Click Edit to assign a
new account name. Or if an address isn't yet listed, go back to the login page
and provide one.
Figure 7.5.2_2
6.
7.
8.
Next to Connect using, choose either TCP or TLS. If you don't know which to
use, contact the Communications Server administrator.
Figure 7.5.2_3
9.
Click OK.
7.6
Use AirDrop
AirDrop is the Apple implementation of the Wi-Fi Direct protocol. AirDrop
enables users to find other nearby users (via Bonjour, the Apple multicast DNS
implementation) and transfer files directly to other client computers over an
encrypted connection.
To turn on AirDrop on a supported Mac:
1.
2.
To exchange files with a nearby user, also have that user click AirDrop in the
Finder sidebar on their Mac. Each computer is now listed in the other's
AirDrop window.
Figure 7.6_1
3.
To transfer a file, drag and drop the file on the other user's AirDrop icon. The
nearby user is prompted to accept the file. Transfer progress is indicated
within the circle icon.
Figure 7.6_2
4.
To turn off AirDrop, simply close that Finder window or click another sidebar
item.
The intentional nature of activating AirDrop, coupled with the Accept dialog,
provides a strong measure of security and prevention from hijacking.
Deliberate steps are required to accept file transfers.
7.6.1
Disable AirDrop
While AirDrop is a great feature for many environments, some organizations may
wish to disable the AirDrop feature in OS X to meet their information assurance
and/or security guidelines.
To disable AirDrop, enter the following command in Terminal:
sudo defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool YES
To reenable AirDrop, send the same command with a boolean payload of NO, as
follows:
sudo defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool NO
To no longer see AirDrop, either restart the system or restart the Finder by
running the following command:
sudo killall Finder
Preferences are stored in the defaults domain. These can be changed using
Mobile Configuration (.mobileconfig) files. Environments running OS X Server or a
third-party mobile device management solution can use the Custom Settings
feature to assign a value to the com.apple.NetworkBrowser defaults domain.
To use the Custom Settings feature in Profile Manager:
1.
2.
3.
4.
Figure 7.6.1_1
5.
6.
7.
Figure 7.6.1_2
8.
9.
Figure 7.6.1_3
7.6.2
Debug AirDrop
To enable verbose logging for AirDrop, set the logging level (0=off, 1=on)
as follows:
defaults write com.apple.finder EnableAirDropLogging 1
7.6.3
7.7
Leverage iCloud
iCloud is an Apple cloud service that stores contacts, photos, and more. iCloud
wirelessly pushes data to all of a users devices to keep them in sync,
automatically and seamlessly, with no user file-level interaction necessary.*
The iCloud Document Library is a convenient, consistent way to access iCloud
documents across Mac computers and iOS devices. To find an iCloud document,
just open its app. The iCloud Document Library shows the iCloud documents for
the app, with the most recent one at the top.
To organize documents into folders, drag one document onto another, similar to
organizing documents on iPhone or iPad. Folders created on one device
automatically appear in the iCloud Document Library when the app on another
device is opened.
Administrators can restrict the storage of iCloud data, including documents on
the iCloud servers, by using configuration profiles.
*iCloud requires iOS 5 or later on iPhone 3GS or later, iPod touch (3rd generation or later), iPad, or iPad
mini; a Mac computer with OS X Lion v10.7.5 or later; or a PC with Windows 7 or Windows 8 (Outlook
2007 or later or an up-to-date browser is required for accessing email, contacts, and calendars). Some
features require iOS 7 and OS X Mavericks. Some features require a Wi-Fi connection. Some features
are not available in all countries. Access to some services is limited to 10 devices.
7.8