
Mac in the Enterprise
IT Configuration Guide—For Your Mac Evaluation and Deployment (Version 6.0)

Table of Contents

Introduction ...... i
1 Packaging and Thin Imaging ...... ii
1.1 Image Mac Computers ...... iii
1.2 Create Packages ...... iv
1.2.1 Create Packages Using Third-Party Utilities ...... v
1.3 Manage Local Images ...... 6
1.3.1 Create Images with Disk Utility ...... 7
1.3.2 Create a Disk Image from the Command Line ...... 12
1.3.3 Deploy Images with Disk Utility ...... 13
1.4 Network Images ...... 14
1.4.1 Create a Bootable NetBoot Disk ...... 15
1.4.2 Create NetInstall Images ...... 19
1.4.3 Configure a NetInstall Server ...... 22
1.4.4 Start Up to a NetInstall Image ...... 26
1.4.5 Unicast Apple Restore ...... 28
1.4.6 Multicast ...... 29
1.4.7 Third-Party Deployment Solutions ...... 31
1.5 Prepare Networks for Image Deployment ...... 32
1.5.1 Set Clients to NetBoot Using the bless Command ...... 33
1.5.2 Use NetBoot DHCP Helpers ...... 34
1.5.3 Relay bootpd ...... 35
1.6 Minimal Touch Deployments ...... 36
1.6.1 Streamlined Device Enrollment ...... 37
2 Support and Maintenance ...... 38
2.1 Use Asset Tags ...... 39
2.2 Configure the OS X Server Caching Service ...... 40
2.3 Configure the OS X Server Software Update Service ...... 42
2.3.1 Configure Software Update Server Clients ...... 44
2.3.2 Cascade Software Update Services ...... 46
2.4 Leverage Third-Party Software Update Services ...... 48
2.5 Acquire Client Management Suites ...... 49
3 Directory Services ...... 50
3.1 Local Directory Services ...... 51
3.1.1 Create Local Administrative Accounts ...... 53
3.1.1.1 Create Local Administrative Accounts in ...... 54
3.1.1.2 Create Local Administrative Accounts from the Command Line ...... 57
3.1.1.3 Change Local Administrative Accounts from the Command Line ...... 59
3.1.2 Nest Network Administrators from Active Directory in a Local Administrative Group ...... 60
3.1.3 Create Local Administrative Accounts with a Package or Script ...... 62
3.2 Active Directory ...... 63
3.2.1 Bind to Active Directory ...... 64
3.2.1.1 Bind to Active Directory Using ...... 65
3.2.1.2 Bind to Active Directory with a Profile ...... 70
3.2.1.3 Bind to Active Directory from the Command Line ...... 76
3.2.1.4 Bind to Active Directory Using a Script ...... 78
3.2.1.5 Bind to Active Directory Using a Post-Install Script ...... 79
3.2.1.6 Active Directory Plug-in Troubleshooting Commands ...... 80
3.2.2 Set a User Home Directory ...... 84
3.2.3 Namespace Support ...... 89
3.2.4 Active Directory Packet Encryption Options ...... 90
3.2.5 SSL Binding Instructions ...... 91
3.2.6 Manage Certificates from the Command Line ...... 93
3.2.7 Change Active Directory Passwords ...... 94
3.3 Third-Party Active Directory Plug-ins ...... 95
3.4 Kerberos ...... 96
3.5 LDAP ...... 97
3.6 Open Directory ...... 98
3.7 Distributed File Sharing ...... 99
3.7.1 Connect to DFS Shares ...... 100
3.7.2 View DFS Shares with smbutil ...... 101
3.7.3 Third-Party DFS Solutions ...... 102
3.8 SMB2 Support ...... 103
3.9 Smart Card Support ...... 105
3.9.1 Third-Party Smart Card Service Options ...... 106
4 Configuration Management ...... 107
4.1 Configure a Profile Manager Server ...... 108
4.1.1 Configure Network Settings ...... 109
4.1.2 Configure Users ...... 112
4.1.3 Add Groups ...... 114
4.1.4 Review Certificates ...... 116
4.1.5 Acquire Apple Push Notification Certificates ...... 119
4.1.6 Enable Profile Manager ...... 121
4.1.7 Automatic Push versus Manual Download Profiles ...... 125
4.1.8 Edit Management Profiles ...... 126
4.1.9 Create Device Groups ...... 130
4.1.10 Use Device Placeholders ...... 133
4.1.11 Enroll OS X Devices ...... 135
4.1.12 Lock a Device via the User Portal ...... 139
4.1.13 Wipe a Device from the User Portal ...... 141
4.1.14 Lock a Device Using Profile Manager ...... 143
4.1.15 Wipe a Device Using Profile Manager ...... 146
4.1.16 Remove a Mac from Management via the User Portal ...... 149
4.1.17 Remove Management via Profile Manager ...... 151
4.1.18 Profile System Preferences ...... 153
4.1.19 Non-Removable Configuration Profiles ...... 155
4.1.20 Restrict Access to System Preferences ...... 157
4.1.21 profiles Command ...... 160
4.1.22 dscl Command ...... 161
4.2 Manage Profiles ...... 162
4.2.1 View the Contents of Profiles ...... 163
4.2.2 Configure the Location of the Dock ...... 164
4.2.3 Manage Third-Party Application Preferences ...... 168
4.2.4 Manage Printers ...... 172
4.2.5 Restrict Applications Using Profile Manager ...... 176
4.2.6 Deploy VPN Connections Using Profile Manager ...... 181
4.2.7 Force Password Policies Using Profile Manager ...... 184
4.2.8 Configure Single Sign-On Using Profile Manager ...... 186
4.2.9 Limit Access to Sites Using Profile Manager ...... 189
4.3 Password Policies ...... 192
4.3.1 Audit Local Password Policies ...... 193
4.3.2 Configure Local Password Policies ...... 196
4.4 Use the Volume Purchase Program to Deploy Apps ...... 197
5 Security ...... 198
5.1 Use Security Resources ...... 199
5.2 Use Gatekeeper ...... 200
5.2.1 Use Gatekeeper to Validate Application Downloads ...... 201
5.3 Enforce Firmware Passwords ...... 204
5.4 Manage Remote Logins ...... 205
5.5 Use Key-Based SSH Access ...... 207
5.6 Use FileVault 2 ...... 209
5.6.1 Enable FileVault from the Command Line ...... 217
5.6.2 Use fdesetup to Validate Escrowed Recovery Keys ...... 218
5.6.3 Enable FileVault on an External Volume ...... 220
5.6.4 Configure Master Passwords ...... 222
5.6.5 Manage FileVault 2 Keys ...... 224
5.7 Use Third-Party Full Disk Encryption ...... 228
5.8 Manage the Network Firewall ...... 229
5.8.1 Use the Application-Layer Firewall ...... 230
5.8.1.1 Configure the Application-Layer Firewall ...... 231
5.8.1.2 Manage the Application-Layer Firewall from Terminal ...... 235
5.8.2 Use the pf Firewall ...... 237
5.9 Manage Keychains ...... 239
5.9.1 View Contents ...... 241
5.9.2 Install Certificates Using Profile Manager ...... 243
5.9.3 Enable Directory Services Searching for Certificates ...... 247
5.9.4 Enable Certificate Revocation Checking ...... 248
5.9.5 Import Items into a Keychain ...... 250
5.9.6 Export Items from a Keychain ...... 251
5.9.7 Configure iCloud Keychain ...... 253
6 Networking/Wireless ...... 255
6.1 Manage IPv4 Settings ...... 256
6.2 Manage IPv6 Settings ...... 266
6.3 Set Up Wired and Wireless Connections Using the Network Setup Assistant ...... 269
6.4 Run Network Diagnostics ...... 272
6.5 Configure Networking from the Command Line ...... 275
6.6 Configure VPN Settings ...... 281
6.7 802.1x and Network Security Overview ...... 296
6.7.1 Configure WPA / TKIP — PSK ...... 297
6.7.2 Configure WPA2 / AES — PSK ...... 300
6.7.3 Create 802.1x Profiles ...... 303
6.8 Import and Export 802.1x Profiles ...... 309
6.9 Configure 802.1x to Join Corporate Networks ...... 312
6.10 Obtain a Certificate from a Windows CA ...... 314
6.11 Trust Certificates from the Command Line ...... 317
6.12 Create Active Directory Certificates ...... 318
7 Collaboration ...... 322
7.1 Integrate with Exchange ...... 323
7.1.1 Use Mail, Contacts, and Calendar with Exchange ...... 324
7.1.2 Enable S/MIME in Mail ...... 327
7.1.3 Enable Out-of-Office Responses in Mail ...... 328
7.1.4 Configure Exchange ActiveSync Certificate-Based Authentication ...... 330
7.1.5 Set Certificate-Based Authentication for Mail, Contacts, and Calendar ...... 331
7.2 Troubleshoot Mail, Contacts, and Calendar with Microsoft Exchange ...... 335
7.2.1 Check Autodiscover with DNS ...... 336
7.2.2 Address Improper Redirects / Certificate Errors ...... 337
7.2.3 Limit Message Size ...... 338
7.2.4 Access Additional Troubleshooting Resources ...... 340
7.2.5 Support Exchange Autodiscover ...... 341
7.3 Troubleshoot Outlook ...... 342
7.3.1 Access Additional Outlook Information ...... 344
7.4 Leverage SharePoint ...... 345
7.4.1 Connect to SharePoint ...... 346
7.4.2 Access Additional SharePoint Information ...... 348
7.5 Access ...... 349
7.5.1 Configure and FaceTime ...... 350
7.5.2 Manage Lync for Mac ...... 353
7.6 Use AirDrop ...... 356
7.6.1 Disable AirDrop ...... 358
7.6.2 Debug AirDrop ...... 360
7.6.3 Access Additional AirDrop Information ...... 361
7.7 Leverage iCloud ...... 362
7.8 Use iWork for iCloud ...... 363

© 2013 Apple Inc. All rights reserved. Apple, the Apple logo, AirDrop, AirPort, FaceTime, FileVault, FireWire, iMac, iPad, iPhone, iPod touch, iTunes, iWork, Keychain, Keynote, Mac, MacBook Air, MacBook Pro, Numbers, OS X, Pages, Retina, and Xcode are registered trademarks of Apple Inc., registered in the U.S. and other countries. Desktop is a trademark of Apple Inc., registered in the U.S. and other countries. App Store is a service mark of Apple Inc., registered in the U.S. and other countries. iCloud is a registered service mark of Apple Inc., registered in the U.S. and other countries. Thunderbolt is a trademark of Intel Corp. in the U.S. and other countries. FileMaker is a registered trademark of FileMaker Inc. in the U.S. and other countries. UNIX is a registered trademark of The Open Group. The Bluetooth® word mark is a registered trademark owned by Bluetooth SIG, Inc. and any use of such mark by Apple is under license. Other product and company names mentioned herein may be trademarks of their respective companies. Product specifications are subject to change without notice. This material is provided for information purposes only; Apple assumes no liability related to its use.

Introduction

This configuration guide is designed to help IT professionals evaluate and deploy OS X® on Mac® computers in medium to large organizations. Each section contains modules that cover different topics with step-by-step instructions. The guide is meant to accelerate testing and planning so organizations can efficiently begin a proof of concept or a broader end-user deployment of Mac computers.

This guide is a reference document. Not all modules are required reading for every Mac deployment plan, and many plans will leverage third-party software. The guide covers a wide range of topics critical to successfully deploying Mac systems, including:

• Packaging and Thin Imaging
• Support and Maintenance
• Directory Services
• Configuration Management
• Security
• Networking/Wireless
• Collaboration

Before using this guide, consult with your Apple® sales representative or Apple Authorized Reseller for assistance in determining the right modules for your environment.

1 Packaging and Thin Imaging

This section covers several methods that can be used to deploy Mac systems.

Thin Imaging, or remediation, is a workflow in which an out-of-the-box system is updated with settings, software patches, and application software using a patch-management system rather than by creating and deploying an entire image. A thin-imaged system can also be a computer shipped from Apple along with a package that is run from a portal. Thin images leverage the modular imaging paradigm and further simplify the deployment process.

In the monolithic imaging paradigm, a single large image is maintained in a pristine state and must be rebuilt whenever new patches or software updates are released. With modular imaging, the system administrator uses a script and individual software packages to build each machine automatically. The administrator introduces updates simply by copying the new package to the build file storage location.

Thin images are very similar to the modular imaging that Mac administrators have traditionally managed. However, instead of creating an image in a batch process, each package is updated when needed in the patch-management system. Keeping all installers in the patch-management or device-management system, rather than duplicating the data, helps streamline the environment, reduces required storage space, and simplifies management.

If a larger monolithic image is needed, Disk Utility can be used locally to image clients. Alternatively, a NetBoot server running on OS X Server can image clients over a network. Using Disk Utility is straightforward, and imaging over a Thunderbolt™ interface completes quickly. Imaging over a network takes longer, and imaging many client systems concurrently requires sufficient physical network interfaces on the server.


1.1 Image Mac Computers

The first step in deploying most computer systems, including those running OS X, is to create disk images for deployment. Apple includes robust imaging tools that can be used on their own or in conjunction with third-party tools to create images. A wide range of imaging strategies is available, and administrators can choose among them to create deployment images. A traditional monolithic-system imaging approach works well for small proof-of-concept deployments, allowing rapid deployment and user testing. Production deployments should leverage programmatic, or modular, image-creation workflows in order to scale. Even then, deployment images are still required to deploy systems rapidly en masse, although Thin Imaging can be used as well. This section covers creating images with Disk Utility and using the Apple NetInstall server, which includes NetBoot and Apple Software Restore (ASR).


1.2 Create Packages

Imaging often includes packaging software for distribution. There are a number of tools for creating installation packages and for distributing packages. Most application installers place files on a file system, and scripts interact with the file system in some way (such as activating files that were placed on it).

A package is a file, or bundle of files, with a “.pkg” extension. The package bundle contains an archive of files to install, scripts that perform specified actions (which can run before or after the file archive is placed into the appropriate directories), and information about how the operating system should interpret the installer (such as the order in which these operations occur). A package can also include licensing documents and other information.

Packages have a number of uses related to installing and managing software. Application developers often use packages to build installers for their software. Apple uses packages to provide system or application upgrades through Updates in the App StoreSM. Administrators use packages to deploy scripted changes to client systems, such as binding to a directory service.

A meta package is a lesser-used type of package. Meta packages are sets of packages distributed in one structure with a “.mpkg” file extension. The meta package typically presents a list of checkboxes used to choose which packages or components of a larger installation framework are installed.

To install a package, double-click its icon in the Finder®. The Installer application opens and guides you through the steps of the installation, as defined when the package was created. Packages can also be installed silently from the command line, with Apple Remote Desktop™, or using third-party patch-management software. Many applications come bundled as standard Apple Installer packages; where an application installer is already a package, a custom package may not be required.

Vendors that distribute packages often have a process for preparing a package for mass deployment (such as instructions on embedding license keys and other important settings). Contacting the vendor for the proper mass-deployment method of each title can save valuable time, minimize the user interaction required to install a package, and help prevent unintended consequences.

Packages can be created with a number of tools, such as Xcode®, the pkgbuild command, and third-party tools. Packages can be built manually or from a snapshot of the operating system. Snapshot-based packages are a good starting point for those new to building packages, but keep in mind that extraneous data may be captured unintentionally if changes unrelated to the installation take place between snapshots. To avoid this, always review the files and folders to be installed when making a snapshot and remove those that are not required. Because package scripts run as root on every client that installs them, review any pre- or post-install scripts captured from a vendor installer with the same care.

The process is similar to creating installers for other operating systems. A team member already trained in creating installers for Microsoft® Windows® (that is, “.msi” or “.mst” installers) should quickly grasp the concepts needed to build packages in OS X.


1.2.1 Create Packages Using Third-Party Utilities

A number of third-party products offer compelling features, depending on an environment’s imaging needs. These include:

• Composer™ from JAMF Software™ (www.jamfsoftware.com). Composer can inspect a computer and create a package of each application installed on the system, offering a smooth transition from monolithic imaging environments to package-based imaging environments.
• InstallEase™ from Absolute® Software (www.absolute.com). InstallEase is a basic snapshot-based package generation tool for OS X that lets you create installer packages with minimal effort.
• Rudix (www.rudix.org). Rudix is a website that offers a number of tools created for various UNIX® platforms, built into standard Mac installation packages.

Having access to packages that perform a number of tasks, without building your own, lets software be deployed more quickly and in a repeatable fashion. Treat any prebuilt package obtained from an outside source as untrusted until its signature and contents have been checked: it will be installed with root privileges on every client that receives it.


1.3 Manage Local Images

Local images are created on a local drive and are used to duplicate the contents of that drive to another computer. This section covers how to use Disk Utility to image one volume to another. A number of third-party tools can also image locally, including DeployStudio, Lightning Imaging from FileWave™, and Casper Imaging from JAMF Software, and these can perform imaging over a network connection as well.

Local image deployment is a simple form of deployment for Mac computers. Using native tools such as Apple Software Restore, Disk Utility, and target-disk mode, administrators can efficiently test deployment images over direct connections between computers, without moving images to production or test servers. Local imaging techniques don’t scale well to a large number of Mac computers in most environments, but they are well suited to test environments for working out how a larger-scale deployment process will run.


1.3.1 Create Images with Disk Utility

An image is a representation of a computer and its related information at a given point in time, including the kernel, file systems, libraries, and programs. A disk image is a representation of the file system, captured while offline to create a complete image of the system. For the purposes of this guide, an image is one of the following:

• A single .dmg file that stores a monolithic representation of a Mac and can be copied in full to other Mac computers (or a collection of packages that make up a modular representation of that .dmg file).
• A Mac that can be duplicated to other Mac computers.

Images can be deployed directly through target-disk mode or from one disk to another. Images can also be deployed over a network using NetInstall, NetRestore, or a third-party product. This module explains how to create an image of a hard drive and copy that image to another hard drive. There are many options for imaging Mac computers. In this module, use Disk Utility (located in /Applications/Utilities) to create an image of a hard drive. This is the most basic way that many organizations begin imaging.

To create an image of a system with Disk Utility:

1. Build the perfect system image. Install the operating system and required software, preferably using Volume License Agreement (VLA) licensing, and configure settings specific to your environment.
2. Restart the source system in target-disk mode by holding down the T key during startup.
3. Connect the image source computer to an image creation computer and verify that the hard drive mounts.
4. Select the prepared volume.
5. Choose Get Info from the File menu (or press Command-I).


6. Verify that the “Ignore ownership on this volume” checkbox isn’t selected. Ownership must be respected so that the captured image preserves the source volume’s file owners and permissions.

Figure 1.3.1_1

7. Open Disk Utility from /Applications/Utilities.


8. Click the disk to be imaged, if it appears in the list.

Figure 1.3.1_2

9. In the File menu, choose New.
10. Choose Disk Image from Folder.

Figure 1.3.1_3 ! 11. The Select Folder to Image dialog lets you choose the volume from which to create the image. Select the name of the prepared client hard drive (which should be started up in target-disk mode). ! ! ! ! ! !


12. Click the Image button.

Figure 1.3.1_4

13. In the New Image from Folder window, provide a name for the image. In this example, it’s Pretendco Image.
14. Use the Where menu to define where on the system the image file will be created.
15. Choose “compressed” in the Image Format menu and “none” in the Encryption menu; compressed images deploy faster. Leave encryption off only if the image will be kept on access-controlled storage: a deployment image normally contains local accounts and configuration that should not be readable by anyone who can copy the file.
16. Click the Save button to create the image.

Figure 1.3.1_5

Wait for the image to complete. The time required depends on the size of the image and the speed of the media on both the source and the destination.


17. Once the image is complete, unmount the hard drive.
18. Remove the hard drive used as the source of the image.
19. In Disk Utility, choose Scan Image for Restore in the Images menu.
20. Select the image previously created.
21. Once the scan is complete, test the image.


1.3.2 Create a Disk Image from the Command Line

Apple Software Restore (asr) is a tool administrators use to create images from a disk. In this example, the image is created from the command line, which gives maximum control over what happens behind the scenes and shows how the hdiutil and asr commands can be used in an imaging process.

To use Apple Software Restore to scan an image for restore:

1. The hdiutil command manipulates disk images: it can burn, create, expand, and verify them. In this module, use the create verb of hdiutil to create the image .dmg file. Mount a volume called MACOSX that contains a clean OS X installation, and create an image of it called MavericksImage in the desktop folder:

hdiutil create -srcfolder /Volumes/MACOSX ~/Desktop/MavericksImage.dmg

2. Now have the asr utility scan the image:

asr imagescan --source ~/Desktop/MavericksImage.dmg

Here asr is used with the imagescan verb to calculate checksums of the image contents and store them in the image. These checksums are used to verify that restores complete correctly. The imagescan verb also reorders files so that the image can be deployed in a multicast fashion.

Because the checksums are stored inside the image itself, they detect a corrupted restore but not a tampered image: anyone who can modify the .dmg can simply rescan it. Protect the image store with file permissions, and record an independent hash of the finished image somewhere the image store cannot write to.

Note: The --filechecksum and --nostream options can be used with the imagescan verb. They calculate checksums on a per-file basis and bypass reordering of the files, respectively. Both are often used as a troubleshooting mechanism when images are problematic.
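The checksums that asr imagescan embeds are a transfer check that lives inside the image, and the advice in 1.2 to review what a snapshot captured is the same file-by-file comparison seen from the other direction. The script below is an added example written for this guide’s topic, not code from Apple or from the guide: it snapshots a directory tree (SHA-256, permission bits, and owner for every file), derives a package payload from before/after snapshots while flagging files written outside the paths a package should own, and verifies a restored tree against the source manifest. The PAYLOAD_PREFIXES allow-list, the file names, and the trees it builds under a temporary directory are all constructed for the demonstration.

```python
# Added example (not from the Apple guide): compare two file-tree snapshots.
# Used two ways: (1) derive a package payload from before/after snapshots and
# flag files captured outside the paths the package should own; (2) verify that
# a restored volume matches the source manifest file by file.
import hashlib
import os
import shutil
import stat
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each relative path under root to (sha256, permission bits, uid)."""
    root = Path(root)
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            path = Path(dirpath) / name
            st = path.lstat()
            if stat.S_ISLNK(st.st_mode):
                # Hash the link target itself, not the file it points at.
                digest = hashlib.sha256(os.readlink(path).encode()).hexdigest()
            elif stat.S_ISREG(st.st_mode):
                h = hashlib.sha256()
                with open(path, "rb") as f:
                    for chunk in iter(lambda: f.read(1 << 20), b""):
                        h.update(chunk)
                digest = h.hexdigest()
            else:
                continue  # sockets, devices and FIFOs are not payload
            rel = path.relative_to(root).as_posix()
            manifest[rel] = (digest, stat.S_IMODE(st.st_mode), st.st_uid)
    return manifest


def diff(before, after):
    """Paths added, removed, or changed (content, mode, or owner) between two manifests."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "changed": sorted(p for p in common if before[p] != after[p]),
    }


# Assumption for the example: a well-behaved installer only writes under these prefixes.
PAYLOAD_PREFIXES = ("Applications/", "Library/")


def payload_from_snapshots(before, after, prefixes=PAYLOAD_PREFIXES):
    """Split what an install wrote into package payload and extraneous files."""
    d = diff(before, after)
    written = d["added"] + d["changed"]
    payload = [p for p in written if p.startswith(prefixes)]
    extraneous = [p for p in written if not p.startswith(prefixes)]
    return payload, extraneous


def verify_restore(source_manifest, restored_root):
    """Compare a restored volume against the source manifest; empty lists mean it matches."""
    return diff(source_manifest, snapshot(restored_root))


def _write(root, rel, data):
    p = Path(root) / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_bytes(data)


def demo():
    """Run both workflows on constructed trees and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        before = Path(tmp) / "before"
        _write(before, "Applications/Safari.app/Contents/Info.plist", b"<plist/>")
        _write(before, "Library/Preferences/com.pretendco.plist", b"version=1")
        pre = snapshot(before)

        # Constructed "after" state of a vendor install: the app bundle and the
        # updated preference file are payload; the per-user cache is not.
        after = Path(tmp) / "after"
        shutil.copytree(before, after)
        _write(after, "Applications/Pretendco.app/Contents/MacOS/Pretendco", b"\xcf\xfa\xed\xfe")
        _write(after, "Library/Preferences/com.pretendco.plist", b"version=2")
        _write(after, "Users/admin/Library/Caches/com.pretendco/index", b"cache")
        post = snapshot(after)
        payload, extraneous = payload_from_snapshots(pre, post)

        # Constructed restore of the golden tree, then damage the copy: one file
        # altered and one stray file added, which the verify step must report.
        restored = Path(tmp) / "restored"
        shutil.copytree(after, restored)
        _write(restored, "Applications/Safari.app/Contents/Info.plist", b"<plist>x</plist>")
        _write(restored, "private/var/tmp/stray", b"")
        report = verify_restore(post, restored)

    return {"payload": payload, "extraneous": extraneous, "restore": report}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Against real systems, call snapshot() on the mounted source volume before building the image and verify_restore() on the restored volume; anything listed under changed or added is either a file that differs from the golden build or one that was modified after the restore. Keep the source manifest where the image store cannot write to it; otherwise it is no more trustworthy than the checksums embedded in the .dmg.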


1.3.3 Deploy Images with Disk Utility

In this module, take a prepared image and copy it from one hard drive to another using Disk Utility.

To deploy an image with Disk Utility:

1. Open Disk Utility.
2. Select the destination, or target, drive and click Restore.
3. Drag the image file into the Source field from the Finder, or browse to the image using the Image button.
4. Drag the logical volume to the Destination field. You’ve now selected an image as the source and the destination drive to which you’re restoring.

Figure 1.3.3_1

5. Click the Restore button to initiate the restore process.


1.4 Network Images

Once you’ve created your deployment payloads, the next step is to deploy them. A simple form of deployment is to apply an image locally from one Mac to another via FireWire® or Thunderbolt. Because this process is cumbersome to scale, this section covers additional techniques that enable a minimal-touch deployment.

Network images are created specifically for imaging a large number of computers over a network. They are prepared for publishing over a network connection and include functionality for making each system unique when the imaging process is complete. Because a computer cannot be imaged while its operating system is running, this section includes setting up a NetBoot set and booting to a NetBoot image so that a Mac can reformat and reimage its own boot volume.

OS X includes a tool called System Image Utility (SIU), used to create NetBoot, NetInstall, and NetRestore images. System Image Utility lets you create images and configure powerful customizations that reduce the time required to image client computers. It is a standard tool installed in /System/Library/CoreServices on every Mac running OS X.

• NetBoot. Starts up client computers to an operating system located on a server. This operating system can run in a completely diskless boot environment (where there are no hard drives in client systems), or it can use a disk in the client to cache the operating system and reduce network congestion.
• NetInstall. Creates a customized operating system installer that runs over a network. The installation process is then customized with easy-to-use Automator actions that perform tasks before or after the OS X installation. Where no customizations have been made, NetInstall users are presented with the same installation experience as if they were running the OS X installer from the local drive; alternatively, the process can be automated. Examples of customizations include repartitioning hard drives, using predefined operating system installation choices, binding systems to directory services, renaming client systems, and installing additional software packages.
• NetRestore. Images client systems using a prebuilt image (referred to in this document as a “prepared disk”) with block-copy Apple Software Restore (ASR). There are several options for creating NetRestore sets, including imaging existing OS X computers, creating an image programmatically with a custom set of packages, and allowing arbitrary sourcing of ASR images (that is, choosing an image located on a web server or NFS server, or using multicast ASR). With NetRestore, a single boot image is prepopulated with predefined choices, or clients can browse for multicast ASR streams using Bonjour® networking technology from Apple.


1.4.1 Create a Bootable NetBoot Disk

This module describes how to create a minimal NetRestore image that allows the source location of ASR images (for example a file or URL) to be either predefined or entered manually when booted to a NetBoot image. For sources accessible via Bonjour, you can browse for the source location.

To create a NetBoot set for NetRestore using System Image Utility:

1. Open System Image Utility from the Tools menu of the Server application.
2. Click the Add (+) button in the lower-left corner of the System Image Utility window.
3. Click Continue to create a new workflow.

Figure 1.4.1_1


4. Click Agree when prompted to accept the OS X Licensing Agreement from Apple, provided the terms are acceptable.

Figure 1.4.1_2

5. In the window that shows the NetRestore options, remove the Define Image Source and Create Image panes on the right by clicking the Close (x) button in the upper-right corner of each. This leaves the workflow area empty.
6. Drag the Define NetRestore Source action from the Automator Library in the left pane to the workflow area.

Figure 1.4.1_3


7. Click the Add (+) button in the Define NetRestore Source pane, and enter the path where the .dmg can be found. You may define either an HTTP or an ASR source URI (uniform resource identifier).
8. Select the “ASR multicast streams” checkbox in the “Enable browsing for” section to see a list of all available ASR multicast streams.
9. To discover other NetRestore sources on the network (such as HTTP), select the “Other NetRestore sources” checkbox.
10. To allow users to provide a path to a .dmg manually, select the “Allow manual source entry” checkbox.

Figure 1.4.1_4

11. Drag the Create Image action from the Automator Library into the workflow, below the Define NetRestore Source area.
12. Leave Type set to NetBoot, and provide a name for the image.
13. Provide a name for the Network Disk.


14. Provide a description to help keep track of NetBoot sets. Also provide an image index, which uniquely identifies this NetBoot set.

Figure 1.4.1_5

15. Click Save.
16. Save the workflow with a name that lets you easily find it or share it with other administrators later.
17. Click Run.
18. Wait for the NetBoot set for NetRestore to complete. The time required depends on the size of the NetBoot set and the speed of the volumes to which it is being written.


1.4.2 Create NetInstall Images

In OS X Server, NetInstall publishes an installer to client systems. NetInstall takes the logic and options built into the OS X installer and moves them into a vehicle that can be used on networked client computers. In this module, create a NetInstall image of an OS X installer using System Image Utility.

To create a NetInstall image using System Image Utility:

1. Purchase and download OS X from the App Store (don’t install OS X or restart on completion).
2. An application called Install OS X Mavericks is placed in the /Applications directory.
3. Close any dialogs the Install OS X Mavericks installer may open automatically.
4. Open System Image Utility using the Tools menu in the Server application. Because the Install OS X Mavericks installer is detected on the system, the initial window of System Image Utility offers the option to Create a Network Disk Image and asks you to select the type of image you’ll create.

Figure 1.4.2_1

5. Choose Install OS X 10.9 from the Sources menu to select the installer on which to base the image.
6. Click NetInstall Image. This tells the image, when NetBoot loads it, to install an operating system.
7. Click Continue.


8. Provide a name and description for the image.
9. If the image will be hosted by multiple NetBoot servers, select the “Image will be served from more than one server” checkbox.

Figure 1.4.2_2

10. Click Agree when prompted to accept the OS X Licensing Agreement from Apple, provided the terms are acceptable.

Figure 1.4.2_3


11. In the Save As field, enter a name for the files that will be saved.
12. Use the Where menu to choose a location for the image.
13. If the location isn’t listed in the Where menu, click the disclosure button to the right of the Save As field to browse for a location.

Figure 1.4.2_4

14. Click Save.
15. When prompted, provide an administrative account and password for the system being used to generate the image.
16. Once the process is complete, move the image into the /Library/NetBoot/NetBootSP0 directory. The NetInstall image then appears in the NetInstall section of the Server application.


1.4.3 Configure a NetInstall Server

NetInstall and NetRestore both rely on the NetInstall service in OS X Server to start up an operating environment over the network, leaving the internal drive free to receive an operating system image or upgrade. NetBoot starts up a Mac computer from an operating system stored within a NetBoot image (.nbi) bundle hosted on a NetInstall server. OS X Server acts as the NetInstall server in this module.

To configure a NetInstall server:

1. Open the OS X Server application on the server.
2. Click Show when you highlight the Advanced section of the sidebar.

Figure 1.4.3_1

3. Click NetInstall in the sidebar.
4. Click the Settings tab.


5. Click the Edit button next to “Enable NetInstall on.”

Figure 1.4.3_2

6. Select the Enable checkbox for each interface on which NetInstall should run.
7. Click OK.

Figure 1.4.3_3

8. Click the Images tab.
9. Click the cog wheel icon.
10. Click the Edit Storage Settings button.
11. Click the Volume menu for the volume that will store the images.


12. Choose “Images & Client Data” from the Stored Data menu to enable images for that volume.

Figure 1.4.3_4

13. Click OK.
14. Place the NetBoot images previously created into the /Library/NetBoot/NetBootSP0 directory of the volume just selected.
15. Once the image is in the correct location, quit and reopen the Server application if the image does not appear in the Images list.
16. Click NetInstall under Services in the sidebar.

Figure 1.4.3_5


17. Double-click the image.
18. Select the "Make available over" checkbox.
19. Choose NFS from the "Make available over" menu.

Figure 1.4.3_6

20. Click the image previously created.
21. Click the cog wheel icon to open a menu of options for the image.
22. Choose Use as Default Boot Image to set the image as the default image used for systems that start up to the server.
23. Toggle the On/Off switch to start the service.

Figure 1.4.3_7

24. To test starting up a client system to the image, hold down the N key at startup, or select the NetBoot server you just set up in the Startup Disk pane of System Preferences on the client system.


1.4.4 Start Up to a NetInstall Image

Once a NetRestore or NetInstall NetBoot set is enabled on an OS X Server system, start up a client to that set to begin imaging. The easiest way to start up a client to a NetBoot server is to hold down the N key at startup. Provided the client can see the NetBoot server and can obtain an IP address from a DHCP server, this is usually all that is needed. In some cases, holding down the N key at startup won't produce the desired result. In this module, configure a client to start up to the NetBoot/NetInstall set using the Startup Disk pane of System Preferences.

To start up to a NetBoot set for NetRestore:

1. Open System Preferences.

Figure 1.4.4_1


2. Click Startup Disk to open the Startup Disk pane.

Figure 1.4.4_2

3. Click the name of the NetBoot set created for NetRestore.
4. Click the Restart button. The computer boots into the NetRestore environment, to a screen showing the System Image Utility icon. Choose the image to restore, or enter the path to the image manually.


1.4.5 Unicast Apple Software Restore

Apple Software Restore (asr) supports both multicast and unicast restores when the source image is accessed over a network. Either role can be played by any Mac computer (as the ASR server or the ASR client). Neither requires OS X Server, although OS X Server makes the task simpler with Bonjour-enabled NetRestore. When booted to a NetBoot image, you can give the path to an image (in the form of a URI) to define where the computer restores from. When that path points to a flat file on a server, you are performing a unicast restore: each target Mac establishes its own connection to the server hosting the image, in much the same way different users open the same read-only file on a file server. The following command restores an image onto a local volume programmatically:

sudo asr restore --source /Users/USERNAME/Desktop/OS\ X\ Mavericks\ Image.dmg --target /Volumes/Mac\ OS\ X/ --erase

In this command, the restore verb is used, the --source and --target settings are defined, and finally the --erase option is given. In this way, restoring a system image takes a single command. Rather than using direct-attached storage, such as Thunderbolt, administrators can use asr to restore images from a file hosted by HTTP. To do so, place the image on a web server and use a command similar to the following, where the fully qualified domain name (FQDN) of the web server is mywebserver.pretendco.com and the image is named mavimage.dmg:

sudo asr restore --source http://mywebserver.pretendco.com/mavimage.dmg --target /Volumes/Mac\ OS\ X/ --erase

Here the source is the URL from which the image is reachable over HTTP. The file was renamed to mavimage.dmg, with no spaces, so the URL needs no escaping. The --erase option speeds up the restoration (it allows a block copy rather than a file copy) and leaves the restored volume blessed (that is, bootable).

Note: This method assumes that the target Mac is started up in target disk mode, or from a NetBoot image, because an image can't be restored on top of a running operating system; this is another valuable feature of NetRestore on OS X Server.

Note also that plain HTTP provides no authenticity. Anyone able to intercept traffic between the client and the web server can substitute a different image, and the checksums asr embeds in a scanned image only detect corruption, not substitution. Restore over a trusted network segment, or compare the image against a known-good digest before restoring it.


1.4.6 Multicast Apple Software Restore

Multicast Apple Software Restore (mASR) sends disk images as multicast streams that any Mac on the network can join and image from. The mASR server plays the streams over the network, and Mac computers join a stream to copy the image, block by block, to their local drives. Streams are looped, so if a Mac joins a stream midway through, or drops packets because of network congestion, it finishes the current loop and then retrieves the remaining data on the next loop. Because the same data is streamed to all client systems, performance on the mASR server isn't affected when more clients are added.

To set up a multicast Apple Software Restore environment, use the same command-line utility used to restore the images (asr) to run the mASR server. Before starting, contact your network team for valid multicast addresses and rates for your network.

The asr command requires a property list (plist) file holding the configuration settings for the server. To configure an mASR server:

1. Set up the plist file. You need a multicast address and the data rate at which the server should send the multicast traffic. For this example, the file is named asrsetup.plist in a folder called /asrconfig. Create the directory using the following command:

sudo mkdir /asrconfig

2. Create the plist file using the following command:

sudo touch /asrconfig/asrsetup.plist

3. Use the defaults command to populate the file with the settings planned earlier. IPv4 multicast group addresses lie in 224.0.0.0/4 (first octet 224 through 239); use the address your network team assigns.

sudo defaults write /asrconfig/asrsetup.plist "Data Rate" -int 10000000
sudo defaults write /asrconfig/asrsetup.plist "Multicast Address" 224.0.0.1

4. Optionally add more keys to asrsetup.plist. Client Data Rate is the slowest rate at which a client can operate without errors. DNS Service Discovery is a boolean (written with -bool) that defines whether the ASR server advertises itself over Bonjour. Loop Suspend is an integer that limits the number of times an image is streamed without any client listening before the ASR server pauses and waits for new clients. Multicast TTL and port can also be customized, although these are rarely needed. For more information, see developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man8/asr.8.html.
5. Once the .plist file is created, move an image (a .dmg file) into the /asrconfig directory. The image must have been prepared for restore with asr's imagescan verb before it can be served.


6. Once the image is in place, start the ASR server using the following command:

sudo asr -server /asrconfig/asrsetup.plist -source /asrconfig/myimage.dmg

7. The server then reports "Ready to start accepting clients." To test the server, point a client at it with an asr:// URI, from a NetBoot image, from Disk Utility, or with the asr command's restore verb. Here the server is myasrserver.pretendco.com and the image is called myimage.dmg:

sudo asr restore --source asr://myasrserver.pretendco.com/myimage.dmg --target /Volumes/Mac\ OS\ X/ --erase
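An added example, not from the guide, that writes the same asrsetup.plist from a shell function on any POSIX system and refuses addresses outside the IPv4 multicast range (224.0.0.0/4), which is the easiest mistake to make in this configuration. The optional keys follow the descriptions in step 4; the default Loop Suspend of 10, the DNS Service Discovery value and the output path are assumptions, and on the server itself the defaults command shown above is an equally good way to set these keys.

```shell
#!/bin/sh
# Added example, not part of the Apple guide: generate an asr server plist and
# validate the multicast address and data rate before writing anything.
# Key names ("Data Rate", "Client Data Rate", "Multicast Address",
# "DNS Service Discovery", "Loop Suspend") are the ones the guide describes;
# the default values below are this example's assumptions.

# is_multicast ADDR: succeed if ADDR is a dotted quad whose first octet is
# 224..239, i.e. an address inside 224.0.0.0/4.
is_multicast() {
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  set -- $(printf '%s' "$1" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "$o" -le 255 ] || return 1
  done
  [ "$1" -ge 224 ] && [ "$1" -le 239 ]
}

# asr_server_plist OUTFILE MCAST_ADDR DATA_RATE [CLIENT_RATE] [LOOP_SUSPEND]
# Writes an XML property list for asr's server mode. Fails, without touching
# OUTFILE, if the address is not multicast or the rate is not a positive integer.
# CLIENT_RATE defaults to DATA_RATE; LOOP_SUSPEND defaults to 10 (assumed).
asr_server_plist() {
  out=$1 addr=$2 rate=$3 client_rate=${4:-$3} loop=${5:-10}
  is_multicast "$addr" || { echo "not a multicast address: $addr" >&2; return 1; }
  case $rate in
    ''|*[!0-9]*|0) echo "bad data rate: $rate" >&2; return 1 ;;
  esac
  cat > "$out" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Data Rate</key>
    <integer>$rate</integer>
    <key>Client Data Rate</key>
    <integer>$client_rate</integer>
    <key>Multicast Address</key>
    <string>$addr</string>
    <key>DNS Service Discovery</key>
    <true/>
    <key>Loop Suspend</key>
    <integer>$loop</integer>
</dict>
</plist>
EOF
}

# Typical use on the server (hypothetical address and rates):
#   asr_server_plist /asrconfig/asrsetup.plist 239.1.2.3 10000000 8000000
```

Keeping the validation in front of the write means a typo such as 244.0.0.1 is caught when the plist is produced rather than when clients silently fail to join the stream.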


1.4.7 Third-Party Deployment Solutions

Apple provides a robust set of solutions for imaging a computer, deploying the image, and keeping systems aligned with the change management, configuration management, and release management processes of both Apple and third-party imaging solutions. Some third-party developers also provide solutions that take a number of deployment aspects into account. These include, but are not limited to:

• DeployStudio. www.deploystudio.com A free application with a comprehensive set of tools wrapped around the command-line asr options. DeployStudio also offers the ability to PXE boot Windows computers for mass deployment.
• Casper Suite™. www.jamfsoftware.com JAMF Software's Casper Imaging Server also leverages NetBoot and ASR technology, although it extends beyond deployment and into patch management. One component of the suite, Composer, can be used to build package-based images quickly using software already installed on a monolithic image or prepared volume.
• Absolute Manage. www.absolute.com This solution allows for upgrades, but is more widely adopted as a patch management solution for both Mac and Windows PC computers.
• FileWave. www.filewave.com This cross-platform solution offers administrators a way to prepare systems for the deployment of packages, and provides a way to roll packages and images back to previously deployed images.

Additionally, Mobile Device Management (MDM) solutions can be used to deploy software and manage settings on Apple equipment. Most vendors that develop patch management solutions also offer MDM solutions. Check with your vendor to make sure you're using the right tool for each task performed on your Apple devices.


1.5 Prepare Networks for Image Deployment

One of the biggest challenges when imaging over a network is that the computer can't be booted from the volume being imaged. In this case, most imaging environments need a NetBoot server. NetBoot locates a NetBoot server by broadcasting, so many environments require NetBoot helpers configured on routers, NetBoot/bootpd relays, or a statically assigned NetBoot server where broadcast traffic can't reach one (for example because of VLANs). The following sections cover the standard steps for getting a NetBoot server working so you can reliably image systems in large-scale environments.


1.5.1 Set Clients to NetBoot Using the bless Command

To start up a client system to a NetBoot/NetInstall server, hold down the N key to boot the default image from the first server that answers, or hold down the Option key to pick a server in Startup Manager. You can also click Startup Disk in System Preferences to select which NetBoot server to boot from, provided the client can find the NetBoot server using standard broadcast traffic.

To start up to a specific IP address, use the bless command from the command line. bless lets administrators specify which volume or folder to boot from, and can also define a network volume from which a client should boot, as in NetBoot. In this example, the IP address of the NetBoot server is 10.0.9.2 and the client is on the same subnet as the server, obtaining its address through DHCP (Dynamic Host Configuration Protocol). Replace the sample IP address with one from your environment.

To use the bless command to define a NetBoot volume that resides on a server:

1. Open Terminal from /Applications/Utilities.

2. Run bless without any arguments to see its usage summary and available options.
3. Run the following command:

sudo bless --netboot --server bsdp://10.0.9.2

The options used in this command are --netboot, which puts the client into NetBoot mode for its next startup, and --server, which names the server by IP address (or DNS name) instead of relying on a discovery protocol. The server is written as a URL with the bsdp:// scheme: the client still speaks BSDP (Boot Service Discovery Protocol), but only to that server, and asks it for its default image. The separate --booter option instead points the firmware directly at a tftp:// booter, together with the nfs:// or afp:// location of the NetInstall .dmg file, for cases where BSDP should not be used at all. Add --nextonly if the client should NetBoot only once and then return to its normal startup disk. Because this rewrites the firmware's boot selection, it requires root, which is also why only administrators can redirect a Mac to an arbitrary server this way.

4. Verify that the bless command took effect:

bless --info

With no volume argument, bless --info reports the currently selected startup configuration, which should now show the NetBoot server. Using bless this way, administrators can target a NetBoot server directly even if that server is on a different subnet from the client systems.
5. If the correct information appears, the configuration is complete. For more information on using bless, see its man page:

man bless


1.5.2 Use NetBoot DHCP Helpers

As with any discovery protocol, NetBoot can be problematic on certain networks. To quickly find out whether NetBoot works for a given server and client, enable DHCP on the NetBoot server, connect a network cable from the server directly to the client computer, and start up the client while holding down the N key. Then disable that DHCP service and try the same process through the network switches. If NetBoot works when directly connected but not through the switching and routing infrastructure, the environment more than likely has an infrastructure problem.

There are a number of ways to avoid infrastructure problems that cause NetBoot to fail. Chief among them is to set up a router helper (IP helper) for Boot Service Discovery Protocol (BSDP). One way to do this is to enable UDP (User Datagram Protocol) forwarding so that BSDP packets are forwarded to the NetBoot server in question, which allows that server to host as many NetBoot environments as needed. This is similar to how most environments forward all DHCP traffic, whichever subnet it originates on, to a specified server. If this isn't an option, another method is to look to DHCP itself, which allows for a number of extensions. These extensions offer administrators options via DHCP in addition to the IP address and subnet mask common in DHCP leases, such as DNS servers, NIS servers, SMTP servers, and so on. For more on DHCP options, see www.ietf.org/rfc/rfc2132.txt. Besides the standard options, DHCP reserves room for vendor-defined ones, and BSDP is one such vendor extension, developed by Apple. It carries its messages in option 43 (vendor-specific information) and identifies NetBoot clients and servers with option 60 (vendor class identifier). The full protocol documentation is available at opensource.apple.com in the bootpd project.

Because BSDP rides on DHCP, it inherits DHCP's lack of authentication: a client holding N accepts the first server that answers, so any host on the broadcast domain that speaks BSDP, or any address a helper forwards to, can hand the client a boot image. Switch features that drop DHCP server replies arriving on untrusted ports (commonly called DHCP snooping) therefore protect against rogue NetBoot servers as well, and helper addresses should list only the intended NetBoot servers.

Each router and DHCP server is different. This should help administrators find out what is required to enable and configure DHCP helper addresses on routers to allow NetBoot server discovery across subnets.


1.5.3 Relay bootpd

DHCP is required for NetBoot. Many environments already have DHCP servers on each segment, VLAN (Virtual LAN), or subnet of the network where a Mac might attempt to NetBoot. If administrators can see a NetBoot server in the Startup Disk pane of System Preferences but can't NetBoot from it by holding down the N key at startup, a bootpd relay for BSDP and its parent DHCP server may be needed. This module covers how to configure a Mac running OS X Server as a bootpd relay agent so that NetBoot servers can be discovered across subnets.

To edit the bootpd.plist file on the system that will act as the relay:

1. Enable Internet Sharing in System Preferences. Doing so generates the bootpd configuration and enables Network Address Translation (NAT) on your server, but you don't have to use NAT.
2. Open Terminal from /Applications/Utilities.

3. Type sudo pico /etc/bootpd.plist.
4. Find the relay_enabled and relay_ip_list keys in the file.
5. Change the value of the relay_enabled key from <false/> to <true/>.
6. Replace the empty <array/> for relay_ip_list with an array holding the NetBoot server IP address (192.168.210.1 in this example).
7. The resulting section of the file should appear as follows:

<key>relay_enabled</key>
<true/>
<key>relay_ip_list</key>
<array>
    <string>192.168.210.1</string>
</array>

8. Once the parameters are configured, load the bootps LaunchDaemon, as follows:

sudo launchctl load -w /System/Library/LaunchDaemons/bootps.plist

9. Finally, start the bootpd process using launchctl as follows:

sudo launchctl start com.apple.bootpd


1.6 Minimal Touch Deployments

By following Apple best practices, it's possible to achieve minimal-touch, or even zero-touch, deployments with OS X. There are three main components to a minimal-touch deployment.

• Deployment imaging. The first step of any deployment (especially a minimal-touch deployment) is the development of a good deployment image. A deployment image contains as few customizations as possible, to protect it from constant revisions and to keep it as business-unit agnostic as possible. Ideally, the deployment image contains only OS X, local settings, and keystone applications, if that. Keystone applications are software packages installed on 100 percent of the Mac computers in an organization. The deployment image can skip even these if the computer is enrolled in a patch management system, meaning a computer can be deployed with just the operating system and that enrollment; the patch management system then installs all software, including keystone applications.
• Directory services. By fully utilizing directory services, administrators gain centralized control over user identities and centralized management of user data, while also providing for the delivery of a cohesive management policy framework. A script that binds the Mac to a directory service can be built into most deployment images or deployed as part of a client management or mobile device management solution.
• Client management. Use of a client management system is the critical step of a minimal-touch deployment. Client management agents, or enrollment in mobile device management, should be built into deployment images so that, on first startup, the Mac systems contact the client management suite and upload inventory information. This is also when any unit-specific software is provisioned, along with any update deltas that exist for the current deployment image. With most client management suites, optional applications are delivered to Mac client computers via self-service software tools.
Workflows that consist of images containing only client management agents, with the agent loading all other automations, are known as thin-imaging workflows and are the preferred methodology for large-scale deployments in order to keep touches to a minimum. A zero-touch deployment can be achieved when a thin-imaging workflow is used with systems imaged at the factory (or by an Apple Authorized Reseller) before they arrive at your organization. When combined with centrally managed Mac App Store software and licenses, a thin image can be compiled with very few custom packages, allowing for streamlined and efficient workflows that also require little time to develop and manage.


1.6.1 Streamlined Device Enrollment

Streamlined MDM Enrollment is a new process introduced in OS X Mavericks for simplifying device distribution, configuration, and rollout. Institutionally owned devices can be automatically enrolled in MDM during activation. As a result, IT can ship a device to an end user without unboxing it, and the system will connect to the company's MDM solution, skip basic setup steps, and fully configure itself with corporate settings and policies.

2 Support and Maintenance

Once a system has been built, configured, and deployed, it has to be supported and maintained. Ongoing tasks include software updates, patch management, hardware support, inventory management, remote management, and basic troubleshooting. Apple offers a variety of tools and resources to help streamline and simplify these tasks. The topics covered in this section help organizations plan and implement long-term adoption and support of Mac systems.


2.1 Use Asset Tags

Many asset management systems use the primary MAC address of the computer's logic board as a unique identifier. Given how common this practice is, Apple prints the MAC address, as well as a bar code encoding that address, on the outside of the box. This strategy works well unless the MAC address changes because of a hardware failure or repair. To be safe, administrators should use both a MAC address and a hardware asset tag to identify client computers. Hardware asset tags provide a more reliable way to link the physical and electronic identities of a Mac computer. By using physical tags, the identity of a computer is always known unless it's physically destroyed. Asset tags can then be linked to the MAC address in most asset management systems. Many resellers and other solution providers offer asset tag systems or engraved asset tagging. Asset tags are also provided as a service from Apple. Contact your Apple account team or Apple Authorized Reseller to learn more about the options available for both asset tagging and asset management systems.


2.2 Configure the OS X Server Caching Service

The Caching service lets OS X clients on your network download App Store and iTunes® content from a local server instead of directly from Apple. Clients locate the caching server automatically; the server fetches each item from Apple the first time it is requested and serves it locally to later requesters. The cache includes all App Store and iTunes content downloaded by users on your subnet.

To enable the Caching service in OS X Server:

1. Open the Server application.
2. Click Caching in the sidebar.
3. Using the Cache Size slider, choose the amount of space the cache may use, up to Unlimited.

Figure 2.2_1

4. Click the Edit button to choose a location for cached data.
5. In the selection dialog, choose the volume to use for storing cached updates.

Figure 2.2_2


6. Click Choose.
7. Click the On button to start the Caching service.

Figure 2.2_3

8. Once the service is started, use the Reset button if you need to clear the cache.

Note: If more advanced options are needed for caching, see support.apple.com/kb/HT5590 for a full list of features available from the command line.


2.3 Configure the OS X Server Software Update Service

OS X Server can act as a Software Update server that mirrors updates from the Apple Software Update service. This keeps Apple updates from saturating the Internet connection in environments with large deployments, and gives IT departments a built-in methodology for managing Apple updates. Many third-party tools also leverage the Apple Software Update service to supply patches to client systems. The Software Update service runs on the Apache™ web server in OS X Server. Updates are synchronized from Apple's Software Update servers, with update catalogs stored in XML files. Client systems read those XML catalogs to learn which updates are available, and then download and install them routinely.

To enable the Software Update service in OS X Server:

1. Open the Server application.
2. Click Show when you highlight the Advanced section of the sidebar.
3. Click Software Update in the list provided.
4. In the Settings tab, choose whether updates should be Manual, which gives administrators the choice to release each patch provided by Apple, or Automatic, which immediately mirrors updates from Apple.

Figure 2.3_1

5. Turn on Software Update to begin caching the available patches from Apple.


6. Click the Updates tab.

Figure 2.3_2

Note: You may not immediately see the updates, as it can take a number of hours for updates to appear.

7. To control updates once they've been cached on the system, change the update setting from Automatic back to Manual.
8. Click an update to highlight it.
9. To control the status of an update, use the cog wheel icon toward the bottom of the pane or click the Status pop-up menu for each update listed.
• Choose Download to just cache an update.
• If the update has not yet been downloaded, choose Download and Enable to cache it and serve it to client systems.
• Choose Disable if the update has been downloaded and is not required. (This option is only available when Automatic has been selected in the Settings tab.)

Figure 2.3_3


2.3.1 Configure Software Update Server Clients

Once the Software Update service is configured, use it to serve updates to client computers. Verify that clients update as intended in a lab environment before pushing settings en masse, whether you use a configuration profile or edit com.apple.SoftwareUpdate.plist directly.

To test the Software Update service, use a profile to point a computer at the new Software Update service. In this example, the Apple Profile Manager service is used to create the profile.

1. To configure a policy for a specific computer, open the Profile Manager web interface.
2. Authenticate to Profile Manager as an administrator.
3. Click the device or device group, or use any OS X device to create a generic profile with just this one setting applied.
4. Click Edit for the profile.
5. In the Settings pane sidebar, click Software Update.
6. Click the Configure button to enable the payload.

Figure 2.3.1_1

7. Enter the appropriate URL in the "Software Update server" field.
8. Click the OK button.
9. Click the Save button.
10. Click Save in the Save Changes dialog.
11. Click the Download button to download the profile.
12. To use the newly created profile, install the .mobileconfig file by double-clicking the file.


13. If the client systems can't be managed by profiles, use the following command to set the Software Update server directly, replacing server.pretendco.com with the IP address or DNS name of the host running the Software Update service:

sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL "http://server.pretendco.com:8088/index.sucatalog"

Once configured, confirm that software updates are available by clicking Software Update in System Preferences, or from the command line. A setting written this way is an ordinary preference file that any local administrator can change back, so a profile delivered by MDM is preferable where it is available.
14. To test from the command line, use the softwareupdate command. To list the updates available from the newly defined Software Update server, use the --list option:

softwareupdate --list

15. To install a specific update, pass the label shown by --list:

sudo softwareupdate --install <label>

16. To install all available updates, combine --install with --all:

sudo softwareupdate --install --all

17. Once testing is complete, return the Software Update settings to their defaults by deleting /Library/Preferences/com.apple.SoftwareUpdate.plist and letting the system generate a new one with the default settings.
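An added example (not code from the guide) of driving softwareupdate from a script, as steps 14 through 16 do by hand: a filter that extracts update labels from the output of softwareupdate --list, optionally skipping updates tagged [restart] so an unattended run never reboots a machine, and builds the matching --install command. The sample output embedded in the block is constructed to match the 10.9-era list format (a line beginning with "   * " carrying the label, followed by an indented description line); the labels in it are made up.

```shell
#!/bin/sh
# Added example, not part of the Apple guide: turn `softwareupdate --list`
# output into labels for `softwareupdate --install`.
# SAMPLE is constructed to mimic the 10.9-era list format; its labels are
# made up and do not correspond to real Apple updates.
SAMPLE='Software Update Tool
Copyright 2002-2012 Apple Inc.

Finding available software
Software Update found the following new or updated software:
   * iTunesX-11.1.5
	iTunes (11.1.5), 220510K [recommended]
   * OSXUpd10.9.2-10.9.2
	OS X Update (10.9.2), 460321K [recommended] [restart]
   * RAWCameraUpdate5.03-5.03
	Digital Camera RAW Compatibility Update (5.03), 6600K [recommended]'

# su_labels [norestart] < list-output
# Prints one label per line. A label line looks like "   * Label" and is
# followed by a description line; with "norestart", labels whose description
# carries the [restart] tag are dropped so the install can run unattended.
su_labels() {
  awk -v mode="${1:-all}" '
    /^[ \t]*\* / { sub(/^[ \t]*\* /, ""); label = $0; next }
    label != "" {
      if (!(mode == "norestart" && index($0, "[restart]"))) print label
      label = ""
    }
    END { if (label != "") print label }'
}

# su_install_command [norestart] < list-output
# Prints the softwareupdate command for the selected labels, or fails when
# the list contains no updates (softwareupdate then prints only a notice).
su_install_command() {
  labels=$(su_labels "$@" | tr '\n' ' ' | sed 's/ *$//')
  [ -n "$labels" ] || { echo "no updates available" >&2; return 1; }
  printf 'softwareupdate --install %s\n' "$labels"
}

# Typical use on a client, as root (runs softwareupdate, so OS X only):
#   softwareupdate --list 2>/dev/null | su_labels norestart | xargs softwareupdate --install
```

Feeding the labels to xargs rather than eval-ing a command string keeps the script safe even if a description line ever contained shell metacharacters; labels themselves are plain identifiers.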


2.3.2 Cascade Software Update Services

The Software Update server in OS X Server can cache updates from Apple and redistribute them to other OS X Server systems running the Software Update service, cascading updates from one server to the next. Running a Software Update server reduces the bandwidth consumed on Internet connections when new software and security patches are released. For large, distributed organizations, multiple Software Update servers will be needed. Administrators can gain centralized control over updates by releasing them hierarchically. For example, the initial server can be set to release updates according to a release management schedule. Downstream servers can either release all updates from the upstream Software Update service, or release updates based on the release management process for their geographical or business-unit boundary, which allows for fine-grained control. In this module, the first server running the Software Update service is server09.pretendco.com and the second is SUS2.pretendco.com.

To set up the second Software Update server to get its updates from the first:

1. Enable the Software Update service on the first server (in this case, server09.pretendco.com).

Figure 2.3.2_1

2. On the second, or child, server (SUS2.pretendco.com), make a copy of the file /Library/Server/Software Update/Config/swupd.plist (for example, on the desktop) in case you need to revert to the previous version.

3. On the child server, edit the metaindexURL key (which by default points at swscan.apple.com) in /Library/Server/Software Update/Config/swupd.plist.


4. Set the key to http://server09.pretendco.com/content/meta/mirror-config-1.plist, the mirror configuration published by the first server.

5. Start the Software Update service on the child server and complete its setup according to your requirements. Once updates flow as expected, the cascaded Software Update environment is set up.


2.4 Leverage Third-Party Software Update Services

Third-party patch management solutions rely on an out-of-band management technique for Mac-based software updates and patches. These include an open source project called Reposado (github.com/wdas/reposado), a set of Python-based tools that replicate the Software Update service found in OS X Server. Reposado transfers updates from Apple via cURL and synchronizes them to a local web server, generating the indexes and plists as needed. Reposado runs on any operating system that supports cURL, Apache, and Python. Another option is for the client management software to download packages from Apple and host them on staging servers. Agents running on client systems then download Apple updates from the staging servers rather than from Apple. Both Absolute Manage and JAMF offer the ability to force agents to obtain software updates from a local staging server. This functionality can run on OS X Server, Linux® servers, or Windows Server®.


2.5 Acquire Client Management Suites

The workflow an administrative team develops for software delivery and management, patching, and remediation is often centralized around a software package called a client management suite. This centralization can result in a software package workflow that redefines the imaging workflow in a number of ways. Available solutions include software that can perform the following:

Imaging Only
• Apple NetInstall and NetRestore. www.apple.com/osx/server
• DeployStudio. www.deploystudio.com

Imaging and Client Management
• JAMF Casper Suite. www.jamfsoftware.com
• Absolute Manage. www.absolute.com

Patch Management Only
• Apple Remote Desktop. www.apple.com/remotedesktop

Client Management Only (MDM)
• AirWatch®. www.air-watch.com
• MobileIron®. www.mobileiron.com
• Centrify®. www.centrify.com
• Maas360™. www.maas360.com

3 Directory Services

A directory service stores information about users, groups, and network resources for an organization. OS X has a local directory service for local accounts and can connect to network directory services, which obtain account information from a centralized source. On a default installation of OS X, directory services may be configured to access directory information via LDAP (Lightweight Directory Access Protocol), Active Directory®, and NIS (Network Information Service). LDAP and Active Directory are the most commonly used.

When an application or utility needs information about a user, group, or computer, it does a directory service lookup. In OS X, information is always looked up in the local directory service first. Then, if the information isn’t located in the local directory, the query is sent to the other directory services that have been configured. This search path is specified in the /System/Library/CoreServices/Directory Utility application, which allows administrators to specify the order in which information such as users and groups is searched for.

Directory services in OS X are built using a modular framework. This allows the operating system to be extended with third-party directory modules. These modules provide additional functionality as well as support for other directory services not included in the default operating system.


3.1 Local Directory Services

Local directory services information is stored in property list (.plist) files, located in the /var/db/dslocal/nodes/Default directory. This allows the administrator to read, write, and change these files directly without requiring an intermediary daemon or utility. Files can also be dropped into the file system to create accounts. This flexibility is useful when making mass changes to systems or when troubleshooting a system in single-user mode. Because files can be accessed and modified directly, making scripting modifications to directory services is straightforward.

Accounts for users and groups are stored in flat files located in subdirectories in the /var/db/dslocal/nodes/Default directory. Users are stored in the /var/db/dslocal/nodes/Default/users directory. Groups are stored in the /var/db/dslocal/nodes/Default/groups directory. Each user and group account has a corresponding .plist file that holds XML content describing the user or group. Account names that begin with an underscore are reserved for system users and groups.

Inside each .plist file are XML keys with arrays. These keys contain a variety of values that include information, or attributes, defining how the user or group account is used. Comparing the local directory services files to an LDAP query, the file would be the object and associated keys, and the values would be the attribute names and values for those objects. These keys in the local directory node closely resemble registry keys for local accounts, with one exception—they’re distributed across files rather than in a single location.

Local directory service information can be edited by different applications. Click Users & Groups in System Preferences to add, edit, or delete user accounts and groups. Use Directory Utility to directly modify any attribute in directory services. While you can directly edit account property lists, direct edits aren’t registered with the system immediately and error checking isn’t performed on the files.
It’s a safer practice to use directory services command-line utilities to edit user, group, and computer information because error checking is typically applied. The command-line utilities for managing directory services data include the following:

• odutil. Monitor directory services and manage directory services logging.

• dscl. Directory services command-line utility.

• dscacheutil. Look up information, flush caches, and gather statistics on directory services.

• dseditgroup. Alter group membership information.

• dsenableroot. Enable or disable the root account.

• dserr. Show descriptions of directory services error codes.

• dsexport. Export directory services information.

• dsimport. Import directory services information.

• dsmemberutil. Check group memberships and UUIDs, and perform certain debugging operations.


• id. Validate user and group information.

For more information on these commands, open Terminal in /Applications/Utilities. Then enter the man command followed by the name of each utility.
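As an added example (not Apple's code, and not part of the original guide), the following Python script reads a local node laid out as described above (one XML plist per user or group under users/ and groups/, every attribute stored as an array of strings) and reports what an administrator most often needs to know: who is in the admin group, which groups are nested into it, and which non-system accounts have a UID below 500 and so are hidden at the login window. The sample node it writes to a temporary directory is constructed; point load_node at /var/db/dslocal/nodes/Default (as root) to audit a real Mac.

```python
"""Audit a dslocal node for admin group members, nested groups and hidden
accounts. Added example for this guide, not Apple's code."""
import os
import plistlib
import tempfile

DEFAULT_NODE = "/var/db/dslocal/nodes/Default"   # the real node on a Mac


def _first(record, key, default=""):
    """dslocal stores every attribute as an array; return its first value."""
    values = record.get(key) or []
    return values[0] if values else default


def load_node(node_path):
    """Read every user and group plist in a local node into plain dicts."""
    node = {"users": {}, "groups": {}}
    for kind in ("users", "groups"):
        folder = os.path.join(node_path, kind)
        for fname in sorted(os.listdir(folder)):
            if not fname.endswith(".plist"):
                continue
            with open(os.path.join(folder, fname), "rb") as fh:
                record = plistlib.load(fh)
            node[kind][_first(record, "name", fname[:-6])] = record
    return node


def audit_node(node):
    """Return direct admin members, nested admin groups and hidden users."""
    admin = node["groups"].get("admin", {})
    findings = {
        "admin_members": sorted(admin.get("users") or []),
        "admin_nested_guids": sorted(admin.get("nestedgroups") or []),
        "hidden_users": [],
    }
    for name, rec in node["users"].items():
        if name.startswith("_"):
            continue                 # underscore names are reserved system accounts
        try:
            uid = int(_first(rec, "uid", "-1"))
        except ValueError:
            uid = -1
        if 0 <= uid < 500:           # below 500: not shown at the login window
            findings["hidden_users"].append((name, uid))
    findings["hidden_users"].sort()
    return findings


def write_sample_node(base):
    """Write a constructed node (not from a real Mac) with one hidden admin."""
    users = {
        "admin": {"name": ["admin"], "uid": ["501"], "gid": ["20"],
                  "home": ["/Users/admin"], "shell": ["/bin/bash"],
                  "realname": ["Local Admin"]},
        "hidden": {"name": ["hidden"], "uid": ["499"], "gid": ["499"],
                   "home": ["/Users/hidden"], "shell": ["/bin/bash"],
                   "realname": ["Hidden Admin"]},
        "_spotlight": {"name": ["_spotlight"], "uid": ["89"], "gid": ["89"]},
    }
    groups = {
        # nestedgroups holds GeneratedUIDs; this GUID is a made-up placeholder
        "admin": {"name": ["admin"], "gid": ["80"],
                  "users": ["root", "admin", "hidden"],
                  "nestedgroups": ["ABCDEFAB-CDEF-ABCD-EFAB-CDEFABCDEF00"]},
        "staff": {"name": ["staff"], "gid": ["20"], "users": ["root"]},
    }
    for kind, records in (("users", users), ("groups", groups)):
        os.makedirs(os.path.join(base, kind), exist_ok=True)
        for name, rec in records.items():
            with open(os.path.join(base, kind, name + ".plist"), "wb") as fh:
                plistlib.dump(rec, fh)
    return base


def demo():
    """Audit the constructed sample node."""
    return audit_node(load_node(write_sample_node(tempfile.mkdtemp())))


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```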


3.1.1 Create Local Administrative Accounts

Centralized management requires known local administrative accounts on client systems. Apple Remote Desktop uses these accounts to remotely control machines, to run local scripts on systems as post-imaging tasks, and for utility and troubleshooting purposes. There are two methods commonly used to create local administrative accounts. The first is using the Users & Groups pane in System Preferences. The second is through the command line, using the dscl utility. To facilitate the distribution of managed tasks, the Active Directory plug-in built into OS X can also supply local administrative accounts based on Active Directory group memberships.


3.1.1.1 Create Local Administrative Accounts in System Preferences

In this module, create a new local administrative account in OS X using the Users & Groups pane in System Preferences.

To create a new local administrative account:

1. Choose System Preferences from the Apple menu and click Users & Groups.

Figure 3.1.1.1_1

2. Click the lock icon in the lower-left of the window and provide the password of an existing administrative user.

Figure 3.1.1.1_2


3. Click the Add (+) button in the bottom-left corner.

Figure 3.1.1.1_3

4. In the dialog, choose Administrator from the New Account menu.

5. Enter the new user’s full name and account name. (These should be unique and different from one another.)

6. Enter the same password in both the Password and Verify fields, then click the Create User button.

Figure 3.1.1.1_4


The newly created account appears under Other Users in the Accounts list on the Users & Groups pane in System Preferences.

Figure 3.1.1.1_5

7. To ensure the account was created successfully with the appropriate administrative privileges, log out and then log in again as the new user.

8. To test that the user is now a local administrator, open the Users & Groups pane in System Preferences and unlock the pane with the new user account. If the pane is successfully unlocked, the user is now a local administrator.


3.1.1.2 Create Local Administrative Accounts from the Command Line

The dscl command-line utility can be used to create local administrative accounts through the command line, as well as to customize the location of home directories, add or change account names, and automate the process of creating accounts.

To create a local account using the command line:

In the following steps, replace pretendcoadmin with the account name for the new account, and replace Pretendco Administrator with the full name of the new administrative account.

1. Add the user name to the local directory services database using the following command:

sudo dscl /Local/Default create /Users/pretendcoadmin

2. Set the default shell. Bash is the default, with a path of /bin/bash:

sudo dscl /Local/Default create /Users/pretendcoadmin UserShell /bin/bash

3. Set the full name of the user account, replacing Pretendco Administrator with the user’s full name:

sudo dscl /Local/Default create /Users/pretendcoadmin RealName "Pretendco Administrator"

4. Set the User ID (UID) as a unique integer value. In this example, run the following command to set the UID to 1100. Subsequent users will need additional unique UIDs. UIDs from 0–500 are reserved for system use.

sudo dscl /Local/Default create /Users/pretendcoadmin UniqueID 1100

5. Once a UID is assigned to an account, set the default group ID (GID) using the following command. Note that the GID must be different from other GIDs but can be the same as the UID used in the previous step.

sudo dscl /Local/Default create /Users/pretendcoadmin PrimaryGroupID 1100

6. Now that the user has a GID, set the home directory for the user using the following command:

sudo dscl /Local/Default create /Users/pretendcoadmin NFSHomeDirectory /Users/pretendcoadmin

7. Add the user to the existing admin group. If converting an existing user account into an administrative account, use the append verb as follows:

sudo dscl /Local/Default append /Groups/admin GroupMembership pretendcoadmin

8. Set the user’s password using the -passwd option, as follows:

sudo dscl /Local/Default -passwd /Users/pretendcoadmin

Optionally, the password may be included at the end of the command instead, as follows:

sudo dscl . -passwd /Users/pretendcoadmin newpassword


When generating a shell script from these commands, prompt the user for the password in the script and use the provided value. Otherwise the password is stored in clear text in the script and is visible to anyone who can read or edit it. Note: Using this account for anything other than standard administrative purposes requires populating the account with more attributes. For the purposes described here, the account does not need to be fully usable.
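As an added example (not Apple's code, and not part of the original guide), this Python script wraps the dscl sequence from steps 1–8 with the two checks the text asks for: it picks a UID that is unique on the system and above the reserved 0–500 range, and it reads the password from a prompt at run time instead of storing it in the script. The dry_run switch, the next_free_uid helper and the sample dscl listing are this example's own additions; the sample listing is constructed, not taken from a real Mac.

```python
"""Create a local administrative account with dscl, checking UID uniqueness
and prompting for the password. Added example for this guide, not Apple's code."""
import getpass
import subprocess

NODE = "/Local/Default"


def parse_uid_list(dscl_output):
    """Parse 'dscl . -list /Users UniqueID' output ('name  uid' per line)."""
    uids = set()
    for line in dscl_output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[-1].lstrip("-").isdigit():
            uids.add(int(parts[-1]))
    return uids


def next_free_uid(used, start=1100):
    """Smallest unused UID >= start; start must be above the reserved range."""
    if start <= 500:
        raise ValueError("UIDs 0-500 are reserved for system use")
    uid = start
    while uid in used:
        uid += 1
    return uid


def build_commands(name, real_name, uid, shell="/bin/bash"):
    """The dscl sequence from steps 1-7; the GID is set equal to the UID."""
    path = "/Users/" + name
    return [
        ["dscl", NODE, "create", path],
        ["dscl", NODE, "create", path, "UserShell", shell],
        ["dscl", NODE, "create", path, "RealName", real_name],
        ["dscl", NODE, "create", path, "UniqueID", str(uid)],
        ["dscl", NODE, "create", path, "PrimaryGroupID", str(uid)],
        ["dscl", NODE, "create", path, "NFSHomeDirectory", path],
        ["dscl", NODE, "append", "/Groups/admin", "GroupMembership", name],
    ]


def create_admin(name, real_name, dry_run=True):
    """Run the sequence (as root), then set the password from a prompt (step 8)."""
    if dry_run:
        used = parse_uid_list(SAMPLE_LIST)        # constructed listing below
    else:
        out = subprocess.run(["dscl", ".", "-list", "/Users", "UniqueID"],
                             check=True, capture_output=True, text=True).stdout
        used = parse_uid_list(out)
    uid = next_free_uid(used)
    cmds = build_commands(name, real_name, uid)
    if not dry_run:
        for cmd in cmds:
            subprocess.run(cmd, check=True)
        # The password is typed at run time, so it never sits in the script
        # file; dscl still receives it as an argument, as in step 8.
        pw = getpass.getpass("Password for %s: " % name)
        subprocess.run(["dscl", ".", "-passwd", "/Users/" + name, pw],
                       check=True)
    return uid, cmds


# Constructed sample output of 'dscl . -list /Users UniqueID' (not real data)
SAMPLE_LIST = """_spotlight  89
root        0
localadmin  501
jdoe        1100
"""

if __name__ == "__main__":
    new_uid, commands = create_admin("pretendcoadmin", "Pretendco Administrator")
    print("would use UID", new_uid)
    for command in commands:
        print("sudo", " ".join(command))
```

Run it as root with dry_run=False to perform the account creation; the default dry run only prints the commands it would issue.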


3.1.1.3 Change Local Administrative Accounts from the Command Line

The most common change to a local administrative account is altering the user’s password. To do so, use the dscl command with the -passwd option.

In the following example, the -passwd option changes the password of the pretendcoadmin administrative account:

dscl /Local/Default -passwd /Users/pretendcoadmin

Additionally, you can change items, such as the home directory or real name, by using dscl options.


3.1.2 Nest Network Administrators from Active Directory in a Local Administrative Group

To allow specific people in your organization to administer local settings, install software, and perform maintenance locally on a client computer, give those users local administrator rights through nested administrative groups. To do this, use the dseditgroup command to nest a network group into the local administrative group.

To nest network groups from Active Directory into local administrative groups:

1. Before nesting the Active Directory group, verify that it resolves correctly on the client. To do so, resolve group membership with the following dseditgroup command, using the -o option along with the read verb.

dseditgroup -o read

The -o read option performs a read operation on the specified group. Therefore, when running the command dseditgroup -o read mac_admins, you should receive output like the following:

27 attribute(s) found
...
Attribute[5] is
    Value[1]
    Value[2]
...

As seen from the output, the member section lists group members. If you don’t receive the desired output, make sure you’re bound to a directory service and that the group exists within Active Directory.

2. Verify that OS X can resolve group membership for that group. Use the id command to see in which groups a user is included.

id

For example, if you run the command id jkaiser (assuming jkaiser is in an administrative group), you’ll receive the following information:

uid=142413031(jkaiser) gid=63826092(pretendco\domain users) groups=63826092(pretendco\domain users), 103(com.apple.sharepoint.group.3), 104(com.apple.sharepoint.group.4),98(_lpadmin), 1166270692(pretendco\mac_admins), 102(com.apple.sharepoint.group.2), 101(com.apple.sharepoint.group.1),80(admin),20(staff)


3. To nest Active Directory groups, use dseditgroup with the -o edit option (edit operation), the -a option followed by the appropriate group name from Active Directory, the -t option followed by the word “group” (which specifies that the type to add is a group), and the -n option followed by /Local/Default, which specifies to add to the local directory service.

sudo dseditgroup -o edit -a -t group -n /Local/Default admin

Using the above syntax, a sample of the command is as follows:

sudo dseditgroup -o edit -a mac_admins -t group -n /Local/Default admin

Note: Add network users to the admin group by using the same command but changing the type (-t).

sudo dseditgroup -o edit -a -t user -n /Local/Default admin

4. To test that the nested user is now a local administrator, open the Users & Groups pane in System Preferences and unlock the pane with a user account that’s in the nested group. If the pane is successfully unlocked, the user is now a local administrator.

Note: The command-line utility used to run commands as root, sudo, does not recognize nested groups. To give the nested group sudo rights as well, edit the /etc/sudoers file (use visudo so the file’s syntax is checked before it is saved). Within that file, find the user privilege specification section.

# User privilege specification
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL

Then add a % ALL=(ALL) ALL line for the nested group to that section. For example:

# User privilege specification
root        ALL=(ALL) ALL
%admin      ALL=(ALL) ALL
%mac_admins ALL=(ALL) ALL
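As an added example (not Apple's code, and not part of the original guide), this Python script verifies the two things the steps above leave an administrator to check by hand: that a network user shows up in the local admin group (parsing id output like the one in step 2) and that the nested group also has its own %group line in sudoers, since sudo ignores nested membership. The sample id output and sudoers text are constructed; check_live runs id and reads /etc/sudoers on a real Mac (reading sudoers requires root).

```python
"""Verify nested-group admin rights from id output and /etc/sudoers.
Added example for this guide, not Apple's code."""
import re
import subprocess

_GROUP_RE = re.compile(r"(\d+)\(([^)]*)\)")      # 80(admin), 98(_lpadmin), ...


def parse_id_output(text):
    """Turn 'uid=1(x) gid=2(y) groups=2(y),80(admin)' into a dict."""
    result = {"uid": None, "user": None, "groups": {}}
    m = re.search(r"uid=(\d+)\(([^)]*)\)", text)
    if m:
        result["uid"], result["user"] = int(m.group(1)), m.group(2)
    m = re.search(r"groups=(.*)$", text.strip())
    if m:
        for gid, name in _GROUP_RE.findall(m.group(1)):
            result["groups"][name] = int(gid)
    return result


def is_local_admin(id_info):
    """The local admin group on OS X is GID 80, named 'admin'."""
    return id_info["groups"].get("admin") == 80


def sudoers_groups(sudoers_text):
    """Groups granted rights by '%group ALL=(ALL) ALL' style lines."""
    groups = set()
    for line in sudoers_text.splitlines():
        line = line.split("#", 1)[0].strip()         # drop comments
        m = re.match(r"%(\S+)\s+\S+=", line)
        if m:
            groups.add(m.group(1))
    return groups


def check_nested_admin(id_text, sudoers_text, nested_group):
    """Report group membership, local admin status and sudo coverage."""
    info = parse_id_output(id_text)
    # AD groups appear as DOMAIN\group in id output, so match on the suffix
    in_group = any(name == nested_group or name.endswith("\\" + nested_group)
                   for name in info["groups"])
    return {
        "user": info["user"],
        "in_nested_group": in_group,
        "local_admin": is_local_admin(info),
        "sudo_via_group": nested_group in sudoers_groups(sudoers_text),
    }


def check_live(user, nested_group, sudoers_path="/etc/sudoers"):
    """Same check against the running system (run as root to read sudoers)."""
    id_text = subprocess.run(["id", user], check=True, capture_output=True,
                             text=True).stdout
    with open(sudoers_path) as fh:
        return check_nested_admin(id_text, fh.read(), nested_group)


# Constructed sample id output, modelled on the example in step 2
SAMPLE_ID = ("uid=142413031(jkaiser) gid=63826092(pretendco\\domain users) "
             "groups=63826092(pretendco\\domain users),98(_lpadmin),"
             "1166270692(pretendco\\mac_admins),80(admin),20(staff)")

# Constructed sudoers: the nested group has no line of its own yet
SAMPLE_SUDOERS = """# User privilege specification
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
"""

if __name__ == "__main__":
    print(check_nested_admin(SAMPLE_ID, SAMPLE_SUDOERS, "mac_admins"))
```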


3.1.3 Create Local Administrative Accounts with a Package or Script

The local administrative account can be created programmatically using a script, which can, in turn, be placed into a package. This process can then be automated. In this module, create the local administrative account using a simple shell script, with a .bash suffix at the end.

To create a local administrative account using a shell script:

1. Open Terminal from /Applications/Utilities.

2. Create a file called createuser.bash using the touch command.

touch createuser.bash

3. Make the script executable, as follows:

chmod 777 createuser.bash

4. Paste the following text:

#!/bin/bash
dscl /Local/Default -create /Users/hidden
dscl /Local/Default -create /Users/hidden NFSHomeDirectory /Users/hidden
dscl /Local/Default -create /Users/hidden RealName "Hidden Admin"
dscl /Local/Default -create /Users/hidden PrimaryGroupID 499
dscl /Local/Default -create /Users/hidden UserShell /bin/bash
dscl /Local/Default -create /Users/hidden UniqueID 499

Each line in the script uses dscl (directory services command line) to create the user account and its attributes. The above script uses an ID below 500, so the newly created account is hidden at the login window.

5. Since a password has not yet been assigned to the account, include the password in the script in clear text. This requires the directory services daemon to be running when the script runs. To do so, append the following line to the end of the above script:

dscl /Local/Default -passwd /Users/hidden 'mypass'


3.2 Active Directory

Active Directory is the default Microsoft directory services solution. Active Directory provides information on users, groups, and computers (information stored in LDAP), password management and encryption (using Kerberos™), and the ability to find objects on a network. Information in Active Directory is used to manage users, computers, groups, printers, and other resources. Active Directory deployments vary from smaller environments with hundreds of objects to larger environments with thousands (or millions) of users and systems distributed across a number of sites. Mac computers can be bound to Active Directory through the Network Account Settings located in the Users & Groups pane in System Preferences, or via the Active Directory module in Directory Utility. From the command line, use dsconfigad to bind and specify Active Directory-specific options. This section contains modules that explore the administrative tasks of managing OS X using Active Directory.


3.2.1 Bind to Active Directory

Mac computers are bound to Active Directory using the Users & Groups pane in System Preferences, through Directory Utility located in /System/Library/CoreServices/Directory Utility, or using the command-line utility dsconfigad. While dsconfigad does contain some additional options, the majority of functionality is available through Directory Utility, so no command-line options are required for everyday use.

To bind OS X to Active Directory, you need local administrator credentials on the Mac as well as an Active Directory user account with authority to join computers to the Organizational Unit (OU) you’ll be leveraging in Active Directory. Once bound to Active Directory, set the client computer to allow Active Directory administrators, or any Active Directory user you choose, to also be local administrators on that local Mac client. Note: This step isn’t done automatically.

During initial setup, you’ll need the local administrative user name and password for the Mac. This user is the first user set up during Setup Assistant after installation or a local administrative account created on the system during imaging.


3.2.1.1 Bind to Active Directory Using Directory Utility

To bind to Active Directory using Directory Utility:

1. Choose System Preferences from the Apple menu.

2. Open the Users & Groups pane.

Figure 3.2.1.1_1

3. Click Login Options in the left sidebar.

Figure 3.2.1.1_2


4. Click Join to the right of Network Account Server.

Figure 3.2.1.1_3

5. Enter the name of the domain in the Server field. The dialog expands to include Admin User credentials and Client Computer ID, which are already entered.

Figure 3.2.1.1_4


6. Once joined, review the binding information and provide more details as needed.

7. If more information is required, access the Active Directory options in Directory Utility. To open Directory Utility, click the Edit button, which replaces the Join button in the Users & Groups pane in System Preferences. Note: If the initial attempt at binding failed, click the Join button.

8. Click the Open Directory Utility button.

Figure 3.2.1.1_5


9. Double-click Active Directory (or click Active Directory, then the pencil icon).

Figure 3.2.1.1_6

10. Enter the Active Directory domain name to join (if you’ve not yet bound).

11. Change the computer ID, if necessary, and click OK. Note: When the system is bound, you’ll see an Unbind button.

Figure 3.2.1.1_7


12. If binding, enter the Active Directory user that has the delegated authority to bind a machine to the Organizational Unit (OU) you specify for Computer OU.

13. Enter the Active Directory user’s password, then click OK.

14. In the Users & Groups pane in System Preferences, a green circle icon next to the domain indicates that network accounts are accessible.

Figure 3.2.1.1_8


3.2.1.2 Bind to Active Directory with a Profile

Active Directory binding can be accomplished with a profile. These profiles are either saved as a file used with imaging and patch management solutions, or are deployed as part of a full MDM (Mobile Device Management) solution, such as Profile Manager. When installed, the profile will then bind a Mac to Active Directory, or to another directory service that might be in use. In this module, create the profile and install it onto a Mac manually, as might be done as part of an imaging process.

To create the profile in Profile Manager:

1. On the server, open the OS X Server app running Profile Manager. (Setting up Profile Manager is covered in detail in Section 4 of this guide.)

Figure 3.2.1.2_1

2. Click Profile Manager under Services in the sidebar.

Figure 3.2.1.2_2


3. Click Open Profile Manager at the bottom of the Profile Manager pane.

4. Authenticate to the service if needed.

5. Browse to a device or device group under Library in the sidebar.

6. Click the Settings tab.

7. Click the Edit button.

Figure 3.2.1.2_3

8. Locate and click Directory in the Settings sidebar.

9. Click the Configure button.

Figure 3.2.1.2_4

10. In the Server Hostname field, provide the name of the Active Directory domain the client systems will join when the profile is installed.


11. For Username, provide an administrative user name for the Active Directory domain.

12. Include the password for the username provided in the Password field.

13. Optionally, enter a Client ID. If no Client ID is provided, the computer name will be used as the Client ID.

Figure 3.2.1.2_5

14. Click OK to save the changes to the Directory portion of the profile.

15. Optionally, edit the login window policy to make it easier for users to log in using Active Directory accounts. Click Login Window in the Settings sidebar.

Figure 3.2.1.2_6


16. Configure what users will see before logging into the computer.

a. In the Heading menu, choose Directory Status. This is useful for seeing whether Active Directory is available.

b. The Message field is used to display key information or acceptable-use policies for users to see prior to logging into their computers.

c. For Style, select “Name and password text fields” to simply show a username and password dialog box. Or select “List of users able to use these computers” to show previously logged-in users or locally available users.

d. If you selected “List of users able to use these computers,” you can also get more granular by clicking the appropriate checkboxes for which types of users will appear. If a system is bound to Active Directory or another directory service, the Other option will still appear, so that users can log in as users not previously used on that computer.

e. The Options tab includes settings for disabling guest users and allowing the screen saver to run over the top of the login window. In the Options tab, you can also choose to match the computer name to the directory name.

f. The Access tab provides options for who may or may not log into the computer as well as the ability to control workgroup settings.

Figure 3.2.1.2_7

17. Click OK when you are happy with the configuration of the login window.

18. Click Login Items in the Settings sidebar.

19. Click Configure.

20. Select the appropriate options for automatically mounting directories. Note: If using mobile homes, you can add a network home share and mount the share at login.


21. Click Mobility in the sidebar.

22. Click Configure.

23. Here you will see the following options:

a. Select “Create mobile account when user logs in to network account” to create mobile accounts when a user logs in as an Active Directory user. A mobile account allows the user to log in again, after the first authentication, when not connected to Active Directory.

b. Select “Require confirmation before creating mobile account” to prompt users to choose whether they want the account to be created on the local system.

c. The “Create home using” buttons determine whether the new account is created based on the network home or the default local home directory template.

d. The “Home folder location” buttons indicate where on the local computer the home directory will be created when the Active Directory user first logs in.

e. Click the Account Expiry tab to configure how long a user can remain logged out before their home directory is removed from the local system.

f. Click the Rules tab to configure which data synchronizes to the server, and how frequently, when synchronization occurs.

Figure 3.2.1.2_8


24. If certificates are required, click AD Certificate in the Settings sidebar.

25. Click Configure.

26. On the AD Certificate screen, indicate the location and information to be used if a certificate is required to bind to the Active Directory environment.

Figure 3.2.1.2_9

27. Click OK when all settings are correct.

28. Click the Save button to save the settings for the profile.

29. Click Save again to confirm.

30. Any devices that are members of the group will automatically receive the bind profile. To download the profile for manual installation (for example, during imaging), click the Download button.

Figure 3.2.1.2_10

31. The profile is accessible in the Downloads folder.


3.2.1.3 Bind to Active Directory from the Command Line

Binding to Active Directory can be accomplished using the Active Directory plug-in from the command line by using the dsconfigad command.

Basic use of the dsconfigad command only requires the inclusion of a computer name, a domain name, and the credentials for that domain. In this example, bind to the Active Directory domain by providing the computer name (mycomputername), the username for the Active Directory bind account (domainadmin), the password (domainadminpassword), and the domain to bind to (mydomain.com).

dsconfigad -force -add mycomputername -username domainadmin -password domainadminpassword -domain mydomain.com

To set up the mobile home directory for the Active Directory account to exist on the local system, add the -mobile switch to the end of the dsconfigad command with a setting of enable, as follows:

dsconfigad -force -add mycomputername -username domainadmin -password domainadminpassword -domain mydomain.com -mobile enable

Other options available to the dsconfigad command include the following, broken out by type.

Basic Options—Commonly Used

-computer computerid      Name of computer to add to domain.
-force                    Force the process (that is, join/remove the existing account).
-remove                   Remove computer from domain.
-localuser username       User name of a privileged local user.
-localpassword password   Password of a privileged local user.
-username username        User name of a privileged network user.
-password password        Password of a privileged network user.
-ou dn                    Fully qualified LDAP DN of container for the computer (defaults to CN=Computers).
-domain fqdn              Fully qualified DNS name of Active Directory domain.
-show                     Show current configuration for Active Directory.
-help                     Lists the options for calling dsconfigad.
-xml                      Output configuration in plist format.


Advanced Options—User Experience

-mobile flag          Enable or disable mobile user accounts for offline use.
-mobileconfirm flag   Enable or disable the warning shown before a mobile account is created.
-localhome flag       Enable or disable forcing the home directory to the local drive.
-useuncpath flag      Enable or disable use of the Windows UNC path for the network home.
-protocol type        afp, smb, or nfs: change the protocol used when mounting the home.
-shell value          Use “none” for no shell, or specify a default shell such as “/bin/bash.”
-sharepoint flag      Enable or disable mounting of the network home as a sharepoint.

Advanced Options—Mappings

-uid attribute    Name of attribute to be used for the UNIX UID field.
-nouid            Generate the UID from the Active Directory GUID.
-gid attribute    Name of attribute to be used for the UNIX GID field.
-nogid            Generate the GID from the Active Directory information.
-ggid attribute   Name of attribute to be used for the UNIX group GID field.
-noggid           Generate the group GID from the Active Directory GUID.
-authority flag   Enable or disable the generation of the Kerberos authority.

Advanced Options—Administrative

-preferred server     Fully qualified domain name of the preferred server to query.
-nopreferred          Don’t use a preferred server for queries.
-groups "1,2,..."     List of groups that are granted Admin privileges on the local workstation.
-nogroups             Disable the use of groups for granting Admin privileges.
-alldomains flag      Enable or disable authentication from any domain.
-packetsign flag      Disable, allow, or require packet signing.
-packetencrypt flag   Disable, allow, require, or SSL packet encryption.
-namespace flag       Use “forest” or “domain,” where forest qualifies all user names.
-passinterval days    How often (in days) to change the computer trust account password.
-restrictDDNS         Disable the creation of a dynamic DNS record in Active Directory-integrated DNS environments.
-enableSSO            Enable SSO for all supported services (OS X Server only).
-remove               Remove this computer from the current domain.


3.2.1.4 Bind to Active Directory Using a Script

Not only is it possible to bind to Active Directory from the command line, it’s also possible to write a script to automate the task in a fairly straightforward manner, as with most command-line options. To automate binding to Active Directory, create a simple script as follows. Note: Replace the information in brackets with information matching your own environment.

#!/bin/bash
dsconfigad -add -username -password -domain
exit 0

Most environments are more complicated than this example. Further customize the dsconfigad script using more switches to denote items such as local administrative user names and passwords.


3.2.1.5 Bind to Active Directory Using a Post-Install Script

To use an Active Directory bind script as a post-installation task during imaging, make the script launch at startup, or place the script into a package and add it to your deployment scenario. With either option, you can set the script to automatically delete itself. For the purposes of this module, place the script in the /Library/StartupItems directory and call it adbind.bash.

1. To create the script, use the following command:

touch /Library/StartupItems/adbind/adbind.bash

2. Open the new empty shell script in your favorite text editor and paste the previously created script from 3.2.1.4 Bind to Active Directory Using a Script.

3. With the script inserted, add a line at the bottom to remove the script and then (optionally) provide an exit code. The whole script is as follows:

#!/bin/bash
waitall
sleep 60
dsconfigad -add -username -password -domain
srm $0 /Library/StartupItems/adbind/adbind.bash
exit 0


3.2.1.6 Active Directory Plug-in Troubleshooting Commands

To perform Active Directory validation:

When you have problems connecting to Active Directory resources, verify connectivity first. Mac computers that are Active Directory clients use DNS service (SRV) records to locate Active Directory services, so it's important to verify that DNS is working properly.

1. Open Terminal from /Applications/Utilities and enter the following command (replacing pretendco.com with your Active Directory domain name) to look up the service record that locates the global catalog:

    dig -t SRV _gc._tcp.pretendco.com

    ; <<>> DiG 9.4.1-P1 <<>> -t SRV _gc._tcp.pretendco.com
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34512
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; QUESTION SECTION:
    ;_gc._tcp.pretendco.com.        IN      SRV

    ;; ANSWER SECTION:
    _gc._tcp.pretendco.com. 600     IN      SRV     0 100 3268 dc.pretendco.com.

    ;; ADDITIONAL SECTION:
    dc.pretendco.com.       3600    IN      A       192.168.55.47

    ;; Query time: 83 msec
    ;; SERVER: 192.168.1.6#53(192.168.55.47)
    ;; WHEN: Thu Jul 31 14:09:32 2008
    ;; MSG SIZE  rcvd: 92

2. If the response doesn't include an answer section naming a domain controller, check that the network settings in OS X are correct and that the DNS server specified is one that returns service record information for your Active Directory forest. Other roles (for example _ldap._tcp.dc._msdcs.<domain> and _kerberos._tcp.<domain>) can be verified in the same manner.

To check port accessibility:

If the FSMO (Flexible Single Master Operation) roles for an Active Directory forest can't be read, the system can't bind. One possible cause is a routing or switching issue that keeps the client from communicating with the domain controllers. At a minimum, LDAP on TCP port 389 must be reachable on the domain controllers from the client; a bind also uses DNS (53), Kerberos (88 and 464) and SMB (445), so check those ports too if the LDAP test passes and binding still fails.


To check whether the port is accessible:

1. Open Network Utility from /Applications/Utilities.
2. Click Port Scan.
3. Enter the IP address of the closest domain controller.
4. In both "Only test ports between" fields, enter 389.
5. Click Scan.

If the scan lists no open port, correct the routing or switching issue.

The account used to bind also needs the right to bind. In many cases this means rights over a specific OU, for example the right to remove objects from an OU when rebinding and placing the computer into a new OU, or full control over the domain. The access required for the account used to bind OS X should mirror that required to bind Windows clients.

To perform Active Directory verification:

1. Once bound, verify that accounts are reachable using dscl and id.
2. To use id, open Terminal from /Applications/Utilities and enter the following command, which returns both the user information and the group membership for the account:

    id <username>

   For example:

    id jfoster
    uid=818406992(jfoster) gid=1450179434(PRETENDCO\domain users) groups=1450179434(PRETENDCO\domain users)

   If you can't look up a single account, the Active Directory connection isn't functional.

   dscl is another tool that can isolate where in the directory services tree a problem has occurred. Run the following command to see the plug-ins enabled on the system and to enter the dscl interactive environment:

    dscl

Once in the interactive environment, use cd as you would in a filesystem. First cd into the Active Directory plug-in:

    > cd Active\ Directory

Or quote the text following the cd command:

    > cd 'Active Directory'
    /Active Directory > ls
    All Domains

3. Navigate into the All Domains node with cd and perform another ls to show the contents of the node. The node should contain the Users node, as follows:

    /Active Directory > cd 'All Domains'


    /Active Directory/All Domains > ls
    CertificateAuthorities
    Computers
    FileMakerServers
    Groups
    Mounts
    People
    Printers
    Users

If you can't cd into All Domains, you're unable to communicate with a domain controller. If you can, navigate into the Users node with cd. A plain ls there lists every user in the forest, so on a large directory don't run ls; instead use read to read the attributes of a known user:

    /Active Directory/All Domains > cd Users
    /Active Directory/All Domains/Users > read jfoster
    dsAttrTypeNative:accountExpires: 9223372036854775807
    dsAttrTypeNative:ADDomain: pretendco.com
    dsAttrTypeNative:badPasswordTime: 0
    dsAttrTypeNative:badPwdCount: 0
    dsAttrTypeNative:cn: Tim Lee
    dsAttrTypeNative:codePage: 0
    dsAttrTypeNative:countryCode: 0
    dsAttrTypeNative:countryCode: 0
    dsAttrTypeNative:displayName: Tim Lee
    dsAttrTypeNative:distinguishedName: CN=Jimmy Foster,CN=Users,DC=pretendco,DC=com
    ...

If you aren't able to read the attributes of a user, check the access controls in Active Directory and verify that the correct OU is used.

4. Exit dscl using the exit command, as follows:

    /Active Directory/All Domains/Users > exit
    Goodbye


To verify the user password:

To verify that users can be authenticated, use the su command.

1. Open Terminal from /Applications/Utilities and enter su <username>.

   For example:

    Client-1:~ Admin$ su jfoster
    Password:

2. Enter the Active Directory user's password. If authentication succeeds, the Terminal session is now running as that user. To verify, use the whoami command:

    bash-3.2$ whoami
    jfoster

Note: If warnings appear about a missing home directory, disregard them at this point; the home directory is created on the first login.

If this doesn't work, verify that there aren't multiple users with the same account name in the Active Directory forest. If namespace conflicts exist, enable forest namespace support via dsconfigad (see 3.2.3 Namespace Support). For this test, use an account name that is unique forest-wide.
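The DNS and port checks above can be scripted so that the same pre-bind test runs on every client. The following is an added example, not part of the Apple guide: srv_targets parses the output of dig -t SRV into "host port" pairs, and check_dc_ports probes each target. The dig output embedded below is constructed to match the format shown above, and the port list (88, 389, 445, 464, 3268) is this example's own assumption about what a bind needs, not a list from the guide.

```shell
#!/bin/sh
# Added example (not from the Apple guide): pre-bind connectivity checks for an
# Active Directory domain. srv_targets reads `dig -t SRV` output on stdin and
# prints "target port" for every record in the ANSWER SECTION; check_dc_ports
# then probes the ports a bind actually uses on one target.

# Print "host port" for each SRV answer. BIND's answer format is:
#   <name> <ttl> IN SRV <priority> <weight> <port> <target>.
srv_targets() {
    awk '
        /^;; ANSWER SECTION:/ { in_answer = 1; next }
        /^;;/                 { in_answer = 0 }
        in_answer && $4 == "SRV" {
            target = $8
            sub(/\.$/, "", target)   # strip the trailing dot of the FQDN
            print target, $7         # "host port"
        }
    '
}

# Ports a bind needs on a domain controller (assumption: LDAP 389, Kerberos 88,
# kpasswd 464, SMB 445, global catalog 3268). DNS (53) is exercised by dig itself.
AD_PORTS="88 389 445 464 3268"

# Probe TCP ports on a host with nc; prints "host port open|closed" per port.
# Live-network only; not exercised by the self-test below.
check_dc_ports() {
    host=$1
    for p in $AD_PORTS; do
        if nc -z -w 3 "$host" "$p" >/dev/null 2>&1; then
            echo "$host $p open"
        else
            echo "$host $p closed"
        fi
    done
}

# Constructed sample, in the shape of `dig -t SRV _gc._tcp.pretendco.com`
# with two global catalog servers answering.
SAMPLE_DIG='; <<>> DiG 9.4.1-P1 <<>> -t SRV _gc._tcp.pretendco.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34512
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;_gc._tcp.pretendco.com.        IN      SRV

;; ANSWER SECTION:
_gc._tcp.pretendco.com. 600     IN      SRV     0 100 3268 dc.pretendco.com.
_gc._tcp.pretendco.com. 600     IN      SRV     10 100 3268 dc2.pretendco.com.

;; ADDITIONAL SECTION:
dc.pretendco.com.       3600    IN      A       192.168.55.47
'

# Targets parsed from the constructed sample; a live run pipes dig in instead.
sample_targets() {
    printf '%s\n' "$SAMPLE_DIG" | srv_targets
}

# Live usage (replace the sample with a real query):
#   DOMAIN=pretendco.com
#   dig -t SRV "_ldap._tcp.dc._msdcs.$DOMAIN" | srv_targets | while read host port; do
#       check_dc_ports "$host"
#   done
```

If srv_targets prints nothing for a live query, DNS is not returning the SRV records the plug-in relies on, which is the first thing to fix; if it prints targets but check_dc_ports reports 389 closed, the problem is the routing or switching path rather than DNS.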


3.2.2 Set a User Home Directory Active Directory attributes define where the home directory for user accounts is stored. The home directory can be in a custom location on the local computer to which users log in, on an accessible network share, or synchronized between a local directory and a network share. In Active Directory, the location for profiles is defined in Active Directory Users and Computers for each user. Based on this information, the network location that contains the home directory can be synchronized with the local home folder.

To configure home directory management:

1. Choose System Preferences from the Apple menu.
2. Open Users & Groups.

Figure 3.2.2_1


3. Click Login Options in the left sidebar.

Figure 3.2.2_2

4. Click the Join button to the right of Network Account Server. This button reads Edit if the system is already bound to a directory service.

Figure 3.2.2_3


5. Click Open Directory Utility.
6. Authenticate as a local administrator by clicking the lock icon in the lower-left corner, if it isn't already unlocked.

Figure 3.2.2_4

7. Click the Active Directory plug-in.
8. Click the pencil icon to edit.

Figure 3.2.2_5


9. Click the Show Advanced Options disclosure triangle, then click User Experience.

Figure 3.2.2_6


This pane includes the "Create mobile account at login" checkbox. Select this option to create an account on the local system that lets the user log in even when the Active Directory servers can't be contacted.

Figure 3.2.2_7

Optionally, select the "Use UNC path from Active Directory to derive network home location" checkbox to enable home folder synchronization. Once enabled, additional settings are displayed in the "Network protocol to be used" menu. In Active Directory, a user's profile setting (where a drive letter is mapped) looks like \\server\share\folder. The Active Directory plug-in converts this path to /server/share/folder and prefixes it with afp: or smb:, resulting in afp://server/share/folder or smb://server/share/folder, respectively.
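The conversion just described is simple enough to reproduce in a script, which is useful when a login hook or a home-folder mount script needs the same URL the plug-in derives. The function below is an added example, not the plug-in's own code and not from the Apple guide: it applies the documented mapping (UNC to /server/share/..., then the chosen protocol prefix) and rejects input that isn't a UNC path, so a stray local path in a profile attribute fails loudly instead of producing a bogus URL. The sample paths are constructed.

```shell
#!/bin/sh
# Added example (not from the Apple guide, not the plug-in's implementation):
# derive the network home URL from an Active Directory profile UNC path.
# $1 is the protocol from the "Network protocol to be used" menu (smb or afp),
# $2 is the UNC path as stored in the profile attribute, e.g. \\server\share\dir.
unc_to_url() {
    proto=$1
    unc=$2
    case "$proto" in
        smb|afp) ;;
        *) echo "unc_to_url: protocol must be smb or afp, got '$proto'" >&2; return 1 ;;
    esac
    # A usable path starts with \\ and has at least a share after the server.
    case "$unc" in
        \\\\*\\*) ;;
        *) echo "unc_to_url: not a \\\\server\\share path: $unc" >&2; return 1 ;;
    esac
    path=$(printf '%s' "$unc" | tr '\\' '/')   # \\server\share -> //server/share
    path=${path#//}                            # drop the leading //
    printf '%s://%s\n' "$proto" "$path"
}

# Constructed examples mirroring the text: same UNC, each protocol choice.
example_smb() { unc_to_url smb '\\server\share\folder'; }
example_afp() { unc_to_url afp '\\server\share\folder'; }
```

A local drive letter such as C:\Users\jfoster, or a protocol other than smb or afp, makes the function return 1 and print to stderr, which is the behaviour a mount script should surface rather than silently mount nothing.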


3.2.3 Namespace Support

While it isn't a recommended configuration, Active Directory allows two accounts with the same user name, provided they're in different domains of the same forest. This is a namespace collision for OS X client computers. To accommodate namespace collisions, the Active Directory module allows administrators to set the forest and domain independently, specifying which domain in a given forest to authenticate against. By default, the Active Directory module authenticates to any domain in the forest. To limit authentication to specific domains, disable "Allow authentication from any domain in the forest" in the Advanced Options pane of Directory Utility, or use the following command in Terminal:

    dsconfigad -alldomains disable

Specific domains can then be added to the directory domain search path. By default, namespace support is set to "domain", which assumes there are no conflicting user accounts across domains. If the Active Directory forest has conflicts, change the namespace to "forest":

    dsconfigad -namespace forest

Note: An unbind and rebind isn't required to change these settings. They are global for all users on the system where the command is run. Once the namespace is set to forest, user accounts and their home folders are prefixed with "DOMAIN\" to keep account names unique between domains. To return to the default behavior:

    dsconfigad -namespace domain

Note: Changing -namespace changes the primary ID of every Active Directory account on the client, so any existing user profiles for Active Directory accounts on each client computer must be copied or moved into the new profile that's created at the next login.


3.2.4 Active Directory Packet Encryption Options

The Active Directory plug-in can be used to customize the signing and encryption options used when communicating with Active Directory domain controllers, in much the same way that policy can be used to constrain LDAP communications on the domain controllers. To customize these options, use the dsconfigad command-line tool.

Packet (LDAP) signing is an option many Active Directory environments require in order to block man-in-the-middle attacks and to verify the integrity and authenticity of data exchanged with Active Directory domain controllers. On the server side, signing requirements are a policy configured on the domain controller. In environments where signing has been enabled, you can allow or require signing from the client. By default, Windows Server 2003 and Windows Server 2008 domain controllers negotiate signing but don't require it. Security baselines and hardening tools commonly set domain controllers to require signing, and many environments require it as a matter of security policy. In OS X, set the packet signing setting to require so that the client only talks to the server with signing in place. Before requiring signing on either the domain controller or OS X, verify that the other side supports it, or binds and lookups will fail.

To change packet signing options in OS X, use the -packetsign flag with dsconfigad. The settings available are allow, disable, and require. To require packet signing:

    dsconfigad -packetsign require

If the change is successful, you'll see:

    Settings changed successfully

If needed, set signing back to the default:

    dsconfigad -packetsign allow

Packet encryption is also available in OS X; it keeps the contents of packets confidential as well as authentic. To enable packet encryption, use the -packetencrypt flag with the same settings available for -packetsign. As with signing, verify that the domain controllers support encryption before requiring it. To require encryption:

    dsconfigad -packetencrypt require

To use TLS (LDAP over SSL, normally TCP port 636) to encrypt packets, use the ssl option:

    dsconfigad -packetencrypt ssl

The ssl option requires that the certificate chain presented by the domain controller be trusted. If the chain doesn't end in a trusted root, install the root certificate in the System keychain and mark it trusted (see 3.2.5 and 3.2.6). If the change is successful, you'll receive:

    Settings changed successfully

If needed, set encryption back to the default:

    dsconfigad -packetencrypt allow


3.2.5 SSL Binding Instructions

Environments that require SSL to encrypt traffic between domain controllers and clients can use -packetencrypt with the ssl option. When using SSL, the client receives a certificate from the domain controller and verifies that it is trusted by evaluating the certificate's trust chain. If the root certificate isn't already trusted on the system, it must be imported and marked trusted. The alternative, turning certificate verification off (see 3.2.6), removes the server authentication that SSL is meant to provide and should be limited to testing.

To install SSL certificates:

1. Copy the SSL root certificate to the Mac.
2. Open Keychain Access from the /Applications/Utilities folder.

Figure 3.2.5_1

3. Choose Import Items from the File menu.

Figure 3.2.5_2


4. Choose System from the Destination Keychain menu.

Figure 3.2.5_3

5. Browse to the SSL root certificate and choose the certificate to import.
6. Click Open.
7. Authenticate as an administrative user when prompted.
8. A trust dialog appears. Click the Always Trust button.

Figure 3.2.5_4


3.2.6 Manage Certificates from the Command Line

To import certificates from the command line, use the security command, which exposes most of the features of Keychain Access, including importing and exporting certificates and setting trust. The examples below assume the domain's root certificate has been exported as ~/Desktop/pretendco-root.cer (DER or PEM encoded; a .p12 bundle is only needed when a private key travels with the certificate).

To import the root certificate into the System keychain, where it is available to all users and to system processes such as the directory service:

    sudo security add-certificates -k /Library/Keychains/System.keychain ~/Desktop/pretendco-root.cer

To import it and mark it trusted as a root in one step (the -d flag writes the admin trust settings, so this must run as root):

    sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ~/Desktop/pretendco-root.cer

To import a PKCS#12 bundle that carries a private key (for example a client identity) into the current user's default keychain:

    security import ~/Desktop/pretendco.p12 -f pkcs12

Use the openssl command to test that a domain controller's certificate verifies against the imported root. Connect to the LDAP over SSL port (636), not the plain LDAP port 389, which doesn't speak TLS without STARTTLS:

    openssl s_client -connect dc.pretendco.com:636 -CAfile ~/Desktop/pretendco-root.pem

Look for "Verify return code: 0 (ok)" in the output; any other code means the chain presented by the domain controller doesn't verify against that root (-CAfile expects PEM).

Once you've validated that the certificate verifies, use dsconfigad to set -packetencrypt to ssl:

    dsconfigad -packetencrypt ssl

To ignore trust:

By default, OS X requires that the certificate received from a domain controller be trusted. To modify this policy, edit /etc/openldap/ldap.conf and change the TLS_REQCERT setting from demand to never. By default, the settings read as follows:

    #SIZELIMIT      12
    #TIMELIMIT      15
    #DEREF          never
    TLS_REQCERT     demand

They should read as follows when complete:

    #SIZELIMIT      12
    #TIMELIMIT      15
    #DEREF          never
    TLS_REQCERT     never

Note: With TLS_REQCERT never, the client accepts any certificate, so the connection is still encrypted but the domain controller is no longer authenticated and an attacker on the network path can impersonate it. Use this only to isolate a certificate problem during testing, and restore demand (with a properly trusted root) before deployment.


3.2.7 Change Active Directory Computer Passwords

The OS X Active Directory plug-in supports rotating the computer trust account password of the Active Directory computer account for a system bound to a domain, configured via dsconfigad. This module covers how to set up a Mac to rotate the computer trust account password on a custom interval. By default the password is changed every 14 days. The frequency is managed with the -passinterval flag followed by the number of days between changes. For example, to set the interval to 7 days rather than 14:

    dsconfigad -passinterval 7

The -passinterval option must be set after binding.

Note: Setting -passinterval to 0 disables rotation of the computer account password, so the trust account keeps the password set at bind time indefinitely.
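The signing, encryption and password-interval settings from 3.2.4 and 3.2.7 are what an auditor checks on a bound Mac, and dsconfigad -show reports all of them. The script below is an added example, not from the Apple guide: it reads a captured dsconfigad -show report and prints the dsconfigad commands that would bring it to the stricter values (require signing, require or ssl encryption, rotation on and no longer than 30 days). The report text is constructed to match the "Setting = value" lines dsconfigad prints; the exact labels, and the 30-day ceiling (Windows' own default for machine account passwords), are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the Apple guide): audit a `dsconfigad -show` report
# for the settings covered in 3.2.4 and 3.2.7 and emit remediation commands.
# Label strings below are assumed; compare them with your release's output.

# Print the value after " = " for a given label, reading the report on stdin.
setting() {
    label=$1
    awk -F' = ' -v l="$label" '
        { key = $1; sub(/^[ \t]+/, "", key); sub(/[ \t]+$/, "", key) }
        key == l { print $2; exit }
    '
}

# Emit one remediation command per weak setting; prints nothing when compliant.
audit_dsconfigad() {
    report=$1
    sign=$(printf '%s\n' "$report" | setting "Packet signing")
    enc=$(printf '%s\n' "$report" | setting "Packet encryption")
    interval=$(printf '%s\n' "$report" | setting "Password change interval")
    ns=$(printf '%s\n' "$report" | setting "Namespace mode")

    [ "$sign" = "require" ] || echo "dsconfigad -packetsign require     # was: ${sign:-unset}"
    case "$enc" in
        require|ssl) ;;
        *) echo "dsconfigad -packetencrypt require  # was: ${enc:-unset}" ;;
    esac
    # Missing or non-numeric interval is treated as 0 (rotation off).
    case "$interval" in ''|*[!0-9]*) interval=0 ;; esac
    # 0 disables rotation; anything over 30 days is flagged as lax (assumption).
    if [ "$interval" -eq 0 ] || [ "$interval" -gt 30 ]; then
        echo "dsconfigad -passinterval 14         # was: ${interval}"
    fi
    [ -n "$ns" ] || echo "# Namespace mode not reported; confirm with dsconfigad -show"
}

# Constructed report in the shape of `dsconfigad -show` on a freshly bound Mac
# whose administrator has also switched rotation off.
SAMPLE_REPORT='You are bound to Active Directory:
  Active Directory Forest          = pretendco.com
  Active Directory Domain          = pretendco.com
  Computer Account                 = mac-01$

Advanced Options - Administrative
  Preferred Domain controller      = not set
  Authentication from any domain   = Enabled
  Packet signing                   = allow
  Packet encryption                = allow
  Password change interval         = 0
  Namespace mode                   = domain'

# Findings for the constructed report; a live run would use
#   audit_dsconfigad "$(dsconfigad -show)"
sample_findings() { audit_dsconfigad "$SAMPLE_REPORT"; }
```

Running the printed commands on the client is the remediation; as 3.2.4 notes, confirm the domain controllers support signing and encryption first, or the stricter client settings will break binding rather than harden it.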


3.3 Third-Party Active Directory Plug-ins

Although the Active Directory plug-in in OS X works well for the majority of deployments, some situations require a third-party solution. If you need to support native Active Directory Group Policy or smart cards, third-party plug-ins may provide that functionality.

• Centrify. www.centrify.com
• Thursby's ADmitMac. www.thursby.com
• Quest Management Xtensions (QMX). www.quest.com
• BeyondTrust. www.beyondtrust.com


3.4 Kerberos

Kerberos is a network authentication protocol used to prove an identity securely over an insecure network. It provides mutual authentication: both the user and the server verify each other's identity. Together with its time-limited tickets and encrypted exchanges, this protects Kerberos against eavesdropping and the replay attacks that can follow it.

Kerberos makes use of a Key Distribution Center (KDC) that consists of two parts: the Authentication Server (AS), which issues Ticket Granting Tickets (TGTs), and the Ticket Granting Server (TGS), which issues service tickets. Kerberos works on the basis of tickets, which prove the identity of users. The KDC maintains a database of secret keys; each principal on the network shares its own secret key with the KDC and uses that key to acquire a TGT. Once the client has a TGT, it presents it to the KDC to get service tickets, which authenticate it to kerberized services on the network.

Note: For communication between two kerberized entities, the KDC generates session keys, which are used to secure the communication.

Along with authenticating the identity of a host, Kerberos also protects the authenticity of each service running on a system through its Service Principal. To obtain a service ticket, the client requests it using its TGT. The tickets a client holds, identified by their Service Principals, can be viewed in OS X with the klist command.

A more detailed overview of Kerberos is beyond the scope of this document, but it's important to know that when a user first authenticates to a KDC (whether it's Active Directory, Open Directory, or an MIT- or Heimdal-based KDC), the client receives a TGT. Once the client authenticates to a kerberized service, it holds both a TGT and a service ticket for that service. Checking which of these is present assists in troubleshooting authentication issues.
To access information regarding Kerberos tickets using a graphical interface, open Keychain Access from /Applications/Utilities. Choose Ticket Viewer from the Keychain Access menu.

Figure 3.4_1

Kerberos can also be managed from the command line using kinit, kswitch, kdestroy, klist, kgetcred, and kpasswd.


3.5 LDAP

Lightweight Directory Access Protocol (LDAP) is the protocol used by most modern directory services, including Novell eDirectory, Microsoft Active Directory, and Apple Open Directory. LDAP defines how clients create, query, and update information in a directory service, and how the service supplies that data, stored in its database, to clients and servers. OS X supports binding to any directory service that supports LDAP using the LDAPv3 Directory Service plug-in, which is configured from the Users & Groups pane in System Preferences using Directory Utility (located in /System/Library/CoreServices) or with the dsconfigldap command.

LDAP is lightweight and flexible, and supports different options for connecting, binding, and mapping to and from attributes, the fields of the LDAP database. Both Directory Utility and dsconfigldap let you specify all of these options. In LDAP, a schema is the set of rules about the data in the directory service. Depending on the schema, you may have to provide custom mappings between the record types and attributes OS X expects and the data in your directory service. Directory Utility provides templates for commonly used schemas, and the ability to create new templates for easy migration between hosts. Directory Utility also supports network configuration of the plug-in via DHCP and mapping via a special record in the directory service.


3.6 Open Directory

A directory service is software that stores and organizes information about an environment (users, groups, computers, and other network resources), allowing network administrators to manage resources centrally. Open Directory is the directory service implementation built into OS X Server. In the context of OS X Server, Open Directory includes a shared LDAPv3-based directory domain, extended with Apple-created schema attributes that use OID (Object Identifier) space registered through IANA (the Internet Assigned Numbers Authority), the Apple Password Server, and a Kerberos 5 KDC, all integrated through a modular Directory Services subsystem. Open Directory allows services that run on OS X, or on other operating systems, to be kerberized.


3.7 Distributed File System

Distributed File System (DFS) manages how storage is presented to users through Active Directory. DFS allows administrators of Windows Server environments to replicate data for redundancy and to virtualize the location of shares: shares can be moved between servers without affecting the experience of end users, and replicated across sites and servers. SMB/CIFS is the underlying file-sharing protocol, and users access DFS shares via SMB. OS X Mavericks natively supports SMB2 and the legacy SMB1 protocol. The Finder in OS X resolves DFS links properly, making DFS shares accessible; once resolved, a DFS share is accessed as a regular file share would be.


3.7.1 Connect to DFS Shares

In OS X, the Finder resolves DFS links to shares, allowing the Mac to access data located on DFS shares. These shares are SMB shares: OS X looks up the root of the DFS namespace and handles the referral target as a standard SMB file share.

To connect to a DFS share using OS X:

1. In the Finder, click the Go menu.
2. Choose Connect to Server (or use the keyboard shortcut Command-K).
3. In the dialog, enter the path to the DFS share being accessed. (This may or may not be the root share.)

Figure 3.7.1_1

4. Alternatively, click the Browse button to bring up a list of servers on the network and choose a share from the list.
5. Click Connect.
6. If Kerberos is in use and the user has permission to connect to the share, the Finder displays a window with the contents of the share.
7. If Kerberos isn't in use, the user is prompted for credentials. Enter the user name and password.
8. Click Connect.


3.7.2 View DFS Shares with smbutil

Troubleshooting connectivity issues with DFS can be a challenge, given that the real shares are hidden behind a virtualization layer. To ease troubleshooting of DFS issues and to help network administrators script the end-user experience, OS X includes a tool called smbutil.

As the name implies, smbutil is used to interact with SMB servers. A common use of smbutil is to inspect the referrals provided by a given host. To see whether a server hosts DFS referrals, use the dfs option followed by the URL of the server. For example, for test.pretendco.com:

    smbutil dfs smb://test.pretendco.com

The output contains the expanded name of the server (the host name prefixed to the requested path), and also displays the single-label domain name. Adding each portion of a DFS path to the connection string shows more in-depth information about that portion of the DFS root. The server in this example is a mobile home directory server with a share called HomeDirectories. Using the command

    smbutil dfs smb://test.pretendco.com/DFS

shows the paths and referrals for each share that is part of a namespace server called DFS:

    Referral requested: /WIN-MIE2GCGNMU0.test.pretendco.com/DFS
    list item 1 : Path: /WIN-MIE2GCGNMU0.test.pretendco.com/DFS
    list item 1 : Network Address: /WIN-MIE2GCGNMU0/DFS
    list item 1 : New Referral: /WIN-MIE2GCGNMU0/DFS

To see the referrals available for a folder within the namespace:

    smbutil dfs smb://test.pretendco.com/DFS/HomeDirectories

The output ends with a number of lines that show the referral targets:

    Referral requested: /WIN-MIE2GCGNMU0.test.pretendco.com/DFS/HomeDirectories
    list item 1 : Path: /WIN-MIE2GCGNMU0.test.pretendco.com/DFS/HomeDirectories
    list item 1 : Network Address: /WIN-MIE2GCGNMU0/DFS/HomeDirectories
    list item 1 : New Referral: /WIN-MIE2GCGNMU02/DFS/HomeDirectories
    list item 1 : New Referral: /WIN-MIE2GCGNMU03/DFS/HomeDirectories
    list item 1 : New Referral: /WIN-MIE2GCGNMU04/DFS/HomeDirectories

A user name and password can also be embedded in the smbutil URL for testing. The following example uses testuser as the Active Directory user name and testpassword as that user's password:

    smbutil dfs smb://testuser:testpassword@test.pretendco.com/DFS/HomeDirectories

Because the password then appears in the shell history and in the process list visible to other local users, reserve this form for throwaway test accounts; for routine checks, obtain a Kerberos ticket with kinit first and leave the credentials out of the URL.
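Reading referral targets out of the "list item" lines by eye doesn't scale to a namespace with many folders, so a script that extracts the target servers and checks each one is the usual next step. The following is an added example, not from the Apple guide: dfs_referral_servers pulls the unique server names from the New Referral lines of smbutil dfs output, and check_referral_targets probes SMB (445) on each. The smbutil output embedded below is constructed to match the shape shown above (with one target repeated, as real namespaces do); the domain suffix used to build the host names is the caller's input.

```shell
#!/bin/sh
# Added example (not from the Apple guide): list the referral target servers
# from `smbutil dfs` output and check that each one answers on SMB.

# Print one unique server name per "New Referral" line read on stdin.
dfs_referral_servers() {
    awk '
        /New Referral:/ {
            p = $0
            sub(/.*New Referral: */, "", p)   # keep the path after the label
            sub(/^\/+/, "", p)                # drop the leading slash(es)
            sub(/\/.*$/, "", p)               # keep only the server component
            if (!(p in seen)) { seen[p] = 1; print p }
        }
    '
}

# Probe TCP 445 on each referral target (servers on stdin, one per line, as
# printed by dfs_referral_servers). A target that is down explains a client
# that hangs on a DFS link while the namespace root itself answers.
# Live-network only; needs nc; not exercised by the self-test below.
check_referral_targets() {
    domain=$1
    while read -r srv; do
        if nc -z -w 3 "$srv.$domain" 445 >/dev/null 2>&1; then
            echo "$srv reachable"
        else
            echo "$srv UNREACHABLE"
        fi
    done
}

# Constructed sample in the shape of
#   smbutil dfs smb://test.pretendco.com/DFS/HomeDirectories
# with three targets, one of them listed twice.
SAMPLE_SMBUTIL='Referral requested: /WIN-MIE2GCGNMU0.test.pretendco.com/DFS/HomeDirectories
list item 1 : Path: /WIN-MIE2GCGNMU0.test.pretendco.com/DFS/HomeDirectories
list item 1 : Network Address: /WIN-MIE2GCGNMU0/DFS/HomeDirectories
list item 1 : New Referral: /WIN-MIE2GCGNMU02/DFS/HomeDirectories
list item 1 : New Referral: /WIN-MIE2GCGNMU03/DFS/HomeDirectories
list item 1 : New Referral: /WIN-MIE2GCGNMU04/DFS/HomeDirectories
list item 1 : New Referral: /WIN-MIE2GCGNMU02/DFS/HomeDirectories'

# Servers parsed from the constructed sample.
sample_servers() { printf '%s\n' "$SAMPLE_SMBUTIL" | dfs_referral_servers; }

# Live usage, authenticating with Kerberos rather than a password in the URL:
#   kinit user@TEST.PRETENDCO.COM
#   smbutil dfs smb://test.pretendco.com/DFS/HomeDirectories \
#       | dfs_referral_servers | check_referral_targets test.pretendco.com
```

The Network Address and Path lines are deliberately ignored: they name the namespace server, which is already known to be reachable if smbutil got a referral at all, so only the New Referral targets tell you where the client will actually be sent.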


3.7.3 Third-Party DFS Solutions

Some third-party DFS clients offer supported features not available in OS X. The following third-party client-side solutions work with DFS shares.

• Thursby's DAVE®. www.thursby.com
  DAVE doesn't depend on the built-in SMB client used by the Finder. Instead, it uses its own browser (DAVE Browser), mounter (mount_cifs), and filesystem (cifs.fs) to browse DFS shares. DAVE is bundled with Thursby's ADmitMac for Active Directory authentication, but DAVE doesn't require ADmitMac and can be used with the Active Directory plug-in built into OS X.
• Sharity. www.obdev.at/products/sharity
  Sharity uses its own graphical user interface to configure mounts, and a daemon that creates a virtual DFS mount, mounting volumes as you navigate the virtual DFS filesystem.
• GroupLogic®. www.grouplogic.com
  GroupLogic provides DFS link resolution via the ExtremeZ-IP® AFP server solution. ExtremeZ-IP runs on a Windows server. The client application for DFS is a widget running on the Mac; the widget resolves DFS links either by providing configuration to the mounting system on OS X or by using the client application to query the ExtremeZ-IP web services running on the Windows server.


3.8 SMB2 Support

OS X Mavericks uses SMB2 as the default protocol for accessing files on a network. Administrators can use the smbutil command to access shares, get information about shares, and script whatever SMB2 features they need. If a share is published through DFS, the Finder automatically connects to the underlying share. Users can also reach shares manually through the Finder sidebar via Bonjour, if the computer appears in the list.

To access shares manually via Bonjour:

1. Open a Finder window.
2. Click a host in the sidebar, under Shared.

Figure 3.8_1

3. In the upper right of the Finder window, click Connect As.
4. In the dialog, enter the Name and Password for the server, then click Connect.

Figure 3.8_2


If the SMB2 or DFS share isn't browsable, it can still be accessed manually using the Connect to Server dialog.

To access shares manually via the Connect to Server dialog:

1. Click the Go menu in the Finder.
2. Click Connect to Server (or use the keyboard shortcut Command-K).
3. In the dialog, enter the host name of the server with the SMB2 share, then click Connect. You will be prompted to authenticate.

Figure 3.8_3

The options available in OS X provide a seamless experience when connecting to Windows and Mac shares. If SMB2 isn't available, OS X automatically attempts to mount the share through AFP. Prefix the address with smb:// or afp:// to force a specific protocol.


3.9 Smart Card Support

As described on the Apple Support website (support.apple.com/kb/PH10872), a U.S. Department of Defense Common Access Card (CAC) or Personal Identity Verification (PIV) card can be used to access PK-enabled websites, VPNs, 802.1X networks, disk encryption, and keychains. CAC use typically requires revocation checking, via a certificate revocation list (CRL) or the Online Certificate Status Protocol (OCSP), to verify the card's certificates. Integration of smart cards for two-factor authentication in OS X is available using tools from the Mac OS Forge website; software to enable CAC use is available in the SmartCard Services section at smartcardservices.macosforge.org.


3.9.1 Third-Party Smart Card Service Options

Integration of smart cards for two-factor authentication in OS X is available from commercial providers and open source projects.

Open Source Providers

Smart Card Services and token support continue to be developed and are available from the Apple-sponsored SmartCardServices project at smartcardservices.macosforge.org. This project provides support for the following smart card profiles:

• BELPIC. Belgian National ID
• CAC. U.S. Department of Defense Common Access Card
• CAC-NG. U.S. Department of Defense Common Access Card, Next Generation (CACv2 and PIV)
• PIV. U.S. Government Personal Identity Verification

A second open source project that provides support for OS X is the OpenSC project, available at github.com/OpenSC/OpenSC/wiki.

Open Source Software (OSS) projects are helpful for access to source code, for working or emerging support, and for technology instructions such as those for smart cards. However, OSS doesn't come with a roadmap, timeline commitments, or enterprise support, which may keep an organization from relying on these readily available resources. For enterprise-level support and timely feature advances, a commercial product is often better suited.

Commercial Providers

Enterprise commercial products and the corresponding support-level agreements are acquired from dedicated smart-card middleware providers. Several provide smart-card middleware that replaces or augments the built-in OS X services. Leading smart-card middleware providers for OS X include:

• .beID. eid.belgium.be
• ActivIdentity®. www.actividentity.com
• Centrify. www.centrify.com
• Charismathics™. www.charismathics.com
• HID®. www.hidglobal.com
• SafeNet®. www.safenet-inc.com
• Thursby Software. www.thursby.com

CCID-compliant smart-card hardware that can be purchased from Apple:

• SCM Smart Card Reader. store.apple.com/us/product/H2312LL/A

4 Configuration Management

Policy-based management is a robust way to manage nearly any setting in OS X. Mac computers, as well as iOS devices, are managed using configuration profiles. Using the same management structure for both platforms allows enterprises to leverage the same Mobile Device Management (MDM) platforms to manage both types of devices. Profiles are used to manage settings for Mac computers. Profiles are created with the Profile Manager service in OS X Server or using the app, which supports settings shared between OS X and iOS, and is available on the Mac App Store. Profile Manager offers a number of options, such as locking devices, performing remote wipes, and binding to a directory service. Profiles are also the only way to configure 802.1x profiles on a Mac.


4.1 Configure a Profile Manager Server

OS X Server includes the Profile Manager service, which manages devices running both OS X and iOS. Profile Manager can be used for pilot groups of Mac computers and iOS devices. As your environment scales, consider a third-party tool to replace Profile Manager. MDM packages often include additional features for scaling environments, while providing all the same options available in Profile Manager.

1. To set up Profile Manager, first install OS X and OS X Server from the Mac App Store.
2. Once the server is set up, verify that the host name and SSL certificates are valid (a process covered in the following modules).
3. If using Active Directory, bind your server to the Active Directory environment. The Open Directory service is automatically installed with OS X Server during the Profile Manager setup, even when the server leverages Active Directory as a directory service.


4.1.1 Configure Network Settings

Configuring the network settings of OS X Server is simple with the application from Apple called Server, located in /Applications once installed from the Mac App Store. This step should be completed before any other services are configured, including Profile Manager. The Server application makes it easy to correctly set up network interfaces and host names. If a server’s IP address has no resolvable DNS name, or if the DNS name doesn’t match the host name provided at setup, a local DNS server will automatically be set up to provide local name resolution when Server is installed from the Mac App Store. If changes to a server’s IP or host name need to be made, use the Host Name Assistant to automatically update all services to use the new host name.

To configure network settings:
1. Open the Server application from /Applications.
2. Authenticate to the local server.
3. Click the name of the server listed in the sidebar (the first item), if not already highlighted.
4. Click the Edit button next to the Host Name in the Overview pane.

Figure 4.1.1_1


5. In the Accessing your Server dialog, click the Domain Name radio button.
6. Click Next.

Figure 4.1.1_2

7. In the Connecting to Your Server dialog, provide the name (which in this example is Pretendco MDM Server) and the host name, which should have corresponding DNS entries (in this example, it is mdm.pretendco.com).

Figure 4.1.1_3


8. In the Server app, the new name is displayed in the sidebar, in the Host Name field, and in the Computer Name field.

Figure 4.1.1_4


4.1.2 Configure Users

Before accessing most services on a server running OS X Server, users need accounts created on the server. All accounts created with the Server application reside in a directory service known as Open Directory. Open Directory is automatically configured when the Server application is installed in OS X Server. If a server is bound to a directory service, such as Microsoft Active Directory, no further work is needed because accounts from the third-party directory service can be used with the OS X Server service. Otherwise, create users before setting up profiles in Profile Manager.

To create network service users in OS X Server:
1. Open the Server application from /Applications.
2. Click Users, listed under Accounts in the sidebar.

Figure 4.1.2_1

3. Click the Add (+) button to add users.
4. Enter the user’s name in the Full Name field. For example, Pretendco Administrator.
5. Enter a shortened name for the user in the Account Name field. For example, pretendcoadmin.
6. Optionally, provide an email address for the user in the Email Address field. For example, [email protected].
7. Enter the password this account will use in the Password field.
8. Enter the password again in the Verify field.
9. Optionally, choose to give the user administrative access to the server by selecting the “Allow user to administer this server” checkbox.


10. If portable home directories or network home directories will be used, choose the share on which the user’s home directory resides using the Home Folder menu. Note: This list is automatically populated based on the contents of the Open Directory automounts.

Figure 4.1.2_2

11. Click the Create button when the settings are as intended for the user.


4.1.3 Add Groups

Most large-scale systems management should be done using groups. This module covers creating groups using the Server application. Note: If the server is bound to another directory service, for example Active Directory, manage users from the third-party directory service rather than from OS X Server to make sure all applicable attributes are created.

To create groups in OS X Server:
1. Open the Server application from /Applications.

Figure 4.1.3_1

2. Choose Groups, listed under Accounts in the sidebar.

Figure 4.1.3_2

3. Click the Add (+) button.


4. When prompted, provide a name for the group in the Full Name field.
5. The Group Name short name is automatically generated based on the Full Name. Alternatively, provide your own short name in the Group Name field.

Figure 4.1.3_3

6. Click Create to create the group.


4.1.4 Review Certificates

Each server running OS X Server is installed with a default self-signed certificate. For security purposes, review the certificates installed on the server. Most services, such as Profile Manager, require SSL certificates. These certificates can either be created by the organization’s Certificate Authority (CA), purchased from an outside vendor, or created as a self-signed certificate directly in OS X Server.

To manage certificates in OS X Server:
1. Open the Server application from /Applications.

Figure 4.1.4_1

2. Select Certificates, under Server in the sidebar.

Figure 4.1.4_2


3. Click the cog wheel icon to open the action pop-up menu.
4. Choose Show All Certificates.
5. Double-click the certificate.

Figure 4.1.4_3

6. On the certificate pane, verify that all the required settings are correct.

Figure 4.1.4_4


7. If you need to install a third-party certificate from a trusted certificate authority, use the Add (+) button. Then choose Get a Trusted Certificate to generate a CSR.

Figure 4.1.4_5


4.1.5 Acquire Apple Push Notification Certificates

To push profile changes to devices, first configure a server to use Apple Push Notification Services. Apple Push Notification Certificates must be acquired for the service from Apple, which can be done using the Server application.

To acquire an Apple Push Notification Certificate:
1. Open the Server application from /Applications.

Figure 4.1.5_1

2. Click the Settings tab.

Figure 4.1.5_2

3. Click the “Enable Apple push notifications” checkbox.


4. On the Apple Push Notifications dialog, provide an organizational Apple ID and a password for that ID. Note: This Apple ID should not be a personal Apple ID, nor one used to purchase apps. This Apple ID is for the use of Apple Push Notifications. You will need to renew this certificate every year, so make sure the ID is accessible and documented.

Figure 4.1.5_3

5. Click Get Certificate.
6. Click OK. Note: It is recommended that you set a reminder for the expiration date of the Apple Push Notification Certificate in a calendar application such as Calendar from Apple or Microsoft Outlook®.


4.1.6 Enable Profile Manager

Enabling Profile Manager allows administrators to easily manage Mac computers and iOS devices. Before enabling this service, it’s important to configure the network, user, and certificate settings for OS X Server as shown in previous modules.

To configure and enable Profile Manager:
1. Open the Server application from /Applications.

Figure 4.1.6_1

2. Click Profile Manager from the Services list in the sidebar.

Figure 4.1.6_2


3. Click Configure. Note: If there isn’t a Configure button, turn on Profile Manager in the upper-right of the window. If this doesn’t work, run the wipeDB.sh script located at /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend/wipeDB.sh to restart the process. Then restart the computer when the script is complete. If any of the features have been configured prior to this step, those steps are skipped in this process.
4. Click Next in the Configure Device Management dialog.

Figure 4.1.6_3

5. In the Organization Information dialog, provide any available information pertinent to the domain (phone number and address are optional).
6. Click the Next button.

Figure 4.1.6_4


7. In the Configure an SSL Certificate dialog, choose the appropriate certificate for your environment.
8. Click the Next button.

Figure 4.1.6_5

9. In the Confirm Settings dialog, click Finish. The Profile Manager database is now created.

Figure 4.1.6_6


10. Provided the service is configured correctly, Enabled appears next to Device Management.

Figure 4.1.6_7

11. To change the name of the default configuration profile, click the Edit button next to the current name and enter a new name.
12. Once finished configuring settings, turn Profile Manager on in the upper-right corner of the window.

After the Profile Manager service completes startup, configure Profile Manager settings and enroll user devices.


4.1.7 Automatic Push versus Manual Download Profiles

When setting up configuration profiles, there are two types of profiles to choose from: automatic push and manual download. Both are assigned to devices either directly or through inheritance, but are deployed to clients in different ways.

Manual download profiles function as their name indicates. These configuration profiles must be manually installed by end users on their devices. These profiles are commonly emailed directly to users or downloaded from a web page and installed. The Profile Manager service makes these profiles available for download on the device portal page following user authentication. These profiles are static, and the payload isn’t updated unless the user manually downloads and installs an updated profile.

In contrast, automatic push profiles are distributed without user interaction following the initial deployment of the profile. Once a device is enrolled via the device portal page, devices are notified of any new profiles or changes to existing profiles by an Apple push notification. Any change made to the settings of an automatic push profile results in client notification. It’s important to realize that the actual profile isn’t distributed via the push notification system. The push notification alerts the device that the device needs to check in with the MDM server. Once the device has connected to the MDM server, it can retrieve and apply an updated configuration profile. For these notifications to work properly, administrators must allow the Apple Push Notification service to pass through the network border, which consists of outgoing traffic from the server and client systems.


4.1.8 Edit Management Profiles

Use the web-based Apple Profile Manager interface to create, edit, and delete profiles as well as to create device groups for controlling profile distribution. Users and groups from enterprise directory services (such as Active Directory) appear in Profile Manager provided OS X Server has been properly bound. It’s important to remember that while each user, group, device group, or device record can only have one profile assigned to it in Profile Manager, each device may belong to many groups. This enables the layering of settings via profile inheritance.

To edit configuration profiles:
1. Open the Server application from /Applications.

Figure 4.1.8_1


2. Click Profile Manager from the Services list in the sidebar.

Figure 4.1.8_2

3. Click Open Profile Manager in the lower-left corner, or open a web browser and go to https://servername/profilemanager, where servername is the fully qualified domain name of the server running Profile Manager.
4. Authenticate as needed with administrative credentials.

Figure 4.1.8_3


5. Select the user, group, device, or device group to edit.
6. Click the Settings tab.

Figure 4.1.8_4

7. Click the Edit button for the profile.

Figure 4.1.8_5


8. Configure the profile as desired.
9. Click OK.

Figure 4.1.8_6

10. Click Save to update the profile settings.

Figure 4.1.8_7

11. Click Save again to commit the changes to the database. Note: Updating settings for an automatic push profile will result in an Apple push notification being sent to devices.


4.1.9 Create Device Groups

Device groups enable assignment of profile settings for specific groups of devices, for example when Mac devices are separated into iMac®, MacBook Pro®, and MacBook Air® groups, or when computers are divided based on business unit. This allows administrators to quickly apply settings appropriate for each logical grouping of devices.

To create a device group:
1. Open the Server application from /Applications.

Figure 4.1.9_1

2. Click Profile Manager from the Services list in the sidebar.

Figure 4.1.9_2

3. Click Open Profile Manager in the lower-left corner.


4. Authenticate as needed with administrator credentials.
5. Choose Device Groups from the Library list in the sidebar.

Figure 4.1.9_3

6. Click the Add (+) button to create a new device group.
7. Configure the group settings and profile as desired.

Figure 4.1.9_4

8. Click Save to create the group.


9. With the new group highlighted, click the Add (+) button in the Group pane to add devices or other device groups as members.

Figure 4.1.9_5

10. Click Save when finished adding devices.


4.1.10 Use Device Placeholders

Device placeholders enable administrators to populate device records and groups with profile settings before getting devices configured for Profile Manager. Create a placeholder record based on the serial number, UDID (Unique Device Identifier), IMEI (International Mobile Equipment Identity), or MEID (Mobile Equipment Identifier) of a device. When a matching device is enrolled, the newly enrolled device assumes the identity of the placeholder record. If the Mac is removed from management or if the record is deleted, the placeholder account isn’t automatically recreated.

To create a device placeholder:
1. Open the Server application from /Applications.

Figure 4.1.10_1

2. Choose Profile Manager from the Services list in the sidebar.

Figure 4.1.10_2


3. Click Open Profile Manager in the lower-left corner.
4. Authenticate as needed with the credentials for an administrative account.
5. Choose Devices from the Library list in the sidebar.

Figure 4.1.10_3

6. Click the Add (+) button and choose Add Placeholder.

Figure 4.1.10_4

7. Choose a type from the Device Type menu, and enter a name and serial number for the device.

Figure 4.1.10_5

8. Click Add. Note: Device placeholders can be imported for bulk placeholder creation. To do so, choose Import Placeholders instead (above in step 6). Then select the appropriate file of device names and serial numbers.


4.1.11 Enroll OS X Devices

Once the Profile Manager server is configured, devices need to be enrolled to make use of the new configuration. When logging into the User Portal, there are two tabs. The Devices tab provides an overview of devices registered by that user and allows for the enrollment of new devices. The Profiles tab shows download profiles that are available for the logged-in user. When using a self-signed SSL certificate, users will begin by installing the Trust Profile from the Profiles tab. This profile will install the certificates needed for the client devices to trust your Profile Manager SSL and code-signing certificates.

To enroll an OS X computer:
1. Open a web browser and navigate to https:///mydevices.
2. Authenticate with an account.

Figure 4.1.11_1


3. Click Enroll to enroll the device into the Mobile Device Management environment.

Figure 4.1.11_2

4. The profile downloads and automatically opens in the Profiles pane in System Preferences.
5. When prompted, click Continue to install the Remote Management profile.

Figure 4.1.11_3


6. If the certificate is not provided by a previously trusted source, a dialog will appear warning that the profile’s authorship is unknown. Click the Install button.

Figure 4.1.11_4

7. The Mac is now enrolled in Profile Manager and appears under Devices both in Profile Manager and on the My Devices portal.

Figure 4.1.11_5


8. The Remote Management profile is also shown in the Profiles pane in System Preferences.

Figure 4.1.11_6


4.1.12 Lock a Device via the User Portal

Once a device is enrolled using Profile Manager, the user responsible for that device can perform basic security tasks. The most basic task is a remote lock, helpful when a device has temporarily fallen outside the control of the organization.

To remote-lock a device:
1. Open a web browser and navigate to https:///mydevices. Note: is the name of an OS X Server system running the Profile Manager service.
2. Authenticate as the user who enrolled the device.
3. See the enrolled devices in the Devices tab. Click the Lock button for the appropriate device.

Figure 4.1.12_1


4. Enter a passcode when prompted.

Figure 4.1.12_2

5. When prompted to confirm the task, click OK.

Figure 4.1.12_3

6. When locking a Mac, it immediately restarts to a PIN pad. Only the passcode entered in the User Portal can unlock the device. When the passcode is provided to the client computer, the computer restarts as normal and remains enrolled.
7. Administrators can confirm that the lock has been applied from Profile Manager.


4.1.13 Wipe a Device from the User Portal

Once a device is enrolled using Profile Manager, the user responsible for it can perform basic security tasks. The most intrusive action is a remote wipe, erasing all data on the device. To remote-wipe a Mac, it must also have a recovery partition.

To remote-wipe a device:
1. Open a web browser and navigate to https:///mydevices. Note: is the name or IP address of an OS X Server system running the Profile Manager service.
2. Authenticate as the user who enrolled the device.

Figure 4.1.13_1


3. Enrolled Mac computers appear in the Devices tab. If a passcode field is present, the client system has already been locked. This is often a preliminary measure before wiping devices. Click the Wipe button for the appropriate device.

Figure 4.1.13_2

4. Performing a wipe requires the use of a PIN. Enter the PIN and then click the Wipe button.
5. When prompted to confirm the wipe, click OK to confirm.

Figure 4.1.13_3

6. The Mac is wiped and all data is erased. Confirm the wipe has been sent in the Tasks section of Profile Manager.


4.1.14 Lock a Device Using Profile Manager

Once a device is enrolled using Profile Manager, the user responsible for the device can perform basic security tasks. The Profile Manager portal also provides administrators the ability to perform security tasks on remote devices.

To remote-lock a device using Profile Manager:
1. Open the Server application from /Applications.
2. Choose Profile Manager from the Services list in the sidebar.
3. Click Open Profile Manager in the lower-left corner.
4. Authenticate with administrative credentials.

Figure 4.1.14_1


5. Choose Devices or Device Groups from the Library list in the sidebar.
6. Select the device or device group to lock.

Figure 4.1.14_2

7. In the device or device group pane, click the cog wheel icon to open the action pop-up menu.
8. Choose Lock.

Figure 4.1.14_3


9. Enter a lock passcode.

Figure 4.1.14_4

10. When locking OS X, the Mac immediately restarts to a PIN pad. Only the passcode entered in Profile Manager can unlock the computer.
11. Confirm the lock has been completed in the Completed Tasks section of Profile Manager.


4.1.15 Wipe a Device Using Profile Manager

Once a device is enrolled with Profile Manager, the user responsible for the device can perform basic security tasks. Profile Manager also gives administrators the ability to perform these same security tasks on remote devices.

To remote-wipe a device using Profile Manager:
1. Open the Server application from /Applications.
2. Choose Profile Manager from the Services list in the sidebar.
3. Click Open Profile Manager in the lower-left corner.
4. Authenticate with administrator credentials.

Figure 4.1.15_1


5. Choose Devices or Device Groups from the Library list in the sidebar.
6. Select the device or device group to wipe.

Figure 4.1.15_2

7. In the device or device group pane, click the cog wheel icon to open the action pop-up menu.
8. Choose Wipe.

Figure 4.1.15_3


9. Enter a wipe passcode.
10. Click Wipe.

Figure 4.1.15_4

11. The device is wiped and all data is lost.
12. Confirm the wipe has been completed in the Completed Tasks section of Profile Manager.


4.1.16 Remove a Mac from Management via the User Portal

Users can perform basic security tasks using the My Devices portal once they have enrolled devices in Profile Manager. Just as users can enroll, lock, and wipe a device from the User Portal in Profile Manager, they can also disable remote management of devices. Note: Removing a device from management removes the enrollment and management profiles, as well as any access configured by those profiles. The trust profile isn’t removed. While the profiles from the portal are removed in this module, they can also be removed from the Profiles pane in System Preferences.

To remove a device from management:
1. Open a web browser and navigate to https:///mydevices. ( is the name or IP address of an OS X Server system running the Profile Manager service.)
2. Authenticate as the user who enrolled the device.
3. Click the Devices tab to view all Mac computers enrolled by the user account. To enroll additional devices for the same account, click the Enroll button. Click the Remove button for the device to disable remote management.

Figure 4.1.16_1


4. Verify that you want to remove the device.

Figure 4.1.16_2

5. The device record is removed from Profile Manager, and the device is no longer considered managed. Additionally, the Remote Management profile is no longer listed in the Profiles pane in System Preferences on the client computer.


4.1.17 Remove Management via Profile Manager

Users can utilize the user portal in Profile Manager to enroll, lock, and wipe devices, as well as to disable remote management. Profile Manager also gives administrators the ability to act on remote devices. Note: Removing a device from management also removes the configuration profiles and any access configured by those profiles. Trust profiles are left on devices when removed, easing the burden of subsequent enrollments.

To remove a device from management with Profile Manager:
1. Open the Server application from /Applications.
2. Click Profile Manager in the Services list in the sidebar.
3. Click Open Profile Manager in the lower-left corner.
4. Authenticate with administrator credentials.
5. Click Devices from the sidebar list under Library.
6. Select the device to remove.

Figure 4.1.17_1

7. Click the minus (-) button located at the bottom of the middle pane.


8. Click Delete to confirm the device should be removed.

Figure 4.1.17_2

9. Remote configuration profiles will now be removed.
10. Confirm the device no longer appears in the Devices section of the Profile Manager Library.


4.1.18 Profile System Preferences

After installing any configuration profiles in OS X, the Profiles pane in System Preferences will appear. Initially, there is no Profiles pane in System Preferences. The Profiles pane in System Preferences is used to review which profiles are installed. The Profiles pane is also used for adding profiles and removing or verifying existing profiles. Configuration profiles can also be installed by double-clicking them in the Finder or by downloading profiles using Safari®, provided the web server is capable of serving the proper MIME types. Note: Any user with administrative access can remove a device profile.

To remove a profile:
1. Choose System Preferences from the Apple menu.
2. Click the lock icon in the lower-left corner.
3. Provide an administrative user name and password.
4. Click the Device Profiles pane.
5. Select the profile to remove.

Figure 4.1.18_1

6. Click the minus (-) button to remove the profile.


7. When prompted to verify profile removal, click Remove.

Figure 4.1.18_2


4.1.19 Non-Removable Configuration Profiles

Configuration profiles are a policy enforcement system. When creating profiles in Profile Manager, administrators have options for controlling how those profiles can be removed. The default removal setting always allows removal of a profile, meaning a user profile can be removed by the user to which it applies. Device profiles can then be removed by any administrative user on a Mac. However, some policies should be enforced whether the user wishes to have them or not. The Authorization feature secures profile removal, forcing a specific password to be used to edit a profile. Only users with the profile password may remove it. The Never removal setting indicates that a profile may not be removed. The device must be wiped in order to remove the profile.

To change profile removal rules:
1. Open the Server application from /Applications.
2. Choose Profile Manager from the Services list in the sidebar.
3. Click Open Profile Manager in the lower-left corner.
4. Authenticate with the credentials for an administrative account.
5. Choose Users, Groups, Devices, or Device Groups from the Library list in the sidebar.
6. Select the user, group, device, or device group to edit.

Figure 4.1.19_1


7. Click the Edit button for the profile.

Figure 4.1.19_2

8. Change the Security settings for the profile as needed.

Figure 4.1.19_3

9. Set any other settings that should be deployed with the profile.
10. Click OK to close the Settings pane.
11. Click Save to update the profile settings.


4.1.20 Restrict Access to System Preferences

The System Preferences in OS X are where many of the options are configured for how a computer behaves. By limiting access to System Preferences, you effectively restrict users from changing the behavior of the system (and can therefore aim to limit the number of tickets submitted for issues that likely shouldn’t have occurred in the first place).

To limit access to System Preferences using Profile Manager:
1. Open the Server application from /Applications.
2. Choose Profile Manager from the Services list in the sidebar.
3. Click Open Profile Manager in the lower-left corner.
4. Authenticate with the credentials for an administrative account.
5. Choose Users, Groups, Devices, or Device Groups from the Library list in the sidebar. Then select the user, group, device, or device group to edit.
6. Click the Settings tab.

Figure 4.1.20_1

7. Click Edit.


8. Click Restrictions in the Profile Manager sidebar.

Figure 4.1.20_2

9. Click Configure.

Figure 4.1.20_3


10. Select the “Restrict Items in System Preferences” checkbox.
11. Choose whether to disable or enable the selected items. Note: If disabling items for which you want to restrict access, users can still access third-party System Preferences panes.
12. Deselect each preference for which you’d like to restrict access.
13. Click OK to close the Settings pane.
14. Click Save to update the profile settings.

4.1.21 profiles Command

The profiles command allows programmatic control of configuration profiles so that administrators can script or remotely run configuration profile installation, removal, and auditing. To list the configuration profiles installed for a given user, run the profiles command with the -L option, as follows:

profiles -L

To see all configuration profiles installed on the system, run the profiles command with the -P option, as follows:

sudo profiles -P

To install a configuration profile for a user, run the profiles command with the -I option (for install), followed by the -F option (for file), and ending with the path to the profile file. For example, the following command installs a configuration profile called 8021xSetup.mobileconfig, previously copied to /tmp.

profiles -I -F /tmp/8021xSetup.mobileconfig

To remove that profile, use the following command:

profiles -R -F /tmp/8021xSetup.mobileconfig

An effective way to troubleshoot profile problems is to remove all configuration profiles using the -D option, as follows:

profiles -D

Profiles installed from a Profile Manager instance are tracked using unique identifiers similar to a defaults domain. For example, if an organization is called pretendco and the profile to install is for 802.1x configuration, that profile might be called com.pretendco.8021xSetup. To remove this profile, use the -R option followed by -p to denote a profile identifier, as follows:

profiles -R -p com.pretendco.8021xSetup

To see the version number of the profiles command, use the -x option:

profiles -x

For more information, see the man page for profiles using the following command:

man profiles
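The auditing use of the profiles command described above can be scripted. The following is an added example, not code from the guide, that compares the identifiers reported by profiles -P against a set an organization expects on every managed Mac. It assumes the one-line-per-profile "attribute: profileIdentifier:" output format of profiles -P, and the sample output and the com.pretendco identifiers are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the guide: audit the configuration profiles
# installed on a Mac against an expected set. On a real client the input
# would come from "sudo profiles -P"; the sample below is constructed to
# mimic that output format (one "attribute: profileIdentifier:" line per
# installed profile), which is an assumption of this example.

SAMPLE_PROFILES_OUTPUT=$(cat <<'EOF'
_computerlevel[1] attribute: profileIdentifier: com.pretendco.8021xSetup
_computerlevel[2] attribute: profileIdentifier: com.pretendco.mdm
jfoster[1] attribute: profileIdentifier: com.pretendco.dock
There are 2 system configuration profiles installed
There are 1 user configuration profiles installed for 'jfoster'
EOF
)

# Identifiers that must be present on every managed Mac (assumed here).
REQUIRED_PROFILES='com.pretendco.8021xSetup com.pretendco.mdm com.pretendco.passcode'

# Print one installed profile identifier per line, scope prefix dropped.
installed_profile_ids() {
    printf '%s\n' "$1" | awk '/attribute: profileIdentifier:/ { print $NF }'
}

# Print each required identifier ($2, space separated) that is not
# installed according to the profiles output in $1.
missing_profiles() {
    installed=$(installed_profile_ids "$1")
    for id in $2; do
        printf '%s\n' "$installed" | grep -qx "$id" || printf '%s\n' "$id"
    done
}

# Print each installed identifier that is not in the expected list ($2).
# Anything reported here was installed outside the sanctioned set and
# deserves a look: a profile can change network, proxy or trust settings.
unexpected_profiles() {
    for id in $(installed_profile_ids "$1"); do
        case " $2 " in
            *" $id "*) ;;
            *) printf '%s\n' "$id" ;;
        esac
    done
}

# Count the lines in a string (0 for the empty string).
count_lines() {
    printf '%s' "$1" | awk 'END { print NR }'
}

echo "Missing required profiles:"
missing_profiles "$SAMPLE_PROFILES_OUTPUT" "$REQUIRED_PROFILES"
echo "Installed but not expected:"
unexpected_profiles "$SAMPLE_PROFILES_OUTPUT" "$REQUIRED_PROFILES"
```

On a client, replace the sample with the command's real output, for example missing_profiles "$(sudo profiles -P)" "$REQUIRED_PROFILES".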

4.1.22 dscl Command

As of OS X Mavericks, the dscl command has extensions for dealing with profiles. These include the following:

MCX Profile Extensions:
-profileimport
-profiledelete
-profilelist [optArgs]
-profileexport
-profilehelp

To list all profiles for a given object in a directory service, use the -profilelist extension. Follow the dscl command with the -u option to identify a directory services user, -P to supply the password of that user, and the IP address of the directory services server, followed by profilelist and then the path of the object. Assuming a directory administrator named diradmin with the password apple, and a user named sydneybailey:

dscl -u diradmin -P apple 192.168.210.201 profilelist /LDAPv3/127.0.0.1/Users/sydneybailey

To delete that information for the given user, swap the profilelist extension for profiledelete:

dscl -u diradmin -P apple 192.168.210.201 profiledelete /LDAPv3/127.0.0.1/Users/sydneybailey

To export all profile information to a directory called ProfileExports at the root of the drive instead:

dscl -u diradmin -P apple 192.168.210.201 profileexport . all -o /ProfileExports

4.2 Manage Profiles

Profile Manager enables administrators to configure almost any setting in OS X and manage devices en masse. Profiles can also be managed using third-party mobile device management solutions. These solutions support profile management in the same fashion, using tasks similar to those in this section.

4.2.1 View the Contents of Profiles

In previous modules, enrolling a device in Profile Manager created items in the Profiles pane in System Preferences. These items result in additional profiles containing settings that get implemented on client systems.

To view profiles in System Preferences:

1. Choose System Preferences from the Apple menu.
2. Click Profiles.
3. Click a profile.

Figure 4.2.1_1

4. The following information is displayed:
a. Installed. The date the profile was installed or last changed.
b. Settings. The payloads being managed.
c. Details. The settings being managed within each payload and the contents of the managed keys.

4.2.2 Configure the Location of the Dock

OS X displays the icons of various applications in the Dock, located by default across the bottom of the screen. The location of the Dock can be changed to the right or left side of the screen. In this module, manage the location of the Dock so that it appears on the right side of the screen. This is one example of managing settings using Profile Manager.

To change the location of the Dock:

1. Open the Server application.
2. Click Profile Manager from the Services list in the sidebar.
3. Click Open Profile Manager in the lower-left corner.
4. Authenticate as needed with administrative credentials.
5. Click Users, Groups, Devices, or Device Groups in the Library list in the sidebar.
6. Select the user, group, device, or device group to edit.

Figure 4.2.2_1

5. Click the Edit button.

Figure 4.2.2_2

6. In the sidebar of the Settings window, scroll down and click Dock.

Figure 4.2.2_3

7. Click the Configure button.
8. Next to Position, click the Right radio button.
9. Click OK to return to the Profile window.

Figure 4.2.2_4

10. In the Profile window, verify that the Dock payload is listed.

Figure 4.2.2_5

11. Click Save to save the changes. The Dock on the client system is immediately moved to the right side of the screen.

Figure 4.2.2_6

4.2.3 Manage Third-Party Application Preferences

Configuration profiles also manage third-party applications by editing the defaults domain of settings. These defaults domains typically map back to a property list (.plist) file, and each setting is typically represented by a key in that file. The key to managing a given preference is to locate the appropriate preference file, the key to use, and the options available for that key. While this may seem daunting given the variety of preferences and the key names they often comprise, there are a number of tools available to help make this easier. Many developers publish a list of their preference files with a listing of keys and the options available per key. For example, Microsoft publishes a list of preference files at www.microsoft.com/mac/itpros/default.mspx, but not a listing of each key nor the ramifications of using them. Using a search engine can yield fast results at times; however, these aren’t always accurate.

While this module focuses on using Profile Manager to deploy custom settings to client systems, this isn’t always possible because third-party developers don’t always follow Apple standards. For example, Firefox® uses a .js file to store a variety of settings rather than property lists. If the settings aren’t in a plist file, scripting login events to deploy settings may be required. Here we use providing a gateway server to Microsoft Office® Communicator® as an example of controlling settings for a third-party app using Profile Manager.

To set up Microsoft Office Communicator with a gateway server:

1. Open the Server application from /Applications.
2. Click Profile Manager from the Services list in the sidebar.
3. Click Open Profile Manager in the lower-left corner.
4. Authenticate as needed with administrative credentials.
5. Click Users, Groups, Devices, or Device Groups in the Library list in the sidebar. Then select the user, group, device, or device group to edit.

Figure 4.2.3_1

6. In the Settings tab in the right-most pane, click the Edit button.

Figure 4.2.3_2

7. In the Settings sidebar, scroll down and select Custom Settings.

Figure 4.2.3_3

8. Click the Configure button.

9. Enter com.microsoft.configurator in the Preference Domain field.

Figure 4.2.3_4

10. Click the Add Item button to add a key to the domain.
11. Enter GatewayServer in the Key field.
12. Leave the Type menu set to String.
13. In the Value field, enter the name or IP address of the gateway server for Office Communicator.
14. Click OK. Note: If there are a number of preferences to add, consider importing a prepared property list using the Upload File button.

Figure 4.2.3_5

15. Click Save and the setting is deployed to all client systems in the group, all systems for the user (if configuring for users), or a single device if applicable.

Figure 4.2.3_6

4.2.4 Manage Printers

Printers can also be managed using configuration profiles.

To use Profile Manager to manage a printer:

1. Open the Server application from /Applications.
2. Click Profile Manager from the Services list in the sidebar.
3. Click Open Profile Manager in the lower-left corner.
4. Authenticate as needed with administrative credentials.
5. Click Users, Groups, Devices, or Device Groups in the Library list in the sidebar. Then select the user, group, device, or device group to edit.

Figure 4.2.4_1

6. Click the Edit button.

Figure 4.2.4_2

7. In the sidebar, scroll down and click Printing.
8. Click the Configure button.

Figure 4.2.4_3

9. Click the Add (+) button.

Figure 4.2.4_4

10. A list of printers installed on the Profile Manager server is provided in the Add Printers dialog. If the required printer isn’t listed, install it on the Profile Manager server. Otherwise, click the Add button for the printer.

11. Click Done once all desired printers have been added.

Figure 4.2.4_5

12. Click the OK button to return to the Profiles pane.
13. Select the checkbox for the printer just added.
14. Click OK.

Figure 4.2.4_6

15. Confirm that Printing is now listed.

Figure 4.2.4_7

16. Click the Save button. Then click Save again to confirm Save Changes.

Figure 4.2.4_8

4.2.5 Restrict Applications Using Profile Manager

Whitelisting applications can be simple or complicated depending on the approach. The simplest approach is to allow only the applications in the Applications folder to be opened. Alternatively, restrict specific applications using the Blacklisting option. Note, however, that blacklisting only accounts for applications specifically restricted by administrators. By limiting permissions on the Applications folder, administrators further create a sandbox that keeps users within predefined boundaries.

To use Profile Manager to limit users to opening only implicitly allowed applications:

1. Open the Server application from /Applications.
2. Click Profile Manager from the Services list in the sidebar.
3. Click Open Profile Manager in the lower-left corner.
4. Authenticate as needed with administrative credentials.
5. Click Users, Groups, Devices, or Device Groups in the Library list in the sidebar. Then select the user, group, device, or device group to edit.

Figure 4.2.5_1

6. Click the Edit button.

Figure 4.2.5_2

7. In the sidebar, scroll down to OS X and click Restrictions.
8. In the Configuration Restrictions pane, click the Configure button.

Figure 4.2.5_3

9. Click the Apps tab.

Figure 4.2.5_4

10. Click the “Restrict which applications are allowed to launch” checkbox.

Figure 4.2.5_5

11. Click the Add (+) button for Allow Folders.
12. Enter /Applications in the provided text field.

Figure 4.2.5_6

13. Click the OK button to return to the Profiles pane. Users in the selected object can only open applications in /Applications (the default in OS X).
14. Confirm that Restrictions is now listed.

Figure 4.2.5_7

15. Click the Save button. Then click Save again to confirm Save Changes.

Figure 4.2.5_8

4.2.6 Deploy VPN Connections Using Profile Manager

VPN connections are cumbersome to set up manually. Profile Manager provides a mechanism for pushing out configurations automatically to end users so they have a configuration on their device when it is provisioned—offering users a simple experience for connecting to a corporate VPN.

To use Profile Manager to push out VPN configurations:

1. Open the Server application from /Applications.
2. Click Profile Manager from the Services list in the sidebar.
3. Click Open Profile Manager in the lower-left corner.
4. Authenticate as needed with administrative credentials.
5. Click Users, Groups, Devices, or Device Groups in the Library list in the sidebar. Then select the user, group, device, or device group to edit.
6. Click the Settings tab.
7. Click Edit.

Figure 4.2.6_1

8. Click Restrictions in the left sidebar.

9. Click the Configure button.

Figure 4.2.6_2

10. Click VPN in the left sidebar.
11. Provide a name in the Connection Name field.
12. Select a type of connection from the Connection Type menu. Note: Many types are vendor specific, and their subsequent settings are obtained from your IT staff or the vendor of the VPN hardware/software.
13. Enter the settings required to connect to the VPN.

Figure 4.2.6_3

14. Click OK.
15. Click the Save button.
16. Click Save again to confirm Save Changes.

4.2.7 Force Password Policies Using Profile Manager

OS X functions well in an Active Directory environment. However, many systems administrators today choose to run without directory services. Security professionals need to keep passwords complex and changing at a frequency that matches the organization’s security policy. Therefore, Apple provides a facility in Profile Manager to enforce strong passwords through local password policies.

To use Profile Manager to push out password policies:

1. Open the Server application from /Applications.
2. Click Profile Manager from the Services list in the sidebar.
3. Click Open Profile Manager in the lower-left corner.
4. Authenticate as needed with administrative credentials.
5. Click Users, Groups, Devices, or Device Groups in the Library list in the sidebar. Then select the user, group, device, or device group to edit.
6. Click the Settings tab.
7. Click Edit.

Figure 4.2.7_1

8. Click Passcode in the left sidebar.

9. Click the Configure button.

Figure 4.2.7_2

10. Choose the appropriate settings for your environment.

Figure 4.2.7_3

11. Click OK.
12. Click the Save button.
13. Click Save again to confirm Save Changes.

4.2.8 Configure Single Sign-On Using Profile Manager

OS X functions well in an Active Directory and LDAP environment. One aspect that works with such environments is the ability to configure single sign-on authentication for Kerberos-based environments. Profile Manager can deploy Active Directory information, which allows users to log in at the login window. However, if you choose not to configure Active Directory accounts as login accounts, you can still push out single sign-on configurations for local accounts.

To use Profile Manager to push out single sign-on configurations:

1. Open the Server application from /Applications.
2. Click Profile Manager from the Services list in the sidebar.
3. Click Open Profile Manager in the lower-left corner.
4. Authenticate as needed with administrative credentials.
5. Click Users, Groups, Devices, or Device Groups in the Library list in the sidebar. Then select the user, group, device, or device group to edit.
6. Click the Settings tab.
7. Click Edit.

Figure 4.2.8_1

8. Click Single Sign-On in the left sidebar.

9. Click the Configure button.

Figure 4.2.8_2

10. Provide the appropriate information for your environment. This includes:
a. Account Name. How the information is displayed on the device.
b. Principal Name. The UPN, or UserPrincipalName, from within Active Directory of the Kerberos provider. Note: UPNs can be listed using the Get-ADUser cmdlet, as follows:

Get-ADUser -Filter * -SearchBase 'ou=Users,dc=pretendco,dc=com' -Properties userPrincipalName

c. Realm. The realm name of your Kerberos environment (for example, the Active Directory domain name).

Figure 4.2.8_3

11. Click OK.
12. Click the Save button.
13. Click Save again to confirm Save Changes.

4.2.9 Limit Access to Sites Using Profile Manager

Kiosk systems and systems not covered by proxy servers can have certain websites denied, or all websites denied and only certain sites allowed. This is deployable via Profile Manager.

To use Profile Manager to restrict access to certain sites:

1. Open the Server application from /Applications.
2. Click Profile Manager from the Services list in the sidebar.
3. Click Open Profile Manager in the lower-left corner.
4. Authenticate as needed with administrative credentials.
5. Click Users, Groups, Devices, or Device Groups in the Library list in the sidebar. Then select the user, group, device, or device group to edit.
6. Click the Settings tab.
7. Click Edit.

Figure 4.2.9_1

8. Click Web Content Filter in the left sidebar.

9. Click the Configure button.

Figure 4.2.9_2

10. Provide the appropriate information for your environment. From the Allowed Websites menu, select from the following:
a. Limit Adult Content. This option restricts information considered to be adult content.
• Permitted URLs. Click the Add (+) button to whitelist certain sites.
• Blacklisted URLs. Click the Add (+) button to list sites for which access is explicitly denied (whether adult content or not).
b. Specific Websites Only. This option only allows access to specific sites (useful with kiosks, for example).
• Specific Websites. List each site the device can access.

Figure 4.2.9_3

11. Click OK.
12. Click the Save button.
13. Click Save again to confirm Save Changes.

4.3 Password Policies

A variety of password policies are applied to clients through configuration profiles, Active Directory, or command-line tools. These policies should conform to the requirements set forth by an organization’s security policy. When using Active Directory, the Active Directory password policies are respected by OS X. Clients are notified of expiring passwords, and users can change their Active Directory passwords in OS X.

4.3.1 Audit Local Password Policies

Setting up password policies in Active Directory or OS X Server enforces policies on directory-service-based accounts. Many of these policies also exist in OS X but need to be set from the command line when not managed centrally.

The tool to audit (and configure) password policies in OS X is pwpolicy. The following example uses pwpolicy to check which policies are enforced and what their settings are, as part of an audit of password policies. To view the global password policy (enforceable on all users) on a local computer, run pwpolicy with the -n option and /Local/Default to indicate the local default node, then -getglobalpolicy (now that the command knows where to look for the policy information), as follows:

pwpolicy -n /Local/Default -getglobalpolicy

This results in a list of all OS X global password policies and their settings on the client system, as follows:

usingHistory=0 canModifyPasswordforSelf=1 usingExpirationDate=0 usingHardExpirationDate=0 requiresAlpha=0 requiresNumeric=0 expirationDateGMT=12/31/69 hardExpireDateGMT=12/31/69 maxMinutesUntilChangePassword=0 maxMinutesUntilDisabled=0 maxMinutesOfNonUse=0 maxFailedLoginAttempts=0 minChars=8 maxChars=0 passwordCannotBeName=0 requiresMixedCase=0 requiresSymbol=0 newPasswordRequired=0 minutesUntilFailedLoginReset=0 notGuessablePattern=0

Use the pwpolicy command to see the policies for a given user. For example, run the following command to see the user-based password policies for a user with the short name jfoster:

pwpolicy -n /Local/Default -u jfoster

In this command, pwpolicy searches the local directory service but is limited to the user jfoster named after the -u option. To have pwpolicy show that user’s policy, add -getpolicy at the end, as follows:

pwpolicy -n /Local/Default -u jfoster -getpolicy
Getting policy for testing newPasswordRequired=0

Once the user’s password policy and the global password policy for the computer are known, the two can be combined manually into a resultant set of policies (an effective policy). Alternatively, run pwpolicy with the --get-effective-policy option. In the following example, the password for user jfoster (indicated with the -u option) is supplied with -p, followed by --get-effective-policy, to show the resultant policy enforced for jfoster:

pwpolicy -n /Local/Default -u jfoster -p jimmypassword --get-effective-policy

When auditing password policies, it’s important to understand what each policy does. The following is a description of global password policies (obtained from the man page for pwpolicy).

usingHistory
0 — User can reuse the current password.
1 — User can’t reuse the current password.
2–15 — User can’t reuse the last n passwords.
usingExpirationDate: If 1, user is required to change password on the date in expirationDateGMT.
usingHardExpirationDate: If 1, user’s account is disabled on the date in hardExpireDateGMT.
requiresAlpha: If 1, user’s password is required to have a character in [A–Z][a–z].
requiresNumeric: If 1, user’s password is required to have a character in [0–9].
expirationDateGMT: Date for the password to expire; format must be mm/dd/yy.
hardExpireDateGMT: Date for the user’s account to be disabled; format must be mm/dd/yy.
maxMinutesUntilChangePassword: User is required to change the password at this interval.
maxMinutesUntilDisabled: User’s account is disabled after this interval.
maxMinutesOfNonUse: User’s account is disabled if it isn’t accessed by this interval.
maxFailedLoginAttempts: User’s account is disabled if the failed login count exceeds this number.
minChars: Passwords must contain at least minChars.
maxChars: Passwords are limited to maxChars.

Global password policies configure each user’s password policies. Additionally, users can have specific password policies that aren’t available as global policies. A description of the additional user password policies includes the following:

isDisabled If 1, user account isn’t allowed to authenticate, ever.

isAdminUser If 1, this user can administer accounts on the password server.

newPasswordRequired If 1, the user will be prompted for a new password at the next authentication. Applications that don’t support change password won’t authenticate.

canModifyPasswordforSelf If 1, the user can change the password.
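Reading the -getglobalpolicy output by eye does not scale across a fleet. The following is an added example, not code from the guide, that parses the key=value pairs pwpolicy prints and reports each setting that falls below a baseline; the sample policy text is constructed from the listing in this section, and the baseline values are an assumption made for the example rather than an Apple recommendation.

```shell
#!/bin/sh
# Added example, not from the guide: audit the key=value pairs printed by
#   pwpolicy -n /Local/Default -getglobalpolicy
# against a minimal baseline and report each setting that falls short.
# The sample below is constructed from the listing in section 4.3.1; on a
# real client pass the command's output instead. The baseline is an
# assumption made for this example.

SAMPLE_GLOBAL_POLICY='usingHistory=0 canModifyPasswordforSelf=1 usingExpirationDate=0 usingHardExpirationDate=0 requiresAlpha=0 requiresNumeric=0 expirationDateGMT=12/31/69 hardExpireDateGMT=12/31/69 maxMinutesUntilChangePassword=0 maxMinutesUntilDisabled=0 maxMinutesOfNonUse=0 maxFailedLoginAttempts=0 minChars=8 maxChars=0 passwordCannotBeName=0 requiresMixedCase=0 requiresSymbol=0 newPasswordRequired=0 minutesUntilFailedLoginReset=0 notGuessablePattern=0'

# A policy that satisfies the baseline (constructed for comparison).
HARDENED_POLICY='usingHistory=5 requiresAlpha=1 requiresNumeric=1 maxFailedLoginAttempts=10 minChars=12 passwordCannotBeName=1'

# Print the value of one key from a policy string (empty if the key is
# absent). Pairs may be separated by spaces or by newlines.
policy_value() {
    printf '%s\n' "$1" | tr ' ' '\n' | awk -F= -v k="$2" '$1 == k { print $2; exit }'
}

# Print one "WEAK: ..." line per baseline rule that the policy in $1 fails.
# Rule format: key  comparison (ge|eq)  required value  reason.
# A key absent from the policy is treated as 0, which is what pwpolicy
# reports for a policy that has never been set.
audit_global_policy() {
    while read -r key op want reason; do
        have=$(policy_value "$1" "$key")
        [ -n "$have" ] || have=0
        ok=1
        case "$op" in
            ge) [ "$have" -ge "$want" ] || ok=0 ;;
            eq) [ "$have" -eq "$want" ] || ok=0 ;;
        esac
        if [ "$ok" -eq 0 ]; then
            printf 'WEAK: %s=%s (baseline %s %s): %s\n' "$key" "$have" "$op" "$want" "$reason"
        fi
    done <<'EOF'
minChars ge 8 passwords shorter than 8 characters are accepted
requiresAlpha eq 1 passwords need not contain a letter
requiresNumeric eq 1 passwords need not contain a digit
usingHistory ge 1 the current password can be reused
maxFailedLoginAttempts ge 1 0 means no lockout after failed logins
passwordCannotBeName eq 1 the account name is accepted as a password
EOF
}

# Print the number of baseline rules the policy in $1 fails.
weak_setting_count() {
    audit_global_policy "$1" | awk 'END { print NR }'
}

echo "Audit of the sample global policy:"
audit_global_policy "$SAMPLE_GLOBAL_POLICY"
echo "Weak settings: $(weak_setting_count "$SAMPLE_GLOBAL_POLICY")"
```

On a client, run audit_global_policy "$(pwpolicy -n /Local/Default -getglobalpolicy)" to check the live policy; a non-zero count is the signal to apply the -setglobalpolicy commands in the next section.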

A description of allowed password hash types that will be used to store passwords (configurable with pwpolicy) includes the following:

CRAM-MD5: Required for IMAP.
RECOVERABLE: Required for APOP and WebDAV.
SALTED-SHA512-PBKDF2: The default for loginwindow.
SALTED-SHA512: Legacy hash for loginwindow.
SMB-NT: Required for compatibility with Windows NT/XP file sharing.

4.3.2 Configure Local Password Policies

Administrators use configuration profiles to manage local password policies, or pwpolicy to audit local password policies in OS X programmatically. The pwpolicy command can also be used to set policies. In the following module, set the policies discussed previously. To set a password policy, run pwpolicy but substitute the -getglobalpolicy and -getpolicy options with -setglobalpolicy and -setpolicy, respectively.

To set a password policy:

1. Set the user password policy for the currently logged-in account (assuming it’s a local account) to require a minimum of eight characters in the user’s password. To do so, run the following command:

pwpolicy -n /Local/Default -setpolicy "minChars=8"

2. To change this setting for the jfoster user, use the following command, which adds a -u and the user name as follows:

pwpolicy -n /Local/Default -u jfoster -setpolicy "minChars=8"

3. Review the other password policies previously discussed, and decide which ones to apply to the user accounts on the local system. Each additional policy is added inside the same quotation marks, separated by a space. Note: Keep in mind that administrative users won’t have password policies applied.

4. In cases with multiple users on a system, instead of setting password policies for each user, set a global password policy. To set a global password policy, invoke the pwpolicy command, specify the local node, and use -setglobalpolicy, as in the following example:

sudo pwpolicy -n /Local/Default -setglobalpolicy "requiresNumeric=1"

Using this command enables the requiresNumeric option. In any boolean password policy, the number 1 as the setting acts as an on switch, and the number 0 acts as an off switch.

5. Once global password policies are set, configure many of your user password policies to be identical to the global policies. To do so, use the -setpolicyglobal option. For example, the following command configures the jfoster user to have the same policy as the global password policy:

pwpolicy -n /Local/Default -u jfoster -setpolicyglobal

The commands used to bring OS X into line with an organization’s security policy are placed into an organization’s image, built into a package, or pushed out through Apple Remote Desktop or another client management suite.

4.4 Use the Volume Purchase Program to Deploy Apps

To deploy applications through the Volume Purchase Program (VPP) for Business, first purchase application licenses from the Enterprise App Store. Then use the VPP to give each relevant user’s Apple ID access to the appropriate apps. Applications can be deployed to user computers using Profile Manager or third-party MDM tools that have VPP integration. Users can also self-deploy apps by opening the App Store, clicking Purchases, and selecting an application that has been assigned to their account. Once downloaded, applications can be deployed to a computer using patch management tools and by simply copying the .app bundle from computer to computer. When a user leaves the organization, licenses for the applications once installed on their computer may be reused by another user. These strategies provide the simplest deployment experience for administrators.

5 Security

There are a number of features built into OS X that provide added layers of security. This guide covers those most commonly looked for in enterprise environments—from where to find additional resources to more technical options such as setting up full disk encryption.

5.1 Use Security Resources

• Apple Product Security Page. www.apple.com/support/security
The Apple website offers a section dedicated to the security of Apple products called the Apple Product Security page.
• Security Updates. support.apple.com/kb/HT1222
Apple security updates are listed on the Apple Support website. Each update has a link to its description, which references corresponding CVE IDs (Common Vulnerabilities and Exposures Identifiers) for the vulnerabilities patched with each update.
• Security Mailing List. Apple also maintains a mailing list that includes product security notifications and announcements. To join this list, visit lists.apple.com/mailman/listinfo/security-announce.

5.2 Use Gatekeeper

Gatekeeper manages the execution of applications, allowing administrators to limit access to applications not downloaded from the Mac App Store or applications not signed by a member of the Apple Developer ID program. By only allowing signed applications and apps from the Mac App Store or a known developer, the risk of malicious software in an email attachment or web download is significantly mitigated. The default setting in OS X is to allow only Mac App Store applications. OS X can also restrict access to applications based on configuration profile settings delivered through Profile Manager and third-party mobile device management solutions. Application whitelisting is based on unique app signatures, whole directories that contain applications, or both.

5.2.1 Use Gatekeeper to Validate Application Downloads

Gatekeeper uses code signatures to validate the source of applications at download. Administrators can restrict installation based on where the software is downloaded from—Mac App Store only, Mac App Store and identified developers who have signed their code using an Apple-issued developer certificate, or any source. In Figure 5.2.1_1, Profile Manager limits a Mac to software from the Mac App Store and identified developers.

Figure 5.2.1_1

To set application launch security through Profile Manager:

1. In Profile Manager, select a Mac (or group of Mac computers) to manage from the Library list in the sidebar.

Figure 5.2.1_2

2. Click the Settings tab, then click the Edit button for the profile.
3. In the Settings sidebar, click Security & Privacy.
4. Click the Configure button to create a Security & Privacy payload.

Figure 5.2.1_3

5. Click the checkbox for “Do not allow user to override Gatekeeper setting” (OS X only).

Figure 5.2.1_4

6. Once finished managing the Application Launch Security settings, click OK.
7. Click Save to apply the settings.
8. Click Save again to save the settings.

Figure 5.2.1_5

5.3 Enforce Firmware Passwords

The Intel® Mac firmware used in Apple computers is known as EFI. A firmware password can be added to the startup process for a computer. Keep in mind that an EFI password does not provide encryption on the boot volume and should be implemented as another layer in your security solution.

The nvram command is used to set an EFI password. To disable EFI passwords, run the following commands as root:

sudo nvram -d security-mode
sudo nvram -d security-password

5.4 Manage Remote Logins

On client computers, SSH (Secure Shell) allows administrators access to a system currently in use by a user. To enable Remote Login in the Sharing pane in System Preferences:

1. Choose System Preferences from the Apple menu.
2. Click Sharing.
3. Select the Remote Login checkbox.
4. Administrators should also enable a SACL (Service Access Control List) for the service. To do so, select the “Only these users” checkbox and click the Add (+) button to add those users allowed to leverage the SSH service on the Mac.

Figure 5.4_1

Many client management systems use SSH to communicate with their agent software and to control client systems. Enabling SSH, also called Remote Login, can be done through the command line in order to facilitate mass deployment of SSH to client systems.

To use Remote Login for mass deployment of SSH to client systems:

1. Enable SSH using the systemsetup command along with the -setremotelogin option, as follows:

sudo systemsetup -setremotelogin on

2. Linux administrators may be tempted to configure the list of accounts that can access SSH in /etc/sshd_config. However, this only works when All Users is selected in the SACL in the Sharing pane in System Preferences. Therefore, limit the users with SSH access to those in the com.apple.access_ssh group. Start by creating the group using dseditgroup, as follows:

sudo dseditgroup -o create -q com.apple.access_ssh

3. Add each user to the com.apple.access_ssh group, using dseditgroup to add (-a) the localadmin account, whose record type is user (-t user), to the com.apple.access_ssh group, as follows:

sudo dseditgroup -o edit -a localadmin -t user com.apple.access_ssh

5.5 Use Key-Based SSH Access

SSH is one of the primary ways to obtain a shell on another host in UNIX, Linux, and OS X. SSH is also used to exchange files in an automated fashion between systems (for example scp for secure copy). When automating tasks for obtaining logs (to be converted into reports) from client systems, performing file operations, or remotely running commands and scripts, administrators must authenticate each time automations are run. Consider a preshared key approach to achieving authentication for routine SSH tasks so that passwords aren’t placed in scripts. Use passwords in conjunction with preshared keys for more day-to-day operations, thus enhancing the security of the communications by two factors. In this module, use preshared keys to connect from one host to another over SSH without the use of a password. To use key-based SSH access:

1. Generate an rsa1 key by using the following command:

ssh-keygen -t rsa1

The system will respond with the following:

Generating public/private rsa1 key pair

2. When prompted for a location for the key, leave this blank. The key is saved to a folder called .ssh in your user home folder. If logged in as a user called jfoster, you’ll receive output similar to the following:

Your identification has been saved in /Users/jfoster/.ssh/identity.
Your public key has been saved in /Users/jfoster/.ssh/identity.pub.

The key fingerprint will be similar to the following:

b8:ed:b5:92:d6:dd:ea:4b:00:45:41:16:33:4d:5a:3a [email protected]

Now that you have your key exported for your identity, export keys for use with SSH clients. These need to be in dsa and then rsa formats (rather than rsa1 as previously used).

3. Run the following commands, providing a passphrase when requested:

ssh-keygen -t dsa
ssh-keygen -t rsa

When the keys are generated, they reside in the ~/.ssh directory. Copy the keys to the target host and merge them into an authorized_keys file.

4. To copy the keys to the target host, use scp as follows:

scp ~/.ssh/*.pub [email protected]:/Users/jfoster/.ssh/tmp_authorized_keys

Note: Replace the IP address in the command above with that of the target.

5. Merge the keys into the authorized_keys file on that host by appending them (>>, so that any keys already installed are preserved), using the following command on the target system:

cat /Users/jfoster/.ssh/tmp_authorized_keys/*.pub >> /Users/jfoster/.ssh/authorized_keys

6. Once complete, remove the copied public keys from /Users/jfoster/.ssh/tmp_authorized_keys as follows:

rm /Users/jfoster/.ssh/tmp_authorized_keys/*.pub

Establish an SSH session on the target host without the use of a password to test communications.
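The procedure in 5.4 and the steps above, as an added shell script that is not part of the Apple guide: it enables Remote Login, restricts it to the com.apple.access_ssh SACL group, and merges copied public keys into authorized_keys without overwriting keys already present (a plain > redirect would) while enforcing the permissions sshd requires. The key contents and the localadmin account are assumptions; the merge function runs on any UNIX, the SACL function only on OS X as root.

```shell
#!/bin/bash
# Added example, not from the Apple guide: SSH provisioning for a managed Mac.
set -u

# Merge every *.pub file in $1 into the authorized_keys file $2.
# Prints the number of keys actually added; keys already present are skipped,
# and the directory/file modes sshd's StrictModes check expects are applied.
merge_authorized_keys() {
    src_dir=$1
    dest=$2
    added=0
    umask 077
    mkdir -p "$(dirname "$dest")"
    touch "$dest"
    for pub in "$src_dir"/*.pub; do
        [ -f "$pub" ] || continue          # no *.pub files: glob stayed literal
        # one key per line; compare the whole line (type, base64, comment)
        while IFS= read -r line || [ -n "$line" ]; do
            case $line in ''|'#'*) continue ;; esac
            if ! grep -qxF -- "$line" "$dest"; then
                printf '%s\n' "$line" >> "$dest"
                added=$((added + 1))
            fi
        done < "$pub"
    done
    chmod 700 "$(dirname "$dest")"
    chmod 600 "$dest"
    echo "$added"
}

# Turn on Remote Login and limit it to the com.apple.access_ssh group (the
# SACL behind "Only these users" in the Sharing pane), then add each user
# named on the command line. OS X only: dseditgroup/systemsetup do not exist
# elsewhere, so the function refuses to run there.
enable_ssh_sacl() {
    group=com.apple.access_ssh
    command -v dseditgroup >/dev/null 2>&1 || { echo "not OS X" >&2; return 1; }
    systemsetup -setremotelogin on
    dseditgroup -o read "$group" >/dev/null 2>&1 || dseditgroup -o create -q "$group"
    for user in "$@"; do
        dseditgroup -o edit -a "$user" -t user "$group"   # -t user: member is a user record
    done
    dseditgroup -o checkmember -m "$1" "$group"           # prints yes/no for the first user
}
```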

5.6 Use FileVault 2

FileVault® 2 provides full disk encryption for data-at-rest (DAR) protection and is built into OS X. FileVault 2 keeps all files on a Mac secure using XTS-AES-128 (256-bit keys) data encryption at the disk level. With FileVault 2 turned on, all information on the computer is kept safe from unauthorized access. In this module, enable FileVault 2 full disk encryption.

To enable FileVault:

1. Open System Preferences from the Apple menu.
2. Click Security & Privacy.

Figure 5.6_1

3. Click the FileVault tab.

Figure 5.6_2

4. Click the Turn On FileVault button.

Figure 5.6_3

5. If the system has multiple users, click Enable User for each authorized user. Then have the user enter his or her login password. Users who have provided passwords will be shown with a checkmark icon, while users who still require a password will be shown with an Enable User button. Users who don’t have any password set will be shown with a Set Password button. Note: Logging in after the system disk has been unlocked by another user is still possible, even if the user isn’t enabled here.

Figure 5.6_4

6. When prompted, provide the password.
7. Click OK, and repeat for each user.

Figure 5.6_5

8. Click Continue once all authorized users are enabled.
9. Document the displayed recovery key provided in the Recovery Key dialog.
10. Click Continue.

Figure 5.6_6

11. (Optional) To store the recovery key with Apple:
   a. Click the “Store the recovery key with Apple” radio button to store the protected key on Apple servers.
   b. Select three security questions to which you’ll always remember the responses.
   c. Provide a response below each question. You will need to reenter the exact same responses should the recovery keys need to be retrieved.
   d. The recovery key will be wrapped by a key generated from the selected questions and responses.
12. Click Continue.

Figure 5.6_7

13. Click Restart to restart the Mac and begin the encryption process.

Figure 5.6_8

To verify FileVault 2 full disk encryption status:

1. Open System Preferences from the Apple menu.
2. Click Security & Privacy.
3. Click the FileVault tab.

Figure 5.6_9

4. Note the displayed FileVault status:
   a. FileVault is turned on for the disk. This indicates that Full Disk Encryption (FDE) has been enabled for the disk.
   b. FileVault is turned off for the disk. This indicates that FDE hasn’t been enabled for the disk.
   c. A recovery key has been set. This indicates that the protected recovery key is stored on Apple servers.
   d. A recovery key has been set by your company, school, or institution. This indicates that an administrator has set the institutional recovery key.
   e. Encryption Finished. This indicates that the drive has completed the conversion process and is now fully encrypted.

Figure 5.6_10

To disable FileVault:

1. Open System Preferences from the Apple menu.
2. Click Security & Privacy.
3. Click the FileVault tab.

4. Click the Turn Off FileVault button.

Figure 5.6_11

5. Click Turn Off Encryption to confirm you wish to turn off FileVault.

Figure 5.6_12

5.6.1 Enable FileVault from the Command Line

OS X includes a command-line tool called fdesetup that allows system administrators to remotely manage FileVault. Use fdesetup to enable or disable FileVault, to add and remove users that may unlock the volume, and to determine whether FileVault is active on a particular Mac.

In this module, use fdesetup to enable FileVault. To enable FileVault from the command line:

1. Start a command-line session using Terminal or the Remote Login service.
2. Examine the current status of FileVault by entering the command:

fdesetup status

3. After confirming FileVault is off, enable FileVault with the command (fdesetup enable requires root privileges):

sudo fdesetup enable

4. Unless additional parameters are specified, an interactive session will prompt for the primary user’s short name and password.

5. On enabling FileVault, a recovery key is returned by the fdesetup command. It should be recorded or otherwise stored by IT. Once enabled, FileVault can be disabled provided the recovery key is available. To disable, use fdesetup with the disable verb.

5.6.2 Use fdesetup to Validate Escrowed Recovery Keys

The fdesetup command is used to enable FileVault from the command line. One of the most important tasks when deploying FileVault company-wide is to escrow the recovery keys to a centralized location and verify that the keys will work when needed. There are two types of keys, a personal recovery key and an institutional recovery key. When FileVault is enabled using the Security & Privacy pane in System Preferences, the personal recovery key is displayed. The institutional key is a key that can be shared between multiple hosts. Note: The institutional key can be used to unlock every FileVault 2 instance on which it is deployed. Therefore, special precautions should be instituted around the password and the storage of that key, and measured policies should be enacted for its use.

To use the fdesetup command to check whether a computer has a personal recovery key:

1. Start a command-line session using Terminal or the Remote Login service.
2. Examine whether FileVault uses a personal recovery key by entering the command:

fdesetup haspersonalrecoverykey

To use the fdesetup command to check whether a computer has an institutional recovery key:

1. Start a command-line session using Terminal or the Remote Login service.
2. Examine whether FileVault uses an institutional recovery key by entering the command:

fdesetup hasinstitutionalrecoverykey

To enable a specific personal recovery key:

1. Start a command-line session using Terminal or the Remote Login service.
2. Set the recovery key by using the changerecovery verb along with a -personal option, as follows:

sudo fdesetup changerecovery -personal

3. When prompted, enter the personal key to use.

To enable a specific institutional recovery key (in the form of a certificate):

1. Start a command-line session using Terminal or the Remote Login service.
2. Set the recovery key by using the changerecovery verb, along with a -institutional option, followed by the -certificate option that lists the path to a certificate, as follows:

sudo fdesetup changerecovery -institutional -verbose -certificate /tmp/institutional.cer

3. When prompted, enter the key to the certificate.

Once deployed, use the validaterecovery verb to verify that a recovery key will indeed unlock the encrypted boot volume of a system. To verify the recovery key will unlock the encrypted boot volume:

1. Start a command-line session using Terminal or the Remote Login service.
2. Run fdesetup with the validaterecovery verb, followed by the -recoverykey option and a key, as follows:

sudo fdesetup validaterecovery -recoverykey ABCD-ABCD-ABCD-ABCD-ABCD

3. The output will be either true or false.
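A non-interactive form of the procedures in 5.6.1 and 5.6.2, added here as example shell functions that are not part of the Apple guide: the enabling user's credentials are fed to fdesetup as a plist instead of typed at the prompt, the returned personal recovery key is pulled out of fdesetup's plist output for escrow, and an escrowed key is later looked up by serial number and checked with validaterecovery. The -inputplist and -outputplist options and the RecoveryKey output key are assumed from the fdesetup man page; the serial numbers, keys and the escrow.csv layout are constructed.

```shell
#!/bin/bash
# Added example, not from the Apple guide: scripted FileVault enable, key
# escrow and escrow validation. Assumed from the fdesetup man page:
# "fdesetup enable -inputplist" reads a plist with Username/Password from
# stdin, and "-outputplist" prints a plist whose RecoveryKey entry holds the
# new personal recovery key. Serial numbers, keys and the CSV are constructed.
set -u

# Escape the characters that would break the plist XML.
xml_escape() { printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'; }

# Print the input plist for fdesetup on stdout. Passing the password this
# way keeps it off the command line, where ps and shell history would show it.
fv_input_plist() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Username</key>
    <string>$(xml_escape "$1")</string>
    <key>Password</key>
    <string>$(xml_escape "$2")</string>
</dict>
</plist>
EOF
}

# Print the <string> that follows <key>$1</key> in plist XML read from stdin
# (works whether the key and value share a line or not).
plist_string() {
    awk -v k="<key>$1</key>" '
        !found { i = index($0, k); if (!i) next; found = 1; $0 = substr($0, i + length(k)) }
        /<string>/ { $0 = substr($0, index($0, "<string>") + 8)
                     print substr($0, 1, index($0, "</string>") - 1); exit }'
}

# Serial number of this Mac (OS X only).
mac_serial() { system_profiler SPHardwareDataType | awk -F': ' '/Serial Number/ { print $2; exit }'; }

# Enable FileVault for user $1 with password $2 and print one escrow record,
# "serial,recoverykey", on stdout. OS X, as root.
fv_enable_and_escrow() {
    command -v fdesetup >/dev/null 2>&1 || { echo "fdesetup not found" >&2; return 1; }
    out=$(fv_input_plist "$1" "$2" | fdesetup enable -inputplist -outputplist) || return 1
    printf '%s,%s\n' "$(mac_serial)" "$(printf '%s\n' "$out" | plist_string RecoveryKey)"
}

# Print the key escrowed for serial $1 in the CSV file $2 (empty if none).
escrow_lookup() { awk -F, -v s="$1" '$1 == s { print $2; exit }' "$2"; }

# Check that the key escrowed for this Mac still unlocks its boot volume:
# returns 0 on "true", 1 on "false", 2 when no record exists. OS X, as root.
fv_validate_escrow() {
    key=$(escrow_lookup "$(mac_serial)" "$1")
    [ -n "$key" ] || { echo "no escrow record for this Mac" >&2; return 2; }
    [ "$(fdesetup validaterecovery -recoverykey "$key")" = "true" ]
}
```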

5.6.3 Enable FileVault on an External Volume

FileVault can be used for more than just the boot volume. Enable FileVault on any volume connected to the computer to keep all your removable media secure.

To encrypt an external volume using FileVault:

1. View a volume using the Finder.
2. Control-click or right-click the volume name.
3. Choose Encrypt “” from the pop-up menu (the volume’s name appears between the quotation marks).

Figure 5.6.3_1

4. In the encryption dialog, provide a password and a hint for remembering the password. Then click the Encrypt Disk button.

Figure 5.6.3_2

FileVault 2 is scriptable. The fdesetup command is used to encrypt and manage keys for boot volumes, and the diskutil command is used to encrypt external volumes. To encrypt a non-boot volume, first run diskutil along with the list verb to see what disks and volumes are available, as follows:

diskutil list

The output is similar to the following:

#:                       TYPE NAME          SIZE       IDENTIFIER
0:      GUID_partition_scheme              *251.0 GB   disk0
1:                        EFI               209.7 MB   disk0s1
2:                  Apple_HFS HD            250.1 GB   disk0s2
3:                 Apple_Boot Recovery HD   650.0 MB   disk0s3
4:      GUID_partition_scheme              *292.0 GB   disk1
5:                        EFI               209.7 MB   disk1s1
6:                  Apple_HFS ExternalHD    250.1 GB   disk1s2

The device for the ExternalHD, above, is disk1s2. This is the volume to be encrypted. The diskutil command is used to encrypt that volume, using the cs (short for CoreStorage) option, along with the convert verb, the identifier, and the -passphrase option, in that order. The command would then be as follows:

diskutil cs convert /dev/disk1s2 -passphrase

Use the list verb with the diskutil command to watch the status, as follows:

diskutil cs list

5.6.4 Configure Master Passwords

When using monolithic images, deploying Full Disk Encryption can be problematic if relying on each user to enable encryption or if IT must touch each computer to enter the standard master password. The FileVault Master Password is configured on a monolithic image for all clients concurrently. This keeps users from setting their own FileVault Master Password. Setting a master password to a value known by IT personnel is helpful in the event IT needs access to a FileVault-encrypted Mac. It also helps with support when assistance is required and the master password is needed.

To set a FileVault Master Password in System Preferences:

1. Open System Preferences from the Apple menu.
2. Click Users & Groups.
3. Click the lock icon and authenticate to make changes.

Figure 5.6.4_1

4. Click the cog wheel icon to open the action pop-up menu. Then choose Set Master Password.

Figure 5.6.4_2

5. Enter the desired master password, then enter it again in the Verify field.
6. Click the OK button.

Figure 5.6.4_3

The Master Password is now set in a master image.

5.6.5 Manage FileVault 2 Keys

Managing keys for all users can require multiple approaches. To use the best deployment technique for FileVault 2, first consider how the encrypted drives will be supported and how data will be recovered when doing so as a required part of standard support operations. For a detailed look at different approaches for managing FileVault 2, refer to the Apple Technical White Paper, Best Practices for Deploying FileVault 2, available at training.apple.com/pdf/WP_FileVault2.pdf.

5.6.6 Encrypt Time Machine Backups

Time Machine backups stored on locally selected volumes can be encrypted using a custom password. To enable encrypted Time Machine backups:

1. Open System Preferences from the Apple menu.
2. Click Time Machine.

Figure 5.6.6_1

3. Click Options.

Figure 5.6.6_2

4. Click the Add (+) button.

Figure 5.6.6_3

5. Select any files or folders to exclude from the backup.
6. Click Exclude.

Figure 5.6.6_4

7. Repeat this process until all files and folders to exclude from the backup have been selected.
8. Click Save.
9. Click Select Backup Disk.

10. Select a disk from the list.
11. Click the “Encrypt backups” checkbox.

Figure 5.6.6_5

12. Click Use Disk.
13. Enter a backup password in the provided field. Then reenter the same password in the “Verify password” field. Note: Time Machine uses this password to encrypt the backup disk you selected. For help creating a strong password, click the key icon to the right.
14. Click the Encrypt Disk button to begin the encryption and backup processes.

Figure 5.6.6_6

Backups are encrypted and will protect all files stored inside the encrypted Time Machine location. Reenter the same backup password when attempting to recover a system from this encrypted Time Machine backup.

5.7 Use Third-Party Full Disk Encryption

Full disk encryption (FDE) software manages fully encrypted volumes in an organization and provides centralized key escrow for recovering access to the encrypted data. Third-party options are available that encrypt the boot volume of a Mac computer. There are several enterprise software-based full disk encryption solutions, such as:

• Check Point Full Disk Encryption®. www.checkpoint.com
• Symantec™ Drive Encryption. www.symantec.com/drive-encryption
• Sophos® SafeGuard® Encryption. www.sophos.com
• WinMagic® SecureDoc™ for Mac. www.winmagic.com

WinMagic integrates both software- and hardware-based full disk encryption, with self-encrypting hard disk drives (SEDs). All major developers of full disk encryption solutions provide the ability to centrally manage encryption keys, thus allowing for centralized key recovery. All third-party FDE solutions have the ability to be mass deployed, as needed, so that the full disk encryption process isn’t laborious to set up.

5.8 Manage the Network Firewall

Network firewalls help protect client computers in an organization. While most systems on a corporate network are protected at the network perimeter, client computers can be exposed to a variety of threats, whether used inside or outside the organization. Therefore, running a firewall on each client system is recommended. Most environments leverage a layered approach to security, including a software firewall. OS X includes two firewalls, an application-layer firewall and a pf firewall. This module covers both types of firewalls, starting with the application-layer firewall, which operates by validating the processes attempting to communicate and how they’re allowed to communicate.

5.8.1 Use the Application-Layer Firewall

OS X includes an application-layer firewall that secures network traffic by limiting which applications are allowed to establish network sockets in order to communicate with other hosts. The application-layer firewall limits which applications establish sockets by leveraging an application-signing framework. An application can’t establish a network connection without first being digitally signed. Application sources are tracked based on signatures and signature checking when initiating connections. Once an application makes a network connection, the application-layer firewall tracks whether the application can be used for incoming traffic. When using the application-layer firewall, if an application attempts to establish a connection on the network for the first time, the user is prompted to accept the communication. Only after acceptance is the application connection allowed through the firewall. The firewall can also be configured to deny all incoming communication so that users aren’t prompted to accept incoming traffic.

5.8.1.1 Configure the Application-Layer Firewall

The application-layer firewall in OS X is configured using the Security & Privacy pane in System Preferences.

To configure the application-layer firewall:

1. Open System Preferences from the Apple menu.
2. Click Security & Privacy.
3. Click the lock icon to make changes.

Figure 5.8.1.1_1

4. Click the Firewall tab.
5. Click the Turn On Firewall button. Note: Items enabled in the Sharing pane in System Preferences are now allowed to accept incoming connections. The only other services allowing incoming connections are the “essential services.” These services are configd for network configuration, mDNSResponder for discovering services, and the racoond process for IPSec.

Figure 5.8.1.1_2

6. Click the Firewall Options button.

7. Click the “Block all incoming connections” checkbox to block all connections for nonessential services.

Figure 5.8.1.1_3

8. Alternatively, use the Add (+) button to enable specific applications.
9. To add an application, navigate to and select the application.
10. Once selected, click the Add button.

Figure 5.8.1.1_4

11. Choose whether the application will allow or deny incoming connections using the menu next to the application name. 12. The application now appears in the list of allowed applications.

Figure 5.8.1.1_5

13. Click the “Enable stealth mode” checkbox to prevent the firewall from sending an acknowledgement of attempts to open sockets without listeners running. Stealth mode mimics what would occur if a computer were not running at the IP address being scanned. Without stealth mode, the computer will let a possible attacker know the ports are closed, alerting them to the presence of the host. This option enables stealth mode for TCP traffic, but not UDP traffic.
14. Automatically enable any signed software, software signed by a valid certificate authority, to provide network services. To do so, click Advanced and choose “Automatically allow signed software to receive incoming connections.”

5.8.1.2 Manage the Application-Layer Firewall from Terminal

The application-layer firewall is also configured from the command line. This enables programmatic control, which allows for automation in the form of scripts and packaging. These automations can be included in a modular image or enforced using a client management suite.

In this module, use the socketfilterfw command to configure the application-layer firewall from the command line.

To manage the application-layer firewall from the command line:

1. Change the working directory to /usr/libexec/ApplicationFirewall by using the following command:

cd /usr/libexec/ApplicationFirewall

The firewall command in this directory is a system daemon that runs the application-layer firewall.

2. The socketfilterfw command in the same directory allows administrators to configure the firewall. To get started, view the trusted applications by using the -l option, as follows:

sudo /usr/libexec/ApplicationFirewall/socketfilterfw -l

The --listapps option will also provide information about the status of each application that socketfilterfw will filter, as follows:

sudo /usr/libexec/ApplicationFirewall/socketfilterfw --listapps

A list is displayed of the number of exceptions, explicitly allowed applications, and signed exceptions. The output also shows the process name and status of each application allowed. Most of this information comes preentered by Apple for applications that provide their own integrity validation method that doesn’t conflict with the application-based firewall’s ad hoc digital signing process. There is also a list of TRUSTEDAPPS. These have sharing capabilities preinstalled by Apple, such as httpd (Apache™).

The options available in the Firewall pane in System Preferences map to options in the socketfilterfw command line. For example, the --setglobalstate option enables the global firewall. To enable the firewall using a script, simply run the following:

sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on

Or to disable it, run the following:

sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off

3. To enable the “allow signed applications” option, use the following:

sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned on

4. To enable stealth mode, use the following:

sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on

5. To enable firewall logging, use the following:

sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on

Or to just block all incoming traffic, use the following:

sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setblockall on

6. To set up a trusted application, use the socketfilterfw command with the --add option followed by the application to be set as trusted. The following command sets VMware® as a trusted application (the path contains a space, so it is quoted):

sudo /usr/libexec/ApplicationFirewall/socketfilterfw --add "/Applications/VMware Fusion.app/Contents/MacOS/vmware"

Note: Here the vmware binary, hidden a few levels within the .app bundle, was used rather than the VMware Fusion.app application bundle.

Also use the socketfilterfw command to sign applications by using the -s option followed by the name of the file, as follows:

sudo /usr/libexec/ApplicationFirewall/socketfilterfw -s "/Applications/VMware Fusion.app/Contents/MacOS/vmware"

7. Once signed, verify the signatures by using the -v option followed by the name of the file. To verify the binary that was signed above, use the following command:

sudo /usr/libexec/ApplicationFirewall/socketfilterfw -v "/Applications/VMware Fusion.app/Contents/MacOS/vmware"

8. To stop the application-layer firewall, use the following commands:

sudo launchctl unload /System/Library/LaunchAgents/com.apple.alf.useragent.plist
sudo launchctl unload /System/Library/LaunchDaemons/com.apple.alf.agent.plist

9. Remove the com.apple.alf.plist file from /Library/Preferences and replace it with the template /usr/libexec/ApplicationFirewall/com.apple.alf.plist.

The debugging feature of the firewall application can also be invoked by using the -d option to assist with troubleshooting, as follows (from the /usr/libexec/ApplicationFirewall directory entered in step 1):

./socketfilterfw -d
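The VMware note and steps 2 through 7 above, as an added script that is not part of the Apple guide: it resolves the executable inside a .app bundle from the bundle's Info.plist (CFBundleExecutable) so that --add, -s and -v receive the binary rather than the bundle, keeps paths that contain spaces intact by quoting them, and applies the baseline settings in one pass. The bundle used in the test is constructed; the socketfilterfw options are the ones the guide lists plus --getglobalstate.

```shell
#!/bin/bash
# Added example, not from the Apple guide: resolve the real executable inside
# a .app bundle and apply the application-layer firewall baseline with it.
set -u
SFW=/usr/libexec/ApplicationFirewall/socketfilterfw

# Print <bundle>/Contents/MacOS/<CFBundleExecutable> for the bundle in $1.
# On OS X "defaults read" handles binary and XML Info.plist files alike; the
# awk fallback parses an XML plist so the logic also runs elsewhere.
bundle_executable() {
    app=$1
    plist="$app/Contents/Info.plist"
    [ -f "$plist" ] || { echo "no Info.plist in $app" >&2; return 1; }
    exe=""
    if command -v defaults >/dev/null 2>&1; then
        exe=$(defaults read "$app/Contents/Info" CFBundleExecutable 2>/dev/null) || exe=""
    fi
    if [ -z "$exe" ]; then
        exe=$(awk '
            BEGIN { k = "<key>CFBundleExecutable</key>" }
            !found { i = index($0, k); if (!i) next; found = 1; $0 = substr($0, i + length(k)) }
            /<string>/ { $0 = substr($0, index($0, "<string>") + 8)
                         print substr($0, 1, index($0, "</string>") - 1); exit }' "$plist")
    fi
    [ -n "$exe" ] || { echo "CFBundleExecutable missing in $plist" >&2; return 1; }
    printf '%s/Contents/MacOS/%s\n' "$app" "$exe"
}

# Baseline: firewall on, signed software allowed, stealth mode and logging on,
# then trust, sign and verify one application's executable. OS X, as root.
# --setblockall is deliberately left out: it overrides the per-application list.
alf_baseline() {
    [ -x "$SFW" ] || { echo "socketfilterfw not found" >&2; return 1; }
    exe=$(bundle_executable "$1") || return 1
    "$SFW" --setglobalstate on
    "$SFW" --setallowsigned on
    "$SFW" --setstealthmode on
    "$SFW" --setloggingmode on
    "$SFW" --add "$exe"      # quoted: paths such as "VMware Fusion.app" contain spaces
    "$SFW" -s "$exe"
    "$SFW" -v "$exe"
    "$SFW" --getglobalstate
}
```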

5.8.2 Use the pf Firewall

Similar to ipfw, pfctl is used to filter packets at the lowest “device” level of the operating system. The pf toolset can do much more, including NAT (in the manner of Internet Sharing), bandwidth control/shaping, and macros to build up rules more dynamically. These rules handle traffic by feeding options to the pfctl utility or by loading named rulesets as part of configuration files. Addresses and/or network ranges are grouped into structures called tables to efficiently deal with a large number of hosts. The pf daemon then acts on the specified information in a preset order. In addition to macros and tables (of IP addresses), tuning options, normalization, queueing, and network translation come before finally actually filtering packets by passing or blocking them—the most basic reason for using any firewall or packet filter.

The default configuration file is /etc/pf.conf, which displays how, if pf were enabled for custom behavior, certain services that rely on pf could still be enabled on demand. In addition to the switches included in the original version of pf from FreeBSD®, the operating system can dynamically affect its state with triggers called by passing -X to pfctl. In addition to Internet Sharing, AirDrop®, the developer-friendly Network Link Conditioner utility, and the higher-level application-layer firewall are all referenced in the com.apple file, located in the /etc/pf.anchors directory. (The grouping of rulesets and address tables are referred to as anchors in pf parlance.)

To use pf.conf:

The /etc/pf.conf configuration file begins with handling for fragmentation and network inconsistencies by prioritizing the scrub directive. Internet Sharing ties into the NAT and redirection functionality, and NetworkLinkConditioner hands off traffic via dummynet for processing. Custom files can be incorporated in the pf.conf by adding rulesets as standalone anchors. Logs are captured by creating a pflog interface, then invoking tcpdump. To block all incoming traffic not otherwise allowed, make sure this line is in the file:

block in all

To block all outgoing traffic not otherwise allowed, make sure this line is in the rules defined in pf.conf:

block out all

Below that, the rules are then set to “pass” traffic “in” or “out” of an interface for a specified protocol. For example, to allow outgoing icmp traffic for en1:

pass out quick on en1 proto icmp

The power and flexibility pf provides to administrators adds many new options to the firewall in OS X.

To use pfctl:

pfctl is the tool used to dynamically change the configuration of pf, so there are a few command options administrators should learn. The first of these is the -e option, which enables pf, as follows:

sudo pfctl -e

When run, the output should be:

pf enabled

The next step is to check the configuration file for any errors, as follows:

sudo pfctl -v -n -f /etc/pf.conf

The configuration then needs to be loaded, which can be done by specifying the -f option along with the path to the configuration file (/etc/pf.conf), as follows:

sudo pfctl -f /etc/pf.conf

Because a lot of work is done remotely, it’s important to check the rulesets, tables, counters, and so on. Here are a few of the logging and sanity-checking options available with pfctl.

The first (-sa) shows all available information about pf:

sudo pfctl -sa

Because the amount of information provided can be difficult to digest, use the -sr option to just look at the current rules:

sudo pfctl -sr

Or use the -si option to only show statistics:

sudo pfctl -si

To watch pf:

Administrators must be able to see, and possibly parse the output of, pf. To do so, first set up pflog as a network interface using ifconfig, as follows:

sudo ifconfig pflog1 create

Once the pflog1 interface has been set up, run tcpdump using pflog1 as the interface:

sudo tcpdump -n -v -ttt -i pflog1

For more information on using pf:

Use the following commands to see more information about using the tools that comprise pf:

• man pfctl
• man pf.conf
• man pflog
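A client ruleset of the kind this section describes, added here as an example that is not part of the Apple guide: it is written as a standalone anchor file (macros and a table first, then scrub, a logged default deny inbound, and a few pass rules), checked before loading, and hooked into /etc/pf.conf the same way the com.apple anchor is. The anchor name com.example.client, the en0 interface and the management addresses are constructed; the awk check is a portable fallback for hosts without pfctl and is not a substitute for pfctl -n.

```shell
#!/bin/bash
# Added example, not from the Apple guide: build a pf anchor file for a
# client Mac, lint it, and install it under /etc/pf.anchors.
# Constructed values: anchor name com.example.client, interface en0 and the
# two management addresses in the <mgmt> table.
set -u
ANCHOR=com.example.client

# Write the ruleset to $1. pf evaluates sections in a fixed order (macros and
# tables, options, scrub, filter rules), and the last matching filter rule
# wins unless it carries "quick".
write_client_ruleset() {
    cat > "$1" <<'EOF'
# macros and tables come first; pf resolves them before any rule is parsed
ext_if = "en0"
table <mgmt> { 10.0.0.10, 10.0.0.11 }   # constructed management hosts

set skip on lo0
scrub in all

# default deny inbound (logged to pflog), stateful allow outbound
block in log all
pass out quick on $ext_if proto { tcp udp icmp } all keep state

# echo requests only, so monitoring can still reach the host
pass in quick on $ext_if inet proto icmp all icmp-type echoreq

# SSH only from the management table; the SACL from 5.4 still applies on top
pass in quick on $ext_if proto tcp from <mgmt> to ($ext_if) port 22 flags S/SA keep state
EOF
}

# Parse-check the file. As root on OS X this is "pfctl -n -f" (parse only,
# nothing is loaded); elsewhere a structural check: each rule starts with a
# pf keyword and every $macro and <table> it references is defined in the file.
lint_ruleset() {
    if command -v pfctl >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
        pfctl -n -f "$1"
        return
    fi
    awk '
        /^[ \t]*(#|$)/ { next }
        /^[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ {
            match($0, /^[A-Za-z_][A-Za-z0-9_]*/); def[substr($0, 1, RLENGTH)] = 1; next }
        $1 == "table" { n = $2; gsub(/[<>]/, "", n); def["<" n ">"] = 1; next }
        {
            if ($1 !~ /^(pass|block|match|set|scrub|anchor|load|nat|rdr|antispoof)$/) {
                print FILENAME ": unknown rule keyword: " $1 > "/dev/stderr"; bad = 1 }
            line = $0; sub(/#.*/, "", line)
            while (match(line, /\$[A-Za-z_][A-Za-z0-9_]*/)) {
                ref = substr(line, RSTART + 1, RLENGTH - 1)
                if (!(ref in def)) { print FILENAME ": undefined macro $" ref > "/dev/stderr"; bad = 1 }
                line = substr(line, RSTART + RLENGTH) }
            line = $0; sub(/#.*/, "", line)
            while (match(line, /<[A-Za-z_][A-Za-z0-9_]*>/)) {
                ref = substr(line, RSTART, RLENGTH)
                if (!(ref in def)) { print FILENAME ": undefined table " ref > "/dev/stderr"; bad = 1 }
                line = substr(line, RSTART + RLENGTH) }
        }
        END { exit bad + 0 }' "$1"
}

# Copy the anchor into place, reference it from /etc/pf.conf the way the
# com.apple anchor is referenced, parse-check the whole file, reload, and
# enable pf. OS X, as root.
install_client_ruleset() {
    lint_ruleset "$1" || return 1
    cp "$1" "/etc/pf.anchors/$ANCHOR"
    if ! grep -q "^anchor \"$ANCHOR\"" /etc/pf.conf; then
        printf 'anchor "%s"\nload anchor "%s" from "/etc/pf.anchors/%s"\n' \
            "$ANCHOR" "$ANCHOR" "$ANCHOR" >> /etc/pf.conf
    fi
    pfctl -n -f /etc/pf.conf && pfctl -f /etc/pf.conf && pfctl -e
}
```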

5.9 Manage Keychains

Users are authenticating to and accessing an ever-increasing number of protected services. These services include email, file sharing, social networking, banking, and system administration. With so many credentials, users need an easy way to store and retrieve credentials on demand, without risking exposure to unauthorized access. To address this, Apple includes a feature called Keychain®. A keychain is a container for securely storing user and system credentials on local systems, enabling quick retrieval when needed. Keychains are integrated so deeply into OS X that they can’t be disabled or shut off. There are five default keychains with each new system account, each providing a very specific purpose, protection, and storage. They are login, iCloud®, Directory Services, System, and System Roots. Every keychain in the keychain list is used by the system and administrator for locating and retrieving appropriate credentials, as follows:

• Login. Stored in /Users//Library/Keychains/login.keychain, the login keychain allows every user on a Mac to start with an empty keychain named login for storing their own credentials. All passwords, keys, secure notes, and user identities can be stored here. OS X populates the keychain with certificates acquired during the parsing of digitally signed email messages within the Mail.app. This user keychain is protected with a passphrase initially set to the same value as the user’s login password and can be set to any passphrase desired.
• iCloud. Shows iCloud Keychain entries, or entries synchronized between computers and stored in an iCloud account.
• Directory Services. Locally configured directory servers allow systems configured for external directory services such as Active Directory, LDAP, and NIS to be enabled to search directory services for certificates from that same directory service, retrieving X.509 certificates for other users.
• System. Stored in /Library/Keychains/System.keychain, the System keychain is an operating-system- and system-administrator-managed store for the purposes of machine (system) authentication to network services and storage of corporate root Certificate Authority (CA) certificates for system-wide trust. The System keychain is always accessible by the operating system, independent of any user login. Any network services, such as 802.1X, VPN, and WPA/WPA2, with machine authentication require that the credential and any corresponding trust chain be stored in the System keychain if those certificates were issued from a corporate CA or from any root CA not included in the System Roots keychain.
• System Roots. Stored in /System/Library/Keychains/SystemRootCertificates.keychain, the System Roots keychain is an operating-system-managed store for the purpose of retaining the pretrusted root CA certificates of OS X. Administrators can alter the trust on any of the root certificates to reflect desired systemwide CA trust, but can’t remove or delete any root certificates from this unchangeable store. Apple updates the certificates in this keychain during OS X software and security updates.


Keychain Access provides simplified GUI management of the various keychains and their contents. The following sections take a closer look at what keychains are and how to manage them using Keychain Access.


5.9.1 View Keychain Contents

1. Open Keychain Access from the /Applications/Utilities folder.
2. Select a keychain from the list by clicking its name in the sidebar.

Figure 5.9.1_1

3. The right side of the Keychain Access window displays all items currently stored within that keychain, with the following column headings:
• Name. The name of the keychain item, such as mail.company.com.
• Kind. The type of keychain item, such as certificate or web form password.
• Date Modified. The date the keychain item was last modified.
• Expires. The expiration date of an X.509 certificate.
• Keychain. The name of the keychain in which the item is stored.


4. Click a keychain item to see top-level information about it.
5. Double-click the keychain item or click the Information (i) button at the bottom of the window to open the information pane for the item.

Figure 5.9.1_2

6. Drag any keychain item to another location to generate a copy of that item.


5.9.2 Install Certificates Using Profile Manager

Certificates are deployed using configuration profiles. They are commonly added in the form of .cer and .p12 files; deploying a certificate with a profile requires the certificate file and, optionally, the passphrase that protects it.

To use Profile Manager to deploy certificates:

1. Open the Server application from /Applications.
2. Click Profile Manager from the Services list in the sidebar.
3. Click Open Profile Manager in the lower-right corner.
4. Authenticate as needed with administrative credentials.
5. Click Users, Groups, Devices, or Device Groups in the Library list in the sidebar. Then select the user, group, device, or device group to edit.
6. Click the Settings tab.
7. Click the Edit button.

Figure 5.9.2_1


8. Scroll down and click Certificate in the sidebar.

Figure 5.9.2_2

9. In the Configuration Certificate pane, click the Configure button.

Figure 5.9.2_3


10. Provide a name for the certificate in the Certificate Name field.
11. Enter the password for the certificate you are about to upload in the Passphrase field.
12. Click the Add Certificate button.

Figure 5.9.2_4

13. Browse to the certificate that matches the certificate passphrase.
14. Click Choose.

Figure 5.9.2_5


15. Once uploaded, click OK.

Figure 5.9.2_6

16. Click Save.
17. Click Save again to confirm changing the profile.
18. Click Download to download a copy of the profile for manual installation or to apply it to a client system for MDM-based installation.


5.9.3 Enable Directory Services Searching for Certificates

Keychain can search a directory service for a certificate. To enable directory services searching for certificates:

1. Open Keychain Access from the /Applications/Utilities folder.
2. Click Keychain Access, then click Preferences.
3. Click the General tab.
4. Click the “Search directory services for certificates” checkbox to enable searching all directory services configured for the system.

Figure 5.9.3_1

5. Directory Services now appears as an item that can be searched in the Keychains list.

Figure 5.9.3_2


5.9.4 Enable Certificate Revocation Checking

1. Open Keychain Access from the /Applications/Utilities folder.
2. Choose Preferences in the Keychain Access menu.
3. Click the Certificates tab.

Figure 5.9.4_1

4. In the Online Certificate Status Protocol (OCSP) menu, choose Off, “Best attempt,” or “Require if certificate indicates.”

Figure 5.9.4_2

5. To enforce OCSP verification for all certificates, hold down the Option key while choosing from this menu.

Figure 5.9.4_3


6. Choose the desired enforcement from the Certificate Revocation List (CRL) menu. To enforce CRL verification for all certificates, hold down the Option key while choosing from this menu.

Figure 5.9.4_4

7. When both OCSP and CRL are enabled, choose which protocol response takes priority, or whether to require both responses for full validation.

Note: When both options are set to Require and either server isn’t responding, the system is unable to verify the certificate, and any use of that certificate can fail.


5.9.5 Import Items into a Keychain

1. Open Keychain Access from the /Applications/Utilities folder.
2. In the File menu, choose Import.

Figure 5.9.5_1

3. Select a valid credential, such as an X.509 identity file (.p12 file) or a .pem file.
4. Keychain Access automatically launches and asks for the password for the certificate, if one is required. When importing an X.509 identity (.p12 file), enter the password used when the wrapped file was created.
5. In the Keychain column, choose the appropriate keychain, either “login” for user credentials or “system” for system-wide credentials.
6. View the item(s) in the selected keychain.

Figure 5.9.5_2


5.9.6 Export Items from a Keychain

1. Open Keychain Access from the /Applications/Utilities folder.
2. Locate the item to export by choosing the appropriate keychain or category in the sidebar, or by using the search field.

Figure 5.9.6_1

3. In the File menu, choose Export Items. Or use the keyboard shortcut Command-Shift-E.
4. In the Save File dialog, navigate through the file system to select a location to export the item(s).
5. Click Save.

Figure 5.9.6_2


6. If the items to export are encrypted in the keychain, enter a password to protect the exported items. Use a strong password so the credential can’t be unlocked by an unauthorized individual.
7. If the items to export are encrypted in the keychain, you’ll also be required to unlock the keychain currently protecting them by entering the keychain password.
8. If encrypted, click Allow.
9. The items are now stored at the selected location.


5.9.7 Configure iCloud Keychain

Keychains are used to store passwords, notes, certificates, and keys. When you choose to have OS X remember the password to a wireless network, encrypted drive, or file server, that information is put into a keychain. When you accept a certificate through Safari or the Mail application, that information is put into a keychain. And when you choose to have OS X remember a password to authenticate to a website or to certain applications, that information is also stored in a keychain.

iCloud stores keychain items and synchronizes those items between computers. These keychain items can then be accessed, using iCloud Keychain, from any computer signed in to the same Apple ID. Additionally, applications that are built to access iCloud Keychain can access entries directly.

To enable iCloud Keychain:

1. Open System Preferences from the Apple menu.
2. Click iCloud.
3. Click the Keychain checkbox to enable Keychain.

Figure 5.9.7_1


4. iCloud appears under Keychains in the sidebar.

Figure 5.9.7_2

To disable iCloud Keychain, deselect the Keychain checkbox in the list of items synchronized with iCloud in the iCloud pane in System Preferences.

Note: If your organization has a policy against password managers, you can use a profile to disable iCloud Keychain on client computers.

6 Networking/Wireless

OS X supports nearly all standards-compliant network configurations. Every Mac ships with a minimum of one network interface, as follows:
• One 802.11n (2.4GHz and 5GHz Wi-Fi) or 802.11ac network interface.
• One Bluetooth® 2.1+ interface.
• At least one wired (802.3) Ethernet network interface (except MacBook Air and MacBook Pro with Retina® display).
• Two wired Ethernet network interfaces (Mac Pro® only).

The networking stack in OS X is configured for IPv4 and IPv6 through the Network pane in System Preferences and through the command line. 802.1x options are also tied into System Preferences, via configuration profiles, and into the command line using the networksetup command.

The MAC address for each interface is printed on the outside of the box the computer is shipped in, along with a corresponding bar code. This allows for quick mass deployments using the bar code to scan a computer into an asset management database. MAC addresses are tied to logic boards, so in the event that a computer requires a logic board replacement, the MAC address(es) will change. The only exceptions are the USB or Thunderbolt dongles used by MacBook Air or MacBook Pro, which hold the Ethernet MAC address for the wired Ethernet interface.


6.1 Manage IPv4 Settings

OS X supports all the standard tasks required to configure a client to operate on an IPv4 network. By default, OS X runs DHCP on each interface. IP addresses can be assigned statically as well, with each interface having more than one address installed on it if desired.

To configure an IPv4 address in OS X:

1. Open System Preferences from the Apple menu.
2. Click Network.

Figure 6.1_1

3. Click the network interface you’d like to configure. For example, Ethernet, Wi-Fi, and so on.
4. Wired interfaces show the following fields. (The IP Address and Subnet Mask fields are required. The other fields are required only in order to route traffic and resolve names properly.)
• Status. The state of the Ethernet interface. If an Ethernet cable isn’t plugged in, the indicator is red. If a cable is plugged in (and a switch is available on the other side of the cable), the indicator is either green, if a DHCP address is available and the network interface is set to obtain IP addresses automatically, or amber, if there’s no IP address available.
• Configure IPv4 menu.
  - Manually. IP addresses are provided statically rather than dynamically.


  - Using DHCP. IP addresses are provided automatically via the DHCP protocol. For more on DHCP, see requests for comment (RFCs) 1531, 2131, 3315 and 3633 at tools.ietf.org/html.
  - Using DHCP with a Manual Address. The IP address is provided statically while the rest of the information is provided by DHCP.
  - Using BootP. IP addresses are provided via the Bootstrap protocol. For more on BootP, see RFC 951 at tools.ietf.org/html/rfc951.
• IP Address. The IP address the host will use when an interface isn’t obtaining the IP address automatically.
• Subnet Mask. The subnet mask to be used with the IP address provided.
• Router. The router, or default gateway, to be used to route traffic for the client using the IP address provided.
• DNS Server. The DNS servers to be used for the environment, with multiple addresses separated by a comma.
• Search Domains. Information from this field is appended to the end of host names not otherwise fully qualified. For example, if the search domain is configured as pretendco.com, entering www in a Safari window automatically expands to www.pretendco.com.
• Advanced. Configures proxy server settings and the speed of network interfaces.

Figure 6.1_2


5. The Wi-Fi pane shows fewer fields, including:
• Turn Wi-Fi On or Turn Wi-Fi Off button. Controls whether wireless networking is enabled.
• Status. Shows whether the Mac is connected to a wireless network and, if connected, shows the name and IP address being used. Wireless IP addresses can be static or dynamic.
• Network Name menu. The name of the wireless network.
• Connect button. This button is used if there is an 802.1x network.
• Advanced button. Used to configure more detailed controls, such as proxy server settings.

Figure 6.1_3


6. Wired Ethernet (802.3) and wireless (802.11) interfaces both include an Advanced button. Use the Wi-Fi tab in the advanced screen to configure to which networks a client is allowed to connect and what wireless network tasks require an administrative password.

Figure 6.1_4


7. The TCP/IP and DNS tabs show similar options as those outlined in step 4, with the exception that here is where IPv6 is configured.

Figure 6.1_5


8. The WINS tab shows discovery information for legacy (workgroup) Windows-oriented networks, including:
• NetBIOS. A NetBIOS name for the computer being configured.
• Workgroup. A NetBIOS workgroup name for discovering other hosts on the network.
• WINS. The WINS server that manages NetBIOS communications when discovery isn’t automatic or when master browser conflicts are encountered while using sharing on a client system.
DHCP can configure these fields automatically, and they can be manually overwritten.

Figure 6.1_6


9. The 802.1x tab displays information about profiles, including details of installed 802.1x security configurations. These configuration profiles are installed as .mobileconfig files. Create, edit, and manage .mobileconfig files using tools such as iPhone® Configuration Utility, Apple Configurator, Profile Manager, and various third-party MDM tools.

Figure 6.1_7


10. Click the Proxies tab to configure a proxy server for the environment. Proxies are broken down per client-side protocol or by using a SOCKS proxy. Proxies can also be bypassed for certain addresses. Passive FTP Mode can be configured here as well.

Figure 6.1_8


11. Click the Hardware tab to configure the behavior of Ethernet interfaces including network speeds, duplex states, and MTU sizes (up to, but not including, jumbo frames). Interface performance can be improved with a correct value and decreased with an incorrect value.

Figure 6.1_9

12. At the top of the Network pane in System Preferences, there is a Location menu. Each location has different settings for interfaces, making it useful when computers roam between networks, such as home and office.

Figure 6.1_10


13. To enable, disable, and duplicate services (or interfaces), click the cog wheel icon to open the action pop-up menu. Use this same menu to create a second IP address, set up Link Aggregation, or configure an internal VLAN.

Figure 6.1_11

All the options available in the Network pane in System Preferences have parallel settings at the command line, allowing for scripting deployment and packaging the configuration of network settings.


6.2 Manage IPv6 Settings

OS X is IPv6 compliant and is able to:
• Accept automatically assigned addresses using IPv6-based DHCP services.
• Obtain addresses using link-local addressing (the IPv6 version of Automatic Private IP Addressing, or APIPA).
• Interpret addressing schemes in DNS.
• Operate on IPv6 networks without the use of IPv4 networking or bridging.

By default, OS X leverages what is known as a dual stack, where both IPv4 and IPv6 are used concurrently. All sharing services are also IPv6-aware, allowing Mac computers to communicate with one another using IPv6. Each enabled sharing service (for example, ) has a listener bound to both the IPv4 and IPv6 interface by default.

To configure IPv6 networking:

1. Open System Preferences from the Apple menu.
2. Click Network.
3. In the sidebar, click the interface to configure.
4. Click Advanced.

Figure 6.2_1


5. Click the TCP/IP tab.
6. The Configure IPv6 menu is set to Automatically by default, to obtain IPv6 addresses dynamically. Alternately, choose Manually or “Link-local only.”

Figure 6.2_2

   a. If changing the Configure IPv6 menu to Manually, provide the Router, IPv6 address, and prefix length (provided by a network administrator). Note: The prefix length is typically 64 characters.

Figure 6.2_3


7. Click OK.

Figure 6.2_4

8. Click Apply.

9. Test the settings. Use the ping6 command to ping other IPv6 addresses. Or use the command with the -l option to show IPv6 addresses. Additionally, ndp (Network Discovery Protocol) can be used.

OS X can also relay communications between IPv6 and IPv4. To do this, select “6 to 4” in the “Add new interface” dialog. Then either allow the relay address to be obtained automatically or provide one.


6.3 Set Up Wired and Wireless Connections Using the Network Setup Assistant

The Network Setup Assistant provides a guided wizard for setting up wired and wireless network connections in OS X. The Assistant can be run multiple times, setting up a new location each time. Each location can have different interface settings, suitable for when computers roam between networks (for example, between home and office networks).

To use the Network Setup Assistant in OS X:

1. Open Network Setup Assistant from /System/Library/CoreServices.
2. Enter a location name in the Introduction window. Then click Continue.

Note: The location is where the system will reside. For example, you can configure two locations, home and office. Home could have simpler settings for a home network, while office could have more detailed office network settings specific to your organization, such as proxy servers.

Figure 6.3_1

3. In the “How Do You Connect to the Internet?” window, click the method used to connect to the network, as follows:
• If using Wi-Fi, select the “I use AirPort to connect to the Internet wirelessly” button.
• If behind a router or firewall, select the “I connect to my local area network (LAN)” button.
• If directly connected to a cable or DSL modem, select the corresponding cable or DSL modem button.


Figure 6.3_2

4. If selecting “I use AirPort to connect to the Internet wirelessly,” a dialog will prompt you to select the wireless network and provide a password. If a broadcast isn’t detected for a given wireless network, choose Other Wi-Fi Network from the menu.

Note: This step isn’t required for Ethernet-based networking.

Figure 6.3_3

5. Click Continue.


6. In the Ready to Connect? window, click Continue. Here, you can also open AirPort® Utility to configure an AirPort base station. Note: This isn’t required for wired (802.3) Ethernet networking.

Figure 6.3_4

7. The Network Setup Assistant configures the appropriate network interface and creates a location. If the process fails, an “Unable to establish a network connection” dialog appears, giving you the option to diagnose the problem.

Figure 6.3_5


6.4 Run Network Diagnostics

Network Diagnostics is an Apple tool that checks Ethernet, modem, Wi-Fi (AirPort), and other interfaces for common networking problems. In this module, use Network Diagnostics to check the Wi-Fi interface for connectivity to the wireless network, appropriate network settings, connectivity to an ISP, and to validate communication with the Internet.

To run Network Diagnostics to check the Wi-Fi interface:

1. Open Network Diagnostics from /System/Library/CoreServices.
2. Confirm the network location.
3. Click Continue.

Note: You won’t see the Select Location window unless you have configured multiple locations in the Network pane in System Preferences.

Figure 6.4_1


4. Select the Wi-Fi radio button.
5. Click Continue.

Figure 6.4_2

6. Select a Wi-Fi network from the list.
7. When prompted, provide the network password. If a broadcast isn’t detected for a given wireless network (for example, if you’re using SSID suppression), click the “Use hidden network” button.
8. Click Continue.

Figure 6.4_3


9. Select DSL or cable modem for connecting to the Internet, if prompted. If the system is unable to reach beyond the router, a prompt to restart the device appears.
10. Network Diagnostics attempts to connect to the network and reports back any failures encountered.
11. If any other problems are reported, click Continue to take corrective action.

The Network Diagnostics tool is just one of the many applications that systems administrators, desktop support engineers, and help desk technicians can use to effectively troubleshoot issues that may arise on Mac computers.


6.5 Configure Networking from the Command Line

Network settings are easily configured using the networksetup command. Use this command to script location setup, IP address settings, wireless network connections, and VLANs, and to prepare systems for 802.1x-based networks.

To use networksetup:

The networksetup command is most commonly used to set up wireless networking. Network ports in UNIX, Linux, BSD, and OS X are usually referred to as en followed by a number to identify the port. This is easily seen when running the ifconfig command from any of these operating system families. By default, most Mac computers with an Ethernet port use en0 to identify the physical Ethernet port and en1 to identify the Wi-Fi port. The MacBook Air is an exception—with its Wi-Fi port using en0. The networksetup command, along with the -listallhardwareports option, shows the physical ports present in each computer, as follows:

networksetup -listallhardwareports

The -addpreferredwirelessnetworkatindex option adds a wireless network to the list of preferred networks on a Mac. Follow it with the hardware port for the Wi-Fi adapter, the name of the wireless network to join, the index number to be assigned (or 0 to automatically choose a unique internal ID for the network), the security type of the wireless network (OPEN, WEP, WPA, WPA2, WPAE, or WPA2E), and, if pertinent, the actual credentials to join the network. For example, use the following command to add a network called pretendco:

networksetup -addpreferredwirelessnetworkatindex en1 pretendco 0 NONE

If the pretendco wireless network uses WPA for security, use the following command to assign the WPA password of mypassword:

networksetup -addpreferredwirelessnetworkatindex en1 pretendco 0 WPA mypassword

To verify that a wireless network is properly added, use the -listpreferredwirelessnetworks option followed by the interface, as follows:

networksetup -listpreferredwirelessnetworks en1

To remove items from the list, use the -removepreferredwirelessnetwork option, followed by the hardware port, and then the name of the network to be removed. Continuing with en1 as the Wi-Fi interface, to remove a network called Cisco, use the following command:

networksetup -removepreferredwirelessnetwork en1 Cisco

To remove all preferred wireless networks (a common pre-imaging task), use the -removeallpreferredwirelessnetworks option followed by the hardware port, as follows:

networksetup -removeallpreferredwirelessnetworks en1


Note: When using a script to deploy 802.1x settings, the certificate should be deployed prior to setting up the 802.1x profile. Certificates are managed using the security command.
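The note above, worked as an added example that is not part of the guide: a script that uses the security command to put a corporate root CA and a machine identity into the System keychain (where the keychain overview says machine-authentication credentials and corporate CA trust must live) before the 802.1x profile is installed. The file paths, the CA common name and the PASSPHRASE variable are placeholders; the eapolclient path is that of the OS X 802.1x supplicant.

```bash
#!/bin/bash
# Added example, not from the guide: deploy the certificates an 802.1x profile
# depends on with the security command, before the profile itself is installed.
# File paths, the CA common name and the PASSPHRASE variable are placeholders.
# Run as root; the System keychain is not writable by ordinary users.
set -eu

SYSTEM_KEYCHAIN=/Library/Keychains/System.keychain
# The 802.1x supplicant that must be allowed to use the imported private key
EAPOLCLIENT=/System/Library/SystemConfiguration/EAPOLController.bundle/Contents/Resources/eapolclient

# Classify a credential file by extension: "identity" (.p12/.pfx, certificate
# plus private key), "certificate" (.cer/.crt/.pem/.der), or fail for anything else.
cert_kind() {
    case "$1" in
        *.p12|*.pfx) echo identity ;;
        *.cer|*.crt|*.pem|*.der) echo certificate ;;
        *) echo unknown; return 1 ;;
    esac
}

# Add a corporate root CA to the System keychain and mark it trusted for all
# users, which is what machine authentication against a corporate CA requires.
install_root_ca() {
    local cert="$1"
    [ -f "$cert" ] || { echo "missing file: $cert" >&2; return 1; }
    [ "$(cert_kind "$cert")" = certificate ] || { echo "not a certificate: $cert" >&2; return 1; }
    # -d: admin (system-wide) trust domain; -r trustRoot: trust it as a root anchor
    security add-trusted-cert -d -r trustRoot -k "$SYSTEM_KEYCHAIN" "$cert"
}

# Import a machine identity (.p12) for 802.1x machine authentication.
# -x makes the private key non-exportable afterwards; -T lets eapolclient use
# the key without an access prompt at every network join.
install_machine_identity() {
    local p12="$1" passphrase="$2"
    [ -f "$p12" ] || { echo "missing file: $p12" >&2; return 1; }
    [ "$(cert_kind "$p12")" = identity ] || { echo "not a .p12 identity: $p12" >&2; return 1; }
    # The passphrase is visible in the process list while security runs, so keep
    # the deployment script root-only and unset PASSPHRASE when done.
    security import "$p12" -k "$SYSTEM_KEYCHAIN" -P "$passphrase" -x -T "$EAPOLCLIENT"
}

# Check that a certificate with the given common name is present in the System keychain.
cert_installed() {
    security find-certificate -c "$1" "$SYSTEM_KEYCHAIN" >/dev/null 2>&1
}

# Typical order (placeholder paths), run before the .mobileconfig carrying the
# 802.1x payload is applied:
#   install_root_ca /path/to/corp-root.cer
#   install_machine_identity /path/to/machine.p12 "$PASSPHRASE"
#   cert_installed "Corp Root CA" && echo "root CA present"
```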

To manage network services with networksetup:

Other network settings are also configured using networksetup, including services. A service is a virtual interface to a hardware port. Each hardware port can have many network services running on it, each with a unique IP address. Services are also put in the order connections are attempted. For example, if there are two services, one called Wi-Fi and another called Ethernet, when the Ethernet cable is plugged in, Wi-Fi should not be used (assuming they’re on the same network) for any traffic that is local to the Ethernet interface.

To order network services: List the network services installed by default using the -listallnetworkservices option for the networksetup command, as follows:

networksetup -listallnetworkservices

By default, most systems return the following output:

Ethernet
Wi-Fi
FireWire

To change the name of the Wired network service, run the networksetup command again. This time use the -renamenetworkservice option, as follows:

networksetup -renamenetworkservice Ethernet Wired

Next, make sure the Wired network service is listed above Wi-Fi. Use the same order in which the services are listed using networksetup with a -listnetworkserviceorder option, as follows:

networksetup -listnetworkserviceorder

This returns the following list (although potentially in a different order according to your configuration):

(1) Wi-Fi
(Hardware Port: Ethernet, Device: en1)
(2) Wired
(Hardware Port: Ethernet, Device: en0)
(3) FireWire
(Hardware Port: FireWire, Device: fw0)

Wi-Fi is listed first in the network service order. In this example, the Wired interface should be listed instead so that Ethernet traffic has a higher priority than Wi-Fi traffic (given that it’s a faster interface). To change the order of network services, use the networksetup command with the -ordernetworkservices option. Then list each service in the desired order, as follows:

networksetup -ordernetworkservices Wired Wi-Fi FireWire


Note: Not all interfaces shown in this example are available on all Apple notebook models. For example, by default a MacBook Air doesn’t come with an Ethernet port installed.

Next, disable FireWire for networking. (It will still be available for storage devices.) Set FireWire to off using networksetup with the -setnetworkserviceenabled option, as follows:

networksetup -setnetworkserviceenabled FireWire off

In this example, also disable IPv6, using the -setv6off option to disable IPv6 for the Wired and Wi-Fi network services, since many environments do not yet support IPv6:

networksetup -setv6off Wired
networksetup -setv6off Wi-Fi

Next, set Wi-Fi to use DHCP using the -setdhcp option:

networksetup -setdhcp Wi-Fi

The Wired network service can use DHCP. For this example, set the service to a static IP address of 192.168.210.8 with a subnet mask of 255.255.255.0 and a gateway of 192.168.210.1. The configuration is performed in one networksetup command, using the -setmanual option, followed by the name of the service. It’s then followed by the IP address, subnet, and router. For this example the command is:

networksetup -setmanual Wired 192.168.210.8 255.255.255.0 192.168.210.1

Or for USB Ethernet interfaces, such as those used with MacBook Air, use the following syntax:

networksetup -setmanual 'USB Ethernet' 192.168.210.8 255.255.255.0 192.168.210.1

Next, assign name servers using the -setdnsservers option with networksetup. Set the DNS servers to 192.168.210.2 and 192.168.210.3. When using the -setdnsservers option, list the name servers in the order they should be utilized, as follows:

networksetup -setdnsservers Wired 192.168.210.2 192.168.210.3

networksetup can be used for much more, including location management, proxy configurations, and even managing IPv6 settings. For more information on the networksetup command, see its man page:

man networksetup
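The sequence above, as an added example script that is not from the guide: it validates every address before touching the system, skips the rename and FireWire steps when those services don’t exist (as on a MacBook Air), and uses the guide’s sample addresses and the service name Wired as placeholders.

```bash
#!/bin/bash
# Added example, not from the guide: the networksetup sequence above as one
# script. Addresses are validated before anything is changed, the rename and
# the FireWire steps are skipped when those services are absent (as on a
# MacBook Air), and the guide's sample addresses are used as placeholders.
# networksetup needs administrator rights to change settings.
set -eu

# Validate a dotted-quad IPv4 address (four octets, each 0-255).
is_ipv4() {
    local ip="$1" octet
    # Reject empty strings, characters other than digits and dots, and
    # dots that are leading, trailing or doubled.
    case "$ip" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    local IFS=.
    set -- $ip          # split into octets (positional parameters are local here)
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# True if networksetup knows a service by this exact name (disabled services
# are listed with a leading asterisk, so match that form too).
service_exists() {
    networksetup -listallnetworkservices | grep -qx -e "$1" -e "\*$1"
}

# configure_services WIRED_NAME IP MASK ROUTER DNS_SERVER...
configure_services() {
    local wired="$1" ip="$2" mask="$3" router="$4" addr
    shift 4
    [ $# -ge 1 ] || { echo "usage: configure_services SERVICE IP MASK ROUTER DNS..." >&2; return 1; }
    # Check every address up front so a typo never leaves a half-applied config.
    for addr in "$ip" "$mask" "$router" "$@"; do
        is_ipv4 "$addr" || { echo "invalid IPv4 address: $addr" >&2; return 1; }
    done

    # Rename the default Ethernet service once; later runs find it already renamed.
    if ! service_exists "$wired"; then
        service_exists Ethernet || { echo "no service named $wired or Ethernet" >&2; return 1; }
        networksetup -renamenetworkservice Ethernet "$wired"
    fi

    # Put the wired service ahead of Wi-Fi; include FireWire in the order and
    # disable it for networking only where it exists.
    if service_exists FireWire; then
        networksetup -ordernetworkservices "$wired" Wi-Fi FireWire
        networksetup -setnetworkserviceenabled FireWire off
    else
        networksetup -ordernetworkservices "$wired" Wi-Fi
    fi

    networksetup -setv6off "$wired"
    networksetup -setv6off Wi-Fi
    networksetup -setdhcp Wi-Fi
    networksetup -setmanual "$wired" "$ip" "$mask" "$router"
    networksetup -setdnsservers "$wired" "$@"
}

# Apply the guide's sample values when invoked with arguments, e.g.
#   sudo ./netconfig.sh Wired 192.168.210.8 255.255.255.0 192.168.210.1 192.168.210.2 192.168.210.3
if [ $# -ge 5 ]; then
    configure_services "$@"
fi
```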

To use ifconfig:

Other network settings can be displayed and monitored from the command line using tools such as ifconfig, ipconfig, and . Manual pages exist for all the commands and can be invoked by typing man followed by the name of the command. ifconfig is used to set, modify, and display interface properties and status. Changes won’t be saved on restart by default.


The following is an example output of ifconfig:

en1: flags=8863 mtu 1500
	ether 68:a8:6d:19:02:18
	inet6 fe80::6aa8:6dff:fe19:218%en1 prefixlen 64 scopeid 0x5
	inet 192.168.5.99 netmask 0xffffff00 broadcast 192.168.5.255
	media: autoselect
	status: active

ifconfig can also be used to create additional interfaces, add VLANs, bond common media interfaces together for link aggregation grouping (LAG), and many other options.

To use ipconfig:

ipconfig is used to view and control the state of IP addresses.

One example of using ipconfig is to display the DHCP properties of the interface, including the DHCP server that assigned the address. To see the information tracked about IP addresses, use the getpacket verb for ipconfig along with the interface to be run on, as follows:

ipconfig getpacket en1

This command returns information similar to the following:

op = BOOTREPLY
htype = 1
flags = 0
hlen = 6
hops = 1
xid = 2021502854
secs = 1
ciaddr = 0.0.0.0
yiaddr = 192.168.5.99
siaddr = 0.0.0.0
giaddr = 0.0.0.0
chaddr = 68:a8:6d:19:2:18
sname =
file =
options:
Options count is 8
dhcp_message_type (uint8): ACK 0x5
server_identifier (ip): 1.1.1.1


lease_time (uint32): 0x1c20
subnet_mask (ip): 255.255.255.0
router (ip_mult): {192.168.5.1}
domain_name_server (ip_mult): {192.168.5.1}
domain_name (string): home.local
end (none):

Using the airport command:

A number of command-line tools in OS X are embedded in applications and frameworks. The airport command is one such tool. Located in /System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/, the airport command displays information about wireless interfaces. This command is also used to scan for wireless networks, set wireless preferences, and sniff wireless packets. For example, assuming /System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources is the current working directory, the following command:

./airport -s

Returns the following output:

SSID    BSSID             RSSI CHANNEL HT CC SECURITY
Apple   b0:48:7a:ed:9c:d4 -83  6       N  US WPA2(PSK/AES,TKIP/TKIP)
Topeka  ba:c7:5d:0c:ac:d0 -85  6       Y  US WPA2(PSK/AES/AES)
Atlanta c4:3d:c7:64:2a:8b -90  11      N  -- WEP
Tampa   c4:0a:cb:a0:ac:30 -36  11      Y  US WPA2(PSK/AES/AES)


To see extended wireless network information in the GUI, hold down the Option key and click the Wi-Fi icon in the menu bar.

Figure 6.5_1 The wireless information displayed is the same as the output of the airport command-line utility.


6.6 Configure VPN Settings

Users in many organizations must be able to reach corporate networks when working from home. The most common way to provide remote access is a Virtual Private Network (VPN). A VPN creates an authenticated, encrypted tunnel across an untrusted network (usually the Internet), so that traffic between the client and the corporate network cannot be read or modified in transit. OS X acts as a native client for PPTP, L2TP over IPSec, and Cisco® IPSec VPNs, with no third-party software required. In this module, configure the VPN client in OS X using each of these three client types. Note that PPTP's authentication and encryption (MS-CHAPv2 and MPPE) are cryptographically broken; it is covered here because existing deployments still use it, but new deployments should use L2TP over IPSec or Cisco IPSec, preferably with certificate-based machine authentication.

To configure a PPTP client:

1. Open System Preferences from the Apple menu.
2. Click Network.
3. Click the lock icon to be able to make changes.
4. Provide the user name and password, then click OK.
5. Click the Add (+) button in the lower-left corner.

Figure 6.6_1

6. In the Interface menu, choose VPN.
7. In the VPN Type menu, choose PPTP.
8. In the Service Name field, provide the name you’d like users to see when referencing the VPN connection.
9. Click Create.

Figure 6.6_2

10. In the Server Address field, provide the host name or IP address of the server.
11. In the Account Name field, enter the appropriate user name.
12. In the Encryption menu, choose an encryption type. The default, Automatic, accepts either 128-bit or 40-bit MPPE; choose Maximum (128 bit only) where the server supports it so the weaker key length cannot be negotiated.
13. Click the Authentication Settings button.

Figure 6.6_3

14. Choose the authentication mechanism to be used. For PPTP, a password is most commonly used. To have the user prompted for the password at each connection instead of storing it, click Cancel.
15. Click OK.

Figure 6.6_4

16. Optionally, click the “Show VPN status in menu bar” checkbox to allow users to connect to the VPN from the menu bar.

Figure 6.6_5

17. Click the Apply button.
18. Test the connection by clicking Connect or by choosing it from the VPN status menu.

To configure an L2TP client:

1. Open System Preferences from the Apple menu.
2. Click Network.

Figure 6.6_6

3. If present, click the lock icon to be able to make changes.
4. Provide the user name and password.
5. Click OK.
6. Click the Add (+) button in the lower-left corner.
7. In the Interface menu, choose VPN.
8. In the VPN Type menu, choose L2TP over IPSec.
9. In the Service Name field, provide the name you’d like users to see when referencing the VPN connection.

Figure 6.6_7

10. Click Create.
11. In the Server Address field, provide the host name or IP address of the server.
12. In the Account Name field, enter the appropriate user name.

Figure 6.6_8

13. Click the Authentication Settings button.
14. Choose the appropriate authentication mechanisms listed under User Authentication and Machine Authentication. This is often a password and a shared secret. However, Certificate can be chosen for Machine Authentication, and RSA SecurID, Certificate, Kerberos, or CryptoCard can be chosen for User Authentication. The shared secret is the IPSec pre-shared key, and it is the same on every client, so it is only as secret as the least careful device it is stored on; where the VPN gateway supports it, a machine certificate is the better choice.

Figure 6.6_9

15. Enter a Group Name if needed (frequently required for Cisco L2TP over IPSec connections).
16. Click OK.

Figure 6.6_10

17. Optionally, click the “Show VPN status in menu bar” checkbox to allow users to connect to the VPN from the menu bar.
18. Click the Apply button.
19. Test the connection by clicking Connect or by choosing it from the VPN status menu.

To configure a Cisco IPSec client:

1. Open System Preferences from the Apple menu.
2. Click Network.

Figure 6.6_11

3. Click the lock icon to be able to make changes.
4. Provide the user name and password, then click OK.
5. Click the Add (+) button in the lower-left corner.
6. In the Interface menu, choose VPN.
7. In the VPN Type menu, choose Cisco IPSec.
8. In the Service Name field, provide the name users will see when referencing the VPN connection.

Figure 6.6_12

9. Click Create.
10. In the Server Address field, provide the host name or IP address of the server.
11. In the Account Name field, enter the appropriate user name.
12. In the Password field, enter the password for that user name.

Figure 6.6_13

13. Click the Authentication Settings button.
14. Provide a shared secret or select a certificate (see the network administrator for this information).
15. Optionally, provide a Group Name if one is needed for your environment.
16. Click OK.

Figure 6.6_14

17. Optionally, click the “Show VPN status in menu bar” checkbox to allow users to connect to the VPN from the menu bar.

Figure 6.6_15

18. Click the Apply button.
19. Test the connection by clicking Connect (or by choosing it from the VPN status menu).

6.7 802.1x and Network Security Overview

OS X supports connecting to WEP, WPA, WPA2, WEP Enterprise, WPA Enterprise, and WPA2 Enterprise networks. For more secure networks, OS X also supports most 802.1x options. 802.1x is the most widely accepted form of port-based network access control in use. It forces authentication against a centralized authentication service (generally RADIUS™) before a client is granted access to a wired or wireless network. Until a client has authenticated, the switch port or access point (the Authenticator) keeps it in an unauthorized state and passes only the authentication exchange itself (EAPOL frames) between the client and the authentication server. Mac computers join an 802.1x network as a standards-compliant Supplicant and authenticate using a variety of standards-based EAP methods, including ones that combine certificates with user credentials.

802.1x authentication (as a client) is configured in OS X in the Network pane of System Preferences, per adapter. The EAP methods OS X supports are TLS, TTLS, PEAP, LEAP, EAP-FAST, and MD5. Of these, the certificate-based methods are the ones to deploy: in EAP-TLS the client presents its own certificate, and in PEAP and TTLS the authentication server's certificate authenticates the network to the client and establishes a TLS tunnel inside which the user name and password are sent. LEAP and EAP-MD5 provide no server authentication and expose password material to offline guessing, so they should not be used where anything better is available. The keys that protect the wireless session are derived from this EAP exchange, which is why the client must verify the server certificate: a client that accepts any certificate will just as happily complete the exchange, and hand over its credentials, with a rogue access point running its own RADIUS server.

In many environments, the CA certificate that issued the authentication server's certificate is distributed to clients during the imaging process, so that the trust relationship is in place before the first 802.1x connection. The following examples outline the steps for setting up a Mac computer to communicate with an 802.1x environment.

802.1x profiles are created and distributed using Profile Manager or Apple Configurator. The following examples cover how to set up each of the most widely used 802.1x configurations in OS X. The configuration profiles are then deployed to client systems to set up the 802.1x settings.

6.7.1 Configure WPA / TKIP — PSK

Wi-Fi Protected Access (WPA) is a protocol for securing wireless networks. OS X can act as a WPA access point or as a WPA client. WPA networks use Temporal Key Integrity Protocol (TKIP) for encryption. TKIP was designed as a replacement for WEP that could run on the same RC4-based hardware, and WEP provides less security than WPA; both are now deprecated, and WPA2 with AES (the next module) should be used wherever the access points support it. Both WEP and WPA are supported by OS X. In this module, use OS X as a WPA client, browse to a network, and join wireless networks.

To join a WPA network:

1. Open System Preferences from the Apple menu.
2. Click Network.

Figure 6.7.1_1

3. Click the lock icon to make changes.
4. Provide the appropriate administrative credentials to authenticate.
5. Click Wi-Fi in the sidebar.
6. If the Status is shown as Off, click the Turn Wi-Fi On button.
7. In the Network Name menu, choose the WPA network.

Figure 6.7.1_2

8. Provide the password when prompted.

Figure 6.7.1_3

9. The connection is established, and signal strength is shown in the upper-right corner of the screen.
10. Click the Advanced button.
11. The WPA network is now included in the list of preferred networks. To reorder networks by priority, drag each network into the appropriate order. The “Require administrator authorization to” checkboxes determine whether users without administrative privileges may create computer-to-computer networks, change networks, or turn Wi-Fi off; select them to reserve those actions for administrators.

Figure 6.7.1_4

12. When satisfied with the configuration, click OK.

6.7.2 Configure WPA2 / AES — PSK

Wi-Fi Protected Access II (WPA2) is a protocol for securing wireless networks. OS X can act as a WPA2 client. WPA2 is similar to WPA, but rather than TKIP it uses the Advanced Encryption Standard (AES, in CCMP mode) for encryption by default, and it is the only one of WEP, WPA, and WPA2 that should be used for new networks. In this module, use OS X as a WPA2 client, browse to a wireless network, and join that network (or provide the network information manually if the SSID has been suppressed; note that hiding an SSID adds no security, since clients then broadcast probes for it wherever they go).

To join a WPA2 network:

1. Open System Preferences from the Apple menu.
2. Click Network.

Figure 6.7.2_1

3. Click the lock icon to make changes.
4. Provide the appropriate administrative credentials.
5. Click Wi-Fi in the sidebar.
6. If the Status is shown as Off, click the Turn Wi-Fi On button.
7. In the Network Name menu, choose “Join other network.”

Figure 6.7.2_2

8. Provide the name of the network, choose its security type (WPA2 Personal), and enter the password when prompted.

Figure 6.7.2_3

9. The connection is established and signal strength is displayed in the upper-right corner of the screen.
10. Click the Advanced button.
11. The WPA2 network is included in the list of preferred networks. To reorder networks by priority, drag each network into the appropriate order. The “Require administrator authorization to” checkboxes determine whether users without administrative privileges may create computer-to-computer networks, change networks, or turn Wi-Fi off; select them to reserve those actions for administrators.
12. When satisfied with the configuration, click OK.

6.7.3 Create 802.1x Profiles

802.1x is the most widely accepted form of port-based network access control. Extensible Authentication Protocol (EAP) is the authentication framework that 802.1x carries; the EAP method that runs inside it authenticates the parties and derives the keys for the session. Supported EAP methods include Protected Extensible Authentication Protocol (PEAP), which encapsulates a second EAP exchange inside Transport Layer Security (TLS): the authentication server presents a certificate that the client must validate, and the user name and password (normally as MSCHAPv2) are then sent only inside the encrypted tunnel. OS X supports 802.1x PEAP connectivity. Configurations are imported using a configuration profile (a .mobileconfig file) created in Profile Manager, Apple Configurator, or iPhone Configuration Utility. In this module, start with a functional installation of Profile Manager. Then create a configuration profile that will be installed on a client system.

To create a configuration profile for 802.1x/PEAP:

1. On an OS X Server system, open the Server application from /Applications.
2. Click Profile Manager in the Services list in the sidebar.

Figure 6.7.3_1

3. Click Open Profile Manager.

Figure 6.7.3_2

4. Click a Device, User, or Group to create the profile for that object.
5. Click the Settings tab.
6. Click the Edit button. Note: If the Edit button isn’t available, first create a new configuration by clicking the Add (+) button. Then click the Edit button.

Figure 6.7.3_3

7. Install the certificate. For PEAP this is the CA certificate that issued the RADIUS server’s certificate, which the client needs in order to validate that server; skip this step only if clients already trust that CA.
   a. Click Certificate in the sidebar.
   b. Click the Configure button.

Figure 6.7.3_4

   c. Provide a name for the certificate in the Certificate Name field.
   d. Click the Add Certificate button.

Figure 6.7.3_5

   e. Browse to the certificate file (for example .cer, .pem, or .p12).
   f. Click the Choose button.

Figure 6.7.3_6

   g. In the Passphrase field, provide the passphrase for the certificate (only .p12 files, which also carry a private key, have one).
   h. Click OK.

Figure 6.7.3_7

8. Configure 802.1x.
   a. Click Network in the sidebar.
   b. Click the Configure button.

Figure 6.7.3_8

   c. In the Network Interface menu, select the appropriate interface to configure.
      • Choose Wi-Fi:
        i. Provide the name (SSID) of the wireless network in the Service Set Identifier (SSID) field.
        ii. Click the Hidden Network checkbox if the SSID has been suppressed.
        iii. In the Security Type menu, choose WPA/WPA2 Enterprise.
        iv. Click the Protocols tab.
        v. Under Accepted EAP Types, click the PEAP checkbox.
        vi. On the Trust tab, select the certificate added in step 7 under Trusted Certificates and add the RADIUS server’s certificate name under Trusted Server Certificate Names. Without these, the client accepts any server certificate its keychain trusts, which a rogue access point with a publicly issued certificate can satisfy.
        vii. Click OK.

Figure 6.7.3_9

      • Choose Ethernet (OS X only):
        i. Click the Protocols tab.
        ii. Under Accepted EAP Types, click the PEAP checkbox.
        iii. Configure the Trust tab as for Wi-Fi.
        iv. Click OK.

Figure 6.7.3_10

   d. Click Save.
   e. Deploy the profile to a client system to test functionality.
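The profile Profile Manager produces in this module is an XML property list. The following Python script, added here as an example and not Profile Manager’s or Apple’s code, builds the same kind of profile directly with the standard plistlib module and then applies the checks worth running on any 802.1x profile before deployment, whoever produced it: no embedded password, a non-empty trusted-server-name list, an anchor UUID that really points at the bundled CA payload, and no user click-through for untrusted server certificates. Payload keys follow Apple’s Configuration Profile Reference as the author understands it; the SSID, RADIUS host name, reverse-DNS identifiers, and CA bytes are placeholders to replace with real values.

```python
import plistlib
import uuid

PEAP, EAP_TLS, EAP_TTLS = 25, 13, 21   # IANA EAP method numbers used in AcceptEAPTypes

def _uuid():
    return str(uuid.uuid4()).upper()

def ca_payload(display_name, der_bytes):
    """com.apple.security.root payload carrying the CA that issued the RADIUS
    server's certificate; der_bytes is written as <data> in the plist."""
    return {
        "PayloadType": "com.apple.security.root",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.8021x.ca",   # placeholder identifier
        "PayloadUUID": _uuid(),
        "PayloadDisplayName": display_name,
        "PayloadContent": der_bytes,
    }

def wifi_peap_payload(ssid, server_names, anchor_uuid, hidden=False, username=None):
    """com.apple.wifi.managed payload for WPA/WPA2 Enterprise with PEAP."""
    eap = {
        "AcceptEAPTypes": [PEAP],
        # Both of the next two keys must be set, or the client completes the
        # handshake with any server whose certificate chains to something trusted.
        "PayloadCertificateAnchorUUID": [anchor_uuid],
        "TLSTrustedServerNames": list(server_names),
        "TLSAllowTrusted": False,       # no "trust this certificate?" click-through
        "OuterIdentity": "anonymous",   # the real user name travels only inside the TLS tunnel
    }
    if username:
        eap["UserName"] = username      # never UserPassword: it would ship in clear text
    return {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.8021x.wifi",   # placeholder identifier
        "PayloadUUID": _uuid(),
        "PayloadDisplayName": "Wi-Fi %s" % ssid,
        "SSID_STR": ssid,
        "HIDDEN_NETWORK": hidden,
        "AutoJoin": True,
        "EncryptionType": "WPA",        # with EAPClientConfiguration present this is WPA/WPA2 Enterprise
        "EAPClientConfiguration": eap,
    }

def build_profile(ssid, server_names, ca_der, ca_name="Corp Root CA"):
    """Top-level Configuration profile holding the CA and the Wi-Fi payload."""
    ca = ca_payload(ca_name, ca_der)
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.8021x",   # placeholder identifier
        "PayloadUUID": _uuid(),
        "PayloadDisplayName": "802.1X Wi-Fi (%s)" % ssid,
        "PayloadScope": "System",       # applies to the computer, not to one user's login
        "PayloadContent": [ca, wifi_peap_payload(ssid, server_names, ca["PayloadUUID"])],
    }

def lint_profile(profile):
    """Checks to run on any 802.1x profile before deployment; returns problems."""
    anchors = {p["PayloadUUID"] for p in profile["PayloadContent"]
               if p["PayloadType"] == "com.apple.security.root"}
    problems = []
    for p in profile["PayloadContent"]:
        eap = p.get("EAPClientConfiguration")
        if not eap:
            continue
        if "UserPassword" in eap:
            problems.append("password embedded in profile")
        if not eap.get("TLSTrustedServerNames"):
            problems.append("no TLSTrustedServerNames: any server with a trusted chain is accepted")
        if not anchors & set(eap.get("PayloadCertificateAnchorUUID", [])):
            problems.append("anchor UUID does not match a certificate payload")
        if eap.get("TLSAllowTrusted", True):
            problems.append("users may click through an untrusted server certificate")
    return problems

def to_mobileconfig(profile):
    """Serialize to the XML plist that the profiles command installs."""
    return plistlib.dumps(profile)

def from_mobileconfig(data):
    """Parse a .mobileconfig (for example a Profile Manager export) for linting."""
    return plistlib.loads(data)

if __name__ == "__main__":
    fake_ca = b"\x30\x82\x00\x00"    # placeholder; use the real CA's DER bytes
    prof = build_profile("CorpWiFi", ["radius.corp.example.com"], fake_ca)
    print(lint_profile(prof) or "profile passes checks")
    with open("corp-8021x.mobileconfig", "wb") as f:
        f.write(to_mobileconfig(prof))
```

Install the result on a client with sudo profiles -I -F corp-8021x.mobileconfig (or by double-clicking it, as the next module shows) and confirm with profiles -P. Because lint_profile works on the parsed plist, it can also be pointed at a profile downloaded from Profile Manager to confirm that the Trust tab was actually filled in before the profile goes out.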


6.8 Import and Export 802.1x Profiles

Once .mobileconfig files are created, profiles can be installed on client systems to deploy 802.1x settings as part of an imaging workflow, pushed to the device over the network, or installed manually by users. In this module, install profiles with 802.1x settings, first exporting the profile so there is a file that can be distributed.

To export a configuration profile:

1. Open the Profile Manager web page located at http:///profilemanager.
2. Browse to the profile created.
3. Click Download. Note: This exports not only the 802.1x settings but every other setting in that profile, including any certificates added to it (and, for .p12 certificates, their private keys and passphrases). Treat the exported file as a credential.

Figure 6.8_1

4. Cancel the attempt to install the profile. Then copy it from the currently logged-in user’s Downloads folder to a secure location.

Figure 6.8_2

To install a configuration profile on a client computer:

1. Double-click the configuration profile.
2. Click Show Profile.

Figure 6.8_3

3. Verify that the settings are correct.
4. Click Continue.

Figure 6.8_4

5. Click Install.
6. Because 802.1x requires a local administrator for configuration, provide the local administrator’s user name and password. Note: To see installed profiles (and remove them, if needed), use the Profiles pane in System Preferences, which only appears once a profile has been installed.

Figure 6.8_5

Note: If the profile is signed using a self-signed certificate, you will see a prompt to install the profile again, along with a warning that the certificate is self-signed. Signing profiles with a certificate the clients already trust avoids the warning and lets users tell a legitimate profile from one that was tampered with in transit.

6.9 Configure 802.1x to Join Corporate Networks

The 802.1x protocol authenticates users (or computers) to networks. OS X supports 802.1x clients joining standard networks via a number of the more common EAP methods used when configuring 802.1x.

To see settings and to establish a manual connection with 802.1x:

1. Open System Preferences from the Apple menu.
2. Click Network.
3. Click the interface with an 802.1x profile.
4. Next to the 802.1x field, click the Connect button.

Figure 6.9_1

5. Optionally, set the connection to occur automatically.
   a. Click the Advanced button.
   b. Click the 802.1x tab.
   c. Click the checkbox for “Enable automatic connection.”
   d. Click OK.

Figure 6.9_2

6.10 Obtain a Certificate from a Windows CA

Many environments use a Windows-based Certificate Authority (CA). The CA issues certificates to client systems, including Mac computers. Whatever CA is used, certificates need to be made available in a form that OS X understands. Common certificate formats include, but are not limited to:
• .cer, .crt, .der — A single certificate, usually DER (binary) encoded; .cer and .crt files are sometimes PEM encoded instead.
• .pem — Base64-encoded DER between BEGIN CERTIFICATE and END CERTIFICATE lines; a .pem file may hold a whole chain.
• .p12 — A PKCS#12 bundle containing a certificate together with its private key, protected by a passphrase.

To obtain a .crt certificate:

1. Install the certificate from a CA using Safari. For example, visit the https version of the site. When prompted, click Show Certificate.

Figure 6.10_1

2. Click the “Always trust when connecting to ” checkbox so the certificate is cached on the client computer. Safari only prompts because the certificate is not already trusted, so before clicking, compare the fingerprint shown with the value published by the CA administrator; trusting an unverified certificate here teaches the Mac to accept whoever presented it.
3. Click Continue.

Figure 6.10_2

4. Authenticate if prompted.
5. Open Keychain Access, located in /Applications/Utilities.
6. Search for the certificate name.
7. Export the certificate by either dragging it to the desktop or by choosing Export Items in the File menu if the certificate should have a password, as described previously in this guide.

Figure 6.10_3

To install the certificate:

1. Double-click the exported certificate. This opens Keychain Access.
2. Click Certificates in the Category list in the sidebar.
3. Click the Add (+) button.
4. In the Keychain menu, choose the keychain into which to install the certificate. For certificates that should be available to all users, choose System. Otherwise, choose login.
5. Click the Add button.

Figure 6.10_4

6. If installing the certificate into the System keychain, provide an administrative account’s credentials in the Authenticate window.

Figure 6.10_5

7. In the “When using this certificate” menu, choose Always Trust.
8. Click the keychain into which the certificate was imported.
9. Click the certificate and verify that it is valid.

Certificates are also added programmatically (see the next module) or by double-clicking them.

6.11 Trust Certificates from the Command Line

When imaging systems, SSL certificates often need to be distributed as part of a base image, enabling computers to authenticate to network resources. The certificate is first downloaded from the Certificate Authority that publishes it. This module uses the curl command to download a certificate called mycert.crt and place it into the /tmp directory of the local client by specifying the path with the -o option, as follows:

curl -o /tmp/mycert.crt http://myserver.mydomain.org/mycert.crt

Because this download is what the client will trust from now on, fetch it over https where possible and, in any case, verify its fingerprint against a value obtained out of band before importing it. A certificate fetched over plain http can be replaced in transit, and the replacement would then be trusted by every Mac built from the image.

Once a client system has the certificate, it can be added to a keychain using the security command with the import verb. Specify the certificate file after the import verb, followed by the -k option to name the keychain into which it will be installed (run with sudo to install into the System keychain):

sudo security import /tmp/mycert.crt -k /Library/Keychains/System.keychain -x

The -x flag marks any private key in the imported file as non-extractable. It has no effect on a .crt file, which holds only a public certificate, but is worth keeping for .p12 imports. Note also that import only stores the certificate; it does not mark it as trusted. To have OS X trust it as a root (the equivalent of choosing Always Trust in Keychain Access), use the add-trusted-cert verb of security instead, with -d to write the admin trust settings, -r trustRoot for the trust type, and -k for the keychain; add-trusted-cert also adds the certificate to that keychain if it is not there yet.

Once the certificate has been installed, the .crt file can be removed using the rm command followed by the path of the file, as follows:

rm /tmp/mycert.crt
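As an added example (not from the guide), the following Python script does the job of the curl and security commands above with the fingerprint check built in: it downloads the certificate, computes its SHA-256 fingerprint in the colon-separated form that Keychain Access and openssl display, refuses to continue unless it matches the value passed on the command line, and only then runs security add-trusted-cert so the certificate is both stored and trusted. The URL, pin and /tmp path are placeholders; the security call is the only macOS-specific part, and the parsing and hashing functions run anywhere.

```python
import base64
import hashlib
import os
import re
import subprocess
import sys
import urllib.request

SYSTEM_KEYCHAIN = "/Library/Keychains/System.keychain"
PEM_BLOCK = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(data):
    """DER bytes of the first certificate in data, whether it is PEM or already DER."""
    m = PEM_BLOCK.search(data)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()))
    return data

def sha256_fingerprint(cert_bytes):
    """SHA-256 over the DER encoding, in the AA:BB:... form that
    `openssl x509 -noout -fingerprint -sha256` and Keychain Access show."""
    digest = hashlib.sha256(pem_to_der(cert_bytes)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize_pin(pin):
    """Accept the pin with or without colons or spaces, in any case."""
    return re.sub(r"[^0-9A-F]", "", pin.upper())

def verify_pin(cert_bytes, expected_pin):
    return normalize_pin(sha256_fingerprint(cert_bytes)) == normalize_pin(expected_pin)

def trust_command(path, keychain=SYSTEM_KEYCHAIN):
    """argv that adds the certificate to the keychain AND marks it a trusted
    root in the admin trust store; `security import` alone does not set trust."""
    return ["security", "add-trusted-cert", "-d", "-r", "trustRoot", "-k", keychain, path]

def install_pinned_ca(url, expected_pin, dest="/tmp/mycert.crt"):
    """Download, verify the pin, trust, clean up. Run as root (sudo) on the Mac."""
    with urllib.request.urlopen(url) as resp:   # use an https URL; the pin is the real protection
        cert = resp.read()
    if not verify_pin(cert, expected_pin):
        raise SystemExit("fingerprint mismatch for %s: got %s, refusing to trust it"
                         % (url, sha256_fingerprint(cert)))
    with open(dest, "wb") as f:
        f.write(cert)
    try:
        subprocess.run(trust_command(dest), check=True)
    finally:
        os.remove(dest)   # same cleanup as the rm step above

if __name__ == "__main__":
    if len(sys.argv) != 3:
        raise SystemExit("usage: %s <certificate URL> <expected SHA-256 fingerprint>" % sys.argv[0])
    install_pinned_ca(sys.argv[1], sys.argv[2])
```

Run it as root, for example sudo python3 trust_ca.py https://myserver.mydomain.org/mycert.crt AA:BB:... with the fingerprint the CA administrator gave you. The manual equivalent, once the fingerprint has been compared by hand, is sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /tmp/mycert.crt.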


6.12 Create Active Directory Certificates

An Active Directory Certificate Authority (CA) can issue certificates to users and computers. Previous modules covered .pfx/.p12 certificates exported from a CA and installed by hand; enrolling with the CA instead issues each client its own certificate without manual installation. This makes revocation easier and helps manage expiration: the lifetime of a certificate is set on the CA, typically by the template’s policy. Because user- and machine-based certificates are becoming more common, Profile Manager now provides a payload to configure these Active Directory-based certificates, which allows for mass enrollment of client systems into an Active Directory-based CA infrastructure.

To configure an Active Directory certificate:

1. On an OS X Server system, open the Server application from /Applications.
2. Click Profile Manager in the Services list in the sidebar.

Figure 6.12_1

3. Click Open Profile Manager.

Figure 6.12_2

4. Click a device, user, or group.
5. Click the Settings tab.
6. Click Edit.

Figure 6.12_3

7. Click AD Certificate in the Settings sidebar.
8. In the Configure AD Certificate pane, click the Configure button.

Figure 6.12_4

9. Click the Description field and type a description for the payload. This is the name you will see when selecting this identity in the 802.1x settings or elsewhere.
10. Click the Certificate Server field and provide the host name of the CA server.
11. Click the Certificate Authority field and provide the name of the CA as configured on that server.
12. Click the Certificate Template field and provide the name of the template to enroll against (such as Machine or User). Optionally, provide a user name and password in the Username and Password fields. Note: When left blank, the Username and Password fields cause users to be prompted for their Active Directory user name and password when the profile is installed. Leave them blank in most cases: credentials typed here are stored in the profile, and anyone who obtains the profile can enroll for certificates as that account.

Figure 6.12_5

13. Click OK.
14. Click Save.
15. Click Save again to confirm, and the profile change is saved. The profile can then be pushed to the user or manually downloaded using the Download button. There are more actions that can be accomplished with these profiles. For a more detailed explanation of use and functionality, see training.apple.com/pdf/WP_8021X_Authentication.pdf.

Certificate Expiration

By design, certificates expire. Configuration profiles need to be reinstalled to reissue new identities. OS X issues a profile notification when the certificate is within 15 days of expiration. Users then click the notification and see an Update button in the Profiles pane in System Preferences. The Update button reissues the identity, tears down the existing EAP-TLS configuration, and rebuilds the EAP-TLS configuration with the new identity. Note: During the reconfiguration process, as with the initial configuration process, there should not be any interruption in connectivity. The client computer also needs a valid route to the issuing CA, which means the renewal has to happen while the client is on a network that can reach it; a certificate that is allowed to lapse cannot be renewed over the 802.1x network it was authenticating to.

7 Collaboration

Information is essential for the knowledge worker. One of the great challenges for IT is to optimize the sharing, storage, and retrieval of institutional knowledge, from managing access to sensitive data to enabling valuable group collaboration. Apple offers a number of innovative features built into OS X that promote streamlined collaboration. To collaborate effectively, users may also need to access groupware and corporate data centers that leverage Microsoft servers. This section covers how to integrate Apple tools and technologies with an organization’s existing collaboration solutions. And a good portion of this section also covers how to access Microsoft Exchange and Microsoft SharePoint®, two of the most common collaboration tools for the enterprise. !


7.1 Integrate with Microsoft Exchange

The Exchange Web Services (EWS) application programming interface (API) was designated Microsoft’s next-generation API for collaboration services, starting with Microsoft Exchange 2007. EWS replaces the Messaging Application Programming Interface (MAPI) and Collaboration Data Objects (CDO). EWS is a SOAP/XML web service carried over HTTPS, and it works together with the Autodiscover service, which tells clients where their EWS endpoint is. EWS is a robust API targeting rich client platforms. It should not be confused with Microsoft Exchange ActiveSync® (EAS), which targets delivering services to mobile devices. OS X ships with native support for Microsoft Exchange 2007 and later. This native integration with the Mail, Contacts, and Calendar applications in OS X relies on EWS.

7.1.1 Use Mail, Contacts, and Calendar with Exchange

Mail, Contacts, and Calendar can be configured to work with Microsoft Exchange in three ways:
1. Through the Internet Accounts pane in System Preferences.
2. By setting up Mail with Exchange Autodiscover, which also automatically configures Contacts and Calendar.
3. Using a configuration profile that can be created with iPhone Configuration Utility, Apple Configurator, or the Profile Manager service in OS X Server.

To configure Mail in System Preferences:

1. Choose System Preferences from the Apple menu.
2. Click Internet Accounts.

Figure 7.1.1_1

3. Click the Add (+) button.

Figure 7.1.1_2

4. Click Microsoft Exchange.
5. Enter the user’s name, email address, and password in the appropriate fields.

Figure 7.1.1_3

6. Click Continue.
7. Autodiscover should fill in the user name, password, and server address for the account.
8. Click Continue.

Figure 7.1.1_4

Note: If Autodiscover doesn’t complete the setup process for you, see the troubleshooting section later in this document.

7.1.2 Enable S/MIME in Mail

S/MIME (Secure/Multipurpose Internet Mail Extensions) is used to sign and encrypt mail. It can be enabled when a certificate issued for the user’s email address, together with its private key, is available in the OS X keychain. In this module, enable S/MIME for an email account when such a certificate has already been installed.

To enable S/MIME:

1. Open the Mail application on a computer that has a configured account.
2. Choose Preferences in the Mail menu.
3. Click Accounts.
4. Choose the appropriate certificate from the TLS Certificate menu. (This list is loaded from the user’s keychain.)

Figure 7.1.2_1

5. Close the Accounts window.

Signed and encrypted mail can be sent once the certificate is enabled. When composing a new message, click the Sign and/or Encrypt buttons in the message header. Signing uses the sender’s own certificate; encrypting to a recipient is only possible once that recipient’s certificate is in the keychain, which normally happens after receiving a signed message from them. Note: The Sign and Encrypt options are only available if the account sending the email has a valid certificate installed.

7.1.3 Enable Out-of-Office Responses in Mail

Out-of-office responses are for users who are unavailable to check email for a variety of reasons, such as vacation or illness. While out-of-office responses can be configured in the Microsoft Exchange web client, they can also be configured in the Mail application in OS X. In this module, review how to configure an out-of-office response.

To configure out-of-office messages for Exchange accounts in Mail:

1. Open Mail from /Applications.
2. Right-click the name of the account in the sidebar. Or if there’s only one account, click Inbox.
3. Choose Get Account Info from the pop-up menu.

Figure 7.1.3_1

4. Click the Out of Office tab.

Figure 7.1.3_2

5. Click the “Send Out of Office replies” checkbox.
6. Choose the period during which replies will be sent, for example “Until disabled.”
7. Enter a message for users of your domain in the Internal Reply field and a message for those outside your domain in the External Reply field. Keep the external reply generic: it goes to anyone who writes in, including strangers, so it should not disclose travel dates, internal contacts, or phone numbers that could be used for pretexting.
8. Close the Account Info window. Out-of-office replies are now sent by the server on behalf of the user account.

7.1.4 Configure Exchange ActiveSync Certificate-Based Authentication

ActiveSync certificate-based authentication is an option for Exchange clients that lets users change their password without having to re-enter it on every device they use, because each device authenticates with a certificate rather than the password. Mail supports Exchange ActiveSync certificate-based authentication. To use it, run an Exchange 2010 server connected to an enterprise CA. ActiveSync must be configured to accept certificate-based authentication, and user certificates must be exported. The IIS (Internet Information Services) Client Certificate Mapping Authentication role service must also be installed and configured properly, and the authentication method for the ActiveSync site should then be set to require client certificates. Each user being configured needs a certificate exported from the Certificates MMC snap-in; before enrolling on behalf of each user, an Active Directory enrollment policy is required. The next module covers installing the account using the certificate in simple .pfx form, and creating a profile that installs an email account using certificate-based authentication. By creating profiles to install email accounts, those accounts can be deployed en masse.

7.1.5 Set Certificate-Based Authentication for Mail, Contacts, and Calendar This module describes the actual implementation of certificate-based authentication for Mail, Contacts, and Calendar. This process is covered by using a profile to provide a functional mass-deployment scenario. However, such authentication can be configured manually as well. To configure certificate-based authentication: 1. Open the Server application on an OS X Server system. 2. Click the Profile Manager service. 3. Click Open Profile Manager, and authenticate if prompted. 4. Click Users in the Library list in the sidebar. Then select the relevant user.

Figure 7.1.5_1 ! 5. In the Settings tab, click Edit. 6. Click Certificate in the sidebar.

Figure 7.1.5_2

331 IT Configuration Guide—For Your Mac Evaluation and Deployment (Version 6.0)

7. Click the Configure button.
8. Provide a name for the certificate in the Certificate Name field.
9. Enter the passphrase for the certificate in the Passphrase field.
10. Click the Add Certificate button.

Figure 7.1.5_3

11. Locate and select the certificate.
12. Click Choose.

Figure 7.1.5_4

13. In the sidebar, scroll up and click Exchange.


14. Click the Configure button.

Figure 7.1.5_5

15. Provide a name for the account in the Account Name field.
16. In the Connection Type menu, choose Exchange Web Services (OS X only).
17. Enter the domain name in the Domain field.
18. Enter the user name in the User field.
19. Enter the email address in the Email Address field.
20. Enter the password for the user in the Password field.
21. Enter the name of the Exchange server in the Internal Exchange Host field.

Figure 7.1.5_6


22. Click OK.
23. Click the Save button.

Figure 7.1.5_7

24. Click Save again to confirm.

Once the profile has been created, click the Download button to download a profile that can be manually applied to the server. Or enroll a device using the user name identified in the profile, and the account will be created on the Mac using the information supplied in the profile.


7.2 Troubleshoot Mail, Contacts, and Calendar with Microsoft Exchange

Troubleshooting Exchange connectivity typically only happens during the initial integration of OS X, or during upgrades when new versions of client software are released. Many organizations rely on Autodiscover to allow client computers to easily connect to user mailboxes regardless of physical location. Autodiscover relies on Domain Name Service (DNS) to point clients to required resources. An Autodiscover request is sent over HTTP when setting up Mail, Contacts, and Calendar with Exchange. The Mail application then queries DNS for the location of the Autodiscover service, which should be the Client Access Server (CAS) for the Exchange organization. At that point, the Internet Information Server hosting EWS responds to the client with a request for authentication. The client then authenticates using the credentials provided to Mail. Once authenticated, the EWS service responds with the location of the Lightweight Directory Access Protocol (LDAP) service, the EWS servers, and other required configuration information. The Autodiscover protocol is designed to perform setup any time a known mail server is unreachable. This enables administrators to move mailboxes based on server capacity without impacting user uptime or experience. In accordance with this practice, Mail.app will run the Autodiscover process again if/when mailboxes are moved on the Exchange server. Troubleshooting connectivity to Exchange can be broken down into several areas including DNS, Improper Redirects, Certificate Errors, and Limits on Message Size.


7.2.1 Check Autodiscover with DNS

In many organizations, Autodiscover has been implemented via Service Connection Points (SCPs). This is usually sufficient for Windows clients running Microsoft Outlook. However, if the proper forward and reverse DNS entries for Autodiscover haven’t been configured on the DNS servers, a Mac can’t find the Exchange Web Services service on the Client Access Server.

Check the DNS information using nslookup from a Windows client to verify service (SRV) DNS record results, as follows:

1. Click Start, then click Run.
2. In the Open window, type cmd.
3. At the command prompt, type nslookup and press the Enter key.
4. At the nslookup prompt, type set type=all and press the Enter key.
5. Type _autodiscover._tcp.pretendco.com, where pretendco.com is the domain of the primary email address.
6. Press the Enter key.

The output appears similar to the following. If it doesn’t, continue to the next troubleshooting steps.

> set type=all
> _autodiscover._tcp.pretendco.com
Server:  casserver.mail.pretendco.com
Address:  192.168.1.100

Non-authoritative answer:
_autodiscover._tcp.pretendco.com
        primary name server = ns2.pretendco.com
        responsible mail addr = mailserver.pretendco.com
        serial  = 1
        refresh = 10000 (2 hours 46 mins 40 secs)
        retry   = 1800 (30 mins)
        expire  = 1814400 (21 days)
        default TTL = 300 (5 mins)
_autodiscover._tcp.pretendco.com        nameserver = ns2.pretendco.com
_autodiscover._tcp.pretendco.com        nameserver = ns1.pretendco.com
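The same check can be run from the Mac itself, which is usually where the complaint originates. The script below is an added example and is not part of the Apple guide: it queries the SRV record with dig(1), which ships with OS X, and extracts the target host and port that Mail will contact (a valid SRV answer carries priority, weight, port and target). The domain pretendco.com and the two-record sample answer are constructed so the parser can be exercised offline; the lowest-priority record is the one a client must prefer.

```shell
#!/bin/sh
# Added example (not from the Apple guide): query the Autodiscover SRV record
# from a Mac with dig(1) and extract the target host and port Mail will use.
# The domain pretendco.com and SAMPLE_SRV below are constructed test data.

# Parse "dig +short SRV" output (one "priority weight port target." per line)
# and print "target port" for the record with the lowest priority value.
parse_srv() {
    printf '%s\n' "$1" \
        | awk 'NF == 4 { sub(/\.$/, "", $4); print $1, $4, $3 }' \
        | sort -n \
        | awk 'NR == 1 { print $2, $3 }'
}

# Live lookup, e.g.: srv_lookup _autodiscover._tcp pretendco.com
srv_lookup() {
    parse_srv "$(dig +short SRV "$1.$2")"
}

# Constructed sample answer: two records, the priority-0 one must win.
SAMPLE_SRV='10 0 443 backup.mail.pretendco.com.
0 0 443 casserver.mail.pretendco.com.'

# Offline demonstration of the parser on the constructed answer.
autodiscover_target() {
    parse_srv "$SAMPLE_SRV"
}

# When run as a script with "_service._proto domain", do the live lookup.
if [ "$#" -eq 2 ]; then
    srv_lookup "$1" "$2"
fi
```

If the live lookup prints nothing, the record is missing or not resolvable from the client's DNS servers, which is the same condition the nslookup steps above detect; the same function works for any SRV-published service by changing the first argument.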


7.2.2 Address Improper Redirects / Certificate Errors

If the client has problems connecting to the Exchange server, even with the service record set properly, the Client Access Server may not be properly configured to accept Autodiscover requests. There could also be a host name mismatch, or the server certificate may not have the proper Subject Alternative Name (SAN) and reverse IP lookup.

To trace these errors while setting up Mail, execute the following command in Terminal:

/Applications/System\ Preferences.app/Contents/MacOS/System\ Preferences -LogEWSAutodiscoveryActivity YES >& ~/Desktop/ConnectionLog.txt &

This launches the Mail, Contacts, & Calendars pane in System Preferences to begin setup, and logs all traffic generated into a text file on the desktop. The log file will greatly assist in troubleshooting connectivity issues.

To trace regular Mail activity beyond EWS Autodiscover, type:

/Applications/Mail.app/Contents/MacOS/Mail -LogHTTPActivity YES >& ~/Desktop/yourmaildebug.log &
defaults write -g LogHTTPActivity YES
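A host name mismatch shows up in the log as a TLS failure, but the underlying question is simply whether the name Mail connects to appears in the certificate's Subject Alternative Name list. The script below is an added example, not part of the Apple guide: san_covers_host implements the matching rule (exact DNS name, or a wildcard covering exactly one leftmost label) and can be exercised offline on constructed SAN lists, while server_sans and check_server fetch the certificate a real Client Access Server presents using openssl s_client with SNI. All host names are constructed.

```shell
#!/bin/sh
# Added example (not from the Apple guide): check whether the host name Mail
# connects to is covered by the server certificate's Subject Alternative Names.
# Host names below are constructed.

# Return 0 if HOST ($1) matches one of the DNS names in SANS ($2), a
# comma-separated list as printed by openssl ("DNS:" prefixes optional).
# A wildcard is honoured only in the leftmost label and covers one label.
san_covers_host() {
    host=$1
    sans=$2
    echo "$sans" | tr ',' '\n' | sed 's/^ *DNS://; s/^ *//; s/ *$//' | while read -r name; do
        [ -z "$name" ] && continue
        case "$name" in
            \*.*)
                suffix=${name#\*}
                rest=${host%"$suffix"}
                # host must end in the suffix and have exactly one more label
                if [ "$rest" != "$host" ] && [ -n "$rest" ] && [ "${rest#*.}" = "$rest" ]; then
                    echo match
                fi
                ;;
            *)
                [ "$name" = "$host" ] && echo match
                ;;
        esac
    done | grep -q match
}

# Live: print the SAN line of the certificate HOST:PORT presents (with SNI).
server_sans() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1
}

# Live: report whether the presented certificate covers HOST.
check_server() {
    if san_covers_host "$1" "$(server_sans "$1" "$2")"; then
        echo "OK: certificate from $1:$2 lists $1"
    else
        echo "MISMATCH: certificate from $1:$2 does not list $1"
    fi
}
```

Run check_server against both the Autodiscover name and the EWS host name returned by Autodiscover; a certificate that covers one but not the other produces exactly the intermittent "works in Outlook, fails in Mail" symptom this module describes.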


7.2.3 Limit Message Size

Exchange has a complex hierarchy of settings governing the maximum message size for each mailbox. These are configured using the Set-TransportConfig cmdlet in the Exchange Management Shell. Because Mail relies on EWS, the EWS website in the Internet Information Server instance coupled with Exchange must be modified to lift these restrictions.

To increase the send size for an entire organization to unlimited, use the Set-TransportConfig cmdlet as follows:

Set-TransportConfig -MaxSendSize unlimited

To increase the send size for individual users, use the Set-Mailbox cmdlet. For example, to set MaxSendSize and MaxReceiveSize for a user called testuser to 20 MB:

Set-Mailbox -Identity testuser -MaxSendSize 20MB -MaxReceiveSize 20MB

In addition to configuring maxMessageSize, maxReceiveSize, and maxSendSize for Connectors and Hub Transport servers, the maxRequestLength in the EWS site's Web.config file must be changed to a similar scale value. This allows files of those sizes to actually be downloaded without first timing out. The interaction of Mail with an Exchange server is routed through the EWS site, and is therefore governed by this setting above all other message-size limits, as with other tools that interface with EWS.

To locate the Web.config file:

• For Exchange 2007, Web.config resides in \Program Files\Microsoft\Exchange Server\ClientAccess\exchweb\ews.
• For Exchange 2010 and 2013, find the Outlook Web App Web.config file on the Client Access server. The default location is \Program Files\Microsoft\Exchange Server\V14\ClientAccess\exchweb\ews.

To limit message size, for example to 20MB, the message size limits and the Web.config file must be changed as follows:

1. Make a backup of the Web.config file.
2. Edit the Web.config file (for example, using Notepad).
3. Find the httpRuntime tag, subordinate to system.web.
4. Change the value for maxRequestLength to 20000, as the units are kilobytes.
5. Save the file.
6. Stop and restart the Default Website for the setting to take effect. Alternatively, you can simply restart IIS.

If the other Exchange message size limits are configured accordingly, changing this setting gives Mail users in OS X connected to an Exchange server the ability to send messages as large as 20MB. The size of a message is roughly the size of the message body plus any attached files.
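Steps 1 through 5 amount to a scripted edit: back the file up, rewrite one attribute, confirm the new value. The script below is an added example, not from the Apple guide, and is written for a POSIX shell so it can be checked anywhere; on the Client Access server itself the same edit would be made in PowerShell or Notepad. The sample Web.config, including its starting maxRequestLength value, is constructed. Following the guide, 20 MB is expressed as 20000 KB.

```shell
#!/bin/sh
# Added example (not from the Apple guide): back up an EWS Web.config, set
# httpRuntime maxRequestLength (kilobytes) from a limit given in MB, and read
# the value back. The sample Web.config content below is constructed.

# Convert a limit in MB to the kilobyte figure the guide uses (20 -> 20000).
mb_to_kb() {
    echo $(( $1 * 1000 ))
}

# Print the current maxRequestLength attribute of the httpRuntime tag,
# or nothing if the attribute is absent.
get_max_request_length() {
    sed -n 's/.*<httpRuntime[^>]*maxRequestLength="\([0-9]*\)".*/\1/p' "$1" | head -n 1
}

# Copy FILE to FILE.bak (step 1), then rewrite the attribute in FILE (step 4).
set_max_request_length() {
    file=$1
    kb=$2
    cp "$file" "$file.bak"
    sed "s/\(<httpRuntime[^>]*maxRequestLength=\"\)[0-9]*\(\"\)/\1$kb\2/" "$file.bak" > "$file"
}

# Constructed stand-in for the EWS Web.config (only the relevant tags).
make_sample_config() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <httpRuntime maxRequestLength="13280" executionTimeout="110" />
  </system.web>
</configuration>
EOF
}

# Run the whole procedure on the sample and report "old -> new".
demo() {
    tmp=$(mktemp)
    make_sample_config "$tmp"
    set_max_request_length "$tmp" "$(mb_to_kb 20)"
    new=$(get_max_request_length "$tmp")
    old=$(get_max_request_length "$tmp.bak")
    rm -f "$tmp" "$tmp.bak"
    echo "$old -> $new"
}
```

Keeping the backup next to the edited file is what makes step 6 safe to repeat: if EWS fails to start after the restart, restoring Web.config.bak returns the site to its previous state.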


Note: The configuration of maxRequestLength in the EWS Web.config file isn’t currently documented by Microsoft. However, it’s documented for the Outlook Web App (OWA). The steps listed above are therefore subject to change. For more information about managing Exchange message sizes, see these Microsoft articles:

• For Exchange 2007: technet.microsoft.com/en-us/library/bb124345(EXCHG.80).aspx
• For Exchange 2010 and 2013: technet.microsoft.com/en-us/library/bb124345.aspx


7.2.4 Access Additional Troubleshooting Resources

The following web pages address many of the most common challenges encountered when integrating Mail, Contacts, and Calendar into Exchange environments.

• Understanding Autodiscover Service in Exchange: technet.microsoft.com/en-us/library/bb124251.aspx
• Configuring DNS to Support SRV Records: support.microsoft.com/kb/940881
• Exchange 2007: Managing Message Size Limits: technet.microsoft.com/en-us/library/bb124345(EXCHG.80).aspx
• Exchange 2007: Managing Maximum Message Size in Outlook Web App: technet.microsoft.com/en-us/library/aa996835(EXCHG.80).aspx
• Exchange 2010/2013: Managing Message Size Limits: technet.microsoft.com/en-us/library/bb124345.aspx
• Exchange 2010: Configuring Maximum Message Size in Outlook Web App: technet.microsoft.com/en-us/library/aa996835.aspx


7.2.5 Support Exchange Autodiscover

The Mail application and other client apps used to access Exchange must first be configured with settings for the name or IP address of the server, potentially SSL certificates, user names, domain names, passwords, and so on. These settings are too numerous for end users to remember or configure on their own.

Autodiscover is a protocol that attempts to connect to an Exchange server on behalf of the user. Introduced in Microsoft Exchange Server 2007, Autodiscover enables an Exchange-capable email client to automatically configure a user's account using just the email address and password. Autodiscover data populates the correct server addresses, port numbers, user name, and authentication settings.

Autodiscover uses the domain of the email address to contact an authoritative DNS server for the address of an available Exchange server. Mail then contacts the Exchange server and provides the necessary credentials. The server returns the settings needed to complete the setup.

Administrators often move Exchange mailboxes around within an Exchange organization. To help keep client computers connected even when the address of the server changes, Autodiscover also periodically checks settings and automatically updates them if the server address or mailbox location changes.

Users benefit from Autodiscover by not having to know or understand email server settings, and by connecting to their email accounts without assistance from technical support staff. Technical support staff benefit from fewer support calls.

The Mail, Contacts, and Calendar applications leverage Autodiscover to connect to Exchange. To set them up initially, simply select the Microsoft Exchange option in the Internet Accounts pane in System Preferences. Or open each of these built-in applications in OS X and configure an Exchange account by choosing Preferences in the application menu.


7.3 Troubleshoot Outlook

Microsoft Outlook relies on the Exchange Web Services protocol for setup and connectivity. Because EWS is used, the DNS troubleshooting steps discussed in previous modules may be useful. This is important to note because an Exchange administrator may assume that because the product says Outlook, it can use Service Connection Point objects to discover the email location. This isn’t the case in Outlook for Mac.

To activate logging for Outlook:

1. Open Outlook.
2. Select Error Log in the Window menu.
3. Click the cog wheel icon in the upper-right corner to open the action pop-up menu.

Figure 7.3_1


4. Click the “Turn on logging for troubleshooting” checkbox.

Figure 7.3_2

Outlook uses a database to track each email message. The database consists of pointers, not the actual messages. Each time a user receives mail, a database write occurs that can trigger activity from an antivirus application. If there’s a lot of activity, antivirus scanning can cause database corruption and crashed email services. One potential solution is to add the following exceptions to the antivirus realtime scanner:

/Library/Preferences/.GlobalPreferences.plist
~/Library
/Users/.*/Documents/.*/Database/.*
/.*\.log

Note: These changes should only be undertaken if incoming mail is scanned at the messaging gateway and the server.
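Before an exclusion list like the one above is pushed to every Mac, it is worth seeing exactly which paths it removes from realtime scanning. The script below is an added example, not from the Apple guide: it encodes the four entries as anchored extended regular expressions (an assumption about how the scanner interprets them; "~/Library" is spelled out as /Users/[^/]*/Library because scanner rules rarely expand "~") and tests constructed sample paths against them. Running it shows that the Outlook 2011 identity database is covered as intended, and also that the last pattern as written matches every .log file on the system, not just Outlook's.

```shell
#!/bin/sh
# Added example (not from the Apple guide): test which paths the guide's
# antivirus realtime-scan exclusions would match. The regex forms below and
# the sample paths are constructed; "~/Library" is written out explicitly.

EXCLUSIONS='^/Library/Preferences/\.GlobalPreferences\.plist$
^/Users/[^/]*/Library/
^/Users/.*/Documents/.*/Database/.*
^/.*\.log$'

# Return 0 (excluded from scanning) if PATH ($1) matches any pattern.
av_excluded() {
    printf '%s\n' "$EXCLUSIONS" | while read -r pattern; do
        [ -z "$pattern" ] && continue
        if printf '%s\n' "$1" | grep -Eq "$pattern"; then
            echo match
        fi
    done | grep -q match
}

# Constructed sample paths: the Outlook 2011 identity database, a user's
# Library cache, a download, and a system log unrelated to Outlook.
SAMPLES='/Users/jdoe/Documents/Microsoft User Data/Office 2011 Identities/Main Identity/Database/Messages
/Users/jdoe/Library/Caches/com.microsoft.Outlook/cache.db
/Users/jdoe/Downloads/invoice.zip
/var/log/install.log'

# Print one "excluded:" or "scanned:" line per sample path.
report_samples() {
    printf '%s\n' "$SAMPLES" | while read -r p; do
        if av_excluded "$p"; then
            echo "excluded: $p"
        else
            echo "scanned:  $p"
        fi
    done
}

# Number of sample paths the exclusion list removes from scanning.
excluded_count() {
    report_samples | grep -c '^excluded:'
}
```

If the broad .log match is not intended, narrowing that entry to the Outlook identity folder keeps the benefit for the mail database without leaving other log files unscanned.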


7.3.1 Access Additional Outlook Information

There are a number of additional resources available for Outlook.

• Learning Roadmap for Outlook for Mac 2011: office.microsoft.com/en-us/mac-outlook-help/learning-roadmap-for-outlook-for-mac-2011-HA103528304.aspx
• Planning for Outlook for Mac 2011: technet.microsoft.com/en-us/library/jj984221(v=office.14).aspx
• How the Autodiscover Service Works with Outlook for Mac 2011: technet.microsoft.com/en-us/library/jj984202(v=office.14).aspx
• Turning Logging On or Off in Outlook for Mac 2011: technet.microsoft.com/en-us/library/jj984217(v=office.14).aspx
• Adding Support for Information Rights Management into Outlook for Mac 2011: go.microsoft.com/fwlink/?LinkId=201940


7.4 Leverage SharePoint

SharePoint connectivity in OS X is through a web browser or through the Microsoft Document Connection app, included in Office for Mac. Microsoft Document Connection is added to the Dock by default when Office is installed. It’s also available in the /Applications/Microsoft Office folder or in the /Applications/Microsoft Office 2008 folder. Document Connection works with SharePoint 2007 or later, and lets users check documents in and out of SharePoint servers.

Document Connection can authenticate using Kerberos, or using NTLM credentials if the Mac isn’t yet bound to the Active Directory domain or the SharePoint server isn’t yet kerberized to the domain.

Many of the common tasks performed with SharePoint can be done using Safari (SharePoint 2007 and forward). However, any features that require an ActiveX® control aren’t available for Mac computers.


7.4.1 Connect to SharePoint

Microsoft includes the Document Connection application in Office. To use Document Connection with SharePoint:

1. Open Document Connection from /Applications/Microsoft Office 2011.
2. Click the Add Location button in the toolbar.

Figure 7.4.1_1

3. In the pop-up menu, choose Connect to a SharePoint Site.

Figure 7.4.1_2


4. Enter the address of the site.

Figure 7.4.1_3

5. Provide the user name and password for the site.
6. Under SharePoint in the sidebar, browse to the location of a file.
7. Click the file name.
8. Click the button in the toolbar that corresponds to the task at hand.

Figure 7.4.1_4


7.4.2 Access Additional SharePoint Information

For more information on how to use OS X to connect to SharePoint through Office for Mac, see:

• Office for Mac 2011 and SharePoint Integration Features: technet.microsoft.com/en-us/library/jj984161(v=office.14).aspx


7.5 Access Instant Messaging

Instant messaging enables users to communicate with each other in real time. Instant messaging has been a text-based communication tool for many years, but most modern instant messaging solutions also support the ability to communicate through video and audio messaging. OS X supports many of the standard instant messaging platforms. The following modules cover Messages, FaceTime®, and Microsoft Lync®.


7.5.1 Configure Messages and FaceTime

Messages

Messages is a multiprotocol chat client that enables users to send unlimited iMessages® to any Mac, iPad®, iPhone, or iPod touch®. It also supports the XMPP instant messaging protocol commonly known as Jabber®, and works with AOL® Instant Messenger (AIM®), iCloud.com, and Yahoo!®. Jabber can be integrated with any instant messaging platform that also has an XMPP gateway, such as ™ and Apple Messages server, built into OS X Server.

To configure Messages:

1. Open Messages from /Applications.
2. To enter an Apple ID for use with iMessage, provide the appropriate Apple ID and password when prompted.

Figure 7.5.1_1


3. To enter other types of accounts, click Not Now. When prompted, select the type of account. In this example, click the “Other Messages account” radio button to set up a Jabber account.

Figure 7.5.1_2

4. Click Continue.
5. In the Add a Messages Account dialog, choose Jabber from the Account Type menu.

Figure 7.5.1_3


6. Enter an account name and password in the appropriate fields.
7. Provide a server name or IP address in the Server field.
8. If applicable, click the Use SSL checkbox and the “Use Kerberos v5 for authentication” checkbox.
9. Click the Create button.

Figure 7.5.1_4

10. Close the Accounts window.
11. Test the connection by adding other users to the Messages Buddy List and chatting with them.

Apple provides a number of tools for troubleshooting Messages. One is Network Utility, located in /System/Library/CoreServices/Applications/. Network Utility is used to check that private Jabber servers are reachable by name and IP address, and that the required ports are accessible.

Debug logging is also helpful. To debug Messages communications, first quit Messages. Then reopen Messages by entering the following command in Terminal. It logs debug output, which may show what the specific problem is:

/Applications/Messages.app/Contents/MacOS/Messages -errorLogLevel 7

Note: Common issues with connection quality can usually be traced to poor bandwidth, gateway filters, and antivirus applications.

FaceTime

In addition to Messages, the FaceTime application is also built into OS X. FaceTime is also available on the Mac App Store at .apple.com/us/app/facetime/id414307850?mt=12.


7.5.2 Manage Lync for Mac

The Office suite includes the Lync for Mac chat program, with support for Lync Server 2010 and Lync Online. For the Lync for Mac 2011 Deployment Guide, see technet.microsoft.com/en-us/library/jj984275(v=office.14).aspx.

To set up Lync for Mac:

1. Open Lync for Mac from /Applications/Microsoft Office 2011.

Note: The first time the application opens, a prompt appears requesting to make Lync the default application for phone calls. Choose to make Lync your default telephony application by clicking Use Lync.

2. In the Microsoft Lync login window, enter the appropriate information.

Figure 7.5.2_1

3. In the Lync menu, choose Preferences.


4. Click the Account button in the toolbar.
5. The account name is shown next to Sign In Address. Click Edit to assign a new account name. Or, if an address isn’t yet listed, go back to the login page and provide one.

Figure 7.5.2_2

6. In the Account window, Connection Settings is set to “Automatic configuration” by default. If you have a private Microsoft Lync server, click the Advanced button to enter the information manually.


7. Provide the server host name or IP address.
8. Next to “Connect using,” choose either TCP or TLS. If you don’t know which to use, contact the Communications Server administrator.

Figure 7.5.2_3

9. Click OK.
10. Click Sign-In.

Users can send files and email, video, or telephone contacts added to the . For more on Lync, see: www.microsoft.com/mac/enterprise/lync.

Integrating Messages with Microsoft Communications Server

To leverage the Messages application built into OS X when integrating into an existing Lync Server 2010 environment, install the XMPP gateway service on the Lync Server 2010 host. To download the XMPP services package, see www.microsoft.com/en-us/download/details.aspx?id=8403. For more information about adding an XMPP gateway, see this blog entry by Microsoft employee “Lync Guy” about adding XMPP services: ocsguy.com/2010/11/29/deploying-lync-for-xmpp.


7.6 Use AirDrop

AirDrop is the Apple implementation of the Wi-Fi Direct™ protocol. AirDrop enables users to find other nearby users (via Bonjour, the Apple multicast DNS implementation) and transfer files directly to other client computers over an encrypted connection.

To turn on AirDrop on a supported Mac:

1. Click AirDrop in the sidebar of any Finder window.
2. To exchange files with a nearby user, also have that user click AirDrop in the Finder sidebar on their Mac. Each computer is now listed in the other’s AirDrop window.

Figure 7.6_1


3. To transfer a file, drag and drop the file on the other user’s AirDrop icon. The nearby user is prompted to accept the file. Transfer progress is indicated within the circle icon.

Figure 7.6_2

4. To turn off AirDrop, simply close that Finder window or click another sidebar item.

The intentional nature of activating AirDrop, coupled with the Accept dialog, provides a strong measure of security and protection against hijacking. Deliberate steps are required to accept file transfers.

Note: As of iOS 7, AirDrop supports iOS based devices.


7.6.1 Disable AirDrop

While AirDrop is a great feature for many environments, some organizations may wish to disable it in OS X to meet their information assurance and/or security guidelines. To disable AirDrop, enter the following command in Terminal:

sudo defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool YES

To reenable AirDrop, send the same command with a boolean payload of NO, as follows:

sudo defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool NO

For AirDrop to disappear from the Finder, either restart the system or restart the Finder by running the following command:

sudo killall Finder

Preferences are stored in the defaults domain. These can be changed using Mobile Configuration (.mobileconfig) files. Environments running OS X Server or a third-party mobile device management solution can use the Custom Settings feature to assign a value to the com.apple.NetworkBrowser defaults domain. To use the Custom Settings feature in Profile Manager:

1. Open the Server application on an OS X Server system.
2. Click the Profile Manager service.
3. Click Open Profile Manager, and authenticate if prompted.
4. To assign custom settings, click the relevant Device or Device Group.

Figure 7.6.1_1

5. Click Edit in the Settings tab.
6. Click Custom Settings in the sidebar.


7. Click the Configure button.

Figure 7.6.1_2

8. Enter com.apple.NetworkBrowser in the Preference Domain field.
9. Click the Add Item button.
10. Rename the initial key DisableAirDrop.
11. Choose Boolean from the Type menu.
12. Click the Value checkbox.

Figure 7.6.1_3

13. Click OK.
14. Click Save. Then click Save again to confirm.
15. Send the profile to the Mac running OS X. Then restart the Mac and verify that the key is enforced.
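Step 15 asks for verification, and many environments want the profile in version control rather than built by hand in Profile Manager. The script below is an added example, not from the Apple guide: disable_airdrop applies the guide's defaults command locally, airdrop_disabled reads the key back so a deployment can be checked, and airdrop_profile emits a .mobileconfig that forces DisableAirDrop in the com.apple.NetworkBrowser domain. The payload uses the MCX-style com.apple.ManagedClient.preferences type with a Forced array of mcx_preference_settings, which is the structure Custom Settings profiles are understood to use (an assumption; compare against a profile downloaded from Profile Manager). The identifiers and UUIDs are placeholders and must be replaced.

```shell
#!/bin/sh
# Added example (not from the Apple guide): apply and verify DisableAirDrop
# locally, and generate an equivalent Custom Settings profile for an MDM.
# PayloadIdentifier and PayloadUUID values are placeholders (constructed).

# Apply the guide's command on this Mac and restart the Finder (OS X only).
disable_airdrop() {
    sudo defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool YES
    sudo killall Finder
}

# Return 0 if the key is set to true on this Mac (defaults prints 1 for true).
airdrop_disabled() {
    [ "$(defaults read /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop 2>/dev/null)" = "1" ]
}

# Emit a .mobileconfig that forces DisableAirDrop=true for com.apple.NetworkBrowser.
airdrop_profile() {
    cat <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadType</key>
            <string>com.apple.ManagedClient.preferences</string>
            <key>PayloadIdentifier</key>
            <string>com.example.disableairdrop.custom</string>
            <key>PayloadUUID</key>
            <string>00000000-0000-4000-8000-000000000001</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>PayloadContent</key>
            <dict>
                <key>com.apple.NetworkBrowser</key>
                <dict>
                    <key>Forced</key>
                    <array>
                        <dict>
                            <key>mcx_preference_settings</key>
                            <dict>
                                <key>DisableAirDrop</key>
                                <true/>
                            </dict>
                        </dict>
                    </array>
                </dict>
            </dict>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>Disable AirDrop</string>
    <key>PayloadIdentifier</key>
    <string>com.example.disableairdrop</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>00000000-0000-4000-8000-000000000002</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
EOF
}

# Offline sanity check: the key must be forced to true inside the
# com.apple.NetworkBrowser domain of the generated profile.
profile_forces_disable() {
    airdrop_profile | tr -d '\n' | grep -q 'com.apple.NetworkBrowser.*Forced.*DisableAirDrop</key> *<true/>'
}
```

Save the output of airdrop_profile as DisableAirDrop.mobileconfig and run plutil -lint on it on a Mac before importing; after the profile is installed, airdrop_disabled on the client is the check step 15 asks for.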


7.6.2 Debug AirDrop

To turn on verbose logging for AirDrop, set the logging level (0=off, 1=on) as follows:

defaults write com.apple.finder EnableAirDropLogging 1

AirDrop logs are written to /var/log/system.log.


7.6.3 Access Additional AirDrop Information

For more information on Wi-Fi Direct and about AirDrop, see:

• AirDrop Supported Machines: support.apple.com/kb/HT4783
• Wi-Fi Direct FAQ: www.wi-fi.org/files/faq_20100916_Wi-Fi_Direct_FAQ.pdf


7.7 Leverage iCloud

iCloud is an Apple cloud service that stores contacts, photos, and more. iCloud wirelessly pushes data to all of a user’s devices to keep them in sync, automatically and seamlessly, with no user file-level interaction necessary.*

The iCloud Document Library is a convenient, consistent way to access iCloud documents across Mac computers and iOS devices. To find an iCloud document, just open its app. The iCloud Document Library shows the iCloud documents for the app, with the most recent one at the top. To organize documents into folders, drag one document onto another, similar to organizing documents on iPhone or iPad. Folders created on one device automatically appear in the iCloud Document Library when the app on another device is opened.

Administrators can restrict the storage of iCloud data, including documents on the iCloud servers, by using configuration profiles.

*iCloud requires iOS 5 or later on iPhone 3GS or later, iPod touch (3rd generation or later), iPad, or iPad mini; a Mac computer with OS X Lion v10.7.5 or later; or a PC with Windows 7 or Windows 8 (Outlook 2007 or later or an up-to-date browser is required for accessing email, contacts, and calendars). Some features require iOS 7 and OS X Mavericks. Some features require a Wi-Fi connection. Some features are not available in all countries. Access to some services is limited to 10 devices.


7.8 Use iWork for iCloud

iWork® is a collection of productivity applications available on the Mac App Store. iWork includes the following apps:

• Pages®. Used to create and edit documents.
• Numbers®. Used to create and edit spreadsheets.
• Keynote®. Used to create and edit presentations.

All iWork apps are available for iCloud, so users can edit and access documents in a browser or using a client application. Documents stored in iCloud are available on iOS devices, via the iCloud web interface, or using the iWork applications available on the Mac App Store. iWork for iCloud edits and saves documents so they’re compatible with Microsoft Office documents. iWork for iCloud documents can be stored in iCloud, shared to other applications, or sent using iCloud Mail.
