Enterprise IT • 1:05:18
Learn how to build network-aware applications--and why every developer should review their applications for use on a network. Topics covered include file locking, application packaging, and application architecture.
Speaker: Rob Neville
Unlisted on Apple Developer site
Transcript
This transcript was generated using Whisper; it has known transcription errors. We are working on an improved version.
Please welcome Rob Neville to the podium. Thank you everybody. My name is Rob Neville and I manage the engineering team that does manage desktop 410. The sign outside says this is managing for a networking environment. If you're here just to hear something about managing in a networking environment, it's going to be different than that because today what we're going to be talking about is developing for a managed client environment for 10.
Okay, so today what we're going to be talking about is developing for Mac OS X Managed Desktop. Mac OS X is a managed environment, and we're going to be discussing in a variety of ways how it is a managed environment. Ostensibly what we did when we were here last year is we introduced you to the concept of Apple desktop management. And it's a year later. We've got a year's worth of software under our belt.
We've got customers who are actually utilizing the product and have been giving us feedback. We've got developers here who are developing products to work in that environment. So we'll be discussing where we are, where we are today, where we've come from, and what it is you guys need to do and to learn to provide solutions and to customize your environment to work better in this environment.
So we're going to be talking about a managed environment. So I'd like to turn the Wayback Machine back, take us back in history five years, back before there was a Mac OS X. And what we had then was the Mac OS, Mac OS 9, Mac OS 8. And that was an unmanaged computer. You plugged it in.
You booted, you came up to the finder, you could do whatever you want whenever you wanted. You got up and walked away from your machine, somebody could sit down behind you, do whatever they want, whenever they wanted. You had no way of controlling that environment at all. To do that, to do any sort of control at all, you had to get additional software.
Apple provided you additional software, it was called Macintosh Manager. Macintosh Manager gave you the notions of having multiple users use a particular machine, putting access control, which applications could they access, which printers could they use, a variety of things. You needed a server to be able to do that. But you started getting the notion of managing the computer.
Well, Mac OS X comes along--let's fast forward to the present--Mac OS X comes along and out of the box, it's a managed environment. If I go home today and open up a brand new computer and boot it up, turn on MacBuddy, install the software, pick my admin account, get up and running.
I auto-login, turn on fast login, so I just come up, I never see a login screen. The user thinks that they're not managed, but they are. There are some things that I cannot do as that administration user, that only a super user can do. So right out of the box, there are at least two users of the system.
and I am not, by default, the super user. So, just right out of the box, we've got a managed environment. We put people into a home directory. They get a home directory for free, even on a local machine. So even without any Apple desktop management at all, you are managed.
Taking that one step further, then I start adding users. Again, if we're just even in a local environment. So at home, I have user accounts for my wife, for my children. I don't have any server involved. None of them--I have no managed preferences, which is what our group primarily does. I've never run a work group manager. I still have a managed environment. I don't have access to the data in my kids' home directory unless I go in as a super user.
So we'll be discussing a little bit of that as we just have. We're also going to be discussing some of the customer usage scenarios that we've seen. What I just discussed briefly was just a normal setup where I have a single machine with just multiple user accounts. That's a managed environment. We'll be talking about what Apple's desktop management solution is, what it is, what it isn't.
I'll be talking briefly a little bit about what we've learned. So it's been a year. People are starting to--if you went to Michael Lopp's session yesterday on the desktop solutions, he talked about deployment, access, and assessing the deployment, and rolling out. Well, people have been rolling out--starting to roll out solutions. And for those of you--how many here work in an IT department or work in IT? How many of you are application developers? Okay, so we've got--looks like it's about 70-30.
Seventy applications developers, 30% IT. So with the IT--you IT folks, you know that you test out a deployment before you roll it out to your customers, or disaster will happen in most cases. So what happens is, as you're deploying that, you find the glitches and the gutches, and you've been giving us feedback on some of those implementations, and we've taken those to heart. So we'll be discussing some of those. And where we're going to be taking Apple desktop management going forward. I'll be showing you a little bit about what's new in 10.3, which will be coming out soon.
And what it is you--70% of the people in here--what it is you're going to need to do to work in that environment. Things you're going to need to do. Things you're going to need to pay attention to. And really what you're going to need to do going forward.
So let's jump over to our customer usage model, because this is the way we think about--what we think about when we're developing software, at least in my organization. We try and identify who our critical customers are. Some of you are in this room. If you're not on this screen, you know, come talk to me after the session, and we'll start paying attention to what your usage scenario is.
But what we do is we look at various customer scenarios, and we try and gear our software and the solution that we're developing to meet one of these customer scenarios. So the first one we have is a one-to-one deployment. And what do I mean by that? That's a scenario whereby I hand you a PowerBook.
I own the PowerBook. You don't own the PowerBook. I have given you an account on that PowerBook. Let's say it's employee. You do not have super user access to that machine. You don't even have admin access to that machine. I put everything on that machine that you could possibly want to use that I can think of. But can you add new software to it? Not if it requires admin access to do that.
You would have to give it back to me to install new software on it. But it's my physical machine. I give it to you. You can add bookmarks. You can do whatever you can do as a user. You have physical access to the machine, but you don't have admin access. And one of our significant customers of this is the schools, where schools will hand out CPUs on a temporary or even a long-term basis. It's owned by the school system.
[Transcript missing]
There's a full-blown IT deployment where I've got a server in the back, I may have Big Iron behind the server in the back room, you've got network accounts, I have site license software that I have in numbers of seats that each individual can use. So I control which printers you can have access to, which applications you can have access to. How much data storage you have on my servers, what servers you have access to, what your username is, what your password is, how often you have to change your password, how long your password needs to be, what sites you can access, what you can't access.
I control all that you see and hear. In that particular case, mostly the people have network accounts. So that's really useful, but that in and of itself--and we've tried to solve some of this--can create problems. Usually not for a big IT place, but I was in a session yesterday where we were talking about where a user got up and spoke at the podium--at the microphone.
And he was saying, "We still have 10BaseT. We're still deployed on top of 10BaseT." Well, so if I have all my network storage and it's all happening over 10BaseT, now with significant amounts of data flowing around and lots of people using my 10BaseT network, even just doing browsing.
Downloading some of that stuff off of the net is something we've attempted to try and solve. The other thing is the scenario that I alluded to in the beginning, where you have an at-home kind of setting. Though I know that some of you out there are deploying capabilities as an IT solution as well, this is primarily geared towards a small or very small number usage, and that's the capabilities.
However, the capabilities scenario, which allows you to control media--so Johnny can burn a CD, Johnny can't burn a CD, but I can--and what applications Johnny can use. I don't want Johnny using the terminal, those kinds of things. It's primarily for application access control and media access control, and it's in a small environment, but the mechanism for doing that is the same mechanism as what is used in a big system.
We don't have a separate means for funneling that kind of data down to the system. We use the same mechanism for capabilities as we do for a full managed environment in IT. Then we get the mobile user, and the mobile user is a little bit different from the one-to-one deployment I was talking about.
In this case, I give you the computer, and you have a network account. You have this computer. You sit down, you connect up to the network, and you log in. You log in with a username and password, and then you unplug that from the network, and you take it home. You take it on the road with you.
I have some medium of control, but maybe not as much. I may say that you can access the CD or not. But it's in a mixed kind of environment. And there are others, and we want to hear what those others are. We really want to get a feeling for how it is that you people are using the product. Because the clearer the feedback you give us, the better the product we can deliver to you.
So what is it that we're talking about here? Apple Managed Desktop. So Apple Managed Desktop is a mechanism for managing resources. And what is that? Well, that's people. So I manage people by managing user lists, by managing passwords and password policies. It's managing equipment settings, and there's some new ones that we're managing.
It's, you know, does the computer turn off at 10 o'clock at night? Do I have screensavers come on? Not screensavers, but does the monitor dim automatically? Do you have access to these kinds of applications? Applications are resources. So how do we do that? We do that through Workgroup Manager, primarily. Capabilities is handled through the system in a small kind of environment. But what you have is you have your personal environment where you have your accounts. And if you move from accounts on a local level for a system, you move to Workgroup Manager.
Workgroup Manager basically is a bigger accounts management thing with lots more options. Because you have lots more that you can control. But what is Workgroup Manager? Workgroup Manager is primarily a directory editor. It edits data that sits in a directory. And that's going to become much clearer to you all with Panther. Because for me, a key feature of Workgroup Manager in Panther is the inspector. Because that gives me the ability to go in and edit my directory raw.
That's a lot of power, and there's not a lot of sanity checking that happens when that goes on. So, you know, buyer beware--user beware in this particular situation. What we do in my group, which primarily handles the preference setting--and as we look into Workgroup Manager, you'll see, and we'll be dealing a lot with the preference setting--is we take those preferences and we put them into an XML file.
into an XML format, and we store those in the directory structure. We really don't, and then when a user logs in, we go out to the server based on what machine the user is logging in on, who the user is, what groups they're part of or have chosen to be part of for this particular session. And we get that XML data out of the directory.
We unionize it or munge it, put it down to the local system, and that sets what their preferences are. We also do volume mounting as part of the programmatic process that happens. We also pass information off to the system so that if you have applications that need to launch or those kinds of things, we set those preferences so that other system services can take advantage of those. But we really don't do a lot of actions other than that. We are not access control lists. Though we do allow for permissions and preferences and things like that, we're not setting up access control lists.
So we have a managed environment. The top of the managed environment chain for us is users. The first thing you do is you set up users and you set them up usually with home directories. Not always. Because I can set up a series of users and they don't have home directories and maybe they're all FTP users. In that case, they're managed. They're managed FTP users. They don't have--they're not going to be accessing this particular device, and so they don't have home directories.
In those home directories, we store preferences. So again, a bunch has changed with Panther, and the things that you as developers and you as IT folks really need to pay attention to, and that is today with Jaguar, I sit down and I log in as me. And until I log out, I'm the only one using the machine for the most part. Now, I know people can SSH in, people can FTP in, people can do a bunch of stuff. But as far as accessing freestanding, native Mac OS X, you know, GUI applications, I'm the only one that's doing any of that.
[Transcript missing]
So that I can get up from my desk, go to lunch, or I can be in a lab and be sitting there and accessing it, and then my lab partner can switch over to their account. So now you have two people logged into the machine at the same time.
And application developer me puts all those things in a global space, or with an absolute path. Well, User 2 can't access the data that User 1 is accessing because I've got it open and running. So those are some of the things that you really need to be thinking about when you're developing solutions or when you're testing out your products.
Don't require specific folders. Now, last year when I was giving this kind of presentation, I had a whole scenario where I showed a demo and I ran FS usage on a bunch of applications and showed how some applications were being bad and they were doing lots of I/O, and if you have I/O over the network, it's bad.
I tried to look for some applications that were doing some bad things. Early iterations of some people's software, if you didn't have a specific folder with a specific name, the application would crash. Now, if you want a specific folder, some of these applications, they will create a new application with that particular folder.
Our customers like to customize. Customers customize. And don't require them to have a specific folder. Don't, you know, "My App Folder." So you provide an application and it has to have these--don't use specific folder names. Use relative names where possible. Allow for one installation per CPU, but don't require--don't disallow multiple users from accessing that particular application. This is, you know, the fast user switching scenario. You can't be sure that only one person is going to be trying to run your application. You're going to be multiple users in the machine. Also assume that your application will be accessed over the network.
So why is that? Well, that's for a couple of reasons. I do some beta testing for some Mac OS X applications, which I can't talk about because they're still in beta. And one of the first bugs I wrote on these applications was I logged in using my network user ID, which is out on the network, and I tried to run the application, and it crashed. It didn't like me not running locally.
It also didn't like me not running as admin, which is a totally also different scenario. So there are two different things. One, assume that if I'm doing I/O, for example, if I'm writing out to a cache or I'm storing files in temporary folders, if they're stored out on the network.
You have to assume that where that user's home directory is could be out on the network. And that if it's out over the network, what we ran into here this morning is there's a really big AirPort configuration here for all of you guys to have AirPort access. That can get really busy. And if I'm booting or running multiple applications, all of them over AirPort, and all of this data's in various network home directories, it might not be the fastest AirPort implementation.
In a lot of cases, we have AirPort solutions that we've sold to schools, and they haven't updated to the new, faster AirPorts. So they're accessing their network folders over AirPort with 30, 40 people connecting to the same AirPort base station at the same time, and the performance goes into the toilet. So you as developers need to take that into consideration when you're building. You're writing your applications.
Don't require the users to run your applications if you're developers out there to have admin access. As we get back to the usage scenario, most of our users aren't running as admins. Most of them are running as network users, and some percentage of them know an admin password for their machine, but a large number of customers do not, and some subset of customers--one customer, two customers--might be 40,000 users, where none of those 40,000 users know their admin password. So, use our product to test your product.
[Transcript missing]
Workgroup Manager. What is Workgroup Manager? Workgroup Manager is a way to manage system-level preferences.
How many of you have used Workgroup Manager here on Jaguar? So about 20-25%. For those of you who have not, Workgroup Manager allows you to set preferences into three separate categories. I'll be showing you a Workgroup Manager demo here in a bit, and I'll go into a little bit more because 75% of you haven't used it. Basically we have the notion of three different groupings. We have users, which I think you're all familiar with. We have groups, which you're sort of all familiar with.
The users are part of groups, and you're familiar with that. And then we have computer lists. So basically what happens is when the machine boots up, it is bound to--in most cases or in a lot of cases--it's bound to some directory in the network. So it gets network services available to it. It's bound to some directory.
And the machine will go to that directory and find out whether or not it knows about me on the computer. Does it know about me? In its list, yes or no. If I am, are there any preferences associated with me, my specific device? There may or may not be.
If I'm not in a list of known computers, does the binding handle guest computers? So anybody who comes and plugs in their machine. And what preferences are associated with that? Maybe I require everybody who logs into my network to have a list log in, things like that. We'll show you some of that when we get into showing you Workgroup Manager.
Then, it puts up the user list. You get a user list, I get to pick what user I want to log in as. Once I've logged in as that user, then I get to pick what group the user might be a member of multiple groups. And I can set preferences at each of those levels, and we'll show you how we do that. Workgroup manager also sets non-MCX data. That's the MCX data, for system level preferences, as we'll see. It also sets up non-MCX data. This is workgroup manager, where I go and I add users. And I add home directories. I add group volumes that are accessible to them.
and I set up parameters and policies for those users. This user has a home. They have 5K of storage in it, because I don't have--I have thousands and thousands of users using this particular machine, and I don't want them to have a lot of network storage. 5K is really small, but let's say 5 meg or 100 meg or something--something small.
So--but I'm already managing those users by telling them, "This is how much storage you have on my network devices." The other thing to remember with Workgroup Manager is it's directory-centric. So I can set this thing up in a directory, I can configure users, and those users could have home directories on a totally different set of machines.
Setup in Workgroup Manager: Where those home directories are does not need to be on the machine that is holding the information. So Workgroup Manager is a directory-centric, not a server-centric, configuration. Again, take the Wayback Machine back five years ago, and what we were dealing with was AppleShare and AppleShare IP, where your user list was specific to a specific machine.
What we do when we move into a directory-centric model is, "I can have the same username and password and have that be accessible in multiple different arenas." So what's new for 10.3? Well, there are a couple of things. And the first one that you see up there, mobile accounts, is something I'm really happy with.
[Transcript missing]
I give you--again, thank you very much for volunteering--I give you this PowerBook, and you have a network ID, because you're an employee for me. So you have a network ID, you have a network account where I give you so much data storage on my server, and you can log in.
When you log in, you log in with your network ID, your username and password, and you're sitting at your desktop with your PowerBook and everything's fine. You unplug that PowerBook from the network and you go home, you go on the road, you try and log in using your network ID.
And you can't, because there's no network user on that local device. So what do you do? I've given you admin access to that particular machine so you can do some stuff. I'm a nice guy and you've got control of the machine, so you can create a local user with your first name only.
[Transcript missing]
Log out. Log back in as my local user with your first name. Well, I'm out the directory, but now I don't have read/write access to my network home directory. What am I going to do? Ha-ha! You're going to use mobile accounts. Mobile accounts, what that will allow you to do is, I as an administrator know what you're going to be doing.
So I say, for you, you have the ability to set up a local account with the same name and password, and to the system, it looks like the same user. So you have the same permissions, the same group access, the same user ID. All of that's the same. I unplug that machine, I take it home, I take it on the road, I type in the same username and password. I get the same password policy.
Everything is the same. I plug it back into the network. Now, what this won't do--this is just account creation at this particular juncture. This is a transitionary solution. What we will do for you, and we will allow you to do, is we will mount your network home directory on your desktop when it's available.
So that I do my work and I want to copy this stuff up to my data storage on the network. Let's say I only have 100 meg of data storage. Well, that's fine for my documents. The documents that have changed, my spreadsheet maybe or this and that and the other thing, and I can copy them up.
I don't have to worry about permissions. I don't have to worry about any of that stuff. We don't do that for you. We will mount the volume for you, but we won't do the copying for you. We will put the documents folder in your Dock, again, for easy transferring of data.
So you'll have your network account documents folder will be there. Your network account home directory will be in your desktop if you want it, and you asked me to set that up for you. We don't set up the synchronization. Our utilities, our sync and some other utilities, and we're providing, the OS is providing utilities going forward that will allow those kinds of things to happen. But for doing file copying and access, we don't do that.
So if I go home and I connect up to 100 different browser sites, and I add them bookmarks, and then I want to log in at work on my desktop with the same user ID, I'm not going to get those, unless I copy them, in which case then I will. So very excited about that. I think that'll be a real plus, make it a lot easier for people to work, and I know it'll make it a lot easier for me to work. Additional login window options. New in Mac OS 10.3, we have auto logout.
I use this now. I set mine for 45 minutes. I get up, I go to lunch, and when I come back in, I'm sitting at the login screen. I'm not sitting at the screen saver. I may be at the screen saver, depending on how I configure that, but I've actually logged out. So, auto log out. And the ability to manage that.
Again, we have fast user switching, and we've given you the ability to manage that. We've given you the ability to turn that off and on. Because what you may want is you may want to have fast user switching on most of the machines in your lab, except for that special one in the back, which has a new video card or something else in it. We've also--and people talked to me about this yesterday at another session, just because they saw who I was or remembered me from past years--and that is the ability to mount additional SharePoints.
So you can, it's not just, what we currently have today is if you're a member of a group, you can mount a group SharePoint. And that's good because it's sort of workflow oriented. But this gives you the ability to mount additional ones because people are saying, well, yeah, I want them to be able to mount a group one, but I also want them to be able to mount a documents one. I also want to mount a pictures one and things that are going to be global to a whole bunch of people that may be across groups. So we're giving you the ability to do that.
Universal access. These are things to handle a lot of special ed needs. And the other thing, and this comes up with where we've been hopefully listening to you guys, and that is for application access, currently in Jaguar today we have an allow list. Allow the users to access these applications. Well, that's good.
But not great. And why isn't that great? Well, because you all, as developers, may find and have found that at times to solve a particular engineering need, it's easier and faster to just write a Unix utility that your main application then calls. It munges some data in the background for you, you fork off some data to it, or you pipe some data over here.
And those applications, or those little utilities, aren't visible to the system in the same way as your full-blown application is. They actually don't appear any differently to the OS than a text file in some cases, though there are file differences and extension differences. But if I go to open the file, it's just gonna look like a bunch of text data in a lot of cases. So the ability for us in a user interface to show everything that possibly could be an executable would be a very big long list. So we only displayed applications.
So what might happen is I allow you to run your application, I'll use Photoshop for an example, and let's say your dithering utility is a Unix-based tool. I didn't allow my user the ability to launch that dithering tool. So guess what's gonna happen when they try to dither the image? It isn't gonna work because they don't have access to be able to do that.
So what we've given you is the ability to say, well, allow Unix-level tools to execute. We've also given you the ability to have a deny list. And what we found is that what people really wanna have happen, what our customers really want, is they don't want the students to run iTunes.
So, you can't run iTunes, you can't run a terminal, you can't run a console, you can't run this, you can't run that. All the things that they can easily pick, we just tell them you can't run those. And so we've added a deny list. And we think that with these particular different groupings, we've given you a lot more flexibility for 10.3. So now what I'd like to do is I'd like to show you a demo workgroup manager here on Demo 1.
So what we have here is something which is probably familiar to all of you. We've got a little bit of--a few things that are different. A little bit different look and feel. But ostensibly, this is where we--this is where everybody usually starts out. And I'm in here and I want to create a new user. And I'll create my new user, WWDC.
Give them a password. I can give them what level I want them to have. I can have them administrate the server. I can have them administrate a domain. There is no domain set up on this particular machine, so that's not active. The ability to log in or not.
So I'm already starting to layer some management here. Depending on whether or not they can administer the directory domain, I can give them granularity for that. Again, I can't get to that particular one because we're not administering a domain here. Then we have--let me save that so we have now a new user.
We have a variety of different options that we can set for that user. We can set their password policy. We can set what their shell is. We can assign them to groups. We'll get to that a little bit. We can also--again, since this is freestanding, there's another button which pops up when it's not freestanding, and that is a network button.
So I can select--say they have a network home directory, but I'll go here under Advanced. And basically what I can point to here is-- I point them to my server. This can be a server that's served up over some other mechanism. It doesn't have to be served over AFP. I give them a path and their home. I can set what their--I could give them five kilobytes worth of data storage. That probably wouldn't be real useful. I can set their storage in this particular environment. So let's revert to that.
I could say that they don't have any home. Again, that's a management choice right there. And all I'm doing is I'm setting up a user account. So what I'm trying to get the notion to you is you don't have to have managed system preference data to be a managed user.
I can set up mail preferences, print preferences, preferences if they want to have Windows access, those types of things. Then I get into--I can have groups. Create a new group--WWDC group. And for those of you who use Workgroup Manager every day,
[Transcript missing]
I can designate a full path in the advanced mode. I can add users to this. Add users to them. That's real easy. So adding and deleting users in this particular environment
[Transcript missing]
And I can do a bunch of things. I can set the access for these now. So this gets into an interesting kind of scenario whereby I can have a user that can authenticate as who they are--they really are who they are, they've typed in their username and password--but I don't allow them to use that computer in the back of the lab that I've saved for my special ed guys. They're not allowed to use that computer, or these servers--I've got a bank of servers. Only admin users can log on to these servers.
I don't want any Joe Blow to be able to log in locally to these servers, so I can set those kinds of things up here too. Then you have a notion of a cache, and this gets more into... into our managed client MCX data environment. And that is for the sake of speed and to cut down on the network traffic and to optimize for that as much as possible, we keep a local cache of the data that you set here. So when a particular user logs in, we copy some of that data down, the MCX data, and some of that other data. When you're creating mobile accounts, we actually create a copy of the directory structure.
So that they've got the same set of groups, the same user list, that kind of thing. And this is cache aging here. So what we've got here is, I'm going to switch to guest computers, and I'm going to switch over here to...
[Transcript missing]
[Transcript missing]
I can say which applications. So what we have here is this is the option that we have which allows Unix tools to run. I can toggle that off and on. Basically, that allows any sort of Unix tools to execute. Users can access applications on local volumes.
A lot of times what you want to be able to do is you want to say, well, I don't want them running the network versions of these. I want them to run them locally and allow applications to run non-approved applications. And this is an ease of use or an ease of facilitating the user's ability to use the machine, but it gives people the ability to fairly easily, depending on what applications you give them, launch any number of non-approved applications.
Then you can launch all applications except these. So I can come in and I can say, remove Activity Monitor, remove Address Book--I want to be able to do that--remove ARDAgent, because I want to be able to access the machine, remove Classic, remove Color Sync, don't remove Console. So I can go through and I can remove applications, move direct--nah, I don't want them to access directory access--the meter. And you can set--basically you can set what applications that they cannot access. So, that's revert.
In the Dock, we've added a couple of things to the Dock. In the Dock, we've added the ability to mount a Documents folder, a shared folder, a My Applications folder, group volumes for groups--since this is computers, there are no group volumes--and the network home. This gets to the mobile account scenario that I was talking about. I want to be able to mount your network home as a share point on the desktop. You can also add documents and folders, and these can be documents and/or volumes that are individual separate volumes. And you can configure what the Dock is going to look like.
[Transcript missing]
Let's not save that. Energy Saver was in and is in Jaguar. You have a variety of different Energy Saver options. Finder--what's new in Finder? What's new in Finder, the commands--we've separated out the restart and shutdown commands, again, at the request of some users who wanted to be able to say, "You can tell the machine to restart, but you can't--because something might happen, you may want to restart the machine, but you don't want it to shut down, or vice versa.
You can shut it down, but you can't restart it." We split out system preferences. In the past, we had application access and you had system preferences was just a separate tab there. People wanted those separately because they manage the ability to access system preferences differently than they do applications. Basically, I don't want people here to set the screen saver or change the sound volume, those kinds of things. So we allow them to manage system preferences. You can show none.
And then I can go in and pick printing and fax and QuickTime only and I can apply that. So now the only things that are gonna be shown for the guest computers are QuickTime and print and fax because that's the only thing I want them to do. Mobile accounts.
Mobile accounts is... Now, I clicked here on always just because, you know, for a bug standpoint, but since I'm not going to, but for the most part, this would probably be best done as a once preference. And what's the difference here? Because we have preferences handled in a couple of different ways. Once is like your initial setting. So if I come in and I want my initial setting on my dock items to be these things, these five settings, I want, you know, here's an intro to the school year, or an intro to my business.
I want that right in the dock, and I want a whole bunch of other things. So I want, when the user comes in at the beginning of some particular session, or if I've just rolled out a new IT solution, for example, well, I want the help file for this new process to be handled, or it's time for them to pick a new health plan. So I'm going to put down in a set once setting, I'm going to put down here's a URL to the health plan in my dock. And that's once. And then they can change that, and it won't ever show up again.
But if I want something to go back and every time they log in to be reset... So, creating a mobile account: I don't want to create this local mobile account every time I log in. So, I probably want to do that for the first time the user logs in, they get this preference, and I want to give them the option to create an account locally that maps to their network account.
So, this is an example of one that probably would be most useful. However, you might want to do that always, because the user might be deleting their mobile account on a regular basis. It may actually just be being used as temporary storage. So I may create a mobile account on a PowerBook, turn the computer in. At the end of the day, I delete all the users on that computer. Next time that user logs in, I want it to create another account local to the machine. So there are uses for always.
Universal Access is new. Basically, this tries to mirror the Universal Access in the system. And then the other one we have here, Internet. Let's talk about Internet for a second. And this brings up an interesting point that I wanted to get to. We do not manage everything in the system from a System Preferences standpoint from Managed Desktop. We don't manage everything. And we don't manage everything in the same place. Why do we do that? Well, if you look at Panther, there is no Internet system preference anymore.
In the Internet System Preference, there was what is now in the .Mac System Preference. Well, in Jaguar, in the System Preferences, we had email and we had web. So, with email and web, those things aren't managed in Panther anymore. They're managed at an application level. But for our Jaguar clients, they're still managed.
So that's why these are here. And we also believe that they're good to be managed anyway. But we don't manage the iDisk ones. So because we're running out of time here, I want to show you something which I think is really cool, and that is the inspector. So we have the inspector.
And ostensibly, I'll come over here to Users, I'll pick WWDC, and I'll click on the inspector. And I've got WWDC. Here I have everything that's associated with the standard password server. Notice I have no data for MCX data at all. Click on Computer Lists and click on Inspector. Here you'll see--whoops, hold on a second, it counts.
I don't see any MCX data. I thought I saved that. Didn't do it under Users. Let me go in here and create some. Users can use all applications except these. You'll have to excuse me. The demo that I had set up here on this particular hard drive would not boot on this particular machine, so we're running without a server setting behind me with all of this configured.
and there we have our MCX data. Why am I showing you this? Well, I'm showing you this for one reason. Can we switch back to the slides? Because I'm going to--.
[Transcript missing]
We've got both from user accounts to file access to application settings--excuse me, to system-level settings. We're going to be showing you application-level settings here in a minute.
It's been shipping since Jaguar. Workgroup Manager has been part of the Jaguar 10 server. It can be running on a Jaguar machine. People are just beginning--the IT folks are just beginning to deploy this. They've been evaluating it, and they're now rolling out solutions. We're getting the feedback from you all. We're getting the feedback that we did with the deny list that we're adding to Panther and those kinds of things--the gotchas that you've run into.
Preference Storage: We want you to do a couple of things for preference storage, and that is, wherever possible, we want you to cache files locally, where possible. And this is a little bit schizophrenic here, because I also want you to associate these things with user records, because more than one user can be accessing the machine, and I don't want you to have global data floating around.
But I want you to try and prevent, wherever possible, prevent network bottlenecks. And basically, what that does is--I mentioned you try and optimize your I/O as much as possible, so that you're not doing a lot of small reads and writes, because a ton of small reads and writes spread across a whole bunch of folks, all funneled through, you know, one switch, or all funneled into one Ethernet port out the back of one server, can really slow our users down. Multiple user environments are a factor that you have to pay attention to.
So as I mentioned before, by paying attention to that, one of the things that we did was we added your deny lists for users to restrict user access. And hopefully that will prevent the errors from happening and potentially the hangs from happening when not all of the utilities that you use to provide your solutions are available for the users. Users are accessing their home directories over AirPort.
Is this the optimum solution, and was this the design implementation that we thought about when we were doing home directory implementations? This is what the users are doing? Yes. So you need to keep that in mind when you're developing your solutions or you're providing your applications: they're doing I/O to their network home directory. It may not be disk I/O speeds. And users want their application preferences to be manageable as well.
So what I'm going to be showing you here... What we have here is a list of the--we're going to switch back to this demo machine--MCX data that's stored. And as you notice here, this is the inspector editor. Here you have the XML. And we've got application access. That's the key. Things are forced.
We have where we set it. Application access preferences. So what I'm going to be doing here is, let me cancel out of this. Go back here to this application access. Click on him. Click on preferences. And I'm going to set an Internet preference, web, always. I want my home page to be www.apple.com. And default web browser to be Safari.
[Transcript missing]
That's good. Now I've set my default web page here. Safari actually is one of the applications which uses these Internet settings. And so now people will go to www.apple.com. Well, that's all well and good, but I want more. So what I'm going to do here is I'm going to go under my applications, and I'm going to open up Safari.
This should be interesting to the IT folks. It may not be interesting at all to you application developers out here, with the possible exception of, if you do this with your preferences, your customers are going to be able to do this with our product. So we're going to look here at preferences. Oh, look! I have a home page here too.
[Transcript missing]
And that looks good. Bookmarks, that looks good too. I want them to enable tab browsing. New tabs, I'll set that. Autofill, security, I want to block pop-up windows. Yeah, I'm sure I want to save that. So I've just set up the preferences for this application by myself. So now I'm going to quit this application and I'm going to go under my home. And I'm going to open this up with... I didn't want to open it with the plist editor. Let me quit plist editor.
[Transcript missing]
[Transcript missing]
Now we're going to edit these preferences here. So what I've got here is I've got application keys. And his team have a lot of application keys. And here we have apple.internet.com.
So I am going to
[Transcript missing]
And I'm going to paste that in there. And now I've just pasted in... If I was able to connect up to the other server, basically what I've done is I have now added Safari preferences to this particular user's... So, when they log in and they launch Safari, they're going to get those same preferences. I could do that to a group of users.
I could do that to a computer list. Any preferences I can set in an application that are stored in CFPreferences, using the inspector with Workgroup Manager, you can copy and paste those preferences into their MCX data. When that user or group logs in, that data will get composited and put in their plist file for Safari in their home directory, and they will get those preferences, too.
So, we're giving you a lot of very powerful tools with Workgroup Manager going forward. And we don't do any sanity checking here. If I had pasted this in in the wrong place, offset that dictionary by one, those preferences might not have launched. So, it would have behooved me to make a copy of those preferences first, save those out, so I would have been able to restore, should it not work.
But this allows you to go into any application that stores the bulk of its preferences in the same folder. And you can do that with any of your applications in CFPreferences, and be able to edit those preferences with a text editor or with any editor of your choice. Back to the slides.
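An added example, not code from the session or Apple's own MCX implementation: a small Python model of the compositing Rob describes above, where an administrator's managed record is merged over the user's CFPreferences plist at each login, with "always" keys reset every time and "once" keys only seeding an initial value. The key names, URLs and the applied_once bookkeeping are constructed for this example.

```python
"""Illustrative model of MCX preference compositing (added example, not Apple code).

Models the behaviour described in the talk: keys managed as "always" are reset
at every login; keys managed as "once" seed an initial value that the user may
then change. Key names and the applied_once bookkeeping are assumptions.
"""
import plistlib

# Constructed sample: what Safari stored in the user's home via CFPreferences.
USER_PLIST = plistlib.dumps({
    "HomePage": "http://localhost/",
    "TabbedBrowsing": False,
})

# Constructed sample: what an admin pasted into the user's MCX record.
MANAGED = {
    "always": {"HomePage": "http://www.apple.com/", "BlockPopups": True},
    "once": {"TabbedBrowsing": True,
             "DockURL": "http://intranet.example/health-plan"},
}


def composite(user_plist, managed, applied_once):
    """Merge managed keys into the user's plist; return (plist bytes, applied_once).

    applied_once records which "once" keys have already been seeded for this
    user, so they are not re-applied after the user changes them.
    """
    prefs = plistlib.loads(user_plist)
    applied = set(applied_once)
    # "once": seed only the first time; afterwards the user's own value wins.
    for key, value in managed.get("once", {}).items():
        if key not in applied:
            prefs[key] = value
            applied.add(key)
    # "always": reset at every login regardless of what the user changed.
    for key, value in managed.get("always", {}).items():
        prefs[key] = value
    return plistlib.dumps(prefs), applied


def simulate_logins():
    """First login, user edits two keys, second login; return the final prefs."""
    plist, applied = composite(USER_PLIST, MANAGED, set())
    prefs = plistlib.loads(plist)
    # Between logins the user flips a "once" key and an "always" key.
    prefs["TabbedBrowsing"] = False
    prefs["HomePage"] = "http://localhost/"
    plist, applied = composite(plistlib.dumps(prefs), MANAGED, applied)
    return plistlib.loads(plist)


if __name__ == "__main__":
    for key, value in sorted(simulate_logins().items()):
        print(f"{key} = {value!r}")
```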
So what are development guidelines? These are the things we want you to think about. Your product will be used in a managed environment. So test with our product. You should have been given a CD with the server software on it. So install the server software. Run this software locally.
You can run this stuff locally. You can sit it on a machine and run all these preferences locally for local users. Or you set up a server so you're actually doing traffic over the network. And if you run into problems, you can debug them in a network environment. And run capabilities.
Run capabilities. The capabilities defaults might be different. Assume that your applications will be controlled in some fashion. If you have helper applications, please call those out in your documentation if they're really full-blown applications. So let's say I have a chart application that puts up a pretty graph based on the data in my application, and that's a real application that I write.
It's a bundled Cocoa app, for example. Put that in the documentation so if a user is doing an allow list, they can pick all the applications that are usable. Minimize wherever possible the use of the unbundled. If you have some utility or scripts that you execute as part of your solution, those won't be runnable. We will say that the administrator is the king.
If the administrator sets something up in a particular way, we will try and enforce that. If it says don't give access to this particular application or these particular sets of applications, we won't. And assume that your product will be used on the network. So try and optimize your I/O wherever possible.
Don't assume that the configuration that you test with in your office will be the configuration that the user has in theirs. So try not to hard-code file path names. Use CFPreferences. Again, you just noticed how easy it was for me to cut and paste those system preferences out from Safari to MCX and put it into the MCX data. It's the same data.
"Rolling your own preference management might not work well in the future. There are no guarantees. But if you see a preference going forward, we'll still be able to manage that." So just to close up and to wrap this up, Mac OS X is a managed environment. You guys are IT guys, you already know that. Application developers, I want to thank you very much. When I was sitting putting together this particular presentation last year, I showed three applications that were bad.
And I showed how their behavior was bad. And there were some Apple applications, too. And, you know, I really thought that there--it would still be really easy to find bad applications. And I went and checked a lot of your applications out there, and you guys listened. Thank you very much. You're not doing a lot of the things which preclude you from running in this environment. And keep up the good work. I didn't show any bad applications out there because I didn't find any.
And what I found was things like Safari, things like, you know, other applications that are storing their preferences and CF preferences--not all of you are, but a good portion of you are--and in dictionary formats that are easily transferable for our IT users out there. Not all of them are, but a good majority of them are. So thank you very much.
And talk to me about what your customers are seeing and what your customers are needing. So who to contact? Myself, Michael Lopp, who gave the overview of this particular stuff. Skip Levens, your technologies evangelist. And the session we had--they had the session yesterday, so I don't know that we have any follow-on sessions.