
WWDC07 • Session 540

Managing Mobile Computers

Information Technologies • 57:27

The increasing popularity and proliferation of portable computers introduces new challenges for system administrators responsible for managing them. Learn how to use the technologies built into Mac OS X, Mac OS X Server and Apple Remote Desktop such as File Vault, Task Server, Cached Managed Preferences, Portable Home Directories and more. Make your life easier and more effectively manage the portable computers in your organization.

Speakers: Tony Graham, Shawn Geddis

Unlisted on Apple Developer site

Transcript

This transcript has potential transcription errors. We are working on an improved version.

Welcome to the Managing Mobile Computers session. It's the last session before our big party. ( Cheering )

Yeah. All the Europeans know that we actually check to make sure you're 21 before we'll serve you alcohol, right? So you need a little yellow band for that. Also I know some of you are going to be tempted to leave early and run to the party and so I wanted to let you know that I've got a little something special for those of you that wait till the very end, so stick around.

( Laughter )

Let's begin. My name is Tony Graham. I'm a Systems Engineer with Apple Education, and I wanted to give you an overview of the kinds of tools and technologies that you can use for deploying large numbers of mobile computers. A number of the sessions at the conference have dealt with the topics we'll cover. This is the mobile twist on them.

So we've got a bunch of things we want to talk about today starting with Directory Services and then moving along to home folders. Try not to say home directories here because it tends to be a little bit of a conflict in the naming. So if you hear folder and you're thinking directory you can just swap it. Then we'll discuss managed preferences. And then take a break and talk about security, followed by some tips on software distribution, and then finish with a discussion of backup technologies. So let's start with Directory Services.

Your computer needs to know lots of things about you in order to operate in a way that's customized for you. It needs to know your name, it needs to know your UNIX ID, or your user ID, it needs to know your password, and that stuff needs to be stored in a way that it can get to. Now, out of the box a Mac is going to implement a local directory service so that you don't have to be connected to a network to use it.

And the local directory service will have your account information and can optionally store what I'll call management information. You can think of it as parental controls, the kind of things that limit your access to applications or set up the environment in a particular way. We'll refer to it generically as management information.

So how many of you are new to Mac OS X system administration? Oh my, one. Okay, excellent. Welcome.

( Laughter )

The rest of you are well aware that Tiger uses a local directory service called NetInfo. And it's stored in a hidden directory, the directory that the user -- no, no hissing, please.

Don't speak ill of the dead. ( Laughter ) (Applause) NetInfo is in a hidden directory in /var/db. Your users don't see it but you probably have. They're going to use graphical tools like the accounts pane and system preferences. You might have used NetInfo Manager or in some cases Workgroup Manager to modify that local data.

There are a number of command line tools that are available as well. And the historical ones start with NI, which tell you it's a NetInfo tool. And the newer stuff starts with DS for directory service. And you want to make sure you're using those today on Tiger because starting with Leopard they go away. Sorry. Starting with Leopard the NetInfo ones go away. So your local directory service is going to be presented to most of your users in this way.

You may be working with it in this fashion. This is the DSCL command line tool which will display and let you modify and navigate your directory service. Navigate the local directory service on Tiger and on Leopard will show you something along these lines for a user record. So in here you navigate the database as if it was a UNIX file system. You can change the directory to users.

Group information can be stored in here, computer information would be stored in here as well. Navigate to your user record and you can use the read command to display the properties of your user. And I've shortened some of them here, left out a few of them, but the ones that are kind of interesting in an out-of-the-box situation is your home folder.

When it accepts your authentication it wants to drop you in an environment and know where your preferences are and where your documents are; the database needs to know where that is; it needs to know your name, it needs to know your login name, your short name; and it needs to know a unique UNIX ID.

So new in Leopard are account property lists, P lists. Each user is going to have a file in your file system that defines your user. And when I say "user" I'm kind of honing in on the user aspect, but certainly groups and other parts of the directory service are represented as well. The same graphical tools will manage those, system preferences and Workgroup Manager -- notice NetInfo Manager is no longer there -- and DS commands for Directory Services as well.

So here's a shot of kind of the directory structure for your local directory service. And notice that at the bottom the administrator user and the root user have a P list or property list. So for that one of you who's new to administering Mac OS X, that's a text file you can open in a text editor or property list editor and see how those settings are.

It's a little bit more open now than in NetInfo, a little bit easier to get to. So local directory services are fine until you start to create accounts on lots of computers and you start to do a lot of repetitive data entry and you start trying to synchronize passwords on lots of machines; that becomes quite a bit of an effort. So a way of mitigating that is to try and put your directory services information on a server, we'll call that a directory server. Your account information and your management information can go there.

Even in this scenario you've got a local database in use as well. You certainly as an administrator are going to have to decide where accounts go. But if you want to use them for multiple places on your network they've got to go in the directory server. Two popular choices for directory services are Open Directory, Apple's directory service. It ships standard with Mac OS X Server.

Yeah.

( Laughter )

- One of you likes Open Directory. Any other Open Directory fans?

( Applause )

Okay, good. Think of it as a database and it has to have all those same sort of the feels we saw in the local directory service. We've got, obviously, slots for all of those. Another popular one, Microsoft Active Directory. How many of you using Active Directory?

( Applause )

Oh, come on now.

( Laughter )

Probably half of you. And the rest of you are afraid because people were hissing, right?

( Laughter )

Snakes in a show, right? So Microsoft Active Directory. The good news about AD is you can talk to it through LDAP which is how we talk to Open Directory. And you can stuff the same sorts of things in AD, or Active Directory, that we stuff in Open Directory. But they don't have slots for everything.

So if you want to store management information in Active Directory you typically have to add extra slots to their database. You have to extend their schema so that they have room for management and other information that we want to put in there. And that's quite easy to do. Some of you are comfortable doing that and some probably not.

An alternative for those of you who don't want to extend the Active Directory schema is to use both Open Directory and Active Directory. And how many of you are doing this, what we call the magic triangle?

( Applause )

Probably a third of you, great. The beauty of this is you can put your management information in Open Directory and your users stay in Active Directory and you may not be the person or the group that manages Active Directory.

It may be something handled at a university level or at a corporate level and you're interested in management of your machines at a departmental level, you can govern the behavior of your machines using Open Directory and still use Active Directory users. Your clients will be bound to both directories.

That's called the magic triangle. Now coming up in Leopard -- how many of you were lucky enough to see the bending Directory Services to your rule session? Good. About half of you. That was really good, huh? In there we talked a little bit about augmented records, which will allow you to streamline this process more in Leopard and Leopard Server. There's another session tomorrow that will talk probably in more depth about augmented records.

So network accounts are great for people that are connected to the network, but if all of your user information is on a server and you disconnect you've now lost your user accounts. We need something that will allow you to work offline as well. And mobile accounts are the way you do that.

With mobile accounts you've got a copy of the -- you have a local database on your machine and you have one in the server and periodically that gets synchronized. So when you log into it it'll ask you if you want to create a mobile account, you say yes, and your user records get copied down to the system. So you can work offline. You can unplug and you can go home or travel.

So if you want details about this you have a number of options. Some of you had a chance to see the directory services, bending directory services session. Others of you will probably watch the recorded version, which should be available online in the future. Those of you who missed it will want to make sure -- and actually those of you who went will want to make sure that you go to the managing and deploying Open Directory session at Pacific Heights tomorrow at 9:00. And Managing Your Clients are Leopard Server tomorrow at 2:00.

All right. So that was directory services. Now we need to talk about home folders.

( Laughter )

How many of you were at the calendar server session and couldn't go to the home directory session? All right, good. So I'll give you a little overview of what you missed.

Again you take a Mac out of the box, you open it up, it needs a place to put your stuff. We'll call that a local home. And that's going to be automatically created in the users folder on your machine. And Mac OS X will create subfolders for you: Your documents folder, your library folder, et cetera. In the library folder is a preferences folder. And in the preferences folder are where your application preferences are stored.

This is fantastic but it's not necessarily scalable. It defaults to /users and it's very easy to use because that's what we do out of the box. It's the default way of creating home folders on Mac OS X. It's tested. All the developers that are here at this session that are writing your applications are most likely testing against this situation, this scenario.

And it's uniform so those of you users who have Macs at home are used to using their Mac that way when they go to work it will be the same way. But it doesn't scale very well. For one thing there's no separation between the operating system and your user data. So your user home folder's on that same volume as your operating system, called the boot volume.

And some of you may want to set up a system whereby that operating system can be replaced without losing user data. I imagine most of you want to be able to replace the operating system without losing user data. And there are some mechanisms in Mac OS X for doing that, but not quickly.

And so partitioning your drive and kind of having a boot OS and a user volume may be an approach that you like. Some of you work around that by creating a symbolic link from /users on the startup drive to the secondary drive. And others of you actually edit the fstab file so that that second volume gets mounted sort of invisibly behind the scenes on the first volume.

We'll show you in a moment maybe a better way of doing that, a more easily supportable way. And then the other downside is all the users data is on one hard disk. So if their MacBook Pro gets stolen or lost or the hard drive crashes they lose all their data, and they may come crying to you.

So you may work around this by saying let's give everyone a network home and we'll have everything on a server and we can back up the server and we can put it on redundant storage. And that works great. Typically you'll locate that on a share point on a file server like an AFP, SMB or NFS share. The beauty of this is none of the user's data exists on their local computer. It's used live over the network, and that means it's portable. You can go from any machine, go to any machine on your network and get to your user environment.

The downside to this is performance. All the reads and writes to a user's home folder are going over the LAN. That means cache files are going over the LAN as people are browsing websites; all of these temporary files that are supposed to speed up access and take a load off the network are actually traveling twice over your network.

If people start to capture digital video in iMovie to their desktop it's going over your LAN. So downside there. And also it's not ideal for portables because the moment you unplug you have no access to your home folder. So we'll represent it with this picture and we'll tell you for portables it's not necessarily a good approach, but we'll discuss in a moment how you might use this in conjunction with portable homes to get the best of both worlds.

So a portable home, like with Directory Services is a mechanism that will synchronize what's on the network and what's on your disk. So you have a local home on your machine and a network home folder as well. And you're going to periodically sync, synchronize all of that data. So you should have a copy in both places.

The beauty of this is you can use it offline, you can work at home, you can work in another office, you can work in the airport; but you can back up the version of the user's data that's on your server. It's all in one place so it's easier to get to. And again, you can get to it from multiple connected systems on your LAN. So the portable home is a periodic sync of your home folder and if you've got the mobile account, which typically the two are used together, then you can be somewhat assured that the user's environment can travel with them.

Now, when things go wrong you may want tips on troubleshooting these portable homes and one that I'll point you to is something that some of you ran into where you configure home synchronization using the Workgroup Manager tool. And it's synchronizing, maybe you want to stop doing that and you in Workgroup Manager set it to never, thinking that will mean never synchronize your home folder. That actually just means never control the synchronization of your home folder. So we do have a tech note that explains how to change that if necessary.

And also you should know that the process that's actually doing the synchronization in the background is called Mirror Agent. And you're able to enable a debug mode in Mirror Agent using the defaults command. Set a preference for Mirror Agent, and there are increasing levels of detail from 1 to 4.

Now you may find that a portable home works great for some situation, and a network home works great for other situations and you want to be able to use both. An example would be somebody that who sits at a desktop machine most of the time, perhaps an engineer, they're working on a big screen and a beefy Mac Pro, but they occasionally travel.

Or they want to take some work home, right? So set them up with a network home on their desktop machine and when they want to check out a MacBook or MacBook Pro that can be set up with a portable home so they can take a version with them. When they return to the office they can resynchronize that and then go back to their network home.

The opposite is also possible. You could have professors that have a portable that they travel with, and that's the machine they use at home and in the office. But when it gets time to go walk into the lecture hall to deliver their content, rather than unplugging everything on that portable machine, carrying it into the lecture hall, and reconnecting audio and video and networking and maybe even USB, you can have a desktop machine already there in the lecture hall. That machine can use a network home. So when they log in they're instantly presented with their environment, there's no delay for synchronization.

You typically don't want to use both at the same time. And then the third environment would be somebody uses a network home because they left their MacBook Pro at home, literally at home, or it's being serviced. So it's possible to synchronize and then hopefully not at the same time use a network home depending on your usage pattern. So Leopard brings some improvements to portable homes and network homes and some new features. With portable homes one change is the administrator and/or the user can define where on your disk your user folder, your home folder, is going to go.

( Applause )

So whereas before it had to live on that startup volume you can now partition your drive, you've got your OS on the boot volume, you've got a second one for the user folder, and you can specify that's where the user's data goes. Rather than sort of hacking Mac OS X to make this possible we have kind of a legitimate way of doing it.

The other problem that sometimes folks run into when they use portable homes in a lab environment is a student logs into machine A and they synchronize their portable home and they work and great, and then they leave. They log out hopefully, and then leave. We've all probably learned that lesson the hard way, right? When they come back the next day somebody's sitting at computer A so they use computer B, it synchronizes their home folder, now they have a copy in two places, which is fine.

But over time enough students and enough machines leave little droppings all over the place. And some of you probably have scripts that run when they log out to delete all of this stuff. Portable homes in Leopard have an option to automatically clean up after these people on a schedule, also ensuring that synchronization takes place first.

And also server side file tracking. When a portable home directory is used and you log in, your machine has to in Tiger traverse your entire home folder and look on the server and see which files have changed, right? So it's basically touching the metadata of every file and it's really beating on your server. With Leopard and Leopard Server the server can actually just tell your client, here's all the stuff that's changed so just synchronize that stuff.

( Applause )

Yeah. And that will help for those of you who are going to use maybe Xsan for your home environments on the back end. A new feature in Leopard is the external account. Think of this as a portable home directory but instead of it being on your computer it's actually on a portable drive. An external hard drive ideally, although you may find other removable drives that work as well.

So in this situation you can take that drive from machine to machine. When you connect it your home environment is immediately available, you don't have to synchronize it with the network and then come and resynchronize with the new machine. So your home folder and your directory login all travels with you in the disk.

Now one thing that's kind of cool is when you use a MacBook and you have a mobile account on it, if you reboot that machine in target disk mode, by holding down the T on the keyboard, your MacBook will become an external hard drive. It's not usable, the keyboard doesn't function, the screen essentially just shows a FireWire logo, but you could connect the MacBook to a desktop machine with a FireWire cable.

At that point your MacBook becomes an external account on the desktop machine. So you're working mobile and everything's fine, you put it in target disk mode, connected it to a beefier machine -- maybe you need to do some video editing -- and log in and your entire environment is preserved.

( Applause )

And finally the guest account. The guest account is a no password account, a local home folder that's created from the same template as standard local users are created from. But it's deleted as soon as they log out.

So a little warning would be kind of nice if you're going to do that. But this is going to work great in kiosks or in labs where you sort of trained your students to copy their files or trained your faculty to copy your files to a server before you log out, and then you don't have to worry about leaving private information behind. Now external accounts and guest accounts might raise some concerns about security. And you should know that you as an administrator can decide whether or not your machines allow guests or external accounts.

So a couple of related sessions on these again already expired so check those out online. But managing and deploying Open Directory and managing your clients are Leopard Server tomorrow at 2:00 will cover this ground as well. So let's take a moment and switch to the demo machine and for the tremendous number of you who are new to Mac OS X administration I'll give you a Workgroup Management tour.

I'm going to use Apple Remote Desktop to control both a Leopard and Tiger Server. So we'll see some of the changes that are coming in Leopard. So first the Tiger. So Workgroup Manager's going to give me a list of users, it's going to give me a list of groups, and potentially a list of computers that I want to administer. So let's create a new user here. Oh, I'm sorry, Tim.

I'll do it somewhere else great. Let's save this user. And Tim doesn't need a password. And we'll create a group and we'll call it "managed users." And we can add Tim to this group. And then we can decide to govern Tim's behavior using Workgroup Manager. I imagine his manager would like this capability.

So we'll hit preferences and we'll go in and we can decide, mmm, I want to control maybe his dock, right? What should we allow Tim to have in his dock? Calculator?

( Laughter )

No we're not going to give him calculator, we're going to give him the chess game.

Yeah. You have the ability to say, gets these icons that I define but also -- and again we're dealing with a group here as opposed to a user -- but this group of people is going to have these applications that I've defined. You can allow them to add additional ones but not remove the ones you've added, or you can say, no, this is going to be the dock.

So for those of you who are deploying a large number of machines that are going to go away and you want to have some control over the user experience, setting this here and having them log in and get that managed preference while they're on the network will allow it to travel with them when they leave your network. So we can also create a computer list.

Oh, sorry, account. Yeah, thanks. We can create a computer list and I'll call this portable machines. And for this list of machines I'm going to go through and say I want to create a centralized software update server and I want to make sure that all of these machines use it. So I'll just put any URL.

If you're running a local software update server your portable machines will use that as opposed to using up the bandwidth for your organization. What else do we want to do? Let's take a look at mobility. These are portable machines after all. Now notice here we can say allow offline use, portable, essentially mobile accounts, by requiring the user to click okay, I want to create a mobile account on this machine when they log in. In a moment I'll show you Leopard Server and you'll see we have quite a few more options. In fact I will do that right now.

So same tool, Workgroup Manager in Leopard. And we've got a group called Managed User. We'll go to preferences. Notice now we can do things like parental controls. Whereas that was something you'd do on each machine before, you have the ability to say I want to limit access to websites and I want to hide profanity in the dictionary and always allow access to particular URLs, et cetera. So parental controls are available. Also Time Machine -- let's create a -- I think I've got a group of computers here.

So you say I always want to manage these and you can specify the URL and share point of a Time Machine server, so when these backups occur they go to your file server. Some of you also want to run scripts at login. And managed preferences can do that for you.

Just manage the login item here, select always, and you can do things like run a script whenever somebody logs in or when somebody logs out.

( Applause )

Thanks. Some of this you can actually do in Tiger. Notice under the options pane here is where you can do things like enable guest accounts on that list of machines and enable external accounts. So you have that control.

So kind of new also and something you may not know about it is some preference management that isn't reflected in this UI. So we've got a bunch of things in here that we can lock down. How many of you would like to govern the behavior of iTunes on the machines that you disperse?

( Laughter )

( Applause )

So there's no iTunes icon here.

But if we go to details and click plus to add a preference manifest to Workgroup Manager. If a developer has taken the time to build something called a preference manifest you can manage their machine using Workgroup Manager. And there are a bunch of prebuilt ones included with Mac OS X in something called Managed Client.

And I'm going to take the shortcut here, but it's in /System/Library/CoreServices, and it's called Managed Client. So if you add the Managed Client to this list you'll see that there's a bunch of stuff now that you can lock down that you didn't see the UI for. One of them is iTunes.

So if you edit this, notice where in Workgroup Manager you had kind of a once, often and always setting. It's not quite the same UI, but it's the same kind of control. We could add a key here and say always. Let's disable music sharing and set the value to true.

( Applause )

I like that one a lot, too. But one that I like even more is something called folder redirection.

No.

( Laughter )

Yes. So let's edit this. This one looks a little bit more hairy but it's so much fun. We'll go to always and click new key, change this value to login redirections. We'll give that one a new key. Sorry, I left my own dropping behind there. All right. We now have a redirect action. Now, take a look at this.

I'm going to take ~/Library/Caches. When the user logs in I'm going to delete it.

( Applause )

And then I'm going to redirect it to the temporary folder. And notice this syntax here, this percent-at (%@), that's the user name, right? So you'll have an individual cache folder in your temporary directory for that user name. Some of you probably scripted around this problem, now you've got kind of a legitimate way to handle it.

That does mean though that you've got some homework to do. Apple has provided some preference manifests that you can use for management. For all of the applications that you use you need to beat up on those developers and get them to provide those to you so you can lock down other applications besides the ones that you see here. All right. I think I'm ready for slides again. Now we're going to take a break and introduce Shawn Geddis to talk a little bit about mobile security.

( Applause )
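An added example, not code from the talk: a POSIX shell audit of the user-record properties Tony walks through in dscl (short name, unique UNIX ID, home folder), run here against a constructed record in the layout that `dscl . -read /Users/<name>` prints, plus a duplicate-UID check for the hand-created-accounts-on-many-machines situation he describes. The key names are the standard dscl attribute names; the sample values are constructed.

```shell
#!/bin/sh
# Added example (not from the talk): audit the fields of a local user record
# in the "Key: value" layout that `dscl . -read /Users/<name>` prints.
# The record below is constructed to look like dscl output, not captured.

SAMPLE_RECORD='RecordName: tim
RealName: Tim Example
UniqueID: 501
PrimaryGroupID: 20
NFSHomeDirectory: /Users/tim
UserShell: /bin/bash'

# dscl_attr RECORD KEY: print the single-line value of KEY (empty if absent)
dscl_attr() {
    printf '%s\n' "$1" | awk -v key="$2:" '
        $1 == key { sub(/^[^:]*: */, ""); print; exit }'
}

# check_record RECORD: print one line per problem; return 0 only if clean.
# Checks the properties the talk calls out as needed at login: a short name,
# a numeric unique UNIX ID and an absolute home folder path.
check_record() {
    rec=$1
    problems=0
    for key in RecordName UniqueID NFSHomeDirectory; do
        if [ -z "$(dscl_attr "$rec" "$key")" ]; then
            echo "missing $key"
            problems=$((problems + 1))
        fi
    done
    uid=$(dscl_attr "$rec" UniqueID)
    case $uid in
        ''|*[!0-9]*) echo "UniqueID is not numeric: '$uid'"; problems=$((problems + 1)) ;;
    esac
    home=$(dscl_attr "$rec" NFSHomeDirectory)
    case $home in
        /*) ;;
        *)  echo "NFSHomeDirectory is not an absolute path: '$home'"; problems=$((problems + 1)) ;;
    esac
    [ "$problems" -eq 0 ]
}

# duplicate_uids: read "name uid" lines on stdin, print each UID used more than once.
# Two local accounts sharing a UniqueID own each other's files; this is the kind
# of drift that creeps in when accounts are typed in by hand on many machines.
duplicate_uids() {
    awk '{ seen[$2] = seen[$2] " " $1; n[$2]++ }
         END { for (u in n) if (n[u] > 1) print u ":" seen[u] }' | sort
}

# Stand-alone run: audit the sample record, then a constructed account list
check_record "$SAMPLE_RECORD" && echo "sample record OK"
printf '%s\n' 'tim 501' 'ann 502' 'bob 501' | duplicate_uids
```

On a real machine the record text would come from `dscl . -read /Users/<name>` and the account list from `dscl . -list /Users UniqueID`; the functions themselves do not need dscl present.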

Thank you. Okay. Real quick, we just wanted to cover some content that some of you may have seen in some of our areas. Previous session we talked about security. There's a whole bunch of organizations, whether it be government or commercial, spending a lot of money protecting data, right? So there's some simple things that you can do to leverage the built-in services to do that, particularly on mobile devices.

One comment, one quote that I like to share with folks is if you were here back in 2004 in one of the IT sessions, Tom Yeager emphasized the fact that you don't spend money unless it or -- yeah. You don't purchase anything unless it saves you money, it makes you money, or the government requires it. So everyone here fits somewhere in that, in those groups. So let's quickly touch on managing the encrypted storage in the FileVault.

Particularly with FileVault many folks have been concerned with how to manage because they weren't sure how to do it on a large scale. So hopefully we can quickly give you some guidance. We mentioned this a little bit earlier about the new capabilities in the disk utility enhancement with 256-bit AES with Leopard.

This gives you additional protection and some people always ask, Well, what does that mean to me, 'cause I don't understand the security side? So this is if you go up on the NIST Web site you can get an idea. So if you could build a rack of supercomputers to crack a DES key, which is not that hard -- crack a DES key in a second, that same supercomputer group will take 149 trillion years to exhaust all the permutations, all the possibilities for a 128-bit AES key. Now that we've gone to 256-bit, right, this is the exponent. All right, the exponent on this. So we haven't gone linearly, we've now raised this much higher than 149 trillion years. And if some of you are here at that time -- good.
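The key-space comparison Shawn quotes, worked through as an added check that is not part of the original talk. The assumed figures are a machine that exhausts all $2^{56}$ DES keys in one second and a year of about $3.16 \times 10^{7}$ seconds:

$$
T_{128} = \frac{2^{128}}{2^{56}}\ \text{s} = 2^{72}\ \text{s} \approx 4.7 \times 10^{21}\ \text{s} \approx \frac{4.7 \times 10^{21}}{3.16 \times 10^{7}}\ \text{yr} \approx 1.5 \times 10^{14}\ \text{yr}
$$

that is, about 150 trillion years, which is the NIST figure Shawn cites. The same step for 256-bit AES gives $T_{256} = 2^{256 - 56}\ \text{s} = 2^{200}\ \text{s} \approx 1.6 \times 10^{60}\ \text{s} \approx 5 \times 10^{52}\ \text{yr}$, which is his point about the exponent: doubling the key length multiplies the exhaustive-search work by $2^{128}$, not by two.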

So let's quickly hit on the disk images. First, remember when you've created an encrypted disk image you actually have the ability to save the symmetric key, symmetric being the same key to encrypt and decrypt. You have the ability of storing that in your keychain. It could be any keychain that you have; you could even do a portable keychain with storage devices as well. But as you're creating an encrypted container, as you enter the pass phrase itself -- first of all we'll make a quick reference to the password strength. It's going to tell you whether the pass phrase that you're keying in there is worth anything.

Okay. Green is good, red is bad. Typical here. So, again, you can even -- if you click on the little key there it'll bring up the, a much more rich password assistant that many of you are familiar with, but as you type that you'll see the strength directly. So you can determine whether you want to hang onto that key on this particular system. And once you do that it's actually putting in a key entry in that keychain for that disk image.

Now you could copy that over to another keychain and manage that personally or even at a large organization. The area there about that count, that's really referencing that mountable image. It's directly related to that image and that's how the system will ask for the appropriate keychain to be unlocked when you want to mount that encrypted image.

This is -- taking this a little bit further. Remember when you have any encrypted image file you can now partition that into multiple partitions, create various disk formats, put data on there. Maybe you're doing some virtualization, Parallels, VMware, all kinds of stuff. Stick that on a partition, put another disk format like UFS; if you have some older UNIX applications they require both application and data being on UFS. These are, again, other ways that you can now ensure that all of that data, even though they're used by different run time environments and maybe even different users, that you can encrypt all of that in one container.

This is a scenario that really has helped a lot of people better understand the power of the encrypted disk image that they weren't aware of. Not only with the fact that we've raised it up from 128-bit AES to 256, if you're in an environment where you need access to that data, sometimes you don't always need the data to be maintained on your portable device. You may not always have to take it with you as long as you have access back to where it's stored.

So as long as I have access back to this file server I can mount that volume right on my desktop and all of the data going back and forth between the file server and that disk image is fully encrypted blocks, right? Because that volume, a logical volume, is seen as a block device. So as I read and write data only the blocks of information that are needed, both being written out and being read back, are all passed back and forth between the client and the server. And you have the key locally for that encryption and decryption.

So let's look at kind of a more feature-rich encrypted image, and that's FileVault. This is for the home directory. Now first of all it is relying on the same AES encryption, works on the fly so users aren't aware of the fact that you've got all that encryption and all that power underneath, protecting their data.

But you as the IT folks need to be able to recover or be able to manage that in case -- I'm your employee, if I leave or you fire me or you just get rid of me, or I forget the pass phrase if I'm logging in with passwords -- you need some method to be able to manage and get back access to that data. So what I wanted to do is kind of carry forward with you an explanation of what you can do both initially as a one to one or a very large deployment on how you can manage that FileVault container, the encrypted container, for each one of those users.

So you're already pretty much familiar with the System Preference on a local machine, you're in Security, and you're manually enabling FileVault by clicking on Set Master Password, you enter that password, and that is now creating what really is an identity behind that. And we'll talk in a minute about how you leverage that, how you manipulate that identity for your use both for recovery and creation of FileVault.

So let's review real quick how Tiger provides the protection for FileVault. Somebody logs in with their pass phrase, they log in, that pass phrase is converted to a key, a user key; and then that is unwrapping that symmetric key that is protecting all of that data. Then as a user I read and write my files just like I normally would. I'd see my folder, my documents, my desktop, my library, my music and all, it's just there -- I would do as a normal user.

On 10.5 we add the enhancement of using two-factor authentication, like smart cards, to unlock that same encrypted container. As I men- --

( Applause )

There you go. You can clap for that one. As you can -- as I mentioned earlier, also with AES 256 the same user experience for everything else. Immediate access to all that data.

This is where you need to have some mechanism to manage this encrypted storage. Many of you need to manage by policy or manage your users both for recovery reasons and maybe in some cases just for the protection of corporate IP. Maybe there's data that you need to be sure that you can get back to in the event that the individual's not there.

So when I mentioned that you clicked on -- manually, if you click on Set Master Password, what really is created is this FileVault master keychain. It's an identity, meaning it has a certificate and a private key. The combination becomes an identity. This is enabled and created for you on the fly.

And many of you that have your own certificate authority, if you want to maintain -- the predominant reason would be for key escrow -- to have the FileVault identity issued from your CA, what you can do is once it's created, wipe that out and import your CA's issued identity for FileVault. Okay, then you can manage it at the user level, workgroup level, organizational level.

So let's take this further. How can you leverage FileVault and manage it across a large organization? Remember that when you actually enable FileVault on the user all that really is used is the public key from that certificate to wrap that data key, okay? Some of you might -- I might be losing some of you here, but hang on. And that is when I -- let me back up here. Remember that by default there's an identity, a certificate and a private key. The public key is used to wrap, the private key is used to unwrap.

What I've done now is I'm going to deploy an image or I'm going to push out this management, FileVault management, to all my machines. What I do is I escrow that original keychain and I remove the private key. Okay. Why would I remove the private key? Because if for various reasons there's -- through social engineering or just somehow I am able to get the pass phrase on that FileVault keychain, I'd be able to decrypt someone's account.

And if you remove the private key, no matter whether someone knows that pass phrase there's no potential for them at that machine to decrypt and have access to that account. So what you do, again -- and back up, 'cause this is important. I've created that identity. I can do it on one machine if you want to manage it initially with one FileVault keychain. I enable, it creates the identity, I then remove the private key, and I either push this FileVault keychain to all my machines or I put this on the image that I'm going to use to restore all my machines.

Okay? Then what I do is when I need to recover, if the user's forgotten their pass phrase to enter for login or if, again, the user leaves, they're no longer at the company, all you need to do is restore that original FileVault keychain, that private key, and go through the standard recovery on the box. You're going to log in, it fails three times, it's going to ask you for the master pass phrase, you enter that, you're able to reset the user's password.

You can also do that from the command line. It's one line, and you do hdiutil; that is the command to manipulate the unlocking and the management of an encrypted image with FileVault. So I guess I'm turning it back to you.

( Applause )

Thank you. Thank you, sir. Great. So let's move on to software distribution. I've got a couple notes on imaging. And I need to be on the slides, sorry.

I was hoping to get a laugh out of this slide and I didn't get one so now I know why, right? So I got a couple notes on images but we have some great sessions that cover images so I'm not going to go in-depth. A couple of the things that I'll point out.

One being that there's the temptation for many of you to build an operating system image and put all your applications and set your preferences and set your machine up in what you consider to be an ideal or perfect way and then copy that a thousand times or you know, 40,000 times and distribute that out in the world.

And that's fantastic, but the temptation is as Apple releases new hardware to try and take that old image and use it on the new machine. And those of you who have done this for some time know that usually when new hardware's released from Apple a new build of the operating system is released with it, which is going to frustrate you if you try and use your old image.

Some of you have found workarounds to make this work. The danger you're going to run into is if there's a problem as a result of you reusing your old image you may not discover it until all of your machines are out in the world and it's going to be very hard to deal with after the fact.

So what you want to do is develop a process for building your image that assumes the operating system is there and then adds on top of it. Somewhat of a layered approach. So take packages that the developers provide you or make packages yourself, script this install if possible, and make the creation of your image an automated thing. So that if we were to give you a new machine you could click a button, make an image for that machine, and maybe one click and walk away.

So here is a way that I've used in the past. I'm not necessarily saying that this is what you want to do, but it's something to think about. And that is to use a shell script to take disk images that you're provided, that you download or that you copy off of optical media. Mount the disk image, use the command line installer to install the package that's on that image and then, if you like, dismount the image.

And you can do this for any number of applications in sequence. So when you're forced to make a brand-new image for a brand-new piece of hardware you don't have to remember all of the manual steps you used, all of the applications that you used. And if you've got applications that you want to customize, remember that the defaults command can set preferences so you can script that as well. Here's one that sets the Apple Remote Desktop administrator application such that when you double click on something in your list it controls it as opposed to getting info.

I've got another application, OmniOutliner. This one is going -- this one doesn't use a package installer so you need to copy the application onto the disk. And this uses the ditto command; ditto in the -V form is going to do a verbose copy of that application. So what you've got is sort of a bunch of different things you can do in sequence. And if you have to repeat this it's not a tremendous amount of trouble. This last one here is configuring QuickTime so that when you launch the QuickTime Player it doesn't bring up the Hot Picks movie.

So you can imagine there are probably hundreds of thousands of these things that you might want to do to a machine before you build an image. If your resistance to tailoring your image to that particular hardware family is that it takes a long time to make it, an automated install may do it, it may resolve that. Now you can do this or you can use a tremendous number of existing tools to do something like this.

Apple provides -- or Apple offers Apple Remote Desktop, which is sort of a network management tool but also has the ability to push installer packages and you can save these steps that you do in Apple Remote Desktop and replay them later. You can also use PackageMaker which is included with the developer tools to make your own packages.

So install an application, make an installer based on that, and then redeploy. And the beauty of that is not only do you have it, not only do you make building your image easier, but you can repurpose those packages with Apple Remote Desktop and push them. System Image Utility you'll hear a lot more about tomorrow, but it has workflow built in by way of Automator. So again, you can sort of automate the creation of your image. And a number of other tools -- some of these were even discussed here at the show.

Who was lucky enough to attend the Scripting for System Administrators session earlier in the week? So many of you saw Tim Purfit use Ruby on Rails to build sort of a lightweight Apple Remote Desktop application from a Web page. And he did offer his services. If you need help building something like that, his e-mail address is [email protected]. So if you need any assistance with that, contact him directly.

( Laughter )

Speaking of Apple Remote Desktop, this is a tool that will allow you to control and observe remote systems. We probably know by now that Leopard's going to have some of that functionality built in, but ARD is good for a number of other things including generating system information, reports. And the beauty of the way Apple Remote Desktop does this is it puts all the stuff in a post (inaudible) database and your clients will do it periodically.

So the database stores the last information your client gave it, and you can run reports against that if your machines are not connected. And this is going to tell you how much memory is in all of your portable machines and how full their hard disk is and what operating system and which processor and what kind of network capabilities. So when someone comes to you and says, a brand-new operating system comes out next month, which of our machines can support it? You can run a report, get those answers, and you don't have to wait for people to bring their machines in to get that data.

You can also push installer packages. How many of you saw the Extending Apple Remote Desktop session this morning? Great. So for the rest of you I want to take a moment to talk about a new feature -- not a new feature -- another feature in Apple Remote Desktop called Task Server. And we'll need the demo machine for that.

So I've got a machine designated as a Task Server for Apple Remote Desktop and I want to push a package to a number of systems. Let's say the .Mac backup application. Now I can select the machines, drag the package into the list of selected machines and install them. We'll go ahead and do that. And you'll see that you can see task progress. These machines are ready to go and they're installing the application directly from my administration system.

And they're complete. Now an alternative to this is to select the machines, install a package, but this time I say instead of running the task from this application I want to -- sorry about that -- I want to send this install package task to the Task Server running on another machine.

This other machine is probably going to stay connected to the network 24/7 and it will take these package installs that you want to push and it'll send them out to connected clients. Clients that are not connected will get them when they come back up. So let's take one of these machines. Let's take the Leopard machine and shut it down.

And send the package. And you'll notice now that the Task Server is showing me the progress of this. And it's installing on the one machine that's up, and almost complete. We're going to have to wait for that machine to come back up so that we can see that once it comes back on the network it'll check back in with the Task Server, see that the administrator has a package available for it, and install that.

So while we're waiting how many of you are dying for the punch line for Steve Hayman's joke? Yeah.

( Applause )

So I have a treat for you. At the end of this session I will share that punch line with you. He was very kind to share the punch line with me and I will save that till the Q and A, so hang in there.

All right. So let me give you a status report on this. The Leopard machine is booting. Look at this. It's idle, it remains to be installed, but it's online. And notice that it says, oh, I've got packages waiting for me, it's going to begin installing the backup package in a moment. Let me give you a zoomed view of this.

( Applause )

There you go. All right. We need to switch back to slides. So all you need to do to set up an Apple Remote Desktop Task Server is just buy another copy of ARD, put it on a machine that stays connected to your network, and designate that as your Task Server.

So we've got a couple of related sessions for software distribution. This one's been done. But upcoming, Managing Your Clients with Leopard Server we talked about. That's going to be a jam-packed session tomorrow at 2:00. Also Building System Images for Large-Scale Deployment at 3:30. And Understanding Managed Deployment at 5:00 p.m. tomorrow. So if you're into software distribution, tomorrow is a big day for you.

And, finally, backup. How many of you are already using portable home folders in your environment? Great. The best backup solution for that is to back up those home folders at the server. A portable home by itself is not a very good backup. My friend, Frank, just reminded me, just told me a story not too long ago that portable home saved his marriage because his wife's machine -- he actually demagnetized the hard drive using a giant magnet, which apparently you can do by accident. I'm not sure how he did that.

( Laughter )

But it had a lot of crucial data on it and he was able to use his portable home to resynchronize that. I had an opposite experience, or a near opposite experience with Frank. I was fooling around with portable home directories day one in 10.4, and I didn't think the synchronization was happening properly so I deleted a bunch of files on the server so I could resynchronize. And so then my machine said, oh well, the network version changed sooner and these folders are gone, so it removed my iPhoto library from my desktop machine. Six years' worth of pictures of my kids from, like, day zero.

That was an ugly scenario. And I didn't actually discover that for about three months, because the cache files were still there. So iPhoto looked fine, but the photos behind there were gone. Luckily I made a backup before I started that, and you want to make sure you do the same. Back up the server and make sure that your clients are in fact synchronizing. So there's a little bit of a danger here.

If you're only backing up their network home and their portable home is not synchronizing to that, you're not getting everything. But the beauty of this approach is you're deploying an Enterprise backup solution at the server side and you're sort of letting the clients come and go and update their files as they do that.

So if you want to make sure you get everything you might want to push some of the responsibility for backup onto your users. And you can do that by way of client side backup applications like the .Mac Backup tool. You have to have a .Mac subscription to use it -- it's about $99 a year -- but it doesn't just back up to your .Mac iDisk, which is about 1 gigabyte worth of online storage.

It'll also back up to optical disks, CDs, and DVDs. It'll back up to a network server, it'll back up to your iPod. It'll pop up a very unobtrusive reminder: hey, it's time to do your monthly backup, give me a disk. You give it a disk, it burns the disk, it spits it out, and it says write this on the disk.

So very easy for end users to use and puts a little bit more of the responsibility on their shoulders and covers you in case that synchronization isn't getting all of their files. You can also consider using things like iSync and .Mac Sync to put contacts and calendar information on people's phones, on people's iPods, or on other computers by way of .Mac Sync.

This isn't a full backup, obviously, but if you lose your phone and some of you probably support people that have their entire contact list in their phone you've got a backup on your machine and vice versa. And then .Mac Sync will let you do this with multiple computers and will even handle things like bookmarks and mail settings.

So if you use IMAP for your mail you don't need to worry about synchronizing Mail, but you might want to synchronize the Mail rules and the signatures, and the smart mailboxes and that sort of thing. And then, of course, new in Leopard is the Time Machine backup tool. And this is going to perform backup for you in two primary ways. One being backup to an external disk.

So assign your users an external hard drive and tell them this is your backup solution, plug it in and it will copy your data onto this external disk. Or set up a file server share point with Leopard Server so that they can back up over the network.

And you can use this in conjunction with portable homes, or you might decide that this is the way you want to do all of your backups. So we had a great Time Machine in-depth session and a storage solution session that you'd probably need if you're going to do all of these network backups.

Now it's possible some of you got all the way to this point and said, you know, what? All that GUI stuff is great, but I really want to get in there and tweak stuff at the command line. I've got a few minutes left and I wanted to share with you a couple of tips that might, that you might not know about.

And we'll start with something called pmset. So I think I showed you that in Energy Saver you could govern -- maybe I did, maybe I didn't. In Workgroup Manager and Energy Saver management you can govern the behavior of your portable machines. When do they spin down their hard drive? Do they turn off the display? At what point do you sleep the machine? You can do this manually if you like using the pmset tool. The "pm" stands for "power management." And Richard Glaser has a great writeup on this on the MacEnterprise.org website.

Also kickstart. I've got -- I have one colleague who has a customer that deployed a bunch of machines and they were worried that users who were administrators on their machines would disable the Remote Desktop client. So they figured the way to do that is they'd go to Sharing and uncheck the box.

Well, unbeknownst to them, behind the scenes is a script on a schedule that looks to see if their Remote Desktop client is running, and if it's not it uses kickstart to start it up. So you have this mechanism to manage the machines even if there's some effort on the remote side to prevent that. And there's one command that I use over and over to enable all access privileges for my administrator user.

And I'm very thankful that in the help for kickstart, which you will get by running the kickstart command followed by -h, they have an example, after about six or seven pages' worth of great documentation, of the line you use to do this. And the user they use is bob. So if you can remember to grep for bob you can run this one command down here and get that one line you're going to use over and over.

I mentioned dscl before. The Directory Services command line will let you navigate through your directory service. And this is your local directory, this is Active Directory, this is Open Directory, just about anything. Read and modify those files. It's also a great tool for changing passwords from the command line. There's a man page for dscl. dseditgroup is a Directory Services tool that you may like if you want to make your users who are using a network account or portable home administrators of their local machine.

So you assign them to a group in your network directory called administrators. But the way you give those people local admin access is you need to add that network group to the local administrators group. And I've got a couple of lines you can run one after the other with dseditgroup that'll do that.

If you've got users that want to be able to run sudo from the command line this is the way you do it. In Leopard actually, group management is sort of built into the UI so you don't need to fall back on the command line method for doing that. And you can also use Workgroup Manager, by the way, to make these changes on your local machine. So that's dseditgroup. A couple of related sessions.

And then some final steps.

( Laughter )

So where do we go from here? Believe it or not there are tons of sessions tomorrow, especially if you're into software distribution or management, all the way up until the end of the day lots of good stuff to go to.

So take advantage of that. Also, beat up on Leopard. I think this is a fantastic opportunity because you have the operating system now but we're not going to ship it until October so you have all of this time to make sure that it does what it needs to do for you so that you can deploy it.

And let us know how it works. Use the Bug Reporter tool. Let your Apple representatives know how it's working for you so that we can get it ready for you in time. And also, how many of you have not joined or visited MacEnterprise.org or AFP548? Okay. So you need to join -- no -- thank you for raising your hand. All right. So the rest of you did great. All right.