WWDC07 • Session 547

Managing Your Clients with Leopard Server

Information Technologies • 1:02:29

Mac OS X Server includes a wealth of user management tools to streamline tasks for handling your users and systems. Learn how to incorporate Workgroup Manager, NetBoot, NetInstall, and the System Imaging Utility as part of your user and system management strategy in Leopard Server, and how to provide and care for mobile users with Portable Home Directory 2.

Speakers: Jussi-Pekka Mantere, Bruce Gaya, Brian Nesse

Unlisted on Apple Developer site

Transcript

This transcript has potential transcription errors. We are working on an improved version.

All right, thank you everybody for showing up for the two p.m. session on the last day of WWDC. My name is Jussi-Pekka Mantere, I'm the engineering manager for managed desktop and system imaging. And today we're going to talk about managed technologies. So how to deploy your systems, how to manage them. So we cover technologies that I introduced in Leopard, and we tell you how to best deploy Leopard clients using System Image Utility.

We'll cover to some extent what differences there are between Mac OS X Tiger, Mac OS X Leopard, and where you'd need to pay attention to differences in behavior, what utilities are available on what platform, and how to manage them both best. And if we have time in the end, we'll do a short Q and A. So let's get into it.

Click, there we go. So how many of you are new to this IT track? So how many of you are new to WWDC, first time attendees? Wow. Thank you guys all, welcome back next year. We'll probably like have to move this conference to South Moscone or somewhere. So client deployment management, what does it really deal with? So you use our System Image Utility and NetBoot, NetInstall to deploy clients.

You have managed desktop for user settings, you can have a environment for preference management, you can use Apple Remote Desktop for systems management such as software updating. So the life cycle of the system itself you can keep up to date with ARD. And then we have portable home directories and external accounts that are new in Leopard for mobility.

So let's look at our network. So what is your typical deployment? You shouldn't let the engineers do slides, so let's get the artwork guy's slide here, and that's our network. So we have servers, we have administrators, we have users and workgroups. So here's a typical network overview. And in there you have mobile clients as well, so you have wireless users on laptops, MacBook Pros, or MacBooks, PowerBooks.

So how do our technologies work in this environment? What are the things that actually make this work on our side? So management pieces for managed desktop. We can do user management, we can do group management, and then we can do systems management for setting unique hosts for a particular use, so we can do preferences on a classroom or lab or a particular department.

And then for portable home directories, today in Tiger we can use portable home directories on your laptop, with your laptop users, so they can take their network home directories with them when they're disconnected from the network, so basically making them more mobile with their network home directories intact, even when they're disconnected from the network.

New with Mac OS X Leopard is external accounts. So external accounts brings the portable home directory experience to desktop users. So you can have a, let's say office worker who's got a Mac Pro at their office, also has a Mac Pro or Power Mac at their home, and now they move their account between the office system and the local system, using an external drive.

So this is new to Leopard. So portable home directories that now can, that now make sense with both desktop systems and laptop users. And System Image Utility, we can use that to image either clients or servers, desktop systems or Xserves. And we can NetBoot either desktop systems or Xserves.

So to go into a little bit of detail on managed desktop. So what is desktop management, how do we do it? So it's directory-based client management. So we have Open Directory, we have Active Directory, LDAP. And in there we can manage users' preferences, either by individual user, individual computer, or groups of users, groups of computers.

And settings are cached for offline use. So when these management settings are applied in the directory system, when mobile clients, MacBooks or PowerBooks leave the network, these management settings are still active. So if you have let's say application launch suggestions enabled on a system, when the user is disconnected, let's say using a one to one deployment of a MacBook, those settings are still applicable when they're not on the network. So working from home they still get the same management experience as if they were connected on the network.

And these settings are refreshed at network transitions. So let's say you updated some of the settings for that user, and they need to be applied overall in the company. Well if the users are offline, obviously they wouldn't get these settings immediately. But when the users connect back to the network, so network comes available, or when the systems wake from sleep, if it's a portable, then these settings are refreshed again, and they become the same as the network's are.

Managed settings are administered through Workgroup Manager, and with Leopard you can actually do some of this management through command line tools. So you can use Terminal, you can use cron, you can use -

( applause )

Thank you.

( applause )

We tried to make this better for you.

And using command line tools. And for detailed editing of the preferences, we can, we have in Workgroup Manager also a, almost like a plist editor type interface, where you can use individual application domains that are not supported with our high level GUI. There you can actually go and add individual keys for individual applications that are not visible or accessible through the user interface.

And new with Leopard is ability to discover the active settings through System Profiler. So if you're doing support, or have to support let's say a network where you have multiple administrators, and then you have multiple users going to different systems, and you're trying to find out why aren't things behaving quite right.

So now you can ask the user, or just walk up to the system and bring up System Profiler, and you can tell where these management settings originated from. And the user can also save these settings as a System Profiler report, so then that can be looked at by let's say Apple support if you need to file a Radar or a tech support request. So that's very useful for discovering what the state of the management settings are.

And also new with Leopard is the ability to discover settings before they're actually applied. So with the mcxquery tool, you can arbitrarily choose a user, choose a computer, choose a workgroup that they log on, and tell what settings would be in effect if this user were to log on on a system. So this is almost like effective -

( applause )

Thank you.

( applause )

Effective management inspection, to coin a word, I don't know.

One thing for management is that you have to have well behaved applications. So if the application that you're trying to manage doesn't use the Apple standards for preferences, they're not using CFPreferences, they're not using NSUserDefaults, then you have a problem. So you'd want to encourage your application vendors to take a look at the slides that we presented two years ago, that was making your applications management friendly. And there we go into detail how to create well behaved applications that adhere to the Apple way of using preferences, so that then their applications become manageable and deployable in some environments.

So, what is new in Mac OS X Leopard? So we've updated the Workgroup Manager, plug-ins in there, so we have new support for new plug-ins, and enhanced others where that made sense. New to Leopard, application launch restrictions. So this is a big thing for us, because now we can actually make real hard decisions on what applications can be launched, what can't be launched, and these decisions stick. And we also now support widget management, so you can tell which Dashboard widgets a user or group can launch.

( applause )

Go Dashboard management. Hierarchical management. So now you have basically one, you have to choose how to manage your groups. It's basically a group of settings that you have to apply to an individual group, and those settings are not shared with any other group. So that becomes maybe unwieldy, so hierarchical management should address that manageability aspect of it. And command line tools, System Profiler reporting, and external accounts, effectively taking portable home directories on external drives.

So preference management, what have we updated in Workgroup Manager? So applications. So we have now widgets access in the applications preference, application launch restrictions, that's being revamped so that now we use the Leopard signing technologies in Workgroup Manager to authorize applications. The Login plug-in has been augmented so that we can now manage whether or not you can add a guest account to a system. So if you set up let's say kiosk machines, you can force guests to be either on or off, and hierarchical management so you can restrict which groups can access which systems.

Mobility. We've added support for external accounts so we can enforce policies where external accounts can be created or not created. Account expiry. For mobile home directories, portable home directories and mobile accounts, there has been an issue where accounts would become stale. And account expiry should help get rid of some of these, like, left-behind accounts.

Parental controls mirrors pretty much what the desktop has, so we have time limits support there. And Time Machine, you can set up systems to centrally back up, use Time Machine against an AFP share, or even an NFS share. And finally, preference editor. Now we have support for ByHost preferences. So if you're trying to do let's say request password at a screensaver, you can do that now through ByHost preferences.

And also if you've gone through the other sessions for standard server, so using Mac OS X out of the box and configured for workgroup server, you can get these applications that are configured automatically to use the user's iChat account or iCal account, user's Mail account, they're all preset. You can actually get almost similar behavior using the preference editor in Workgroup Manager, but without using the standard server configuration.

So application launch restrictions. So this is based on code signing, and that's new technology in Leopard. And effectively any changes into the binary that you have approved to be run, any changes made to the binary will void the signature. So effectively, users will not be able to edit plists any more. So how is this implemented? We have the kernel, inside the kernel there's, we have a mechanism for mandatory access controls. This comes from the FreeBSD world, or TrustedBSD. On top of that we built an enforcement kernel extension.

So basically something that funnels all the application launches through. And for that, then on top of that we have a policy engine, and this is implemented as part of the parental controls engine. And that tells, can this user launch this application. And helping all this is application identification. So this is effectively code signing telling that is this binary still the same binary that was blessed when the admin first set up these permissions.

App launch, and computer lists. So this is hierarchical management. So today if you have to set up computer lists that have various management settings that overlap, like here we have software update, login window, energy saver. So depending on how many permutations of these settings you have, you'd have to have as many individual computer lists. So with computer groups now, new in Leopard we'll bring you, so you still have the same set of systems, and you can now divvy up individual settings between computers. So here we have just energy saver -

( applause )

Thank you.

Energy saver, and these settings apply to a subset of these machines. And then we have let's say login window settings that apply to a different subset of these machines. But because these settings are inherited and they can exist in parallel, so you can just apply any given setting to any given machine or group, and they all become active at the same time. And this is also useful for groups. So let's say we have groups that you want to divide up, let's say everybody gets, or no one gets Dashboard. So here we have a base policy, one group that contains everybody, and a global setting in that sense.

And then we can detail this even further, and say the dock behavior would be something for part of users, and for portable home directories we have another setting, and customize even further and further. So here we can create these narrow groups that are focused to the one preference that you want to manage, and then just have people added to the groups that are applicable, or even have groups that then contain groups. And I'll show you a little bit of this at the demo later.

And command line tools. So dscl now has a module for, how many people are familiar with dscl? Excellent, almost half the room, great. Go to command line. So dscl will now allow you to use managed client settings through either plists or XML formatted, or using the defaults write style and notation.

And that'll almost bring up all the functionality that you'd want to do if you have applications that are not supported by let's say the high level plug ins, or you want to automate some of these settings. So let's say you deploy systems, and you have a SAP backend that'll provision users. You can provision users just like you provision mail servers, you provision their home directories. Now you can provision management settings through the command line, or the scripts that you use. So that'll be very useful we hope.

And again, mcxquery. So here we can use the introspection or effective inspection for preferences before the preferences come active. And System Profiler, that'll be very useful for getting support, a view of what the management settings at any given time are. Or for even the user. So if the user thinks that what is happening on my system that I didn't know before, they can go to System Profiler and discover what settings are active.

So let's go to the demos. And I think we've appeased the demo gods by offering them managed, we offered them Mac Manager.

( laughter )

So I think that'll make the demos run well. So no more Mac Manager in 10.5. I think it's time to move onto 10 something. If you can have, oh I need to go to demo. See here, okay. So here we have Workgroup Manager, app we all know and love. And let's go look at some of the settings we have here. So we have some groups set up here.

So we have this system administrator's group, we have a chess club, and we have some nested groups. So in the system admin's group we have the chess club. So apparently anybody who makes it to the chess club becomes a system admin, good.

( laughter )

And we have some managed settings here.

So for the system admins, they have their dock set up so that they get to see Console, they get to see Directory, System Profiler, and they have application restrictions so that they can only launch these four apps. So if you're in the system admin group, no Safari for you, sorry.

( laughter )

So it'll be I guess links in terminal, so -

( laughter )

Right? And here we have then the chess club, and chess club just has the dock. And anybody who's a member of the chess club will get chess in their dock added to it, because we merged the user's dock settings. So let's look at some of the users we have then.

So here we have Harry Hacker. So he seems to be a member of the chess club, so good for Harry. And if you look at what management settings we have set up for Harry, well Harry now can launch only chess. So apparently it was determined that Harry should really focus on non-extracurricular activities, and he should focus on chess and using system preferences.

So these now are, this is now our demo setup. So Harry Hacker is a member of a group, chess club, and he has application launch restrictions enabled. And let's see if Harry can actually circumvent these settings. So if we go to this system, here we have our login list, and Harry is logging on, and oops, rather not caps on.

Harry logs in, we have new nice desktop pictures by the way. Tries to launch Safari, well turns out that Safari's not allowed for him. And for some reason Harry can't launch anything at all, no Address Book, nothing. But since we had Harry be part of the chess club, and all chess club members were part of the system admin's group, Harry now has Terminal and System Profiler here. So let's see can Harry launch Chess.

And I guess we should have killed Mac manager earlier.

( laughter )

There we go, Chess comes up. And let's see if we can launch Terminal then, okay Terminal launches. So Harry has access to some applications. So Harry being a clever guy, decides that hmm, I've heard of like circumventing application launch restrictions by editing the Info.plist of an application. So let's see if I can launch Safari by making a local copy of Safari, and then editing Safari so that I'll make it appear as if it was Chess. So here's Safari, made a copy of that, and let me copy Chess as well.

And copy Chess. So now I have, I've made local copies. These are now on my desktop, so I can modify these to my heart's content. So Chess still launches from my desktop, but Safari doesn't. So thinking that we can just go and edit the plist, what Harry will do here is, he's using vi, okay.

Contents/Info.plist. So this effectively tells the Mac OS, tells Mac OS X what application belongs to whatever bundles. And there's a key called identifier, identifier, CFBundleIdentifier. So let's copy this, and we know that hmm, we can launch Chess, so maybe that has something to do with the bundle identifier. So quit this, and let's try to make Safari look like Chess. So identifier, identifier, and let's just delete this and add that. So Safari now, okay we called it Chess, so it should launch, right? And if we try to launch Safari, no luck.

So, because we use code signing. The code signing piece now tells that with this signature, this blob of data can be loaded into run time. So if the application changes, any variants of it, I can change the app name, it doesn't affect the signature. But if anything that's determined to be crucial to the application's run time, like an Info.plist or its executables, if they change, then the signature is broken, and nothing goes after that.

And one thing that you can do also is, I still can edit Chess and make it look like, if it was let's say Chess 10, and launch Chess 10. A single byte will invalidate the signature. So this should be a very effective way of ensuring that the applications that you allow your users to use, really are the applications that you blessed. And we don't see right now how you can do much better than this. I'm sure we'll do in 10.6, but this is the best we have right now.

And -

( applause )

Yep, it took a while to get here, but now we are there, so. And if I don't save this Chess application, and change it back, well even the modification (inaudible) has changed, but the content of the file is now identical to what it was before, so we're good on that.

So Harry may wonder, it's like hmm, he's just part of the chess club, and obviously he's being managed in a way that he should be restricted from some applications. Like he doesn't get to use Safari, no Mail, so what gives? Well, since he's a member of the admin group now by virtue of being in the chess club, he can use System Profiler. So in System Profiler we have now the managed desktop settings, and you can actually, can you read those? Probably not.

And here if we select the application access settings, so here's where the application access settings came from. And we can now see that huh, actually Harry's settings are not only coming from his own domain, so Harry's user settings are not the only things that are active at this time. We also have settings that are inherited from the system admin group. And Harry's not a direct member of the system admin group, so these are coming from a group within a group. So that's something that mcxquery told, and then System Profiler will then show you.

Okay. So that's Harry's world. So if you go back to our server, and let's look like how these things would have been seen here. So if I now go back to the group view, if I looked at, actually I should look at the user. So if I look at Harry, so here we know Harry is now a member of the chess club. But here's this one button that's kind of crucial.

Show inherited groups. So here if you have nested groups, it's quite important to go in and see what groups actually are effect when they use (inaudible), because these groups are nested. And here you can tell that huh, system admins apparently are, is, or contains the chess club. So these preferences are inherited from that.

So that's that. And on the details editor view. So let's look at some other groups we have here. So we have this thing called iChat and iCal users. And we have turned on application launch restrictions on them as well, but we also have something here in the details view.

So this is now what you'd see in the standard sort of configuration, this preference keys for applications that I tied to the configuration mechanisms that take place when clients bind to a standard server environment. So we have iCal settings and iChat settings. So if I look at the iCal settings for example, I can see that we have some dictionary that has some keys here.

So accounts to import, and there's some GUI looking thing. And if I click on these things, you don't really get much information on what's there. So there, that seems to be a URI, and we have a server description. But you know, I couldn't really make heads or tails out of this one. So in Mac OS X Leopard, we have added some preference manifests. So if I import the preference manifest for managed desktop applications, or managed clients from /System/Library/CoreServices, and import the managed client preference manifest.

So we have quite a few preference manifests here now listed, and suddenly the iCal and iChat settings became, instead of being italicized, which means that they're unknown to Workgroup Manager, now they actually became regular text. And now if I look at the iCal settings, and go bring up the same domain, it now has huh, the dictionary keys are kind of different, and it says iCal preferences. So this description field used to be empty.

And the calendar URL, oh okay, so now it's actually telling me that there's a format to this. So we use %@ to replace the user's short name at run time when these preferences are applied. We have principal URI, and there again we can use the %@ notation.

So we have added preference manifests for some of the standard server configuration applications, but then if you don't use that configuration, you can still get some support for client configuration by doing this, by applying these managed settings from the details view. And lastly if I bring up Terminal, and look at these settings again from yet another different point of view.

So dscl, the Directory Services command line tool, if I go and navigate to my directory server, LDAP groups for example, and I go to the iChat and iCal users, and if I do a read on this directory node, we see that okay, we have all kinds of gobbledygook here for all kinds of things. There's managed settings and like raw data, and like I have no idea what this is. So let's see what this reads if we use the mcxread as opposed to just read.

So that tells me oh, okay. So we have a preference for iCal managed settings, and it tells that the key is accounts to import. And for iChat, we also have iChat management, basically saying well this user will be user at server dot WWDC at Apple dot com. So this is now a way of enhancing your user experience where you can get client settings applied that are then dynamically transformed per user when the user logs in. So you can have iChat automatically configured when the user launches iChat for the first time, or launches iCal for the first time.

So I think that concludes my demo. So if you can go back to the slides please. Back to the slides. And then we actually conclude the managed desktop portion, and let me invite Bruce Gaya up to the stage, and he'll take, tell you about external accounts.

( applause )

So far so good.
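The launch-restriction demo above turns on one property of code signing: the seal covers the Info.plist and the executable, so relabelling a copied Safari as Chess breaks the signature, while renaming the bundle or restoring the original bytes does not. The following is an added example written for this page, not Apple's code and not part of the talk. It models that check in plain Python: a bundle's "signature" is an HMAC over the sealed files (an assumed stand-in for the real CMS signature, which uses asymmetric keys and seals more of the bundle), the Chess and Safari bundles are constructed fixtures with assumed identifiers, and `run_scenarios()` replays Harry's three attempts against a policy that allows only `com.apple.Chess`.

```python
"""Toy model of code-signature-backed application launch restrictions.
Added example for this page; not Apple's implementation. The HMAC "seal" is a
stand-in for a real signature, and the bundles are constructed fixtures."""
import hashlib
import hmac
import plistlib
import shutil
import tempfile
from pathlib import Path

# Files whose bytes the toy seal covers. The talk notes that Info.plist and the
# executable are sealed while the app's name (its directory) is not.
SEALED_FILES = ("Contents/Info.plist", "Contents/MacOS/main")
SIGNATURE_FILE = "Contents/_CodeSignature"


def seal_digest(bundle: Path) -> bytes:
    """Hash the sealed files in a fixed order; a single changed byte changes the digest."""
    h = hashlib.sha256()
    for rel in SEALED_FILES:
        h.update(rel.encode())
        h.update((bundle / rel).read_bytes())
    return h.digest()


def sign_bundle(bundle: Path, signing_key: bytes) -> None:
    """Stand-in for signing: store a MAC over the seal digest inside the bundle."""
    tag = hmac.new(signing_key, seal_digest(bundle), hashlib.sha256).hexdigest()
    (bundle / SIGNATURE_FILE).write_text(tag)


def signature_valid(bundle: Path, signing_key: bytes) -> bool:
    """Recompute the seal from the current file contents and compare to the stored tag."""
    sig_file = bundle / SIGNATURE_FILE
    if not sig_file.exists():
        return False
    expected = hmac.new(signing_key, seal_digest(bundle), hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig_file.read_text(), expected)


def bundle_identifier(bundle: Path) -> str:
    with open(bundle / "Contents/Info.plist", "rb") as f:
        return plistlib.load(f)["CFBundleIdentifier"]


def may_launch(bundle: Path, signing_key: bytes, allowed_ids: set) -> bool:
    """Policy decision: the seal must verify AND the sealed identifier must be allowed."""
    return signature_valid(bundle, signing_key) and bundle_identifier(bundle) in allowed_ids


def make_app(root: Path, name: str, ident: str, signing_key: bytes) -> Path:
    """Create a minimal signed bundle (constructed fixture, not a real application)."""
    bundle = root / f"{name}.app"
    (bundle / "Contents/MacOS").mkdir(parents=True)
    with open(bundle / "Contents/Info.plist", "wb") as f:
        plistlib.dump({"CFBundleIdentifier": ident, "CFBundleName": name}, f)
    (bundle / "Contents/MacOS/main").write_bytes(b"#!/bin/sh\necho " + name.encode() + b"\n")
    sign_bundle(bundle, signing_key)
    return bundle


def set_identifier(bundle: Path, ident: str) -> None:
    """What Harry did with vi: rewrite CFBundleIdentifier inside the sealed Info.plist."""
    info = bundle / "Contents/Info.plist"
    with open(info, "rb") as f:
        d = plistlib.load(f)
    d["CFBundleIdentifier"] = ident
    with open(info, "wb") as f:
        plistlib.dump(d, f)


def run_scenarios() -> dict:
    """Replay the demo: returns a name -> launch-allowed mapping for each attempt."""
    key = b"vendor-signing-key-stand-in"   # assumed: the signer's secret
    allowed = {"com.apple.Chess"}          # Harry's policy: only Chess may launch
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        apps, desktop = root / "Applications", root / "Desktop"
        desktop.mkdir()
        chess = make_app(apps, "Chess", "com.apple.Chess", key)
        safari = make_app(apps, "Safari", "com.apple.Safari", key)
        results["installed_chess"] = may_launch(chess, key, allowed)
        results["installed_safari"] = may_launch(safari, key, allowed)

        # 1. Copy Safari to the desktop and relabel it as Chess: the seal breaks.
        fake = desktop / "Safari.app"
        shutil.copytree(safari, fake)
        set_identifier(fake, "com.apple.Chess")
        results["safari_relabelled_as_chess"] = may_launch(fake, key, allowed)

        # 2. Copy Chess and rename the bundle: the name is not sealed, so it still launches.
        chess10 = desktop / "Chess 10.app"
        shutil.copytree(chess, chess10)
        results["chess_renamed"] = may_launch(chess10, key, allowed)

        # 3. Edit the copy's plist, then restore the original bytes: mtime changes,
        #    content does not, and the seal verifies again.
        original = (chess10 / "Contents/Info.plist").read_bytes()
        set_identifier(chess10, "com.apple.Chess2")
        results["chess_edited"] = may_launch(chess10, key, allowed)
        (chess10 / "Contents/Info.plist").write_bytes(original)
        results["chess_restored"] = may_launch(chess10, key, allowed)
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'launch allowed' if ok else 'launch denied'}")
```

On a real Leopard system the equivalent inspection is `codesign -vv /Applications/Chess.app` for the seal, and the `mcxquery` and `dscl ... -mcxread` commands the talk mentions for the effective management settings that decide which identifiers are allowed.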

Hello. Play with the clicker, make sure it works. Ah wrong way. There we go. External accounts. Okay. So you should all be familiar with network logins. And a network login is where you have an account on a directory server, and you have a home on a file server. And when you log in, you use the account from the directory server, and your files are in the place on the file server.

Okay, in Panther we introduced mobile accounts. What we did in mobile accounts is we take the network account and cached it locally. And we also have credentials, so you can log in when you're offline. And to complement that, we also, you have a local home directory, and that's separate from your network home directory.

In Tiger we introduced home synchronization, and we called the whole thing portable home directories. And we basically took the mobile account caching, plus you can synchronize your local home directory with your network home directory such that you can go offline for a while, make these changes, come back to the network, let the synchronization run, everything gets pushed up back to the network home directory. It's very nice.

For Leopard we're introducing external accounts. And so what do we do? We take the PHD technology, and we're going to add an on disk account and credentials cache. And we're adding the ability to take this disk and take it to a computer, establish on, well be able to establish your account on that computer temporarily, log in on that computer, do your stuff on that computer.

Then when you're done, log out, disconnect the disk, and now you can take the disk with all your data on it, with your home on it, take it to another computer, present it, and you're able to log in on that computer. So you can take your account with you from computer to computer. Did I get the right one? Okay, let's get the right direction.

Okay, external accounts. I think we're back. How's it work? So inside of the firewall, this is what's in your intranet, where all your computers should be bound to a single directory service. When you present your disk to a computer on the network, what happens is there's tokens stored when you created this external account in this disk, and it helps you to bind to your, or it helps you to find your directory service, so when you log in with an account when it's on your net, what's really happening is all the authentication stuff and this account information's actually coming right from the directory server.

So essentially this is pretty much the same as a network login, except for that you have the disk there. So you're basically saying I'm you know, you know who I am, I've got this network account, and here's a disk I want to use for my home directory, and it does it.

Now there are machines that are not on your, or not bound to the same directory service. In this case, when you present your account, it doesn't really know anything about the account, so what you're asked to do is enter a computer administrator name and password. So essentially what you're doing is you're doing a dynamic import at that point in time, saying import this into this computer for now, and I'll demo that in a little while. And so you can log in and use your account.

If you go offline, let's say go to a home computer, it's the same deal. Basically you have to enter a local administrator's name and password, and once you do that you can take your account to that computer and log in. Go to grandma's computer and she'll be impressed, okay? Okay, external accounts.

Okay, what is an external account? Said it's a PHD on an external disk. So even if you don't go mobile with this thing, you don't even have a mobile computer, it's still very nice because you get local disk performance with a network account. Okay, it doesn't go over the network, network is fine.

So also, if you have a PHD, this applies to Tiger too, and you have a system image, and you do server backup, you've got that in recovery. And what does that mean? It means that an external account is in some ways disposable, in the sense that if you lose it, you can get your data back. So that's very nice, especially when the thing's all on a disk. So keep the backups running, and keep on doing synchronization.

Where should this be good to use? If you have computer labs, many of you do, of course you can go from computer to computer to computer, your students or your corporate citizens can log in at each one with their accounts. An interesting one which I use. I actually bought with my own money an iMac for home. At work I have a Mac Pro, but what I do is I have an external account at work, I'm using this prototype mode, and I'm living on it.

And so all my, I mean all the source code and everything else is on my external disk. I use it at work, when I want to go home I unplug it, just go to my iMac at home and then plug it in there, and I can use it on my iMac at home. And this is great, and Apple didn't pay for the iMac at home, I did.

But my iMac at home actually has a larger display than my portable, so actually I prefer to use that for coding than my portable. So I really like this. And I actually like to work sometimes, you know, it's a lot easier to take a disk back and forth than it is to take a portable back and forth to work.

Okay, multi user workstations. Some of you will configure a particular machine such that it has a video or extra stuff on it, there's an excellent way to utilize that. You can take your disk to this machine, log in, use it, you know, you log out and then someone else can use that machine. So how are you going to manage? Well we have Leopard Workgroup Manager, some new features there, and also remember that external accounts like PHDs, like mobile accounts will retain their managed settings, even when they're offline, even when they're on another computer. Okay, time to demo.

Okay, I'd like to go to the demo slides, and this is the right one. Okay, so this is Workgroup Manager again. I have a user here, and I'm going to set up this user to use an external account. So not Harry Hacker, let's go back to this overview. Accounts, let's do Stanley Student. Okay. There, for Stanley Student, I have a nice picture for him. So I'm going to go to preferences for Stanley Student, and go to the mobility pane.

Click on mobility, click always, and I'm going to say create a mobile account whenever this user logs in, which is what I want. There's a new checkbox here, don't show, or rather show don't ask me again checkbox. I know some people had, this was troublesome that this always appeared.

But for this case I'm not going to require a confirmation, so whenever this person logs in, I'm going to immediately create a mobile account, an external account, and I'll show you how to set that up in the next pane here. So apply now, then go to options. Okay, this is new for Leopard, always.

This one up here is very nice, encrypt contents with FileVault, okay. So now I can sit here and, yeah, thank you.

( applause )

There's two options for that, there's actually, go through three options here. One is you can require a computer master password, and so what I suggest is that you get master passwords on all your computers first so that when you create a FileVault account of that, you have the master password to decrypt it.

But if you want it to work anyway, you can do this first option I have up here, which is to say well, you know, even if you don't have a master password, create FileVault anyway. It's up to you how you set that up. This other one here, restrict size, okay. I'm basically creating a home inside of a disk image, a disk image now with these settings is going to have a fixed size of two hundred and fifty megabytes.

So this is very nice when I want to limit the amount of space which is used on my server. So I can limit the users' local home size to two hundred and fifty megabytes, and then because he's synching, he's going to be synching up to the server, basically he's not going to use too much more than two hundred and fifty megabytes up on my server. So that's another way I can do this without using server quotas. This is new in Leopard.

Okay. Where do I want this home started? For this user you can either select on startup volume which you had at Leopard, excuse me, in Tiger you could only create things on the startup volume, mobile accounts on the startup volume. You could choose a path, but in this case I'm going to say user chooses, and I'm going to say external volumes. So that's going to create an external account. And so when the user logs on, if they present a disk there, they'll be able to create an external account on that disk.

I'll mention in passing now that for external accounts, the disk must be formatted with HFS+. So if you're going to deploy this, think about everything has to be you know, HFS+ to be an external account. Okay, here's another one to mention in passing again. Account expiry, this is for mobile accounts, not external accounts, but just to let you see it. You can set a checkbox such that a mobile account will expire after a certain number of days.

I'm going to rules, rules are pretty much the same as Tiger, this tells what you synch. Set always, there's a checkbox here at the top which allows you to turn off synching with one checkbox like that, that would turn off synchronization for log in and log out synch. That will turn it on. The rules here have gotten a little more fancy in Leopard, let me see if I can zoom in on this. Okay, you see that this default rule has a star in it, so now we support wildcards in this, in our exclusions.

( applause )

One other thing. There's some new match types, and this one here is regular expressions. So if you want to use NSPredicate-style regular expressions you can use them right there like that, okay. ( applause ) And I'm going to revert and say always, apply now. Okay. Now let's do background synch, same thing. I'm just going to do the default thing, synch everything in the background.

Options, just one thing kind of new here. We have a checkbox which will allow you to show the little menu extra for synching in the menu bar. And it works very reliably in Leopard so far. Okay. Now I basically have this user set up. One other thing now.

We'll go to preferences, and I have mobility set up here. I'm going to look at the details. Now in the previous demo we had added a preference manifest, and one of those was for home synch right there. So I'm going to edit now, and look at the details of what I've set up here.

It shows me all these different keys, right. One of them is when you synch, whether you synch at log in and log out. Someone wanted, at another session wanted to be able to change whether you synchronized both at log in and log out, or just log in, or just log out so you can change this, one of these keys here, and that will do it. And now let me see if I can zoom in first, and then show you all these wonderful keys.

There we go. Now okay, look at all the things you can set up here in details. Some people wanted to decide you know, they didn't want to see synch conflicts at their site, they wanted the user to always win at certain times, they wanted the users not to win, they didn't want the users to see errors, they wanted to set various things, there's some timeouts you can set here for different dialogs. It's all available now in Leopard, so go wild and have a great time. ( applause ) Okay. So this user's all set up. Okay, I'm going to go to demo B here.

Okay. So here we are. Now on this disk here I've set up an external account. So let's just plug it in here. And I also want to say this particular computer, I've called it Home Sweet Home, it's not on the network, so this is kind of typical let's say setup of a home computer. So this is the first time it's seen this account, so I'm going to plug it in.

And as the disk spins up in a moment, we should be, there we go, yeah. So it's now prompting you to ask if it's okay to allow this account. And I'm going, you can say you know, permanently by checking that checkbox, but I'm going to say allow once. I have to enter the admin's name and password, and there's the user.

( applause )

Now I'm going to log on.

Okay. So just to say this is the full user, it's the full setup, has the files that I left on the desktop last time, everything's pretty much the same. Here's the menu extra where you can synchronize and do stuff. But essentially that's it, I'm going to show you that I'm offline, but briefly going to try to do synchronization, but it's not going to be able to find the server here, just briefly. It didn't find it so it's not going to synch. But I have one other thing here, okay let's deny that so this is off, unplug this, okay. Another thing here actually, this is a two gigabyte memory stick, and I'm going to plug this in right now.

And just allow, actually I'm going to do this and remember this time. So now that user's there, so now I can log in as that user if I wish to. Now this is lots of fun to play with so I got to do it once. So you pull the plug, it's gone.

( applause )

Plug it in again, it's back, okay.

( applause )

So that's it, okay. Thank you, now we'll go back to the slides.

Okay, external accounts. So hardware, and this is a big question. So what should you use for external accounts? Here's another wonderful small disk I have. I recommend that you use what are called portable disks. They're hardened for some abuse, you know. They can be dropped, and they're okay for vibrations, and they're not going to die on you.

A second choice would be desktop disks. They're just as good as portable disks, but of course you have to find a power supply for them, in some cases they're a lot bigger, they don't have vibration protection perhaps. Flash based. Okay, you saw it work, it does work.

And you wonder how long it's going to work. ( laughter ) The problem is that all media has you know, disks they talk about mean time to failure, and that's an average. So some fail soon, some fail later. So at some point all media, including these disks and flash drives are going to fail, so you have to think about what you want, what your recovery plan is going to be. And I don't have any figures on whether flash drives will fail early or not, it's just something for you to consider in your deployments.

Okay, last thing, people always ask me about iPods. Okay. First of all they have to be formatted as HFS+, but it's really up to you if you want to use iPods or not. You have to consider what'll happen when you lose your data, I want to get my clicker here. When you lose your data, if you're backing up with PHD synchronization, you've got your data backup, so you're okay. So you have to think if there's anything of value on your device that would make you feel bad if you lost it. So that's my advice about using iPods.

Okay, security. So you should require FileVault, or basically it's just readable by anybody. You know that on OS X if you take the disk and plug it in, and you're admin, of course you can look at every file on here. If it's not protected by FileVault, anybody would be able to read this when, you know, just by connecting to a machine.

Okay. Command line tools, so we added some. There's a great mobile account command-line tool, it'll allow you to create a mobile account. You can have synchronization on or off, you can have FileVault on or off, and you can be at any path for your home, and that'll make an external account.

So I was trying to think about how I would do deployment, and one way to deploy things is that you might want to image disks that already are set up for a particular user, you know, FileVault and all, and then just hand off the disks like that, and that'd be a very nice way to deploy. And you could do it with a command-line tool. A second command-line tool is the homesync command-line tool. And if you just say homesync, you can find it inside of those bundles there.

homesync -s will do a synch home now. Some people didn't like the way that we did periodic synchronization, so if you don't want to use the way that we do it, you could just have a little tool in the background that calls this thing whenever you want, and we'll do a synch on demand that way. Minus, homesync -r, actually there's a process in Leopard, it's called FileSyncAgent, which actually does the synchronization.

We keep our preferences in another file called com.apple.homesync.plist, that's in the user's Library/Preferences folder. And when you do the homesync -r, it will copy the contents of that and basically make the API calls in the MirrorAgent, excuse me, not MirrorAgent, FileSyncAgent such that it picks up the new settings.

Inside of that file, the homesync.plist file, there's a whole bunch of unmanaged synch rules, and the structure's exactly the same as that in the HomeSync preference manifest. So if you don't want to use Workgroup Manager, but you want to manage this with fine-grained things, say I want to synch this folder, not that folder, all that sort of stuff, you can all do it, and again, go wild with the HomeSync preference manifest.

Okay, one other thing. Ah. Leopard has a so-called synchronization server, but it's not really a server, it's a small process that sits on Leopard Server, and you turn it on this way. You go into Server Admin, into the settings, and in the general part you'll see this checkbox.

Turn that on, and this is a process, and what it does is when the synchronization starts, the clients will talk to this process, and basically using the Spotlight, you know, data there, just basically tell us what's changed. So when you do a synch, you'll basically skip the whole checking process, and just immediately go to copying data. So this should actually be quite fast for doing synchronization.

This is the command line way to do it, suggest you write that down real quick. ( laughter ) In I think the current version of Leopard you also have to make a defaults write call at each client to turn on the file sync server. That will not be in the shipping product, in the shipping product it will happen automatically. So thank you very much. Now let's go back to -

( applause )

Thank you.

- All right, thank you Bruce. Everybody's, I hope, looking forward to External Accounts, this is great stuff. Extended mobility, having your own hard drive, so go with that.

( applause )

So System Image Utility, system imaging. Where do you use system imaging? So switching topics. How to deploy Mac OS X Leopard on a hundred systems, how to deploy diagnostic systems when your systems go bad, like when hard drives fail, how to customize how Leopard is installed. You'd want to add iWork, you'd want to add iLife, or Microsoft or Adobe applications. And how to restrict what systems can boot from whatever system image, or NetBoot image. So two tools, System Image Utility, Server Admin.

And what's new for Mac OS X Leopard with system imaging. So System Image Utility's totally revamped. So we effectively threw out the old code, started from scratch. And -

( applause )

You guys loved 10.4, come on. So System Image Utility's now in two modes, one is the assistant mode, and one is the advanced mode.

So in the assistant mode it's really easy to create images, in the advanced mode, using advanced mode, using automated workflows, go crazy. This is for the system admins who want to tweak every little setting that they have access to. So we have lots of actions you can tailor, we have support for disk partitioning. So if you want to deploy let's say systems that would have a boot partition, this is the way to go.

Command line image creation, repeating workflows from an automated command-line tool. And then on the deployment side, Server Admin now can tell what clients have, are installing, and how far their installs are going. So instead of seeing like you have fifteen clients are connected, you can tell seven clients are about seven percent done installing the latest Mac OS X Leopard release.

So -

( applause )

Yay. And image assistant, so what is this like? So this is basically one two image creation, there is no step three. You launch System Image Utility, it's still called System Image Utility, and you have some sources selected. So you have valid volumes, either install DVDs, or Mac OS X 10.5 volumes. So if you select any of these images, the default settings are for DVD we create a NetInstall image, for a bootable drive we create a NetBoot image.

That's step one. You click on continue, and then in this case we are creating a NetBoot from DVD, you plug in the administrative settings, admin name, password. You click create, there is no step three, after this your image is ready to be deployed. So that should make the basic image creation, like without any customizations, very straightforward and accessible to many admins. So that's image assistant.

But then there's the workflow. So now that the System Image Utility is implemented using Automator actions, you have access to each individual element. So in 10.4, you had different panels for different settings. Well you didn't really know like what to use where, and how they apply, and yeah.

Now you can actually take the pieces that you want, and set just those settings. So you can apply just those pieces into the image, like creating an admin account for a NetBoot system, or doing package selection on a package based install, or customized packages for a NetBoot or NetInstall image creation.

And these workflows you can then use, either from System Image Utility, you can use them from Automator, you can create them in Automator. And you can use them from command line. So you can have a cron job that creates like the daily build of your current Leopard, like you get daily discs in Leopard, and Microsoft releases and what not. And you'll have up to date information.

So where this matters is like you get a new set of systems, like in two months we release the thirty two core Mac Pro, and it comes with disks that you don't have yet. So the current Mac OS X disks don't boot that system. Well to get you NetInstall or NetBoot systems that are customized to your environment, all you have to do is re-execute the workflow against these new DVDs that you just received as part of the hardware bundle, and voila, you have a new NetBoot image, you have a new NetInstall specifically tailored to that system. So that should be very useful. And -

( applause )

Yeah, please.

And because it's an automated workflow, you can integrate with other actions. So if you went to the previous system imaging session on Wednesday, Mike showed you how to do some of the custom image actions, or image customization actions. There are some stock Apple ones you could find useful like burn to disc. If you've created a let's say NetInstall, NetBoot, NetInstall system image, you could burn that to disc, and maybe even boot from that and install. And from Automator.

So here's a way to execute the same workflows over and over again, yet because we're using Automator variables, you can tailor some of the elements in the image. It's not always going to be called my system image, it can be called my system image of today, or my system image for something, by just changing Automator variables. So you can customize the image ID, anything that you can have, anywhere you can insert an Automator variable, in the source path, in the destination path.

You can replace those values from the command line. So without further ado, oh we do image deployment. Okay, there's a demo coming up, Image Deployment. So as I mentioned, we have improved status reporting so you can now see from Server Admin what the installation progress is on, of the clients. And per image client filtering.

This is significant because now you can actually say that I'm, I only have access to one NetBoot server, yet I'd want to do my prototyping and my production on the same server. So I don't really want to co-mingle those, just because like if somebody by accident boots into my, erase my hard drive image, I'll probably get support calls, that's not good. So what I'll do is I'll filter that one image on the production server and say it's only my test machines that will get to see these images.

So you can now have very fine-grained control over which systems get to see which NetBoot images from a single server. So in previous, in Mac OS X Tiger and previous, this image filtering option was a global setting. So you couldn't do it image by image, but with Mac OS X Leopard sure you can. And bootpd.

Now we have access to bootpd relay. So if your IT staff is reluctant to deploy let's say DHCP helpers, or somehow has some animosity towards like port nine sixty nine, sixty seven, sixty eight, there you can actually have bootpd act as a DHCP relay agent. So you set up one bootpd server on your network, and even without DHCP helper apps, you can now point the bootpd relay to another NetBoot server on a distant network that wouldn't regularly see the DHCP request from the clients, and you can boot your NetBoot clients from that.

And -

( applause )

And read-only volume support. So previously you couldn't serve let's say from a CD-ROM, well that doesn't really make sense, but Xsan. If you had Xsan read-only clients, you wouldn't be able to, without going through some interesting mechanisms, you couldn't really serve those images readily from Mac OS X Server.

Now we can actually have a single Xsan volume, and share that amongst five different servers, and only one of them would be the master toggle server that enables or disables the images. And all four, the rest four of them would be just reading all the copies of that image form.

So it can do a form of load balancing using Xsan and read-only images, without having to worry that if some admin goes to one machine and disables images, then how will that affect the others. It's just one image form, and deployed by Xsan. And now we go to demos. So let me bring Brian Nesse to the stage and he'll show you how this system images now looks.

( applause )

Yeah, that one, yes, okay. All right. So as you've seen, this is Workgroup Manager, we are not going to demo that. Okay. So System Image Utility, as you've seen in the slide, this is basically where you start. Instead of doing continue however, we are going to click customize. And if any of you were in the Automator session yesterday evening at five o'clock I think it was, this is an Automator workflow view.

We have taken and embedded Automator in our application, and here you go. So we have, we start out by putting this define image source in here for you, cause that's a first step that you have to start somewhere. And then we're going to take and we're going to customize our source a little bit.

Just going to scan the disk quickly and figure out what's there to install, and bring up this thing. And we're just going to turn some stuff off here, we don't like printers.

( applause )

Going to make them go away.

( applause )

And then we're going to do one of these very dangerous things, and we're going to enable automated installation, erasing my hard disk.

( laughter )

Going to call him Mac.

And then now that we've defined our hard disk, now we need to set it up. So we're going to do this.

( applause )

You've seen system, or if you've seen Disk Utility this will look quite familiar. Going to give him a percentage of the available disk space, we're going to define this guy, going to call him PC.

And then we're going to make him an MS-DOS file system. Now you can see right here we're trying to be a little helpful, we're trying to tell you that this will not work on a PowerPC based Macintosh, because this requires a GUID partition table, so you will not be able to boot this on your G5.

Let's see, was I going to do anything else? Oh yes, I had a server package that I wanted to install here, so I'm going to put this in here, and I'm going to go out and find it on my hard drive here, drag him in, and that will cause the server package to get installed after laying down all this stuff that we defined up here.

And then you simply say I'm ready to create, drop that in there, and we will attempt, if you're actually running on your server machine, we will attempt to go find your NetBoot folders, assuming that's probably where you want to save them. Otherwise you can put it wherever you like. Simply give it a name, and that's the name for, that's where it's going to, that's what it's going to be called on the drive, and then this is your name that you're going to see in the NetBoot server, on the NetBoot server.

And then you can add, oops, hey we don't use e's here. And you can add an additional description if you want more data, and then an image index, which if you've ever done one of these, you know what that's all about. You can then save this for future use, and oddly enough there's one there already. We'll replace it, and you'll see it appears over here in your workflow list, so you can bring it back at a later point.

All right, now we're going to leave this, close this guy out. Okay, here's one that I created earlier, and I'm just going to double click on it, and you'll see that it actually brings up Automator, because it is indeed an Automator workflow. And this one is a little different in that you'll see down here in the creation action, I have actually used variables instead of typing in text.

So I've got an image name, and then I'm going to modify that image name for the volume name that you see displayed, and for the description. And then hiding down here where you can't quite see it, there's an image index that I can assign that automatically from the command line as well. Now I don't really need this visible, so we'll put that away. And going to widen this up a little bit so that it doesn't wrap.

Get my handy little cheat sheet here cause I don't know how to type. So what this is going to do, and you saw this in the slide as well, we're calling the Automator command line tool, giving it my image name, and my image index, and then just telling it to execute this one that I've conveniently placed on the desktop here. Now when I run this, you'll see step three by the way, this is actually step three.

You have to authenticate, and what you see up here is, up in the menu bar here you'll see that Automator is telling you that it's doing something. And you'll see here we've got some logging going on right now, and you'll see that the text that I put in has been appropriately dropped into all the appropriate places, so it's in the image description, it's here in my image name, and it's attached to here where it's being written out. And then my image index, which I also assigned. And that's the demo.

( applause )

Back to you Steve.

- Well thank you Brian. Did you like?

( applause )

Yes. So that's System Image Utility, and that's pretty much our session. If I can have the slides please. So, here we go. So, to cap it up, if you have any feedback regarding any of the technologies, please send it to Mac OS X Server at Apple dot com. Skip Levens is our technology evangelist for Mac OS X Server. The developer site has documentation, sample code, we'll post some configuration information there as well at a later date. And for other sessions, hmm, let's see.

Oops. So right after this there's a building image, building system images for logical deployment, so that's about customization and customizing images. We also have a system imaging lab, and the engineering team will be at the system imaging lab right after this, at the IT lab. And then we have understanding managed deployment, which is still at this room, at five o'clock. So if you want to see how some other third party tools, like Casper and what not, and doing some secure deployments are used, come to that session.