
WWDC07 • Session 552

Understanding Managed Deployment

Information Technologies • 1:05:17

Implementing a managed deployment strategy brings many benefits, including a consistent end-user experience, a simplified support model, automated software installation, automated software updates, asset tracking, and inventory management. Hear practical advice on why you should implement a managed deployment. Learn best practices for building master images, package management, automated software installations, and automated testing.

Speakers: Gage Beauchemin, Veronica Law

Unlisted on Apple Developer site

Transcript


[Gage Beauchemin]

Good afternoon. Welcome to Session 552, Understanding Managed Deployments. So you've now officially entered the home stretch for WWDC 07.

( Cheering )

( Applause )

So my name is Gage Beauchemin, I'm the systems engineer manager for enterprise at Apple Sales. And I've got Veronica Law, she's one of our engineers.

And we're going to be talking today about managed deployments. And I know a lot of you would rather maybe be grabbing a beer right now, or are wondering maybe you should've made that decision. So, why would you want to be here? Why do you want to be listening to us talk to you about managed deployments when you've had so many sessions this week talking about deploying software, packaging, all of those things?

So, what I hope to give you guys today, at the very end, is to wrap it all up and give you the idea of how to take all these tools and methodologies and roll them out, and see how some of our customers have actually used these to manage the deployments in getting software out, built, and supported in their organizations. So, I've got a history from being an IT administrator years ago, so I'm obviously rusty.

But what I've been doing for the last four years is being part of Apple's professional services division and helping deploy software and helping companies understand how to build mass deployments to meet their organization's needs. And so these customers mostly are Fortune 1000 commercial customers. And Veronica comes to us from NASA, where she spent about eight years doing integration of platforms and deployments in heterogeneous environments.

So, if you stick around for the next hour, the things I'm going to try to go over with you are: one, defining what a managed deployment is, because before we talk about it we want to know what it is. The second is the process surrounding a managed deployment. We want to discuss what goes into that and also give you a case study of how someone's used these processes to actually do a deployment, and then talk about some sample scripts, give you those sample scripts to take home, and go over some tips and tricks to maybe take some of the things that you've seen throughout the week and come up with some new ways to use them. And then we'll do wrap-up and Q and A. So, simply placing computers on a desk and installing some software doesn't count. So, if we go to Wikipedia, the source for all definitions, and look for managed deployment, we get nothing.

( Laughter )

( Applause )

This one?

( Talking in background )

So I'm sure by the end of the hour, you stole my line. I am sure by the end of the hour somebody's going to go upload that. So, I'll give you some suggestions for what a managed deployment is. So, according to the "Gage-i-Pedia," managed deployment is the process for building a system to install, support and maintain computers in an organization to achieve specific goals. And this last part is important: specific goals.

So these are not what I'm dictating you guys should be having. Because who's going to listen to me, right? These are suggestions about what commonly comes up in a lot of organizations that I've talked to about what some goals are. And goals are important because you want to have goals, so that as you're going through this process, because it's easy to get sidetracked.

It's easy to get taken off course and go down a rabbit hole. And setting aside what the goals for your deployment are at the beginning helps you check in from time to time and go, how is what I'm doing right now working to achieve those goals? Or is it not? So, some are: enabling users to be more productive, duh. Minimize the total cost of ownership.

Improve the user's experience. Sometimes that really gets lost. Reduce user downtime and reduce support cost to the organization. So, as we go through, we're going to talk about how some of the goals for one of our customers got defined. But before we do that, let's talk about what else there is to a managed deployment. Obviously we talked about building and deploying a standard image, everyone gets that part. But migrating user data, patching and updating once machines are out there in the ecosystem. Training, support, and of course asset tracking and inventory.

So you know what you still have. So if you're going through this process there are various stages. And I define eight of them. You guys can choose to do what you want with this. But my whole goal is, before you start doing something, you should actually plan what you're going to do. Go out and gather user feedback. Find out what the needs are.

Do a needs assessment of what you need to be delivering to your users. And then build something. And the first thing you're going to build is what I consider your best effort. And no matter how much we know about our end users, or how much we think we know about our end users, typically our first best effort isn't quite good enough.

And I know it's a knock to the ego, but the reality is that you need a pilot to go ahead and learn about how your best effort either does or doesn't meet the needs of your end users. And so one of the important things is to make sure your pilot group is as diverse as possible to represent the whole organization, or at least the whole part of the organization that's going to be using the deployment that you build.

So, once you've learned from that, use that to revise your builds, and maybe you want to go through this process of piloting and revising a couple, three, four times until you feel you've got it right. And then you want to deploy. So, deploying in my mind is just a bigger pilot. Right, because you're going to find out more about what's happening.

So again, go back to learning and then go ahead and update your system. And this is where, once you've gone into the wild and deployed, you want a mechanism to make sure that once you learn by doing, you can then integrate it in and fix and build out all the machines that have been deployed without having to re-image the whole thing.

So, let's talk about a case study here. I'm not going to use the company's name. We're just going to say it's a large electronics manufacturer. So, these are the goals that this company came up with for their deployment. And the first thing they wanted to do is, these machines, we're going to buy these nice pretty Macs and we're going to put them throughout our organization. And the concept from the guys sending the checks is, these are expensive. Everyone thinks Macs are expensive.

But they wanted to look further into the system because, I mean, we can get into that debate. But what they wanted to look at is, what's the total cost to the organization of deploying, supporting, and maintaining these machines throughout the life of the machines? How do we protect that cost? So, they also wanted to take this new platform they were building in and use that as a platform to revisit 15 years of experience deploying Windows, and maybe some of the assumptions and the rules that have been built around how they deploy machines, and pull them out, put them on the table, and really see if this still made sense. Because they didn't want to infuse a lot of previous knowledge from a platform that may or may not work with this new platform.

They also wanted to leverage a Windows-focused help desk. They didn't want to have to get a whole new IT support group. How many here have budget for more people? No, we're not, those dot-com days are over, right. We're in more of a how-to-get-more-out-of-less mode. So they want to do the same thing.

In fact, some companies actually, I find, are still looking at outsourcing or offshoring their IT support, their help desk. So, they want a way that they can leverage non-Mac gurus to sit on the help desk and use their Mac gurus for building and designing their infrastructure and actually doing proactive work. So, they also want to do this all while minimizing user downtime, maximizing their uptime, and minimizing the impact on IT. And where possible, integrating into the existing infrastructure they already have, instead of having to build a whole new parallel system just for the Macs.

So, I have, I keep wanting to look at the screen. So the first thing they did is they built out a zero-touch deployment. And the reason they looked at this is, if you look at companies who have talked to them, to quantify going out and physically touching a box. Most companies can quantify that it costs them between 35 dollars and 50 dollars to touch a box.

Now that's not per hour. That's just to physically go touch it, whether it's two minutes or half an hour, it costs them between 35 and 50 dollars. So, if you need to touch a box to deploy it, just figure on adding 50 bucks to the cost of that machine right off the bat. And every time you need to touch it thereafter, throughout the rest of the life of that machine, just keep racking that bill up.

This company previously was spending between two and four hours to set up a box. So, what they would do is they'd get the box from procurement, they would provision and set up and image the box. They'd go physically deliver it to the end user. And then they'd set the end user up, attach it to the directory service, configure their mail client, and do all this nice white-glove service, a real good experience from the end user's standpoint. From the IT standpoint it's a very costly endeavor. And so, what they wanted to do is continue this white-glove experience, but reduce the impact on IT, both in man hours and in cost.

So they leveraged NetBoot with ASR to do a complete hands-off image, zero-touch imaging, where they made extensive use of preflight scripts to automate asset tracking and other pieces of the process, postflight scripts to bind to the directory once everything's done, login scripts to configure the machines to the Entourage setups, because they're using Entourage to Exchange. So, they wanted all this done automated. And they wanted it customized for each user. This way they don't have to visit the box.

All the while they wanted to minimize total cost of ownership. So, how did they minimize that total cost of ownership? Some of the things they did were partitioning the hard drive so that you have one hard drive partition for all the system software and a second partition for all the user data. What this provided them was the ability to go ahead and re-image a box without worrying about the user data.

They didn't have to back it up. That takes time and it also potentially puts the data at risk. They didn't have to worry about archiving that data. They can just re-image a box. So this actually really lowered the threshold for them of when they could pull the trigger on re-imaging a machine.

A lot of companies will spend four, five, six hours invested in a single box trying to troubleshoot the ghost in the shell in that box, knowing full well that if they just re-imaged it, it wouldn't be a problem. But there's such a fear that maybe if I re-image it I'm not going to catch everything.

Or, how do I put it back to where it was? So they just avoid the whole thing. So we wanted to take that pain point away. They're making extensive use of the packaging format for deploying all of their software. I'll repeat that: for deploying all of their software they're using the packaging format.

They're leveraging a push-pull model. They phone home and pull software down on a regular basis, but they also can take those packages and push them out where it makes sense. They do not only hands-off deployment, but hands-off support and maintenance of the boxes. The only time IT physically touches a box is when the box breaks, there's something wrong with the hardware, and then the end user brings it into the depot.

They really embrace this hands-off approach to deployment and support. Also leveraging scripts as much as possible to automate as many things as possible, and continuing to evolve on that policy. And then also using policy-based management out of a central repository to make decisions about what goes where for your customization of these boxes.

Okay, so let's talk about the components they put in the machine, or into the system. So, we've got a NetBoot server. We've got a file server. We've got directory services and a MySQL database. So what they're really using is NetBoot and ASR to do the initial deployments. They're using AFP file servers to host their master DMG image and all the package images. They're using the package format, obviously, and a directory service. Now this customer, they're using Active Directory. But you can use Active Directory, Open Directory, OpenLDAP, choose your favorite.

They're also using a MySQL server with Java running on a Java server, which is Tomcat. And this system was basically a database for hosting some logic in Java so they can actually intelligently build out a system of triggers, policies and actions. So, the trigger is when the box phones home to talk to the server and the Java engine.

Okay, they've got business logic embedded in the Java engine that allows them to say, okay, if this criterion's met, perform this action. And the resulting action can be: go out and install this package, run this script, remove something; there's a range of things that can happen. And that leads right into the fact that a lot of this is predicated on scripts: AppleScript, Perl, and shell scripts.

So, what does a user's experience look like when they get a new machine? IT hasn't touched it. How does this box get built? So, Veronica's here with me and she's going to basically go through this with them. The end user gets a machine. And they get a quick start guide, which is right up here on the screen.

And this quick start guide says, you've got your new box, congratulations, woo hoo, let's pull it out of the box. And the first thing you want to do to get this onto the corporate build system is plug in the power cord. Remember, it's Veronica, not Vanna. The next thing they're going to do is plug in the Ethernet.

So far we haven't lost the end users yet, right. We've got pretty pictures. Okay, here comes the tricky part. Take your finger and hold down the N key. Okay, and press the power button. Okay, I think everybody in this room knows where we're going with this. Right? Okay, we're NetBooting.

So, the one thing we learned, remember, relentless learning about the user's experience, is that users were complaining that their finger hurt from holding it down too long. So, we had to add an extra step saying please remove your finger from the N key when you see the globe.

( Laughter )

( Applause )

Sometimes it's not the technical stuff. Actually most of the time it isn't. So how does initial deployment look? What's going to happen? How's the system going to build up? We're going to walk you through each step. This is the time that if you're bored, go get a beer.

Alright, so the first thing we do is we go up to the NetBoot server and we boot off a customized NetBoot image. We're booting into an image sitting on the server. And what it's going to do is run a preflight script. That preflight script's going to go out and find the first disk in the system, which is disk zero.

And it's going to look to see if we've touched that box before. And the way it looks to see if we touched that box before is if there are two partitions and one of them is named data. Okay so, if it's not named that, we haven't touched the box, and we're going to go ahead and partition it.

So it partitions it. And the first partition is called Macintosh HD. It's 20 gigs. The second partition is the remaining data and it's called data. And then we go ahead and build a symlink. This actually happens a little later in the process, but we'll say it for the user's sake now. We build a symlink from the base system, which has the OS and everything on it. And we want to go ahead and separate all the user data to the second partition, so /Users on the Macintosh HD is symlinked over to /Users on the second drive.

Okay, so for those of you who are script junkies, here's where it is, we can walk through it real fast. We're basically using diskutil to go ahead and do that. One thing that we did add that the customer wanted was a warning for the end users that, okay, say you brought your home machine and managed it somehow, figured out how to NetBoot. And you're about to image your machine: Warning, Will Robinson, you're about to lose all your data. Most of the time, guess what happens?

Audience: They lost all their data.

[Gage Beauchemin]

Yes. Okay, at least IT wasn't on the hook at that point. You said yes. Okay, so then we use diskutil, we partition two drives, HFS Plus, one for 20 gigs and one for 2000 gigs. So far I haven't seen a laptop with 2000 gigs in it. So what that's really doing is saying take all the remaining space and make an HFS partition. So this allows us to future-proof the script a little bit for different drive sizes.

These are all going to be uploaded to the site so you can download them. This is basically our symlink script. And we thank Rick Lemman from professional services who helped this customer. These are all his scripts that he built. And he was nice enough to share them with us.

So, the initial deployment continues on where, after we've got the drive imaged, or sorry, partitioned, we want to take an ASR master image and blast it down on that first partition. So, now we have our master sitting on this box. This is not rocket science; in fact, this whole process isn't rocket science. The Windows guys have been doing stuff like this for years, the Mac guys have been doing stuff like this for years, managed deployments. We're just taking a unique set of tools and doing it on the Mac platform.

I just said the Mac guys, didn't I? Okay, Linux guys, correction. Okay so, after we ASR'd it, the box has a postflight script, and that postflight script is going to go out and find the MAC address of the first Ethernet device in the box, which is en0, and it's going to go out and find the second MAC address of the second device, which is en1.

And we're going to go ahead and use those as unique identifiers. And we're going to go out and throw those up and create a computer account in the MySQL database. So we're creating a record. And those are our index fields, which is the MAC address; it's unique to every box.

The next thing we want to do is a script that's going to go out and do an inventory of this box. So what's a good tool to do inventorying with? System Profiler. So we do a System Profiler report, export it as XML, and I think this is running out of batteries, and it sends it up to the server and caches it in the database, okay. And it bears saying that when we created that computer account record, there's a default template. And that template already had predefined triggers and some policies for this box that we'll discuss in a minute.

So, we now have an inventory of what's physically on this box. Well, we could also cache in here, pre-populate all the software that we know is in our master image. Right? But what happens when we change that master image down the road? Are we going to want to go change that default template every time? Probably not.

So, rather than do that, we're just going to go ahead and inventory and troll through the hard drive and find every application that ends in .app in the Applications folder, and we're going to go ahead and send that up to the server as well and cache it in the database.

After that, what else is left? Receipts, right? So, we go ahead and take all seven locations where you can have a receipt in the system and we throw that up there. So now we've not only captured everything that was installed with a package, which we've done, but anything that wasn't installed with a package, so a third-party installer, as long as it ends in the .app extension, which is usually hidden.

Okay, and then here's the typical, we'll go back into the typical process. If after we built our master image, we're six weeks down the road, seven weeks down the road, and we find out, you know what, we wanted to add a couple of things or we wanted to fix a couple of things and we don't want to repackage our master image, we'll just throw some packages, post-action package installers, and throw them down.

Okay, so now what we have is a system that has basically been imaged. It's got some customization done, but for the most part it's a generic box. The last script retargets the internal drive as your boot device, restarts it, and we boot up. And remember I said that default account had some triggers in the template; those triggers were, next time the machine boots up, phone home.

The other trigger it had was, first time a user logs into any account, phone home. Now we can also have cron'd action triggers, we can have logout triggers, there's a variety of things we can do. So, we have some pre-staged in the box just from the initial get-go. And the first one phones home to the MySQL database and says, okay, I'm phoning home.

What do I do? And the database says, okay, you've got this default thing, let's bind you to Active Directory. So, it sends down a startup item and tells the box, go bind yourself to Active Directory. So what we'll do is we'll take, we already used the Ethernet address to create a computer account in the MySQL database.

So why not use the same, be consistent, and create an account in Active Directory with the same thing? Well, the only problem is Active Directory really doesn't like colons; in fact, for that matter, MySQL doesn't like colons in your fields either. So, what we do is we go ahead and truncate that down and prefix it with Mac, just so we know it's a Mac in their system, so that the paranoid AD admins know how to find us. And we go ahead and throw that in and we're creating a computer account in the Computers OU.

So, if you guys want to see, here's a script that actually does that. This started life as Mike Bombich's scripts and got heavily modified, again by Rick Lemman, who's sitting right down here. And he'll be available for Q&A if you have any questions later. But basically what this is doing is running out and doing an ifconfig to find your MAC address, doing a little awk to truncate things down. And then it's setting some variables and then it ultimately does a dsconfigad. Now the last thing you're seeing in a variable on here is a $password. Anyone know what's wrong with that? Someone scream out. What?

Audience: It's in the command history.

[Gage Beauchemin]

Right, it's in the command history. What else?

Audience: (Inaudible)

[Gage Beauchemin]

Okay, so you're potentially, the root of what it's doing is you're opening up a security problem because you're giving an admin password to the Active Directory system. So, how do we, we can't get rid of it. How can we minimize the impact? So, what we did was we went in and created an account in Active Directory, dialed down the ACLs so that all that it had the right to do was to create an account in the Computers OU and nothing else. So if someone managed to get this, that's all they'd be able to do. So, this script is getting pushed down at first boot to systems that have only been imaged by our imaging process.

It's using a, you know, fairly innocuous computer account. And then at the very end we destroy it with a secure remove. It's not 100 percent foolproof, but at least it's better than nothing. You gotta live with Windows, you gotta live with Windows. So, customizing the workstation. We've shown you how this works in theory. Let's actually show how it works in practice. So, Veronica's going to go ahead and show you under the hood what goes on.

[Veronica Law]

Thank you Gage.

( Applause )

So, less than ten minutes ago I showed you NetBooting this MacBook Pro, so during that time we've laid down the generic image, bound that system to the directory domain, added in some of the startup scripts to talk to the MySQL server database, and put in the login script.

So, besides all these scripts it's basically a very generic build. There's nothing specific software-wise installed for any user. So, there's nothing like Xcode for a developer or, you know, CS3 for a creative artist. So how do we take a generic system from an out-of-the-box kind of experience to a totally customized managed client? So, to start, let me show you the system in a generic state using a local admin account that we have put into the generic build.

One of the things I want to show you is this, but let's see, can you switch it over to the demo?

( Silence )

Yeah, I'll fix that in just a sec. See, I didn't put in the mirroring, so let's see. Is it mirroring now?

( Silence )

( Talking in background )

( Laughter )

Thanks. I do, you know, give out sacrifices to the demo gods, so it's not working.

[Gage Beauchemin]

Do you want me to walk them through the process, and then on the screen while you do it?

[Veronica Law]

It should be right there.

[Gage Beauchemin]

I'm going to slide this do you want me to walk them through the process while you get it set up?

[Veronica Law]

We got it, it should be.

( Silence )

Oh see, sorry, great. Yeah, thank you.

( Applause )

Alright, next time I'll know better. Do something for the demo god. Mirror, one more step. We'll get there.

( Silence )

Alright, we're there, okay. So, the first thing you notice is that the hard disk has been divided into two partitions. As Gage pointed out, in that partitioning script we have one for the OS and one for the data.

The next thing is, basically, for this admin we just get a default blue desktop, although the dock is moved from the default location, which is at the bottom, to the left. And if you take a look right now you have some of the generic applications like Mail, iChat, Safari on there. So one of the things I want to kind of show you is, at this point the system has been bound to our directory service. So if I were to execute dscl, is it too small?

[Gage Beauchemin]

Bigger.

[Veronica Law]

Better? Alright, and if I go to my directory service I can see my list of users, great. So this system has been configured and it's already bound to our directory server. So, how do we take it from this system to something that's customized with specific software for our user? So, let me take you step by step from this point how, say, for this example we have Joe, who's a software developer.

And he's going to show us, from this point on, how he's going to get the system installed with the necessary software he needs. Can I switch back to the presentation slide?

( Silence )

Okay, so Joe is going to be faced with a MacBook Pro with a login screen. So the first thing he does is, what are you going to do? Put in a user name and password.

That information is sent and checked against the directory domain. And when it's authenticated, a login script is then triggered to phone home to our MySQL database with the Ethernet address as well as his user name. So, at this point the database server now has two pieces of information to work with. What it's going to do is three things. One, it's going to use this user name and then poll the Open Directory server for further user attributes such as Joe's real name, his email address, maybe perhaps what group membership he belongs to.

The next thing that MySQL is going to do is, using the MAC address, it's going to check against the inventory database that has been keeping up all the systems under management. And find out, for example, that Joe's system is a MacBook Pro with two gigs of memory. Perhaps a little, you know, free space for software installation.

Third, with all the information about the user and the system, it's going to then look at a list of configuration policies that someone has pre-created or predefined. These policies basically are just a list of action items. These could be running a script. They could be installing and uninstalling packages. These policies are keyed to any user attributes. So it could be keyed to Joe's group membership: being in the software engineer group, he's going to get Xcode.

And other software, perhaps OmniGraffle, he's going to be getting. Once the MySQL server database figures out what policy this system and this user require, that information is sent back to the client, and the client is going to go mount the AFP server, download the software and the scripts, and proceed to, you know, install and run the scripts.

So, one of the things I want to point out is that, as Gage mentioned earlier, with the type of script that you can configure, you can highly customize it to any actions you want. So it can be setting up their mail preferences so a user doesn't have to figure out what, you know, mail server or relay server they need, so, all that, once they have logged in, everything will be configured. So let me take this for a spin.

Oh, by the way, the script is basically AppleScript, and at the end of this session it's going to be up on the server for you to download.

( Applause )

So, can I have it back on the display? Thank you. So, I'm Joe and I'm logging into the system.

[Gage Beauchemin]

Prior to this the system is still generic like everything else.

[Veronica Law]

Alright, right away you can see my desktop is different. And if I look down in my Applications folder, pretty soon you'll notice this scroll bar changes because OmniGraffle was getting installed in the background. And you can see that's just popped up. And now let's take a look at the Developer folder where Xcode's going to be installed. And as you see, Interface Builder is being installed. And as I speak you can see additional folders popping up. There's Xcode.

( Applause )

So Joe is pretty psyched, I mean, being a developer it's like, oh my God, my Xcode is there. As you know, Xcode can be pretty bulky. So for this demo it's going to take a couple of minutes to finish installing before it runs the other scripts. So I have a different system that has all that, you know, pre-built. So I want to show you the end product, once baked.

Is it showing yet?

( Silence )

Okay, is it showing up?

( Silence )

Okay, sorry about that. It doesn't, are we there? Okay, good. Alright, great. So this is Joe's environment. As we see, the desktop has, you know, changed to the rock garden. And if you take a look at, I want to take you to the dock. The dock has the Xcode and OmniGraffle icons already added on there. That's part of my policy design.

And let's take a look at Entourage, because that's the script at the end of that install. It basically runs the setup script. So, oops, no, not that one, and let's take a look at Entourage. So, is it going to prompt me to set up my environment? No, that's just Graffle... close that. And it takes a while, but eventually it's going to come up.

( Silence )

That's still the Graffle. Alright where is it? There, it takes a while, okay. If I check my account settings you can see that's all pre-set up. So, for Joe that whole customization has been done by just merely logging onto the system, so for a user all Joe knows is to take the system out of the box, NetBoot it. At the end of NetBoot, log in. And voilà, I have all the stuff that I need for my job. So, that is the customization that you can do.

( Applause )

[Gage Beauchemin]

Can we switch the slides back to the other screen?

( Silence )

So, there's a lot of tools. And Apple's got a lot of tools well there's some third party tools out there. And a lot of people are looking for this magic bullet that does everything for them.

And the reality is that there is no magic bullet. There's a lot of different tools out there and there's a lot of overlap between those tools. And a lot of people see that overlap like, okay, this does a little bit of what this other thing does, and which one should I use? And the answer's both.

If you've got options then you've got an option of, well, in this circumstance this one may work better for my needs at this point in time. And in another circumstance this one may work better. So, I'd like to take a tool belt approach to this. You don't see your carpenter using just a hammer to build your house. You wouldn't dream of it. And so you wouldn't just expect one tool to do everything for you when you're doing managed deployment.

So Veronica showed you how you can customize a box, how the box gets customized after we build it to give the user a unique experience of what software goes on there, what's on their dock. There's some overlap there with some of the other tools out there. So, managing preferences, you all know you can control what goes into the user's dock through managed preferences and edit directory service. Which one works better? Maybe both, maybe some things you want to manage through policies and actions out of a data base and some you want to manage through managed preferences out of your directory service. They're not mutually exclusive.

They're complementary. There's also Apple Remote Desktop. We talked about doing that pull model where stuff gets pulled down. Well sometimes when you're doing help desk you don't want to set up policy and wait for the user to log out and log back in again before they can have this new software pushed to them. You just may want to grab off the AFP repository of all your packages and go push and install a package to the user because you're dealing with them right then and there.

So, ARD has some overlap with some of the things we've already discussed. There's also some reporting tools in there. Maybe the reporting you have a policy for everybody out there doesn't quite cover something you want. And ARD can do it faster and more nimbly or whatever; it doesn't mean they're mutually exclusive.

So, there's also a range of third party tools out there that try to solve that last piece that Apple doesn't have something right off the GUI button to do, which is how do you install third party applications after a box is already out there because we all know the software update's out there but it only handles Apple updates.

Right? So how do we get those pieces down? How do we asset manage? How do we inventory these boxes? So there are a range of solutions, there's LANDesk, Radmind, LANrev, there's FileWave, there's Casper, and there's Altiris, and there's probably a few more that I haven't mentioned and if you're in the room and I didn't mention your product I apologize sincerely. So, all these take a slightly different tack on solving very similar problems.

So, for the customer we've been referencing we've had slides that said MySQL, it said Java, it said Tomcat. The reality is that the customer's looking at doing this. And in fact, my own team was looking at doing this. And we went down, Rick and I were actually at one point trying to design all this ourselves. And we had to make a pragmatic choice. And the customer did the same thing in saying, do I want to spend all my time doing, building infrastructure with MySQL and building Java.

Or, do I want to buy something off the shelf that's already gone through all that and just focus my time on solving my business needs. So, what they ended up doing was they decided on one of these, on the previous slide, one of these solutions, and the one these guys managed to choose, and I'm not endorsing anybody, I'm just saying the one these guys chose was Casper. And, Casper is basically a tool that's just leveraging MySQL, it's leveraging packages and NetBoot, ASR, AppleScript, they're doing Java, it basically runs on the MySQL server that's built in, the Java server that's on there, which is Tomcat.

It automatically sets up a share point so it's plumbing, just using the plumbing under the hood. Any of you guys given the right skill set and the will to do it can set these kinds of things up. You don't need to buy a solution. But where do you want to spend your time? So, this customer chose to go ahead and purchase Casper and we've been kind of referencing all this stuff that happens magically. So Veronica's going to show you how to set up the policies on the admin side to make all of this a reality.

[Veronica Law]

Thank you Gage. So we talked about using Casper to basically address your business needs. One of the things that we did just in the last demo was to show you how to configure a system from the generic to a customized system. So, other things that basically we can address are installing and uninstalling third party software. This could be for an admin: oh my God, CS3 is out.

I have to go up there and do an inventory of what's up there and figure out okay, what other systems out there are using CS2? And do I have enough disk space, so, basically all those are different steps that an admin would have to do in preparation work before you can address these specific needs. Other things are, you know what? Give me a sec. Do you have the, thank you.

What we have is policy enforcement. When I was working at NASA I was being asked by the security officer, basically, well can you set up a screen lock that enables every 15 minutes and make sure that you can't break it without a password. So, as you know, you can reset that at the system configuration panel. So a user can usually reset that. So how do you do a persistent policy enforcement? Other business needs are, for example, inventory and asset management.

I find that actually to be a very important piece to desktop management because not only for hardware refresh but also planning. One of the things is, as I'm about to show you with Casper, is without having an accurate and also an updated inventory it's really hard to create a policy and push out some of these configurations and enforcements.

So, just take a quick step back. What is Casper? As Gage has kind of let you know it basically leverages all the existing Apple technology as well as open source technology that's found in our operating system. What I found, one of the things that's very helpful is, what they did is wrap all that up, put in the glue to each of these technologies, and allow you to have a very easy configuration console that you can access through the GUI.

So one thing I kind of thought is one of my colleagues has said is what about an iPhone? So, maybe in the future you can do some of this configuration using the iPhone. So, before I do, let me log onto the Casper server and show you how to create a policy to remove and install the software.

( Silence )

This thing is not having. I did, let's see, nope. Okay there we go.

[Gage Beauchemin]

Can we get demo slides please?

( Silence )

[Veronica Law]

B. Start on B. Can you switch it over to demo?

( Talking in background )

( Silence )

There we go. Okay.

( Applause )

Thank you. I don't know, okay. Let's try this again. Let me go over to log onto Casper. And it'll prompt me for user name and password.

Now that I'm on there my objective is to create a policy that's keyed to any systems that have an older version of a software, remove that and then install the new one. So, the first thing we'll do is go over to the management panel and we'll create a smart computer group.

So let's click on the smart computer group. For this demo I'm going to be removing an in house Apple Quote Tool that we use for this enterprise sales group. So, I'll call this group that's there, there's there. And I want to tag that to the type of software. So, you can do that by application title so I'll click on that.

And now, application title, I can choose to have a certain phrase or string within that. So, I'll type, there we go, that's Apple Quote Tool, version 1.2.7, so save that group. Next thing I do is to go over to the policy and create this new policy to replace the older version with the newer version. So, I call that AQT and you can choose how to trigger it, by any startup, log in.

So, for this purpose I'll just go for log in. And you can actually set the things up by active when it's active when it's expired. The next thing is how often do I want to run this? So, let's just go for ongoing. And, I'll tap up at the scope to basically set up who gets this policy.

I want to add a computer group so I add a computer group and I'll show it up as Apple quote tool. That's the one that I just created. Next, I want to basically define the action items which that is whatever package that I wanted to install. So, I'll tap it over to packages at package.

And here is the list of packages that I've already pre-created using Composer. That's a toolset within the Casper Suite. So in this case I'll go over to Apple Quote Tool version 1.2.7 and go uninstall. And with the newer version I've created an install. And now I'll just save the policy.

So, let's just review to make sure I've got everything right. I have an active policy that's going to be run on log in. And if I go to the scope it's going to basically install on any system that's in the 1.2.7 group. And the action item is uninstall the old one and install the new Apple Quote Tool. So that was it and let's see this in action. Let's see if I can now get over to the other screen.

( Silence )

Do I have the same?

( Silence )

So, any news, we've been having a lot of problems with this. Okay, D. And you get to the display, see if I can detect displays again. Okay it's mirrored. So, okay one more try. Alright, so I've logged in as admin on the system and if I take a look at the application folder.

At this point I should just have, let's see where's my Quote Tool, 1.3.1. It had 1.2.7 before. So if you want to take a look at the Library Receipts folder to see, okay when was it installed? You can see it was just now, Apple Quote Tool 1.3.1, and that was just a minute ago that that just got installed. So, that's how easy it is to create a policy for you to uninstall and install the package.

One of the other business needs that we thought was very cool with this tool is, I don't know how many out there as a system admin, you'll find applications that are not really necessarily business related that just, you know, keep on being installed on the users' desktops.

You can advise them not to install it. But somehow they just end up being there. So, instead of chasing down these applications, you know like, Internet games or programs doing sniffing on the network, it would be cool to have a way to set up, basically blacklisting some software. So what I've done is on the server is to create a software blacklist.

So, now I install using a thumb drive. Say, I'm going to pick on LimeWire here. So I'm going to go ahead and put in the thumb drive. And where's my LimeWire? There it is. Let me open it up, install that, let me just install as an admin. Immediately I get my message.

( Cheering )

( Applause )

And so, as you can see this is a tool for you to streamline and basically do your admin job without running around and creating all these different customized scripts. But again, if you are inclined to do that, all this tool is underneath, Casper is basically Apple technology and open source. So, with some elbow grease and midnight oil I'm sure that you can make it happen. So with that, thank you Gage.

( Applause )

[Gage Beauchemin]

Can you switch back to slides please? So now we have a system where you can build data based machine based on a common standard image and based on users logging in and who they are, what groups they are, what computer or physical inventory of the hardware that they're sitting at. You can customize that experience in that box to whatever their needs are.

We talked about the deployment and we said physically getting the software out there and deployed is not the whole bag. One of the other parts is support. And remember we call that, this customer said that they wanted to leverage Windows centric help desk guys who didn't have any particular knowledge ahead of time of what the Mac platform was.

And they were faced with two choices. Take their Mac gurus who are designing their infrastructure and put them on the help desk and make them run around fighting fires and putting out fires and be in a very reactive mode. Or they could give their Windows help desk users some training, not expect them to be gurus.

But, build some way for them to go ahead and troubleshoot and triage machines effectively so that the majority of the problems that users face can get solved and the few things that are systemic to the whole system can get bubbled up to the Mac guru so they can solve it, fix it once and solve it for everybody.

So, I have this approach, this concept I call it my value meal system. And the value meal system is basically you go into a fast food restaurant and you want the easy pick out what you want, right? So we have a value meal system for supporting at this customer. And value meal A is, and this is not rocket science people, everybody knows how to troubleshoot, a user calls up and says something's wrong with this application. It's not running right. It's doing something funky.

What's the first thing you do? Sorry? Fire the user? Okay. No.

( Laughs )

Okay. So the first thing you do is you isolate it as it's a user issue. Is this isolated to this user? So log in as a different user. Did the problem follow them or not? If it did, we all know what to do. You can train the help desk guy with some simple training. How to throw away prefs and figure out the user problem.

If it did follow the user to another user, it's not the user. So what's the next thing you look at? It's the applications. Value meal B. So go and blast down an application. You've got everything in package format. You've got ARD. Blast it down. Did the problem get fixed, yes or no? No? Here's the part where it gets tricky for most people.

Is this problem just on this system, or is it everybody? So spend a little time fixing the problem. Here's the prob, the rut for most places that, remember I mentioned earlier that they're willing to spend four or five hours finding that ghost in the shell on that system, because the pain point, the perceived pain of reimaging a box is so high that they'll keep digging further and further into troubleshooting that box.

You really shouldn't be spending more than about 15 to 20 minutes troubleshooting a problem on a box. If it's not something, if it's just limited to this box and it's not going to be done, wipe the desktop clean. With Apple Remote Desktop, you can go in and you can say you know what? Retarget the boot drive as this NetBoot drive, reboot now.

What happens is the box goes out, sees the script, sees it's already been touched, it doesn't repartition, it just reimages that first Macintosh HD, puts it back to zero. You know you've got a fresh system. I lost all that configuration I did before. No you didn't. It's still got the triggers. It's going to log in. It's going to phone home the next time the box starts up. It's going to rebind itself back to the directory.

It's going to see the user account's already there, so it's going to use the existing one. It's going to have the first user login. It's going to go look at who the user is, what groups they belong to, pile on all the policies and do the actions, install the software and you're back to good again. You don't have to remember what you did to that box. You don't have to remember how it's different from this box and the other box. It's all built into a centralized managed system.

So here's the real power, because now you have a real simple process for your help desk guys to troubleshoot and fix a lot of things with some very simple training, and if it isn't fixed there, it must be systemic to the whole system, escalate the ticket to the guys who know how to build the system.

They can spend four or five hours troubleshooting and fixing the problem. They fix it once, they build a policy, it's fixed for everybody, maybe before most users realize it. All right. So now we need to decide what goes into our base and our delta. Now the base is that first image that gets pushed out with ASR.

Why do you want to put stuff into that base image? Well, ASR is real fast. You're doing block mode copies. There's no CRC checking back and forth. It's the fastest way to get it out there. So, you know, I'm a child of the 70s. They used to have this commercial for Prego.

You don't remember it? What's the tag line? It's in there. Yeah. Thank you. So my approach to the base OS is treat it like a Prego bottle. Put it all in there. If you have the right, the legal right to install it, it doesn't matter whether users are going to use it or not, if you have the legal right to install it, put it in the base, get it delivered out there in the fastest mode possible.

All the rest of the apps, you don't have a right to install, go ahead and put it in your deltas. Let your policies push it out and do it policy based. Now I just got pointed out five minutes before here, why wouldn't you put Firefox in your base? Right? Okay.

So, I have no excuse. Even I make mistakes.

( Laughs )

A lot of them. All right. So this makes it, the big question here is on here, we have a couple of applications that aren't in package format already. They're InDesign, Photoshop, you guys know they use their own installer, right?

( Laughter and applause )

[Gage Beauchemin]

You don't need to go that far. We can do it ourselves. In fact there's a lot of things that you just want to roll up as a package yourself but it just may not be commercial software. It may be packaging up the hack you did to the login window to put your company policy in it. All right? So let's start with this. PackageMaker. Everyone knows PackageMaker, right? Okay. If you don't, you've been asleep this week. So PackageMaker in Tiger got a relative upgrade to the GUI. Its core market that it's focused at is developers.

There are times to get the full power of it, you want to drop in and edit an XML file to get something done, but the GUI's been greatly enhanced and that's very nice. I like PackageMaker, but there's one thing missing. If you've got an application like Adobe Photoshop, or any other commercial application that's not already in package format, how do you go ahead and know what to drop into PackageMaker? Well, there's a tool called loggen, it's part of the Radmind Suite.

( Applause )

Thank you, University of Michigan. Part of the whole Radmind Suite. And this goes back to my philosophy, you don't have to take the whole bath tub of water, you can take out the pieces that make sense for you, right? So loggen is a tool, and it's a command line tool, and what it does is it indexes your system. So you run the command line, you tell it to create an index, and in this example it's called orig.dat, and after it's done, you go install whatever app you want to.

I'd caution you not to go around surfing the web and all that kind of stuff, because you're going to create a lot of temp files that you later on have to ignore. But just install your app. Once you're done installing that app, you want to capture, run loggen again, tell it to create a new index file, compare it against the old and the result will be a text file that says here's all the stuff that's installed with a path to each one of them, and here's all the stuff that was modified. So this is your shopping list. Go drag it all in and you're ready. Okay, you now can build packages.

As an example, I think Macromedia Dreamweaver was like 13,000 files, but I only actually had to drag about 30 different things in there, because it'll count every file you have down a path. You just have to grab the root of the path. Okay. So what are the tools that are there for building packages? Say you don't want to use PackageMaker, there's a nice tool out there called Iceberg.

Anyone heard of it? Yeah. So Iceberg doesn't have at its disposal all the features that PackageMaker has, but ultimately what it's doing is it's really using PackageMaker under the hood with just a different skinned interface to it. So it gives you, for me, it gives me maybe 70 to 80 percent of all the features I normally use on a regular basis. So this is my quick and dirty, fast get it done tool.

And again, here's what it looks like. It's pretty easy to use. And it just exposes most of the options in there so you can embed preflight scripts, preinstall scripts, pre-upgrade scripts, postflight, postinstall, post-upgrade, all those kinds of things differentiate as you conversion your stuff, all that.

So again, you need a shopping list. So go get loggen and run it and now you have your shopping list to build it. And if you really want to go the easy route, and you'll notice we're going harder to easier, more features to less. Okay. So if you want to go really easy, there's a commercial application out there called Composer.

And I like Composer. And the reason I like Composer is it's simple. I can go to a company and I can teach them how to use this in a couple of minutes and they can go start working on building all their packages. And it's an easy, low risk thing to do.

The other cool part is they do some unique stuff like you build a package, you now have an uninstaller package. If you take the whole suite from the JAMF guys, the Casper Suite, it'll upload it to your AFP servers for you. But you don't need to buy the whole Casper Suite to take advantage of this.

This is a 50 dollar app. If you buy Apple Remote Desktop, they will sell you this, Composer, for 50 dollars. And so that's a real nice one-two punch. Package up all your applications and push them out with ARD. Say you don't want to take the whole managed deployment route, you just want to take what makes sense for you guys, right? And the nice part is it does all the indexing for you. Okay. So we've got a way to build packages nice and easy.

We've got a way to build our base. We know what goes in the base. We know what goes in Deltas. But it took us six weeks, three weeks if you're good, it took you an investment of time to build your first master image, right? And get it all dialed in with all the tweaks you wanted to do.

The only really unique thing when you want to update that is your OS, right? All the rest of your things pretty much stay the same. So if we're going from like 10.4.8 to 10.4.9, and you want to update your image, do you want to go through all of those things and remember and most of us just keep a detailed list of everything we did and we have to recreate all of that.

So we know how to make packages, why do we have to do that again? What we really should be doing is once you've installed your base OS, anything that goes on over that, say your VPN client, make it a package. Your hack to the login window to change the welcome screen, make it a package. Office, make it a package.

Virus, make it a package. Whatever you're doing on top of that base OS, package it up so the next time you want to build a new base image, it's not going to take you three weeks. You install a fresh OS, you add all those packages on top of it in an afternoon, you have a new system, go ahead and suck it up with ASR and make a master image out of it.

Okay? So that begs the question, when do you update your packages? Everyone has their own theory, right? Stand on your right foot, rub your tummy, pat your head. Okay. So basic philosophy here is, get your clicker to work first. If we've got a system based on 10.4.8 and we come out with some new hardware, say a new laptop, I'm not predicting hardware, we don't talk about unannounced products, we come out with a new piece of hardware. That hardware is not necessarily going to have a whole new OS rev, it's going to have 10.4.8 plus. What's the plus? Kernel extensions, hardware drivers, that kind of stuff.

Apple, when we're focusing on getting a new product out, we don't necessarily go down the route of regression testing that build against every other piece of hardware that's supported by the last dot release. So we're not going to go through all the engineering of making sure. We don't always do that to make sure every single box out there runs. Now can you install it? Sure. Will it work? Most of the time.

You guys ever seen those G5 fans just run and run and run and run? Yeah. Okay. So what's a good, safe practice? And I've heard some people say wait for a retail box. How often do we come out with a retail box? Okay. So, correct me if I'm wrong, but what I have been told is the right thing to do is wait for the next dot release. What we'll do is take all of the changes and kernel extensions and everything else that have been done, roll it up into that dot release, and then they do go through a regression test back.

Okay? So, okay. Everyone's got their own idea, right? Okay. So we're updating, we're building this new system. We're adding all of our packages on to it. But there's still this thing like do I put this on out in the wild across a whole wide ecosystem of machines without testing it, right? So you always want to pilot it. But let's talk about how you prevent putting a pilot out and wearing your pilot users thin, is automated testing. And there's a really cool application out there for OS X called Eggplant. Anyone heard of it? Okay. Cool.

So if you do this build, you rev it, you put all of your packages on it, you're building all of these packages individually anyway, Eggplant's a really cool tool where you can build a test script for every single one of your packages, your applications as you build it. So you know if this worked before you can run it through a script and test to see if it still works.

So you can build up a whole suite of these scripts for every application you make a package out of and then you can just say okay, I've made a new build list, just run through the script to know that what worked before, does it still work? If anything's wrong, it'll tell you. So how does that actually work? Well at its heart, it's a VNC server.

So what Eggplant's doing is we already have a VNC client built into our machine. Or do I have that backwards? Anyone know? I always get it backwards. Anyways, one of them is the server, one's the client. So VNC, you're not installing anything new onto the OS X build you did, so you're not corrupting the system, all you're doing is you're turning on access to the VNC clients so the Eggplant server can go in, tap in the box, and you can build a script.

You can say listen, I'm doing this. It watches the visual VNC session and does image recognition and says okay, when I did this, the expected result was this. And it actually will record all of this for you and you can build in inputs to it, but it's a pretty easy way to build scripts and they have a powerful scripting language behind it.

Well what that allows you to do is go ahead and build a test, automated test script for every application, and then at the end just fire them off and run against it. If it hits a problem where it veers off the track that it doesn't know about, it does a screen capture, rolls it up into an email and sends it to you.

Cool. So let's recap. We're running into the Q and A time right now. So just to repeat, this is nothing new. People have been doing this on Windows and Linux for years. We now have a great suite of tools that we can employ in very creative ways to build out a system that's very, very cost effective to manage, maintain and support machines in a wide environment. You don't have to do all or nothing. You can take the pieces and parts that make sense for your organization that meet the goals that you need and use those pieces.

I want to reiterate what I've said before, but learn about your users. Learn, learn, learn and employ that learning. And then lastly, protect your experience as an administrator. Be proactive. Don't be reactive and run around fighting fires. Okay. So we're going to have, there's some more resources, if you want to know more about any of these things I've mentioned, you can go to our slides.