
WWDC08 • Session 101

Getting Started with Mac OS X Administration

Getting Started • 1:19:54

Whether you're new to deploying Mac OS X or just need a refresher, learn why Mac OS X and Mac OS X Server are as easy to manage as they are to use. Discover a wealth of management tools and services that are at your disposal, explore management features unique to Mac OS X, and learn how the administration expertise you've already gained managing other platforms translates to Mac OS X management.

Speakers: Brian Loose, Jason Deraleau

Unlisted on Apple Developer site

Downloads from Apple

SD Video (860.9 MB)

Transcript

This transcript was generated using Whisper; it has known transcription errors. We are working on an improved version.

Welcome to session 101, Getting Started with Mac OS X Administration. My name's Brian Loose, and I'll be the presenter today. And along with me is Jason Deraleau, offstage. And Jason will do a couple of demos tonight for us. So just informally, we've got a couple of questions we wanted to ask about the session. How many of you would say that you're new to the Mac platform? Hands. Okay, and how many would say that they've got experience administering Windows platform? And then, and also for Unix, Linux? Okay, so a fair amount. Okay, let's get started then.

As Bertrand told us this afternoon, the Mac platform is only increasing as a platform. And it's become a great business tool, really, in the last few years particularly. Now, you're probably seeing in a lot of your own businesses that management and power users, both, are bringing Macs into the office and they're getting work done on the Macs and they're being productive.

But a lot of you are probably thinking, how can a Mac integrate into our environment? How can we make it integrate? And how can I also support that when I may not have Mac administration specialties or capabilities and you have a lot of MCSEs or Unix, Linux admins on staff? So how can I be sure that somebody with that knowledge can administer some Macs that I'm bringing into my organization and hopefully expanding that presence? So we'll answer a lot of those questions and we'll show you some equivalent platform tools that we have on the Mac. And we'll also talk about how we can use some of our existing infrastructure in our IT organizations to integrate and support those Macs that we're bringing in.

So we'll do that in a number of ways. First, we'll give you an overview of Mac OS X administration. Now, this is not intended to be a real deep dive, but it's intended to have you get a real good look at the platform, see what some of the tools are, and then look at the rest of the sessions over the week and see where you want to get more information and more of a deep dive into that topic.

So first we'll give you a very brief platform overview. Just to kind of give everyone a level set of the hardware and software platforms that we're dealing with, just in case you missed some of the sessions this morning. And we'll show you some of the tools and utilities that you'll use to administer Mac OS X, both from the GUI and the command line.

Now next, there are four things that we're going to cover today, really. First, user accounts. And just some basics about how do I configure user accounts from a local perspective on the Mac. Then we'll dive a little bit deeper and talk about, well, how would I do that if I was tied into a directory system, a directory service, both on a Mac or an Active Directory? Third, we'll look at policy management. A lot of you that are familiar with the PC platform, we call it policy management. On the Mac, it's very commonly referred to as client management. So when you see sessions that say client management, that's pretty much what we're talking about: how do we administer policy.

And lastly, system deployment. Taking a Mac out of the box, how do we get it ready to give to a user? How do we manage it over its lifetime so I can distribute updates and things like that to it? And lastly, we're going to cover some of the related sessions.

As you're looking through that guide of sessions to attend, we'll have a list of all those. We can quickly go over those at the end. We'll also point out sessions on slides, which usually you probably won't see too much during this, but because it's an overview session, we are going to point out relevant sessions right on the slides.

So with that, let's start with a platform overview. So a lot of you are probably very familiar, you know, in the last two, three years, Apple's transitioned to the Intel platform. And that's -- they've been a great partner of ours, and all of our machines are on Intel, and for that matter, they're all very much standards-based.

Beyond the processor themselves, when you think about things like the USB interfaces, using keyboards, mice, thumb drives, USB hard drives, firewire drives, displays, using DVI or VGA displays, and those types of areas. And as Bertrand mentioned this morning, multi-core is very, very important. Now, Mac OS X has always been very friendly to the multi-core and the multi-core area, always recognizing those cores, always making them available to both the operating system and the applications that are written to specifically address those.

Now, a third area where you probably are less familiar with is EFI. Now, rather than using BIOS like the traditional PC standard of the last decade and a half, the Mac uses EFI to handle pre-boot types of capabilities. Now, EFI is that next generation standard from Intel, and I think over the next few years, you'll start to see PCs as Microsoft supports EFI, you'll see that in the hardware of the machines, and that's what we use. And it gives us some great capabilities. Because we were bringing our platform up on Intel from very recently, we were able to see that this was a future direction, and so we built on EFI rather than BIOS.

I mentioned it gives us some great things. So with EFI, we can emulate BIOS, and that's what we do as one of the ways that we allow you to use the capability of Boot Camp, which allows you to actually install and boot Windows on a parallel partition on your Mac and switch that back and forth and use that either one whenever you want.

Now, a lot of people are using VMs and virtual machines to do emulation. I'm sorry, not emulation, but virtualization. But in some cases, you may want to boot that Mac directly into Windows and make use of it. So Boot Camp gives you that capability. And to have it on the machine installed right alongside your Mac gives you a great opportunity to do that.

Now the next real foundation technology of Mac OS X is Unix. A lot of people are familiar with our great GUI interface, and it's been -- it's what's made Mac OS X very popular with a lot of people. But the real foundation and the strength of Mac OS X is the Unix underpinnings and the foundations. So let's take a little bit of a further look at that.

So with Leopard, one of the things that's a great improvement in the platform is being UNIX 03 registered, one of four platforms to do that. So we are a certified UNIX. And we're also POSIX compliant. So if you have source code that's also POSIX compliant, you can be pretty sure that you can bring that source code in, you can build it, compile it, and run it on our Unix foundations.

Now, you're going to find that it's very similar to BSD. You'll find a lot of the same directory structures and a lot of the same commands, so it'll be very familiar to you. But in a lot of cases, there are certain commands that you may not find. You might think that they're missing. But in fact, they've probably been superseded by commands that Apple has written that go beyond the initial command that you might be missing and address functionality far beyond and integrate further into the Mac environment than the binary commands that you may have been missing.

So last, let's talk about networking and communications. Nowadays, communications and being able to communicate to people in a wide variety of ways has never been more important. So whether you're using a dial-up modem, a cellular card, Wi-Fi, or gigabit Ethernet, some of the fastest standards, you can be sure that with our self-tuning TCP/IP stack, that we're gonna manage things like latency to make sure that you get the best throughput, no matter whether you're using a modem or that gig Ethernet.

So it's gonna manage that for you. Very powerful TCP/IP stack. And our networking is also very standards-based. So you can be sure that you can take a Mac out of the box, either plug it into your network, configure it to work with your wireless, configure that security if needed, and you can be sure that you're going to get an IP address, you're going to get on that network, and you're going to be able to start working.

I've also got a very robust firewall that supports both IPSec and PPTP standards for Microsoft. So that's built in, ready to go, right out of the box. And finally, if you are having some issues with your networking, you can be sure that there are a lot of diagnostics tools, both in the GUI and in the command line, to help you get through a rough patch that you might be having networking-wise.

Now let's take a look at some of the tools and utilities that you're going to use. Now, a lot of these you'll find have equivalents both in Windows and the Unix. And so we'll try to point those out where relevant. The first tool, which is very handy when you're doing any type of diagnostics, and you can use either by yourself or you can even prompt a user to very easily use and give you some piece of information to diagnose something. This is System Profiler.

Now you can also call this from the command line, in /usr/sbin, system_profiler, and that'll spit out an XML list of information that you can capture to a file and possibly save or transport somewhere. But you've also got a full GUI interface into this to very easily check the settings of a specific device or if a specific device is even showing up.

The next is Activity Monitor. It just gives you a very quick basic system resource usage of the system. Kind of see if you've got a process that's perhaps using more resources on the processor or from system memory than it should be and manage that process a little bit better, in some cases killing it. Very similar to the Unix command top or even ps. So from a command line or GUI, you're pretty much covered there.

Now, as a Unix admin, one of the things that is usually very troubling is the myriad of areas where logs from a system or application standpoint are stored all across your system. One of the things that the console application does is allows you one very quick interface into all the system logs, all the application logs, and can very easily allow you to go in and check out a log and also filter a log for keywords.

Another thing that Jason's going to show you in the demo is a neat feature where you can mark sections of the log. So it's very easy to go back and see where you were in a log at a specific time when you waited for an event to happen that you were looking for.

Oh, let's go back in there. One thing is that you're probably used to on the Unix command line is using the tail command. Okay, so we can wait for events that are logged to a specific file. Very similar in this area. You use this instead. System Preferences is the one place in Mac OS X where you can configure all of your OS environment settings. So things like setting up your desktop and your Dock and some very Mac specific things such as your Exposé window management.

Now, there are a lot of similar command line types of tools that we also have. The networksetup command from the command line will allow you to do most of the configuration settings that you can do in the Network preference. pmset is a command line tool that will allow you to do very similar things to the Energy Saver settings in the preferences panel. And mdutil is a utility that will allow you to manage Spotlight.

Now, Spotlight, as you can see up here, is one area that you can configure to allow you to index metadata for your files in Mac OS X. So you can do this from the command line. You can also do many of these things. You can do them all in the GUI, but many of them from the command line as well.

And lastly, cupsd. cupsd is the system that runs our printing architecture from the command line. There's also a web interface into cupsd that you may want to look at. That can help you manage printers from the command line if you need to. So, let's go ahead and start.

Next is Disk Utility. This is the one tool that you'll probably use to format, erase, partition disks, whether that's a single OS X HFS partition or even a Windows partition. You can configure all those types of partitions in Disk Utility. There are also some great companion tools in the command line, diskutil and hdiutil, which is more geared towards being able to take an entire disk that you have, a physical disk, and copying that into a disk image that you can move, copy, and deploy on another disk.

Now, we talked about some of the capabilities for doing networking diagnostics. Network utility is a very, very easy application to use. You could probably walk any user through using this and can get some great information about what your Mac sees networking-wise. So you've got a lot of the familiar Unix commands there, ping. You can do some things like the netstat capability. And you have similar functionality to host, the dig, and the ifconfig commands. So, a very good tool for diagnosing networking issues.

Now, Directory Utility is a primary tool that you'll use to do binding of machines. We'll talk a little bit more about Directory Services. We've got a whole section on it later. But this is the tool that you would use to bind your machine either to LDAP, Open Directory servers, Active Directory servers, all right inside Directory Utility. Now, there are also many command line equivalents to this. You'll see Directory Service, dsconfigldap, dsconfigad, dscacheutil, and the mount command. Those are all commands that we do in a very similar way, but through the GUI with Directory Utility.

Now, the next two are a couple of server-based tools. If you were in the last session, I'm sure you saw some of that. But the first one is Server Admin. It allows you to administer a server locally on the box or remotely. Very easy to do that either way. And from a command line perspective, you can also do this with a command line tool called serveradmin. So this is primarily for starting and stopping server processes and also configuring those processes.

And additionally, it will also handle all of your file share capabilities. So if you were going to reshare a directory on the system, this is where you'd go to do that. It also gives you status of these as well. As you see there, all green lights. Everything's great.

Second tool, Workgroup Manager. And this is primarily for managing users, groups, and computers, and policies. Some command line tools that will also do similar types of things: dscl, dseditgroup, and pwpolicy. So if you're into the command line, you'll want to look into those tools. And now lastly, Remote Desktop is not included in the operating system like the rest of those tools are, but it's a great tool for beginning and medium-sized networks that want one tool that can manage their Macs from a number of different areas.

You can observe Macs on your network, be able to grab their screen, view it, control it. You can also do things like install software over the network, push software out to those machines. You can also do some great things. One of my favorite things is to be able to distribute a Unix command across a number of machines.

So you can do things one machine at a time with Remote Desktop, but you can also batch those things. So you can select a group of 100 machines, deploy a piece of software to them. Or issue a Unix command and have the result come back from all 100 machines from their Unix command line. So this is an additional piece of software.

And now we've got Jason to come up and give us a demo of the typical Mac admin's Dock. And he's gonna go through some of those applications that we just spoke about and give you just a very brief tour of some of their capabilities. Over to the demo machine, Jason.

So I'm just going to walk through a quick demo here of some of the different tools that Brian just covered. First one up we have is System Profiler. And System Profiler is a great way to go in and take a look at the details of the hardware and software configuration inside your machine.

I kind of think of this like the old MSD command under DOS. You get a lot of information about what particular hardware is installed in the machine. For example, I can see the graphics adapter in this particular workstation. I can take a look at the different hard drives installed.

I can get into different software configurations so I can find out what version of an application is installed on the machine, when it was last modified, and even can tell me whether it's a universal binary or maybe like a classic one that would require me to use the classic environment, which we don't really have as much these days.

I can also take a look at extensions, which are similar to the concept of device drivers. This is the way that the hardware is going to talk to the kernel. And there's a lot of great information in here that you can use to collect specifications about the machine, what the current configuration is, and whether anything has been changed recently.

You have the ability to go in if you're working with AppleCare, for example. You can send the information directly to Apple. You can save it out to a file and perhaps send it to your IT department if you're on the road and having problems with it. And it's just a great tool to get all the information about the machine in one place.

Moving on, the next tool is Activity Monitor. And with Activity Monitor, like Brian was saying earlier, this is very similar to the Unix top command. Getting information about what processes are currently running on the machine, how much memory they're using, CPU time. I have some nice little graphs down here at the bottom as far as what the disk activity currently going on in the system is. If I come up here to this show box, I can actually see all the processes hierarchically.

So I can see how the different processes are structured on the machine, and I can see the bridge between the system processes themselves and into the user space. Another thing I particularly like about this tool is you can go in and sometimes you get a problem where I'm maybe trying to eject an external drive and it keeps saying a file's open.

Well, if you go into Activity Monitor, you can inspect the process, and it'll actually show you what files and ports are open on the machine. So this is kind of some of the same kinds of information you got in netstat and also some information out of the lsof command, for you Unix admins. The ability here to stop processes, do sampling, get some more information about what's currently running on the machine.

Next tool I'd like to show you here is Console. And with Console, usually when you first open it up, you kind of want to come over here and click Show All Logs. And what this will do is allow you to see all the logs that are gathered up in the system.

And these are organized into different domains. Brian touches on this a little bit later in the presentation, but depending on whether the log is, for example, something running in my user space, like an application like Mail or maybe the .Mac sync panel or something like that, that's going to end up in a different location on the system than system processes.

So, for example, if I want to take a look at what the Apache logs are doing for the Apache service, I can come down here to /var/log, where you'd find it traditionally on a Unix system. However, for something like within the Disk Utility tool, when I run it in my workstation, I'd find that in my local log file.

Now, kind of a neat thing here that I like, and I kind of wish Event Viewer had this on the Windows side, is the ability to mark the log. So I can actually click here to insert a marker, and you can see it does a timestamp. And then I'm just going to open up Terminal here, and I'm going to issue a bad command.

Now, if I come back over here to System Log, I can actually see that the information about the failed attempt for the authentication is popping up in the log. And now I can insert another marker, and this gives me two points of reference to determine what's going on in the system when I have this failure.

So if I'm having problems with a service starting or I keep getting an error when I'm trying to upload something, I can come in here, mark the logs, repeat what the process is, and then use that as a way to troubleshoot a little further on what's going on.

Now, System Preferences is very similar to Control Panel, same kind of tool you would use on the Windows side to configure a lot of the basic configuration of the machine. And actually, you can even use a lot of the Windows terminology in here. So, for example, on the Mac, we call our background a desktop picture, but on Windows, you call it a wallpaper, right? So I can come up here, type wallpaper, and it's actually going to suggest to me that I go over to this particular panel and then change my picture.

One other one I also get questions quite often about is going into right-clicking. And you'll find that if you go into the keyboard and mouse panel, you have the ability to go into the mouse section. And you can actually switch this over to secondary button, which will make it act like a right-click. So even if you have a standard USB mouse that adheres to the HID standard, you can come in here, enable the right-click, and it'll work just like a mouse would on Windows side.

As far as Disk Utility goes, again, this is a way you'd use to go in and partition drives. You can also use it to set up different file systems. A nice feature of Disk Utility is you can create images of different devices. So, for example, if I have a CD and some software on a CD that I want to make a backup of, I can actually use Disk Utility to make a copy of that in a file on my machine, and then I can back it up on my workstation instead of having to burn another copy of it.

Another feature I really like about Disk Utility is you have the ability to go in and do multi-pass erases on a drive. So, for example, I'm about to decommission a whole bunch of workstations, I'm going to throw them up on eBay. Before I do that, I probably want to go in and erase my company's sensitive data.

So, I can come into Disk Utility, go to the erase portion, and right here I have this option for security options. And in here you can see I can zero out the data just to get the drive out to a certain state. I can do a seven-pass erase or a 35-pass erase to eradicate the data. Something I do personally is just kind of a best practice.

I like to zero out the drive before I install the operating system on it because it'll actually try to write to every single sector on the drive, and that way, if any of them are bad, it'll mark it in the volume bitmap and it won't use that block for data in the future.

As far as network utility goes, this is, again, a tool you would use to do a lot of diagnostics related to the network stack. You have some pretty standard stuff here, you know, as far as I can get information about a network interface, which, you know, is very similar to if I did perhaps the ifconfig command, I'd get a lot of the same information right here in the box. Netstat, you know, if I want to take a look at the routing table on the machine, I can get that back and find it here.

If you're still using AppleTalk, you can make use of this through here. DNS lookups, trace routes, all the standard kind of tools you'd find in there, even a rudimentary port scan utility. So it's a great tool for just a graphical interface for users who may not be comfortable with the command line to do basic network diagnostics, but can at least click around in a box and work with you on the phone while you're working on it.

As far as Directory Utility goes, this is the tool you use to connect to different directory systems. For example, in this case here, I'm working off an Open Directory server. There's also options to add Active Directory servers. So if I want to go in here and click plus, I can say I want to use Active Directory and just as easily bind to an AD backend in my enterprise environment as I could bind to an Open Directory environment.

There's also the ability to go in and search some advanced settings here where I can set up mount points, I can disable and enable different plug-ins, and I also have the ability to modify the search policy. And for those of you who are a little newer to the platform, the search policy is kind of a unique case. On Windows, you know how you have the authentication box, and typically you have a name, a password, and then you have a selection of a domain at the bottom where you would pick which particular domain you want to log into.

On the Mac, the way you pick what domain is used is based on the order of the search path. So if, for example, the LDAP directory has a user account named Bob, and the Active Directory system has a user account named Bob, whichever one comes in the list first is the Bob that's going to get used. So if you're having problems logging in, it's usually a good idea to come in here and just double-check the order that you have in here to be sure that you're authenticating against the directory system you think you are.

For Server Admin, again, this is the basic tool to come in and not only examine the status of the server, but also configure its services. So it's kind of like the services panel in Windows, but it's a little more featureful. Not only am I able to stop and start the services, but it's also a way to manage their settings. There's a lot of great information in here about the machine as I'm looking at it, so I can find out, again, some of these graphs. I can see an activity monitor about CPU usage and disk usage.

I have an overview here of the different services that are currently enabled on the machine. And you can see in the list here that a green dot means it's currently active, while a gray dot means it's not running at the moment. So in this case, DHCP is not running.

I have the ability to go in to look in the logs, and this is the same information I'd find in the Console tool, but the big difference here is that all of our server admin tools, as far as Server Admin, Workgroup Manager, they're designed to be used remotely.

So the idea is I can have my administrative laptop sitting at my desk here, and I can manage an entire rack of servers in the other room from one place, and I can go in and view all their logs individually, collect performance information, and otherwise configure the machines.

Again, some more of these nice graphs we can look at, configuring share points on the server, giving a list of updates, SSL certificates, pretty standard fare. Another big one's notifications, right? As far as the individual services themselves go, they have a pretty standard format. Each one will have an overview telling you what the current status of the service is. Depending on the different service, it will give you a little bit of information here, like the connections in use, or if we look at mail, it will tell me a little more detail about the different services related to mail.

So depending on the service, these vary a little bit, but generally speaking, you'll have an overview information about the current status of the service. You'll have some log information for the logs related to that particular service, and then depending on what service it is, I might get some things like more graphs or a connection table.

And then finally, at the end of the list, I'll have the settings. And in here, this is how I would actually configure the service itself. So the settings for AFP are going to be very, very different than the settings for DHCP. It's just what's involved in the nature of the service.

Finally, Workgroup Manager is the tool I would use to configure my user accounts. So this is similar to Active Directory Users and Computers. And in here, I can go in, create new users, delete users, change passwords. I have the ability to set different types of password policies. So for example, if I want to require the password to be changed on a specific date or introduce different types of password complexity requirements, I can do that through Workgroup Manager.

Additionally, there are the normal standard things you would find related to a user account, as far as the groups the user is a member of, where their home directory is going to be. If you're using the Windows services in Mac OS X Server, you can configure their profile path and login script. It's a pretty standard tool for just setting up your user accounts and putting them into place.

Additionally, we'll touch on this a little later, but when you get into the policy management portion, this is where you go in and configure your policy management for your user accounts. If I want to enforce different types of company policy on the user account, I can do that through Workgroup Manager.

The command line equivalent tool, or one of the many that you can use with Workgroup Manager, is called dscl. And I actually like this one a lot because it lets you browse the directory service system as if it were a directory on a file system. So, for example, I can use the ls command and I can see the individual plugins that are currently configured on the machine. I can cd into, say, the LDAP plugin. I can see what servers it's connected to. And then from there, I can go in and look further into it as far as finding, for example, my list of users.

A lot of Unix administrators may be familiar with tools like useradd or userdel that you would find on a standard Linux machine or like a BSD machine. And unfortunately, that isn't the exact equivalent available on Mac OS X, but using dscl, you can introduce a lot of the same functionality. So, really, again, this is just a basic overview of the different tools you'd use and you'd find in a typical Mac administrator's Dock.

And, again, I think that each one has its own purpose. And just as you would when you're administering a Windows machine or a Unix machine, you'll find that even though the tools may be a little different, the underlying concepts are the same. You're still working with user accounts.

You're still setting up services and configuring them. Brian?

So the next thing we're going to talk about are users, and specifically users from a local perspective, those that are configured on the actual computer themselves. Now, there are a couple of things, sometimes we consider those best practices, some things that you might want to do right out of the box, especially in the corporate workspace for a local user.

So you've probably seen when you configure a user on Mac OS X, it asks you for the name, the password, and it logs you right in. And any time you restart the computer, it logs you right in. So the first thing you probably want to do is go into the Accounts preference. And by default, it's going to have that state until you create a second user. Now, if you don't want a second user, you can go in and configure that to give you what we call login window.

So when the machine comes up, it will either give you an icon to display the users that are available and a space for a password, or just two spaces to enter a name and a password. So that's what I recommend for best security is two empty spaces. So you can configure that in the account system preference. And so that's where you configure login window.

And as we mentioned, the first account that you create has admin privileges. Now, that's good because admin is the level of user that you need to create additional users. So in many cases, what people will do, they'll create an admin user on the computer and call it admin or some variation of that. And then for actual users, even if you are the main user on the machine, create a second user for yourself and run as a standard user.

It's a good security practice that you might want to get used to on a computer. But it's important to realize that even if you stay admin on the machine, admin level user, it's not root, okay? There are still many, many areas on the computer you can't get to and things that you can't do as an admin. So even when you want to change things on the computer, if you haven't authenticated an application to do something, it's still going to pop up a dialog box if you're admin and say, please authenticate as admin so I can do this.

Now the admin user can create additional users as we mentioned, standard users as well as guest users, something that's new to Mac OS X Leopard. We'll talk about guest users in the next slide. But as I mentioned, we probably recommend that you just run as a standard user with standard user privileges.

Now, what's nice about this as a standard user is that you can always authenticate as an admin anytime an authentication box comes up. So it doesn't really limit you in any way. If you do know the admin password, you can go ahead and authenticate and allow something to happen. And if you have a user that's running as just a standard user, they can call you up and say, hey, something's going on in the box and it says I need to authenticate.

You can walk over to the box and you can authenticate with your admin privileges in the box and allow something to happen. So it doesn't mean you're locked out running a standard. It just means I'm going to need to talk to somebody before I can get something done.

Now, it is important to realize that once you authenticate and you allow an application the privilege to change something low level that requires admin access, that application still has, by default, five minutes of admin privilege to it. So, best practice, you'd probably want to quit that application after you change something so that your user couldn't go ahead and change it back or change it to something different that you didn't want to happen.

Now let's talk a little bit about the guest user account. We can use this in some kind of interesting ways. I'm sure you can think of a few things that you can use it for in your own organizations. Now, as I mentioned, it's new in Leopard, and one of the things that's really nice about it is that it gives you an account that somebody can just click on, guest, or type in "guest", and no password is needed.

Now, because of that, the home folder is completely temporary, and after the user is done working and doing what they want to do, maybe accessing a website or accessing a file share that they needed to authenticate to and log on to. When they log out, then that entire home folder is deleted when they leave. So number one, it's very important that any work they do is copied back onto a server, which is great. Or if they're using a website, obviously whatever's going to get changed in the website is going to stay changed.

And the reason we did this is that it took a lot of manual work to do this in the past. People wrote things like login hooks and logout hooks to manage users that didn't necessarily have an account on the machine, but they still wanted people to have access to a machine.

So we put this in. Now keep in mind that this is anonymous access on the computer. It means that anybody can just walk up and log in as guest if the guest account is enabled. It's not enabled by default, but if you turn it on, keep that in mind.

The fact that it is anonymous may mean that it's something that you might not be able to use in your organizations. You might want to check with your IT security guidelines because you may not allow anonymous logins on a computer. But where it is allowed, it can be very handy in situations.

Now, additionally, you can restrict this account with what we call parental controls. Now, it's a little bit misleading, and it's called parental controls for a number of reasons we don't need to get into too much in this discussion. But what it allows you to do is a very small subset of basically policy management for users. We'll talk about that a little bit later.

Now the next thing we want to cover is the concept of resource domains on the computer. One of the things that you'll notice is that as a user, you only have access to specific areas on the computer. And if you need to get access to other areas that are restricted to you, you're going to need to have a little bit higher level of access. So let's talk about that a little bit right here.

Across the top we have the domain, the type of usage that that domain or directory is used for. And then we have each of the account types inside of Mac OS X and how that account has access to that different domain. So if we look at that second line where it says home directory or home dir, and what that's used for is your own user data. And as a guest all the way through root, you have read and write access to your home directory.

Now, if we go one level deeper into that home directory, you've probably seen the Library subdirectory. Now, what that Library directory is used for are additional types of data that applications may store. You'll also see a Preferences folder inside there. All of your preferences get stored in that Library/Preferences. You'll also see a Fonts folder. So, anytime you want to add a font into your computer, you go into the home directory, Library, Fonts, and you would add that in.

Now, it's important to note that anything that you do in the library domain or the directory in your home directory, it only applies to you as a user, not to anybody else on the computer. So, if you were to do something like add a screensaver, in some cases, it does ask you now, do you want this to apply to just you as a user or to all users on the machine? And we'll get to that situation next.

But you can see, even inside of your home directory, that library domain, each account type still has full read-write access to the information in there, which means you can throw it away and delete it. If you're having an issue with a preference and you're trying to diagnose it yourself, you can take a preference, throw it away, you'll be fine.

Now it's when we get to the next level of library, which is at the root of the file system. That's where computer specific data goes, data and resources. Now, in addition to resources like fonts, screen savers, things like that, applications can also install files and resources in this area.

So if you were to run an application that needed to be run from any user account on the system, if it needed to get access to those resources, it would go in here because, as you can see, we have read-only access. All accounts have read-only access to that domain. Okay, very important. So I can read the resources, use them, but I can't change them as a guest or a standard user. Now we can get in there as an admin and pull those out and change them if we need to, or root.

And then beyond that, we can make available a network Library folder. Now, it serves the same purpose as Library, but access to the network Library would be given to you through some sort of an AFP mount, or an NFS mount perhaps. And what that does is allow you to distribute the same types of information, fonts, screensavers, whatever it may be, but it allows you to put that on a network share and change it in one central place rather than having to push that information or copy it out to a user's local /Library. Now, there may be reasons why you would want to store it locally, such as performance reasons, but in a lot of cases, having a network Library is great because you change it in one place.

And everyone that has that network library mount automatically receives those changes. Now, if you look at that line, network library, and we look across, we show that admin still has read and write access to that. So in this case, we're assuming that the admin also has read-write access to the file share that that mount is based off of.

Now lastly, we have the System Library. Now this is dedicated to operating system specific types of resources. So little utility programs and resources that the operating system needs. And nobody has access to those except in certain situations where the admin may be able to authenticate as admin. In the case where you're installing a kernel extension for some reason to support additional hardware, or maybe to install a kernel extension for a server, you may want to install some resources for a VM environment. So it does require that that admin authenticate. Okay, so in general, you don't delete anything out of there. It's generally specifically for the operating system itself.

Let's now look at a couple of advanced tips for local users that you might want to look into. This is new in the accounts preference pane. There isn't a lot of detail in the user accounts for people sometimes. If you right-click or control-click on individual user accounts in that preference, it will show you additional information, such as the directory that that user's home directory is stored in.

It will show you their user ID, their group ID, and their generated GUID as well. So there's additional information in there. It also allows you, if you're an admin, to change that. Now, knowledge is power, and so is the ability to change stuff, but you also have to take responsibility, because you can screw things up by changing anything in there, such as a user's user ID.

But it's there if you need it. Now, additionally, how do we enable root on the system? Since we said that admin, the admin user is not root, and root is not enabled by default on the computer. So if you go into that accounts pane, you can enable root if you're admin only, and you can turn that on and give it a separate password from your admin user.

Additionally, you can use the dsenableroot command from the command line. So if you're already an admin on the computer, you can run the dsenableroot command. It will ask you for a password for the root user. You give it a password, preferably different from your admin user's, and you're off and running. You can now log in from the command line as root.

Once again, dangerous, because it will do what you tell it and it does not forgive. Okay? So be very, very careful with your rm's and that sort of thing. Okay? We covered that. Another new thing in Leopard is the ability to have a home directory on a portable device.

So you might have a nice beefy thumb drive or a FireWire drive or a USB drive. You can now create an account that has that home directory stored right on the thumb drive, and you can make that portable and carry it around with you and plug it into machines that are authorized to have an account installed that way. Or if you have a network-based account that has those settings stored in it, it will be able to use that thumb drive.

Now lastly, another real dangerous area. That's why this is an advanced tip, okay? There's a file called authorization inside the /etc directory, /etc/authorization. Now, this file is a compilation of a number of different security settings in the operating system. It's not available to, you know, standard users. To be able to get to that and edit it, you have to have the right privileges.

Now, it does allow you to change some of the security parameters on the system. Now, we're not going to get into those here, and it's not really well documented, but it does allow us to have some workarounds into some security issues that you may be having or some capabilities that -- or configuration changes that you think you need for a couple of different reasons, and you can't change any other way on the computer. This is an area that you can look into.

Okay? Now, lastly, we're going to mention a great session, 512, Deploying Macs in a Highly Secure Environment. Now, in addition to this that you might want to attend, a Leopard security document was just released on the Apple website. So that may be also something that you want to look into to help you configure your Macs specifically from a security perspective to meet your IT policy needs.

So we talked about local users on the machine, but that's really not that powerful. What we really need in a lot of your environments is our users need access to just about any machine that they sit down in front of. And the way that we accomplish that is directory services, and we do that in a very similar way as pretty much any other platform.

So why do we use directory services? Well, it allows us to take all those user accounts that used to sit locally on machines and allow us to put them in a central location and apply policy information to those as well. So this greatly simplifies our administration. So we don't have to visit machines anymore. We don't have to do bulk operations over the network to try to manipulate those accounts. We just change them in one central place and hopefully they just all work with all of our remote machines.

So a great thing also, kind of a side benefit of this is that anyone deploying a directory service is going to deploy one that also has a system for redundancy, both in the fact that if one goes down, I've got another one that's still up. But when you have multiple directory servers, you can also provide a level of load balancing as well for authentications.

Now, these are primarily IT things that we worry about, things that make us happy. Well, for a user, there are very few things that an IT organization does that makes our lives happy. Okay, let's admit that. But one of the things they can do is give us single sign-on for a user. So when they sit down at a computer, they can authenticate, type in that password once, and for the most part, they're probably going to work at that machine during the day.

They may not have to authenticate again because they'll have the advantages of single sign-on capabilities. So whether it's a file share or maybe even an internal website, they may not have to authenticate again the rest of the day. That's nice. No more yellow stickies up on the monitor with their password.

And lastly, because we're a developer crowd as well, it gives developers a single target for a target API to write to. So on Mac OS X, developers can write to our directory services layer, and they don't have to worry about what the back-end storage is for the user accounts or any of the policy information. They can work with our directory services API, and it's very simple for them to support a number of different architectures on the back-end. They don't have to worry about it.

So let's talk first a little bit about Open Directory, which is the way that Mac OS X does directory services. Now it's based on open source in many different areas. First, from the directory side of things, it's based on OpenLDAP. So we take these open source tools and we're using them in a lot of areas of our operating system.

And when we talk about open directory or an open directory system, we talk about that being something that's used on the client as well as the server. You may hear of a server being an open directory master or a replica, so those are specific to servers, but on the clients, open directory is still the method that we connect into those servers, so it's kind of an umbrella term.

Now, there's really three areas that make up the directory service in open directory in Mac OS X. First is the LDAP server that pretty much has a standard schema that you'd expect on an LDAP server that you would find in an organization. But we've also added Mac-specific schema that can support additional things like management and things that apply specifically to the Mac.

The next area is Kerberos. So we have MIT's Kerberos as part of Open Directory, and that's going to handle your authentication. So very well respected, very widely used, but not so easy to implement on a number of different platforms. If you've ever tried to do this in Unix, it's not always that easy and straightforward. So on Mac OS X, it's a couple of button clicks, and you've deployed a full, on the server anyway, you've deployed a full Kerberos system.

And then the third key piece of this is an open source piece of technology called SASL, which we use as our password framework. So when we store passwords on the server, the password goes in once, and it's stored inside of the SASL framework. And that password never comes out of there again. It's a vault. Simply, when authentication is needed, it verifies that the password is correct, but that password is, for all intents and purposes, locked away. It's never gonna get out of there.

Now the last thing that's really great about Open Directory is that it's plugin based. And we hear a lot about plugins all over the operating system. This is one of the places where it's extremely usable. In fact, Apple's LDAP and built-in directory services tools are all plugins themselves. Okay, so we know that the plugin architecture works well, but one of the most widely used plugins is Active Directory plugin. So let's take a little bit of a look at that and how this works in the platform.

So just the last slide, you heard me mention that Open Directory was based on LDAP and Kerberos. Well, what a surprise. Active Directory is based on LDAP and Kerberos as well. Yeah, they probably have some secret sauce in there, right? But... They're essentially built on the same technology, so why can't they work together pretty easily, right? That allows us with our Active Directory plugin to bind a Mac OS X client or server

[Transcript missing]

Well, you may not want to sit at every machine and use the command line to do that, but what if you had automated scripts that could use that dsconfigad tool and automatically configure and bind machines as soon as they're imaged and put on the network? So it's a very easy way to bind those machines into your directory service.

Now what's also great is if you're an admin, you can configure it so that every machine that's bound to your network, you can sit down in front of and still authenticate as an admin, even if the user that's using the machine has just standard user policy given to them.

Now we can also do some nice things like cached local accounts. So if your machine is connected to the network, that's great. But what if you're on a laptop and you want to disconnect from the network? One of the things we can do is cache that account and those credentials locally on the machine, unplug from the network, walk away, and you can still authenticate to that machine. So its authentication information is stored, encrypted, on the machine, and you can still authenticate no matter where you are.

You can also have a local or a network home directory. So if your active directory has a network home directory already stored, a location for that already stored for you, you're going to pick that up and automatically use it. We can also configure this so that you can have a local home directory. Now that goes great in combination with the local cached accounts. So when you leave the office, you have your cached credential, you also have your home directory available with you, and you can also configure that to automatically sync back to your network home directory.

So when that data changes, when you're on the road, you come back, plug in, and you can have it sync back to your home directory on your Windows server. Now additionally, we've got a couple of classes, or sessions, that you may want to attend. There's a directory services lab that will allow you to play with all of these technologies and see how they work hands-on. And then there's another session, Extending and Troubleshooting Directory Services, that I highly recommend, specifically if you're looking at Active Directory integration.

Next, let's cover policy management. As I mentioned, Mac users are probably used to this term as client management. But because this is talking specifically from an IT perspective, probably from a Windows type of perspective, we're going to continue to use policy management as our term. And this is basically about controlling your user's work environment, right? So we use it in a number of ways.

First of which is to enforce our IT policies, right? We're IT, we got policies, let's enforce them, right? Don't let people do this, don't let them do that, make sure they do it this way. We also can push out application preferences, or at least default application preferences anyway. If we don't want them with iTunes, we don't want them to be able to go to the iTunes store, we can push out maybe a preference that keeps them from visiting the iTunes store.

Now additionally, policy management can be stored and pushed out using our directory services. So kind of a great one-two punch. Directory services and policy management, they go great together. And this is the same way we do it on the Mac. So whether you're bound to Active Directory or Open Directory on the Mac, we can still push out client management and policy information that way.

Now, it can be stored in AD or Open Directory, but if you're going to do further work in the policy management area, if you want to use Active Directory by itself alone and not integrate any other systems, you're going to probably want to install schema extensions into Active Directory that allow you to then add the attributes that Apple uses to control policy information. Okay, it's about 24 attributes.

If you're interested in this, talk to your Apple rep. They can get you discussions with Apple's professional services group. They can provide a little bit more information in that area if you want to extend that schema. They've got a lot of experience doing that over the last few years.

Now, if you don't want to change your Active Directory server or you have policies against that, one of the things you can do is bind your Mac for user authentication, user accounts to Active Directory, and then have your Mac also pick up policy information from Open Directory. So a dual binding capability, and that allows you to do that as well.

So it does require that you have Mac OS X Server in that environment, but it works very well and is an easy way to overcome IT that's nervous about extending the schema. We do recommend the schema as probably the best way to do it, but you can do it either way. Additionally, there are some third-party tools that you could look at if either of those aren't going to work well for you. And the first tool is ADmitMac from Thursby. They've been around for quite a while doing this.

They do allow you to do policy management without extending your schema. And then, if you're also looking to have additional types of clients integrate into Active Directory, such as Linux, Unix, and a number of additional platforms other than Windows, Centrify has software that can allow you to bind your Macs in without requiring you to extend your schema. So a couple of tools. There are more out there. Just use Google, find them.

Now let's talk specifically policy management from a very basic perspective, just on a local machine level. We mentioned parental controls, and they're a little bit misleading because that's how it happens to be represented in the GUI. But parental controls allow us to do some basic restrictions on local accounts. We can regulate application usage. So you can say these applications you can't run, these are applications you can run.

We can restrict websites and say, "These are ones you can access, these you can't." We can log those. We can also monitor email on the account that's attached, the email account that's attached to that system. We can log chats if you need to, depending on policy. And you can also use time restrictions.

So you can say this user can only log in between these time periods or this user can only use the computer for this amount of time. Okay, sounds great for restricting kids' access to a computer. So that's probably where we get the parental controls from, right? Now, you can also use this in combination with a guest account.

Okay, so combine those two together. You do have some capabilities for doing policy management locally without having to integrate a lot of extra

[Transcript missing]

If you have Mac OS X Server and you've got Workgroup Manager, that's kind of a last resort. You can run that locally on a computer and apply policy to specific accounts on that computer using Workgroup Manager. It's kind of a last ditch. If you absolutely have to configure somebody's policy and that's the only way to do it, Workgroup Manager can work against the local account database in that regard.

So from a little bit more advanced perspective, let's look at a server-based deployment scenario. So we talked about it, we can extend the schema. We bind Macs to Active Directory with our plugin. We manage users using our normal Active Directory tools, right? Using the tools that Microsoft gives you.

In that scenario though, you would use Workgroup Manager and you would authenticate against Active Directory with our tool, and that would allow you to manage the Apple specific sections where it specifically applies to policy. Okay. So it does require that extended schema, but you manage policy with Workgroup Manager. That's important.

Windows cannot create our policies. Okay. We have to create them with our own tool. And those policy settings are then delivered with our directory service, which is the Active Directory plugin. You can apply policy at the user group computer level, and you can also do combinations of those, and we'll composite those policies together if needed.

And what's great is if you have those offline accounts or those cached accounts, we also cache that policy information so when you leave the network, you still have that enforcement on the account that you're using to log in. So just because you leave the network and go home, it doesn't mean that you can get around the policy that IT has enforced on that computer. Now, if you're interested in more information in this area, there's the Managed Clients Lab and also Managing Clients and Preferences Session 517. So two great areas where you can find more information on this.

And now Jason's gonna come up, he's gonna give you a demo of Workgroup Manager, specifically in the area of policy management, and show you some of the powerful things that you can do with Workgroup Manager in managing your Macs. Jason, over to the demo. So at this point, I'm once again back in Workgroup Manager. And up at the top here, before we were looking at accounts, so this was where we saw some of the settings about basic and advanced settings related to the particular user account.

But if I click over here to Preferences, this is how I'm actually going to go ahead and manage my policy. So as you look through here, there's some different types of policy I can manage. For example, mobility settings, if I want to set up login accounts for mobile accounts. I can come in and look at universal access settings.

Depending on the types of settings, they are available in different categories. So for example, if you take a look here, I have, what, 13 items right now. If I look at a group, I'm sorry, yeah, there we go. If I come over here and I look at a computer account, I actually get a couple extra settings. So for example, this allows me to look at Time Machine settings.

Depending on the type of preferences you're trying to manage, they may be managed at different levels. And you can actually manage several of them on multiple levels. So for example, maybe I want to have a group of users who have a particular set of applications launched when they log in, while I want one user to have a different set of applications. I can configure that easily using Policy Management and Workgroup Manager.

So I'm just going to set up my Joe Demo account here with a couple quick policy settings. Again, I have the same options under parental controls that you would find in the System Preferences panel on a standard computer, on a standard client workstation. But I have the ability to manage this at a directory service level, so I can push this out to an entire organization through one set of settings. Now, across the top, when you're looking at this interface, you'll see a few different options here.

Never manage the settings. And the interesting thing about this is when you first start working with this, this isn't like an ACL rule where it'll keep it from happening if you have it managed elsewhere. So, for example, if I'm, I may not be managing the parental control settings at a user level, but if I'm managing them at a group level, those group level settings will still apply. This doesn't mean it will stop applying them.

You'll also see an option here for Always. And basically what this will do is make it so that the user cannot even change the option in the app. So, if I set these settings in here, they go into the... So, just a quick one here. I'm gonna say I'm gonna always manage, and I'm gonna do some basic limiting to limit the user to a specific set of sites. And I'm just gonna say local.

So they won't be able to get off anything but the site that's on the server itself that I'm using here. Go ahead and click Done. And now I want to come back in and I'm going to manage some login settings for the user so that I want to have a particular set of login items load when they first log in.

Now, you'll notice here I have the option to set this option Once. So basically, if I want to set kind of some defaults for my users, I can set the managed policy in here to say, for the first time the user logs in, I want them to load Address Book. But then if they decide they don't want Address Book to load when they log in, it's able to be disabled. So we'll actually go ahead and say Address Book here.

And just a couple other options in here, like you have Network Home SharePoint for network home users, Group SharePoints for when they're in a group. There's a lot of stuff you can set in here depending on what you're also working with. For example, if we were working with a computer account instead of a user account, I can set login scripts and such. I'm just gonna do a couple other little things just to mix up what the user's account's gonna look like. I'm gonna push the Dock over to the left side of the screen.

Let's see. And now I'm gonna go ahead and just to take a look at the information here, I have, if you look next to these icons, I have this little darkened arrow in a circle, and that actually indicates quickly to me that I'm managing policy for this user at that setting. So for this account, Joe Demo, I can see just at a glance that I'm managing those three sets of preferences. While if I look at this podcast admin account, I can see clearly that there's no management going on.

If I click over here to the Details tab, I get a little further information about what's being managed. So, for example, if I look at the Dock settings here and I click the pencil, it'll actually show me what preferences are specifically being managed for the Dock. Now, the interesting thing about this is that what's really being manipulated on the back end is what we call property lists. These are just simple XML formatted files, or in some cases binary file formats, that contain the specific settings that are being managed.

So, much as Brian was talking about earlier, where you'll find these inside your home folder inside Library/Preferences, what you're doing is forcing the values in those files so that when the user logs in and they go to open a particular application, it's going to look at that file and those settings are all going to be in place.

An additional nice thing about this is you can have what's called preference manifests. And Brian alluded to this earlier where if I have a particular application that I want to manage that's not necessarily in this list, I can take the preferences file for it and I can drop it into this box and make use of those preferences and manage them even though it's not necessarily built in as part of the original infrastructure for the application.

For example, if I come over here and I look, I really don't have any Time Machine preferences managed, and I don't even have an ability to manage them for my user account. But maybe I want to keep that box from popping up saying, do I want to use this as a Time Machine drive, every time I plug in a new FireWire drive? Well, what I can do is click plus here, and right on my desktop I have a file that has the preference in it.

And now I can see I've added a new preference to the list for Time Machine. And if I look at the settings for that particular one, I can see that here's the "Do not offer new disks for backup" option. And I'm just going to move that to Always manage.

And now at this point, this user should not get that option anymore. It won't pop up the box and won't annoy your users. So now that I've set all these different preferences, I'm just going to go ahead and test them out so I can show you it in action.

And as I'm logging in, you can see my Dock's on the left side of the screen. Address Book popped open for me. And even though I have all these different drives on here, Time Machine's not giving me any trouble. So that's just a quick overview of some of the different things you can do with policy management. Again, it's a very flexible system, I think more so than even Group Policy on the Windows side, because you can manage far more options than are traditionally available to you. Brian.
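As an added illustration of the property-list mechanics Jason walks through above (this is example code written for this page, not code from the session, from Workgroup Manager or from Apple): the block below parses the kind of plist that lives in a user's Library/Preferences folder and then applies a simplified model of the two management modes shown in the demo. "Always" values override whatever the user has; "once" values act as a first-login default that the user may later change. The real MCX mechanism writes the "once" value at first login and then leaves the file alone, so "user value wins if present" is an approximation of that. The `orientation` and `tilesize` keys are the Dock's real preference keys; the `DoNotOfferNewDisksForBackup` and `AutoLaunchedApplicationDictionary` keys and the sample values are assumptions made for the example.

```python
import plistlib

# Constructed sample of a user's own ~/Library/Preferences/com.apple.dock.plist.
# The key names are the Dock's real preference keys; the values are made up here.
USER_DOCK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>orientation</key>
	<string>bottom</string>
	<key>tilesize</key>
	<integer>48</integer>
</dict>
</plist>
"""

# Constructed sample of ~/Library/Preferences/com.apple.TimeMachine.plist for a
# user who has never answered the "use this disk for Time Machine?" prompt.
USER_TM_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>SkipSystemFiles</key>
	<true/>
</dict>
</plist>
"""

# What the admin set in Workgroup Manager, as {preference domain: {key: value}}.
# "Always" keys cannot be changed by the user; "once" keys are first-login defaults.
# The loginwindow and Time Machine key names below are assumed for this example.
MANAGED_ALWAYS = {
    "com.apple.dock": {"orientation": "left"},
    "com.apple.TimeMachine": {"DoNotOfferNewDisksForBackup": True},
}
MANAGED_ONCE = {
    "com.apple.loginwindow": {
        "AutoLaunchedApplicationDictionary": [
            {"Path": "/Applications/Address Book.app", "Hide": False}
        ]
    },
}


def load_user_prefs(raw: bytes) -> dict:
    """Parse a property list (XML or binary plist) into a Python dict."""
    return plistlib.loads(raw)


def effective_prefs(domain: str, user_prefs: dict) -> dict:
    """Simplified MCX-style merge for one preference domain.

    Precedence, lowest to highest:
      1. "once" defaults (only matter when the user has no value of their own)
      2. the user's own plist values
      3. "always" values, which win regardless of what the user set
    """
    merged = dict(MANAGED_ONCE.get(domain, {}))
    merged.update(user_prefs)
    merged.update(MANAGED_ALWAYS.get(domain, {}))
    return merged


def forced_keys(domain: str) -> list:
    """Keys in this domain the user cannot override (the Always-managed set)."""
    return sorted(MANAGED_ALWAYS.get(domain, {}))


def write_plist(prefs: dict) -> bytes:
    """Serialise the merged settings back to an XML plist, as the client would."""
    return plistlib.dumps(prefs)


if __name__ == "__main__":
    for domain, raw in (("com.apple.dock", USER_DOCK_PLIST),
                        ("com.apple.TimeMachine", USER_TM_PLIST)):
        merged = effective_prefs(domain, load_user_prefs(raw))
        print(domain, "forced:", forced_keys(domain))
        print(write_plist(merged).decode())
```

The point to take from the merge order is the one Jason makes with the darkened-arrow indicator: an Always-managed key ends up in the user's effective settings no matter what their own plist says, while a Once-managed key only fills a gap the first time and is then the user's to change.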

Thanks, Jason. And now the last area that we're gonna cover today, system deployment. Now there are really three areas of system deployment that we talk about when we talk to customers. First is, how do we image that system? Whether it's out of the box from a reseller or out of the box and we've done something to it at our corporate headquarters and distributed it.

So how do we image that system? How does it get to us? What shape is it in? Then how do we inventory that hardware and software that's on the computer, both initially and over time, how do we keep up with updates? And then finally, maintaining that system, software updates, keeping it running well. Sometimes we may have to push out an additional script to do some changes, some fundamental changes to our system.

So really those three areas. We'll talk about how we do system deployment in a couple of different environments. So first is Windows. A lot of people use the very popular Ghost program to do their imaging. Sometimes it's local with a boot floppy or a boot CD and they'll kick it off. And a lot of times that's PXE booted and they'll restore a machine over the network.

And typically you're using the Windows .msi files, and you're going to push those out in some manner, whether it's the Windows tool itself or some third-party tool. Now, there are also a variety of tools on the Windows side to do system management. So you may be using one of those various tools today to already do that, or Windows, the Microsoft tools.

And they're using software maintenance options on the platform as well to do your push of software and security updates beyond initial deployment. So how does that map kind of to the Mac experience? Well, we're gonna talk about the Mac in a couple of areas. First, a very simple Mac deployment.

Let's say you have under 10 Macs that you're working with, but you know you want 100 or 1,000 later, right? So let's talk about the small deployment. Well, you're gonna build a master image, typically on your newest Mac, and you're gonna build that system, make it perfect, exactly as you want it to be deployed.

And you're going to create a disk image of that deployment, of that hard drive. And once you have that image, you can then use a number of different tools to deploy it. You can use disk utility to create that image. You can also use a number of shareware tools that are on the market to do that. Just Google those. And typically, you're going to deploy it with a FireWire drive. A lot of people will boot the system up with a FireWire drive and then go ahead and deploy that image right onto the hard drive, write it out, and image it.

Now, one of the things you can do is with Apple Remote Desktop, you manage those systems in Apple Remote Desktop and periodically have them talk back to the Apple Remote Desktop server product, and they'll upload their software information and their hardware specs automatically. Once they're uploaded, they're in the Apple Remote Desktop database, and you can do queries against that anytime you want. So even if the computers have been shipped off, somebody's in Africa on a photo shoot using a computer, that information has been stored in a local database in Apple Remote Desktop. You can always query it.

And then you can also push software updates using Apple Remote Desktop. So grab a group of machines that you've deployed, tell it you want to install a specific software package, the PKG format, and it'll go ahead and send those, push those updates out to the computers. Either in real time, right as you ask it, or if you're running Apple Remote Desktop as a client-server type of model, that server Remote Desktop copy is going to sit there and watch the network and wait for computers to join the network, and when they do, it'll go ahead and push those updates out to them. So a computer doesn't necessarily have to be on the network right at the time that you push an update for it to happen. It will make sure that does happen.

Now, optionally, you can configure your systems to talk to Apple's remote, I'm sorry, Apple's Software Update Server. So if you have Mac OS X Server, you can turn on the Software Update Server capability, and it basically acts as a local proxy for all of Apple's software updates. Now, this does a couple of things. It reduces the network load that you might be using to do software updates over your connection to the Internet.

But really the most important thing it does, though, is it allows you to check out a software update, hold it in your system, do some testing in your IT labs, make sure that an update is something that's not going to break anything that you've got set up and configured, and then when it's complete, you can go ahead and release that and allow it to go through the software update process, and the machines can then find it, install that software update. So a couple of great uses for that. Let's look at a little bit more of an advanced deployment. You build and create your images basically the same way.

But in an environment where you've got hundreds of machines now, or maybe thousands, let's think of a campus environment even, you'd probably deploy that image using a NetBoot server. And for that, you'd need a Mac OS X Server running the NetBoot service, and the system can boot off of that and image the machine right off of the NetBoot server.

So, in a great way, especially in a distributed environment, where you can just simply press, hold down the N key, the system can boot up over the network and image itself. You can then configure the client to pull updates from Software Update Server, as we mentioned in the last deployment.

And in most cases, imaging, inventorying, and distributing third-party software, you may even be, you may want to use a system that you already have in place. A lot of systems that people have to do that with Windows already support the Mac. Okay, so just check and see if you have a Mac client.

Okay, so some of those include Altiris, FileWave, LANDesk, LANrev, great product, and Radmind, Puppet. So some of you may already be using some of these tools or you're interested in some cross-platform tools. Those are some great options. Okay, so if you're interested in this area, you're probably gonna wanna look at Managing Macs with NetBootPrefs and ARD, session 908.

So what have we learned? Okay, I'm the only thing keeping you from pizza out in the hallway, so we'll cover this pretty quick. What have we learned today? Well, Macs really are standards-based, right? We're so standard, in fact, that you can take Windows, install it on the Mac via Boot Camp, and it will run, okay? So very standards-based hardware.

Second, knowledge is transferable. So some of you that are MCSEs or Unix admins, or if you have those types of people back at your offices, you can see that through the GUI or through the command line, most of that knowledge that they have is very easily transferable to the Mac.

We've also seen that it's very easy to leverage existing resources that you have in your environment. So whether it's Active Directory that you already have deployed, it's very, very easy to use those existing systems that you have. The key though is if you're kind of new to the platform and you're just starting, start simple. You don't have to go for the most advanced management options right away. Start simple and as it meets your needs or you start to outgrow that, then migrate up to a little bit more advanced way to do some things.

And lastly, I can't stress this enough. Take what you've seen here today, because this is not a very deep dive, as we said. Take the information you've seen today and go to the detail sessions. They'll be able to answer most of your questions there as well. And so that's really where you're gonna get the most out of this is the sessions.

So I've listed them up here just very briefly, just as the same ones that we've covered. I won't read through these. These are all the IT track, the orange sessions. Okay, and one last page that we want to cover here. These are the labs, so hands-on, get to see how this stuff works.

And then lastly, when you leave here or later tonight on your iPhones, you've got some great resources on the internet that I wanted to mention. apple.com/itpro, that's a great resource. It has a lot of Apple white papers for a lot of the things that we've already spoken about today. developer.apple.com/documentation.

There's Mac OS X client and Mac OS X server areas on there that have some great detail information. And then also MacEnterprise.org and AFP548.com, two great resources if you need to find a little bit more detail in a certain area or want to pose a question for the internet to answer for you.