Tools • 1:02:06
Apple Remote Desktop and the rich set of management tools in Leopard Server make a powerful combination for managing Macs on your network. Come see how these tools can be used in concert to manage a wide variety of deployment configurations in your organization.
Speakers: Jussi-Pekka Mantere, Mark Whittemore, Brian Nesse, Bruce Gaya
Unlisted on Apple Developer site
Transcript
This transcript was generated using Whisper, it has known transcription errors. We are working on an improved version.
All righty. So welcome to the -- there we go. Welcome to the client management session. So here we'll cover managed desktop, system imaging and Apple Remote Desktop. I'm Jussi Mantere. I'm one of the engineering managers in the team. And the agenda for today, we'll go over Apple Remote Desktop. We'll cover client deployment using system image utility.
And we'll talk briefly about client managed desktop and go over external accounts and we'll wrap it up with Q&A. So let's get started. So what this really is, this is a tool chest inventory. So what are the tools at your disposal for either getting systems onto your users' desktops or how to manage them long-term either actively or passively and how to provide mobility or portability for your users' accounts? What are the tools? We have Apple Remote Desktop, we have system imaging, server admin, record manager, all these tools at our disposal.
But really the key thing is the user. So we use these tools to make the user's life easier. So either getting them the management support they need or getting them the inventory reports that your management wants, but still the key is the use of the desktop that they're using and how to make that the best desktop possible for their particular purpose.
And we've had sessions like this in the previous years. So last year we did a session on client management on Apple Remote Desktop. So please log on to ADC on iTunes. And on iTunes we have videos of previous years' sessions. So we're not gonna go into depth on all of these technologies, but if you are interested in more detail, look at these.
Please review the sessions from last year and they're available for free on ADC on iTunes. And could we start the clock please? Yay, I just gained five minutes. First, we'll cover Apple Remote Desktop. So let me introduce Mark Whittemore, who is the engineering manager for Apple Remote Desktop.
And welcome. I'm going to give you a brief overview of the features of Apple Remote Desktop and talk about where we are right now with version 3.2 and what's coming up next with Snow Leopard. So let's start off and talk about software distribution. So we have a feature called Install Package, lets you install packages on your clients.
We have a feature called Auto Install, which allows you to install packages on machines that are both on the network and off the network using a server that's always on that will be able to contact those systems. We have -- I'm going to talk a little bit more about that in detail in just a moment. We also have a File Copy command and Delete Files.
So digging a little bit more into Auto Install. So the scenario here is you have machines that are both on the network and off the network and you need to get packages installed onto them. And the best way to do this is to have a server that's -- a machine that's going to act as a server for you that's always running. And you install another copy of Remote Desktop onto that machine.
And you configure your administrator to use that. We call that a task server and you configure your administrator to use that machine as your task server. And you select your package on your administrator and it delegates that package over to the task server to complete the installation for it, copies the package over there and the task server then contacts all the clients and installs the package on all the clients that are currently online. If you have a machine that's offline like this MacBook Pro, once that machine comes online, it's going to contact the task server and then the package is going to get installed on that machine as well.
Let's talk about the asset management features. We have software reports, hardware reports, application usage reports, and user history reports. And you can run these reports on all machines that are online at any time. And you can also, by setting a report cache generation policy on your clients, have these reports generated on a regular basis and uploaded to a task server machine, just like what I talked about a moment ago with auto install. You can also export the data into a tab format or a comma-delimited file. And we also have a remote Spotlight search feature that allows you to search the Spotlight databases on all your client machines.
So let's talk a little bit more about how the offline reporting works. So just like with auto install, it's best if you have a machine that's going to act as a server and it's going to be on all the time and you install another copy of your remote desktop on that machine. You don't have to have the admin running, you just have to have the software installed. Then you configure your admin console to use that task server.
Then you set a reporting policy for all your clients so that they'll generate these report caches on a regular basis and upload them up to the task server. Once those reports are on the task server, your admin can then run its reports and it'll get the report data from the admin. The advantage of setting up this offline reporting is that even if one of your clients is offline, you can still get reports.
Let's talk about the remote administration features. So we have a send Unix command so you can send Unix commands or Unix scripts to all your machines and get the results back. We have a set startup disk that allows you to set the startup disk to a local volume or to a network volume. We have various system control features.
You can sleep, wake, restart, shut down a machine, empty the trash, lock and unlock the screens. We have some user control features that allow you to log out users or open files for them or open applications. And we also have a lights out management feature for Xserves that support this that allow you to restart, power on or shut down a machine regardless of the OS state. So even if the machine is kernel panicked, you can still restart it.
So let's talk about remote assistance. You can observe or control a remote screen. You can also observe many screens at once in a single view. You can share your screen out to a number of other machines. We have a guest access mode that allows the end user to either allow or deny a control request from an administrator. We have a full screen mode so you can see the other user's machine on full screen on your machine. We have a curtain mode that blocks anyone from seeing what's going on on the machine that you're remotely controlling.
You can drag and drop files for copying using screen control. And you can also get or send the pasteboard buffer. We also have a widget for doing remote desktop observation or screen observation. And there's an interactive text messaging client as well for environments that aren't appropriate for iChat. Let's talk about automation. We have a rich AppleScript dictionary, lots of Automator actions, and just about any management command in the product can be scheduled.
And lastly all the setup and configuration features for Remote Desktop. We have task templates so you can put all your favorite settings for your tasks and when you create tasks later you can easily populate that task document with your settings. We have labels so you can label your machines much like you would label, set a label on a file in the Finder. We have user defined list views so you can create your own list with a set of machines from your library and set what kind of information you want to see in that list, for instance what version of the operating system it's running, how much RAM it's got.
You can also create smart computer lists that will filter your entire library using some of this criteria. For instance, create a list that shows you all the machines that have less than one gigabyte of RAM. And then you can create groups to organize your, the tasks that you've created and the computer lists you've created.
In addition to this, we have a user mode for the Remote Desktop application so that you can let unprivileged users run it and you can restrict what features they have access to. We have network scanners for finding machines on your network for you to add to your computer library. We have directory-based authentication and a setup assistant that allows you to configure some of the more advanced client-side features from the admin console.
So Remote Desktop 3.2 is the current version. It was released in October of 2007. It brings Leopard compatibility, greatly improved screen sharing performance, greatly improved keyboard mapping for screen control, as well as improved file copy reliability. And what's coming up next is Remote Desktop 3.3. It's gonna be a free upgrade to existing users. And I'm gonna talk about all the things that we're gonna be improving with this version.
So first off is improved management for offline reporting settings. And I talked about the offline reporting settings just a moment ago when I was talking about how it's advantageous to have your clients generate these caches and upload them to their task server so you can do your reports at any time. So first thing I'm gonna talk about how things work right now.
On the left side is the preference pane in Remote Desktop that shows you where the settings are for setting your default reporting policies. So currently, this is in the same tab as the task server. Now the truth of what the reporting policy is on each client is set on the admin.
And what that means is that if you have a client that is generating a report that you don't want to do and you remove the preferences on that client, the next time the administrator that had originally set up that policy authenticates to that client, it's going to push that schedule back down again and you're going to have the same issue. Now also from your administrator console, you don't have any visibility into what other report policies other administrators have set up.
So in the next version, we're going to move the reporting settings out of the Task Server tab and into its own tab so that they're a lot more discoverable. We're going to move the truth of the offline reporting policy onto the client rather than on the admin. So if you have a client that is generating reports that you don't want it to, you can delete the preferences and you don't have to worry about another rogue administrator pushing that policy back down to the administrator and getting the reports generated all over again.
And the next thing that we're going to change is we're going to have a single reporting policy. No longer are we going to have different reporting policies coming from different admins. We're going to have a single reporting policy that all administrators can view and set the settings on.
So everyone will be able to see the same policy. Also, this is the computer get info window. You see that you see all the administrators who can manage this machine now. And not only that, but you also see who is interested in getting these offline reports loaded up to their task server. And you see what task server is associated with each of these administrators. So this is all new in 3.3. So the next thing that we're going to improve is our NAT support.
So in the current version, Remote Desktop only allows, each machine has to have a unique IP address and the reason is that it hard codes the port that it communicates to the client on, 3283. So that means that behind a NAT, currently, you can only have one machine for it to the WAN side. So in the next version, we're going to allow the administrator to have machines with the same IP address but with different ports. So now you can configure your NAT router to port forward to all your machines behind it and just with different ports.
So while it's great that you can now manually configure your NAT router and manually enter in these ports into Remote Desktop, in some environments it may be even better to have this happen automatically. And you can do this if you have a supported UPnP NAT router and you configure a client to register its network services into a wide area Bonjour server which you can configure using Leopard.
And when you do that, the client is going to learn what the WAN side of the port is that got opened up automatically using UPnP and it's going to register that information in the wide area Bonjour server. Now your Remote Desktop Administrator using a Bonjour scanner and also looking at that same wide area Bonjour server is going to learn what the wide area dynamic port is that was set up and then without any other additional configuration, it's going to be able to connect to that client behind your UPnP NAT router. And it will also as needed, re-resolve that DNS address, that wide area Bonjour address so it will always be able to find that client. So even if the dynamic port mapping changes, Remote Desktop will still be able to re-resolve and find that machine.
So in addition to improving the offline reporting settings and improving our NAT settings, we're also going to have support for managing machines across Back to My Mac. We're going to add support for IPv6 addresses. And just like as 3.2 came in Leopard, 3.3 is going to come in Snow Leopard.
So just as a review, 3.2 is the current version. It's out right now. 3.3 is going to be our next update with Snow Leopard. There are more resources available online at www.apple.com/remotedesktop/resources.html. And we're going to be in the IT lab at 5:00 to answer any additional questions. So I'll hand it back to Jussi.
Good job. All right, thank you, Mark. So next topic, system imaging. So how do you get these clients that you want to manage with ARD, how do you get them onto people's desktops? So system imaging, what do you use it for? Basically, whatever source you have to create images from either DVD or user volume, you use system image utility to create master images out of those, either install sets or volume restore sets.
And then with server admin, you have the tools that you can deploy these images with. So this, and you can finally customize content with Package Maker. So if you have applications that don't use the Apple installer to deploy their packages with, you have other tools available to you.
So what's new with the system imaging? So this covers what we have new in Leopard or to be delivered in Snow Leopard. So with Mac OS X Leopard, we basically rewrote the application. So now the application is based on Automator actions. So any step that you have to do to create an image, either from volume or DVD, is now an Automator action.
So you can use these workflows either inside system image utility itself, or you can use these in Automator workflows inside either the Automator application or other applications that support workflows. And also, in addition to all these powerful tools that you have, we created an image assistant. So image assistant lets you create really in one, two steps, create images that you can deploy without having to customize or otherwise tweak the images. So it's really easy to use and hopefully will let other people who are not necessarily that technically savvy create their deployment sets.
And we also added pieces into server admin where you can now monitor the status of either systems that are installing an OS or doing a volume restore, or you can see which systems are currently netbooted. And for load balancing, we also added support for Xsan and read-only volumes. So this would come in handy where you have, let's say, multiple Xserves acting as NetBoot servers, and you have an Xsan volume that's backing all the NetBoot images or NetInstall images, but on some Xserves, those volumes are read-only.
So now we can actually offer NetBoot and NetInstall images off of read-only volumes. Last but not least, we now have ASR support inside system imaging in Snow Leopard. So this basically gives you ASR multicast support or ASR sources such as HTTP disk images. And this is configured via an Automator action.
So let me just give you a brief look at what the tools look like. And here's the first thing you'd see when you launch the system image utility. So you land in the Image Creation Assistant. And here we have just two sources. One is a volume source. One is a hard drive. And you can create either NetInstall or NetBoot volumes from either install disk sets or the volume sets. And what you can do then with the workflow action-- so if you actually go on to customize these images, first you can define where this image is created from.
So you can pick an installation type or an image type, either NetBoot or NetInstall, pick where it's created from. And if it's an install volume, like you have a DVD at hand and you want to customize which packages are actually, by default, delivered to your users, you can customize the package selection, either entirely eliminating some packages so that they're not selectable by the user, or by changing the default set that the user would get when they install this. So you can either add or delete options, don't install all the printers, only install some particular printers, or don't install all languages. So that's a very flexible way to customize the disk set.
And you can also add packages. So if you do have application packages such as Remote Desktop or other applications that come bundled as a package model, you can add those into your installation set as well. And you can also add custom scripts that, if there isn't a direct way to tweak some settings on the systems that you create, you could use scripting, shell scripts or Ruby, Perl, Python, whatever have you, to finally lay down the bits that you exactly need on the target systems just the way you'd like them.
And for NetBoot images, if we create those from DVDs or DVD sources, we have to create a user account for those, so we have support for that. And we can also change some of the system settings. So if we need to bind some of the systems into directory systems, we can configure that via the system configuration settings. We can also rename some of the systems based on their MAC addresses.
So if you know that you have 15 machines and they've all come up as Macintosh 1, 2, 3, 4, that's not very helpful. So you could take down the MAC addresses of the systems and actually call them something that's meaningful to you. Or if you so choose, you can just call them the Final Cut Lab 1-2-3 or 4. And then... You can also create installation sets that effectively could wipe out your users' hard drives. So this is for automated installation. This is useful for lab scenarios.
Like if you have a lab or classroom that has 50 to 100 machines, you'd rather not have to go one by one to machine and click through all the panes for the installation. But if you know that your target machines will have some known elements such as a named hard drive, you could fork off the installation based on that and say, well, if I see a hard drive called erase me, then just go ahead with the installation and wipe out the target and lay down the bits without you having to do anything on the machines themselves. So the next time the systems come up, they'll actually be booted into the installation that you just finished.
And another system deployment or system configuration setting we have is for partitioning the disk. So you may want to change the disk configuration, for example, adding a Boot Camp partition on the target systems. So you can also-- not only can you just erase the hard drive and lay down new bits, you can also reconfigure the disks into partitions that you'd like to see. You might have two partitions for the OS and another partition for user data depending on your needs.
And we also support filtering for the images. So some images are not applicable to all Mac clients. So you might have installed images that are applicable to only, let's say, Mac Pros. So if you do create a Final Cut application bundle that's an install set, you may not want to offer that to an iMac or MacBook, but you may want to restrict that only into Mac Pros.
And you can also filter the images based on MAC addresses. So if you know that you're testing an image that you will deploy down the road, but you really want to serve it from your production service, you can set the image settings so that they're only available to a particular set of machines that you want to use for your deployment testing.
And finally, we have a create image where you can define where this image will be stored and what it will be called. And what's new to Snow Leopard then? This is the action where you configure the ASR multicast restore source. So either ASR multicast streams or HTTP images stored on a server can be defined here. And you also have options to discover the restore sources dynamically on the network.
So if you create a disk image that doesn't have any ASR sources defined in it, the client can discover these sources when it's actually on the network. And you'd send a Bonjour beacon on the network advertising the availability of restore sources. So if you start up a multicast stream, the restore image will automatically pick that up and you could select that as your restore source.
So this is new to Snow Leopard and will be part of the Mac OS X Snow Leopard package. And then PackageMaker. So this is not necessarily part of system imaging as such, but quite a few people have not really used the tool and some people don't know what to do with that. Well, one interesting thing with PackageMaker is the remote source for packages. So with PackageMaker in Mac OS X Leopard, you can actually source the data payload for your install images off of a web server.
So imagine that you create an application, you create a new installer that installs the latest, let's say Firefox or could be Office or could be CS3. And you know that, well, this is up to date for today. And maybe there's gonna be an update down the road that you'd want to install, but you'd rather not go back to the initial disk set and have to recreate it all from scratch.
So with PackageMaker, you can actually point to the network live copy of the installation set and that would be always kept up to date. So no matter when you install this, this system, you'll always get the latest, most current version of applications that are using the web-based package payloads. So that's definitely something that will be useful for deployments. And, yay, go PackageMaker.
And where you'd actually access this in system image utility is through the add packages action. So you can add to the remotely stored packages, the pointer to that will be contained in a standard package that you add, but then the payload itself will be carried down at a later stage. So that's briefly an overview of system imaging and as I mentioned we went into a little bit more detail last year. One new thing that's kind of new to us is MacBook Airs and wireless NetBoot. So let's see, does this play? There we go.
So here we have a MacBook Air. And actually, here's the MacBook Air. And what's new with MacBook Air is like, we can actually do wireless NetBoot. So that's a boot picker on MacBook Air. So you hold down Option key, and if your wireless infrastructure is configured so that you see NetBoot servers on the wireless network, you now get a picker where you can choose the network you bind it to, and the NetBoot images on your network will be available there. So this is no different than booting a standard Mac.
So if you do have MacBook Airs on your network, and you don't want to have everyone use the install assistant that comes with it, you can actually serve NetInstall and NetBoot images to your MacBook Air users by using the standard OS X Server as long as your network infrastructure is configured for wireless use.
So here's actually a server that's, or a client that's hooked up to our demo server. So this is not smoke and mirrors. This actually works. So MacBook Air wireless NetBoot. That's a first for Apple here. So, yay. Let's now go on to a brief demo. And let me introduce Brian Nesse, who is the lead engineer for System Image Utility. And if you can go to demo one, please.
And I will be doing a lot of work on this. So, real briefly here, I'm just going to quickly show you SIU. This is, as you see, I already mentioned, this is the assistant mode that you see when you come up. You get your, this is an install DVD source. This is a local hard drive. You can choose whether you want to make an install image or NetBoot image out of it. Real simple. Two clicks, you're basically creating an image. Real simple.
But what I'm really up here to show you is our new little action here. So when you go to the customize and get the workflow editor here, you'll see it basically comes up and says define image source and create image source. What we're going to do is kill this guy, because we don't want a source per se, and we're going to drag in our new action here. Get Exposé out of the way.
Let's do that. Okay, so we tried to make this real simple. Just click the button to add, you give it a URL to your server. Give it a somewhat descriptive name so that you know what you've got. As Jussi mentioned earlier, we can also tell it to look for multicast streams that are out on your network. And then as before, you simply run and you've got yourself an image.
So to show you what you're going to see on the other end of this, and I will quickly go to server admin here. You'll see we have a couple of clients here that are currently booted into our server showing that they're trying to do net installs or prepared to be installed. And through the magic of ARD here, I will go control one of these machines. And so here we are. Going to progress.
So as this is the standard Mac installer, I'm sure you've all seen it many times. Just going to select your target destination. And you'll see here's our new panel that we've added that supports the action previously demoed there. These are some server or some streams that were added in, in the action. So you see you've got your descriptive name up here and a little clue down here as to what it's pointing to. See we've got a couple of ASR images or streams here and another image that's being served up over HTTP.
We also checked the ASR multicast browser, so let's quickly go and... Start up a couple of streams here. And if you look here, you'll see them pop up because it's constantly browsing and it will find them and these are basically any streams that you had out there that you set up for this thing to go look for. And that's basically all I came to show you today. So back to Jussi.
All right, thank you, Brian. So that's what's new and fresh with system imaging with Mac OS X Leopard and Snow Leopard. So let's then move on to Managed Desktop. So you've now deployed your systems and then how do you manage these systems? So Managed Desktop, again, it's a directory-based way of deploying settings into the systems that are bound to directory systems. Managed Desktop is also used in parental controls.
So if you ever go to System Preferences and enable, let's say, application launch restrictions, that functionality is part of Managed Desktop. The parental controls is a UI front end for some of the features that we have in both in Workgroup Manager and then the client side on the OS. And there have been releases since Mac OS X 10.2.
So in Jaguar, Jaguar was the first release of Mac OS X that had client management for OS X clients. With Mac OS X 10.3, Mac OS X Panther, we introduced mobile accounts. And in Mac OS X 10.4 Tiger, new to the platform were preference manifests and portable home directories. And last, with Mac OS X 10.5 Leopard, we introduced hierarchical groups and external accounts. And there were numerous other features in every single release.
[Transcript missing]
Yeah, how many of you are still using 10.2 or 10.3 clients on your networks? For the love of anything that's holy, please move on because
[Transcript missing]
So we did a bunch of demos last year as well, so I implore you to go to the ADC site and view some of the previous sessions from there.
So we're not going to cover the same crowd. So what I'm going to show you here today is using Remote Desktop and some of the command line utilities to actually query the management status of some of the systems on the network. So I have some of the clients on the network here that I've configured for management. And what I'd want to find out is, do I have all the active management settings live? So if I go to Workgroup Manager, here's my user list.
So I have... as soon as Workgroup Manager comes back. So I have some users that I know that should be managed and I also have groups that I have done the management through. So I have this allowed applications group where we have the whitelisted applications. So I can see that this seems to be a user group where they can only use rudimentary applications, no access to terminal or system profiler or anything else besides your basic four apps. They can chat, they can send email, they can browse and they have iCal and they probably should have Address Book support. So let's add Address Book here just for the heck of it.
And others. So now they get to use Address Book as well. That's just right. And this is implemented -- this group is a nested group. So when we looked at the members of this group, there are no direct members of this group. It only contains another group where then we have the individual users. So this is one example using hierarchical groups.
So then let's go to the client. And actually, I have already logged on these clients. So it seems like everybody's sitting at their desktops. So that's fine and great. And there they are. But let's see if they're actually being managed. So one way to find that out is using one of the Unix command line tools. So I could use System Profiler. So let's send a command to the client and see what comes back.
So I just used the Managed Client System Profiler module to discover what management settings are there. So apparently I have some window settings, and then I have some application settings. But this is really unmanageable. Let me see if I can roll it up for you. Nope. Quick jump to universal access. Enable zooming. Yes.
There we go. So this is highly unreadable. Well, first of all, it's XML. It's PList, not meant for human consumption. So let's see what else we can do with this. Another Unix command that could be, so that was using the system profiler and the Managed Client module in that.
And mcxquery is another tool for Managed Desktop where you can query either a hypothetical scenario where you know that with this user logging into this machine with this workgroup, what would the management settings be for that user? So Managed Desktop now has an option to also query the active state with the mcxquery tool. So let's see what that comes back with. Well, that's a little bit more readable. So here we have a tab-delimited list of some of the settings. So apparently we have family controls enabled and we have some login window settings, but something's not quite right.
So let's do another query where we can actually use the plist output or the non-human consumable output of a managed client. So we use the query format for XML. So we get much more detail into what keys are being set. So OK, that's probably something that could be parsed using either Python or Perl or Ruby. So that could be further processed with, let's say, an auditing tool. And here I'm going to use an auditing tool called defaults. So this is not recommended for production use. So here's just-- oops, I want to send a Unix command.
So what I'm doing here, so I'm using the MCX query tool and I'm going to output the management values into a temporary file.
[Transcript missing]
and actually go to the managed group that I had and go to preferences. So I can now use the details view and see that these are actually the keys that were managed here. And one of the keys is family controls enabled, so now I know which domain I could use. And now if I go back to the Remote Desktop side.
and then run this command. So I think what I'm doing is trying to read the managed applications list from these three machines. And it turns out that there's no management active for one of these users, so this user sitting on Mac Mini 3 doesn't have any management enabled. And that's kind of curious because I thought everybody was a member of the group. And apparently I just thought that.
What I can do now with Remote Desktop, I can actually see who are these people here. So that was our Mini 3 system. Let's not make that so jerky. So here we go. So on Mac Mini 3, I have Ms. Stein there. And apparently there's something wrong with the group memberships. Well, that's at least what I guess first. So if I look at the groups that are here, so students is member of the applications group, but apparently Ms.
Stein is not part of the students group. So by using the tools here, I was able to tell that this particular user is not -- is not properly set for this -- for our setup. So I'd need to add this person into our restricted group and the life will be good again. Oops. Drag. There.
Save. And that's how you can use the various tools that we have at our disposal: using Workgroup Manager to manage, using Remote Desktop for reporting, and using the Managed Desktop backend tools for querying the state of management. And using Unix tools to then report on those and find anomalous conditions. So that is the demo for Managed Desktop. So if you can go back to the slides, please. And now let me introduce Bruce Gaya, lead engineer for Managed Desktop, and he'll cover portable home directories.
Let's talk about portable home directories. Whoops, wrong way. There we go. Okay, portable home directories, mobile accounts, external accounts, what they're all about is taking a network account and the whole user's home directory and making them portable so that the user can log in and use that home directory when they're not connected to the network. Also, when we talk about the account, all the management of the account goes with these users. So this is a good way to manage a local user as a network user.
Mac OS X 10.3 Panther was where we introduced mobile accounts. At that time, we had a mobile account with a cached account with credentials so you could log in offline. But the home directory that you created locally did not synchronize with the network home. In Mac OS X 10.4 Tiger, we introduced portable home directories, and that really is all the things of a mobile account plus home synchronization. So now, in Tiger, you can create a portable home directory, take your portable computer, use it offline, make all sorts of changes to your home directory, come back to the network, and it will synchronize all the changes you made locally back up to your network home directory.
Starting in Leopard, we introduced external accounts and more. An external account is a mobile account, is a portable home directory, but instead of living on the internal disk of a computer, it lives on a disk itself. So the disk itself contains the account information and it contains the home directory. Now I said and more there because as we progress from 10.3, 10.4, 10.5, we've been adding more management features so now you can really control home directory creation and synchronization very finely.
So here's some new management things we put in for portable home directories in Leopard. First of all, FileVault. Starting in Leopard, you can require that FileVault that when a user creates a mobile account, that the home directory will be protected by FileVault. FileVault is essentially an encrypted file system for just the user's home directory.
So protect the information in there so that you can't get in there without an account password or a master password. Starting in Leopard, the account can now be on an internal or an external hard disk as well as just under the users folder of the boot disk. And when it's on an external disk, we call that an external account.
We added account expiration. So what this is is that if you set up mobile accounts across your network and you have a whole bunch of network machines, one day a user will come into machine A and they'll log in, and because of the management settings they'll create a PHD there, and they'll be happy and log off, sync back to the network.
They come back on another day, they log into machine B, they get another mobile account, they get the fresh information from the network, they log off, they sync back to the network, they're happy. They go to another machine, third day and you can see what happens. By the end of the week they've got a mobile account on all these different machines and they're taking up resources. So starting in Leopard you can now have these accounts be reaped and deleted or expired after a certain amount of unuse.
Okay, we also added MCX and HomeSync preference manifests. Okay, now you can actually have quite a bit of fine-grained control over PHD creation and sync. A whole bunch of keys are now exposed so that you can actually change things to your own site requirements. We added a sync server.
A synchronization server is a process which runs on Mac OS X Server, and it keeps listening to the FS event queue. And so you have to think about how a synchronization works. How a synchronization works is there's two big phases. One is you figure out what's changed, and the second one is you copy stuff.
And it turns out that figuring out what's changed can usually take more time than the data that's copied because prior to using the synchronization server in Tiger, you had to walk through the entire folder hierarchy and do this big enumerate on the server and locally to figure out what's changed. Starting in Leopard, we used a sync server so this figuring out what's changed phase is much quicker and so the entire synchronization process is much quicker as well.
Okay, so how do you set this stuff up? First of all, run Workgroup Manager. This is what Workgroup Manager looks like. You can either select a user group computer or computer group in Leopard, and what you do is you select that, select this preferences icon, select the mobility icon, and you start going. We get right away to the mobile account creation pane.
What you have to do here is simply click this checkbox which says create mobile account when a user logs into a network account. You seem to have lost that, but we'll let that go. There it is. Okay, and once that's checked and you hit Apply Now, then basically this user is set to create a mobile account when they log in.
We get to the options pane. This is where you get to decide if you want to have the user use FileVault or not. I've checked it here because I want all the users on this network because I'm managing the guest computer. I want all the users on the network when they create a mobile account to have it all encrypted with FileVault.
At the bottom here is where you get to decide where the home directory is. The bottom, a pop-up, has a couple of states. I have it set here to any external volume. So what I'm doing here is I'm setting up for having my users use external accounts. So when they log in, they'll get a dialog, and at that time they can present a disk or attach a disk, and they'll be able to create a mobile account, a PHD or an external account on that disk.
One other thing, you can set synchronization rules. This is the login and logout sync pane. And how this works is at the top you can decide what folders are going to be synchronized. and at the bottom you can decide what things inside of those folders, which files or folders you don't want to synchronize. If you look at the match column there's a whole bunch of different match types. This is full path there. You can say starts with, ends with, that sort of thing.
Also, there's another pane called the background synchronization pane. It works the same way. It has two panes at the top. You decide what to sync, and you decide what not to sync. So there's always a question which comes up, is what should be synchronized? Synchronization takes time, so you should try to minimize data. The less you synchronize, the less time your user will spend waiting for synchronization, essentially.
There's a user education issue. If you decide not to synchronize pictures, which should have a capital P there, you should tell your users so that they don't put important data in pictures. Because if it doesn't synchronize, it doesn't get replicated up onto the network server, and if they lose that mobile account or they lose that disk, they won't get it back. So while it's good to reduce what you're syncing, you also need to tell your users.
What should you sync at log in and log out sync? That is designed to synchronize preferences. What should you sync during the background sync or put in the background sync set? That's designed to sync everything else. And here's a hint that I'll give you. For Leopard clients, don't put the same file in both sync sets. And I'm going to tell you why.
You can decide in Leopard when to sync using the Home Sync Preference Manifest. Now, I've loaded all the manifests here and the one I've selected here is called Home Sync. If I selected that and clicked on the pencil icon, I'd come to a dialog which looks like this.
And this will allow you to set various keys that decide when things are synced. The thing I want to point out here is that in Leopard, the log in and log out sync set and the background sync set can actually synchronize at log in, log out and in the background.
So we found that was a bit perhaps confusing, so I'm going to show you this is the Leopard version of Workgroup Manager. And we've changed the name. Of the log in and log out sync set to the preference sync set. That's right up there. It's now called preference sync. And we've changed the name of the background sync set to be called Home Sync.
Right up there. But more importantly, there's a bunch of check boxes at the top. And now you can decide very finely in Snow Leopard when you want these different preferences to sync. Now, I want to point out this is just an HI change. Okay, this is just an HI change, it's not a functional change, okay? So, Leopard clients and Snow Leopard clients basically work the same, but we want a work group manager to really reflect what is actually happening in synchronization.
Okay, some command line tools of interest. HomeSync is a little application which sits inside of ManagedClient.app. When you're synchronizing, actually HomeSync is running. It has a command line interface. If you call HomeSync -s from the command line while you're logged in, you'll get a HomeSync now right then. But my favorite tool is called createmobileaccount. And createmobileaccount will allow you to create a mobile account and its variations of portable home directory and an external account right from the command line.
The most interesting parameters are the -h home path, and under -h you can actually specify any path to the home, which means that you're not limited to creating the home under /Users; you can create it wherever you want. Any path will do. Under createmobileaccount -u you can specify a sync URL, and that's a URL like afp://, that sort of thing.
And that allows you to have a mobile account which synchronizes to not just to its network home, but perhaps it can synchronize to another file server completely or a different spot on the network home. I was talking to an Active Directory user site and they wanted to have their Leopard clients synchronized to a folder inside their network home. So if you create it with the create mobile account tool, it will allow you to do that.
Another trick, which you only hear about at WWDC I think, is that if you have an existing local account and you run createmobileaccount against that with a sync URL, you'll actually create a local account which will synchronize against any share or network home. One other fun thing is in Leopard we support these URLs: afp, nfs, smb. Starting in Leopard we're going to support the file URL, which will allow you to synchronize the home to somewhere else on the network hierarchy and perhaps to another volume.
So I'll let you think about the implications of that. OK, time to do a demo. Okay, I need to go to demo one. I think it's on, there we go. Let's start from scratch here. Close everything. I'm going to launch Workgroup Manager. I have to log in as diradmin.
Okay, these are the users and what I want to do is set it up such that one user will create an external account when they log in. I'm going to choose John Appleseed, I'm going to click on Preferences, and I'm going to click on Mobility. I get the creation pane as I showed in my slides.
Click on always and then create mobile account when this user logs in. That's fine. With default sync settings. That's great. Under options, there's the options pane. I click there. Click on always. It's going to encrypt this home with FileVault. And down at the bottom I'm going to say user chooses any external volume.
and just say apply now. That's pretty much done, but I want to set up some other rules just for this demo. So let's go to the sync rules. And this is Snow Leopard. So what I'm going to do is say always. And for the preference sync, I'm going to say don't sync at log in and log out.
Just in the background and manually. And I'm going to do the same thing for Home Sync. Click on always. Uncheck these two. So sync in the background and sync manually. So apply now. Okay, that's all there is to it. This user is set up. So now I'm going to go over to demo number four. Did you get it? Oh, Brian's MacBook Air. Yes, that's it. I need to log out.
and we see we're at login window. And by the way, these things that say network accounts available and the title are coming from managed preferences using the guest record. So I'm going to click on other and log in as that user who is John Appleseed. There we go. And this is the dialogue you get.
Create a mobile account with a portable home directory. But here it says no volumes attached. So I happen to have a USB 2.0 volume here. It's formatted with HFS+ and all I do is connect it, which can be easier said than done. There we go. And as soon as that disk spins up.
and I'm going to just click Create Now and it starts creating the FileVault home. FileVault is very important, especially on an external account, because if that disk falls into someone else's hands, it's very easy to get all the files off that disk. You just sort of turn off ownership and anybody can read it. So I would recommend using FileVault on basically all portable home directories and especially on all external accounts.
Yes, we go, and we're done with the FileVault creation, and now we're starting a synchronization. And this is -- we'll be taking the stuff off the server, the user's network home, and copying it down to this MacBook Air, and specifically to this disk, which is sitting right there. And by the way, the network is wireless.
and the rest of the team. Okay, the sync is complete. And now we are logged in. We see this user is here and what do you know, he has the desktop and the home directory. Now let's make sure that the home is where I think. So I select the home. There's the home.
You see it's FileVaulted there. If I get info on that and you read here, it will say it's located on /Volumes/Aristophanes. If I look on this external volume here, Aristophanes, I see there's a folder called Users. And inside of Users, open that, and there is the home.
John Appleseed. It's actually on this disk. Now if I take this user and try to drag him to eject it, that's actually prevented. So that's a good thing, right? So now I'm going to log out. And once the log out is complete, the account and the home I just created will be right on that disk. FileVault has to run. Now one thing I want to mention is you didn't see any log in and log out sync here. You didn't see a log out sync. And that's because I turned it off in Workgroup Manager. So, let's return to the login window.
There we go. And there's my new user, John Appleseed. I'm going to disconnect him from this machine now. Disappears from that machine. And let's go over to demo B. You got that? Yes. Okay. I have a USB connector and I'm going to connect this up here like this. There we go.
There's John Appleseed. Okay. So let's, thank you. Now I can log in using the home right here. and it should skip the log in and log out sync that does that. Here we are again. Here is Aristophanes users and there's the home. Something I wanted to do to make it a little more distinctive, I'm going to give this user a special picture. Let's try that one.
OK, just to show that some of these things stick. And now I'm going to log out, get back to the login window. FileVault's going to clean up a bit. Again, skipping the login and logout sync so it's quick. We get here and there's John Appleseed and he has his special icon. And now all I have to do is disconnect this and I'm off to go use another computer with my home right here.
and back to Jussi. - So thank you, Bruce. And that's a brief overview of the different management options you have to manage your either Leopard or Tiger, hopefully not Panther or Jaguar, clients. There are many ways to manage these things. You could use either Remote Desktop, your Swiss Army knife. You can use system imaging to deploy clients, Managed Desktop to enforce settings in a directory-based environment. And you have account portability with mobile and external accounts. So last year we covered some of these features.
And if you go to the ADC site, you'll see some of the sessions there. For any further information, please get in touch with our technology evangelist, Mark Malone, or you'll find more information on Apple's site for all of that. And if you're interested in more information, please go to the ADC site, and you'll find more information on the OS X server.
There are a bunch of sessions. There was one session earlier today for portable home directories. So if you missed that, please log on to ADC once the sessions are up and available on iTunes. So if you're interested in external accounts and some more detailed view, check that session out from this morning. Upcoming sessions, we have a session, there is a session tomorrow for client management.
If you use scripting with ARD or, let's say, system imaging with Ruby or whatnot, there are sessions on that. Directory services: if you do use Managed Desktop, you probably want to know about how directory services can be troubleshot. You may have some issues with Active Directory integration or Open Directory anomalies or whatnot.
So this is where you'd actually get some tools for your environment. And there's a panel on Friday for OS X administration. So if you're interested in that, that's one to attend. And we have a bunch of labs lined up as well. Right after this session, there's an Apple Remote Desktop Lab at the IT Lab.
All these sessions are at the IT Lab. Directory services, we have two labs for those, one on Wednesday and another one Friday. For Mac administration lab, there's one on Thursday in the morning. And for client management, there's another lab on Thursday afternoon. So with that, that concludes our presentation. And we move on to the Q&A portion.
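As an added example that is not part of the session, here is the auditing step from the Managed Desktop demo (collect mcxquery's XML output from several clients, parse the plist, and flag clients where an expected managed key is absent) written in Python. The plist layout, host names, and sample values are assumptions constructed for the example, not the documented mcxquery output.

```python
"""Audit managed-preference state across clients from mcxquery-style XML.

Added example, not from the session. ASSUMPTION: the XML is a plist dict
keyed by preference domain, each domain holding key -> value pairs. The
real `mcxquery -format xml` layout may differ; adapt parse_mcx() to it.
"""
import plistlib

PLIST_HEAD = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
              b'<plist version="1.0">')
PLIST_TAIL = b'</plist>'

# Constructed sample output, as if sent back from three clients via a
# Remote Desktop "Send UNIX Command" (host names are hypothetical).
SAMPLES = {
    "macmini1": PLIST_HEAD + b"""<dict>
  <key>com.apple.applicationaccess</key><dict>
    <key>familyControlsEnabled</key><true/>
  </dict>
  <key>com.apple.loginwindow</key><dict>
    <key>LoginwindowText</key><string>Network accounts available</string>
  </dict>
</dict>""" + PLIST_TAIL,
    "macmini2": PLIST_HEAD + b"""<dict>
  <key>com.apple.applicationaccess</key><dict>
    <key>familyControlsEnabled</key><true/>
  </dict>
</dict>""" + PLIST_TAIL,
    # No management active at all: the user is not in the managed group.
    "macmini3": PLIST_HEAD + b"<dict/>" + PLIST_TAIL,
}


def parse_mcx(raw: bytes) -> dict:
    """Parse one client's XML output into {domain: {key: value}}."""
    data = plistlib.loads(raw)
    if not isinstance(data, dict):
        raise ValueError("expected a plist dictionary at top level")
    return data


def find_unmanaged(results: dict, domain: str, key: str) -> list:
    """Return sorted host names whose output lacks `key` under `domain`.

    A host with an empty plist (no management) is reported as well,
    which is the anomaly the demo uncovered for the user on Mac Mini 3.
    """
    missing = []
    for host, raw in sorted(results.items()):
        settings = parse_mcx(raw)
        if key not in settings.get(domain, {}):
            missing.append(host)
    return missing


if __name__ == "__main__":
    hosts = find_unmanaged(SAMPLES, "com.apple.applicationaccess",
                           "familyControlsEnabled")
    for host in hosts:
        print(f"{host}: familyControlsEnabled not managed")
```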