
WWDC08 • Session 908

Managing Mac OS X with Netboot, Managed Preferences and Apple Remote Desktop

Tools • 1:02:06

Apple Remote Desktop and the rich set of management tools in Leopard Server make a powerful combination for managing Macs on your network. Come see how these tools can be used in concert to manage a wide variety of deployment configurations in your organization.

Speakers: Jussi-Pekka Mantere, Mark Whittemore, Brian Nesse, Bruce Gaya

Unlisted on Apple Developer site

Downloads from Apple

SD Video (710 MB)

Transcript

This transcript was generated using Whisper; it may contain transcription errors.

All righty. So welcome to the -- there we go. Welcome to the client management session. So here we'll cover managed desktop, system imaging, and Apple Remote Desktop. I'm Jussi-Pekka Mantere. I'm one of the engineering managers in the team. And the agenda for today, we'll go over Apple Remote Desktop. We'll cover client deployment using System Image Utility. And we'll talk briefly about client managed desktop and go over external accounts, and we'll wrap it up with Q&A. But what this really is, this is a tool chest inventory.

So what are the tools at your disposal for either getting systems onto your users' desktops or how to manage them long-term, either actively or passively, and how to provide mobility or portability for your users' accounts? So, what are the tools? We have Apple Remote Desktop, we have System Imaging, Server Admin, Workgroup Manager, all these tools at our disposal. But really the key thing is the user. So we use these tools to make the user's life easier. So either getting them the management support they need or getting them the inventory reports that your management wants, but still the key is the use of the desktop that they're using and how to make that the best desktop possible for their particular purpose. And we've had sessions like this in the previous years. So last year, we did a session on client management on Apple Remote Desktop. So please log on to ADC on iTunes. And on iTunes, we have videos of previous years' sessions. So we're not gonna go into depth on all of these technologies, but if you are interested in more detail, look at this. Please review the sessions from last year, and they're available for free on ADC on iTunes. And could we start the clock, please? Yay, I just gained five minutes. First, we'll cover Apple Remote Desktop. So let me introduce Mark Whittemore, who is the engineering manager for Apple Remote Desktop.

And welcome. I'm going to give you a brief overview of the features of Apple Remote Desktop and talk about where we are right now with version 3.2 and what's coming up next with Snow Leopard. So let's start off and talk about software distribution. So we have a feature called Install Package, which lets you install packages on your clients. We have a feature called Auto Install, which allows you to install packages on machines that are both on the network and off the network using a server that's always on that'll be able to contact those systems. I'm gonna talk a little bit more about that in detail in just a moment. We also have a File Copy command and Delete Files. So digging a little bit more into Auto Install. So the scenario here is you have machines that are both on the network and off the network, and you need to get packages installed onto them. And the best way to do this is to have a server that's -- a machine that's going to act as a server for you that's always running. And you install another copy of Remote Desktop onto that machine.

And you configure your administrator to use that. We call that a task server, and you configure your administrator to use that machine as your task server. And you select your package on your administrator, and it delegates that package over to the task server to complete the installation for it, copies the package over there, and the task server then contacts all the clients and installs the package on all the clients that are currently online. If you have a machine that's offline, like this MacBook Pro, once that machine comes online, it's going to contact the task server, and then the package is going to get installed on that machine as well.

Let's talk about the asset management features. We have software reports, hardware reports, application usage reports, and user history reports. And you can run these reports on all machines that are online at any time, and you can also, by setting a report cache generation policy on your clients, have these reports generated on a regular basis and uploaded to a task server machine, just like what I talked about a moment ago with Auto Install. We can also export the data into a tab-delimited format or a comma-delimited file. And we also have a remote Spotlight search feature that allows you to search the Spotlight databases on all your client machines.

So let's talk a little bit more about how the offline reporting works. So just like with Auto Install, it's best if you have a machine that's going to act as a server and it's going to be on all the time, and you install another copy of Remote Desktop on that machine. You don't have to have the admin running.

You just have to have the software installed. Then you configure your admin console to use that task server. Then you set a reporting policy for all your clients so that they'll generate these report caches on a regular basis and upload them up to the task server. Once those reports are on the task server, your admin can then run its reports and it'll get the report data from the admin. The advantage of setting up this offline reporting is that even if one of your clients is offline, you can still get reports.

Let's talk about the remote administration features. So we have a Send Unix Command, so you can send Unix commands or Unix scripts to all your machines and get the results back. We have Set Startup Disk that allows you to set the startup disk to a local volume or to a network volume. We have various system control features. You can sleep, wake, restart, shut down a machine, empty the trash, lock and unlock the screens. We have some user control features that allow you to log out users or open files for them or open applications. And we also have a lights-out management feature for Xserves that support this that allows you to restart, power on, or shut down a machine regardless of the OS state. So even if the machine is kernel panicked, you can still restart it.

So let's talk about remote assistance. You can observe or control a remote screen. You can also observe many screens at once in a single view. You can share your screen out to a number of other machines. We have a guest access mode that allows the end user to either allow or deny a control request from an administrator. We have a full screen mode so you can see the other user's machine on full screen on your machine. We have a curtain mode that blocks anyone from seeing what's going on on the machine that you're remotely controlling. You can drag and drop files for copying using screen control. And you can also get or send the pasteboard buffer. We also have a widget for doing remote desktop observation or screen observation. And there's an interactive text messaging client as well for environments that aren't appropriate for iChat. Let's talk about automation. We have a rich AppleScript dictionary, lots of Automator actions, and just about any management command in the product can be scheduled.

And lastly, all the setup and configuration features for Remote Desktop. We have task templates, so you can put all your favorite settings for your tasks. And when you create tasks later, you can easily populate that task document with your settings. We have labels, so you can label your machines, much like you would set a label on a file in the Finder. We have user-defined list views, so you can create your own list with a set of machines from your library and set what kind of information you want to see in that list. For instance, what version of the operating system it's running, how much RAM it's got. You can also create smart computer lists that will filter your entire library using some of this criteria. For instance, create a list that shows you all the machines that have less than one gigabyte of RAM. And then you can create groups to organize the tasks that you've created and the computer lists you've created.

In addition to this, we have a user mode for the Remote Desktop application so that you can let unprivileged users run it and you can restrict what features they have access to. We have network scanners for finding machines on your network for you to add to your computer library. We have directory-based authentication and a setup assistant that allows you to configure some of the more advanced client-side features from the admin console.

So Remote Desktop 3.2 is the current version. It was released in October of 2007. It brings Leopard compatibility, greatly improved screen sharing performance, greatly improved keyboard mapping for screen control, as well as improved file copy reliability. And what's coming up next is Remote Desktop 3.3. It's going to be a free upgrade to existing users. And I'm going to talk about all the things that we're going to be improving with this version. So first off is improved management for offline reporting settings. And I talked about the offline reporting settings just a moment ago when I was talking about how you -- how it's advantageous to have your clients generate these caches and upload them to their task server so you can do your reports at any time. So first I'm going to talk about how things work right now.

On the left side is the preference pane in Remote Desktop that shows you where the settings are for setting your default reporting policies. So currently, this is in the same tab as the task server. Now, the truth of what the reporting policy is on each client is set on the admin. And what that means is that if you have a client that is generating a report, you know, generating a report that you don't want it to do and you remove the preferences on that client, the next time the administrator that had originally set up that policy authenticates to that client, it's going to push that schedule back down again and you're going to have the same issue. Now also from your administrator console, you don't have any visibility into what other report policies other administrators have set up.

So in the next version, we're going to move the reporting settings out of the Task Server tab and into its own tab so that they're a lot more discoverable. We're gonna move the truth of the offline reporting policy onto the client rather than on the admin. So if you have a client that is generating reports that you don't want it to, you can delete the preferences and you don't have to worry about another rogue administrator pushing that policy back down to the administrator and getting the reports generated all over again.

And the next thing that we're going to change is we're going to have a single reporting policy. No longer are we going to have different reporting policies coming from different admins. We're going to have a single reporting policy that all administrators can view and set the settings on. So everyone will be able to see the same policy. Also, this is the computer Get Info window. You see all the administrators who can manage this machine now. And not only that, but you also see who is interested in getting these offline reports loaded up to their task server, and you see what task server is associated with each of these administrators. So this is all new in 3.3. So the next thing that we're going to improve is our NAT support.

So in the current version, Remote Desktop only allows -- each machine has to have a unique IP address, and the reason is that it hard codes the port that it communicates to the client on, 3283. So that means that behind a NAT currently you can only have one machine for it to the WAN side. So in the next version, we're going to allow the administrator to have machines with the same IP address but with different ports. So now you can configure your NAT router to port forward to all your machines behind it, just with different ports.

So while it's great that you can now manually configure your NAT router and manually enter in these ports into Remote Desktop, in some environments it may be even better to have this happen automatically. And you can do this if you have a supported UPnP NAT router and you configure a client to register its network services into a wide-area Bonjour server, which you can configure using Leopard.

And when you do that, the client is going to learn what the WAN side of the port is that got opened up automatically using UPnP, and it's going to register that information in the wide-area Bonjour server. Now your Remote Desktop administrator, using a Bonjour scanner and also looking at that same wide-area Bonjour server, is going to learn what the wide-area dynamic port is that was set up. And then without any other additional configuration, it's going to be able to connect to that client behind your UPnP NAT router. And it will also, as needed, re-resolve that DNS address, that wide-area Bonjour address, so it'll always be able to find that client. So even if the dynamic port mapping changes, Remote Desktop will still be able to re-resolve and find that machine.

So in addition to improving the offline reporting settings and improving our NAT settings, we're also gonna have support for managing machines across Back to My Mac. We're gonna add support for IPv6 addresses. And just as 3.2 came with Leopard, 3.3 is gonna come with Snow Leopard. So just as a review, 3.2 is the current version. It's out right now. 3.3 is gonna be our next update with Snow Leopard. There are more resources available online at www.apple.com/remotedesktop/resources.html. And we're going to be in the IT lab at 5 o'clock to answer any additional questions. So I'll hand it back to Jussi.

Good job. All right, thank you, Mark. So next topic, system imaging. So how do you get these clients that you want to manage with ARD, how do you get them onto people's desktops? So system imaging, what do you use it for? Basically, whatever source you have to create images from, either DVD or user volume, you use System Image Utility to create master images out of those, either install sets or volume restore sets. And then with Server Admin, you have the tools that you can deploy these images with. And you can finally customize content with PackageMaker. So if you have applications that don't use the Apple installer to deploy their packages with, you have other tools available to you.

So what's new with the system imaging? So this covers what we have new in Leopard or to be delivered in Snow Leopard. So with Mac OS X Leopard, we basically rewrote the application. So now the application is based on Automator actions. So any step that you have to do to create an image, either from volume or DVD, is now an Automator action. So you can use these workflows either inside System Image Utility itself, or you can use these in Automator workflows inside either the Automator application or other applications that support workflows. And also, in addition to all these powerful tools that you have, we created an image assistant. So image assistant lets you create, really in one or two steps, images that you can deploy without having to customize or otherwise tweak the images. So it's really easy to use and hopefully will let other people who are not necessarily that technically savvy create their deployment sets. And we also added pieces into Server Admin, where you can now monitor the status of either systems that are installing an OS or doing a volume restore, or you can see which systems are currently netbooted. And for load balancing, we also added support for Xsan and read-only volumes. So this would come in handy where you have, let's say, multiple Xserves acting as NetBoot servers, and you have an Xsan volume that's backing all the NetBoot images or NetInstall images. But on some Xserves, those volumes are read-only. So now we can actually offer NetBoot and NetInstall images off of read-only volumes. Last but not least, we now have ASR support inside system imaging in Snow Leopard. So this basically gives you ASR multicast support or ASR sources such as HTTP disk images. And this is configured via an Automator action.

So let me just give you a brief look at how the tools look. And here's the first thing you'd see when you launch System Image Utility. So you land in the Image Creation Assistant. And here we have just two sources. One is a volume source. One is a hard drive. And you can create either NetInstall or NetBoot volumes from either install disk sets or the volume sets. And what you can do then with the workflow action -- so if you actually go on to customize these images, first you can define where this image is created from. So you can pick an installation type or an image type, either NetBoot or NetInstall, and pick where it's created from. And if it's an install volume, like you have a DVD at hand and you want to customize which packages are actually by default delivered to your users, you can customize the package selection, either entirely eliminating some packages so that they're not selectable by the user, or by changing the default set that the user would get when they install this. So you can either add or delete options. Don't install all the printers.

Only install some particular printers. Or don't install all languages. So that's a very flexible way to customize the disk set. And you can also add packages. So if you do have application packages such as Remote Desktop or other applications that come bundled as a PackageMaker package, you can add those into your installation set as well. And you can also add custom scripts so that, if there isn't a direct way to tweak some settings on the systems that you create, you could use scripting, shell scripts or Ruby, Perl, Python, whatever have you, to finally lay down the bits that you exactly need on the target systems just the way you'd like them. And for NetBoot images, if we create those from DVD sources, we have to create a user account for those.

So we have support for that. And we can also change some of the system settings. So if we need to bind some of the systems into directory systems, we can configure that via the system configuration settings. We can also rename some of the systems based on their MAC addresses. So if you know that you have 15 machines and they've all come up as Macintosh 1, 2, 3, 4, that's not very helpful.

So you could take down the MAC addresses of the systems and actually call them something that's meaningful to you. Or if you so choose, you can just call them the Final Cut Lab 1-2-304. And then you can also create installation sets that effectively could wipe out your users' hard drives. So this is for automated installation. This is useful for lab scenarios. Like if you have a lab or a classroom that has 50 to 100 machines, you'd rather not have to go one by one to a machine and click through all the panes for the installation. But if you know that your target machines will have some known elements such as a named hard drive, you could fork off the installation based on that and say, well, if I see a hard drive called "erase me", then just go ahead with the installation and wipe out the target and lay down the bits without you having to do anything on the machines themselves. So the next time the systems come up, they'll actually be booted into the installation that you just finished.

And another system deployment or system configuration setting we have is for partitioning the disk. So you may want to change the disk configuration, for example, adding a Boot Camp partition on the target systems. So not only can you just erase the hard drive and lay down new bits, you can also reconfigure the disks into partitions that you'd like to see. You might have two partitions for the OS and another partition for user data, depending on your needs. Amen.

And we also support filtering for the images. So some images are not applicable to all Mac clients. So you might have install images that are applicable to only, let's say, Mac Pros. So if you do create a Final Cut application bundle that's an install set, you may not want to offer that to an iMac or MacBook, but you may want to restrict that only to Mac Pros. And you can also filter the images based on MAC addresses. So if you know that you're testing an image that you will deploy down the road, but you really want to serve it from your production server, you can set the image setting so that they're only available to a particular set of machines that you want to use for your deployment testing.

And finally, we have a Create Image action where you can define where this image will be stored and what it will be called. And what's new to Snow Leopard, then? This is the action where you configure the ASR multicast restore source. So either ASR multicast streams or HTTP images stored on a server can be defined here. And you also have options to discover the restore sources dynamically on the network. So if you create a disk image that doesn't have any ASR sources defined in it, the client can discover these sources when it's actually on the network. And you'd send a Bonjour beacon on the network advertising the availability of restore sources. So if you start up a multicast stream, the restore image will automatically pick that up. And you could select that as your restore source. So this is new to Snow Leopard and will be part of the Mac OS X Snow Leopard package. And then PackageMaker. So this is not necessarily part of system imaging as such, but quite a few people have not really used the tool and some people don't know what to do with it. Well, one interesting thing with PackageMaker is the remote source for packages. So with PackageMaker in Mac OS X Leopard, you can actually source the data payload for your install images off of a web server. So imagine that you create an application installer that installs the latest, let's say, Firefox, or could be Office, or could be CS3. And you know that, well, this is up to date for today. And maybe there's going to be an update down the road that you'd want to install, but you'd rather not go back to the initial disk set and have to recreate it all from scratch. So with PackageMaker, you can actually point to the network live copy of the installation, and that would be always kept up to date. So no matter when you install this system, you'll always get the latest, most current version of applications that are using the web-based package payloads. So that's definitely something that will be useful for deployments. And -- yay. Go, PackageMaker.

And where you'd actually access this in System Image Utility is through the Add Packages action. So you can add the remotely stored packages. The pointer to that will be contained in a standard package that you add, but then the payload itself will be carried down at a later stage. So that's briefly an overview of system imaging, and as I mentioned, we went into a little bit more detail last year. One new thing that's kind of new to us is MacBook Airs and wireless NetBoot. So let's see, does this play?

There we go. So here we have a MacBook Air. And actually, here's the MacBook Air. And what's new with MacBook Air is, like, we can actually do wireless NetBoot. So that's a boot picker on MacBook Air. So you hold down the Option key, and if your wireless infrastructure is configured so that you see NetBoot servers on the wireless network, you now get a picker where you can choose the network you bind to, and the NetBoot images on your network will be available there. So this is no different than booting a standard Mac. So if you do have MacBook Airs on your network and you don't want to have everyone use the install assistant that comes with it, you can actually serve NetInstall and NetBoot images to your MacBook Air users by using the standard OS X Server as long as your network infrastructure is configured for wireless use. So here's actually a server that's a client that's hooked up to our demo server. So this is not smoke and mirrors. This actually works. So MacBook Air wireless NetBoot, that's a first for Apple here. So, yay. Let's now go on to a brief demo. And let me introduce Brian Nesse, who is the lead engineer for System Image Utility. And if you can go to demo one, please.

Up there? Okay. So real briefly here, I'm just going to quickly -- I want this open. Just going to quickly show you SIU. This is, as you see, as I already mentioned, this is the assistant mode that you see when you come up. You get your -- this is an install DVD source. This is a local hard drive. You can choose whether you want to make an install image or NetBoot image out of it. Real simple.

Two clicks, you're basically creating an image. Real simple. But what I'm really up here to show you is our new little action here. So when you go to the customize and get the workflow editor here, you'll see it basically comes up and says define image source and create image source. What we're going to do is kill this guy because we don't want a source per se. And we're going to drag in our new action here. Get Exposé out of the way.

Let's do that. Okay, so we tried to make this real simple. Let's just click the button to add. You give it a URL to your server. Give it a somewhat descriptive name so that you know what you've got. As Jussi mentioned earlier, we can also tell it to look for multicast streams that are out on your network. And then as before, you simply run and you've got yourself an image. So to show you what you're going to see on the other end of this, quickly go to Server Admin here. You'll see we have a couple of clients here that are currently booted into our server, showing that they're trying to do NetInstalls or prepared to be installed. And through the magic of ARD here, I will go control one of these machines. And so here we are. Going to progress.

So as this is the standard Mac installer, I'm sure you've all seen it many times. Just gonna select your target destination, and you'll see here's our new panel that we've added that supports the action previously demoed there. These are some servers, or some streams, that were added in the action.

So you see you've got your descriptive name up here, and a little clue down here as to what it's pointing to. See, we've got a couple of ASR images, or streams, here, and another image that's being served up over HTTP. Now, we also checked the ASR multicast browser, so let's quickly go and... start up a couple of streams here. And if you look here, you will see them pop up because it's constantly browsing, and it will find them. These are basically any streams that you had out there that you set up for this thing to go look for. And that's basically all I came to show you today. So back to you, Steve.

All right. Thank you, Brian. So that's what's new and fresh with system imaging with Mac OS X Leopard and Snow Leopard. So let's then move on to Managed Desktop. So you've now deployed your systems, and then how do you manage these systems? So Managed Desktop, again, it's a directory-based way of deploying settings onto the systems that are bound to directory systems. Managed Desktop is also used in parental controls. So if you ever go to System Preferences and enable, let's say, application launch restrictions, that functionality is part of Managed Desktop. The parental controls are a UI front end for some of the features that we have both in Workgroup Manager and then the client side on the OS. And there have been releases since Mac OS X 10.2. So Jaguar was the first release of Mac OS X that had client management for OS X clients. With Mac OS X 10.3, Panther, we introduced mobile accounts, and in Mac OS X 10.4 Tiger, new to the platform were preference manifests and portable home directories. And last, with Mac OS X 10.5 Leopard, we introduced hierarchical groups and external accounts. And there were numerous other features in every single release. So if you look briefly at the history, this was the original Macintosh Manager interface for managing Mac OS 9 clients in 10.2. How many of you actually used Macintosh Manager back in the day? Yay. How many of you are still using 10.2 or 10.3 clients on your networks?

For the love of anything that's holy, please move on, because most of the development that we do has really been focused on the features in Mac OS X Tiger and Leopard now. So the sooner you come on with the rest of the platform to the new features, I think you'll find that the features are much richer and you'll find them quite appealing. So that was 10.2 management for OS 9 clients. And with 10.2, we also had our first plugin inside Workgroup Manager that really had rudimentary support for some of the features in the OS. In 10.3, we then added plugins for Energy Saver and other settings such as system preferences and mobile accounts. So we've been evolving between every single release, and with 10.4, we introduced the preference manifest concept. So under the Details tab, you can actually now manage applications that don't have a UI inside Workgroup Manager. And with the latest release, Mac OS X 10.5 Leopard, we introduced controls for parental controls and for Time Machine. So what's the laundry list for Mac OS X Leopard then?

So the biggest thing really is hierarchical group management. So you can now partition management settings into individual groups and divide them logically. We have now a different version of application launch restriction that is kernel-based, for Time Machine and parental controls, and other settings for portable home directory settings and login options that you'll find inside the Workgroup Manager plugin. Also new is FileVault support with portable home directory accounts and also external accounts. So external accounts, accounts that you can take with you no matter where your system is. And we also have a command line tool for querying the status of either management settings or setting management settings via dscl and extensions into Managed Desktop. And also we have a System Profiler module where you can find out what the active management settings for a client are. So let me do a brief demo of Managed Desktop features. So if you can go to demo one, please.

So we did a bunch of demos last year as well. So I implore you to go to the ADC site and view some of the previous sessions from there. So we're not going to cover the same ground. So what I'm going to show you here today is using Remote Desktop and some of the command line utilities to actually query the management status of some of the systems on the network. So I have some of the clients on the network here that I've configured for management. And what I'd want to find out is, do I have all the active management settings live?

So if I go to Workgroup Manager, here's my user list. So I have -- as soon as Workgroup Manager comes back. So I have some users that I know should be managed, and I also have groups that I have done the management through. So I have this allowed applications group where we have the whitelisted applications. So I can see that this seems to be a user group where they can only use rudimentary applications, no access to Terminal or System Profiler or anything else besides your basic four apps. They can chat, they can send email, they can browse, and they have iCal. And they probably should have Address Book support, so let's add Address Book here just for the heck of it.

So now they get to use Address Book as well. That's just right. And this is implemented-- this group is a nested group. So when we look at the members of this group, there are no direct members of this group. It only contains another group where then we have the individual users. So this is one example using hierarchical groups.

So then let's go to the client. And actually, I have already logged on these clients. So it seems like everybody's sitting at their desktops. So that's fine and great. And there they are. But let's see if they're actually being managed. So one way to find that out is using one of the Unix command line tools. So I could use System Profiler. So let's send a command to the client and see what comes back.

So I just used the Managed Client System Profiler module to discover what management settings are there. So apparently I have some login window settings, and then I have some application settings, but this is really unmanageable. Let me see if I can roll that up for you. Nope. Quick jump to Universal Access. Enable zooming, yes.

There we go. So this is highly unreadable. Well, first of all, it's XML. It's a plist, not meant for human consumption. So let's see what else we can do with this. Another Unix command that could be-- so that was using System Profiler and the Managed Client module in that. And mcxquery is another tool for Managed Desktop where you can query either a hypothetical scenario where you know that with this user logging into this machine with this workgroup, what would the management settings be for that user? So Managed Desktop now has an option to also query the active state with the mcxquery tool. So let's see what that comes back with. Well, that's a little bit more readable. So here we have a tab-delimited list of some of the settings. So apparently, we have family controls enabled, and we have some login window settings, but something's not quite right.

So let's do another query where we can actually use the plist output or the non-human-consumable output of Managed Client. So we use the query format for XML. So we get much more detail into what keys are being set. So okay, that's probably something that could be parsed using either Python or Perl or Ruby. So that could be further processed with, let's say, an auditing tool. And here I'm going to use an auditing tool called defaults. So this is not recommended for production use. So here's just, oops, run to send a Unix command.

So what I'm doing here, so I'm using the mcxquery tool, and I'm going to output the value of the management values into a temporary file. It's going to be in an XML format, so that's a plist. Again, I will get the current user and the current workgroup that the user is in. And next thing, I will use the defaults command, and the reason this is not recommended, the defaults format might change, so I cannot always rely on it being a plist, so your mileage may vary. And from that particular default setting, I will read the application access key. So why do I know that this is an application access key? So if I go to Workgroup Manager-- and actually go to the managed group that I had and go to preferences. So I can now use the details view and see that these are actually the keys that were managed here. And one of the keys is family controls enabled, so now I know which domain I could use. And now if I go back to the Remote Desktop side, and then run this command. So I think what I'm doing is trying to read the managed applications list from these three machines. And it turns out that there's no management active for one of these users. So this user sitting on Mac mini 3 doesn't have any management enabled. And that's kind of curious because I thought everybody was a member of the group. And apparently, I just thought that. What I can do now with Remote Desktop, I can actually see who these people are here. So that was our mini 3 system. Let's not make that so jerky. So here we go. So on Mac mini 3, I have Ms. Stein there. And apparently there's something wrong with the group memberships. That's at least what I would guess first. So if I look at the groups that are here, so students is a member of the applications group, but apparently Ms. Stein is not part of the students group. So by using the tools here, I was able to tell that this particular user is not properly set for our setup. 
So I'd need to add this person into our restricted group, and life will be good again. Oops, drag, there.

Save. And that's how you can use various tools that we have at our disposal, using Workgroup Manager to manage, using Remote Desktop for reporting, and using the Managed Desktop backend tools querying the state of management and using Unix tools to then report on those and find anomalous conditions. So that is the demo for Managed Desktop. So if you can go back to the slides, please. Yeah. And now let me introduce Bruce Gaya, lead engineer for Managed Desktop. And he'll cover portable home directories.
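The demo above audits management state by hand: dump each client's effective settings as an XML plist, then read one key out of it and look for the host where the expected value is missing. The script below is an added example from the editor, not code from the session or from Apple; it does the same audit with Python's standard plistlib instead of the `defaults` trick the speaker warns against. The per-host data is constructed inline and its layout (management domain, then preference key, then value) is an assumption, not a reproduction of real mcxquery output; the domain name com.apple.applicationaccess and the key familyControlsEnabled are the ones named in the demo.

```python
"""Audit effective MCX management state across several hosts.

Editor's added example. The sample data below is constructed for the
example; the domain -> key -> value layout is an assumption about what a
per-host XML plist dump of management settings would look like.
"""
import plistlib

# Constructed per-host state. mac-mini-3 is the anomaly: it only carries
# login window settings, so the application restrictions are not active.
_SAMPLE_STATE = {
    "mac-mini-1": {
        "com.apple.loginwindow": {"LoginwindowText": "Lab 101"},
        "com.apple.applicationaccess": {
            "familyControlsEnabled": True,
            "whiteList": [
                {"path": "/Applications/Safari.app"},
                {"path": "/Applications/Mail.app"},
            ],
        },
    },
    "mac-mini-2": {
        "com.apple.loginwindow": {"LoginwindowText": "Lab 101"},
        "com.apple.applicationaccess": {
            "familyControlsEnabled": True,
            "whiteList": [
                {"path": "/Applications/Safari.app"},
                {"path": "/Applications/Mail.app"},
            ],
        },
    },
    "mac-mini-3": {
        "com.apple.loginwindow": {"LoginwindowText": "Lab 101"},
    },
}


def sample_dumps():
    """Serialize the constructed state to XML plist bytes per host, standing in
    for the temporary file each client would write and send back."""
    return {host: plistlib.dumps(state) for host, state in _SAMPLE_STATE.items()}


def managed_value(plist_bytes, domain, key):
    """Return the effective value of domain/key from one host's plist dump,
    or None when that domain or key is not managed on the host."""
    state = plistlib.loads(plist_bytes)
    return state.get(domain, {}).get(key)


def allowed_app_paths(plist_bytes):
    """Sorted application paths from the whitelist, empty if none is managed."""
    entries = managed_value(plist_bytes, "com.apple.applicationaccess", "whiteList") or []
    return sorted(entry.get("path", "") for entry in entries)


def audit(dumps, domain, key, expected):
    """Hosts whose effective value for domain/key differs from what the
    administrator expects; these are the accounts to check in Workgroup Manager."""
    return sorted(
        host for host, data in dumps.items()
        if managed_value(data, domain, key) != expected
    )


if __name__ == "__main__":
    dumps = sample_dumps()
    anomalies = audit(dumps, "com.apple.applicationaccess", "familyControlsEnabled", True)
    for host in anomalies:
        print(f"{host}: application restrictions not active")
    for host in sorted(dumps):
        print(host, allowed_app_paths(dumps[host]))
```

In practice each host's plist would come from the XML query the speaker runs, sent out and collected with Remote Desktop, and `audit` would replace the `defaults read` step, which depends on the dump's format staying a plist.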

Let's talk about portable home directories. Whoops, wrong way. There we go. OK, portable home directories, mobile accounts, external accounts, what they're all about is taking a network account and the whole user's home directory and making them portable so that the user can log in and use that home directory when they're not connected to the network. Also, when we talk about the account, all the management of the account goes with these users. So this is a good way to manage a local user as a network user.

Mac OS X 10.3 Panther was where we introduced mobile accounts. At that time, we had a mobile account with a cached account with credentials so you could log in offline, but the home directory that you created locally had no -- did not synchronize with a network home. In Mac OS X 10.4 Tiger, we introduced portable home directories, and that really is all the things of a mobile account plus home synchronization. So now, in Tiger, you can create a portable home directory, take your portable computer, use it offline, make all sorts of changes to your home directory, come back to the network, and it will synchronize all the changes you made locally back up to your network home directory.

Starting in Leopard, we introduced external accounts and more. An external account is a mobile account, is a portable home directory, but instead of living on the internal disk of a computer, it lives on a disk itself. So the disk itself contains the account information, and it contains the home directory. Now, I said and more there because as we progress from 10.3, 10.4, 10.5, we've been adding more management features, so now you can really control home directory creation and synchronization very finely.

So here are some new management things we put in for portable home directories in Leopard. First of all, FileVault. Starting in Leopard, you can require that when a user creates a mobile account, the home directory will be protected by FileVault. FileVault is essentially an encrypted file system for just the user's home directory.

So protect the information in there so that you can't get in there without an account password or a master password. Starting in Leopard, the account can now be on an internal or an external hard disk, as well as just under the users folder of the boot disk. And when it's on an external disk, we call that an external account.

We added account expiration. So what this is is that if you set up mobile accounts across your network and you have a whole bunch of network machines, one day a user will come into machine A and they'll log in, and because of the management settings, they'll create a PHD there, and they'll be happy and log off, sync back to the network. They come back on another day, they log into machine B, they get another mobile account, they get the fresh information from the network, they log off, they sync back to the network, they're happy.

They go to another machine, third day, and you can see what happens. By the end of the week, they've got a mobile account on all these different machines, and they're taking up resources. So starting in Leopard, you can now have these accounts be reaped and deleted or expired after a certain amount of unuse.

Okay, we also added MCX and HomeSync preference manifests. Okay, now you can actually have quite a bit of fine-grained control over PHD creation and sync. A whole bunch of keys are now exposed so that you can actually change things to your own site requirements. We added a sync server. A synchronization server is a process which runs on OS X Server, and it keeps listening to the FS event queue. And so you have to think about how a synchronization works. How a synchronization works is there's two big phases. One is you figure out what's changed, and the second one is you copy stuff. And it turns out that figuring out what's changed can usually take more time than the data that's copied, because prior to using the synchronization server, in Tiger, you had to walk through the entire folder hierarchy and do this big enumerate on the server and locally to figure out what's changed. Starting in Leopard, we use a sync server, so this figuring out what's changed phase is much quicker, and so the entire synchronization process is much quicker as well.

Okay, so how do you set this stuff up? First of all, run Workgroup Manager. This is what Workgroup Manager looks like. You can either select a user, group, computer, or a computer group in Leopard, and what you do is you select that, select this preferences icon, select the mobility icon, and you start going. We get right away to the mobile account creation pane. What you have to do here is simply click this checkbox, which says create mobile account when a user logs into a network account. Amen. We seem to have lost that, but we'll let that go. There it is. OK, and once that's checked and you hit Apply Now, then basically this user is set to create a mobile account when they log in.

We get to the options pane. This is where you get to decide if you want to have the user use FileVault or not. I've checked it here 'cause I want all the users on this network, 'cause I'm managing the guest computer. I want all the users on the network when they create a mobile account to have it all encrypted with FileVault.

At the bottom here is where you get to decide where the home directory is. The bottom, a pop-up, has a couple of states. I have it set here to any external volume. So what I'm doing here is I'm setting up for having my users use external accounts. So when they log in, they'll get a dialog. And at that time, they can present a disk or attach a disk and they'll be able to create a mobile account, a PHD, or an external account on that disk.

One other thing, you can set synchronization rules. This is the login and logout sync pane. And how this works is at the top you can decide what folders are going to be synchronized. And at the bottom, you can decide what things inside of those folders, which files or folders you don't want to synchronize. If you look at the match column, there's a whole bunch of different match types. It says full path there. You can say starts with, ends with, that sort of thing.

Also, there's another pane called the background synchronization pane. It works the same way. It has two panes at the top. You decide what to sync, and you decide what not to sync. So there's always a question which comes up, is what should be synchronized? Synchronization takes time, so you should try to minimize data. The less you synchronize, the less time your user will spend waiting for synchronization. There's a user education issue. If you decide not to synchronize Pictures, which should have a capital P there, you should tell your users so that they don't put important data in Pictures, because if it doesn't synchronize, it doesn't get replicated up onto the network server, and if they lose that mobile account or they lose that disk, they won't get it back. So while it's good to reduce what you're syncing, you also need to tell your users.

What should you sync at login and logout sync? That is designed to synchronize preferences. What should you sync during the background sync or put in the background sync set? That's designed to sync everything else. And here's a hint that I'll give you. For Leopard clients, don't put the same file in both sync sets. And I'm gonna tell you why. You can decide in Leopard when to sync using the HomeSync preference manifest. Now, I've loaded all the manifests here and the one I've selected here is called HomeSync. If I selected that and clicked on the pencil icon, I'd come to a dialog which looks like this.

And this will allow you to set various keys that decide when things are synced. The thing I want to point out here is that in Leopard, the login and logout sync set and the background sync set can actually synchronize at login, logout, and in the background. So we found that was a bit perhaps confusing. So I'm going to show you this is the Leopard version of Workgroup Manager, and we've changed the name of the login and logout sync set to the preference sync set. That's right up there; it's now called preference sync. And we've changed the name of the background sync set to be called home sync, right up there. But more importantly, there's a bunch of checkboxes at the top, and now you can decide very finely in Snow Leopard when you want these different preferences to sync. Now I want to point out this is just an HI change. Okay, this is just an HI change. It's not a functional change, okay? So Leopard clients and Snow Leopard clients basically work the same, but we want Workgroup Manager to really reflect what is actually happening in synchronization.

Okay, some command line tools of interest. HomeSync is a little application which sits inside of ManagedClient.app. When you're synchronizing, actually HomeSync is running. It has a command line interface. If you call HomeSync -s from the command line while you're logged in, you'll get a HomeSync right then. But my favorite tool is called createmobileaccount. And createmobileaccount will allow you to create a mobile account and its variations of portable home directory and an external account from the command line.

The most interesting parameter is the -h home path, and under -h, you can actually specify any path to the home, which means that you're not limited to creating the home under /Users, or-- you can create it wherever you want. Any path will do. Under createmobileaccount -u, you can specify a sync URL, and that's a URL like AFP colon slash slash, that sort of thing. And that allows you to have a mobile account which synchronizes not just to its network home, but perhaps it can synchronize to another file server completely or a different spot on the network home. I was talking to an Active Directory user site, and they wanted to have their Leopard clients synchronize to a folder inside their network home. So if you create it with the createmobileaccount tool, it will allow you to do that. Another trick, which you only hear about at WWDC, I think, is that if you have an existing local account and you run createmobileaccount against that with a sync URL, you'll actually create a local account which will synchronize against any share or network home. One other fun thing is in Snow Leopard, well, let's say in Leopard, we support these URLs: AFP, NFS, SMB. Starting in Snow Leopard, we're gonna support the file URL, which will allow you to synchronize the home to somewhere else on the network hierarchy and perhaps to another volume. So I'll let you think about the implications of that. Okay, time to do a demo. Okay, I need to go to demo one. I think it's on. There we go. Let's start from scratch here. Close everything. I'm going to launch Workgroup Manager. I have to log in as diradmin.

Okay, these are the users and what I want to do is set it up such that one user will create an external account when they log in. I'm going to choose John Appleseed, I'm going to click on preferences and I'm going to click on mobility. I get the creation pane as I showed in my slides. Click on always and then create mobile account when this user logs in. That's fine with default sync settings. That's great. Under options, there's the options pane. I click there. Click on always. Going to encrypt this home with FileVault. And down at the bottom, I'm going to say user chooses any external volume.

And just say apply now. That's pretty much done, but I want to set up some other rules just for this demo. So let's go to the sync rules. And this is Snow Leopard. So what I'm going to do is say always. And for the preference sync, I'm going to say don't sync at login and logout.

Just in the background and manually. And I'm going to do the same thing for home sync. Click on always, uncheck these two. So sync in the background and sync manually. So apply now. Okay, that's all there is to it. This user is set up. So now I'm gonna go over to demo number four. Did you get it? Oh, Brian's MacBook Air. Yes, that's it. I need to log out.

And we see we're at the login window. And by the way, these things that say network accounts available and the title are coming from managed preferences using the guest record. So I'm gonna click on other and log in as that user who is John Appleseed. There we go. And this is the dialog you get. Create a mobile account with a portable home directory. But here it says no volumes attached. So I happen to have a USB 2.0 volume here. It's formatted with HFS+ and all I do is connect it, which can be easier said than done. There we go.

And as soon as that disk spins up, see it here. Oh, there we go. Okay. Since this is a MacBook Air, I named my volume accordingly. So I'm going to just click create now, and it starts creating the FileVault home. FileVault is very important, especially on an external account, because if that disk, you know, goes to, if that disk falls into someone else's hands, it's very easy to get all the files off that disk. You know, you just sort of turn off ownership, and anybody can read it. So I would recommend using FileVault on basically all portable home directories and especially on all external accounts.

Yes, we go, and we're done with the FileVault creation, and now we're starting a synchronization. And this is -- we'll be taking the stuff off the server, the user's network home, and copying it down to this MacBook Air, and specifically to this disk, which is sitting right there. By the way, the network is wireless.

Okay, the sync is complete. And now we are logged in. We see this user is here, and what do you know, he has the desktop and home directory. Now let's make sure that the home is where I think. So I select the home. There's the home. You see it's FileVaulted there. If I get info on that and you read here, it will say it's located on /Volumes/Aristophanes. If I look on this external volume here, Aristophanes, I see there's a folder called Users, and inside of Users, open that, and there is the home, John Appleseed. It's actually on this disk. Now if I take this user and try to drag him to the -- eject it, that's actually prevented, so that's a good thing, right? So now I'm going to log out, and once the logout is complete, the account and the home I just created will be right on that disk. FileVault has to run. One thing I want to mention is you didn't see any login and logout sync here. I didn't see a logout sync, and that's because I turned it off in Workgroup Manager. So let's return to the login window.

There we go. And there's my new user, John Appleseed. I'm going to disconnect him from this machine now. Disappears from that machine. And let's go over to demo B. You got that? Yes. Okay. I have a USB connector, and we're going to connect this up here like this. There we go.

There's John Appleseed. OK. So let's-- thank you. Now I can log in using the home right here, and it should skip the login and logout sync that does that. Here we are again. Here is Aristophanes, Users, and there's the home. Something I wanted to do to make it a little more distinctive.

I'm going to give this user a special picture. Let's try that one. Just to show that some of these things stick. And now I'm going to log out, get back to the login window. FileVault's going to clean up a bit. Again, skipping the login and logout sync so it's quick.

And we get here and there's John Appleseed and he has his special icon. And now all I have to do is disconnect this and I'm off to go use another computer with my home right here. Thank you. And back to Jussi. JUSSI-PEKKA MANTERE: So thank you, Bruce. And that's a brief overview of the different management options you have to manage your either Leopard or Tiger, hopefully not Panther or Jaguar, clients. There are many ways to manage these things. You could use either Remote Desktop, your Swiss Army knife. You can use system imaging to deploy clients, Managed Client, Managed Desktop to enforce settings in a directory-based environment. And you have account portability with mobile and external accounts. So last year, we covered some of these features. And if you go to the ADC site, you'll see some of the sessions there. For any further information, please get in touch with our technologies evangelist, Mark Malone, or you'll find more information on Apple's site for OS X Server. There are a bunch of sessions. There was one session earlier today for portable home directories. So if you missed that, please log on to ADC once the sessions are up and available on iTunes. So if you're interested in external accounts and some more detailed view, check that session out from this morning.

Upcoming sessions, we have session -- there is a session tomorrow for client management. Scripting, if you do heavy scripting or want to use scripting with ARD or using, let's say, system imaging with Ruby or whatnot, there are sessions on that. Directory services, if you do use managed desktop, you probably want to know about how directory services can be troubleshot. You may have some issues with Active Directory integration or Open Directory anomalies or whatnot. So this is where you'd actually get some tools for your environment. And there's a panel on Friday for OS X administration, so if you're interested in that, that's one to attend. And we have a bunch of labs lined up as well. Right after this session, there's an Apple Remote Desktop lab at the IT Lab. All these sessions are at the IT Lab. Directory services, we have two labs for those, one on Wednesday and another one Friday. For the Mac administration lab, there's one on Thursday in the morning. And for client management, there's another lab on Thursday afternoon. So with that, that concludes our presentation. And we move on to the Q&A portion.