Mac OS X Server delivers flexible options for managing your organization's user home directories including Network Home Directories, Mobile Home Directories, Portable Home Directories, and External Accounts. Learn which of these options is best suited for your environment, while getting field-tested best practices for home directory deployment and management. See how new features in Snow Leopard Server enhance your options for managed home directories.
Speakers: Tony Graham, Armin Briegel, Dave Douglas
Hello. I'm the engineering manager for Client Management and System Imaging and Address Book server in Mac OS X server. Let me invite Tony Graham to talk to you about managing home directories.
[ Applause ]
Thank you, Yusip. My name is Tony Graham, I'm a systems engineer in the education group, and I'm hoping to talk to you about home directories. It's a very exciting topic, I know.
Some of you are probably experienced system administrators. How many here spend a lot of time in Mac OS X server home directories?
[ Laughter ]
It's home directories people, it's not that funny. OK, good. So we want to get in and talk about the various options for setting up.
[ Phone ringing ]
[ Laughter ]
[ Phone ringing ]
Oh boy. Hello?
[ Presenter ] Yeah, sweetie.
[ Little girl ] Where do home directories come from?
[ Laughter ]
[ Applause ]
[ Presenter ] Babe, I've got a bunch of people in the room here, they're waiting for me to talk to them about something important, I really don't have
[ Little girl ] Please.
[ Laughter ]
[ Little girl ] Goldilocks?
[ Little girl ] Why Goldidots?
[ Presenter ] Because daddy can't draw, sweetheart. Anyway, Goldidots had this wonderful home, it had all of her favorite stuff in it.
[ Laughter ]
[ Laughter ]
[ Thunder ]
[ Little girl ] Oh no.
[ Presenter ] Well luckily she had a time machine, so she went back in time and got all her stuff back.
[Thunder. Laughter ]
[ Applause ]
[ Thunder ]
[ Laughter ]
[ Presenter ] So she realized she needed some time to think and plan for the future, she checked herself into a local motel.
And the neat thing about the motel is it had everything she needed for a brief stay: a place to sleep, place to rest, place to think things through.
[ Laughter ]
So she made a few phone calls, got things rolling, and then checked out. Downside of course being as soon she left, they threw all of her stuff away.
[ Laughter ]
But her new home was built in a safe place free of disaster, and she thought that was wonderful. Problem was, it's still kind of hard to get to, it's kind of far away.
[ Presenter ] So she realized it would take her a long time to get there through the mountain, she had a tunnel dug just for her. And this was great because any time she wanted to get anything from her home, she could just go through the tunnel. So if she was hungry, she could go through the tunnel and get something to eat.
[ Laughter ]
And if she was thirsty, she could go through the tunnel and get something to drink. No matter what she needed, all she had to do...
[ Laughter ]
...was go through the tunnel and she could get what she needed. So that would have worked out really well for most people, I mean, most dots, except then she Twittered about it or Tweeted about it, and as soon as her friends found out...
[Other children] Me too.
Me too.
Me too.
Me too.
Me too.
Me too.
[ Presenter ] So now she had a new problem because it wasn't so much like a truck, it was more like a series of tubes. And as soon as all of her friends wanted to use it too, it got kind of crowded and slowed things down.
[ Music ]
[ Presenter ] This seemed like it would solve her problem because she could keep the stuff that she used all the time with her no matter where she went and then still keep her awesome house in the safe mountains. Problem was, she needed help filling it with all her stuff. So she went and asked her best friend, HomeSync.
[ Laughter ]
[ Presenter ] HomeSync didn't have a very good answer so he was stuck helping her load all of her stuff into this new mobile home.
[ Laughter ]
And in fact, probably stuck for life helping her unload it any time she came up with anything new. But once all her stuff was put in her new mobile home, Goldidots hopped in and lived happily ever after.
[ Music ]
[ Laughter and applause ]
[ Presenter ] It is sweetheart, unless you have a network home, and then it's built from the user template folder on the server.
[ Presenter ] Well if the server is not a Mac then you get a basic Home folder, just a desktop, a library, and then if you download stuff with Safari it'll make you a downloads folder.
[ Presenter ] Yes, sweetheart.
[ Laughter ]
[ Laughter ]
[ Cheers and applause ]
[ Presenter ] So I apologize for that interruption, I'd kind of hoped to walk you through the various options that you'd have for Home folders. I do have some slides, maybe I can work through them quickly and get us caught up. Many of you said that you have Mac OS X installed on your computers; how many of you are Mac OS X users out here? Many, OK, very many.
Most of you probably have seen then a local home that gets created for you when you create your first account. And that goes into the /Users folder, and it's a wonderful way to use your computer because it's the easy way: a folder is created for you automatically when you create your first account, and when you create new accounts, new folders are created for them. It's very well tested.
So your application developers are probably first going to test their applications against this scenario, and anything else would be further on down the list. And it's very uniform, so if somebody comes in from another organization, they're likely to have their Home folder in their /Users folder as well. Downside to this being that there's no separation necessarily between the operating system and the user data, and that can be a real advantage.
And the other downside being that everything is located on that one hard disk mechanism, so if something terrible happens, you could potentially lose it all. But backups are very easy, you can use Time Machine, you can use any number of backup applications to protect your or your users' files. There's a variation since Leopard on the local home called a guest home, and it's sort of the same thing except there's no password, no admin privileges, and it makes a new Home folder from that System/Library User Template.
If you want to customize the user experience for the guest user, you can modify that folder carefully, modify that folder as well. But the better way to manage that experience is using Workgroup Manager in conjunction with directory services, so you don't have to touch every machine, and so that you don't have to build those changes into an image. Nice thing about the guest account is as soon as they log out, that Home folder is thrown away.
Up to Leopard, probably a lot of you had developed custom solutions for doing this, now it's baked into the operating system. So if we take that local home and we stick it on a file server somewhere and manage the directory service records a little bit differently so your Mac knows where to look for them, you can host that home on a server.
And there are a number of protocols you can use to get to it, and you use that Home folder live over the internet. So where your applications would write things to Preferences or Application Support or your Documents folder, it's still doing exactly that, but that folder is on a network share now.
The advantage to that being you can use any Mac connected to your organization, login, you have the same user experience. There are some disadvantages, your performance is going to be affected by the speed and reliability of your network. And for some of you, that's great; and for others, may not solve your problem.
And of course it does require a network, so machines that leave your organization aren't going to be able to easily participate. Backup though is really easy, you get an enterprise backup solution on a server. You've got a single place, single source for all of your users' data, and you back that stuff up.
So I mentioned there are a number of protocols for getting to your Home folder on the server, AFP, SMB, and NFS being the ones that you're likely to use. We tend to recommend AFP if your client is a Mac and your server is a Mac. We recommend often SMB if the server is a Windows server, it sometimes gives you better performance, or often gives you better performance.
NFS is used probably by some of you if you're in a scientific computing environment or using clusters. Because there's no user name and password exchanged ordinarily with NFS, there are some security ramifications to using that. And what's nice about Snow Leopard, slight change in Snow Leopard, maybe not such slight changes, dramatic improvements in the performance of these network file systems, especially SMB and NFS.
So a mobile account is sort of a hybrid between the two, not quite. You imagine the directory records that you have in your server that take care of identity and password information that get synced down to your portable machine so that you can use it offline, you can still manage the experience from a central location, but the home directory is on that computer. You get the performance, the compatibility of having a local home.
We synchronize the user records so password changes can be managed centrally and preferences can be managed centrally. But if we take that one step further, your option is a portable home, that's essentially the same thing where the directory record is synchronized, but we also synchronize the files in the home directory. And the advantage to this is it can be used offline.
So synchronization happens when you're connected; when you're disconnected, new files created in that mobile account are synchronized back to the network home when you reconnect, and it works both ways. The disadvantage, or a potential disadvantage to this is that there are sometimes issues with conflict resolution. So a file gets changed on the server and on the portable machine. You're probably going to end up presenting the UI to the user that says, Which of these files do you want to keep? And for some of you that is not a big deal, and for others that presents training opportunities.
[ Laughter ]
Now backup is actually pretty nice here too because you can do both: back up a network Home folder with an enterprise server-based backup solution, and have your users, your customers back up their own machines using local backup software, use Time Machine, use an external drive, or whatever. You could even issue them a drive to take with them if they don't spend a lot of time in your organization.
And I think you'll sense a theme as we talk through these various options today that for many of our customers, we think this is the best possible approach because you've got the speed and compatibility of that local home, but you've got the central management and occasional or often access to a network home. And in fact, we have some customers that do both, they have a network home and a portable so they could do the portable HomeSync.
And this is great for people who primarily use desktop machines but will occasionally checkout a laptop or portable computer from you to leave with. You can synchronize that network home to that portable. They leave, they come back, the reverse happens, and then they go back to living on their network-attached desktop machine.
And the reverse is actually kind of a nice use scenario too, we've got folks that live on a portable computer with a portable home and it's synchronized to their network home, but there may be use scenarios where they want to be able to walk in and use another machine in your organization, in a lab, in a presentation experience like this, and they don't necessarily want to take their portable and plug in audio and video and power and network, but they want to have access to all their files. And so they can use a network account from that machine, and you have control, you have the option as an administrator to decide which of these options you present to your customers.
So there is a variation or enhancement to the portable home option called an external account, and what's nice about this is you use it in conjunction with an external drive, it's going to be a FireWire drive or a USB drive or maybe even a flash drive. It also works with MacBook Pros in Target Disk Mode.
So if you have a student who lives on their MacBook Pro, they can put that in Target Disk Mode when they connect to one of your desktop machines, and continue to use that user account on your desktop machine but when they leave they take all their stuff with them.
The nice thing about this is it reduces login sync because their home is pretty much with them on their drive, so when they log in they don't have to wait for their home to be synchronized down to a new machine. And they can take that disk to another Mac that's off of your network that they also use, maybe a machine at home, and use that external account with the machine at home.
With portable homes and external accounts, FileVault is an option for you, and if you're going to be taking your home with you on an external drive, FileVault might be something you would want to encourage or require depending on your use. And again, like portable homes and mobile accounts, you can manage the user experience through Managed Preferences.
So this can be an external drive you use over FireWire. New in fact in Snow Leopard is support for FAT formatted external drives. So if you buy a disk from Office Depot or a flash drive or whatever, you don't necessarily have to reformat that in HFS+ before you can use it.
So we've got a demonstration lined up for you next, and I guess that is me, so I'm going to switch over to a demo machine over here. What we wanted to show is a variation on the external account which is pretty straightforward. How many of you have seen demonstrations of external accounts? At previous developer conferences? Yes, so probably half of you. We didn't want to show you exactly the same demo, so we decided to show you exactly the same demo.
But we have a little twist, and that is that this user account on my flash drive is actually an administrator account. The machine I'm going to connect it to does not have an administrator account on it. So you can imagine this use scenario where you allow guest users to your user machines and they get erased when they log out, but when you have to work on the machine, install software and configure it, you attach your external account to it, and your administrator account becomes available. This is also handy if for whatever reason your network isn't available, so your network admin accounts won't work.
So I'm logging in as an administrator on this machine, this is bound to my directory system but it doesn't necessarily require that the network be attached. And I wanted to show you a couple of things. The first thing I wanted to show you is the command that you need to use to make this happen.
What I didn't show you was the creation of the external account. For those of you who haven't seen this done before, you essentially log in to a machine that's had your user account enabled for external accounts using Mobility. And it asks you where you want that portable home to be, you just say, I want it on the external drive, and it creates it there.
But that's not going to be an administrator account, and administrators are by design required to be members of the admin group on each desktop machine, especially if they're not network connected. So the command that you're going to use to take an arbitrary local or networked account and add it to the admin group for your workstation is fairly simple, and I've got a fancy Steve Hamon-like service written here to type this in so you can see it. It's the dseditgroup command. You're going to use the -o flag followed by edit.
You're going to edit this group record, you're going to add a user, in this case the user's name is Tony, and he's being added to the admin group. This is, by the way, the same command that you would use if you have network users that want sudo access on their own machine. You'd want to add them to the local admin group on their own machine.
And once you run this command, you can check it fairly easily, there's a dscl command that will let you navigate your directory services. We'll go into /Local/Default/Groups. And in here is the list of the local groups on this machine, and we'll pop into admin and do a read. And as you may notice, my account is a member of this particular local group. So I wanted to show you another couple of things while we're at it.
In System Preferences under Accounts there are really just two accounts right now: my external account which goes with me when I leave, and the guest account which is currently disabled but I could enable that for login, and then you've got a machine that basically erases itself when someone leaves, and requires you with your external drive to administer.
You can imagine there are some security advantages to this too as far as remote access. And then one twist on this as well is if I get info on my flash drive, you'll see that it's a FAT32 formatted USB drive, and there's a Users folder on here with my account and it is in fact a FileVault account, and that has additional advantages.
In addition to my data being private and the applications that I have on here being private, my keychain has passwords saved for things like controlling the server, the screen sharing; the password for controlling a server has been saved in my keychain. And say if I lose this disk, it is protected. So that's it for the demo. I think I'll turn the stage over to, I like to describe him as Germany's answer to David Hasselhoff, this is Educational Consulting Engineer, Armin Briegel.
[ Applause ]
Thank you, Tony.
[ Applause ]
[ Laughter ]
My name is Armin Briegel, I'm Consulting Engineer for Apple Education National Resource, specializing in classroom management. And I'm going to take what Tony and Emily introduced to us and go more into depth, introduce some new features.
I've been anagrammed.
[ Laughter ]
[ Laughter ]
So as Tony mentioned earlier, network home directories are a really great feature, but we really store everything in that Home folder. I checked on my work machine just now, and I have 260,000 files in my Home folder. And I guess you will probably get pretty close to those numbers. And there are things in there that are big, things that are important, things that are less important. But each piece of this goes through the series of tubes to your network server back and forth.
And not everything is traffic that you necessarily want to have on the network, essentially the caches, Safari caches, all of the other caches. Other things like movie files, audio files, are really sensitive towards bandwidth and latency. You probably want to have them locally. iMovie for example, iMovie '09, won't let you edit projects that are on a network home directory.
So there used to be some hacks with login scripts where you'd replace that particular folder with a symbolic link and redirect it to a local folder so you would get the local performance. And even since Leopard, we have kind of made that official and we give you managed preferences settings to get these features and redirect particular folders to local folders even though the rest of the folder is on a network.
The way you can get that is in Workgroup Manager in the Details tab. You first want to add a very special feature. You go to /System/Library/CoreServices. There's an application called ManagedClient.app, and if you add that in the Details tab, it will give you a whole list of new features that you can manage. You can manage them without that, but it's much easier because you get the descriptions and it looks much clearer.
One of them is Folder Redirection, and if we select that, it looks somewhat like this, and I can zoom in a little to make that visible. The default one that gets created when you do that for the first time is actually redirecting the Library/Caches folder to a local folder in your Temp folder. We use the Temp folder because that gets cleared at restart and it's really not very important. You can see there's a %@ in here, that gets replaced at login with the name of the user who's currently logged in, that's a placeholder.
So each user gets their own folder in the Temp folder so they don't overwrite each other's stuff or see each other's stuff. The other redirection info that I put in here, it's a different action. The first one is deleteAndCreateSymLink, because I don't care about the Caches folder, we can recreate those. We may care about the user's Movies folder or the users may care about that. So in this case, we're doing a Rename. We're renaming the Movies folder in the network home directory and replacing it with a symbolic link.
That points to /Users/Shared/Username/Movies. So if they want to continue to work on their project, they need to come back to the same machine over and over again, which negates one of the advantages of network home directories, that I can move from machine to machine. We're negating that here.
But on the other hand, we can edit movies and work with them in the network home directory. Of course if you use portable home directories, a lot of those issues go away, so that's another alternative. Instead of redirecting, just use portable home directories. I'll be working locally all the time, anything I change and work on will eventually be synchronized up to the server.
But the synchronization process introduces another bottleneck and challenge for the network because the client has to figure out which files have changed locally, which files have changed on the server, and what do I need to copy back and forth, what do I need to get from the server, what do I need to move up. And before Leopard what we did was, we remounted the user's network home directory and we scanned it to see what changed since the last synchronization, and that obviously puts a lot of load on the server, all the metadata requests from the HomeSync process.
So what we introduced in Leopard is called server-side file tracking, and it uses FSEvents on the server to keep a database of files that changed on the server. And the client actually uses the same FSEvents on the client and keeps a list of files that changed there. And when a client attempts a HomeSync, it will go through a certain port, 2336; actually it uses SSH over that port to try to get that file out of my home directory on the server. And if I can get that, it will use that to compare, and I can avoid the expensive scanning of the network home directory. It's a setting in Server Admin that you have to enable.
And because it uses SSH or SCP to copy that file down, please remember that the user needs to have a valid shell assigned, otherwise this part will fail, and the HomeSync process will revert back to the scanning. FileVault. You're taking data along with you, and depending on your organization or what kind of data it is, you may be required to encrypt that data.
In general, encrypting data that you take with you either on laptops or on external accounts is a very wise idea, and FileVault works very well. FileVault is an option whether you use mobile accounts, synchronized mobile accounts, or portable home directories, or external accounts; we can use it in any of those flavors.
You can make a master password a requirement. A master password gives you a backdoor password in case the user leaves without telling you his or her password, or they forget. And obviously you can enforce the usage of FileVault with Managed Preferences. Another thing that we gain when we use FileVault, because it's an image on the laptop's hard drive (usually it's a laptop, it could be a desktop machine as well), is quotas.
We can enforce quotas from the server locally, and there are two options. One is you can set arbitrary numbers depending on the machine or the user that logs in, or you can take the quotas out of Workgroup Manager that have been assigned per user and enforce them locally using the FileVault image.
Tony mentioned the guest account earlier, we introduced that in Leopard and that's a really nice feature, you just have the generic account, it gets wiped at logout. You can manage the guest account using computers or computer list Managed Preference settings. And you can apply managed settings, you can do some things with the user template as well.
But sometimes you may want to have a more varied user experience or a more specific user experience depending on the task that's at hand. Imagine you have a classroom and students come in for one class, you may want the management settings to be different for that class than for another, and then you won't get very far with the single guest account. Using mobile accounts, we can actually create kind of multiple guest accounts.
If you use a non-syncing mobile account that logs in, it creates an empty account from the user template, and then the user works on that. And you can have all users logging in to the same account and you get multiple copies of the same mobile account. And then in Workgroup Manager there's a setting that says expire this account after a certain number of days, which means if the user hasn't logged in for a certain number of days, well then delete that account, I don't want it messing up all of my Macs.
If I set that to 0, it means delete this account at logout, which is basically guest account behavior. And I can use the local template to do some management and MCX, and I can apply individual Managed Preferences settings to each of those accounts to basically gain multiple guest accounts. We updated the sync UI, it's not called login and logout sync and background sync anymore, we changed that name, it is now the preference sync and the HomeSync.
The reason we changed that is because we gave you more granular control and you can now decide when these synchronizations happen. So calling it login and logout sync if it may not happen at login and logout didn't really make sense anymore. Nevertheless, we give you two options of doing this, and they're basically the same, but one is intended for all the files that are probably open in the background, preferences, files, databases, mail, and they can't be synced while the user is working. And the other one, the HomeSync, is intended for the files that can be synced while the user is working. And even though the default settings in Snow Leopard when you open Workgroup Manager have all of these enabled, you want to disable background manually for the preference sync.
And then for the HomeSync you basically have the control. So if your users are complaining that the logout sync is taking too long and they don't want to sit there waiting for the progress bar to proceed, you can disable the logout sync, and it will take longer at login, or vice versa. We updated the conflict resolution dialog and it now actually gives you a QuickLook preview of the file in question.
[ Applause ]
We've also kind of clarified the options that you have in the menu, and we've assigned hot keys so you can quickly go through that dialog if you have a few dozen files that need synchronization. And even from this dialog we can now exclude this file from future syncs. I don't care about this file, just don't synchronize this, that's the Exclude from Syncing, Command-E, at the lower level.
Still, there will be users that are challenged by this. We tried to make it very simple, but they will be challenged. So one of the things you gain when you add the ManagedClient.app to Workgroup Manager is, in the HomeSync category there, you gain options for controlling this conflict dialog. And you can basically suppress the conflict dialog and make the decision for the user.
You can say the mobile account on the laptop always wins, or the network account on the server always wins, and don't show that dialog and confuse my users. Again, this is a little easier to set up; we could set that earlier in Tiger and Leopard, but the manifest UI makes that a little more controllable.
We get asked a lot about best practices, What do I synchronize? What don't I synchronize? And there's really no generic answer. It really depends on how much storage space you have, how much network bandwidth, what your users expect to be synchronized. A good rule of thumb, at least for education, that we've sorted out is to synchronize Documents and the Desktop because those are the files that we care most about, and that users actually care about.
Especially on the desktop, we tend to put things we work on, on the desktop. And most admins exclude the media folders; Movies, Pictures, and Music, not because they're not important, but they tend to be very big, and we certainly don't need copies of everybody's iTunes library on our server.
We'd have to sell you storage for that. And the point is no matter what you do and which rules you set up, you need to inform the users about that, the users have to be aware this is a synchronized folder and things that are in here won't be synchronized. There is the possibility in the sync rules to exclude by wildcards, which gives me the option to synchronize by extensions, by file type.
So the temptation is there to not synchronize .mov files or .wmv files, which seems like a great idea until you run into the following problem: a lot of applications, including Keynote '08, store their files in a package which is actually a folder, and if someone drags a movie into their Keynote presentation, the movie will be selectively not synchronized, and they will end up with a broken Keynote presentation. Keynote '09 and iWork '09 actually changed the file format, they now use a big binary file format because it had other issues. But old Keynote documents or third party and other applications still use the package format because it is very flexible.
And if you synchronize by file format, you will break those packages or you might break those packages. Background synchronization, it can put some load on your server and you probably want to distribute that. What we've found from our experience is that higher background synchronization frequencies, shorter background cycles, actually distribute the load much better over the server than longer ones.
Especially in classroom deployments or labs where you have a certain rhythm anyway, like an hourly rhythm when everybody opens their laptops and closes them again, you want to select background sync cycles that are much shorter than the classroom cycle, on the order of a few minutes, 7 to 12 minutes.
Another option is to switch to manual synchronization which basically takes the load out of the server until the user decides, Well now is a good time to synchronize my stuff with the server and make sure that it's up there, but again, you have to train the users. It's a manual process which usually means it doesn't get done ever, so...
[ Pause ]
Yeah. The same with the logout/login sync or the preference sync, certain files cannot be synchronized when the user is logged in because they will be open, they will be used all the time.
So if you want to synchronize, if they're important to you and you want them on the server and copied from machine to machine, you have to train the users to log in and log out occasionally, which may be especially hard with laptop users. This is my Hasselhoff/Baywatch slide.
[ Laughter ]
Eventually you may come to the point where, if you've been experimenting with the HomeSync, you decide for some reason you want to disable it, you don't want to use it anymore, the mobile account part is good enough for you.
And a lot of people run into this, when they disable it, they go into Workgroup Manager and switch the management from always to never. And then synchronization isn't turned off, because all you did is you turned off the management of the synchronization and the client, since it's now unmanaged, will keep doing what it did. So what you have to do is you go into Workgroup Manager and disable all the sync options. And just to be on the safe side, you probably want to go into the next tab and set the background synchronization to manually.
And that's the way to completely turn off the synchronization. Some applications, and I really don't want to dis Firefox here, it's a great application. But Firefox doesn't respect our preferences database, our preferences system, they use their own because it's a cross platform application. So I can't manage Firefox using Managed Preferences in Workgroup Manager.
The solution to that, obviously if I have a distributed system with lots of people and different home directories, is to manage the user with the template, so I go back into the /System/Library/User Template folder and put the important folder for the Firefox preferences in there. And there's other applications that do that.
Another thing that's important for HomeSync is applications that have large binary files, large binary databases, Entourage is one of them, it stores everything in one big database. And if I get one email, it will synchronize the entire database back up to the server. You probably want to exclude those from your synchronization.
Email, it's OK to exclude it because IMAP will probably take care of your email synchronization from client to client, but you'll have to find solutions for that, and they're different depending on the application and what you're doing. The same for VM solutions, Parallels and VMware Fusion, they're switching to a file format which is one big, huge whopping disk image, but it's drive to disk image, but even those drives are still big enough that they will probably extend your synchronization process too much. And then finally there's the temptation or the desire to put your home directories on Xsan. And this used to be a big no, don't do it, we're working on it, there are slow improvements, but we're really improving the system.
If you're using network home directories, Xsan works well as a backup medium. We've done a lot of optimizations in Xsan 2, 2.1, and Xsan 2.2 that will improve the performance with lots of small files. Portable home directories are an extra challenge. As I said earlier, when I do the HomeSync for portable home directories, the client will scan the network home directory for the changes, and that puts a huge load on the metadata controller. And if you have multiple users coming in through multiple file servers connected to the Xsan, your metadata controller is going to be the bottleneck.
Xsan 2.1 in Leopard does not support FSEvents, so we can't use server-side file tracking. Xsan 2.2 will support server-side file tracking, but each server that's attached to the Xsan will only see changes that the server has done. So you really want to make sure that one user sticks to one server even across sessions over multiple days, so you could use server-side file tracking.
And in general, we've seen that the performance with lots of small files on Xsan is less than in direct attached mode. So unless there's a huge requirement for a growable file system, we tend to recommend direct attach mode and carving the storage into LUNs rather than Xsan, for home directories.
Another question I get very often and I actually got it this morning, or I didn't get it but the people in one of the other sessions this morning got it is, Well this entire synchronization thing sounds really great and I'd like to use it, but all of my users already have a laptop and they have local accounts. And I would like to take that data and move it to be a portable home directory.
So I'm going to use Tony's admin account that's on an external drive and show how you can promote a local user to a mobile account or even a portable home directory. Since we wanted to show you the completely empty login window earlier in the demo, I don't actually have a local account, so I need to create one. And as usual, when you quickly need to create a user, you have to think of a name very quickly. Steve Hamon flashed over my slide earlier, so I can use...
[Armin] You think I should do an anagram of that? Let's see, Steve Hamon used an anagram on Sal yesterday. Coincidentally, I have a file here...
[ Laughter ]
[ Applause ]
Honestly, when I look at these, I don't know, it may be my English, but I don't think we can use these. Oh, this one is great, "have amnesty." That's fitting.
So...
[ Laughter ]
[Tony] [inaudible]
[ Laughter ]
So I'm creating a local account and now I'm assuming that this local account will live on this machine for a while to create data, put everything in the home directory. We'll just work with that for a while, and I can go in and I can do an `id` on that user. And it has a UID of 501 because this was a completely empty machine. So it's probably a local user, that's always a nice way of checking this.
I can go into the user's account and see that this is my Home folder obviously as we'd expect it to be. So this has worked for a while and then now I want to change this into a network managed mobile or portable home directory. And actually the UI helps me with that, it's really not that difficult. When I go in and delete the local account, because that's obviously the first thing I need to do to make room for the network account.
It will give me the option of what I want to do with home directory, do I want to archive it in a disk image, do I just don't want to change the Home folder, don't touch it, or do I want to delete the folder? In this case I want to select don't change the Home folder and I say, OK, and it will remove the user directory database, but it will leave the home directory more or less untouched.
If I go in and do the `ls` again, I see that it added the word "Deleted" to the Home folder just to notify me that this is an inactive Home folder, and I don't want to use that. So this is the first thing I want to change, I want to rename the Home folder. Well, the first thing I want to check is, I need obviously to prepare my network home directory.
So coincidentally if I do an `id` on amnesty right now, I actually have a network user account, you can see it's a 1030 ID, this is hosted on my server, and this is ready to swoop in and be the mobile for this user. So I need to adapt the Home folder name - oh wait - to match the short name of the user, and I need to make sure - because I can see up here now that this Home folder is orphaned. The owner is the user ID 501, this is an orphan folder, nobody really owns it.
And when the user amnesty logs in, the network user amnesty now, I want that to take over possession of the Home folder, I need to prepare the Home folder. And that's it, that's all I have to do. I've prepared the Home folder with the existing data. And please do a backup of this before you start messing around with a user's data.
[ Laughter ]
But I've prepared the Home folder to be converted into a mobile account, and if I now log out and log back in, then log in as amnesty - have amnesty, the system will detect that there's an existing Home folder and it's primed for this user, and it will just take that and start the synchronization process.
Now if you have data - hang on - if you have data on both the server and the client, this will generate a ton of synchronization conflicts, so you'll probably want to find a solution around that, and make sure that either the server or the client is empty before you attempt that.
In this case, I'm getting the dialog, we can suppress the dialog with Managed Client, but I'm just going to go ahead and say I want to do a mobile account, and it will now connect to the server and start the first synchronization process. With that, I'm going to hand it over to Dave Douglas, who is a systems engineer for Southern California Education, and he has a small school district he wants to talk about with us today.
[Dave] Thanks, Armin.
[ Applause ]
Great job.
[ Applause ]
[ Laughter ]
So we've gotten a great overview about home directory strategies and theories. I'd like to take a minute to try to put a face to different folks and customers that have been leveraging these technologies, and some of the specific reasons why. I do manage this school district in Los Angeles, it's the second largest in the country, second largest by population, largest in geography, we take in at least 1,000 units every month.
And as we're seeing all these systems come in the management style, it's completely up to each school to determine how they're going to implement the technology, how they're going to choose which technical coordinator is going to do that. Some schools are Active Directory, some schools are running Open Directory, some are unmanaged. And so as we looked at different things that were going on, we wanted to go ahead and profile some of the different environments.
Now again, these are all different education sites, but I hope as you look at these different settings and the reasonings behind them, you'll see potential linkings between maybe your organization that may not be education, but the relevancy to how it can help your users because ultimately these home directories are here for them.
[ Laughter ]
[ Laughter ]
All right, so guest accounts. So you know a lot of different guest accounts, don't really need to go into much more detail.
Specifically, the school where we were seeing a lot of success, one of many different ones, is a school called Wilmington Middle School, we've got 2200 students, three Xserves running the infrastructure, about 400 Macs, and a mix of wired and wireless network, but that's kind of normal. What's special about this particular school? At Wilmington we have a huge growing thriving community both of parents and folks living around the school that do not speak English.
And as they come to drop off their kids and other things, they all of a sudden recognize all the resources and infrastructure that's there. And so the school has gone ahead and adopted an English language learning school that's after hours. And so if we have parents or grandparents or other folks coming in, the school has decided to service these folks and help them learn English.
Of course when they're doing this work we want to purge what they've done after the fact, and so the guest account is a nice solid fit. To manage the experience of course, we're leveraging Workgroup Manager and all the different pieces of Managed Preferences. As we were going through different configurations last year during our config time, we didn't know about this guest account feature and the multiple guest accounts, so what we'll be looking at doing this summer as we look at refreshing the rollout is specifically looking at using the mobile accounts with an expiration set of zero so that we can have different user experiences, so that we can manage having a different Dock setting, even potentially having different languages so that we can have the operating system run in this language or that language, and be able to manage all of that without having to be burdened by the single computer group and the single guest account.
Mobile accounts. Again, we've had plenty of background on mobile accounts. The school I wanted to talk about in terms of the actual usage of mobile accounts is King Middle School, we've got 2500 students, 750 Macs. We have 400 students in a magnet program focusing on math and science, and they're working on carts. The network is wired and wireless, but they only have two Xserves, and the network is fairly slow and limited. And as we looked at the different solutions, it ultimately came to a decision that mobile accounts were going to fit, and that was ultimately because of speed.
I know all of us have been reading, we're doing our Twitter, our Facebook, and email, and our own level of attention deficit disorder is getting incredibly high, and every second feels like two minutes. And this can have a real impact to the learning environment, and our users have less and less patience. So how do we serve users to get them in and learning or getting them productive as quickly as possible? And so the mobile account really ended up being a win here.
Not only do we of course get that ability to get them in and learning quickly, but we still get all the directory help. We can manage the passwords, we can even manage acceptable use policies. If you're not authorized to use the machines, you can't use them until then. We still have all that flexibility.
Of course we're not leveraging synchronization, and so in this case here, our data is somewhat at risk because they were just sitting on that machine, I have to visit that machine each time. If I do cross between different systems, I've got to take advantage of their USB thumb drive or I've got to go ahead and use the file servers to move data back and forth.
The nice part of course is that if the system were to go offline, we were doing something in the field, doing science work, we don't have to worry about the network going down. Redirected accounts. Redirected accounts has been very popular for a major switch for schools, it's a big win for us. In 2008 summertime, we ended up going ahead and it was a full wholesale platform change. We ended up getting 550 Macs and all the PCs went out, and it was time to switch platforms.
So you can imagine all the different challenges and concerns about, Oh, how am I going to do this, what are the different choices? We have 2400 students to take care of. The implementation is almost all wired, but some pockets are wireless. And we have five Xserves to go ahead and try and power this infrastructure.
So why did redirected accounts work for them? Well they're coming from Windows, and there's a lot of different challenges in this big tectonic style of change. How do we make this comfortable for them as they're trying to work through all the different challenges, professional development, helping all of the different people deal with this big change? Redirected accounts of course makes it very comfortable for the Windows admin who had to learn a whole new language essentially in terms of server management. When we look at our Windows profile and our Mac home directory, there are some distinct differences of course.
Most of us, if we've had any exposure or deal with actively managing Windows systems, we understand the concept of a Windows profile, and we have a My Documents folder. With the Windows profile of course, I've got maybe My Desktop folder, preferences and settings, and quite often in Windows deployments these are disposable, we throw them away. If they're local to that system, then we'll just keep purging those.
Of course, at the same time we're going to map that Z drive or R drive and we're going to have that My Documents folder mapped so that if I need it, you know, everything that they're going to do, their My Documents folder is there. Of course in Mac OS X it's all inclusive in the giant umbrella of the one home directory.
With redirected accounts of course, we can provide that same type of experience where we can move things like Library Safari caches, put that into a disposable location while making sure that everything that is supposed to be on the server from the Windows admin perspective is right where it belongs.
So My Desktop, My Documents folder, those are on the server as they should be. We didn't want to forfeit the ability iLife. So as we looked at OK, what are we going to do? we went ahead and moved these media folders to Users/Shared and then the %@ sign. That gave us an ability so that if you did have a desire to do multi-media, go back to that system and at least you can do the media.
You can deal with your video editing projects and not have to necessarily fill the server up. And again, part of the other pieces of why we went ahead with redirected accounts is also we didn't have to deal with the user training of conflict syncs. Because one of the things, if you think about it, it's very tempting to go to the Managed Preferences manifest - I want to say the local home always wins. In practice, I've found that typically you're wrong about 20 percent of the time. And so it's a question of who was wrong at that time, what data got stomped on that really didn't need to be stomped on.
So something to be wary of if we go ahead and just answer that question. I'm really excited, we did not have this luxury of the Quick Look option during conflict resolution. I think that's going to be a major win to help us more seriously look at using the synchronization of portable homes. Talking about portable homes, back to Wilmington.
This time we're talking about the 93 faculty members here, and this is really because everything that's going on with these teachers is, they end up getting all of the work the students are producing. So whether it be podcasts, essays, everything, it all ends up on that teacher workstation. The teacher workstations end up going home, these little laptops and little MacBooks.
And then on top of that of course, they may need to use something in the wired lab and have a resource, it's only available there, and they don't want to have to move that around. So a combination of network, portable homes, but the important thing of course is we can have everything backed up.
And I want to reiterate of course, portable homes is not a backup solution in and of itself, it's a delayed sync mirror. I delete something here, it's deleted on the server. I sure hope you had an archive, right, because the idea is when we're dealing with backups is I need redundancy combined with an archive. So as we're looking at portable homes, it's a part of the solution, not an exclusive solution in and of itself. Finally, I want to talk about external accounts.
This is a very exciting opportunity that we've been seeing specifically at Garfield High School. If anyone has seen the movie "Stand and Deliver," this is the high school from that movie. We have 4,000 users, 330 Macs, 500 students are actively using USB thumb drives as their home directory, and they only have two Xserves.
[ Laughter ]
It's a legacy network, their wireless network hasn't come in, they're still waiting for some of their federal funds and their rollout of different pieces, and there's no ability to make - even if they spent 15 grand on centralized storage, put 14 terabytes in a cabinet, nobody can get to it quickly.
So it ends up being a poor investment to put the resources there. Instead, using the USB thumb drives we can go ahead and put that storage, those gigabytes, in the student's hands and let them login. Of course at Garfield today, we've got a couple teacher's assistants, students who are off hours, and their job is to format thumb drives.
[ Laughter ]
I got halfway through writing a script for it and then it was like, I don't know who's going to put the thumb drive in at the wrong time and format their thumb drive, so we've decided we're just going to let the kids learn how to use Disk Utility really, really well. And so...
[ Laughter ]
Obviously when we get to Snow Leopard it's fantastic to hear that we'll be able to use FAT32 drives, so that can really help. And it really brings me to my last point about the power of these USB external drives, especially in an environment where you're low on resources.
So that's the demo here. I want to go ahead and, even though I saw a bunch of hands who have done this, there were still plenty of hands that hadn't seen this, so I think it's still relevant to show you. When one of these students at Garfield goes ahead and they're done for the day and they take their thumb drive with them and go home, what is the experience of that thumb drive when I get home to my Mac? So I have my thumb drive here, I'm going to go ahead and plug this in.
Now this Mac has, I could take the time, I'm not going to, to show you that Directory Utility has no concept of the server. This is a system that's out of the domain, it's not bound, it's not even on the same physical network, and it's mimicking what you'd see out of a system that's at home.
And so now what we've found is we've found a user by the name of Ken, he's on this external disk, and it's like, Did you want to allow this person to use this system? If I click Allow, it's going to ask me for admin credentials, and admin credentials are for the domain. The admin credentials of this iMac or MacBook that's sitting at home in the kitchen.
And so in this case I'll go ahead and authenticate with the local admin of this unit. And with any luck here I'm going to go ahead and see - there's Ken. And then what's the password for Ken? The password is the synchronized cached password from my domain login.
So I still have that control, so the password that I set is still there, the Managed Preference settings that I went ahead and said that Ken's Dock has to do this or that, all of that is still intact even though I'm sitting on a USB thumb drive on a system that knows nothing about my domain.
So let me go ahead and authenticate. I've logged in, my Dock is over on the left, and I have my experience the way that I want using this USB external account. All right.
[ Applause ]