IT • 1:07:17
Apple Remote Desktop is the best way to provide system management for the Macintosh computers on your network. Learn from the experts how to optimize Apple Remote Desktop for various networking topologies across NATs, LANs, and WANs. Discover how Task Server can help manage your mobile computers. Come for the latest tricks for easing your system management duties with the Send UNIX task.
Speakers: Mark Whittemore, Brian Ganninger, Doug Richardson, Steve Hayman
Transcript
This transcript has potential transcription errors. We are working on an improved version.
My name is Mark Whittemore and I manage the Apple Remote Desktop Engineering Team. I am very happy to be here today to share with you the work that my team has been up to recently. So I would like to start things off by spending a few minutes reviewing what it is that Apple Remote Desktop does, and then in order to give you as good an experience with Remote Desktop as possible, we would like to cover three very important topics that are going to give you the knowledge you need to deploy this very important application in your organization. And lastly, in order to maximize your day-to-day user Remote Desktop, we are going to show you some great techniques that are going to allow you to automate the management of your Macs.
[ Silence ]
[Applause] OK, Apple Remote Desktop is a full desktop management suite that gives any administrator responsible for managing a network of Macs the ability to distribute software, create software and hardware reports, provide online real time support to your end users, as well as automate routine management tasks.
As a system administrator, you need to be able to make sure that all of the Macs in your organization are running the correct version of the software you have installed on them, as well as making sure that you have the operating system and security updates installed on them. In addition, you need to install configuration files or basically any type of file at all. And Remote Desktop gives you the ability to do this by allowing you to install packages and copy files and delete files.
Now you also likely have the need to be able to queue up the installation of software on machines that are not currently online, and Remote Desktop gives you the ability to do this as well by allowing you to configure another machine that you have Remote Desktop installed on to act as a Task Server. And a Task Server allows your administrator console to delegate the responsibility of installing the software to that other machine, which will then install it on the machines that are both currently online and on machines that come online later.
So let's take a closer look at how this works. So I as the system administrator have a package that I want to install. I set up another machine, I install Remote Desktop on it and configure it as a Task Server, then I configure my administrator to use that machine. So now when I start my install package task, that package is then delegated to that Task Server and it will go ahead and install it on all the machines that are currently online.
Then when my machines that are offline, such as my laptop, come online, they contact the Task Server, and the Task Server will go ahead and install the package on that machine as well. Another area of desktop management is making sure that you have up-to-date and accurate information about all the Macs in your organization.
Whether this is-- so you also need to know what software is installed as well. For instance, let's say you want to install the next version of an Adobe created suite or Snow Leopard when it comes out in a few months, you want to make sure that the Macs in your organization meet the correct minimum system requirements, such as make sure you have enough RAM in them and making sure there is enough free hard disc space, and Remote Desktop gives you the ability to do this as well.
You can create software reports that let you know what versions of software are installed on your machines, hardware reports that for instance can tell you how much RAM they have, how much free hard disk space. You can also export this data if you want to use it in other applications. And if you want to do real time online searching of all the file systems in the Macintosh organization, you can use the remote Spotlight search feature.
So let's take another thing, just like the installation of software on machines that are not online, you may also have the need to get the same reporting information when your machine is not online, and Remote Desktop allows you to do this as well. And just as with the installation of software for offline machines, the Task Server plays an essential role for getting report information from your machines that are offline. So let's take a closer look at how this works.
So as before, I set up another machine to act as my remote Task Server, and then I configure with my admin console to have all my client machines build their report cache data on a regular basis and have this uploaded to the Task Server, because this machine is always running. My administrator may not always be running.
I may not have it on a Mac Pro, I may have it on a laptop machine. So now when I want to request a report, such as a system information report, my administrator contacts the Task Server, which generates those report results and sends it back to my admin machine. So even if one of my machines, such as this laptop, is offline at the time, I can still get the information I need, and I can continue to do the planning that I have to do.
When you have as many Macs as you all do, those machines can be spread across a floor or a building, across town or even across the country, and it isn't really practical to get up and walk over to these machines, touch each one of them when you have to restart them or set the startup disk, so you can do a NetInstall.
You need to be able to perform these operations remotely and often times against a set of Macs, and Remote Desktop gives you the ability to do this as well by allowing you to remotely set the startup disk, being able to restart or shut down, sleep/wake machines or be able to power on Intel Xserves that are configured with lights-out management. Now one of the most powerful features, one of the most powerful remote administration features of Remote Desktop is the Send UNIX command.
This gives you access to a wealth of command line utilities for which there is no graphical user interface equivalent, and Remote Desktop has over 40 presets for these types of command line utilities that are very useful for remote administration. So far, we talked about the tasks you perform on the computers that you have in your organization, but in most organizations, computers have users, and users need assistance as well. And it is very convenient to be able to take a look at the screen-- a user screen when you are helping them resolve a problem, because it significantly cuts down on the amount of time you need to spend resolving that problem.
And Remote Desktop also has capabilities to let you do this as well, by letting you remotely control another user's screen or just observe it, or observe many screens at once. Now you can also drag and drop files between your desktop machine and the Remote Desktop-- the remote computer screen as well. For instance, if you have a log file from console that you want to bring back to your machine in order to analyze later on when that person's machine is not around.
So as any good system administrator knows, the key to their success is the ability to automate and write scripts for tasks that they perform on a routine basis. That is why Remote Desktop has a rich AppleScript dictionary and over 30 automated actions, as well as you can also create your own automated actions to increase your productivity even further.
So far, I have talked about how powerful a Remote Desktop is, but we have also worked very hard to make it easy to set up and configure a Mac, so you can begin managing them. Remote Desktop has the ability to let you find the computers in your organization very quickly and add them into the administration console so you can start managing them. You can start organizing them into lists.
You can even create smart lists, so you can filter what machines show up on those lists based on criteria that you specify. You can create saved tasks for routines that you perform regularly on a set of machines. You can organize these lists and these saved tasks as different groups.
And you can also centralize the administration of the usernames and passwords that you use for managing this system by using directory based authentication. So now I would like to spend a few minutes giving you a demo of how you can use Remote Desktop in a couple different scenarios.
And my first scenario is going to be sort of a teacher scenario in which I am going to distribute a file out to a set of machines, have my students work on those files, get that file back and then clear it out, and get the machines set up for the next class.
So I have gone ahead and set up a group called member class tasks here, which has a set of tasks that I am going to be performing on a regular basis whenever I teach this class. And here is sort of the set of machines that I have got. I have created this list with all the machines that are going to be in this class. One of the first things I do when my students come in is, I want to lock all of the screens, because I don't want them fussing around with them.
I just want them focused on what I am talking about. So I go ahead and do this, and for those of you who can see the machines up here, you can see that they are locked. Now the next thing I want to do, I am going to be teaching a class in Numbers, so I have got an example spreadsheet that I am going to be sending out to those machines, and I have set a task up here that is going to-- I will go ahead and show you the task up here.
It has got this copy of the personal budget example, and it is going to copy it to the desktop of all of these machines, and then I set it to automatically open as well. So I am going to go ahead and execute that command, and now I want to make sure that is actually getting opened up on those machines, so there I can see that the example is open up on all the machines.
So that looks good. So now I have talked a little bit about what I want the class to do, and I am going to go ahead and unlock the screens and now they all have access to that stuff, so once the class is over, I want to go ahead and collect all of the work that everyone has been doing.
So once again, I am going to go ahead-- well I would at this point probably log off the screen in order to keep them from continuing to do stuff, and then I would quit the application, which I am going to do here. I have created a UNIX command to go ahead and quit it, and I am going to just show you here so you can see how this is going to work.
Now that, boom! all the applications quit, now I am going to grab that file that they have been working on each of their desktops and bring it back to my machine. The easiest way for me to do this is just to find them all with the Spotlight, push budget example, boom! give it a second to find them, OK, select them all, and say Copy to this computer. And I am going to go ahead and specify attach here on my desktop. I have got a members class student folder here and what I want to do is rename each of the items as they come in so they have all got unique names.
So that happened very quickly, but here you can see all these items were copied, and if I go check out on my desktop here, I have got all those files. Now that we are done with that stuff, I am going to select them all and delete them, boom! like that they are gone, Spotlight updates, you can even see-- take a closer look at one of the machines here, you can see it is off the desktop. So that is what I would do in order to get my files out to the classroom, keep people from using the machines when I want their attention focused on me, and then get the results of their work back onto my computer station.
So my next scenario is more of a system administrator scenario, and I have got a user who said they had a problem with one of their-- with being able to open a document that someone gave to me and they said, Oh I can't open a Numbers document someone gave to me, I don't have the correct version, can you help? OK, so one of the first things that I am going to do is, let's see here, I think it was this machine here, is go ahead and run a software difference report-- or sorry, a software version report on this system and then compare it to the copy of Numbers that I have got on my machine, and I see, Yes indeed, his remote version is 1.01 and my version is 2.0.2. So to resolve that, I am going to do an install package on that machine.
[ Installing computer package ]
And I have got a folder with my current installers and I have my iWork installer here. In this case, I am going to select running this operation from my Task Server. In this case, my Task Server happens to be the same as my administrator computer, but I could also have a remote one. The reason that I want to use my Task Server for my install is because for one thing, my administrator machine may be off, in which case I would definitely use the remote one, but also in case Tim's machine goes off.
He may have a laptop, he may close it and go away. I want to make sure that this installation eventually succeeds, and the Task Server is going to keep trying to do that install until it finally succeeds, so I am going to go ahead and get this going here.
So in the background here, you see that my machine is, as the progress indicates, is sending the package over to the Task Server. After it gets over the Task Server, it is going to contact Tim's machine, and it is going to go ahead and update it. So I am not going to sit here and wait while that is happening, we are going to move on and take a look at something else.
So one of the other things I may do as a systems administrator on a semi-regular basis is take a look at the software that is installed in the machines in my organization to make sure there isn't anything installed out there that we are not licensed for. So I am going to go ahead and select all of these machines, and this time, I am going to run a software difference report. I have got in my applications folder the software that I know we are licensed for.
So by comparing their machines to mine, I am going to be able to pretty quickly determine if someone has got something installed in their applications folder that doesn't belong there, because I want- I am going to go ahead and sort this stuff by path and then by the difference, which is going to tell me in this case extra, extra means things that are installed on someone else's machine that aren't installed on mine. Now in my case, I happen to have a Snow Leopard machine and these are Leopard machines, so there are going to be some differences. And in this case, I know this is quite a few applications.
Actually, it is all the machines that are not installed on mine, and there was one thing in particular that I knew was out there. I guess I must have picked some machines that have more stuff than I was expecting. But in this case, let's say you know this ODC app isn't supposed to be out there. I can go ahead and select it here, and I can say delete selected like that, and then we would go ahead and come back here, and we can see on these machines, on Tim's Mac for instance, those items were deleted on the other machines, they weren't there.
So as a demo, how you can use this thing in both kinds of a teacher situation and as a system administrator example. So the current version that we have right now is Apple Remote Desktop 3.2, and it came out October of 2007. It included Leopard compatibility, some more improvements for screen sharing performance, also a lot more-- better keyboard support and improved file copy reliability.
So what we have been working on recently is an update to Remote Desktop, version 3.3, and it has actually got quite a number of enhancements in it. We changed how or we added managed client settings, which I am going to bring someone up here very shortly that is going to talk about that stuff. We have added support for NAT networks, quite a bit of support for that, also support for Wide-Area Bonjour.
We will go into that some more. We have added new Task Server-- new scanner types, both Task Server ones where all of your administrators that share your single Task Server will see all of the machines that other administrators have added. So it can act sort of as a central pool, [applause] so you don't have to have everyone go out and find these machines, OK.
The other thing we added was this DirectoryService scanner, which is kind of a filtering mechanism on your Task Server scanner wherein if your administrator is bound to a directory server, all those computer groups that you have set up with Workgroup Manager, and you have organized your computers in them that can act as filters and you will be able to see each of your computer groups as they pop up in the scanner, so you can create these scanners and...
[ Applause ]
And when you combine that with some of the stuff we have done with managed settings, you are going to be able to deploy-- it is much easier to deploy Remote Desktop across your organization and give people just the kind of access that they need once you get 3.3. We have also added some enhancements on how our reporting works.
Now we just have a single cache policy on a client, rather than each administrator creating their own cache policies, and you end up with like 5 of these things, every time someone adds a machine, they end up with another cache. We have a single one that all administrators see, all of them can edit it, and no longer when an administrator adds a machine do they force their default cache report if one is already set.
So it is only if a machine doesn't have one that your default one applies, so this is really going to improve your ability to manage how report caches are built on your clients and being able to reset if they are not in the state you want them to be in.
We have added some additional Automator workflows. We have added services support, Snow Leopard Services support to the Remote Desktop, a very cool addition of which we are going to see a demo of later and as with 3.2, shipping with Leopard 3.3 is going to ship with Snow Leopard.
So I would like to hand things over to Brian Ganninger for a little bit, who is going to talk about things you want to consider in configuring both your administrator and your client when you are going to be deploying them in your organization.
That way you can centralize as much information as possible to simplify future maintenance. When you are deploying your Remote Desktop, there are three components you will want to keep in mind. There is your administrator console, which is your primary workstation, the clients you will be managing, and your Task Server, which is the designated intermediary for delegated tasks and reporting info. As you are preparing your deployment checklist, here are some questions you will want to consider. Do you want to use a common Task Server? That way all of your administrator consoles share the same reporting data and client information.
Do you want to use a common default reporting policy for your admin consoles? Or is it OK if they all have their own custom ones? Would you like to force a common reporting policy for all your clients? And once you have done that, would it be beneficial to go ahead and restrict where that reporting data is actually being sent back by setting a Task Server whitelist? If your administrator consoles are used in pre-configured environments where scanners aren't really necessary, you can go ahead and disable these by limiting the scanner types.
And you also want to ask, Do I want to use additional security settings when I am performing tasks with a Remote Desktop? You could go out and configure each of your administrator consoles and client computers individually, but this can be tedious and error prone, and as you can imagine doesn't scale very well. To make this easier, you can go ahead and use managed preferences. For those who aren't necessarily familiar with this technology, I will go ahead and provide a brief overview.
Typically, your clients are all individually configured, each with their own preferences, but instead with managed preferences, we will go ahead and use your administrator console and Workgroup Manager to configure your preferences, which are then saved to your directory server. Once your clients bind to the directory server, the next time they log in, they will go ahead and pick up their new preferences. In addition, once you make changes and the next time they log on, they will go ahead and pick up your edited preferences. You no longer have to go to each of these clients by hand. In addition, users can't inadvertently make changes and neither can other administrators.
It only can be edited in your directory server. The utility you will be using is Workgroup Manager, which makes it much easier to edit these preferences instead of going into the raw directory server itself, but now you are probably wondering what preferences can I actually manage for a Remote Desktop though? So I will go ahead and show you. Essentially, what I am trying to say is, all of your administrative preferences are manageable.
[ Applause ]
Thank you. The only exceptions to this are your serial number and your Remote Desktop password. For clients, you are able to manage their reporting policy, which is responsible for the categories that generate those caches, as well as the schedule when these are actually collected. In addition, you can also set the Task Server whitelist, and then the reports will only be sent back to the Task Servers that are allowed.
The report categories are responsible for the report caches. There are four of these that are responsible for the 12 reports you will find in Remote Desktop, and they break down like this. The first is the system profile, which provides data for the reports you see listed. There is also the file system cache, the application usage cache and user history.
You will want to keep in mind that whenever you want to run one of these reports, you will need to have a report cache there, so you must make sure that you configured your reporting policy to generate that cache in particular, and that you have set a day or days of the week, as well as the time to generate that.
Once you have a complete reporting policy, and that is going to apply to your clients, you are good to go. Now let's go ahead and take a look at how this all works by restricting our administrator console so we are not using some of our more network intensive scanners at WWDC, and also go ahead and set up a reporting policy for our clients in the rack.
I will go ahead and enter Workgroup Manager. As you can see I have a computer group already set up. I will go ahead and go to the managed preferences, and this contains my administrator computer. I will add Remote Desktop, and you can see now we have our preference manifests, which contain the individual preferences. Since the restricted features are applied to the entire machine, I want to edit the com.apple.RemoteDesktop preferences. I will go here and since I always want that to be present, I will go ahead and add those, and we will just add the restricted features.
You will see these aren't necessarily the most intuitive in the list [laughter], so you will want to refer to the description down here to make life a little simpler. We will go ahead and disable the Bonjour scanner and the local network scanner and the Task Server scanner is also disabled.
We will go ahead and apply that. Normally restricted features are only applied to non-administrators, but I want to make sure that no scanners are present causing too much chatter on my network. I will do this by editing a user group for my administrators, and I will go ahead and set the key there to restrict that. There we go. I will go ahead and make sure this all worked by logging in as one of our directory users.
We will launch Remote Desktop, and as you can see in the security settings, we have disabled the appropriate scanners and when we are in the scanner, only the ones that are supported show up.
[ Applause ]
[ Silence ]
I will launch Workgroup Manager again, and this time I want to set a reporting policy for the computers that are in my legal group. We want to make sure they all have this reporting data on them, just so we can keep tabs. I have already got our preference manifests, and since the reporting policy is part of the agent, we will go ahead and edit those preferences.
I will add the reporting policy, and then inside of this, we need to make sure we have the report types, so we set those, again the description field is our friend. We will go ahead and add the report type, the first one, system info, and then just for fun, we will also add the software info.
Actually, I don't need any more report cache types. Now we will go ahead and set our days of the week, let's just go ahead and set this to run tomorrow, and I will just go with the default time of 12 a.m., because I am pretty sure no one will be using these computers at that point. Let's see, there we go, now I have a valid reporting policy, and all of the computers that are in my legal group will go ahead and pick that up the next time they log in. There we go.
We have looked at how you can go ahead and configure these in a central location, but really, you can also manage these by hand or actually not manage, you will edit them by hand, so now we will take a look at how you can configure these client settings in Remote Desktop.
You will want to come back and review, as you can tell, the reporting policy, because it is incredibly important to make sure we are receiving up to date data. You will want to see who set that policy and when did they last set it, and once you know that you may want to know which administrators are actually receiving that reporting data.
That way you can remove anyone who shouldn't, or computers that are out of date. When you hit Command-I, you will go ahead and be greeted by a rather familiar looking window. It starts with the attributes tab, which shows connection details including the address that you know the computer by and the ports that you connect to it, and this is how you configure port forwarding. There is the authentication section where you enter your credentials that you use to connect to that machine and for machines that support it, such as Xserves, you can edit the lights-out management configuration here as well.
On the reporting tab, we can see the reporting policy that we have set, as well as who modified it and when they did so. On the administrators tab, we see the administrator consoles that are receiving our reporting data, we can tell whether they are online or not right now and we can see which Task Server they are associated with to receive their reporting data. The reporting policy you are viewing for that client is, as we have been stressing, singular, there is only one policy for that client.
All administrators are viewing and editing the same policy. Again it controls the reporting policies that are responsible for those report caches, and then there is also the schedule. If you set a blank policy, this will disable reporting on that client, and if you remove all of the administrators so that no one is interested anymore, it is not going to generate reports anymore either.
If you have more than one computer selected, you will see this also familiar window, which again starts with the attributes tab. You can edit the authentication information, this time for all of the selected clients, and for machines that support it, again you can edit the lights-out management configuration. On the reporting tab, you will see that we have a union of the reporting policies. In this particular case, each of the clients that I had selected had different reporting policies.
And in this case all of the fields were used, so we actually see a mixed state for all of the checked boxes and then multiple values for the time. On the administrators tab, we see a union of the administrator consoles, so that we see all of the administrators responsible for all the clients that we had selected. If you are unsure which clients are actually sending reporting data to a given administrator, you can click the details button and see which of those clients are sending data right there.
If someone doesn't belong, you can go ahead and hit the minus button and remove them from the list, no problem. They won't receive reporting data until the next time they check in with that client. Now let's go ahead and take a look at how this works by reviewing some of our reporting settings that we set earlier.
I will go ahead and launch Remote Desktop, and here, I am pretty sure Matlock is in our Legal group, so I am going to go ahead and take a look at his reporting data, and as you can see, it indicates that it is a managed setting, set by management administrator.
It is set to report on Friday at 12 a.m., and it is going to be generating my system profile and file system caches, like I expected. Since it is from the directory server and it is a managed preference, I can't edit this here, it can only be done on the server.
And now I want to make sure that finance has an appropriate policy, but I don't want to set that in the directory server, so I will just select my three computers here, get my access on those, and I will check it out. They don't have the proper reporting policy, so I will just go ahead and edit them. We will select the right ones. As you can see, it warned me that I don't have the right policy set yet, so I want to go ahead and correct that, so I am all set Friday and we are good to go.
Just out of curiosity, what administrators are going to see this, hmmm, my laptop shouldn't be here. I will go ahead and take him out of the list, and we are done. And that is how you can review client settings in Remote Desktop and keep tabs on what is going on with your clients. Now I am going to go ahead and hand you over to Doug Richardson, who is going to talk to you about discovering those clients and how you can add them.
[ Applause ]
Thanks Brian, as a systems administrator running Remote Desktop, one of the first things you are going to want to do is find and add clients to your computer library so you can manage them. And Apple Remote Desktop has various scanners that can help you accomplish this task. I am going to talk about which scanner is best in different situations, so that you can figure out the most efficient way to find your computers.
Which scanner you use depends on the following factors, one is your network topology, that is, are you scanning computers in a single subnet, in multiple subnets, or even multiple subnets with NAT routers? Another thing you can take advantage of in Apple Remote Desktop 3.3 is the Task Server scanner, so if you have multiple administrators and a remote Task Server, you can use that scanner. If you define computer groups in a directory server, you can take advantage of the directory server scanner to filter the results from the Task Server scanner. First let's look at the single subnet case.
In this example, we have four network devices connected to a common switch. Normally what you want to find are Mac clients running remote management or remote management enabled. The easiest way to do that is to use the Bonjour scanner; however, if you want to find other computers that are running, for instance, a PC running a third party VNC server, then you can expand your search using the local network scanner.
The local network scanner also returns other network devices, anything that responds to a ping. If you want to target a range of IP addresses, then you can use the network range scanner. Again, this one will return a result for any device that responds to ping in this given address range.
If you want to create an ad hoc list of addresses that aren't necessarily in a range, then you can use the network address scanner to add them one at a time. If you have them filed as a list of IP addresses, then you can use the file import scanner to import those.
And the file format for the file scanner is a list of IP addresses, one line at a time, or one at a time, or IP address ranges, or fully qualified domain names. And in this example, I have also included an IP address of a device that is not currently connected to the network, at 10.01.10. And you can add addresses that are not currently connected to the network with the network address scanner as well. Now let's look at multiple subnets. Again, the Bonjour scanner finds clients that are remote management enabled in the local subnet only.
And the local network scanner finds all devices, but still only in your local subnet. If you want to find computers that are in other networks or in other subnets, you need to use one of the other three scanners, so here is an example of using the network range scanner to find any device in your entire network that responds to a ping. Here is an example of using a network address scanner to enter in an IP address of a computer outside of your local subnet.
And likewise you can use the file import scanner to accomplish the same thing. Now let's look at multiple subnets with NAT routers. The main thing to keep in mind here is, you are not going to be able to see the clients in the NAT router's private network until you have configured port mapping for it in the NAT router.
So there are two ports to keep in mind with Remote Desktop: there is the remote management port, which runs on UDP port 3283, and there is the screen sharing port, which runs on TCP 5900. So to keep it simple, I am only going to show you mapping the remote management port. And what I have done is mapped port 13283 to client 192.1.1.20 and 13284 to client 192.1.1.21.
Now when you want to add these clients to your Remote Desktop so you can start managing them, you can't use any of the scanners; instead you have to use Add by Address. Add by Address takes the IP address, the remote management port and the screen sharing port. And then the IP address that you want to use is the IP address of the NAT router's LAN port. In this case, 10.11.200, so to add client 192.1.1.20, we are going to add address 10.11.200 and port 13283, which is the one I mapped to it.
Likewise, if you want to add 192.1.1.21, you would use the same address, but port 13284. Now let's talk about the two new scanners in Apple Remote Desktop 3.3, the Task Server and directory server scanners. So in this example, we have three computers that I have divided into two groups, finance and legal. Those groups are defined in a directory server.
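An added example for the port-mapping discussion above (an editor's addition, not code shown in the session or shipped with Apple Remote Desktop): it turns a NAT router's forwarding table into the entries you would type into Add by Address for each client behind the router, and counts how many ARD listeners those mappings expose on the WAN side. The WAN address 17.0.0.1, the private addresses and the forwarding table are constructed for illustration; the only facts it relies on are the two ARD ports the speaker names, UDP 3283 for remote management and TCP 5900 for screen sharing.

```shell
#!/bin/sh
# Editor's added example (not from the session or from Apple Remote Desktop).
# Build "Add by Address" entries for ARD clients behind a NAT router from the
# router's forwarding table, and make the WAN-side exposure explicit.
# Assumptions: the WAN address and the table are constructed; the ARD ports
# are the ones named in the talk (UDP 3283 management, TCP 5900 screen sharing).

WAN_IP=17.0.0.1    # hypothetical WAN-side address of the NAT router

# Constructed forwarding table: proto  wan_port  private_ip  private_port
NAT_TABLE='
udp 13283 192.168.1.20 3283
tcp 15900 192.168.1.20 5900
udp 13284 192.168.1.21 3283
tcp 15901 192.168.1.21 5900
udp 13285 192.168.1.22 3283
'

# One line per private client: the address and the two ports to enter in
# Add by Address. A client with no TCP 5900 mapping gets screen_port=none;
# reports and Send UNIX still work for it, but Observe/Control will not.
# Mappings that do not land on an ARD port are reported on stderr: they are
# either typos or something else being exposed under ARD's name.
ard_add_by_address() {
    printf '%s\n' "$NAT_TABLE" | awk -v wan="$1" '
        NF != 4 { next }
        $1 == "udp" && $4 == 3283 { mgmt[$3] = $2; next }
        $1 == "tcp" && $4 == 5900 { screen[$3] = $2; next }
        { print "WARNING: " $1 "/" $2 " -> " $3 ":" $4 " is not an ARD port" | "cat 1>&2" }
        END {
            for (ip in mgmt) {
                s = (ip in screen) ? screen[ip] : "none"
                printf "%s address=%s mgmt_port=%s screen_port=%s\n", ip, wan, mgmt[ip], s
            }
        }' | sort
}

# Every forwarded port is an ARD listener reachable from the WAN side. Count
# them so the exposure is visible before the mappings go live: each one is a
# login surface for anything that can reach the router.
exposed_port_count() {
    printf '%s\n' "$NAT_TABLE" | awk 'NF == 4 { n++ } END { print n + 0 }'
}

ard_add_by_address "$WAN_IP"
echo "exposed WAN ports: $(exposed_port_count)"
```

Run it against the router's real forwarding table before handing the entries to the other administrators; the WARNING lines are the ones to chase, since a mapping onto 3283 or 5900 that points at a machine nobody added to Remote Desktop is still reachable from outside.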
We also have two administrators, and they are both sharing a common Task Server. Now let's suppose that administrator one adds all the computers to its own computer list, entries are also created in the Task Server, so that now when administrator two goes to the Task Server scanner, they will also see all of those computers. In addition, if administrator two goes to the Task Server scanner, they will see a list of the two groups.
If they select finance, what they are going to see is all the computers in the Task Server scanner that also appear in the directory server's finance group. If they select legal, they will see all the computers in the Task Server that also appear on the directory server legal group. And that wraps up finding and adding clients. Mark is going to come back up and tell you how to stay connected to them now.
OK, so we have seen, how do you want to-- or things you want to consider when you are configuring your administrator console and your client machines and you are deploying them in your organization. And Doug was just showing you how you can find these machines and add them into your Remote Desktop administrator console, and I am going to talk a little bit about how it is, on an ongoing basis, to make sure you stay connected to these machines.
One of the issues that you face trying to stay connected to any machine is making sure that you always know what IP address it is, especially if it is a laptop and it is moving from one place to another, you have a DHCP server and it is always giving you a different address, so just real quick I am going to review how it is that machines end up changing their client addresses.
So in this example here, I have one machine down here at the bottom, 10.0.0.20. When that machine goes to sleep, its address goes back into the pool of addresses available in the DHCP server. Now I bring my middle machine back online, and it ends up getting the address that my previous machine had. I bring my last machine online and it gets an address, a completely different address.
Now my machines, if I knew them by those other addresses before, I can't find them right now. I am not going to be able to reach them, because I don't know what their new addresses are. Similar situation and maybe a more common one is when people move around from one building to another and you have different access points and both of these access points serve different networks, so I have got a machine here that moves over to another building, when it comes online, it gets a different address. If I was expecting to find its old address, I am not going to be able to find it now. So let's take a look at how it is that Remote Desktop handles this situation.
So in the simplest of all cases, everyone is on the same network, we are all sharing the same switch there. When I go ahead and put my machines to sleep-- or put my Remote Desktop administrator to sleep, in that case my clients change addresses. I have to find their new addresses again, OK. So we will go ahead and put those asleep, we will bring them back online, this time in iMac Two, its address changed from 10.0.0.20 to 10.0.0.40.
iMac Three changes from 10.0.0.30 to 10.0.0.50. Now when I bring my Remote Desktop administrator online, the first thing it is going to do is, it is going to start trying to find all of the machines that are currently in its list. So the current status goes to dash dash, which means it is out searching for these machines on the network.
Now because all of these machines are on the same switch, one of the new things we are doing in 3.3 is that if Remote Desktop can't find it by its last known IP address, it starts the Bonjour service resolve of the computer name. So in this case, because we are all on the same network, I can find these machines by Bonjour, and it updates the addresses and we get connected, so it is no problem.
If you are all on the same switch, Remote Desktop is almost guaranteed to find these machines again, even if it changes addresses. So a slightly more complicated situation here. Now our Remote Desktop administrator is actually on a different network, so once again we put our Remote Desktop administrator to sleep, put our clients to sleep, bring them back online, different IP addresses, admin comes online. It is not going to know where they were, based on those old addresses; they are not there anymore. It starts to search for them, but because Bonjour is not going to go travel across a different network, those two machines are going offline.
So the question is, How do we make sure we stay connected to them? How do we get informed of those IP address changes on an ongoing basis? So one solution is once again a remote Task Server. In addition to being able to use it for delegated package installs, as well as collecting your report caches, the Task Server will also keep track of the IP addresses.
One of the first things that your clients do when they wake up or have any type of network state change is to contact their Task Server and essentially inform it of its new address. One of the first things the administrator does when it gets online, before it tries to find these machines is, it synchronizes with the Task Server to get these new addresses. So now, I have got the new addresses at .40 and .50, and I am able to find these machines. So let's reset things again.
There is another way we can do this now too, because we have added support into 3.3 for wide area Bonjour. So if you bind your administrator and your clients all to the same wide area Bonjour server, which means that you are registering your addresses in these machines, the first thing that your clients are going to do when they wake up is to align a slide?
[ Laughter ]
It is to send a packet to the wide area Bonjour server and register these new addresses. Then your administrator comes online and the first thing, well it is going to try to contact them once again by the last known address.
It is not going to be able to find it, so it is going to go ahead and do a resolve again on those computer names. It is going to search the local domain name and-- basically its default domain, which happens to be in its list, because it is also registered with the wide area Bonjour server.
In this case it goes and contacts the wide area Bonjour server, it gets the new updated addresses, and then it can find the machines no problem. So let's talk a little bit about where you can place your Task Server, and what kind of implications it has, where things can always work and where things might be a little bit sketchy.
So in this example, we are all in the same network, and when my iMac contacts the Task Server to say 17.0.0.30, 3283, that is no problem, because the administrator can reach the iMac at that address, the Task Server can reach the iMac at that address and port, so we are all good. Make it a little more complicated: Task Server and administrator are on the same network, but a different network from your iMac. In this case, our iMac is behind a NAT router, so the first thing, well these slides are not in the right order.
[ Laughter ]
Let's see actually, OK. So when I added this client to the Task Server, one of the things I had to do of course is set up a NAT port mapping on my NAT router from the wide area address to the one behind the network. And I add that machine to the task or to the administrator console using that wide area-- sorry the LAN address.
When the client connects to the Task Server, it is going to come across with a different address and an ephemeral port mapping essentially, but the Task Server is smart enough to know that is not the port mapping that my administrator console told me, so I am going to go ahead and ignore that. So in this case, even when your machine is behind a NAT, still no problem, the administrator console is going to be able to contact that machine.
Yes.
[ Laughter ]
Now we are going to see basically everything I just talked about. So yes, I added that machine to the Task Server, I set up my port mapping from this case 53283 to 3283, client comes online, Task Server ignores that port mapping, because it knows the one that the administrator told it is the true one.
[ Silence ]
OK, let's hope this one goes a little bit more smoothly. As before, I reset things a little bit and I have the same port mapping as I had before. I have this port mapping from 17.0.0.1, which is the WAN side of my NAT router, from 53283 to the 192.168.1.30 address, 3283 for my client then. Now I moved, this time I moved the Task Server behind the NAT, and in order for the administrator console to use the Task Server behind the NAT, this is the one case where you have to set up a very specific port mapping.
The Task Server has to get the port mapping from 3283 to 3283, because we don't support those dynamic ports when you are contacting the Task Server. So in this case, now my administrator has added this machine that is behind the NAT and it has this address. And as well, I go ahead and I add the iMac using the wide area address as well. When I do that the administrator informs the Task Server of the fact that it has added this machine, and it tells the Task Server, this is the address by which I know this machine.
This is the address by which you should know this machine, and this is fine, the Task Server can contact the other machines behind the NAT through the wide area address, no problem. So now, I am going to go ahead and set my administrator offline. I am going to bring another administrator online, but this time behind the NAT router, and this is where things get a little bit tricky. So in this case, my administrator used a Bonjour scanner, and because he used a Bonjour scanner, he found the address of the iMac-- of iMac one with its local area address, which is the 192.168.1.30 address, port 3283.
Well just like in the case of my administrator, that is on a completely other network outside the NAT, this administrator is also going to inform the Task Server, Hey, I found this machine with this particular ID at this IP address, I want you to store that. So it ends up happening is that the address for iMac one gets updated to an address that my administrator that is outside the NAT can't use.
So when that guy comes online, he ends up synchronizing with the Task Server and getting this essentially bogus address. It is fine for the administrator behind the NAT, it is no good for the one that is outside. If he tries to contact it, you know, the router in network A isn't going to be able to reach that machine.
So you can have a Task Server behind the NAT, but be careful about putting administrators behind that NAT. They are going to be adding those machines by local addresses, because they are going to end up storing addresses in the Task Server that other administrators outside your NAT are not going to be able to reach it by.
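An added example for the Task Server placement discussion above (an editor's addition, not code from the session or from Apple Remote Desktop): it models the two address rules the speaker describes for a Task Server behind a NAT router, the identity 3283-to-3283 mapping the Task Server itself needs, and the "bogus address" problem when an administrator inside the NAT reports a client's private address to a Task Server that other administrators outside the NAT rely on. All addresses and the forwarding table are constructed. It assumes the WAN side of the NAT is routable space, so an RFC 1918 address reported for a client whose stored address is routable is treated as unreachable for outside administrators; that is the check a practitioner would want before letting an inside administrator share a Task Server.

```shell
#!/bin/sh
# Editor's added example (not from the session or from Apple Remote Desktop).
# Models the two address rules the talk describes for a Task Server behind a
# NAT router: (1) the Task Server itself must be mapped 3283 -> 3283, and
# (2) an administrator inside the NAT must not overwrite a client's WAN-side
# address with the private one it found by Bonjour. Addresses are constructed.
# Assumption: the WAN side of the NAT is routable space, so an RFC 1918
# address reported for a client whose stored address is routable is treated
# as unreachable for administrators outside the NAT.

is_private_ip() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Decide what the Task Server should keep for a client when an administrator
# reports a new address. Prints the address to store; exit status 1 means the
# report was refused because it would replace a routable address with a
# private one (the "bogus address" case from the talk).
accept_client_address() {
    stored=$1
    reported=$2
    if is_private_ip "$reported" && ! is_private_ip "$stored"; then
        echo "$stored"
        return 1
    fi
    echo "$reported"
}

# Constructed forwarding table on the NAT: wan_port  private_ip  private_port
NAT_TABLE='
53283 192.168.1.30 3283
3283  192.168.1.10 3283
'

# The administrator contacts a Task Server on 3283 only; a remapped port is
# not used for that connection, so the Task Server needs an identity mapping.
task_server_mapping_ok() {
    printf '%s\n' "$NAT_TABLE" | awk -v ts="$1" '
        NF == 3 && $2 == ts && $1 == 3283 && $3 == 3283 { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Walk-through of the scenario in the talk.
accept_client_address 17.0.0.1 17.0.0.1 >/dev/null   # outside admin adds the iMac by WAN address
if ! accept_client_address 17.0.0.1 192.168.1.30 >/dev/null; then
    echo "refused private address 192.168.1.30 for a client stored as 17.0.0.1"
fi
if task_server_mapping_ok 192.168.1.10; then
    echo "Task Server 192.168.1.10 has its 3283 -> 3283 mapping"
fi
```

The private-address test is deliberately the narrow one: an update from 17.0.0.1 to another routable address is accepted, because that is exactly the DHCP or building change the Task Server exists to track, and an update between two private addresses is accepted too, since a Task Server that only ever serves administrators inside the NAT has no reason to refuse it.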
OK, so another situation, besides just IP address changes and keeping track of those that has to do with being able to stay connected to your clients. This is the ability to wake them up when they have gone to sleep, and in the situation where machines are on another network from the one that you are on. Generally speaking you cannot wake them up.
The wake up packets don't cross routers, so in this case my administrator-- my clients go to sleep, and my administrator sends a wake up packet. The router is like, I don't know those IP addresses for those machines anymore, they are not assigned. They are outside of my ARP cache, so to solve this in Snow Leopard, we are using something called the Bonjour sleep proxy. There was another session that was talking about this, and hopefully some of you were able to see that as well.
What this does is when your machines go to sleep, they register what services, what network services they have available including Remote Desktop with that Bonjour sleep proxy machine. That sleep proxy machine then acts like those other machines are still online, and it advertises via Bonjour those services. So with Remote Desktop, those machines can still appear to be online.
When Remote Desktop sends wake packets over to the Bonjour or over to those particular addresses to those clients, the Bonjour sleep proxy will then wake up those machines and forward those packets on. So this is the first time we have ever had any support for being able to wake machines up across networks, so I think this is a really cool technology. I am pretty excited about it.
[ Applause ]
So if you want to find out a little bit more about wide area Bonjour, because we have been talking about it a little bit, here is a couple articles at AFP548.com, part 1 the Practical Bits and Part 2, Bring the Pain. I am going to hand things over to Steve Hayman, who is going to show you how to do more automation stuff with your Mac so that you can manage them in even a more efficient manner, as well as having a bit of fun.
[ Applause ]
[ Laughter ]
And you know we were going to launch it, we were going to look at the help, try to figure out what it was for.
[ Laughter ]
So, I've got to tell you that my two favorite programs on the Mac have got to be Apple Remote Desktop and Automator. And that's partly because I'm learning Mac OS X in alphabetical order. [laughter] Someday I'm going to figure out what Xsan is, I hear it's good, but I've got a couple of other things I've got to work through first. But I want to show you a few ideas of ways that a combination of these two things and this new services feature in Mac OS X can improve your lives.
Finally, with services we have a way to alter the behavior of products like Apple Remote Desktop, to make them do what we want, without having to ask these guys. So finally, we have a way to attach hotkeys to arbitrary scripts, anywhere in the computer. [applause] So if you can build a workflow that does something useful, you can make it you know, command, control, options, shift, clutch, reverse, p to do some marvelous thing to your entire network. So I want to show you a couple of simple examples of this sort of thing.
Here's Apple Remote Desktop. Here's our whole rack full, chock full of machines here, and let me pop up a little multi-observe window here on the side so that you can see what's going on. Hopefully this matches what we're seeing over there. But I don't know what some of these are.
I might like to have a handy way to identify which one of those computers is which. So let me try and build a really, really simple workflow from scratch. I'm going to fire up Automator here, my other favorite program. The way that you build a service to operate with a selected item in Remote Desktop is the same way you build a service now to work on the selected file in the Finder or to work on text that's selected in any application. Up at the top of your new service is a menu here where you get to declare, what is this service operating on. Is it operating on text? Is it operating on files? Well, this one is actually going to operate on Remote Desktop computers.
That's pretty sweet to see that in there as a starting point for a workflow. So I'm going to have a workflow that's going to somehow on these computers, cause them to display their name in some way so that I can see what's going on. Now Automator has you know, 200 kabillion actions in here.
I have made-- by the way here's a tip for you, make a smart group of all the actions related to Remote Desktop, then it's a little easier to find them. I have a smart group here of all the ones related to Apple Remote Desktop. One of them is Execute New Unix Task. So here's something that will run a Unix command on the remote machine.
I'm going to select the list of computers, then I'm going to run this service, and it runs this here Unix task on those computers. I would like to show the host name. So one way to get the computer name is `scutil --get ComputerName`, right? But that's going to vanish into the ether where nobody can see it. But I want to pipe it into this little thing I got kicking around called Big Honking Text, [laughter] which is-- and we'll run this as root, just because we like to live dangerously here.
So let's, so we'll save this service. This actually is something that's going to go into the Library/Services folder. It's going to be associated with Apple Remote Desktop, because of that very first part that says, This is for Remote Desktop. And I've got to call this one ARDWhatComputerAreYouExactly. So having done that, I've now got a service, previously installed.
When I'm over here in Remote Desktop, you have access to a list of services that are associated with Remote Desktop; they will pop up in a menu. You Control-click on one or more selected computers or computer lists and this thing pops up. If you like, you can go way up here to the Services menu, but I don't know about you, that's getting farther and farther away on larger monitors from what I'm looking at.
So with Services here, you're actually looking at something, and then you're operating on it right there. So I don't know which one of these is, let's say Warren's Mac and Judy's Mac, let's run the service on those two. Services, What computer are you exactly? And then hopefully the two of them will display their name in large letters.
Did you notice that, by the way, that they're popping up the name there in large letters. Well, well that's our show. [laughter] Thank you for coming. So there are a few other things I'd like to show you that have been, that I've previously built. Here's an example. Here's a workflow that I already did that launches a new terminal session to SSH to the selected computer. This is something I'm doing all the time.
I've got a big list of 45,000 computers and for whatever reason, I want to log in on the command line and mess around. Rather than cutting and pasting IP addresses, it would be handy to have something that asked Remote Desktop for the IP address of whichever computer I'm looking at now, and then told Terminal to go and make a new window that would be running `ssh apple@<that IP address>`. And that's exactly what this does here.
This is a simple AppleScript that is being passed from the starting point of the action, which is the selected computers. It's being passed a list of selected computers, and then it's telling terminal to activate, which pops up to the front, and then it's going to run the script SSH, and then it's going to extract the Internet address of the selected computer. This is a simple local AppleScript in this case.
There's another action that runs an AppleScript remotely on the remote computer. I'm using the one here that runs it locally on this computer. So with something like this in place, I can choose several of these machines here, and services ARD SSH here, that's going to launch terminal and create a bunch of SSH sessions connected to each one.
I must set up my public and private keys one of these days so that I can get it without a password. But you'll notice that each of these windows is actually starting a new SSH command, off the associated computers. That's the kind of thing I do all the time. So oh, please, no, come on, this is like two lines, don't clap for this, this is something you're supposed to do. You're supposed to go home and write this, write this kind of thing yourself.
We're giving you some ideas here. Maybe we want to do something a little more elaborate. Maybe we have some sort of lab setup process we want to do. We want a service here that operates on whatever computers are selected. This is sort of your reflexive starting point. You're always going to choose remote computers at the top here, and then there might be a bunch of interesting ARD related actions you'd like to toss in.
Maybe you want to lock all the screens, or maybe you want to force quit all the applications and maybe you want to disable Dashboard. Maybe you want to start an application, maybe it's time for, I don't know, it's time for the Chess Club meeting, so we're going to launch the Chess program on all the computers, and then we're going to unlock the screen. So of course you can customize this, you can you know, come in here and change the message that's going to be typed, hands off, you doughboy.
Give people, keep people informed. And then we'll save this as manipulateLab. So I will select some computers now, and it will run these six actions in order. They are not really going to do anything that exciting, but they're going to lock the screen, which you only see over there, then they're going to launch some programs and then unlock the screen.
So let's see if there's any chance that that might actually work here. I suppose there's a chance, there's always a chance. So we'll click Services, manipulateLab, and so it's going to lock the screens, and it's going to kill everything and delete the Dock or something, and launch Chess, and unlock the screens, and away we go. So I've launched Chess for the Chess Club on a few of those computers over there. I'm sure you can come up with a more exciting workflow than this one.
But ODBC administrator isn't here, so I mean, What can you do? You're kind of hamstrung when you're going at the end of the session. So let me get, let me get Chess off the screen. Incidentally, you can choose these old work-- you can see that what happened here is that ARD executed a sequence of tasks in order, associated with this workflow. I just want to quit everything again.
Let's kill Chess over there, so hey, Chess is gone. So this is using ARD to manage the remote computers in an effective way, but there are a few things I found I wanted to do locally with ARD itself. I'm forever choosing computers and hitting this Send Unix Command button, which is my favorite command button in the entire computing universe, and typing some task that I want to run. How full is the boot disk? `df /`. And I want to run this as the user root. And then I want to hit Send. And that runs that command, and here's all the output over here, and I think OK, that's great.
My disk is full so I want to do something else, `rm -r mark`, and then we want to copy ODBC Administrator from somewhere else. But you've got to go clickity, clickity, click here and several times through. I found myself doing this so often that it would be great if we could simplify this and do like a one key hotkey sequence. So I've got another workflow kicking around here called RunCommandAsRoot, and this is a fairly simple one.
This just asking ARD to take-- to create a new-- actually to ask me for what command I want to type. In here, it says, Display dialog, What command do you want to run? And then we're going to save that in default so that it remembers it next time, and then we're going to close all the old output windows so that we only see one, and then we're going to make a new send Unix command that runs this thing.
This is in AppleScript, how you create a new send Unix command task in ARD, and then we're going to execute that on the input. The input is the list of computers that we've selected. So with something like that, step one, and step two, attaching a hotkey to it over in the keyboard preferences pane, over here you have the opportunity to attach hotkeys of your choice to any of these workflows.
So I've picked this one here, and I've previously set command, control, option, shift, something, escape, meta, r; it will be my run command as root thing. Now while I'm sitting over here in ARD, I can just choose a list of computers and I can go to my hotkey, bang! like that. What command do you want to run? `date`. What time is it on all of those computers? Oh yeah, now, What command do you want to run? I'll hit the hotkey again, I want to run `df /`. Oh, there's the results of that. Then I want to run something else.
I want to run `who`, and now I want to run [applause] `find / -size +`, with, I don't know, you could go over and over again with something like this, but this is a workflow that I personally found myself doing over and over again. And now thank goodness for these hotkeys, I can just extend ARD with a little pointy-clicky thing there to make my life that much better. So there are many more possibilities that you could do here. I got a little carried away with one, and it's not the one you're thinking. It's not the one, it's a different one.
Here is a fairly elaborate one here, that actually uses Keynote. I'm going to start out by making a new Keynote-- blank Keynote presentation and keeping it over here at the side. So here's a-- let me just try and push this out of the way a little bit. Here's a Keynote presentation ready to go and I don't need that, I don't want that. So what's this workflow going to do? This is again taking these selected computers, and it's going to set the title on the first slide, and then it's going to run this AppleScript.
We're going to run a Unix command on the remote computers and take the output of that command, and then pipe it into a chart in Keynote. We're going to add a new slide, and we're going to add a chart with the numbers that we just got back from the results of that command. So we're running something on six computers, the numbers are coming back, we're drawing a chart.
So I got this one set up to actually create three charts. Oh you're laughing, like you haven't written really complicated scripts that look horrible. So let's, let's see here. Let me pick, let me pick all of them here. I'll go to the rack, I'm going crazy here, I'll pick all 8, services, Keynote report.
Here it is, it's Monday morning, I need to prepare a report for the CIO on the state of our network. So we're going to launch this and it will, through a combination of Unix tasks on-- in Apple Remote Desktop and Keynote actions, it will add a series of graphs over to this Keynote workflow, and I've now got this gorgeous Keynote presentation that's just been created here.
Here's the first slide, here's the second slide, I do need to move the graphs around a little bit. This is how full is the boot disk on all the different computers. We ran df and picked out the percentage on the first line. Here's one that's kind of boring. How many people are logged in, as a pie chart.
Well there's one person logged in on each of those computers. [laughter] But here's one that's actually a little bit practical. What version of Keynote is everybody running? I ran a command over there to poke around and determine what version of Keynote was in use, and what we got out of this was that, I guess, six out of eight were running one version of Keynote and two out of eight were running a different version of Keynote. I think you could imagine a variety of elaborate, custom, time-saving, beautiful workflows that you can build like this to show off to your colleagues. They're going to be so completely impressed.
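An added example for the Keynote report workflow above (an editor's addition, not the speaker's workflow or code from Apple): a Send UNIX task body that emits one CSV line per client with the three numbers charted in the talk, boot-disk fill percentage, distinct logged-in users and the installed Keynote version. The parsers take their input as an argument so they can be checked against the constructed samples at the bottom, which are shaped like Mac OS X output. The Keynote bundle path is an assumption for Keynote '09; adjust APP_PATH for another version. Nothing in it needs root, which is the practical point: a read-only report task should be sent as an ordinary user, not with the run-as-root hotkey shown earlier.

```shell
#!/bin/sh
# Editor's added example (not from the session). A Send UNIX task body that
# emits one CSV line per client for a fleet report like the one charted in
# Keynote above: boot-disk fill percentage, distinct logged-in users and the
# installed Keynote version. The parsers take their input as an argument so
# they can be checked against the constructed samples at the bottom.
# Assumption: Keynote '09 is installed at the iWork '09 path below; change
# APP_PATH for another version. Nothing here needs root; send it as an
# ordinary user rather than with "run as root".

APP_PATH="/Applications/iWork '09/Keynote.app"

# Percent used on the root volume from `df -P /` (second line, Capacity column).
disk_pct_from_df() {
    printf '%s\n' "$1" | awk 'NR == 2 { sub(/%/, "", $5); print $5 }'
}

# Distinct users from `who` output (a user with several sessions counts once).
user_count_from_who() {
    printf '%s\n' "$1" | awk 'NF > 0 && !($1 in seen) { seen[$1]; n++ } END { print n + 0 }'
}

# CFBundleShortVersionString from an app bundle; "absent" if not installed.
# PlistBuddy ships with Mac OS X (10.5 and later).
app_version() {
    plist="$1/Contents/Info.plist"
    if [ ! -f "$plist" ]; then
        echo absent
        return 0
    fi
    /usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' "$plist" 2>/dev/null || echo unknown
}

# One CSV line: host,disk_pct,users,keynote_version
report_line() {
    printf '%s,%s,%s,%s\n' "$(uname -n)" \
        "$(disk_pct_from_df "$(df -P / 2>/dev/null)")" \
        "$(user_count_from_who "$(who 2>/dev/null)")" \
        "$(app_version "$APP_PATH")"
}

# Constructed samples (shaped like Mac OS X output) used to check the parsers.
DF_SAMPLE='Filesystem    512-blocks      Used Available Capacity  Mounted on
/dev/disk0s2   487652288 213119152 274021136    44%    /'
WHO_SAMPLE='mark     console  Jun  9 09:12
mark     ttys000  Jun  9 09:13
judy     ttys001  Jun  9 09:20'

report_line
```

Sent to a list of computers, the Send UNIX output window then holds one CSV line per client, which is the shape a chart action wants; the user count is deliberately distinct users rather than lines of `who`, since a console login plus two Terminal windows would otherwise chart as three people on one iMac.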
However, having said that [applause]-- we did, we did do one the other day in here that caused a great frenzy of activity. I've been getting emails from the International Olympic Committee, wanting to add ARD Whack-A-Mole as a new Olympic event. [laughter] Not only that but some of the ARD engineers are-- they're very competitive.
They must be gamers in their spare time. And Doug broke the previous record on ARD Whack-A-Mole in public that was I think set by Sal who got maybe one, two, two out of ten. I bet Doug that he couldn't get-- I bet him 5 bucks that he couldn't get five out of ten, and he got five out of ten.
Doug, I have 20 Canadian dollars for you [laughter], if you can get eight out of ten in ARD Whack-A-Mole. I want to show people the workflow, just so you know what's going on here. This is a workflow here. This is-- actually I'm surprised how simple this turned out to be.
We're getting a list of computers and then this thing asks them all to say, Get ready, get set, go, and then this one does one turn. It uses a big honking text to put up a giant Apple logo, and then it waits to see if you click on it.
If you click on it you get one point. If it disappears in 2 seconds you get 0 points, and then we run a little AppleScript up at the scoreboard. Then we use the Automator loop facility to loop ten times, and then we run another one down here to announce the score. So are you ready? Here we go, so here's the eight machines over here.
I'm going to select them all over in ARD, and we're going to go Services, Whack-A-Mole, are you ready?
Yep.
Here we go.
[computer speaks] Get ready. Get set. Go. Go. Click me. Up here. Click me. Hey, click me. That's one. Click me. This one, this one.
Click me.
Oh. [laughter] Oh you know what, here's what we're going to do. We're going to make a slight-- we're going to make a slight modification to this one here, we're just going to pick that computer. OK. Want to try it again?
[computer speaks] Get ready. Get set. Go. Up here. Up here.
Hey there you go, yeah. [applause] Doug, Doug, Doug. Here you go, come on, I'm a man of my word, come on. Here you go, very good. New world record, nine out of ten on the beginning level.
Here you go. Very good. But I really hope you will all take an opportunity to look at Automator and this amazing collection of workflows, in particular to exploit this new services feature, which I think, is going to allow us all to reshape this product into something that matches the way we work. And with that I'd like to invite the ARD team up here on the stage, and we will see if you have any questions. Or did you have another slide? Oh, Mark's got another slide. All right. There you go.
[applause]Thank you.
OK so if you're interested in testing some of the stuff you just saw here today, you can download the seed from ADC. If you're not a member of ADC, you can see Andre in the lab, or send an email to [email protected]. So in summary, 3.2 is available right now, 3.3 update is going to come with Snow Leopard. You can get more resources available at the web address or URL you see posted there, and we're going to be in the IT lab right after this at 5 o'clock, so we can answer more questions for you.