OS X v10.9 Management Basics
Donny Hornstein
Welcome
Welcome the class & introduce yourself if you haven’t already. Provide important details such as where the restrooms are, the time schedule for the day & where emergency exits are found.
Mac OS X v10.9 Management Basics
• Creating Installer Packages
• Creating System Images
• Deployment
• Managing Computers With Apple Remote Desktop
• Policy Management
• Managing Software Updates
• Caching Software Downloads
Creating Installer Packages
Installation Packages
Installation package
Installation metapackage
Distribution project
Receipt
Payload
This is an overview slide showing how the course is laid out. Touch on it & move on.
Each section has a lead in title slide.
First, identify the two different package types: Packages & Metapackages. Tell how they differ.
Once an installer package is opened, the user is guided through the install.
Mac OS X uses receipts to keep track of installed items.
The items you intend to deploy using an installation package are generally referred to as the installation payload.
Signing packages with a certificate
Gatekeeper
• Obtain Developer ID certificate from Apple
• Install the certificate in the Keychain
• Choose the certificate for the package
Creating a package from the command line
Basic syntax
pkgbuild --identifier pkg-identifier --version pkg-version --sign identity --component component-path package-output-path
Example syntax: Package from Traffic Manager application
pkgbuild --identifier com.pretendco.TrafficManager --version 1 --sign "Developer ID Installer: Pretendco" --component "/Applications/Traffic Manager" "$HOME/Desktop/Traffic Manager Installer.pkg"
Create a package using PackageMaker
With Gatekeeper, the user may not be able to run an unsigned (no certificate) package, depending on how Security is set up in System Preferences.
If you are targeting Mac OS X v10.5 or newer systems, you can select a certificate file to sign your flat installation package. This will help others verify the authenticity of your installation.
Walk the students through the basic syntax to create a package from the command line. Don’t get hung up on all the options; touch on them quickly & move on. The students will see how the options get put into play through the example syntax.
Give the package a name (on the Configuration tab)
Select a certificate
Create a package using PackageMaker, cont.
Details of the installation
Content Permissions
Options for Components
Show all receipts
pkgutil --pkgs
Show one specific receipt
pkgutil --files <name_of_receipt>
Working with receipts
PackageMaker Alternatives
JAMF Composer
Packages (s.sudre.free.fr)
Absolute InstallEase
Once the package has been built, permissions for its content can be changed from the Contents tab. Options for the components, such as allowing relocation or allowing a downgrade, are obtained from the Components tab.
Note: Iceberg replaced with Packages. Packages allows signing of package with cert. Iceberg does not.
Installer Packages Exercises
Exercise 1.1.1 Configure Server
Tasks
• Configure server name
• Configure network settings
• Get Apple Push Notification service certificate
• Configure Open Directory Master
Tools
• Server app
• Setup Assistant
• Open Directory Service
Exercise 1.1.2 Creating Installer Packages
Tasks
• Create an installation package
• List the files installed on the system
• List the files installed from one receipt
Tools
• PackageMaker app
• Important Employee Documents folder
• Terminal
Student Numbers!
Creating System Images
Client startup with NetBoot
1 DHCP
2 BSDP
3 TFTP
4 NFS or HTTP
DHCP & NetBoot server
Booter files
Boot image
NetBoot
NetBoot Image on Server
Disk Image of System Folder on Server
Client boots from Server, & uses System Folder from image
Describe what happens in each of the four phases of NetBoot.
Boots the OS from image on the server
NetInstall
NetBoot Image on Server
OS X Installer from Server
Client boots from Server & Installs OS on Disk
NetRestore
NetBoot Image on Server
Disk Image of Pre-Configured System
Client boots from Server, Disk is erased & restored from Disk Image
NetRestore Images
Cloned System Image
Modular System Image
Installs the OS from an image on the server.
Uses asr restore
Explain the differences between the two image types. Cloned system image: faster but not flexible; the entire image must be redone for OS updates, even incremental ones. Modular system image: slower to install, because all packages are installed separately, but more flexible; even when incremental OS updates come out, it’s just a matter of replacing that component.
Deploying Images
Over the network
Locally
Target Disk Mode via Thunderbolt
Using System Image Utility
Using System Image Utility, cont.
Deploying images over the LAN, many computers can be done at once. Bandwidth is the biggest restriction. Deploying images locally, only one computer can be done at a time. If using Thunderbolt and SSD, this can be very fast.
System Image Utility MUST find a source in order to do its job. Once that’s found, you can decide on what kind of image to build. It’s important to mention SIU only supports creating images from the current OS, e.g. SIU 10.8 must build images from a 10.8 installer or system (cloned computer).
Only NetBoot or NetRestore support creating an Administrator Account.
System Images Exercises
Exercise 2.1.1 Creating System Images
Tasks
• Create a NetInstall image from the Mountain Lion Installer
Tools
• Mountain Lion Installer
• System Image Utility
Exercise 2.1.2 Creating System Images
Tasks
• Create a NetRestore image from a prepared volume
Tools
• Admin computer
• System Image Utility
• FireWire or Thunderbolt cable
Deployment
Using Disk Utility for deployment
NetInstall considerations
Gigabit Ethernet is best
Airport is not supported
Must have latest firmware installed
When using Disk Utility to deploy, the Restore tab is chosen. Next, an image source is chosen from the sidebar. Then, a destination volume is selected. Finally, click the Restore button.
Touch on the points, move on.
Using NetInstall for deployment
Using NetInstall for deployment, cont.
Configuring the NetBoot client
Use Startup Disk to select NetBoot
Hold down the N key to look for & start from a NetBoot server
Hold down the Option key to invoke the Startup Manager
NetInstall must be enabled on a network interface, preferably built-in Ethernet. Additionally, storage for images, nbi images, and client data for diskless NetBoot must be chosen. Once the storage settings are selected, and the NetInstall service choices are saved, the NetBootSP0 & NetBootClients0 sharepoints are automatically created in /Library. (Note: While the ‘0’ at the end of the sharepoint names is typical, they could be other numbers as well. Don’t go into this unless a student asks.)
In order to make images available from the NetInstall service, select the Images tab in the service. Click the service action icon (gear) in the lower left. Check the box for “Make available over” and choose either NFS or HTTP. More often than not, NFS is used. There is also an option here to make the image available to all Mac models or restricted models. The image index is unique for each nbi.
Selecting the NetBoot from within System Preferences Startup Disk, while not typical in real world scenarios, is certainly an acceptable means of doing so. You may choose to explain the reason we do so in class is an attempt to have students boot from their own NetBoot server, not their neighbor’s.
More typical in real world deployments is the use of the N key first, the Option key second.
Image deployment Alternatives
DeployStudio
JAMF’s Casper Suite
Absolute Manage
KACE
LANDesk
FileWave
Deployment Exercises
Exercise 3.1.1 Deployment
Tasks
• Create a bootable image from a NetInstall image
Tools
• Disk Utility
• My NetInstall v1.nbi
Quickly touch on the alternatives & move on. If the discussion comes up, you can speak to any & all you are familiar with.
Exercise 3.1.2 Deployment
Tasks
• This section is purely informational.
• Restore an image
Tools
• Disk Utility
Exercise 3.1.3 Deployment
Tasks
• Configure the NetInstall service
• Enable a NetInstall image
• NetBoot your admin computer
Tools
• Server app
• NetInstall service
• Admin computer
Managing Computers with Apple Remote Desktop
Enabling Remote Management
Creating a computer list with ARD
Apple Remote Desktop Exercises
Clicking the Options button in the Sharing pane of System Preferences opens the “All local users can access this computer to:” dialog. Holding the Option key while checking one box checks all boxes.
By choosing Scanner in the ARD sidebar, you can see all the computers ARD sees. The default is via Bonjour, but an administrator can pick from a variety of choices as seen in the cutaway. Clicking on the add button (+) allows for the creation of different types of computer lists. You may want to do an instructor demo with ARD. Don’t take too much time with it.
Exercise 4.1.1 Apple Remote Desktop
Tasks
• Create new computer group
• Install package remotely
• Copy software remotely
• Repair disk permissions remotely
Tools
• Apple Remote Desktop
• Important Employee Documents.pkg
• Handbook.pdf
• Important Employee Documents folder
Policy Management
Profile Manager
What’s Needed?
Server.app
Open Directory Master
SSL Certificate
AppleID for Push Notification Certificate
While turning on Profile Manager is relatively simple, there are some prerequisites which need to be in place before it is functional.
Profile Manager configuration
Set up Open Directory Master
1. Beginning the Configure Device Management setup starts the setup of an Open Directory Master
2. Create a directory administrator for the Open Directory
3. Confirm settings. ODM created.
Adding certificates
SSL APNS
CSC
The next few slides walk through the Profile Manager service setup assistant.
The first thing is the server needs to be an Open Directory Master.
Next is enabling or obtaining the requisite certificates including SSL, CSC & APNs.
Profile Manager Complete
Profile Manager
What’s Available?
Profile Manager web app
User Portal web site
Profiles preference pane
Profile Manager web app
Management can be applied to devices, groups of devices, users or groups of users
The service setup assistant has completed and Profile Manager is now ready to do its job.
Once Profile Manager is turned on, it’s really just a web app. Profile Manager is for administrators. The user portal is for end users. Once a computer has profiles installed, the Profiles preference pane shows up in System Prefs.
The administrator web app allows profiles to be configured for four resource domains: Devices, Device Groups, Users & User Groups. Unlike MCX, where overlapping profiles had priorities and additive capabilities, it is the admin’s responsibility to decide how profiles are best applied. There should not be an overlap between the resource groups.
Profile Manager user portal
Configuration Profiles
Distributing Configuration Profiles
Discuss the purpose and some of the functionality of the user portal.
An example of the Everyone profile. This highlights options available for setting the Passcode payload.
Three methods of distributing profiles: Through email, a web link or pushed to the device. Pick one method only.
Profile Manager Alternatives
Imaging & Client Management
JAMF’s Casper Suite
Absolute Manage
KACE
LANDesk
FileWave
Profile Manager Alternatives
Client Management only
AirWatch
MobileIron
Centrify
Thursby ADmitMac
Quest Management Xtensions
Parallels SCCM
Policy Management Exercises
There are two different kinds of alternatives to Profile Manager. This slide shows those which can do both imaging & client management.
This slide shows the alternatives which can do client management only. The Mobile Device Management systems if you will.
Exercise 5.1.1 Policy Management
Tasks
• Configure Profile Manager service
Tools
• Server app
• Profile Manager service
Exercise 5.1.2 Policy Management
Tasks
• Edit a configuration profile
• Enroll your admin computer for management
• Create a device group & custom configuration
• Lock your admin computer
Tools
• Server app
• Profile Manager service
• Safari
Managing Software Updates
Software Update Service
• Reduce bandwidth by downloading Apple updates to a local server
• Manage what updates are available locally
• Use configuration profiles to point users to local server
• Mirror updates between the local server & Apple servers to ensure latest updates are available
Turn SUS On
Filter Updates
This slide enumerates reasons to use a local software update server.
After turning the SUS on, it will take some time (bandwidth is one of several factors) for the service to populate with the updates available from Apple. Once that is accomplished, an administrator has many options available to deal with those updates. Clicking on the action pop-up menu reveals the options.
By using the search box it is possible to limit the view on the updates available. From there, updates of a particular type can be dealt with as appropriate.
Using configuration profiles for SUS
Setting the SUS from the command line
To point the client to the local SUS:
defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL "http://server15.pretendco.com:8088/index.sucatalog"
To point the client back to the Apple SUS:
defaults delete /Library/Preferences/com.apple.SoftwareUpdate CatalogURL
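A check an administrator can run alongside the commands above, as an added example that is not part of the original slides: it reads the client's CatalogURL and classifies it against an allow-list of update servers. `APPROVED_HOSTS` and the function names are assumptions for illustration; `server15.pretendco.com` is the sample server from the slide.

```shell
#!/bin/sh
# Added example: audit which Software Update catalog a client trusts.
# APPROVED_HOSTS is a hypothetical allow-list; server15.pretendco.com is the
# sample server name from the slide.
APPROVED_HOSTS="server15.pretendco.com"

# Print the configured CatalogURL, or nothing when the key is not set
# (defaults exits non-zero for a missing key).
read_catalog_url() {
    defaults read /Library/Preferences/com.apple.SoftwareUpdate CatalogURL 2>/dev/null || true
}

# classify_catalog URL prints one of:
#   apple-default  key not set, client uses Apple's own catalog
#   approved       catalog host is on the allow-list
#   unapproved     catalog host is not on the allow-list
#   malformed      not an http(s) URL ending in .sucatalog
classify_catalog() {
    url=$1
    if [ -z "$url" ]; then echo apple-default; return 0; fi
    case $url in
        http://*.sucatalog|https://*.sucatalog) ;;
        *) echo malformed; return 0 ;;
    esac
    host=${url#*://}      # drop the scheme
    host=${host%%/*}      # drop the path
    host=${host##*@}      # drop userinfo so "user@host" cannot fake a match
    host=${host%%:*}      # drop the port
    host=$(printf '%s' "$host" | tr 'A-Z' 'a-z')
    for approved in $APPROVED_HOSTS; do
        if [ "$host" = "$approved" ]; then echo approved; return 0; fi
    done
    echo unapproved
}

# Only query the live setting where the defaults tool exists (OS X).
if command -v defaults >/dev/null 2>&1; then
    echo "CatalogURL: $(classify_catalog "$(read_catalog_url)")"
fi
```

Pushed out via ARD, the one-line result per client makes `unapproved` or `malformed` values easy to spot and reset with the `defaults delete` command.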
SUS: Best Practices
Phase 1
1. Test
2. Cooling off period; seven days for patches, etc.
Phase 2
1. Deploy to power users for five days
Phase 3
1. Deploy to all workstations & integrate into the master deployment image
One method of having clients connect to a local SUS is to use configuration profiles. The next slide shows an alternative method, using CLI.
Another method of directing computers on the LAN to a local SUS is the tried & true CLI. This can be set up in a master image or even pushed out via ARD.
The three phases of deploying software updates are outlined here.
SUS Alternatives
Reposado
JAMF’s Casper Suite
Absolute Manage
Software Updates Exercises
Exercise 6.1.1 Software Updates
Tasks
• Configure Software Update Service
• Enable updates
• Create a configuration profile
or
• Configure your admin computer to use SUS
Tools
• Server app
• Software Update service
• Profile Manager service
or
• Terminal app
Some alternatives to the SUS on Mac OS X server.
Caching Software Downloads
Caching Service
• Speeds up the download of software purchased through iTunes & the Mac App Store
• Includes software updates, purchased apps & books
Requirements
• Mac clients 10.8.2 or newer
• iTunes 11.0.2 or newer
• Software Updates from Mac App Store
• Applications from Mac App Store
• Books from iTunes
• iOS apps from iTunes
• Clients share same public IP as server & use NAT
• Server on Ethernet
• Clients don’t use SUS
The Caching Service is new as of 10.8.2. It differs from SUS in several ways & has different requirements than SUS. The next two slides go into the requirements & differences in more detail.
Just as the slide title says, these are the requirements for the caching service. You should hit each of these points in the presentation. Note the importance of selecting where to store cached software. While Apple supports using a portable computer as a server with Mountain Lion, note the cutaway which calls out how the caching service on a portable is NOT supported over WiFi.
Comparing: Caching service & SUS
Caching Service
• Software updates & Mac App Store purchases
• No configuration necessary
• Based on client requests
• No client management
Software Update Service
• Software updates only
• Requires configuration profile or command line implementation
• Downloads & caches all available Apple software updates
• Provides client management (which updates are available)
Caching Software Updates Exercise
Exercise 7.1.1 Caching Service
Tasks
• Instructor Demo
Tools
• Server app
• Caching Service
The exercise for the caching service is an instructor demo with instructions on the next slide.
Using the Caching service
1. On your admin computer select Software Update from the Apple menu.
2. Click the
TM and © 2011 Apple Inc. All rights reserved.