TweetFollow Us on Twitter

MacEnterprise: Snow Leopard Scavenger Hunt

Volume Number: 25
Issue Number: 11
Column Tag: MacEnterprise

MacEnterprise: Snow Leopard Scavenger Hunt

Changes in OS 10.6 of interest to systems administrators

By Greg Neagle, MacEnterprise.org

Introduction

With each new release of OS X, systems administrators have a bit of a scavenger hunt: hunting for what's new, what's changed, what's fixed, what's broken, what's moved, and what's gone. I have to admit that I find the hunt kind of fun - Apple's given us a new toy, and we get to find all the surprises inside. So instead of a column on a single topic or tool, this month we will be hunting through the new OS, looking for what's new and of interest to enterprise systems administrators!

Launchd

In a recent MacEnterprise column on launchd, I covered some of the changes to launchd in Snow Leopard. The most important change of interest to systems administrators is the change in how launchd handles the Disabled key in launchd plists.

In Tiger and Leopard, if you disabled a launchd job using launchctl like this:

launchctl unload -w /path/to/launchd.plist

The job would be unloaded, and the Disabled key in the launchd plist would be set to true. In Snow Leopard, the job is still marked as disabled, but the plist is not changed. The value of the Disabled key is stored elsewhere. The launchctl man page doesn't say where it is stored, but some hunting finds it in /private/var/db/launchd.db/.

Inside this directory, there are subdirectories like these:

com.apple.launchd/
com.apple.launchd.peruser.0/
com.apple.launchd.peruser.100/
com.apple.launchd.peruser.501/

The com.apple.launchd directory holds info for LaunchDaemons, and the com.apple.launchd.peruser.* directories hold info for LaunchAgents. Each of these directories contains an overrides.plist file. This file contains the current "effective" value of the Disabled key for each launchd job:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
   <key>com.apple.backupd-attach</key>
   <dict>
      <key>Disabled</key>
      <true/>
   </dict>
   <key>com.apple.backupd-auto</key>
   <dict>
      <key>Disabled</key>
      <true/>
   </dict>
[...etc...]
</plist>

To determine the current enabled/disabled state of a given launchd job, an admin must check the value of the Disabled key in the launchd job's plist, and then also check for an override in /private/var/db/launchd.db/.

An effect of this change is it now possible for non-admins to disable LaunchAgents that run when they login, by running

launchctl unload -w /Library/LaunchAgents/some_launchd.plist

This might be a problem if you rely on LaunchAgents to run at login and perform certain tasks for the user - the user can now turn these off.

Networksetup

OS X systems administrators should be familiar with the networksetup command, which allows you to configure network-related settings from the command line. This tool is ideal for use in setup scripts, or for remote configuration via SSH. In Snow Leopard, networksetup gains a few new tricks.

AirPort options

The AirPort options in networksetup have changed. If you have AirPort configuration scripts, you may need to revise them for Snow Leopard. The -getairportnetwork, -setairportnetwork, -getairportpower, and -setairportpower options all now require a hardware port to be specified. An example:

Prior to Snow Leopard:

networksetup -setairportpower  off

Snow Leopard:

networksetup -setairportpower "AirPort" off

Does this change portend Macs with multiple AirPort interfaces? Your guess is as good as mine.

There are four new options dealing with preferred wireless networks, which could be useful in a setup script that automatically added your organization's wireless network(s) to the preferred list:

   -listpreferredwirelessnetworks hardwareport
   -addpreferredwirelessnetworkatindex hardwareport network...
   -removepreferredwirelessnetwork hardwareport network
   -removeallpreferredwirelessnetworks hardwareport

Locations

networksetup can now work with network locations. This would allow you to script the creation and setup of Home and Work locations, for example.

   -listlocations
   -getcurrentlocation
   -createlocation location [populate]
   -deletelocation location
   -switchtolocation location

802.1X

networksetup has gained the ability to work with 802.1X-secured networks. You can set the System profile, the login profile, or user profiles:

   -listalluserprofiles
   -listloginprofiles service
   -enablesystemprofile service on | off
   -enableloginprofile service profile on | off
   -enableuserprofile profile on | off
   -import8021xProfiles service path
   -export8021xProfiles service path yes | no
   -export8021xUserProfiles path yes | no
   -export8021xLoginProfiles service path yes | no
   -export8021xSystemProfile service path yes | no
   -settlsidentityonsystemprofile service path passphrase
   -settlsidentityonuserprofile profile path passphrase

These new options don't help with the actual creation of 802.1X profiles, but with the import and export options, you should be able to create them on one machine and deploy them on others.

Lights-Out Management

Finally, networksetup gains options for configuring the Lights-Out Management interface on Intel Xserves:

   -resetBMCToDefaults
   -showBMCSettings
   -setupBMC portindex static | dhcp ipaddress subnetmask 
         routeraddress adminname adminpassword

For more details on all of the new networksetup options, type "man networksetup" at a command prompt.

Cisco VPN Support

Since we're talking about network configurations, this is a good time to note that Snow Leopard now has Cisco VPN support, accessible from the Network preferences pane. When adding a VPN interface, "Cisco IPSec" now appears as an available VPN Type.

With Cisco's client, an administrator could distribute the client software and some pre-configured profiles. Administrative configuration looks to be more difficult with Apple's built-in client. networksetup did not gain any new capabilities as far as VPN configuration, so that's no help. You can export and import configurations, and since they are XML files, you might be able to generate configurations programmatically.


Figure 1 - Cisco VPN support

Mcxrefresh

mcxrefresh is a new command-line tool to cause a client machine to re-read its MCX settings from the directory services. It must be run as root. You can specify a user id or shortname to refresh the Managed Preferences for a specific user as well as the computer settings. This might be useful when testing changes to MCX settings - you can instantly force a machine to refresh its Managed Preferences.

   mcxrefresh -n joeuser

Directory Utility

You've booted up your first Snow Leopard machine and you want to point it at your Open Directory or third-party LDAP server for directory services. In Leopard, you'd head to the /Applications/Utilities folder and look for Directory Utility. But on your Snow Leopard machine, it seems to be missing. Instead, you can open the Accounts pane in System Preferences as in Figure 2.


Figure 2 - Accounts Preference Pane

When you select Login Options, you'll see a new section for a "Network Account Server." Click Edit, and you'll see the sheet in Figure 3.


Figure 3 - Directory Services pane

From this pane, you can add directory servers, or open Directory Utility for more options. Or you can just skip all this, and go directly to the new location of Directory Utility: /System/Library/CoreServices/Directory Utility.app.

Keychain password Enhancements

A common problem in enterprise environments is keeping the login keychain password in sync with the directory services password. Many environments use a web page to allow their users to change passwords. In other environments, users may have access to multiple machines (say a Mac and a Linux box), sharing a common directory service. If they change their password on their Linux box, or use a web page to change their password, the login keychain on the Mac is not updated with the new password. When the user then logs into their Mac, the login keychain is not unlocked, and access to mail accounts, web pages, file servers and the like might be affected. Prior to Snow Leopard, many administrators used AFP548.com's Keychain Minder to handle this situation. When configured to run as a login item, Keychain Minder would check to see if the login keychain was unlocked at login, and offer to help the user reset the login keychain password if needed.

Snow Leopard builds in most of Keychain Minder's functionality. If the user password is changed, and the login keychain can't be unlocked at login, you'll see a dialog like the one in Figure 4.


Figure 4 - Update Keychain Password dialog

You can then update your keychain password, create a new keychain, or ignore the issue.

Screen Saver

Since the release of OS X 10.0, large organizations have wanted the ability to run a screen saver when the machine is at the login window. Apple's opinion always seemed to be that you should have your machines (or at least the displays) sleep when idle at the loginwindow for a long time. High schools, colleges, and other organizations instructional labs often wanted the machines to stay on with active displays so students could quickly identify available machines. When presented with a machine that was asleep, or with a darkened display, many students assumed the machine was broken. In my organization, we had a number of Macs connected to color-calibrated CRT monitors. These monitors needed to be left powered up and with an active display in order to maintain their calibration.

Whatever the reason, when an organization wanted/needed the display to remain active when the machine was at the loginwindow, they had a new challenge to deal with: screen burn-in. A machine left for hours or days at the loginwindow could burn the image of the loginwindow into the phosphors. (And although LCDs are supposedly immune to the effects of burn-in, I've seen evidence to the contrary.) So it's understandable to want the screen saver to run over the loginwindow to prevent burn-in. Some organizations also saw this as an opportunity to run a screensaver that presented news or announcements about the organization.

Unfortunately, Apple did not support running the screen saver at the login window. Various workarounds were developed. An application called Screen Preserver could be used to display slideshows over the loginwindow. In 10.3 and 10.4, enterprising administrators developed scripts that allowed Apple's screen saver to run over the login window. But Leopard brought that practice to an end, as the built-in screen saver no longer would run over the loginwindow.

So it was with some surprise when testing Snow Leopard this summer that I noticed the screen saver kick in while I was logged out. This new behavior persisted into the final release. There's no user interface to control which screen saver runs, or how long to wait until activation. I haven't yet figured out any other way to control these options, but I'm sure someone will before long. Still, this is a welcome change, and only took eight years for Apple to implement!

Exchange integration

We can't finish our scavenger hunt without mentioning a new feature of great interest to many enterprise systems administrators (and regular users!) - support for Microsoft Exchange. If your organization is running Exchange Server 2007 (and alas, my organization isn't yet...), you can configure Mail, iCal, and Address Book to talk to your organization's Exchange server. While this doesn't give you the full range of functionality you can get from Entourage 2008 Web Services Edition (let alone Outlook on Windows), it may be sufficient for some user's needs.

The Exchange integration in Snow Leopard is based on Exchange Web Services, a new protocol first available in Exchange Server 2007 SP1. Older Exchange servers support only MAPI (a protocol extremely difficult to replicate outside of Windows - even Entourage, a Microsoft product, doesn't use it), or the limited OWA (Outlook Web Access) protocol, which is on its way out. For this reason, the Exchange integration in Snow Leopard doesn't work with older Exchange servers.

Since this is a new feature, and Exchange support is notoriously difficult to implement (otherwise, why would Entourage still have issues?), it may work well in your environment, or not at all. Early reactions on the MacEnterprise mailing list are mixed: some organizations are reporting great success; others are having difficulties. If your organization is running Exchange 2007, try it yourself and see.

Figure 5 shows the dialog in Mail.app for adding an Exchange 2007 account. Note the options to also setup Address Book and iCal. If you don't configure them here, each of these applications also has an interface for configuring Exchange 2007 accounts.


Figure 5 - Mail setup for Exchange 2007

Conclusion

That concludes our scavenger hunt. If there's a theme to the changes in Snow Leopard, it's "refinement". Lots of little things have been subtly refined, providing a better user experience, or making things work the way they should have earlier. We have by no means covered all the changes in OS X 10.6 - there are many more. Have fun on your hunt!


Greg Neagle is a member of the steering committee of the Mac OS X Enterprise Project (macenterprise.org) and is a senior systems engineer at a large animation studio. Greg has been working with the Mac since 1984, and with OS X since its release. He can be reached at gregneagle@mac.com.

 

Community Search:
MacTech Search:

Software Updates via MacUpdate

Firetask Pro 4.2.2 - Innovative task man...
Firetask Pro uniquely combines the advantages of classical priority-and-due-date-based task management with GTD. Stay focused and on top of your commitments - Firetask Pro's "Today" view shows all... Read more
Bookends 13.4.3 - Reference management a...
Bookends is a full-featured bibliography/reference and information-management system for students and professionals. Bookends uses the cloud to sync reference libraries on all the Macs you use.... Read more
LibreOffice 6.4.5.2 - Free, open-source...
LibreOffice is an office suite (word processor, spreadsheet, presentations, drawing tool) compatible with other major office suites. The Document Foundation is coordinating development and... Read more
Thunderbird 68.10.0 - Email client from...
As of July 2012, Thunderbird has transitioned to a new governance model, with new features being developed by the broader free software and open source community, and security fixes and improvements... Read more
Firefox 78.0.1 - Fast, safe Web browser.
Firefox offers a fast, safe Web browsing experience. Browse quickly, securely, and effortlessly. With its industry-leading features, Firefox is the choice of Web development professionals and casual... Read more
BetterTouchTool 3.389 - Customize multi-...
BetterTouchTool adds many new, fully customizable gestures to the Magic Mouse, Multi-Touch MacBook trackpad, and Magic Trackpad. These gestures are customizable: Magic Mouse: Pinch in / out (zoom)... Read more
Slack 4.7.0 - Collaborative communicatio...
Slack brings team communication and collaboration into one place so you can get more work done, whether you belong to a large enterprise or a small business. Check off your to-do list and move your... Read more
OsiriX Lite 11.0.3 - 3D medical image pr...
OsiriX Lite is an image processing software dedicated to DICOM images (".dcm" / ".DCM" extension) produced by medical equipment (MRI, CT, PET, PET-CT, ...) and confocal microscopy (LSM and BioRAD-PIC... Read more
Wireshark 3.2.5 - Network protocol analy...
Wireshark is one of the world's foremost network protocol analyzers, and is the standard in many parts of the industry. It is the continuation of a project that started in 1998. Hundreds of... Read more
Dabble 1.6.1 - Organize your manuscript,...
Dabble organizes your manuscript, story notes, and plot. Dabble simplifies the story, leaving more room in your brain to create, which is what being a writer is really about. Organize your story.... Read more

Latest Forum Discussions

See All

Pokemon Go's July Community Day wil...
Pokemon Go developers have announced the details concerning the upcoming Gastly Community Day. This particular event was selected by the players of the game after the Gas Pokemon came in second place after a poll that decided which Pokemon would... | Read more »
Clash Royale: The Road to Legendary Aren...
Supercell recently celebrated its 10th anniversary and their best title, Clash Royale, is as good as it's ever been. Even for lapsed players, returning to the game is as easy as can be. If you want to join us in picking the game back up, we've put... | Read more »
Detective Di is a point-and-click murder...
Detective Di is a point-and-click murder mystery set in Tang Dynasty-era China. You'll take on the role of China's best-known investigator, Di Renjie, as he solves a series of grisly murders that will ultimately lead him on a collision course with... | Read more »
Dissidia Final Fantasy Opera Omnia is se...
Dissidia Final Fantasy Opera Omnia, one of Square Enix's many popular mobile RPGs, has announced a plethora of in-game events that are set to take place over the summer. This will include several rewards, Free Multi Draws and more. [Read more] | Read more »
Sphaze is a neat-looking puzzler where y...
Sphaze is a neat-looking puzzler where you'll work to guide robots through increasingly elaborate mazes. It's set in a visually distinct world that's equal parts fantasy and sci-fi, and it's finally launched today for iOS and Android devices. [... | Read more »
Apple Arcade is in trouble
Yesterday, Bloomberg reported that Apple is disappointed in the performance of Apple Arcade and will be shifting their approach to the service by focusing on games that can retain subscribers and canceling other upcoming releases that don't fit... | Read more »
Pixel Petz, an inventive platform for de...
Pixel Petz has built up a sizeable player base thanks to its layered, easy-to-understand creative tools and friendly social experience. It revolves around designing, trading, and playing with a unique collection of pixel art pets, and it's out now... | Read more »
The King of Fighters Allstar's late...
The King of Fighters ALLSTAR, Netmarble's popular action RPG, has once again been updated with a plethora of new content. This includes battle cards, events and 21 new fighters, which increases the already sizeable roster even more. [Read more] | Read more »
Romancing SaGa Re;univerSe, the mobile s...
Square Enix latest mobile spin-off Romancing SaGa Re;univerSe is available now globally for both iOS and Android. It initially launched in Japan back in 2018 where it's proven to be incredibly popular, so now folks in the West can finally see what... | Read more »
Away: Journey to the Unexpected is a sto...
Away: Journey to the Unexpected looks really quite lovely. Stylish, cute, and clearly heavily inspired by Japanese animation, it's amongst the best-looking mobile games on the horizon. Developed by a two-person team, this story-driven rogue-lite... | Read more »

Price Scanner via MacPrices.net

July 4th Sale: Woot offers wide range of Macs...
Amazon-owned Woot is blowing out a wide range of Apple Macs and iPads for July 4th staring at $279 and ranging up to just over $1000. Models vary from older iPads and 11″ MacBook Airs to some newer... Read more
Apple Pro Display XDR with Nano-Texture Glass...
Abt Electronics has Apple’s new 32″ Pro Display XDR model with the nano-texture glass in stock and on sale today for up to $144 off MSRP. Shipping is free: – Pro Display XDR (nano-texture glass): $... Read more
New 2020 Mac mini on sale for up to $100 off...
Amazon has Apple’s new 2020 Mac minis on sale today for $40-$100 off MSRP with prices starting at $759. Shipping is free: – 2020 4-Core Mac mini: $759 $40 off MSRP – 2020 6-Core Mac mini: $998.99 $... Read more
July 4th Sale: $100 off every 2020 13″ MacBoo...
Apple resellers have new 2020 13″ MacBook Airs on sale for $100 off Apple’s MSRP as part of their July 4th sales. Starting at $899, these are the cheapest new 2020 MacBooks for sale anywhere: (1) B... Read more
This hidden deal on Apple’s site can save you...
Are you a local, state, or federal government employee? If so, Apple offers special government pricing on their products, including AirPods, for you as well as immediate family members. Here’s how... Read more
Apple Watch Series 3 models on sale for new l...
Amazon has Apple Watch Series 3 GPS models on sale for $30 off MSRP, starting at only $169. Their prices are the lowest available for these models from any Apple reseller. Choose Amazon as the seller... Read more
Deal Alert! Get these refurbished 2018 13″ Ma...
Apple has restocked and lowered prices on select Certified Refurbished 2018 13″ MacBook Airs, starting at only $679. Each MacBook features a new outer case, comes with a standard Apple one-year... Read more
July 4th Sale: 13″ 2.0GHz MacBook Pros for $2...
B&H Photo has new 2020 13″ 2.0GHz MacBook Pros on sale for $200 off Apple’s MSRP as part of their July 4th sale. Prices start at $1599. These are the same MacBook Pros sold by Apple in their... Read more
July 1 only: $100 off Apple iPhone 11, 11 Pro...
Boost Mobile is offering Apple iPhone 11, 11 Pro, and iPhone 11 Pro Max models for $100 off MSRP with service. Their discount reduces the cost of an iPhone 11/64GB to $599, iPhone 11 Pro to $899 for... Read more
Apple offers $50-$100 Education discount on i...
Purchase a new 12.9″ or 11″ iPad Pro at Apple using your Education discount, and Apple will take $50-$100 off their MSRP. All teachers, students, and staff of any educational institution with a .edu... Read more

Jobs Board

Operating Room Assistant, *Apple* Hill Surg...
Operating Room Assistant, Apple Hill Surgical Center - Full Time, Day Shift, Monday - Saturday availability required Tracking Code 62363 Job Description Operating Read more
Perioperative RN - ( *Apple* Hill Surgical C...
Perioperative RN - ( Apple Hill Surgical Center) Tracking Code 60593 Job Description Monday - Friday - Full Time Days Possible Saturdays General Summary: Under the Read more
Product Manager, *Apple* Commercial Sales -...
Product Manager, Apple Commercial Sales Austin, TX, US Requisition Number:77652 As an Apple Product Manager for the Commercial Sales team at Insight, you Read more
*Apple* Mac Product Engineer - Barclays (Uni...
Apple Mac EngineerWhippany, NJ Support the development and delivery of solutions, products, and capabilities into the Barclays environment working across technical Read more
Blue *Apple* Cafe Student Worker - Pennsylv...
…enhance your work experience. Student positions are available at the Blue Apple Cafe. Employee meal discount during working hours. Duties include food preparation, Read more
All contents are Copyright 1984-2011 by Xplain Corporation. All rights reserved. Theme designed by Icreon.