Managed Preferences is one of the many options available in Open Directory. Using Managed Preferences, administrators push settings to client computers that have been bound to the Open Directory environment. Open Directory uses various fields, or attributes, located within its database to push those settings out. That database is an LDAP database, the same type of database available in practically every modern implementation of a directory service to date.
Note
For more on setting up Open Directory itself and binding client systems to Open Directory, see Chapter 2.
A great example of using Managed Preferences is the parental controls options for a local computer running Mac OS X. If you open System Preferences from the Apple menu and click on the Users & Groups System Preference pane, you will see a list of the users on the local computer. Click on a nonadministrative user, and check the “Enable parental controls” checkbox to manage the account locally.
Once checked, click on the Open Parental Controls… button to bring up the Parental Controls System Preference pane. Here, you can enable the Simple Finder (a simplified user experience), limit which applications the user is able to open, edit whether the user can change their Dock, restrict access to websites, restrict access to manage printers, restrict burning optical disks, limit with whom the user can mail or chat, and restrict the use of computer to specific times (Figure 8-11). This is done per computer, per user, on a case-by-case basis. Managed Preferences leverages the same technology, but provides a means to control practically any setting on the system and to do so from a centralized server, for users and computers, or using groups of either.
These Managed Preferences are best controlled in Workgroup Manager. Open Workgroup Manager from /Applications/Server and then login to the Open Directory environment. Once authenticated, click on a group of users and then click on the Preferences icon in the Workgroup Manager toolbar, to bring up the Managed Preferences screen.
The Managed Preferences screen is different for users and computers (or groups of either). The preferences available for users include:
- Applications
Controls access to applications, Dashboard widgets, and Front Row
- Classic
Allows access to the Classic environment (only applicable for OS 9 users)
- Dock
Configures the look and contents of the Dock
- Finder
Manages the preferences, options, and appearance of the Finder
- Login
Most options are only available for Computers, but can control automated mounts and login items
- Media Access
Limit access to mounted volumes (optical drives, FireWire, and USB-based volumes)
- Mobility
Control mobile accounts and portable home directories
- Network
Manage proxy information and, at the computer level, sharing preferences
- Parental Controls
Centrally manage parental controls options
- Printing
Centrally deploy printers
- Software Update
Deploy Software Update Server settings
- System Preferences
Limit access to System Preference panes
- Universal Access
Controls accessibility options (e.g., those available for the hearing and sight impaired)
The traditional example everyone tends to use is managing the Dock. This preference is easy to configure and even more easily displayed in a screen shot (look Ma, the Dock switched to a different side of the screen). Therefore, we’re going to show you how to do something a bit more useful instead: managing the Software Update Server (which we will then show you how to set up in the next section of this chapter). To do so, click on the Software Update option and click on the Always radio button (Figure 8-12).
The Software Update preference only has one field. Click in the field and type the address of the server, with an http:// in front of it and a :8088/index.sucatalog at the end. Then click Apply Now. Logging into a client computer as a user who is a member of the group then shows that the client is trying to use the newly entered Software Update Server (note the title bar).
Of course, using the newly configured Software Update server will fail. But we’ll get that configured in the next section (or change it back if you do not wish to manage that option). For now, go through each of the Managed Preference panes and explore which options, if any that you would like to centrally manage.
Note
Because Managed Preferences is built on the powerful LDAP protocol, the options available in Workgroup Manager can also be applied in environments leveraging other directory servers, such as Microsoft’s Active Directory and various open source OpenLDAP implementations.