---
title: WWDC2003 Session 618
framework: wwdc
role: article
path: wwdc/wwdc2003-618
---

# WWDC2003 Session 618

## Transcript

Please welcome Rob Nevel to the podium.

Thank you, everybody. My name is Rob Nevel and I manage the engineering team that does managed desktop for 10. The sign outside says this is managing for a networking environment. If you're here just to hear something about managing in a networking environment, it's going to be different than that, because today what we're going to be talking about is developing for a managed client environment for Kim. Okay.

So today what we're going to be talking about is developing for Mac OS X managed desktop. Mac OS X is a managed environment, and we're going to be discussing in a variety of ways how it is a managed environment. Ostensibly, what we did when we were here last year is we introduced you to the concept of Apple desktop management, and it's a year later. We've got a year's worth of software under our belt, we've got customers who are actually utilizing the product and have been giving us feedback, we've got developers here who are developing products to work in that environment. So we'll be discussing where we are today, where we've come from, and what it is you guys need to do and to learn to provide solutions and to customize your environment to work better in this environment.

So we're going to be talking about a managed environment. I'd like to turn the Wayback Machine back, take us back in history five years, back before there was a Mac OS X. What we had then was the Mac OS, Mac OS 9, Mac OS 8, and that was an unmanaged computer. You plugged it in, you booted, you came up to the Finder, you could do whatever you want whenever you wanted. You got up and walked away from your machine, somebody could sit down behind you, do whatever they want whenever they wanted. You had no way of controlling that environment at all. To do any sort of control at all you had to get additional software. Apple provided you additional software; it was called Macintosh Manager. Macintosh
Manager gave you the notions of having multiple users use a particular machine, putting access control, which applications could be accessed, which printers could they use, a variety of things. You needed a server to be able to do that, but you started getting the notion of managing the computer.

Well, Mac OS X comes along. Let's fast forward to the present. Mac OS X comes along and out of the box it's a managed environment. If I go home today and open up a brand-new computer and boot it up, turn on Mac buddy, install the software, pick my admin account, get up and running, I auto login, turn on fast login so I just come up, I never see a login screen. The user thinks that they're not managed, but they are. There are some things that I cannot do as that administration user that only a superuser can do. So right out of the box there are at least two users of the system, and I am not by default the superuser. So just right out of the box we've got management. We put people into a home directory; they get a home directory for free, even on a local machine. So even without any Apple desktop management at all, you are managed.

Taking that one step further, then I start adding users, again if we're just even in a local environment. So at home I have user accounts for my wife, for my children. I don't have any server involved, none of them. I have no managed preferences, which is what our group primarily does. I've never run Workgroup Manager. I still have a management bar: I don't have access to the data in my kids' home directory unless I go in as a superuser.

So we'll be discussing a little bit of that, as we just have, and we're also going to be discussing some of the customer usage scenarios that we've seen. What I just discussed briefly was just a normal setup where I have a single machine with just multiple user accounts; that's a managed environment. We'll be talking about what Apple's desktop management solution is, what it is, what it isn't. I'll be talking briefly a little bit about what
we've learned. So it's been a year. If you went to michael ops session yesterday on the desk Solutions, you talked about deployment access and assessing the deployment and rolling out. Well, people have been rolling out, starting to roll out solutions. And for those of you, how many here are working in an IT department or working in IT? Okay. How many of you are application developers? Okay, so it looks like it's about 70/30: seventy percent application developers, thirty percent IT. So with the IT folks, you know that you test out a deployment before you roll it out to your customers, or disaster will have an animal in most cases. So what happens is, as you're deploying that, you find the glitches and the Duchess, and you've been giving us feedback on some of those implementations, and we've taken those to heart. So we'll be discussing some of those and where we're going to be taking Apple desktop management going forward. I'll be showing you a little bit about what's new in 10.3, which will be coming out soon, and what it is you, seventy percent of the people in here, what it is you're going to need to do to work in that environment, things you're going to need to pay attention to, and really what you're going to need to do going forward.

So let's jump over to our customer usage model, because this is the way we think about what we think about when we're developing software. At least in my organization, we try and identify who our critical customers are. Some of you are in this room. If you're not on this screen, come talk to me after the session and we'll start paying attention to what your usage scenario is. But what we do is we look at various customer scenarios and try and gear our software and the solution that we're developing to meet one of these customer scenarios.

So the first one we have is a one-to-one deployment. What do I mean by that? That's a scenario whereby I hand you a PowerBook. I own the PowerBook, you don't own the PowerBook. I have
given you an account on that PowerBook. Let's say it's employee. You do not have superuser access to that machine, you don't even have admin access to that machine. I put everything on that machine that you could possibly want to use that I can think of. But can you add new software to it? Not if it requires admin access to do that; you would have to give it back to me to install new software on it. But it's my physical machine. I give it to you; you can add bookmarks, you can do whatever you can do as a user. You have physical access to the machine but you don't have admin access. One of our significant customers of this is the school, where schools will hand out CPUs on a temporary, on a long-term basis. So it's owned by the school system and it's given to a student. It's got a student account on it. It's just a free-form PowerBook, goes wherever they go. It can also be a desktop: this is your desktop machine, here's your cubicle, you have an account on that machine, I've set it up. It may be networked, it may not be networked, but there you go. But you don't have admin access to the machine.

Then there's a full-blown IT deployment, where I've got a server in the back, I may have big iron behind the server in the back room. You've got network accounts. I have site-licensed software that I have in numbers of seats that each individual can use. So I control which printers you can have access to, which applications you can have access to, how much data storage you have on my servers, what servers you have access to, what your user name is, what your password is, how often you have to change your password, how long your password needs to be, what sites you can access, what you can access. I control all that you see in here. So in that particular case mostly the people have network accounts, so that's real useful. But that in and of itself, and we tried to solve some of this, can create problems, usually not for a big IT place. But I was in the session yesterday where we're
talking about, where a user got up and spoke at the podium, at the microphone, and he was saying, "We still have 10BASE-T, we're still deployed on top of 10BASE-T." Well, so if I have all my network storage and it's all happening over 10BASE-T, now with significant amounts of data flowing around and lots of people using my 10BASE-T network, even just doing browsing, you can definitely run into bottlenecks. So downloading some of that stuff off of the net is something which we've attempted to try and solve.

The other thing is the scenario that I alluded to in the beginning, where it's an at-home kind of setting, though I know that some of you out there are deploying capabilities as an IT solution as well. This is primarily geared towards a small or very small number usage, and that's the capabilities. However, the capabilities scenario, which allows you to control media, so Johnny can burn a CD, Johnny can't burn a CD but I can, and what applications Johnny can use, I don't want Johnny using the Terminal, those kinds of things, it's primarily for application access control and media access control, and it's in a small environment. But the mechanism for doing that is the same mechanism as what is used in a big system. We don't have a separate means for funneling that kind of data down to the system; we use the same mechanism for capabilities as we do for a full managed environment.

And then we get the mobile user, and the mobile user is a little bit different from the one-to-one deployment I was talking about. In this case I gave you the computer, you have a network account, you have this computer, you sit down, you connect up to the network and you log in. You log in with a username and password, and then you unplug that from the network and you go home, you take it on the road with you. And I control, I kept some medium of control, but maybe not as much. I may have getting say that you can access the CD or not, but it's in a mixed
environment. And there are others, and we want to hear what those others are. We really want to get a feeling for how it is that people are using the product, because the clearer the feedback you give us, the better the product we can deliver to you.

So what is it that we're talking about here? Apple managed desktop. Apple managed desktop is a mechanism for managing resources. And what is that? Well, that's people. So I manage people by managing user lists, by managing passwords and password policies. It's managing equipment settings, and there's some new ones that we're managing: does the computer turn off at ten o'clock at night, do I have screen savers come on, not screen savers, but does the monitor dim automatically, do you have access to these kinds of applications, applications or resources.

So how do we do that? We do that through Workgroup Manager primarily. Capabilities is handled through the system in a small kind of environment. But what you have is you have your personal environment where you have your accounts, right? And if you move from accounts on a local level for a system, you move to Workgroup Manager. Workgroup Manager basically is a bigger accounts management pane with lots more options, because you have much more that you can control. But what is Workgroup Manager? Workgroup Manager is primarily a directory editor. It edits data that sits in a directory, and that's going to become much clearer to you all with Panther, because for me, excuse me, for me a key feature of Workgroup Manager in Panther is the Inspector. What that gives me is the ability to go in and edit my directory raw. Now that's a lot of power, and there's not a lot of sanity checking that happens when that goes on, so buyer beware, user beware in this particular situation. What we do in my group, which primarily handles the preference setting, and as we look into Workgroup Manager you'll
see, and we'll be dealing a lot with the preference setting, is we take those preferences and we put them into an XML format and we store those in the directory structure. And then when a user logs in, we go out to the server, based on what machine the user's logging in on, who the user is, what groups they're part of or have chosen to be part of for this particular session, and we get that XML data out of the directory, we unionize it or munge it, put it down to the local system, and that sets what their preferences are. We also do volume mounting as part of the programmatic process that happens. We also pass information off to the system so that if you have applications that need to launch or those kinds of things, we set those preferences so that other system services can take advantage of those. But we really don't do a lot of actions other than that. We are not access control lists. Though we do allow for permissions and preferences and things like that, we're not setting up access control lists.

So we have a managed environment. The top of the managed environment chain for us is users. The first thing you do is you set up users, and you set them up usually with home directories. Not always, because I can set up a series of users and they don't have home directories; maybe they're all FTP users. In that case they're managed FTP users; they're not going to be accessing this particular device and so they don't have home directories. In those home directories we store preferences.

So again, a bunch is changed with Panther, and the things that you as developers and you as IT folks really need to pay attention to, and that is: today with Jaguar I sit down and I log in as me, and until I log out I'm the only one using the machine for the most part. Now I know people can ssh in, people can ftp in, people can do a bunch of stuff, but as far as accessing freestanding native Mac OS X GUI applications, I'm
the only one that's doing any of that while I have that session going, all right? So I have full access to the keyboard, the mouse, the monitor. I control all that I see in here, primarily. Well, now we have fast user switching, so that I can get up from my desk, go to lunch, or I can be in a lab and be sitting there and accessing it, and then my lab partner can switch over to their account. So now you have two people logged into the machine at the same time. And application developer me puts all those things in a global space or with an absolute path; well, user two can access the data that user one is accessing, because I've got it open and running. So those are some of the things that you really need to be thinking about when you're developing solutions or when you're testing out your products.

Don't require specific folders. Now last year when I was giving this kind of presentation I had a whole scenario where I showed a demo, I ran fs_usage on a bunch of applications and showed that some applications were being bad, and they were doing lots of I/O, and I/O over the network, it's bad. I tried to look for some applications that were doing some bad things. So in early iterations of some people's software, if you didn't have a specific folder with a specific name, the application would crash. Now if you want a specific folder, some of these applications, they will create a new application with that particular folder. But our customers like to customize. Customers customize, and don't require them to have a specific folder, you know, "my app folder". So you provide an application and it has to have these. Don't use specific folder names. Use relative names where possible. Allow for one installation per CPU, but don't require, don't disallow multiple users from accessing that particular application. This is the fast user switching scenario: you can't be sure that only one person is going to be trying to run your application, maybe multiple users on the machine. Also assume that your
application will be accessed over the network. So why is that? Well, that's for a couple of reasons. I do some beta testing for some Mac OS X applications, which I can't talk about because they're still in beta, and one of the first bugs I wrote on these applications was: I logged in using my network user ID, which is out on the network, and I tried to run the application, and it crashed. It didn't like me not running locally. It also didn't like me not running as admin, which is a totally awful different scenario. So they're two different things. One, assume that if I'm doing I/O, for example if I'm writing out to a cache or I'm storing files in temporary folders that are stored out on the network, you have to assume that that user's home directory could be out on the network, and that if it's out over the network, what we ran into here this morning is there's a really big AirPort configuration here for all you guys to have AirPort access. That can get really busy, and if I'm booting or running multiple applications, all of them over the network, and all of this data in my and various network home directories, it might not be the fastest AirPort implementation. In a lot of cases we have AirPort solutions that we've showed the schools and they haven't updated to the new faster AirPorts, so they're accessing their network folders over AirPort with 30, 40 people connecting through the same AirPort base station at the same time, and the performance goes into the toilet. So you as developers need to take that into consideration when you're writing your applications.

Also, don't require the users to run your applications, if you're developers out there, to have admin access. As I get back to the usage scenario, most of our users aren't running as that. Most of them are running as network users, and some percentage of them know an admin password for their machine, but a large number of customers do not. And some subset of customers, one customer, two customers, might
be forty thousand users, where none of those 40,000 users know their admin password. So use our product to test your product. Use the capabilities services to test your product, to test our product, test your products.

Excuse me. Workgroup Manager. What is Workgroup Manager? Workgroup Manager is a way to manage system-level preferences. How many of you have used Workgroup Manager here on Jaguar? People in the room, users of Workgroup Manager? Okay, so about 20, 25 percent. So for those of you who have not, Workgroup Manager allows you to set preferences in three separate categories, and I'll be showing you a Workgroup Manager demo here in a bit. Now I'll go into it a little bit more because 75 percent of you haven't used it. Basically we have the notion of three different groupings. We have users, which I think you're all familiar with. We have groups, which you're sort of all familiar with, that the users are part of groups, and you're familiar with that. And then we have computer lists. So basically what happens is, when the machine boots up, it is bound, in most cases or in a lot of cases, to some directory in the network, so it gets network services available to it. It is bound to some directory, and the machine will go to that directory and find out whether or not it knows about me, the computer. Does it know about me? Am I in its list, yes or no? If I am, are there any preferences associated with me, my specific device? There may or may not be. If I'm not in a list of the known computers, does the binding handle guest computers, so anybody who comes and plugs in the machine? And what preferences are associated with that? Maybe I require everybody who logs into my network to have a list login, things like that. We'll show you some of that when we get into showing you Workgroup Manager. Then it puts up the user list. You get a user list, you then get to pick what user I want to log in as. Once I've logged in as that, then I get to pick what group. The user might be a member
of multiple groups, and I can set preferences at each of those levels, and we'll show you how we do that. Workgroup Manager also sets, and that's the MCX data, those are for system-level preferences, and as we'll see it also sets up non-MCX data. This is Workgroup Manager, where I go and I add users and I add home directories, I add group volumes that are accessible to them, and I set up parameters and policies for those users. This user has a home; they have 5K of storage in it, because I have thousands and thousands of users using this particular machine and I don't want them to have a lot of network storage. 5K is really small, but let's say five meg or 100 meg or something small. So I'm already managing those users by telling them this is how much storage you have on my network devices.

The other thing to remember with Workgroup Manager is it's directory-centric. So I can set this thing up in a directory, I can configure users, and those users could have home directories on a totally different set of machines. Set up in Workgroup Manager, where those home directories are does not need to be on the machine that is holding the information. So Workgroup Manager is directory-centric; it's not a server-centric configuration. Again, take the Wayback Machine back five years ago, and what we were dealing with was AppleShare and AppleShare IP, where your user list was specific to a specific machine. What we do when we move into a directory-centric model is you can have the same username and password and have that be accessible in multiple different arenas.

So what's new for 10.3? Well, there's a couple of things, and the first one that you see up there, mobile accounts, is something I'm really happy with. It's to solve a customer problem, and we'll get to one of our usage scenarios, and that usage scenario is the mobile environment. I give you, again, thank you very much for volunteering, I give you this PowerBook and you have a network ID
because you're an employee for me. So you have a network ID, you have a network account where I gave you so much data storage on my server, and you can log in. When you log in, you log in with your network ID, your username and password, and you're sitting at your desktop with your PowerBook and everything's fine. You unplug that PowerBook from the network and you go home, you go on the road, you try and log in using your network ID, and you can't, because there's no network user on that local device. So what do you do? I've given you admin access to that particular machine so you can do some stuff. I'm the nice guy and you've got ola machine, so you create a local user with your first name only and you do your work, because I put all the applications that you really need, to put them all locally. So you do your work, you come back in, you connect up to the network, you type in your network username and password, and you're logged in as your network user. You now don't have read/write access to your original documents that you've just been spending all this time working on. So log out, log back in as my local user with your first name. Well, mount the directory, but now I don't have read/write access to my network home directory. What am I going to do? Ha ha, you're going to use mobile accounts.

Mobile accounts: what that will allow you to do is, as an administrator, to know what you're going to be doing. So I say for you, you have the ability to set up a local account with the same name and password, and to the system it looks like the same user. So you have the same permissions, the same group access, the same user ID, all that's the same. I unplug that machine, I take it home, I take it on the road, I type in the same username and password, I get the same password policy, everything is the same. I plug it back into the network. Now what this won't do: this is just account creation at this particular juncture. This is a transitionary solution. What we will do for you, and we will
allow you to do, is we will mount your network home directory on your desktop when it's available, so that I do my work and I want to copy the stuff up to my data storage on the network. Let's say I only have 100 meg of data storage. Well, that's fine for my documents, the documents that have changed, my spreadsheet maybe, or this and that, nothing. I can copy them up. I don't have to worry about permissions, I don't have to worry about any of that stuff. We don't do that for you. We will mount the volume for you, but we won't do the copying for you. We will put the documents folder in your Dock, again for easy transferring of data. So you'll have a network account, the documents folder will be there, your network account home directory will be on your desktop if you want it and you ask me to set that up for you. We don't set up the synchronization. There are utilities, rsync and some other utilities, and the OS is providing utilities going forward that will allow those kinds of things to happen, but for doing file copying and access, we don't do that. So if I go home and I connect up to a hundred different browser sites, right, and I add in bookmarks, and then I want to log in at work on my desktop with the same user ID, I'm not going to get those unless I copied them, in which case then I will. So I'm very excited about that. I think that'll be a real plus, make it a lot easier for people to work, and I know it'll make it a lot easier for me to work.

Additional login window options: new in Mac OS 10.3 we have auto logout. I use this now. I set mine for 45 minutes. I get up, I go to lunch, and when I come back in I'm sitting at the login screen, I'm not sitting at the screen saver. I may be at a screen saver depending on how I've configured that, but I've actually logged out. So auto logout and the ability to manage that. Again, we have fast user switching, and we've given you the ability to manage that. We've given you the ability to turn that off and on, because what you may want is you
may want to have fast user switching on, on most of the machines in your lab except for that special one in the back which has a new video card or something else. We've also, and people talked to me about this yesterday in another session just because they saw who I was or remembered me from past years, and that is the ability to mount additional share points. What we currently have today is if you're a member of a group you can mount a group share point, and that's good because it's sort of workflow oriented. But this gives you the ability to mount additional ones, because people are saying, "Well, yeah, I'm going to be able to mount a group one, but I also want them to be on the documents one, and I also want them on a pictures one," and things that are going to be global to a whole bunch of people, that may be across groups, sorda mean ability to do that.

Universal access: these are things to handle a lot of special ed needs.

And the other thing, and this comes up where we've been hopefully listening to you guys, and that is for application access. Currently in Jaguar today we have an allow list: allow the users to access these applications. Well, that's good but not great. And why isn't that great? Well, because you all as developers may find, and have found, that at times to solve a particular engineering need it's easier and faster to just write a UNIX utility that your main application can then call to munge some data in the background for you. You fork off some data to it or you pipe some data over here, and those applications, or those little utilities, aren't visible to the system in the same way as your full-blown application is. They actually appear differently to the OS, as a text file in some cases, ilderim it, though there are file differences and extension differences. But if I go to open the file it's just going to look like a bunch of text data in a lot of cases. So the ability for us
in a user interface to show everything that possibly could be an executable would be a very big long list, so we only displayed applications. So what might happen is I allow you to run your application, I'll use Photoshop for an example, and let's say your dithering utility is a UNIX-based tool. I didn't allow my user the ability to launch that dithering tool, so guess what's going to happen when they try to dither the image? It isn't going to work, because they don't have access to be able to do that. So what we've given you is the ability to say, well, allow UNIX-level tools to execute. We've also given you the ability to have a deny list. What we found is that what people really want to have happen, what our customers really want, is they don't want the students to run iTunes at school. So you can't run iTunes, you can't run the Terminal, you can't run the Console, you can't run this, you can't run that. All the things that they can easily pick, we just tell them you can't run those. And so we've added a deny list, and we think that with these particular different groupings we've given you a lot more flexibility for 10.3.

So now what I'd like to do is I'd like to show you a demo of Workgroup Manager here on demo one. So what we have here is something which is probably familiar to all of you. We've got a few things that are different, a little bit different look and feel, but ostensibly this is where everybody usually starts out. I'm in here and I want to create a new user, and I'll create my new user, WWDC, give them a password. I can give them what level I want them to have: I can have them administrate the server, I can have them administrate a domain. There is no domain set up on this particular machine, so that's not active. The ability to log in or not. So I'm already starting to layer some management here. Depending on whether or not they can administer the directory domain, I can give them
granularity for that. Again, I can't get to that particular one because we're not administering a domain here. Then we have, let me say that, so we have now a new user. We have a variety of different options that we can set for that user. We can set their password policy, we can set what their shell is, we can assign them to groups, and we'll get to that in a little bit. Again, since this is freestanding, there's another button which pops up when it's not freestanding, and that is a network button where I can select, say, they have a network home directory. But I'll go here under Advanced, and basically what I can point to here is now so um about comp. So basically I point them to my server. This can be a server that's served up over some other mechanism; it doesn't have to be served over AFP. I give them a path and their home. I could give them five kilobytes worth of data storage; that probably wouldn't be really useful. I get to set their storage in this particular environment. So let's revert to them. I can say that they don't have any home. Again, that's a management choice right there, and all I'm doing is I'm setting up a user account. So what I'm trying to get the notion to is you don't have to have managed system preference data to be a managed user. I could set up mail preferences, print preferences, preferences if they want to have Windows access, those types of things.

Then I get into groups. I can create a new group, WWDC group, and for those of you who use Workgroup Manager every day or frequently, this is pretty old stuff. We also have a group folder here. I can designate what this particular group folder is and how it's configured and where it is. It doesn't necessarily need to be on the same server, but I can set that up here. I can designate a full path in the advanced mode. I can add users to this; that's real easy. So adding and deleting users in this
particular environment is these committees in that about serving and I can't do the other portions of that. And I also have a notion of, thanks, of computer lists. What you see here is you see two things: you see computer list and Windows Computers as basic starts. I can also add groupings of computers, and I can do a bunch of things. I can set the access for these now. So this gets into an interesting kind of scenario whereby I can have a user that can authenticate as who they are, they really are who they are, they typed in their username and password, but I don't allow them to use that computer in the back of the lab that I'd savor my specially guys, they're not allowed to use that computer. Or the servers: I've got a bank of servers, only admin users can log onto these servers. I don't want any, you know, Joe Blow to be able to log in locally, to log into these servers. So I can set those kinds of things up here too. Then you have a notion of a cache, and this gets more into our managed client MCX data environment, and that is, for the sake of speed and to cut down on the network traffic and to optimize for that as much as possible, we keep a local cache of the data that you set here. So when a particular user logs in, we copy that data, some of that data, down: the MCX data, some of that other data. When you're creating mobile accounts we actually create a copy of the directory structure, so that they've got the same set of groups, the same user and user list, that kind of thing. And since the cache aging here, so what we've got here is, under, switch to Guest Computers, and I'll switch over here to Preferences, and as you see, we've got a variety of different preferences that you can set here, from applications to padlock. I have nothing to give it. Thanks. I came to find a guest worker because I'm local did I did idea. Thanks. Okay, here we go. Good, save that, and then I want to go in under 1 and define those, and I still don't, there we go. I
could say which applications. So what we have here is, this is the option that we have which allows Unix tools to run. I can toggle that off and on. Basically that allows, you know, any sort of UNIX tools to execute. you're just going to access applications on local volumes: a lot of times what you want to be able to do is you want to say, well, I don't want them running the network versions of these, you want them to run them locally. And allow applications to run non-approved applications: this is an ease of use, or needs of facilitating the user's ability to use the machine, but it gives people the ability to, fairly easily, depending on what applications you give them, launch any number of non-approved applications. But then you have this: you can launch any, all applications except these. And so I can come in and I can say remove Activity Monitor, Address Book, I want to be able to do that, remove ARD Agent, because I want to be able to access the machine, remove Classic, ColorSync, don't remove Console. So I can go through and I can remove applications with direct, no, I don't want the max s directory access the meter, and you can set, basically, you can set what applications that they cannot access. So that's where Burke in the Dock. We've added a couple of things to the Dock. In the Dock we've added the ability to mount a Documents folder, shared folder, My Applications folder, group volumes for groups, since this is computers are owner group I'm so on the network home. This gets to the mobile account scenario that I was talking about: I want to be able to mount your network home as a share point on the desktop. You can also add documents and folders, and these can be documents and/or volumes that are on, that are individual separate volumes, and you can configure what the Dock is going to look like. Then you have Dock display. Some of this was shown yesterday. Basically it says the Dock left, Dock right, all most of the Dock, particular Dock items. Don't, let's not save that.
Energy Saver was in and is in Jaguar. You have a variety of different Energy Saver options. Finder: what's new in Finder? In Finder, the commands: we've separated out the Restart and Shut Down commands, again at the request of some users who wanted to be able to say you can tell the machine to restart but you can't, because something might happen, you may want to restart the machine but you don't have to shut down, or vice versa, you can shut it down but you can't restart it. We split out System Preferences. In the past we had application access, and yet System Preferences was just a separate tab there. People wanted those separately because they manage the ability to access System Preferences differently than they do applications. Basically they don't want people here to set the screen saver or change the sound volume, those kinds of things. So we allow them to manage System Preferences. You can show none, and then I can go in and pick Print & Fax and QuickTime only, and I can apply that. So now the only things they're going to be shown for guest computers are QuickTime and Print & Fax, because that's the only thing I want them to do. Mobile accounts: mobile accounts is now, I click here on what on always just because bug standpoint but since I'm not going to, but for the most part this would probably be best done as a once preference. And what's the difference here? Because we have preferences handled in a couple of different ways. Once is like your initial setting. So if I come in and I want my initial setting on my Dock items to be these things, these five settings, I want, you know, here's an intro to the school year or an intro to my business, I want that right in the Dock, and I want a whole bunch of other things. And so I want, when the user comes in at the beginning of some particular session, or if I just rolled out a new IT solution, for example, well, I want the help file for this new process to be handled, or it's time for them to pick a new health plan, so
I'm going to put down in a set-once setting, I'm going to put down, here's a URL to the health plan in my Dock, and that's once, and then they can change that and it won't ever show up again. But if I want something to go back, and every time they log in to be reset, then I would choose always. Well, so shop creating a mobile account: I don't want to create this local mobile account every time I will again, so I probably want to do that for the first time the user logs in. They get this preference, and I want to give them the option to create an account locally that maps to their network account. So this is an example of when once probably would be most useful. However, you might want to do that always, because the user might be deleting their mobile account on a regular basis. It may actually just be being used as temporary storage. So I may create a mobile account on a PowerBook, turn the computer in at the end of the day, I delete all the users on that computer; next time that user logs in, I want it to create another account local to the machine. So there are uses for always. Save that. Universal Access is new. Basically this tries to mirror the Universal Access in system. And then the other one we have here, Internet, let's talk about that for a second. And this brings up an interesting point that I wanted to get to. So we do not manage everything in the system from a system preference standpoint. From managed desktop, we don't manage everything, and we don't manage everything in the same place. Why do we do that? Well, if you look at Panther, there is no Internet system preference anymore, and in the Internet system preference there was what is now in the .Mac system preference. Well, in Jaguar, in the system preferences, we had email and we had web. So, oh my lord, so with email and web, those things aren't managed in Panther anymore, they're managed at an application level, but for Jaguar clients they're still managed. So that's why these are here, and we
also believe that they're good to be managed anyway, but we don't manage the iDisk ones. So because we're running out of time here, I want to show you something which I think is really cool, and that is the Inspector. Okay, so we have the Inspector, and ostensibly I'll come over here to users, I'll pick WWDC, and I click on the Inspector, and I've got WWDC, oh sorry, come now, go to Inspector, let me, WWDC, and here I have everything that's associated. Here you can see the passwords, this is standard, standard password, it's not using Password Server. As you'll notice here, I have no data here for MCX data at all. So I click over here under computer list and I click on Inspector here, you'll see, oops, one second, accounts, you don't see any MCX data. I thought I saved that. Didn't do it under users. Let me go in here and create them: users can use all applications except these. Oh, now, got to excuse me, the demo that I had set up here on this particular hard drive would not boot on this particular machine, so we're running without a server sitting behind me with all of this configured. And now I will come to accounts, users, WWDC, and there we have our MCX data. Why am I showing you this? I'm showing you this for one reason. We spit to switch back to the slides. I'm going on, that's Workgroup Manager, we're going to come back to Workgroup Manager here for a second, because there's a really neat thing that you can do with the Inspector that I want to show you before we leave. So what have we learned for Mac OS managed client, Mac OS X? So we've learned that Mac OS X is a managed environment. We've got most, from user accounts to file access to application settings, excuse me, to system-level settings. We're going to show you application-level settings here in a minute. It's been shipping since Jaguar. Workgroup Manager's been part of the Jaguar 10 Server. It can be running on a Jaguar machine. People are just beginning, the IT folks are just beginning to deploy this. They've been evaluating it and are
now rolling out solutions. We're getting the feedback from you all. We're getting the feedback that we did with a deny list that we're adding to Panther, those kinds of things. The gotchas that you've run into: preference storage. We want you to do a couple of things for preference storage, and that is, wherever possible, we want you to cache files locally where possible. And it's a little bit schizophrenic here, because I also want you to associate these things with the user records, because more than one user can be accessing the machine and I don't want you to have global data floating around. But I want you to try and prevent, wherever possible, network bottlenecks, and basically what that does is, I mentioned you trying to optimize your I/O as much as possible so that you're not doing a lot of small reads and writes, because a ton of small reads and writes spread across a whole bunch of folks, all funneled through, you know, one switch, or all funneled into one Ethernet port on the back of one server, can really slow our users down. Multiple-user environments are a factor that you have to pay attention to. So as I mentioned before, by paying attention, and one of the things that we did was we added deny lists for users. You restrict user access, and hopefully that will prevent the errors from happening, and potentially the hangs from happening, when not all of the utilities that you use to provide your solutions are available for the users. Users are accessing their home directories over AirPort. Is this the optimum solution, and was this the design implementation that we thought about when we were doing home directory implementations? No. Is this what the users are doing? Yes. So you need to take that in mind when you're developing your solutions or you're providing your applications, is that they're doing I/O to their network home directory. It may not be disk I/O speeds. And users want their application preferences to be
manageable as well. So what I'm going to be showing you here, as we switch back to this demo machine, is, what we have here is a list of the MCX data that's stored. And as you notice here, this is the Inspector editor. Here you have the XML, and we've got application access, that's the key, things are forced, where we set application access preferences. So what I'm going to be doing here is, let me cancel out of this, go back here to this application access, click on hand, click on preferences, and I'm going to set an Internet preference, web, always. I want my homepage to be, let me, the apple com, and default web browser to be Safari. Shut that, see if I got Safari right here. Okay, so I'm setting my default thing and I'll apply that. So that's good. Now I've set my default web page here. Safari actually is one of the applications which uses this Internet settings, and so now people will go to wwm. Well, that's all well and good, but I want more. So what I'm going to do here is I'm going to go under my applications and I'm going to open up Safari, and this should be interesting to the IT folks. It may not be interesting at all to you application developers out here, with the possible exception of, if you do this with your preferences, your customers are going to be able to do this with our product. So we're going to look at your preferences. Oh look, hmm, the homepage here too. Well, let me do HTTP [Music] let me set it here, and let me say, oh, "Open safe files after downloading": I don't want them, there could be a virus in all of those files, so I'm going to change that, I don't want to do that. And that looks good. Bookmarks, yeah, that looks good too. I want them to enable tabbed browsing, new tabs, will set that. AutoFill, may, Security: I want to block pop-up windows, yeah, I'm sure I want to say that. Okay, so I just set up the preferences for this application by myself. So now I'm going to quit this application and I'm going to go under my home and I'm going to open the shop with, there's a plist editor,
I didn't want to open up a post editor, let me quickly list editor, preferences, Safari. I am going to take these, I'm going to copy this, paste it into a new file, save that file as Safari prefs, put it in my home directory, go back here under Workgroup Manager to save. Now we're going to edit these preferences here. So what I've got here is I've got application keys, and a lot on application keys, and here we have apple dot internet com. So I am going to change this to Safari and paste that in there, and now I've just pasted in, so I was able to connect up to the other server. Basically what I've done is I have now added Safari preferences to this particular user's system preference, its preferences. So when they log in and they launch Safari, they're going to get those same preferences. I could do that to a group of users, I could do that to a computer list. Any preferences I can set in an application that are stored in CFPreferences, using the Inspector with Workgroup Manager you can copy and paste those preferences into their MCX data. When that user or group logs in, that data will get composited and put in their plist file for Safari in their home directory, and they will get those preferences too. So we're giving you a lot of very powerful tools with Workgroup Manager going forward, and we don't do any sanity checking here. If I pasted this in in the wrong place, offset that dictionary by one, those preferences might not have launched. So it would have behooved me to make a copy of those preferences first, save those out, so I'd have been able to restore should it not work, and it also behooves me to test out those implementations first. But this allows you to go into any application that stores the bulk of its preferences in CFPreferences and to be able to edit those preferences with a text editor, with any editor of your choice. Back to the slides. So what are the development guidelines? These are the things we want you to think about. Your product will be used in a managed
environment, so test with our product. You should have been given a CD with the server software on it, so install the server software. Run this software locally, run this stuff locally, it considered on a machine, and run all these preferences locally for local users, or you'd set up a server so you're actually doing traffic over the network and you'd run into the problems you can debug in a network environment. Run capabilities: in the version of Panther that we got, the capability stuff has a big "not yet implemented" on, but it will be implemented with other seeds coming up. Run capabilities, the capabilities default, because we're addressing different market segments with our capabilities, but our, the Workgroup Manager product might be different, so it would behoove you as developers to check those out. Assume that your applications will be controlled in some fashion. So if you have helper applications, please call those out in your documentation if they're really full-blown applications. So if, let's say, I have a chart application that puts up a pretty graph based on the data in my application, and that's a real application that I write, it's, you know, a bundled Cocoa app for example, you know, put that in the documentation, so if a user is doing an allow list they can pick all the applications that are very useable. Minimize wherever possible the use of the unbundled applications, because some users, some IT folks, might see "allow UNIX tools" and get scared and not want people to use those, and if you have some utility or some scripts that you go and execute as part of your solution, those won't be runnable, because we will say that the administrator is the king. The administrator set something up in a particular way, we will try and enforce that. If it says don't give access to this particular application or these particular sets of applications, we won't. And assume that your product will be used on the network, so try and optimize your I/O wherever
possible. Wherever possible, don't assume that the configuration that you test within your office will be the configuration that the user has in theirs, so try not to hard code file path names. Use CFPreferences. Again, you just noticed how easy it was for me to cut and paste those system preferences up from Safari to MCX and put it into the MCX data. It's the same data. Rolling your own preference management might not work well in the future. There are no guarantees, but if you use CFPreferences going forward, we'll still be able to manage that. So just to close up and to wrap this up, Mac OS X is a managed environment. You guys who are IT guys, you already know that. Application developers, I want to thank you very much. When I was putting together this particular presentation last year, I showed three applications that were bad and I showed how their behavior was bad, and there were some Apple applications too. And you know, I really thought that it would still be really easy to find bad applications, and I went and checked a lot of your applications out there, and you guys listened. Thank you very much. You're not doing a lot of the things which preclude you from running in this environment, and keep up the good work. I didn't show any bad applications out there because I can't find any, and what I found was things like Safari, things like, you know, other applications that are storing their preferences in CFPreferences. Not all of you are, but a good portion of you are, and in dictionary formats that are easily transferable for our IT users out there. Not all of them are, but a good majority of them are. So thank you very much, and talk to me about what your customers are seeing and what your customers are needing. So who to contact: myself, Michael Locke, who gave the overview of this particular stuff, Skip Levens, your technology evangelist. And the session, they had the session yesterday, so I don't know that we have any
following sessions
