WWDC2004 Session 630
Transcript
Good morning. My name is Gordon Chocolate, and I'm here to introduce to you Richard Glaser from the University of Utah and Philip Rinehart from Yale University. So the first thing we want to announce was that the Mac OS X Labs project is now moving to becoming the Mac OS X Enterprise project, and you'll find it at macenterprise.org. What you're going to see is that there's an increase of work that's going to be going on, where they're changing from primarily looking at lab deployments to looking at how you deploy Macs completely in the whole lab, and they'll be looking for some additional participation outside of just higher education. So with that, let me turn it over to Richard, and we'll go from there.

Okay. Today what you'll learn: we're going to cover some basics on application and its distribution. Next we're going to cover things you should know, commonly overlooked issues that admins should know about. Next we're going to cover how to track an application: what does an installer or application really do to your file system? Next we're going to cover finding solutions: how to make the application work in an environment. And lastly we're going to cover distributing the application: what tools and solutions are available.

So why is this important? That's probably the most important question that you should probably ask yourself. First thing is security, so you can find and fix security issues. The next thing is flexibility: it allows an administrator to easily add, remove, upgrade or downgrade applications. It also allows for speed, so that means that you don't have to spend your time developing new systems, and you can quickly distribute applications, fixes and their updates. It also allows for granularity, because I can control that distribution on a per machine, per user or group basis, or for the entire enterprise. And lastly, it allows me to log complex installs with abstract names; it allows me to control the setup details and the customizations to
distribute the application properly.

So let's talk a little bit about the deployment lifecycle, what we all deal with every day. The first thing that we do when we get a new machine in the door is we assess the need: what does this Mac need to do, what application load set does it need to have? The next logical step is the creation, building and testing of that load set that you're going to apply to the machine, so you have to figure out what am I going to put and where am I going to put it. The next step is actually deploying the application load set and deploying it in your enterprise environment, and the next and last step is to patch and update it, basically to address security needs or application needs. And then the process begins again with assessment of needs as new machines come in or as machines are retired.

So let's talk about some of the factors in management. First thing, and probably the most important thing, is security. By doing this it allows us to find and fix potential security issues. It means that, more and more, most of us have an enterprise security policy which we need to meet, and I can meet that policy by controlling my application distribution. It also minimizes the impact on the network: I don't have to worry about my machine affecting other machines, and it minimizes the risk of my machine being compromised by a hacker or some other user. Also it gives a uniform experience for all end users. This is titled security, but it actually isn't security, it should be consistency. It means that I can give a uniform experience for all end users, so that when the user sits down at their machine they know where things are and they have certain expectations that are met. It also means that things break consistently and can be fixed consistently, and that's equally important, because it means if a user calls me up and says something has broken, I know where to begin to look, and it makes the troubleshooting of applications simpler. The next thing, and this is probably one of the
best benefits of this, is it gives me efficiency. It means I can use tools to control and manage that distribution, I can reduce my time spent developing a new system, and I can minimize the downtime of my systems, so essentially they're up 24 by 7. And the last thing, and probably the thing that will make your enterprise managers the most happy, is cost. It reduces the time you spend managing. It means I can use open source and free tools; there are many open source and free tools used to manage systems. I can also leverage existing technology, and I can deploy in minutes instead of hours.

So let's go back to the create, build and test phase of the deployment lifecycle. What we're really going to focus on today is create, build and test. What we're going to talk about is what you should look for when you're deploying applications in your environment.

Things you should know: this will be a basic guide to what you need to worry about before you distribute an application. This flow chart gives you a basic flow chart of the process. The first thing is kind of obvious: you install the software. Next thing, you set up the application, entering serial numbers, doing any default installation. Third, you customize the application depending on your environment. Fourth, you track and debug what you installed and what you've customized, and then make modifications to get the application to work properly based on your customizations. And then lastly you distribute and also debug, because certain distribution tools might cause certain issues with some applications and you might have to make some modifications.

Next we'll cover: you shouldn't always trust installers. The first issue is sometimes installers install insecure permissions. Sometimes installers will not install correctly or properly, and also sometimes installers will install binaries with elevated privileges. The next issue that arises sometimes is that installers require administrative privileges. A lot of times this isn't
necessary for install, and also overuse of the admin credentials can cause people to be careless and just automatically enter those in, and that could become a security risk. And lastly, if you require admin for installers it also could stop non-admin users from installing the software. The next thing that's another issue with installers is sometimes they install in non-standard locations, so for example the root of the file system, /usr/bin. Also installers sometimes will modify critical files. So for example, sometimes installers, to make certain binaries or applications launch on login, will modify the user's loginwindow.plist or the host-based /Library/Preferences loginwindow.plist, and this can cause a burden for IT to manage, because you have to manage multiple login plists, or cause problems where, based on which user logs in, they might not have the application experience they need.

Next we'll cover some topics on insecure permissions. The first ones we're concerned about are world or group writable. This is an issue because this can cause security problems. Sometimes an application will require these for the application to run properly. The next are special modes. You have SUID, or set UID, and this can cause problems because the application, or the binary the application uses, will run with the privileges of the owner of that application. This, if the application is not properly set up, could allow another user to compromise your system. And for the last, set group ID, you'll have similar issues, where it basically runs with the privileges of that group.

And so here's a basic example of the issues with an SUID application. So you have an SUID application, and on the next screen, it's owned by root. Any user comes in, drill below is a non-admin, launches the application; basically that binary application runs with root privileges, and if the application does something improperly it can be used to either delete files or compromise the file system. This is a
real big concern to enterprise.

Next thing we cover is the process of doing some simple tracking. The first option is readmes: you see if the installer package has a readme. Rarely in my experience does that give you any detailed information, but it's your first option. Next, after you've done the installation, you could always look at the log file and see exactly what it's installed and see if it gives you any details. Third, you have multiple options with package installers. The first I'm going to cover is Apple's Installer utility; the second I'm going to cover is a GUI application called Pacifist, which is a package utility; and the third one I'm going to cover is lsbom, which is a command line utility that allows you to view package installers. And again, these only work with .pkg installers.

So here's an example of using Apple's Installer. Basically you launch Apple's Installer utility, launch the installer, then what you have to do is step through until you select the destination. Then what you'll see is under the File menu you have a Show Files option. This will basically show you all the files the installer will install before you install. Again, this doesn't give you a lot of the detailed information you really should have, but it's a good first start. Another option with Apple's Installer utility is the Show Log option, and the Show Log option is good because you can actually watch scripts process. A lot of times installers have pre or post scripts that do certain things, and you can actually watch the actions they're doing. Again, this doesn't give you all the details you need, but it's the next step.

Next thing we cover is Pacifist, which is a GUI package installer utility. If you see from the screen here, Pacifist gives you a list of all the file system items the installer's going to install, but also gives you some detailed information that's really important to have, so for example you have permissions and you also have attributes like owner and group. Also
Pacifist is really useful: you can verify an install and verify what's installed on your system; it supports checksums. Another item that we do a lot is, if you need to custom install an installer or a piece of an installer in a certain location, you can use Pacifist to force it to install to a custom location. Also Pacifist is good to detect if something's been deleted on your machine that you need from an installer.

Next there's lsbom, which is a command line utility that allows you to view package installers. So this first section here at the top: basically what you want to do usually on package installers is go into Contents/Resources, and for example you could do an ls and look for the bom files. Here in this example I'm showing iTunes, so that's the file you want to find. Then the next thing you want to do is list the bill of materials, or the bom, to show all the contents the installer can install. So you basically run this command at the bottom, lsbom -p mu g TF FC, and then the bom file you want to use, and it will basically give you a list of permissions, attributes, etc.

Next, there are some options for drag-and-drop installers. Basically you use the ls, or list, command. So here for example I have a drag-and-drop installer, Fugu, which is an SFTP/SCP application. I download it, it launches a disk image, and then I just drag the application package to anywhere in the file system. But if I want to see what permissions it has, I basically run the command below, ls, and I use the parameters la PR, and then it'll give me a list of permissions, attributes, etc.

Next, Philip is going to do a demo of some of the items I talked about.

So if we switch to demo two... demo one, sorry. So basically I'm going to take one of our favorite apps, and I'm going to show you how we can do some of the simple things with Installer and how we can do some of the things that Richard just explained. So I've pre-launched this so you can kind of see some of the
things that happen. So when you launch Installer there's an option in the File menu that says, right now it's Hide Log, but if I go to the File menu and I say Show Log, it brings up a log. And if you notice, I've actually got information here already, and basically what this has done is run what's called the preflight script, and you can see the results of that. So watch what happens now when I hit Continue: as it runs the script it will actually fill that log, and there you go. You see that it says Show Everything; I typically want to see everything that happens, because it's going to talk about everything that it does. Now Richard said that Show Files only begins to appear after you've selected a destination, so in this case I've selected original, and then all I have to do is go to File, Windows and say Show Files. And notice that this deals with not only packages but also metapackages, and I can basically show you all the files that are installed. So that's a useful first start, but what it doesn't do is it actually misses the checksum, it misses the permissions, it misses a lot of things that can be useful.

So I'm going to show you the other tool that is the next logical step after you use Installer, which is Pacifist. Pacifist looks at package or metapackage files and basically provides you a lot more information. So notice here that I've brought up the package, and the contents of the iTunes 4 package show me a ton of information. I get to see the size of it, I know the owner of it, I know the group of it, and notice that I see the permissions. I also see the original modification date. So this allows me to take this and view all of the things that might be important to me. And this little button right here, Extract To, is also really useful, because as Richard said, if I want to install it in a location other than the default location that Installer might put it in, I don't have to depend on that anymore. I can now extract it to any place across the file
system that I have permissions to extract to. And the other thing is, notice that it also has the authorization dialog, so in case you would want to put it in some place that you may not normally have access to, you can do that.

Now, Pacifist is a great GUI tool; you can do the same thing with the command line, and here's the example of the command that Richard listed, lsbom -p, and you'll notice when I do this I get a ton of information. It's a little bit hard to read right now because of the way the line wraps happen, but essentially it gives me all the same sort of information that I just saw in Pacifist. So if you're more comfortable with the command line, it's one way to do it.

Now the other thing is for drag-and-drop installers. I'll get it right once. So I've listed a lot there, but as you can see, when I do ls, that's la T capital R, it actually gives me all the permissions information for a drag-and-drop installer; it gives me the group, everything else. The one thing it doesn't do is a checksum, because there's really no way that ls can support checksums. So it gives me an insight into what the application actually might be doing, because with a lot of drag-and-drop installers, because of the ignore ownership flag that is often set when a developer drags that over and creates it, when you first open it it's going to come down to your file system completely open and with world write permissions set. So it's just a good idea to check it before you drag and drop it, or when you drag and drop it, then you can check it. So back to Richard, back to slides.

Next I'm going to cover things you might not know but we think are important to know about. Here's a list of some commonly overlooked issues, and the issues that we've run into are: broken links, links or aliases with applications; applications that do not follow the preference hierarchy; ByHost preferences, which are host-specific file naming in preferences; hard-coded paths; directory location limitations, either
restricting you to either the root of the file system or the root of Applications, etc.; and file or Finder attributes.

Broken links: first thing, sometimes applications will depend on symlinks, and sometimes they'll use an absolute path, and this will cause issues if the admin or user moves or renames the folder, or moves or renames the parent folder. Aliases: prior to Mac OS X 10.2, aliases resolved based on unique ID, and in 10.2 and higher they use the path name, like symlinks, and then use the unique identity second. Again, problems arise when either the user or admin renames the application folder or moves it to a different location. Then the issue where the unique identities will not resolve is when you use cloning software like ASR.

Preference hierarchy: this is an OS system where applications can depend on the OS to resolve separate scopes to find preferences. An issue sometimes happens when an application requires a specific location or restricts to a specific location. You have options for separate scopes. The first scope you have is user space, where you can install the preferences in /Users/username/Library/Preferences. This restricts the preferences just to that specific user. Next you have host-based scopes, which could be stored in /Library/Preferences, and this is limited to users of that particular machine. Next you have network scopes, which are stored in /Network/Library/Preferences.

So here's an example of a quote-unquote flexible app and a problematic app. The first app uses the OS's preference hierarchy, so the admin or user can basically install based on their needs in the environment and can install the preferences in separate scopes. So if the admin wants to install in the user scope, they can do that and the application will work properly. Else, if the admin instead, say, has limited disk space and doesn't want to duplicate preferences, and there's a lot of preferences, they could put it in the host-based scope. And then an example of a problematic app:
the app basically requires you to use the user space scope. This might cause some problems if you have, for example, an application that has a lot of user-specific files and it's not easy for them to move it to host or network based.

So, following on Richard's talk about the preferences hierarchy, the other thing that we need to talk about when we talk about preferences is ByHost preferences. Now ByHost preferences are a unique case, because they use a particular machine-specific hardware address or hostname for setup. So the preference file often contains that information: it contains either the MAC address of the machine or the host name of the machine, and the preferences are typically stored either in the user scope at ~/Library/Preferences/ByHost or in the global directory of /Library/Preferences/ByHost. So as an example, on our test Mac machine, I've set up my machine that I want to deploy, I set it up exactly like I want, but in the ByHost folder it has the setup Mac's host name or the setup Mac's hardware address. So what happens when I now deploy this? When I deploy it and I put it on my clone Mac, now the setup Mac host name is different and the setup hardware address is different, and so no longer are those preferences actually preserved.

So let's move to something different that we talked about, hard-coded paths. Often hard-coded paths tie an application to a default location with the default name, and some apps actually expect the default install pathway. So they might expect it to be at Applications/MyAppFolder/MyApp; if they're not there they may not work properly. So when the parent folder is moved or renamed for clarity, it may actually break the application. We also have directory location limitations, which is also related to hard-coded paths, in that some apps may require installation at specific locations, such as the root level of the hard disk or the root level of the Applications folder, and many installers and applications don't support special characters such
as spaces or the option-6 character or other characters that can be added to it, and this particularly causes issues when you try to update the application or use features of the application.

Last thing that we're going to talk about is file or Finder attributes. Some applications use file attributes, Carbon's file attributes, for setup, and some distribution tools don't support this information. Typically the way that you look at this is, within the developer tools directory there's a tool called GetFileInfo, and GetFileInfo actually looks at the Carbon resource file and basically tells you what is stored in that file, particularly the attributes, and it could also be the creation and the modification date.

Next we'll cover tracking installation: what does the installer really do? We've covered some simple tracking options: readme, logs, using Apple's Installer utility, Pacifist, lsbom. Now we're going to cover some more complex tracking options. We'll cover utilities like File Buddy, a command-line tool called logGen, and a suite of tools called Radmind.

First, what method should you use? The first option depends on the technical ability of the admin: do they know the command line? Next, do you want to use a GUI or the command line? Some of the tools do have GUI front ends, some don't, or may not offer all the features with the GUI that they do with the command line, so you have choices there. Also the accuracy of the tool you want to use: some tools don't track as well or as accurately as others. Lastly, how does the tool you're using for tracking installation integrate into your overall distribution model? Again, simple tracking works great with packages and drag-and-drop installers. Complex tracking you can use with packages and drag-and-drop installers; you can also use it with non-Apple installers, so like Vise, InstallAnywhere.

So here's an example of File Buddy. File Buddy was a popular Mac OS 9 file utility that was ported to Mac OS X. File Buddy has an option where it allows you to
capture a snapshot before and after install, and then you create a comparison of the before and after install. It will give you a list of added items, modified items, deleted items, etc. The cons against using File Buddy: it doesn't support the detailed information that you usually need, like permissions and attributes, and also doesn't support file checksums. So below here's the graphic, if people haven't used File Buddy. Basically you launch the File Buddy utility, there's an option to create a snapshot, you take a before snapshot, you install your software, set it up, doing the installation customization, you do an after snapshot, and then you compare the before and after and it will output the files listed below.

logGen: logGen is a command line utility. It's open source, it depends on Perl modules in Mac OS X 10.3, and it does support detailed information like permissions and attributes and also does support file checksums. It uses a similar method to File Buddy, so you basically take a snapshot of the file system before, install your software, set it up, do any customization, and then do a scan after, and it creates a log of what's different in the file system. So here's a quick example of logGen. Basically logGen is stored in sbin, so you run the utility logGen, you name whatever you want to call the before snapshot, then you install the software, set it up, then you basically run logGen again, you name the after snapshot and you also select the before snapshot, and you can either output it to screen or output it, here, to changes.txt. And then in the output below you'll get something similar, so it shows you new files, changed files or deleted files.

Radmind: Radmind is a suite of command line tools. Radmind is a really powerful file system management tool that could be used to manage a whole file system, from tracking to also distribution. Radmind does support detailed information like permissions and attributes, owner and group, and also supports checksums, and the process of Radmind is
slightly different than the other tools. What you have to do is set up a managed file system, you update the client to that managed file system, you install the software, set it up, and then you run the Radmind tools. The Radmind tools will scan the file system, compare it to the managed file system, and log any differences.

So we're going to talk about advanced troubleshooting, and this might seem a little bit out of place in tracking, but it really isn't, because typically we want to run the application as a non-admin user, and sometimes the application may not work as a non-admin user. So we have to have a way of tracking what that application is trying to do, so that we know what to do with the application for deployment. Most of these are command line tools; some do have GUI interfaces, but most are accessed from the command line. The first one is lsof, which lists all open files. The next one is fs_usage, which monitors kernel-level system calls and file system activity. And the last one is ktrace, which is kernel tracing, and it's a very low-level tracking mechanism.

So let's talk about the first place that you should probably start: list open files. This lists open files by process and has many command line switches. The first one that I have highlighted here is list open files with the -c switch, and what the -c switch does is tell it to pay attention only to an application that I'm interested in. In this case I've said I only care about Mail.app, and so what it simply does is tell me all the activity that's going on on the file system with Mail, but only with open files. The other thing that you can do, and it's another useful switch, is if it's trying to do something to a particular directory, you can pay attention to just that application directory with the +D switch. So I can say list open files, +D, pay attention only to the Mail.app directory. So if a normal user is trying to write to some place that I
don't understand, where it's trying to write to, I may capture that with this command. Sloth is a GUI for list open files; it makes it a little bit easier, because, I don't know if you can actually see it, yes you can see it, it has a number of checkboxes to basically encapsulate the command line switches, and you can also set a filter on it so that you can really pay attention.

So let's move to the next level. This is the next level that you go to if list open files doesn't give you enough information: you use file system usage. It has to be run as root, and it's more advanced than lsof because it basically tells you every file that's trying to be accessed across the entire file system. It also reports in real time, and the output is very, very verbose. So I've listed the command here, which is fs_usage followed by -w, which tells it wide output so that I can see the entire path. I next tell it that I only care about file system objects, I don't care about anything else, and that's attached to the process identifier of the application, so that's what's in my command. I next use grep to omit cache hits. If you don't do this you're going to find that you have a ton of output that you actually have to pay attention to, and it can actually get very chatty and make it hard to find what you actually are looking for.

The last thing that you should use is the kernel trace utility, and this is when you have an application that's doing something and you cannot solve it in any other way. It handles all calls directly from the kernel. The output is not readable by a text editor, it actually stores it in machine format, and it provides the most complete set of information. So notice that I have ktrace -ti -p to the process identifier of the application. Then to read that I use kdump. It's going to put a file called ktrace.out in the directory that you start in, typically this is your home directory, and then you can pipe that to a text file and then you can read it. But as you notice from the example
here, it's actually fairly complex and it's not easy to read. If you're going to use ktrace I would suggest reading the manual page, because it will provide you most of the information that you need. The next thing that I should say is when you run ktrace it's actually very important that, after you have tracked the application, you actually turn it off. If you don't turn it off it will continue to monitor until basically your file system is full. I actually accidentally forgot to shut it off once and filled up a 60 gig hard drive in about four hours, because it basically just continues to monitor every single kernel-level call. So read the man page if you want more information. So Richard's going to do a demo over on demo two.

What I'm going to show is two of the utilities we talked about, File Buddy and Radmind. Note, just for the sake of speed and for demo purposes I'm basically going to use a disk image to show the demo, but you could basically do the entire file system of a really large hard drive. If you guys want to wait 40 minutes while I do stuff, we could. But anyway, so what I'm going to do is, here's the disk image I have, I basically tap on it. This could be the OS, could be whatever you want; I could have a really diverse file system here, but for simplicity and for the sake of time it's just really simple. So basically I have Chess. What I want to do is show File Buddy, so I want to do a file scan, a snapshot of the file system. So I launch File Buddy and I select Take a Snapshot, then I select the volume I want to take a snapshot of, which is the disk image, and I name it, so I name it before, and it outputs. Next I'm going to install an application. Again, for the sake of time I'm just going to do a drag and drop with MyApp. So I just drag this over to the disk image. This could be an installer, could be a Vise installer, it could be a complex file system, it could put the pieces wherever you want on the file system; again, for the sake of time I just do a drag and drop. So next, again, I
did the install, I did any customization I wanted, then I take a snapshot again and I call this one after, and it outputs it. The next thing I want to do is compare the before and after snapshots, and what it will do is output a folder that basically has these files listed in here. I'm going to display those. So you'll see in the new items that it lists MyApp and the package contents. It doesn't list any detailed information like permissions and attributes. There's also new and modified items; nothing was modified, there are only new items on the file system. What I'm doing here, which we'll talk about later, is I'm running an AppleScript to basically mount the disk image with a shadow file. I wrote the AppleScript to remove the shadow so I could get back to a clean system. So basically what that did is just unmounted the disk image, deleted the shadow file, and it's now mounting it again. We'll talk about that a little bit more.

Okay, so the next one shows Radmind. Again, I'm back to my clean system. And Radmind, one note, I'll go over this a little quickly: in Radmind you set up a default managed file system, which is defined by this command.K. Again, for simplicity this is really basic; it doesn't have any unmanaged items on the file system. The base image basically contains my default baseline image, which just contains Chess. If you have questions you can ask me after; Radmind will take a long time to talk about. So again I do my install, do any customizations I want. Radmind does have a front end, but I'm going to show the command line. First, again, I basically cd to the root of the disk image, and the next thing, I'm going to use a command line tool called fsdiff, file system differences. I use a minus uppercase C, which defines a creatable transcript, and a creatable transcript is when I want to create an overload to upload and distribute to other clients. The next parameter is minus lowercase c, which defines the checksum, and sha1 is one of the checksums Radmind supports; dot, the current
path, and then I'm outputting the transcript that it creates, or the modifications to the disk image, to myapp.T. Run, there it goes, and it will create a file on my desktop, and I'll open that up for you. So you'll notice kind of some differences here. File Buddy only lists some of the contents; it uses the date and size, modification date. Radmind uses checksums and gives me detailed information like permissions. So if I use File Buddy, I would know that, I wouldn't notice that this application installs with world write, that's 0777, so I'd miss that item. Also with radmind you can also check for setuid, and I can quickly scan through the transcript and find those items, would be notified that there are some concerns here. So all right, now back to the slides.

So let's talk about, now that I've actually tracked the installation and I know what it actually does, how do I actually make it work? Because often the developer may not have the time, or it may be a fix that is coming down the road. How do I actually make the application work? So let's talk about modifying the default install. There are solutions that you can use. Installer: we can solve the problems of installers, of solving with superuser privileges; we can use tools to customize or extract an installer. There are also security solutions, where we can modify the permissions and attributes to something more acceptable. We can use links to redirect to a user space instead of the global space. You can use the disk image with the shadow file, or can use login, logout or startup scripts. You can also affect the preferences by using login or startup scripts for ByHost preferences. You can move the preferences to a different scope, so instead of being in the user scope, it probably, or sometimes, will work if you move it to the host or network scope. And the last thing we'll talk about is file and Finder attributes.

So some installers actually require root privileges to install, because they require writing to the file system in places that you
cannot write as a normal user. So there are GUI and command-line options. Probably the easiest GUI one is called Pseudo, and all you do is you drag the installer on top of it and then it installs as root, which means you have access to the entire file system. The other way you can do it, of course, is with the command line. You can use the sudo command and impersonate the root user. You can either open the Cocoa application or you can use the Carbon-based installer. The other way, that we talked about a little bit earlier, but this is only a solution with package installers, is to use Pacifist. And with Pacifist, it allows you to install to any location across the file system, and it also allows you to extract individual items. For example, if an application actually breaks and you need to get part of that application out, you can do that with Pacifist.

So, permissions and attributes. What's the simplest way to actually look at permissions and attributes? The simplest method is the Finder, using Get Info. You can't set certain bits: you can't set the execute bit, and you don't have access to the special BSD bits, the setuid, the setgid bits; those are not there. So there is an application, freeware I believe, that's called XRay, and it allows you to see all the bits on a file. So if you notice, the orange box shows you the special bits, the setuid, the setgid and the sticky bit, and then security bits which are less familiar to some people, the BSD security bits: the user flags and the root flags, the append, all those type of flags are located in there, and you can modify these with XRay.

So what's the quickest way to reset file permissions? Let's say I don't really want a GUI, but I want to be able to go through and traverse either the application or the entire file system. If I want to look for every setuid, world or group writable, or setgid, the easiest way is to use the Unix command-line find utility. So I've highlighted some of the options so that you can see how this actually
works. The first thing that I do is I do dash x. Dash x says I don't care about network file systems. And in this case I'm not going to start at the root level; I only care about my app, so I'm going to only look into the Applications MyApp directory, so that becomes the first place that it looks. The next thing that I'm doing is I'm looking for world-write permissions, permissions of 0777. I then put the exclamation point and tell it that I don't care about sticky bit directories, and the reason is because sticky bit directories are traditionally considered as a safe measure of using something that needs to be world write, because you cannot delete other users' files. The next thing that I do is I also add the option of, I don't care if it's a link, because links don't matter so much if they're world write. The next and last thing is, I actually am telling find that I want verification every time I go through the entire file system, and what I'm doing here is I'm using this change mode command, chmod, to remove the execute bit so it is no longer world or group writable.

Now you can also do this with setuid or setgid in the same manner, except this time I add the option that I'm only looking for file types and that I only care about the setuid bit. And again I'm using the -ok so that it asks for verification, so that when I actually change and remove this setuid bit I have confirmation, that it just doesn't do it. I actually like to be careful, that I'm actually prompted for an OK. Could do the same thing with setgid; you just change it to 02000, the same thing.

So let's talk a little bit about redirection, so that you can leave an application in its default location. Symbolic links often will trick an application into working correctly. So as an example, in my Applications I have an application, Test, world-write folder. I have a world-write folder, and in that folder, I basically want to not leave that folder there; I want it redirected to a more benign space. So in this case what I've done
is I've actually symbolically linked that world-write folder to a place that I can put world-write folders, that I trust it to be, and so I've redirected to the Users Shared directory, and that's where I leave the world-write folder. You could also use aliases to fool an application, and sometimes that works as well. You can either use the Finder to do it, or there are command-line OS X utilities; it's a SourceForge project, if you just look for osxutils. There's actually a mkalias command that's command-line. Using symbolic links also works for directory location, because you can use them to preserve that location. You preserve it for upgrades, and you can give a custom name to an application without actually altering the original name. It's a little safer to use the full path if you're using symlinks, not to use relative links.

Next I'm going to cover other options. When you've tried redirection, modifying permissions, and if your application still does not work properly, the next option is to basically use a disk image and mount it read-write with a shadow file. So my example there, where I had an AppleScript to mount my disk image with the shadow file so I could write to it: all modifications I could basically pipe out to a shadow file, and I could store those in user space or other locations I deem that wouldn't be an issue with the file system. These are really useful because sometimes we run into an application that basically requires write access to the same location, uses a temp file for example. What you can do is, you'll see below there's an AppleScript. What you want to do is use do shell script. You want to use the hdid tool, then I give the pathway to the disk image, so Applications, app.dmg, then I use the parameter minus shadow, then the next step I do the pathway, which I just have app.shadow, so I could basically do the path to the user space and save the shadow file to that location. I've used this on many applications and it's an ideal solution. One
thing to know: sometimes the shadow files become very large. You might want to either delete them on logout or on startup.

Next, if you can't solve an application's issues with any of those options we've just talked about, one option is using scripts. And with scripts, if an application needs certain files created, you could create those. You can remove certain files or folders that are world write, so if an application does require world write and you can't use a shadow file, you could go back and remove those on logout or on startup. Also you can modify preferences. If an application requires certain file attributes, you can modify those with a script. Also, if you have an application that doesn't close properly, you can use a script that kills the application properly. Again, you can run these at login, logout, startup, or you can put a GUI wrapper in front of the script.

File attributes, revisited. Some applications depend on some file attributes or Finder attributes that aren't supported by some distribution tools. So for example, we use the developer tool GetFileInfo; I get the information of the Carbon registration database to gather all the Finder attributes, and then I notice there's one attribute the application depends on, else it'll reconfigure. So what I want to do is use the SetFile -d parameter to force the application to have an attribute it won't have after I use a distribution tool.

Next I'm going to cover distributing the application: some tools and options and solutions. First, how do you distribute software? If it's a package installer, you have multiple options from Apple. If you want to do network versus local installs, you can use NetInstall, ARD, and there's a lot of other options, or simply download the installer to the local machine and install it. Then there's some options for managed versus unmanaged. Unmanaged options we would consider like Apple Remote Desktop. Managed options, you could have open source tools like RsyncX and radmind. So let's talk a little bit
about repackaging, why you would actually want to do this. The reason that we find repackaging to be a very useful tool is because you can take any installer from any third party, or a drag and drop, and you could repackage it. This also means that if I've modified an application, then I put it in a certain directory, I can preserve my corrected permissions. So if I don't like the way it came out of the box, I can modify it, repackage it, and then when I distribute it out it actually has those permissions that are preserved, or any modifications that I might have done. It also means that every time a user, perhaps, let's say we have in an enterprise environment a laptop user, if they run the utility Repair Permissions, it actually looks in the Library Receipts directory and pays attention to those permissions, so it corrects them to the way that I originally intended it to be. And probably the best benefit of repackaging is it means that if I'm an Apple Remote Desktop or a NetInstall user, I can now use those utilities to distribute the application, which in an enterprise is a big win.

So let's talk a little bit about Apple Remote Desktop. Now Apple Remote Desktop, with 1.2.1, actually includes the ability to install a package, and this is really, really useful, because it means that I now have a package, I select Install a Package, and I can install it to any group of machines that I've set up to do so. I can also do it with the command line. So for example, if I have Apple Remote Desktop turned on, I can actually, or actually even if I don't have Apple Remote Desktop turned on, I can ssh into that machine. I can then use the kickstart tool, which I give the complete path there, but don't worry about writing it down, because it's actually in a Knowledge Base article. You can use dash h, the help option; it gives you the complete sort of man page. There is no man page for kickstart; you actually have to do the dash h option, and it spits out a long file. And
the other thing is that you must use Apple Remote Desktop 1.21 or later. And the article number, and this is where it's probably, if you just write down 1078 37, that's the actual Knowledge Base article, and it's also in ARD 2. The other advantage of a package is, if you're big on NetInstall, you can actually use NetInstall to distribute this package throughout the enterprise. So if I have mobile users who connect, and let's say you've just purchased a site license for Macromedia MX, let's say you've got that license, well, now that I package it as a package installer, it means they can attach to that NetInstall machine and they can install it and be within compliance, if you have that site license.

Next I'm going to talk about the open-source utility RsyncX. RsyncX is basically an HFS+ implementation of the rsync protocol. A developer has put a GUI front end and a command-line option to using this utility, and the utility in the past has usually been used to sync, say, servers or things like that. The rsync protocol is really very efficient at basically copying the differences between two file system options or items. So this is a great utility; it's been used a lot in Mac OS X deployment. One comment against this utility: it doesn't give you the granularity of some other options, where you want maybe just to distribute one specific file.

Radmind, again, I talked about that: an open source suite of tools. It comes with a lot of different GUI options. There's a Radmind Assistant that allows you to edit and view transcripts, which are basically portions of the file system. It also has a Radmind Assistant that allows you to run the command-line tools through a GUI interface, either creating overloads, which again would be, say, a particular application install. They have some command-line interface tools; two notable ones are fsdiff, file system differences, and lapply, loadset apply. Radmind is a very powerful tool. It can be used for the overall distribution; it could be used for tracking, to also file system
management. One thing to note about radmind: it runs as a tripwire, and it can also detect differences and restore the machine back to that managed state, so it's a really useful tool if you're worried about security. Flexible run times for the command-line tools: it's basically depending on how you want to script the tools, but we run it manually, at startup, login, scheduled, single-user mode, and conditional. So if you have certain areas of the file system that have been touched, you could actually have radmind start running and restore the machine to a default state.

Next we want to just highlight why you want to test when you're setting up your application. First, different environments: different tools you use to capture the install, you might run into certain issues depending on which tools you use to capture or track the installation, so it's usually useful to have a test machine and another machine that you deploy the tool to. And same thing with distribution methods. There's a large variety of different methods, from ASR, using GUI front ends like NetInstall, et cetera, and there's other tools like RsyncX and radmind, or just manually going around using either NetInstall or Apple Remote Desktop and installing. Each of these methods might cause some problems when you're distributing, so you want to also have a machine to test those on.

Things to test: a lot of these are kind of obvious, but a lot of times people forget to test these when you distribute an application. You want to make sure help works, printing, spell check, you know, the pretty global options, and then if you have notable features of the application, you want to test those. Also, if the application has any integration, so for example iLife, you want to make sure you don't break that integration by customizing or modifying the application install.

So we've covered a lot today, and I know that some of it probably went by pretty fast, so we're going to tell you where you can get more information. First of all, for Chris or for
Richard and my information, both of us are up there; that's our email addresses. We'll try to answer your questions as best we can. The other place that you should know about is macosxlabs.org. Both of us actually participate in this. We've written a white paper which actually talks about many of these issues and goes into more detail, so that you actually have the time to look at it. There's also a website that we will try to keep more up to date than the white paper, because it's just too hard to keep the white paper up to date all the time. And then Richard's institution, the University of Utah, has an application deployment problems and solutions page, which talks about applications that they've found which may or may not work particularly well in an enterprise