managing a mac lab: tips to make life easier helen siukola jancich anastasia trekles purdue...
TRANSCRIPT
Managing a Mac Lab: Tips to Make Life Easier
Helen Siukola Jancich
Anastasia Trekles
Purdue University Calumet
Workshop Outline
• Introductions• What’s the Mac Environment Like at Your
School?• Options for Imaging and Restoring Lab Drives• NetBoot & NetRestore• Mac OS X, Users, and Security• Other Lab Management Tricks from the
Battlefield• Featured Software and Resources
How’s Your Macs?
• Every institution has its own lab and network configurations, making almost everyone’s situation unique
• We may not get to cover every possible configuration during the workshop, but you are encouraged to visit http://www.bombich.com and http://www.macosxlabs.com to find scripts, articles, advice, and more to fit your exact needs
Our Mac Environment
• At Purdue Calumet, we have: Novell Services almost exclusively for Windows users
(the majority on campus) 1 Xserve (10.3) and 1 Mac OS X 10.2 server for 3
websites, FTP, Apple File Services, and SMTP & POP Mail services
4 Mac labs of varying sizes (largest holds 25 Macs) About 20 faculty and staff using Macs in their offices
Our Mac Environment
• The Mac network is separate without the Novell client software
• We manage our own users for OSX server access
• Lab computers have a universal “student” login rather than authentication through LDAP - this would be possible, however, if the Novell server admins would allow access
Imaging and Restoring
• Mac clients all share almost the same software configuration
• Differences between models and lab needs are handled with multiple drive images
• Currently there are four images distributed across campus Mac labs
Imaging Drives - Basic Steps
1. Take any Mac similar to your lab computers, and partition it into two drives (also works with an external Firewire drive)
2. Build the lab drive and install software as needed
3. Set up users and system and program preferences
4. Restart from the other partition
5. Use either Disk Utility, Disk Copy, or NetRestore Helper to make an image of the lab drive partition
Imaging Drives - Notes
• Don’t use a different OS from the lab drive’s to make the image
• To save some time, create the lab image on a local drive first, then copy it to the network once it’s created if needed
• OS9 Users: Disk Copy limits you to 2GB unless you have Disk Copy 6.4 Get it here:
http://homepage.mac.com/alk/personal/stuff.html You’ll also need to use ASR 2.2.4 or higher to restore
Restoring Drives
• OS9: ASR 2.2.4 or higher for drive images over 2GB
• Mac OS X 10.1: ASR 2.2.4 or asr at command line
• Mac OS X 10.2: ImageJaguar script (get it from http://www.versiontracker.com), asr command line, or NetRestore (recommended)
• Mac OS X 10.3: Disk Utility (rec.), asr, or NetRestore (rec.)
Restoring Drives - Notes
• You should use the same OS as the OS version of the drive image being restored, especially under Mac OS X (sub-versions, like 10.3.x also count in most cases)
• For large images, local restore from a Firewire drive or CD/DVD is fastest
• Use BootCD to create a startup disk for OSX (again, create your BootCD from the same OS as the drive image)
NetBoot and NetRestore
• NetRestore Helper can create NetBoot sets to load into your /Library/NetBoot/NetBootSP0 directory on your NetBoot server (login as root)
• Use OS X Server 10.2 or higher for best results
• Note that some older Macs can’t NetBoot with newer OS X Servers - restore locally instead
NetBoot and NetRestore
• To configure the NetInstall set with NetRestore: Place your restore image on a readily
available network drive Tell NetRestore where to find it and what the
authentication is Test and Save the configuration, and your
NetInstall set is ready
NetBoot and NetRestore
• For added security: Don’t make the NetInstall set your
default Create a special user whose only role is
NetRestores and is the only one with access to the drive image
Keep the drive image on a private part of your network
NetBoot and NetRestore
• Network speed and the size of the image will affect the amount of time you spend with NetBoot/NetRestore solutions
• For a 14-station lab of slot-load Indigo iMacs at 10Mbps, it takes an average of 160-180 hours per station if they are all restoring at once (NetBoot is housed on a dual processor
Xserve G5)
Mac OS X, Users, and Security
• OSX allows more flexibility and security than ever before
• You can have users log in using remotely-hosted information on LDAP or Active Directory servers
No Directory Access?
• Create universal local users with different privileges and preferences
• Create a local user list and set System Prefs -> Accounts -> Login Options as “Name and Password” to prevent open listing of user accounts
Mac OS X, Users, and Security
• Securing Classic is important - if you don’t need it you might not even install a Classic System Folder
• If you do need it, you can load your Classic folder into a read-only disk image and use ShadowClassic to make it usable
• On any recent Apple Restore CD or DVD, get a ready-to-go Classic image from the “.images” invisible folder
Save Time and Money with Universal User Accounts
• Universal logins can make life difficult without DeepFreeze or another security/desktop management software
• But, you can get around this and save some money!
• Use LoginWindow Manager and a Logout Script as a hook to clean up the user’s home directory at each logout - “poor man’s DeepFreeze”!
The Poor Man’s DeepFreeze Logout Script
• Open Terminal and type sudo su to login as root
• Enter the following commands (note that the generic name “student” is our user’s name - replace it as needed):
• Cd /var/root• Mkdir Scripts• Mkdir student• Cd Scripts
The Poor Man’s DeepFreeze Logout Script
• Type pico logoutscript to create a placeholder file for the script: #!/bin/csh Exit 0
• Make it executable: chmod ugo+x logoutscript
• Now copy the contents from the original account: Ditto -rsrcFork /Users/student /private/var/root/student
• Delete cache files for the account: Rm -R /private/var/root/student/Library/Caches/*
Now for the script - pico logoutscript again and enter:#!/bin/csh#Example user below has “short name” student#full paths used for commands in case path variable is not set
correctly#login window passes the user name to the script via the variable $1If ( $1 == ‘student’ ) then#first, unlock all files/usr/bin/chflags -R nouchg /Users/student/*/usr/bin/chflags -R nouchg /Users/student/.??*#then, delete all the files/bin/rm -R /Users/student/*/bin/rm -R /Users/student/.??*#ensure that the users directory exists/bin/mkdir /Users/student/#copy the clean version of the student directory/usr/bin/ditto -rsrcFork /private/var/root/student /Users/student/usr/sbin/chown -R student:staff /Users/studentendifexit 0
The Poor Man’s DeepFreeze Logout Script
• Use LoginWindow Manager from http://www.bombich.com to set /private/var/root/Scripts/logoutscript as your Logout hook
• You can also add messages to the login window and more using this handy program
• For added security, keep LoginWindow Manager in a secure place away from users
Tips from the Battlefield
• Three words: Apple Remote Desktop• Simple AppleScript knowledge is a huge help
Inserted disks missing from the Desktop might be in /Volumes - create a script to open this directory for users to access their disks
AppleScript can also prompt users to authenticate to network volumes - works great for our PCounter server for authenticating to print
• Upgrade from older versions of OS X as soon as possible - you won’t be sorry!
Tips: Securing Printing
• Printers getting switched around or deleted?• In OS9 - avoid using Desktop Printing and lock or
hide the Chooser• In OSX - secure Print Center
Put Print Center (Printer Setup Utility in 10.3) in its own folder
As an admin, open Terminal Type sudo chmod -R a-r nameoffolder So, Print Center will keep working with given printer
list, but users can’t change it or open the folder
Tips: Hide a User
• To hide a user from the Login Window in OSX: Enable Root from NetInfo Manager as an administrator Login as root and open NetInfo Manager again Change the UID of the account in question to something
less than 500, like 499 (take note of the original UID too) Open Terminal and type (501 is the original UID and
499 is the new one):• find / -user 501 -exec chown 499 { } \;
Use NetInfo Manager to change the “home” property to “/var/admin” for added security
Tips for the Battlefield
• What are your Mac management tips or stories you’d like to share?
Featured Software
• Mike Bombich Software: NetRestore/NetRestore Helper LoginWindow Manager ShadowClassic Info and more goodies…
• Charles Srstka Software: BootCD
• Apple Disk Utility (Mac OS X 10.3) Disk Copy (Mac OS X 10.2) Apple Software Restore (Mac OS 9)
Resources
• Mike Bombich’s website, including many articles and discussion forums: http://www.bombich.com
• MacEnterprise (MacOSXLabs), a growing project with a repository of information about Mac deployment in enterprise settings: http://www.macosxlabs.org
• Charles Srstka produces several freeware utilities, including BootCD: http://www.charlessoft.com
Resources
• Extras Helen’s website:
http://education.calumet.purdue.edu/Faculty/Jancich
Staci’s website: http://education.calumet.purdue.edu/Faculty/trekles
Thank You!
To download this presentation and get other related resources, visit our workshop website:
http://education.calumet.purdue.edu/Tutorials/ICE
Helen Siukola Jancich
Anastasia Trekles
Purdue University Calumet
http://www.calumet.purdue.edu