How to Configure Windows Group Policies for Macs (Using a Dual Directory Solution)

In my last post I discussed the potential uses and requirements for managing Mac clients in a dual directory environment. In this post, I will go deeper and discuss how you can actually configure these settings.

First things first

Before you jump in, you will need to have the Mac server configured and integrated into the Active Directory (AD) domain. The Mac Server will need to become an Open Directory (OD) Master connected to another Directory, and the client will need to be bound to both the AD and OD.

Finally, you will need to download and install the Apple Server Admin Tools related to your specific Mac Server OS (10.6.8 or 10.7.3).

Workgroup Manager: GUI options

Right, once you have completed the above steps, you should be able to launch Workgroup Manager, connect to the Mac Server and authenticate as the Directory Administrator. The newly bound Mac will appear under the Computers tab, ready for management.

Select the computer in the left list, then click the Preferences button in the top toolbar. The right-hand section will change to display a list of preferences similar to System Preferences on a client Mac.

Note: The availability of these preferences can change, dependent on whether a Computer or a User (or a group of either) is selected.

Let’s take one of our examples from my previous post, setting shut down times. Select the “Energy Saver” option, followed by the “Schedule” tab along the top.

This option can only be Managed Always or not at all, so select “Always”. Next, tick the second box, select “Shut Down” and “Weekdays” from the drop-down menus and fill in the desired time.

Finally, click “Apply Now” and you’re done! It’s as simple as that.

I would recommend that you elect a test Mac to apply these preferences to and just try out each one in turn and see what it does.

Note: Managed Macs normally require a log in and out to apply the new settings, but sometimes update better after a full restart.

Workgroup Manager: Preference Manifest Options

You’ve had a play with the GUI side and found out some interesting settings but it’s not enough. You need greater control over your clients!

Well, select the “Details” tab to get access to the raw plist files for editing. These are known as the preference manifests and provide a finer and deeper control over Mac settings.

If you have not yet configured any preferences, this box could be empty. You can populate it in one of four ways:

  1. Set some preferences in the GUI side and view them in the details tab
  2. Import a preference file into Workgroup Manager (discussed below)
  3. Add the Managed Client bundle. Click the small plus symbol in the lower left corner, navigate to /System/Library/CoreServices and add the “ManagedClient” bundle
  4. Add the application to have Mac OS X look for the manifest. Click the small plus symbol in the lower left corner and navigate to the desired application. Add this and the OS will look for a preference manifest it can use.

Once you have the manifest file imported you can modify its contents before pushing this out. In the below example, I will modify Safari’s homepage.

Select the Computer/User on the left hand side, go to the preferences details tab and import Safari preferences through one of the methods listed above.

Once imported, double click the name (in this case “Safari”). Open the disclosure triangle for how often you want the preference to apply (in this case “Always”) and click “New Key”.

In the drop-down box (currently showing “New Item”) click to show a list of options. Change this to show “Homepage” and fill in the “Value” box with a website address (in the example I have chosen Amsys’ website).

Once complete, click “Apply Now” to save these changes.

You can use the same method to manually enter specific Key names that might not be in the drop down list. Consult the application’s documentation for possible advice on these values. Again, I would recommend that you elect a test Mac to apply these preferences to and just try out each one in turn and see what it does.

Note: Managed Macs normally require a log in and out to apply the new settings, but sometimes update better after a full restart.

Workgroup Manager: Importing Preferences

Like the idea of enhanced control provided by the preference manifests but don’t like the idea of hunting around locating what the relevant Keys might be? Well, there is another way that combines both of the above.

Simply grab one of the Macs you plan to manage, set all the preferences as you want, then copy off the relevant plist files. Copy these to the server and import them into Workgroup Manager.

You can use the same plus button to add configured plist files as you used to add the Managed Client bundle.

A few points of advice:

  1. Have the /Library/Preferences and ~/Library/Preferences folders open and arrange them by Date Modified. It will make it easier to see which plist files are modified as you change settings
  2. When importing the plist files, take time to go through the actual content and remove any Keys that aren’t relevant. This will prevent unexpected behaviour and stop settings being enforced on clients unnecessarily.
  3. Some applications store bespoke plist files in the /Library/Application Support folders instead of, or in addition to, standard plist files. If this is the case, you may have to find an alternative mechanism to manage these options.
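
Point 2 above, as an added example that is not part of the original post: a plist copied from a live Mac usually carries window positions, recent searches and other per-user state alongside the settings you actually want to enforce. This Python sketch keeps only an explicit list of keys and reports what it dropped; the sample plist, its key names and the function name `trim_plist` are constructed for illustration.

```python
import plistlib

# Constructed sample standing in for a plist copied off a configured Mac.
# The key names and values are illustrative; check them against your real file.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>HomePage</key>
    <string>https://www.example.com/</string>
    <key>AutoFillPasswords</key>
    <false/>
    <key>RecentSearchStrings</key>
    <array><string>payroll login</string></array>
    <key>NSWindow Frame BrowserWindow</key>
    <string>0 0 1280 800</string>
</dict>
</plist>
"""


def trim_plist(data, keep):
    """Return (trimmed XML plist bytes, sorted list of dropped keys).

    data: raw plist bytes; plistlib.loads() detects XML or binary format.
    keep: set of top-level keys that should be managed.
    """
    prefs = plistlib.loads(data)
    if not isinstance(prefs, dict):
        raise ValueError("top-level plist object is not a dictionary")
    missing = set(keep) - set(prefs)
    if missing:
        # A typo in the keep-list would silently produce an incomplete policy.
        raise KeyError("keys not present in plist: %s" % sorted(missing))
    kept = {k: v for k, v in prefs.items() if k in keep}
    dropped = sorted(k for k in prefs if k not in keep)
    return plistlib.dumps(kept, fmt=plistlib.FMT_XML, sort_keys=True), dropped


if __name__ == "__main__":
    trimmed, dropped = trim_plist(SAMPLE_PLIST, {"HomePage", "AutoFillPasswords"})
    print("Dropped before import:", dropped)
    print(trimmed.decode("utf-8"))
```

Write the trimmed bytes to a file and import that file with the plus button, rather than the plist as captured.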

Conclusion

Well I hope that’s given you plenty of ideas to try out on your systems and to help manage those troublesome users!

Please always remember to back everything up and test your MCXs before rolling them out site-wide to ensure they act as expected! I’m sorry to say we can’t accept any responsibility for issues arising from using MCXs.

Still want more? Check out the next blog post, where I’ll be going over some other advanced areas that are related to managing client Macs.

Links

Managed Preferences Part 1: An Introduction

Apple’s Mac OS X Server

Server Admin Tools Download

10.6.8
10.7.3 
