MacGuru on Nov 17th 2009 Free Software, Mac OS X Management
Really, who needs Windows? If you want a second OS on your Mac, add Ubuntu. If you haven’t looked at it in a while, you’ll be surprised at how nice it is.
Here’s how:
- On your Intel Mac, go to the utilities folder and open “Boot Camp Assistant.”
- Partition your drive, as if you were going to install Windows, but choose “Quit and Install Later” when it’s done.
- Download the newest version of Ubuntu and burn it to a CD.
- Once the CD is ready, restart your Mac and hold down the option key.
- When it restarts, you’ll see your hard drive and the Ubuntu CD; choose to boot from the CD.
- Your Mac will boot into Ubuntu; then double-click “Install Ubuntu…” to install.
- That’s it, the new Ubuntu installer is so smart it even sees that OS X is installed on your Mac and auto-selects the right options.
Once you have Ubuntu installed – you can do all those amazing Linux things, like install Compiz Fusion and set up your workspace like these screenshots:
MacGuru on Oct 20th 2009 Mac OS X Management

Yes, Apple, it’s pretty. But – by making the wireless keyboard and mouse the standard with your iMacs – aren’t you just adding piles of garbage to landfills? Why doesn’t the iMac have a built-in battery charger for the “Magic Mouse” – that would really be magical.
I’m going to keep the wired keyboard and mouse for our specifications. What do you think? Would you rather have this mouse, even with the environmental cost?
MacGuru on Oct 15th 2009 MICRO$OFT, Mac OS X Management, Network Services
There is a lingering mythology about Macs being expensive and Windows PCs being more affordable – which is easily debunked if you look at the specs of a new Mac vs. a Dell & compare all the software included with OS X. This extends into the realm of servers as well. Have a look at this great chart from AppleInsider comparing the cost of a Windows Server with an OS X Server.

Read the whole article here.
MacGuru on Oct 8th 2009 Mac OS X Management
This is a survey of images that result from a G**gle search of the term “computer security.” I find it fascinating how quickly some in the academic environment subscribe to someone else’s ‘security’ discourse.

(Does anyone have a door that actually takes a key like this? Is this what the internet’s door looks like?)

(This luggage lock is (not) ‘securing’ this keyboard or anything else.)

(Superman wore green today and only a giant orbital lock can stop him from reversing the earth’s rotation.)

(This monitor is secured with an enormous materializing chain and lock – too bad it’s not connected to anything.)

(The space burglar is connected to Africa through a billion mile cable – and he brought your computer to space so he could pull the giant lever on the side.)

(Really?)
MacGuru on Oct 8th 2009 Mac OS X Management, Network Services, Privacy, Surveillance, Trust, Users Rights

Snow Leopard
We’ve begun upgrading the Macs at the Graduate Center to OS X 10.6.
Along with this upgrade, we’re implementing some other changes. We are no longer asking users to authenticate with Active Directory credentials in order to use the Macs in public areas. Users will not have to log in with their name and password in order to use all the applications on Macs in the Library, student computing areas and departmental lounges.
We’re implementing this change because our Mac users have had chronic problems saving files to their network drives and using applications that rely on saving to network drives. My first concern is making certain that users can actually use the technology, without anything standing in the way, and this change is the best way to make that happen.

Password Liberation
There is an additional benefit that comes with this change. All students, faculty and staff can now use our Macs without worrying about passwords. And once the user is done and they log out, all trace of their presence and activity is deleted from that computer. This is a dramatic increase in privacy for our users and frees them from having to worry about their password or account being up to date. As it is, most students I talk to use a non-CUNY email account as their primary email, so they often have problems when they are asked to use the CUNY account because the password has expired.
But what about printing and other network services that require an account? If the user wants to access any network services that require authenticating against Active Directory, they can do so à la carte - they choose to connect to the service (printing, network drives, etc.) and authenticate for each service.
This à la carte model flies in the face of current trends. Everyone says they want ‘single sign on’ – which means you log in once and everything else uses that authentication to give you services. But, I wonder, what if you want to use a computer without telling the computer who you are? And why should you have to confirm your identity at the door of the building and then again when you sit down at a computer? After all, if security let them in the building, they’re entitled to use other public services of the building. Just as they have access to the public restrooms, shouldn’t they have access to the public computers? Now they do. And more relevant to most users, what if their password expired, they don’t have time to deal with the bureaucracy of having it reset, and they just need to look at an email quickly or email a document from a flash drive? Now they can. And there are other benefits to privacy:

MacGuru on Oct 8th 2009 MICRO$OFT, Mac OS X Management

I’m pleased to announce that after months of work our first Mac classroom has opened at the Graduate Center. We had previously set up dual boot MacBooks for our Audio Visual department and have dual boot MacBooks available for loan from the Help Desk in the library. Although this classroom has 15 computers facing forward, a configuration that doesn’t seem necessary under any circumstance today, it opens up new possibilities for faculty and students at the school – and that’s a good thing…
The classroom image was built as a team effort. A Windows technician built the Windows image on a 24″ iMac, I built the Mac image, including Boot Picker for OS selection – and used my new installation of DeployStudio to capture the images, create a workflow and deploy them to the classroom. The workflow partitions the drive and installs the OS on each side. We had used a similar workflow previously in NetRestore but DeployStudio is much easier to set up (and much faster all around).
After a bit of tweaking on the Windows side (pesky XP) – the Macs are set up and we can manage them (both sides) from Apple Remote Desktop. You can visit the new Dual Boot Classroom in C196.02 on the C level of the Mina Rees Library at the Graduate Center. Classes are regularly scheduled in the room and it can be reserved by contacting IT.
MacGuru on Sep 13th 2009 Mac OS X Management
If you’ve upgraded to OS X 10.6 your computer is now, by default, communicating with Apple about your location. This allows your Mac to set the time zone automatically based on location, but you may find it a bit creepy. I do.
Here’s how you disable this ‘feature’.
1. Open System Preferences
2. Click on “Security”
3. Check the box “Disable Location Services”

MacGuru on Sep 3rd 2009 Mac OS X Management

After the recent demise of Mike Bombich’s NetRestore, we all cried. For days and days, we cried, placed coins in NetRestore’s mouth, built tombs filled with offerings. It was very sad and we all hoped that NetRestore would have lots of good fortune in the afterlife.
But, it is time to move on. So, what could possibly replace NetRestore? DeployStudio.
I looked at and rejected DeployStudio, so if you did the same, I suggest you give it another chance. The biggest hurdle for us was simply getting it configured on the server and understanding what it wanted. Once that was done, and I understood that it was providing all the same functions as NetRestore, it has made image management much easier.
DeployStudio’s ‘official’ documentation is lacking, but there is a wealth of information available from the community of users about setting it up and using it for standard OS X imaging, dual boot images, and triple boot images. Using the following resources, I was able to migrate our whole imaging process from NetRestore to DeployStudio in about 1 week, working on it a few hours each day. Here are the steps I recommend:
1. Download the Software: DeployStudio Server (on both your Mac and on your Server if you are going to use NetBoot)
2. Read the Quick Install Guide
3. Follow the Step-By-Step instructions in this DeployStudio Guide
4. Read through this DeployStudio Wiki for answers to your questions
5. Post questions in the comments and I’ll help if I can!
MacGuru on Jun 23rd 2009 Active Directory, Mac OS X Management, Network Services
If you’re managing Macs in an environment where Active Directory is used you might be considering how you can integrate the two, or you might be asked what the options are. I’ve been doing research and testing on this for a few years so I thought I would share what I’ve learned. I’m breaking this down into four options – but really there are countless combinations that you could deploy. Please ask questions (or post corrections!) in the comments.
Option Zero: Starting from Scratch
If you’re currently building and deploying images that incorporate all of your settings without using any directory services your computer management looks something like this:

What’s the downside here? When you want to make a change in settings, you have to re-image your Macs. This is probably the most common but least efficient way to support your Mac users. If you decide you want to start using domain accounts on your Macs and you bind one of the Macs above to Active Directory and log in, you’ll get a generic user account and have very little control over how that account is configured. Why would you want control over that account? Not to control the user’s behavior or how they use the technology, but to provide them with the best environment for their work; to give them more access. What kind of access? Network resources like printers, network drives and other services. So how do you control the settings and preferences for the user accounts once your Mac is bound to Active Directory? You use MCX:

(The line “the only way to do some things” is borrowed from Greg Neagle’s (Senior Systems Engineer at Disney) presentation on MCX. He said it so well!)
Option 1: Dual Directory with local MCX
This brings us to the first option for managing Macs in an Active Directory environment. In this configuration (Option 1) your Macs are authenticating to Active Directory and when the user logs in, the settings are determined by MCX on the local image. To configure those settings you use Workgroup Manager which is available in Apple’s free download “Server Admin Tools.” Once you’ve set up the MCX settings for a group of domain users, you can update these MCX settings by deploying changes with Apple Remote Desktop.

Option 2: Dual Directory with MCX on OS X Server
Alternatively, you can centralize those MCX settings by moving them off of the local hard drive (out of the local directory) and onto an OS X Server that is bound to Active Directory. That means when you use Workgroup Manager to make a change on the server it is applied to every client bound to that server. The clients are bound to both Active Directory and to Open Directory (on the OS X Server). They authenticate with Active Directory and get their settings from the OS X Server. That brings us to what is commonly called “The Golden Triangle.”

Option 3: Extend the Active Directory Schema
You don’t have to host these MCX settings on an OS X Server, they can be kept inside attributes and objects in Active Directory. But to do that, you have to extend the Active Directory Schema. That brings us to the third option.

Click for streaming video from Apple on extending the AD Schema to support MCX.
Option 4: Third-party Software
You can purchase third-party software that will do some of this work for you and provide some ability to control Macs from Active Directory. The software available includes Centrify DirectControl, Thursby AdmitMac and Likewise Enterprise – but here’s why I don’t suggest going that route:
- $80-100 per seat software cost
- Requires production server downtime
- Adds an entirely new set of management tools on the network side (for example: DirectControl Management Tools)
- Installs a client on every Mac
- Requires installation of add-ons to the client on every Mac whenever we add a feature
- Makes you dependent on a 3rd party plug-in and that vendor for access to basic network services
- Has the potential to hold you hostage to vendors’ timelines because:
  - The plug-in might not allow you to upgrade or patch your servers when you are ready
  - The plug-in might not allow you to upgrade your Macs when you are ready
MacGuru on Jun 16th 2009 Mac OS X Management
If you have Mac users with network homes, you might have decided to redirect the user’s cache (~/Library/Caches) to a temporary folder on the local drive (/tmp/%@/Caches for example). I did this at the GC because without the redirection, the user’s cache fills up their network home and suddenly they can’t load web sites or use applications.
But, Microsoft Office applications don’t like this at all. They want to save your working file to the temporary items (~/Library/Caches/TemporaryItems) folder and then copy that over to the final destination when you save. But if the temporary items folder is on the local drive and the user is saving to the network home, they might get an error saying something like “Word cannot save this document due to a naming or permissions error on the destination volume.”
How do you get around this? Well, this isn’t the whole solution, but it’s a start. I’m still testing and trying to figure out how to really fix this – but so far what I’ve done is re-redirect the temporary items folder back into the user’s network home. I did it with another MCX entry. We manage our Macs with local MCX settings (no Apple server running directory services here) so that means adding another listing in “com.apple.MCXRedirector.” I chose to redirect it like this:
Action: deleteAndCreateSymLink
Destination Folder Path: ~/Library/TemporaryItems/%@
Folder Path: ~/Library/Caches/TemporaryItems
Which looks like this in Workgroup Manager:

This seems to solve the problem for MS Office – but not TextEdit. I’m not sure why, but I’m still working on it.
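
To see where ~/Library/Caches/TemporaryItems ends up under each set of redirections, here is an added simulation (not part of the original post) that models deleteAndCreateSymLink with ordinary symlinks in a scratch directory. It assumes %@ expands to the user’s short name; the user jdoe and the directories network_home and local_disk are constructed stand-ins.

```python
import os
import shutil
import tempfile

# (Folder Path, Destination Folder Path) pairs taken from the post.
CACHES_ONLY = [("~/Library/Caches", "/tmp/%@/Caches")]
OFFICE_FIX = [("~/Library/Caches/TemporaryItems", "~/Library/TemporaryItems/%@")]

def delete_and_create_symlink(home, local_root, user, folder_path, dest_path):
    """Model of the action: delete folder_path, then symlink it to dest_path."""
    def expand(path):
        path = path.replace("%@", user)  # assumption: %@ is the short name
        if path.startswith("~/"):
            return os.path.join(home, path[2:])
        # Absolute paths live on the simulated local drive.
        return os.path.join(local_root, path.lstrip("/"))

    link, dest = expand(folder_path), expand(dest_path)
    os.makedirs(dest, exist_ok=True)
    os.makedirs(os.path.dirname(link), exist_ok=True)
    if os.path.islink(link):
        os.unlink(link)
    elif os.path.isdir(link):
        shutil.rmtree(link)
    os.symlink(dest, link)

def temp_items_location(redirections, user="jdoe"):
    """Return 'network' or 'local' for ~/Library/Caches/TemporaryItems."""
    root = os.path.realpath(tempfile.mkdtemp())
    try:
        network = os.path.join(root, "network_home")
        local = os.path.join(root, "local_disk")
        home = os.path.join(network, user)
        os.makedirs(os.path.join(home, "Library", "Caches", "TemporaryItems"))
        os.makedirs(local)
        for folder_path, dest_path in redirections:
            delete_and_create_symlink(home, local, user, folder_path, dest_path)
        real = os.path.realpath(
            os.path.join(home, "Library", "Caches", "TemporaryItems"))
        return "network" if real.startswith(network + os.sep) else "local"
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    print("cache redirect only:", temp_items_location(CACHES_ONLY))
    print("with TemporaryItems redirect:", temp_items_location(CACHES_ONLY + OFFICE_FIX))
```

With only the cache redirect, the temporary items folder resolves to the local drive while the save target is the network home; with the second entry added, both sit in the network home again.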