"It can only be attributable to human error…."

Archive for the Tag 'Lab Management'

New Apple Magic Mouse, not so Magical?


Yes, Apple, it’s pretty.  But – by making the wireless keyboard and mouse the standard with your iMacs – aren’t you just adding piles of garbage to landfills?  Why doesn’t the iMac have a built-in battery charger for the “Magic Mouse” – that would really be magical.

I’m going to keep the wired keyboard and mouse for our specifications. What do you think?  Would you rather have this mouse, even with the environmental cost?

4 responses so far

Upgrading to 10.6 & Liberating Users from Passwords


Snow Leopard

We’ve begun upgrading the Macs at the Graduate Center to OS X 10.6.

Along with this upgrade, we’re implementing some other changes.  We are no longer asking users to authenticate with Active Directory credentials in order to use the Macs in public areas.  Users will not have to log in with their name and password in order to use all the applications on Macs in the Library, student computing areas and departmental lounges.

We’re implementing this change because our Mac users have had chronic problems saving files to their network drives and using applications that rely on saving to network drives.  My first concern is making certain that users can actually use the technology, without anything standing in the way, and this change is the best way to make that happen.


Password Liberation

There is an additional benefit that comes with this change.  All students, faculty and staff can now use our Macs without worrying about passwords.  And once the user is done and they log out, all trace of their presence and activity is deleted from that computer.  This is a dramatic increase in privacy for our users and frees them from having to worry about their password or account being up to date.  As it is, most students I talk to use a non-CUNY email account as their primary email, so they often have problems when they are asked to use the CUNY account because the password has expired.

But what about printing and other network services that require an account?  If the user wants to access any network services that require authenticating against Active Directory, they can do so à la carte  -  they choose to connect to the service (printing, network drives, etc.) and authenticate for each service.

This à la carte model flies in the face of current trends.  Everyone says they want ‘single sign on’ – which means you log in once and everything else uses that authentication to give you services.  But, I wonder, what if you want to use a computer without telling the computer who you are?  And why should you have to confirm your identity at the door of the building and then again when you sit down at a computer?  After all, if security let them in the building, they’re entitled to use other public services of the building.  Just as they have access to the public restrooms, shouldn’t they have access to the public computers?  Now they do.  And more relevant to most users, what if their password expired, they don’t have time to deal with the bureaucracy of having it reset, and they just need to look at an email quickly or email a document from a flash drive?  Now they can.  And there are other benefits to privacy:

comic2

No responses yet

Dual Boot Mac Classroom Opens at GC

Dual Boot Desktop

I’m pleased to announce that after months of work our first Mac classroom has opened at the Graduate Center.  We had previously set up dual boot MacBooks for our Audio Visual department and have dual boot MacBooks available for loan from the Help Desk in the library.  Although this classroom has 15 computers facing forward, a configuration that doesn’t seem necessary under any circumstance today, it opens up new possibilities for faculty and students at the school – and that’s a good thing…

The classroom image was built as a team effort.  A Windows technician built the Windows image on a 24″ iMac, I built the Mac image, including Boot Picker for OS selection – and used my new installation of DeployStudio to capture the images, create a workflow and deploy them to the classroom.  The workflow partitions the drive and installs the OS on each side.  We had used a similar workflow previously in NetRestore but DeployStudio is much easier to set up (and much faster all around).

After a bit of tweaking on the Windows side (pesky XP) – the Macs are set up and we can manage them (both sides) from Apple Remote Desktop.  You can visit the new Dual Boot Classroom in C196.02 on the C level of the Mina Rees Library at the Graduate Center.  Classes are regularly scheduled in the room and it can be reserved by contacting IT.

No responses yet

Imaging Macs in the post NetRestore Era


After the recent demise of Mike Bombich’s NetRestore, we all cried.  For days and days, we cried, placed coins in NetRestore’s mouth, built tombs filled with offerings.  It was very sad and we all hoped that NetRestore would have lots of good fortune in the afterlife.

But it is time to move on.  So, what could possibly replace NetRestore?  DeployStudio.

I looked at and rejected DeployStudio, so if you did the same, I suggest you give it another chance.  The biggest hurdle for us was simply getting it configured on the server and understanding what it wanted.  Once that was done, and I understood that it was providing all the same functions as NetRestore, it has made image management much easier.

DeployStudio’s ‘official’ documentation is lacking, but there is a wealth of information available from the community of users about setting it up and using it for standard OS X imaging, dual boot images, and triple boot images.  Using the following resources, I was able to migrate our whole imaging process from NetRestore to DeployStudio in about 1 week, working on it a few hours each day.  Here are the steps I recommend:

1. Download the Software: DeployStudio Server (on both your Mac and on your Server if you are going to use NetBoot)

2. Read the Quick Install Guide

3. Follow the Step-By-Step instructions in this DeployStudio Guide

4. Read through this DeployStudio Wiki for answers to your questions

5. Post questions in the comments and I’ll help if I can!

No responses yet

Mac OS X and Active Directory

If you’re managing Macs in an environment where Active Directory is used you might be considering how you can integrate the two, or you might be asked what the options are.  I’ve been doing research and testing on this for a few years so I thought I would share what I’ve learned.  I’m breaking this down into four options – but really there are countless combinations that you could deploy.  Please ask questions (or post corrections!)  in the comments.

 

Option Zero: Starting from Scratch

If you’re currently building and deploying images that incorporate all of your settings without using any directory services your computer management looks something like this:

 

local

What’s the downside here?  When you want to make a change in settings, you have to re-image your Macs.  This is probably the most common but least efficient way to support your Mac users.  If you decide you want to start using domain accounts on your Macs and you bind one of the Macs above to Active Directory and log in, you’ll get a generic user account and have very little control over how that account is configured.  Why would you want control over that account?  Not to control the user’s behavior or how they use the technology, but to provide them with the best environment for their work; to give them more access.  What kind of access? – network resources like printers, network drives and other services.  So how do you control the settings and preferences for the user accounts once your Mac is bound to Active Directory?  You use MCX:

 

mcx

(The line “the only way to do some things” is borrowed from Greg Neagle’s (Senior Systems Engineer at Disney) presentation on MCX.  He said it so well!)

 

 

Option 1: Dual Directory with local MCX

This brings us to the first option for managing Macs in an Active Directory environment.  In this configuration (Option 1) your Macs are authenticating to Active Directory and when the user logs in, the settings are determined by MCX on the local image.  To configure those settings you use Workgroup Manager which is available in Apple’s free download “Server Admin Tools.”  Once you’ve set up the MCX settings for a group of domain users, you can update these MCX settings by deploying changes with Apple Remote Desktop.

 

dual-directory-local-mcx

 

 

Option 2: Dual Directory with MCX on OS X Server

Alternatively, you can centralize those MCX settings by moving them off of the local hard drive (out of the local directory) and onto an OS X Server that is bound to Active Directory.  That means when you use Workgroup Manager to make a change on the server it is applied to every client bound to that server.  The clients are bound to both Active Directory and to Open Directory (on the OS X Server).  They authenticate with Active Directory and get their settings from the OS X Server.  That brings us to what is commonly called “The Golden Triangle.”

dual-directory

 

 

Option 3: Extend the Active Directory Schema

You don’t have to host these MCX settings on an OS X Server, they can be kept inside attributes and objects in Active Directory.  But to do that, you have to extend the Active Directory Schema. That brings us to the third option.

modifying_ss1

Click for streaming video from Apple on extending the AD Schema to support MCX.

 

 

Option 4: Third-party Software

You can purchase third-party software that will do some of this work for you and provide some ability to control Macs from Active Directory.  The software available includes Centrify DirectControl, Thursby AdmitMac and Likewise Enterprise – but here’s why I don’t suggest going that route:

  • $80-100 per seat software cost
  • Requires production server downtime
  • Adds an entirely new set of management tools on the network side (for example: DirectControl Management Tools)
  • Installs a client on every Mac
  • Requires installation of add-ons to the client on every Mac whenever we add a feature
  • Makes you dependent on a 3rd party plug-in and that vendor for access to basic network services
  • Has the potential to hold you hostage to vendors’ timelines because:
      • The plug-in might not allow you to upgrade or patch your servers when you are ready
      • The plug-in might not allow you to upgrade your Macs when you are ready

 

3 responses so far

“Word cannot save this document due to a naming or permissions error on the destination volume.”

If you have Mac users with network homes, you might have decided to redirect the user’s cache (~/Library/Caches) to a temporary folder on the local drive (/tmp/%@/Caches for example).  I did this at the GC because without the redirection, the user’s cache fills up their network home and suddenly they can’t load web sites or use applications.

But, Microsoft Office applications don’t like this at all.  They want to save your working file to the temporary items (~/Library/Caches/TemporaryItems) folder and then copy that over to the final destination when you save.  But if the temporary items folder is on the local drive and the user is saving to the network home, they might get an error saying something like “Word cannot save this document due to a naming or permissions error on the destination volume.”

How do you get around this?  Well, this isn’t the whole solution, but it’s a start.  I’m still testing and trying to figure out how to really fix this – but so far what I’ve done is re-redirect the temporary items folder back into the user’s network home.  I did it with another MCX entry.  We manage our Macs with local MCX settings (no Apple server running directory services here) so that means adding another listing in “com.apple.MCXRedirector.”  I chose to redirect it like this:

Action: deleteAndCreateSymLink
Destination Folder Path: ~/Library/TemporaryItems/%@
Folder Path: ~/Library/Caches/TemporaryItems

Which looks like this in Workgroup Manager:

MCXRedirect

This seems to solve the problem for MS Office – but not TextEdit.  I’m not sure why, but I’m still working on it.
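The conflict described in this post arises when the TemporaryItems folder and the folder being saved into sit on different volumes. The following is an added example, not part of the original post, that reports this for a given home folder and save folder; the function names and return codes are this example's own.

```shell
#!/bin/sh
# Added example: does a user's TemporaryItems folder live on the same
# volume as the folder they save into?

# Device number of the volume holding a path, following symlinks.
# Tries the GNU stat syntax first, then the BSD/macOS syntax.
device_of() {
    stat -L -c %d "$1" 2>/dev/null || stat -L -f %d "$1" 2>/dev/null
}

# check_temp_items HOME_DIR SAVE_DIR
#   returns 0 = same volume, 1 = different volumes, 2 = a path is missing
check_temp_items() {
    temp_items="$1/Library/Caches/TemporaryItems"
    save_dir="$2"
    [ -d "$temp_items" ] && [ -d "$save_dir" ] || return 2
    temp_dev=$(device_of "$temp_items") || return 2
    save_dev=$(device_of "$save_dir") || return 2
    # pwd -P shows where a redirected (symlinked) folder really points.
    echo "TemporaryItems: $(cd "$temp_items" && pwd -P) (device $temp_dev)"
    echo "Save folder:    $(cd "$save_dir" && pwd -P) (device $save_dev)"
    if [ "$temp_dev" = "$save_dev" ]; then
        echo "same volume"
        return 0
    fi
    echo "different volumes"
    return 1
}

# Runs only when two arguments are given, for example:
#   sh check_temp_items.sh "$HOME" "$HOME/Documents"
if [ "$#" -eq 2 ]; then
    check_temp_items "$1" "$2"
fi
```

Run it as the logged-in user before and after adding the MCX redirect to confirm where the symlink actually lands.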

2 responses so far

Mac Media Lab Calendar

The new Mac Media Lab on the concourse level of the Mina Rees library is open during library hours.  Some days, the lab might be reserved for a class or a workshop.  There is a new link above that will take you to the calendar as well as a new sidebar item with buttons. You can always get there by going to:  http://tinyurl.com/gcmaclab

The XML button will give you the RSS feed of the calendar. The ICAL link will allow you to subscribe to this calendar in iCal, Outlook or Google Calendars. The HTML link will give you the calendar on screen.


One response so far

Stopping the “Parental Controls” Proxy

Unfortunately, Apple’s “Parental Controls” are a mess.  They are turned on when you are managing users with MCX, and they interfere with web access.  Why, how?  When “Parental Controls” are on, even if no restrictions are set, your Mac is routing all web traffic through its own internal server.  This slows things down and even makes some sites unusable (Gmail, Pandora, etc).

To restore access to the real internet, you can make the proxy server unexecutable by running the following command in Terminal.  You may need to run it again after software updates but it works great and it’s worth it if you’ve run into this issue.  We applied it in the Mac Media lab after some users reported issues with accessing certain web sites.

sudo chmod a-x /System/Library/PrivateFrameworks/FamilyControls.framework/Versions/A/Resources/httpsproxyd
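Because the fix may need re-running after software updates, this added example (not part of the original post) removes the execute bits only when they have come back and reports which case it found. The function names and return codes are this example's own; the path in the usage comment is the one from the command above.

```shell
#!/bin/sh
# Added example: re-apply "chmod a-x" only when it is needed.

# has_exec_bit PATH -> 0 if any execute bit (user, group or other) is set.
# Reads the permission string from ls so the answer is the same for root.
has_exec_bit() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c2-10)
    case "$mode" in
        *[xst]*) return 0 ;;   # x, or setuid/sticky combined with execute
        *)       return 1 ;;
    esac
}

# ensure_not_executable PATH
#   returns 0  = already non-executable, nothing changed
#           10 = execute bits were set (e.g. restored by an update) and removed
#           2  = file not found
#           1  = chmod failed (not running as root?)
ensure_not_executable() {
    [ -e "$1" ] || { echo "missing: $1"; return 2; }
    if has_exec_bit "$1"; then
        chmod a-x "$1" || { echo "chmod failed: $1"; return 1; }
        echo "execute bits removed: $1"
        return 10
    fi
    echo "already non-executable: $1"
    return 0
}

# Runs only when a path is given, for example:
#   sudo sh recheck_proxy.sh /System/Library/PrivateFrameworks/FamilyControls.framework/Versions/A/Resources/httpsproxyd
if [ "$#" -eq 1 ]; then
    ensure_not_executable "$1"
fi
```

A return code of 10 tells you an update put the execute bits back, which is worth logging so you know when the change was reverted.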

No responses yet

Batteries, The Environment & You

We’ve received some wireless keyboards for the Mac Media Lab and they have these very clever silicone overlays with all the quick-keys for Final Cut Pro.  They’re a great tool for the lab.  You can take a wireless keyboard to whichever Mac you want to use.  The overlay helps you learn Final Cut and makes working in it much faster for those who are familiar with the software.

But the keyboards are wireless and that means batteries.  As far as I’m concerned, there’s only one solution to this and that’s rechargeable batteries.

About the same time that I replaced every bulb in my house with compact fluorescents, I also replaced all the batteries with rechargeables.  That was 2 years ago and we haven’t bought a battery or a light bulb since.

Yes, technology can be great, but it can also be toxic and wasteful.  As technophiles, I suggest that we have a moral obligation to reduce the waste we produce and keep disposable products to an absolute minimum.  It also makes financial sense; do you want to buy 1 rechargeable battery or 1000 disposables?

I heartily recommend the eneloop brand I use at home.  They come pre-charged, they hold the charge much longer than other brands, they last ‘forever,’ and they look really cool.  Technophilia satisfied, environmental sustainability satisfied.

One response so far

Users Rights and the Discourse of Security in Information Technology

“Security” is a buzzword we hear every day in IT.  For some it has become the foundation of IT policy and a litmus test for every decision.  But it’s not a closed case.  What “security” actually means is still up for debate.  There are researchers doing incredible work on these questions of “security” uncovering the ways it’s used to disempower people, spy on them and prevent them from regaining power.  Big Brother in the Black Box and the boardroom.

“Electronic media…have become the privileged space of politics…without it there is no chance of winning or exercising power.” (Castells, M. The Power of Identity. 1997)

During my 15 years in academic technology I’ve frequently witnessed the idea of “security” used as justification for closing down previously open services and limiting user choice.  Not as a response to problems that have arisen, but as a “Best Practice.”  Whenever I encounter this, it always clashes with my experiences of technology opening up previously closed systems and empowering users to remake the world.  When I.T. uses “security” in this way they’re really saying:  “There is some kind of threat, some potential danger, and we have to protect you from it even though nothing has happened so far – to do so, we’re going to take away civil liberties and restrict your civil rights.”  Sounds eerily familiar, doesn’t it?

The application of this notion of “security” does not make us more secure, it does not increase our security.  It limits our freedoms.  If an IT department considers “security” above all else, pay careful attention because they’re likely limiting your freedoms in significant ways.  By prohibiting certain protocols, software and behavior and not allowing you to choose what is installed or have control over your computer or software they’re policing your behavior, hoping to stop you from doing something either “illegal” or “harmful.”  But it seems pretty clear from both historical and modern attempts that policing and criminalization don’t achieve the desired result; the behavior inevitably continues in a different form and through different means.  The most troubling part about this implementation of “security” is that it’s not just happening in the corporate sphere, but in higher education, in research universities, in places where these kinds of restrictions not only limit users’ rights, but actually hinder the goals of the institution.

“A powerful counterhegemonic use of the Internet is the ability to communicate intersubjective knowledge – as much an attribute of hypertext as innate in the Internet. People from different places, with radically variant experiences, are able to convey a notion of what it is like to be them, to live their lives, via the Net. For example, the production side of the commodity chain no longer is shielded when one reads an essay, written by a shoe-factory worker, that describes conditions where Nike shoes are made. In an ideal situation these texts are written by the individuals who are involved, not by experts or elites, and are unfiltered.”   (Warf, B. and J. Grimes, Counterhegemonic Discourses and the Internet. Geographical Review, 1997.)

Why would higher education choose a model of “security” that threatens open inquiry?  Some of it is coming from corporations.  If you work for MegaCorporation X and your job is filling in a spreadsheet with numbers, they might squeeze more profit out of your labor (in the short term) by only giving you access to a spreadsheet application, restricting your access to anything else and spying on you while you work.  Of course, they’re missing out on innovations you could discover if you were free to use the full potential of your digital device on the open network – but they don’t want innovation, they want a factory worker who sits at a computer instead of an assembly line.  OK, so the corporations always do this – but they’re also informing much of what is done behind the scenes in the broader world of IT.  Higher education is always in danger of inheriting the corporate discourse from hardware and software vendors, through hiring policies and because of traditions of institutional organization that regard IT as a building service and not a department with a responsibility to education and research.  You can see how insidious this danger is if you listen carefully to the language used in academic IT departments.  They talk about “enterprise” services, “clients,” “customer satisfaction,” “customer service” and “training.”  Again, buzzwords that sound great to MBAs, but not policy, practice or discourse that encourage participation, learning and democracy in education.

If you haven’t worked in IT, you might even think that IT staff are well suited to making decisions about issues like “security.”  That’s not usually the case.  It’s not malicious, they’ve just learned to respond to technology in certain ways.  For example, they have a gut reaction that “peer-to-peer file sharing is bad” without considering that organizations like the Democratic Voice of Burma use P2P technology to collect digital reportage of human rights violations from citizen journalists.  And the IT staff have been constructed by a corporate IT discourse with little regard for pedagogy because corporate IT doesn’t care about pedagogy.  But IT policy doesn’t have to be a monolithic dogma accepted only because the people who repair hardware, write code and build networks “know more about technology” than the users.  To allow that is no different than trusting government officials who won’t show the evidence, but say “We don’t want the smoking gun to be a mushroom cloud.”

So, when someone in IT says “we can’t do that because it’s a security issue” I encourage users to borrow from a classic film and respond:

“You keep using that word. I do not think it means what you think it means….”

With that in mind, here are some closing thoughts on specific Users Rights, a working draft on a Users Bill of Rights if you will.

Because digital device hardware, software and network systems exist only to meet the needs of the user AND because the user is not a powerless subject of arbitrary policy AND because liberty and the exercise of freedom are always under threat, users have the right, including but not limited to:

  1. Free and open access to computers, software and network services
  2. Freedom to choose Free Software over proprietary software
  3. Equal Representation and participation in the creation of IT policies and procedures
  4. Control of the software and operating systems installed on the devices they use
  5. Freedom from all forms of surveillance
  6. Equal access to administrative control for the devices they use
  7. Equal access to all network services from the platform of their choice
  8. Equal, unhindered access to an open and free network
  9. Freedom from traffic-type discrimination
  10. Freedom from platform-type discrimination
  11. Total protection of privacy in all matters regarding data they have engaged with
  12. Total protection of privacy in all matters regarding their activity on the digital devices and the network

No responses yet
