Integrating with Managed Preferences

If you have used the Parental Controls preferences to manage a local Mac or the Preferences pane of Workgroup Manager on a Mac OS X Server to manage networked Macs, then you have used preference management. Both of these features are facilitated by the underlying managed preferences architecture. The Mac OS X managed preferences architecture, sometimes called MCX, is a method to control both system and user settings from a centralized source. In other words, you can use managed preferences to define policy for all your clients from a single administrative resource.

In this section, you will learn how you can leverage Mac OS X’s managed preferences as an alternative to deploying static settings as part of a system image. Planning and implementing this type of client management system is the best way to enforce usage policies and maintain a consistent configuration across your deployed systems. Nevertheless, managed preferences are not required to deploy system images. In fact, the flexibility of this system means that you could choose to deploy managed preferences well after you have deployed your system images.

For many deployments the managed preferences source is a network directory service that the client computers are bound to, like a Mac OS X Server with the Open Directory service enabled. By relying on a network directory service for acquiring configuration, you have much greater flexibility for deploying user and system settings. Storing configuration information on a directory server means you don’t have to include this configuration as part of your system image. Further, when managing preferences from a network directory service you can easily change configuration settings after your initial deployment.

Understanding the Managed Preferences Architecture

Mac OS X’s managed preferences architecture allows you to define policy at four different account levels: user, group, computer, and computer group. The background process MCXCompositor, found inside the /System/Library/CoreServices/ManagedClient.app bundle, is responsible for assessing any available managed preferences. At system startup the compositor process queries directory services for computer and computer group managed preferences, and during login it queries for user and group managed preferences. These preferences are then cached to the local computer so the management remains active even if the Mac is disconnected from the directory service.

As you can see, managed preferences rely on directory services as the source for policy information. This allows you to store managed preferences in any location that Mac OS X’s directory service can access. This includes the local account database, a properly configured Lightweight Directory Access Protocol (LDAP) server like the one hosted from a Mac OS X Server, or a properly configured Active Directory (AD) server.

If you choose to host managed preferences in the local account database, then you will want to include this configuration in your system image. The downside is that your managed preferences are no longer centrally managed, and you will have to deploy changes to each client using a manual method.

A more common configuration is to have a network directory service like LDAP or AD host the managed preferences information. In this case, to take advantage of managed preferences, your system image must include steps for binding to the network directory service, as covered in Chapter 6, “Postimaging Deployment Considerations.”

Using Managed Preferences

The most comprehensive tool for configuring managed preferences is Workgroup Manager (WGM), located in the /Applications/Server folder on your Mac OS X Server computer. This application can also be installed as part of the Server Admin Tools v10.6 on any Mac OS X v10.6 computer. In fact there are several managed preferences settings that can be properly set only when you open WGM from a Mac client. For example, when building an allowed applications list, WGM can add applications to this list only from the Mac it’s currently open on. Many Mac servers don’t have all the additional applications that Mac clients use; thus you need to open WGM from a Mac client.

To apply basic managed preferences settings using WGM:

  1. Open /Applications/Server/Workgroup Manager.app and a server connection dialog will appear.
  2. Perform one of the following tasks to connect and manage a directory service:
    • If you’re going to manage a network directory service, enter the address and directory administrator authentication information for the server hosting the directory.
    • If you are going to manage the local directory service on the local Mac client, click the Cancel button to dismiss the server connection dialog and then choose Server > View Directories from the menu bar.
  3. Verify that you have connected to the correct directory and are allowed to make changes by inspecting the selected Directory Node, which appears directly under the WGM toolbar.

    If the lock icon to the right still appears “locked,” click it and authenticate as an administrator so you can edit accounts.

  4. Select or create the account type you wish to manage—a user, group, computer, or computer group—and then click the Preferences button in the toolbar.

    This will display a pane showing the categories of preferences that can be easily managed with WGM. In this example a computer group has been selected. Note that computer and computer group accounts have more preference management options in WGM.

  5. Select a preference icon to display an interface that allows you to manage the associated preferences. The following example shows the Dock Display preferences.
  6. To manage a preference only the first time a user logs into the system, select the Once button. To permanently manage a preference, preventing the user from making changes, select the Always button.

    Selecting the Never button will “turn off” managed preferences for the selected items.

  7. Once you have made your selections, click the Apply Now button to save the managed preferences.
  8. Click the Preferences button in the toolbar to return to the main Preferences view.

    Note the small arrow icon next to any preference that is being managed.

Finally, when configuring managed preferences, it’s important to thoroughly test these settings from a client Mac to verify the correct behavior. Any new preference changes will be applied the next time a user logs into any system that is currently connected to the directory service. If you’re having problematic results, try some of the troubleshooting tips covered in the “Troubleshooting Managed Preferences” section later in this chapter.

Understanding Custom Managed Preferences

Workgroup Manager (WGM) also provides a managed preferences Detailed view that allows you to import and manage preferences that don’t have a graphical interface in WGM’s default Preferences view. This includes the ability to centrally manage the preferences for both built-in and third-party applications that support Apple’s standard preference format, the property list or “.plist” file. In fact, the underlying format for managed preferences is the same XML (eXtensible Markup Language) encoded key/value pairs that you’ll find in local preference .plist files.

There are three methods for importing, and thus managing, a preference with WGM:

  • The primary method is via a mechanism known as a preference manifest. A preference manifest is a file embedded inside an application bundle that describes the application’s customizable preferences. When you select an application’s icon to import into WGM, it will scan the application for a preference manifest to import. Not only will the preference manifest include all the manageable key/value attributes, it often also includes examples and plain-text description of the items. In short, the existence of a preference manifest makes it much easier to define custom managed preferences settings for an application or service.
  • Another method is to import the application’s preference file directly into WGM. This can be done by locating the specific .plist file, or by selecting the application’s icon. If the application lacks a preference manifest, then WGM can import the application’s preference file instead. The primary drawback here is that the application may not react well to preference management. Further, you will likely have to experiment to figure out which key/value pairs represent the preferences that you wish to manage.
  • The last method is really just a shortcut to many of the included Apple preference manifests. The /System/Library/CoreServices/ManagedClient.app application bundle contains roughly two dozen preference manifests for various Apple system and application preferences. WGM can import all of these preferences at once for optional management. Preference manifests in the ManagedClient.app include several significant manageable preferences including Bluetooth, Desktop Picture, Folder Redirection, iTunes, Safari, Screen Saver, Sidebar, and VPN settings.

The primary caveat to custom managed preferences is that some items are difficult if not impossible to manage because they don’t fully support Mac OS X’s preference architecture. In fact, most third-party preferences do not respect the Always managed preferences option, thus making permanent management difficult. Because of this limitation, when you import custom preferences for management you are allowed a fourth management option, Often. Setting a preference to be managed Often instructs the MCXCompositor to rewrite the .plist file, wherever its default storage location is, every time the user logs in. The result is that the user may still be able to change the setting, but every time she logs into the Mac, the preference will be set to the managed state.

Using Custom Managed Preferences

To import and manage custom preferences:

  1. Open /Applications/Server/Workgroup Manager.app and authenticate to the directory that will be hosting the custom managed preferences.
  2. Select the account(s) that you wish to manage, then click the Preferences button in the toolbar, and then the Details tab. This will reveal WGM’s preference editor interface.

    If you have previously configured managed preferences settings using WGM’s normal graphical interface you will see those items in the preference editor list with a pointer icon adjacent to the items’ names.

  3. To import a new preference manifest or preference file, click the small plus button at the bottom of the preference editor list and an import dialog will appear.
  4. From this dialog you can import manageable preferences by selecting any one of the following items:
    • An application’s icon, which will import the preference manifest, if found, or the application’s related preference files as long as they are in .plist format
    • A specific .plist preference file that you wish to manage
    • The /System/Library/CoreServices/ManagedClient.app, which will import many of the included Apple preference manifests all at once
  5. Optionally, if you selected an application or preference file to import, you will note that the options at the bottom of the import dialog may have activated. These options can be used to automatically import the management settings along with the preference items:
    • Selecting the “Import my preferences for this application” checkbox will import the current preference state of the selected item and use that as the set management options.
    • The “Manage imported preferences” pop-up menu allows you to choose how you want the preference to be managed. The default selection of Often is the safest choice as it’s compatible with most custom preferences. The other two options are Once and Always. Again, selecting the Once option only sets the preference the first time the user logs in to a Mac, while the Always option attempts to prevent the user from changing the preference. It’s important to note that many third-party preferences do not respect the Always option, making the Often option your only recourse.
    • Selecting the “Import as ByHost preferences” checkbox is necessary if the preference is designed to be user and computer specific. This option instructs the managed preferences system to change the ByHost preference file’s name so that it can apply to any managed user or computer. An example ByHost preference is ~/Library/Preferences/ByHost/com.apple.scheduler, which is used to set the automatic Software Update schedule.
  6. Once you have selected the item you wish to import and any additional options, click the Add button to import the item into WGM.

    The following screen shot shows the results of importing the preferences of the Safari application and the preference manifests inside the ManagedClient.app bundle. Note that any managed preferences will be displayed with an adjacent arrow icon, thus only those preferences that you have manually configured or imported with settings will be managed.

  7. To manage a preference simply double-click on its name in the preference editor list.

    This will open the preference editor, which allows you to edit the individual key (shown in the Name column) value pair of the preference file. Use the disclosure triangles to expose the managed key/value pairs under each management option—Once, Often, Always. You can modify existing key/value pairs by clicking on them. Use the New Key button to add new key/value pairs and the Delete button to delete any unnecessary items.

    Any key/value item listed will be part of the managed preference entry. In many cases you will have to experiment to get the best set of managed key/value pairs. For instance, the previous screen shot shows an imported Safari preference, which contains many extraneous key/value pairs that should be deleted from management.

  8. When you have completed the necessary managed preferences modifications, click the Apply Now button to save the changes.

    Again, note the small arrow icon next to any preference that is being managed.

Finally, when configuring managed preferences, it’s important to thoroughly test these settings from several client Macs to verify the correct behavior. This is especially true when dealing with custom managed preferences. It will probably take several attempts to nail down the exact combination of managed preferences options and settings to achieve your policy goals.

Again, any new preference changes will be applied the next time a user logs into any system that is currently connected to the directory service. If you’re having problematic results, try some of the troubleshooting tips covered in the following section.

Troubleshooting Managed Preferences

With so many different technologies responsible for implementing managed preferences, troubleshooting managed preferences issues can be complicated. As with any complicated issue, breaking it down into specific trouble spots is always the best plan.

Managed Preferences: Verify Directory Services

Start by troubleshooting any potential directory service issues, since this is the system through which the Mac acquires the managed preferences settings. Basically, you need to verify connectivity to the directory service hosting the managed preferences. You can do this by viewing the Network Account Server status in the Login Options pane of the Accounts preferences.

You can further verify connectivity by logging into the Mac with a network user account, or by entering id username at the command line, where “username” is the account name of a network user account, to verify that your Mac can see a network account. If any of these tests fail, then you need to resolve the directory service issue before you hunt down the managed preferences issue.

If you are able to verify that directory services is working properly, then you can verify that the directory service is providing managed preferences information. The dscl command allows you to read the directory information, including any managed preferences settings. In the following example Michelle uses the dscl command with the -mcxread option to verify that the “lab1” computer group contains managed preferences settings.

MyMac:~ michelle$ dscl localhost -mcxread /Search/ComputerGroups/lab1
App domain: com.apple.dock
Key: autohide
State: always
Value: 0

...

Note that dscl indeed returns management settings. Also note that the output has been truncated to save space. It’s not uncommon for dscl to return several pages of text when asked to query managed preferences information. When using dscl in this manner, if you want to search for a different account type, simply enter that in the search path: for example, /Search/Users/user_name, /Search/Groups/group_name, or /Search/Computers/computer_name.

If you are unable to retrieve user information using the id command, or are unable to retrieve management settings using dscl, you will need to troubleshoot the directory services setup. Common issues include a loss of network connectivity, DNS problems, and not having the directory service node in the search path on the client.

Managed Preferences: Verify Compositor Output

Once you have verified that the Mac can view managed preferences settings from directory services, it’s time to verify the results of the MCXCompositor. As covered previously, the MCXCompositor collects all the managed preferences settings and then applies those to the user’s session during login. Managed preferences issues at this level stem from having unexpected MCXCompositor results. The symptoms are easily identified by simply logging in as a user and then opening various applications and system items to verify your managed preferences settings.

While logged in as a user with managed preferences, you can view the managed preferences results by opening /Applications/Utilities/System Profiler.app and selecting Managed Client from the Contents list. This will show the managed preferences results of this specific user logged in to this specific Mac.

You can test other managed preferences combinations using the mcxquery command. This command allows you to test the managed preferences results by specifying a user, group, and/or computer account combination. The following example shows Michelle querying for the managed preferences results of user “logan” in the group “dev” on the computer “lab1_12.”

MyMac:~ michelle$ mcxquery -user logan -group dev -computer lab1_12
com.apple.dock
    autohide              wgmuser (User) always 0
    autohide-immutable    wgmuser (User) always 1
    largesize             wgmuser (User) always 128

...

In this example, again the results have been truncated to save space. If the compositor is returning what you think are improper results, then you have one of two main paths to follow. First, you can return to WGM on the server and try to verify the managed preferences settings. In this case, don’t forget to look in the WGM Details view, where you can manually inspect every key/value pair. The second path is to reset the Mac client’s managed preferences related service and settings, as covered next.
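The two command-line checks above can be scripted. The following is an added example, not code from the book: it parses the dscl -mcxread and mcxquery layouts shown in this section, lists settings whose state is not always (which a user can still change), and reports keys where a directory record and the compositor result disagree. The function names and the sample captures are constructed for illustration, and single-line values are assumed.

```shell
#!/bin/sh
# Added example. The captures below are constructed samples; on a managed Mac
# feed the functions the real output of
#   dscl localhost -mcxread /Search/ComputerGroups/lab1
#   mcxquery -user logan -group dev -computer lab1_12

# Constructed sample in the `dscl ... -mcxread` layout shown above.
SAMPLE_DSCL='App domain: com.apple.dock
Key: autohide
State: always
Value: 0
Key: largesize
State: always
Value: 64
App domain: com.apple.Safari
Key: HomePage
State: once
Value: http://intranet.example.com/'

# Constructed sample in the `mcxquery` layout shown above.
SAMPLE_QUERY='com.apple.dock
    autohide              wgmuser (User) always 0
    autohide-immutable    wgmuser (User) always 1
    largesize             wgmuser (User) always 128'

# dscl -mcxread text on stdin -> "domain<TAB>key<TAB>state<TAB>value" rows.
# Leading whitespace is ignored; a domain applies until the next "App domain:".
mcx_dscl_rows() {
    awk '
        { sub(/^[ \t]+/, "") }
        /^App domain: / { domain = substr($0, 13); next }
        /^Key: /        { key = substr($0, 6); next }
        /^State: /      { state = substr($0, 8); next }
        /^Value: /      { printf "%s\t%s\t%s\t%s\n", domain, key, state, substr($0, 8) }
    '
}

# mcxquery text on stdin -> the same four-column rows.
# An unindented line names the domain; on indented lines the state follows
# the "(Type)" token and the value is everything after the state.
mcx_query_rows() {
    awk '
        /^[^ \t]/ { domain = $1; next }
        NF >= 4 {
            for (i = 2; i < NF; i++) if ($i ~ /\)$/) break
            if (i >= NF) next
            value = ""
            for (j = i + 2; j <= NF; j++) value = value (j > i + 2 ? " " : "") $j
            printf "%s\t%s\t%s\t%s\n", domain, $1, $(i + 1), value
        }
    '
}

# Rows on stdin -> rows whose state is once or often, i.e. not locked.
mcx_not_enforced() {
    awk -F '\t' 'NF >= 4 && tolower($3) != "always"'
}

# $1 = rows from a directory record, $2 = rows from the compositor query.
# Prints MISSING when a directory key is absent from the compositor result and
# DIFFERS when state or value disagree (another account level or a stale cache).
mcx_drift() {
    printf '%s\n@@\n%s\n' "$2" "$1" | awk -F '\t' '
        $0 == "@@" { second = 1; next }
        NF < 4     { next }
        !second    { eff[$1 SUBSEP $2] = $3 "/" $4; next }
        {
            k = $1 SUBSEP $2
            if (!(k in eff))
                printf "MISSING\t%s\t%s\n", $1, $2
            else if (eff[k] != ($3 "/" $4))
                printf "DIFFERS\t%s\t%s\tdirectory=%s/%s\teffective=%s\n", $1, $2, $3, $4, eff[k]
        }
    '
}

dir_rows=$(printf '%s\n' "$SAMPLE_DSCL" | mcx_dscl_rows)
eff_rows=$(printf '%s\n' "$SAMPLE_QUERY" | mcx_query_rows)
echo "Settings a user can still change (state is not always):"
printf '%s\n' "$dir_rows" | mcx_not_enforced
echo "Directory record compared with compositor result:"
mcx_drift "$dir_rows" "$eff_rows"
```

A DIFFERS line is not necessarily a fault: the compositor combines user, group, computer, and computer group settings, so check in the WGM Details view which account level supplies the effective value before resetting caches.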

Managed Preferences: Reset Services and Caches

To enhance performance and provide for offline access, managed preferences are cached locally on each Mac. Sometimes the cache can become out of sync with the primary settings hosted from the directory servers. Mac clients will try to refresh on every directory service transition, such as a user login or network state change. You can also simulate this by restarting the directory service process, which may clear up any directory service issues as well. From the command line simply enter:

MyMac:~ michelle$ sudo killall DirectoryService

Another option, new in Mac OS X v10.6, is to use the mcxrefresh command. This command will attempt to re-query the managed preferences results and rebuild any local caches. In the following example Michelle refreshes the managed preferences results for the user “logan”.

MyMac:~ michelle$ sudo mcxrefresh -n logan

Finally, as a last resort you can manually clear out the local managed preferences cache and restart the Mac. Simply delete the /Library/Managed Preferences/ folder and restart. If you are having problems with a particular user’s preferences, you can delete just that individual user’s folder from within the Managed Preferences folder.
