Integrating Mac OS X on Campus

Revised: 2006-07-25 richard

Introduction

Drawing on lessons learned from the Higher Education Mac OS X Labs Deployment Project, this Apple Computer-sponsored seminar was held at the U of U in May 2003.


Seminar Review

On May 1st, 2003, Apple Computer and the University of Utah Student Computing Labs Mac Support Group (SCL) presented this free seminar based on real-world experience and lessons learned from the Higher Education Mac OS X Labs Deployment Project (www.macosxlabs.org). Together, they demonstrated solutions for deploying, maintaining, and managing Mac OS X clients in an open multi-user, multipurpose, and multi-platform environment.


Frank Callaham, an Apple Engineer, illustrated how Mac OS X is ideal for use in multi-user situations and how it can be distributed and maintained using tools like Open Directory, NetBoot, NetInstall, Apple Software Restore, and NetRestore. Frank also emphasized how easy it is to integrate Mac OS X into widely-used directory infrastructures such as LDAP and Kerberos.


The University of Utah's own Student Computing Labs Mac Support Group, a founding participant in the macosxlabs.org project, provided case studies highlighting these key Mac OS X features. Student Computing Labs has been deploying & administering Mac OS X on approximately 400 open use lab computers for the past year. Drawing on this first-hand experience, members of SCL discussed integration of Mac OS X with the U of U's Network Identification/Authentication system, the group's use of Radmind & iHook for file system maintenance, and Mac OS X lab security issues.


The seminar was a truly rare opportunity for the more than 100 registrants. They were able to discuss large- and small-scale Mac OS X deployment with people possessing first-hand, cutting-edge knowledge & experience with deploying Apple's UNIX-based operating system.


Lab Tour and Demonstration

Following the conclusion of the seminar, a number of participants were taken on a tour of the nearby Marriott Library Multimedia Center open use computer lab. Supported by Student Computing Labs, the Multimedia Center features machines configured as dedicated internet/email kiosks and general use lab computers. Members of Student Computing Labs demonstrated the key modifications and customizations used to set up both types of machines.

Internet/Email Kiosk

For the internet/email kiosks, this included the following:
  • Removal of the dock.
  • Addition of custom System Menu with Menuversum.
  • Replacement of the Finder with a web browser.
  • Customization of the Apple Menu with FruitMenu.
  • Addition of an Admin Utility that provides access to administrative functions like running radmind, logging out, and shutting down the Mac.
  • Use of a special "IdleScript" to run certain maintenance functions when the machine is idle, as indicated by the screen saver.
The "IdleScript" is useful in a kiosk environment where you want to clean up after each user session. This includes cleaning up items like cookies and history, which may contain sensitive information like passwords, credit card numbers, etc. It also makes sure the web browser is opened to the default webpage & settings.

Open Area Workstation

For the open area lab machines, this included the following:
  • Addition of custom System Menu with Menuversum.
  • Customization of the Login Window Graphic with modifications of the username field (i.e. uNID, which is U of U specific terminology) and the status of the file system maintenance tool radmind.
  • Use of a "Screen Preserver" screen saver that runs on top of the login panel when no one is logged in. It helps prevent monitor/LCD burn-in and provides information to users.
  • Running "Classic" via a shadow mounted disk image. This simplifies user cleanup and improves Classic security because modifications are written to the shadow file rather than to the Classic environment.
  • Certain applications, such as Virtual PC & QuarkXPress, do not work well in an open access multi-user environment like Mac OS X. They can be launched using a shadow mounted disk image as well. Other applications like Painter 7 & FreeHand 10 can be fixed by re-pointing files to user space with aliases or symlinks.
  • "Lost & Found" is functionality that temporarily stores locally saved files and makes the specific user's files available on next login. This is useful to users who either accidentally saved to the local drive or don't have removable media.
  • Customization of the Apple Menu to remove problematic items like Shut Down and Sleep, and to replace items like Logout with our custom "Logout" script.
The custom "Logout" is available on the desktop & from the Apple Menu. It provides additional functionality over Apple's standard "Logout" function in that it will not be stopped by unsaved documents or hung processes, and it makes sure that all of the user's processes are terminated for security.
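
The behaviour described for the custom "Logout" (not blocked by hung processes, every process of the user terminated) can be reproduced with a polite-then-forced signal sequence. This is an added example, not the SCL script; the function names, the `GRACE` variable and the assumption that it runs as root once the session has ended are illustrative.

```shell
#!/bin/sh
# Added illustration: end every process a lab user left behind at logout.
# Function names and the GRACE setting are assumptions, not SCL's script.

# Print the PIDs owned by user $1, excluding this script itself.
user_pids() {
    uid=$(id -u "$1") || return 1
    ps -A -o pid= -o uid= | awk -v uid="$uid" -v self="$$" \
        '$2 == uid && $1 != self { print $1 }'
}

# Print those PIDs from the argument list that still exist.
still_running() {
    for pid in "$@"; do
        kill -0 "$pid" 2>/dev/null && echo "$pid"
    done
    return 0
}

# Ask the given PIDs to exit (SIGTERM), wait $GRACE seconds, then force
# (SIGKILL) whatever ignored the request. Returns 0 only if none are left.
terminate_pids() {
    [ "$#" -gt 0 ] || return 0
    kill -TERM "$@" 2>/dev/null || true
    sleep "${GRACE:-3}"
    survivors=$(still_running "$@")
    if [ -n "$survivors" ]; then
        # Hung or TERM-ignoring processes: the case a stock logout stalls on.
        # $survivors is deliberately unquoted so each PID is its own argument.
        kill -KILL $survivors 2>/dev/null || true
        sleep 1
        survivors=$(still_running "$@")
    fi
    [ -z "$survivors" ]
}

# Usage: sh logout-cleanup.sh <username>
if [ "$#" -eq 1 ]; then
    terminate_pids $(user_pids "$1")
fi
```

A non-zero exit status means something survived SIGKILL (for example a process stuck in an uninterruptible wait), which is worth logging so the machine can be flagged for a reboot before the next user sits down.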

Presentations & Handouts

Radmind - Mac OS X File System Maintenance - by Richard Glaser
This presentation discusses Mac OS X file system maintenance using radmind. It includes an overview of radmind, and details on how the University of Utah, Student Computing Labs group uses it to restore & update OS and software; remove client modifications by users, OS & hardware bugs; track & deploy OS and software updates; and options for customizing use of radmind.


Mac OS X Lab Security - by James Reynolds
This presentation discusses Mac OS X lab physical security, boot security, how to handle published exploits, passwords, world write permissions, SUID applications, how to securely modify the system, what to do with applications that stay open after logout, how to protect services that you might enable, and how to monitor your labs to ensure that they stay secure.


Mac OS X Authentication - by Darren Davis
This presentation is a case study of how the University of Utah Student Computing Labs performed network authentication on Mac OS X 10.2 (Jaguar) using Kerberos and an Enterprise Directory. It features a discussion on setting up the Kerberos client built in to Jaguar as well as using the Apple Directory Access Utility to set up directory integration using LDAPv2.

