MacAdministrator Customization

By: Mike Kimball - Revised: 2006-06-13 devin

Introduction

This page lists some of the configurations, customizations, and modifications we have made to MacAdministrator to suit our environment both from an authentication and a user-service standpoint.


Screen Save Pict

screen save pict

This is the pict that will display whenever a user is not logged in to the Mac. We customized this to display information to the user such as the requirement of authenticating with their network ID, where to obtain their network ID if they don't have one, and where to get help with problems logging in.

The screen save pict is located in the root of the MacAdmin Folder, named "Screen Save Picture (C)". There is also one for black and white - I just left it there, it is the default that comes with the software. Basically it just has to be named as such, and needs to be a PICT file; other than that you can customize it however you want.

Wish list: We think it would be really cool if there were a screen save function that worked for a logged on user - with separate idle time settings so that it would go to screen save and require a password to wake, then after a second time specification it would have a "logout" button available that would let another user log the machine out but not have access without logging back in. All this would be set through the configuration manager - the number of idle times and their lengths, the presence or absence of a logout button, etc. And this would be separate from the auto-logout setting (which we don't currently use, but some may wish to).

Greeting Pict

The greeting pict displays upon a successful login, before the machine proceeds to startup. Because this causes a significant delay time, we removed this pict - without it, the machine simply logs in and immediately finishes starting up.

This would be named "Greeting Picture (C)" and located in the same folder as the screen saver pict.

Login Panel

login window

We customized this heavily - a different top graphic, the "name" field reads "uNID", and some text at the bottom to display further instructions. We either moved or changed the text to every other item. Actually we are surprised this hasn't come up more often, that apparently no one else has wanted to do this (but Gair was very obliging with us in sharing info on how to).

I strongly advise making backup copies of anything you intend to edit with ResEdit because it is very easy to screw up royally and do something that completely wrecks its appearance or ability to function. I also advise making a backup of each stage of customization you try, so it is easier to go back to a previous one if you wish.

Edit the "MacAdmin Client" file, one of the three items in the Extensions folder (the master resides on the MacAdministrator volume in Client Software). Use ResEdit to open the DITL resource, ID 128.

Resedit window

Our login window resource looks like this:

Resedit window 2

Some trickiness: If you enable guest, once you click on the guest radio button, the uNID and Password fields disappear, so if you want them to reappear, you will need the "registered user" button visible too. As for the icon that gives the info, and the Shutdown and Change Password buttons, they have been moved outside the bounds of the window so they cannot be used. If you select the menu DITL:Show All Items, you can see all the items you have moved around. See below.

Resedit window 3

The buttons for Guest and Change Password only appear if you have them enabled in your MachineGroup profile, otherwise they won't be visible. However, if you have your window aligned precisely and take up the space where these items would appear by default, it's easier to move the unused items out of the window bounds.

One other useful bit - when you actually open each item, it will show coordinates (left/right/top/bottom). Using these is often easier than trying to align the items manually.

To edit the pict at the top of the window, you must edit the PICT resource, and since the login panel's ID is 128, you must edit the PICT resource ID 128. Obviously, since the resource ID is how they tie together, this limits you to using only one pict and one icon in this dialog. Anyway, the easiest way to insert a graphic in here is to save it in Photoshop as a PICT resource, so you can then open it in ResEdit - then just copy and paste from one PICT resource to the other.

Resedit window 4

Lastly, because the Login Panel is part of the MacAdmin Client, which is an extension, any changes require a restart to take effect.

Wish list: We think it would be really cool if there were a way to customize this sort of thing within the Configuration Manager.

Desktop

desktop

In addition to the usual customizations we provide (items on the desktop and in the desktop picture, such as the Software Index), we noticed a lot of people needed some encouragement to remember to logout. So, we added a "Please remember to LOGOUT" to the desktop, along with an alias to our Logout script, located on the desktop.

Alert Strings

During the login process you will see a few alerts that read "Authenticating ... please wait" or "Logging in". These are text strings in the STR# resource, ID (you guessed it) 128. You can merely locate the string you wish to change, and substitute your preferred phrase.

Other alert strings exist (I'm guessing) in the MacAdmin Protection extension.

Issues, Surprises, etc.

Auto-logout - this is not located on each user, but rather in the UserGroup profile, meaning that if you merely want the Guest user to have an auto-logout setting, you have to create and attach a UserGroup profile which has this set.

We don't actually have this set - although this does mean some users leave without logging out, we decided not to invoke it. We have lab supervisors who keep an eye on the machines, to help with patron questions, and also to log out machines that have been left unattended. We think it would be nice to have more than one idle time setting, including one that would go to screen saver mode but allow the logged in user back with their password. For more on this see the Screen Save wish list paragraph.

Agent Controls - these are tied to the MachineGroup profile, so you can't use MacAdmin to run different Agents based on which user logs in; again, if you want the Guest user to do something different at startup than all other users, you have to accomplish this through AppleScript. Luckily, MacAdmin does have a Scripting Addition that allows one to get the logged in username.

Disc Burner conflict - We've found that Disc Burner sometimes fails to complete its operation with MacAdmin's default protection on. Sometimes it works if you select "Burn CD-R" from the Special Menu, but if you drag the CD to the trash as your method of telling the System to burn the disc, you may experience problems (and wasted CD-R blanks)... Burning CD-R's with protection off works fine.

Flash 5 conflict - Flash 5 requires writing to places in the System that are protected, which causes the app to crash. Logging in as a deity (no protection) works, but not as a default protection user. This is fixed by upgrading to Flash MX.

Fonts Folder - Pretty simply, we set our protections to allow users to install fonts they need. The catch is, you can't just drag and drop fonts onto the System Folder (which would normally just prompt the user to put them in the Fonts folder) because the default protection settings protect the System Folder - the user has to put items directly in the Fonts folder.

Keycapture utilities - We have set our permissions to allow people to install things they might need for classes or research (i.e. software, etc). This opens the possibility of people installing Keycapture utilities (i.e. ones that capture someone typing their passwords). The problem is, MacAdmin does not recognize and kill these types of processes on logout. Our Logout Cleanup script takes care of this in its quitFacelessApps function.

Login/NoLogin Mode - NoLogin Mode means you can use the machine without logging in, but the machine still goes to screen saver and must have its mouse clicked to startup fully. Of course, if you don't have auto-logout set, it will stay this way, at least until some user tells the machine to logout...

Logout Short Key - By default the keyboard shortcut to logout is command-l, which is the same as open location in Netscape and IE. Kind of a hassle for lab consultants who wish to go by machines quickly and log them out. Originally we tried using command-esc, which worked ok but broke the Logout item in the Special menu (if you selected it, it did nothing). We considered changing it to a number, but finally decided we didn't want someone to log out accidentally, so we removed this short key altogether (use ResEdit and open the MacAdmin Client extension, the resource is LKey - you don't get to choose a modifier key, only the letter). Then, we used the Keyboard Control Panel to assign a Hot Key (we used alt-F12) as the logout shortcut - actually it triggers our logout script, which asks for confirmation before proceeding.

Password settings - These are stored both in the UserGroup profile as well as the MachineGroup profile. Basically the options are whether to allow password changes, the minimum and maximum lengths, and expiration. Note that the MachineGroup setting overrides the UserGroup setting - if the machine does not allow password changes, that goes even for users that are allowed; if the machine allows password changes, then the option is visible in the login panel even to users for whom you do not wish to allow it.

Protection while booted from CD - this depends on who was logged in before the machine restarted - if a user with Protection Off was logged in, that means the machine restarts with protection disabled (i.e. you can startup from a CD and do anything you want to the Hard Disk). This is a deliberate feature to allow admins access to the Hard Disk, but it of course means one must logout and then login/logout as a protected user, to enable the protection of the Hard Disk if booted from CD afterwards.

RevRdist - One snag that still exists is that RevRdist hangs the machine if it runs during Screen Saver mode - we are pushing Hi-Res to fix this - so for the moment you must run RevRdist while logged on, and you must be logged on as a user with Protection Off (this may be fixed in a future version of RevRdist). We accomplish this with a series of scripts which log the machine on and then run RevRdist.

The reason we want to run RevRdist during Screen Save mode is that we do not run it at every shutdown or startup - we prefer to run it once a night at a scheduled time, to minimize the impact on users. If necessary, we can also run it manually anytime we wish.

A note on coding: MacAdmin software (extensions, MacAdmin Folder, etc) gets refreshed at every logout, so the RevRdist code for these items should be ":AiSu". This includes the three extensions in the Client Software folder, the MacAdmin Folder, and a number of other items. Prefs files don't matter either way - they are created on the fly.


And naturally, when you update the configs in the Configuration Manager, remember to copy all the relevant pieces to your RevRdist images...