OS X Tiger Mobile Profiles for AD Users

1
OS X Tiger Mobile Profiles for AD Users

• Presented By
• Fabiano Iacusso
• Quinnipiac University

2
Outline

• Introduction
• Brief History of MySelf
• Current OS X Environment at Quinnipiac
• Managing our Labs (Setup)
• Bound OS X Server to AD
• Use of Client Workstation LDAP Authentication -
  TLS LDAPv3
• Portable Home Directories
• Network Share Accessibility (Filespace)
• Abide by AD Password Policies
• Print Management

3
Introduction

• Quinnipiac University Experience
• Undergraduate/Graduate Student (01-07)
• Hired in May 2005
• Network Operations / Client Support Services
• Computer Systems Administrator (Dec 06 - Present)

4
QU Environment

• Student Body - 8,000 students
• Server Environment
• 140 Windows Based
• 8 Linux (RedHat, SuSe)
• 2 Mac OS X
• Mac Workstations (Lab Env)
• 29 Intel iMac
• 21 Intel Mac Pro (Dual-Core Xeon)

5
Benefits of Binding XServer / Clients to Active
Directory

• Better Network Integration
• Domain Admins - inherit full rights
• Domain Password Policies Apply
• Access to file shares
• Print Management
• HomeSync - Facilitating Portable Home Directories

6
Requested Lab Details

• Allow Students and Faculty to log in with their
  AD User Accounts
• Need to have Users Home Profiles Backed up onto
  a Server (and Archived)

7
The Challenge

• QUs Policy, We do not support Macs...
• No approvals for hosting an Apple Open Directory
  Domain
• Im a Windows Admin - Where to start?!
• Once Complete, how to apply this to all computers?

8
HomeSync

• Facilitates Portable Home Directories
• Similar to Roaming Profiles for Mac
• System -gt Library -gt CoreServices -gt Menu Extras
  -gt HomeSync.menu

9

• Accounts -gt Create Mobile Accounts -gt Configure
• Avoid Administrative Nightmare - How to Automate?

10
Mobile User Account using Open Directory
11
(No Transcript)
12
(No Transcript)
13
(No Transcript)
14
(No Transcript)
15
Mobile User Account using Active Directory
16
Bind XServer into AD

• Directory Utility
• Services
• Configure Active Directory plugin

17
Configure unique AD attributes
18
Configure Administrators
19
Shared AFP Home Directory Setup
20
Review WorkGroup Manager - Verify AD Users
21
Continued - primary group identifier
22
(No Transcript)
23
Client LDAP Configuration - LDAP Plugin
(Directory Utility)
HOMEDIRECTORY
lthome_dirgtlturlgtafp//xs-xenon.quinnipiac.edu/Home
lt/urlgtltpathgtsAMAccountNamelt/pathgtlt/home_dirgt
NFSHOMEDIRECTORY
For HomeSync Configuration /Network/Servers/XS-
Xenon/Volumes/RAID0/Home/sAMAccountName
24
Managed accounts Managed accounts are configured
with certain preferences by the administrator.
The managed preferences are stored in the users
LDAP profile in two fields. MCXFlags attribute
identifies the user as having managed settings
and no or numerous MCXSettings attributes define
the settings. They need to be mapped to MCXFlags
and MCXSettings respectively in the
DirectoryService (Directory Access or Utility
- Active Directory Plugin). The settings take
effect at login and persist in one of three ways
Once, the users preferences may subsequently be
changed Often, any changes last only for the
lifetime of the session Always, the preferences
may not be overridden at all
25
Creating a Mobile Managed account The values to
set in LDAP for managed user needs to look like
this ltdictgt ltkeygthas_mcx_settings
lt/keygt lttrue/gt lt/dictgt
lt/plistgt
26
Location created on client after
logon/Library/Preferences/com.apple.MCX.plist
Modify HomeSync Settings /Library/Preferences/com
.apple.homeSync.plist
27
(No Transcript)
28
Test Configuration - Demo
29
Other Benefits of AD IntegrationDomain
Password Policy

• Change expired passwords at logon.
• Another reason to Make Faculty/Staff Mac
  workstations Domain Members.
• Keeping our CISO happy.

30
Other Benefits of AD IntegrationFile Space
Resources
31
Other Benefits of AD IntegrationPrint
Management
32
Wrap-Up - Questions

• Feel free to Contact Me
• FIacusso_at_quinnipiac.edu
• Desk 203-582-3342