Chapter 9: Enforcing Managed Preferences
“Enforcing managed preferences” can have two meanings. The first meaning pertains to
when and how often managed preferences are applied. With Apple’s tools, you can
select how often managed preferences are set to the values you choose. But “enforcing
managed preferences” can also refer to making sure your management settings remain
in place, and are not removed or altered by a user.
In this chapter, we’ll look at both meanings of the term. First, we’ll explore setting how
often managed preferences are enforced, or the “management frequency.” We’ll also
consider things you can do to prevent changes to your managed preferences
configuration. This is especially important if you are storing your managed preferences
data in the local directory service as described in Chapters 6 and 7.
While it is almost impossible to completely prevent admin users from making changes
that could affect preference management, you can implement methods to reverse these
changes. Far simpler, and reasonably effective, is to avoid granting administrative
privileges to users except those you trust or at least can rely on to not make your job
harder, which is always good advice when managing large numbers of computer
systems.
Management Frequency
In earlier chapters, we’ve seen some options for managing preferences with words like
“Never,” “Once,” “Often,” and “Always.” These labels refer to the frequency or strength
with which the preference is managed.
CHAPTER 9: Enforcing Managed Preferences
136
Never is easy to understand, and this is the default setting for all
managed preferences; it means that the preference is not managed
for the current user, group, computer, or computer group object.
Choose a management frequency of “Never” to allow users to control
a preference themselves. Remember, though, that the same
preference could be managed at a different level. Dock management
might be set to “Never” for a computer group, but it could still be
managed for a specific user. In Figure 9-1, using Workgroup Manager,
we can see that the Dock Display preferences are not being managed,
therefore the management frequency is “Never.”
Figure 9-1. Managing the Dock Display preferences “Never”
Once causes your managed preference to be applied once, and then
left alone for the users to change as they see fit. This is useful for setting
certain default preferences for your users while still allowing them to change
the preferences later. Not all preferences can be managed “Once.”
Specifically, preferences that affect the computer as a whole instead
of individual users cannot be managed “Once.” Some examples of
preferences that affect the computer as a whole include Energy Saver
settings, Time Machine settings, and login window options.
In Figure 9-2, we’re adding icons for Mail, Safari, and Preview to the
user’s Dock. We don’t care if the user later removes these, so we set
the management frequency to “Once.”
Figure 9-2. Managing Dock items “Once”
NOTE: Preferences managed “Once” are applied once, but if you change the value of the
managed preference in the directory service, it will be applied once again. The file
com.apple.MCX.plist in the user’s Library/Preferences directory keeps track of when
each “Once” preference was last applied; if the version in the directory service has been
updated since it was last applied, it will be applied again. It’s important to be aware of this; if
you change a preference that is managed “Once,” thinking the change will be applied only to
new users, you might be surprised when it overwrites a preference already customized by
existing users.
You can also use this knowledge to your advantage. If you are testing preferences that are
managed “Once,” you can delete the com.apple.MCX.plist file in the test user’s
Library/Preferences folder to cause preferences that are managed “Once” to be applied
again.
Often reapplies the managed preferences at each login. In Workgroup
Manager, this option appears only in the Details editor. The users can
change the preference, but when they log out and back in, the
preference is reset to your managed setting. Apple’s documentation
describes this management frequency as useful for training
environments, but it also can be useful for preferences that don’t
respond to the “Always” setting.
In Figure 9-3, we prevent Microsoft AutoUpdate from running
automatically by setting it to run manually. By setting the management
frequency to “Often,” this preference is reapplied at each login.
(Microsoft AutoUpdate does not respect the “Always” setting.)
Figure 9-3. Managing a preference “Often”
Always sets the managed preference to your desired value and
prevents the user from changing it. In some cases the user interface is
updated to indicate that the preference is no longer modifiable. For
example, in Figure 9-4 the “Turn Off FileVault…” button is grayed out
because we are managing Mobility preferences, and have set the
mobile account to require FileVault encryption. Since the users are not
allowed to turn FileVault off for their mobile account’s home directory,
this option has been disabled in the user interface. Figure 9-5 shows
the related managed preferences settings in Workgroup Manager with
a management frequency of “Always.”
Figure 9-4. Disabled FileVault control
Figure 9-5. Managing FileVault encryption “Always”
Not all preferences respond properly to the “Always” setting. In particular, very few
third-party applications support preferences managed “Always.” For these, the best you
can do is set the management frequency to “Often.” Users will still be able to change
the preference, but when they log out and back in, your managed setting will be
restored. This isn’t the best user experience, as users might find it perplexing or
frustrating when their preference settings don’t “stick.” But we must work with what we
have. If this is an issue for you, consider filing a bug or feature request with your
software vendors, encouraging them to support preferences managed “Always.”
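Because only “Always” actually stops a user from changing a value, it is worth checking which keys in a managed-preferences record are really locked. The following Python code is an added example, not code from the book or from Apple: it reads an MCX manifest, in which the keys Forced, Often and Set-Once correspond to “Always,” “Often” and “Once,” and it also models the “Once” re-apply rule from the NOTE earlier in this section. The com.example.* domains, the sample plist and the function names are constructed for illustration.

```python
import plistlib
from datetime import datetime

# MCX manifest keys -> the Workgroup Manager labels used in this chapter.
FREQUENCY = {"Forced": "Always", "Often": "Often", "Set-Once": "Once"}

# Constructed sample manifest: one made-up domain per management frequency.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>mcx_application_data</key><dict>
<key>com.example.screenlock</key><dict><key>Forced</key><array><dict>
  <key>mcx_preference_settings</key>
  <dict><key>askForPassword</key><integer>1</integer></dict></dict></array></dict>
<key>com.example.updater</key><dict><key>Often</key><array><dict>
  <key>mcx_preference_settings</key>
  <dict><key>checkMode</key><string>Manual</string></dict></dict></array></dict>
<key>com.example.dock</key><dict><key>Set-Once</key><array><dict>
  <key>mcx_data_timestamp</key><date>2010-06-01T12:00:00Z</date>
  <key>mcx_preference_settings</key>
  <dict><key>autohide</key><true/></dict></dict></array></dict>
</dict></dict></plist>"""

def audit(manifest):
    """Return sorted (domain, key, frequency, timestamp) rows for each managed key."""
    apps = plistlib.loads(manifest).get("mcx_application_data", {})
    rows = []
    for domain, levels in apps.items():
        for level, entries in levels.items():
            label = FREQUENCY.get(level, "unknown:" + level)
            for entry in entries:
                stamp = entry.get("mcx_data_timestamp")  # None if the entry has none
                for key in entry.get("mcx_preference_settings", {}):
                    rows.append((domain, key, label, stamp))
    return sorted(rows, key=lambda r: r[:3])

def not_locked(rows, required):
    """(domain, key) pairs expected to be locked but not managed 'Always'."""
    always = {(d, k) for d, k, label, _ in rows if label == "Always"}
    return sorted(set(required) - always)

def once_reapplies(stamp, last_applied):
    """Model of the 'Once' rule: apply again if never applied or the data is newer."""
    return last_applied is None or stamp > last_applied

if __name__ == "__main__":
    rows = audit(SAMPLE)
    for row in rows:
        print(row)
    print("not locked:", not_locked(rows, [("com.example.screenlock", "askForPassword"),
                                           ("com.example.updater", "checkMode")]))
    print("reapply:", once_reapplies(rows[0][3], datetime(2010, 1, 1)))
```

A key reported by not_locked is one that users can still change between logins (“Often”) or permanently (“Once”), so it should not be counted as an enforced control.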