LANDesk Management Suite provides complete system management for Apple Macintosh computers and devices. This enables IT professionals to automate system management tasks throughout the enterprise. From the console, you can gather and analyze detailed hardware and software inventory data from each device. Use the data to select targets for software distributions and to establish policies for automated configuration management. Manage software licenses to save costs and monitor compliance with license agreements. Remote control devices to resolve problems or perform routine maintenance. Protect your devices from a variety of prevalent security risks and exposures. Keep track of your inventory and produce informative reports.
Read this chapter to learn more about:
This chapter describes how LANDesk Management Suite is used to manage Macintosh computers. It provides a central location for referencing specific information on Macintosh-related tasks, tools, features, and functionality. For more information about using tools and features to manage your network, refer to the section for each tool.
LANDesk Management Suite for Macintosh functionality works with the following operating systems:
Mac OS X versions 10.4 (Tiger) and 10.5 (Leopard) support all of the Macintosh features available in LANDesk Management Suite.
You can find information on downloading legacy agents for Macintosh at http://community.landesk.com/support.
The LANDesk Management Suite version 9.0 agent for Macintosh does not support Jaguar or Panther. However, you can still manage devices running these operating systems if they have the LANDesk Management Suite version 8.8 agent for Macintosh installed on them.
NOTE: Due to policy differences between version 8.8 and version 9.0, policy-based management will not work with Jaguar and Panther clients using the version 8.8 agent.
You can use inventory and remote control with Mac OS 9 devices. This OS is in the process of being phased out, so only limited support is available.
LANDesk uses agent configurations to gain control of devices and manage them. Management Suite version 9.0 introduces support for pushing Mac agent configurations to unmanaged Macintosh devices using the same process used to push agents to Windows devices.
The Default Mac Configuration package contains the required agent for controlling Macintosh devices. In order to gain control of your Macintosh devices, you need to:
After the default agents have been installed, your devices become managed devices. Then you can create custom configurations to have greater control of your Macintosh devices. Custom agents are easily implemented once your devices are managed.
NOTE: All devices must support TCP/IP.
You can obtain the default package Default_Mac_Configuration.mpkg.zip from the LDLogon/Mac shared folder on your core server. The LDLogon/Mac folder is automatically created during the installation of Management Suite. Since the LDLogon folder is a Web share, it is available from the Internet at http://<CoreServerName>/LDLogon/Mac.
To place agents on Macintosh devices that have Secure Shell (SSH) turned on, you must specify the SSH login credentials for the unmanaged Mac devices by selecting Configure > Services > Scheduler > Change Login from the Windows console. You can then use the same push-based agent deployment you would use for Windows devices.
To place agents on Macintosh devices that do not have Secure Shell (SSH) turned on, you will need to decide on an alternate deployment method, such as:
After you have deployed the agents to the target devices, you need to install them on the machines. A full hardware and software scan is run at the end of every install, which synchronizes the devices with the core server. You must have the Management Suite agents installed on your Macintosh devices and their inventory information sent to the core server before you can manage them. After you've installed the base agents, subsequent agent deployments and updates are easily handled through the existing agents.
Use the Agent configuration tool to create and update (replace) custom configurations for your Macintosh devices. You can create different configurations for your specific needs, such as changing inventory scanner settings, remote control permissions, or what network protocols the agents use.
In order to push a configuration to devices, you need to create or update an agent configuration and schedule the task to occur.
Set up specific configurations for your devices. Don't use parentheses in your Macintosh agent configuration names. Parentheses in the name will cause the deployment task to fail.
You can push agent configurations to devices that have the standard LANDesk agent installed. Use the Scheduled tasks tool to run your new or updated agent configuration.
You can manually run agent configurations for Macintosh devices once they have been created or updated. When an agent configuration is created (Tools > Configuration > Agent configuration), the following file is created in the LDLogon/Mac folder on your core server:
The LDLogon/Mac folder is a Web share and should be accessible from any browser. Follow the instructions for Loading the default agent configuration for Macintosh devices. Insert your agent configuration files instead of the default files.
To uninstall Macintosh agents, run uninstallmacagent.sh from \\<core>\ldmain.
This section describes the agent configuration dialog box for Macintosh devices. The dialog box consists of the following:
Use this page to configure settings for the policy-based distribution agent.
Use this page to configure the inventory scanner.
Use this page to configure the remote control agent.
Use this page to configure agent security and management scope. For more information on agent security, see Agent security and trusted certificates. For more information on scope, see Role-based administration.
Use this page to configure scheduling for patch and compliance scans.
There are two options for configuring managed Macintosh devices to connect to the core through the LANDesk Management Gateway:
The inventory scanning utility is used to add Macintosh devices to the core database and to collect device hardware and software data. When you configure a device, the inventory scanner is one of the components of the LANDesk agent that gets installed on the device. The inventory scanner runs automatically when the device is initially configured. A device is considered managed once it sends an inventory scan to the core database.
The scanner executable for Mac OS X is called ldiscan (UNIX; it is case sensitive). Inventory scan files are saved locally on the client and are compatible with the core. You can e-mail the file to the core administrator and then drag and drop it into the ldiscan directory. You need to change the extension of the file to .scn.
Macintosh devices can be configured to scan at boot-up, at log in, at wake from sleep, and at network change. You can also use agent configuration to schedule the inventory scan to occur at a regular interval.
The Macintosh inventory scanner encrypts scans. The inventory scanner also uses delta scans so that after the initial full inventory scan, subsequent scans send only the changed data to the core server, reducing network bandwidth consumption.
The Macintosh inventory scanner looks in the "Custom Data" folder under the agent installation folder for XML files that contain additional information you want the inventory scanner to pass to the core server. This additional information appears in the inventory tree under the Custom Data node.
With the inventory scanner, you can view summary or full inventory data. You can print and export the inventory data. You can also use it to define queries, group devices together, and generate specialized reports. For more information about the Inventory tool, see Managing inventory.
A software scan compiles an inventory of software on managed devices. These scans take longer to run than hardware scans. Software scans can take a few minutes to complete, depending on the number of files on the managed device. You can configure the software scan interval in the Configure > Services > Inventory tab.
All applications installed in the Applications folder are placed into the Software > Application Suites node in the inventory tree.
You can add command-line parameters to the inventory scanner's (ldiscan) shortcut properties to control how it functions. The options are case-sensitive.
NOTE: Unless the --ignore option is set, command-line options don't override settings in the agent configuration scan preferences. For example, specifying -F for a full software scan won't perform a software scan if the software scan is turned off in preferences.
Option | Name | Description |
---|---|---|
-c | --core <path> | Specifies which core the scan is sent to. Example: -c spencercore2.landesk.com |
-D | --Delta | Forces a delta scan |
-e | --everything | Forces a full hardware and software scan |
-F | --force | Forces a software scan even when none of the software scanning options have been selected in the agent configuration. Example: [MACHINES_MACX] REMEXEC0=/Library/Application\ Support/LANDesk/bin/ldiscan -F |
-h | --help | Displays a list of command-line options |
-i | --ignore | Ignores user and server preference settings |
-l | --LdAppl <path> | Specifies path to alternate LdAppl.ini path |
-L | --Limit | Limits downloading of LdAppl3.ini |
-o | --output <path> | Specifies which directory you want the scan file to go to. Example: -o /Users/spencer |
-P | | Displays scan settings without scanning |
-R | --reset | Resets scan database |
-s | --sync | Performs a synchronization scan (and implies -R) |
-T | --send <file> | Sends <file> to the core |
-t | --mini | Performs a mini scan |
-v | --version <n> | Reports formatted version information (1,2, or 3) |
-V | --Verbostiy <n> | Sets verbosity level (debugging) |
The LdAppl3.Template file contains the scanner's inventory parameters. This template file works with the LdAppl3 file to identify a device's software inventory.
You can edit the template file's [LANDesk Inventory] section to configure the parameters that determine how the scanner identifies software inventory. By default, LdAppl3.Template is located in this directory on the core server:
Use this table as a guide to help you edit the [LANDesk Inventory] section in a text editor.
Option | Description |
---|---|
MacMode | Determines how the scanner scans for Macintosh software on devices. The default is All. Here are the settings: |
You must select Make available to the clients to allow the download of MacModes. MacScanExtensions is turned on by default. This can create very large scan files (11 MB+), so you may want to change these defaults.
NOTE: The /Library or /System directories are not scanned in a MacScanExtensions scan by default. This reduces the size of the scan file. The directories can be placed in the Mac folder include section.
For information on scanning for custom data, see Scanning for custom data on Macintosh devices.
You can remote control a Macintosh device from the console the same way you would a Windows device. Before you can perform any remote control tasks, you must connect to the target device. Only one viewer can communicate with a device at a time, though you can open multiple viewer windows and control different devices at the same time. When you connect to a device, you can see the connection messages and status in the Connection messages pane (View > Connection messages). The Management Suite integrated security checks to see if the user initiating the remote control session has the appropriate rights and that the machine is part of the user’s scope. The data is obfuscated as it is passed over the network.
NOTE: Integrated security is turned on by default.
Macintosh keyboards have some keys that PC keyboards don't have. When remote controlling a Macintosh device, the following keys are used on the PC keyboard to emulate a Macintosh keyboard:
You need to have system key pass-through enabled in the remote control viewer window for the Alt and Windows keys to pass their Macintosh mappings.
NOTE: Clipboard sharing and draw features are not supported on Macintosh devices.
For more information, see Remote control.
You can connect to a Macintosh device and remote control it.
You can remote control a Mac machine from the command line on a machine that has the remote control container installed. Use the following command:
irccntr.exe /a[client name] /s[core name]
The inactivity timeout specifies a period of time (10 minutes by default), after which, if the client hasn’t received mouse or key moves, the session is terminated. Similar to a screen saver, it prevents others from using the remote computer if it is left unattended.
Software distribution lets you deploy software and file packages to Macintosh devices running OS X on your network.
You can distribute single-file executable packages to Mac OS X devices. Each distributed package consists of only one file, and the agent will try to install the file once the device receives it. Any file can be downloaded. Install packages (.PKG) can also contain directories, but they must be compressed. If the downloaded file has a suffix of .dmg, .pkg, .mpkg, .sit, .sitx, .zip, .tar, .gz, .sea, .app, .sh, .hox, or is an Automator/workflow package, LANDesk will decompress the file before returning (Automator packages will only work on versions 10.4.2 or later).
NOTE: Make sure that Stuffit Expander has its "check for new versions" option disabled; otherwise a dialog box may interrupt the software distribution execution.
Software distribution also provides the ability to distribute shell scripts as jobs. This enables IT to take even greater control over the Mac operating environment and perform nearly any configuration or information gathering task on a Mac OS X device.
You can schedule Mac OS X distributions in the Scheduled tasks window and drag Mac OS X devices into the Scheduled tasks window as distribution targets (see Scheduled tasks for Macintosh devices).
NOTE: You must install the LANDesk Mac OS X agent on the target devices before you can distribute files to them.
A distribution package consists of the package files you want to send and distribution details, which describe the package components and behavior. You must create the package before it can be delivered and run. The following instructions explain how to perform software distribution. In order to execute it correctly, the software distribution package must exist on either a network or Web server and the recipient devices must have the software distribution agent installed.
There are three main steps required to distribute a package to devices:
View the task progress in the Scheduled tasks window.
You can use queries to create a list of devices to deploy a package to. For information on creating queries, see Database queries.
Macintosh software distribution commands are download commands, as opposed to a shell command (see Managed scripts for Macintosh devices). Download commands begin with either "http://" or "ftp://". If it's not a download command, it's a shell command by definition. The following is an example of a download command:
REMEXEC0=http://...
A download command won't autorun any files. After downloading the file to devices, you can follow up with a shell command to execute the file. Files are downloaded to /Library/Application Support/LANDesk/sdcache/, which you need to be aware of in your shell commands.
NOTE: If you're hosting files on a Windows 2003 server, you need to create MIME types for the Macintosh file extensions, such as .sit, otherwise the 2003 server won't let you access the files. The MIME type doesn't have to be valid, it just needs to exist.
You can also create Macintosh device policies. Creating a Macintosh device policy is similar to creating a policy for a Windows-based device. Macintosh devices also have the same required, recommended, and optional policy types. Macintosh application packages must be a single-file format. For optional or recommended policies, the client user needs to launch the LANDesk preference pane and click Check now for policy-based distribution. When targeting policies, Macintosh devices don't support policy-based management by user name, only by device name.
Policy-based management does the following with Macintosh application policy packages:
Also, policy-based management does support .dmg files with EULAs.
NOTE: Some package types don't work well with software distribution. (Installer Vise and Installer Maker installers don't work well with policy-based management. They almost always require user interaction and can be canceled.)
You have the option of showing or hiding the UI to the client when distributing a software package. If the LANDesk administrator is pushing out a package that requires the user to select a license agreement, the package needs to be installed using a user-controlled type delivery method because the package will not install if the license agreement is not accepted by the end user. You can expose the UI for either a push- or policy-based delivery method.
Management Suite uses scripts to execute custom tasks on devices. You can create scripts from the Manage scripts window (Tools > Distribution > Manage scripts). Macintosh scripts use shell commands to execute files. Shell commands run as root. The scripts are saved as text files, and you can edit them manually if you need to once they're created. The following is an example of a command:
REMEXEC0=/Library/Application\ Support/LANDesk/bin/ldscan
The user can use the shell command "open" to launch files and applications, or "installer" to install .pkg files. It's also possible for the download file to be a shell script written in Perl, Ruby, Python, and so on.
When files are downloaded, they are saved to /Library/Application Support/LANDesk/sdcache/, which you need to be aware of in order to execute some of your shell commands.
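An added example, not part of the LANDesk documentation: a Python review helper that applies the download-versus-shell rule described above to a managed script and lists the shell commands (which run as root) that operate on files in the sdcache folder, together with the http:// or ftp:// download that supplied them. The sample script, its host and file names, the one-command-per-line layout, execution in REMEXEC index order, and the idea that a download keeps its URL file name in sdcache are assumptions made for illustration.

```python
import posixpath
import re
import shlex
from urllib.parse import urlsplit

SDCACHE = "/Library/Application Support/LANDesk/sdcache/"
SECTION = re.compile(r"^\[([^\]]+)\]\s*(.*)$")
REMEXEC = re.compile(r"^REMEXEC(\d+)=(.*)$")

# Constructed sample script; host and file names are placeholders.
SAMPLE_SCRIPT = r"""
[MACHINES_MACX]
REMEXEC0=http://core.example.com/packages/tool.pkg
REMEXEC1=installer -pkg /Library/Application\ Support/LANDesk/sdcache/tool.pkg -target /
REMEXEC2=/Library/Application\ Support/LANDesk/bin/ldiscan -F
REMEXEC3=sh /Library/Application\ Support/LANDesk/sdcache/old.sh
"""


def parse_commands(text, section="MACHINES_MACX"):
    """Return sorted (index, kind, command) tuples for one script section."""
    current, commands = None, []
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION.match(line)
        if header:  # the header may share a line with the first command
            current, line = header.group(1), header.group(2)
        entry = REMEXEC.match(line)
        if entry and current == section:
            cmd = entry.group(2).strip()
            # Rule from the page: http:// or ftp:// is a download, else shell.
            is_download = cmd.startswith(("http://", "ftp://"))
            kind = "download" if is_download else "shell"
            commands.append((int(entry.group(1)), kind, cmd))
    return sorted(commands)


def audit(text):
    """List root-run shell commands that touch files in sdcache.

    Each finding is (shell_index, download_index, file_name, url).
    download_index and url are None when no earlier download command in
    the script fetched that file (assumes the URL file name is kept).
    """
    fetched, findings = {}, []
    for index, kind, cmd in parse_commands(text):
        if kind == "download":
            name = posixpath.basename(urlsplit(cmd).path)
            if name:
                fetched[name] = (index, cmd)
            continue
        try:
            words = shlex.split(cmd)  # resolves the "\ " escapes in paths
        except ValueError:
            words = cmd.split()
        for word in words:
            if word.startswith(SDCACHE) and len(word) > len(SDCACHE):
                name = word[len(SDCACHE):].split("/")[0]
                src_index, url = fetched.get(name, (None, None))
                findings.append((index, src_index, name, url))
    return findings


if __name__ == "__main__":
    for shell_i, dl_i, name, url in audit(SAMPLE_SCRIPT):
        origin = f"REMEXEC{dl_i} {url}" if url else "no download in this script"
        print(f"REMEXEC{shell_i} runs as root on {name} ({origin})")
```

Each finding marks a point where a file fetched over an unencrypted transport, or a cache file of unknown origin, is handed to a root shell, which is where a reviewer would want an integrity check on the file before it runs.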
You can schedule Mac OS X managed scripts in the Scheduled tasks window and drag Mac OS X devices into the Scheduled tasks window as script targets (see Scheduled tasks for Macintosh devices).
The scheduled tasks tool activates or starts many of the tasks you set up or configure in the application. These tasks can be run immediately, scheduled to occur at a later time, or configured to run on a regular basis. For more information, see Scripts and tasks.
NOTE: Before you can schedule tasks for a device, it must have the standard LANDesk agent installed and be in the inventory database.
The following procedures require the use of the scheduled tasks tool:
The reporting tool lets you generate a wide variety of specialized reports that provide critical information about the Macintosh devices on your network. The reporting tool operates the same way for all operating systems. For more information, see Reports.
Macintosh devices running Mac OS X support software license monitoring. With each inventory scan, the Macintosh software monitoring agent sends information to the core server about the applications that devices run. The Software license monitoring window shows Macintosh applications along with Windows applications.
You can scan for files based on their extensions. The LdAppl3.INI file contains the list of extensions to scan for. By default, .dmg and .pkg file types are scanned for. You can insert additional extensions into the LdAppl3.ini file, which is located in the /Library/Applications/System/User folders by default. The file location can be changed as well. You can also use the LdAppl3.ini file to scan for multimedia files.
The LANDesk agent application can be used to show applications that have been launched and how often they have been used.
You can use the Management Suite Patch and Compliance tool to block applications on managed Macintosh devices. This functionality works the same way as it does for Windows devices, except that no pre-defined blocked content is available for Macintosh devices. In order to block specific applications, you must create a custom definition for each blocked application using the procedure outlined in Creating custom definitions and detection rules. When creating the custom definition, be sure to select Apply to Mac.
NOTE: You can block only .app files on managed Macintosh devices.
Patch and Compliance is a complete, integrated security solution that helps you protect your Macintosh devices from a wide range of prevalent security risks. The tool allows you to manage security and patch content, scan devices, use patches, and remediate devices.
Security functionality is included as part of the standard LANDesk agent for Macintosh devices. It allows you to scan managed Macintosh devices for vulnerabilities, and perform remediation by deploying patches or software updates.
You can launch the scanner from the console or manually on the client machine.
You can use operating system deployment with the LANDesk agent for Macintosh by utilizing NetBoot/NetInstall as part of Mac OS X Server. For information, download the operating system deployment for Macintosh white paper from http://community.landesk.com/support/docs/DOC-1192.