Managing Macintosh devices

LANDesk Management Suite provides complete system management for Apple Macintosh computers and devices. This enables IT professionals to automate system management tasks throughout the enterprise. From the console, you can gather and analyze detailed hardware and software inventory data from each device. Use the data to select targets for software distributions and to establish policies for automated configuration management. Manage software licenses to save costs and monitor compliance with license agreements. Remote control devices to resolve problems or perform routine maintenance. Protect your devices from a variety of prevalent security risks and exposures. Keep track of your inventory and produce informative reports.

Read this chapter to learn more about:

LANDesk Management Suite for Macintosh overview

This chapter describes how LANDesk Management Suite is used to manage Macintosh computers. It provides a central location for referencing specific information on Macintosh-related tasks, tools, features, and functionality. For more information about using tools and features to manage your network, refer to the section for each tool.

LANDesk Management Suite for Macintosh functionality works with the following operating systems:

Mac OS X: 10.4 (Tiger) and 10.5 (Leopard)

Mac OS X versions 10.4 (Tiger) and 10.5 (Leopard) support all of the Macintosh features available in LANDesk Management Suite.

Legacy support

You can find information on downloading legacy agents for Macintosh at http://community.landesk.com/support.

Mac OS X: 10.2 (Jaguar) and 10.3 (Panther)

The LANDesk Management Suite version 9.0 agent for Macintosh does not support Jaguar or Panther. However, you can still manage devices running these operating systems if they have the LANDesk Management Suite version 8.8 agent for Macintosh installed on them.

NOTE: Due to policy differences between version 8.8 and version 9.0, policy-based management will not work with Jaguar and Panther clients using the version 8.8 agent.

Mac OS 9

You can use inventory and remote control with Mac OS 9 devices. This OS is in the process of being phased out, so only limited support is available.

Agent Configuration for Macintosh devices

LANDesk uses agent configurations to gain control of devices and manage them. Management Suite version 9.0 introduces support for pushing Mac agent configurations to unmanaged Macintosh devices using the same process used to push agents to Windows devices.

Loading the default agent configuration for Macintosh devices

The Default Mac Configuration package contains the required agent for controlling Macintosh devices. In order to gain control of your Macintosh devices, you need to:

  1. Obtain the necessary package (agents).
  2. Deploy and install the agents to the devices.

After the default agents have been installed, your devices become managed devices. Then you can create custom configurations to have greater control of your Macintosh devices. Custom agents are easily implemented once your devices are managed.

NOTE: All devices must support TCP/IP.

Obtaining the package (agents) for Macintosh devices

You can obtain the default package Default_Mac_Configuration.mpkg.zip from the LDLogon/Mac shared folder on your core server. The LDLogon/Mac folder is automatically created during the installation of Management Suite. Since the LDLogon folder is a Web share, it is available from the Internet at http://<CoreServerName>/LDLogon/Mac.

Deploying agents to Macintosh devices that use Secure Shell (SSH)

To place agents on Macintosh devices that have Secure Shell (SSH) turned on, you must specify the SSH login credentials for the unmanaged Mac devices by selecting Configure > Services > Scheduler > Change Login from the Windows console. You can then use the same push-based agent deployment you would use for Windows devices.

Deploying and installing agents on Macintosh devices that do not use Secure Shell (SSH)

To place agents on Macintosh devices that do not have Secure Shell (SSH) turned on, you will need to decide on an alternate deployment method, such as:

After you have deployed the agents to the target devices, you need to install them on the machines. A full hardware and software scan is run at the end of every install, which synchronizes the devices with the core server. You must have the Management Suite agents installed on your Macintosh devices and their inventory information sent to the core server before you can manage them. After you've installed the base agents, subsequent agent deployments and updates are easily handled through the existing agents.

To install agents
  1. On the client machine, locate Default Mac Configuration.mpkg.zip or access the package from the Web share (see Obtaining the package (agents) for Macintosh devices).
  2. Unzip the file or copy the files to the target device.
  3. Double-click LDMSClient.mpkg.
  4. Reboot the machine.

Creating agent configurations for Macintosh devices

Use the Agent configuration tool to create and update (replace) custom configurations for your Macintosh devices. You can create different configurations for your specific needs, such as changing inventory scanner settings, remote control permissions, or what network protocols the agents use.

In order to push a configuration to devices, you need to create or update an agent configuration and schedule the task to occur.

Creating or updating the agent configuration

Set up specific configurations for your devices. Don't use parentheses in your Macintosh agent configuration names. Parentheses in the name will cause the deployment task to fail.

To create an agent configuration for Macintosh devices
  1. Click Tools > Configuration > Agent configuration.
  2. Click the New Mac button to create a new Macintosh configuration.
  3. Complete the Agent configuration dialog box. For more information, see Using the Agent configuration dialog box (for Macintosh), or click Help in the dialog box.
  4. Click Save.
To update an agent configuration
  1. Click Tools > Configuration > Agent configuration.
  2. Right-click the agent configuration to be updated and select Properties.
  3. Make the updates to the agent configuration.
  4. Click Save.

Scheduling the agent configuration

You can push agent configurations to devices that have the standard LANDesk agent installed. Use the Scheduled tasks tool to run your new or updated agent configuration.

To schedule an agent configuration for Macintosh devices
  1. Click Tools > Configuration > Agent configuration.
  2. Right-click the agent configuration to be scheduled and select Schedule.
  3. Target devices for the task and start the task.

Manually running agent configuration for Macintosh devices

You can manually run agent configurations for Macintosh devices once they have been created or updated. When an agent configuration is created (Tools > Configuration > Agent configuration), the following file is created in the LDLogon/Mac folder on your core server:

The LDLogon/Mac folder is a Web share and should be accessible from any browser. Follow the instructions for Loading the default agent configuration for Macintosh devices. Insert your agent configuration files instead of the default files.

Uninstalling Macintosh agents

To uninstall Macintosh agents, run uninstallmacagent.sh from \\<core>\ldmain.

Using the Agent configuration dialog box (for Macintosh)

This section describes the agent configuration dialog box for Macintosh devices. The dialog box consists of the following:

About the Application policy management page

Use this page to configure settings for the policy-based distribution agent. 

About the Inventory page

Use this page to configure the inventory scanner.

About the Remote control page

Use this page to configure the remote control agent.

About the Standard LANDesk agent page

Use this page to configure agent security and management scope. For more information on agent security, see Agent security and trusted certificates. For more information on scope, see Role-based administration.

About the Patch and compliance scan page

Use this page to configure scheduling for patch and compliance scans.

Connecting through the LANDesk Management Gateway

There are two options for configuring managed Macintosh devices to connect to the core through the LANDesk Management Gateway:

To push the configuration to mobile devices while they are connected to the network
To manually configure a managed device
  1. From the Utilities folder on the managed device, launch the LANDesk Management Gateway application.
  2. Specify the Domain name of the Management Gateway.
  3. Choose the best connection method to the LANDesk core.
  4. Request a certificate by typing a LANDesk console user name and password, then clicking Request.
  5. Click Test to test the connection from the managed device to the LANDesk Management Gateway.
  6. If the test fails, check the information you entered and correct any mistakes, then click Test to make sure the connection works.
  7. If the managed device accesses the Internet through a proxy, specify the necessary proxy settings.

Inventory for Macintosh devices 

The inventory scanning utility is used to add Macintosh devices to the core database and to collect device hardware and software data. When you configure a device, the inventory scanner is one of the components of the LANDesk agent that gets installed on the device. The inventory scanner runs automatically when the device is initially configured. A device is considered managed once it sends an inventory scan to the core database.

The scanner executable for Mac OS X is called ldiscan (UNIX; it is case sensitive). Inventory scan files are saved locally on the client and are compatible with the core. You can e-mail the file to the core administrator and then drag and drop it into the ldiscan directory. You need to change the extension of the file to .scn.

Macintosh devices can be configured to scan at boot-up, at log in, at wake from sleep, and at network change. You can also use agent configuration to schedule the inventory scan to occur at a regular interval.

The Macintosh inventory scanner encrypts scans. The inventory scanner also uses delta scans so that after the initial full inventory scan, subsequent scans send only the changed data to the core server, reducing network bandwidth consumption.

The Macintosh inventory scanner looks in the "Custom Data" folder under the agent installation folder for XML files that contain additional information you want the inventory scanner to pass to the core server. This additional information appears in the inventory tree under the Custom Data node.

With the inventory scanner, you can view summary or full inventory data. You can print and export the inventory data. You can also use it to define queries, group devices together, and generate specialized reports. For more information about the Inventory tool, see Managing inventory.

Software scanning

A software scan compiles an inventory of software on managed devices. These scans take longer to run than hardware scans. Software scans can take a few minutes to complete, depending on the number of files on the managed device. You can configure the software scan interval in the Configure > Services > Inventory tab.

All applications installed in the Applications folder are placed into the Software > Application Suites node in the inventory tree.

Scanner command-line parameters

You can add command-line parameters to the inventory scanner's (ldiscan) shortcut properties to control how it functions. The option are case-sensitive.

NOTE: Unless the --ignore option is set, command line options don't override settings in the agent configuration scan preferences. For example, specifying -F for a full software scan won't perform software scan if the software scan is turned off in preferences.

Option Name Description
-c --core <path> Specifies which core the scan is sent to. Example: -c spencercore2.landesk.com
-D --Delta Forces a delta scan
-e --everything Forces a full hardware and software scan

-F

--force

Forces a software scan even when none of the software scanning options have been selected in the agent configuration. Example: [MACHINES_MACX] REMEXEC0=/Library/Application\ Support/LANDesk/bin/ldiscan –F

-h --help Displays a list of command-line options

-i

--ignore

Ignores user and server preference settings

-l --LdAppl <path> Specifies path to alternate LdAppl.ini path
-L --Limit Limits downloading of LdAppl3.ini
-o --output <path> Specifies which directory you want the scan file to go to. Example: -o /Users/spencer
-P --Print Displays scan settings without scanning
-R --reset Resets scan database
-s --sync Performs a synchronization scan (and implies -R)
-T --send <file> Sends <file> to the core
-t --mini Performs a mini scan
-v --version <n> Reports formatted version information (1,2, or 3)
-V --Verbostiy <n> Sets verbosity level (debugging)

Editing the LdAppl3.Template file

The LdAppl3.Template file contains the scanner's inventory parameters. This template file works with the LdAppl3 file to identify a device's software inventory.

You can edit the template file's [LANDesk Inventory] section to configure the parameters that determine how the scanner identifies software inventory. By default, LdAppl3.Template is located in this directory on the core server:

Use this table as a guide to help you edit the [LANDesk Inventory] section in a text editor. 

Option Description

MacMode

Determines how the scanner scans for Macintosh software on devices. The default is All. Here are the settings:

  • Listed: Records the files listed in LdAppl3.

  • Unlisted: Records the names and dates of all files that have the extensions listed on the MacScanExtensions line but that are not defined in the LdAppl3. This mode helps discover unauthorized software on the network.

  • All: Discovers files with extensions listed on the MacScanExtensions line.

You must select Make available to the clients to allow the download of MacModes. MacScanExtensions is turned on by default. This can create very large scan files (11 MB+), so you may want to change these defaults.

NOTE: The /Library or /System directories are not scanned in a MacScanExtensions scan by default. This reduces the size of the scan file. The directories can be placed in the Mac folder include section. 

Scanning for custom data

For information on scanning for custom data, see Scanning for custom data on Macintosh devices

Remote control for Macintosh devices

You can remote control a Macintosh device from the console the same way you would a Windows device. Before you can perform any remote control tasks, you must connect to the target device. Only one viewer can communicate with a device at a time, though you can open multiple viewer windows and control different devices at the same time. When you connect to a device, you can see the connection messages and status in the Connection messages pane (View > Connection messages). The Management Suite integrated security checks to see if the user initiating the remote control session has the appropriate rights and that the machine is part of the user’s scope. The data is obfuscated as it is passed over the network.

NOTE:   Integrated security is turned on by default.

Macintosh keyboards have some keys that PC keyboards don't have. When remote controlling a Macintosh device, the following keys are used on the PC keyboard to emulate a Macintosh keyboard:

You need to have system key pass-through enabled in the remote control viewer window for the Alt and Windows keys to pass their Macintosh mappings.

NOTE: Clipboard sharing and draw features are not supported on Macintosh devices.  

For more information, see Remote control

Connecting to a device

You can connect to a Macintosh device and remote control it.

To connect to a device
  1. In the Network view, right-click the device you want to remote control, and then click Remote control, Chat, File transfer, or Remote execute.
  2. Once the viewer window appears and connects to the remote device, you can use any of the remote control tools available from the Tools menu, such as chat, file transfer, reboot, inventory, or remote control.
  3. To end a remote control session, click File > Stop connection.

Command line remote control

You can remote control a Mac machine from the command line on a machine that has the remote control container installed. Use the following command:

irccntr.exe /a[client name] /s[core name]

Remote control features

The inactivity timeout specifies a period of time (10 minutes by default), after which, if the client hasn’t received mouse or key moves, the session is terminated. Similar to a screen saver, it prevents others from using the remote computer if it is left unattended.

Software Distribution for Macintosh devices

Software distribution lets you deploy software and file packages to Macintosh running OS X on your network.

You can distribute single-file executable packages to Mac OS X devices. Each distributed package consists of only one file, and the agent will try to install the file once the device receives it. Any file can be downloaded. Install packages (.PKG) can also contain directories, but they must be compressed. If the file downloaded has a suffix of .dmg, .pkg, .mpkg, .sit, .sitx, .zip, .tar, .gz, .sea, .app, .sh, .hox, or for Automator/workflow packages, LANDesk will decompress the file before returning (Automator packages will only work on versions 10.4.2 or later).

NOTE: Make sure that Stuffit Expander has its "check for new versions" option disabled; otherwise a dialog box may interrupt the software distribution execution.

Software distribution also provides the ability to distribute shell scripts as jobs. This enables IT to take even greater control over the Mac operating environment and perform nearly any configuration or information gathering task on a Mac OS X device.

You can schedule Mac OS X distributions in the Scheduled tasks window and drag Mac OS X devices into the Scheduled tasks window as distribution targets (see Scheduled tasks for Macintosh devices ).

NOTE: You must install the LANDesk Mac OS X agent on the target devices before you can distribute files to them. 

A distribution package consists of the package files you want to send and distribution details, which describe the package components and behavior. You must create the package before it can be delivered and run. The following instructions explain how to perform software distribution. In order to execute it correctly, the software distribution package must exist on either a network or Web server and the recipient devices must have the software distribution agent installed.

There are three main steps required to distribute a package to devices:

  1. Create a distribution package for the software you want to distribute
  2. Create a delivery method
  3. Schedule a software distribution task
To create a distribution package
  1. Create the package you want to distribute.
  2. Click Tools > Distribution > Distribution Packages.
  3. Under My distribution packages, Public distribution packages, or All distribution packages, right-click Macintosh and select New distribution package.
  4. In the Distribution package dialog box, enter the package information and set the options. For more information on each page, click Help.
  5. Click OK when you're done. Your distribution appears under the tree item for the package type you selected.
To create a delivery method
  1. If you've already configured a delivery method that you want to use, skip to the next procedure (To schedule a software distribution task).
  2. Click Tools > Distribution > Delivery Methods.
  3. Right-click the delivery method you want to use and then click New delivery method.
  4. In the Delivery method dialog box, enter the delivery information and change the options you want. For more information on each page, click Help.
  5. Click OK when you're done. Your script appears under the tree item for the delivery method you selected.
To schedule a software distribution task
  1. Click Tools > Distribution > Scheduled Tasks.
  2. Click the Create software distribution task toolbar button.
  3. On the Schedule task page, enter the task name and the task schedule.
  4. On the Delivery Methods page, select the delivery method you want to use.
  5. On the Distribution package page, select the package script you created.
  6. On the Target machines page, add the devices you want to receive the package.
  7. On the Summary page, confirm the task is configured correctly.
  8. Click OK when you're done.

View the task progress in the Scheduled tasks window.

You can use queries to create a list of devices to deploy a package to. For information on creating queries, see Database queries.

Macintosh software distribution commands

Macintosh software distribution commands are download commands, as opposed to a shell command (see Managed scripts for Macintosh devices). Download commands begin with either "http://" or "ftp://". If it's not a download command, it's a shell command by definition. The following is an example of a download command:

REMEXEC0=http://...

A download command won't autorun any files. After downloading the file to devices, you can follow up with a shell command to execute the file. Files are downloaded to /Library/Application Support/LANDesk/sdcache/, which you need to be aware of in your shell commands.

NOTE: If you're hosting files on a Windows 2003 server, you need to create MIME types for the Macintosh file extensions, such as .sit, otherwise the 2003 server won't let you access the files. The MIME type doesn't have to be valid, it just needs to exist.

Configuring policies for Macintosh devices

You can also create Macintosh device policies. Creating a Macintosh device policy is similar to creating a policy for a Windows-based device. Macintosh devices also have the same required, recommended, and optional policy types. Macintosh application packages must be a single-file format. For optional or recommended policies, the client user needs to launch the LANDesk preference pane and click Check now for policy-based distribution. When targeting policies, Macintosh devices don't support policy-based management by user name, only by device name.

Policy-based management does the following with Macintosh application policy packages:

  1. Downloads files to /Library/Applications/LANDesk/sdcache (just like software distribution downloads).
  2. If the download is compressed, policy-based management will decompress it in place.
  3. If the download is a disk image, policy-based management will mount it, look for the first Apple Package Installer file found on the mounted volume, run it silently, and then un-mount it.
  4. If the download is an Apple Package Installer file, policy-based management will run it silently.

Also, policy-based management does support .dmg files with EULAs.

NOTE: Some package types don't work well with software distribution. (Installer Vise and Installer Maker installers don't work well with policy-based management. They almost always require user interaction and can be canceled.)

To add a Macintosh client policy
  1. Click Tools > Distribution > Delivery methods.
  2. Configure a policy-supported push or policy delivery method for the package you want to distribute.
  3. Click Tools > Distribution > Scheduled tasks.
  4. Click the Create software distribution task button.
  5. Configure the task. Click Help on each page if you need more information.
To refresh the local client policies
  1. In the LANDesk agent application on the Macintosh device, click the Delivery icon.
  2. Click Check now for application policy management.
To view installed policies

Exposing the UI to the client

You have the option of showing or hiding the UI to the client when distributing a software package. If the LANDesk administrator is pushing out a package that requires the user to select a license agreement, the package needs to be installed using a user-controlled type delivery method because the package will not install if the license agreement is not accepted by the end user. You can expose the UI for either a push- or policy-based delivery method.

To show the UI to the client during software distribution
  1. Create a new software distribution delivery method or select an existing method to edit.
  2. Select Feedback from the tree.
  3. Select Display progress to user and then select Display full package interface.

Managed scripts for Macintosh devices

Management Suite uses scripts to execute custom tasks on devices. You can create scripts from the Manage scripts window (Tools > Distribution > Manage scripts). Macintosh scripts use shell commands to execute files. Shell commands run as root. The scripts are saved as text files, and you can edit them manually if you need to once they're created. The following is an example of a command:

REMEXEC0=/Library/Application\ Support/LANDesk/bin/ldscan

The user can use the shell command "open" to launch files and applications, or "installer" to install .pkg files. It's also possible for the download file to be a shell script written in Perl, Ruby, Python, and so on.

When files are downloaded, they are saved to /Library/Application Support/LANDesk/sdcache/, which you need to be aware of in order to execute some of your shell commands.

You can schedule Mac OS X managed scripts in the Scheduled tasks window and drag Mac OS X devices into the Scheduled tasks window as script targets (see Scheduled tasks for Macintosh devices ).

Scheduled tasks for Macintosh devices 

The scheduled tasks tool activates or starts many of the tasks you set up or configure in the application. These tasks can be run immediately, scheduled to occur at a later time, or configured to run on a regular basis. For more information, see Scripts and tasks.

NOTE: Before you can schedule tasks for a device, it must have the standard LANDesk agent installed and be in the inventory database.

The following procedures require the use of the scheduled tasks tool:

Reporting for Macintosh devices

The reporting tool lets you generate a wide variety of specialized reports that provide critical information about the Macintosh devices on your network. The reporting tool operates the same way for all operating systems. For more information, see Reports.

Software license monitoring for Macintosh devices

Macintosh devices running Mac OS X support software license monitoring. With each inventory scan, the Macintosh software monitoring agent sends information to the core server about the applications that devices run. The Software license monitoring window shows Macintosh applications along with Windows applications.

You can scan for files based on their extensions. The LdAppl3.INI file contains the list of extensions to scan for. By default, .dmg and . pkg file types are scanned for. You can insert additional extensions into the LdAppl3.ini file, which is located in the /Library/Applications/System/User folders by default. The file location can be changed as well. You can also use the LdAppl3.ini file to scan for multimedia files.

The LANDesk agent application can be used to show applications that have been launched and how often they have been used.

Blocking applications for Macintosh devices

You can use the Management Suite Patch and Compliance tool to block applications on managed Macintosh devices. This functionality works the same way as it does for Windows devices, except that no pre-defined blocked content is available for Macintosh devices. In order to block specific applications, you must create a custom definition for each blocked application using the procedure outlined in Creating custom definitions and detection rules. When creating the custom definition, be sure to select Apply to Mac.

NOTE: You can block only .app files on managed Macintosh devices.

Patch and Compliance for Macintosh devices

Patch and Compliance is a complete, integrated security solution that helps you protect your Macintosh devices from a wide range of prevalent security risks. The tool allows you to manage security and patch content, scan devices, use patches, and remediate devices.

Configuring Macintosh devices for security scanning and remediation

Security functionality is included as part of the standard LANDesk agent for Macintosh devices. It allows you to scan managed Macintosh devices for vulnerabilities, and perform remediation by deploying patches or software updates.

Launching the scanner for Macintosh devices

You can launch the scanner from the console or manually on the client machine.

To launch the security scanner
  1. Open the Mac OS X System Preferences on the target device and select the LANDesk Client panel.
  2. On the Overview tab, click Check Now in the Security and Patch Manager section.

Operating system deployment for Macintosh devices

You can use operating system deployment with the LANDesk agent for Macintosh by utilizing NetBoot/NetInstall as part of Mac OS X Server. For information, download the operating system deployment for Macintosh white paper from http://community.landesk.com/support/docs/DOC-1192.