Most Mac OS X releases have very nice security configuration guides, but Lion is not in the list. Is this document available somewhere else on Apple's site, or is there a roughly-equivalent document?
Many user-configurable Unix programs (such as your shell) read configuration files when they start up. These configuration files contain settings and commands that determine how the programs will behave; for instance, the files can modify the list of places your shell looks for the commands you enter (that list is called your PATH). You change your Unix environment to have it more closely match your personal preferences and to shape it more closely to the way you work. Examples of configuring your Unix environment include:
- Customizing your shell prompt so that it displays information you want to see.
- Creating shortcuts for commonly used command/option combinations (these can be 'aliases,' but they are distinct from the aliases you create in the Finder, and from the shell functions, which are short scripts that are part of your private configuration).
- Making it easier to use additional software you install; for example, if you add /Developer/Tools to your PATH, then you can use the commands in the /Developer/Tools directory without typing their full pathnames.
- Configuring specific programs such as vi to turn on various options whenever you use them, much the same way that traditional Mac programs often have a preferences dialogue box.
The first program to configure is your shell, since your shell is the primary program you use to interact with Unix. We will also show you how to configure the vi editor by editing a configuration file it uses (see Chapter 6, 'Editing and Printing Files,' to learn how to use vi). It should come as no surprise by now that you configure your shell by editing text files.

Finding Configuration Files

User-configurable Unix programs (including your shell, the vi editor, and others) look for configuration files in your home directory when they start up. Most of the commands you have learned so far are not user-configurable; neither the ls nor the cd command uses configuration files, for example. They do accept options on the command line but do not read any configuration files when you run them. Many configuration filenames begin with a dot (.), so they are called dot files (use ls -a to see them). Often the filenames end in 'rc' (for resource). For example, the main configuration file for the tcsh shell is ~/.tcshrc, a configuration file for the bash shell is ~/.bash_profile, and the configuration file for the vi editor is called ~/.exrc (ex is an older editor, and vi provides a 'visual interface' for it).
There are actually several configuration files available for each shell, and Table 7.1 lists the more common ones. In this chapter, we will concentrate on the ones you would change in the course of normal use. These files each have settings and commands for the particular program being configured. (Remember that the tilde is a synonym for your home directory.) Configuration files for shells are actually scripts. This means they are a series of commands written in the scripting language for the corresponding shell. They make use of variables, if-then conditions, and other scripting elements such as loops. (See Chapter 9, 'Creating and Using Scripts,' for more on scripts.)

Table 7.1 A Summary of Common Shells

Shell | Name and Description
sh | Bourne shell. The oldest and most standardized shell. Widely used for system startup files (scripts run during system startup). Installed in Mac OS X.
Bash | Bash (Bourne Again SHell) is an improved version of sh. Combines features from csh, sh, and ksh. Very widely used, especially on Linux systems. See the Bash Reference Manual online. Installed in Mac OS X.
Csh | Provides scripting features that have a syntax similar to that of the C programming language (originally written by Bill Joy). Installed in Mac OS X.
Ksh | Korn shell. Developed at AT&T by David Korn in the early 1980s. Ksh is widely used for programming. It is now open-source software, although you must agree to AT&T's license to install it. See the KornShell Web site.
Tcsh | An improved version of csh. The t in tcsh comes from the TENEX and TOPS-20 operating systems, which provided a command-completion feature that the creator (Ken Greer) of tcsh included in his new shell. Wilfredo Sanchez, formerly lead engineer on Mac OS X for Apple, worked on tcsh in the early 1990s at the Massachusetts Institute of Technology.
Zsh | Created in 1990, zsh combines features from tcsh, bash, and ksh, and adds many of its own. Installed in Mac OS X. The Web site for Z shell is.
Am I Configuring the Terminal Application or My Shell?

There's an important distinction to understand here. The Terminal application you are using to access the command line in Mac OS X is not the same as your shell. Terminal is a regular Mac OS X graphical application, like your Web browser or word processor. When you open a new window in Terminal, the application runs the appropriate Unix shell (determined by the Terminal application's preferences). Terminal is the program that is handling the screen display and keyboard input for the shell. When you type something in Terminal, the Terminal application passes that to the shell, and when the shell produces output, Terminal draws it on your screen.
The subtle point here is that there are actually other ways besides Terminal in which you can use your shell. One example: You can connect to your Mac using the command line over a network from another machine, which we'll cover in Chapter 10, 'Interacting with Other Unix Machines.' So when we tell you in this chapter that a change you make will take effect 'in the next Terminal window you open,' that is really a shorthand way of saying that the change will take effect in the next instance of your shell that you run, and that the easiest way to see it is to open a new Terminal window.
System Center Configuration Manager, better known simply as ConfigMgr, has long been the centerpiece of Microsoft’s solution for managing Windows computers. But can it manage Macs, too? That’s the question I put to my colleague Andrew Perchaluk, who is an right here where I live in Winnipeg, Canada.
Although I don’t manage Macs myself, I did work together a few years ago with four System Center experts at Microsoft (Rushi Faldu, Manoj Kumar Pal, Andre Della Monica, and Kaushal Pandey) on a book that included a section that demonstrated how to use System Center 2012 R2 to create a workflow for application deployment on Mac clients. The book (available as a free ebook you can in PDF, Mobi, or ePub format) included a sample walkthrough of a scenario that involved deploying Adobe Reader to a Mac computer running Mac Book Pro with OS X Mountain Lion 10.8, and it was quite an illuminating experience to learn what was involved in such a deployment scenario. I’m sure, however, that managing Macs in Windows environments has come a long way in the last few years with all the changes and improvements in Windows Intune and the latest version of System Center Configuration Manager, so let’s now see what we all can learn from Andrew as he explains how he’s been using ConfigMgr together with a third-party solution for managing Macs in his university environment.

Apple Device Management with ConfigMgr

Many organizations have a mix of Windows and Mac desktops. A large percentage are using ConfigMgr to manage Windows desktops but the Mac desktops have always been a management problem. Most haven’t been able to fully manage them with a central tool and instead have to dedicate people to visit each Mac as issues arise. In today’s world of vulnerabilities and ransomware, it can be difficult to ensure these Macs are fully patched and compliant with company security policies.
The other state organizations might be in is that they have one tool to manage Windows desktops and a second tool to manage Mac desktops. What if you could use just ConfigMgr for management of both? Things would be so much easier. Is it possible to have a single pane of glass for all your desktops?
Can you have the same feature set of management tools that ConfigMgr gives you for Windows desktops but for Macs too? I worked through the process described below to come up with something that does exactly that.

Problem definition

We had no solution to centrally manage Apple devices within our environment. All work, such as software installs, security updates, OS installs and configuration, remote troubleshooting, and security configurations, was done manually by technicians. This made it very difficult to maintain standard configuration and added additional time and costs in supporting these devices. There was no automated asset management solution for these devices, which means that we had to rely on manual efforts for purchasing decisions and future planning.

Business drivers

This capability, if implemented, would provide a single pane of glass for managing both Apple products and Windows-based computers in our environment. This would lead to:
- Improved daily IT support performance.
- Driving down IT operating costs by reducing duplicate work, incident resolution time, service request completion time, accurate reporting for hardware, and software licenses to make educated business decisions.
- Automation of software and OS configuration and security configuration.
- The capability to have a holistic view on software licensing.

Security

- Single pane of glass for compliance, reporting, and security.
- Central security patch deployment and reporting for Mac.
- Common reporting and compliance reports between Mac and Windows.
- PKI security for Mac clients for encrypted communications between client and SCCM server.
- Remote wipe capabilities.
- Ability to enable and manage Mac FileVault 2 encryption.

Technical constraints

- The solution had to effectively integrate with our existing SCCM infrastructure.
- The solution did not need to manage iPhones and iPads, only Mac OS X 10.7 and newer.
- Non-domain-joined Mac clients will require a local admin account.
- If the firewall is enabled in macOS, a message is displayed asking you if pmaagent.app should be allowed to accept incoming connections.

Quality attributes

- Scalability — Hosting all components on virtual servers would allow for growth and performance tuning as required.
- Maintainability — The system was able to run on existing SCCM components in our infrastructure.
- Upgradeable — Preferred if the solution meets business needs out of the box. No customizations required would allow a simplified upgrading process.
- Auditability.

Evaluation

We researched and looked at demos of various products and determined that was the best fit and its functionality would enable our IT department to make large improvements in managing the Mac environment. Initially, we installed Parallels in our test environment and then shortly after into our production SCCM environment. Then we added the 25 pilot Mac systems to SCCM, which included one device per OS version to validate functionality.

Some design considerations

- This solution will tie in seamlessly with ConfigMgr, enabling it to effectively manage the Apple environment.
- This solution will utilize existing SCCM server infrastructure and no new virtual servers would be required.
- This solution is in line with the vendors’ reference architecture.
- This solution will support end-to-end PKI security for Mac clients just as we had with Windows SCCM clients.
- This solution will allow adding of Mac clients to SCCM even if they are not Active Directory domain joined.

Parallels components design

We installed the Parallels components on top of our SCCM servers in our environment as per the diagram below.

Parallels components

- Configuration Manager Proxy: The Parallels application that acts as a proxy between SCCM and Mac computers.
- Configuration Manager Console Extensions: Set of dynamic libraries that extend Configuration Manager Console, providing a graphical user interface enabling you to manage OS X. Component must be installed on the computer where the Configuration Manager console is installed. This plugin can be installed on any server or user desktop that is running the SCCM administrative client and requires the ability to manage Mac.
- OSX Software Update Point: Allows you to manage Apple software updates (patches) for OS X using the native SCCM functionality. The component requires Windows Server Update Services (WSUS) and must be installed on the same server as WSUS.
- Netboot Server: The Parallels Netboot component enables Mac computers to boot from a network and is required for deploying OS X images to Mac computers. The Netboot component must be installed on an SCCM distribution point server. Because Mac clients will be on a different subnet than the Netboot and DHCP servers, an IP address helper configuration will be required on all building routers. This will forward DHCP traffic from Mac clients to the Netboot server.
- Reporting: Gain the ability to query and generate reports on all aspects of Mac desktops in your environment. Gather hardware and software inventory of your Mac computers. Report information about user logons. Leverage native Microsoft SCCM reports for details on Mac computers.

Natively, SCCM supports only very minimal Mac features; with Parallels installed, a wide feature array is supported, allowing you to fully manage your Mac desktops from SCCM.

Useful reference links.
Photo credit: Apple.