Managing without the Mac server

A few weeks ago, we discovered that the second hard drive on our Mac mini server was failing.  Which isn’t good.  It’s still under warranty though so won’t cost anything to fix, apart from the inconvenience of having it taken away from our school for a few days.

And an inconvenience it certainly has been!  The Mac server has been brilliant for managing all the little settings and preferences on the Macs and I’ve made much use of Workgroup Manager for tweaking this and fixing that.  This makes it all the more painful when it is removed, especially with a large school full of an ever-increasing number of Macs.

All the Macs are bound to two servers: the Open Directory (OD) on the Mac server and the Active Directory (AD) on the Windows server. The AD manages usernames and passwords and serves up all the network drives, but the OD tells the Macs what to put in the dock, what drives to mount on login, and where Microsoft Office can put all its first-run registration windows (i.e. not on my screen!). Without the Mac server, the Mac will still let users log in, but the dock will be empty, network drives won’t be mounted and everyone will come running to find me and demand access to their shared folders.

After some very helpful support from our wonderful reseller Toucan, I settled upon this plan:

  1. Make a local account and set it up just how I wanted it, i.e. applications in the dock and network drives mounted on login with credentials on the keychain.
  2. Log in as root and copy this home folder to all the Macs using Apple Remote Desktop.
  3. Tell teachers to log in with the local account only.

The first part was fairly straightforward.

The second part was a little more tricky as it involved logging in as root, something I had not done before.  But Apple give some easy-to-follow instructions on how to do it.  This gives the user unlimited powers to look in any folder and move anything anywhere, without running into permission errors all the time.  Once logged in as root, I used Apple Remote Desktop to copy the home directory of the local user to all the Macs. I had already set up a local user previously, so I just reused that name and didn’t have to go to each machine and add a local account.

The annoying problem I ran into was that some Macs were still remembering all their managed preferences, even though the Mac server was unavailable.  This would have been fine if every Mac was doing this, but it was inconsistent across the school and gave an uneven user experience.  Thankfully, I found an article explaining how to flush the MCX cached settings. Et voilà, everything working fine.  Or at least good enough.

I hope the Mac server gets fixed quickly!

It does make me realise why Apple is moving to profiles for managing preferences on a Mac, just like with iOS.  That way, the client machine remembers the settings it’s been given, rather than relying on a continuous connection to a server.  It’s just a shame that Profile Manager isn’t quite up to the job as of yet, particularly with OSX.

iChatting across subnets

We’ve had iChat set up on our Macs for a while, making use of Bonjour to provide a zero-configuration way for teachers to communicate around the school. We now have a second site and teachers wanted to be able to iChat between sites but it wasn’t working as Bonjour doesn’t easily work across two different subnets (especially if LGfL are involved!). So instead I set up iChat Server on our Lion Server.

It was mainly straightforward, once I had figured out how…

  1. Turn on iChat server on the Lion server.  Involves switching it to on.  It sets up a Jabber messaging server.
  2. Set up the login details using Workgroup Manager.  There is a manifest called ‘iChat.Jabber’ which gives you a managed client settings already set up.
  3. When a user logs onto the Mac, their credentials are used to log onto the iChat server.  This requires an AD or OD setup, which meant a few issues when it came to the experimental ditched directory Macs. I had to set these machines up manually using the user’s network logins.
  4. Initially, the iChat window doesn’t show any ‘buddies’, which  renders the service useless at school because teachers wouldn’t know each other’s iChat accounts.  Lion server promises the ability to add all users as buddies automatically, but this only seems to work if you’ve got an Open Directory setup (i.e. all user accounts are on the Mac server rather than elsewhere).  Instead I had to log each user into iChat and then run the command ‘sudo jabber_autobuddy -m’ in Terminal on the Lion server.  This adds everyone who has ever logged into the iChat server onto everyone’s buddy list.

It seems to be working fine, with the teachers across two sites particularly finding it helpful.

First day back…

I went back to school today to try and get ready for the beginning of term.  As always, there’s lots of jobs that come up along the way, but here are a few things I managed to accomplish today:

  • Apply for some ‘up-to-date’ Mountain Lion licences for some Mac Minis that we bought after Mountain Lion was finally announced.  I had to go into school to get some serial numbers and to get invoices from our reseller, but it was pretty straightforward. Today’s the last day that you can apply so I was cutting it a bit fine.
  • Set up a repository for Munki on our Mac Mini server.  We’ve been using Munki with much success just as a way to automatically install Apple’s software updates when the computer is logged out. It’s pretty handy!  However, I’ve been wanting to use it to update other software (such as Microsoft Office and Adobe Flash Player), rather than having to push out packages using Apple Remote Desktop.  I followed a really clear guide on the Munki website, which took a bit of time to get my head around but seems to have worked fine.

WebDAV

My problem is that I, deep down, hope and expect software and technology to work easily and first-time. One day I shall learn…

Our other task for today was to try and set up a WebDAV share on our Windows server for our new iPads. Unfortunately we couldn’t get it to work, although our amazing technician is looking into it.

I did manage to set up a new WebDAV share on our Lion server though. I was having trouble accessing it until I discovered the correct URL for the WebDAV share. It should be something like this:

http://hostname/webdav/sharename

The Lion share will work for Windows and Macs too, so I’ll just add another share point to each user’s desktop called ‘ipad’ or something. It’s not ideal that it’s separate to our ‘school’ shared drive, but hopefully we’ll get the Windows WebDAV working before too long.

Deploy Studio and Gigabit Switches

Deploy Studio is a wonderful piece of software that lets you make a system image from a Mac and then deploy it to loads of other Macs from your Mac server.  I’ve just upgraded 16 iMacs to Lion like this, taking only about 10 minutes per machine (perhaps 20 minutes per machine if you’re doing 5 at the same time).  All you have to do is netboot (hold down ‘N’ when you turn on the Mac), which makes the computer boot up from Deploy Studio on the server.  Then you choose the image you want to deploy, and then it does it all for you.  Marvellous.  It even automatically binds it to the relevant directories as well.

And with gigabit ethernet, this process really is much faster than it used to be (possibly even 10x!).

Toucan set this up for us, of which I am very appreciative. 

Giving up on Profile Manager

The promise of Lion’s Profile Manager seemed good: a nearly free way of managing all the Macs and iPads on your network, pushing settings etc. over the air using Apple’s Push Notifications.

Except I can’t get it to work. The issue is that when you try and enrol an iOS device, it complains that the certificate is invalid. I’ve searched high and low on the Interweb for solutions, and even tried out a few. However, the result has been even more of a mess, as far as I can tell!

45 iPads arrived at school today, just waiting for me to set them up ready for September. I was hoping to use Profile Manager as part of the setup process, but I think now I’ll just have to make do with Apple Configurator and iTunes. Hey ho.

Maybe more joy will be had with Mountain Lion Server?

These guys at Amsys seem to have gotten it going, if anyone’s interested.

Ricoh Printer Driver Fix pt.II, Or How It Might Not Have Been Such A Great Idea To Upgrade The Server When Teachers Are Writing And Printing Reports

One of the wonderful technicians from Toucan came and upgraded our Mac Mini server to OSX 10.7 Lion on Monday. It went pretty well, with only a bit of a glitch with the Snow Leopard machines needing to be rebound.  We tried setting up a script to do this automatically, but this only worked on about half the machines so I still had to go around and make sure people could log on properly.

However, I also discovered that this had pretty much broken the previous fix for the Ricoh printer/copier, resulting in the copier spewing out reams and reams of gibberish.  This was compounded by the fact that it is report-writing season, which requires much printing at the best of times. Not good.

The problem boiled down to printer driver issues, more specifically that not all the Macs had the same Gutenprint drivers installed and so defaulted to the generic driver instead of the correct one.  Fun.

The solution was as follows:

  • Make sure all the Macs had the latest Gutenprint installed, as this is the driver Workgroup Manager was instructing Macs to use.  Apple Remote Desktop made this easy.
  • Log onto each Mac remotely and do a test print, checking if the correct driver was being used.
  • If the wrong driver was being used, I then had to log in as an administrator and reset the print system, forcing the Mac to use the driver instructed by MCX.  To do this, you open ‘Print & Scan’ in System Preferences, right click on the list of printers and then select ‘Reset printing system…’.
  • Log in again as a managed network account and check it works.

I’m sure if I was a scripting kinda guy, there could be an easier way to do this.  But it did work, albeit rather long-windedly.

The moral of the story?  Make sure your Ricoh printer comes with a Postscript driver card installed!
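
Added example (not part of the original post): the per-Mac driver check in the steps above can be done without a test print by reading the `*NickName` line of each queue's PPD. It assumes the queue PPDs sit in the CUPS default directory `/etc/cups/ppd`; the function names, queue names and sample PPDs are constructed for illustration.

```shell
#!/bin/sh
# Report which driver each CUPS print queue uses, read from its PPD.
# Assumption: PPDs are in /etc/cups/ppd unless a directory is passed in.

# Print the driver name recorded in one PPD file (its *NickName value).
ppd_driver() {
    sed -n 's/^\*NickName:[[:space:]]*"\(.*\)".*$/\1/p' "$1" | head -n 1
}

# Classify a driver name as "gutenprint", "generic" or "other".
classify_driver() {
    case "$1" in
        *Gutenprint*) echo gutenprint ;;
        *Generic*|*generic*) echo generic ;;
        *) echo other ;;
    esac
}

# List every queue in a PPD directory as "queue<TAB>class<TAB>driver".
audit_ppd_dir() {
    dir=${1:-/etc/cups/ppd}
    for ppd in "$dir"/*.ppd; do
        [ -f "$ppd" ] || continue   # directory with no PPDs at all
        driver=$(ppd_driver "$ppd")
        printf '%s\t%s\t%s\n' "$(basename "$ppd" .ppd)" \
            "$(classify_driver "$driver")" "$driver"
    done
}

# Queues not on Gutenprint, i.e. the ones needing a print system reset.
queues_needing_reset() {
    audit_ppd_dir "$1" | awk -F '\t' '$2 != "gutenprint" { print $1 }'
}

# Constructed sample PPDs (not real driver files) so this runs offline.
make_sample_dir() {
    d=$(mktemp -d)
    printf '*PPD-Adobe: "4.3"\n*NickName: "Example Copier - CUPS+Gutenprint v5.2.7"\n' \
        > "$d/Office_Copier.ppd"
    printf '*PPD-Adobe: "4.3"\n*NickName: "Generic PostScript Printer"\n' \
        > "$d/Staffroom_Copier.ppd"
    echo "$d"
}

# "sh script.sh --demo" audits the constructed samples.
if [ "${1:-}" = "--demo" ]; then
    audit_ppd_dir "$(make_sample_dir)"
fi
```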

10.7.4 URL Spring Fix

Annoyed about the spring loose in 10.7.4?  Want to see that lovely spring icon in your dock when you drag a URL there?  Here’s how to copy it to all your machines using Apple Remote Desktop:

1. On a Mac not running 10.7.4, the missing icon lives in /System/Library/CoreServices/Dock.app/Contents/url.png. Use Finder to navigate to it (use Go > Go to Folder…).

2. On Apple Remote Desktop, select the Macs you want to fix the problem on, click the ‘Copy’ icon and then drag that file into the ‘Items to Copy’ box.

3. Choose ‘Same relative location’ in the ‘Place items in:’ box.

4. Set ownership to ‘Inherit from destination folder’.

5. Copy!

Marvellous.