CHAPTER 5: Writing a Property List for Management
50
[Figure 5-1 diagram. Node labels: / (Root); BSD, /etc/passwd, /etc/group; LDAPv3, ldap.example.com; Local, Default; Users, Groups, Computers; staff, everyone; marczak, gneagle, _amavisd, _jabber]
Figure 5-1. Simplistic (and incomplete) example view of Apple’s directory hierarchy
In Figure 5-1, you’ll note the root, represented by the forward slash character (/). Other
branches of this tree descend from the root. In this diagram, the level just below the root
represents the different directory service plug-ins: BSD, LDAP, and the local node. If a
machine had Active Directory configured, it would appear here, too. Each of these
branches can have other branches, and will ultimately end in leaf nodes or individual
records. For example, under the path /Local/Default/Users are the user records for
“_amavisd,” “_jabberd,” “gneagle,” and “marczak.” Each object in the hierarchy is
either a container, or a record that resides in some specific container.
To further that point, the local record for the group staff would be said to be found at
/Local/Default/Groups/staff. “staff” is the actual record. Each record is comprised of
a set of attributes and values. Each record in a given container will be constructed from
the same set of attributes. It’s the values given to those attributes that make each record
unique, like a record in a database. When we query the contents of this record (“staff”),
we see the following attributes and values:
AppleMetaNodeLocation: /Local/Default
GeneratedUID: ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000014
GroupMembers: AF54E0FF-7F61-A537-B51A-670997A5E774
GroupMembership: root
Password: *
PrimaryGroupID: 20
RealName: Staff
RecordName: staff
RecordType: dsRecTypeStandard:Groups
SMBSID: S-1-5-32-545
In this record, the value of “RecordName” (in other words, the group name) is “staff”.
Each group in Mac OS X gets a Generated UID associated with it, and this is stored in
the “GeneratedUID” attribute. The PrimaryGroupID attribute is the glue between Apple’s
internal record-keeping and POSIX groups. However, there’s only one thing to
understand with respect to our needs: Managed Preferences (MCX) are just more
attributes and values that get associated with a given record. There are two attributes
needed: MCXFlags and MCXSettings.
The MCXFlags attribute simply alerts Mac OS X to the fact that this record has MCX
data to be applied. The MCXSettings attribute contains the actual settings to be applied.
Both attributes store these values as (you guessed it) property list files (.plist). The
MCXSettings attribute in a record stores an XML-based .plist file containing the actual
XML plists to be delivered to clients.
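The following is an added example, not code from the book: it audits a directory record for the two MCX attributes described above and decodes the XML plists held in MCXSettings into a list of managed settings. The record and plist are constructed samples, and the inner key names (mcx_application_data, Forced, mcx_preference_settings) are an assumption about the layout, which this chapter does not show.

```python
import plistlib
from xml.parsers.expat import ExpatError

# Constructed sample of one XML plist stored as an MCXSettings value.
# The inner key names are an assumed layout, not taken from the chapter.
SAMPLE_MCX = """<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>mcx_application_data</key>
  <dict>
    <key>com.apple.dock</key>
    <dict>
      <key>Forced</key>
      <array><dict>
        <key>mcx_preference_settings</key>
        <dict><key>autohide</key><true/></dict>
      </dict></array>
    </dict>
  </dict>
</dict></plist>"""

# Constructed record: attributes of the "staff" group plus the MCX pair.
SAMPLE_RECORD = {
    "RecordName": ["staff"],
    "RecordType": ["dsRecTypeStandard:Groups"],
    "PrimaryGroupID": ["20"],
    "MCXFlags": ["<constructed placeholder for the flags plist>"],
    "MCXSettings": [SAMPLE_MCX],
}

def is_managed(record):
    """True only when both attributes the chapter names are present."""
    return bool(record.get("MCXFlags")) and bool(record.get("MCXSettings"))

def managed_settings(record):
    """Return sorted (domain, level, key, value) tuples from MCXSettings."""
    found = []
    for xml_text in record.get("MCXSettings", []):
        try:
            doc = plistlib.loads(xml_text.encode("utf-8"))
        except (plistlib.InvalidFileException, ExpatError):
            continue  # value is not a well-formed plist; skip it
        for domain, levels in doc.get("mcx_application_data", {}).items():
            for level, entries in levels.items():
                for entry in entries:
                    prefs = entry.get("mcx_preference_settings", {})
                    found += [(domain, level, k, v) for k, v in prefs.items()]
    return sorted(found, key=lambda t: t[:3])

if __name__ == "__main__":
    print(is_managed(SAMPLE_RECORD), managed_settings(SAMPLE_RECORD))
```

Running the same check across every user, group, and computer record gives a quick inventory of which records carry managed settings and what they enforce.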
Preferred Tools for Creating, Testing, and Deploying Managed Preferences
We’ve already looked at utilities to help write a general .plist file. There are additional
utilities that allow you to work with this .plist information in the context of the directory.
Let’s explore those now.
Using Workgroup Manager
Workgroup Manager is the easiest of the tools to use. As an Apple GUI tool, it basically
just does the right thing. However, it’s not solely a property list editor. As primarily a GUI
for configuring users, groups, and computers, it’s not really much of a traditional editor at
all. Workgroup Manager does know all about Managed Preferences, though.
NOTE: If you haven’t installed the Server Admin Tools as mentioned in Chapter 2, “What You’ll
Need,” you’ll need to do that to follow along in this chapter. Go download the installer and set
yourself up now.
Creating a Property List File
Workgroup Manager.app is found in the /Applications/Server directory. Launch it now
and you should be looking at a login dialog box similar to that shown in Figure 5-2.
Figure 5-2. Workgroup Manager sign-in dialog
Don’t worry: for our purposes you won’t need to log in at all. To move forward here,
click on the Server menu, and then choose the View Directories menu item. (Command-D
is a shortcut for this menu command.) Once done, you’ll see a warning displayed, as
shown in Figure 5-3.
Figure 5-3. Workgroup Manager local-only warning
Since Workgroup Manager is typically used to work on centralized, network-based
directories, this warning is just letting you know that you’re now looking at
the local directory on your Macintosh. Despite Apple’s intentions, this is exactly
what we want right now, as we do want to be looking at the local
“not-visible-to-the-network” directory. Since we’re going to be doing this a fair amount, you may want to
check the “Do not show this warning again” check box before clicking OK. Once you’ve
cleared the warning, you’ll be looking at the main Workgroup Manager window shown in
Figure 5-4.
Figure 5-4. Workgroup Manager’s main window in its default state
This window is divided into a toolbar across the top of the window, a left-side pane, and
a right-side pane. The left-side pane represents the object that you’ve chosen from the
tabs at the top of that pane representing a user, group, computer, or computer group
object. The right-side pane will show the details of the operation you’ve chosen to
perform from the toolbar (working with accounts or preferences).
If you’ve worked with OS X Server before, you’ve likely used Workgroup Manager and
are familiar with this view. However, many people who use Workgroup Manager don’t
realize that it can be used to manage the local directory, too. For the purposes of our
work in this book regarding Managed Preferences, we’re concerned only with one area
of Workgroup Manager: the Preferences section, accessed by clicking the
“Preferences” button in the top toolbar. When you do so, the right-side pane will reveal
the preferences panel (Figure 5-5).
Figure 5-5. Workgroup Manager’s preference panel exposed
Apple has categorized several different types of preferences on this panel that an admin
would like to manage; you’ll see them in the pane on the right (“Applications,”
“Classic,” “Dock,” and so on). However, you first need to choose the user, group,
computer, or computer group you want the preferences applied to. For our purposes,
choose a local user. When you click a category (for example, “Dock”), you’ll be
presented with a new panel that lists predefined preferences that Apple has chosen to
expose for the selected category (Figure 5-6).
Figure 5-6. Preferences for the Dock
Initially, these preferences are grayed out. This is because you’re not managing them;
notice the status of “Manage” at the top of the pane: “Never” is selected. Chapter 8
will go deeper into the meanings of never, once, and always as they apply to Managed
Preferences. For now, just select “Always” in order to inspect the offered preferences
further. Click the “Dock Display” tab (you can see this tab in Figure 5-6). Notice that
once you are viewing the “Dock Display” tab, the preferences on each tab are
managed separately, and you’ll need to select “Always” again. Enable the check
box for “Automatically Show and Hide the Dock” and click “Apply.” There! You just
wrote a .plist file for management!