So what is Local MCX and why do I care?
If you build Mac images but don’t have a way to manage policies or preferences via a system like JAMF’s Casper or Apple’s Profile Manager/OpenDirectory, then you will probably need to use Local MCX policies to enforce some basic consistency and security on your computers. For instance, it may be necessary to enforce a Screen Saver timeout, or maybe you just want certain items to appear on every new user’s Dock. If this is a need and you want to bake it into your image, then you need a way to handle that… enter my package.
When you create local computer policies, you will notice that the local policy does not work when you clone that image to another Mac. This is because the local computer policy only works if the MAC address in the computer record matches the machine. This package exports the local computer policy you create for importing later, gets the MAC address of the newly imaged computer, and imports the computer policy into the local system, populating the “Ethernet ID” field with the correct MAC address.
How to use:
You should start with a clean installation of Mac OS X. Below is a list of steps for setting up local MCX. Note: I am not going into the details of creating MCX policies, as that is a couple of articles in itself.
- Install Apple’s Admin Tools – http://support.apple.com/downloads/#Server%20Admin%20Tools – Look for the newest version (10.7.2 currently)
- Once installed you will use Workgroup Manager to create the computer record.
- YOU MUST CREATE the record with this name: “local_mcx” — No quotes and a single underscore
- Now create any MCX policies you need inside that computer record.
- Test, refine, etc. Make sure they work the way you intend them to.
- Back up your local_mcx – Use the export command in Workgroup Manager. Though this is not necessary, it makes it easier to import on a clean image and not have to redo all your work.
- If your image is complete and you are ready to clone, you now need to run my package. This will install the necessary scripts so that it can automate your computer record for use with different computers. DO NOT REBOOT!
Now create your image with your favorite utility. In my case I use DeployStudio.
Most of this process is from Apple’s own documentation that you can find here. I reused most of Apple’s scripts to accomplish this. I then tweaked them, added something I found on another website, then rolled them into a package for easy configuration.
Below is a list of directories and files installed with their locations.
- /usr/local/LocalMCX – This directory contains a LaunchDaemon (net.azimuthsystems.LocalMCX.plist) and an exported copy of your computer MCX policy called “local_policy.plist”
- /usr/local/bin – Two bash scripts are placed in here: LocalMCX.bash and localMcxExport.bash
- LocalMCX.bash – On reboot, this script detects the MAC address, creates the computer record, adds the MAC address to the Ethernet ID in the computer record, and then deletes the LaunchDaemon so that it won’t run again
- localMcxExport.bash – This script is called when you run my package. It exports the local_mcx computer record along with the policies you have created, so that when you reboot or clone, the record is imported and works with the new MAC address. It also deletes the computer record after the export process, so that the machine is clean prior to cloning.
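The first-boot step described for LocalMCX.bash, sketched as an added example (this is not the package's script). It refuses to bind the policy when no valid MAC address is found, since a record with a wrong Ethernet ID leaves the machine without its enforced settings. The `en0` interface, the function names, the sample `ifconfig` output and the exact `dscl` sequence are assumptions.

```bash
#!/bin/bash
# Added example, not the package's LocalMCX.bash. Dry-run by default:
# set DSCL=dscl (as root, on the imaged Mac) to really write the record.
DSCL="${DSCL:-echo dscl}"
RECORD="/Computers/local_mcx"                      # record name from the post
POLICY="/usr/local/LocalMCX/local_policy.plist"    # export path from the post

# Pull the hardware address out of `ifconfig <if>` output read on stdin.
extract_mac() {
    awk '$1 == "ether" { print tolower($2); exit }'
}

# Accept only six colon-separated hex octets; reject empty or all-zero values.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    [ "$1" != "00:00:00:00:00:00" ]
}

# Recreate the record, bind it to this machine's MAC, then import the policy.
# Assumed dscl sequence; fails closed if the MAC is missing or malformed.
bind_policy() {
    if ! valid_mac "$1"; then
        echo "refusing to bind: bad MAC '$1'" >&2
        return 1
    fi
    $DSCL . -create "$RECORD" &&
    $DSCL . -create "$RECORD" ENetAddress "$1" &&
    $DSCL . -mcximport "$RECORD" "$POLICY"
}

# Constructed sample of `ifconfig en0` output (not from a real machine).
SAMPLE_IFCONFIG='en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	ether 00:1E:C2:AA:BB:CC
	media: autoselect (1000baseT <full-duplex>)
	status: active'

# On a real Mac:  bind_policy "$(ifconfig en0 | extract_mac)"
```

On an imaged machine, `dscl . -read /Computers/local_mcx ENetAddress` shows whether the record picked up the new address.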
If at some point you run my package and then decide you need to make more changes to the policies, all you need to do is reboot the computer. Doing this will import the policies so that they take effect and also allow you to edit them again. Once you have made your changes, just re-install my package, shut down (DO NOT RESTART), and clone.