Although I’ve got our Mac mini server nicely set up now, there are occasionally things I want to do on users’ Macs which can’t be done or don’t work properly via Server Admin and Workgroup Manager. However, one of the wonderful things about having an office environment consisting entirely of Macs (rather than Windows PCs) is that you can just SSH into them and write Bash scripts which can be triggered by cron (or, better still, by launchd).
To make sure the settings I want are set up and retained on users’ Macs, I have a script deployed on all our Macs which runs as root a couple of times each day:
#!/bin/bash
# set up web proxy
interface=$(/usr/sbin/networksetup -listallnetworkservices | grep -i airport)
/usr/sbin/networksetup -setwebproxy "$interface" 192.168.1.20 8080
/usr/sbin/networksetup -setproxybypassdomains "$interface" "*.local" "169.254/16" "*.office.ourdomain.com" "*.dev.ourdomain.com" "127.0.0.1" "localhost"
# turn off annoying 'this app was downloaded from the internet...' prompts
find /Applications -maxdepth 1 -mindepth 1 -name "*.app" | while read app ; do
    xattr -d com.apple.quarantine "$app" &> /dev/null
done
# skip hidden entries (names starting with a dot) and non-user directories
for user in $(ls /Users | egrep -v "^\.|Deleted Users|Guest|Shared|administrator")
do
    # turn off software update prompts as they're pointless for non-admin users
    su - "$user" -c "/usr/sbin/softwareupdate --schedule off > /dev/null"
    # turn on screen saver with password for security
    su - "$user" -c "defaults -currentHost write com.apple.screensaver askForPassword -int 1"
    su - "$user" -c "defaults -currentHost write com.apple.screensaver idleTime -int 900"
    # tell firefox to use system proxy settings
    if [ -d "/Users/$user/Library/Application Support/Firefox" ] ; then
        cd "/Users/$user/Library/Application Support/Firefox"
        # change into the profile directory named in profiles.ini
        cd "$(grep "Path=" profiles.ini | awk -F '=' '{print $2}')"
        echo 'user_pref("network.proxy.type", 5);' > user.js
        /usr/sbin/chown "$user":staff user.js
    fi
done
The first bit sets up the Mac to use our HTTP proxy for the users’ web browsing. There is a bit in Workgroup Manager which is supposed to achieve this but it doesn’t work for me, so I ended up doing it like this instead. It uses the networksetup command to get the name of the Airport interface, then tells the proxy settings for that interface to use our web proxy (and also to bypass it for specific local domains):
# set up web proxy
interface=$(/usr/sbin/networksetup -listallnetworkservices | grep -i airport)
/usr/sbin/networksetup -setwebproxy "$interface" 192.168.1.20 8080
/usr/sbin/networksetup -setproxybypassdomains "$interface" "*.local" "169.254/16" "*.office.ourdomain.com" "*.dev.ourdomain.com" "127.0.0.1" "localhost"
The next bit turns off the prompts you get in OS X which ask the user if they’re sure they want to run an application which was downloaded from the Internet. This kept happening a lot and was annoying users, and I know that all the applications are safe because I install them myself, so I decided to turn this off. This uses the xattr command to turn off the relevant attribute for all applications in the /Applications directory:
# turn off annoying 'this app was downloaded from the internet...' prompts
find /Applications -maxdepth 1 -mindepth 1 -name "*.app" | while read app ; do
    xattr -d com.apple.quarantine "$app" &> /dev/null
done
Then there is a section which makes a few changes for each user on the Mac. The first is to turn off Software Update prompts for normal users because they’re just an annoyance they can’t do anything about (and I manage all the software updates myself):
# skip hidden entries (names starting with a dot) and non-user directories
for user in $(ls /Users | egrep -v "^\.|Deleted Users|Guest|Shared|administrator")
do
    # turn off software update prompts as they're pointless for non-admin users
    su - "$user" -c "/usr/sbin/softwareupdate --schedule off > /dev/null"
I couldn’t find a way of turning on screen savers with password security for normal users via Workgroup Manager, so I put something to do that into this script instead. It uses the defaults command to configure these settings for each user on this Mac:
    # turn on screen saver with password for security
    su - "$user" -c "defaults -currentHost write com.apple.screensaver askForPassword -int 1"
    su - "$user" -c "defaults -currentHost write com.apple.screensaver idleTime -int 900"
Finally, I configure Firefox to use the system proxy settings which we set up earlier in the script. This first works out what each user’s Firefox profile directory is, then puts the relevant line into the user.js file, then makes sure the ownership of this file is set correctly. (Using the user.js file is a good way to add your own preferences to Firefox without messing about with the application-generated prefs.js file.)
    # tell firefox to use system proxy settings
    if [ -d "/Users/$user/Library/Application Support/Firefox" ] ; then
        cd "/Users/$user/Library/Application Support/Firefox"
        # change into the profile directory named in profiles.ini
        cd "$(grep "Path=" profiles.ini | awk -F '=' '{print $2}')"
        echo 'user_pref("network.proxy.type", 5);' > user.js
        /usr/sbin/chown "$user":staff user.js
    fi
done
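The `grep "Path="` step above assumes one profile with a relative path, and the `>` redirect replaces whatever was already in user.js. As an added example (not part of the original script), the functions below read every profile from profiles.ini, including absolute paths, and update user.js while keeping its other preferences. The function names and the sample layout are made up for illustration, and the code assumes it runs as the profile's owner rather than as root.

```shell
#!/bin/bash
# Added example, not from the original post. Run as the profile's owner.

# Print one profile directory per line for the Firefox support dir in $1.
# A profiles.ini section holds IsRelative=1|0 and Path=...; with
# IsRelative=0 the Path is already absolute.
firefox_profile_dirs() {
    base=$1
    [ -f "$base/profiles.ini" ] || return 0
    tr -d '\r' < "$base/profiles.ini" | awk -F= -v base="$base" '
        function emit() {
            if (path != "") print (rel == "0" ? path : base "/" path)
            path = ""; rel = "1"
        }
        /^\[/              { emit() }
        $1 == "IsRelative" { rel = $2 }
        $1 == "Path"       { path = substr($0, 6) }
        END                { emit() }'
}

# Set network.proxy.type to 5 (use system proxy settings) in the user.js of
# profile dir $1, keeping any other preferences already in that file.
set_system_proxy_pref() {
    file=$1/user.js
    [ -d "$1" ] || return 1
    # Only ever write a regular file; a symlinked user.js is left alone.
    [ -L "$file" ] && return 1
    old=$(grep -v 'network\.proxy\.type' "$file" 2>/dev/null) || true
    { [ -n "$old" ] && printf '%s\n' "$old"
      printf '%s\n' 'user_pref("network.proxy.type", 5);'; } > "$file"
}

# Apply the preference to every profile listed under support dir $1.
configure_firefox() {
    firefox_profile_dirs "$1" | while IFS= read -r dir; do
        set_system_proxy_pref "$dir" || echo "skipped: $dir" >&2
    done
}

# Constructed sample layout (two profiles, one absolute); prints its root.
make_sample() {
    root=$(mktemp -d)
    ff="$root/Application Support/Firefox"
    mkdir -p "$ff/Profiles/abcd1234.default" "$root/work profile"
    printf '%s\n' '[General]' 'StartWithLastProfile=1' '' \
        '[Profile0]' 'IsRelative=1' 'Path=Profiles/abcd1234.default' '' \
        '[Profile1]' 'IsRelative=0' "Path=$root/work profile" > "$ff/profiles.ini"
    echo "$root"
}
```

To try it without touching a real profile, run `configure_firefox "$(make_sample)/Application Support/Firefox"` and inspect the user.js files it creates.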
And that’s it. Every so often I just add new bits and pieces to this script as required.