Apple WTF

Looks like “WTF” will be the theme for today’s post as well as the previous Sesame Street post. Today, though, I’m going to complain about…


More specifically, OS X 10.6 in an enterprise environment.

We recently added a few OS X servers to our environment so we could take advantage of the OS X-specific tools to manage our enterprise Macs. Sure, we could have just changed the schema in Active Directory to enable some of the management features. The problem with that angle is that it would require tinkering with an already heavily-modified AD schema and directory, increasing the risk of damaging things that ought not be tinkered with in our environment.

So, a dedicated Open Directory deployment on OS X Server, attached to AD, should do the job.

On our enterprise Windows clients, we have some policies in place to enhance security: drive encryption on laptops, password protection, locked screen savers after a fixed period of time, preventing non-administrators from accessing certain portions of the system, etc.

We can do many of those on OS X, too. Versions 10.4 and 10.5 appear to be the most flexible when it comes to being good little secure members of the domain. Want to require a password when waking the computer from sleep or the screen saver? Easy enough — well, depending on your definition of easy:

  1. Open Workgroup Manager
  2. Select the computer or group that you want to apply the change to
  3. Click Details
  4. Add an object
  5. Under Always, add a key called “Require Password” with an integer value of 1
  6. Apply the changes
  7. Click Done
  8. The next time your 10.5 clients check in, they’ll get the new requirement.

Sure, it could be much, much easier than that — a checkbox would be awesome, Apple — but it’s not. I don’t know why. But it works beautifully on OS X 10.5 clients. With a slight modification it works well on 10.4, of which we only have one.

But what about on 10.6? You know — the OS version that every Apple device has shipped with for the last year?

Let’s try it!

[Image: Workgroup Manager’s key editor, used to enforce a password to unlock the Mac from the screen saver or sleep]

After a few clicks and typing, I’m met by an interesting error while adding the preference: “**** Name doesn’t match preference manifest.”  Okay, well, that’s not a huge problem. I mean, how much could the feature have changed between 10.5 and 10.6?

A few more clicks, log out of my test machine, log back in, look at the mcxquery output and it shows the settings… but System Preferences shows “Require password…” as unchecked.

Here’s the mcxquery output:
    idleTime                                             everything (Computer Group)               often   840
    modulePath                                           everything (Computer Group)               once    /System/Library/Screen Savers/Flurry.saver
    Require Password                                     everything (Computer Group)               always  1
    showClock                                            everything (Computer Group)               once    1

Yes, the computer is a member of “everything”. Yes, it’s picking up every other setting applied to “everything”, but System Preferences has a different story:
[Image: System Preferences with “Require password…” unchecked. Why isn’t Require Password checked?]
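The mismatch above (mcxquery says the key is managed, System Preferences says it is not in effect) is exactly what you want to catch on every client rather than just on a test machine. As an added example that is not part of the original post, here is a small sh audit that parses mcxquery’s output and compares the managed value with the effective com.apple.screensaver askForPassword preference; the column layout and the askForPassword key name are my assumptions, not something the post states.

```shell
#!/bin/sh
# Added audit script, not from the original post. Checks a client for the
# situation described above: mcxquery reports "Require Password" as managed,
# yet the screensaver password requirement is not actually in effect.
# Assumptions (mine): mcxquery prints one row per setting in the order
# "key  source  frequency  value", columns separated by two or more blanks as
# in the listing above; the effective setting is the ByHost preference
# com.apple.screensaver askForPassword (1 = password required).

# Print "frequency value" for a managed key read from mcxquery output on stdin;
# prints nothing if the key is not managed. Keys and values may contain single
# spaces, so columns are split on runs of two or more blanks, not every space.
mcx_lookup() {
    awk -v key="$1" '{
        sub(/^[ \t]+/, "")
        n = split($0, f, /[ \t][ \t]+/)
        if (n >= 4 && f[1] == key) print f[3], f[4]
    }'
}

# $1: mcxquery output, $2: effective askForPassword value (0 or 1).
# Exit status: 0 = managed value is in effect, 1 = managed but not in effect
# (the 10.6 behaviour above), 2 = key not managed at all.
audit_require_password() {
    managed=$(printf '%s\n' "$1" | mcx_lookup "Require Password")
    if [ -z "$managed" ]; then
        echo "Require Password: not managed by MCX"
        return 2
    fi
    freq=${managed%% *}
    want=${managed#* }
    if [ "$want" = "$2" ]; then
        echo "OK: managed ($freq) = $want, effective = $2"
        return 0
    fi
    echo "MISMATCH: managed ($freq) = $want, effective = $2"
    return 1
}

# Run the audit against the live Mac this script is executed on
# (a missing preference key counts as 0, i.e. no password required).
audit_this_mac() {
    effective=$(defaults -currentHost read com.apple.screensaver askForPassword 2>/dev/null || echo 0)
    audit_require_password "$(mcxquery)" "$effective"
}

# Constructed sample, copied from the mcxquery listing above, for offline use.
MCX_SAMPLE='    idleTime           everything (Computer Group)   often   840
    modulePath         everything (Computer Group)   once    /System/Library/Screen Savers/Flurry.saver
    Require Password   everything (Computer Group)   always  1
    showClock          everything (Computer Group)   once    1'
```

Call audit_this_mac on a client to run it for real; a non-zero exit status from a fleet-wide run is the list of machines where the policy is not actually enforced.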

After a bit more typing, clicking, logging out, logging in, rebooting, Googling, much review of Apple’s discussion boards and much more harsh language, it appears that it may be quite impossible to enforce this trivial enterprise security policy on OS X 10.6 using the Apple-supplied tools for managing OS X clients.

What? Really?

Granted, I only have about 35 or 40 enterprise Macs floating around the office, but how should we enforce our corporate security policy — and we aren’t the only company that uses this seemingly trivial feature — effectively when security has been lessened in the newer version of OS X?

Did the designers and engineers just decide, “Hey, this is the new version — let’s make it less secure to discourage people from using the product even more”?

WTF, Apple?

Back to research mode, I suppose.