Troubleshooting Managed Preferences

Similar Messages

• OS X Server 3.0.1 and OS X Mavericks: Managed Preferences not Removing on Mac After They are Removed from Server

  I just upgraded my server to OS X Server 3.0.1 and am testing changing some managed preferences on my MacBook Air with OS X Mavericks.  Initially from the upgrade the security & privacy and users & groups is disabled.  I changed the settings in profile manager, and the push was successful.  I then restarted my macbook air, and after logging in, it stalls and says "Updating Managed Preferences..."  it stalls for about one minute and then logs in.  Those preferences that I allowed in Profile Manager are still grayed out as if the preferences are not updating.  Has anyone see this or have any idea how to troubleshoot?
  Thank you.
  Mikel

  Brandon Macinnis wrote:
  Dnar,
  Thanks for the follow up bit about using the smbutil statshares command.  I used that and could confirm that I am also able to force it to connect with smb2.  Oddly though, in the stat share info it still says "AUTO_NEGOTIATE"
                                SMB_NEGOTIATE                 AUTO_NEGOTIATE
                                SMB_VERSION                   SMB_2.1
  But maybe that just means something else and not the fact that it did not auto negotiate to SMB.  I guess for now this will be what I have to do to use smb2.
  I think in this case the AUTO_NEGOTIATE merely means it will auto negotiate a connection between SMB1, SMB2, and (from your data) also SMB2.1 this would have nothing to do with auto negotiating between SMB2 and AFP, which from this thread appears broken.
  I also would like to thank Brandon for the tip about smbutil statshares, I had been looking for a simple way to tell what version of SMB was being used to test my NAS.
  For everyone's benefit, it would appear from the above that whilst Apple advertise Mavericks as using SMB2 they have gone as far as implementing SMB2.1 and merely list it only as SMB2 for simplicity and due to the fact there is not a huge different between SMB2 and SMB2.1
  See http://en.wikipedia.org/wiki/Server_Message_Block#SMB_2_and_3

• Leopard/AD integration- Managed preferences in OD questions

  I have issues and questions with “golden triangle” set up.
  Leopard 10.5.7 Server (already found the serial number snafu of upgrading to 10.5.8, and backed up a notch)
  I have followed the Bombich “Leveraging” guide and have gotten to where it appears things are supposed to be. Yet things are not working as expected:
  DNS lookup works both ways.
  My OD Server has been bound to AD.
  enabled Kerberos SSO.
  Klist –ke shows me lists of services services@ADkerberosrealm
  When I do the read /Library/Preferences/com.apple.AppleFilServer kerberosPrincipal I see my ODservername@ADkerberosrealm.
  So I Promoted server to to an OD master
  Question: At this point is Kerberos supposed to be running on the OD server? It’s just using AD Kerberos info, not acting as an independent KDC at this point? It’s currently listed in Server Admin as not running.
  Which may lead to my other issues:
  Even though things appear to be setup correctly, and I can bind AD bound Leopard client computers (10.5.7) to OD,
  Managed Preferences is a haphazard and frustrating thing.
  If I add an AD/ OD bound client to a Computer group and manage say a few dock items- add a few, subtract a few for that group, no items in the client dock are removed, and sometimes(only sometimes) is an added item reflected in the dock.
  Yet if I add a managed Login screen text Message- that shows up on the login screen.
  Managing an individual computer instead of a group fares little better.
  We need to manage groups of teachers on Mac clients with AD authentication by building location, and computer groups was the way that worked well in Tiger. But leopard clients didn’t play nice with the Tiger server. So I Upgraded (actually a clean install) to Leopard server and started from scratch to build an Leopard Golden Triangle with AD.
  I am still at the point where it would annoy me but not inconvenience me horribly if I were to have to reinstall and start again, but as the start of school draws closer I’d R-E-A-L-L-Y like to get this working.
  Any suggestions would be greatly appreciated.
  Thanks In Advance

  dvatech wrote:
  If I add an AD/ OD bound client to a Computer group and manage say a few dock items- add a few, subtract a few for that group, no items in the client dock are removed, and sometimes(only sometimes) is an added item reflected in the dock.
  Yet if I add a managed Login screen text Message- that shows up on the login screen.
  Go back and check DNS. Make sure forward and reverse both work. If DNS doesn't work, MCX will not work.
  sudo changeip -checkhostname
  Kerberos needs to be running from AD, not OD. Also, as stated, you have to have OD first, then AD in your search path so it will use the MCX.
  This is another issue I am dealing with. Not sure if this has been resolved. I was working on OS X 10.5.8 Server and had issues managing Computer Groups.
  http://www.afp548.com/forum/viewtopic.php?showtopic=23022
  Message was edited by: chrisjuno

• 10.5 Client refuses to authenticate Kerberos or obey managed preferences

  I am sure this has come up time and again, but a search in the forums has not come back with a work around.
  I am running Tiger Server 10.4.11 as an OD master serving up portable accounts in a mixed Tiger and Leopard Client Environment. I just did a Leopard upgrades on two MacBooks that were previously bound to the OD server when running Tiger.
  Upon completing the upgrades I have found two things:
  1) Local and network users working on the laptops are no longer being challenged for a kerberos ticket to authenticate to network shares served up by the 10.4 server
  2) Managed preferences for users as well as the clients are no longer being obeyed by the Leopard upgraded clients.
  Everything works as it should on my Tiger Clients connecting to the server.
  I have flushed the kerberos plists and rebound the Leopard clients to no effect, except to see some managed preferences on the login screen that somehow were honored in the upgrade be rolled back to factory defaults.
  I know that Apple has made a lot of changes in Leopard, but is there any known work around to get Leopard to pull kerberos tickets from the server and obey managed preferences? I am not yet ready to make the upgrade to Leopard server with a stable server environment already in place.
  Seems to me there should be some sort of workaround.
  Help!
  TIA,
  Art
  Message was edited by: MacWay

  Turns out it was a time synch issue. I discovered this without any help from the forums.

• Bad managed preferences that won't go away

  On one client machine, a deleted /Library/Managed Preferences/ folder keeps coming back, with incorrect user preferences, although:
  - I have unbound, rebound and unbound the machine from the server;
  - The machine is currently unbound;
  - I have repeatedly deleted the /Library/Managed Preferences/ folder
  - I have deleted every mxc or managed plist from the user's preferences folder
  - I have deleted the ~/Library/Preferences/com.apple.mcx.manifests/ folder
  What am I missing?
  SL server and client.

  It sounds like you have some managed preferences setup in Workgroup manager. Are you using a network user account?
  Remember managed preferences can be defined by user, user group, computer or computer group.
  The best way to check your preferences is to look at all those options that apply to the user and / or computer you are having problems with. Open workgroup manager and select the user, group, computer or computer group and then click on "Preferences" up the top. If there are any preferences that have been defined for that record then it should be indicated by an icon that looks like the mouse cursor with a greyish circle in the background. Clear any unwanted preferences and try again.
  The ~/Library/Managed Preferences/ folder will regenerate itself when you login. This is why deleting this doesn't do anything.
  If this doesn't solve your problem, can you please be more specific about what preferences that you are having problems with. What is or isn't happening that you do or don't want to happen?
  Hope that helps.

• "Application not supported" but only in Managed Preferences

  Using  Server 10.9.1  and OSX 10.9.1.
  If I open the client computer locally and go to Applications, I can launch the application.
  However if I log in as a networked user with managed preferences, the application is greyed out and I get the "You can't open the application because it is not supported on this type of Mac".
  there are no other copies of the aplication on the server.  I have

  Posting got cut off.. sorry.
  There is only one copy of the application on both the Server and the Client.
  Any ideas?
  Thanks
  Mitch

• Mobile account managed preferences sync rules not applied

  Hello everyone!
  I am testing out mobile accounts and home sync on a few of the machines I have. My goal is too use mobile accounts as a way to backup small documents. I have many preference and Home sync rules applied to a group. All the machines I have added to this group seem to recognize these rules, but one machine does not. It is syncing folders and file types that I have excluded. I have checked the users managed preferences file and it appears to be correct, yet when I start a sync it does not appear to follow it's own managed preferences.
  One thing I should add is that these machines have been using plain old local accounts and I have been migrating them to mobile accounts using this method:
  http://www.macenterprise.org/articles/migratingalocalusertoanetworkuser
  This method seems to work great except for the fact that the users preferences like the dock don't appear to be carried over.

  Did you ever solve this? I have just started testing this in our office as well. It appears I have a machine that does not appear to obey the rules ether. I am also migrating local accounts to mobile accounts.

• Publish client print queues as managed preferences?

  Hello,
  I followed the documentation from Papercut NG on Mac printing, section Publishing the printer via Workgroup Manager to get the defined print queues for my client machines published as managed preferences.
  I set up the print queues on the server. On the client, I configured the server print queues using the local Administrator account and printed successfully a few test pages. I then logged in with an Open Directory account with admin privileges. I then open Workgroup Manager, select a Computer Group, click Preferences, select Printing. I enable Manage Always, but the list of Available Printers remains empty, contrary to what the screenshot tells me from the referred article.
  Environment:
  + Snow Leopard Server 10.6.1 on a MacMini.
  + Snow Leopard 10.6.1 on a MacPro.
  Am I missing something?
  Ringo

  Hello,
  I followed the documentation from Papercut NG on Mac printing, section Publishing the printer via Workgroup Manager to get the defined print queues for my client machines published as managed preferences.
  I set up the print queues on the server. On the client, I configured the server print queues using the local Administrator account and printed successfully a few test pages. I then logged in with an Open Directory account with admin privileges. I then open Workgroup Manager, select a Computer Group, click Preferences, select Printing. I enable Manage Always, but the list of Available Printers remains empty, contrary to what the screenshot tells me from the referred article.
  Environment:
  + Snow Leopard Server 10.6.1 on a MacMini.
  + Snow Leopard 10.6.1 on a MacPro.
  Am I missing something?
  Ringo

• IChat and Managed Preferences

  Has anyone gotten iChat to auto configure an account using Managed Preferences in Workgroup Manager?
  I've gotten Mail.app to auto configure an account for users using Managed Preferences, but I've had no luck with iChat (or iCal).

  I have it working in my setup. I don't use the iChat server but an external XMPP server ( Openfire in my case ).
  I created a plist call com.apple.iChat.Managed with property list editor.
  This is what it looks like in xml.
  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
  <plist version="1.0">
  <dict>
  <key>XMPPAccount</key>
  <dict>
  <key>AllowSelfSignedSSL</key>
  <true/>
  <key>AutoDiscoverHostAndPort</key>
  <true/>
  <key>LoginAs</key>
  <string>%@@fqdn-of-im-server-here</string>
  <key>ServerHost</key>
  <string>fqdn-of-im-server-here/string>
  <key>ServerPort</key>
  <integer>5222</integer>
  <key>ServerSSLPort</key>
  <integer>5223</integer>
  <key>UseKerberos5</key>
  <false/>
  <key>UseSSL</key>
  <false/>
  </dict>
  </dict>
  </plist>
  Once I created the plist I then added it via workgroup manager to a default computer group I have. I hope that works for you.
  Cheers,
  Chris
  Message was edited by: Chris Silvertooth

• Server is suddenly using Managed Preferences on itself!!??

  I had to shut down our Xserve the other day as I needed to swap the UPS cable.
  When I restarted and logged in, I immediately noticed something wrong.
  The dock was populated with applications that our managed users have set in WGM, it is also asking for passwords to delete files that before I could delete straight away.
  There is also now a Managed Preferences folder in /Library which seems to have caused this, but if I delete it gets re-created on next log in. I have logged in as the same Admin user that I always use on the server, and this user is not in the WGM list, where on earth are these managed preferences suddenly coming from??

  Sorry Kevin, but I'm not referring to Users & Groups, but Computers.
  In Workgroup Manager, when you are looking at the user list, there are four tabs per se: Users, Groups, Computers, Computer Groups. You can manage preferences for any and all of these entities.
  You seem confident that you aren't managing prefs for the logged in User or that User's Group, so you should see if you are managing prefs for the server as a Computer. So, go to the Computer tab, choose your server, if its present, and view Preferences to see if any prefs are managed.
  Additionally, check to see if your server is a member of any of the Computer Groups and if they have any managed prefs.
  Lastly, there is a function to have a Guest COMPUTER account. If this is enabled, it will be on the Computer tab and if your server isn't defined, it might be inheriting the guest preferences.

• Time machine sharepoint and managed preferences

  I have added a share point as a time machine backup destination, and it shows up with Bonjour users. But I am setting up some machines with managed preferences, and I add the time machine volume in the time machine managed preferences pane, and supply the whole network path (afp://server.com/TimeMachine).
  The settings are added to the managed machine, but it can't mount the backup destination. Gives me error "The backup disk is not available".
  This error doesn't show when the disk is manually chosen in Time Machine preferences on non-managed computers.
  Any ideas?

  it sounds like you are using an OS X server. I suggest you post in the Snow leopard server forum
  http://discussions.apple.com/category.jspa?categoryID=264
  and please fill in your profile to indicate what hardware and software you are running.

• Managed Preferences issue

  I have an unusual problem. My managed preferences are coming down perfect from my server. I am running 10.6.6 on the server. 10.6.5 on the client machines. I'm not running any machine based policies, just user based. When I set one of the preferences (System preferences) to keep users out of the "accounts" and out of the "sharing", What happens is that is greys out on the client machines the "other" section in the system preferences. This is the only issue that I am experiencing, problem is that some software that we run (macaroni, keyaccess..etc) the preferences for them, sits in the "other" section. Any advice?

  Hi
  Did you apply the MCX on the Server itself? If you did try installing WorkGroup Manager on a client workstation that has those extra Preference Panes installed. You should then be able to access the Others section.
  Installing WGM on a designated client admin workstation is the preferred way of applying MCX.
  Tony

• Managed Preferences for network proxy overides location

  Hi
  We set the network proxy via network preferences. Unfortunately the settings seem to overrides the location. When a user takes a laptop home it will still attempt to use the proxy even though the "Home" location that we setup in the network does not have a proxy set.
  Is this the normal behavior?
  Tim

  timlegge wrote:
  Hi
  We set the network proxy via network preferences. Unfortunately the settings seem to overrides the location. When a user takes a laptop home it will still attempt to use the proxy even though the "Home" location that we setup in the network does not have a proxy set.
  Is this the normal behavior?
  Tim
  I had a quick look at the Managed Preferences options for proxies in Workgroup Manager under Snow Leopard Server.
  It does not show any reference to locations in this, so my guess is that when you use this option it will either apply to the currently active location on a client, or it will apply to all locations defined on the client. Neither possibility would be desirable for you.
  If you have not already, you could try using the "Auto Proxy Discovery" option, which was introduced with Snow Leopard (and is not available in earlier versions). This is not the same thing as "Automatic Proxy Configuration".
  I have not seen any official documentation from Apple, but my guess is that "Auto Proxy Discovery" may use WPAD (Web Proxy Auto Discovery) and if so is suitable for your needs and would answer a feature request I sent to Apple in the past. Your client computers would use either DHCP or the local DNS to 'find' the proxy server. When out of the office they would not get this information or would get someone else's different proxy server and hence still be able to use the Internet.
  Note: If "Auto Proxy Discovery" does use WPAD, then you will need to set up your DHCP and/or DNS servers appropriately. You will also still need a webserver to serve up the PAC file. WPAD uses DHCP option code 252, and thanks again to one of my previous feature requests, Apple's DHCP server does allow you to add extra DHCP option codes. (This has to be done by manually editing /etc/bootpd.plist)

• Application Manager Preferences requires an "Install Location"

  Application Manager Preferences requires an "Install Location". Is the "Location" for the Application Manager itself or for the programs it installs? My Win 7 64 bit OS has two separate program files locations for 64 bit and x86 programs. Which do I use?

  I await your instructions, but if it involves getting "under the hood" with the database settings, I'd rather not. Really this situation should not even be allowed to occur in the first place. If there was any explanation as to what the "location" field means in the UI, then obviously most peaople would leave it well alone unless they know what they are doing. As it is it just looks like a blank field which is REQUIRED to be filled. The developers NEED to get on to this quickly and sort it out! It is a VERY shoddy UI design. And as a result there is now a need for a reset option, also required urgently.

• Managed Preferences Issues

  I'm working with a lab of old eMacs with 10.4.11 installed. They say their local Student accounts are currently managed by the Mac OS X Workgroup Manager application. I've checked our OS X servers, though, and they don't appear to be listed anywhere in their Workgroup Managers.
  This wouldn't be a problem, except some of the computers are refusing to let me override the management settings. System Preferences just freezes up whenever I try to change them. Even if I disconnect them from the network, they still give the same error & freezes. On top of that, the few computers I've managed to override the managed preferences might be having their managed preferences changed by... something.
  I have 2 questions:
  1. How can I learn where an account's Managed Preferences are coming from?
  2. How do I unlock/remove trouble Managed Preferences?

  Hello Jeff
  Simply as a reminder but In 10.4 and earlier that particular application was known as Directory Access. Perhaps OP does not realise this and is looking for something else?
  I could be wrong but it seems to me OP is saying WorkGroup Manager is installed locally on each of the affected client workstations. In which case this will be locally applied MCX using the appropriate tools in WGM. This is something that's perfectly feasible and possible. I do it all the time in smaller (less than 10) OD environments when there's no need/budget for OSX Server.
  If this is indeed the case then launch WorkGroup Manager on each workstation, dismiss the initial connection window - click Cancel - click on the Server Menu and select View Directories. You should then be looking at the local node with users listed. Authenticate as the local administrator and inspect what MCX has been applied to each local user. It's been a while but I'm not sure if you could apply MCX to local groups using this method? Depending on how this was set up you'd probably have to do this for each local account on each workstation in turn?
  Additionally cached information for MCX may either be in/Library/Managed Preferences as well as the NetInfo Database. The NetInfo Utility can be found /Application/Utilities - the same place where you'll find Directory Access. Authenticate using the local admin and select the config container and delete anything to do with mcx that's listed. Alternatively you could use the command line utility "nicl" - similar to "dscl" - to achieve the same result. Restart afterwards into safe mode and on login empty the trash and restart again. You'd have to do this for each workstation in turn. If you have ARD available you could use this instead if you want to save yourself some leg-work?
  Hopefully this will get things back on track?
  Tony