More about the display appliance

The project I’m working on, mentioned in the post on Bluetooth preferences, has presented a number of interesting OS X management challenges. We’re installing a number of large LCD and plasma screens, each connected to a Mac mini, which will display either QuickTime movies or PowerPoint presentations full-screen.

It is important that the “computer” disappear as much as possible, and that it require very little attention. Here are some configuration details:

  • Energy Saver set to automatically restart after power failure.
  • Energy Saver set not to sleep the display or machine ever
  • Auto-login a predetermined user
  • Script to play the current QuickTime movie or Keynote presentation fullscreen – this script should restart the movie/presentation if it gets stopped or exits full screen
  • AppleShare and SMB dropbox to upload new content
  • Web interface to control what content is displayed

All of these things could be configured manually for each machine. But then you have to remember to do it, document it, and apply changes consistently. And if one of the Mac minis dies and you have to replace it, you have to remember to do all the configuration steps on the replacement machine.

So it’s better to encapsulate the configuration into a set of files and scripts to install – this way you get consistent results. And if you have a management system like radmind at your disposal, all the better.

Let’s look at how to solve some of the configuration issues.

Energy Saver preferences

Use the pmset utility:


#!/bin/sh
# configure EnergySaver:
# no display sleep, no disk sleep, no system sleep, auto restart after power failure
/usr/bin/pmset -c displaysleep 0 disksleep 0 sleep 0 autorestart 1 dps 0

Auto-login a predetermined user

Use the defaults command to configure the login window. Set AUTOUSER to the short name of the user to log in automatically, and AUTOUID to that user’s UNIX UID number. This account must already exist. We can script the creation of the account, if needed.


#!/bin/sh
# UID is a read-only variable in bash (which is /bin/sh on OS X),
# so the UID number is kept in AUTOUID instead.
AUTOUSER="shortname"
AUTOUID=502
/usr/bin/defaults write /Library/Preferences/com.apple.loginwindow autoLoginUser -string "$AUTOUSER"
/usr/bin/defaults write /Library/Preferences/com.apple.loginwindow autoLoginUserUID -int "$AUTOUID"

There’s one more step needed, and one that’s not (easily) directly scriptable. The password for the autologin account is encrypted and kept in this file: /private/etc/kcpassword. You’ll need to generate this file (the easiest way is to manually set a machine to autologin as this user, then make a copy of the file), then figure out a way to copy this file to the right place. I use radmind for this task, but it could be done other ways. You can’t easily use a script to generate this file directly unless you can figure out how to encrypt it.
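
One way to handle the copy step, as an added example that is not part of the original post: the script below installs a staged copy of kcpassword without leaving it readable by other users at any point, then checks the result. The function names and arguments are hypothetical, and mode 600 with a root owner (UID 0) is an assumption to confirm against the file on the reference machine.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and arguments are
# hypothetical. Mode 600 with a root owner is an assumption: confirm it against
# the kcpassword on the reference machine.

# audit_kcpassword FILE EXPECTED_UID
# Prints one finding per line; returns 0 only when there are none.
audit_kcpassword() {
    f=$1 want_uid=$2 rc=0
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "not-a-regular-file"; return 1
    fi
    [ -s "$f" ] || { echo "empty"; rc=1; }
    # ls -ln prints mode and numeric owner on both BSD (OS X) and GNU systems.
    listing=$(ls -ln -- "$f")
    perms=$(printf '%s\n' "$listing" | cut -c2-10)
    uid=$(printf '%s\n' "$listing" | awk '{print $3}')
    [ "$perms" = "rw-------" ] || { echo "mode:$perms"; rc=1; }
    [ "$uid" = "$want_uid" ] || { echo "owner:$uid"; rc=1; }
    return $rc
}

# deploy_kcpassword SRC DEST EXPECTED_UID
# Copies SRC to DEST without ever exposing it with loose permissions, then
# audits the result. Run as root with DEST=/private/etc/kcpassword.
deploy_kcpassword() {
    src=$1 dest=$2 want_uid=$3
    if [ -L "$src" ] || [ ! -s "$src" ]; then
        echo "bad-source"; return 1
    fi
    tmp="$dest.tmp.$$"
    # The subshell keeps the restrictive umask from leaking into the caller.
    ( umask 077 && cp "$src" "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$dest" ) || {
        rm -f "$tmp"; echo "copy-failed"; return 1
    }
    audit_kcpassword "$dest" "$want_uid"
}
```

Any finding printed by the audit means the machine should not go into service until the file is fixed; the same audit can be run on its own against machines that are already deployed.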

(In actuality, there is no need to auto-login a user in order to play QuickTime or Keynote content fullscreen. If you have a cron or launchd script that runs as root, you can launch QuickTime Player or Keynote while the machine is at the loginwindow! But this looks very strange, and could be a security risk, because when the machine is in this state, you can access System Preferences as root!)

I’ll cover more of the configuration in future posts.


4 thoughts on “More about the display appliance”

  1. Gary says:

    This is interesting stuff, watching over the shoulder of a more experienced administrator… I’m familiar with some of what you’re doing, while other bits are new to me. I hope to be able to pick up some useful tips now and again.

    Thanks for taking the time to share. 🙂

  2. Thanks for the comment. I expect that some of the stuff I post will have no application to anyone but me. But I hope that some of the things I write will help someone, somewhere!

  3. Jaharmi says:

    We found the kcpassword and have used that in a slightly different situation — an area that is a cross between a kiosk and computer lab. Having computers there auto log in to a “guest” account was preferable to requiring, say, Active Directory logins — because user-specific logins would slow down the flow of customers.

    By capturing the changes in the kcpassword file, you could deploy that same kcpassword to several computers. I’d strongly recommend that you take every precaution in this, however, as it is slightly different than using one generic directory service account on all of them.

    You’ll want to prevent ssh logins for that user. You’ll want to restrict what it can do in the GUI, possibly with Tiger’s Parental Controls feature. And you’ll want to set a very secure password — not a null/blank password, since someone could use that for a local privilege escalation — and my tool of choice for that is the Keychain Access Utility. (Choose File > New Password Item and click the key icon to get the password assistant dialog, and you’ll have a few different schemes to generate passwords, as well as the ability to choose a length. Pick the longest password.)

  4. […] More about the display appliance « Managing OS X. Post from the blog "Managing Mac OS X" explaining how to use scripts (which can later be launched with tools such as Apple Remote Desktop, if you have to manage tens or hundreds of machines) to configure a machine that must always stay powered on (restarting after a power loss), including not turning off or dimming the display, logging directly into a given user account, and launching a presentation or movie. […]
