Create a Hidden Administrator

I like to hide the administrator account from prying eyes. This adds to the security of the machine by not making it obvious which accounts exist on it.

To do this you need to do a number of things. First of all, log in to the Mac with an admin account.

Go to System Preferences, then Accounts, then click on Login Options & change the following options

Display login window as : Name and password
Disable Automatic Login

Next, either create a new admin account to hide, or edit and hide an existing one.

Now, right-click (CTRL Click) on the account you wish to hide and choose Advanced Options

Set the User ID to a number less than 500. I usually use one between 490 and 499, as there are a few system accounts that use the lower numbers, so check that the ID you pick is not already in use.

Now change the Home directory to somewhere nobody would think to look; a lot of people use /var/

It’s also a good idea to put a . in front of your home folder to hide it further, so the path would be /var/.admin

Now you need to move and rename your actual home folder. The easiest way to do this is with the Terminal, so open it up and type the following

sudo mv /Users/admin /var/.admin
sudo chown -R admin /var/.admin

Now you need to remove the Public and Sites folders from the new home folder. As you already have a Terminal window open, enter the following to remove them

sudo rm -R /var/.admin/Public /var/.admin/Sites

OK, now that's all done you need to make some changes to the loginwindow preferences. This can also be done in the Terminal, so enter the following

sudo defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool TRUE
sudo defaults write /Library/Preferences/com.apple.loginwindow HiddenUsersList -array admin

The first line hides any account with a User ID under 500, and the second adds your ‘admin’ account to the hidden users list

Test this by rebooting and logging in as a non-admin user, then go to System Preferences and then Accounts. If all is well, the admin account will not show up
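The Accounts pane check above is a manual one. As an added example (not from the original post), the shell script below does the same audit from the command line: it applies the two rules just described (Hide500Users hides every UID below 500, HiddenUsersList hides the names it contains) to a list of accounts and prints each account that would be hidden, with the reason. It reads "name uid" lines in the format `dscl . -list /Users UniqueID` prints; the sample list embedded here is constructed, and the comment at the bottom shows how to feed it the real dscl output and the values read back from com.apple.loginwindow.

```shell
#!/bin/sh
# Added example, not from the post: list the accounts that Hide500Users and
# HiddenUsersList would hide, so an administrator can audit a machine for
# accounts that do not appear in the Accounts pane.

# Constructed sample of `dscl . -list /Users UniqueID` output (name, then UID).
SAMPLE_USERS='_mbsetupuser 248
admin 495
daemon 1
root 0
alice 501
bob 502'

# hidden_accounts HIDE500 "LIST": read "name uid" lines on stdin and print
# "name uid reason" for every account the login window would hide.
# HIDE500 is the Hide500Users value (1 or 0); LIST is the HiddenUsersList
# contents as space-separated names.
hidden_accounts() {
    hide500=$1
    listed=" $2 "
    while read -r name uid; do
        [ -n "$name" ] || continue
        reason=""
        # rule 1: Hide500Users hides every account whose UID is below 500
        if [ "$hide500" = 1 ] && [ "$uid" -lt 500 ]; then
            reason="uid<500"
        fi
        # rule 2: any name in HiddenUsersList is hidden regardless of UID
        case $listed in
            *" $name "*) reason="${reason:+$reason,}listed" ;;
        esac
        [ -n "$reason" ] && printf '%s %s %s\n' "$name" "$uid" "$reason"
    done
    return 0
}

# Dry run on the constructed sample with the settings the post uses.
# On a real machine:
#   dscl . -list /Users UniqueID | hidden_accounts \
#       "$(defaults read /Library/Preferences/com.apple.loginwindow Hide500Users)" \
#       "$(defaults read /Library/Preferences/com.apple.loginwindow HiddenUsersList | tr -d '(),\n')"
printf '%s\n' "$SAMPLE_USERS" | hidden_accounts 1 "admin bob"
```

Run against the sample it prints five lines: the four accounts below UID 500 (admin showing both reasons) and bob, who is only in the list; alice is not hidden by either rule.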

Now log out and log in as the hidden admin user. I tend to put some applications on the Desktop of this hidden account, just ones that I’d rather the end user of the machine not use, as they have the potential to break their machine if not used correctly (I once had a user use OnyX to display hidden files and then delete mach_kernel, as they didn’t recognise the file and thought it could be a virus), so I now keep these out of their reach

Command Line System Config

To change a number of system settings via the command line you can use the systemsetup command in Terminal

For example, to change a computer's name you would enter the following

First, find out the current name

sudo systemsetup -getcomputername

then, if it's not to your liking, enter

sudo systemsetup -setcomputername "iAM_iMac"

This will change your computer name to iAM_iMac. I don’t like spaces in names so I substitute them with underscores (_), but you can call the machine anything you wish.

Another useful option is setting a network time server. To do this, enter the following

sudo systemsetup -setnetworktimeserver ntp0.itsallmacademic.com

In my example my Mac will now try to get its time from ntp0.itsallmacademic.com. You will need to replace this with your own time server, as there is no time server at the above address.

I don’t like power failures, and the most annoying thing is having to boot up all the machines that are essential to the day-to-day running of the company. To get around this irritation I do the following on all my Mac servers

sudo systemsetup -setrestartpowerfailure on

This sets the machine to boot itself up after a power failure, as all good servers should

If you wish to see the full range of commands at your disposal enter this

systemsetup -help

Command Line Network Configuration

To change network settings from the command line you can use the following commands in Terminal.

First you will need to find out which services are available to configure; you do this by typing

sudo networksetup -listnetworkserviceorder

You will get varying results depending on the machine you run this on. On a MacBook Air, for example, you will get something like this

(1) Bluetooth DUN (Hardware Port: Bluetooth DUN, Device: Bluetooth-Modem)
(2) Wi-Fi (Hardware Port: Wi-Fi, Device: en0)
(3) Bluetooth PAN (Hardware Port: Bluetooth PAN, Device: en1)

On an iMac something like this

(1) Bluetooth (Hardware Port: Bluetooth, Device: Bluetooth-Modem)
(2) FireWire (Hardware Port: FireWire, Device: fw0)
(3) Ethernet (Hardware Port: Ethernet, Device: en0)
(4) AirPort (Hardware Port: Airport, Device: en1)

Now, to set a manual IP address on the Ethernet Port enter the following

sudo networksetup -setmanual "Ethernet" 10.1.10.2 255.255.255.0 10.1.10.1

The first number (10.1.10.2) is the IP address you wish to set, the second (255.255.255.0) is your subnet mask, and the third (10.1.10.1) is your gateway or router address. Obviously you would replace the details above with your own IP, subnet mask and gateway.
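A typo in the mask or gateway leaves the machine unreachable on that interface, which is awkward if you are doing this over SSH, so it is worth checking the three values agree before applying them. The shell script below is an added example (not from the original post): it looks the service up in the listing format shown above (a constructed copy of the iMac listing is embedded; the parser also accepts the two-line layout the real tool prints, with the "(Hardware Port ...)" part on its own line), rejects malformed addresses, non-contiguous masks and a gateway outside the subnet, and prints the networksetup command instead of running it. The service names, addresses and device names in it are the post's own; nothing else is assumed about the machine.

```shell
#!/bin/sh
# Added example, not from the post: sanity-check a manual IPv4 configuration
# and look up a service's device before handing the values to networksetup.

# Constructed sample of `networksetup -listnetworkserviceorder` output in the
# one-line form the post shows.
SAMPLE_ORDER='(1) Bluetooth (Hardware Port: Bluetooth, Device: Bluetooth-Modem)
(2) FireWire (Hardware Port: FireWire, Device: fw0)
(3) Ethernet (Hardware Port: Ethernet, Device: en0)
(4) AirPort (Hardware Port: Airport, Device: en1)'

# service_device NAME: print the Device of service NAME from the listing on
# stdin, or nothing if there is no such service. Handles both the joined
# layout above and the real tool's two-line layout.
service_device() {
    awk -v svc="$1" '
        /^\([0-9*]+\) / { name=$0; sub(/^\([0-9*]+\) /, "", name); sub(/ *\(Hardware Port:.*/, "", name) }
        index($0, "Hardware Port:") && name == svc {
            dev=$0; sub(/.*Device: */, "", dev); sub(/\).*/, "", dev); print dev; exit }'
}

# ip2int A.B.C.D: print the address as an integer; return 1 if it is not a
# valid dotted quad (four decimal octets 0-255, no leading zeros).
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*|0?*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# check_manual_ip IP MASK GATEWAY: return 0 only if all three parse, the mask
# is contiguous, and the gateway is a different host on IP's subnet.
check_manual_ip() {
    ip=$(ip2int "$1")   || { echo "bad IP address: $1" >&2; return 1; }
    mask=$(ip2int "$2") || { echo "bad subnet mask: $2" >&2; return 1; }
    gw=$(ip2int "$3")   || { echo "bad gateway: $3" >&2; return 1; }
    inv=$(( 4294967295 - mask ))      # host bits; a valid mask gives 2^n - 1
    [ $(( inv & (inv + 1) )) -eq 0 ] || { echo "non-contiguous mask: $2" >&2; return 1; }
    [ $(( ip & mask )) -eq $(( gw & mask )) ] || { echo "gateway $3 is not on the subnet of $1" >&2; return 1; }
    [ "$ip" -ne "$gw" ] || { echo "gateway equals the host address" >&2; return 1; }
}

# manual_ip_command SERVICE IP MASK GATEWAY: print the networksetup command
# from the post once SERVICE exists in the listing on stdin and the values pass.
manual_ip_command() {
    dev=$(service_device "$1")
    [ -n "$dev" ] || { echo "no such network service: $1" >&2; return 1; }
    check_manual_ip "$2" "$3" "$4" || return 1
    printf 'sudo networksetup -setmanual "%s" %s %s %s   # device %s\n' "$1" "$2" "$3" "$4" "$dev"
}

# Dry run on the constructed listing. On a real machine use
#   networksetup -listnetworkserviceorder | manual_ip_command Ethernet 10.1.10.2 255.255.255.0 10.1.10.1
# and run the printed command once it looks right.
printf '%s\n' "$SAMPLE_ORDER" | manual_ip_command Ethernet 10.1.10.2 255.255.255.0 10.1.10.1
```

The script only prints the command; applying it is left to you so that the check can be run from a script or over ARD without changing anything.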

To set DNS servers enter the following

sudo networksetup -setdnsservers "Ethernet" 8.8.8.8

Again, you would set them to your own DNS server, or you can use Google's Public DNS as I have in the example

And finally, to set your search domains, enter the following

sudo networksetup -setsearchdomains "Ethernet" itsallmacademic.com

And that's all there is to it

For a full list of configuration options type

man networksetup

Firmware Password Utility

As every good system administrator should, I set firmware passwords on all my Macs.

But one of the frustrations caused by this security precaution is that when you want to boot a Mac into Target Disk Mode, you first need to boot from an installation disk and then run the Firmware Password Utility

To get around this, I keep a copy of the Firmware Password Utility on all my Macs (you could put one on a USB stick if you wish)

This is done by following these steps

1. Insert a Mac OS X Installation DVD into your Mac

2. Open Terminal and type the following

cp -R "/Volumes/Mac OS X Install DVD/Applications/Utilities/Firmware Password Utility.app" ~/Desktop

3. Now you can run the utility from your desktop

Also, if you are setting up multiple Macs and wish them all to use the same firmware password, you can do the following to push it to all machines

1. Set it manually on one machine using the utility mentioned above

2. Open Terminal and type the following

sudo nvram security-password

You will get output similar to this

security-password %cd%f8f%bd%98%87%c5%

This is your encoded firmware password, which you can now deploy via Apple Remote Desktop, SSH, or a script. Since any administrator can read it back this way with sudo, treat the encoded value as carefully as the password itself.

Please note, this will only work on Intel Macs

To deploy it to other Macs, enter the following into Terminal, either locally, via SSH, ARD or another deployment solution

sudo nvram security-password=%cd%f8f%bd%98%87%c5%
sudo nvram security-mode=command

Apple Software Update Server – Client configuration

To switch a Mac client from collecting its updates from Apple to your Software Update Server, you will need to apply the following to the client machines

Open Terminal and paste the following text into it

For 10.7

sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL http://YOURSERVERNAMEHERE:8088/index-lion-snowleopard-leopard.merged-1.sucatalog

If running from Apple Remote Desktop, you can send the following UNIX command as the root user

defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL http://YOURSERVERNAMEHERE:8088/index-lion-snowleopard-leopard.merged-1.sucatalog

For 10.6

sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL http://YOURSERVERNAMEHERE:8088/index-leopard-snowleopard.merged-1.sucatalog

or, if running from ARD, you can send the following as the root user

defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL http://YOURSERVERNAMEHERE:8088/index-leopard-snowleopard.merged-1.sucatalog

For 10.5

sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL http://YOURSERVERNAMEHERE:8088/

again, if running from ARD, you can send the following as the root user

defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL http://YOURSERVERNAMEHERE:8088/

To confirm that this has worked, run Software Update on the client; it should show your server's name in the window while it checks for updates.
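Watching the Software Update window works for one machine; for a fleet it is easier to read the key back and compare it with what it should be. The shell script below is an added example (not from the original post): given the server name, the version string as `sw_vers -productVersion` prints it, and the current CatalogURL as `defaults read` returns it (empty when the key is absent, meaning the client still uses Apple), it reports whether the client points at the right catalog for its release, at the wrong catalog on the right server, or at another server altogether. The three catalog URLs are the ones above; the server name sus.example.com and the fleet lines at the bottom are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the post: check a client's CatalogURL against the
# catalog the post gives for its release and the server it should be using.

# expected_catalog_url SERVER VERSION: print the catalog URL for a release,
# using the three catalogs from the post. VERSION is what
# `sw_vers -productVersion` prints, e.g. "10.7.4".
expected_catalog_url() {
    server=$1
    major=$(printf '%s\n' "$2" | cut -d. -f1,2)   # "10.7.4" -> "10.7"
    case $major in
        10.7) echo "http://$server:8088/index-lion-snowleopard-leopard.merged-1.sucatalog" ;;
        10.6) echo "http://$server:8088/index-leopard-snowleopard.merged-1.sucatalog" ;;
        10.5) echo "http://$server:8088/" ;;
        *) echo "no catalog known for $2" >&2; return 1 ;;
    esac
}

# catalog_status SERVER VERSION CURRENT: CURRENT is what
# `defaults read /Library/Preferences/com.apple.SoftwareUpdate CatalogURL`
# returns, or empty when the key does not exist (the client uses Apple).
# Prints one word: ok, apple, wrong-server or wrong-catalog.
catalog_status() {
    want=$(expected_catalog_url "$1" "$2") || return 1
    cur=$3
    if [ -z "$cur" ]; then
        echo apple
    elif [ "$cur" = "$want" ]; then
        echo ok
    else
        curhost=${cur#http://}          # strip the scheme ...
        curhost=${curhost%%[:/]*}       # ... and everything from the port or path on
        if [ "$curhost" = "$1" ]; then echo wrong-catalog; else echo wrong-server; fi
    fi
}

# Constructed fleet report: "hostname version current-CatalogURL" per line
# (an empty third field means `defaults read` found no key).
FLEET='imac01 10.7.4 http://sus.example.com:8088/index-lion-snowleopard-leopard.merged-1.sucatalog
mba02 10.6.8
mini03 10.7.3 http://sus.example.com:8088/index-leopard-snowleopard.merged-1.sucatalog
imac04 10.5.8 http://old.example.com:8088/'

printf '%s\n' "$FLEET" | while read -r host ver cur; do
    printf '%-8s %-7s %s\n' "$host" "$ver" "$(catalog_status sus.example.com "$ver" "$cur")"
done
```

Collecting the three inputs per machine is a one-line ARD or SSH command; `defaults read` exits non-zero when the key is missing, so pass an empty string in that case.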

To remove a machine from a local Apple Software Update Server (ASUS) and have it collect updates from Apple again, type the following into the Terminal

sudo defaults delete /Library/Preferences/com.apple.SoftwareUpdate CatalogURL

or, if running from ARD, do the following as the root user

defaults delete /Library/Preferences/com.apple.SoftwareUpdate CatalogURL