Road to Mac OS X Leopard: Parental Controls and Directory Services
Microsoft's Windows Registry
DOS PCs had no standardized system for organizing configuration files, commonly called INI files. With the introduction of Windows 3.0, Microsoft introduced a simple registration database for cataloging these application details. In Windows 95, this expanded into the Registry, which served as a database for all user and system preferences, machine configuration, required installation information for all applications, and other details.
The Registry was intended to organize and manage all of the settings information in Windows. It was designed to separate user-related settings from machine-related configuration, limit access to settings with user permissions (starting in Windows NT), and allow network administrators to set Group Policy, which enforced certain settings based on the user's group membership. For example, administrators could use Group Policy to prevent certain users from changing desktop settings or installing applications apart from those provided, or to pre-configure their desktop environment to display file servers and set the printers they need to access, based on their group definitions set up on their NT Domain Controller.
The problem with the Registry is that it represents a single point of failure. If the database becomes corrupted, it wipes out the entire system. Unlike NetInfo, a Registry can't simply be rebuilt; a corrupt or damaged Registry typically requires the system to be reinstalled completely.
Its design also ties installed applications to a complex set of entries in the Registry, making it impossible to move applications between PCs; they have to be reinstalled. It also complicates removing an app, requiring an uninstallation process rather than just deleting the application. Many programs leave behind settings in the Registry anyway, and that can cause performance or reliability issues, because the entire Registry database is loaded into RAM while Windows is running.
It is also difficult and dangerous to manually edit the Registry, as there is no provision for documentation within the system, unlike most Unix config files. Microsoft warns users that editing the Registry, even with its supplied tools (below, Microsoft's Registry Editor), is done at the user's own risk because it is very easy to create an unusable system.
Preferences in Mac OS X
Rather than delivering a similar database system for preferences in Mac OS X, Apple instead improved upon the system used by NeXT for storing preferences in human readable text documents by specifying XML as the new file format for plist documents. XML provides a standard, defined structure for a text file that can be checked for integrity and efficiently parsed by the system.
This allowed plist files to remain as machine edited, human readable files in the file system; a file corruption only effects one plist, not a broad swath of the entire machine's configuration. Apple also maintained the expectation of Mac users that preferences could be deleted and rebuilt without creating problems.
In Mac OS X 10.2 Jaguar, Apple began migrating XML plist files to use a compressed binary format to save space. Users can still edit the documents using a supplied Property List Editor, or unpack the files individually when editing them from the command line manually. The Defaults command also automates the process of updating plist preference files.
Apple previously offered a product called Macintosh Manager that shuffled around preferences files for classic Mac OS users, essentially copying set preference files over the top of those already installed when the user logged in. This reset their environment as desired by network administrators.
In Mac OS X Server, Apple introduced Managed Preferences (below, within Workgroup Manager), which allows administrators to control the environment of network users similar to Microsoft's Group Policy. For any user or group of users in Open Directory, an administrator can set managed preferences that specify what applications can be launched; what items are placed in the Dock at login; network, printer, and accessibility settings; limit hardware operations such as the use of external hard drives or CD burners; and configure automatic Software Updates.
New In Leopard: Parental Controls
Apple has applied the idea of managed preferences from the server world to provide parents with a way to control settings for their children in Mac OS X Leopard. Parental Controls makes it easy to set up a limited user account. Options include setting up the account to use a "Simple Finder," which reduces the complexity of the Mac desktop into a kiosk-like view and hides away system files from tampering.
Parents can also set system restrictions that allow their children to only launch specific applications, or limit them from changing printer settings or from burning CDs. Content limitations (below), allow users to block dictionary words or webpages that they find objectionable. The web can be left unrestricted, set to automatically limit sites based on content filtering (which can be adjusted by manually adding a list of allowed or denied web sites), or restricted only to a given set of websites. By default, the latter option offers to let kids explore a selection of sites including Discovery, PBS, National Geographic, Disney, the Smithsonian; other sites can be added to the list.
Mail and iChat conversations can be limited to specific addresses, and time limits (above) can be defined to only allow access for a set amount of time per day on weekdays and on weekends. Bedtime settings limit computer use to specific on and off times, set for school nights and weekend nights. Logs can even record when the user account tries to access blocked web sites or unknown IM users, so parents can review the sites they are trying to access and give them permission (or try to determine why their kids are looking up how to build homemade fireworks).
New In Leopard: Employee Policy and Organizational Directory
Similar restrictions can be set in place in business environments using Workgroup Manager's Managed Preferences. In addition, password policy can be set in Server Admin (below) to define expiration of user accounts or to set minimum standards for the passwords users choose.
In addition, the accounts in Open Directory can also be fleshed out with full contact information, made available to organization users from the new Directory application (below). While Address Book can already plug into Directory Services to find contact information, Directory is designed specifically to browse users and groups within an organization. From Address Book, users can be allowed to share their local contacts with the organization, so that outside contacts can be listed in the company directory.
The new Directory app also provides a listing of company-defined locations or resources, such as meeting rooms or video projectors. These integrate with iCal to allow users to look up availability and schedule reservations, as described in Road to Mac OS X Leopard: iCal 3.0. Users and Locations can even be plotted on an organizational map.
Apple's Open Directory doesn't just apply to higher education and enterprise environments; Leopard Server is being targeted to small and medium sized businesses as an alternative to replacing an existing NT/2000 Domain with an expensive Active Directory infrastructure. Open Directory 4 also powers the user management behind major new Leopard features such as iCal Server, iChat Server, and Wiki Server, as noted in Road to Mac OS X Leopard Server: Collaborative Info Sharing Services. With Apple selling record numbers of new Macs, having a strong new server product will help continue its advance into new markets that the company hasn't really tried to compete in before.
Check out earlier installments from AppleInsider's ongoing Road to Leopard Series: What's new in Mac OS X Leopard Server, Dashboard, Spotlight and the Desktop, Safari 3.0, iCal 3.0, iChat 4.0, Mail 3.0, Time Machine; Spaces, Dock 1.6, Finder 10.5, Dictionary 2.0, and Preview 4.0.