Mac Management with CFEngine

The popularity of Apple products in the enterprise is growing, and in this quick video Diego Zamboni shows how to manage MacBooks with CFEngine. For those new to CFEngine and configuration management, the video also includes a short introduction to CFEngine.


Mac packages are currently offered on request to CFEngine Enterprise customers. If you are interested in evaluating CFEngine for your Mac environment, please contact us for access to the packages and a referral to our engineering team for any technical questions.


The lightweight CFEngine agent is installed locally on the MacBook and bootstrapped to the CFEngine policy server (the hub); from that point on the local agent keeps the machine in the state the policy describes, whether that concerns users, software, system settings or services.

Every five minutes (or whatever interval you configure), the agent fetches any policy updates, executes its latest set of configuration rules, and reports the machine's status back to the hub, giving the IT team an up-to-date view of every machine and the ability to make changes centrally.

CFEngine was designed for scalability, so whether you manage 10 or 50,000 MacBooks, you write the policy once in the declarative CFEngine language and let the agents do their job. The agent's small footprint means its runs do not disrupt the user's work.



Configuration Management

In this quick video tutorial, we demonstrate the following basic functionality of CFEngine:

  • Installation of CFEngine, through either the GUI installer or the command line.
  • Bootstrapping: the public-key exchange between the MacBook and the CFEngine server (the hub) that establishes the trust relationship over CFEngine's lightweight protocol. Note that the agent accepts the hub's key on first contact during bootstrap, and the hub accepts the agent's key only from addresses covered by its trustkeysfrom setting, so bootstrap on a network you trust and tighten trustkeysfrom once the hosts are enrolled.
  • User management: we set up a new local user on the Mac, give that user admin rights and install an SSH public key for key-based authentication.
  • Services: we ensure sshd is enabled and running on the system.
  • Security: we enable the local firewall, since the owner of this particular MacBook is known to work occasionally from a local coffee shop over public Wi-Fi.


Policy, control and validation in CFEngine

We’ll also quickly go through the actual policy that specifies the settings for this particular machine, including:

  • How to use bundles and classes to restrict configuration to a certain machine type (here Mac, selected with the darwin hard class).
  • How to organize multiple pieces of user data with an array and a variable.
  • How to view the status of the machine in the CFEngine Enterprise Mission Portal.
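The policy below is an added example, written for this page; it is not the policy shown in the video nor code from the CFEngine project. It ties together the steps listed above (local user with admin rights and an SSH key, sshd enabled, firewall on) and the policy techniques just mentioned (a bundle scoped by the darwin hard class, user data held in an array and iterated through a variable). The user name alice, uid 1001 and the SSH public key are constructed placeholders, and the policy assumes CFEngine 3.6 or later with the standard library available at $(sys.libdir). Because local accounts on macOS live in Directory Services, the account is created with dscl from commands promises, each guarded by a class that probes the current state first, since commands promises are not idempotent on their own.

```cfengine3
# Added example policy, not from the video or the CFEngine project.
# Constructed/assumed values: user "alice", uid 1001, the placeholder SSH
# public key, and CFEngine 3.6+ with the standard library at $(sys.libdir).
body common control
{
  bundlesequence => { "mac_laptop" };
  inputs         => { "$(sys.libdir)/stdlib.cf" };
}

bundle agent mac_laptop
{
  vars:
    # Everything in this bundle is scoped to the "darwin" hard class, so the
    # same policy can be served to Linux hosts without touching them.
    darwin::
      # Per-user data kept in one array; getindices() yields the user names.
      "u[alice][uid]"   string => "1001";
      "u[alice][gecos]" string => "Alice Example";
      "u[alice][key]"   string => "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyMaterialOnly alice@example";
      "names"           slist  => getindices("u");

  classes:
    darwin::
      # Probe the current state so the commands below only run when the
      # machine has drifted from the desired state.
      "user_$(names)_present"
        expression => returnszero("/usr/bin/dscl . -read /Users/$(names) >/dev/null 2>&1", "useshell");
      "user_$(names)_admin"
        expression => returnszero("/usr/bin/dsmemberutil checkmembership -U $(names) -G admin | /usr/bin/grep -q ' is a member'", "useshell");
      "sshd_on"
        expression => returnszero("/usr/sbin/systemsetup -getremotelogin | /usr/bin/grep -q On", "useshell");
      "firewall_on"
        expression => returnszero("/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate | /usr/bin/grep -q enabled", "useshell");

  commands:
    darwin::
      # Local accounts on macOS live in Directory Services, so the account is
      # created with dscl rather than by editing /etc/passwd.
      "/usr/bin/dscl . -create /Users/$(names)"
        ifvarclass => "!user_$(names)_present";
      "/usr/bin/dscl . -create /Users/$(names) UniqueID $(u[$(names)][uid])"
        ifvarclass => "!user_$(names)_present";
      "/usr/bin/dscl . -create /Users/$(names) PrimaryGroupID 20"
        ifvarclass => "!user_$(names)_present";
      "/usr/bin/dscl . -create /Users/$(names) UserShell /bin/bash"
        ifvarclass => "!user_$(names)_present";
      "/usr/bin/dscl . -create /Users/$(names) NFSHomeDirectory /Users/$(names)"
        ifvarclass => "!user_$(names)_present";
      "/usr/bin/dscl . -create /Users/$(names) RealName \"$(u[$(names)][gecos])\""
        contain    => in_shell,
        ifvarclass => "!user_$(names)_present";
      "/usr/sbin/createhomedir -c -u $(names)"
        ifvarclass => "!user_$(names)_present";
      # Admin rights on macOS are membership of the local "admin" group.
      "/usr/bin/dscl . -append /Groups/admin GroupMembership $(names)"
        ifvarclass => "user_$(names)_present.!user_$(names)_admin";
      # Remote Login (sshd) and the application firewall.
      "/usr/sbin/systemsetup -setremotelogin on"
        ifvarclass => "!sshd_on";
      "/usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on"
        ifvarclass => "!firewall_on";

  files:
    darwin::
      # Key-based SSH login for the user. Files promises are evaluated before
      # commands in normal ordering, so these wait for the account to exist
      # (converging on a later pass or the next agent run) before setting
      # ownership.
      "/Users/$(names)/.ssh/."
        create     => "true",
        perms      => mog("0700", "$(names)", "staff"),
        ifvarclass => "user_$(names)_present";
      "/Users/$(names)/.ssh/authorized_keys"
        create     => "true",
        perms      => mog("0600", "$(names)", "staff"),
        edit_line  => insert_lines("$(u[$(names)][key])"),
        ifvarclass => "user_$(names)_present";
}
```

Adding a second user is a matter of adding three more array entries; the names list, the probes and the promises all follow from getindices(). The account is deliberately given no password, so the only way in over the network is the key placed in authorized_keys, and the state probes mean a run on an already-compliant MacBook executes nothing at all.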


Status reporting

The reporting hub connects to each agent at pre-defined intervals and retrieves a status report. Thanks to the efficient CFEngine protocol, only incremental changes are transferred on each regular connection, with a complete update every six hours (most of this is, of course, configurable).


NAT and Firewalls

That the reporting hub connects to the client, in a pull model, reflects CFEngine's design principles: scalability and security come first. This is a proven model for server management, but laptops move around, change networks and sit behind both NAT and firewalls, so the hub cannot always reach the agent's listening port (cf-serverd on TCP 5308 by default) to initiate a connection. In an upcoming update of CFEngine Enterprise we will support a client-originated connection, in which the reporting server is offered the chance to request an update, preserving the pull principle.