Welcome to Leopard Leopard Welcome to

How to get started

www.apple.com/support
Apple Inc. 2007 Apple Inc. All rights reserved. Apple, the Apple logo, Boot Camp, Expos, FireWire, iCal, iPhoto, Keynote, Mac, and Mac OS are trademarks of Apple Inc., registered in the U.S. and other countries. Aperture, Cover Flow, Finder, iPhone, Leopard, Safari, and Spotlight are trademarks of Apple Inc. AppleCare is a service mark of Apple Inc., registered in the U.S. and other countries.Mac is a service mark of Apple Inc. Other product and company names mentioned herein may be trademarks of their respective companies. Microsoft product screen shot(s) reprinted with permission from Microsoft Corporation. Because Apple frequently releases new versions and updates to its software, images shown in this book may be different from what you see on your screen.

Install Leopard

To upgrade to Mac OS X Leopard, insert your installation disc and double-click Install Mac OS X. Then click Restart. Your computer restarts, and the Mac OS X Installer opens.

Install Leopard

Select a destination
Select your startup disk or the volume that has the version of Mac OS X you want to upgrade.
Select a volume. You may not be able to install Leopard on some volumes.
Look here for important information about the installation.
Click Options if you want to select a different type of installation.
For additional information, see the Instructions folder on your installation disc.

Install Leopard

Begin installation
When youre ready, click Install to begin installing Mac OS X Leopard. When the installation is finished, your computer will restart.
Click Customize if you want to change whats installed.

Meet Leopard

www.apple.com/macosx

Desktop

From the menu to the Dock, Leopard introduces a great new look and Stacksa brand-new way to stay organized.

Desktop

Stacks
Stacks provide a convenient way to get to your documents. Folders already in the Dock become stacks automatically. To create a stack, drag a folder of documents to the Dock.
When you click a stack, the items appear in a grid or a fan above the icon.

Desktop

The Downloads stack
The Dock includes a Documents stack and a Downloads stack. Items you download in Safari, Mail, or iChat always go to the Downloads stack so that you can find them quickly.
The latest download appears here.
Click the Downloads stack to see items youve downloaded.

10 Desktop

Customization
Stacks appear as a fan or a grid automatically based on the number of items in the stack. You can specify which style you want to use and change the stacks sort order.
To customize a stack, position the pointer over the stack icon and then hold down the mouse button until a menu appears.

Desktop 11

Finder
See your files in Cover Flow and browse through them quickly.

12 Finder

Cover Flow
Cover Flow lets you see your movies, presentations, PDF files, and more in large-size previews as you flip through them.
Click this button for Cover Flow.
Move the pointer over an item to play a movie or see the pages of a document, for example. Drag the slider to thumb through your documents.

Finder 13

Sidebar
The Finder sidebar makes it easy to get to folders on your computer, shared computers on your network, and your saved searches.
Shared computers available on your network automatically appear here.
Commonly used searches are included in the sidebar, and you can add your own searches.

14 Finder

Spotlight
In a Finder window or the menu bar, use Spotlight to search for items on your computer. If you use the same search often, save it in the Search For section of the sidebar.
Type your search in the search field. Click Save to add a Smart Folder to the sidebar.

See your search results in Cover Flow.

Finder 15

Shared computers
Shared computers on your network automatically appear in the sidebar so that you can quickly find the documents they contain.
Search for documents on shared computers.
Get immediate access to the Public folder on any shared computer.

16 Finder

Screen sharing
Use screen sharing to get to the desktop of shared computers on your network. You can monitor use, change settings, and much more from your computer.
Select the computer and then click Share Screen.
To see the toolbar, choose View > Show Toolbar.
Youll see the desktop of the other computer in a window.
To use all of your screen, click the Full-screen button. Finder 17

Sharing

You can share your files, your website, your screen, and much more with other computers on your network. To start, open System Preferences and then click Sharing.
Click the Add (+) button to select users and groups who can share your files.
Click the Add (+) button to select any folder you want to share.

18 Finder

Back to My Mac
With your.Mac membership, an Internet connection, and Back to My Mac and sharing services turned on, you can access any of your computers from anywhere on the Internet.
Back to My Mac is on automatically.
Back to My Mac computers appear in the sidebar.

Finder 19

Quick Look
See stunning previews of movies, PDF files, presentations, spreadsheets, and more without opening an application.

20 Quick Look

View documents
You can use Quick Look in the Finder, Time Machine, and Mail. To view an item in Quick Look, select it and then press the Space bar.
Click the Quick Look button in the Finder window toolbar.
Click here for a full-screen preview.

Quick Look 21

Browse contents
When you view the documents in Quick Look, you can flip through each page of your document or view each slide of a Keynote presentation.
Each slide of a Keynote presentation appears here.

22 Quick Look

Show collections
You can use Quick Look to view several items at once. To automatically scan through the items, click the Play button.
Click a picture in the index sheet to view it.
Click the Index Sheet button to view all the items.
Click the Camera button to add a photo to iPhoto.

Quick Look 23

Time Machine
Automatically back up your Mac. If youre missing a document, travel back in time to recover it.

24 Time Machine

Turn on Time Machine
To start using Time Machine, just connect a FireWire or USB disk to your computer, and then click Use as Backup Disk in the dialog that appears.

When you turn on Time Machine, it backs up your computer to the disk youve selected.

Time Machine 25

Recover files
Easily find a missing document by seeing how your desktop looked in the past. Time Machine does a backup each hour of the current day, and then saves daily backups.
Type in the search field to look for the document.
Click the back arrow to go back in time.
Use Quick Look to check a document before you restore it.
Browse items in your backup using Cover Flow.
When you find the document, select it and then click Restore.

26 Time Machine

Set Time Machine preferences
To set Time Machine options, open Time Machine preferences. You can select a different backup disk or specify folders or disks you dont want to include in your backups.
Click Options to select items you dont want to back up.

Time Machine 27

Spaces
Organize your work and play by grouping application windows into a space. Then quickly switch between your spaces.

28 Spaces

Arrange windows
Turn on spaces in Expos & Spaces preferences, and then press F8 to show your spaces. To organize your windows, drag them from the current space to a different space.
Drag windows you want to use together into the same space.

Spaces 29

Switch spaces
To switch between spaces, type Control + [an arrow key]. To go directly to a space, type Control + [a number key]. Arrange the order of spaces to suit your needs.
Drag spaces to rearrange their order.
Use keyboard shortcuts to quickly switch between spaces.

30 Spaces

Customize spaces
After you turn on spaces, you can add other spaces. You can also assign applications to each space so that the applications windows always open in the same space.
Add rows and columns to create the spaces you need.
Choose keyboard shortcuts that work best for you. Click the Add (+) button to assign applications to spaces.

Spaces 31

Use Apple-designed stationery to send gorgeous email messages complete with photos.

32 Mail

Stationery
When you create a message, select stationery to give it the perfect style whether the occasion is fun or formal. Including photos is easy using the Photo Browser.
Click to see the stationery you can use.
Select a type of stationery, and then click the stationery you want to use.
Select photos from iPhoto, Photo Booth, or Aperture.
Locate photos here, and then drag them to your message.

Mail 33

Notes and to-do items
Keep all your notes and to-do items in one place. Jot down reminders, shopping lists, and information you need. Include pictures, URLs, and attachments with your items.

Click to create a note or to-do item.
To create a to-do item, select text in the note and click To Do.
Click to set options for the to-do item. Items automatically appear in iCal.
See your notes and to-do items in the Reminders section of the sidebar.

34 Mail

Data detection
You can turn dates in your email messages into iCal events. You can add names, phone numbers, and addresses to your contacts. You can even map addresses in Safari.
Move the pointer over the date, name, or address, and then click the triangle to choose an action.

Mail 35

Make your chats more fun using video effects such as backdrops. Show off your work with iChat theater.

36 iChat

Video backdrops
Use video backdrops with your chats to be anywhere in the world. iChat includes movies and still photos that you can use, or you can add your own.
Select a video backdrop and then step out of the picture for a moment.
Click Effects to select a video effect.
Add your own movies or pictures to use as a video backdrop.

iChat 37

Effects
While youre in a video chat, you can select video effects to make your chats fun and interesting.
Click the effect in the center for the original view.
Click any effect to use it.

38 iChat

iChat theater
To show photos, movies, or presentations in a video chat, start the chat and then drag the file or files you want to show to the chat window.
See how your presentation looks to your buddy.
Control your presentation using this window.

iChat 39

iChat screen sharing
Screen sharing lets you take control of a buddys computer to show how to do something, rather than just explain it.
Click to switch screens. To copy a document to this computer, drag it here.
Select a buddy with video chat capability, and then click the Screen Sharing button.

40 iChat

Tabbed chats
Use tabbed chats if you have a lot of chats. To do so, open the Messages pane of iChat preferences, and then select Collect chats into a single window.
Click a chat to return to it.
See the latest reply from your buddy.

iChat 41

Presence
If you have more than one.Mac, AIM, Jabber, or Google Talk account, you can log into all of them at the same time in iChat.
Use an animated GIF as your buddy picture.
Choose Invisible if you want to see whos available, but not be seen yourself.

42 iChat

SMS messaging
Exchange SMS messages from iChat with a buddy using a mobile phone, such as iPhone. Choose File > Send SMS, and then enter your buddys phone number.
This buddy can receive SMS messages.
Note: SMS messaging is available only with U.S. mobile phones. iChat 43

Dashboard

Create your own widget from any part of a webpage and see updates to it in Dashboard.

44 Dashboard

Web clip
To create a widget, open a webpage in Safari and choose File > Open in Dashboard. Safari automatically selects parts of the page as you move the pointer over the page.
Go to the webpage in Safari and click this button.
When youve selected the part you want, click Add.
Drag the selection rectangle over the information and click. You can then resize the selection.

Dashboard 45

Safari
The most elegant web browser is even easier to use with dynamic tabbed browsing and other new features.

46 Safari

Tabbed browsing
Now you can drag tabs to arrange them or pull them out into a new window. To merge open windows into a single tabbed window, choose Window > Merge All Windows.
Drag a tab out of the window to put it in a separate window. Drag tabs to rearrange the order theyre in. To switch between tabs, press Command-Shift-Right bracket ( ] ) or Command-Shift-Left bracket ( [ ).

Safari 47

To search for text in a webpage, choose Edit > Find > Find, and then type your search. To make it easier to see what youre looking for, Safari highlights all the results.
Click these arrows to highlight individual occurrences.
Safari highlights the results in the webpage so that theyre easy to locate.

48 Safari

PDF viewing
You can view PDF files in the Safari window. Youll find new controls that make it easier to work with these files.
Open the PDF file in Preview or save it in your Downloads stack.
To see the controls, move the pointer to the bottom of the Safari window.

Safari 49

Parental Controls
Give yourself peace of mind. Manage the time your children spend on the computer and what they do there.

50 Parental Controls

Time limits
Manage when your children use the computer by setting time limits for weekdays, weekends, and nights.
Specify how many hours a day your child may use the computer.
Specify the hours during which your child may not use the computer on school nights and weekends.

Parental Controls 51

Content limits
To limit the websites your children may visit on the Internet, click Content and then select the level of restrictions you want to apply.
Select to try limiting access to adult websites. Click Customize if you want to specify websites your children may and may not visit. Select to allow your children access only to specific websites.

52 Parental Controls

Mail and iChat limits
Protect your children from strangers by specifying who they chat with and exchange email with.

Print this document to follow the instructions while installing Windows. Drag the divider to set the size of the Windows partition.
If you installed a beta version of Boot Camp, you only need to install the new Windows drivers by switching to Windows and inserting the Leopard installation disc.

Boot Camp 65

Install Windows
Insert your Windows XP or Windows Vista installation disc and click Start Installation.
Install the Windows drivers when you finish installing and setting up Windows.
Click when youre ready to install Windows on your Mac.

66 Boot Camp

Switch systems
In Mac OS X, open Startup Disk preferences to select your Windows partition. In Windows, open the Boot Camp Control Panel and then click Startup Disk.
Select your Windows partition and then click Restart.
Select your Mac OS X startup disk and then click Restart.

Boot Camp 67

Here if you need us
Learning more, service, and support
Online resources For online service and support information, visit www.apple.com/support. Choose your country from the pop-up menu. You can search for the latest software updates and manuals, find answers using the AppleCare Knowledge Base, or get help from Apples discussion forums. Onscreen help You can often find answers to your questions, as well as instructions and problemsolving information by using the Help menu in some applications. Choose Help from the Finder Help menu, type a few words in the search field, and then press Return. System profiler Use System Profiler to retrieve information about your computer. System Profiler indicates the hardware and software installed on your computer, the serial number and operating system version, the amount of memory installed, and how much battery power remains. To open System Profiler, choose Apple (K) > About This Mac from the menu bar, and then click the More Info button.

70 Apple Support

AppleCare service and support information
Your Mac OS X product comes with 90 days of complimentary telephone support. AppleCare telephone support representatives can help you open and install applications and solve basic problems. Consult the table below, and then call the support center nearest you. Have the date of purchase and your Apple computer serial number ready when you call. Note: Telephone feesmay apply. You can extend your coverage by purchasing the AppleCare Protection Plan. For more information about the AppleCare Protection Plan, visit the AppleCare Products and Services website at www.apple.com/support/products. For additional information about contacting Apple Support, visit www.apple.com/ contact/phone_contacts.html. (Telephone numbers are subject to change.) Technical Support Numbers

United States Canada (English) Canada (French) Mexico Australia New Zealand United Kingdom 1-800-1-800-263-3394 1-800-263-3394 01-800-277-5322 (61) 133-622 00800-7666-7666 (44) 0753 www.apple.com/support www.apple.com/ca/support www.apple.com/ca/fr/support www.apple.com/mx/support www.apple.com/au/support www.apple.com/nz/support www.apple.com/uk/support

Apple Support 71

SOFTWARE LICENSE AGREEMENT FOR MAC OS X

APPLE INC.

Single Use and Family Pack License for use on Apple-labeled Systems
PLEASE READ THIS SOFTWARE LICENSE AGREEMENT (LICENSE) CAREFULLY BEFORE USING THE APPLE SOFTWARE. BY USING THE APPLE SOFTWARE, YOU ARE AGREEING TO BE BOUND BY THE TERMS OF THIS LICENSE. IF YOU DO NOT AGREE TO THE TERMS OF THIS LICENSE, DO NOT USE THE SOFTWARE. IF YOU DO NOT AGREE TO THE TERMS OF THE LICENSE, YOU MAY RETURN THE APPLE SOFTWARE TO THE PLACE WHERE YOU OBTAINED IT FOR A REFUND. IF THE APPLE SOFTWARE WAS ACCESSED ELECTRONICALLY, CLICK DISAGREE/ DECLINE FOR APPLE SOFTWARE INCLUDED WITH YOUR PURCHASE OF HARDWARE, YOU MUST RETURN THE. ENTIRE HARDWARE/SOFTWARE PACKAGE IN ORDER TO OBTAIN A REFUND. IMPORTANT NOTE: This software may be used to reproduce, modify, publish and distribute materials. It is licensed to you only for reproduction, modification, publication and distribution of non-copyrighted materials, materials in which you own the copyright, or materials you are authorized or legally permitted to reproduce, modify, publish or distribute. If you are uncertain about your right to copy, modify, publish or distribute any material, you should contact your legal advisor. 1. General. The software (including Boot ROM code), documentation and any fonts accompanying this License whether preinstalled on Apple-labeled hardware, on disk, in read only memory, on any other media or in any other form (collectively the Apple Software) are licensed, not sold, to you by Apple Inc. (Apple) for use only under the terms of this License, and Apple reserves all rights not expressly granted to you. The rights granted herein are limited to Apples and its licensors intellectual property rights in the Apple Software as licensed hereunder and do not include any other patents or intellectual property rights. You own the media on which the Apple Software is recorded but Apple and/or Apples licensor(s) retain ownership of the Apple Software itself. The terms of this License will govern any software upgrades provided by Apple that replace and/or supplement the original Apple Software product, unless such upgrade is accompanied by a separate license in which case the terms of that license will govern. Title and intellectual property rights in and to any content displayed by or accessed through the Apple Software belongs to the respective content owner. Such content may be protected by copyright or other intellectual property laws and treaties, and may be subject to terms of use of the third party providing such content. This License does not grant you any rights to use such content nor does it guarantee that such content will continue to be available to you. 2. Permitted License Uses and Restrictions. A. Single Use. This License allows you to install, use and run one (1) copy of the Apple Software on a single Apple-labeled computer at a time. You agree not to install, use or run the Apple Software on any non-Apple-

labeled computer, or to enable others to do so. This License does not allow the Apple Software to exist on more than one computer at a time, and you may not make the Apple Software available over a network where it could be used by multiple computers at the same time. B. Family Pack. If you have purchased a Mac OS X Family Pack, this License allows you to install and use one (1) copy of the Apple Software on up to a maximum of five (5) Apple-labeled computers at a time as long as those computers are located in the same household and used by persons who occupy that same household. By household we mean a person or persons who share the same housing unit such as a home, apartment, mobile home or condominium, but shall also extend to student members who are primary residents of that household but residing at a separate on-campus location. The Family Pack License does not extend to business or commercial users. C. You may make one copy of the Apple Software (excluding the Boot ROM code and other Apple firmware that is embedded or otherwise contained in Apple-labeled hardware) in machine-readable form for backup purposes only; provided that the backup copy must include all copyright or other proprietary notices contained on the original. Apple Boot ROM code and firmware is provided only for use on Apple-labeled hardware and you may not copy, modify or redistribute the Apple Boot ROM code or firmware, or any portions thereof. D. Certain components of the Apple Software, and third party open source programs included with the Apple Software, have been or may be made available by Apple on its Open Source web site (http://www. opensource.apple.com/) (collectively the Open-Sourced Components). You may modify or replace only these Open-Sourced Components; provided that: (i) the resultant modified Apple Software is used, in place of the unmodified Apple Software, on a single Apple-labeled computer; and (ii) you otherwise comply with the terms of this License and any applicable licensing terms governing use of the Open-Sourced Components. Apple is not obligated to provide any updates, maintenance, warranty, technical or other support, or services for the resultant modified Apple Software. You expressly acknowledge that if failure or damage to Apple hardware results from modification of the OpenSourced Components of the Apple Software, such failure or damage is excluded from the terms of the Apple hardware warranty. E. Apple has provided, as part of the Apple Software package, access to certain third party software as a convenience. To the extent that the Apple Software contains third party software, Apple has no express or implied obligation to provide any technical or other support for such software. Please contact the appropriate software vendor or manufacturer directly for technical support and customer service related to its software and products. F. Except as and only to the extent permitted by applicable licensing terms governing use of the Open-Sourced Components, or by applicable law, you may not copy, decompile, reverse engineer, disassemble, modify, or create derivative works of the Apple Software or any part thereof. THE APPLE SOFTWARE IS NOT INTENDED

FOR USE IN THE OPERATION OF NUCLEAR FACILITIES, AIRCRAFT NAVIGATION OR COMMUNICATION SYSTEMS, AIR TRAFFIC CONTROL SYSTEMS, LIFE SUPPORT MACHINES OR OTHER EQUIPMENT IN WHICH THE FAILURE OF THE APPLE SOFTWARE COULD LEAD TO DEATH, PERSONAL INJURY, OR SEVERE PHYSICAL OR ENVIRONMENTAL DAMAGE. G. If you use Setup/Migration Assistant to transfer software from one Apple-labeled computer to another Apple-labeled computer, please remember that continued use of the original copy of the software may be prohibited once a copy has been transferred to another computer, unless you already have a licensed copy of such software on both computers. You should check the relevant software license agreements for applicable terms and conditions. 3. Transfer. You may not rent, lease, lend, redistribute or sublicense the Apple Software. Subject to the restrictions set forth below, you may, however, make a one-time permanent transfer of all of your license rights to the Apple Software (in its original form as provided by Apple) to another party, provided that: (a) the transfer must include all of the Apple Software, including all its component parts (excluding Apple Boot ROM code and firmware), original media, printed materials and this License; (b) you do not retain any copies of the Apple Software, full or partial, including copies stored on a computer or other storage device; and (c) the party receiving the Apple Software reads and agrees to accept the terms and conditions of this License. You may not rent, lease, lend, redistribute, sublicense or transfer any Apple Software that has been modified or replaced under Section 2D above. All components of the Apple Software are provided as part of a bundle and may not be separated from the bundle and distributed as standalone applications. Apple Software provided with a particular Apple-labeled hardware product may not run on other models of Apple-labeled hardware. Updates: If an Apple Software update completely replaces (full install) a previously licensed version of the Apple Software, you may not use both versions of the Apple Software at the same time nor may you transfer them separately. NFR (Not for Resale) and Evaluation Copies: Notwithstanding other sections of this License, Apple Software labeled or otherwise provided to you on a promotional or not-for-resale basis may only be used for demonstration, testing and evaluation purposes and may not be resold or transferred. Apple System Restore Copies: Restore CDs or DVDs that may accompany an Apple hardware bundle, or are otherwise provided by Apple in connection with an Apple hardware bundle, contain a copy of the Apple Software that is to be used for diagnostic and restorative purposes only. These CDs and DVDs may be resold or transferred only as part of the Apple hardware bundle. Academic Copies: If the Apple Software package has an academic label or if you acquired the Apple Software at an academic discount, you must be an Eligible Educational End User to use the Apple Software. Eligible Educational End Users means students, faculty, staff and administration attending and/or working at an educational institutional facility (i.e., college campus, public or private K-12 schools).

OR PROVIDED BY, THE APPLE SOFTWARE WILL MEET YOUR REQUIREMENTS, THAT THE OPERATION OF THE APPLE SOFTWARE OR SERVICES WILL BE UNINTERRUPTED OR ERROR-FREE, THAT THE APPLE SOFTWARE OR SERVICES WILL BE COMPATIBLE WITH THIRD PARTY SOFTWARE, OR THAT DEFECTS IN THE APPLE SOFTWARE OR SERVICES WILL BE CORRECTED. NO ORAL OR WRITTEN INFORMATION OR ADVICE GIVEN BY APPLE OR AN APPLE AUTHORIZED REPRESENTATIVE SHALL CREATE A WARRANTY. SHOULD THE APPLE SOFTWARE OR SERVICES PROVE DEFECTIVE, YOU ASSUME THE ENTIRE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES OR LIMITATIONS ON APPLICABLE STATUTORY RIGHTS OF A CONSUMER, SO THE ABOVE EXCLUSION AND LIMITATIONS MAY NOT APPLY TO YOU. The Apple Software automatically references, displays, links to, and provides web services related to, sites and information located worldwide throughout the Internet. Because Apple has no control over such sites and information, Apple makes no guarantees as to such sites and information, including but not limited to: (a) the accuracy, availability, sequence, completeness, currency, content, validity or quality of any such sites and information, or (b) whether an Apple search completed through the Apple Software may locate unintended or objectionable content. Because some of the content on the Internet consists of material that is adult-oriented or otherwise objectionable to some people or viewers under the age of 18, the results of any search or entering of a particular URL using the Apple Software may automatically and unintentionally generate links or references to objectionable material. By using the Apple Software, you acknowledge that Apple makes no representations or warranties with regard to any sites or information displayed by or accessed through the Apple Software, or any web services performed by the Apple Software in relation to such sites or information. Apple, its officers, affiliates and subsidiaries shall not, directly or indirectly, be liable, in any way, to you or any other person for the content you receive using the Apple Software or for any inaccuracies, errors in or omissions from the content. Financial information displayed by the Apple Software is for general informational purposes only and is not intended to be relied upon as investment advice. Before executing any securities transaction based upon information obtained through the Apple Software, you should consult with a financial professional. Neither Apple nor any of its content providers guarantees the accuracy, completeness, or timeliness of stock information appearing within the Apple Software. The Apple Software may be used to conduct automated translations. As automated translations are performed by software tools and do not involve any human intervention or verification, it is not advisable to rely upon such translations where absolute accuracy is required. Backup functions performed by the Apple Software are only carried out at certain times and are subject to hardware limitations such as drive storage capacity. Apple and its licensors reserve the right to change, suspend, remove, or disable access to any Services at any time without notice. In no event will Apple be liable for the removal of or disabling of access to any such Services. Apple may also impose limits on the use of or access to certain Services, in any case and without notice or liability.

for such free software under the terms of the GPL or LGPL, as the case may be, without charge except for the cost of media, shipping, and handling, upon written request to Apple. The GPL/LGPL software is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY, without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. A copy of the GPL and LGPL is included with the Apple Software. C. The Apple Software includes certain software licensed under the IBM Public License Version 1.0 (IPL) or the Common Public License Version 1.0 (CPL). A copy of the source code for the IPL and CPL licensed software may be found in Apples Open Source repository. See Apples Open Source web site (http://www.opensource.apple. com/) for information on how to obtain the source code. THE IPL AND CPL SOFTWARE IS PROVIDED ON AN AS IS BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR CONDITIONS OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. NEITHER APPLE, IBM NOR ANY OTHER CONTRIBUTOR TO THE IPL AND CPL SOFTWARE SHALL HAVE ANY LIABILITY FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, WITHOUT LIMITATION, LOST PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OR DISTRIBUTION OF THE IPL AND CPL SOFTWARE OR THE EXERCISE OF ANY RIGHTS GRANTED HEREUNDER, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. D. MPEG-2 Notice. To the extent that the Apple Software contains MPEG-2 functionality, the following provision applies: ANY USE OF THIS PRODUCT OTHER THAN CONSUMER PERSONAL USE IN ANY MANNER THAT COMPLIES WITH THE MPEG-2 STANDARD FOR ENCODING VIDEO INFORMATION FOR PACKAGED MEDIA IS EXPRESSLY PROHIBITED WITHOUT A LICENSE UNDER APPLICABLE PATENTS IN THE MPEG-2 PATENT PORTFOLIO, WHICH LICENSE IS AVAILABLE FROM MPEG LA, L.L.C, 250 STEELE STREET, SUITE 300, DENVER, COLORADO 80206. E. Use of MPEG-4. This product is licensed under the MPEG-4 Systems Patent Portfolio License for encoding in compliance with the MPEG-4 Systems Standard, except that an additional license and payment of royalties are necessary for encoding in connection with (i) data stored or replicated in physical media which is paid for on a title by title basis and/or (ii) data which is paid for on a title by title basis and is transmitted to an end user for permanent storage and/or use. Such additional license may be obtained from MPEG LA, LLC. See http://www. mpegla.com for additional details. This product is licensed under the MPEG-4 Visual Patent Portfolio License for the personal and non-commercial use of a consumer for (i) encoding video in compliance with the MPEG-4 Visual Standard (MPEG-4 Video) and/ or (ii) decoding MPEG-4 video that was encoded by a consumer engaged in a personal and non-commercial activity and/or was obtained from a video provider licensed by MPEG LA to provide MPEG-4 video. No license is granted or shall be implied for any other use. Additional information including that relating to promotional, internal and commercial uses and licensing

may be obtained from MPEG LA, LLC. See http: //www.mpegla.com. For answers to frequently asked questions regarding use fees under the MPEG LA Visual Patent Portfolio License see www.apple.com/mpeg4 or www. apple.com/quicktime/products/qt/faq.html. F. H.264/AVC Notice. To the extent that the Apple Software contains AVC encoding and/or decoding functionality, commercial use of H.264/AVC requires additional licensing and the following provision applies: THE AVC FUNCTIONALITY IN THIS PRODUCT IS LICENSED HEREIN ONLY FOR THE PERSONAL AND NONCOMMERCIAL USE OF A CONSUMER TO (i) ENCODE VIDEO IN COMPLIANCE WITH THE AVC STANDARD (AVC VIDEO) AND/OR (ii) DECODE AVC VIDEO THAT WAS ENCODED BY A CONSUMER ENGAGED IN A PERSONAL AND NON-COMMERCIAL ACTIVITY AND/OR AVC VIDEO THAT WAS OBTAINED FROM A VIDEO PROVIDER LICENSED TO PROVIDE AVC VIDEO. INFORMATION REGARDING OTHER USES AND LICENSES MAY BE OBTAINED FROM MPEG LA L.L.C. SEE HTTP://WWW.MPEGLA.COM. G. AMR Notice. The Adaptive Multi-Rate (AMR) encoding and decoding functionality in this product is not licensed to perform cellular voice calls, or for use in any telephony products built on the QuickTime architecture for the Windows platform. The AMR encoding and decoding functionality in this product is also not licensed for use in a cellular communications infrastructure including: base stations, base station controllers/radio network controllers, switching centers, and gateways to and from the public switched network. H. FAA Notice. Aircraft Situation Display and National Airspace System Status Information data (collectively Flight Data) displayed through the Apple Software is generated by the Federal Aviation Administration. You agree not to redistribute Flight Data without the prior written consent of the FAA. The FAA and Apple disclaim all warranties, expressed or implied (including the implied warranties of merchantability and fitness for a particular purpose), regarding the use and accuracy of the Flight Data. You agree that the FAA and Apple shall not be liable, either collectively or individually, for any loss, damage, claim, liability, expense, or penalty, or for any indirect, special, secondary, incidental, or consequential damages deriving from the use of the Flight Data. The Apple Software is not sponsored or endorsed by the FAA. The FAA is not responsible for technical or system problems, and you should not contact the FAA regarding such problems or regarding operational traffic flow issues. I. Use of Adobe Color Profiles. You may use the Adobe Color Profile software included with the Apple Software pursuant to this License, but Adobe is under no obligation to provide any support for the Color Profiles hereunder, including upgrades or future versions of the Profiles or other items. In addition to the provisions of Sections 7 and 8 above, IN NO EVENT WILL ADOBE BE LIABLE TO YOU FOR ANY DAMAGES, CLAIMS OR COSTS WHATSOEVER. The Adobe Color Profile software distributed with the Apple Software is also available for download from Adobe at www.adobe.com. EA0390 Rev. 8-14-07

The Mac OS X Server Administration Guides
Getting Started covers installation and setup for standard and workgroup configurations of Mac OS X Server. For advanced configurations, Server Administration covers planning, installation, setup, and general server administration. A suite of additional guides, listed below, covers advanced planning, setup, and management of individual services. You can get these guides in PDF format from the Mac OS X Server documentation website: www.apple.com/server/documentation
This guide. Getting Started and Installation & Setup Worksheet Command-Line Administration File Services Administration iCal Service Administration iChat Service Administration Mac OS X Security Configuration Mac OS X Server Security Configuration Mail Service Administration Network Services Administration Open Directory Administration Podcast Producer Administration Print Service Administration QuickTime Streaming and Broadcasting Administration Server Administration tells you how to: Install Mac OS X Server and set it up for the first time. Install, set up, and manage Mac OS X Server using UNIX commandline tools and configuration files. Share selected server volumes or folders among server clients using the AFP, NFS, FTP, and SMB protocols. Set up and manage iCal shared calendar service. Set up and manage iChat instant messaging service. Make Mac OS X computers (clients) more secure, as required by enterprise and government customers. Make Product Name and the computer its installed on more secure, as required by enterprise and government customers. Set up and manage IMAP, POP, and SMTP mail services on the server. Set up, configure, and administer DHCP, DNS, VPN, NTP, IP firewall, NAT, and RADIUS services on the server. Set up and manage directory and authentication services, and configure clients to access directory services. Set up and manage Podcast Producer service to record, process, and distribute podcasts. Host shared printers and manage their associated queues and print jobs. Capture and encode QuickTime content. Set up and manage QuickTime streaming service to deliver media streams live or on demand. Perform advanced installation and setup of server software, and manage options that apply to multiple services or to the server as a whole. Use NetBoot, NetInstall, and Software Update to automate the management of operating system and other software used by client computers. Use data and service settings from an earlier version of Mac OS X Server or Windows NT.

Security Architectural Overview
Mac OS X security services are built on two open source standards: Berkeley Software Distribution (BSD). BSD is a form of UNIX that provides fundamental services, including the Mac OS X file system and file access permissions. Common Data Security Architecture (CDSA). CDSA provides a wide array of security services, including more specific access permissions, authentication of user identities, encryption, and secure data storage.

UNIX Infrastructure

The Mac OS X kernelthe heart of the operating systemis built from BSD and Mach. Among other things, BSD provides basic file system and networking services and implements a user and group identification scheme. BSD enforces access restrictions to files and system resources based on user and group IDs. Mach provides memory management, thread control, hardware abstraction, and interprocess communication. Mach enforces access by controlling which tasks can send a message to a Mach port. (A Mach port represents a task or some other resource.) BSD security policies and Mach access permissions constitute an essential part of security in Mac OS X, and are both critical to enforcing local security.

Access Permissions

An important aspect of computer security is the granting or denying of access permissions (sometimes called access rights). A permission is the ability to perform a specific operation, such as gaining access to data or to execute code. Permissions are granted at the level of folders, subfolders, files, or applications. Permissions are also granted for specific data in files or application functions. Permissions in Mac OS X are controlled at many levels, from the Mach and BSD components of the kernel through higher levels of the operating system, andfor networked applicationsthrough network protocols.

Security Framework

The security framework in Mac OS X is an implementation of the CDSA architecture. It contains an expandable set of cryptographic algorithms to perform code signing and encryption operations while maintaining the security of the cryptographic keys. It also contains libraries that allow the interpretation of X.509 certificates. The CDSA code is used by Mac OS X features such as Keychain and URL Access for protection of login data.
Chapter 1 Introduction to Mac OS X Security Architecture

# Updating Manually from Installer Packages # ----------------------------------# Download software updates. softwareupdate --download --all # Install software updates. installer -pkg $Package_Path -target /Volumes/$Target_Volume
Verifying the Integrity of Software
Software images and updates can include an SHA-1 digest, which is also known as a cryptographic checksum. You can use this SHA-1 digest to verify the integrity of the software. Software updates retrieved and installed automatically from Software Update verify the checksum before installation. From the Command Line:
# Verifying the Integrity of Software # ----------------------------------# Use the sha1 command to display a files a files SHA-1 digest. # Replace $full_path_filename with the full path filename of the update # package or image that SHA-1 digest is being checked for. /usr/bin/openssl sha1 $full_path_filename
If provided, the SHA-1 digest for each software update or image should match the digest created for that file. If not, the file was corrupted. Obtain a new copy.
Repairing Disk Permissions
Before you modify or repair disk permissions, you should understand the file and folder permissions that Mac OS X Server supports. Mac OS X supports the following permissions: Portable Operating System Interface (POSIX) permissionsstandard for UNIX operating systems. Access Control Lists (ACLs) permissionsused by Mac OS X, and compatible with Microsoft Windows Server 2003, Microsoft Windows XP, and Microsoft Windows Vista. Note: In this guide, the term privileges refers to the combination of ownership and permissions. The term permissions refers to permission settings that each user category can have (Read & Write, Read Only, Write Only, and None).
POSIX Permissions Overview
POSIX permissions let you control access to files and folders. Every file or folder has read, write, and execute permissions defined for three categories of users (Owner, Group, and Everyone). You can assign four types of standard POSIX permissions: Read&Write, Read Only, Write Only, None. For more information, see Setting POSIX Permissions on page 124.

ACL Permissions Overview

An ACL provides an extended set of permissions for a file or folder and enables you to set multiple users and groups as owners. An ACL is a list of access control entries (ACEs), each specifying the permissions to be granted or denied to a group or user and how these permissions are propagated throughout a folder hierarchy. In addition, ACLs are compatible with Windows Server 2003, Windows Server 2008, Windows XP, and Windows Vista, giving you added flexibility in a multiplatform environment. ACLs allow you to be more specific than POSIX when granting permissions. For example, rather than giving a user full write permission, you can restrict the user to the creation of folders but not files. If a file or folder has no ACEs defined for it, Mac OS X applies standard POSIX permissions. If a file or folder has ACEs defined for it, Mac OS X starts with the first ACE in the ACL and works its way down the list until the requested permission is satisfied or denied. After evaluating ACEs, Mac OS X evaluates standard POSIX permissions defined for the file or folder. Then, based on the evaluation of ACL and standard POSIX permissions, Mac OS X determines what type of access a user has to a shared file or folder. For more information, see Setting ACL Permissions on page 127.

$ sudo touch /System/Library/Extensions
The touch command changes the modified date of the /System/Library/Extensions folder. When the folder has a new modified date, the Extension cache files (located in /System/Library/) are deleted and rebuilt automatically by Mac OS X. 4 Choose Finder > Secure Empty Trash to delete the file. 5 Restart the system.
# ------------------------------------------------------------------# Protecting System Hardware # ------------------------------------------------------------------# Securing Wi-Fi Hardware # ------------------------# Remove AppleAirport kernel extensions. srm -rf /System/Library/Extensions/AppleAirPort.kext srm -rf /System/Library/Extensions/AppleAirPort2.kext srm -rf /System/Library/Extensions/AppleAirPortFW.kext # Remove Extensions cache files. touch /System/Library/Extensions
Removing Bluetooth Support Software
Use the following instructions to remove Bluetooth support for peripherals such as keyboards, mice, or phones. This task requires you to have administrator privileges. You can also have an Apple Authorized Technician remove the built-in Bluetooth hardware from your Apple computer. Important: Repeat these instructions every time a system update is installed. To remove kernel extensions for Bluetooth hardware: 1 Open the /System/Library/Extensions folder. 2 Drag the following files to the Trash: IOBluetoothFamily.kext IOBluetoothHIDDriver.kext 3 Open Terminal and enter the following command:
The touch command changes the modified date of the /System/Library/Extensions folder. When the folder has a new modified date, the Extension cache files (located in /System/Library/) are deleted and rebuilt by Mac OS X. 4 Choose Finder > Secure Empty Trash to delete the file. 5 Restart the system.
# Removing BlueTooth Hardware # ----------------------------# Remove Bluetooth kernel extensions. srm -rf /System/Library/Extensions/IOBluetoothFamily.kext srm -rf /System/Library/Extensions/IOBluetoothHIDDriver.kext # Remove Extensions cache files. touch /System/Library/Extensions
Preventing Unauthorized Recording
You computer might be in an environment where recording devices such as cameras or microphones are not permitted. You can protect your organizations privacy by disabling these devices. This task requires you to have administrator privileges. Note: Some organizations insert a dummy plug into the audio input and output ports to ensure that audio hardware is disabled.
Removing Audio Recording Support Software
Use the following instructions to remove support for the microphone. You can also have an Apple Authorized Technician remove the built-in microphone hardware from your Apple computer. Important: Repeat these instructions every time a system update is installed. To remove kernel extensions for audio hardware: 1 Open the /System/Library/Extensions folder. 2 To remove support for audio components such as the microphone, drag the following files to the Trash: AppleOnboardAudio.kext AppleUSBAudio.kext AudioDeviceTreeUpdater.kext IOAudioFamily.kext VirtualAudioDriver.kext 3 Open Terminal and enter the following command:

FIPS-181 compliant: According to your password length requirements, Password Assistant generates a password that is FIPS-181 compliant (which includes mixed upper and lowercase, punctuation, and numbers). For example, you can create a randomly generated password or a FIPS-181 compliant password that is 12 characters long. The following screen shows Password Assistant.
You can open Password Assistant from some applications. For example, when you create an account or change passwords in Accounts preferences, you can use Password Assistant to help you create a secure password.

Using Kerberos

Kerberos is an authentication protocol used for systemwide single sign-on, allowing users to authenticate to multiple services without reentering passwords or sending them over the network. Every system generates its own principals, allowing it to offer secure services that are fully compatible with other Kerberos-based implementations. Note: Mac OS X v10.5 support Kerberos v5 but does not support Kerberos v4.
Mac OS X v10.5 uses Kerberos to make it easier to share services with other computers. A key distribution center (KDC) server is not required to use Kerberos authentication between two Mac OS X v10.5 computers. When you connect to a computer that supports Kerberos, you are granted a ticket that permits you to continue to use services on that computer, without reauthentication, until your ticket expires. For example, consider two Mac OS X 10.5 computers named "Mac01" and "Mac02." Mac02 has screen sharing and file sharing turned on. If Mac01 connects to a shared folder on Mac02, Mac01 can subsequently connect to screen sharing on Mac02 without needing to supply login credentials again. This Kerberos exchange is only attempted if you connect using Bonjour, if you navigate to the computer in Finder, or if you use the Go menu in Finder to connect to a server using the local hostname of the computer name (for example, computer_name.local). Kerberos is also used to secure the Back to My Mac (BTMM) service. For more information about using Kerberos with BTMM, see Securing BTMM Access on page 171. Normally, after your computer gains a Kerberos ticket in this manner, keep the Kerberos ticket until it expires. However, if you want to manually remove your Kerberos ticket, you can do so using the Kerberos utility in Mac OS X. To manually remove a Kerberos ticket: 1 Open Keychain Access (in /Applications/Utilities). 2 From the Keychain Access menu, choose Kerberos Ticket Viewer. 3 In the Kerberos applications Ticket Cache window, find the key that looks like this:

You can create multiple keychains, each of which appears in a keychain list in Keychain Access. Each keychain can store multiple values. Each value is called a key item. You can create a key item in any user-created keychain. When an application must store an item in a keychain, it stores it in the keychain designated as your default. The default is named login, but you can change that to any user-created keychain. The default keychain name is displayed in bold. Each item in a keychain has an Access Control List (ACL) that can be populated with applications that have authority to use that keychain item. A further restriction can be added that forces an application with access to confirm the keychain password. The main issue with remembering passwords is that youre likely to make all passwords identical or keep a written list of passwords. By using keychains, you can greatly reduce the number of passwords you need to remember. Because you no longer need to remember passwords for multiple accounts, the passwords you choose can be very complex and can even be randomly generated. Keychains provide additional protection for passwords, passphrases, certificates, and other credentials stored on the computer. In some cases, such as using a certificate to sign a mail message, the certificate must be stored in a keychain. If a credential must be stored on the computer, store and manage it using Keychain Access. Check your organizations policy on keychain use. Due to the sensitive nature of keychain information, keychains use cryptography to encrypt and decrypt secrets, and they safely store secrets and related data in files. Mac OS X Keychain services enable you to create keychains and provide secure storage of keychain items. After a keychain is created, you can add, delete, and edit keychain items, such as passwords, keys, certificates, and notes. A user can unlock a keychain with a single password and applications can then use that keychain to store and retrieve data, such as passwords.
Using the Default User Keychain
When a users account is created, a default keychain named login is created for that user. The password for the login keychain is initially set to the users login password and is unlocked when the user logs in. It remains unlocked unless the user locks it, or until the user logs out. You should change the settings for the login keychain so the user must unlock it when he or she logs in, or after waking the computer from sleep. To secure the login keychain: 1 Open Keychain Access. 2 If you do not see a list of keychains, click Show Keychains.

For more information, enter man

mdutil

in a Terminal window.
Securing Startup Disk Preferences
You can use Startup Disk preferences (shown below) to make your computer start up from a CD, a network volume, a different disk or disk partition, or another operating system.
Be careful when selecting a startup volume: Choosing a network install image reinstalls your operating system and might erase the contents of your hard disk. If you choose a FireWire volume, your computer starts up from the FireWire disk plugged into the current FireWire port for that volume. If you connect a different FireWire disk to that FireWire port, your computer starts from the first valid Mac OS X volume available to the computer (if you have not enabled the firmware password). When you enable a firmware password, the FireWire volume you select is the only volume that can start the computer. The computer firmware locks the FireWire Bridge Chip GUID as a startup volume instead of the hard disks GUID (as is done with internal hard disks). If the disk inside the FireWire drive enclosure is replaced by a new disk, the computer can start from the new disk without using the firmware password. To avoid this intrusion make sure your hardware is physically secured. Your computer firmware can also have a list of FireWire volumes that are approved for system startup. For information about physically protecting your computer, see Protecting Hardware on page 41. In addition to choosing a new startup volume from Startup Disk preferences, you can restart in Target Disk Mode. When your computer is in Target Disk Mode, another computer can connect to your computer and access your computers hard disk. The other computer has full access to all files on your computer. All file permissions for your computer are disabled in Target Disk Mode.
To enter Target Disk Mode, hold down the T key during startup. You can prevent the startup shortcut for Target Disk Mode by enabling an Open Firmware or EFI password. If you enable an Open Firmware or EFI password, you can still restart in Target Disk Mode using Startup Disk preferences. For more information about enabling an Open Firmware or EFI password, see Using the Firmware Password Utility on page 52. To select a startup disk: 1 Open Startup Disk preferences. 2 Select a volume to use to start up your computer. 3 Click the Restart button to restart from the selected volume. From the Command Line:

Modifying ACL Permissions
You can set ACL permission for files. The chmod command enables an administrator to grant read, write, and execute privileges to specific users regarding a single file. To set ACL permissions for a file: 1 Allow specific users to access specific files. For example, to allow Anne Johnson permission to read the file secret.txt, enter the following in Terminal:
$ chmod +a ajohnson allow read secret.txt
2 Allow specific groups of users to access specific files. For example, to allow the engineers group permission to delete the file secret.txt, enter the following in Terminal:
$ chmod +a engineers allow delete secret.txt
3 Deny access privileges to specific files. For example, to prevent Tom Clark from modifying the file secret.txt, enter the following in Terminal:
$ chmod +a tclark deny write secret.txt
4 View and validate the ACL modifications with the ls command:
$ ls -le secret.txt -rw------- 1 ajohnson admin 43008 Apr secret.txt 0: ajohnson allow read 1: tclark deny write 2: engineers allow delete
For more information, enter man chmod in a Terminal window.
Setting Global File Permissions
Every file or folder has POSIX permissions associated with it. When you create a file or folder, the umask setting determines these POSIX permissions. The umask value is subtracted from the maximum permissions value (777) to determine the default permission value of a newly created file or folder. For example, a umask of 022 results in a default permission of 755. The default umask setting 022 (in octal) removes group and other write permissions. Group members and other users can read and run these files or folders. Changing the umask setting to 027 enables group members to read files and folders and prevents others from accessing the files and folders. If you want to be the only user to access your files and folders, set the umask setting to 077. To change the globally defined umask setting, change the NSUmask setting. You must be logged in as a user who can use sudo to perform these operations and you must use the decimal equivalent, not an octal number.
Not all applications recognize the NSUmask setting so files and folders created by other applications might not have proper umask settings. The NSUmask setting also doesnt affect some command-line tools. WARNING: Many installations depend on the default umask setting. There can be unintended and possibly severe consequences to changing it. Instead, use inherited permissions, which are applied by setting permissions on a folder. All files contained that folder will inherit the permissions of that folder. To change the global umask file permission: 1 Sign in as a user who can use sudo. 2 Open Terminal. 3 Change the NSUmask setting to be the decimal equivalent of the umask setting:

Client-Side Authentication
Some applications or services require that you use a digital certificate to authenticate. Digital certificates can be stored in a Smart Card and can also include a photograph of the authorized user to further protect a certificate from being used by an unauthorized user. By using a certificate as an authentication and identification method, the service or application can ensure that the person who provided the certificate is not only the same person who provided the data, but is also who they say they are. The certificate is also signedin this case by the certificate authority (CA) who issued the certificate.
Managing Data Communication and Execution
Downloaded files are tagged with the com.apple.quarantine extended attribute until you permit the file to be opened or executed.

Opening Safe Files

When you enable Open safe files after downloading in Safari preferences, files that are considered safe are opened after downloading. These include pictures, movies, sounds, text files, PDFs, disk images, and ZIP archives.
Before they are opened, the following content factors are examined to verify that the file is safe: The file extension The MIME type Whats inside the file Sometimes malware tries to disguise itself as safe, but Mac OS X v10.5 checks for signs that indicate this. If Safari considers that a downloaded file is safe: Safari opens the file after it downloads. If the downloaded file is an archive (.zip file), Safari decompresses it. If the downloaded file is a disk image (.img file), Safari mounts the image volume. Other types of files might not be safe. Applications, scripts, web archives, and archives that contain applications or scripts can harm your computer. Not all such files are unsafe, but you should exercise caution when opening a downloaded file. Note: Although Safari, iChat, and Mail offer Download Validation for increased security, no software can detect all potentially dangerous file types. If Download Validation cannot determine that a downloaded file is safe, it is stored in your default download directory in the same way it is if the "Open safe files after downloading" preference was disabled. If Download Validation determines that a downloaded file is unsafe, you are prompted to download or cancel the download. If you download the file, it is placed in your download location as configured in Safari preferences. If you cancel, the file is saved as a web download in your download location as configured by Safari preferences. The file is named the same as the original file with.download at the end of it. This can be moved to the Trash or inspected manually.

Nonsecure Forms

In some cases, forms you complete in Safari might be submitted in a nonsecure way to a secure website. Safari is set to display a message when this is about to happen, so you can prevent the form from being submitted if you are concerned about the security of your information. If you dont want to see this message, choose Preferences from the Safari menu and click Security. Deselect the checkbox labeled Ask before sending a nonsecure form to a secure website.

Syncing Bookmarks

If youre using Mac OS X v10.5 or later and Safari 1.0 or later, you can synchronize your Safari bookmarks with the bookmarks in your.Mac Bookmarks library on the web. You can also synchronize your Safari bookmarks across multiple Mac OS computers. With bookmarks synchronization turned on, the bookmarks in your.Mac Bookmarks application on the web synchronize with Safari on your computers hard disk each time you sync. (After you sync, it might take a few minutes before you see the changes.) You can turn off synchronization in Safari Preferences by deselecting Turn on.Mac Bookmarks Synchronization. While synchronization is off, changes you make to bookmarks in.Mac Bookmarks or Safari are saved until the next time you turn on synchronization and click the Sync Now button on the.Mac pane of System Preferences (v10.4 or later) or in iSync. For example, if you delete a bookmark from.Mac Bookmarks with synchronization turned off, the bookmark is deleted from Safari on your computers hard disk the next time you use iSync with synchronization turned on.

AutoFill

Safari can use information from various sources to complete forms that are on many webpages: Personal information, such as mailing addresses, mail addresses, and phone numbers, are retrieved from your Address Book card. User names and passwords that you enter on websites are saved in your keychain and retrieved when you try to log in later. (Some websites do not allow you to save your user name and password.) Any other information that you enter at a website is saved in Safaris cache to be reused later. You can select the information that Safari uses to complete web forms. Choose Preferences from the Safari menu and click AutoFill. Then select the items you want Safari to use. To complete a web form, open the webpage and click the AutoFill button in the address bar. If you dont see the AutoFill button in the address bar, choose AutoFill from the View menu. Items that are completed using AutoFill appear in yellow in the webpage. To complete individual fields in a form, select a text box and start typing. If Safari matches saved information for the field, it finishes entering the text for you. If several items match what you typed, a menu appears. Press the arrow keys to select the correct item and press Return.

Enabling Encryption Using.Mac Identity
You can secure your iChat communications so no one can access your conferences. To use this safeguard, you and your iChat buddy must both have.Mac accounts and request.Mac identity certificates. To set up secure messaging: 1 Choose iChat > Preferences and then click Accounts. 2 Select the.Mac account you want to secure. Free trial.Mac memberships are not eligible for secure messaging. 3 Click Security and then click Enable. As part of the setup process, you must enter an encryption password. This is the password you enter if you are using secure messaging on a second computer. This password can be different from your Mac OS X password.
When you and your buddy have the.Mac certificate installed and you start a chat, a lock icon appears in the upper-right corner of the iChat window. Text, audio, and video are encrypted on your computer and are not decrypted until they reach your buddys computer. To view your Secure iChat certificate, open Keychain Access and click My Certificates in the Categories window. Double-click the certificate that is the same as your.Mac short name.
Multimedia Security with iTunes
Your iTunes account is protected by your user name and password, which should never be shared with other users, to prevent it from being compromised by an unauthorized user. If an unauthorized user gains access to your user name and password, they can use your account to purchase music, videos, and podcasts from the iTunes store. You can protect your iTunes account from being compromised by using a strong password. When creating your iTune password use Password Assistant to help you generate a strong password. Also, you can use the sharing preference of iTunes to share your music with other network users. When configuring iTunes sharing preference, require that users set a strong password to access your shared music. You can generate a strong password using Password Assistant. When you finish sharing your music, turn the iTunes sharing preference off to keep unauthorized users from attempting to access your shared iTunes music. For more information about creating strong passwords, see Using Passwords on page 70.

Information Assurance with Services
Use this chapter to secure network and shared services.

Securing Local Services

Your Mac OS X v10.5 computer offers many services that can be quickly set up and configured. Although these services are helpful and easy to configure, they must be securely configured to prevent unauthorized users from accessing your computer. Most services can be securely configured by using strong passwords or by turning the services off when they are not in use.
Managing Who Can Obtain Administrative Privileges (sudo)
You can use the sudo command to execute commands as the superuser (root) or another user with more privileges, as specified in the sudoers file. The computer uses a file named /etc/sudoers to determine which users have the authority to use sudo. You can modify root user access by changing the /etc/sudoers file to restrict sudo access to specific accounts, and by allowing those accounts to perform specific commands. This granularity gives you fine control over what users can do as root. For information about modifying the /etc/sudoers file, see the sudoers man page. Limit the list of administrators allowed to use sudo to only those administrators who must to run commands as root. To restrict sudo usage: 1 Edit the /etc/sudoers file using the visudo tool, which allows for safe editing of the file. The command must be run as root:

$sudo visudo

2 When prompted, enter the administrator password. There is a time-out value associated with sudo. This value indicates the number of minutes until sudo prompts for a password again. The default value is 5, which means that after issuing the sudo command and entering the correct password, you can enter additional sudo commands for five minutes without reentering the password. This value is set in the /etc/sudoers file. For more information, see the sudo and sudoers man pages. 3 In the Defaults specification section of the file, add the following line:
4 Restrict which administrators are allowed to run sudo by removing the line that begins with %admin, and adding the following entry for each user, substituting the users short name for the word user:

user ALL=(ALL) ALL

Each time you add a new administrator to a system, you must add that administrator to the /etc/sudoers file if the administrator requires the ability to use sudo. 5 Save and quit visudo. For more information, see the sudoers man pages.

AFP server

Unencrypted AFP connection Tom Clarks computer
Firewall allows SSH (port 22) and AFP (port 548) connections
To create an ssh tunnel: 1 Open Terminal. 2 Use the ssh command to create the SSH tunnel.
$ ssh -v -L 2501:localhost:5900 RemoteHostName -l RemoteAFPAccount
Replace RemoteHostName with the name of the host you what to connect to. Replace RemoteAFPAccount with the AFP account name, and when prompted enter the password for RemoteAFPAccount. 3 Create a server in AFP. Enter the address localhost:2501 and the RemoteAFPAccount username and password.
Modifying the SSH Configuration File
Making changes to the SSH configuration file enables you to set options for each ssh connection. You can make these changes for the system or specific users. To make the change for the system, change the options in the /etc/ssh_config file, which affects all ssh users on the computer. To make the change for a user, make them in the username/.ssh/config file. The ssh configuration file has connection options and other specifications for a specific ssh host. A host is specified by the Host declaration. By default, the Host declaration is an asterisk (*) indicating any host you are connecting to will use the options listed below the Host declaration.
You can add a specific host and options for that host by adding a new Host declaration. The new Host declaration will specify a name or address in place of the asterisk (*). You can then set the connection option for your new host below the Host declaration. This helps secure your ssh sessions in environments with different security levels. For example, if you are connecting to a server using ssh through the Internet, the server might require a more secure or stricter connection options. However, if you are in a more secure environment, such as your own personal network, you might not need such strict connection options. For more information about ssh configuration file options, see the ssh man pages.
Generating Key Pairs for Key-Based SSH Connections
By default, SSH supports the use of password, key, and Kerberos authentication. The standard method of SSH authentication is to supply login credentials in the form of a user name and password. Key pair authentication enables you to log in to the server without supplying a password. This process works as follows: 1 A private and a public key are generated, each associated with a user name to establish that users authenticity. 2 When you attempt to log in as that user, the user name is sent to the remote computer. 3 The remote computer looks in the users.ssh/ folder for the users public key. This folder is created after using SSH the first time. 4 A challenge is then sent to the user based on his or her public key. 5 The user verifies his or her identity by using the private portion of the key pair to decode the challenge. 6 After the challenge is decoded, the user is logged in without needing a password. This is especially useful when automating remote scripts. Key-based authentication is more secure than password authentication because it requires that you have the private key file and know the password that lets you access that key file. Password authentication can be compromised without needing a private key file. If the server uses FileVault to encrypt the home folder of the user you want to use SSH to connect as, you must be logged in on the server to use SSH. Alternatively, you can store the keys for the user in a location that is not protected by FileVault. However, this is not secure. To generate the identity key pair: 1 Enter the following command on the local computer.