Remote Management
Power Manager supports remote management over the network. Remote management allows users on distant computers to monitor and alter Power Manager. This ability is particularly useful for system administrators and for those managing computers that are difficult to physically reach.
Remote management can be enabled and disabled using the Power Manager System Preference pane. The Allow remote management checkbox controls the default connection settings.
Procedure 1.6. Enabling Remote Management using the application
Launch Power Manager.app.
Enable (check) the Scheduler > Allow remote management menu item.
Procedure 1.7. Disabling Remote Management using the application
Launch Power Manager.app.
Disable (uncheck) the Scheduler > Allow remote management menu item.
Customising Remote Management
By default, the user interface sets up a single network socket listening on all interfaces on a system-provided port. The default network socket is advertised via Bonjour.
The default socket’s unique identifier is uk.co.dssw.powermanager.systempreference.remote-management. You should avoid altering sockets whose name begins with uk.co.dssw.powermanager. This namespace is reserved for use by Power Manager’s graphical and command line tools.
Power Manager can be set up to listen to more than one network socket.
You can add additional sockets for remote management using the command line pmctl tool, or with an AppleScript script.
To create a remote management socket with a fixed port number (1234) listening on all network interfaces, see Example 1.14, “Creating a fixed port socket”.
Example 1.14. Creating a fixed port socket
cd '/Applications/Power Manager.app/Contents/Tools'
./pmctl listen.applysocket 'unique ID=Fixed' 'port=1234'
Remote management is provided by the Listen API object. The Listen object provides an interface for creating (listen.applysocket), listing (listen.sockets), and removing (listen.removesocket) network sockets.
The listen.applysocket command accepts a range of parameters. The parameters are all optional. Power Manager will choose a suitable default for each missing parameter.
The command above creates a listening socket on port 1234 with the unique identifier 1234.
To check the socket has been created and is listening, issue the commands in Example 1.15, “Listing the fixed port socket details”.
Example 1.15. Listing the fixed port socket details
./pmctl listen.sockets
[{"port"=>1234.000000,"protocol family"=>"IPv4","state"=>"listening","unique ID"=>"Fixed","URLs"=>["pm://Mac-Pro.local:1234"]}]
The command’s response lists every listening socket, along with information such as the name, port number, and URL.
You can immediately start using your new socket.
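Because every socket added this way exposes remote management on the network, it helps to compare the listen.sockets response against an inventory of sockets you intended to create. The following is an added example, not part of the original documentation or of Power Manager; it assumes the response always follows the layout shown in Example 1.15 with JSON-style string escaping, and the function names, the inventory mapping, and the extra sample entries are hypothetical.

```python
import json
import re

# Namespace the page reserves for Power Manager's own tools.
RESERVED_PREFIX = "uk.co.dssw.powermanager"

# Matches a double-quoted string (left untouched) or the "=>" separator.
_TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|=>')


def parse_sockets(output):
    """Parse listen.sockets output, assuming the layout shown in Example 1.15."""
    fix = lambda m: ":" if m.group(0) == "=>" else m.group(0)
    return json.loads(_TOKEN.sub(fix, output.strip()))


def audit_sockets(output, expected):
    """Return (unique ID, port, reason) for sockets that do not match `expected`.

    `expected` maps unique ID -> port for sockets an administrator added on purpose.
    """
    findings = []
    for sock in parse_sockets(output):
        uid, port = sock.get("unique ID", ""), int(sock.get("port", 0))
        if uid.startswith(RESERVED_PREFIX):
            continue  # managed by Power Manager's graphical and command line tools
        if uid not in expected:
            findings.append((uid, port, "not in inventory"))
        elif expected[uid] != port:
            findings.append((uid, port, "port differs from inventory"))
    return findings


# Constructed sample: the "Fixed" entry is from Example 1.15; the other two
# entries (ports 49152 and 4321, ID "Temp") are made up for illustration.
SAMPLE = (
    '[{"port"=>49152.000000,"protocol family"=>"IPv4","state"=>"listening",'
    '"unique ID"=>"uk.co.dssw.powermanager.systempreference.remote-management",'
    '"URLs"=>["pm://Mac-Pro.local:49152"]},'
    '{"port"=>1234.000000,"protocol family"=>"IPv4","state"=>"listening",'
    '"unique ID"=>"Fixed","URLs"=>["pm://Mac-Pro.local:1234"]},'
    '{"port"=>4321.000000,"protocol family"=>"IPv6","state"=>"listening",'
    '"unique ID"=>"Temp","URLs"=>["pm://Mac-Pro.local:4321"]}]'
)

if __name__ == "__main__":
    for uid, port, reason in audit_sockets(SAMPLE, {"Fixed": 1234}):
        print(f"socket {uid!r} on port {port}: {reason}")
```

To audit a live system, pass the captured output of ./pmctl listen.sockets to audit_sockets in place of SAMPLE.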
To remove a remote management socket, issue the commands in Example 1.16, “Remove the fixed port socket”.
Example 1.16. Remove the fixed port socket
./pmctl listen.removesocket 'unique ID=Fixed'
The listen.removesocket command removes the socket with the provided unique identifier.
Procedure 1.8. Creating a new remote management socket using pmctl
Issue the command:
./pmctl listen.applysocket port=1234 'protocol family=IPv6'
This command creates a new Internet Protocol version 6 (IPv6) remote management socket listening on all network interfaces on port 1234.
Procedure 1.9. List all remote management sockets using pmctl
Issue the command:
./pmctl listen.sockets
This command returns a list of all Power Manager’s listening network sockets.
Procedure 1.10. Removing a remote management socket using pmctl
Issue the command:
./pmctl listen.removesocket 'unique ID=Fixed'
This command removes the listening socket with the unique ID Fixed.
How Remote Management is Secured
Remote management connections are secure. All connections are encrypted using SSL/TLS industry standard encryption. Authentication and authorisation are provided by Pluggable Authentication Modules (PAM), in addition to a secondary group membership check within Power Manager.
Pluggable Authentication Modules (PAM) Support
By default, Power Manager’s PAM configuration is controlled by the PAM configuration file /etc/pam.d/sudo. This means that if the user has super user rights (sudo), they can also remotely manage Power Manager.
You can customise the PAM service name that Power Manager uses; see Table 1.4, “Available Defaults”. This allows you to alter the configuration. We generally advise against making alterations. The default configuration will be ideal for the great majority of environments, and should be left untouched.
Authorised Group Check
Apple’s change in PAM implementation prompted us to include a second layer of authorisation checks. macOS 10.6’s OpenPAM includes a module capable of checking the user’s group memberships, but Linux-PAM did not include this capability.
Once PAM has authenticated and authorised the remote user according to the PAM configuration file, Power Manager confirms the user is a member of at least one authorised group.
Power Manager will deny access to remote users, unless they are a member of either the wheel group or the admin group.
You can alter the groups Power Manager checks against using the defaults tool. See Example 1.18, “Authorising two groups for remote management”.
Table 1.4. Available Defaults
Key | Purpose | Type | Default |
---|---|---|---|
remotemanagement.service | PAM service name. | string | sudo |
remotemanagement.groups | Restrict remote management access to users of these groups. | array | wheel, admin |
Example 1.17. Custom PAM configuration
defaults write /Library/Preferences/uk.co.dssw.powermanager remotemanagement.service custom
A PAM configuration file must be created at /etc/pam.d/custom. Restart your Mac to ensure the configuration change is applied.
Example 1.18. Authorising two groups for remote management
defaults write /Library/Preferences/uk.co.dssw.powermanager remotemanagement.groups -array admin wheel
Bonjour Domains
Power Manager advertises across all available Bonjour registration domains. This helps ensure the best experience when trying to locate Power Manager services.
When searching for Power Manager services, the application will search only the .local domain by default. This reduces network traffic but, more importantly, lists only services which the user is likely to be able to access.
Attempting to connect to services beyond the .local domain is likely to fail. Routers and other network devices may block required ports and otherwise limit access. Power Manager services may be visible through Bonjour but not accessible.
Searching beyond .local is possible by enabling Search all domains in the network services window. This option respects the forced default behaviour and will be hidden automatically if the user cannot change the underlying DSSWPMAKServicesDefaultWideDomains default.
Table 1.5. Available Defaults
Key | Purpose | Type | Default |
---|---|---|---|
DSSWPMAKServicesDefaultWideDomains | Search all Bonjour domains. If NO, search only .local when searching for Power Manager services. If YES, search all available domains. | boolean | NO |
DSSWPMAKServicesResolveTimeout | Seconds before timing out service address resolutions. | float | 30.0 |