Remote Management

Power Manager supports remote management over the network. Remote management allows users on distant computers to monitor and alter Power Manager. This ability is particularly useful for system administrators and for those managing computers that are difficult to physically reach.

Remote management can be enabled and disabled using the Power Manager System Preference pane. The Allow remote management checkbox controls the default connection settings.

Procedure 1.6. Enabling Remote Management using the application

  1. Launch Power

  2. Enable (check) the Scheduler > Allow remote management menu item.

Procedure 1.7. Disabling Remote Management using the application

  1. Launch Power

  2. Disable (uncheck) the Scheduler > Allow remote management menu item.

Customising Remote Management

By default, the user interface sets up a single network socket listening on all interfaces on a system-provided port. The default network socket is advertised via Bonjour.

The default socket's unique identifier is You should avoid altering sockets whose name begins with This namespace is reserved for use by Power Manager's graphical and command line tools.

Power Manager can be set up to listen to more than one network socket.

You can add additional sockets for remote management using the command line pmctl tool, or with an AppleScript script.

To create a remote management socket with a fixed port number (1234) listening on all network interfaces, see Example 1.13, “Creating a fixed port socket”.

Example 1.13. Creating a fixed port socket

bash% cd '/Applications/Power'
bash% ./pmctl listen.applysocket 'unique ID=Fixed' 'port=1234'

Remote management is provided by the Listen API object. The Listen object provides an interface for creating (listen.applysocket), listing (listen.sockets), and removing (listen.removesocket) network sockets.

The listen.applysocket command accepts a range of parameters. The parameters are all optional. Power Manager will choose a suitable default for each missing parameter.

The command above creates a listening socket on port 1234 with the unique identifier 1234.

To check the socket has been created and is listening, issue the commands in Example 1.14, “Listing the fixed port socket details”.

Example 1.14. Listing the fixed port socket details

bash% ./pmctl listen.sockets
[{"port"=>1234.000000,"protocol family"=>"IPv4","state"=>"listening","unique ID"=>"Fixed","URLs"=>["pm://Mac-Pro.local:1234"]}]

The command's response lists every listening socket, along with information such as the name, port number, and URL.

You can immediately start using your new socket.
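Because each extra socket is another network entry point, it is worth comparing the listing against the sockets you intended to create. The following is an added example, not part of Power Manager or its documentation; it assumes the response notation shown in Example 1.14, and the allow-list, the "Lab" socket and the function names are hypothetical.

```python
import json
import re

# Constructed sample in the notation of Example 1.14; the "Lab" socket is invented.
SAMPLE = (
    '[{"port"=>1234.000000,"protocol family"=>"IPv4","state"=>"listening",'
    '"unique ID"=>"Fixed","URLs"=>["pm://Mac-Pro.local:1234"]},'
    '{"port"=>49152.000000,"protocol family"=>"IPv6","state"=>"listening",'
    '"unique ID"=>"Lab","URLs"=>["pm://Mac-Pro.local:49152"]}]'
)

_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|=>')


def parse_sockets(response):
    """Convert a listen.sockets response into a list of dicts."""
    # Rewrite => to : only outside string literals, then parse as JSON.
    as_json = _TOKEN.sub(lambda m: ":" if m.group(0) == "=>" else m.group(0), response)
    return json.loads(as_json)


def audit(sockets, expected):
    """Compare sockets with an allow-list {unique ID: port, or None for any port}."""
    findings, seen = [], set()
    for sock in sockets:
        uid, port = sock.get("unique ID"), int(sock.get("port", 0))
        seen.add(uid)
        if uid not in expected:
            findings.append(f"unexpected socket {uid!r} on port {port}")
        elif expected[uid] not in (None, port):
            findings.append(f"socket {uid!r} on port {port}, expected {expected[uid]}")
        elif sock.get("state") != "listening":
            findings.append(f"socket {uid!r} is {sock.get('state')!r}, not listening")
    for uid in sorted(set(expected) - seen):
        findings.append(f"expected socket {uid!r} is missing")
    return findings


if __name__ == "__main__":
    # Hypothetical allow-list: only the fixed-port socket is approved.
    for finding in audit(parse_sockets(SAMPLE), {"Fixed": 1234}):
        print(finding)
```

Feed `parse_sockets` the text printed by `./pmctl listen.sockets`, and include the default socket in the allow-list with a port of `None`, since its port is chosen by the system.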

To remove a remote management socket, issue the commands in Example 1.15, “Remove the fixed port socket”.

Example 1.15. Remove the fixed port socket

bash% ./pmctl listen.removesocket 'unique ID=Fixed'

The listen.removesocket command removes the socket with the provided unique identifier.

Procedure 1.8. Creating a new remote management socket using pmctl

  • Issue the command:

    bash% ./pmctl listen.applysocket port=1234 'protocol family=IPv6'

    This command creates a new Internet Protocol version 6 (IPv6) remote management socket listening on all network interfaces on port 1234.

Procedure 1.9. List all remote management sockets using pmctl

  • Issue the command:

    bash% ./pmctl listen.sockets

    This command returns a list of all Power Manager's listening network sockets.

Procedure 1.10. Removing a remote management socket using pmctl

  • Issue the command:

    bash% ./pmctl listen.removesocket 'unique ID=Fixed'

    This command removes the listening socket with the unique ID Fixed.

How Remote Management is Secured

Remote management connections are secure. All connections are encrypted using SSL/TLS industry standard encryption. Authentication and authorisation are provided by Pluggable Authentication Modules (PAM), in addition to a secondary group membership check within Power Manager.

Pluggable Authentication Modules (PAM) Support

Power Manager's PAM configuration is controlled by the PAM configuration file /etc/pam.d/

You may alter the PAM configuration file to match your needs. We generally advise against making alterations. The default configuration will be ideal for the great majority of environments, and should be left untouched.

If you are familiar with PAM configuration files, and wish to use alternative modules or configuration settings, this is possible. Changes to the PAM configuration take effect immediately for new remote management connections.

OpenPAM Configuration

Power Manager's OpenPAM configuration file restricts remote management to users who are members of either group admin or group wheel.

OpenPAM was introduced in Mac OS X 10.6, aka Snow Leopard.

Figure 1.1.

# Power Manager remote management configuration for OpenPAM
auth       required
account    required
account    required no_warn group=admin,wheel fail_safe
password   required
session    required

# Restrict remote management to members of group admin and wheel.
# DssW Power Manager /

Authorised Group Check

Apple's change in PAM implementation prompted us to include a second layer of authorisation checks. Mac OS X 10.6's OpenPAM includes a module capable of checking the user's group memberships, but Linux-PAM did not include this capability.

Once PAM has authenticated and authorised the remote user according to the PAM configuration file, Power Manager confirms the user is a member of at least one authorised group.

Power Manager will deny access to remote users, unless they are a member of either the wheel group or the admin group.

You can alter the groups Power Manager checks against using the defaults tool. See Example 1.16, “Authorising two groups for remote management”.

Table 1.4. Available Defaults

Key | Purpose | Type | Default
remotemanagement.groups | Restrict remote management access to users of these groups. | array | wheel, admin

Example 1.16. Authorising two groups for remote management

bash% defaults write /Library/Preferences/ remotemanagement.groups -array admin wheel
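To see who is affected by a change to remotemanagement.groups, the group check described above can be modelled offline. This is an added example, not Power Manager's own code: the function names are hypothetical, it assumes the array notation that `defaults read` prints, and passing this check is necessary but not sufficient, because PAM must also accept the user.

```python
import grp
import os
import pwd
import re

DEFAULT_GROUPS = ["wheel", "admin"]  # default listed in Table 1.4


def parse_groups(defaults_output):
    """Parse the array `defaults read` prints for remotemanagement.groups."""
    text = defaults_output.strip()
    if not (text.startswith("(") and text.endswith(")")):
        return list(DEFAULT_GROUPS)  # key unset: the documented default applies
    items = re.findall(r'"((?:\\.|[^"\\])*)"|([^\s,"]+)', text[1:-1])
    return [quoted or bare for quoted, bare in items if quoted or bare]


def groups_of(user):
    """Live lookup of every group name a local account belongs to."""
    names = set()
    for gid in os.getgrouplist(user, pwd.getpwnam(user).pw_gid):
        try:
            names.add(grp.getgrgid(gid).gr_name)
        except KeyError:
            pass  # gid without a resolvable name
    return names


def passes_group_check(memberships, allowed):
    """Map each user in at least one allowed group to the groups that match."""
    result = {}
    for user, groups in memberships.items():
        matched = sorted(set(groups) & set(allowed))
        if matched:
            result[user] = matched
    return result


if __name__ == "__main__":
    # Constructed `defaults read` output and memberships, not taken from a real host.
    allowed = parse_groups('(\n    admin,\n    "power users"\n)\n')
    sample = {"alice": {"staff", "admin"}, "bob": {"staff", "wheel"}}
    print(passes_group_check(sample, allowed))  # bob no longer qualifies
```

On a real host, build the memberships mapping with `groups_of` for each account of interest and pass `parse_groups` the output of `defaults read` for the preference domain used in Example 1.16.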

Bonjour Domains

Power Manager advertises across all available Bonjour registration domains. This helps ensure the best experience when trying to locate Power Manager services.

When searching for Power Manager services, the application will search only the .local domain by default. This reduces network traffic but, more importantly, lists only services which the user is likely to be able to access.

Attempting to connect to services beyond the .local domain is likely to fail. Routers and other network devices may block required ports and otherwise limit access. Power Manager services may be visible through Bonjour but not accessible.

Searching beyond .local is possible by enabling Search all domains in the network services window. This option respects the forced default behaviour and will be hidden automatically if the user cannot change the underlying DSSWPMAKServicesDefaultWideDomains default.

Table 1.5. Available Defaults

Key | Purpose | Type | Default
DSSWPMAKServicesDefaultWideDomains | Search all Bonjour domains. If NO, search only .local when searching for Power Manager services. If YES, search all available domains. | boolean | NO
DSSWPMAKServicesResolveTimeout | Seconds before timing out service address resolutions. | float | 30.0