Wayne_Bow

How can I allow an unprivileged user to access a thumb drive - school setting

Aloha,

I support a school that uses primarily Apple-based computers running various versions of OSX. One of the annoyances for our Computer teacher is that the students can't plug in and access USB thumb drives because they do not have (nor do we want to give) administrative privileges on the machines.

Is there any way that I can allow them to access a USB drive? Is that a huge security risk?

Thanks!
Wayne Bow
strung

They could presumably run unauthorized applications from the USB drive.
SOLUTION
pheidius

Eoin OSullivan

It depends on how well locked down the Macs are. If users have NO read/write access to the System/Library/Applications folders then there will be little harm in enabling USB drives. And if user accounts are prevented from running any applications that require write access to the local System/Library folder then it should be fairly safe.
The question is CAN you unlock the USB port to allow mounting drives while retaining the rest of the locks and security.  You also would be best to clone/image the system to restore any damaged Macs from a central source.

Wayne_Bow

ASKER

Mahalo for the replies.

I'm just beginning work with this school and come from many years of managing Windows machines and very little time managing Macs. The students have access to home directories located on a server and they also have access to email so they probably don't *need* access to thumb drives. It has been a repeated request from the teacher and I'm looking into potential solutions.

In the Windows world there is a product called "Deep Freeze" that locks the OS in such a way that it always boots with the same configuration. That has kept the campus running smoothly for years with no incidents of infection that I've ever had to deal with... thank God! Is there something like that for OSX?

Mahalo, Pheidius, for the script and keylogger suggestion. I'll definitely look into the keylogger. To date, the teacher in charge of the lab has gone thru great pains to make certain that the Safari profiles exist on the server in the home directories and that the students' profiles remain current. Certainly we don't want to erase their saved work. I suppose that the script could be modified to leave data alone and to overwrite the rest of the homedir.

Mahalo, too, eoinosullivan for your comment, I don't know yet if any of the System/Library/Applications folders are locked down currently.  Will the Mac operate if the student can't "read" the Applications folders?

I do know that the teacher's solution is to log them on using the admin password so they can access their drives. I find that unacceptable as they are in an Open Directory structure and, lo and behold, we see admins logged on in places where they shouldn't be during times when they shouldn't be. Not good.

Thanks for all suggestions so far. I'm going to leave this open a bit longer, though I think Pheidius has the best answer so far.

I know that Windows has the ability to lock down a machine thru Active Directory such that only specified applications can run. Maybe OD has a similar feature. I've got a lot to learn! :) I haven't felt this green in *years*.

Aloha,
Wayne Bow


ASKER CERTIFIED SOLUTION
Aloha,
Much mahalo (thanks) Pheidius for your answer. I upped the points because you really provided me with the solutions that I was looking for.  Have a great Day!

Aloha,
Wayne Bow