Just this year we have launched a Mac rollout at our school and had some questions and opinions about our setup and maybe some better ideas of how we can make it better.
Our current setup is as follows
Xserver running Open Directory
Macbooks for students
Students currently use network logins, I understand we have to modify the local groups on each mac to make them local admins so that they can install programs. We dont really want to restrict the student to much because we want to have them establish ownership over them so they feel like the macs are theirs. We are very innovative and want them to explore the macs with very little restrictions.
Also they lease the macs from us so there is a need to have them feel like they own them. We do force them to have our images so that we can bind them to our network.
We also run a software called safeeyes which is for monitoring what they do on the computers.
My concern is that with given them local admin access Im afraid they will be tempted to remove the computer from the bind with the server. I was thinking of restricting that in the network settings by the computer account so they cant remove the bind, but give them local admin access to the computer to be able to install programs.
Can the policy restrict them from unbinding the computer while they have admin access?