Solved

Opinion about One on One Student Macbook Setup

Posted on 2010-08-27
Last Modified: 2012-05-10
Just this year we have launched a Mac rollout at our school, and we have some questions and opinions about our setup, and maybe there are some better ideas for how we can make it better.

Our current setup is as follows:

Xserver running Open Directory
Macbooks for students

Students currently use network logins. I understand we have to modify the local groups on each Mac to make them local admins so that they can install programs. We don't really want to restrict the students too much, because we want them to establish ownership over the machines so they feel like the Macs are theirs. We are very innovative and want them to explore the Macs with very few restrictions.

Also, they lease the Macs from us, so there is a need to have them feel like they own them. We do force them to have our images so that we can bind them to our network.

We also run software called SafeEyes, which is for monitoring what they do on the computers.

My concern is that, having given them local admin access, I'm afraid they will be tempted to remove the computer from the bind with the server. I was thinking of restricting that in the network settings by the computer account so they can't remove the bind, but giving them local admin access to the computer to be able to install programs.

Can the policy restrict them from unbinding the computer while they have admin access?
Question by:cbielich
14 Comments
 
LVL 32

Expert Comment

by:nappy_d
ID: 33547495
My first inclination is that it's not a wise idea. While there are not that many viruses out there for Macs "yet", the more inroads Apple makes, the greater the risk becomes.

That being said, you can simply set a policy that disallows them from being able to access certain apps.

In WGM, create a preference policy that disallows access to the Directory Utility. Try this, but I'm not sure if it will have an effect on your Macs at login.
 
LVL 1

Author Comment

by:cbielich
ID: 33548102
Well, concerning viruses and things like that, all we have in our policies is that we just reimage them when something goes wrong. It's their own fault if they screw it up :)
 
LVL 20

Expert Comment

by:woolnoir
ID: 33552841
It's up to you really. In all likelihood, students being students, providing them with admin rights will cause some problems; as you suggest, it may be that they remove the OD bind. That being said, you mention the option to re-image the machines, which will reduce the support overhead.

At work I manage the Mac deployment for about 50 users, pretty varied in role and demands. At present we don't provide the users with admin rights, but we have considered it in the past.

That being said, we have chosen to provide a deploystudio created build, which auto binds them to AD and OD, applies some software packages, forces a mobile account (client <-> server home folder sync ) and applies some managed preferences.

You could apply a managed preference file to prevent them accessing certain applications as you suggest, but as an admin user there is always a way around it. But if they intentionally bypass it, it's effort, and then at least you can say you have tried.

Do some research on the MCXs (managed preferences) associated with the System Preferences app; that way you can make it more difficult to unbind. Also consider some program restrictions to prevent running of the directory access program, removing another route to OD unbinding.

How would I handle it? Reading your situation and your needs, maybe I would aim to have some OD-provided managed preferences, create the local accounts as 'mobile' (meaning their data is secured whenever they log in on campus) and give them admin rights so they can install their own software and customise it a little.
 
LVL 1

Author Comment

by:cbielich
ID: 33553320
When you say at the end "give them rights", are you talking about adding the local group to the machine manually? Or is there an easier way to manage that from the network? Is there any way to give them rights to install programs without giving them admin rights?
 
LVL 32

Accepted Solution

by: nappy_d (earned 500 total points)
ID: 33553353
On the Mac OS you have to enter admin credentials for every install that occurs. Since 10.5, you need admin privileges to add printers.

I would also tell you to use OD to manage users for admin privileges. Doing this from each machine just becomes a pain.

On the groups tab of WGM, you can add the group administrators to each user.

The unfortunate part with this is that they are now admins on all computers on your network.

You can, however, configure a machine group in WGM and add the users to specific machine groups. This way, they do not get admin privileges on your servers.

I suggest you draw it out on paper. It may help you in planning out your admin groups and machine access.
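The two things the thread keeps circling, who actually sits in a machine's local admin group and whether the machine is still bound to Open Directory, can both be checked from `dscl` output. The script below is an added example, not code from the thread or from nappy_d; the allowed account names and the sample `dscl` output are constructed (on a real Mac you would feed it the live output of the two commands named in the comments).

```shell
#!/bin/sh
# Added example: audit a student Mac for extra local admins and a lost
# Open Directory bind by parsing the output of two dscl commands:
#   dscl . -read /Groups/admin GroupMembership   -> admin group members
#   dscl localhost -list /LDAPv3                  -> configured LDAP/OD nodes
# The sample output at the bottom is constructed so the script runs offline.

# Accounts that are allowed in the local admin group (names are assumptions).
ALLOWED_ADMINS="root techadmin student01"

# admin_members LINE: print the members named in a dscl GroupMembership line,
# one per line. LINE looks like "GroupMembership: root techadmin student01".
admin_members() {
    printf '%s\n' "$1" | sed -n 's/^GroupMembership: *//p' | tr ' ' '\n' | sed '/^$/d'
}

# unexpected_admins LINE: print admin group members that are not in
# ALLOWED_ADMINS, one per line; prints nothing when the group is clean.
unexpected_admins() {
    admin_members "$1" | while IFS= read -r m; do
        case " $ALLOWED_ADMINS " in
            *" $m "*) ;;                 # approved admin, say nothing
            *) printf '%s\n' "$m" ;;     # not on the list, report it
        esac
    done
}

# od_binding_state LIST: LIST is the output of `dscl localhost -list /LDAPv3`.
# An empty list means no LDAP/OD node is configured, i.e. the bind is gone.
od_binding_state() {
    if printf '%s' "$1" | grep -q '[^[:space:]]'; then
        echo bound
    else
        echo unbound
    fi
}

# Constructed sample output standing in for the two dscl commands: one
# unapproved admin account, and an empty node list (machine was unbound).
SAMPLE_GROUP='GroupMembership: root techadmin student01 gamer42'
SAMPLE_NODES=''

echo "Unexpected admins: $(unexpected_admins "$SAMPLE_GROUP" | tr '\n' ' ')"
echo "Open Directory binding: $(od_binding_state "$SAMPLE_NODES")"
```

Run from a management host against output collected by your imaging or inventory tooling, the two checks give you a list of machines to re-image or re-bind rather than relying on students not to touch Directory Utility.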
 
LVL 20

Expert Comment

by:woolnoir
ID: 33553383
Our situation is a little different as we have active directory too, and the default AD connector interprets anyone added to the 'managed by' setting on a computer object to have admin rights. What we do is define any domain admins as admins within the AD connector, and then if we want to give users admin rights add them as managers on the computer object.

OS X's privileges are not all that granular. I know Windows has Power Users, which isn't much better, but there isn't anything in between admin and non-admin on an OS X machine.
 
LVL 20

Expert Comment

by:woolnoir
ID: 33553393
How are you installing the images on the laptops? If you use something like DeployStudio you can define an account record for a machine, meaning each time the machine is deployed the account is created. This could reduce admin time a little if you pre-define the user's rights on the machine.

That way if they do screw anything up, when you re-apply the image the account is recreated ready to go.

If you make sure users have 'mobile' accounts, set it to sync to the OD server, you ensure that users config settings and preferences are available when you re-image.

I guess what I'm trying to get across is that in your situation I would ASSUME that they will screw things up, and design your infrastructure to ensure that when they do, you have everything in place to quickly re-image, reconfigure and return the machine to how it was.

 
LVL 1

Author Comment

by:cbielich
ID: 33553494
I do have them all set with mobile accounts. I also have an AD network as well, but I keep the servers totally apart. I don't even want to start making those 2 talk to each other.
 
LVL 20

Expert Comment

by:woolnoir
ID: 33553501
Then it's about as good as it can get: give them admin, ensure the images have as much of the config as possible (admin accounts defined) and then restrict access to certain parts of System Preferences and certain system apps (Directory Utility) to ensure their ability to change stuff is as limited as possible.
 
LVL 32

Expert Comment

by:nappy_d
ID: 33553512
As I have previously mentioned, this is all accomplished through WGM.
 
LVL 1

Author Closing Comment

by:cbielich
ID: 33553786
I think I am going to go with this.
 
LVL 1

Author Comment

by:cbielich
ID: 33556059
Can you explain in more detail what you mean by "You can however in wgm config a machine group and add the users to specific machine groups. This way, they do not get admin privileges on your servers."
 
LVL 20

Expert Comment

by:woolnoir
ID: 33556513
You may want to look at the /etc/authorization file too; that offers some granular control.
http://www.afp548.com/article.php?story=20041027093216241 This may avoid 'some' of the requirement for admin rights.

 
LVL 20

Expert Comment

by:woolnoir
ID: 33556829
Ahh, sorry, I noticed that you have closed the question and awarded points.