Solved

Opinion about One on One Student Macbook Setup

Posted on 2010-08-27
Last Modified: 2012-05-10
Just this year we have launched a Mac rollout at our school, and I have some questions about our setup and would like opinions and maybe some better ideas on how we can make it better.

Our current setup is as follows:

Xserver running Open Directory
Macbooks for students

Students currently use network logins. I understand we have to modify the local groups on each Mac to make them local admins so that they can install programs. We don't really want to restrict the students too much, because we want them to establish ownership over the machines so they feel like the Macs are theirs. We are very innovative and want them to explore the Macs with very few restrictions.

Also, they lease the Macs from us, so there is a need to have them feel like they own them. We do force them to have our images so that we can bind them to our network.

We also run software called SafeEyes, which is for monitoring what they do on the computers.

My concern is that, having given them local admin access, I'm afraid they will be tempted to remove the computer from the bind with the server. I was thinking of restricting that in the network settings by the computer account so they can't remove the bind, but giving them local admin access to the computer to be able to install programs.

Can the policy restrict them from unbinding the computer while they have admin access?
Question by:cbielich
14 Comments
LVL 32

Expert Comment

by:nappy_d
My first inclination is that it's not a wise idea. While there are not that many viruses out there for Macs "yet", the more inroads Apple makes, the greater the risk becomes.

That being said, you can simply set a policy that disallows them from being able to access certain apps.

In WGM, create a preference policy that disallows access to the Directory Utility. Try this, but I'm not sure if it will have an effect on your Macs at login.
LVL 1

Author Comment

by:cbielich
Well, concerning viruses and things like that, all we have in our policies is that we just reimage them when something goes wrong. It's their own fault if they screw it up :)
LVL 20

Expert Comment

by:woolnoir
It's up to you really; in all likelihood, students being students, providing them with admin rights will cause some problems. As you suggest, it may be that they remove the OD bind. That being said, you mention the option to re-image the machines, which will reduce the support overhead.

At work I manage the Mac deployment for about 50 users, pretty varied in role and demands. At present we don't provide the users with admin rights, but we have considered it in the past.

That being said, we have chosen to provide a DeployStudio-created build, which auto-binds them to AD and OD, applies some software packages, forces a mobile account (client <-> server home folder sync) and applies some managed preferences.

You could apply a managed preference file to prevent them accessing certain applications, as you suggest, but as an admin user there is always a way around it. If they intentionally bypass it, though, it's effort on their part, and at least you can say you have tried.

Do some research on the MCX (managed preferences) settings associated with the System Preferences app; that way you can make it more difficult to unbind. Also consider some program restrictions to prevent running of the Directory Access program, removing another route to OD unbinding.

How would I handle it? Reading your situation and your needs, maybe I would aim to have some OD-provided managed preferences, create the local accounts as 'mobile' (meaning their data is secured whenever they log in on campus) and give them admin rights so they can install their own software and customise it a little.
LVL 1

Author Comment

by:cbielich
When you say at the end "give them rights", are you talking about adding the local group to the machine manually? Or is there an easier way to manage that from the network? Is there any way to give them rights to install programs without giving them admin rights?
LVL 32

Accepted Solution

by:nappy_d (earned 500 total points)
On the Mac OS you need to enter admin credentials for every install that occurs. Since 10.5, you need admin privileges to add printers.

I would also tell you to use OD to manage users for admin privileges. Doing this from each machine just becomes a pain.

On the groups tab of WGM, you can add the group administrators to each user.

The unfortunate part with this is that they are now admins on all computers on your network.

You can, however, configure a machine group in WGM and add the users to specific machine groups. This way, they do not get admin privileges on your servers.

I suggest you draw it out on paper. It may help you in planning out your admin groups and machine access.
LVL 20

Expert Comment

by:woolnoir
Our situation is a little different, as we have Active Directory too, and the default AD connector interprets anyone added to the 'managed by' setting on a computer object as having admin rights. What we do is define any domain admins as admins within the AD connector, and then if we want to give users admin rights we add them as managers on the computer object.

OS X's privileges are not all that granular. I know Windows has Power Users, which isn't much better, but there isn't anything in between admin and non-admin on an OS X machine.
LVL 20

Expert Comment

by:woolnoir
How are you installing the images on the laptops? If you use something like DeployStudio, you can define an account record for a machine, meaning each time the machine is deployed the account is created. This could reduce admin time a little if you pre-define the user's rights on the machine.

That way, if they do screw anything up, when you re-apply the image the account is recreated, ready to go.

If you make sure users have 'mobile' accounts, set to sync to the OD server, you ensure that users' config settings and preferences are available when you re-image.

I guess what I'm trying to get across is that in your situation I would ASSUME that they will screw things up, and design your infrastructure to ensure that when they do, you have everything in place to quickly re-image, reconfigure and return the machine to how it was.
LVL 1

Author Comment

by:cbielich
I do have them all set with mobile accounts. I also have an AD network as well, but I keep the servers totally apart. I don't even want to start making those two talk to each other.
LVL 20

Expert Comment

by:woolnoir
Then it's about as good as it can get: give them admin, ensure the images have as much of the config as possible (admin accounts defined) and then restrict access to certain parts of System Preferences and certain system apps (Directory Utility) to ensure their ability to change stuff is as limited as possible.
LVL 32

Expert Comment

by:nappy_d
As I have previously mentioned, this is all accomplished through WGM.
LVL 1

Author Closing Comment

by:cbielich
I think I am going to go with this.
LVL 1

Author Comment

by:cbielich
Can you explain in more detail what you mean by "You can however in wgm config a machine group and add the users to specific machine groups. This way, they do not get admin privileges on your servers."?
LVL 20

Expert Comment

by:woolnoir
You may want to look at the /etc/authorization file too; that offers some granular control.
http://www.afp548.com/article.php?story=20041027093216241 This may avoid 'some' of the requirement for admin rights.

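The /etc/authorization approach mentioned above trades admin rights for per-right grants, so the thing to verify after loosening it is that a grant intended for one System Preferences pane has not also opened the network or directory-binding rights the original question is worried about. The following audit script is an added example written for this thread, not code from the thread or from the linked article. It assumes the plist layout that /etc/authorization used on Mac OS X 10.4 through 10.8 (a top-level "rights" dictionary whose entries carry "class" and "group" keys); the sample database is constructed here, and the right names other than "system.preferences" are assumed for illustration rather than taken from the page.

```python
"""Audit an /etc/authorization-style rights database for rights that a
standard (non-admin) user could exercise to change network or directory
service configuration.

Added example; not part of the original thread.  Assumes the pre-10.9
/etc/authorization plist layout: {"rights": {<right name>: {<rule>}}}.
"""
import sys
import plistlib

# Constructed sample modelled on the /etc/authorization layout.  It shows a
# site that opened "system.preferences" to everyone (so standard users can
# reach the panes), kept the date/time and directory rights admin-only, but
# accidentally set the network right to "allow", which needs no credentials.
# Right names below "system.preferences" are assumed for illustration.
SAMPLE_AUTHORIZATION = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>rights</key>
  <dict>
    <key>system.preferences</key>
    <dict>
      <key>class</key><string>user</string>
      <key>group</key><string>everyone</string>
      <key>shared</key><true/>
    </dict>
    <key>system.preferences.datetime</key>
    <dict>
      <key>class</key><string>user</string>
      <key>group</key><string>admin</string>
    </dict>
    <key>system.preferences.network</key>
    <dict>
      <key>class</key><string>allow</string>
    </dict>
    <key>system.services.directory.configure</key>
    <dict>
      <key>class</key><string>user</string>
      <key>group</key><string>admin</string>
    </dict>
  </dict>
</dict>
</plist>
"""

# Right-name prefixes whose rules should stay admin-only if the goal is to
# keep students from touching network settings or the OD bind (assumed names).
SENSITIVE_PREFIXES = ("system.preferences.network", "system.services.directory")


def right_is_open_to_standard_users(rule):
    """Return True if the rule lets someone outside the admin group use the right.

    "allow" grants the right to anyone with no authentication.  "user" requires
    membership in the named group; if no group is given, admin is assumed.
    "deny", chained "rule" classes and anything unknown are treated as closed,
    so a chained rule that is actually open would need manual review.
    """
    cls = rule.get("class")
    if cls == "allow":
        return True
    if cls == "user":
        return rule.get("group", "admin") != "admin"
    return False


def audit_rights(plist_bytes):
    """Parse an authorization plist and return the sensitive right names that
    are exercisable by standard users, sorted by name."""
    rights = plistlib.loads(plist_bytes).get("rights", {})
    return [
        name
        for name, rule in sorted(rights.items())
        if name.startswith(SENSITIVE_PREFIXES) and right_is_open_to_standard_users(rule)
    ]


if __name__ == "__main__":
    # Usage: python audit_authorization.py [/etc/authorization]
    # With no path the constructed sample is audited.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = SAMPLE_AUTHORIZATION
    for finding in audit_rights(data):
        print("open to standard users:", finding)
```

The script deliberately reports only rights it can prove are open; a right whose class is "rule" delegates to another named rule, and resolving those chains is left as a manual step so the audit never reports a false "closed". On the sample it reports just the network right, which is the one that would let a student change the settings the bind depends on without any credential prompt.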
LVL 20

Expert Comment

by:woolnoir
Ahh, sorry, I noticed that you have closed the question and awarded points.