  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 374

Opinion about One on One Student Macbook Setup

Just this year we launched a Mac rollout at our school, and we have some questions and opinions about our setup, and maybe you have some better ideas of how we can improve it.

Our current setup is as follows

Xserver running Open Directory
Macbooks for students

Students currently use network logins. I understand we have to modify the local groups on each Mac to make them local admins so that they can install programs. We don't really want to restrict the students too much, because we want them to establish ownership over the machines so they feel like the Macs are theirs. We are very innovative and want them to explore the Macs with very few restrictions.

Also, they lease the Macs from us, so there is a need to have them feel like they own them. We do force them to have our images so that we can bind them to our network.

We also run a piece of software called SafeEyes, which is for monitoring what they do on the computers.

My concern is that, given that they have local admin access, I'm afraid they will be tempted to remove the computer from the bind with the server. I was thinking of restricting that in the network settings by the computer account so they can't remove the bind, but still giving them local admin access to the computer so they can install programs.

Can the policy restrict them from unbinding the computer while they have admin access?
Asked by cbielich

1 Solution
 
nappy_dCommented:
My first inclination is that it's not a wise idea. While there are not that many viruses out there for Macs "yet", the more inroads Apple makes, the greater the risk becomes.

That being said, you can simply set a policy that disallows them from being able to access certain apps.

In WGM, create a preference policy that disallows access to the Directory Utility. Try this, but I'm not sure whether it will have an effect on your Macs at login.
0
 
cbielichAuthor Commented:
Well, concerning viruses and things like that, all we have in our policies is that we just reimage them when something goes wrong. It's their own fault if they screw it up :)
0
 
woolnoirCommented:
It's up to you really. In all likelihood, students being students, providing them with admin rights will cause some problems; as you suggest, it may be that they remove the OD bind. That being said, you mention the option to re-image the machines, which will reduce the support overhead.

At work I manage the Mac deployment for about 50 users, pretty varied in role and demands. At present we don't provide the users with admin rights, but we have considered it in the past.

That being said, we have chosen to provide a DeployStudio-created build, which auto-binds them to AD and OD, applies some software packages, forces a mobile account (client <-> server home folder sync) and applies some managed preferences.

You could apply a managed preference file to prevent them accessing certain applications, as you suggest, but as an admin user there is always a way around it. Still, if they intentionally bypass it, it's effort, and at least you can say you have tried.

Do some research on the MCXs (managed preferences) associated with the System Preferences app; that way you can make it more difficult to unbind. Also consider some program restrictions to prevent running of the directory access program, removing another route to OD unbinding.

How would I handle it? Reading your situation and your needs, maybe I would aim to have some OD-provided managed preferences, create the local accounts as 'mobile' (meaning their data is secured whenever they log in on campus) and give them admin rights so they can install their own software and customise it a little.
0
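The advice above boils down to two things worth checking on every student machine after deployment: who actually holds local admin, and whether the OD bind is still in place. The script below is an added example, not code from the thread or from any product mentioned in it. It parses the text printed by `dscl . -read /Groups/admin GroupMembership` and `dscl localhost -list /LDAPv3`, so the checks can be run against captured output or live on a Mac; the node name `od.example.edu`, the account names and the expected-admin list are constructed placeholders.

```python
"""Audit a student Mac's local admin group and its Open Directory binding.

Added example, not part of the original thread. The functions take the text
that dscl prints so they are testable off-box; on macOS the __main__ block
runs dscl itself. od.example.edu and the account names are constructed.
"""
import subprocess
import sys

# Constructed sample of `dscl . -read /Groups/admin GroupMembership`
SAMPLE_ADMIN_GROUP = "GroupMembership: root localadmin student1\n"

# Constructed sample of `dscl localhost -list /LDAPv3` on a bound machine
SAMPLE_LDAP_NODES = "od.example.edu\n"

# Accounts that are expected to hold admin on every student image (assumed)
EXPECTED_ADMINS = {"root", "localadmin"}

# OD node the image is supposed to be bound to (constructed placeholder)
EXPECTED_OD_NODE = "od.example.edu"


def parse_group_membership(text):
    """Return the member short names listed in a dscl GroupMembership line."""
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "GroupMembership":
            return value.split()
    return []


def unexpected_admins(text, expected=EXPECTED_ADMINS):
    """Names in the local admin group that are not in the expected set."""
    return sorted(set(parse_group_membership(text)) - set(expected))


def is_bound(nodes_text, expected_node=EXPECTED_OD_NODE):
    """True if the expected LDAPv3 node is still configured on the client."""
    nodes = [n.strip() for n in nodes_text.splitlines() if n.strip()]
    return expected_node in nodes


def audit(admin_text, nodes_text):
    """Combine both checks into a list of findings (empty means compliant)."""
    findings = []
    extra = unexpected_admins(admin_text)
    if extra:
        findings.append("unexpected local admins: " + ", ".join(extra))
    if not is_bound(nodes_text):
        findings.append("not bound to " + EXPECTED_OD_NODE)
    return findings


def dscl(*args):
    """Run dscl and return its stdout (macOS only)."""
    proc = subprocess.run(["dscl", *args], capture_output=True, text=True, check=False)
    return proc.stdout


if __name__ == "__main__":
    if sys.platform == "darwin":
        admin_out = dscl(".", "-read", "/Groups/admin", "GroupMembership")
        nodes_out = dscl("localhost", "-list", "/LDAPv3")
    else:
        admin_out, nodes_out = SAMPLE_ADMIN_GROUP, SAMPLE_LDAP_NODES
    for finding in audit(admin_out, nodes_out) or ["compliant"]:
        print(finding)
```

Run from a login hook or a cron job, a non-empty findings list is the trigger to queue the machine for re-imaging, which fits the "assume they will break it and make recovery cheap" approach rather than trying to make the admin account unable to unbind.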
 
cbielichAuthor Commented:
When you say at the end "give them rights", are you talking about adding the local group to the machine manually? Or is there an easier way to manage that from the network? Is there any way to give them rights to install programs without giving them admin rights?
0
 
nappy_dCommented:
On the Mac OS you need to enter admin credentials for every install that occurs. Since 10.5, you need admin privileges to add printers.

I would also tell you to use OD to manage users for admin privileges. Doing this from each machine just becomes a pain.

On the groups tab of WGM, you can add the group administrators to each user.

The unfortunate part with this is that they are now admins on all computers on your network.

You can, however, configure a machine group in WGM and add the users to specific machine groups. This way, they do not get admin privileges on your servers.

I suggest you draw it out on paper. It may help you in planning out your admin groups and machine access.
0
 
woolnoirCommented:
Our situation is a little different, as we have Active Directory too, and the default AD connector interprets anyone added to the 'managed by' setting on a computer object as having admin rights. What we do is define any domain admins as admins within the AD connector, and then, if we want to give users admin rights, add them as managers on the computer object.

OS X's privileges are not all that granular. I know Windows has Power Users, which isn't much better, but there isn't anything in between admin and non-admin on an OS X machine.
0
 
woolnoirCommented:
How are you installing the images on the laptops? If you use something like DeployStudio you can define an account record for a machine, meaning each time the machine is deployed the account is created. That could reduce admin time a little if you pre-define the user's rights on the machine.

That way if they do screw anything up, when you re-apply the image the account is recreated ready to go.

If you make sure users have 'mobile' accounts, set to sync to the OD server, you ensure that users' config settings and preferences are available when you re-image.

I guess what I'm trying to get across is that in your situation I would ASSUME that they will screw things up, and design your infrastructure to ensure that when they do, you have everything in place to quickly re-image, reconfigure and return the machine to how it was.

0
 
cbielichAuthor Commented:
I do have them all set up with mobile accounts. I also have an AD network as well, but I keep the servers totally apart. I don't even want to start making those two talk to each other.
0
 
woolnoirCommented:
Then it's about as good as it can get: give them admin, ensure the images have as much of the config as possible (admin accounts defined) and then restrict access to certain parts of System Preferences and certain system apps (Directory Utility) to ensure their ability to change stuff is as limited as possible.
0
 
nappy_dCommented:
As I have previously mentioned, this is all accomplished through WGM.
0
 
cbielichAuthor Commented:
I think I am going to go with this.
0
 
cbielichAuthor Commented:
Can you explain in more detail what you mean by "You can however in wgm config a machine group and add the users to specific machine groups. This way, they do not get admin privileges on your servers."?
0
 
woolnoirCommented:
You may want to look at the /etc/authorization file too; that offers some granular control.
http://www.afp548.com/article.php?story=20041027093216241 may avoid 'some' of the requirement for admin rights.

0
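The /etc/authorization route mentioned above is the "something in between admin and non-admin" that an earlier reply said OS X lacks: the file is an XML plist whose top-level `rights` dictionary maps right names to rules, and a rule of class `user` with a `group` key is satisfied by any member of that group. The script below is an added example, not code from the thread or the linked article. It shows the two operations a school would actually want: delegating a single right to a non-admin group so students can do that one task without full admin, and auditing that the rights you care about (the directory-configuration right in particular) still require `admin`. The plist excerpt is constructed; `system.preferences` is a real right name, while `system.preferences.printing` and `system.services.directory.configure` are assumed names that must be checked against the actual file on the deployed OS version, and the group `students` is a placeholder.

```python
"""Inspect and adjust rights in a 10.5-era /etc/authorization plist.

Added example, not from the thread or the linked article. The plist below is
a constructed excerpt in the /etc/authorization layout, not a copy of a real
file; right names other than system.preferences and the group "students" are
assumptions to verify against the deployed system.
"""
import plistlib

# Constructed excerpt: three rights, all currently requiring the admin group
SAMPLE_AUTHORIZATION = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>rights</key>
  <dict>
    <key>system.preferences</key>
    <dict>
      <key>class</key><string>user</string>
      <key>group</key><string>admin</string>
      <key>shared</key><true/>
      <key>timeout</key><integer>0</integer>
    </dict>
    <key>system.services.directory.configure</key>
    <dict>
      <key>class</key><string>user</string>
      <key>group</key><string>admin</string>
      <key>shared</key><true/>
    </dict>
    <key>system.preferences.printing</key>
    <dict>
      <key>class</key><string>user</string>
      <key>group</key><string>admin</string>
      <key>shared</key><true/>
    </dict>
  </dict>
</dict>
</plist>
"""

# Rights that should never be delegated away from admin on a student image
MUST_STAY_ADMIN = ["system.services.directory.configure"]


def load_rights(data):
    """Parse plist bytes and return the mutable rights dictionary."""
    return plistlib.loads(data)["rights"]


def rights_open_to_group(rights, group):
    """Names of rights whose rule lets members of `group` authorize."""
    return sorted(name for name, rule in rights.items()
                  if rule.get("class") == "user" and rule.get("group") == group)


def delegate_right(rights, name, group):
    """Let members of `group` satisfy `name` instead of requiring admin."""
    rule = dict(rights[name])
    rule["class"] = "user"
    rule["group"] = group
    rights[name] = rule
    return rule


def require_admin(rights, name):
    """Restore the admin-only rule for `name`."""
    return delegate_right(rights, name, "admin")


def weakened_rights(rights, must_stay_admin=MUST_STAY_ADMIN):
    """Rights from `must_stay_admin` that no longer require the admin group."""
    return sorted(n for n in must_stay_admin
                  if rights.get(n, {}).get("group") != "admin")


def rewrite(rights):
    """Serialise the rights back into plist bytes ready to be written out."""
    return plistlib.dumps({"rights": rights})


if __name__ == "__main__":
    rights = load_rights(SAMPLE_AUTHORIZATION)
    delegate_right(rights, "system.preferences.printing", "students")
    print("students may now authorize:", rights_open_to_group(rights, "students"))
    print("rights that lost admin protection:", weakened_rights(rights))
```

On a real machine the input is the whole file read from /etc/authorization and the output replaces it after a backup; the audit function is the useful part to keep, because once students hold admin they can edit this file themselves, so re-checking it is part of the same post-deployment compliance pass as checking the OD bind.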
 
woolnoirCommented:
Ahh, sorry, I noticed that you have closed the question and awarded points.
0