Solved

Magic Triangle - Allow Mac Users to Install Applications

Posted on 2013-01-29
Last Modified: 2013-01-30
Hey Experts,

I have just set up Magic Triangle on our network. I am testing this on a new user setup whereby I am logging into the domain with their account information from the AD. On our OD I have set it so the user does not have access to System Pref > Sharing and when I log in I can see that that option is grayed out for this user. So as far as I can tell, everything seems to be working as expected.

One question though, is there a way to allow the user to install applications on their Mac? We are a small company with an even smaller IT department and I don't have time to approve every install. Is there a happy medium between locking the user out of some things but allowing them to install / remove software?

Thanks
G
0
Question by: GMoney99
5 Comments
 
LVL 10

Accepted Solution

by: schaps (earned 500 total points)
ID: 38832636
Unfortunately, I doubt it, not that I have seen. Having administrative rights to install software is among the biggest security risks; it's not a low-risk right like being able to manage printers or to change the dock icons. Managed preferences is built around limiting access to non-admins. My gut is that you might be able to figure out a way to build a group of managed preferences to accomplish what you want "on the surface," but there would always be issues and you'd end up with more micromanaging than you might anticipate.

If you're not using software to manage your Macs, Apple Remote Desktop is a steal on the App Store for $80. You can very easily keep the client Macs updated as well as install new software with a few clicks.

That's the direction I'd look rather than granting users admin rights.
0
 

Author Comment

by:GMoney99
ID: 38832687
Hey schaps,

Thanks for the reply.  In our current setup, the users are admins and are not connected to a domain.  While I understand that there are security risks around them being admins, with 4 offices (2 overseas and no IT staff in those offices) and a small IT staff, we just don't have the manpower or ability to type in a password every time that someone needs to install a piece of software.

That being said, the biggest thing I am trying to accomplish is to have an admin account on the machine that the users can't change or remove and keep them from turning off remote access.  We do use ARD and that's what started this whole conversation.  I got tired of users deciding that they can turn off remote access when they want.

Seems like I'm in a bit of a pickle though.  Either they have enough access to do everything or not enough to do the things that I am ok with them doing while trying to keep them out of other areas...

G
0
 
LVL 10

Expert Comment

by:schaps
ID: 38833289
Well, you're just doing things unorthodox enough to consider this crazy solution. ;)

Send command with ARD as root:
mv /System/Library/PreferencePanes/SharingPref.prefPane /some-secret-directory-of-your-choosing/

Now when your admin users log in, they can go to the System Preferences, but the Sharing panel is not there. Unless they are command-line pros, they cannot mess with your ARD settings. And, frankly, command line pros should be tech enough to take seriously the clearly stated (I hope) consequences for messing with admin settings beyond installing software. If you don't have such a policy, draft one. You can put it on the login screen using a utility like Onyx, so they can't say they didn't know.

By the way, you should also have 'remote login' enabled in the Sharing Pref panel with it restricted to an admin user only you control. You can do a lot with SSH in remote login if you can't get access to the computer in other ways (Google is your friend).  

Disclaimer: I have no idea of the long-term effects of this action. I would definitely move the panel back with the reverse command before running updates. You can stop your users from running updates by setting the Software Update server to something which does not exist. Then, again, use ARD to correct that before running updates.

Your mileage may vary, consult your doctor before starting any weight loss program, and please buckle up.
0
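A reversible form of the move suggested in the comment above, as an added example that is not part of the original post: it checks where the pane is before acting, so the "reverse command before running updates" step can be re-sent safely and never overwrites a copy. The function names, the PANE_DIR/HOLD_DIR variables and the "both" scenario are assumptions; the hold directory is the post's own placeholder.

```shell
#!/bin/sh
# Added example (not from the thread). Run as root, e.g. sent via ARD.
PANE_NAME="SharingPref.prefPane"
PANE_DIR="${PANE_DIR:-/System/Library/PreferencePanes}"
# Placeholder from the post; substitute your own root-only directory.
HOLD_DIR="${HOLD_DIR:-/some-secret-directory-of-your-choosing}"

# Print where the pane currently is: visible | hidden | both | missing.
pane_state() {
    live="$PANE_DIR/$PANE_NAME"
    held="$HOLD_DIR/$PANE_NAME"
    if [ -e "$live" ] && [ -e "$held" ]; then echo both
    elif [ -e "$live" ]; then echo visible
    elif [ -e "$held" ]; then echo hidden
    else echo missing
    fi
}

# "both" is an assumed failure mode: a copy reappeared in PANE_DIR while
# the original was still held. Refuse to act rather than overwrite either.
refuse() {
    echo "$PANE_NAME: state is '$1'; resolve by hand" >&2
    [ "$1" = both ] && return 2
    return 1
}

hide_pane() {
    state=$(pane_state)
    case "$state" in
        hidden)  return 0 ;;   # already moved: safe to re-send
        visible) mkdir -p "$HOLD_DIR" && chmod 700 "$HOLD_DIR" &&
                 mv "$PANE_DIR/$PANE_NAME" "$HOLD_DIR/" ;;
        *)       refuse "$state" ;;
    esac
}

restore_pane() {
    state=$(pane_state)
    case "$state" in
        visible) return 0 ;;   # already back in place
        hidden)  mv "$HOLD_DIR/$PANE_NAME" "$PANE_DIR/" ;;
        *)       refuse "$state" ;;
    esac
}

case "${1:-}" in
    hide)    hide_pane ;;
    restore) restore_pane ;;
    status)  pane_state ;;
esac
```

Invoked as `hide`, `restore` or `status`; exit code 2 means the pane exists in both locations and needs manual review.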
 

Author Comment

by:GMoney99
ID: 38833308
Hey schaps,

Thanks again for the response.  If I go this route, is there any benefit then in having a Mac Server to help lock some things down?  I currently do see a reason to have the headache of managing more servers if I am just going to limit their access on each machine with a command...

This is getting more and more complex by the minute!  :)

Thanks
G
0
 
LVL 10

Expert Comment

by:schaps
ID: 38833384
I can't answer that for you -- I have attempted to set up Managed Preferences with a Mac server a couple times with varying results, but I found various problems and ended up using mostly ARD (high school setting). I have imaging workflows set up with Deploystudio, so if things get messed up, I can reimage quickly. The students are NOT admin users, but I also don't lock down all the settings. I do set up a "User template" so they get a customized dock, desktop, etc. which they then can goof up, but they can't get into much without admin access, so things rarely get so messed up. See why I can't answer that for you?

Another suggestion I was going to make is to not make them admin users, set up a process for getting software installed, and let them wait. If it's truly a problem, they'll complain to management, and you can explain the security problems with making them all local admins, refer them to numerous Best Practices documents on the subject, and suggest you could use another person or two in the IT department in order to do things the right way. You're not necessarily doing yourself any favors by obscuring the inadequately staffed IT department from those who hold the purse strings. It's a lesson I could have learned a long time ago. Now it's been many years of long days and management does not gain a proper appreciation for all the work that gets done.

/soapbox
0
