Solved

Magic Triangle - Allow Mac Users to Install Applications

Posted on 2013-01-29
Last Modified: 2013-01-30
Hey Experts,

I have just setup Magic Triangle on our network.  I am testing this on a new user setup whereby I am logging into the domain with their account information from the AD.  On our OD I have set it so the user does not have access to System Pref > Sharing and when I login I can see that that option is grayed out for this user.  So as far as I can tell, everything seems to be working as expected.

One question though, is there a way to allow the user to install Application on their Mac?  We are a small company with an even smaller IT department and I don't have time to approve every install.  Is there a happy medium between locking the user out of some things but allowing them to install / remove software?

Thanks
G
Question by:GMoney99
5 Comments
 
LVL 10

Accepted Solution

by:
schaps earned 1500 total points
ID: 38832636
Unfortunately, I doubt it, not that I have seen. Having administrative rights to install software is among the biggest security risks; it's not a low-risk right like being able to manage printers or to change the dock icons. Managed preferences is built around limiting access to non-admins. My gut is that you might be able to figure out a way to build a group of managed preferences to accomplish what you want "on the surface," but there would always be issues and you'd end up with more micromanaging than you might anticipate.

If you're not using software to manage your Macs, Apple Remote Desktop is a steal on the App Store for $80. You can very easily keep the client Macs updated as well as install new software with a few clicks.

That's the direction I'd look rather than granting users admin rights.

Author Comment

by:GMoney99
ID: 38832687
Hey schaps,

Thanks for the reply.  In our current setup, the users are admins and are not connected to a domain.  While I understand that there are security risks around them being admins, with 4 offices (2 overseas and no IT staff in those offices) and a small IT staff, we just don't have the manpower or ability to type in a password every time that someone needs to install a piece of software.

That being said, the biggest thing I am trying to accomplish is to have an admin account on the machine that the users can't change or remove and keep them from turning off remote access.  We do use ARD and that's what started this whole conversation.  I got tired of users deciding that they can turn off remote access when they want.

Seems like I'm in a bit of a pickle though.  Either they have enough access to do everything or not enough to do the things that I am ok with them doing while trying to keep them out of other areas...

G
LVL 10

Expert Comment

by:schaps
ID: 38833289
well, you're just doing things unorthodox enough to consider this crazy solution. ;)

Send command with ARD as root:
mv /System/Library/PreferencePanes/SharingPref.prefPane /some-secret-directory-of-your-choosing/

Now when your admin users login, they can go to the System Preferences, but the Sharing panel is not there. Unless they are command-line pros, they cannot mess with your ARD settings. And, frankly, command line pros should be tech enough to take seriously the clearly stated (I hope) consequences for messing with admin settings beyond installing software. If you don't have such a policy, draft one. You can put it on the login screen using a utility like Onyx, so they can't say they didn't know.

By the way, you should also have 'remote login' enabled in the Sharing Pref panel with it restricted to an admin user only you control. You can do a lot with SSH in remote login if you can't get access to the computer in other ways (Google is your friend).  

Disclaimer: I have no idea of the long-term effects of this action. I would definitely move the panel back with the reverse command before running updates. You can stop your users from running updates by setting the Software Update server to something which does not exist. Then, again, use ARD to correct that before running updates.

Your mileage may vary, consult your doctor before starting any weight loss program, and please buckle up.
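The hide/restore procedure from the answer above, written as an added example script (not schaps' own code) so that the hide and the reverse step before updates are one pair of checked commands that can be sent through ARD as root. It assumes a root-only stash directory under /var/root (the answer leaves the location to you) and lets PANE_DIR and STASH_DIR be overridden so the logic can be exercised in a scratch directory.

```shell
#!/bin/sh
# Added example: hide or restore the Sharing preference pane, as in the answer.
# Defaults are the real macOS paths; both can be overridden for testing.
set -u

PANE_DIR="${PANE_DIR:-/System/Library/PreferencePanes}"
STASH_DIR="${STASH_DIR:-/var/root/hidden-panes}"   # assumption: root-only stash location
PANE="SharingPref.prefPane"

# Hide the pane. Refuses to run twice so a second ARD send cannot lose the bundle.
stash_pane() {
  if [ ! -e "$PANE_DIR/$PANE" ]; then
    echo "stash: $PANE is already hidden or not present" >&2
    return 1
  fi
  mkdir -p "$STASH_DIR" && chmod 700 "$STASH_DIR"   # keep the stash readable by root only
  mv "$PANE_DIR/$PANE" "$STASH_DIR/$PANE" || return 1
  date > "$STASH_DIR/.stashed-on"                    # record when it was hidden
}

# Reverse step: put the pane back before running software updates.
restore_pane() {
  if [ ! -e "$STASH_DIR/$PANE" ]; then
    echo "restore: nothing stashed in $STASH_DIR" >&2
    return 1
  fi
  mv "$STASH_DIR/$PANE" "$PANE_DIR/$PANE" && rm -f "$STASH_DIR/.stashed-on"
}

# Report the current state ("hidden" or "visible") so ARD reports show which Macs are done.
pane_state() {
  if [ -e "$STASH_DIR/$PANE" ] && [ ! -e "$PANE_DIR/$PANE" ]; then
    echo hidden
    return 0
  fi
  echo visible
  return 1
}

case "${1:-}" in
  hide)   stash_pane ;;
  show)   restore_pane ;;
  status) pane_state ;;
esac
```

Send it as "hide", "show" or "status" from the ARD Send UNIX Command window running as root; the same script is used for the reverse step the answer recommends before updates. On OS X 10.11 and later System Integrity Protection blocks moving files under /System, so this only applies to the OS releases current when the answer was written.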

Author Comment

by:GMoney99
ID: 38833308
Hey schaps,

Thanks again for the response.  If I go this route, is there any benefit then in having a Mac Server to help lock some things down?  I currently do see a reason to have the headache of managing more servers if I am just going to limit their access on each machine with a command...

This is getting more and more complex by the minute!  :)

Thanks
G
LVL 10

Expert Comment

by:schaps
ID: 38833384
I can't answer that for you -- I have attempted to set up Managed Preferences with a Mac server a couple times with varying results, but I found various problems and ended up using mostly ARD (high school setting). I have imaging workflows set up with Deploystudio, so if things get messed up, I can reimage quickly. The students are NOT admin users, but I also don't lock down all the settings. I do set up a "User template" so they get a customized dock, desktop, etc. which they then can goof up, but they can't get into much without admin access, so things rarely get so messed up. See why I can't answer that for you?

Another suggestion I was going to make is to not make them admin users, set up a process for getting software installed, and let them wait. If it's truly a problem, they'll complain to management, and you can explain the security problems with making them all local admins, refer them to numerous Best Practices documents on the subject, and suggest you could use another person or two in the IT department in order to do things the right way. You're not necessarily doing yourself any favors by obscuring the inadequately staffed IT department from those who hold the purse strings. It's a lesson I could have learned a long time ago. Now it's been many years of long days and management does not gain a proper appreciation for all the work that gets done.

/soapbox