Magic Triangle - Allow Mac Users to Install Applications

Posted on 2013-01-29
Last Modified: 2013-01-30
Hey Experts,

I have just set up Magic Triangle on our network.  I am testing this on a new user setup whereby I am logging into the domain with their account information from the AD.  On our OD I have set it so the user does not have access to System Pref > Sharing and when I log in I can see that that option is grayed out for this user.  So as far as I can tell, everything seems to be working as expected.

One question though, is there a way to allow the user to install applications on their Mac?  We are a small company with an even smaller IT department and I don't have time to approve every install.  Is there a happy medium between locking the user out of some things but allowing them to install / remove software?

Question by:GMoney99

Accepted Solution

schaps earned 500 total points
ID: 38832636
Unfortunately, I doubt it, not that I have seen. Having administrative rights to install software is among the biggest security risks; it's not a low-risk right like being able to manage printers or to change the dock icons. Managed preferences is built around limiting access to non-admins. My gut is that you might be able to figure out a way to build a group of managed preferences to accomplish what you want "on the surface," but there would always be issues and you'd end up with more micromanaging than you might anticipate.

If you're not using software to manage your Macs, Apple Remote Desktop is a steal on the App Store for $80. You can very easily keep the client Macs updated as well as install new software with a few clicks.

That's the direction I'd look rather than granting users admin rights.

Author Comment

ID: 38832687
Hey schaps,

Thanks for the reply.  In our current setup, the users are admins and are not connected to a domain.  While I understand that there are security risks around them being admins, with 4 offices (2 overseas and no IT staff in those offices) and a small IT staff, we just don't have the manpower or ability to type in a password every time that someone needs to install a piece of software.

That being said, the biggest thing I am trying to accomplish is to have an admin account on the machine that the users can't change or remove and keep them from turning off remote access.  We do use ARD and that's what started this whole conversation.  I got tired of users deciding that they can turn off remote access when they want.

Seems like I'm in a bit of a pickle though.  Either they have enough access to do everything or not enough to do the things that I am ok with them doing while trying to keep them out of other areas...

Expert Comment

ID: 38833289
Well, you're just doing things unorthodox enough to consider this crazy solution. ;)

Send command with ARD as root:
mv /System/Library/PreferencePanes/SharingPref.prefPane /some-secret-directory-of-your-choosing/

Now when your admin users log in, they can go to the System Preferences, but the Sharing panel is not there. Unless they are command-line pros, they cannot mess with your ARD settings. And, frankly, command line pros should be tech enough to take seriously the clearly stated (I hope) consequences for messing with admin settings beyond installing software. If you don't have such a policy, draft one. You can put it on the login screen using a utility like Onyx, so they can't say they didn't know.

By the way, you should also have 'remote login' enabled in the Sharing Pref panel with it restricted to an admin user only you control. You can do a lot with SSH in remote login if you can't get access to the computer in other ways (Google is your friend).  

Disclaimer: I have no idea of the long-term effects of this action. I would definitely move the panel back with the reverse command before running updates. You can stop your users from running updates by setting the Software Update server to something which does not exist. Then, again, use ARD to correct that before running updates.

Your mileage may vary, consult your doctor before starting any weight loss program, and please buckle up.
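
A drift check for the setup discussed in this thread, as an added example that is not part of any post above: it reads the output of `dscl . -read /Groups/admin GroupMembership` and `systemsetup -getremotelogin` and reports whether the IT-controlled admin account is still an admin, which other accounts are admins, whether Remote Login is still on, and whether the Sharing pane is back at its original path. The account name `itadmin`, the function name `audit_host` and the finding labels are assumptions made for the example.

```shell
#!/bin/sh
# Added example: drift check for the setup discussed in this thread.
MANAGED_ADMIN="itadmin"   # hypothetical name for the IT-controlled admin account
SHARING_PANE="/System/Library/PreferencePanes/SharingPref.prefPane"  # path from the post

# audit_host ADMIN_LINE REMOTE_LOGIN_LINE [PANE_PATH]
# Prints "OK" or a space-separated list of findings.
audit_host() {
    members=${1#GroupMembership:}
    pane=${3:-$SHARING_PANE}
    findings="" found=no extra=""
    for m in $members; do
        case $m in
            root) ;;                          # built-in member, ignore
            "$MANAGED_ADMIN") found=yes ;;    # the account IT controls
            *) extra="$extra,$m" ;;           # every other local admin
        esac
    done
    if [ "$found" != yes ]; then findings="$findings MANAGED_ADMIN_MISSING"; fi
    if [ -n "$extra" ]; then findings="$findings OTHER_ADMINS:${extra#,}"; fi
    if [ "$2" != "Remote Login: On" ]; then findings="$findings REMOTE_LOGIN_NOT_ON"; fi
    if [ -e "$pane" ]; then findings="$findings SHARING_PANE_PRESENT"; fi
    if [ -z "$findings" ]; then echo "OK"; else echo "${findings# }"; fi
}

# On a Mac, run as root (for example as an ARD "Send UNIX command"):
#   audit_host "$(dscl . -read /Groups/admin GroupMembership)" \
#              "$(systemsetup -getremotelogin)"

# Constructed sample input, not captured from a real machine:
audit_host "GroupMembership: root itadmin jsmith" "Remote Login: Off" /nonexistent-pane
```

Where users are local admins, as in the author's current setup, `OTHER_ADMINS` is an inventory rather than an alarm; the other three findings indicate that a setting has been changed back.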

Author Comment

ID: 38833308
Hey schaps,

Thanks again for the response.  If I go this route, is there any benefit then in having a Mac Server to help lock some things down?  I currently do see a reason to have the headache of managing more servers if I am just going to limit their access on each machine with a command...

This is getting more and more complex by the minute!  :)

Expert Comment

ID: 38833384
I can't answer that for you -- I have attempted to set up Managed Preferences with a Mac server a couple times with varying results, but I found various problems and ended up using mostly ARD (high school setting). I have imaging workflows set up with Deploystudio, so if things get messed up, I can reimage quickly. The students are NOT admin users, but I also don't lock down all the settings. I do set up a "User template" so they get a customized dock, desktop, etc. which they then can goof up, but they can't get into much without admin access, so things rarely get so messed up. See why I can't answer that for you?

Another suggestion I was going to make is to not make them admin users, set up a process for getting software installed, and let them wait. If it's truly a problem, they'll complain to management, and you can explain the security problems with making them all local admins, refer them to numerous Best Practices documents on the subject, and suggest you could use another person or two in the IT department in order to do things the right way. You're not necessarily doing yourself any favors by obscuring the inadequately staffed IT department from those who hold the purse strings. It's a lesson I could have learned a long time ago. Now it's been many years of long days and management does not gain a proper appreciation for all the work that gets done.


Question has a verified solution.