Magic Triangle - Allow Mac Users to Install Applications

Posted on 2013-01-29
Medium Priority
Last Modified: 2013-01-30
Hey Experts,

I have just set up Magic Triangle on our network.  I am testing this on a new user setup whereby I am logging into the domain with their account information from the AD.  On our OD I have set it so the user does not have access to System Pref > Sharing and when I log in I can see that that option is grayed out for this user.  So as far as I can tell, everything seems to be working as expected.

One question though, is there a way to allow the user to install applications on their Mac?  We are a small company with an even smaller IT department and I don't have time to approve every install.  Is there a happy medium between locking the user out of some things but allowing them to install / remove software?

Question by:GMoney99
LVL 10

Accepted Solution

schaps earned 1500 total points
ID: 38832636
Unfortunately, I doubt it, not that I have seen. Having administrative rights to install software is among the biggest security risks; it's not a low-risk right like being able to manage printers or to change the dock icons. Managed preferences is built around limiting access to non-admins. My gut is that you might be able to figure out a way to build a group of managed preferences to accomplish what you want "on the surface," but there would always be issues and you'd end up with more micromanaging than you might anticipate.

If you're not using software to manage your Macs, Apple Remote Desktop is a steal on the App Store for $80. You can very easily keep the client Macs updated as well as install new software with a few clicks.

That's the direction I'd look rather than granting users admin rights.

Author Comment

ID: 38832687
Hey schaps,

Thanks for the reply.  In our current setup, the users are admins and are not connected to a domain.  While I understand that there are security risks around them being admins, with 4 offices (2 overseas and no IT staff in those offices) and a small IT staff, we just don't have the manpower or ability to type in a password every time that someone needs to install a piece of software.

That being said, the biggest thing I am trying to accomplish is to have an admin account on the machine that the users can't change or remove and keep them from turning off remote access.  We do use ARD and that's what started this whole conversation.  I got tired of users deciding that they can turn off remote access when they want.

Seems like I'm in a bit of a pickle though.  Either they have enough access to do everything or not enough to do the things that I am ok with them doing while trying to keep them out of other areas...

LVL 10

Expert Comment

ID: 38833289
Well, you're just doing things unorthodox enough to consider this crazy solution. ;)

Send command with ARD as root:
mv /System/Library/PreferencePanes/SharingPref.prefPane /some-secret-directory-of-your-choosing/

Now when your admin users log in, they can go to the System Preferences, but the Sharing panel is not there. Unless they are command-line pros, they cannot mess with your ARD settings. And, frankly, command line pros should be tech enough to take seriously the clearly stated (I hope) consequences for messing with admin settings beyond installing software. If you don't have such a policy, draft one. You can put it on the login screen using a utility like Onyx, so they can't say they didn't know.

By the way, you should also have 'remote login' enabled in the Sharing Pref panel with it restricted to an admin user only you control. You can do a lot with SSH in remote login if you can't get access to the computer in other ways (Google is your friend).  

Disclaimer: I have no idea of the long-term effects of this action. I would definitely move the panel back with the reverse command before running updates. You can stop your users from running updates by setting the Software Update server to something which does not exist. Then, again, use ARD to correct that before running updates.

Your mileage may vary, consult your doctor before starting any weight loss program, and please buckle up.
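
A reversible version of the move described in the comment above, as an added example that is not part of the original post: it tracks whether the pane is visible, hidden, or has reappeared, so the restore step before updates is neither forgotten nor run twice. The `ROOT` and `STASH` arguments, the function names and the state names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): reversible hide/restore of the pane.
# ROOT and STASH arguments are assumptions for illustration. ROOT lets you
# rehearse on a scratch tree; on a real Mac it would be "/" and run as root.
PANE_NAME="SharingPref.prefPane"
PANE_DIR="System/Library/PreferencePanes"

# pane_state ROOT STASH -> prints visible | hidden | conflict | missing
pane_state() {
    live="$1/$PANE_DIR/$PANE_NAME"
    stashed="$2/$PANE_NAME"
    if [ -e "$live" ] && [ -e "$stashed" ]; then
        echo conflict   # something (e.g. an update) put the pane back
    elif [ -e "$live" ]; then
        echo visible
    elif [ -e "$stashed" ]; then
        echo hidden
    else
        echo missing
    fi
}

# hide_pane ROOT STASH: idempotent; refuses to clobber an existing stash.
hide_pane() {
    case "$(pane_state "$1" "$2")" in
        hidden)  return 0 ;;
        visible) mkdir -p "$2" && chmod 700 "$2" &&
                 mv "$1/$PANE_DIR/$PANE_NAME" "$2/" ;;
        *)       echo "hide_pane: unexpected state, not moving" >&2
                 return 1 ;;
    esac
}

# restore_pane ROOT STASH: run this before applying updates.
restore_pane() {
    case "$(pane_state "$1" "$2")" in
        visible) return 0 ;;
        hidden)  mv "$2/$PANE_NAME" "$1/$PANE_DIR/" ;;
        *)       echo "restore_pane: unexpected state, not moving" >&2
                 return 1 ;;
    esac
}
```

On OS X 10.11 and later, System Integrity Protection blocks changes under /System even for root, so the move only works on the older releases this thread dates from. A `conflict` result after an update means the pane is visible again and the stashed copy is stale.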

Author Comment

ID: 38833308
Hey schaps,

Thanks again for the response.  If I go this route, is there any benefit then in having a Mac Server to help lock some things down?  I currently do see a reason to have the headache of managing more servers if I am just going to limit their access on each machine with a command...

This is getting more and more complex by the minute!  :)

LVL 10

Expert Comment

ID: 38833384
I can't answer that for you -- I have attempted to set up Managed Preferences with a Mac server a couple times with varying results, but I found various problems and ended up using mostly ARD (high school setting). I have imaging workflows set up with DeployStudio, so if things get messed up, I can reimage quickly. The students are NOT admin users, but I also don't lock down all the settings. I do set up a "User template" so they get a customized dock, desktop, etc. which they then can goof up, but they can't get into much without admin access, so things rarely get so messed up. See why I can't answer that for you?

Another suggestion I was going to make is to not make them admin users, set up a process for getting software installed, and let them wait. If it's truly a problem, they'll complain to management, and you can explain the security problems with making them all local admins, refer them to numerous Best Practices documents on the subject, and suggest you could use another person or two in the IT department in order to do things the right way. You're not necessarily doing yourself any favors by obscuring the inadequately staffed IT department from those who hold the purse strings. It's a lesson I could have learned a long time ago. Now it's been many years of long days and management does not gain a proper appreciation for all the work that gets done.


Question has a verified solution.
