
iChatAV: Possible to disable AIM part, yet keep Rendezvous?
Posting Junkie
Join Date: Nov 2001
Location: Retired.
Oct 29, 2003, 09:18 AM
 
A school district wants to disable the AIM part of iChat so kids cannot use home AIM accounts at home (or school); however, they want the Rendezvous iChat account part to work...is this possible? If so, how?!?

Thanks.
     
Professional Poster
Join Date: Oct 1999
Location: :ИOITAↃO⅃
Oct 29, 2003, 10:59 AM
 
You could add a firewall rule:
sudo ipfw add deny all from any to 205.188.11.152

Make a StartupItem to have this rule executed on every startup, and it will work. At least until AIM's host IP changes... but I think iChat is using the IP address, and not a hostname, so it should be safe.
     
Posting Junkie
Join Date: Nov 2001
Location: Retired.
Oct 29, 2003, 11:05 AM
 
I'll give that a shot...

Thanks.
     
Posting Junkie
Join Date: Nov 2001
Location: Retired.
Oct 31, 2003, 02:27 PM
 
Originally posted by Mithras:
You could add a firewall rule:
sudo ipfw add deny all from any to 205.188.11.152

Make a StartupItem to have this rule executed on every startup, and it will work. At least until AIM's host IP changes... but I think iChat is using the IP address, and not a hostname, so it should be safe.
Well, that didn't work....

IPFW is the IP firewall that comes with OS X.

So, you are telling IPFW to "add" a new rule that denies all connections from any IP to the IP listed...while that might work as a temporary solution, I would not look at it long term.

I've also looked into some port blocking (5190); however, that doesn't work because AIM will jump ports by looking at a range...if it's unsuccessful, then it will use a commonly known good port (like FTP) to push the traffic through...arrrgghhhh...

Any more ideas?

Thanks.
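
Added example, not part of any post in this thread: a check that reads `ipfw list` output and reports whether a deny rule for the address quoted above is present and can take effect, since ipfw evaluates rules in ascending number order and stops at the first matching allow or deny. The rule listings are constructed samples, and the shadowing test is a simplified assumption described in the comments.

```shell
#!/bin/sh
# Added example (not from the thread): decide from `ipfw list` output whether
# a deny rule for one destination can take effect. ipfw walks rules in
# ascending number order and the first matching allow/deny ends the search.

BLOCKED_IP="205.188.11.152"    # address quoted in the thread

# Constructed rule listings in `ipfw list` format (not captured from a host).
ONLY_DEFAULT='65535 allow ip from any to any'
DENY_FIRST='00100 deny ip from any to 205.188.11.152
65535 allow ip from any to any'
DENY_SHADOWED='02000 allow ip from any to any via lo0
02040 allow tcp from any to any out
12290 deny ip from any to 205.188.11.152
65535 allow ip from any to any'

# deny_status RULES IP
# Prints "missing", "effective" or "shadowed:<rule number>".
# Simplification (assumption): only an earlier allow for ip or tcp, from any
# to any, with no option or just "out", counts as shadowing outbound TCP.
deny_status() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        $2 == "allow" && ($3 == "ip" || $3 == "tcp") &&
        $5 == "any" && $7 == "any" &&
        (NF == 7 || (NF == 8 && $8 == "out")) {
            if (!seen && shadow == "") shadow = $1
        }
        $2 == "deny" && ($3 == "ip" || $3 == "tcp") &&
        $5 == "any" && $7 == ip && !seen {
            seen = 1; by = shadow
        }
        END {
            if (!seen) print "missing"
            else if (by != "") print "shadowed:" by
            else print "effective"
        }'
}

# Report the status of each constructed listing.
for listing in "$ONLY_DEFAULT" "$DENY_FIRST" "$DENY_SHADOWED"; do
    deny_status "$listing" "$BLOCKED_IP"
done
```

On a machine that has ipfw, the same function can be fed live output with `deny_status "$(sudo ipfw list)" 205.188.11.152`.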
     
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
Oct 31, 2003, 04:12 PM
 
Originally posted by gorickey:
A school district wants to disable the AIM part of iChat so kids cannot use home AIM accounts at home (or school); however, they want the Rendezvous iChat account part to work...is this possible? If so, how?!?

Thanks.
Why would they not want the kids to be able to access their AIM accounts from HOME???

Not being able to access them from school is fine.
     
Mac Elite
Join Date: Feb 2001
Location: Vancouver, WA
Oct 31, 2003, 04:14 PM
 
There's a new feature in the CFPreferences/NSUserDefaults subsystem in 10.2 that's supposed to let administrators in a managed environment set certain preferences as being "forced"; that is, their value is set by the administrator and users can't change it. Unfortunately, I haven't seen any administrator documentation on how to do this... it might be buried in the Mac OS X Server docs somewhere.

Assuming one could find a way to enable these forced preferences, all you'd need to do for iChat is look up which keys and values have to do with AIM login using defaults read in the terminal. Then again, it's possible that iChat might not work properly with forced preferences -- for example, they could store the state of the "Enable AIM" option internally instead of always storing and retrieving it from NSUserDefaults, in which case forcing the preference would do nothing.
Rick Roe
icons.cx | weblog
     
Posting Junkie
Join Date: Nov 2001
Location: Retired.
Oct 31, 2003, 04:22 PM
 
Originally posted by Person Man:
Why would they not want the kids to be able to access their AIM accounts from HOME???

Not being able to access them from school is fine.
...simply because they (administration) promised parents that kids would not have internet/communication to the outside world at home. Parents want it this way.
     
Posting Junkie
Join Date: Nov 2001
Location: Retired.
Oct 31, 2003, 04:23 PM
 
Originally posted by Rickster:
There's a new feature in the CFPreferences/NSUserDefaults subsystem in 10.2 that's supposed to let administrators in a managed environment set certain preferences as being "forced"; that is, their value is set by the administrator and users can't change it. Unfortunately, I haven't seen any administrator documentation on how to do this... it might be buried in the Mac OS X Server docs somewhere.

Assuming one could find a way to enable these forced preferences, all you'd need to do for iChat is look up which keys and values have to do with AIM login using defaults read in the terminal. Then again, it's possible that iChat might not work properly with forced preferences -- for example, they could store the state of the "Enable AIM" option internally instead of always storing and retrieving it from NSUserDefaults, in which case forcing the preference would do nothing.
Interesting approach, I'll bury my head into this one a little deeper...

Thanks!
     
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
Oct 31, 2003, 04:26 PM
 
Originally posted by gorickey:
...simply because they (administration) promised parents that kids would not have internet/communication to the outside world at home. Parents want it this way.
And what of those parents who don't mind their kids having access to the internet?
     
Posting Junkie
Join Date: Nov 2001
Location: Retired.
Oct 31, 2003, 04:30 PM
 
Originally posted by Person Man:
And what of those parents who don't mind their kids having access to the internet?
Not an option, it's all or none....and in this case, they voted for none...
     
Mac Elite
Join Date: Feb 2003
Oct 31, 2003, 07:09 PM
 
If they can't use the AIM part, why register AIM accounts?
     
Professional Poster
Join Date: Oct 1999
Location: :ИOITAↃO⅃
Oct 31, 2003, 08:17 PM
 
The method I suggested should work indefinitely... as I said, the address of the AIM host appears to be fixed.

So preventing connections to that host is essentially exactly what you want, I think?
     
Addicted to MacNN
Join Date: Nov 1999
Location: Madison, WI
Oct 31, 2003, 08:54 PM
 
Hey, they could try and edit the .nib for iChat, and disable 2 the input fields, then copy that version of iChat to all the computers...

Kind of dirty, but it would get the job done.

-Owl
     
Posting Junkie
Join Date: Nov 2001
Location: Retired.
Oct 31, 2003, 09:25 PM
 
Originally posted by Busemann:
If they can't use the AIM part, why register AIM accounts?
Huh? They aren't registering AIM accounts at school, it's the ones they have created at home or elsewhere they are using...
     
Posting Junkie
Join Date: Nov 2001
Location: Retired.
Oct 31, 2003, 09:26 PM
 
Originally posted by Mithras:
The method I suggested should work indefinitely... as I said, the address of the AIM host appears to be fixed.

So preventing connections to that host is essentially exactly what you want, I think?
Indefinitely, until they change the IP host yes...
     
Posting Junkie
Join Date: Nov 2001
Location: Retired.
Status: Offline
Reply With Quote
Oct 31, 2003, 09:27 PM
 
Originally posted by OwlBoy:
Hey, they could try and edit the .nib for iChat, and disable 2 the input fields, then copy that version of iChat to all the computers...

Kind of dirty, but it would get the job done.

-Owl
That could get messy, that would involve "touching" all computers and we want to avoid that as much as possible...though, I like your thinking!

     
Professional Poster
Join Date: Oct 1999
Location: :ИOITAↃO⅃
Nov 1, 2003, 07:18 AM
 
Like I said, the IP address appears to be encoded into iChat, not a hostname. So the IP address should be stable for a long time. The IP address for www.apple.com has been the same for years, by the way.

If you want to prevent the use of AIM at school and home, you're going to have to 'touch' every computer.

Just at school, you could make a change at the school firewall. But at home, what else would you change but each laptop?

I like the nib-editing method, BTW. Though an update to iChat could overwrite your changes.
     
Posting Junkie
Join Date: Nov 2001
Location: Retired.
Nov 1, 2003, 09:18 AM
 
Originally posted by Mithras:
Though an update to iChat could overwrite your changes.
Yep, that's the downfall of that method for sure....
     
Mac Elite
Join Date: Jul 2002
Nov 1, 2003, 04:35 PM
 
While your request borders on the absurd, I wonder if you're asking the right question. iChat/AIM has nothing to do with internet access. To get internet at home they'd either have to have broadband or dialup. And I doubt you're installing dialup software on the machines. So what's the problem? They would have to use an existing broadband connection with a spare ethernet port just to get online.

In conclusion, blocking iChat/AIM is a bit of an overreaction.
     
Posting Junkie
Join Date: Nov 2001
Location: Retired.
Nov 1, 2003, 04:44 PM
 
Originally posted by Thinine:
While your request borders on the absurd, I wonder if you're asking the right question. iChat/AIM has nothing to do with internet access. To get internet at home they'd either have to have broadband or dialup. And I doubt you're installing dialup software on the machines. So what's the problem? They would have to use an existing broadband connection with a spare ethernet port just to get online.

In conclusion, blocking iChat/AIM is a bit of an overreaction.
Umm, I know what I am wanting and asking for....thanks; however, in response to your question...

We have blocked their internet access at home via a Web proxy; however, that only blocks the Web...if they tap into a DHCP router they could gain access to stuff like iChat from home. Are you with me? They can't even get into Network Preferences in order to set up anything on their own...
     
Professional Poster
Join Date: Oct 1999
Location: :ИOITAↃO⅃
Nov 1, 2003, 05:26 PM
 
Originally posted by gorickey:
Yep, that's the downfall of that method for sure....
But presumably you're managing the OS updates anyway, right? So you know when an update comes out, and could roll your own patch right on top of it...
     
Posting Junkie
Join Date: Nov 2001
Location: Retired.
Nov 1, 2003, 06:02 PM
 
Originally posted by Mithras:
But presumably you're managing the OS updates anyway, right? So you know when an update comes out, and could roll your own patch right on top of it...
True, very true!

Come to think of it, are there any "Rendezvous Chat" clients out there that only use Rendezvous? If so, I could simply use that client instead of iChatAV and avoid the other mess...
     
Mac Elite
Join Date: Jul 2002
Nov 1, 2003, 07:05 PM
 
Let me get this straight: the district gives laptops to kids and then prevents them from accessing the internet at home with them? That eliminates most of their functionality right there. I would hate to go to that school.

But in the spirit of being helpful, if the students can't reconfigure the network preferences, how are you expecting them to get access at home anyway? Can't you just manually assign IP numbers to each computer? And lock the preference so that the IP can't change? Then they could only get access while at school. Or could you make the iChat preferences unwritable by the student so they couldn't enter an AIM account? And the firewall should work, if you block the right ports.

And why aren't you asking the parents to monitor their cable modem to make sure their children are using it?
     
Posting Junkie
Join Date: Nov 2001
Location: Retired.
Nov 1, 2003, 07:15 PM
 
Originally posted by Thinine (his thoughts are in bold):

Let me get this straight: the district gives laptops to kids and then prevents them from accessing the internet at home with them? That eliminates most of their functionality right there. I would hate to go to that school.

Nope, the parents laid down that rule to the district and the district is only following through on their promise to the parents...

But in the spirit of being helpful, if the students can't reconfigure the network preferences, how are you expecting them to get access at home anyway?

DHCP, they need no configuration. They won't be able to surf the web though (due to the proxies)...literally, the only thing they can do really is use iChatAV...

Can't you just manually assign IP numbers to each computer? And lock the preference so that the IP can't change?

Nope.

Or could you make the iChat preferences unwritable by the student so they couldn't enter an AIM account? And the firewall should work, if you block the right ports.

I am leaning towards this idea actually...

And why aren't you asking the parents to monitor their cable modem to make sure their children are using it?

Haha, that would actually involve parenting...welcome to 2003! Won't happen.
     
Mac Elite
Join Date: Jul 2002
Nov 1, 2003, 07:56 PM
 
If you don't access anywhere but from school, why aren't you using manual IPs? That would solve most of your problems. And you could track usage at school down to the person.

Strangely, I just tried iChat and the firewall in Panther and while the firewall blocks Rendezvous, it doesn't block AIM by default. So you're going to have to figure out how to make the firewall block iChat or do something to its preferences.

Stupid parents.
     
Posting Junkie
Join Date: Nov 2001
Location: Retired.
Nov 1, 2003, 08:49 PM
 
Originally posted by Thinine:
If you don't access anywhere but from school, why aren't you using manual IPs? That would solve most of your problems. And you could track usage at school down to the person.
Managing 6,000+ (laptops) manual IPs isn't fun...DHCP fits our needs much better...and we can track usage via DHCP by their DHCP Client ID...
     
   
All times are GMT -5.