[Tennberg]

Hi everyone,

So our Mac user base is growing quite restless.

We recently moved them entirely to OS X (with no Classic) using an image-based method. It contains all the software they need and has been tested thoroughly.

One of the goals of the migration was to make these users non-admins to prevent unwanted software installation, unwanted removal of system or UNIX files, etc.

However, in the process, we have learned a couple things: Non-admin users cannot modify the date and time (if they travel to a different country). Non-admin users cannot modify energy settings for long road trips.

Granted these aren't deal-breakers. They can still use all their programs perfectly, and the OS is proving very stable.

However, they feel IT is treating them like children and that we don't trust them as admin users.

We in IT would like to avoid, at all costs, making them admin users (our PC users are just Power Users, not Administrators). Is there a hack available or a way to let them modify energy settings and the date/time setting?

Thanks in advance for any help.

[timmerk]

Just write a small app that changes those things and have the program authenticate itself first by storing the admin pass inside itself. This is easy to do with date/time, but I have no idea how to do it with energy settings.

[Moonray]

For some settings which can be done in the Terminal you could write shell scripts doing that task and set them suid root.

-

[Chuckit]

Why don't you just authenticate the non-admin user with your admin password? You don't have to be using the administrator in order to authenticate for something.

Oh, and embedding an unhashed password inside an application? You may as well just put a plaintext file at the root of the hard drive named "HERE'S MY PASSWORD IF YOU WANT IT."

[parsec_kadets]

You are treating them like children. If it's their every day or travel computer they should be able to install additional applications without needing your blessing. As for being afraid of people deleting UNIX files and such, I've never heard of an IT department that had a huge influx of people doing things like that. Windows has had the System folder for years now, and you don't hear about the droves of morons who delete Win32.dll on a daily basis. The better solution would be to encourage users to store all of their files in their home folder. If they never need to access root, then they are very unlikely to delete something from it by accident. Not to mention that all of the files that can really do damage if they're missing are owned by the system and not any user, even administrators.

[Brass]

Originally posted by parsec_kadets:
You are treating them like children. If it's their every day or travel computer they should be able to install additional applications without needing your blessing. As for being afraid of people deleting UNIX files and such, I've never heard of an IT department that had a huge influx of people doing things like that. Windows has had the System folder for years now, and you don't hear about the droves of morons who delete Win32.dll on a daily basis. The better solution would be to encourage users to store all of their files in their home folder. If they never need to access root, then they are very unlikely to delete something from it by accident. Not to mention that all of the files that can really do damage if they're missing are owned by the system and not any user, even administrators.

I agree. A user SHOULD have full access to their own computer. When the IT guys here install their crippled Windows stuff on the PC on my Desk, I pull out the Win2000 CD from my drawer the moment the walk out the door and do a clean install, giving myself exactly the setup that I want. After all it is a "Personal Computer" - they have no right to tell me what I can and can't do on my PERSONAL computer.

Sure it makes it more difficult for them to admin in SOME cases, but who is it that has to use this computer every day, them or me?

[RayX]

Originally posted by Brass:
I agree. A user SHOULD have full access to their own computer. When the IT guys here install their crippled Windows stuff on the PC on my Desk, I pull out the Win2000 CD from my drawer the moment the walk out the door and do a clean install, giving myself exactly the setup that I want. After all it is a "Personal Computer" - they have no right to tell me what I can and can't do on my PERSONAL computer.

Sure it makes it more difficult for them to admin in SOME cases, but who is it that has to use this computer every day, them or me?

No offence, but that is the stupidest thing I've ever heard. If you worked for any real organisation, you would be fired for breaching the I.T. Security policy.

You say personal computer like you own the thing, if that's the case, then this is a slightly different situation. But if you don't own the computer, they have every right to control it, and:

If you can do this and still have functioning system, it sounds like that organisation does not have a standard SOE (standard operating environment - a PC image basically). Meaning by reinstalling the system, you are removing any configuration, management agents, and standard software that may be critical for the operation of the computer in that environment. You would no longer be part of the domain, etc.

Full access to a Windows machine means full access for viruses and Trojans to run free. Windows machines in a corporate environment should be locked down, in regards to user rights. There is no need to be an administrator on a workstation in most cases (if you are just a user of applications). You should be able to use all the applications you need (which are pre-installed, or supplied by the IT department on demand) to do your job, and change any personal user settings, there is nothing else you should need.

The key point here is: If your supplied computer and working environment is preventing you from doing your job in some way, perhaps you should have a talk to management or the I.T. Department before compromising the security of the network.

[RayX]

Originally posted by parsec_kadets:
You are treating them like children. If it's their every day or travel computer they should be able to install additional applications without needing your blessing. As for being afraid of people deleting UNIX files and such, I've never heard of an IT department that had a huge influx of people doing things like that. Windows has had the System folder for years now, and you don't hear about the droves of morons who delete Win32.dll on a daily basis. The better solution would be to encourage users to store all of their files in their home folder. If they never need to access root, then they are very unlikely to delete something from it by accident. Not to mention that all of the files that can really do damage if they're missing are owned by the system and not any user, even administrators.

“You are treating them like children.” Sigh...

Again, if the organisation has no security policy or any other standard operating polices for I.T. equipment, then go nuts.

If the user needs to install applications because it is a job requirement, then fine. If not, then there is no reason to allow this.

Personally, I wouldn't want to receive a support call from some user in another country saying "I installed XYX application and now my computer doesn't work, fix it now!"

You should only need enough access to do the job. I guess yourself and Brass are the kind of people that would logon to a UNIX workstation (including OS X) using the Root account to check their e-mail and browse the web, because otherwise you would feel restricted? Give me a break.

Tennberg is trying to secure his environment as much as possible without blindly compromising the whole system by giving full access to everything on the system.

---

Tennberg: possibly investigate using 'sudo' to achieve this. Basically you can setup a list of commands that a user can execute as root (or another user), and nothing else. After that you would just need the appropriate scripts in place so the user only has to 'double-click' etc to make the changes, or use some other GUI to run them. Might be a better way, but quickly off the top of my head, that may be the right direction for you.

[superlarry]

Originally posted by RayX:
No offence, but that is the stupidest thing I've ever heard. If you worked for any real organisation, you would be fired for breaching the I.T. Security policy.

jeez, that seems a bit harsh. those can be good points, but i'm going to take a stab in the dark and say that brass knows what's up and isn't compromising anything. "real organisation"? most organizations can't afford or aren't interested in such strict policies, and the SOE is an alien idea in many places.
also, not everybody is lucky enough to have an understanding IT department that will see it from the perspective of the trying-to-be-productive user. the fact that brass had a problem in the first place tells me that the IT department in this case maybe wasn't up to snuff.
in the case that a restricted computer environment is getting in the way of the job and the IT department is unbudging, i'd recommend explaining matters to the boss. not that i've dealt with an IT department that will admit its subordinacy.. but the potential chewing out could at least be humbling.

[RayX]

Originally posted by Tennberg:

So our Mac user base is growing quite restless.

[snip]

However, they feel IT is treating them like children and that we don't trust them as admin users.

Another thing, don't keep your users in the dark as to why you are doing this, let them know that it is for security and management reasons. Maybe back it up with policies if required.

[RayX]

Originally posted by superlarry:
jeez, that seems a bit harsh. those can be good points, but i'm going to take a stab in the dark and say that brass knows what's up and isn't compromising anything. "real organisation"? most organizations can't afford or aren't interested in such strict policies, and the SOE is an alien idea in many places.
also, not everybody is lucky enough to have an understanding IT department that will see it from the perspective of the trying-to-be-productive user. the fact that brass had a problem in the first place tells me that the IT department in this case maybe wasn't up to snuff.
in the case that a restricted computer environment is getting in the way of the job and the IT department is unbudging, i'd recommend explaining matters to the boss. not that i've dealt with an IT department that will admit its subordinacy.. but the potential chewing out could at least be humbling.

Of course it's hard to know Brass's exact situation, I also took a stab in the dark with that one. By real organisation, I guess I meant an organisation that at least has *some* standards in place to do with I.T. What we have talked about is not *strict* at all. Not being able to change your desktop wallpaper for example, would be strict.

Policies don't exactly cost anything unless you need to bring people in, they're not that hard to write. Probably find some free templates on the web. I wouldn't say most organisations either.

Any environment that doesn't want a management disaster would have an SOE, or at least know what the standard config should be.

Anyway, as this is starting to get off topic now. I will try not to post further unless more related to the original question.

[Ov3rdraw]

I found something on another forum.

http://www.macosxhints.com/ is really useful for that kind of stuff!

Original post by SReubart on http://www.macfora.com/forums/index.php?showtopic=10271:

I was having a similar problem, and after experimenting all day, I think I have a solution.

I want my users to have access to only the "basic" System Preferences (i.e., the ones allowed when you UNcheck "Accounts/Capabilities/Open all System Preferences"). However, one of them also needs access to Displays and Speech. This is the one user who screws around with his system the most, and I do NOT want him to be able to access all of the System Prefs.

So here's what worked for me.

Log in as an admin. Go to System Preferences/Accounts. Select the user in question and uncheck the "Open all System Preferences" box.

Open NetInfo Manager and look at the user you just changed. There will be a property named "mcx_settings" with some XML code as its value. The trick is, this XML code is actually MANY lines long; you can only see the first line of it in NetInfo Manager. You need to select ALL of it to do the next step. Position the text entry cursor (blinking vertical bar) at the very beginning of the XML code, then click and drag down to select all of the text. Copy it to the clipboard.

Open BBEdit or other text editor and paste. The result should look something like the code below:

{
"authentication_authority" = ( ";basic;" );
"picture" = ( "/Library/User Pictures/Animals/Cat.tif" );
"mcx_settings" = ( "



mcx_application_data

com.apple.dock

Forced


mcx_data_timestamp
2003-06-17T17:11:35Z
mcx_preference_settings

contents-immutable





com.apple.systempreferences

Forced


mcx_data_timestamp
2003-06-17T17:11:35Z
mcx_preference_settings

EnabledPreferencePanes

com.apple.preference.desktoppictures
com.apple.preference.dock
com.apple.preference.general
com.apple.Localization
com.apple.preference.login
com.apple.preference.screensaver
com.apple.preference.universalaccess
com.apple.preference.mouse
com.apple.preference.keyboard
com.apple.preference.sound
com.apple.preference.myaccount

com.apple.preference.myaccount

ChangePassword








" );
"hint" = ( "" );
"uid" = ( "502" );
"_writers_passwd" = ( "staffuser" );
"realname" = ( "Staff User" );
"_writers_hint" = ( "staffuser" );
"gid" = ( "20" );
"shell" = ( "/bin/tcsh" );
"name" = ( "staffuser" );
"_shadow_passwd" = ( "" );
"_writers_tim_password" = ( "staffuser" );
"passwd" = ( "XXXXXXXXXXXXX" );
"_writers_picture" = ( "staffuser" );
"home" = ( "/Users/staffuser" );
"sharedDir" = ( "Public" );
}

Around the middle of this, look for the lines that look like:

com.apple.preference.screensaver
com.apple.preference.universalaccess
com.apple.preference.mouse

These are the preference panes that are enabled. So I just inserted a couple of lines between "universalaccess" and "mouse":

com.apple.preference.displays
com.apple.preference.speech

Then I copied EVERYTHING, pasted it back into the place it came from in NetInfo Manager, and saved the changes. Logged out and back in as the user, and voila! Displays and Speech were no longer grayed out, and everything else looked as it should.

Of course, be sure to make a backup copy of your NetInfo data before messing with this. I'm sure you can figure out how to do that if you don't already know.

Caveat: If you use Accounts/Capabilities to change anything about this user, it will go back to the default settings and you'll have to repeat this process.

Hope this helps! (I know it really came in handy for me.)

[Art Vandelay]

The MCX settings for the pref panes only sets what you can and can not see. It does not enable a non-admin user to make changes to pref panes that require an admin user.

[hashboy0519]

Brass you are why companies lock down systems to begin with. There is a reason there are stanardized Images in mid to large size companies. Asset managment and software compliance are major issues in companies and can be a major liability fiscally if not handeled properley. IT departments do install things such as SMS, ARD or Rsync etc.. in order to push out updates, and also have scripts that coincide with these in order to keep track of assets. You say end users should be able to install software, I agree if it is necessary for there job function. Software licensing is a big problem for most corparations, and can cost them quite a bit of money if all users just install anything they want and they do not have a license. If the company gets audited they can get slammed really badly with fines. So what is IT supposed to do? Let you install a pirated version of Photoshop or have you never pay for a peice of shareware you install and have the company be liable. For what, so you can feel all warm and fuzzy about your "WORK" computer, I think not.

[Brass]

Originally posted by RayX:
You should only need enough access to do the job. I guess yourself and Brass are the kind of people that would logon to a UNIX workstation (including OS X) using the Root account to check their e-mail and browse the web, because otherwise you would feel restricted? Give me a break.

Heheh... you're funny

I actually spend all my working day on a Unix machine (Solaris) and have to use the root user a lot as part of my job. However, I wouldn't use it unnecessarily for reading email, etc.

However, when the Window's admins feel they have to lock down my Windows PC so much that I cannot do basic things like install Oracle's JInitiator, etc (required for my job) I find it very annoying, and there's no way I'm going to call in the wintel admins to type their password every time I need to have additional privileges.

I understand that security policies and other configuration policies are there for a reason, however they should be made such that they do not interfere with the daily work flow of the users.

In my (according to you unreal) organisation, the Wintel policy is absolutely absurd. My machine is far faster than all of my colleagues and far more useable because I don't have all the extra baggage of the other users here. There is not a single person in this institution who doesn't moan when they get transferred to the new model, because it is that bad!

And NO, the wintel admin group do not listen to reasonable arguments to do things differently.

By the way, I'm not trying to suggest that every windows user in the company should be permitted to do what I do (I have the wintel admin's blessing). However, for OS X, allowing admin privileges is not quite as bad as on Windows - it's nowhere near as easy to break OS X ACCIDENTALLY as it is to break Windows ACCIDENTALLY, as the admin user.

[Brass]

Originally posted by hashboy0519:
Brass you are why companies lock down systems to begin with. There is a reason there are stanardized Images in mid to large size companies. Asset managment and software compliance are major issues in companies and can be a major liability fiscally if not handeled properley. IT departments do install things such as SMS, ARD or Rsync etc.. in order to push out updates, and also have scripts that coincide with these in order to keep track of assets. You say end users should be able to install software, I agree if it is necessary for there job function. Software licensing is a big problem for most corparations, and can cost them quite a bit of money if all users just install anything they want and they do not have a license. If the company gets audited they can get slammed really badly with fines. So what is IT supposed to do? Let you install a pirated version of Photoshop or have you never pay for a peice of shareware you install and have the company be liable. For what, so you can feel all warm and fuzzy about your "WORK" computer, I think not.

heheh... feeling warm and fuzzy ? good one

Although feeling warm and fuzzy about a Wintel computer is a good joke, it's not what I wish to achieve. I just want to be able to do my work efficiently. If I have to call the Wintel helpdesk every time an administrator password is required, it would drive me nuts! An would greatly inhibit my work (on the occasions when I have to use the Wintel).

I agree that standardised images are a useful tools to control security and licensing, however when those images are unnecessarily restrictive, they are terribly counter productive.

The Wintel admins here refuse to compromise by providing a suitable image, so I wipe their image of my HD completely, and re-install Windows the way that actually benefits my work. (Using the CD that came with the computer).

Only bugger is, that I always forget to download all the drivers (ethernet, audio, display) before I start, and then it's a major hassle afterwards.

[Brass]

Originally posted by RayX:
You say personal computer like you own the thing, if that's the case, then this is a slightly different situation. But if you don't own the computer, they have every right to control it

Oh dear... missunderstood again.

No I don't think I own the computer, any more than I own the desk it sits on. However, PC still stands for "Personal Computer" for good reason, in many cases. In my case, I'm the only person who sits at this desk, and I'm the only person who ever uses the PC. Makes it a rather personal computer, I think.

For that reason I think that as the only user, I should be able to configure the machine however I like (within REASONABLE restrictions of the actual owners of the machine). However, the owner's standard disk image applies what I believe are very unreasonable restrictions.

If they applied similar restrictions to my desk, I would have to ask them permission every time I wanted replace the ball point pen in the top drawer. Or listen to my own music while sitting there.

Not gonna happen.

They may own my workspace, but it's still MY workspace.

[hashboy0519]

Originally posted by Brass:
heheh... feeling warm and fuzzy ? good one

Although feeling warm and fuzzy about a Wintel computer is a good joke, it's not what I wish to achieve. I just want to be able to do my work efficiently. If I have to call the Wintel helpdesk every time an administrator password is required, it would drive me nuts! An would greatly inhibit my work (on the occasions when I have to use the Wintel).

I agree that standardised images are a useful tools to control security and licensing, however when those images are unnecessarily restrictive, they are terribly counter productive.

The Wintel admins here refuse to compromise by providing a suitable image, so I wipe their image of my HD completely, and re-install Windows the way that actually benefits my work. (Using the CD that came with the computer).

Only bugger is, that I always forget to download all the drivers (ethernet, audio, display) before I start, and then it's a major hassle afterwards.

I agree that most companies do have restrictive policies. What we do at my company is allow users to apply for Admin access, but our service level agreement is voided ie we don't have to be there within an hour to fix the problem. I develop the Mac OS X image for about 4000 systems worldwide, my tact is a 80/20 rule, 80 percent of users won't need admin access. As a rule all users that are either laptop/home users or developers/testers get admin access. All I do is restrict certain unix underpinnings for the admin group, and disable some system preferences I don't want them to have access(through a little bit hacking lol) such as filesharing so they cannot change there system name for example. The admins can install software, but we keep track of this on a daily basis through some fun unixy stuff I cannot discuss. So there is a middle ground that can be achieved as long as IT is customer driven, we are there to make life easier for the most part, but IT does have to take other issues into account as well.

[Brass]

Originally posted by hashboy0519:
I agree that most companies do have restrictive policies. What we do at my company is allow users to apply for Admin access, but our service level agreement is voided ie we don't have to be there within an hour to fix the problem. I develop the Mac OS X image for about 4000 systems worldwide, my tact is a 80/20 rule, 80 percent of users won't need admin access. As a rule all users that are either laptop/home users or developers/testers get admin access. All I do is restrict certain unix underpinnings for the admin group, and disable some system preferences I don't want them to have access(through a little bit hacking lol) such as filesharing so they cannot change there system name for example. The admins can install software, but we keep track of this on a daily basis through some fun unixy stuff I cannot discuss. So there is a middle ground that can be achieved as long as IT is customer driven, we are there to make life easier for the most part, but IT does have to take other issues into account as well.

Now THAT sounds like an excellent solution. I'm sure that the Wintel admins wouldn't support me if I asked for their help, but then again, if I wanted their help, I wouldn't have installed windows myself.

And this should apply to all systems.

It's good to hear of a customer driven policy like yours. Unfortunately, too many (such as here) make policies purely to make their own work easier, forgetting that the computers were not purchased to make their life easy, but were purchased to enable the users to get their work done more effiently.

Sounds like you've got a great compromise there.

Most of my OS X clients get admin access, but only if I think they need it. In most cases, most of them do need it, and I've never had a single problem caused by then doing something that they couldn't have done without admin privileges. Not one. However, that is very much dependant on your client base. in this case the clients all own their own computers and want the best for their business, themselves and the computers.

[RayX]

Originally posted by hashboy0519:
I agree that most companies do have restrictive policies. What we do at my company is allow users to apply for Admin access, but our service level agreement is voided ie we don't have to be there within an hour to fix the problem. I develop the Mac OS X image for about 4000 systems worldwide, my tact is a 80/20 rule, 80 percent of users won't need admin access. As a rule all users that are either laptop/home users or developers/testers get admin access. All I do is restrict certain unix underpinnings for the admin group, and disable some system preferences I don't want them to have access(through a little bit hacking lol) such as filesharing so they cannot change there system name for example. The admins can install software, but we keep track of this on a daily basis through some fun unixy stuff I cannot discuss. So there is a middle ground that can be achieved as long as IT is customer driven, we are there to make life easier for the most part, but IT does have to take other issues into account as well.

This is basically what happens at the organization I work for. There are a handful of users (mostly graphics/web design people) that we have given local administrator rights to on their PC. They do things like installing fonts, plugins, and are happy to handle upgrades to their software (flash, photoshop etc) and also playing with video hardware etc, so they need to be able to install drivers for that stuff. They still use the same image as everyone else, but with local administrator rights.

Our users are free to personalize any settings in their profile. The image basically just contains the necessary agents for Antivirus, remote management, patching, etc. Everything else such as configuration policy, software, etc is controlled and deployed centrally from the network.

I can't say that anything we do at the organization I work for gets in the way of the users. They seem to be quite happy with the current setup, it allows them to work with the applications they need, is secure, and as stable as Windows/Office can be. ;-)

We also make available certain application packages that users may wish to install if they need it. These applications are deployed using packaging technology and they install with elevated rights (using Microsoft's Windows Installer/MSI stuff). The Applications are published to the 'Add New Programs' component of Add/Remove Programs. Any other larger applications that are not critical, but a user may need, they just need to let us know, we add them to the group, and they receive the application on their PC. Application packaging/installation on Windows is a bit of a joke, but Windows Installer/MSI works reasonably well.

Laptop/Home users (work provided equipment), can generally be less restricted as there can be issues when locking these systems down. Eg, they call from some other country with a problem, the fix may need admin rights. Just need to be sure to step up the AntiVirus, patching, and other security measures on these systems etc (argh, I'd love to have an OS X client base!). It depends on your environment and what could go wrong - need to work out the best way to keep it under control.


It's unfortunate that there can be IT departments like Brass has to deal with. They really need to polish there SOE and administration/management skills.

[RayX]

Originally posted by Brass:
Heheh... you're funny
I actually spend all my working day on a Unix machine (Solaris) and have to use the root user a lot as part of my job. However, I wouldn't use it unnecessarily for reading email, etc.

I don't know what your job involves, but would 'sudo' be an option here? I use it on a couple of systems to virtually elimate the use of the root account.

[RayX]

Few ideas here:

http://www.macosxhints.com/article.p...30729113134293

[Brass]

Originally posted by RayX:
I don't know what your job involves, but would 'sudo' be an option here? I use it on a couple of systems to virtually elimate the use of the root account.

I'm a systems administrator (unix-only, thankfully - windows is handled by a separate group).

I usually use "sudo" in preference to "su -" on Mac OS X, but at work when the majority of commands I use involve root (or some other privileged) access, sudo would be very cumbersome. In fact, sudo isn't even installed with Solaris (at least not that I've noticed).