Mac OS in a Lab

jmu1 wishes to get to the core of the following issue: "I run a medium sized lab of Mac OS 8.6/9.x machines. They all have (shudder) FoolProof as an attempt of keeping the systems usable. Unfortunatly, it is quite easy to bypass the software, or even to remove it using AppleScript, etc. What I want to know is, what is a usable solution for securing a lab of Macs?"

OS X

[voisine]

install OS X?

Re:OS X

[questionlp]

The only problem there could be the fact that the machines are too old or have odd hardware that are unable to run Mac OS X. If the machines are the pizza box style PowerPC Macs or ones that are non-PCI based, then Mac OS 8.x/9.x might be the only Mac OS that will run on the machine.

Re:OS X

[jmu1]

Actually, the reason we still aren't running OS X(for which I already have a good secure setup) is that we don't have any way to make an image for it. I've tried using DiskCopy and ASR, but DC crashes... it's too big. I'm installing well over 6GB of programs etc...

Re:OS X

[questionlp]

Have you looked into standalone devices that can copy the data from one drive to another at the bit level? It may be expensive, but depending on the scale of the project, how many man hours it would take to find a working solution, and implementing it... you could end up justifying the price of such a device.

I'm not sure how well it would work... but it's probably an option for you.

Re:OS X

[jmu1]

I think that it would be best to either try assimilator as others have suggested... that is if the OS X request doesn't go through.

Re:OS X

[MyNameIsFred]

Look on VersionTracker for Carbon Copy Cloner, it great for copying MacOS X installations. Its simple and effective.

Re:OS X

[artfulbodger]

Carbon Copy Cloner is pretty good for getting OS X onto a machine initially, but would be a pain for regular maintenance. I actually use ASR for initial install (macosxlabs.org talks about it here [macosxlabs.org]).

I use radmind [radmind.org] for regular maintenance of the machines in the the labs I run. It's a powerful unixy tool, a little tricky to get the hang of but it's well worth the effort.

Re:OS X

[webToy]

Have you tried Carbon Copy Cloner? Worked really well for me w/ over 20GB. Of course you would need a firewire drive to image the machines....

Re:OS X

[jmu1]

We don't have any FW drives :( I do know that we can hook them up machine to machine to do it, but that's sort of out of the question. I have looked at mike's site... He's a good guy and has helped me in the past. As a matter of fact, he is the guy that got me hip to using DC and ASR! Before, the lab manager who had been there had been just copying the contents of the harddisk to a folder... that doesn't really work very well. Settings for programs, icons, etc. don't translate.

Re:OS X

[dtfarmer]

We don't have any FW drives :(

well, in the $150-$300 solution range, I think getting a FW drive would be a very good option...

Re:OS X

[EddydaSquige]

Apple provides the software to do this with OSX Server. You might however, try carbon copy cloner as others have suggested

Re:OS X

[JHromadka]

Try Carbon Copy Cloner [versiontracker.com]. I used it when I replaced the hard drive on my PowerBook and everything was exactly how it was.

Re:OS X

[Spyritus]

Use 2 partitions.

Install Mac OS X and all your programs on one. Then install Mac OS X on the other, boot from it and use its version of Disk Copy to make a image from device of the other partition.

The default Mac OS 9.2 version of Disk Copy can't handle images more then 2GB in size, the Mac OS X version of disk copy does not have this limitation.

Exactly.

[BoomerSooner]

I run os 9 on a PowerPC 8500 180 w/100MB Ram and a 2GB SCSI disk and it's lighting fast. On my PowerPC G3-333MHz 10.2 is slower than crap. Hell OS X 10.1.5 isn't fast on my G4 733, I've yet to upgrade to 10.2 even though the disks are setting there! It works and that is all I really need.

To answer his question all you need is all the lab macs facing the same direction and have some huge woman wrestler stand at the back of the room with her arms crossed and an angry look on her face. Women don't screw around generally in computer labs, and the boys that do don't want their ass kicked by a big burly woman.

Problem solved, now where is that Patent form...

Re:OS X

[DavidRavenMoon]

Why not run everything off a Mac OS X Server box? NetBoot all the other Macs. This way all the client Macs can't change anything on the server.

And also you only have to install the applications once.

I've worked at a few places that did this, and also some that used FoolProof... God I hate that program!

Upgrade to OS X? (nt)

[nosferatu-man]

'jfb

How Secure?

[Dawang]

The question is how secure do you want your system to be?

Foolproof can actually lock a Mac down pretty tightly, and using their Disk Locking you can deter most Malicious Beings from messing around.

Of course, you reduce the flexibility of your system. The less options you turn on in Foolproof, the easier it is to defeat.

What do the users of your system need to accomplish on these machines? How Evil are they? I've also tried PowerOn's [poweronsoftware.com] On Guard, but didn't like it as much.

Re:How Secure?

[jmu1]

I'd like for students to not feel inhibited in their activities... but then again, I put a whole lot of work into getting the machines into the state they are in. I tend to not like having to re-image them every morning.

Inhibit away...

[lsommerer]

I administer a high school mac lab with Foolproof, and I don't see anything wrong with locking them up fairly tight.

They have access to all the tools they need for classes and research, but most other things are locked. And everything that could make life miserable for the next person to use that machine is locked. Storage is available for each student on the server.

We occationally do games after school, and I unlock those programs at that time.

I inherited the FoolProof solution, and can't say anything about it's overall security, but we haven't had any troubles with it. I do think it's important to recruite any students that are showing enough interest in doing things that make your life tougher (might as well just put them to work).

It's also important for the students to know what type of things will get their computer access terminated.

Re:Inhibit away...

[Tuzanor]

I'm not sure about the Mac version of foolproof, but the Windows version SUCKS (or at least sucked, its been 3 years since i graduated from HS).

Firstly, it was way to easy to get around. Just boot off a DOS floppy and move foolproofs exexutable. Oops, "cannont find foolp.exe" (or whatever it was called). Secondly, it had this REALLY annoying bug, where you could move the taskbar out of the way, but you could not bring it back up, needless to say, the punk kids had a ball with this one...

NetBoot

[SandSpider]

I would start with NetBoot. You can use the Macintosh Manager of OS X server (or later versions of ASIP, I believe), and set up a default image of OS 9. Then, anything they may do to the computers is wiped away at the next reboot.

=Brian

Re:NetBoot

[jmu1]

We are trying to get a copy of OS X 10.2 Server. We have a copy of OS X Server 1.2 but it doesn't seem to like me messing with it much, and as per usual, I can't find any documentation for that software... anywhere. There is no telling if we will actually get the funding at this point, hince the story submission.

Re:NetBoot

[SandSpider]

The documentation should all be on Apple's Site.

Let's see...The OS X Server Admin Guide [apple.com] is a very long document that should tell you anything you need to know about setting up the server. All of the rest of the information is at Apple's OS X Server Site [apple.com].

Net boot shouldn't need Jaguar Server. If you can get, or have, a copy of a later AppleShare server software, then you should be able to use the Macintosh Manager on that.

=Brian

Re:NetBoot

[jmu1]

I really did try using the documentation but it wasn't of any use to me at all. I couldn't find out how to create a new image to use with it, nor how to specify what image to use, nor how to control it. It really was a pain. The OS X Server version I have is really really old. I still don't know why they even shipped it. I've had to reinstall it several times because it would just lock up... not doing anything with it... it'd just lock up. As far as MM goes, I really couldn't find any useful docs on it. It seems the more I read Apple documentation, the more it seems that Apple documentaion is another form of marketing. At every turn it seems that instead of describing the steps to get something done, they are telling you all the great things that the software can do. I've spent countless hours and bottles of carbonated caffine trying to get some useable stuff out of those docs(and their Carbon docs... trying to write for OS 9 and X is not nearly as easy as they make it sound). I'm just at my wit's end.

Re:NetBoot - useful info

[Anonymous Coward]

I found this link [utah.edu] to be far better than any of the casual pdfs documention apple offers for netbooting w/o shelling out atleast $500 for 10.2 Server.

Also there is a link to how to implement it under linux (read free, as in ninja-bonghits when I'm packing) which 100% works with OS9 clients if you read the explaination of how things work and try to implement it on your own.

Re:NetBoot

[Spyritus]

Mac OS X Server 1/1.2 had net boot in it and it would boot computers to Mac OS 9.x.

The secret to using Mac OS X Server is to do NOTHING on the computer, bu to do it all externally through the admin software and privileged users (though I'll admit the Web Based Macintosh Manager/Net info admin of server 1.2 sucked).

To update the images you needed to make and new copy of them, mount the copy on another computer with read-write access, modify them as desired, change the images to read only and then replace the Net Boot disk with the copies, on the next boot computers started using the new images.

As for help with Mac OS X Server, best is through the Apple Mailing Lists at http://lists.apple.com/ [apple.com]. There are mailing lists here for Mac OS X Server, Macintosh manager and also Net Boot.

seal the doors

[vipw]

Seal the doors and any windows and then fill the room with concrete from a heating vent in the ceiling.

Re:seal the doors

[vipw]

I just had another thought. I suppose you could upgrade the systems to OS X instead.

Assimilator

[Dephex Twin]

I would definitely go with something that returns the system to a default state on reboot as opposed to locking down the whole thing. In our Mac lab at my school, we used Assimilator. You can actually use the desktop and download a little program or two if you want, and on reboot, the system syncs back to a default state. Works great.

Let Them Go Crazy

[potuncle]

For each diffrent configuration, make a copy of the Applications and System Folder (you could burn them onto a CD).

Let the kids do whatever they want. When a system becomes unusable delete the existing Applications and/or System Folder and copy a fresh one from you backup copy.

You can just copy the folders or use Disk Copy or Stuffit to create single files out of the folders. I have know users that have had great sucess using Disk Copy and System Restore to restore custom configurations.

This is one of the many reasons I love Mac's. I can restore an OS 9.2 or newer computer to a default configuration as fast as I can copy files off a CD or over the network.

Netboot

[SandSpider]

Okay, let's try that again, this time with more information.

Netboot [apple.com] is some nice technology from Apple. It allows you to set up a default system on some server, then have the computers on your network boot from that server. When the computer reboots, it reloads the system from the image on the server, rather than from something on the hard disk. It is very difficult for a user to change the information on the server. It's not impossible, but we all know that undefeatable security doesn't exist.

But NetBoot was made for exactly this sort of situation, so it's definitely worth checking out.

=Brian

revrdist/Assimilator

[mbrubeck]

My school used Assimilator [stairways.com] to manage its Mac labs. This is a commercial program by Peter N. Lewis of Anarchie fame. It works by synchronizing all lab computers to a disk image stored on a server. I like this because it leaves the computer fully functional -- users can download or run whatever they want while they're using the computer, and at the end of the day (or end of week, or whenever the admin feels like it), the disk is restored to a pristine image. It doesn't provide the same level of restrictions as FoolProof, but I consider that a good thing.

revrdist [purdue.edu] is a free (public domain) program with the same basic function. Its setup is a bit more involved and it doesn't have all of Assimilator's features, but it's a well-tested program that definitely works. Use it if you can handle the extra administration and prefer a free solution. The reverdist home page also has links to other Mac administration programs.

Re:revrdist/Assimilator

[jmu1]

Thanks for the links... I'll be checking those out in the AM tomorrow. There isn't a way to just copy the program off the pc and reboot is there? That is the whole problem we have with FoolProof...asside from having to be so damn restrictive on users.

Re:revrdist/Assimilator

[extra88]

Here's how you use Assimilator. Set up your perfect machine and upload it to your file server. Create an Assimlator client app (the Admin app creates it for you) which is set to pull the files from the shared "perfect image." Try running it on one client and see what breaks. If there are files which need to be unique on each machine, Assimilator uses special filename suffixes on the perfect image to identify them (a character like a diamond followed by the client's AppleTalk name). Assimilator also uses label colors to identify how different files/folders should be treated, the two most useful being the "always erase" and "never erase." If you have different models of Macs, there may be some extensions you don't want to download to all machines.

We use a cron program to automatically run Assimilator at night plus an Empty Trash program which does what it says.

You don't have to put the perfect image on a a file server, it can be on any mountable volume. I've thought of making self-assimilating machines which would have a disk image containing the perfect image. The only time there would be network traffic generated is when lab staff had to replace the disk image file. However that makes the software deployment aspect less convenient.

We hope to switch to OS X in the lab this Spring but haven't really done much preparatory work yet. We'll probably use RsyncX, Mac Manager, and the built-in restrictions to keep those machines in shape.

Re:revrdist/Assimilator

[jhealy1024]

Amen to revdist. I administered the mac labs at my college in the pre-osx days, and I used revrdist to do so (about 60 machines). We looked into netbooting, but there's a fair amount of net traffic for that, so the net guys said no. revrdist is also a lot of traffic, but only during disting. If you set the boxes to boot early in the morning, the dist happens when nobody's around and the network isn't clogged.

It is tricky to set up (uses a weird flag-based config file), but once you've got it tweaked right, administration is a breeze. Just burn a CD with a bootable system folder and revrdist on it and you can boot a hosed machine off the cd, copy the sys folder over, reboot, and the machine will fix itself.

We looked into using a "lockdown" program to prevent abuse of the machines, but decided that people who want to get around it will. revrdist helps lower the blood pressure by ensuring that fixing any software problem takes 5 minutes of your time, at most. You stop caring if people hose the machines because it takes much longer for them to wreck 'em than it does for you to fix 'em.

As a bonus, installing new apps on the machines is easy -- just update the server, set the macs to reboot every morning at 4am (energy saver control panel), and you're good to go!

Re:revrdist/Assimilator

[wirelessbuzzers]

This may be a biased comment, but the only setups of revrdist that I have seen have not been worth jack. This is probably just due to incompetant systems administrators, but the systems seemed to be easily cracked and revrdist easily disabled. If you do use it, set it up carefully. I am not an admin and don't know the options, just that if not set up right, it sucks.

MacPrefect

[Alan Partridge]

our graphic design and imaging tech labs were locked down with MacPrefect. Frustratingly, it DID seem to work...

Re:MacPrefect

[coolgeek]

MacAdministrator [hi-resolution.com]is the network-aware product from the same company as MacPrefect, Hi Resolution Systems [hi-resolution.com].

My buddy and I run a network composed in part of around 100-110 Macs in a High School environment. We've had fairly good success with MacAdministrator, although using "Target Disk Mode" is a way to defeat it with a firewire cable and a handy student-supplied notebook. I assume the same applies to MacPrefect. Nonetheless, it keeps the kids from making stupid mistakes that would otherwise cost big support time.

It also has some neato features that log you in automagically to servers and puts an alias to a home folder on the user's desktop. You can also deploy software remotely, although we prefer Retrospect for workstation production. We use remote deployment when appropriate.

The guys at Hi Resolution are top-notch, IMO, and always provide sensible answers. The documentation leaves a lot to be desired because while every module is extensively and exhaustively documented, there are no solution-oriented/howto guides. Their tech support fills that gap pretty well.

High School students

[mclaren_1010]

I used to be the admin in my high school mac lab. Since I was the only one fimiliar with macs I got the job. I decided to stay with FoolProof because it was simple, we had good support if anything went wrong, and nothing did for 2 years. Another reason why we kept FP was because I knew that the students in the class dont know enough to hurt the system. As for external problems I set up a rather decent firewall on a linux box. What are you worried about that you think FP cant handle?

Re:High School students

[muon1183]

Heh, They used foolproof in the labs at my high school. Of course, one of the things the labs were used for was programming classes, so they had to allow programs you wrote to be able to run. So, method 1 of killing foolproof was to write a program to take it out (it took us about a week to figure out how to do this, but it didn't always work, and invariably, our instructor would just restore from image, not that we ever did any damage, just unloaded foolproof). Method 2 was, one day, somebody fell asleep on the keyboard, and accidentally disabled foolproof, so we figured out what he did (it was a short keystroke combination). Method 3 was, once somebody temporarily disabled foolproof, somebody else installed a keystroke logger and got the instructors password for foolproof. Of course, there was always the method of just overwriting the kernel, but that killed the computer, so we only did that to computers that were to be destroyed already (that was tons of fun, on the last day it would be around, one of us (me, since I knew how to do it), would overwrite the kernel), computers are all sorts of fun without kernels, and they do all sorts of funky stuff). So don't underestimate your students, they will figure out how to get around the minimal foolproof security.

you sure about that?

[Stenpas]

Easy to bypass foolproof? No offense sir, but if you can't set up foolproof correctly, then you should not be admining that lab.

For those who have never used it, it's a cheesy-looking program, but it's a great solution for computers that run MacOS 9 and below. You can set it so you can't get info, move files, and there is a list of allowed/disallowed programs. Bypassing by holding down shift at startup won't work, etc.

There's a whole lot of other stuff it can do. All in all, when set up correctly, there is one way to bypass it, and one way to mess up a system, which I will not go into detail about. Our setup apparently works well, because I haven't seen any students bypass it.

Seriously, anyone who's used it knows that you just click on a bunch of check boxes and maybe disallow a few programs. Changing the default password is a good idea also. This is not a difficult thing to do.

Sten

Re:you sure about that?

[jeffehobbs]

Sten is exactly right... as far as ways to lock down OS 8/9 go, Foolproof is pretty darn good. I'd look over the manual again, as there's plenty of ways to lock down a system using it.

~jeff

Re:you sure about that?

[sonicsft]

The problem is that by the time you're done locking down the system to the point where it can't be bypassed easily the system is so crippled that students don't want to use it. But if you want to lock the system down so that the users can only use 1 set program then FoolProof is probably the easiest to set up. I prefer however the NetBoot method becuase it gives people more freedom, if students feel hindered by the computers lack of functionality they're more likely to be turned off of learning. If a student has full access they feel slightly responsible for the system, especially if they have to use that computer everyday. I successfully helped run a low-budget mac lab, with no spiffy netboot servers, and no security software. The only thing we ran was Net Assistant to lock screens for lecture times. If a machine got messed up we'd load up the fresh system image we created at the beginning of the year with all of our apps working, and re imaged the machine. The only thing you might want to do is find a way to disable internet services. We had the problem of kids going on line in the middle of lectures/work time when the screens were unlocked and loading sites with embeded midi at full volume.

-sonic

What did they need to do?

[lsommerer]

I run a lab using FoolProof, and I'm wondering what types of things you wanted students to be able to do that they couldn't do?

I'm probably missing something, but I can't see what people want to let students do that they aren't able to do. Lots of phrases like "crippled" and "lack of functionality" are floating around without alot of definition.

Re:What did they need to do?

[lsommerer]

Accurate, but it doesn't shed any light on this particular question.

Re:you sure about that?

[zaren]

If configured properly, FoolProof was almost impossible to beat. You couldn't move stuff around on the drive, you couldn't boot off of external media, you couldn't bypass the extension with the shift key, you couldn't even write to the drive without permission, and yet students were still able to launch apps, save to external media, even run Internet apps without problems. I had several labs configured with FoolProof, and never had any complaints about the machines being hacked, or about the students being unable to use the machines.

One of the most important things to remember about configuring FoolProof is to NOT allow the execution of applications on remote volumes. That way, you couldn't use an external AppleScript, or a remote application, or (my favorite) an installer on a floppy that overwrote the FoolProof files with a copy that had a password that *you* knew (which I acquired from a machine that hadn't been locked down properly).

I would highly recommend taking another look at the manual and playing with the software some more before dismissing it.

Re:you sure about that?

[extra88]

A lab I visited on occasion didn't disallow the execution of apps on remote volumes which is how I was able to run the programs of my choice, simply by puttin copies of them on an AppleTalk share with the Type and Creator codes changed to match Notepads (FoolProof uses Type/Creator codes to identify what can or cannot be run).

not all that hard

[bill_mcgonigle]

I once worked in a place where they got rid of a bad employee who had installed foolproof on a production machine (without permission). After he left, they asked me to get into the machine. Tried a few basic things inside foolproof, which didn't work. So, I grabbed my tools drive, hooked it up to the SCSI port and forced an external boot. Did a little HDT fiddling, and the system was back. It could have been done with one of those System 7.5/HDSC Setup floppies too.

You sort of have to know how macs use hard drives, but beyond that, if the user has physical access to the boot drive there's not much you can do.

The Netboot suggestion is a good one.

FoolProof had some vulnerabilities.

[Andy Dodd]

FoolProof's developers trapped the API at a point where it would interfere with MOST applications.

In fact, in the cases of applications where FP was defeatable, only certain parts of that application might bypass FoolProof.

Specifically, back in high school about 6 years ago, I took a BASIC course (easy A :). They used some wacko dialect of Basic called TrueBasic.

Well, FP worked to block file access for TB's normal file open/close functions. (Specifically, the editor open/close)

But anything that you compiled would access files like FoolProof wasn't there.

3 lines of code replaced the FoolProof program with a 0-byte text file.

Ah the Memories

[Anonymous Coward]

I remember in middle school writting an apple script which dumped fool proof off of all of the machines in any apple talk zone, and then copied Bolo to replace it. It drived my teacher insane. Sometimes she would turn her back and find the entire classroom playing multiple 16 player tourneys.

I also remember fool proof didn't recognize ftp access to a system. I could access files quite easily through that.

Oh don't even ask what I did with ResEdit.

Re:Ah the Memories

[MalleusEBHC]

It drived my teacher insane.

If that was your English teacher, I doubt that's the only thing that drove her crazy.

Proof that the poster is Ralph Wiggum

[Lovejoy]

Look Lisa: I learnded!

Me fail English? That's unpossible!

Re:OnGuard

[DiscoOnTheSide]

I work for the computing department of Rutgers University. We secure our macs with assimilator, and we dont have many "misuse" issues. This is with G4 450Mhz towers and 700Mhz eMacs but I hear the system has been used for a while so I imagine your results would be similar

Re:OnGuard

[colforbin]

I worked as a tech at my High School for a couple of years after college, and we used OnGuard there to lock down all the Macs. It worked very nicely, was very easy to configure for different labs to have different priveledges, etc. I would recommend it in a heart beat.

Really can't do it.

[gerardrj]

Older Macs don't have the OpenFirmware ROMs, and so don't have the ability to lock out alternate boot devices, I recall they also can't boot to the network. You don't mention what type of protection level you are trying to achive, or the repricutions of a security failure, I can't really get a handle on that from the responses either. Is this just a lab on campus where you want to keep games and P2P apps off the systems, or is this a research lab where a breach could cause panic or lost money or saftey concernes?

Unless you remove or disable the floppy, CD-ROM drive, and external SCSI connector you have little chance of truely securing a Mac lab. There will always be some way for a malcontent to get control, rather easily in fact.

I recall some stuff like DiskVault, I think, that would alter the directory layout or something so that unless you booted to the drive that was protected, you couldn't use the protected volumes. Of course, installing the software on a bootable CDR would get you around this, as would booting to an external drive that the hacker controlled and had installed the software on.

Personally, I have never encountered a disk/system lockdown utility on older Macs that I couldn't bypass with an alternate boot disk and, at most, a few hours of tinkering. The most you could ask for is that wandering lab monitors might find people hacking the thing before it goes too far. Anectodally, at one place I worked they installed GraceLAN to keep track of app lauches, prevent software installs, force LAN-wide software installs, etc. I used ResEdit and a disk editor on a floppy to locate the admin password. I then installed the admin program on my own system and force installed the old "Energizer Bunny" init on all 120 systems in the office. Of course I renamed it to something like "Apple SoundManager Tuner". THAT was a blast!

If it's just simple protection to keep the honest people honest: use SimpleFinder or AtEase that each limit what users can do. For all its problems, AtEast is a nice little application/Finder replacement for labs. It allows you to create a tab for each type of application, or on a per-course basis.

Re:Really can't do it.

[b1t r0t]

Older Macs don't have the OpenFirmware ROMs

Actually, all PCI Macs have OpenFirmware. You just don't know it because older ones are normally configured to talk through the serial ports. XPostFacto will let you change this to keyboard/video.

MacManager

[akgunkel]

A year ago I was the admin for an edu network with ~200 macs. I used MacManager on them. I never had any problems with the any of the brighter students breaking it. None of my macs were ever screwed up from tampering. I did have problems with earlier versions of AtEase though...

Assimilator sucked hard in it's early days (circa 1998.) It was pretty easy to bypass. I'm not sure how it is now.

YMMV

Now I work on a corporate network with Win2k. PCs may be "real computers" in the eyes of most geeks, but being the admin for a Mac network is a hell of a lot more fun.

Not OnGuard

[OrangeHairMan]

OnGuard, a program by the guys at PowerOn Software, has many security holes in it, so I can't reccomend it. It is easy to get by (like accessing someones files on a server is just as easy as going into Netscape and going file:///Server/), and only protects from normal file and OS stuff, like launching, deleting, moving, etc. Anything that bypasses the OS, like Internet Explorer, AppleWorks 6, and others can get by easily. (Ex: AppleWorks 6's normal open dialog shows everybody's folders (While ClarisWorks 5 does not), and Internet Explorer allows anybody to launch any apps that are on any of the hds.)

You can try it, download the demo, but try and get past it and you you'll see how easy it is. Or not. At my school, the security is a joke. So test it, if you like it, use it, but I reccomend against it.

More info here: http://poweronsoftware.com/products/onGuard/ [poweronsoftware.com].

Orange

I know a way...

[ike6116]

AtEase anyone? :-D

Well...

[djupedal]

As already suggested, OS X is a good start, but you perhaps should outline your environment and goals a bit better first.

That said:
1.) Educate your users and let them know your expectations.
2.) Learn how to lock down a drive and system folder.
3.) Learn how to hide various folders and how to track changes
4.) Create and deploy an easy to use and reliable backup program.
5.) Inventory your hardware and software.

Don't bother locking them down

[Dragonfly]

I used to manage the labs at a liberal arts college in New England, and we at one time used a combination of RevRDist and MacPrefect. Unfortunately, RevRDist stopped working for us with OS 9, and Assimilator, which we chose as a replacement, did not work with MacPrefect. So, we dumped MacPrefect, and set Assimilator to run every night using a freeware scheduler named DaemonChron Lite. We put an alias to the Assimilator called "Clean This Mac" in the Apple Menu to provide users with a way of fixing troublesome computers. Despite the lack of security, we had no problems wich machines getting disabled due to vandalism. Email me directly and I can send you a complete how-to that was written for our labs.

MacAdministrator

[oboeaaron]

We use MacAdministrator from Hi-Resolution to administer about 300 macs in several labs on a large college campus. If you can afford it, I highly recommend this product. It's highly customizable, and straightforward to learn. It allows you to lock down the hard drive on a folder-by-folder basis, handles software distribution, print quotas, and controls access to the chooser and control panels (again on an individual basis). You'll need a server running Appleshare IP 6.3 I believe, although they are supposed to have an OS X server available soon.

Overall, there is nothing I have wanted to accomplish in my labs that MacAdmin has not allowed me to do. I have not tried Assimilator because, frankly, MacAdmin + Apple Software Restore do every thing I need.

I'm looking into the same problem

[namtro]

I'm an admin at a similar institution and we're trying to solve the very same problem. I've always been very disappointed as to what FoolProof could do for us. It always seemed to get in the way when we didn't want it to, and it never seemd to really do what we did want it to do. We're currently looking very seriously into the netboot options. We don't have an Apple server, so we're looking to role our own Linux solution, but I'm not sure the setup time for the server is really going to justify what we would gain. (We don't have *that* many macs -- 1 lab primarily.) One of the most promising alternative solutions is Mac Admistrator [hi-resolution.com] which promises the world for us (linux and/or NT authentication, drive image resortation/sanity chekcing, etc.) I would think it would be something you'd really like to look into. Paul

Yuppy pants

[Graymalkin]

There's tons of different solutions that have been outlined here, it seems from your comments you dismiss them because they "encumber" your students and make them feel bad and icky. It is not their network nor are the computers theirs, they don't have rights to them. Lab computers belong to whoever owns them and not whatever student sits down in front of them. If you're worried about them feeling encumbered by your security you're not doing your job properly.

You make the systems secure so no one can easily screw them up preventing other students from using them. There's a lot of jackasses that love to break systems or "customize" them preventing anyone else from getting any use out of them at all. There's also the people who feel that because a school has a particular amount of bandwidth, they ought to be able to monopolize it to download ripped DVDs and MP3s. You secure your systems and your network so everyone can use it because it is a shared resource. You aren't supposed to leave systems wide open for them to be abused.

Let people do what they need to do with as little hassle as possible. Don't allow people to abuse your systems though. I've managed a Mac lab before and the previous admin decided not to lock down any of the systems. The computers crashed constantly and hardly anyone could get on the web. I spent weeks getting Carracho servers, SETI@Home clients, and copies of Starcraft off all the systems. After the systems were locked down we didn't have any problems. If people want to play Starcraft or run a Carracho server (which was probably used to ship off copies of software we had) they can do it at home. They don't need to use your lab for it unless you specifically allow them to.

Re:Yuppy pants

[domefreak]

It's fine to be hard-nosed like this, and it's worthwhile to safeguard the computers, but you have to find a balance. If you make the lab computers too restricted, you will only be challenging the students to hack your system.

The problem with encumbering students is not that you make them feel 'icky' but that they cannot do what they need to do. No, the lab computers are not their personal computers, but they are there for student use.

If you think of your users as jackasses, you are setting up an adversarial relationship that will just make your job harder.

Nothing.

[andfarm]

*shudder*

Is there any reason you have to set up any such system? I'm a student myself, and I've found in my experience (doing innocent things like coding) that any "idiot-proofing" system tends to make the computers much harder to use for legitimate purposes.

Much better than a program to prevent people from doing certain things would be teaching the people to just not do those things. Worried about people saving things on specific hard drives? Tell them to not do it! Worried about people installing unauthorized software? Tell them to not do it! (And take off the programs that they invariably will install.)

Re:Nothing.

[j!mmy v.]

"Why?" Is that a troll? It's the system administrator's job to adequately secure systems in his/her domain, and not to take the word of "innocent" students. If you had the choice of (a) intelligently locking your workstations once or (b) spending the rest of your natural life reinstalling legit apps and uninstalling BonerWare, which would you choose?

Re:Nothing.

[andfarm]

Hate to bite on this one, but the main reason I say that locking down machines is a Bad Idea is that it tends to keep people from doing legitimate things with the machines. Setting up machines to reset their state is just fine. Preventing any changes *at* *all* is bad.

rev r disk

[Suppafly]

They use rev r disk here to manage the macs.. not sure if its good persay, but it seems to get the job done.. then again not that many people use the macs.. and the ones that do bitch about them taking 15 minutes to load up because the previous users killed it before rev r disk could finish.

mac os x server is the way to go

[poil11]

get them to buy mac os x server. its the best solution for administering users and the programs that they use. we used foolproof and the kids at my school figured out the password and bypassed the foolproof and uninstalled it. mac os x server works great, i can add users, change pws, disable users. and the combination of remote desktop i can moniter students, do a class with examples, by sharing my screen. and it works pretty fast.

Would this work?

[Joe Tennies]

Could you: - install a form of Linux/PPC on a server and all the clients - install Mac On Linux on the server along with the applications you want on the clients - Make the Mac disk image on the server readonly - install X11 on the clients and have them connect to the server - Only accept X11 connections on the server from within the campus Only real issue I see would be licenses... but it should work if you have site licenses.

Couple thoughts...

[DAQ42]

For those of you who didn't know, yes, on the older Mac's (ones with the hardware ROM) you can lock out boot volumes. You can even password protect the boot up. You just have to know how to program in Forth >:)
As for alternatives, if your not completely tied to using the Mac OS, install your favorite flavor of Linux and use those lock down tools (which are more plentiful and complete than the existing Mac ones). Then there is the option (depending on how old the systems are) of using the original Lock Down directly from Apple, AtEase. This software is great for foiling a would be hacker since once the machine is booted, you have to have administrator access to shut it down again. It also came with some developer stuff (of course I have no idea how your going to get your hands on this stuff now) that enabled the boot password and other fun hardware hacks.

Whee!!!!
Hooray for the old skool software that still sucks.

Managed Clients for X and Macintosh Manager 2.2.1

[njpomeroy]

Apple bundles these managed client apps with it's server license.

It allows centralized preference and application management, workgroup shared folders, etc.

MCX is is totally sweet (a stripped down version can be found in in the Accounts prefpane of every Jaguar install (that has a non-admin user), but the industrial strength version is included with OS X Server.

Macintosh Manager is pretty good, but with Apple's focus *away* from classic OSes, it won't get any better. It'll just fade away.

Macintosh Manager and/or NetBoot

[gozar]

Macintosh Manager (now also called Workgroup Manager which controls OS X machines) can lock down machines to where the users can only run what you allow them to run. It can also control preferences (like forcing the homepage for Internet Explorer). It is easy to bypass if you have a boot disk, but you could setup open firmware to not allow booting from an external device. This is more of a user issue, just put in your AUP that they cannot manipulate the boot process.

NetBoot puts your disk image on the network which all the machines then use to boot and run applications from. To set up a new machine in this scenerio, you pull it out of the box, plug it in, and hold down the N key as it's turned on.

You can also use Apple Software Restore in conjuctions with a NetBoot server. The machines normally boot off of their hard drive, but if you need to re-image, you hold down the N key and have a set of AppleScripts on the netbooted image that restores the machine and sets it to boot off of the hard drive. For OS X machines you need to contact your Apple SE to get a copy of ASR that works with OS X.

Believe me, Macintosh Manager is a life saver, once it is set up (and be sure your network can handle it) and it's free (with OS X Server)!

Need help locking out foolproof

[DeenaLarsen]

Hi, I have about 200 Mac Classics, Classic II and SEs that I am trying to reconfigure. Trouble is, that I got these from a school, and they have FoolProof 1.0 on them. (Systems range from 6.0 to 7.5). The admin knew what s/he was doing--the hard drive is set to 0 so you can't boot off of a SCSI. I do not want to crack 200 mac boxes (It is a huge job just to get a new system on all of these!). Is there an easy way to disable this? Does anyone have the apple script to do this? Thanks!

Re:Need help locking out foolproof

[adrew]

You could always boot from a floppy, erase the HDD, and do a fresh OS install.