disable disk image mounting.

I'm unsure whether you are speaking of encrypting their home directories or encrypting the disk images. I'll address both.

Encrypting home directories - doesn't help as they will still be able to mount disk images.
Encrypting disk images - doesn't help because they can download any disk image they want and mount it from there.

ACL's are obviously what am a looking for as you can tell from any mounted disk image it gets default permissions 755 for the user:group that opens it.

Unfortunately since disk images act much akin to USB hotplug devices I can't simply perform ACL operations on something that has yet to be opened.

Best effort I can do without knowing where these defaults come from is to change the permission on the root /Volumes .. however that's quite useless as that is also where the hard drive is mounted and obviously I want them to be able to use that.

I wish it was that simple, no I am referring to any disk image you can find on the internet or otherwise.

I am well aware of what ACL's are and what they can do, I've been a unix/linux/mac sysadmin for over 10 years now.

I am not sure if the workgroup manager will work as users are not local, but in fact ldap users (not AD or OD). I have yet to see a solid solution arise to the case of integrating ldap into a situation such as this (or the use of say iCal server), although Apple documentation has assured me that it can be done (without ever explaining how).

I'll give it a shot in the morning, thanks for the help thus far guys.

Cheers!

Hey guys,

So the ultimate solution to this thus far (and a really cruddy one at that I might add) is to turn off diskarbitrationd.

This is done via the launchctl command:

sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.diskarbitrationd.plist

The -w flag writes the disable into the plist instead of just stopping the daemon.

This basically does the exact same thing as KJ's suggestion of modifying ACL's which I prefer not to do as some program installs generate improper permissions as such it is habit to run 'fix permissions' from the Disk Utility after my initial install of a new program. This habit breaks the idea of using ACL's to modify the behaviour.

Overall this solves both my problems (USB drives and disk images). Albeit, I find it hard to believe that modifying the mounting options and permissions sets of both USB and disk images is UNMODIFYABLE in OSX, but both Linux and Windows both contain these feature sets.

I would love my users to still be able to play their iPods through their machines, but not be able to write information back out to them. I would love them to be able to copy things onto our system via their USB drives but not write back to them. I would think that this is a feature set that should have a prevalent use as OS X becomes more and more integrated into the corporate world.

As well the method described works exactly the same way as the Workgroup manager solution and the ACL modifying solution in that double clicking a .dmg will generate a 'no child process found' error and opening Disk Utility will generate a 'Unable to start Disk Utility background process' hanging error that requires a 'force quit'.

Solution awarded to KJ.

Indeed it does V.K. In fact I just managed to crash my machine by hitting eject key too many times with diskarbitrationd unloaded.

The ultimate solution is for non-admins not to be able to mount disk images and USB drives to be read only.

I'm going to give the Workgroup Manager a shot, but this is a far from ideal solution already. Either someone at Apple has greatly under estimated the usefulness of being able to configure this spectrum of events or its so far removed (or right under my nose) that I have yet to locate it.

You have to be in the admin group to launch diskarbitrationd. Although the ACL's make it look otherwise.