13 Replies Latest reply: Oct 13, 2013 8:34 AM by etresoft
idimch Level 1 (20 points)

Due to some restrictions I can't let my users mount external HDD's/USB Flash etc. in RW mode. Only read is allowed, so how can I do that without OS X Server installed?

  • Alberto Ravasio Level 4 (3,902 points)

    Have a look at this little utility

    https://github.com/aburgh/Disk-Arbitrator

  • etresoft Level 7 (27,808 points)

    idimch wrote:

    Due to some restrictions I can't let my users mount external HDD's/USB Flash etc. in RW mode. Only read is allowed, so how can I do that without OS X Server installed?

    What is wrong with OS X Server?

  • idimch Level 1 (20 points)

    Nothing wrong, except I did not have it and I'm not going to buy it.

  • etresoft Level 7 (27,808 points)

    idimch wrote:

    Nothing wrong, except I did not have it and I'm not going to buy it.

    It costs $50.

  • softwater Level 5 (5,370 points)

    Probably not money well spent. Anyone even thinking of going down this road would do well to read the ArsTechnica review here:

    http://arstechnica.com/apple/reviews/2012/01/is-lion-server-suitable-for-home-use-ars-investigates.ars/1

  • etresoft Level 7 (27,808 points)

    Apple doesn't market Lion Server to home users and the original poster seems to be a business user.

    Lion Server certainly seems like it would be able to accomplish the task.

  • softwater Level 5 (5,370 points)

    There is little distinction in practice between a home user and an SME. The points made in the ArsTechnica article seem pretty valid to me. I wouldn't touch it with a bargepole (and I'm a small business user, too).

  • idimch Level 1 (20 points)

    Thanks for all, I did my task with workgroup manager, installed locally:

    [Screenshot: 20120425124243.png]

  • Alberto Ravasio Level 4 (3,902 points)

    Good to know.

    Thanks for the feedback.

  • idimch Level 1 (20 points)

    Hi there,

    I spent too much time finding how to recover my user profile on this forum, because for some time it has been separated from my Apple ID, but it uses the same email.

    Well, this solution (I mean Workgroup Manager being locally installed) still works well, except one thing: if your "limited" user reboots your Mac, he will have full access to the hard disks connected to it, because at the booting stage the OS will mount everything using root privileges... Any idea how to prevent the OS from doing this?
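
A way to check for the condition described in the post above after a reboot (an added example, not part of the original thread): the function reads `mount` output on stdin and lists every volume under /Volumes that is not flagged read-only. The sample lines are constructed, and treating every mount point under /Volumes as an external disk is an assumption.

```sh
#!/bin/sh
# Audit helper: report volumes under /Volumes that are mounted read-write.
# Input format is the macOS `mount` listing:
#   <device> on <mount point> (<fstype>, <flag>, <flag>, ...)

rw_external_mounts() {
    awk '
    {
        line = $0
        # The option list is the last parenthesised group on the line.
        open = 0
        for (i = length(line); i > 0; i--)
            if (substr(line, i, 1) == "(") { open = i; break }
        if (open == 0) next
        opts = substr(line, open + 1)
        sub(/\)[ \t]*$/, "", opts)
        head = substr(line, 1, open - 1)
        sub(/[ \t]+$/, "", head)
        # Split on the first " on "; mount points may contain spaces.
        sep = index(head, " on ")
        if (sep == 0) next
        dev = substr(head, 1, sep - 1)
        mnt = substr(head, sep + 4)
        # Assumption: anything mounted under /Volumes must be read-only.
        if (mnt !~ /^\/Volumes\//) next
        n = split(opts, o, /, */)
        ro = 0
        for (j = 1; j <= n; j++) if (o[j] == "read-only") ro = 1
        if (!ro) print dev "\t" mnt
    }'
}

# Constructed sample of a `mount` listing (not captured from a real machine).
sample_mount_output() {
    cat <<'EOF'
/dev/disk0s2 on / (hfs, local, journaled)
devfs on /dev (devfs, local, nobrowse)
/dev/disk1s1 on /Volumes/BACKUP (hfs, local, nodev, nosuid, journaled, noowners)
/dev/disk2s1 on /Volumes/USB STICK (msdos, local, nodev, nosuid, read-only, noowners)
EOF
}

# Demo on the sample; on a Mac, run: mount | rw_external_mounts
sample_mount_output | rw_external_mounts
```

Run from a login hook or a scheduled job, any line of output means a disk that was attached at boot is writable and should be reported or remounted.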

  • etresoft Level 7 (27,808 points)

    Physical access trumps all security. If you were using true managed accounts such as with OS X Server or Active Directory, then you can control the machine's access to your network and the users on it. A user could still reformat the hard drive, but then they couldn't reconnect to the server and you would know something was up.

  • idimch Level 1 (20 points)

    Well, actually knowing about an accident is not enough for the company where I'm working. If somebody steals a pre-release version of a feature we are producing, the penalties could be very impressive. In a Windows environment I did the block I'm talking about, using some antivirus software. But with Mac I still have not found a perfect solution which will fit all requirements...

  • etresoft Level 7 (27,808 points)

    Windows is no different. If someone had physical possession of that Windows machine and the intellectual property residing on it, they could have copied that off if they were determined enough. This is not a question of differences in operating systems, but the pragmatic realities of mobile devices and human beings. All you can really do is make the task more difficult for the hacker. But if you are unwilling to try easy solutions like OS X Server, then I doubt you would be interested in 3rd party full-disk encryption requiring CAC card access. You can have as much security as you are willing to pay for up to a limit of just under 100%. You have to combine the technological solutions with social solutions like references and background checks. Even people who specialize in such things get burned from time to time.