Disable Hardware Devices

As part of our corporate security policy, we are forced to disable various hardware devices as part of our image build. As a result, before we deploy our production OS X image we need to disable the following devices in such a way that would prevent a user from enabling them again.

AirPort (no wireless devices)
Bluetooth
iSight camera (MacBook)

Basically wireless devices and cameras are not permitted on the premises. Initially I thought I could delete the extensions, but that has had no effect. I can turn off Bluetooth or AirPort, but there is nothing preventing a user from turning them back on. The biggest concern is probably the camera, which I see no way to disable. Can anyone provide a way to globally disable these devices and prevent a user from re-enabling them (w/o admin access)?

MacBook, Mac OS X (10.4.7)

Posted on Oct 5, 2006 12:48 PM


Oct 5, 2006 1:24 PM in response to sysadmin

These suggestions are assuming that users do not need any admin rights and that you will be testing these first on a non-critical system, as I have done some, but not all, of the suggestions I'm making and your results may be less than desirable. That said, let's play.

Bluetooth is easy. Turn it off in that user, turn off show in menu bar and turn off the other options. If no user will need access then as an admin navigate to System/Library/PreferencePanes, (make a copy to the admin desktop for backup if you wish) and delete the control Bluetooth.prefPane. There are 3 items in System/Library/CoreServices that you may want to delete as well.

For Airport I would do the same turning off and hiding as Bluetooth, but you can't delete the preference pane as it is needed for networking. If you manage the user and do NOT check the Open all System Preferences you can keep them from making any setting or joining any wireless network if they added in an airport or slot network card. Just leave the only active Network setting as Ethernet and to Automatic. As long as you don't have to worry about the user having to make proxy/network changes you will be ok.

iSight... I would look for all of the drivers I could find and delete them. The only one I found with my quick look was System/Library/Extensions/Apple_iSight.kext.

Don't forget to set the Firmware Password with the utility from Apple (Newer systems have it on disc one) to prevent malicious override of the systems as well.

Hope this helps, JD

Oct 5, 2006 3:00 PM in response to J D Knight III

Thanks for the feedback - much appreciated.

The OPFW password has been enabled on all systems and the PreferencePanes have been set with restrictive permissions, as opposed to completely deleting them. I used chmod and set the permissions to 711. This will prevent users from accessing the PrefPane, but it can be restored in the future if needed.

One thing I neglected to mention is that the system we build the image on (PowerMac, MacPro) doesn't have Bluetooth or AirPort, so disabling them during the image creation process is not possible. Once the image is deployed to a laptop (w/aforementioned devices), the Bluetooth and AirPort devices are then available.

I tried deleting the iSight extension from /System/Library/Extensions/Apple_iSight.kext, but the camera still works. For the average home user, the camera is great, but for a corporate environment it's problematic. This device should be an option IMHO.

Nonetheless, I should be able to use the info you provided. Ideally I would be able to either permission (or delete) the required device files (in case the device isn't present on the source system), or be able to do this via command line so that it can be sent via ARD. Thanks again for the feedback.

Oct 5, 2006 3:16 PM in response to sysadmin

One thing that might be worth trying to disable a built-in iSight is to remove the "execute" privileges from "/System/Library/QuickTime/QuickTimeUSBVDCDigitizer.component". I'm not sure what else such a change might disable, but it is often mentioned when the subject comes up, e.g.:

This obviously won't be effective against anyone with "admin" privileges, and also note that repairing permissions or installing Apple system or security updates may also re-enable the function.

Oct 6, 2006 1:30 PM in response to biovizier

Thanks for the info. I used chmod and modified the permissions as you indicated, and it did indeed disable the use of the camera. Of course I'll have to add the permission change to our config script as you indicated this will be reversed by a 'repair permissions', which is inevitable at some point. I would be interested to know the potential impact of changing the permissions on "QuickTimeUSBVDCDigitizer.component" as I'm not familiar with this component. Thanks again.
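
A config-script step for the permission change discussed above, as an added example that is not part of the original thread: it removes the execute bits from the component path quoted in the thread and reports whether the component was absent, still locked down, or had been re-enabled (for example by a 'repair permissions'). The optional root-prefix argument and the status words are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: verify and re-apply the camera lockdown.
# Assumption: an optional first argument prefixes the path so the logic can be
# exercised against a scratch directory; with no argument it acts on /.

# Component path as quoted in the thread (relative to the volume root).
COMPONENT_REL="System/Library/QuickTime/QuickTimeUSBVDCDigitizer.component"

# True if the path itself carries any execute bit (owner, group or other).
# -prune keeps find from descending into the bundle.
has_exec_bit() {
    [ -n "$(find "$1" -prune \( -perm -100 -o -perm -010 -o -perm -001 \) \
            -print 2>/dev/null)" ]
}

# Prints one status word (assumed vocabulary):
#   missing   - component not present on this machine, nothing to do
#   compliant - no execute bits, lockdown still in place
#   fixed     - execute bits had come back and were removed again
#   failed    - chmod did not take effect (e.g. not run as root)
enforce_camera_lockdown() {
    target="${1:-}/$COMPONENT_REL"
    if [ ! -e "$target" ]; then
        echo "missing"
        return 0
    fi
    if ! has_exec_bit "$target"; then
        echo "compliant"
        return 0
    fi
    if chmod a-x "$target" 2>/dev/null && ! has_exec_bit "$target"; then
        echo "fixed"
        return 0
    fi
    echo "failed"
    return 1
}

# Run once per invocation; non-zero exit lets the management tool flag the host.
enforce_camera_lockdown "${1:-}"
```

Because the state is re-checked on every run, the same script can be sent out again after a system update or a 'repair permissions' and will report `fixed` on any machine where the change had been undone.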
