
Using Parental Controls with Active Directory Users

We are working on setting up our school's Mac computers to allow users to sign in with Active Directory. We have this working, but after a user signs in we want to restrict access to applications and System Preferences as is done with Parental Controls.

OS X Server-OTHER

Posted on Oct 30, 2015 10:29 AM

Question marked as Best reply

Posted on Oct 30, 2015 8:09 PM

Congrats on the AD integration. It is the right thing to do until you get to one to one and DEP.


Ah, but now you are at a crossroads. The easy answer is to tell you to get an MDM server and manage the Macs through policy. By far this is the right way to do this. You can still use AD authentication, but management is delivered through a management console. Options include OS X Server's Profile Manager, JAMF, Bushel, Airwatch, etc, etc. There are a lot of MDM solutions available. You need to research and choose the one that fits your needs and budget.


Now, if you don't have the means of implementing an MDM it still is possible to apply restrictions to AD accounts. Here are some options.


1: Customize the user template.

All home folders are created by copying the user template to /Users. If you customize the template, then all new accounts receive your custom settings. The drawback here is that the settings are a one-time thing. On account creation the account receives the settings. Once the account is created, students can override the settings if they want. There is no lasting management. You can only ensure an initial consistent user experience.


2: Manually enforce user policy by altering the existing user accounts

This gets pretty tricky. But if you are skillful, you can pull this off. Just document what you do and test. Trust but verify. So, the first question is: where are Parental Controls stored? The answer is in the user account, in a key named MCXSettings. Yep. Ugly. MCX is dead... yeah, right. But it still can be manually modified. Stay with me here.

So, you can create a test account. Apply Parental Controls to the account. Log in to the account to make sure you are getting exactly what you expect. If you are, then the MCXSettings can be captured and distributed out to all other users. Use Directory Utility to extract the MCXSettings from the test account and save them to a file. You then can use dscl . mcximport /Users/<the_user> /path/to/masterMCX.plist to import the settings into other accounts. Now granted, you have accounts already created. So you can use ARD to iterate through each user on each machine to set the values. The next time the user logs in they will be "managed." Lots of work and a high level of skill, but doable. I've done it. Can be done.

3: Edit the AD user template

So once again, this is good if you are starting out (depending on OS). But it also can be good if you already have users in place. Let me try and explain. Sorry, this is a lot of years of plumbing the depths. OS X has a default AD template located here: /System/Library/OpenDirectory/ManagedClient/Active\ Directory\ Default.plist. In the old days (before El Cap), this file could be edited to modify the behavior of all AD accounts before the unit was even bound to AD. (El Cap's System Integrity Protection prevents modification.) Call this the "hey, I won't deploy OS X Server and I don't want to purchase Centrify" solution. However, once the machine is bound, you have a new file located here: /Library/Preferences/OpenDirectory/Configurations/Active\ Directory/<yourADdomain>.plist. This file can be modified even after account creation, as MCX settings are dynamically applied on each login. I will admit I have not tried this on El Cap, so keep that in mind.


I am sure I can come up with a few more methods. But I think I am done for the week. This will give you some thoughts to work on. Hope this helps.


Reid

Apple Consultants Network

Author "El Capitan Server – Foundation Services" :: Exclusively available in Apple's iBooks Store

Author "El Capitan Server – Control & Collaboration" :: Exclusively available in Apple's iBooks Store

Author of Yosemite Server and Mavericks Server books
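Method 2 in the reply above captures a test account's MCXSettings into a file and then imports that file into every other account with dscl. Before pushing a file to all student accounts, an administrator would want to see exactly which preference domains it manages and whether each one is Forced (re-applied at every login) or only Set-Once (applied once, then changeable by the user). The script below is an added example, not code from this thread; it assumes the export uses the standard mcx_application_data / mode / mcx_preference_settings nesting, and SAMPLE_MCX is constructed sample data.

```python
"""Audit an exported MCXSettings plist before importing it with dscl.

Added example (not from the thread). Lists which domains the export manages
and which are only Set-Once, so nothing unexpected is pushed to every account.
"""
import plistlib

# Constructed sample export: one Forced domain, one Set-Once domain.
SAMPLE_MCX = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
 <key>mcx_application_data</key><dict>
  <key>com.apple.applicationaccess</key><dict>
   <key>Forced</key><array><dict>
    <key>mcx_preference_settings</key><dict>
     <key>allowedApplications</key><array><string>/Applications/Safari.app</string></array>
    </dict></dict></array></dict>
  <key>com.apple.dock</key><dict>
   <key>Set-Once</key><array><dict>
    <key>mcx_preference_settings</key><dict><key>autohide</key><true/></dict>
   </dict></array></dict>
 </dict>
</dict></plist>
"""


def summarize_mcx(data: bytes) -> dict:
    """Return {domain: {mode: [managed keys]}} for every domain in the export."""
    plist = plistlib.loads(data)
    summary = {}
    for domain, modes in plist.get("mcx_application_data", {}).items():
        for mode, entries in modes.items():
            keys = []
            for entry in entries:
                keys.extend(entry.get("mcx_preference_settings", {}))
            summary.setdefault(domain, {})[mode] = sorted(keys)
    return summary


def unenforced_domains(summary: dict) -> list:
    """Domains with no Forced block: applied once, then changeable by the user."""
    return sorted(d for d, modes in summary.items() if "Forced" not in modes)


if __name__ == "__main__":
    s = summarize_mcx(SAMPLE_MCX)
    for domain, modes in s.items():
        for mode, keys in modes.items():
            print(f"{domain} [{mode}]: {', '.join(keys)}")
    print("not re-applied at each login:", unenforced_domains(s))
```

Run it against the real masterMCX.plist instead of SAMPLE_MCX; any domain listed as not re-applied at each login will behave like the user-template approach in method 1 rather than lasting management.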

