Slashdot Mirror
Mac OS in a Lab
jmu1 wishes to get to the core of the following issue: "I run a medium sized lab of Mac OS 8.6/9.x machines. They all have (shudder) FoolProof as an attempt of keeping the systems usable. Unfortunatly, it is quite easy to bypass the software, or even to remove it using AppleScript, etc. What I want to know is, what is a usable solution for securing a lab of Macs?"
install OS X?
'jfb
To spur "enterprise Linux," Big Bang, the distributed two-phase commit.
The question is how secure do you want your system to be?
Foolproof can actually lock a Mac down pretty tightly, and using their Disk Locking you can deter most Malicious Beings from messing around.
Of course, you reduce the flexibility of your system. The less options you turn on in Foolproof, the easier it is to defeat.
What do the users of your system need to accomplish on these machines? How Evil are they? I've also tried PowerOn's On Guard, but didn't like it as much.
=Brian
There is nothing so good that someone, somewhere, will not hate it.
Seal the doors and any windows and then fill the room with concrete from a heating vent in the ceiling.
I would definitely go with something that returns the system to a default state on reboot as opposed to locking down the whole thing. In our Mac lab at my school, we used Assimilator. You can actually use the desktop and download a little program or two if you want, and on reboot, the system syncs back to a default state. Works great.
If you want to make an apple pie from scratch, you must first create the universe. -- Carl Sagan
For each diffrent configuration, make a copy of the Applications and System Folder (you could burn them onto a CD).
Let the kids do whatever they want. When a system becomes unusable delete the existing Applications and/or System Folder and copy a fresh one from you backup copy.
You can just copy the folders or use Disk Copy or Stuffit to create single files out of the folders. I have know users that have had great sucess using Disk Copy and System Restore to restore custom configurations.
This is one of the many reasons I love Mac's. I can restore an OS 9.2 or newer computer to a default configuration as fast as I can copy files off a CD or over the network.
Netboot is some nice technology from Apple. It allows you to set up a default system on some server, then have the computers on your network boot from that server. When the computer reboots, it reloads the system from the image on the server, rather than from something on the hard disk. It is very difficult for a user to change the information on the server. It's not impossible, but we all know that undefeatable security doesn't exist.
But NetBoot was made for exactly this sort of situation, so it's definitely worth checking out.
=Brian
There is nothing so good that someone, somewhere, will not hate it.
revrdist is a free (public domain) program with the same basic function. Its setup is a bit more involved and it doesn't have all of Assimilator's features, but it's a well-tested program that definitely works. Use it if you can handle the extra administration and prefer a free solution. The reverdist home page also has links to other Mac administration programs.
our graphic design and imaging tech labs were locked down with MacPrefect. Frustratingly, it DID seem to work...
That was classic intercourse!
I do consulting for a variety of school districts that utilize MacManager to safeguard there systems. If you have a box that is capable of running OS X Server, I would recommend trying it out. Not a perfect solution but allows students to save work on servers, only allows students to work with certain applications, etc, etc.
If you have the time it is worth the look.
I used to be the admin in my high school mac lab. Since I was the only one fimiliar with macs I got the job. I decided to stay with FoolProof because it was simple, we had good support if anything went wrong, and nothing did for 2 years. Another reason why we kept FP was because I knew that the students in the class dont know enough to hurt the system. As for external problems I set up a rather decent firewall on a linux box. What are you worried about that you think FP cant handle?
For those who have never used it, it's a cheesy-looking program, but it's a great solution for computers that run MacOS 9 and below. You can set it so you can't get info, move files, and there is a list of allowed/disallowed programs. Bypassing by holding down shift at startup won't work, etc.
There's a whole lot of other stuff it can do. All in all, when set up correctly, there is one way to bypass it, and one way to mess up a system, which I will not go into detail about. Our setup apparently works well, because I haven't seen any students bypass it.
Seriously, anyone who's used it knows that you just click on a bunch of check boxes and maybe disallow a few programs. Changing the default password is a good idea also. This is not a difficult thing to do.
Sten
I remember in middle school writting an apple script which dumped fool proof off of all of the machines in any apple talk zone, and then copied Bolo to replace it. It drived my teacher insane. Sometimes she would turn her back and find the entire classroom playing multiple 16 player tourneys.
I also remember fool proof didn't recognize ftp access to a system. I could access files quite easily through that.
Oh don't even ask what I did with ResEdit.
Here at my univeristy , we use OnGuard, and I can say that it works much better than FoolProof in my experience. Washington University uses Assimilator, but their computers generally have a lot more problems. The other thing you could try is to load up a few FireWire or SCSI hard drives (depending on your computers) with your lab's disk image, and Apple Software Restore. Boot from the external HD's and restore the image to your lab machines nightly.
Older Macs don't have the OpenFirmware ROMs, and so don't have the ability to lock out alternate boot devices, I recall they also can't boot to the network. You don't mention what type of protection level you are trying to achive, or the repricutions of a security failure, I can't really get a handle on that from the responses either. Is this just a lab on campus where you want to keep games and P2P apps off the systems, or is this a research lab where a breach could cause panic or lost money or saftey concernes?
Unless you remove or disable the floppy, CD-ROM drive, and external SCSI connector you have little chance of truely securing a Mac lab. There will always be some way for a malcontent to get control, rather easily in fact.
I recall some stuff like DiskVault, I think, that would alter the directory layout or something so that unless you booted to the drive that was protected, you couldn't use the protected volumes. Of course, installing the software on a bootable CDR would get you around this, as would booting to an external drive that the hacker controlled and had installed the software on.
Personally, I have never encountered a disk/system lockdown utility on older Macs that I couldn't bypass with an alternate boot disk and, at most, a few hours of tinkering. The most you could ask for is that wandering lab monitors might find people hacking the thing before it goes too far. Anectodally, at one place I worked they installed GraceLAN to keep track of app lauches, prevent software installs, force LAN-wide software installs, etc. I used ResEdit and a disk editor on a floppy to locate the admin password. I then installed the admin program on my own system and force installed the old "Energizer Bunny" init on all 120 systems in the office. Of course I renamed it to something like "Apple SoundManager Tuner". THAT was a blast!
If it's just simple protection to keep the honest people honest: use SimpleFinder or AtEase that each limit what users can do. For all its problems, AtEast is a nice little application/Finder replacement for labs. It allows you to create a tab for each type of application, or on a per-course basis.
Article X: The powers not delegated... by the Constitution...are reserved...to the people
but really the better way to go is to net-boot os-X.
Finally, I dont see why you need a FW dirive at all. just mount the disks over ethernet. if your lucky enough to have gigbit ethernet ports on your macs its even faster than firewire. (skip the router and just use a cross-over cable maco-a-maco.
Some drink at the fountain of knowledge. Others just gargle.
A year ago I was the admin for an edu network with ~200 macs. I used MacManager on them. I never had any problems with the any of the brighter students breaking it. None of my macs were ever screwed up from tampering. I did have problems with earlier versions of AtEase though...
Assimilator sucked hard in it's early days (circa 1998.) It was pretty easy to bypass. I'm not sure how it is now.
YMMV
Now I work on a corporate network with Win2k. PCs may be "real computers" in the eyes of most geeks, but being the admin for a Mac network is a hell of a lot more fun.
Have you tried a program called KidsMenu (versiontracker.com). It does a pretty good job of locking down workstations and it runs on all Macs using MacOS 8.6 or higher! There are alot of options to customize to your liking. It can also trap the force-quit sequence on the workstations as well.
OnGuard, a program by the guys at PowerOn Software, has many security holes in it, so I can't reccomend it. It is easy to get by (like accessing someones files on a server is just as easy as going into Netscape and going file:///Server/), and only protects from normal file and OS stuff, like launching, deleting, moving, etc. Anything that bypasses the OS, like Internet Explorer, AppleWorks 6, and others can get by easily. (Ex: AppleWorks 6's normal open dialog shows everybody's folders (While ClarisWorks 5 does not), and Internet Explorer allows anybody to launch any apps that are on any of the hds.)
You can try it, download the demo, but try and get past it and you you'll see how easy it is. Or not. At my school, the security is a joke. So test it, if you like it, use it, but I reccomend against it.
More info here: http://poweronsoftware.com/products/onGuard/.
Orange
I administer a high school mac lab with Foolproof, and I don't see anything wrong with locking them up fairly tight.
They have access to all the tools they need for classes and research, but most other things are locked. And everything that could make life miserable for the next person to use that machine is locked. Storage is available for each student on the server.
We occationally do games after school, and I unlock those programs at that time.
I inherited the FoolProof solution, and can't say anything about it's overall security, but we haven't had any troubles with it. I do think it's important to recruite any students that are showing enough interest in doing things that make your life tougher (might as well just put them to work).
It's also important for the students to know what type of things will get their computer access terminated.
I concur with Mac Manager coupled with Network Assistant (osx version called Apple Remote Desktop I hear is very buggy) is amazing. You can manage all your users/workgroups, which applications/printers/disk quotas/shared files etc each user/workgroup can access along with 'ghosting' your whole lab at once (when ghosting using network assistant the computers still keep their computer/user names etc unlike other (PC based) ghosting software.
Anyway enough babbling... Mac Manager is the way to go... it also has a future with OSX as well both client and server. We used to run MM1.4 on OS9 with Apple Share IP and OS9 clients. We now run MM2 on OSX with OS9 clients. We will soon run MM2 on OSX with OSX clients.
Trantiom
AtEase anyone? :-D
Are you secure enough in your masculinity to run 'man touch'?
I run a lab using FoolProof, and I'm wondering what types of things you wanted students to be able to do that they couldn't do?
I'm probably missing something, but I can't see what people want to let students do that they aren't able to do. Lots of phrases like "crippled" and "lack of functionality" are floating around without alot of definition.
As already suggested, OS X is a good start, but you perhaps should outline your environment and goals a bit better first.
That said:
1.) Educate your users and let them know your expectations.
2.) Learn how to lock down a drive and system folder.
3.) Learn how to hide various folders and how to track changes
4.) Create and deploy an easy to use and reliable backup program.
5.) Inventory your hardware and software.
I used to manage the labs at a liberal arts college in New England, and we at one time used a combination of RevRDist and MacPrefect. Unfortunately, RevRDist stopped working for us with OS 9, and Assimilator, which we chose as a replacement, did not work with MacPrefect. So, we dumped MacPrefect, and set Assimilator to run every night using a freeware scheduler named DaemonChron Lite. We put an alias to the Assimilator called "Clean This Mac" in the Apple Menu to provide users with a way of fixing troublesome computers. Despite the lack of security, we had no problems wich machines getting disabled due to vandalism. Email me directly and I can send you a complete how-to that was written for our labs.
I found this link to be far better than any of the casual pdfs documention apple offers for netbooting w/o shelling out atleast $500 for 10.2 Server.
Also there is a link to how to implement it under linux (read free, as in ninja-bonghits when I'm packing) which 100% works with OS9 clients if you read the explaination of how things work and try to implement it on your own.
We use MacAdministrator from Hi-Resolution to administer about 300 macs in several labs on a large college campus. If you can afford it, I highly recommend this product. It's highly customizable, and straightforward to learn. It allows you to lock down the hard drive on a folder-by-folder basis, handles software distribution, print quotas, and controls access to the chooser and control panels (again on an individual basis). You'll need a server running Appleshare IP 6.3 I believe, although they are supposed to have an OS X server available soon.
Overall, there is nothing I have wanted to accomplish in my labs that MacAdmin has not allowed me to do. I have not tried Assimilator because, frankly, MacAdmin + Apple Software Restore do every thing I need.
Journey onward.
If they are new enough to have Firewire, then first, go ahead and load OS X. Then, create a default system on a Firewire harddrive, preferably a small, portable, bus powered one (I just got a 20 gig EZQuest from SmallDog for $170) so it's easy to move. Then, just boot from the FW drive and Carbon Copy Clone the systems onto the internal drives.
You can also use CCC to copy an entire system to a DVD, if your machines have DVD drives - less expensive (if you have a DVD burner) but it will take longer to clone.
CCC can't operate over the network (yet,) but either of these options will work.
Look Lisa: I learnded!
Me fail English? That's unpossible!
Yes, it's a blog. Sorry if that offends you.
ahh...good ol' MN school districts using FoolProof. well, thats pretty much all I have to say about it except for the fact that it taints everyone's (read, school populus) view on macs "they crash"..."no, foolproof crashes"...of course then they think I'm just making excuses. Oh well.
use Netboot
I'm an admin at a similar institution and we're trying to solve the very same problem. I've always been very disappointed as to what FoolProof could do for us. It always seemed to get in the way when we didn't want it to, and it never seemd to really do what we did want it to do. We're currently looking very seriously into the netboot options. We don't have an Apple server, so we're looking to role our own Linux solution, but I'm not sure the setup time for the server is really going to justify what we would gain. (We don't have *that* many macs -- 1 lab primarily.) One of the most promising alternative solutions is Mac Admistrator which promises the world for us (linux and/or NT authentication, drive image resortation/sanity chekcing, etc.) I would think it would be something you'd really like to look into. Paul
Install Mac OS 10 (X)
There's tons of different solutions that have been outlined here, it seems from your comments you dismiss them because they "encumber" your students and make them feel bad and icky. It is not their network nor are the computers theirs, they don't have rights to them. Lab computers belong to whoever owns them and not whatever student sits down in front of them. If you're worried about them feeling encumbered by your security you're not doing your job properly.
You make the systems secure so no one can easily screw them up preventing other students from using them. There's a lot of jackasses that love to break systems or "customize" them preventing anyone else from getting any use out of them at all. There's also the people who feel that because a school has a particular amount of bandwidth, they ought to be able to monopolize it to download ripped DVDs and MP3s. You secure your systems and your network so everyone can use it because it is a shared resource. You aren't supposed to leave systems wide open for them to be abused.
Let people do what they need to do with as little hassle as possible. Don't allow people to abuse your systems though. I've managed a Mac lab before and the previous admin decided not to lock down any of the systems. The computers crashed constantly and hardly anyone could get on the web. I spent weeks getting Carracho servers, SETI@Home clients, and copies of Starcraft off all the systems. After the systems were locked down we didn't have any problems. If people want to play Starcraft or run a Carracho server (which was probably used to ship off copies of software we had) they can do it at home. They don't need to use your lab for it unless you specifically allow them to.
I'm a loner Dottie, a Rebel.
Is there any reason you have to set up any such system? I'm a student myself, and I've found in my experience (doing innocent things like coding) that any "idiot-proofing" system tends to make the computers much harder to use for legitimate purposes.
Much better than a program to prevent people from doing certain things would be teaching the people to just not do those things. Worried about people saving things on specific hard drives? Tell them to not do it! Worried about people installing unauthorized software? Tell them to not do it! (And take off the programs that they invariably will install.)
TANSTAAFI: There Ain't No Such Thing As A Free iPod.
You can get a copy of AtEase from somewhere pretty cheap, if it's discontinued I'm sure someone could spot you a copy.
:)
No real problems with security. Use the Home edition (it's easy enough). You can't keep the bastards from using boot disks but that's just about it.
I was formally one of the aforementioned bastards that hacked into my schools computers in 6th grade and put simpletext documents on the desktop of the main ASIP fileserver that read something like "Stick to PC's Mrs. White!" (Mrs. White being the ONLY computer instructor/manager for the school).
But yeah, I had to use nothing short of a boot disk to get past AtEase. I didn't need jack sh!t to get past foolproof once I got to highschool
They use rev r disk here to manage the macs.. not sure if its good persay, but it seems to get the job done.. then again not that many people use the macs.. and the ones that do bitch about them taking 15 minutes to load up because the previous users killed it before rev r disk could finish.
I run os 9 on a PowerPC 8500 180 w/100MB Ram and a 2GB SCSI disk and it's lighting fast. On my PowerPC G3-333MHz 10.2 is slower than crap. Hell OS X 10.1.5 isn't fast on my G4 733, I've yet to upgrade to 10.2 even though the disks are setting there! It works and that is all I really need.
To answer his question all you need is all the lab macs facing the same direction and have some huge woman wrestler stand at the back of the room with her arms crossed and an angry look on her face. Women don't screw around generally in computer labs, and the boys that do don't want their ass kicked by a big burly woman.
Problem solved, now where is that Patent form...
I once worked in a place where they got rid of a bad employee who had installed foolproof on a production machine (without permission). After he left, they asked me to get into the machine. Tried a few basic things inside foolproof, which didn't work. So, I grabbed my tools drive, hooked it up to the SCSI port and forced an external boot. Did a little HDT fiddling, and the system was back. It could have been done with one of those System 7.5/HDSC Setup floppies too.
You sort of have to know how macs use hard drives, but beyond that, if the user has physical access to the boot drive there's not much you can do.
The Netboot suggestion is a good one.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
get them to buy mac os x server. its the best solution for administering users and the programs that they use. we used foolproof and the kids at my school figured out the password and bypassed the foolproof and uninstalled it. mac os x server works great, i can add users, change pws, disable users. and the combination of remote desktop i can moniter students, do a class with examples, by sharing my screen. and it works pretty fast.
Could you: - install a form of Linux/PPC on a server and all the clients - install Mac On Linux on the server along with the applications you want on the clients - Make the Mac disk image on the server readonly - install X11 on the clients and have them connect to the server - Only accept X11 connections on the server from within the campus Only real issue I see would be licenses... but it should work if you have site licenses.
For those of you who didn't know, yes, on the older Mac's (ones with the hardware ROM) you can lock out boot volumes. You can even password protect the boot up. You just have to know how to program in Forth >:)
As for alternatives, if your not completely tied to using the Mac OS, install your favorite flavor of Linux and use those lock down tools (which are more plentiful and complete than the existing Mac ones). Then there is the option (depending on how old the systems are) of using the original Lock Down directly from Apple, AtEase. This software is great for foiling a would be hacker since once the machine is booted, you have to have administrator access to shut it down again. It also came with some developer stuff (of course I have no idea how your going to get your hands on this stuff now) that enabled the boot password and other fun hardware hacks.
Whee!!!!
Hooray for the old skool software that still sucks.
Don't Ask Questions. I don't know the answers and even if I did I wouldn't tell you.
Apple bundles these managed client apps with it's server license.
It allows centralized preference and application management, workgroup shared folders, etc.
MCX is is totally sweet (a stripped down version can be found in in the Accounts prefpane of every Jaguar install (that has a non-admin user), but the industrial strength version is included with OS X Server.
Macintosh Manager is pretty good, but with Apple's focus *away* from classic OSes, it won't get any better. It'll just fade away.
Macintosh Manager (now also called Workgroup Manager which controls OS X machines) can lock down machines to where the users can only run what you allow them to run. It can also control preferences (like forcing the homepage for Internet Explorer). It is easy to bypass if you have a boot disk, but you could setup open firmware to not allow booting from an external device. This is more of a user issue, just put in your AUP that they cannot manipulate the boot process.
NetBoot puts your disk image on the network which all the machines then use to boot and run applications from. To set up a new machine in this scenerio, you pull it out of the box, plug it in, and hold down the N key as it's turned on.
You can also use Apple Software Restore in conjuctions with a NetBoot server. The machines normally boot off of their hard drive, but if you need to re-image, you hold down the N key and have a set of AppleScripts on the netbooted image that restores the machine and sets it to boot off of the hard drive. For OS X machines you need to contact your Apple SE to get a copy of ASR that works with OS X.
Believe me, Macintosh Manager is a life saver, once it is set up (and be sure your network can handle it) and it's free (with OS X Server)!
What, me worry?
Mac OS X Server allows you to boot Macs form the network - netboot - and have your students log on, get their home directory, personal environment and so on (Macintosh Manager).
Mac OS X "Jagwyre" Server 10.2 also offers something called "netinstall" that may be useful.
Other things that may be useful are FileWave (commercial) and radmind (free, as in beer AND speech).
I am trying to reformat 200 mac classics (System 6 through 7.5)which have Foolproof 1.0, and locked down SCSIs at 1.
What is the applescript for getting around foolproof?
thanks!
Hi, I have about 200 Mac Classics, Classic II and SEs that I am trying to reconfigure. Trouble is, that I got these from a school, and they have FoolProof 1.0 on them. (Systems range from 6.0 to 7.5). The admin knew what s/he was doing--the hard drive is set to 0 so you can't boot off of a SCSI. I do not want to crack 200 mac boxes (It is a huge job just to get a new system on all of these!). Is there an easy way to disable this? Does anyone have the apple script to do this? Thanks!
FoolProof's developers trapped the API at a point where it would interfere with MOST applications.
:). They used some wacko dialect of Basic called TrueBasic.
In fact, in the cases of applications where FP was defeatable, only certain parts of that application might bypass FoolProof.
Specifically, back in high school about 6 years ago, I took a BASIC course (easy A
Well, FP worked to block file access for TB's normal file open/close functions. (Specifically, the editor open/close)
But anything that you compiled would access files like FoolProof wasn't there.
3 lines of code replaced the FoolProof program with a 0-byte text file.
retrorocket.o not found, launch anyway?