Slashdot Mirror


Mac OS in a Lab

jmu1 wishes to get to the core of the following issue: "I run a medium-sized lab of Mac OS 8.6/9.x machines. They all have (shudder) FoolProof as an attempt at keeping the systems usable. Unfortunately, it is quite easy to bypass the software, or even to remove it using AppleScript, etc. What I want to know is, what is a usable solution for securing a lab of Macs?"

16 of 97 comments

  1. OS X by voisine · · Score: 3, Informative

    install OS X?

    1. Re:OS X by MyNameIsFred · · Score: 3, Informative

      Look on VersionTracker for Carbon Copy Cloner, it's great for copying MacOS X installations. It's simple and effective.

    2. Re:OS X by artfulbodger · · Score: 3, Informative

      Carbon Copy Cloner is pretty good for getting OS X onto a machine initially, but would be a pain for regular maintenance. I actually use ASR for initial install (macosxlabs.org talks about it here).

      I use radmind for regular maintenance of the machines in the labs I run. It's a powerful unixy tool, a little tricky to get the hang of but it's well worth the effort.

  2. Let Them Go Crazy by potuncle · · Score: 2, Informative

    For each different configuration, make a copy of the Applications and System Folder (you could burn them onto a CD).

    Let the kids do whatever they want. When a system becomes unusable delete the existing Applications and/or System Folder and copy a fresh one from your backup copy.

    You can just copy the folders or use Disk Copy or Stuffit to create single files out of the folders. I have known users that have had great success using Disk Copy and System Restore to restore custom configurations.

    This is one of the many reasons I love Macs. I can restore an OS 9.2 or newer computer to a default configuration as fast as I can copy files off a CD or over the network.

  3. Netboot by SandSpider · · Score: 5, Informative
    Okay, let's try that again, this time with more information.


    Netboot is some nice technology from Apple. It allows you to set up a default system on some server, then have the computers on your network boot from that server. When the computer reboots, it reloads the system from the image on the server, rather than from something on the hard disk. It is very difficult for a user to change the information on the server. It's not impossible, but we all know that undefeatable security doesn't exist.


    But NetBoot was made for exactly this sort of situation, so it's definitely worth checking out.


    =Brian

    --
    There is nothing so good that someone, somewhere, will not hate it.
  4. revrdist/Assimilator by mbrubeck · · Score: 5, Informative
    My school used Assimilator to manage its Mac labs. This is a commercial program by Peter N. Lewis of Anarchie fame. It works by synchronizing all lab computers to a disk image stored on a server. I like this because it leaves the computer fully functional -- users can download or run whatever they want while they're using the computer, and at the end of the day (or end of week, or whenever the admin feels like it), the disk is restored to a pristine image. It doesn't provide the same level of restrictions as FoolProof, but I consider that a good thing.

    revrdist is a free (public domain) program with the same basic function. Its setup is a bit more involved and it doesn't have all of Assimilator's features, but it's a well-tested program that definitely works. Use it if you can handle the extra administration and prefer a free solution. The revrdist home page also has links to other Mac administration programs.

    1. Re:revrdist/Assimilator by jhealy1024 · · Score: 4, Informative

      Amen to revrdist. I administered the mac labs at my college in the pre-osx days, and I used revrdist to do so (about 60 machines). We looked into netbooting, but there's a fair amount of net traffic for that, so the net guys said no. revrdist is also a lot of traffic, but only during disting. If you set the boxes to boot early in the morning, the dist happens when nobody's around and the network isn't clogged.

      It is tricky to set up (uses a weird flag-based config file), but once you've got it tweaked right, administration is a breeze. Just burn a CD with a bootable system folder and revrdist on it and you can boot a hosed machine off the cd, copy the sys folder over, reboot, and the machine will fix itself.

      We looked into using a "lockdown" program to prevent abuse of the machines, but decided that people who want to get around it will. revrdist helps lower the blood pressure by ensuring that fixing any software problem takes 5 minutes of your time, at most. You stop caring if people hose the machines because it takes much longer for them to wreck 'em than it does for you to fix 'em.

      As a bonus, installing new apps on the machines is easy -- just update the server, set the macs to reboot every morning at 4am (energy saver control panel), and you're good to go!

  5. Re:NetBoot by SandSpider · · Score: 3, Informative
    The documentation should all be on Apple's Site.


    Let's see...The OS X Server Admin Guide is a very long document that should tell you anything you need to know about setting up the server. All of the rest of the information is at Apple's OS X Server Site.


    Net boot shouldn't need Jaguar Server. If you can get, or have, a copy of a later AppleShare server software, then you should be able to use the Macintosh Manager on that.


    =Brian

    --
    There is nothing so good that someone, somewhere, will not hate it.
  6. High School students by mclaren_1010 · · Score: 1, Informative

    I used to be the admin in my high school mac lab. Since I was the only one familiar with macs I got the job. I decided to stay with FoolProof because it was simple, we had good support if anything went wrong, and nothing did for 2 years. Another reason why we kept FP was because I knew that the students in the class don't know enough to hurt the system. As for external problems I set up a rather decent firewall on a linux box. What are you worried about that you think FP can't handle?

  7. you sure about that? by Stenpas · · Score: 3, Informative
    Easy to bypass foolproof? No offense sir, but if you can't set up foolproof correctly, then you should not be admining that lab.

    For those who have never used it, it's a cheesy-looking program, but it's a great solution for computers that run MacOS 9 and below. You can set it so you can't get info, move files, and there is a list of allowed/disallowed programs. Bypassing by holding down shift at startup won't work, etc.

    There's a whole lot of other stuff it can do. All in all, when set up correctly, there is one way to bypass it, and one way to mess up a system, which I will not go into detail about. Our setup apparently works well, because I haven't seen any students bypass it.

    Seriously, anyone who's used it knows that you just click on a bunch of check boxes and maybe disallow a few programs. Changing the default password is a good idea also. This is not a difficult thing to do.

    Sten

  8. Re:MacPrefect by coolgeek · · Score: 3, Informative

    MacAdministrator is the network-aware product from the same company as MacPrefect, Hi Resolution Systems.

    My buddy and I run a network composed in part of around 100-110 Macs in a High School environment. We've had fairly good success with MacAdministrator, although using "Target Disk Mode" is a way to defeat it with a firewire cable and a handy student-supplied notebook. I assume the same applies to MacPrefect. Nonetheless, it keeps the kids from making stupid mistakes that would otherwise cost big support time.

    It also has some neato features that log you in automagically to servers and puts an alias to a home folder on the user's desktop. You can also deploy software remotely, although we prefer Retrospect for workstation production. We use remote deployment when appropriate.

    The guys at Hi Resolution are top-notch, IMO, and always provide sensible answers. The documentation leaves a lot to be desired because while every module is extensively and exhaustively documented, there are no solution-oriented/howto guides. Their tech support fills that gap pretty well.

    --

    cat /dev/null >sig
  9. Really can't do it. by gerardrj · · Score: 4, Informative

    Older Macs don't have the OpenFirmware ROMs, and so don't have the ability to lock out alternate boot devices; I recall they also can't boot to the network. You don't mention what type of protection level you are trying to achieve, or the repercussions of a security failure; I can't really get a handle on that from the responses either. Is this just a lab on campus where you want to keep games and P2P apps off the systems, or is this a research lab where a breach could cause panic or lost money or safety concerns?

    Unless you remove or disable the floppy, CD-ROM drive, and external SCSI connector you have little chance of truly securing a Mac lab. There will always be some way for a malcontent to get control, rather easily in fact.

    I recall some stuff like DiskVault, I think, that would alter the directory layout or something so that unless you booted to the drive that was protected, you couldn't use the protected volumes. Of course, installing the software on a bootable CDR would get you around this, as would booting to an external drive that the hacker controlled and had installed the software on.

    Personally, I have never encountered a disk/system lockdown utility on older Macs that I couldn't bypass with an alternate boot disk and, at most, a few hours of tinkering. The most you could ask for is that wandering lab monitors might find people hacking the thing before it goes too far. Anecdotally, at one place I worked they installed GraceLAN to keep track of app launches, prevent software installs, force LAN-wide software installs, etc. I used ResEdit and a disk editor on a floppy to locate the admin password. I then installed the admin program on my own system and force installed the old "Energizer Bunny" init on all 120 systems in the office. Of course I renamed it to something like "Apple SoundManager Tuner". THAT was a blast!

    If it's just simple protection to keep the honest people honest: use SimpleFinder or AtEase that each limit what users can do. For all its problems, AtEase is a nice little application/Finder replacement for labs. It allows you to create a tab for each type of application, or on a per-course basis.

    --
    Article X: The powers not delegated... by the Constitution...are reserved...to the people
  10. MacManager by akgunkel · · Score: 2, Informative

    A year ago I was the admin for an edu network with ~200 macs. I used MacManager on them. I never had any problems with any of the brighter students breaking it. None of my macs were ever screwed up from tampering. I did have problems with earlier versions of AtEase though...

    Assimilator sucked hard in its early days (circa 1998.) It was pretty easy to bypass. I'm not sure how it is now.

    YMMV

    Now I work on a corporate network with Win2k. PCs may be "real computers" in the eyes of most geeks, but being the admin for a Mac network is a hell of a lot more fun.

  11. Re:OnGuard by DiscoOnTheSide · · Score: 2, Informative

    I work for the computing department of Rutgers University. We secure our macs with assimilator, and we don't have many "misuse" issues. This is with G4 450Mhz towers and 700Mhz eMacs but I hear the system has been used for a while so I imagine your results would be similar.

    --
    Viva La Revolucion! Buy a Mac!
  12. Not OnGuard by OrangeHairMan · · Score: 3, Informative

    OnGuard, a program by the guys at PowerOn Software, has many security holes in it, so I can't recommend it. It is easy to get by (like accessing someone's files on a server is just as easy as going into Netscape and going file:///Server/), and only protects from normal file and OS stuff, like launching, deleting, moving, etc. Anything that bypasses the OS, like Internet Explorer, AppleWorks 6, and others can get by easily. (Ex: AppleWorks 6's normal open dialog shows everybody's folders (While ClarisWorks 5 does not), and Internet Explorer allows anybody to launch any apps that are on any of the hds.)

    You can try it, download the demo, but try and get past it and you'll see how easy it is. Or not. At my school, the security is a joke. So test it, if you like it, use it, but I recommend against it.

    More info here: http://poweronsoftware.com/products/onGuard/.

    Orange

  13. Re:NetBoot - useful info by Anonymous Coward · · Score: 1, Informative

    I found this link to be far better than any of the casual pdfs documentation Apple offers for netbooting w/o shelling out at least $500 for 10.2 Server.

    Also there is a link to how to implement it under linux (read free, as in ninja-bonghits when I'm packing) which 100% works with OS9 clients if you read the explanation of how things work and try to implement it on your own.