Mac OS in a Lab

jmu1 wishes to get to the core of the following issue: "I run a medium sized lab of Mac OS 8.6/9.x machines. They all have (shudder) FoolProof as an attempt of keeping the systems usable. Unfortunatly, it is quite easy to bypass the software, or even to remove it using AppleScript, etc. What I want to know is, what is a usable solution for securing a lab of Macs?"

OS X

[voisine]

install OS X?

Re:OS X

[MyNameIsFred]

Look on VersionTracker for Carbon Copy Cloner, it great for copying MacOS X installations. Its simple and effective.

Re:OS X

[artfulbodger]

Carbon Copy Cloner is pretty good for getting OS X onto a machine initially, but would be a pain for regular maintenance. I actually use ASR for initial install (macosxlabs.org talks about it here).

I use radmind for regular maintenance of the machines in the the labs I run. It's a powerful unixy tool, a little tricky to get the hang of but it's well worth the effort.

Netboot

[SandSpider]

Okay, let's try that again, this time with more information.

Netboot is some nice technology from Apple. It allows you to set up a default system on some server, then have the computers on your network boot from that server. When the computer reboots, it reloads the system from the image on the server, rather than from something on the hard disk. It is very difficult for a user to change the information on the server. It's not impossible, but we all know that undefeatable security doesn't exist.

But NetBoot was made for exactly this sort of situation, so it's definitely worth checking out.

=Brian

revrdist/Assimilator

[mbrubeck]

My school used Assimilator to manage its Mac labs. This is a commercial program by Peter N. Lewis of Anarchie fame. It works by synchronizing all lab computers to a disk image stored on a server. I like this because it leaves the computer fully functional -- users can download or run whatever they want while they're using the computer, and at the end of the day (or end of week, or whenever the admin feels like it), the disk is restored to a pristine image. It doesn't provide the same level of restrictions as FoolProof, but I consider that a good thing.

revrdist is a free (public domain) program with the same basic function. Its setup is a bit more involved and it doesn't have all of Assimilator's features, but it's a well-tested program that definitely works. Use it if you can handle the extra administration and prefer a free solution. The reverdist home page also has links to other Mac administration programs.

Re:revrdist/Assimilator

[jhealy1024]

Amen to revdist. I administered the mac labs at my college in the pre-osx days, and I used revrdist to do so (about 60 machines). We looked into netbooting, but there's a fair amount of net traffic for that, so the net guys said no. revrdist is also a lot of traffic, but only during disting. If you set the boxes to boot early in the morning, the dist happens when nobody's around and the network isn't clogged.

It is tricky to set up (uses a weird flag-based config file), but once you've got it tweaked right, administration is a breeze. Just burn a CD with a bootable system folder and revrdist on it and you can boot a hosed machine off the cd, copy the sys folder over, reboot, and the machine will fix itself.

We looked into using a "lockdown" program to prevent abuse of the machines, but decided that people who want to get around it will. revrdist helps lower the blood pressure by ensuring that fixing any software problem takes 5 minutes of your time, at most. You stop caring if people hose the machines because it takes much longer for them to wreck 'em than it does for you to fix 'em.

As a bonus, installing new apps on the machines is easy -- just update the server, set the macs to reboot every morning at 4am (energy saver control panel), and you're good to go!

Re:NetBoot

[SandSpider]

The documentation should all be on Apple's Site.

Let's see...The OS X Server Admin Guide is a very long document that should tell you anything you need to know about setting up the server. All of the rest of the information is at Apple's OS X Server Site.

Net boot shouldn't need Jaguar Server. If you can get, or have, a copy of a later AppleShare server software, then you should be able to use the Macintosh Manager on that.

=Brian

you sure about that?

[Stenpas]

Easy to bypass foolproof? No offense sir, but if you can't set up foolproof correctly, then you should not be admining that lab.

For those who have never used it, it's a cheesy-looking program, but it's a great solution for computers that run MacOS 9 and below. You can set it so you can't get info, move files, and there is a list of allowed/disallowed programs. Bypassing by holding down shift at startup won't work, etc.

There's a whole lot of other stuff it can do. All in all, when set up correctly, there is one way to bypass it, and one way to mess up a system, which I will not go into detail about. Our setup apparently works well, because I haven't seen any students bypass it.

Seriously, anyone who's used it knows that you just click on a bunch of check boxes and maybe disallow a few programs. Changing the default password is a good idea also. This is not a difficult thing to do.

Sten

Re:MacPrefect

[coolgeek]

MacAdministrator is the network-aware product from the same company as MacPrefect, Hi Resolution Systems.

My buddy and I run a network composed in part of around 100-110 Macs in a High School environment. We've had fairly good success with MacAdministrator, although using "Target Disk Mode" is a way to defeat it with a firewire cable and a handy student-supplied notebook. I assume the same applies to MacPrefect. Nonetheless, it keeps the kids from making stupid mistakes that would otherwise cost big support time.

It also has some neato features that log you in automagically to servers and puts an alias to a home folder on the user's desktop. You can also deploy software remotely, although we prefer Retrospect for workstation production. We use remote deployment when appropriate.

The guys at Hi Resolution are top-notch, IMO, and always provide sensible answers. The documentation leaves a lot to be desired because while every module is extensively and exhaustively documented, there are no solution-oriented/howto guides. Their tech support fills that gap pretty well.

Really can't do it.

[gerardrj]

Older Macs don't have the OpenFirmware ROMs, and so don't have the ability to lock out alternate boot devices, I recall they also can't boot to the network. You don't mention what type of protection level you are trying to achive, or the repricutions of a security failure, I can't really get a handle on that from the responses either. Is this just a lab on campus where you want to keep games and P2P apps off the systems, or is this a research lab where a breach could cause panic or lost money or saftey concernes?

Unless you remove or disable the floppy, CD-ROM drive, and external SCSI connector you have little chance of truely securing a Mac lab. There will always be some way for a malcontent to get control, rather easily in fact.

I recall some stuff like DiskVault, I think, that would alter the directory layout or something so that unless you booted to the drive that was protected, you couldn't use the protected volumes. Of course, installing the software on a bootable CDR would get you around this, as would booting to an external drive that the hacker controlled and had installed the software on.

Personally, I have never encountered a disk/system lockdown utility on older Macs that I couldn't bypass with an alternate boot disk and, at most, a few hours of tinkering. The most you could ask for is that wandering lab monitors might find people hacking the thing before it goes too far. Anectodally, at one place I worked they installed GraceLAN to keep track of app lauches, prevent software installs, force LAN-wide software installs, etc. I used ResEdit and a disk editor on a floppy to locate the admin password. I then installed the admin program on my own system and force installed the old "Energizer Bunny" init on all 120 systems in the office. Of course I renamed it to something like "Apple SoundManager Tuner". THAT was a blast!

If it's just simple protection to keep the honest people honest: use SimpleFinder or AtEase that each limit what users can do. For all its problems, AtEast is a nice little application/Finder replacement for labs. It allows you to create a tab for each type of application, or on a per-course basis.

Not OnGuard

[OrangeHairMan]

OnGuard, a program by the guys at PowerOn Software, has many security holes in it, so I can't reccomend it. It is easy to get by (like accessing someones files on a server is just as easy as going into Netscape and going file:///Server/), and only protects from normal file and OS stuff, like launching, deleting, moving, etc. Anything that bypasses the OS, like Internet Explorer, AppleWorks 6, and others can get by easily. (Ex: AppleWorks 6's normal open dialog shows everybody's folders (While ClarisWorks 5 does not), and Internet Explorer allows anybody to launch any apps that are on any of the hds.)

You can try it, download the demo, but try and get past it and you you'll see how easy it is. Or not. At my school, the security is a joke. So test it, if you like it, use it, but I reccomend against it.

More info here: http://poweronsoftware.com/products/onGuard/.

Orange

Re:Ah the Memories

[MalleusEBHC]

It drived my teacher insane.

If that was your English teacher, I doubt that's the only thing that drove her crazy.

Yuppy pants

[Graymalkin]

There's tons of different solutions that have been outlined here, it seems from your comments you dismiss them because they "encumber" your students and make them feel bad and icky. It is not their network nor are the computers theirs, they don't have rights to them. Lab computers belong to whoever owns them and not whatever student sits down in front of them. If you're worried about them feeling encumbered by your security you're not doing your job properly.

You make the systems secure so no one can easily screw them up preventing other students from using them. There's a lot of jackasses that love to break systems or "customize" them preventing anyone else from getting any use out of them at all. There's also the people who feel that because a school has a particular amount of bandwidth, they ought to be able to monopolize it to download ripped DVDs and MP3s. You secure your systems and your network so everyone can use it because it is a shared resource. You aren't supposed to leave systems wide open for them to be abused.

Let people do what they need to do with as little hassle as possible. Don't allow people to abuse your systems though. I've managed a Mac lab before and the previous admin decided not to lock down any of the systems. The computers crashed constantly and hardly anyone could get on the web. I spent weeks getting Carracho servers, SETI@Home clients, and copies of Starcraft off all the systems. After the systems were locked down we didn't have any problems. If people want to play Starcraft or run a Carracho server (which was probably used to ship off copies of software we had) they can do it at home. They don't need to use your lab for it unless you specifically allow them to.