Mac OS in a Lab

jmu1 wishes to get to the core of the following issue: "I run a medium sized lab of Mac OS 8.6/9.x machines. They all have (shudder) FoolProof as an attempt of keeping the systems usable. Unfortunatly, it is quite easy to bypass the software, or even to remove it using AppleScript, etc. What I want to know is, what is a usable solution for securing a lab of Macs?"

Netboot

[SandSpider]

Okay, let's try that again, this time with more information.

Netboot is some nice technology from Apple. It allows you to set up a default system on some server, then have the computers on your network boot from that server. When the computer reboots, it reloads the system from the image on the server, rather than from something on the hard disk. It is very difficult for a user to change the information on the server. It's not impossible, but we all know that undefeatable security doesn't exist.

But NetBoot was made for exactly this sort of situation, so it's definitely worth checking out.

=Brian

revrdist/Assimilator

[mbrubeck]

My school used Assimilator to manage its Mac labs. This is a commercial program by Peter N. Lewis of Anarchie fame. It works by synchronizing all lab computers to a disk image stored on a server. I like this because it leaves the computer fully functional -- users can download or run whatever they want while they're using the computer, and at the end of the day (or end of week, or whenever the admin feels like it), the disk is restored to a pristine image. It doesn't provide the same level of restrictions as FoolProof, but I consider that a good thing.

revrdist is a free (public domain) program with the same basic function. Its setup is a bit more involved and it doesn't have all of Assimilator's features, but it's a well-tested program that definitely works. Use it if you can handle the extra administration and prefer a free solution. The reverdist home page also has links to other Mac administration programs.

Re:revrdist/Assimilator

[jhealy1024]

Amen to revdist. I administered the mac labs at my college in the pre-osx days, and I used revrdist to do so (about 60 machines). We looked into netbooting, but there's a fair amount of net traffic for that, so the net guys said no. revrdist is also a lot of traffic, but only during disting. If you set the boxes to boot early in the morning, the dist happens when nobody's around and the network isn't clogged.

It is tricky to set up (uses a weird flag-based config file), but once you've got it tweaked right, administration is a breeze. Just burn a CD with a bootable system folder and revrdist on it and you can boot a hosed machine off the cd, copy the sys folder over, reboot, and the machine will fix itself.

We looked into using a "lockdown" program to prevent abuse of the machines, but decided that people who want to get around it will. revrdist helps lower the blood pressure by ensuring that fixing any software problem takes 5 minutes of your time, at most. You stop caring if people hose the machines because it takes much longer for them to wreck 'em than it does for you to fix 'em.

As a bonus, installing new apps on the machines is easy -- just update the server, set the macs to reboot every morning at 4am (energy saver control panel), and you're good to go!

Really can't do it.

[gerardrj]

Older Macs don't have the OpenFirmware ROMs, and so don't have the ability to lock out alternate boot devices, I recall they also can't boot to the network. You don't mention what type of protection level you are trying to achive, or the repricutions of a security failure, I can't really get a handle on that from the responses either. Is this just a lab on campus where you want to keep games and P2P apps off the systems, or is this a research lab where a breach could cause panic or lost money or saftey concernes?

Unless you remove or disable the floppy, CD-ROM drive, and external SCSI connector you have little chance of truely securing a Mac lab. There will always be some way for a malcontent to get control, rather easily in fact.

I recall some stuff like DiskVault, I think, that would alter the directory layout or something so that unless you booted to the drive that was protected, you couldn't use the protected volumes. Of course, installing the software on a bootable CDR would get you around this, as would booting to an external drive that the hacker controlled and had installed the software on.

Personally, I have never encountered a disk/system lockdown utility on older Macs that I couldn't bypass with an alternate boot disk and, at most, a few hours of tinkering. The most you could ask for is that wandering lab monitors might find people hacking the thing before it goes too far. Anectodally, at one place I worked they installed GraceLAN to keep track of app lauches, prevent software installs, force LAN-wide software installs, etc. I used ResEdit and a disk editor on a floppy to locate the admin password. I then installed the admin program on my own system and force installed the old "Energizer Bunny" init on all 120 systems in the office. Of course I renamed it to something like "Apple SoundManager Tuner". THAT was a blast!

If it's just simple protection to keep the honest people honest: use SimpleFinder or AtEase that each limit what users can do. For all its problems, AtEast is a nice little application/Finder replacement for labs. It allows you to create a tab for each type of application, or on a per-course basis.