Slashdot Mirror

← Back to Stories (view on slashdot.org)

Setting Up Mac OS X for a Teenage Coffeehouse?

Posted by simoniker on from the not-teenage-cathouse dept.

WCityMike writes "I plan to donate a grape iMac to a local church-run non-profit coffeehouse for teenagers, and would like to give it to them appropriately set up for the atmosphere it'll be in. I'm seeking advice on a number of fronts - what freeware or shareware applications would be good for such an environment? Should visitors be allowed to have their own accounts (presumably created by the administrator), or should I just set up one 'student' account and one 'administrator' account? If the latter, is there a way to prevent students from saving things on the hard drive (thus forcing them to use a diskette and/or the CD drive?), and/or a 'Simple Finder' interface extant for OS X? Is there existing software that makes this easier or more configurable, or is it all inside the OS? I'm fairly familiar with Mac OS X, but have never needed to run anything outside a single-user environment."

17 of 348 comments (clear)

  1. A great act of kindness! by erick99 · · Score: 5, Informative
    First, I think it's wonderful that you are donating the computer as well as your time. Good for you!

    I would set up an admin account and several "template" accounts based on different types of usage such as "internet only," "power user," etc. You get the idea.

    I would then train someone within the organization on how to setup, modify, and maintain the accounts (unless that is going to be you.).

    Once again, your generosity of money and time is commendable.

    Happy Trails!

    Erick

    --
    http://www.busyweather.com/
    1. Re:A great act of kindness! by violajack · · Score: 5, Informative

      Multiple accounts is definintely an easy way to go. You only need one "admin" account with the ability to install stuff. Give that password only to the person in charge of the machine.

      In the Users pane of System Prefs you can create a student account and then click on capabilities and pretty much block them out of everything.

      In our OSX lab, we don't let them burn cds or open most of the utilites (including system prefs). They can't run most of the programs that came with OSX, like iMovie or the Address book. We just set up a new cafe image with only a browser and the most popular chat clients in the dock, and then turned off that user's ability to change the dock. The "Cafe" user only has the capability to run those programs. Simple Finder is also a good idea.

      Once, we accidentally left some of the system prefs access on and the machine had a new desktop background within hours. People, especially teenagers will want to push the rules just as far as they can, you have to lock them out of as much as possible.

    2. Re:A great act of kindness! by hoist2k · · Score: 4, Informative

      I set up a similar lab about 6 months ago. Went with eMacs, which have been stellar - almost zero problems. I was amazed at how well they stand up to abuse from kids, who can manage to obliterate a wintel box in a matter of minutes. I set up 2 accounts - an admin and a regular user. I actually had 4 machines networked together with the same accounts on all of them. The user accounts were somewhat restricted, just using the built-in user settings. As for shared disk space, the kids can save in their home directory if they want, but learn very quickly that it's not a good idea. Teach them how to use online storage (yahoo briefcase, xdrive, whatever) and burn CDs and they'll never go back to using the hard-drive again. It's not much different than college computer labs - sure you can save stuff on the drives, but the chances of it being there when you get back are quite slim. Also, encourage them to bring in their CDs and rip them to the harddrive - it's fun to see HUGE iTunes libraries (although it makes you feel really old). It also gets kids excited about "doing" things other than playing games & chatting.

      --
      Turns out that cute girl's A|X t-shirt didn't mean AIX. Who would've thought?!
    3. Re:A great act of kindness! by lullabud · · Score: 4, Informative
      That's key--I would make it a condition of the donation, unless you want to spend a lot more time re-jiggering that computer later. I can guarantee that even if they know what they want to do with it now, they'll come up with something different/additional within a month.
      Very true, there's a good chance that whatever the case is they'll call you back one of these days to fix/update/change it. I'd make sure to create a disk image of the hard drive after you've set it all up. That way when they call you back you can just boot into target-disk mode and restore the original image, make any tweaks from there, then re-image. I do this same thing in Windows using Norton Ghost and it's a HUGE time saver. Luckily OS X has this functionality all built in with the Disk Utility.
  2. Mac OS X Hints by El+Neepo · · Score: 5, Informative

    http://www.macosxhints.com/ is a great place to start looking for the misc answers you may need.

    1. Re:Mac OS X Hints by EvilAlien · · Score: 4, Informative

      In addition to the MacOS X specific sites, this might be useful: Open Kiosk.

      --
      perl -e 'print $i=pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'
  3. Mac OS X does support limits. by gotr00t · · Score: 4, Informative
    Even though Mac OS X does not give the administrator as much control as other *NIX like systems (admin is not root, for example), it is possible to use the "system preferences" to limit the access of other users.

    You can prevent them from rearranging the desktop, writing to any folder except their own in the /Users/ directory, and taking off/putting stuff onto the dock. At a lab that I administered for a while, I just put a student and admin account on each computer, and it worked well. The users were able to use applications like InDesign and Photoshop perfectly, and they kept their files on USB flash drives.

  4. Take a look at by hackstraw · · Score: 5, Informative

    This pdf link. It tells you how to restore a dummy user's home directory after each login (Its for OSX, not sure if the grape can handle that or not).

    Aside from some software tweaking and installation, this should really help your setup.

  5. macosxlabs.org by daveschroeder · · Score: 5, Informative

    You're essentially looking to do the same thing many, many others have already done, and are doing every day, with Mac OS X in public lab-type environments. Do yourself a favor and visit

    http://macosxlabs.org/

    ...particularly the documentation section.

  6. Re:Flavor? by LordBanshee · · Score: 5, Informative

    It's common in the Mac community to give the "Flavor" instead of the full configuration. My guess is he wanted to give an estimation of the configuration involved, and that is good for me. for a Mac user "grape"= "iMac CRT 266 or 333, 6Mb VRAM, 6Gb HD, USB1, no Firewire", so yes I think "grape" is relevant information. On a grape iMac, you could run panther, and there is a "Simple Finder" equivalent on 10.3

  7. Mac OS X Labs by Anonymous Coward · · Score: 4, Informative

    Look at Mac OS X Labs. They have a lot of experience in setting up machines in school labs (read: hostile environments).

    If anyone would have info on locking down a system they would.

  8. A few questions and comments by dgallina · · Score: 4, Informative

    You didn't really specify what the machine would be used for. I'm assuming, given the environment, that it will be used mostly for Internet surfing & email. Unless you or another admin is going to be available to maintain user accounts, I *would* use a generic account for the users and a well-protected admin account. The Panther (10.3) finder *does* have a Simple Finder option. You can turn it on in the Accounts preferences pane after you create the user account. It gives you (some) options for limiting what the users are & aren't allowed to change as regards the desktop interface. If you need more granular control of applications or rights, you can add/remove apps from the machine and you can change the access rights via the underying UNIX group and permissions system. That level of detail might be more than you need or that you can administer, however, if you're not somewhat familiar with the UNIX underpinnings. In terms of recommended software: you definately want to supplement or replace IE with Safari and/or some of the Mozilla-derived browsers (Camino, Mozilla, Firefox). The various security glitches and pop-ups inherent in IE could make it a risk. You may want to consider adding some remote control software in case you have to remotely assist somebody or fix the machine remotely. Timbuktu and Apple Remote Desktop are popular commercial options. You might find something like VNC preferable for this environment, however, as it's free and relatively lightweight. All of these remote control options assume a broadband connection. You may also consider enabling remote SSH access if you need a lighter (terminal-only) remote admin mechanism. You *definately* want to turn the OSX built-in firewall on assuming that this machine will be directly connected to the Internet. The basic options are easy to setup via the sharing and related preference panes. You might also consider an anti-virus application such as Virex or Symantec NAV. I don't consider these critical for my personal use since there is so little OSX virus activity, but it's probably better to be prudent on a shared machine. Since this scenario uses a shared guest account on the machine, you'll probably want to avoid letting users use local mail applications such as Mail.App . Suggest that a web-mail interface might be simpler and require less maintenance on your part. Good luck

  9. OSX Kiosk Program by w00k13 · · Score: 5, Informative

    I have never used it. But here is an application to make it into a kiosk. Good Luck.

    http://www.ncsu.edu/mac/software/webXkiosk.html

    -Adam

  10. Same Deal at our Library by Vertig0gitreV · · Score: 5, Informative

    I have basically done the same thing with 4 iMacs (233Mhz 320mb RAM)I donated to my local public library. They are used as internet/office/iTunes/AIM stations in a young adults room (grades 4-9). They are currently running 10.3.4 with shadow killer (a MUST for older machines running 10.x. Found at http://www.haxies.com ).

    I set mine up with an Admin account (named staff) and a simple finder account (named student). Just go into the UserAccount section of system preferences, set the account you want limited to "simple finder" and limit what else you don't want them to have access to. It is also handy to give them a little bit of space to use for autosave in office and such (or scratch disks in Photoshop).

    I have attempted to do similar limitations for the Windows XP computers in the adult section of the library (Using XP Security Console plug-in by Doug Knox), but have had nowhere near the success as I have had with the Macs. They have been running for a year now with ZERO down time.

    Good Luck!!

  11. One Word: DriveShield by _Bunny · · Score: 5, Informative

    Take a tip from an administrator in a public school system:

    Pick up a copy a copy of DriveShield for the Mac, and allow the students to do whatever they wish to it.

    DriveShield is a driver that sits between the hard drive and the OS. Any writes made to the hard drive are redirected into a sratch area of the hard drive, and thus don't stick around for the next reboot. The machine will be back in the state it was in when it was locked on every reboot.

    I've tested it by even booting off a System CD and reformatting the drive... on the next reboot it comes right back to how you expect!

    The philosophy used to be to lock the machine down as tight as possible to prevent the users from making any changes to it. (Restricted Finder, Windows Policies, etc.) Products like DriveShield (DeepFreeze is another one) work differently -- they don't lock down the machine to the user at all, they just prevent any changes from sticking across a reboot.

    Protect the machine with DriveShield (or something similar), and have all the kids log in as the admin. Quick and easy to do, and the kids don't have to be restricted to a limited set of options on the computer!

    We've been using this technique in several of our schools now (only in the open labs, mind you -- not the staff computers!), and the only support calls we now recieve in those labs is for hardware problems, not software.

    - Bunny

  12. No prob. by cbiffle · · Score: 5, Informative

    Disclaimer: I didn't use OSX before Panther, so this may not apply to the version you have.

    Simple Finder is an incredible pain in the ass and confuses the hell out of Windows users. My girlfriend is largely computer-illiterate (she's memorized the motions and screen locations needed to operate Office, but not much else). I set up a limited account on my iBook because she couldn't seen to get to the web browser without dragging my Terminal icon off the dock. But that's a diatribe for another time.

    I set up Simple Finder. No good. I can't blame her -- I couldn't really figure out how to get much actual work done with it.

    In the end, I've been using a straight Limited Account for my Guest acct on the laptop, with much success. MacOS X already does a good job of keeping users out of one anothers' stuff, by properly setting homedir modes and whatnot. I've been working for a couple of weeks to bypass the Limited Account limitations, without luck. If you declare that the user cannot run a particular application, I haven't figured out a way around it that doesn't require admin.

    However, unlike my experience with Windows, a limited account on OS X is still quite usable. Programs don't automatically expect to have root, and aren't able to sneak off and get it without asking (*cough*WinIE*cough*). If the need arises, the Auth Services password-dialog provides a way for an employee to work magic if necessary.

    My recommendations, therefore:
    1. Set up a 'Managed' account for the coffee people. Don't do per-user accounts unless you want to set up an LDAP server to handle it; cloning account settings on a single-user MacOS X system is a bitch. Retain an admin account for the employees.
    2. Whitelist, not blacklist, the apps the user can run. Give them access to Safari and whatever else. Don't let them dork with the dock, etc. Specifically allowing access to a handful of apps will prevent them from firing up a new one from a USB key. Because they'll try. Oh, they'll try.
    3. Unfortunately, I'd recommend against giving them iChat. iChat, unlike Windows AIM and GAIM, doesn't give you an easy way to switch accounts -- which is a must-have on a public terminal.
    4. Lock down the keychain. Set Safari to not save passwords. Locking the keychain (with some known but non-obvious password) will prevent users from saving new items into it. This is a good thing.
    5. Giving access to iTunes puts you in an interesting legal gray area. Like iChat, it provides no easy way to change accounts (in terms of iTMS). It also enables users to rip CDs. This may not be a good idea.
    6. Unfortunately, OS X does not provide disk quotas, as far as I can tell (please, if someone knows different, clue me in!). The support is there in the filesystem, but there doesn't appear to be a UI. Keep this in mind.
    7. As admin, periodically use Repair Permissions in Disk Utility to check for anything that's become accessible to the peons. More importantly, do this after you're done with the initial software install -- you'd be amazed at how much commercial software starts out world-writeable. (Bad Adobe.)

    Good luck!

  13. Apple does it... by wfolta · · Score: 4, Informative

    Stop by an Apple store if you can. They give more free reign on their computers than you would, since people need to try them out.

    I've noticed that every night at closing time, a cron job or something fires off and all the machines put up a screen saying something like "Updating from image" and are evidently reloading themselves from a saved image to overcome the day's fiddling and messing up by customers.