Slashdot Mirror
Setting Up Mac OS X for a Teenage Coffeehouse?
WCityMike writes "I plan to donate a grape iMac to a local church-run non-profit coffeehouse for teenagers, and would like to give it to them appropriately set up for the atmosphere it'll be in. I'm seeking advice on a number of fronts - what freeware or shareware applications would be good for such an environment? Should visitors be allowed to have their own accounts (presumably created by the administrator), or should I just set up one 'student' account and one 'administrator' account? If the latter, is there a way to prevent students from saving things on the hard drive (thus forcing them to use a diskette and/or the CD drive?), and/or a 'Simple Finder' interface extant for OS X? Is there existing software that makes this easier or more configurable, or is it all inside the OS? I'm fairly familiar with Mac OS X, but have never needed to run anything outside a single-user environment."
I would set up an admin account and several "template" accounts based on different types of usage such as "internet only," "power user," etc. You get the idea.
I would then train someone within the organization on how to setup, modify, and maintain the accounts (unless that is going to be you.).
Once again, your generosity of money and time is commendable.
Happy Trails!
Erick
http://www.busyweather.com/
http://www.macosxhints.com/ is a great place to start looking for the misc answers you may need.
Image it first, because no matter what you do, someone will somehow find a way to trash it or release a virus or the hard drive will crash or lightning will strike it or....
Agile Artisans
You can prevent them from rearranging the desktop, writing to any folder except their own in the /Users/ directory, and taking off/putting stuff onto the dock. At a lab that I administered for a while, I just put a student and admin account on each computer, and it worked well. The users were able to use applications like InDesign and Photoshop perfectly, and they kept their files on USB flash drives.
This pdf link. It tells you how to restore a dummy user's home directory after each login (Its for OSX, not sure if the grape can handle that or not).
Aside from some software tweaking and installation, this should really help your setup.
In the Accounts preference in Panther, you can turn on a sort-of Simple Finder, as well as limit access to specific applications for users. You should play around with those options to get an idea of what you can do.
You're essentially looking to do the same thing many, many others have already done, and are doing every day, with Mac OS X in public lab-type environments. Do yourself a favor and visit
...particularly the documentation section.
http://macosxlabs.org/
You heart is in the right place for wanting to donate your old machine, but the grape iMacs are significantly less secure than the tangerine ones. Be careful!
if they're anything like the teenagers I grew up with, trust them with nothing and they'll be needing lots of porn.
Yes, there is a simple finder feature. It's available through the 'Accounts' preference pane.
-Ian
Don't tell the church that your Mac OS X box will be full of daemons. They will get exorcized over it!
Strange women lying in ponds distributing swords is no basis for a system of government.
No matter what platform you are using, I'd suggest that you create just one account for the end-users. As always, keep it simple.
-- Reality checks don't bounce.
Also, group policy is a great way to lock down a system. You can make a machine very fool proof in terms of not screwing things up. For instance, you could have a profile, and every time you log off the system discards it and uses the default one again.
It's common in the Mac community to give the "Flavor" instead of the full configuration. My guess is he wanted to give an estimation of the configuration involved, and that is good for me. for a Mac user "grape"= "iMac CRT 266 or 333, 6Mb VRAM, 6Gb HD, USB1, no Firewire", so yes I think "grape" is relevant information. On a grape iMac, you could run panther, and there is a "Simple Finder" equivalent on 10.3
The poster has an iMac. S/he wants to give it away. Why be mean and quibble about OSes? Windows, Mac, Linux, have their different merits in different environments but if it's free (as in beer) then no-one need gripe.
"Yes, I would like to order one cup of Cynicism and a mug of Disdain for the girl at the iMac."
Look at Mac OS X Labs. They have a lot of experience in setting up machines in school labs (read: hostile environments).
If anyone would have info on locking down a system they would.
Forgive me if I'm wrong, but I read the post as that he was donating an old Grap iMac to the school, and not buying a new machine. Are iMacs even available in "flavors" anymore?
In any case, using a Mac isn't rocket science. The "dock" is pretty self explanitory, and for complete newbies you can put shortcuts on the desktop to launch applications. For example, put a Safari shortcut on the desktop and label it "Internet," or a shortcut to iPhoto and call it "Picture Tools."
Maintaining a Mac isn't that bad. You can install updates in a similar manner as Windows (though they aren't as frequent). Likewise with antivirus software.
With windows (XP for example), some software won't run right (or at all) unless you have Power User or Administrative status (in which case, you're system is wide open to getting screwed). With a Mac, you can lock down write-access to everything but certain directories and the software should still run.
I'm torn. I'm only a recent convert, but not a zealot. I'd say, if he's jsut giving away his old iMac (or one he got for practically nothing), then power to him (or her). Mac OS X "just works."
But if the chruch is already used to PC's and has never used a Mac before, it'll just be a little harder to get used to.
Church's are used to getting donations, and are probably used to getting stuff they normally don't use. I'm sure most have learned to adapt, and an IT guy should be able to get the hang of OS X (even admin stuff) in a short time.
Many finder preferences can be locked down by creating a root account, logging into it via the GUI, opening up the /Users/normaluser/Library/Preferences and highlighting the .plist file you want to lock. Then do a command+i (apple+i), check the "Locked" button. Logout. That way, a normal user can change the interface all they want while they are working, but once they logout, and someone else logs back in, everything is restored to the way you set it up. Of course you need to setup the normal user account FIRST.
You didn't really specify what the machine would be used for. I'm assuming, given the environment, that it will be used mostly for Internet surfing & email. Unless you or another admin is going to be available to maintain user accounts, I *would* use a generic account for the users and a well-protected admin account. The Panther (10.3) finder *does* have a Simple Finder option. You can turn it on in the Accounts preferences pane after you create the user account. It gives you (some) options for limiting what the users are & aren't allowed to change as regards the desktop interface. If you need more granular control of applications or rights, you can add/remove apps from the machine and you can change the access rights via the underying UNIX group and permissions system. That level of detail might be more than you need or that you can administer, however, if you're not somewhat familiar with the UNIX underpinnings. In terms of recommended software: you definately want to supplement or replace IE with Safari and/or some of the Mozilla-derived browsers (Camino, Mozilla, Firefox). The various security glitches and pop-ups inherent in IE could make it a risk. You may want to consider adding some remote control software in case you have to remotely assist somebody or fix the machine remotely. Timbuktu and Apple Remote Desktop are popular commercial options. You might find something like VNC preferable for this environment, however, as it's free and relatively lightweight. All of these remote control options assume a broadband connection. You may also consider enabling remote SSH access if you need a lighter (terminal-only) remote admin mechanism. You *definately* want to turn the OSX built-in firewall on assuming that this machine will be directly connected to the Internet. The basic options are easy to setup via the sharing and related preference panes. You might also consider an anti-virus application such as Virex or Symantec NAV. I don't consider these critical for my personal use since there is so little OSX virus activity, but it's probably better to be prudent on a shared machine. Since this scenario uses a shared guest account on the machine, you'll probably want to avoid letting users use local mail applications such as Mail.App . Suggest that a web-mail interface might be simpler and require less maintenance on your part. Good luck
You're clearly out of your mind. Windows? Teens? "Safe from Viruses".
... no amount of Update Zone Alarm, New Updates or Anti Virus checking is going to prevent those teenagers from screwing the system.
...
Bwwwwaaaaahahahahahhahahahahahah!
Okay, sorry. OSX is a much, much, much safer environment for teens to be thrown loose into, than Windows.
I'm not even going to bother with the whole "Virus" thing
Out of the box, you can set up an OSX account that deletes itself at the end of each session and renews the home dir every time, through the OS, safely. Check macosxhints.com for details on how to do this
OSX is -designed- for people like this, in scenario's like this.
; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
I know it wont work for you, sicne your donating an iMac (i dont believe Knoppix is available for PPC's), but I recently setup a school computer lab and found the best solution to keep the computers working is just leave a knoppix cd in the drive and use knoppix live cd as the OS.
They can listen to their music, compose documents (OO), browse the web with flash, install plugins for firefox (granted its linux so they cant install much), etc. Plus, some of the older kids even like to mess around in linux to learn it a bit. They can do anything that they need to, and the best part: no matter what, when they reboot the computer is back to normal.
I've seen similar windows software (fortess, deep freeze), but they all resulted in crippled systems (fortress wouldnt let you right click because then you could potentially disable the program). I also was able to get around deep freeze in high school in about 30 minutes, and Im sure some smart student can bypass fortress if they truly wanted to (it was not used when i was in school). Knoppix, however, is not subject to such vulnerabilities and provides more functionality. Plus, its free and 3rd party apps can cost a heapload.
Seriously, if you're doing a project like this guy with x86's, at least consider knoppix as an option. It really does have a lot of pro's.
the byproduct of years of oppression by the white man
I have never used it. But here is an application to make it into a kiosk. Good Luck.
http://www.ncsu.edu/mac/software/webXkiosk.html-Adam
so Fonzie can get free credit when he kicks it. Aaaaaaaaaaaay!
I have basically done the same thing with 4 iMacs (233Mhz 320mb RAM)I donated to my local public library. They are used as internet/office/iTunes/AIM stations in a young adults room (grades 4-9). They are currently running 10.3.4 with shadow killer (a MUST for older machines running 10.x. Found at http://www.haxies.com ).
I set mine up with an Admin account (named staff) and a simple finder account (named student). Just go into the UserAccount section of system preferences, set the account you want limited to "simple finder" and limit what else you don't want them to have access to. It is also handy to give them a little bit of space to use for autosave in office and such (or scratch disks in Photoshop).
I have attempted to do similar limitations for the Windows XP computers in the adult section of the library (Using XP Security Console plug-in by Doug Knox), but have had nowhere near the success as I have had with the Macs. They have been running for a year now with ZERO down time.
Good Luck!!
I currently admin about 25 public Macs running OS X. What we currently do have two accounts- one guest and one admin. A clean copy of the guest account is kept compressed (tar) on the hard drive. At startup, the old guest home folder is removed and replaced the with backup that has nothing extra there. This saves lots of headaches since problems can usually be fixed with a restart. Couple that with some creative permissions and SetFile (found in developer tools) to make unnecessary things invisible and you have a secure workstation that can be put back to like-new condition with only a reboot.
You are not alone. This is not normal. None of this is normal.
Take a tip from an administrator in a public school system:
Pick up a copy a copy of DriveShield for the Mac, and allow the students to do whatever they wish to it.
DriveShield is a driver that sits between the hard drive and the OS. Any writes made to the hard drive are redirected into a sratch area of the hard drive, and thus don't stick around for the next reboot. The machine will be back in the state it was in when it was locked on every reboot.
I've tested it by even booting off a System CD and reformatting the drive... on the next reboot it comes right back to how you expect!
The philosophy used to be to lock the machine down as tight as possible to prevent the users from making any changes to it. (Restricted Finder, Windows Policies, etc.) Products like DriveShield (DeepFreeze is another one) work differently -- they don't lock down the machine to the user at all, they just prevent any changes from sticking across a reboot.
Protect the machine with DriveShield (or something similar), and have all the kids log in as the admin. Quick and easy to do, and the kids don't have to be restricted to a limited set of options on the computer!
We've been using this technique in several of our schools now (only in the open labs, mind you -- not the staff computers!), and the only support calls we now recieve in those labs is for hardware problems, not software.
- Bunny
I recently bought a Powerbook and found nothing at all that would make any reasonably sentient Windows user have a problem with email and surfing the web. The only things you have to look a bit for are precisely the things she doesn't want them to mess with!
The revolution will NOT be televised.
Disclaimer: I didn't use OSX before Panther, so this may not apply to the version you have.
Simple Finder is an incredible pain in the ass and confuses the hell out of Windows users. My girlfriend is largely computer-illiterate (she's memorized the motions and screen locations needed to operate Office, but not much else). I set up a limited account on my iBook because she couldn't seen to get to the web browser without dragging my Terminal icon off the dock. But that's a diatribe for another time.
I set up Simple Finder. No good. I can't blame her -- I couldn't really figure out how to get much actual work done with it.
In the end, I've been using a straight Limited Account for my Guest acct on the laptop, with much success. MacOS X already does a good job of keeping users out of one anothers' stuff, by properly setting homedir modes and whatnot. I've been working for a couple of weeks to bypass the Limited Account limitations, without luck. If you declare that the user cannot run a particular application, I haven't figured out a way around it that doesn't require admin.
However, unlike my experience with Windows, a limited account on OS X is still quite usable. Programs don't automatically expect to have root, and aren't able to sneak off and get it without asking (*cough*WinIE*cough*). If the need arises, the Auth Services password-dialog provides a way for an employee to work magic if necessary.
My recommendations, therefore:
1. Set up a 'Managed' account for the coffee people. Don't do per-user accounts unless you want to set up an LDAP server to handle it; cloning account settings on a single-user MacOS X system is a bitch. Retain an admin account for the employees.
2. Whitelist, not blacklist, the apps the user can run. Give them access to Safari and whatever else. Don't let them dork with the dock, etc. Specifically allowing access to a handful of apps will prevent them from firing up a new one from a USB key. Because they'll try. Oh, they'll try.
3. Unfortunately, I'd recommend against giving them iChat. iChat, unlike Windows AIM and GAIM, doesn't give you an easy way to switch accounts -- which is a must-have on a public terminal.
4. Lock down the keychain. Set Safari to not save passwords. Locking the keychain (with some known but non-obvious password) will prevent users from saving new items into it. This is a good thing.
5. Giving access to iTunes puts you in an interesting legal gray area. Like iChat, it provides no easy way to change accounts (in terms of iTMS). It also enables users to rip CDs. This may not be a good idea.
6. Unfortunately, OS X does not provide disk quotas, as far as I can tell (please, if someone knows different, clue me in!). The support is there in the filesystem, but there doesn't appear to be a UI. Keep this in mind.
7. As admin, periodically use Repair Permissions in Disk Utility to check for anything that's become accessible to the peons. More importantly, do this after you're done with the initial software install -- you'd be amazed at how much commercial software starts out world-writeable. (Bad Adobe.)
Good luck!
People may be more familiar with the use of Windows computers, but they are also more familiar with the abuse of Windows computers. Let the little hax0rs on your PC and see what happens. Yes, you can POLEDIT until your heart's content, until the hax0rs bring in their Linux boot CD with the Windows password cracker on it so they can get administrative rights and turn off the site blocker.
Keep in mind that there are NO known viruses for OS X, NO known spyware applications, and NO known adware applications. Not to start a flame war here, but the Mac system will likely be running the same way when you first put it in service as it will be months from now.
As for the setup of the computer, I would set up an administrator account and a user account. That's it. Do not allow the users to add/remove/modify accounts, change passwords, or even modify the dock. It works here at the school I work for -- it will work there too.
I just did something simular a few months ago. My dad is a highschool teacher and runs the "Tech" lab at the school. It has been a windows only lab, but after seeing how easy iMovie is to learn he has been wanting to get some Macs for a while now. Well the district just gave him money for two Macs, and since he isn't familiar with them I helped with integrating them into the Network and locking them down. Here is what I did.
/Users/student/ anyway. For our purposes this was good enough. All the windows computers had a program which restored the computer to a pristene state every time it was reboot, so the students were well trained that they needed to store everything on disc or thier network drive if they didn't want it to be lost. We were considering making a script that did the same to /Users/student, but decided it wasn't necisarry. The only potential problem would be if a kid messed with settings in /Users/student/Library/ that caused the program to behave unexpectedly. So we made a backup of that folder which the administrator can copy over the bad one if that does happen.
/Users/student to root and only give student read access, but you might run into problems. Things like programs complaining about not being able to save settings, or access a cache and temporary files in the home directory. You would have to play around with that.
You can lock down alot of things inside the users preferences. For example, you can specify that they are not allowed to changed any system settings (including those that would only effect their account like wallpaper), which applications they are allowed to run, and whether they can edit the doc. I locked all of these down, disallowing running the chat application and other things that they didn't need to be doing in class. I also locked down the terminal and disallowed >console login to prevent them from getting around what I had locked down. Anyway look there before you do anything else.
Not being a networking expert myself I didn't know if it was possible to have the kids logon to the windows domain, and automatically mount a home directory across the network (via smb). Furthermore it would a pain to manually recreate all those users, and I didn't have enough time to make an automated solution from scratch. So instead I just setup a single student account, and then wrote a script to mount thier network directories. I put a shortcut to the script in the doc. I also showed my dad how to create normal accounts, so that if a trustworthy student needs to do more than he can with the locked down student account he could give them an individual account.
For your purposes the big question is do the need to be saving things to the harddrive. If the answer is no (and I would expect it to be since they it is basically acting like a public terminal), just go with a single account. That will suffice for most people, and you can make special accounts for special cases.
As far as locking down the harddrive, by default they are restricted to
Actually I don't even know if it would be possible to completely lock the students out of using the harddrive altogether. Of course it would be trivial to just chown
Anyway I hope that helped.
Caffeine is a so-called "gateway drug", which can eventually lead to other things such as juice or even pop. Think twice before unleashing the power of coffee on unsuspecting teenagers. I wish someone had warned me when I was a teen. Look at me now, hanging out on Slashdot all day and drinking coffee*. Don't let it happen again.
If the Church is Amish, there may be problems with the iMac, being high technology and all. If they're against technology, give them an old Windows PC, there's less innovation in Win98 than a rusted salad fork, so it should be acceptable to even the most orthodox old dudes.
If these teenagers are anything like the teens I know, no matter what you do, one of them will have root access before you finish installing. Let them admin it, if you're over 30 they probably know more than you do anyway. It's sad that my non-computer-using wife can give me OS X tips, simply because she doesn't have to unlearn years of Windows and doing things the hard way.
* Even though the link between caffeine and Slashdot hasn't been proven to be cause and effect, empirical analysis supports the hypothesis. So monitor the system for warning signs, such as Slashdot being bookmarked.
I'm not normally an irrational zealous dickhead, but I figure "When in Rome..."
I work for a web dev company and we need to test Safari and IE Mac compatibility, so I bought an old iMac from a friend of mine for this purpose. I created an Admin account and a general user shared account.
You specify which applications they are allowed to run through System Preferences, as well as prevent them from changing passwords, burning DVDs/CDs, etc. If you have any kind of proficiency with UNIX, you can prevent them from writing to anything on the hard drive by setting the permissions through the terminal. There might be a tool to do this already, but I just use the terminal for what I need.
First of all, best of luck with this! I think it's a great idea. (Among other things, teens are already hanging out at several coffee houses in my area, and since they are commercial/for-profit establishments, it's a pretty expensive pastime for them. A non-profit version geared just for them might help them socialize without loads of cash getting pried from their fingers at the same time.)
But back to the Mac, have you considered the possibility of just using MacOS 9.1 on the grape iMac instead of OS X? I know this might seem foolish, but I bring it up for a couple reasons.
1. There's an excellent program for locking down a MacOS 9.1 (or earlier) desktop environment, called FoolProof. It's usually used in educational settings, but it's a very flexible way to prevent people from saving files to specific devices, deleting or rearranging icons on the desktop, and so on. (And yes, it even prevents people from trying to bypass it by booting without extensions enabled.) FoolProof is commercial software, but there's a good chance someone might have a copy they're no longer using that they could donate to the cause.
2. MacOS 9.1 would run much faster on an older iMac than OS X does, so it might give a better user experience in that respect.
3. You won't have a great choice of web browsers under MacOS 9.x - but at least you have Internet Explorer 5 for the Mac which was fairly recently patched to fix security issues/bugs, and feels familiar to most users. You also have the iCab browser which could be thrown on there as an alternate.
Macs are great for people who can use them but when you take the general public (idiots in general hence why we have so many virus problems) and start to mix MS things become messy.
Just a few points:
These are teens we are talking about, not senior citizens. They'll figure it out.
Virus problems solved by Windows??
Windows easier to use than Mac?
What kind of stuff do you think they need to do that will be so confusing on a Mac? A web browser and a word processor would be sufficient and those can only vary so much.
Some friends of mine set something like this up for a local ministry useing Linux. Everything is locked down and the internet is filtered. There are always a good number of people using the machines doing homework and webmail. It works pretty well.
Why have 1 person driving a backhoe when you could employ 20 with shovels?
Check it out here.
blarg.
The tray-load CD (266 or 333 MHz, 66 MHz FSB, RagePro) or the slot-load CD (350+ MHz, 100 MHz FSB, Rage128) version? The slot-load models are **much** faster under OS X. If you have a tray-load version, you may want to consider running a flavor of Linux.
If you can, round up one or two sticks of RAM to upgrade the machine to 384 MB or more. If you're going with OS X, try to use 10.3.x, it's much faster than previous versions... not so important for a G4, but for a little G3-based iMac like you have, it will make a big difference.
How to set up a Mac as a Kiosk. Very informative!
Stop by an Apple store if you can. They give more free reign on their computers than you would, since people need to try them out.
I've noticed that every night at closing time, a cron job or something fires off and all the machines put up a screen saying something like "Updating from image" and are evidently reloading themselves from a saved image to overcome the day's fiddling and messing up by customers.
If I had mod points I'd have used them negatively on your post instead of posting. Part of learning any operating system, or anything, is spending time it, poking around, and doing things you didn't know how to do. Another large part is asking questions from people who have the know-how, just like the OP did. Instead of sharing knowledge, which you presumably have, you decided to deconstruct his or her post.
I can't think of a better way to learn than learning while helping charity. If the OP was doing this for money, or for a multi-million dollar company you'd be right. But since this is a library, isn't it well within the very spirit of public libraries to learn? Really, you ought to be asking yourself why you're not learning to do something for charity that you didn't know how to do.
Setup your user (admin user) and a regular user. Allow them to save to the hard disk with a caveat....no files exist longer then one day. Write a script to clean out everything and restore things like standard Safari settings and the like (run Reset Safari to clean it up..not sure if this is scriptable). Put the script in the Admin User's crontab or root's crontab. For user saving files to disk, use a USB hub and have them use USB Drives for saving their items. Failing that, they could use CD-RW's.
Gorkman
DeepFreeze is a program that i use in my 2 windows lab, but their is a OS X version available. It freezes the partition to a point that you can delete the partion, and when the computer is restarted everything returns to the frozen image. I use to reimage with a boot disk, but this is so much easier. the site is http://www.faronics.com/html/DFMac.asp Thank you for supporting youth, so many people forget them.
Here you go.t n2062 .html
http://developer.apple.com/technotes/tn2002/
Large source of information, links software and more.
I would rather do it with a pc running Netstop, but hay, if your set on a mac, then theres no changing your mind.
TruePunk | Games
Check this out
Don't setup individual accounts! That would be incredibly time consuming. I would definitely have Student and Administrator accounts. You can set the Student preferences in System Preferences - Accounts. You can set limits on what they can do and what programs they can run (Capabilities).
If you have a budget and some time to learn, creating a Disk Image on a Firewire drive would be a great idea. Basically: Get everything working perfectly, make a disk image of the system, store it on the firewire drive and when something goes wrong down the line, just install the disk image. Within a few minutes you'll have your system right back where it was, without having to re-install everything from scratch, which could take hours. Try Carbon Copy Cloner and NetRestore from Bombich Software. Both are free! The firewire drive might put you back $150 but it's well worth it.
Lots of good information directly from Apple can be found here.
Silly idea, but possibly one that might save you a phone call or two.
Change the "Safari" icon (or whatever browser you're planning to use-NOT IE) to the Internet Explorer icon, and possibly rename the browser to "Internet Explorer." (Of course, delete the original IE.)
Chances are, most kids are used to IE on a Windows machine; when they see "safari," they'll have NO idea how to use it/what it is/blahblah without help from the person in charge. I know I've let all of my family (who use Windows) borrow my iBook, and they had no idea how to open the internet browser. As long as kids see an address bar, they know what to do from there.
Icons can be changed by selecting an app, right-clicking, going into "Get Info," then clicking on the smaller icon and copying. Following that, open "Get Info" on the other app which has the icon you're changing, click on the smaller icon, and paste.
Sorry if I led anyone to actually believe that - it's a spoof, as described here.
But it's a damned good spoof, and has "gotten" a few people, not to mention the Register and infoworld, as mentioned in the linked article.
Porn. Lots and lots of porn.
:P
Straight porn for the kids, kiddie porn for the church staff.
This is going to cost me some karma, isn't it.
Assume I was drunk when I posted this.
Damn those pesky terrorists
The Permission of the Beast!
I am a viral sig. Please copy me and help me spread. Thank you.