Slashdot Mirror
Setting Up Mac OS X for a Teenage Coffeehouse?
WCityMike writes "I plan to donate a grape iMac to a local church-run non-profit coffeehouse for teenagers, and would like to give it to them appropriately set up for the atmosphere it'll be in. I'm seeking advice on a number of fronts - what freeware or shareware applications would be good for such an environment? Should visitors be allowed to have their own accounts (presumably created by the administrator), or should I just set up one 'student' account and one 'administrator' account? If the latter, is there a way to prevent students from saving things on the hard drive (thus forcing them to use a diskette and/or the CD drive?), and/or a 'Simple Finder' interface extant for OS X? Is there existing software that makes this easier or more configurable, or is it all inside the OS? I'm fairly familiar with Mac OS X, but have never needed to run anything outside a single-user environment."
I would set up an admin account and several "template" accounts based on different types of usage such as "internet only," "power user," etc. You get the idea.
I would then train someone within the organization on how to setup, modify, and maintain the accounts (unless that is going to be you.).
Once again, your generosity of money and time is commendable.
Happy Trails!
Erick
http://www.busyweather.com/
http://www.macosxhints.com/ is a great place to start looking for the misc answers you may need.
Image it first, because no matter what you do, someone will somehow find a way to trash it or release a virus or the hard drive will crash or lightning will strike it or....
Agile Artisans
You can prevent them from rearranging the desktop, writing to any folder except their own in the /Users/ directory, and taking off/putting stuff onto the dock. At a lab that I administered for a while, I just put a student and admin account on each computer, and it worked well. The users were able to use applications like InDesign and Photoshop perfectly, and they kept their files on USB flash drives.
This pdf link. It tells you how to restore a dummy user's home directory after each login (Its for OSX, not sure if the grape can handle that or not).
Aside from some software tweaking and installation, this should really help your setup.
In the Accounts preference in Panther, you can turn on a sort-of Simple Finder, as well as limit access to specific applications for users. You should play around with those options to get an idea of what you can do.
You're essentially looking to do the same thing many, many others have already done, and are doing every day, with Mac OS X in public lab-type environments. Do yourself a favor and visit
...particularly the documentation section.
http://macosxlabs.org/
You heart is in the right place for wanting to donate your old machine, but the grape iMacs are significantly less secure than the tangerine ones. Be careful!
if they're anything like the teenagers I grew up with, trust them with nothing and they'll be needing lots of porn.
Don't tell the church that your Mac OS X box will be full of daemons. They will get exorcized over it!
Strange women lying in ponds distributing swords is no basis for a system of government.
No matter what platform you are using, I'd suggest that you create just one account for the end-users. As always, keep it simple.
-- Reality checks don't bounce.
It's common in the Mac community to give the "Flavor" instead of the full configuration. My guess is he wanted to give an estimation of the configuration involved, and that is good for me. for a Mac user "grape"= "iMac CRT 266 or 333, 6Mb VRAM, 6Gb HD, USB1, no Firewire", so yes I think "grape" is relevant information. On a grape iMac, you could run panther, and there is a "Simple Finder" equivalent on 10.3
Look at Mac OS X Labs. They have a lot of experience in setting up machines in school labs (read: hostile environments).
If anyone would have info on locking down a system they would.
You didn't really specify what the machine would be used for. I'm assuming, given the environment, that it will be used mostly for Internet surfing & email. Unless you or another admin is going to be available to maintain user accounts, I *would* use a generic account for the users and a well-protected admin account. The Panther (10.3) finder *does* have a Simple Finder option. You can turn it on in the Accounts preferences pane after you create the user account. It gives you (some) options for limiting what the users are & aren't allowed to change as regards the desktop interface. If you need more granular control of applications or rights, you can add/remove apps from the machine and you can change the access rights via the underying UNIX group and permissions system. That level of detail might be more than you need or that you can administer, however, if you're not somewhat familiar with the UNIX underpinnings. In terms of recommended software: you definately want to supplement or replace IE with Safari and/or some of the Mozilla-derived browsers (Camino, Mozilla, Firefox). The various security glitches and pop-ups inherent in IE could make it a risk. You may want to consider adding some remote control software in case you have to remotely assist somebody or fix the machine remotely. Timbuktu and Apple Remote Desktop are popular commercial options. You might find something like VNC preferable for this environment, however, as it's free and relatively lightweight. All of these remote control options assume a broadband connection. You may also consider enabling remote SSH access if you need a lighter (terminal-only) remote admin mechanism. You *definately* want to turn the OSX built-in firewall on assuming that this machine will be directly connected to the Internet. The basic options are easy to setup via the sharing and related preference panes. You might also consider an anti-virus application such as Virex or Symantec NAV. I don't consider these critical for my personal use since there is so little OSX virus activity, but it's probably better to be prudent on a shared machine. Since this scenario uses a shared guest account on the machine, you'll probably want to avoid letting users use local mail applications such as Mail.App . Suggest that a web-mail interface might be simpler and require less maintenance on your part. Good luck
You're clearly out of your mind. Windows? Teens? "Safe from Viruses".
... no amount of Update Zone Alarm, New Updates or Anti Virus checking is going to prevent those teenagers from screwing the system.
...
Bwwwwaaaaahahahahahhahahahahahah!
Okay, sorry. OSX is a much, much, much safer environment for teens to be thrown loose into, than Windows.
I'm not even going to bother with the whole "Virus" thing
Out of the box, you can set up an OSX account that deletes itself at the end of each session and renews the home dir every time, through the OS, safely. Check macosxhints.com for details on how to do this
OSX is -designed- for people like this, in scenario's like this.
; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
I have never used it. But here is an application to make it into a kiosk. Good Luck.
http://www.ncsu.edu/mac/software/webXkiosk.html-Adam
so Fonzie can get free credit when he kicks it. Aaaaaaaaaaaay!
I have basically done the same thing with 4 iMacs (233Mhz 320mb RAM)I donated to my local public library. They are used as internet/office/iTunes/AIM stations in a young adults room (grades 4-9). They are currently running 10.3.4 with shadow killer (a MUST for older machines running 10.x. Found at http://www.haxies.com ).
I set mine up with an Admin account (named staff) and a simple finder account (named student). Just go into the UserAccount section of system preferences, set the account you want limited to "simple finder" and limit what else you don't want them to have access to. It is also handy to give them a little bit of space to use for autosave in office and such (or scratch disks in Photoshop).
I have attempted to do similar limitations for the Windows XP computers in the adult section of the library (Using XP Security Console plug-in by Doug Knox), but have had nowhere near the success as I have had with the Macs. They have been running for a year now with ZERO down time.
Good Luck!!
I currently admin about 25 public Macs running OS X. What we currently do have two accounts- one guest and one admin. A clean copy of the guest account is kept compressed (tar) on the hard drive. At startup, the old guest home folder is removed and replaced the with backup that has nothing extra there. This saves lots of headaches since problems can usually be fixed with a restart. Couple that with some creative permissions and SetFile (found in developer tools) to make unnecessary things invisible and you have a secure workstation that can be put back to like-new condition with only a reboot.
You are not alone. This is not normal. None of this is normal.
Take a tip from an administrator in a public school system:
Pick up a copy a copy of DriveShield for the Mac, and allow the students to do whatever they wish to it.
DriveShield is a driver that sits between the hard drive and the OS. Any writes made to the hard drive are redirected into a sratch area of the hard drive, and thus don't stick around for the next reboot. The machine will be back in the state it was in when it was locked on every reboot.
I've tested it by even booting off a System CD and reformatting the drive... on the next reboot it comes right back to how you expect!
The philosophy used to be to lock the machine down as tight as possible to prevent the users from making any changes to it. (Restricted Finder, Windows Policies, etc.) Products like DriveShield (DeepFreeze is another one) work differently -- they don't lock down the machine to the user at all, they just prevent any changes from sticking across a reboot.
Protect the machine with DriveShield (or something similar), and have all the kids log in as the admin. Quick and easy to do, and the kids don't have to be restricted to a limited set of options on the computer!
We've been using this technique in several of our schools now (only in the open labs, mind you -- not the staff computers!), and the only support calls we now recieve in those labs is for hardware problems, not software.
- Bunny
Disclaimer: I didn't use OSX before Panther, so this may not apply to the version you have.
Simple Finder is an incredible pain in the ass and confuses the hell out of Windows users. My girlfriend is largely computer-illiterate (she's memorized the motions and screen locations needed to operate Office, but not much else). I set up a limited account on my iBook because she couldn't seen to get to the web browser without dragging my Terminal icon off the dock. But that's a diatribe for another time.
I set up Simple Finder. No good. I can't blame her -- I couldn't really figure out how to get much actual work done with it.
In the end, I've been using a straight Limited Account for my Guest acct on the laptop, with much success. MacOS X already does a good job of keeping users out of one anothers' stuff, by properly setting homedir modes and whatnot. I've been working for a couple of weeks to bypass the Limited Account limitations, without luck. If you declare that the user cannot run a particular application, I haven't figured out a way around it that doesn't require admin.
However, unlike my experience with Windows, a limited account on OS X is still quite usable. Programs don't automatically expect to have root, and aren't able to sneak off and get it without asking (*cough*WinIE*cough*). If the need arises, the Auth Services password-dialog provides a way for an employee to work magic if necessary.
My recommendations, therefore:
1. Set up a 'Managed' account for the coffee people. Don't do per-user accounts unless you want to set up an LDAP server to handle it; cloning account settings on a single-user MacOS X system is a bitch. Retain an admin account for the employees.
2. Whitelist, not blacklist, the apps the user can run. Give them access to Safari and whatever else. Don't let them dork with the dock, etc. Specifically allowing access to a handful of apps will prevent them from firing up a new one from a USB key. Because they'll try. Oh, they'll try.
3. Unfortunately, I'd recommend against giving them iChat. iChat, unlike Windows AIM and GAIM, doesn't give you an easy way to switch accounts -- which is a must-have on a public terminal.
4. Lock down the keychain. Set Safari to not save passwords. Locking the keychain (with some known but non-obvious password) will prevent users from saving new items into it. This is a good thing.
5. Giving access to iTunes puts you in an interesting legal gray area. Like iChat, it provides no easy way to change accounts (in terms of iTMS). It also enables users to rip CDs. This may not be a good idea.
6. Unfortunately, OS X does not provide disk quotas, as far as I can tell (please, if someone knows different, clue me in!). The support is there in the filesystem, but there doesn't appear to be a UI. Keep this in mind.
7. As admin, periodically use Repair Permissions in Disk Utility to check for anything that's become accessible to the peons. More importantly, do this after you're done with the initial software install -- you'd be amazed at how much commercial software starts out world-writeable. (Bad Adobe.)
Good luck!
I just did something simular a few months ago. My dad is a highschool teacher and runs the "Tech" lab at the school. It has been a windows only lab, but after seeing how easy iMovie is to learn he has been wanting to get some Macs for a while now. Well the district just gave him money for two Macs, and since he isn't familiar with them I helped with integrating them into the Network and locking them down. Here is what I did.
/Users/student/ anyway. For our purposes this was good enough. All the windows computers had a program which restored the computer to a pristene state every time it was reboot, so the students were well trained that they needed to store everything on disc or thier network drive if they didn't want it to be lost. We were considering making a script that did the same to /Users/student, but decided it wasn't necisarry. The only potential problem would be if a kid messed with settings in /Users/student/Library/ that caused the program to behave unexpectedly. So we made a backup of that folder which the administrator can copy over the bad one if that does happen.
/Users/student to root and only give student read access, but you might run into problems. Things like programs complaining about not being able to save settings, or access a cache and temporary files in the home directory. You would have to play around with that.
You can lock down alot of things inside the users preferences. For example, you can specify that they are not allowed to changed any system settings (including those that would only effect their account like wallpaper), which applications they are allowed to run, and whether they can edit the doc. I locked all of these down, disallowing running the chat application and other things that they didn't need to be doing in class. I also locked down the terminal and disallowed >console login to prevent them from getting around what I had locked down. Anyway look there before you do anything else.
Not being a networking expert myself I didn't know if it was possible to have the kids logon to the windows domain, and automatically mount a home directory across the network (via smb). Furthermore it would a pain to manually recreate all those users, and I didn't have enough time to make an automated solution from scratch. So instead I just setup a single student account, and then wrote a script to mount thier network directories. I put a shortcut to the script in the doc. I also showed my dad how to create normal accounts, so that if a trustworthy student needs to do more than he can with the locked down student account he could give them an individual account.
For your purposes the big question is do the need to be saving things to the harddrive. If the answer is no (and I would expect it to be since they it is basically acting like a public terminal), just go with a single account. That will suffice for most people, and you can make special accounts for special cases.
As far as locking down the harddrive, by default they are restricted to
Actually I don't even know if it would be possible to completely lock the students out of using the harddrive altogether. Of course it would be trivial to just chown
Anyway I hope that helped.
Caffeine is a so-called "gateway drug", which can eventually lead to other things such as juice or even pop. Think twice before unleashing the power of coffee on unsuspecting teenagers. I wish someone had warned me when I was a teen. Look at me now, hanging out on Slashdot all day and drinking coffee*. Don't let it happen again.
If the Church is Amish, there may be problems with the iMac, being high technology and all. If they're against technology, give them an old Windows PC, there's less innovation in Win98 than a rusted salad fork, so it should be acceptable to even the most orthodox old dudes.
If these teenagers are anything like the teens I know, no matter what you do, one of them will have root access before you finish installing. Let them admin it, if you're over 30 they probably know more than you do anyway. It's sad that my non-computer-using wife can give me OS X tips, simply because she doesn't have to unlearn years of Windows and doing things the hard way.
* Even though the link between caffeine and Slashdot hasn't been proven to be cause and effect, empirical analysis supports the hypothesis. So monitor the system for warning signs, such as Slashdot being bookmarked.
I'm not normally an irrational zealous dickhead, but I figure "When in Rome..."
First of all, best of luck with this! I think it's a great idea. (Among other things, teens are already hanging out at several coffee houses in my area, and since they are commercial/for-profit establishments, it's a pretty expensive pastime for them. A non-profit version geared just for them might help them socialize without loads of cash getting pried from their fingers at the same time.)
But back to the Mac, have you considered the possibility of just using MacOS 9.1 on the grape iMac instead of OS X? I know this might seem foolish, but I bring it up for a couple reasons.
1. There's an excellent program for locking down a MacOS 9.1 (or earlier) desktop environment, called FoolProof. It's usually used in educational settings, but it's a very flexible way to prevent people from saving files to specific devices, deleting or rearranging icons on the desktop, and so on. (And yes, it even prevents people from trying to bypass it by booting without extensions enabled.) FoolProof is commercial software, but there's a good chance someone might have a copy they're no longer using that they could donate to the cause.
2. MacOS 9.1 would run much faster on an older iMac than OS X does, so it might give a better user experience in that respect.
3. You won't have a great choice of web browsers under MacOS 9.x - but at least you have Internet Explorer 5 for the Mac which was fairly recently patched to fix security issues/bugs, and feels familiar to most users. You also have the iCab browser which could be thrown on there as an alternate.
The tray-load CD (266 or 333 MHz, 66 MHz FSB, RagePro) or the slot-load CD (350+ MHz, 100 MHz FSB, Rage128) version? The slot-load models are **much** faster under OS X. If you have a tray-load version, you may want to consider running a flavor of Linux.
If you can, round up one or two sticks of RAM to upgrade the machine to 384 MB or more. If you're going with OS X, try to use 10.3.x, it's much faster than previous versions... not so important for a G4, but for a little G3-based iMac like you have, it will make a big difference.
How to set up a Mac as a Kiosk. Very informative!
Stop by an Apple store if you can. They give more free reign on their computers than you would, since people need to try them out.
I've noticed that every night at closing time, a cron job or something fires off and all the machines put up a screen saying something like "Updating from image" and are evidently reloading themselves from a saved image to overcome the day's fiddling and messing up by customers.
Setup your user (admin user) and a regular user. Allow them to save to the hard disk with a caveat....no files exist longer then one day. Write a script to clean out everything and restore things like standard Safari settings and the like (run Reset Safari to clean it up..not sure if this is scriptable). Put the script in the Admin User's crontab or root's crontab. For user saving files to disk, use a USB hub and have them use USB Drives for saving their items. Failing that, they could use CD-RW's.
Gorkman
DeepFreeze is a program that i use in my 2 windows lab, but their is a OS X version available. It freezes the partition to a point that you can delete the partion, and when the computer is restarted everything returns to the frozen image. I use to reimage with a boot disk, but this is so much easier. the site is http://www.faronics.com/html/DFMac.asp Thank you for supporting youth, so many people forget them.
Check this out
'Ditto' will also do it, you one feels up to the command line. Ditto is a tool developed by Apple to replace cp, which doesn't know about certain Apple attributes, such as resource forks. It also allows for permissions to be retained.
(tig)
Ignorance and prejudice and fear
Walk hand in hand
Sorry if I led anyone to actually believe that - it's a spoof, as described here.
But it's a damned good spoof, and has "gotten" a few people, not to mention the Register and infoworld, as mentioned in the linked article.
Porn. Lots and lots of porn.
:P
Straight porn for the kids, kiddie porn for the church staff.
This is going to cost me some karma, isn't it.
Assume I was drunk when I posted this.