How do you secure Macintosh clients in an open-access computer lab?
Since I've actually run UNIX for personal use outside of work, that apparently makes me the newly anointed Macintosh expert at my workplace... I've got an open-access computer lab (12 iMacs) that will be used for limited video, photo, and audio editing. There is no central fileserver, and they are not joined to any directory service -- it's all got to be local user login.
How do I student-proof these workstations and minimize my headaches going forward? The students are going to be required to use their own external HDs for file storage, per the professors in question.
Solution 1:
If you don't want to store any user preferences etc. and if there are no personalized accounts at all for the students, I would do the following:
- Create a user, maybe without a password
- Activate parental controls and disallow password changes, and maybe other settings.
- Don't let the user auto-login, instead display the login window with user pictures.
- Configure every application with the defaults you want for that user
- Make a copy of this known good state of the user's homedir.
- Create a login script which will replace the user homedir with the known good copy you just created. For details, see Mike Bombich's page, who already did the work.
- Tell the students they have to log out when they are finished. The next one who logs in will trigger the restore script.
Normally, non-admin users should be unable to modify stuff outside their account (like the Applications folder), but to be sure, you could regularly use something like Carbon Copy Cloner (Bombich again) or even Apple's Image server, which comes together with the server version of MacOS X, and restore the whole system into a known good state.
Also, you could think about whether OS X Server wouldn't be a good investment, as it allows much more detailed restrictions on the configuration of both computers and users. A 10 user version would be enough if you don't require file sharing, and as an education version, it's not too expensive.
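A sketch of the restore-at-login step from Solution 1, as an added example (not part of the original answer and not Mike Bombich's script). The account name `student`, the template path `/var/labtemplate/student`, and installation as a loginwindow LoginHook are assumptions.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumed names: account
# "student", template /var/labtemplate/student, home /Users/student.
# Assumed install: loginwindow LoginHook (runs as root, short user name in $1):
#   sudo defaults write com.apple.loginwindow LoginHook /path/to/this-script
LAB_USER="${LAB_USER:-student}"
TEMPLATE="${TEMPLATE:-/var/labtemplate/$LAB_USER}"
HOME_DIR="${HOME_DIR:-/Users/$LAB_USER}"

# restore_home TEMPLATE HOME [OWNER]: replace HOME with a copy of TEMPLATE.
restore_home() {
    tpl=$1; home=$2; owner=${3:-}
    # The hook runs as root, so validate both paths before any rm -rf.
    case "$home" in
        /|"") echo "refusing home '$home'" >&2; return 2 ;;
        /*) ;;
        *) echo "home must be an absolute path" >&2; return 2 ;;
    esac
    # Template must be a real, non-empty directory; otherwise a missing
    # or unmounted template would wipe the account.
    if [ -L "$tpl" ] || [ ! -d "$tpl" ] || [ -z "$(ls -A "$tpl")" ]; then
        echo "template '$tpl' missing or empty; home left untouched" >&2
        return 3
    fi
    # Never follow a symlink standing in for the home directory.
    if [ -L "$home" ]; then
        echo "home '$home' is a symlink; refusing" >&2
        return 4
    fi
    # Copy next to the old home first, then swap, so a failed copy
    # never leaves the lab account without a home.
    new="$home.restore.$$"
    rm -rf "$new"
    cp -Rp "$tpl" "$new" || { rm -rf "$new"; return 5; }
    if [ -n "$owner" ]; then
        chown -R "$owner" "$new" || { rm -rf "$new"; return 5; }
    fi
    rm -rf "$home" && mv "$new" "$home"
}

# Only the shared lab account is reset; admin logins are left alone.
if [ "${1:-}" = "$LAB_USER" ]; then
    restore_home "$TEMPLATE" "$HOME_DIR" "$LAB_USER"
fi
```

Keep the template directory owned by root and not writable by the lab account, so a student session cannot alter the known good state that every later login is restored from.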
Solution 2:
A relatively simple, but non-free, solution would be to use something like Deep Freeze (link). Basically it will let the user do almost anything they want, but next time the system is rebooted, everything will be restored to the previous state.
The home-use price is $45.00; there are savings for educational use and lots of licenses.
Solution 3:
Have you looked at Parental Controls? It's been a version or two of OS X since I've used it, and I have heard it is much better now.