Open Area Configuration Overview

By: Mikio Moriyasu - Revised: 2006-08-03 devin

Introduction

Learn how to set up a standard OS X machine where users have greater overall access to applications, the hard drive, and operating system features.

Open Area Config


Mac OS X at its core is designed to be a multi-user operating system with every user having a unique username and password, individual settings, and hard disk access privileges. From this perspective, OS X is ideal for an open use lab environment where users must login in order to have general, non administrative access to the machines.

During the initial stages of our deployment, user access to the Open Area lab machines was limited to "Guest" or anonymous user only making them very similar to our Public Kiosks. In this configuration, users had access to a moderate range of office, desktop publishing, graphical, Internet/Email, utility, and helper applications. Like our kiosks, these machines were capable of operating relatively unattended, requiring minimal maintenance, and were easy to update. They were also set up to to restrict users from making changes to the system or hard disk.

In the Fall of 2002, the University of Utah implemented campus-wide authentication forcing faculty, staff, and students to login to configured machines. At this same time, Student Computing Labs was preparing to expand its test of a new UNIX based hard disk maintenance package called Radmind.

These two events allowed us to make significant changes to the Open Area machines. With authentication, users could now login to the machines eliminating the need for "Guest" or anonymous user access. In addition, the introduction of regular hard disk maintenance and machine restoration gave users the freedom insert removable media, copy and save files to the desktop, and copy and edit files from the desktop.

This is a list of the key modifications we made to set up our Open Area lab machines for Authentication:
  • Set Up For Authenticated User - Using Directory Setup, enable and configure for specific directory services
  • Configure the Mac - Configure Mac OS X exactly how you would like it deployed, including installing & configuration applications, setting the user file/folder privileges, and overall operating system configuration.
  • Login customization - Customize the login prompt to display information specific to your lab for your patrons.
  • Apple Menu customization - Using third party applications such as Fruit Menu, the Apple Menu can be customized to remove shutdown options, access "Get Mac OS X Software", and access "System Preferences".
  • Install Admin Utility - To allow administrative users to perform some admin procedures like restarting, shutting down, logging out, launching the Finder, but restrict these processes from the general kiosk user, we created an application which requires a password to access to these functions.
  • Access to passwd - If the guest user has access to the Terminal, the user can change the guest user password with the utility /usr/bin/passwd. To prevent this, change the permissions of the utility by typing the following in Terminal. sudo chmod o-rwx /usr/bin/passwd
  • Enabling SSH - If ssh is enabled, like using RsyncX, we recommend limiting who can connect by adding "AllowUsers username [username... ]" to the file /etc/sshd_config. The Our main purpose here is to allow read access but remove the ability to save or modify files.
  • Limit Write Access - Limit what a guest user can change on the hard disk by changing file permissions and ownership.
  • Applications that require write permission - Some applications require that the user have privileges to some folders and files. Depending on what applications you want to allow the user to run, you may have to allow write privileges to several folders.
  • Modify home folder privileges - This step modifies the privileges for the guest user's home folder and re-assigns owner & group permissions.
  • Enable Firmware Security - Enabling Firmware Security prevents users from making changes to the OS.
  • Idle Maintenance - Even though the system is locked down so that users can't make changes, Mac OS X and many applications require that the user be able to make changes to certain files in order to function correctly. To clean up these changes, use a script that runs at login, logout, a defined schedule, or when the machine is idle.
For detailed information regarding the configuration and deployment of Open Area lab machines please select from the following topics: (links dead)
  • Guest/Anonymous User Setup
  • Directory Services Configuration
  • Login Authenticators Configuration
These are links to dedicated documentation regarding Mac OS X Open Area lab machine operation located at: www.macosxlabs.org.