Public Kiosk Configuration Overview

By: Mikio Moriyasu - Revised: 2006-08-03 devin

Introduction

Learn how to set up an easy-to-use OS X machine that's restricted to a small collection of Internet browsers, utilities, and helper applications.

Public Kiosk Config


On a standard Mac OS X machine, users have greater overall access to the operating system features. They can run the Finder, use the Dock, launch most applications, and save files in their home folder. Public Kiosks, however, are significantly more "restrictive", limiting users' access to just a few applications. On our kiosks, the available applications are confined to a small collection of Internet browsers, utilities, and helper applications. The kiosks themselves have been set up to be extremely easy to use, capable of operating relatively unattended, require minimal maintenance, and are easy to update. Their key operating feature is the ability to restrict users from making changes to the system or hard disk.

This is a list of the key modifications we made to set up our Kiosks:
  • Set Up Guest User - Create a new user that does NOT have administrative rights to the machine and that has a REAL password.
  • Limit Write Access - Limit what a guest user can change on the hard disk by changing file permissions and ownership.
  • Enable Firmware Security - Enabling Firmware Security prevents users from making changes to the OS.
  • Customize Apple Menu - Using third party applications such as Fruit Menu, the Apple Menu can be customized to remove shutdown/logout options and prevent users from shutting down or logging out of the Mac.
  • Install Admin Utility - To allow administrative users to perform some admin procedures like restarting, shutting down, logging out, launching the Finder, but restrict these processes from the general kiosk user, we created an application which requires a password to access to these functions.
  • Replace the Finder - Many kiosks only allow users to use one application, such as a web browser. To do this, you will need to replace the Finder with the desired application by either changing the loginwindow preferences or swapping the Finder.app with another.
  • Disable the Dock - Disabling the Dock.app by renaming it, or changing the permissions prevents users from launching the Finder. It also creates more usable screen space on your kiosk machines.
  • Putting Web Browsers in "Kiosk Mode" - Some web browsers have a kiosk mode that limits what users can and cannot do. iCab is the only Mac OS X web browser that has built-in kiosk mode.
  • Maintenance - Even though the system is locked down so that users can't make changes, Mac OS X and many applications require that the user be able to make changes to certain files in order to function correctly. To clean up these changes, use a script that runs at login, logout, a defined schedule, or when the machine is idle.
For detailed information regarding the configuration and deployment of our Public Kiosks, please click here (link dead) to see dedicated documentation discussing Mac OS X Public Kiosk operation at www.macosxlabs.org.