Greetings,



I work in a lab environment where we have 200+ Macs bound to Active Directory where students use their own AD accounts to log into the machines. In order to prevent unauthorized users from using our machines (i.e. students giving out their account credentials) we have attempted to enable a script to prevent a user from logging into more than one machine simultaneously. The script writes a user's name and machine to a text file at login and then deletes it at logout. It also checks this file at login to see if the user name is already there and if so, it logs them out.



Unfortunately it's a bit inconsistent and we have also found it is easily bypassed by holding down "Shift" at login. I was wondering if anyone else has found a way to deal with this type of security situation and if so, what solutions they have found to deal with it. I am also wondering if a solution that is more directly integrated with Casper (i.e. somehow using Casper usage logs) might be possible.



Thanks!



-Andy



--



Andy McPherson
Mac Specialist
Academic Computing
Pratt Institute
amcphers at pratt.edu
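As an added example (not Andy's script, nor anything posted in this thread), here is a shell sketch of the login/logout bookkeeping described above, with two refinements: records are keyed by host so a re-login on the same Mac replaces its own stale record, and records older than a cutoff are expired for users who never log out. The sessions file path is a placeholder; it assumes a location every lab Mac can write to.

```shell
#!/bin/sh
# Added example of a concurrent-login guard. Each record is one line:
# user<TAB>host<TAB>epoch. SESSIONS_FILE is a placeholder path, assumed
# to be on a share that all lab Macs can write.
SESSIONS_FILE="${SESSIONS_FILE:-/tmp/lab-sessions.tsv}"

# True (exit 0) if $1 already has a record on a host other than $2.
session_active_elsewhere() {
    [ -f "$SESSIONS_FILE" ] || return 1
    awk -F '\t' -v u="$1" -v h="$2" \
        '$1 == u && $2 != h { found = 1 } END { exit !found }' "$SESSIONS_FILE"
}

# Rewrite the file without any record for host $1 (used by release/record).
_drop_host() {
    tmp="$SESSIONS_FILE.$$"
    { [ -f "$SESSIONS_FILE" ] && awk -F '\t' -v h="$1" '$2 != h' "$SESSIONS_FILE"; } > "$tmp"
    mv "$tmp" "$SESSIONS_FILE"
}

# Record user $1 on host $2, replacing a stale record left by that host.
session_record() {
    _drop_host "$2"
    printf '%s\t%s\t%s\n' "$1" "$2" "$(date +%s)" >> "$SESSIONS_FILE"
}

# Logout: remove the record for host $1.
session_release() { _drop_host "$1"; }

# Drop records older than $1 seconds (users who never logged out).
session_expire() {
    [ -f "$SESSIONS_FILE" ] || return 0
    tmp="$SESSIONS_FILE.$$"
    awk -F '\t' -v now="$(date +%s)" -v max="$1" 'now - $3 <= max' \
        "$SESSIONS_FILE" > "$tmp" && mv "$tmp" "$SESSIONS_FILE"
}

# Login hook entry point: returns 1 (caller should refuse/log out) if user $1
# already has a live session elsewhere, otherwise records user $1 on host $2.
login_check() {
    session_expire 43200   # 12 hours; tune to the longest plausible lab session
    if session_active_elsewhere "$1" "$2"; then
        printf 'duplicate login: %s already active, refusing on %s\n' "$1" "$2" >&2
        return 1
    fi
    session_record "$1" "$2"
}
```

Two Macs rewriting one shared file at the same moment can still race; one record file per host in a shared directory avoids that and turns session_release into a single rm.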

We have no requirement to do this, but if you are using iMacs (or Macs with built-in cameras) you could always get your script to take a snapshot at login to see who the offenders are.



If you really want security, then you may want to look at a smart card solution. No card, no login! OSX and AD should work appropriately with this technology. Maybe someone else on the group has actually set up smart card use and could comment.



Sean


We use smart cards here, but we also use Centrify as our AD authentication plugin, which pretty much automates the process. We do have some guys at other locations that have smart cards working with Apple's built-in AD plugin, but as I understand it, it's a bit of a mess.



I'm happy to answer any questions about this that I can.



Regards,



Drew McMillen, Desktop Engineering Team Lead
NIEHS Tech Services Team
(w) 919/313-7683
(m) 919/257-8333
mcmillen at niehs.nih.gov
https://apps.niehs.nih.gov/itsupport/web


SmartCards + Apple's implementation = headache. If you're using Centrify, cool. Otherwise, it's crazy expensive just for SCs.



j


Normally it is recommended not to do this, but to keep Safe Login from omitting the script you want to run, you can set the script to be launched by launchd from the /System/Library/LaunchDaemons folder. Take a peek at the developer pages on launchd and/or google for Lingon for help with the relevant file creation.



By putting the script here, your script will run no matter what, even in safe boot/safe login. This might be problematic later on, if a system update changes whatever your script calls and that causes an error. You effectively cannot easily omit anything in the System launchd items, but that is the exact point you raise.



Cheers,
- Douglas Worley



Sent from my Tricorder.


How do you force the logout?



I also agree with the idea to take a snapshot of the offender if an extra login is detected. But keep in mind that your users will not always remember to log out...
