We have been asked to lock down our users wallpaper. We locked the wallpaper down by placing a PNG in a folder in the /Library/FolderthatstoresPNG. Everyone has permissions to this folder. Then lock the wallpaper down with a config profile. BAM! wallpaper locked down. Well then some one was smart enough to REplace our PNG with their own PNG......So now their background is whatever they replace that PNG with. We have underestimated the sneaky sneak of some people.
So now i have place the PNG in our hidden management account which is in /private/var/Managementaccount/Documents
no one has permissions to this folder, so when the config profile looks for the PNG it does not find it.
Is it a permissions thing? or is it that the PNG is in a hidden account?
How are other people managing wallpapers?
Thank you! and happy FRIDAY!
You can create a package that stores the wallpaper.
With Composer, select New, go down to User Environment, Select Background, then done :D
We have ours set to push out on log out, so the next time they log in it will be reset to default.
with doing it that way couldn't they just change their wallpaper whenever they want to?
@rleatherwood
Yes. They could still change it. But it would get reset to default as soon as they logged out.
I believe there's a parental control setting that disables the option to change the wallpaper. But I'm not entirely sure how to do it that way.
Maybe through configuration profiles?
Are the users admins? Can you make the image, and the folder inside of it, read-only?
If they are admins, you could set a policy that runs at Logout that reinstalls the image, so the next time they log in, it's back ;-)
I ran into this by accident while trying to figure out how to use configuration profiles to push a wallpaper out on first login, but leave it unmanaged afterwards. I ended up disabling it but I know it works at least in testing. You can definitely use configuration profiles to lock the wallpaper down. We are running 9.62, not sure if that function exists in earlier versions.
sadly yes our users are admin. So we just have to be smarter then then lol
When you package the replacemen background, why not have the file as hidden in the gui?
chflags hidden [path to file]
After this, I'm pretty sure that all users will need read access to the file for the profile to use it?
Sounds like a few steps will be needed to try and prevent changes:
Not sure if this is for a company or a school, but if it was a company, taking the non-technical approach I would communicate to everyone that the desktop background isn't to be changed.
If people do it, take away their admin rights.
I would imagine that it's a permissions issue. Certainly easy to test.
At this point, someone else needs to be involved as this is a disciplinary issue.
Use a configuration profile. Here's an example:
https://github.com/gregneagle/profiles/blob/master/desktop_picture.mobileconfig
...and if you don't want the users to modify the desktop picture file itself:
1) Don't give them write rights to the file or the enclosing directory, and
2) Don't give them admin rights.
If they have admin rights, you're just wasting your time trying to lock stuff down. They now have as much power over the machine as you do.
You could set a logout policy which installs a package (maybe a DMG would be faster?) containing the correct desktop picture, placed at whatever path the config profile is configured for. Set it for ongoing execution and check the offline box - each client will cache the package and replace it at each logout.
