1-to-1 recommendations

jstrauss
Contributor

Hi all,

Next year our school of 1200 students will be going 1-to-1, where every student has their own laptop that they end up purchasing (over four years) through the cost of tuition. I have a couple logistical questions and I would love to benefit from the experience on this list. Has anyone gone 1-to-1 that I could bounce ideas around with? I'm mainly stumped by what kind of access the students should be granted: should they be given admin access on their machines? How does that impair management with Casper? That kind of stuff.

Any help would be appreciated.

Thanks!

Jeffrey A. Strauss
Department of Educational Technology
Systems Administrator
Loyola High School of Los Angeles
1901 Venice Blvd.
Los Angeles, Ca 90006
(213) 381-5121 x265

3 REPLIES

ernstcs
Contributor III

Hi Jeff,

We aren't one to one here, but I'm not sure it much matters. If you want to restrict end users from doing things to your machine I'm sure Thomas Larkin will have some advice. I just wanted to answer the last part. It doesn't matter what access the users have to the machines. You manage your systems with a typically hidden administration account through SSH. Can work just on your network, off your network, pretty much anywhere you want to allow it to do things. The management suite is the tool that gets the system to how you want it, and how you maintain it.

Good luck!

Craig E

John_Wetter
Release Candidate Programs Tester

We have a 1-1 program in our 4-5-6 grades. We manage the system preferences and parental controls using Managed Preferences, and we handle updates/software installs/imaging, etc. through Casper. As mentioned, our students are managed mobile home directories with managed accounts. Giving students admin accounts would be a mistake, IMHO.

-John

--
John Wetter
Technology Support Administrator
Technology & Information Services
Hopkins Public Schools
952-988-5373
john_wetter at hopkins.k12.mn.us

tlarkin
Honored Contributor

Jeff,

My name is Tom and I work in a school district that has deployed 6,000
MacBooks in our 1:1. We are on our second year and last year they hired
me on to admin the servers and the Casper Suite. It has been quite a
crazy time so far. I can only imagine that your initial setup will be
OS X server Open Directory along with users logging in with mobile
accounts on their laptops. Mobile accounts are a godsend. Once they
sync to the machine locally, the machine will authenticate locally but
still get group/user policy from OS X server. I won't go into a
superlative amount of detail but outline some basics for you. Assuming
you are running 10.5.x server/client.

Toss all the applications you don't want the user to have access to in
/Applications/Utilities. For instance I tossed in Automator and the
AppleScript program, because the smart students figured out that those
applications can be used to open unauthorized applications. Once I get
every app I don't want them to be able to run in the
/Applications/Utilities folder and all the apps installed I want in the
base image in the /Applications folder I just apply an ownership change
to those directories, with this simple Unix command:

sudo chown -R root:admin /Applications

That will change ownership of all folders under /Applications to be
owned by root, and in the admin group. Next I apply a permissions
command that will modify the rwx attributes.

sudo chmod -R 775 /Applications

This means that the root user and any user in the admin group have full
read-write-execute permissions, while everyone else only has read and
execute. So, your hidden local administrator account will have full
access as well as root (but root always should).

Then in Workgroup Manager create a nested group that includes all
students. Manage their applications by folder in WGM, saying that only
applications may be run from /Applications. Then, next deny them access
to anything under /Applications/Utilities. So far this school year it
has seemed to work pretty well. I restrict that programs can only run
from the Applications folder, period. You can't run an app from the
user's desktop. It will not work. Any app that I want an admin account
to have access to, but no one else, is simply placed in
/Applications/Utilities, since the Utilities folder is restricted in
WGM by the Application preferences.

Also, it is my philosophy to create 2 separate hidden admin accounts. 1
account you give out to your IT staff for management and troubleshooting
of the machine, and the other one you create for all the Casper
management. That way the Casper management account never ever gets
touched. I don't give anyone the Casper admin account password and I
don't even tell people it is on there. It only has one purpose, to
manage the machine for Casper. Then anyone who needs admin rights to
the machine I can just give them the local hidden admin account and they
can use that. I have already had to do a massive password reset last
year because of someone who left a printed password list out. Mass
changing the password from Casper 5.13 to Casper 6 actually was kind of
a pain.

I use Casper for package deployment and policies mainly, as well as
inventory and imaging. I don't manage the applications with Casper
mainly because I don't like how you have to make a global exceptions
list. If I could manage them by smart group I would be more inclined,
since with Open Directory I can manage all students by the all students
group, or a group of students by building and graduation year, or an
individual student account just by managing their user account
specifically.

I would never give your students admin rights; they could root the
machine and erase whatever web filter app you have on there as well as
any tracking software, etc.

If you have any specific questions please feel free to post them.

thx



Thomas Larkin
TIS Department
KCKPS USD500
tlarki at kckps.org
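
Added example, not part of any post in this thread: a shell check for the /Applications lockdown Tom describes, reporting entries that drift from root:admin ownership or become world-writable, and listing .app bundles sitting outside the approved folder. The function names and the directory/owner/group arguments are assumptions made for the example; only standard find options are used.

```shell
#!/bin/sh
# Added example (not from the thread): audit the /Applications lockdown.
# Defaults root/admin match the chown shown in the post; the directory is
# an argument so the check can be tried on a constructed test tree first.
# Typical use on a managed client:
#   audit_app_tree /Applications
#   find_stray_apps /Users

# Report entries under DIR that break the scheme: wrong owner, wrong
# group, or writable by "everyone else". Returns 0 if clean, 1 on findings.
audit_app_tree() {
    dir=$1; owner=${2:-root}; group=${3:-admin}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    # Symlinks are skipped: their own mode bits are not meaningful.
    report=$(
        find "$dir" ! -type l ! -user "$owner" -exec printf 'OWNER %s\n' {} \;
        find "$dir" ! -type l ! -group "$group" -exec printf 'GROUP %s\n' {} \;
        find "$dir" ! -type l -perm -002 -exec printf 'WORLD-WRITABLE %s\n' {} \;
    )
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# List .app bundles under a directory outside the approved location
# (for example a user's Desktop), which the folder-based application
# restriction is meant to block. -prune avoids descending into bundles.
find_stray_apps() {
    [ -d "$1" ] || return 2
    find "$1" -type d -name '*.app' -prune -print
}
```

Run from a recurring management policy, a non-empty report shows which paths need the chown/chmod reapplied, for instance after an installer resets permissions.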