Posted on 10-04-2016 07:01 AM
Does anyone have any suggestions for an alternative for DeepFreeze for Mac Lab Environments?
Thanks!
Posted on 10-04-2016 07:18 AM
I guess the two critical questions are: (1) are you giving your users admin access? (2) are you using local home directories?
I'm going to assume #2 is yes, as it seems very few people are using network homes these days (for good reason).
If you're not giving your users admin access, then the answer is generally pretty simple: nuke the home directories after they log out. I'm running a script at check-in that deletes all home directories except the administrator account, "Shared," and the currently logged in account. If they don't have admin access, the number of things they can alter outside their home directory is practically non-existent.
If you are giving them admin access... why?
We were using Deep Freeze for a while, mostly inertia because it is a beautiful tool to use on our Windows machines. After I realized that it was causing more headaches than it was a benefit to us on the Mac, I punted it in favor of nuking home directories, and really haven't had any issues (other than a frustrating issue with MDM commands, which I referenced in another thread).
Posted on 10-04-2016 07:18 AM
Yes, use configuration profiles to lock down where students can launch apps from (/Applications) and other folders that may need it (/Library/Sophos Anti-Virus) and delete user profiles. Make sure any folder you whitelist doesn't have read/write access for students.
Then also delete user profiles on machines. You used to be able to delete user profiles via config profiles, but it works in some OS versions and not others, so we script it now. If you search JAMFNation there are threads with example scripts for that. Post back if you can't find them.
Posted on 10-04-2016 07:21 AM
Oh, and one more thing: Firmware password! If you don't, they can easily boot into single user mode or off of external media, and then all bets are off. You need to corral them to your boot environment where you control the user permissions.
Posted on 10-04-2016 07:47 AM
So right now our lab machines are bound to AD and the student logs in using their AD credentials to log in. Once they log in, a script runs to mount a directory and alias' are created on their desktop to 2 specific folders. They do not have admin rights.
The biggest complaint we are getting is 2 minutes to log in.
We are using DeepFreeze incase something happens on the machine, a simple restart resets machine. Things like Adobe licensing issues, virus downloads, etc.
Posted on 10-04-2016 08:07 AM
We have an almost identical environment, @Caist. We too are bound to AD, and run a script to mount their Windows home directory (their "Q-drive" in our parlance).
Are your computers wireless or wired? 802.1x? The only time I've been aware of logons that slow for us were with our computers attempting to implement an 802.1x wi-fi user-level profile, but there's something mis-configured with our Aruba access control and it just never worked properly. We punted on that and switched to a computer-level profile and we've been fine since.
Posted on 10-04-2016 08:23 AM
They are hardwired right now, wifi is actually turned off on the machines.
Posted on 10-04-2016 11:40 AM
In Deep Freeze you can create a thaw space for kids to save data temporarily in case of a crash/reboot. We have Google for Education, so we tell students to save ll of their files to their Drive accounts. Then you can purge the thawspace every so often. If you want to get rid of Deep Freeze for good, you'd need to script a way to reset all of the caches, preferences, etc to the way you would like them.
Posted on 10-04-2016 11:51 AM
@rhoward but how does the thawspace work with AD accounts?
Posted on 10-05-2016 05:22 AM
You can use Faronics Data Igloo (i think its free with DF site license) to redirect the user profiles made by AD to the thaw space.
Essentially what was said above by @georgecm12 was what I thought about using DF on our macs since we have 1200 PC's using it, but it just didnt make sense with the ease of wiping user home directories easily with casper. So we elected to skip using DF on the macs. Also, seems to not play with fusion drives at all.......
Posted on 10-05-2016 05:27 AM
If you have AD and enterprise windows licensing, IMO DF doesn't make sense in Windows anymore either. We used it happily for years, but decided the risk of running machines that never patched wasn't worth it anymore.
With AD, you can set home directories to delete and set a shut down time so it happens each day (or every 7 days, whatever). You can also control what apps can launch from where (similar to what we do with OSX config profiles) via Applocker with whitelists by publisher.
The cert/publisher model in Applocker is actually even better than OSX config profiles because you can upload a .exe to applocker, it will read if it's signed, and you can say something like "allow all apps to run if they are signed by Cisco" or you can further lock it down and say "allow only Cisco webex version 15.2.4" to run if you didn't want to allow all of cisco, or lock it down to a particular version.
Yes, I know DF offers maintenance windows, but with laptops powered off in carts, it was never realistic for us to get machines patched. Oh and there's no extra cost to using AD if you already have the infrastructure.
Posted on 12-05-2016 09:32 AM
@Caist and @georgecm12 - You mention earlier that you are using specific scripts to mount home directories. Do you care to share what script you are using. Just looking for a template to do the exact same plus some. Thank you!
Posted on 12-07-2016 05:01 AM
My process is 2 fold actually. I have a policy that runs on login that runs 2 scripts:
Script 1 - Mount Network Share
This script I found in the JAMF Resource Kit (https://www.jamf.com/jamf-nation/third-party-products/files/476/mountnetworkshare-sh-mount-a-network-share) that basically goes and finds the kerberos ticket information for the logged in user and mounts a drive to a specific location I setup in the script.
Script 2 - Symbolic Links on Desktop
A custom script I made to create 2 symbolic links for 2 folders located in the drive that was mounted in script 1 (For us, this is the Documents and Desktop folder)
Posted on 12-07-2016 05:32 AM
thanks @Caist !