Blocking 10.7 Lion Installation for Admin users

Not applicable

With the impending release of Lion in July, we're quite concerned
about our students' ability to upgrade to Lion. We don't want them to.

- All our students are admin users on their laptops (yes, I know, I
know; but politically it's a sensitive issue and can't be changed)
- All laptops are running 10.6.x
- Politically, we can't block the Mac App Store, or remove it from our
systems. Students need to be able to use it to buy software they want
(just not Lion).

Can anyone think of a way to block the installation of Lion without
demoting our user base to standard users?

I know that the installer creates a hidden restore partition. Could
there be a way to block the creation of this restore partition which
would then cause the install to fail? Really just spitballing here.
We're scrambling to engineer a solution for this so we don't have
students returning in September with their laptops upgraded to Lion.

Any ideas?

Thanks,

Damien Barrett
System Technician
Montclair Kimberley Academy
Montclair, NJ 07042
973-842-2812

22 REPLIES

jafuller
Contributor

Hey Matt,
Can you be more specific about this statement? I was just pressured to un-block the App Store here.

--
James Fuller | Technology Application Services | application developer II

talkingmoose
Moderator

On 6/7/11 2:06 PM, "James Fuller" <JaFuller at starbucks.com> wrote:

You really need to have your Legal department weigh in on that decision:

http://www.apple.com/legal/itunes/us/terms.html#APPS

One line says it all: "(i) You may download and use an application from
the Mac App Store ('Mac App Store Product') for personal, non commercial
use on any Apple-branded products running Mac OS X ('Mac Computer') that
you own or control."

--

William Smith
Technical Analyst
Merrill Communications LLC
(651) 632-1492

Matt
Valued Contributor

The licensing for the App Store makes no sense. As a Corp. or School, why would anyone want to enable purchases that are made by a company to the App Store? Once the person makes the purchase, the App is attached to them and not the company forever.

--
Matt Lee
FNG Sr. IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group
matthew.lee at fox.com

Need Help? Call the Help Desk at (310) 969-HELP (ext 24357) or online at http://itteam
Help Desk Hours: Mon-Fri, 6AM-6PM PST

stevewood
Honored Contributor II

<snark machine: on>
On Tue, Jun 7, 2011 at 2:21 PM, Matthew Lee <Matt.Lee at fox.com> wrote:

Now, now, you are all assuming that Apple has the best interests of the
Enterprise in mind when they do these things. As long time administrators,
most of us, we should all know what Apple truly thinks of the Enterprise. Just look at how they treated us at WWDC in 2010, and what about our
beloved XRAID, oh and don't forget the latest casualty, the XServe.

I love Apple and their products, but they've never had Enterprise high on
their priority list, so why start now with the App Store. If they truly
took Enterprise (and I will lump Education into this for this part)
seriously, they would give us an easy, documented (officially documented,
not a blog post on someone's page), way to not only disable the App Store
from running, but remove it from the machine and have it never come back
(unless we wanted it to).

<snark machine: off>

<gets down off of soap box>

Steve

Matt
Valued Contributor

You're right Steve. 2 months before WWDC an Apple Rep/Engineer gave us a "Roadmap" and we invested about 50 grand only to have been totally shafted. They straight up lied to us.

--
Matt Lee
FNG Sr. IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group
matthew.lee at fox.com

Need Help? Call the Help Desk at (310) 969-HELP (ext 24357) or online at http://itteam
Help Desk Hours: Mon-Fri, 6AM-6PM PST

stevewood
Honored Contributor II

On Tue, Jun 7, 2011 at 2:40 PM, Matthew Lee <Matt.Lee at fox.com> wrote:

I should also state, in all fairness, that every Apple SE I have ever worked
with (Al Stover and Dan Flynn among them) have been awesome, and have gone
out of their way to help us out. The SEs have always tried to help the
Enterprise, it just seems that the company as a whole has not felt like
there was a reason to go after the Enterprise.

I can remember being at WWDC in 2007 and talking with several IT folks over
beers at the Thirsty Bear (thanks AFP548 and Group Logic), and how excited
we were that Apple seemed to really be putting more effort into the
Enterprise tracks at WWDC. I remember a brown bag lunch session with Joel
Rennich, Bombich, Schoun Regan, and others, and it was GOOD! Then 2008
rolled around and the Enterprise track was slimmed down, and gone by 2009.

It's a shame, that's what it is....

Steve

Not applicable

One would assume it will work the same way it does now with the Developer Previews: An app is downloaded, then you start the app and the install/upgrade starts.
In that case, you could just wait until Lion is released, see what the App is called and then disallow that app from starting, and so, no upgrades.

//Patrik

---------------------------------------------------------------
Patrik Sonestad
Head of Division
Division of ALM and Book History
Department of Cultural Sciences
Lund University
Telephone: 046-2223141, 070-3219074
E-mail: Patrik.Sonestad at kultur.lu.se

On 7 Jun 2011, at 16:04, Damien Barrett wrote:

Not applicable

I'm going to grab a bag of popcorn for this one…
The AppStore is making me more nervous than a long tailed cat in a room full of rocking chairs. We also have a good size population of admin users that is growing and there is just nothing we can do about it.

The only thing I could contribute would be to botch up the permissions on any directories that are created as it prepares for the install, that would then cause the install to fail.
There must be a way to leverage JSS in this..

Nick Caro Senior Desktop Support Administrator

rob_potvin
Contributor III

You could check to see if there is a specific process that is being launched on the upgrade and then blacklist in Casper.

Would have to do some testing, see what is being launched when it's purchased, but if that specific process can't launch and is deleted then they won't be able to install leopard.

tlarkin
Honored Contributor

The App Store will be barred, I think, from all users in our environment.

rob_potvin
Contributor III

Might join you on this bag of popcorn. I just finished getting 50 plus ipad 2 ready for a cart and buying everything to one account and then restoring from backup on each ipad is a long process... bringing that to the mac is also making me nervous

jarednichols
Honored Contributor

We have a saying around here:

"Technical solutions can't fix social problems."

:)
---
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436

Not applicable

I was able to add the process "Install Mac OS X.app" to the Restricted
Apps rule in JSS and it did indeed block the execution of my Lion DP3
installer. See screenshots.

So unless Apple changes how the Lion OS install works before it's
released, this should work for us.

Note, this will not stop a user from burning the Mac App Store
downloaded .dmg to a disc and then booting from said disk and running
the OS upgrade that way. However, if that happens, it's quite a
different issue.

Hope this helps,

Damien.

![external image link](attachments/906bef3cef5e4be396e7fc038ca1f637)
![external image link](attachments/0f6b42b13a9345afb02b29ad96ecdee1)

rockpapergoat
Contributor III

sounds like you're in for a world of pain.

can you explain the political problems?

i'd let things play out and use it as justification for removing admin rights. the political issues aren't going to go away unless there's some reason to work differently.

tell your higher-ups that you can't do your job in this environment, then back it up with facts.

Matt
Valued Contributor

Just block the App Store altogether. The licensing scheme doesn't make any sense for anyone in a Corp. or School to have it enabled anyways.

--
Matt Lee
FNG Sr. IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group
matthew.lee at fox.com

Need Help? Call the Help Desk at (310) 969-HELP (ext 24357) or online at http://itteam
Help Desk Hours: Mon-Fri, 6AM-6PM PST

SeanA
Contributor III

Nice. If you have not already, I would follow it up with a smart group
that monitors if you have 10.7 in your environment and, if so, emails you.

Sean
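As an added example (not posted by anyone in this thread), a shell check that could back the 10.7 monitoring suggested above: it flags a machine that is already on 10.7 or later, or that has the installer bundle staged on disk. The bundle name is the one reported in this thread for Lion DP3; the function names, search paths and output format are assumptions.

```shell
#!/bin/sh
# Added example: classify a Mac as upgraded, installer-staged, or clean.
# Bundle name as reported in this thread for Lion DP3; the release build may differ.
INSTALLER_NAME="Install Mac OS X.app"

# is_lion_or_later VERSION -> 0 if 10.7 or newer, 1 if older, 2 if unparsable
is_lion_or_later() {
    major=${1%%.*}
    case "$1" in
        *.*) rest=${1#*.}; minor=${rest%%.*} ;;
        *)   minor=0 ;;
    esac
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in ''|*[!0-9]*) return 2 ;; esac
    [ "$major" -gt 10 ] && return 0
    [ "$major" -eq 10 ] && [ "$minor" -ge 7 ]
}

# find_installers ROOT... -> print paths of staged installer bundles
find_installers() {
    for root in "$@"; do
        if [ -d "$root" ]; then
            find "$root" -maxdepth 4 -type d -name "$INSTALLER_NAME" \
                -prune -print 2>/dev/null || true
        fi
    done
    return 0
}

# lion_status VERSION ROOT... -> one status line for inventory reporting
lion_status() {
    version=$1; shift
    found=$(find_installers "$@")
    if is_lion_or_later "$version"; then
        echo "UPGRADED os=$version"
    elif [ -n "$found" ]; then
        echo "INSTALLER_PRESENT os=$version path=$(echo "$found" | head -n 1)"
    else
        echo "OK os=$version"
    fi
}

# On a Mac, report on the live system (search roots are assumptions).
if command -v sw_vers >/dev/null 2>&1; then
    lion_status "$(sw_vers -productVersion)" /Applications /Users
fi
```
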

sean
Valued Contributor

Yes, you could use Casper to prevent processes from running, but there is nothing, as you say, to stop users creating an image to install from another source. Once done, Casper won't be reporting anything if they do a fresh install, so you won't be able to capture 10.7 machines that way.

I have to say, take it up the chain of command as far as possible till you get someone to approve turning off admin rights. Education is supposed to be a learning curve to future jobs. We don't allow admin and some users are a pain complaining that they don't have it. This isn't helped with educational institutes allowing students to do what they want; "I had admin rights before elsewhere, why can't I have it here?"

If you need to provide some admin features to users, then your sudoers file should be amended to allow access to certain commands only.

You really need to push for a policy to remove admin rights and therefore all the headaches that come around from allowing this. Your time would be better focused on this than spending a massive amount of time preventing all the admin problems.

It may be worth looking at which aspects of admin are considered necessary and see if there are ways to provide these without providing the users with full admin. If necessary, you could come up with a document demonstrating how the students could have what is required and how you can achieve this for them without them having admin rights. You really would be doing yourself a favour!

Sean

Not applicable

Will,
What about the next paragraph in the terms?

(ii) If you are a commercial enterprise or educational institution, you may
download a Mac App Store Product for use by either (a) a single individual
on each of the Mac Computer(s) used by that individual that you own or
control or (b) multiple individuals on a single shared Mac Computer that you
own or control. For example, a single employee may use a Mac App Store
Product on both the employee’s desktop Mac Computer and laptop Mac Computer,
or multiple students may serially use a Mac App Store Product on a single
Mac Computer located at a resource center or library. For the sake of
clarity, each Mac Computer used serially by multiple users requires a
separate license.

Maybe I'm wrong, but in practice, I see teachers being able to purchase an
App using their personal iTunes account and have a copy on their school
laptop and home computer. This applies to Apps for iOS devices, too. We
don't want unauthorized/distracting software on student use computers, but I
can see teachers using apps they paid for legally on their school computers
in a legitimate fashion.
-Nathaniel Lindley

donmontalvo
Esteemed Contributor III

Geez...where did I put those screen wipes.

If our clients dismiss our recommendations, they eventually pay the price. The client usually learns their lesson and they listen to us the next time.

Excellent thread...we're going to test adding "Install Mac OS X.app" to the restricted apps rule.

Don

So you demand admin rights for your users?

--
https://donmontalvo.com

talkingmoose
Moderator

On 6/7/11 3:15 PM, "Nathaniel Lindley" <tallmacman at gmail.com> wrote:

Good catch! I may have overlooked this or it may be new. I still wouldn't
touch it.

Part (b) is similar to most basic software licenses. An administrator can
install the software and anyone sitting in front of the computer can use
it. That's easy to enforce provided your users aren't administrators.

Part (a) renders software license enforcement and auditing impractical or
even impossible because there is no reasonable means of enforcing who can
use specific software on each machine. Yes, I could use Casper's
Restricted Software feature, but I don't have the capacity to manage a
practically endless number of software titles for hundreds of users and
hundreds of computers.

Don't get me wrong. I'm not arguing that you can't legally do this.
However, the onus of proper licensing falls on the computer's legal owner.
I see no reasonable way to allow part (a) and ensure license compliance.

--

William Smith
Technical Analyst
Merrill Communications LLC
(651) 632-1492

holger
New Contributor

Hi,

I think we all have similar problems with upgrading to Lion and purchases with the Appstore.

When you just need to prevent the Lion-Upgrade I would create a restricted Software which kills the process.
If you want to restrict the whole Appstore.app you can create a restricted software too and additionally I would use 'chflags' in a script:

chflags hidden "/Applications/App Store.app"

Thanks Apple for changing it all again! ;)

All the best,
Holger

sean
Valued Contributor