Question

Blocking Lion

  • July 20, 2011
  • 48 replies
  • 86 views


I know there have been discussions on how to block users from installing LION. But I know we have some people out there who will believe they "need" it.

In my efforts, I currently have:

- a smart group to remove the app store if detected.

- MCX "Restrict App Store Purchase"

- "Mac OS X Installer" blocked on Software Restriction

Anything else I should put in place to prevent anyone from installing LION?

Thanks,
Noah Swanson
Imaging Specialist
Enterprise Desktop Services
Phone: 309-765-3153
SwansonNoah at johndeere.com

48 replies

  • Valued Contributor
  • July 20, 2011

Better remove ASR, Disk Utility, sudo, DVD drives, disable USB and lock the firmware with a 100-character password. Or just give up one or the other. But you'd better get it done quickly…

--
Todd Ness
Technology Consultant/Non-Windows Services
Americas Regional Delivery Engineering
HP Enterprise Services


ImAMacGuy
  • Esteemed Contributor
  • July 20, 2011

Lion is posted to the app store.

John Wojda
Lead System Engineer, DEI & Mobility
3333 Beverly Rd.  B2-338B
Hoffman Estates, IL 60179
Phone:  (847)286-7855
Page:  (224)532.3447
Team Lead DEI: Matt Beiriger
Team Lead Mobility: Chris Sta Ana
                   Mac Tip/Tricks/Self Service & Support

"Any time you choose to be inflexible in your approach to an unpredictable project you are already building failure into your plan"


talkingmoose
  • Community Manager
  • July 20, 2011

On 7/20/11 8:20 AM, "Swanson Noah" <SwansonNoah at JohnDeere.com> wrote:

Are you using Casper's Managed Preferences (MCX) or its restricted
applications feature to do this?

I'm using restricted applications to block the App Store because it takes
effect at the next policy refresh (about 15 minutes for us) and doesn't
require a log in. You can also display a warning message telling folks
that the App Store shouldn't be used and users should contact their
appropriate IT group.

Include a warning that violators will receive a stern look.

--

William Smith
Technical Analyst
Merrill Communications LLC
(651) 632-1492


  • Contributor
  • July 20, 2011

In addition to those proactive steps, I would add this reactive step: add a smart group (set it to email if changes are made) detecting if Lion has been installed on any of your assets. If Lion is installed, then you can locate the offender.

How do you Restrict App Store Purchase?

Sean
~~~~~~~~~
Sean Alexander
Desktop Analyst
Macintosh Services Delivery
Lockheed Martin - Enterprise Business Services
817-763-3259 (desk)
817-655-9153 (fax)
~~~~~~~~~


  • Author
  • Contributor
  • July 20, 2011

Yep! Just created that group this morning!

There was an MCX template for store purchases: com.apple.appstore, Restrict App Store Purchases, System Level Enforced, RestrictPurchase, Boolean, true

Thanks
--Noah


  • Valued Contributor
  • July 20, 2011

Any way for a policy to have users receive a notification message with a button to acknowledge? I would love to send a message every hour today to users telling them not to install and to click OK to acknowledge.

--
Matt Lee, CCA/ACMT/ACPT/ACDT
Senior IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group


  • July 20, 2011

You don't need to do all that. The MCX policy looks fine and you have a
written policy in place that people do not become their own IT shop. That
works as well. People can and will circumvent policies, but if it has the risk
of service disruption, data loss, reprimand and non-compliance then the risk
tends to be lower. Eventually that system will make its way back to you one
way or another.


rob_potvin
  • Employee
  • July 20, 2011

LOL Because that always works!!


golbiga
  • Employee
  • July 20, 2011

Casper just picked up one user trying to install it already. Killed the process. This is fun.

Allen


  • July 20, 2011

Nice!


talkingmoose
  • Community Manager
  • July 20, 2011

On 7/20/11 9:10 AM, "Matthew Lee" <Matt.Lee at fox.com> wrote:

You can create a policy that displays a notification if not rebooting.
Look under the Reboot tab, I believe. Users can simply move the window
aside, however, and clicking OK doesn't log anything useful for you to
record as an acceptance. Clicking OK also doesn't guarantee understanding.

Every hour sounds a little extreme to me. Rely on whatever policies you
have in place to be the "law". Notify users ahead of time via email that
they should not install any software (including Lion) without IT approval.
Block access to install. Make clear the penalties for violation.

If users are administrators they can do whatever they want. If they ignore
every block you put in front of them then the rest is a people issue and
not a technical issue.

--

William Smith
Technical Analyst
Merrill Communications LLC
(651) 632-1492


  • Valued Contributor
  • July 20, 2011

We have some pretty cunning users :)


ImAMacGuy
  • Esteemed Contributor
  • July 20, 2011

I restricted Install Mac OS X Lion.app and it restricts it fine, but if I change the name of the app to just Mac OS X Lion.app then it lets the install proceed...

Anybody have any ideas or thoughts on how to block by wildcards or anything?

John Wojda
Lead System Engineer, DEI & Mobility
3333 Beverly Rd.  B2-338B
Hoffman Estates, IL 60179
Phone:  (847)286-7855
Page:  (224)532.3447
Team Lead DEI: Matt Beiriger
Team Lead Mobility: Chris Sta Ana
                   Mac Tip/Tricks/Self Service & Support

"Any time you choose to be inflexible in your approach to an unpredictable project you are already building failure into your plan"


rob_potvin
  • Employee
  • July 20, 2011

Don't restrict the app, restrict the binary:

Install Mac OS X Lion

That is the name of the binary.

Cheers
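An added example (not from this thread and not Casper's own code) of why keying on the binary rather than the bundle name holds up against the rename described above. It compares a fragile check on the `.app` name with one that matches the last path component; the `ps` output is constructed, and the live scan assumes macOS `ps -axo pid=,comm=`, which prints the full executable path.

```shell
#!/bin/sh
# Added example: detect the Lion installer by the executable inside Contents/MacOS,
# not by the .app bundle name, so renaming the bundle does not defeat the check.
INSTALLER_EXEC="Install Mac OS X Lion"

# Fragile check: keys on the bundle name, so a renamed "Mac OS X Lion.app" slips through.
# stdin: "<pid> <full executable path>" per line; stdout: matching PIDs, space-separated.
pids_by_bundle_name() {
    awk -v want="Install Mac OS X Lion.app" '
        { pid = $1; sub(/^[ \t]*[0-9]+[ \t]+/, "")      # drop the pid, keep the path (spaces intact)
          if (index($0, "/" want "/") > 0) { printf "%s%s", sep, pid; sep = " " } }
        END { print "" }'
}

# Sturdier check: keys on the last path component, i.e. the actual binary name.
pids_by_executable() {
    awk -v want="$INSTALLER_EXEC" '
        { pid = $1; sub(/^[ \t]*[0-9]+[ \t]+/, "")
          n = split($0, parts, "/")
          if (parts[n] == want) { printf "%s%s", sep, pid; sep = " " } }
        END { print "" }'
}

# Constructed sample of "ps -axo pid=,comm=" output: 502 is the renamed bundle.
SAMPLE_PS='  501 /Applications/Install Mac OS X Lion.app/Contents/MacOS/Install Mac OS X Lion
  502 /Users/jdoe/Desktop/Mac OS X Lion.app/Contents/MacOS/Install Mac OS X Lion
  503 /Applications/Safari.app/Contents/MacOS/Safari'

# Live scan only on macOS (assumption: comm= carries the full path there).
if [ "$(uname)" = "Darwin" ]; then
    printf 'live, by executable: %s\n' "$(ps -axo pid=,comm= | pids_by_executable)"
fi
printf 'sample, by bundle name: %s\n' "$(printf '%s\n' "$SAMPLE_PS" | pids_by_bundle_name)"
printf 'sample, by executable:  %s\n' "$(printf '%s\n' "$SAMPLE_PS" | pids_by_executable)"
```

The bundle-name check reports only 501, while the executable check reports 501 and 502.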


ImAMacGuy
  • Esteemed Contributor
  • July 20, 2011

Is that set in the same restrict application location? I.e., just change what I have to remove the .app at the end?

John Wojda
Lead System Engineer, DEI & Mobility
3333 Beverly Rd.  B2-338B
Hoffman Estates, IL 60179
Phone:  (847)286-7855
Page:  (224)532.3447
Team Lead DEI: Matt Beiriger
Team Lead Mobility: Chris Sta Ana
                   Mac Tip/Tricks/Self Service & Support

"Any time you choose to be inflexible in your approach to an unpredictable project you are already building failure into your plan"


  • Valued Contributor
  • July 20, 2011

"Technical solutions can't solve social problems" is a frequent saying in these parts. If a statement goes out to your users instructing them not to install Lion and that machines found to be running Lion will be re-imaged to the supported OS then that should be plenty. Have a smart group that detects 10.7 in the JSS and leave it at that. The problem becomes them not being able to follow directions on a piece of equipment that isn't theirs. The remediation for that is not technological.

j
---
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436


golbiga
  • Employee
  • July 20, 2011

I'm wondering if I should set it to delete the installer with the Restrict Apps policy. Right now I just have it kill the process.

Are Restrict Apps offline?


  • July 20, 2011

Well, if your users are in an AD environment they'll pretty soon regret upgrading, as the AD-Kerberos part of Lion is FOOBAR. Lion 11A511 cannot get a proper TGT from the DC, so no access to services.

//P

On 20 Jul 2011 at 16:40, GolbigA at mskcc.org wrote:


  • July 20, 2011

Holy King of Beasts, Batman! Just restrict admin access. No one will be able to install anything (as it should be). That'll hold for awhile.

Roy A. Baril
Director of Technology
UC Berkeley
journalism.berkeley.edu


  • Valued Contributor
  • July 20, 2011

It's not that easy. Especially for people who have walked into an environment where Macs were always rogue. I walked in here 3 years ago and it's taken me 3 years just to get Casper. Telling people we're taking admin rights away would start a sh!tstorm of epic proportions with people who are big players in the media market. Not a battle I want to fight right now.

--
Matt Lee, CCA/ACMT/ACPT/ACDT
Senior IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group


  • July 20, 2011

Same here. We have plenty of devs and programmers with admin access.
It's not something that will go away in our environment and is actually gaining momentum everyday.
We just have to adapt and go with it.

Nick Caro Senior Desktop Support Administrator


golbiga
  • Employee
  • July 20, 2011

Same here. We slowly have to restrict access. If it were as easy as removing admin rights I would. But I'm not interested in that battle right now.


RobertHammen
  • Esteemed Contributor
  • July 20, 2011

It's even more fun when your organization employs a "stipend" model, where the machine IS technically theirs. They do agree to policies to access the network/company resources, and I've asked nicely for people NOT to upgrade for another week or two (until we get Casper 8.2 + other updates we need to be compatible). We'll see who listens (I already have one "techie" user who paid the $99 and installed the GM)...


talkingmoose
  • Community Manager
  • July 20, 2011

On 7/20/11 10:01 AM, "Nick Caro" <Nick.Caro at rga.com> wrote:

In some cases, admin privileges are needed. We shouldn't deny that. I have
developers too who know their systems and software better than I do and
need access to admin-only areas to be able to do their work.

I'm looking forward to implementing Lion because I can virtualize it under
Apple's new policy. That means I can give my developers a managed machine
without admin privileges but they can create their own virtual machines
with unfettered access for testing and development.

--

William Smith
Technical Analyst
Merrill Communications LLC
(651) 632-1492


  • Author
  • Contributor
  • July 20, 2011

We're even looking at restricting admin on Windows. We were scolded when we didn't do this with Win7, but there are a lot of obstacles to work around for this. These days you just can't use your applications without admin access. It's a real shame!

I've been pushing it for the Macs since it's a smaller community (150 vs 45000+), but all the people with Macs here think they're special and should be allowed everything.