Blocking Lion

noah_swanson
New Contributor

I know there have been discussions on how to block users from installing LION. But I know we have some people out there who will believe they "need" it.

In my efforts, I currently have:

- a smart group to remove the app store if detected.

- MCX "Restrict App Store Purchase"

- "Mac OS X Installer" blocked on Software Restriction

Anything else I should put in place to prevent anyone from installing LION?

Thanks,
Noah Swanson
Imaging Specialist
Enterprise Desktop Services
Phone: 309-765-3153
SwansonNoah at johndeere.com

48 replies

nessts
Valued Contributor II

Better remove ASR, Disk Utility, sudo, DVD drives, disable USB and lock the firmware with a 100-character password. Or just give up one or the other. But you better get it done quickly…

--
Todd Ness
Technology Consultant/Non-Windows Services
Americas Regional Delivery Engineering
HP Enterprise Services

jwojda
Valued Contributor II

Lion is posted to the app store.

John Wojda
Lead System Engineer, DEI & Mobility
3333 Beverly Rd.  B2-338B
Hoffman Estates, IL 60179
Phone:  (847)286-7855
Page:  (224)532.3447
Team Lead DEI: Matt Beiriger
Team Lead Mobility: Chris Sta Ana
                   Mac Tip/Tricks/Self Service & Support

"Any time you choose to be inflexible in your approach to an unpredictable project you are already building failure into your plan"

talkingmoose
Moderator

On 7/20/11 8:20 AM, "Swanson Noah" <SwansonNoah at JohnDeere.com> wrote:

Are you using Casper's Managed Preferences (MCX) or its restricted applications feature to do this?

I'm using restricted applications to block the App Store because it takes
effect at the next policy refresh (about 15 minutes for us) and doesn't
require a log in. You can also display a warning message telling folks
that the App Store shouldn't be used and users should contact their
appropriate IT group.

Include a warning that violators will receive a stern look.

--

William Smith
Technical Analyst
Merrill Communications LLC
(651) 632-1492

SeanA
Contributor III

In addition to those proactive steps, I would add this reactive step: add a smart group (set it to email if changes are made) detecting if Lion has been installed on any of your assets. If Lion is installed, then you can locate the offender.

How do you Restrict App Store Purchase?

Sean
~~~~~~~~~
Sean Alexander
Desktop Analyst
Macintosh Services Delivery
Lockheed Martin - Enterprise Business Services
817-763-3259 (desk)
817-655-9153 (fax)
~~~~~~~~~

noah_swanson
New Contributor

Yep! Just created that group this morning!

There was an MCX template for store purchases:

- Domain: com.apple.appstore
- Name: Restrict App Store Purchases
- Level: System Level Enforced
- Key: RestrictPurchase, Boolean, true

Thanks
--Noah

Matt
Valued Contributor

Any way for a policy to have users receive a notification message with a button to acknowledge? I would love to send a message every hour today to users telling them not to install and click OK to acknowledge.

--
Matt Lee, CCA/ACMT/ACPT/ACDT
Senior IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group

Not applicable

You don't need to do all that. The MCX policy looks fine and you have a
written policy in place that people do not become their own IT shop. That
works as well. People can and will circumvent policies but if it has the risk
of service disruption, data loss, reprimand and non-compliance then the risk
tends to be lower. Eventually that system will make its way back to you one
way or another.

rob_potvin
Contributor III

LOL Because that always works!!

golbiga
Contributor III

Casper just picked up one user trying to install it already. Killed the process. This is fun.

Allen

Not applicable

Nice!

talkingmoose
Moderator

On 7/20/11 9:10 AM, "Matthew Lee" <Matt.Lee at fox.com> wrote:

You can create a policy that displays a notification if not rebooting. Look under the Reboot tab, I believe. Users can simply move the window aside, however, and clicking OK doesn't log anything useful for you to record as an acceptance. Clicking OK also doesn't guarantee understanding.

Every hour sounds a little extreme to me. Rely on whatever policies you
have in place to be the "law". Notify users ahead of time via email that
they should not install any software (including Lion) without IT approval.
Block access to install. Make clear the penalties for violation.

If users are administrators they can do whatever they want. If they ignore
every block you put in front of them then the rest is a people issue and
not a technical issue.

Matt
Valued Contributor

We have some pretty cunning users :)

jwojda
Valued Contributor II

I restricted Install Mac OS X Lion.app and it restricts it fine, but if I change the name of the app to just Mac OS X Lion.app then it lets the install proceed...

Anybody have any ideas on how to proceed to block by wildcards or anything?

rob_potvin
Contributor III

Don't restrict the app, restrict the binary:

Install Mac OS X Lion

That is the name of the binary

Cheers
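The point rob_potvin is making, as an added example (my code, not from the thread or from JAMF): a renamed bundle still contains the same executable under Contents/MacOS, and that executable name, not the bundle name, is what appears in the process list. The script below matches on the executable path suffix, using a constructed sample of `ps ax -o pid=,command=` output; the `kill_installers` wrapper and the "lion-block" syslog tag are assumptions for a Casper policy or launchd job. Caveat: a user with admin rights can also rename the executable inside the bundle (nothing in 10.6 enforces the installer's code signature), so this is a speed bump, not a control.

```shell
#!/bin/sh
# Added example, not from the thread or from JAMF: find the Lion installer by
# the name of its executable rather than its bundle name. Renaming
# "Install Mac OS X Lion.app" to "Mac OS X Lion.app" does not change the
# executable inside the bundle, which is what shows up in the process list.
INSTALLER_EXEC='Install Mac OS X Lion'

# installer_pids: read "pid command" lines (the shape of `ps ax -o pid=,command=`)
# on stdin and print the PIDs whose executable is .../Contents/MacOS/<INSTALLER_EXEC>,
# with or without trailing arguments.
installer_pids() {
    while IFS= read -r line; do
        line=${line#"${line%%[! ]*}"}        # strip ps's leading padding
        pid=${line%% *}
        cmd=${line#* }
        case "$cmd" in
            *"/Contents/MacOS/$INSTALLER_EXEC"|*"/Contents/MacOS/$INSTALLER_EXEC "*)
                printf '%s\n' "$pid" ;;
        esac
    done
}

# kill_installers: live version for a Casper policy or launchd job on the Mac.
# Logs what it killed to syslog (assumed tag "lion-block").
kill_installers() {
    ps ax -o pid=,command= | installer_pids | while IFS= read -r pid; do
        kill "$pid" && logger -t lion-block "killed installer pid $pid"
    done
}

# Constructed sample process list: a renamed bundle, the normal bundle with a
# launch argument, an unrelated app, and a download that merely contains the name.
SAMPLE_PS='  412 /Applications/Mac OS X Lion.app/Contents/MacOS/Install Mac OS X Lion
  418 /Applications/Install Mac OS X Lion.app/Contents/MacOS/Install Mac OS X Lion -psn_0_57358
  500 /Applications/Safari.app/Contents/MacOS/Safari
  513 /Users/bob/Downloads/Install Mac OS X Lion.dmg.download'

printf '%s\n' "$SAMPLE_PS" | installer_pids    # prints 412 and 418
```

Only the two installer processes are reported; the Safari process and the download whose filename happens to contain the string are ignored because neither has the executable under a Contents/MacOS directory.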

jwojda
Valued Contributor II

Is that set in the same restrict application location? I.e., just change what I have to remove the .app at the end?

jarednichols
Honored Contributor

"Technical solutions can't solve social problems" is a frequent saying in these parts. If a statement goes out to your users instructing them not to install Lion and that machines found to be running Lion will be re-imaged to the supported OS then that should be plenty. Have a smart group that detects 10.7 in the JSS and leave it at that. The problem becomes them not being able to follow directions on a piece of equipment that isn't theirs. The remediation for that is not technological.

j
---
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436

golbiga
Contributor III

I'm wondering if I should set to delete the installer with the Restrict Apps policy. Right now I just have it kill the process.

Are Restrict Apps offline?

Not applicable

Well, if your users are in an AD environment they'll pretty soon regret upgrading as the AD/Kerberos part of Lion is FOOBAR. Lion 11A511 cannot get a proper TGT from the DC so no access to services.

//P

On 20 Jul 2011 at 16:40, GolbigA at mskcc.org wrote:

Not applicable

Holy King of Beasts, Batman! Just restrict admin access. No one will be able to install anything (as it should be). That'll hold for awhile.

Roy A. Baril
Director of Technology
UC Berkeley
journalism.berkeley.edu

Matt
Valued Contributor

It's not that easy, especially for people who have walked into an environment where Macs were always rogue. I walked in here 3 years ago and it's taken me 3 years to just get Casper. Telling people we're taking admin rights away would start a sh!tstorm of epic proportions with people who are big players in the media market. Not a battle I want to fight right now.

Not applicable

Same here. We have plenty of devs and programmers with admin access.
It's not something that will go away in our environment and is actually gaining momentum everyday.
We just have to adapt and go with it.

Nick Caro Senior Desktop Support Administrator

golbiga
Contributor III

Same here. Slowly have to restrict access. If it were as easy as removing admin rights I would. But I'm not interested in that battle right now.

RobertHammen
Valued Contributor II

It's even more fun when your organization employs a "stipend" model, where the machine IS technically theirs. They do agree to policies to access the network/company resources, and I've asked nicely for people NOT to upgrade for another week or two (until we get Casper 8.2 + other updates we need to be compatible). We'll see who listens (I already have one "techie" user who paid the $99 and installed the GM)...

talkingmoose
Moderator

On 7/20/11 10:01 AM, "Nick Caro" <Nick.Caro at rga.com> wrote:

In some cases, admin privileges are needed. We shouldn't deny that. I have developers too who know their systems and software better than I do and need access to admin-only areas to be able to do their work.

I'm looking forward to implementing Lion because I can virtualize it under
Apple's new policy. That means I can give my developers a managed machine
without admin privileges but they can create their own virtual machines
with unfettered access for testing and development.

noah_swanson
New Contributor

We're even looking at restricting admin on Windows. We were scolded when we didn't do this with Win7, but there are a lot of obstacles to work around for this. Anymore, you can't just use your applications without admin access. It's a real shame!

I've been pushing it for the Macs since it's a smaller community (150 vs 45000+) but all the people with Macs here think they're special and should be allowed everything.

jarednichols
Honored Contributor

Even on a stipend model there's acceptable use that they need to adhere to. Your AUP should speak to supportability if you're in a stipend model, IMHO. Sure, give them the playground, but there's still a fence they need to stay within, that fence being supportability.

j
Matt
Valued Contributor

If it were up to me admin rights and developers buying machines with a billion gigs of RAM would be stopped but alas, I am just a drone in a massive hive.

talkingmoose
Moderator

On 7/20/11 10:53 AM, "Matthew Lee" <Matt.Lee at fox.com> wrote:

Machines should be "right sized" for the job and in some cases for the user.

Our developers have been transitioning from Windows to Macs in our
organization because our Corporate IT group chose to standardize on a
couple of desktop and laptop computers for all users regardless of the
work they do. I was involved in researching the needs for our developers
and getting them Macs that would fit their needs. They have noticed that
time just compiling code has decreased 10-fold.

A long time ago we bought our Macs with 2 GB RAM standard when Corp IT was
installing 512 MB in their Windows systems. Today, our standard is 4 GB
while they have finally moved to 2 GB. One thing: our Mac users rarely
complain about a slow machine. If they do then it's not the hardware
that's bottlenecking. Our Macs also have a longer lifespan in our
environment too. The difference in price has been well worth the
investment.

sean
Valued Contributor

Regardless of the comments people made about having users with admin, this should never be the case or be required. When I took over our Mac departments, several so-called 'key' members of staff had admin rights. With the backing of my boss, I was able to remove this and prove that I could provide a better service, particularly with Casper, when it came to re-building their machines, pushing out software or plug-ins, etc.

I had to of course put up with an amount of flak from these members of staff, but it was all completely worth it and they are happy without these rights once it was proven to them that they could do everything they needed to be able to do.

Admin is what it says it is: for administering the machine, nothing more.

I would suggest the following:

1) Work out what is required from the various users and how to provide this to them. If you have this solved, then the end user will still be happy. For example, add your developers to the developers group, edit the sudoers file to provide commands that are required. None of our developers have admin rights and in fact a newer developer who joined us bitched about not having admin rights when he arrived and soon found that we were able to provide him everything he required without this and he is happy.

2) Deny access to the store over the network. I've posted this before, but here it is again:

http://support.apple.com/kb/HT3303?viewlocale=en_US

No overhead of analysing processes, no messing around with messages, the store just won't work and (unless you are giving out the admin password for your firewall as well) they can't change it.

I can't stress enough how much you will be helping yourself if you get admin rights removed and you will look back saying why didn't I push for this earlier! If you approach the task clearly and can demonstrate to the end user that they can do everything that they need to be able to do, they will be happy, almost certainly happier than you completely blocking the 'Store'.

Sean
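Sean's point 1 (give developers the specific commands they need via sudoers rather than admin rights), as an added example that is my code, not from the thread: a generator for a sudoers fragment plus a small lint for the two mistakes that hand admin straight back, granting `ALL` or listing a program with a shell escape (editors, pagers, `find -exec`, shells). The group name `developers`, the command list and the `DEV_CMDS` alias are placeholders to adapt.

```shell
#!/bin/sh
# Added example, not from the thread: a sudoers fragment that gives a developer
# group a fixed list of root commands instead of admin rights, plus a lint for
# rules that grant ALL or a program that can spawn a shell. Group name
# "developers" and the command list are placeholders to adapt.
gen_dev_sudoers() {
    cat <<'EOF'
# Developers may run these specific commands as root; nothing else.
Cmnd_Alias DEV_CMDS = /usr/sbin/apachectl, /usr/bin/xcode-select, /usr/sbin/lsof, /usr/bin/killall
%developers ALL = (root) DEV_CMDS
EOF
}

# check_fragment: read a sudoers fragment on stdin; return 1 (and explain on
# stderr) if any rule grants ALL or lists a program that offers a shell escape.
check_fragment() {
    rc=0
    while IFS= read -r line; do
        case "$line" in \#*|'') continue ;; esac
        # "ALL" after the "=" is the right-hand side of a rule or alias.
        case "$line" in
            *=*" ALL"*|*"=ALL"*) printf 'grants ALL: %s\n' "$line" >&2; rc=1 ;;
        esac
        # Programs that can drop the caller into a root shell.
        for bad in /bin/sh /bin/bash /bin/zsh /usr/bin/su /usr/bin/vi /usr/bin/vim \
                   /usr/bin/less /usr/bin/more /usr/bin/find; do
            case " $line " in
                *" $bad "*|*" $bad,"*) printf 'shell escape via %s: %s\n' "$bad" "$line" >&2; rc=1 ;;
            esac
        done
    done
    return $rc
}

gen_dev_sudoers | check_fragment && echo "fragment passes lint"
```

Before installing, save the fragment to a file and run `visudo -cf <file>` for a syntax check, then add it to /etc/sudoers through `visudo` (which refuses to save a broken file). The lint is a sanity check, not a proof: any listed program that takes arbitrary arguments (`killall` here) still deserves a look at what it can be made to do as root.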

Matt
Valued Contributor

Again, tell that to departments that have had admin rights for years, people who are highly influential in the media market, and you have to have the backing of your boss.

Some of us don't have the fire power we need to strip admin rights. Trust me if I could I would have.

jarednichols
Honored Contributor

Easier to ask for forgiveness than permission :)

Trust me, I understand. I'm in the same boat.
Matt
Valued Contributor

We've started removing rights lately. Some users have no issues; it's always the "developers" and artists who need admin rights and 16 gigs of RAM ;)

tlarkin
Honored Contributor

We don't even manage developers, they can do what they want but they also get no support. I assume if you can code applications you can properly use a computer. If not, you probably shouldn't be a software developer....

just saying..

talkingmoose
Moderator

On 7/21/11 6:55 AM, "Sean Holden" <Sean.Holden at framestore.com> wrote:

Are you referring to the local "_developer" group? How does this compare to standard users? I've always taken the underscore as signifying that an item is a system resource and not something to be touched. Not unwilling to be told I'm wrong.

Also curious about how you determine what goes into your sudoers file. Are
you making your developers present you a list of what they need or are you
giving them access to access specific locations?

Matt
Valued Contributor

I see what you did there :) and I agree!!!

sean
Valued Contributor

Adding developers to group 204(_developer) should be enough for them. What other possible reason would they supply you with?

As for artists, admin rights just to draw pretty pictures?!?! Just tell them to follow the number/colour chart :) If they give you anymore grief, call them a 'tracer'!!!

Seriously, though, I did remove admin rights from people that had been using admin rights for years and these people are very influential within our company and some within our industry, so I understand the hill you need to climb. It was more of a mindset than anything else and they soon realised that they didn't actually need it. It's like taking away the packaging from a baby: you may have it now and it might be fun to chew on, but go any further and you are going to suffer, so I'm going to take it away from you before it's too late.

Sean

talkingmoose
Moderator

On 7/21/11 9:44 AM, "Thomas Larkin" <tlarki at kckps.org> wrote:

The problem with turning a blind eye to any person or group is that you don't know what they're doing.

I've deployed nearly a dozen new Macs within the past couple of months to
developers here, some of which are newly hired contractors. Not that I
like it but our standard policy has been to allow them admin privileges
because they need access to more than a standard user on their machines. I
personally give each one a speech explaining that administrator privileges
do not mean they are allowed to purchase and install their own software.
Open source is fine as long as it falls under the project they're working
on. I've had two ignore that.

We take software licensing very seriously here. If I don't at least
monitor what they're doing then they could be violating our company
policies or vendor license agreements. I've found some blatantly turn a
blind eye themselves to licensing or are completely ignorant of why it's
important. All in the name of "doing what I need to get my job done."

tlarkin
Honored Contributor

Hahahaha @ call them a tracer... Luckily I was not drinking my coffee when I read that. Otherwise I would have spat it on my laptop.

I use extension attributes to detect admin rights on machines and then hand the report to the administrators of the buildings. They then punish the person for violating AUP. Then again I work in academia and we are a bit more authoritarian here than some places in the private sector.

-Tom
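An extension attribute of the kind tlarkin describes, as an added example (my code, not from the thread or from JAMF): it reads the local admin group's membership and reports any account not on an expected list, so a smart group on that attribute (with change e-mail enabled) flags machines where someone holds admin. The management account name `casperadmin` is a placeholder. Caveat: `GroupMembership` lists direct members only; directory users granted admin through a nested group (for example an AD group added via the Directory Utility "Allow administration by" setting) do not appear there, and for a specific user `dsmemberutil checkmembership -U <name> -G admin` is the way to resolve effective membership.

```shell
#!/bin/sh
# Added example, not from the thread or from JAMF: a Casper extension attribute
# that reports which local admin accounts are not on the expected list, so a
# smart group (with change e-mail) can flag machines where someone has admin.
# "casperadmin" is a placeholder for your own management account name.
EXPECTED_ADMINS="root casperadmin"

# unexpected_admins: take the output of
#   dscl . -read /Groups/admin GroupMembership
# on stdin (one line: "GroupMembership: root casperadmin ...") and print every
# member not in EXPECTED_ADMINS, one per line. Returns 1 on malformed input.
unexpected_admins() {
    IFS= read -r line
    case "$line" in GroupMembership:*) ;; *) return 1 ;; esac
    for m in ${line#GroupMembership:}; do
        case " $EXPECTED_ADMINS " in
            *" $m "*) ;;
            *) printf '%s\n' "$m" ;;
        esac
    done
}

# ea_result: wrap the list in the <result></result> tags Casper expects,
# reporting "none" when the admin group holds only expected accounts.
ea_result() {
    extra=$(unexpected_admins) || {
        printf '<result>error: no GroupMembership line</result>\n'
        return 1
    }
    extra=$(printf '%s' "$extra" | tr '\n' ' ')
    extra=${extra% }
    printf '<result>%s</result>\n' "${extra:-none}"
}

# Live run on a Mac; on any other system the dscl call is skipped.
if command -v dscl >/dev/null 2>&1; then
    dscl . -read /Groups/admin GroupMembership | ea_result
fi
```

A constructed membership line such as `GroupMembership: root casperadmin jsmith mjones` yields `<result>jsmith mjones</result>`; a machine with only the expected accounts yields `<result>none</result>`, which is the value the smart group criteria should exclude.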

tlarkin
Honored Contributor

They are like 4 people, they write in house apps that run on Macs and PCs that are web based, mostly .NET stuff. I don't care what they do. My head boss oversees them personally. They also don't need our support. They do their own thing, we do ours. Their machines aren't even bound to the domain, nor do they have network accounts, they also don't have the casper client loaded on them. They are dev macs, and out of my jurisdiction. Which I am 100% OK with.

-Tom