Posted on 02-15-2017 01:38 PM
I work for an Engineering College. We have very few Macs in our open computer labs. Up until recently we were making all users standard users and then nuking their home directories every morning with a cron job. Recently we've discovered when using development type apps the students need to be more than a standard user. Xcode for instance. I've tried using a script which added a user at login to the development group but didn't have success. So the current thought is to make everyone an admin, also tricky since we're bound to an AD, and using Deep Freeze to keep the Mac safe and functional.
Thoughts, road blocks, potential problems? I'm very inexperienced with this, sorry.
Posted on 02-16-2017 07:08 AM
We're moving the opposite direction. We've had DeepFreeze for years in both of our Windows and Mac labs. By the end of the summer the goal is to be completely free of DeepFreeze.
The reason being that it's a cost for something that has been problematic on the Windows side and gets in our way on both platforms. I just removed it from 3 Mac labs at the start of this semester and have implemented policies that clean out certain portions and then copy in specific application settings. It's not perfect but it works. These aren't labs for development but design, and use Creative Cloud. Nobody gets admin rights in the Mac labs. Our current configuration has the labs with one generic login but going into the fall we're looking at students using their own AD accounts and using OneDrive for their storage. With the students having their own accounts, it reduces the need to automatically reset things. I still plan to have policies that reset settings back to defaults but the cleanup doesn't have to be automatic and Self Service is proving valuable for this sort of thing.
For what it's worth on the Windows side they're finally utilizing mandatory profiles in combination with removing admin rights. That combination works really well in replacing DeepFreeze. I did this for 11 years in a different dept when I was supporting Windows. The rest of campus is just now implementing it.
Also, you mentioned Xcode and needing admin rights. Have you spoken with Apple about this? Recently we were considering installing Xcode in a lab and I spoke with our systems engineer at Apple about now wanting to provide admin rights. He said there was an Apple support document on how to configure this. I never got the document as we ended up not going that route but I had also come across the following link as well. I haven't read it in detail since I don't need to worry about it but maybe it'll help.
http://www.richard-purves.com/2017/02/04/xcode-without-admin-rights/
Whether that helps or not, you might want to hit Apple up and see what they recommend.
Posted on 02-16-2017 08:29 AM
@jhuls Thanks for the response and the link, I'll give that a read and see if I need to contact Apple as you suggested. As I mentioned above, we tried adding users on the fly at login with a script to the developers group to avoid being admins. However, I think because of the lack of a home file (deleted every morning) and because these are AD accounts it just wasn't working for us.
RE: Windows. We don't use Deep Freeze. We made a change several years back to provision all our Windows lab computers with Citrix. This has worked very well for us. All users can be admins and they can load the worst virus or delete the registry and all we need do is reboot the computer and it's back to perfect condition again because of the Read Only vDisk. It's because of how well provisioning works for us that we still try to discourage Mac Labs. But I feel we'll start to lose this fight as we continue to grow and it's hard to argue when half of the IT staff have Macs! lol
Thanks again!
If anyone has any input on AD users being added to the developers group at first login pretty please share! :o)
Posted on 02-16-2017 09:18 AM
Hope that works out for you. If you get it figured out, a followup here would be nice. There's a little chatter about maybe doing an iOS programming class so I might have to revisit this.
On the Windows topic they're also experimenting with VDI for another dept and they have ideas for expanding to labs if the money is there. Glad to hear it works well. I'm not sure what VDI solution they're testing though...I don't think it's Citrix.
Posted on 02-16-2017 11:35 AM
Citrix is a great solution. Support, which is critical, is superb. I believe there is a discount for higher learning institutions but if not it's still well worth the $ and the way of the future. We manage about 400+ Windows computers with 4 IT staff. It takes about a week prior to classes starting to prepare the vDisks and after that when something goes wrong, we reboot it either remotely or directly.
Additionally with Citrix you can publish apps which is great for us Apple users. We publish Windows VMs, Active Directory, Linux VMs, Shares, SQLyog, along with all sorts of other applications for our students/faculty/staff. It's nice to be able to use a MacBook without any OS limitations like "I can't do AD changes on my Mac". That's a thing of the past.
If we get this Xcode thing figured out I'll post something on this thread. Thanks again for the help!
Posted on 02-17-2017 12:19 PM
Xcode will work fine under a non-admin context; all my users are mobile accounts which are non-admins.
For Xcode you will need a script similar to this:
https://www.jamf.com/jamf-nation/discussions/21248/deploying-xcode-8-via-self-service-a-how-to
Since they cannot download simulators for Xcode, you need to do this: https://www.jamf.com/jamf-nation/discussions/21888/xcode-running-as-a-non-admin
Making everything available in Self Service... is the way to go...
Hope this helps you.