Posted on 10-26-2015 09:17 AM
We use Casper Suite to manage devices at our school district. Today, we discovered that students are finding other student devices using the Network list and enabling a Screen Sharing session, connecting with the student victim's username and password (attained previously), and causing issues with taking over their computer, etc.
We are now tasked to disable the Network visibility altogether for the student MacBook Airs so they can't even see other devices on the network. I do not see the option in the Finder configuration profile definition. Is this something that can be done with built-in JSS functionality, or will I have to upload some type of MCX to config profile file into a Config Profile?
We do have Apple Remote Desktop client and VNC client running on each of these computers.
See screenshot for the sidebar item we want to hide and disable:
Posted on 10-26-2015 11:38 AM
For our short term fix, we have created a Restricted Software rule to kill 'Screen Sharing.app' for all student devices, which seems like it will do the trick.
Long term, I will re-evaluate having all users with screen sharing capabilities, likely going to include only 'admin' users. The kickstart command is such a PITA, so I'll have to mess with that again.
Thanks to everyone for their input!
Posted on 10-26-2015 09:59 AM
I could be mistaken here but wouldn't that only happen if the student had the other student's credentials? In other words, they must know the user credentials required for screen sharing. Why not tackle that particular issue?
Posted on 10-26-2015 10:07 AM
I agree with @bpavlov. Seems you have a more serious issue on your hands of either very weak usernames and passwords for the students, or some generic account on the Macs that has been compromised or something to that effect. The only way to do Apple's Screensharing to control another Mac is to know an account username/password on the remote system. How are they obtaining that information?
The problem is, even if you disable the "All..." item from showing up in the sidebar, there are still other methods they can use to discover Macs broadcasting themselves on the network (all you really need is an IP address once you have the username/password info), so it's only a temporary deterrent, not a solid method of blocking the control.
Posted on 10-26-2015 11:17 AM
I completely agree that the first thing to respond to is the fact that students are getting each other's passwords. For some reason, they are convincing other students to share their information in our Student Information System, which also has their username/password listed. I don't have full info on their psychological techniques to get the students to show them, but that is definitely being addressed by the school administration. From a technical standpoint, we are trying to limit the potential damage by turning this functionality off for their devices.
If we disabled VNC, does that fix the issue? Or does the Screen Sharing also work if only ARD client is enabled?
Posted on 10-26-2015 11:23 AM
Based on the screenshot, it seems like you are wanting to remove the "Shared" section on the sidebar. (But like other posters said... you have some other things that may need to change.)
Short Term:
To disable the "Shared" Section on the side bar:
Finder>>>Preferences>>>SideBar (Tab)>>> Uncheck everything under the "Shared Section"
Before:
After:
For Deployment purposes, you can use composer to capture the Sidebar PLIST file:
New>>>User Environment>>> Sidebar:
*You could create an install policy (Ongoing) on log-in so when a student logs in (scope appropriately)... it will revert to your preferences if they change the sharing settings. More than likely, your students will figure out how to turn the sidebar back on quickly... so this may only be a temporary fix.
Long Term:
Long term, you will want to lock down Remote Management and Remote Login to only your Admin group. If I had to guess, your students probably have "All Users" selected in the Sharing menu of the System Preferences.
System Preferences>>>Sharing
Hope this helps.
Posted on 10-26-2015 11:25 AM
defaults write /System/Library/LaunchDaemons/com.apple.mDNSResponder ProgramArguments -array-add "-NoMulticastAdvertisements"
Not sure what the 10.11 solution is due to SIP, but I'm making that modification on my image pre-boot so SIP won't stop me. -T-
Posted on 10-26-2015 11:25 AM
Do you have Remote Management enabled and/or Screen Sharing enabled? May want to make sure it's only allowed for specified users and not all users.
Posted on 10-26-2015 11:29 AM
Apple Screen Sharing is controlled by either enabling the Screen Sharing or Remote Management checkbox options within the Sharing Preference Pane. VNC is kind of a separate option under the Computer Settings button under Remote Management (or Screen Sharing) which I definitely don't recommend enabling since it uses a static password not related to any account on the Mac. Note that when ARD is enabled, Screen Sharing becomes grayed out since you can only have one or the other enabled.
To completely stop any screen sharing you would need to turn both off. In past versions of Casper Suite, Casper Remote was able to temporarily enable the option when needing to do a remote screen share session, but I think as of 10.10 it has some trouble turning that on now. There's an ongoing thread on that, but I haven't followed it too closely.
As for stopping this without shutting everything off, you can try enabling ARD but setting it so it will only allow access to a specific account, meaning set up your local administrator on each box as the only one that can use it, equivalent to checking the box called "Allow access for: Only these users:" and adding an account name in the list below that. This should stop any other accounts from being able to control the Mac or do any remote management stuff.
Search around on here for examples on how to do that using the kickstart command. There are existing scripts, both from JAMF and JAMFNation users that should help get you in the right direction for doing this.
EDIT: Looks like everyone beat me to it. Same thing as what they are saying :)
Posted on 10-26-2015 12:27 PM
The restricted software rule works well. When we encountered this, we restricted the screen sharing, set the policy to email us if it occurred and added the following script to specify our local admin accounts and deny all others.
Hope this helps,
-Chris
#!/bin/bash
#Set the Privs for admin and teacher
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -users admin,teacher -access -on -privs -DeleteFiles -ControlObserve -TextMessages -OpenQuitApps -GenerateReports -RestartShutDown -SendFiles -ChangeSettings -restart
#Set Deny Access for others
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -specifiedUsers -restart
echo "ARD Set"
exit 0
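As an added example that is not from the thread or from JAMF, the script below audits the two settings discussed above rather than changing them: whether Remote Management is open to every local account (the "All users" versus "Only these users" choice that the kickstart -allowAccessFor -specifiedUsers line in Chris's script sets), and whether the mDNSResponder daemon carries the -NoMulticastAdvertisements argument that thoule adds. It assumes that kickstart records the access choice in the ARD_AllLocalUsers key of /Library/Preferences/com.apple.RemoteManagement.plist (1 = all local users, 0 = specified users); the sample plist text at the bottom is constructed so the checks can be exercised on a non-Mac host.

```shell
#!/bin/bash
# Added audit example (not from the thread). Assumption: kickstart -allowAccessFor
# writes ARD_AllLocalUsers (1 = all users, 0 = only specified users) into
# /Library/Preferences/com.apple.RemoteManagement.plist.
ARD_PREFS="/Library/Preferences/com.apple.RemoteManagement"
MDNS_PLIST="/System/Library/LaunchDaemons/com.apple.mDNSResponder"

# Classify the raw ARD_AllLocalUsers value as read by `defaults read`.
ard_access_mode() {
  case "$1" in
    1|true|YES) echo "all-local-users" ;;
    0|false|NO) echo "specified-users" ;;
    "")         echo "unset" ;;          # key absent: kickstart never restricted it
    *)          echo "unknown:$1" ;;
  esac
}

# Read the live value on a Mac; on any other host (or for testing) take it from $1.
read_ard_all_local_users() {
  if [ -n "${1-}" ]; then
    printf '%s\n' "$1"
  elif command -v defaults >/dev/null 2>&1; then
    defaults read "$ARD_PREFS" ARD_AllLocalUsers 2>/dev/null
  fi
}

# Returns 0 only when Remote Management is limited to named accounts.
audit_remote_management() {
  mode=$(ard_access_mode "$(read_ard_all_local_users "${1-}")")
  case "$mode" in
    specified-users) echo "OK: Remote Management limited to named accounts"; return 0 ;;
    *) echo "WARN: Remote Management access is '$mode'; restrict it with kickstart -allowAccessFor -specifiedUsers"; return 1 ;;
  esac
}

# Reads plist text (XML or `defaults read` output) on stdin; returns 0 when the
# daemon is started with -NoMulticastAdvertisements, i.e. the Mac does not
# advertise itself via Bonjour and so does not show up in the Finder sidebar.
bonjour_advertising_disabled() {
  grep -q -- '-NoMulticastAdvertisements'
}

# Constructed sample of the mDNSResponder LaunchDaemon plist after the
# `defaults write ... -array-add "-NoMulticastAdvertisements"` change.
SAMPLE_MDNS_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.mDNSResponder</string>
  <key>ProgramArguments</key>
  <array>
    <string>/usr/sbin/mDNSResponder</string>
    <string>-NoMulticastAdvertisements</string>
  </array>
</dict></plist>'

# Same plist before the change (constructed).
SAMPLE_MDNS_PLIST_DEFAULT='<plist version="1.0"><dict>
  <key>ProgramArguments</key>
  <array><string>/usr/sbin/mDNSResponder</string></array>
</dict></plist>'

# On a real Mac, run both checks against the live system.
if command -v defaults >/dev/null 2>&1; then
  audit_remote_management || true
  if defaults read "$MDNS_PLIST" ProgramArguments 2>/dev/null | bonjour_advertising_disabled; then
    echo "OK: Bonjour advertisements disabled"
  else
    echo "WARN: this Mac still advertises itself via Bonjour"
  fi
fi
```

On a Mac the top-level block reads the live preference and daemon plist; the `defaults read` form works regardless of whether the plist is stored as XML or binary, which is why the check greps the bare argument rather than an XML tag.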
Posted on 10-26-2015 03:10 PM
@thoule That's a launch daemon. You can still create launch daemons in /Library/LaunchDaemons/ that run as root.