disable system preferences

dmeridith
New Contributor III

I would like to disable some system preferences. I have a configuration profile doing this, but then all of my admins cannot access all of the preferences to make changes. We use just 1 account named admin. I have tried to exclude this username to no avail. Any ideas?


bajones
Contributor II

I think if you use the Login Window payload and enable "Computer administrators may refresh or disable management" you can bypass this issue. It might override some of your other important settings, however.

dmeridith
New Contributor III

This is already enabled on my end. Any other ideas?

bajones
Contributor II

When you log in as an admin, do you get the option to disable management?

Sandy
Valued Contributor II

When logging in as an admin, depending on how you "picked" the settings, you may not get prompted every time (if you chose to remember the settings).
I think if you hold down the option key when clicking login, it brings the choices back > choose disable settings > Remember choice.

dmeridith
New Contributor III

I tried this but the preferences are still disabled for admin. The only way is to disable the configuration profile. I still cannot access them using our admin account.

easyedc
Valued Contributor II

We're revisiting this internally and I wanted to see if anyone had any other suggestions. All we were able to do is come up with a login policy for the Admin account that executes the following: rm -Rf "/Library/Managed Preferences/admin/"

That's great if you're logging in as the "Admin" user, however if you are attempting to log in as an AD admin account then it doesn't work. It also removes all management settings, which is a tad overkill.

mm2270
Legendary Contributor III

I haven't tested anything out regarding this, so I can't offer too much, other than the fact that you can change your above script command to only remove the com.apple.systempreferences.plist file inside the Admin folder instead of all managed preferences.
Anyway, with the horrible long-standing security bug in OS X already outlined elsewhere, it's absolutely trivial to get past blocked System Preferences without so much as opening Terminal or issuing a sudo command. I don't want to repeat the details about the bug here since these posts get picked up pretty easily in Google searches, and it's a pretty bad bug (IMHO). Look it up, you'll find it.

nessts
Valued Contributor II

This works:
http://walkingtowel.org/2010/02/25/accessing-mac-os-x-leopard-greyed-out-preference-panes/
There is another way to use the view menu that is not so obtuse; there is a discussion here:
https://jamfnation.jamfsoftware.com/discussion.html?id=4548

MrP
Contributor III

I found that by revoking "everyone" access from the .prefPane files of choice in /System/Library/PreferencePanes and adding the group "admin" as read-only, the preference pane on which the permission was changed will disappear from any non-admin users' preferences panel. Furthermore, if they try to run it elsewhere they will get an access denied. The items will not disappear until the user logs off and back on. Until then it will just be a nondescript icon and provide access errors when you try to open.

To do this programmatically you'll need to look up how to change the ACL via the command line and put it in a script.

pblake
Contributor III

Here is the script I am using in a package as a post flight script. Obviously feel free to edit it to your preference needs. The first line changes the group owner from wheel to admin. The following lines change the everyone group to no access, essentially limiting access to root and administrators.

#!/bin/sh
# Change the group owner of every preference pane from wheel to admin.
sudo chown root:admin /System/Library/PreferencePanes/*.prefPane
# Mode 750 on the selected panes: no access for everyone else, leaving root and the admin group.
sudo chmod 750 /System/Library/PreferencePanes/AppStore.prefPane
sudo chmod 750 /System/Library/PreferencePanes/Profiles.prefPane
sudo chmod 750 /System/Library/PreferencePanes/TimeMachine.prefPane
sudo chmod 750 /System/Library/PreferencePanes/InternetAccounts.prefPane
sudo chmod 750 /System/Library/PreferencePanes/Network.prefPane
sudo chmod 750 /System/Library/PreferencePanes/Notifications.prefPane
sudo chmod 750 /System/Library/PreferencePanes/SharingPref.prefPane
sudo chmod 750 /System/Library/PreferencePanes/ParentalControls.prefPane
sudo chmod 750 /System/Library/PreferencePanes/Security.prefPane
sudo chmod 750 /System/Library/PreferencePanes/Spotlight.prefPane
sudo chmod 750 /System/Library/PreferencePanes/StartupDisk.prefPane

rlandgraf
Contributor

@pblake This method seems to work great until you do a repair permissions on the machine and it reverts them all back to the original settings.

pblake
Contributor III

@rlandgraf - Thanks for the heads up. Since our users aren't admins they can't fix permissions, so it won't happen often. So to cover my bases I will also add the script as a daily policy.

If for some reason that ends up not being enough (which I doubt), I'll create a launch daemon and do it every 15.

Thanks again for spotting a hole.
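
Added example, not code from any poster in this thread: a re-runnable version of the daily-policy idea that checks each pane first, repairs only those whose group or mode has reverted (for instance after a permissions repair), and logs each repair. The pane list comes from pblake's script; PANE_DIR, PANE_GROUP, the function names and the --enforce argument are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: detect and repair drift in the pane restrictions above.
# PANE_DIR, PANE_GROUP, PANES and --enforce are names assumed for this sketch.
PANE_DIR="${PANE_DIR:-/System/Library/PreferencePanes}"
PANE_GROUP="${PANE_GROUP:-admin}"
PANES="AppStore Profiles TimeMachine InternetAccounts Network Notifications
SharingPref ParentalControls Security Spotlight StartupDisk"

# Print "ok", "drift" or "missing" for one pane bundle name.
pane_state() {
    pane="$PANE_DIR/$1.prefPane"
    [ -d "$pane" ] || { echo missing; return; }
    # ls -ld: field 1 is the mode string, field 4 the group name.
    set -- $(ls -ld "$pane")
    # Characters 2-10 are the rwx bits; this skips the type flag and any
    # trailing "@" or "+" that macOS appends for xattrs and ACLs.
    mode=$(printf '%s' "$1" | cut -c2-10)
    if [ "$mode" = "rwxr-x---" ] && [ "$4" = "$PANE_GROUP" ]; then
        echo ok
    else
        echo drift
    fi
}

# Re-apply group and mode 750 to drifted panes only; print how many were fixed.
# The owner is not touched: it is assumed to be root already.
enforce_panes() {
    fixed=0
    for name in $PANES; do
        [ "$(pane_state "$name")" = "drift" ] || continue
        pane="$PANE_DIR/$name.prefPane"
        if chgrp "$PANE_GROUP" "$pane" && chmod 750 "$pane"; then
            fixed=$((fixed + 1))
            # A syslog line per repair shows when and how often drift occurs.
            logger -t prefpane-lock "re-applied 750 $PANE_GROUP: $pane" 2>/dev/null || true
        fi
    done
    echo "$fixed"
}

# Run from a daily policy or launch daemon as: script --enforce
if [ "${1:-}" = "--enforce" ]; then
    enforce_panes >/dev/null
fi
```

On macOS releases with System Integrity Protection, /System is not writable even by root, so the chgrp fails, nothing is counted as fixed and the pane keeps reporting drift.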