I would like to disable some System Preferences. I have a configuration profile doing this, but then all of my admins cannot access all of the preferences to make changes. We use just 1 account named admin. I have tried to exclude this username to no avail. Any ideas?
I think if you use the Login Window payload and enable "Computer administrators may refresh or disable management" you can bypass this issue. It might override some of your other important settings, however.
When logging in as an admin, depending on how you "picked" the settings, you may not get prompted every time (if you chose to remember the settings).
I think if you hold down the option key when clicking login, it brings the choices back > choose disable settings > Remember choice.
We're revisiting this internally and I wanted to see if anyone had any other suggestions. All we were able to do is come up with a login policy for the Admin account that executes the following: rm -Rf "/Library/Managed Preferences/admin/"
That's great if you're logging in as the "Admin" user, however if you are attempting to log in as an AD admin account then it doesn't work. It also removes all management settings, which is a tad overkill.
I haven't tested anything out regarding this, so I can't offer too much, other than the fact that you can change your above script command to only remove the com.apple.systempreferences.plist file inside the Admin folder instead of all managed preferences.
Anyway, with the horrible long-standing security bug in OS X already outlined elsewhere, it's absolutely trivial to get past blocked System Preferences without so much as opening Terminal or issuing a sudo command. I don't want to repeat the details about the bug here since these posts get picked up pretty easily in Google searches, and it's a pretty bad bug (IMHO). Look it up, you'll find it.
There is another way to use the View menu that is not so obtuse; there is a discussion here.
I found that by revoking "everyone" access from the .prefPane files of choice in /System/Library/PreferencePanes and adding the group "admin" as read-only, the preference pane on which the permission was changed will disappear from any non-admin user's preferences panel. Furthermore, if they try to run it elsewhere they will get an access denied. The items will not disappear until the user logs off and back on. Until then it will just be a nondescript icon and provide access errors when you try to open it.
To do this programmatically you'll need to look up how to change the ACL via the command line and put it in a script.
Here is the script I am using in a package as a postflight script. Obviously feel free to edit it to your preference needs. The first line changes the group owner from wheel to admin. The following lines change the everyone group to no access, essentially limiting access to root and administrators.
#!/bin/sh
# Hand every pane to the admin group instead of wheel (owner stays root).
sudo chown root:admin /System/Library/PreferencePanes/*.prefPane
# 750: root and the admin group keep access, "everyone" gets none.
sudo chmod 750 /System/Library/PreferencePanes/AppStore.prefPane
sudo chmod 750 /System/Library/PreferencePanes/Profiles.prefPane
sudo chmod 750 /System/Library/PreferencePanes/TimeMachine.prefPane
sudo chmod 750 /System/Library/PreferencePanes/InternetAccounts.prefPane
sudo chmod 750 /System/Library/PreferencePanes/Network.prefPane
sudo chmod 750 /System/Library/PreferencePanes/Notifications.prefPane
sudo chmod 750 /System/Library/PreferencePanes/SharingPref.prefPane
sudo chmod 750 /System/Library/PreferencePanes/ParentalControls.prefPane
sudo chmod 750 /System/Library/PreferencePanes/Security.prefPane
sudo chmod 750 /System/Library/PreferencePanes/Spotlight.prefPane
sudo chmod 750 /System/Library/PreferencePanes/StartupDisk.prefPane
@rlandgraf - Thanks for the heads up. Since our users aren't admins they can't fix permissions, so it won't happen often. So to cover my bases I will also add the script as a daily policy.
If for some reason that ends up not being enough (which I doubt), I'll create a launch daemon and do it every 15.
Thanks again for spotting a hole.
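As an added example (not the postflight script from the thread or anything shipped by the product), here is a drift check for the same chgrp/chmod approach that could serve as the daily policy mentioned above: it re-applies the group and mode only to the listed panes that have changed and reports how many it had to fix. The function names and argument layout are this example's own choices; the directory, group, mode and pane names are passed in as arguments.

```shell
#!/bin/sh
# Added example, not from the thread: a drift check for the chgrp/chmod
# approach, usable as the daily policy or a LaunchDaemon job. It enforces
# only group and mode; root ownership is assumed to be in place already.
# Function names and argument layout are this example's own choices.

# Report whether pane $1 already has group $2 and exactly mode $3.
# Exit status 0 = compliant, 1 = drifted or missing.
pane_is_compliant() {
    [ -d "$1" ] && [ -n "$(find "$1" -maxdepth 0 -group "$2" -perm "$3")" ]
}

# enforce_pane_perms DIR GROUP MODE PANE...
# Restore group and mode on each named pane under DIR that has drifted and
# print the number of panes fixed (0 means nothing changed since last run).
enforce_pane_perms() {
    dir=$1 group=$2 mode=$3 fixed=0
    shift 3
    for name in "$@"; do
        pane="$dir/$name"
        if [ ! -d "$pane" ]; then
            echo "missing: $pane" >&2   # a pane that vanished is worth noticing
            continue
        fi
        if ! pane_is_compliant "$pane" "$group" "$mode"; then
            chgrp "$group" "$pane" && chmod "$mode" "$pane" || return 1
            fixed=$((fixed + 1))
        fi
    done
    echo "$fixed"
}

# Only touch a real location when invoked with arguments, e.g.
#   sh prefpane-perms.sh /System/Library/PreferencePanes admin 750 \
#       Network.prefPane Security.prefPane
if [ "$#" -ge 4 ]; then
    enforce_pane_perms "$@"
fi
```

Log the printed count from the policy: anything other than 0 on a box where users are not admins means something besides your package changed those permissions. On macOS releases with System Integrity Protection, /System/Library is not writable even as root, so this approach only applies to the older systems this thread is about.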