- Jamf Nation Community
- Products
- Jamf Pro
- Re: Disabling Desktop Modification
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Disabling Desktop Modification
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-18-2013 09:21 AM
Is there is managed preference that disables changes to desktop? There is one for the Dock but I don't know if there is one for the actual desktop. If I try to customize one, i cannot use the mcx-desktop-disabled as this pull the desktop picture MCX for some reason.
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-18-2013 10:27 AM
Are you talking about making the Desktop immutable, so no-one can save files to it, or is the request to prevent changes to things like Icon size and other preferences that affect the Desktop view?
Although you could always address the latter by resetting Desktop preferences upon every login, there isn't anything native in MCX, Config Profiles or elsewhere that lets you make the Desktop immutable. Only thing I can think of would be to change ownership and permissions on the Desktop folder for every account on the Mac. For example, make it owned by root and change the group and other permissions to read only. Provided your users are not local admins that would stop them from saving anything to it and prevent them from setting themselves as the owner.
I'd be careful with that approach though since it could introduce some weirdness and issues on your Macs
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-18-2013 10:42 AM
Making the desktop immutable like the dock managed preference. I gather I would have to use a third-party software to do it. Any change there is something like dockutil that can do this?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-18-2013 11:13 AM
As for a 3rd party utility, I don't know of anything, at least not current. I had used something way way back in the day, on OS 8/9 that used to do this, but it was more a hack than anything. I don't know of anything for OS X that does this, but that doesn't mean there isn't something out there.
Regarding my previous comment on changing permissions, I realized after I wrote it that doing something like adding "staff" as the group to the Desktop folder, even with read only privs, would mean any other account on that Mac would be able to open and view the Desktop folder for other accounts. If you're locking down the Desktop with the intention of making sure nothing lands on it, it may not be an issue, but if anything needs to remain private on those Desktops, that could be a problem.
So, a better approach might be to simply set the System Immutable flag for Desktop folder for the user account.
sudo chflags uchg /Users/username/DesktopAfter doing this, trying to save to the Desktop, create new folders or any other operations that would write to it will fail with a Finder error. Even if a user is an admin and they enter their admin credentials when prompted, it fails. It essentially makes the root account the only account that can affect changes to the folder from that point on, until its unset again. To unset the system immutable flag, do this-
sudo chflags nouchg /Users/username/DesktopUsing that model, you could write a script run from Casper that would loop through all local home directories in /Users/ and set that bit on each Desktop folder.
Hope that helps.
