Disabling Sharing Prefs Pane

Cem
Valued Contributor

I want to grey out Remote Login and Remote Desktop in the Sharing Prefs Pane, so even admin users can't switch them off, as that stops Client Macs SSH to JSS and ARD connections.

I wanted to do this using Casper MCX, but removing the string from the System Preferences Template not only greys out the Sharing option, but also greys out the rest of the 3rd party Prefs Panes.

Has anyone achieved this without using WGM? We haven't extended AD and are not using OD.

Cem

12 REPLIES

Not applicable

If you figure this out, let me know. I've been able to disable the
entire Sharing Pane (or any pane for that matter) by using MCX (or
Casper's Managed Prefs) but never the granular items within a pane. I
would LOVE to prohibit my admin users from changing my ARD, SSH,
and/or sharing settings. So far, I've found ways to detect if a user
has made the changes, and we've written our AUP to say they are not
allowed to make the changes, but I've yet to find a lock-down
solution.

Here is my script to determine if anyone has modified the ARD settings:

#!/bin/bash

# Figure out what the desired privileges are and assign that number here
desiredPrivs="1073742079"

# Get the existing privileges and assign that number here
# (PlistBuddy errors are silenced; a missing key leaves actualPrivs empty)
actualPrivs=$(/usr/libexec/PlistBuddy -c 'Print :ARD_AllLocalUsersPrivs' /Library/Preferences/com.apple.RemoteManagement.plist 2>/dev/null)

# Now, compare the two numbers
# If they match, do something (or nothing)
# If they do NOT match, do something else
# A string comparison is used so an empty value reports NoMatch
# instead of failing with "integer expression expected"

if [ "${actualPrivs}" != "${desiredPrivs}" ]; then
    # The privileges DO NOT match
    echo "<result>NoMatch</result>"
else
    # The privileges DO match
    echo "<result>Match</result>"
    # Do nothing because the privs match
fi
exit 0

So now, with this script inside an Extension Attribute, I can have JSS
collect this data from my client machines and then search against it,
so I can see a list of users who have modified their ARD settings. I
have similar scripts for "ARD OFF", "SSH OFF" and "Firewall ON".

Damien Barrett
System Technician
Montclair Kimberley Academy
Montclair, NJ 07042
973-842-2812

jarednichols
Honored Contributor

Perhaps something in /etc/authorization?

j
-- Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436

tlarkin
Honored Contributor

MCX would be the preferred method, I would think. You create a plist file for com.apple.systempreferences, then add the dictionary item for EnabledPreferencePanes-Raw, and then create an array of strings of which preferences are enabled. Anything not in the list will be disabled if this item is present in your plist file. So if I log into a managed user and inspect the items of that file I get this. Do note this is what is enabled:

$ strings com.apple.systempreferences.plist
bplist00
EnabledPreferencePanes_
com.apple.preferences.users
com.apple.preference.datetime_
com.apple.preference.dock_
com.apple.preference.spotlight_
com.apple.preference.trackpad_
"com.apple.preference.digihub.discs_
(com.apple.preference.desktopscreeneffect_
com.apple.preference.speech_
com.apple.preference.displays_
com.apple.preference.energysaver_
com.apple.preference.sound_
com.apple.Localization_
com.apple.preference.internet_
com.apple.preference.keyboard_
com.apple.preference.quicktime_
com.apple.preference.expose_
com.apple.preferences.Bluetooth_
com.apple.preference.general
MultipleSessionEnabled

I don't have the sharing pref or network pref in my enabled list so it doesn't show up, and it is grayed out for the user.

dhowell
Contributor

Just rename it in /System/Library/PreferencePanes to something without the .prefPane and it will disappear from System Preferences. We do this. Just get rid of the .prefPane to make it disappear.

D. Trey Howell ACMT, ACHDS, CCA
trey.howell at austinisd.org
Desktop Engineering
twitter @aisdmacgeek

tlarkin
Honored Contributor

Hmm, interesting method. Are there any drawbacks to this? At least
with MCX something is always enforcing it, but with that method if you
rename it you get it back. However, I find that very interesting
indeed.

Cem
Valued Contributor

Nice one :) Will have a go at this one. I guess I can always package the good version to replace or script to rename it to make it available if needed.

dhowell
Contributor

I haven't had any drawbacks, if I need it back I add the prefPane back.
D. Trey Howell ACMT, ACHDS, CCA
trey.howell at austinisd.org
Desktop Engineering
twitter @aisdmacgeek

bentoms
Release Candidate Programs Tester

Pkg. Nice!

Sounds like a good idea. As we've sometimes struggled with mcx not refreshing.

Regards,

Ben Toms

tlarkin
Honored Contributor

Yeah sounds like a good simple straightforward solution, just kind of
mad I didn't think of it first, hahaha. I still just use MCX.

This is why we need a Casper Hints site so we can document this stuff!

Not applicable

A user can still get a copy from somewhere else, however. And install it for just that user. It's not foolproof, and should be combined with MCX.

bentoms
Release Candidate Programs Tester

You could copy them to another folder & limit access to root.

Regards,

Ben Toms

RobertHammen
Valued Contributor II

Only potential downside to this is, if there was an update to the prefPane as part of an OS update, it might install a partial/incomplete prefPane into /System/Library/PreferencePanes - although, if it was not a valid prefPane, it may not show up anyway - haven't tested this.
On Mar 7, 2011, at 12:47 PM, dhowell at austinisd.org wrote:

--Robert
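Added example, not code from any poster in this thread: an Extension Attribute in the style of the ARD script above that checks whether the rename approach still holds. It reports when a copy of the pane is installed machine-wide or for a single user, and when the system copy is back under a .prefPane name, for example after an OS update. The bundle identifier com.apple.preferences.sharing, the function names and the demo folder names are assumptions; the demo tree is constructed sample data.

```shell
#!/bin/bash
# Added example, not from the thread. PANE_ID is an assumed bundle identifier.
PANE_ID="${PANE_ID:-com.apple.preferences.sharing}"

# is_target_pane BUNDLE: true if the bundle's Info.plist carries PANE_ID.
# Matching on the identifier rather than the folder name means a copy that
# was renamed on disk is still recognised.
is_target_pane() {
    grep -Fqs "$PANE_ID" "$1/Contents/Info.plist"
}

# find_pane_copies ROOT: list copies installed machine-wide or per user.
find_pane_copies() {
    local root="${1%/}" pane
    for pane in "$root"/Library/PreferencePanes/*.prefPane \
                "$root"/Users/*/Library/PreferencePanes/*.prefPane; do
        [ -d "$pane" ] && is_target_pane "$pane" && printf '%s\n' "$pane"
    done
    return 0
}

# pane_status ROOT: value for the Extension Attribute.
#   Bypassed = a copy exists outside /System, Present = system pane is still
#   loadable, Hidden = renamed or absent and no copies found.
pane_status() {
    local root="${1%/}" pane
    if [ -n "$(find_pane_copies "$root")" ]; then echo "Bypassed"; return; fi
    for pane in "$root"/System/Library/PreferencePanes/*.prefPane; do
        if [ -d "$pane" ] && is_target_pane "$pane"; then echo "Present"; return; fi
    done
    echo "Hidden"
}

# make_demo_tree: constructed sample layout (system pane renamed, one user copy).
make_demo_tree() {
    local t; t=$(mktemp -d)
    mkdir -p "$t/System/Library/PreferencePanes/SharingPref.disabled/Contents" \
             "$t/Users/alice/Library/PreferencePanes/Mine.prefPane/Contents"
    printf '<key>CFBundleIdentifier</key><string>%s</string>\n' "$PANE_ID" \
        | tee "$t/System/Library/PreferencePanes/SharingPref.disabled/Contents/Info.plist" \
        > "$t/Users/alice/Library/PreferencePanes/Mine.prefPane/Contents/Info.plist"
    echo "$t"
}

# On a client this inspects the real filesystem; pass a path to inspect a test tree.
echo "<result>$(pane_status "${1:-/}")</result>"
```

A smart group on "Bypassed" or "Present" then lists the machines where the pane is reachable again, which pairs the rename with the MCX enforcement recommended above.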