dummy receipt for local admin accounts

tlarkin
Honored Contributor

So,

I just thought I would share this with everyone since it seems to be working quite well. Since we are in K-12 and in a 1:1 and our students are allowed to take their laptops home, this pretty much tosses all security out the window. Especially since once a kid realizes how to google the right questions they can get a simple walkthrough on clearing firmware passwords, booting into single user mode and removing a certain file that gives them the initial user creation screen and the ability to create a local admin account. Trust me, I have seen kids do this already; they are a lot smarter than you would think at times.

This has been a bit of a problem from the get-go, since our AUP clearly states they cannot do such things, and with 6,000 laptops it is hard to check each one.

However, this assumes a few things: it assumes that all local admin accounts' home directories do not live in /Users. In fact I put all my local admin accounts in /private/var for this exact reason (plus many other reasons). Since I know for a fact there should be zero users in /Users that are admins, this helps out tremendously.

So, I have two policies.

1st policy is one that runs this script:

#!/bin/bash

##################################################################
# check local admin script for dummy package
# if a local admin account exists in /Users, then dummy package will be installed
# Use policy logs to generate a report of machines that have AUP violations on them
# where a local admin account has been enabled by the student hacking around built in
# securities
# by Thomas Larkin
# for KCKPS
#
# created on 01/11/10
#################################################################

# now loop through /Users and check the admin status
# (variable is quoted and grep matches the whole short name, so a name such as
# "tom" is not counted as a match for "thomas")
for i in `/bin/ls /Users | /usr/bin/grep -v "Shared"` ; do
    if [[ `/usr/bin/dscl . read /Groups/admin GroupMembership | /usr/bin/grep -cw "$i"` == 1 ]]
    then
        /usr/sbin/jamf policy -trigger hasadmin
    else
        /bin/echo "No admin account found for $i in /Users"
    fi
done

exit 0

The 1st script just checks every user who has a home folder in /Users by looping through it, excluding the Shared folder, then takes that short name and tests it through dscl to read it from the admin group. If it returns a 1 (via grep -c) it will then execute my custom trigger policy, which is a policy scoped to all assets, able to run off of any IP address, and runs 1 simple command in the advanced tab:

/bin/echo "This is a receipt proving that users in /Users have been promoted to admin against the AUP" >> /Library/Receipts/hasadmin.txt

Now I can go to my hasadmin policy log and get a full list of assets of every user that has broken the AUP. I figured I would share, as this really is a great way to determine stuff inventory-wise by using just dummy files via a policy.

Have a good weekend

Tom
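The check from the post above, written as an added example (not Tom's script) so that the admin-group comparison can be exercised offline: it matches whole account names against the GroupMembership line instead of a substring grep, and only the final block touches dscl, the receipt file and the assumed hasadmin trigger on a real Mac. The sample membership line is constructed and assumes dscl's "GroupMembership: a b c" output format.

```shell
#!/bin/bash
# Added example, not from the original post. Same idea as the script above, but
# membership is tested as an exact word so "tom" cannot be matched by "thomas".

# Constructed sample of what `dscl . read /Groups/admin GroupMembership` prints.
SAMPLE_MEMBERSHIP="GroupMembership: root ladmin tom"

# is_admin USER MEMBERSHIP_LINE -> exit 0 if USER appears as a whole word
is_admin() {
    local user="$1" members="${2#GroupMembership: }" m
    for m in $members; do
        [ "$m" = "$user" ] && return 0
    done
    return 1
}

# find_violators MEMBERSHIP_LINE NAME... -> prints each /Users folder name (except
# Shared) that is also in the admin group; exit 1 when there are none
find_violators() {
    local membership="$1" found=1 name
    shift
    for name in "$@"; do
        [ "$name" = "Shared" ] && continue
        if is_admin "$name" "$membership"; then
            echo "$name"
            found=0
        fi
    done
    return $found
}

# Live run, only where dscl exists (i.e. on a Mac); skipped elsewhere.
if [ -x /usr/bin/dscl ]; then
    live=$(/usr/bin/dscl . read /Groups/admin GroupMembership)
    set --
    for d in /Users/*/; do set -- "$@" "$(basename "$d")"; done   # no ls parsing
    if find_violators "$live" "$@" >/dev/null; then
        /bin/echo "This is a receipt proving that users in /Users have been promoted to admin against the AUP" >> /Library/Receipts/hasadmin.txt
        /usr/sbin/jamf policy -trigger hasadmin   # trigger name assumed from the post
    fi
fi
```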
