Jamf Nation Community

jamfrigyyv · ‎03-20-2018

We've been trying to disable some of the PrefPanes for non-admin users (local or network) for Mac with OSX >=10.11.

We tried to modify the Pref Panes' access rights with a script launched with a policy (logon trigger) :

#!/bin/sh su sudo chown root:admin /System/Library/PreferencePanes/.prefPane sudo chmod 750 /System/Library/PreferencePanes/.prefPane sudo chmod 755 /System/Library/PreferencePanes/Accounts.prefPane sudo chmod 755 /System/Library/PreferencePanes/Appearance.prefPane

The script executes, but unfortunately an admin account does not have (at least anymore) the rights to modify the access on those files.

chown: /System/Library/PreferencePanes/Accounts.prefPane: Operation not permitted chown: /System/Library/PreferencePanes/AppStore.prefPane: Operation not permitted

We also tried to modify the systempreferences plist with another script:

defaults write $LoggedInUserHome/Library/Preferences/com.apple.systempreferences DisabledPreferencesPanes-Raw '( "com.apple.preference.desktopscreeneffect", "com.apple.preference.security", "com.apple.preference.energysaver", "com.apple.preferences.icloud", "com.apple.preferences.network", "com.apple.preferences.sharingpref", "com.apple.preferences.parentalconrol", "com.apple.preferences.appstore", "com.apple.preferences.dateandtime", "com.apple.preferences.startupdisk", "com.apple.preferences.timemachine", "com.apple.preferences.profiles", )'

The plist is modified, but we don't see any effect on the user access of the PrefPanes (the specified options are not disabled).

Does anyone have any idea about how to disable the PrefPanes options (>=10.11) ?

Thank you in advance.

MacSysAdmin · ‎03-20-2018

Have you tried config profiles?

blackholemac · ‎03-20-2018

Config profiles are the easiest way. Just remember upgrades will get you on both methods.

If you do it the OP’s way, You run a chance of Apple making changes in OS update

If you do it with a profile, remember to consider third party preference panes when planning your strategy.

https://www.jamf.com/jamf-nation/articles/204/adding-custom-system-preferences-to-the-restrictions-payload-for-macos-configuration-profiles

This article also covers backups when upgrading your JSS.

amoscaritola · ‎03-20-2018

You can make a config profile with custom settings. Upload a .plist like this. Set the preference domains to "com.apple.systempreferences" Although this won't disable the preference panes, just hide them.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>HiddenPreferencePanes</key>
    <array>
        <string>com.apple.preference.security</string>
        <string>com.apple.preference.energysaver</string>
        <string>com.apple.preference.network</string>
        <string>com.apple.preferences.sharing</string>
        <string>com.apple.prefs.backup</string>
        <string>com.apple.preferences.configurationprofiles</string>
        <string>com.apple.preference.startupdisk</string>
        <string>com.apple.preferences.appstore</string>
        <string>com.apple.preferences.icloud</string>
    </array>
</dict>
</plist>

jamfrigyyv · ‎03-20-2018

Thanks for your answer.

We've already tried Config profiles. But we already have machine profile related to the domain com.apple.systempreferences. Then the user Config profiles have no effect on the domain com.apple.systempreferences. We have heard the it not supported to have multiple Config profiles to the same domain. Is it true ?

ICTMuttenz · ‎03-21-2018

on which level you Scope the Profile? Computer or User level?

Jamf Nation Community

Enable/Disable PrefPanes for non admin users