Help

Enable/Disable PrefPanes for non admin users

jamfrigyyv
New Contributor

Posted on ‎03-20-2018 03:07 AM

We've been trying to disable some of the PrefPanes for non-admin users (local or network) for Mac with OSX >=10.11.

  1. We tried to modify the Pref Panes' access rights with a script launched with a policy (logon trigger) :
#!/bin/sh su sudo chown root:admin /System/Library/PreferencePanes/.prefPane sudo chmod 750 /System/Library/PreferencePanes/.prefPane sudo chmod 755 /System/Library/PreferencePanes/Accounts.prefPane sudo chmod 755 /System/Library/PreferencePanes/Appearance.prefPane
  1. The script executes, but unfortunately an admin account does not have (at least anymore) the rights to modify the access on those files.
chown: /System/Library/PreferencePanes/Accounts.prefPane: Operation not permitted chown: /System/Library/PreferencePanes/AppStore.prefPane: Operation not permitted
  1. We also tried to modify the systempreferences plist with another script:
defaults write $LoggedInUserHome/Library/Preferences/com.apple.systempreferences DisabledPreferencesPanes-Raw '( "com.apple.preference.desktopscreeneffect", "com.apple.preference.security", "com.apple.preference.energysaver", "com.apple.preferences.icloud", "com.apple.preferences.network", "com.apple.preferences.sharingpref", "com.apple.preferences.parentalconrol", "com.apple.preferences.appstore", "com.apple.preferences.dateandtime", "com.apple.preferences.startupdisk", "com.apple.preferences.timemachine", "com.apple.preferences.profiles", )'

The plist is modified, but we don't see any effect on the user access of the PrefPanes (the specified options are not disabled).

Does anyone have any idea about how to disable the PrefPanes options (>=10.11) ?

Thank you in advance.

0 Kudos
Reply
5 REPLIES 5

MacSysAdmin
Contributor

Posted on ‎03-20-2018 04:07 AM

Have you tried config profiles?

0 Kudos
Reply

blackholemac
Valued Contributor III

Posted on ‎03-20-2018 04:22 AM

Config profiles are the easiest way. Just remember upgrades will get you on both methods.

If you do it the OP’s way, You run a chance of Apple making changes in OS update

If you do it with a profile, remember to consider third party preference panes when planning your strategy.

https://www.jamf.com/jamf-nation/articles/204/adding-custom-system-preferences-to-the-restrictions-payload-for-macos-configuration-profiles

This article also covers backups when upgrading your JSS.

0 Kudos
Reply

amoscaritola
New Contributor III

Posted on ‎03-20-2018 09:45 AM

You can make a config profile with custom settings. Upload a .plist like this. Set the preference domains to "com.apple.systempreferences" Although this won't disable the preference panes, just hide them.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>HiddenPreferencePanes</key>
    <array>
        <string>com.apple.preference.security</string>
        <string>com.apple.preference.energysaver</string>
        <string>com.apple.preference.network</string>
        <string>com.apple.preferences.sharing</string>
        <string>com.apple.prefs.backup</string>
        <string>com.apple.preferences.configurationprofiles</string>
        <string>com.apple.preference.startupdisk</string>
        <string>com.apple.preferences.appstore</string>
        <string>com.apple.preferences.icloud</string>
    </array>
</dict>
</plist>
0 Kudos
Reply

jamfrigyyv
New Contributor

Posted on ‎03-20-2018 11:54 PM

Thanks for your answer.

We've already tried Config profiles. But we already have machine profile related to the domain com.apple.systempreferences. Then the user Config profiles have no effect on the domain com.apple.systempreferences. We have heard the it not supported to have multiple Config profiles to the same domain. Is it true ?

0 Kudos
Reply

ICTMuttenz
Contributor

Posted on ‎03-21-2018 04:56 AM

on which level you Scope the Profile? Computer or User level?

0 Kudos
Reply