How locked down do you make your student Macs?

davidacland
Honored Contributor II

Hi all,

We have been setting up Macs in schools for some time and have traditionally set the "lockdown" options requested by the customer (we're a pro services company). There are a lot of settings being pushed around such as fixed docks, fixed desktop backgrounds, options removed from the "go" menu etc and I wonder how useful they really are for the classrooms.

Assuming the students are set as non-admins, I'd be interested to hear your opinions on how "locked down" you like to make your classroom Macs.

10 REPLIES

jkent
New Contributor

We have about 250 lab iMacs in our institution managed with DeepFreeze and Casper. Students log in with a standard "student" (non-admin) user.

Each drive has a Scratch partition that is not frozen with DeepFreeze, which is the only place where students can save work that will be there after a reboot. That's in addition to network and external drives. Basically the students can change whatever a non-admin can, but after reboot everything is reset anyway, so it's locked down. The happy side effect is that it's possible to fix almost anything by simply rebooting, in addition to preventing the malicious types from causing too much damage.

The downside is that lab machines are not included in Casper's automated policies, unlike faculty and staff. All software distribution is done via Casper Remote after machines are "thawed." Setting up a schedule for automated thawing at night is not an option since a lot of students have projects rendering or transcoding overnight. So, installing software on the lab machines takes a bit of planning and attention.

Hobbs155
Contributor

All our Macs are joined to our domain. When we build a base image we configure all the computer preferences the way we want them as standard for staff and students; we have then packaged the specific user and computer preferences and push them out as DMGs. Students are non-admins and we are starting to move more towards configuration profiles to lock the system down. We run a logout hook that deletes the profile from the Mac when students log out. They are able to save their work to their network mapped/mounted drive and all of them are aware to save to this network location, otherwise work is lost, so even if they decide to change anything, the next time they log in they will get the standard profile again. Hope this makes sense.
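
An added example of the logout-hook cleanup described in the post above (not Hobbs155's script or any poster's code). It shows the guards such a hook needs before deleting anything: a strict short-name check, a keep list, an admin-group check and a symlink refusal. `USERS_DIR`, `PROTECTED`, the function names and the hook path are assumptions.

```bash
#!/bin/bash
# Added example: logout-hook cleanup of a student's local profile.
# loginwindow passes the short name of the user logging out as $1.
# Registered (legacy mechanism) with something like:
#   sudo defaults write com.apple.loginwindow LogoutHook /path/to/this-script
# USERS_DIR, PROTECTED and the function names are assumptions for illustration.

USERS_DIR="${USERS_DIR:-/Users}"
PROTECTED="${PROTECTED:-Shared Guest root}"   # constructed list: never delete these

# Accept only a plain short name, so "$1" can never escape USERS_DIR.
valid_shortname() {
    case "$1" in
        ""|.|..|*/*|-*)     return 1 ;;
        *[!A-Za-z0-9._-]*)  return 1 ;;
    esac
    return 0
}

# Protected = on the keep list, or (on macOS) a member of the admin group.
is_protected() {
    for p in $PROTECTED; do
        if [ "$p" = "$1" ]; then return 0; fi
    done
    if command -v dseditgroup >/dev/null 2>&1 &&
       dseditgroup -o checkmember -m "$1" admin >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# Exit codes: 0 removed or nothing to do, 2 bad name, 3 protected, 4 symlink.
purge_profile() {
    user="$1"
    if ! valid_shortname "$user"; then echo "refusing bad name" >&2; return 2; fi
    if is_protected "$user"; then echo "keeping $user" >&2; return 3; fi
    home="$USERS_DIR/$user"
    if [ -L "$home" ]; then echo "refusing symlink $home" >&2; return 4; fi
    if [ -d "$home" ]; then rm -rf -- "$home"; fi
    return 0
}

# When installed as the hook, act on the user who just logged out.
if [ -n "${1:-}" ]; then purge_profile "$1"; fi
```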

CasperSally
Valued Contributor II

@jhatfield we use DeepFreeze on our PCs, but on our Macs we find it much more efficient to delete student accounts on logout (we now config profile to do this, used to be a script). Students can only save to users/shared, external drives, or network space. Might be worth looking into because it gives you back flexibility to push whatever to them whenever you want versus dealing with thawing. We also have config profiles set up to only allow students to run programs from designated folders (that they don't have write access to) to further lock things down.

jduvalmtb
Contributor

We're 1:1 and our MacBooks are fairly locked down. Last month, I had to disable Spaces/Mission Control at request of Administration. Any of the personal preferences like Docks, wallpapers, etc, are free-for-all, though.

On the Carts, though, we do try to lock those down, e.g., Dock position, what's on the Desktop, etc. Working with teachers long enough, it does make sense to me - you only have 43 minutes to teach a class, and it's a waste of time trying to figure out where the Dock is from the previous user. 3rd graders have a hard time with change. We don't currently use directory services, so just have a generic "student" login for all cart machines. It's a much easier experience if the user interface is identical across all cart/lab machines.

damienbarrett
Valued Contributor

I've written about our 1:1 program several times on these boards.

https://jamfnation.jamfsoftware.com/discussion.html?id=11689#responseChild67351
https://jamfnation.jamfsoftware.com/discussion.html?id=9329#responseChild51079
https://jamfnation.jamfsoftware.com/discussion.html?id=9329#responseChild51105

The TLDR is that we allow all our students to be administrators of their MacBook Airs, but they must first prove they understand our AUP and can pass our "Driver's Test".

I presented on this at JNUC a year or so ago. You can see the video here: https://jamfnation.jamfsoftware.com/jnucEvent.html?eventId=14

I'm happy to answer any questions you might have about our environment. Our philosophy is to entrust our users with the responsibility to use the equipment properly and then to treat mistakes or boundary-pushing as learning experiences. Very rarely, we get a student who pushes too far and then disciplinary measures are taken, but for the most part, it's been working extremely well for more than five years. My advice is to consider a change in perception about how you (or the administration) look at technology. Change the culture, if possible, and reap the rewards.

Chris_Hafner
Valued Contributor II

Much fun in this, and its associated threads. I actually may have to jump in those and edit myself accordingly.

We have been 1:1, under full implementation since 1993. We (Brewster Academy) are an international boarding school that averages 365 students yearly, though we have several separate summer programs as well. We've run about every type of purchasing, leasing and lending scheme you've ever seen. At the moment we have been BYOD for 4-5 years. After 21 years in 1:1, we've developed and learned many lessons along the way. To answer this question directly: our students are NOT administrators. However, they are not heavily restricted either. Our faculty and staff ARE administrators and restricted where they need to be.

We believe in the adage that I know @damienbarrett posted on another thread that goes something like "Try not to use Technology to solve social issues". We very much believe in this philosophy! Yet, in having had such integration for so long it's easy to lose track of the fact that most edu's don't.

So, here are a few tidbits regarding our students' computer privileges:

• Our students are NOT administrators and have a very well defined AUP. One that is often reviewed with them in advisory groups early in the year.

• Our students are REQUIRED to run their own updates via both Software Update and Self-Service (we track, remind and force updates where necessary). This will be a critical skill as they move onward in life and we need to educate them!

• Our students can install their own printers and adjust preferences such as Energy Saver and Time Machine. After all, these are pretty basic things and authorizationdb allows for this type of easy granular control. Academic printers are added via Self-Service.

• Students are required to set up their own TM or other backup and are reminded of this as often as we can. As an extension, lost work due to failing hard drives is NOT an allowable excuse here at BA. Again, this is necessary education prior to college!

• Our students can install any Mac App Store application they want. These are all legal, sandboxed and generally supported. Because of the level of engagement that students have with their advisors or dorm parents, we can help point out any trouble spots and educate them accordingly. After all, we can always restrict individual students if it becomes too much of a distraction and yet we prefer not to. Again, these can easily turn into teachable moments. Academically distributed, optional apps are available via Self-Service.

• We detect and track behavior that is contrary to our AUP and acceptable behavior policies. EA's are great for this! Again, we're looking to teach rather than restrict or punish though sometimes it does come down to that regardless.

I could talk about a great many more things as I'm sure others could but I'll end with this one thing to keep in mind. We have hundreds of policies and SMART groupings in our installation. Just remember this: For your technology to work well in class, students must be as engaged in class as the technology is. Allowing as much privilege as possible without compromising the integrity of the classroom is often the best way to ensure this engagement and maintain the focus on learning, not IT. Students need some room to breathe and learn. It's our responsibility to make sure that in doing so, they don't negatively affect other students while they learn. We need to teach them how to use these devices as tools to help them do their jobs in this modern age. Utilizing the Casper suite allows us all to have fine granular control over that entire process.

P.S. As an aside; we were so focused on teaching technology as a tool rather than a focus, we've only begun to teach computer science as its own course. Strange eh? ;-)

damienbarrett
Valued Contributor
I could talk about a great many more things as I'm sure others could but I'll end with this one thing to keep in mind. We have hundreds of policies and SMART groupings in our installation. Just remember this: For your technology to work well in class, students must be as engaged in class as the technology is. Allowing as much privilege as possible without compromising the integrity of the classroom is often the best way to ensure this engagement and maintain the focus on learning, not IT. Students need some room to breathe and learn. It's our responsibility to make sure that in doing so, they don't negatively affect other students while they learn. We need to teach them how to use these devices as tools to help them do their jobs in this modern age. Utilizing the Casper suite allows us all to have fine granular control over that entire process.

Heads up, Chris, I'm totally stealing some of this language to further explicate our 1:1 documentation. So well-stated! I'm happy to see that we're not the only school that sees the paramount value in teaching this generation how to use the technology properly because it's training for their adult lives. This generation is going to be asked to make decisions about how to ethically/unethically use technology in their lives in ways that none of us can possibly imagine. We need to stop being reactionary about how we teach technology and be proactive in its use as a productive and complementary tool for learning.

Chris_Hafner
Valued Contributor II

@damienbarrett Good! I agree. It's part of why I ended up finding and following your posts!

Chris_Hafner
Valued Contributor II

To follow up on this, I'm finding a lot of the same philosophy is helping in the enterprise as well... where feasible that is!

pblake
Contributor III

Looking for some advice, and this is a great thread!

@Hobbs155 - I am trying to do a similar thing as you. I would love to chat with you about the logout hook you are using. We find sometimes it fails. Would you be willing to chat about it? Share your hook?

@CasperSally - I would be interested in how you got a config profile to work doing that. I have been unsuccessful.

How are you handling the App Store? Non-admins can install apps, so how do you lock that out?

Any help would be appreciated, as I would love to get improvements for the Spring semester.

Thanks!