Jamf Nation Community

does enabling that MCX setting lock out local admins as well?

Admins are locked out too, unless they login disabling MCX (ie. hold down option and select disable).

Hi Lisa,
jhbush's question is always something I want to know. When you apply system level MCX, you don't really want Local Admin locked out too. So do I just hold down Option key when login or when start up?
Btw, when you say have an empty array, do you need to have "name 0" in every line of string? Because I didn't give any value to that MCX setting and left unchanged. It didn't work for me after I apply it.

I *think* for the disable option to work you have to enable "Computer administrators may refresh or disable management". In WGM, this is in Preferences > Login > Options.

Someone please correct me if that's not right.

I'm not having any luck using option to disable MCX. Is there a MCX setting or plist I need to have installed to have this option active or is this for OD users only?

Hi Anderson,
I don't see that option. I want to attach a screen shot but I don't know how.
I checked System Preferences -> Login Options under the Root user. I am on 10.5.8
Thanks.

Hi guys,
Any advice on AD environment? It seems like the option for enable "Computer administrators may refresh or disable management" is for OD only.

Has anyone figured out how to enable custom "Other" preference panes?

The list is a white list or a black list. You need to add them to the list off approved pref panes if you're whitelisting.

I know the MCX for restricting Application directories has a black and white list, but managed to find the MCX for System Preferences. Problem is, I would add a string for the specific pref.pane I need to enable but the OS still keeps it "greyed" out.

Not sure what I could be doing incorrectly, and Configuration Profiles doesn't allow you to get this specific.

In response to taking care of AD and "Computer administrators may refresh or disable management" all you need to do is just delete /Library/Managed Preferences and re-open System Preferences and the panes will then be available. All other changes happen immediately (SUS server etc.)

As far as allowing 3rd party prefpanes you have to go into the PrefPane bundle and get the Bundle Identifier from the Info.plist.

com.apple.systempreferences -> EnabledPreferencesPanes-Raw array // contains string objects for each preference that is allowed eg. name 0 type string value com.apple.preference.displays name 1 type string value com.apple.preference.sound

Sorry to revive this thread. I was task to enable the Accounts pane. We currently have an existing config that we pushed to the clients, this config profile has the Accounts pane disabled, we want this now enabled. So I've tried editing the existing config file and added the below on EnabledPreferencesPanes-Raw array

type string value com.apple.preference.users - I've taken this from the CFIdentifier.

For some odd reason the Accounts pane is still disabled. I can confirm that the config changes settings were pushed to the clients. Rebooting and logging out does not help as well.

The laptop in question is under Yosemite 10.10.4. In Mavericks this config works well.

Am I forgetting something? or this plsit wont work any more on yosemite?

appreciate any help on this one.

Phil

System panels are located at: /System/Library/PreferencePanes/ and add-on panels are usually stored at: Library/PreferencePanes/. Disabling them through configuration profile or MCX I find is good and bad. The good is it keeps most users from accessing it, the bad is it also keeps the techs from using it as well.

What we did was take a different approach that alleviates both issues. We created a hidden folder on the hard drive and moved the panel we don't want the users accessing to there. We then created a policy that is run by a trigger to put the panels back or disable them again. Because this requires admin access, only techs can do it. So techs get access when they need it, and users are not able to access it.

Thanks roiegat.

The profile seems to work for our environment and was working smoothly under mavericks. I am kinda stuck with the accounts pane at the moment as this is the only pane that I could not enable on yosemite. I have tried other panes and I can easily enable/disable it by just adding/removing it on

com.apple.systempreferences -> EnabledPreferencesPanes-Raw array

I have double checked the Accounts.prefpane CFBundleIdentifier under system/library/preferencepanes/ and it still com.apple.preference.users unless this was changed.

just to revive again this thread the correct CFBundleIdentifier is

com.apple.preference.users

This now works for me in Yosemite and El Capitan.

There are two ways:
1) Right Click on Pane --> Rempve Pane
2) Go to ~/HomeFolder/Library/PreferencePanes and delete needed pane from there
Resource - https://nektony.com/blog/how-to-remove-system-preferences-panes-on-mac