Launch a Webpage from the Login Window

pblake
Contributor III

We want to give users an option to go to a webpage to change their password if it is expired. I want them to be able to do this from the login screen since they cannot log in. Anyone have any thoughts on how to do this?

Thanks in advance nation!

15 REPLIES

lifelike
New Contributor

Why not create a guest account that ONLY launches Safari and lets them visit the change password web page?

pblake
Contributor III

@lifelike, if I wanted to go that route, how could that be pushed out via Casper? I don't see how I could scope the managed prefs and/or configuration profile to only that user. I cannot visit every machine. Any ideas?

franton
Valued Contributor III

I was doing this very thing via a lot of MCX, but it currently won't transplant to v9 of Casper.

rtrouton
Release Candidate Programs Tester

If you name the guest user something specific, you can scope MCX to that username. I've got a post on custom guest users available here:

http://derflounder.wordpress.com/2013/12/29/creating-custom-guest-users-on-os-x/

lifelike
New Contributor

I would create a user called "Change Password" or something.

There are some techniques for locking down this account using Parental Controls, or using some techniques described here: https://developer.apple.com/library/mac/technotes/tn2062/_index.html

And you can create this user via policy on all of your machines, then pkg up this user's home folder from the one machine you used to set it up and install that via policy to all of your machines.

pblake
Contributor III

@lifelike - I like the idea here. Would Parental Controls be in the profile, if the profile was pkg'ed up?

lifelike
New Contributor

Not sure where Parental Control settings live, but you might be able to do a before/after snapshot in Composer to grab them.

gregneagle
Valued Contributor

The special user approach is probably the best. It's nearly impossible to get Safari (or any other web browser) to launch properly and display a GUI at the loginwindow, and if you do succeed, it's a huge security risk, as you are now running a web browser AS ROOT.

pblake
Contributor III

Thanks for the advice, guys. Here is my plan; I will let you all know how it goes.

I plan to use a script to create a new user.
Then package up the settings of this user using Composer and deploy it.

Hopefully the parental restrictions can be deployed to multiple machines. My issue is I need to be able to deploy the solution to all machines, not just create the environment on one.

pblake
Contributor III

@rtrouton - Thanks for the script. It worked great except for one issue. When I launch Safari I get a Keychain error on 10.8.5. Any ideas why? Also, do you know if you can limit websites on a guest account via parental controls? It seems not to work.

rtrouton
Release Candidate Programs Tester

@pblake,

Do you have a customized user template? The guest user has no password and would be unable to unlock an existing login keychain in the event that one exists in the user template.

You should be able to manage access to websites with parental controls, though I'm not certain how parental controls would work if the Mac in question is already managed with MCX. There's a write-up on parental controls that includes info on website filtering available here:

http://www.macworld.com/article/2030156/configuring-parental-controls.html

You may need to do some research on which specific settings are affected with regards to the website restrictions, as I haven't looked into that previously.

pblake
Contributor III

@rtrouton - When I log in I get this error each time I launch Safari.

Keychain Not Found
A keychain cannot be found to store "Safari"
[Cancel] [Reset to Defaults]

franton
Valued Contributor III

I've been seeing that occasionally. It seems that the keychain folder (and others) isn't being created properly in 10.9 for the user. No idea why, unfortunately, but I have been able to rule out AutoDMG.

franton
Valued Contributor III

double post

pblake
Contributor III

It is 10.8.5. I am wondering if it is because the account has no password. When I try to reset to defaults and create a keychain it forces me to create a password.