We want to give users an option to go to a webpage to change their password if they are expired. I want them to be able to do this from the login screen since they cannot log in. Anyone have any thoughts how to do this?
Thanks in advance nation!
Question
Launch a Webpage from the Login Window
+11+3Why not create a guest account that ONLY launches Safari and lets them visit the change password web page?
+11@lifelike, if I wanted to go that route, how could that be pushed out via casper? I don't see how I could scope the managed prefs and/or configuration profile to only that user. I cannot visit every machine. Any ideas?
I was doing this very thing via a lot of MCX, but it currently won't transplant to v9 of Casper.
If you name the guest user something specific, you can scope MCX to that username. I've got a post on custom guest users available here:
http://derflounder.wordpress.com/2013/12/29/creating-custom-guest-users-on-os-x/
+3I would create a user called "Change Password" or something.
There are some techniques for locking down this account using Parental Controls, or using some techniques described here: https://developer.apple.com/library/mac/technotes/tn2062/_index.html
And you can create this user via policy on all of your machines, then pkg up this user's home folder from the one machine you used to set it up and install that via policy to all of your machines.
+11@lifelike - I like the idea here. Would Parental Controls be in the profile, if the profile was pkg'ed up?
+3Not sure where Parental Control settings live, but you might be able to do a before/after snapshot in Composer to grab them.
+10The special user approach is probably the best. It's nearly impossible to get Safari (or any other web browser) to launch properly and display a GUI at the loginwindow, and if you do succeed, it's a huge security risk, as you are now running a web browser AS ROOT.
+11Thanks for the advice guys. Here is my plan, I will let you all know how it goes.
I play to use a script to create a new user.
Then package up using composer the setting of this user and deploying it.
Hopefully the parental restrictions can be deployed to multiple machines. My issue is I need to be able to deploy the solution to all machines not just create the environment on one.
+11@rtrouton - Thanks for the script. It worked great except one issue. When I launch safari I get a Keychain error on 10.8.5. Any ideas why? Also do you know if you can limit websites on a guest account via parental controls, it seems not to work.
Do you have a customized user template? The guest user has no password and would be unable to unlock an existing login keychain in the event that one exists in the user template.
You should be able to manage access to websites with parental controls, though I'm not certain how parental controls would work if the Mac in question is already managed with MCX. There's a write-up on parental controls that includes info on website filtering available here:
http://www.macworld.com/article/2030156/configuring-parental-controls.html
You may need to do some research on which specific settings are affected with regards to the website restrictions, as I haven't looked into that previously.
+11@rtrouton - When I log in I get this error each time I launch Safari.
Keychain Not Found
A keychain cannot be found to store "Safari"
[Cancel] [Reset to Defaults]
I've been seeing that occasionally. It seems that the keychain folder (and others) isn't being created properly in 10.9 for the user. No idea why unfortunately but I have been able to rule out AutoDMG.
+11It is 10.8.5. I am wondering if it because the account has no password. When I try to reset to defaults and create a keychain it forces me to create a password.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.