Work for a school and we are moving away from paper-based finals. But a general student laptop is wide open to all sorts of stuff. How do we lock it down? iOS has Kiosk mode options but macOS doesn't have anything (that I've found) as straightforward.
I've cobbled together a couple of config profiles that get the job mostly done but it also throws permission errors. Looking for advice on:
1. What other schools have used, in relation to laptops, Jamf Pro and testing in a Kiosk-esque setup.
2. How I can tinker the config profile to not throw so many errors.
Let's start at the beginning. 2 config profiles (Dock & Kiosk Mode).
Dock limits the dock to only TextEdit, Self Service & System Pref. Fairly straightforward and works like a champ.
Kiosk Mode does a bunch of stuff:
Restrictions are set as follows:
- Disables everything in Sys Pref except Network and Parental Controls
- Restricts apps to only TextEdit
- Widgets are turned off
- Media allows for external discs, but doesn't require auth or read-only
- Sharing Serv are all unchecked
- Functionality allows config profile install and AirPrint
Our students log into the shared laptops as Guest and do not know the Admin passwords. TextEdit works, but oftentimes auth pop-ups for various apps/drivers pop up (see link).
This is for an interactive driver, but it also popped for printers, Jamf Protect and other various bits.
Because these tests are happening in a lab environment, I can remote in and admin password through it, but it's clunky.
Thoughts? Ideas? Recommendations?
Does your Org have an LMS that they normally teach through? There should be some controls using the LMS, or you could check out something like a lockdown browser. What you are doing, while noble, is a bit of a lost cause, as students will work at getting around the restrictions vs actually taking the test. If you still want to pursue the lockdown method (say the test is on using AutoCAD or whatever), you can just restrict the apps you know of vs only allowing TextEdit. Lots of software will have helpers and other extensions that, if you apply restrictions, will constantly pop up about permission to use them (as you note). Without knowing a bit more about what exactly you're doing with the profiles/settings, it'll be difficult to say what to try next. Likewise, you could always ask this question to email@example.com and we could help you out directly.
Thanks for the reply. Lockdown browsers are an option but we have had poor experiences with them...
I'm curious about the middle part of your reply, where you offer, "you can just restrict the apps you know of vs only allowing text edit". Can you elaborate on that?
Hi Kevin - Actually, for macOS it does not appear you can pick the apps you do not want to launch; that's an iOS thing, my apologies there. What you can do is add the ~/Library/Application Support/ directory to the allow list, and it should let the helper apps etc. through while still restricting the other apps you want to be locked. You may actually need to do this with a few directories depending on the software behind the scenes. I just tried this out and it works fairly well. Alternatively, you could leverage SANTA as was mentioned prior - https://santa.dev/
You can restrict apps for macOS, but it's not done as a configuration profile. You need to use the restrictions portal on the left side menu under Computers in Jamf. Within this portal you can set up restrictions for each app you do not want users to be able to use. You can force uninstall and kill the app on devices there.