Jamf Nation Community

Chriskmpruitt · ‎01-30-2015

We have been asked to lock down our users wallpaper. We locked the wallpaper down by placing a PNG in a folder in the /Library/FolderthatstoresPNG. Everyone has permissions to this folder. Then lock the wallpaper down with a config profile. BAM! wallpaper locked down. Well then some one was smart enough to REplace our PNG with their own PNG......So now their background is whatever they replace that PNG with. We have underestimated the sneaky sneak of some people.

So now i have place the PNG in our hidden management account which is in /private/var/Managementaccount/Documents

no one has permissions to this folder, so when the config profile looks for the PNG it does not find it.

Is it a permissions thing? or is it that the PNG is in a hidden account?

How are other people managing wallpapers?

Thank you! and happy FRIDAY!

davidacland · ‎01-31-2015

Sounds like a few steps will be needed to try and prevent changes:

Lock out the Profiles system preference
Lock out the Desktop and Screensaver system preference
Make sure the file is in a hidden folder, but have the permissions set so the system can still read it

Lock the PNG file with ``` chflags uchg /path/to/file

- As @daz_dar mentioned, hide it with the ```
chflags hidden

command

Not sure if this is for a company or a school, but if it was a company, taking the non-technical approach I would communicate to everyone that the desktop background isn't to be changed.

If people do it, take away their admin rights.

View solution in original post

Rayfield · ‎01-30-2015

You can create a package that stores the wallpaper.

With Composer, select New, go down to User Environment, Select Background, then done :D

We have ours set to push out on log out, so the next time they log in it will be reset to default.

Chriskmpruitt · ‎01-30-2015

with doing it that way couldn't they just change their wallpaper whenever they want to?

@rleatherwood

Rayfield · ‎01-30-2015

Yes. They could still change it. But it would get reset to default as soon as they logged out.

Rayfield · ‎01-30-2015

I believe there's a parental control setting that disables the option to change the wallpaper. But I'm not entirely sure how to do it that way.

Maybe through configuration profiles?

RobertHammen · ‎01-30-2015

Are the users admins? Can you make the image, and the folder inside of it, read-only?

If they are admins, you could set a policy that runs at Logout that reinstalls the image, so the next time they log in, it's back ;-)

laurendc · ‎01-30-2015

I ran into this by accident while trying to figure out how to use configuration profiles to push a wallpaper out on first login, but leave it unmanaged afterwards. I ended up disabling it but I know it works at least in testing. You can definitely use configuration profiles to lock the wallpaper down. We are running 9.62, not sure if that function exists in earlier versions.

Chriskmpruitt · ‎01-30-2015

sadly yes our users are admin. So we just have to be smarter then then lol

daz_wallace · ‎01-31-2015

When you package the replacemen background, why not have the file as hidden in the gui?

chflags hidden [path to file]

After this, I'm pretty sure that all users will need read access to the file for the profile to use it?

davidacland · ‎01-31-2015

Sounds like a few steps will be needed to try and prevent changes:

Lock out the Profiles system preference
Lock out the Desktop and Screensaver system preference
Make sure the file is in a hidden folder, but have the permissions set so the system can still read it

Lock the PNG file with ``` chflags uchg /path/to/file

- As @daz_dar mentioned, hide it with the ```
chflags hidden

command

Not sure if this is for a company or a school, but if it was a company, taking the non-technical approach I would communicate to everyone that the desktop background isn't to be changed.

If people do it, take away their admin rights.

adamcodega · ‎01-31-2015

I would imagine that it's a permissions issue. Certainly easy to test.

At this point, someone else needs to be involved as this is a disciplinary issue.

gregneagle · ‎01-31-2015

Use a configuration profile. Here's an example:

https://github.com/gregneagle/profiles/blob/master/desktop_picture.mobileconfig

...and if you don't want the users to modify the desktop picture file itself:

1) Don't give them write rights to the file or the enclosing directory, and
2) Don't give them admin rights.

If they have admin rights, you're just wasting your time trying to lock stuff down. They now have as much power over the machine as you do.

bvrooman · ‎02-02-2015

You could set a logout policy which installs a package (maybe a DMG would be faster?) containing the correct desktop picture, placed at whatever path the config profile is configured for. Set it for ongoing execution and check the offline box - each client will cache the package and replace it at each logout.

Jamf Nation Community

Managing The Wallpaper