Jamf Nation Community

Students are not administrators.

Students are responsible for installing updates (via Self Service). Students can install a variety of extra apps (via Self Service). Students can add and remove printers, as we have put everyone in the lpadmin group.

We also do not allow students to be admins on our district machines (currently). This is a discussion we have often with administrators. Self Service is the way we deliver all of the student content. We often have to remind folks that the machines are not personal property.

We also do not allow students to be admins.

We are required to comply with CIPA, and use a proxy filter to do so. If the students are admins it is a trivial matter for them to disable the proxy settings.

Note that adding a user to the lpadmin group allows them to add printers, however they will not be able to install drivers.

Currently our staff are admins, but that will change at the end of this school year. Too many administrators leads to too many different configurations for troubleshooting. I can deliver a more stable environment to our users if all of the devices are consistent and only running tested software.

Our staff will still have access to admin privileges through self-service using a variant of @Andrina's 15 minutes of admin privileges process. I log the installation activity during these 15 minutes so that I can a.) remove the program if necessary and b.) train the staff in responsible installation practices.

No admin privs for staff or students. No regrets. Those that do allow students to be admins talk about teaching responsibility, but often those are the admins messing with restricted apps in JSS, or malware detection, etc.

We also don't allow students to be local admins. We add users to the lpadmin group so they can add home printers and map network printers via login script. Apps tend to be automatically deployed in the background, though that's more of a cultural thing (make it easy and automated!!) when I started here and am trying to push for usage of Self Service next year. I've heard a few schools who allow students to be local admins, but it only worked because they spent YEARS figuring out a proper plan to make sure it worked. I won't be doing it, but do think allowing students to be local admins can work, but it requires the right culture, support system, and lots of planning.

I'd love to disable local admin for staff, but I doubt that's happening anytime soon.

The Teaching 1:1 Responsibility presentation from last year's PSU MacAdmins was pretty interesting and adjusted my view about students being admins.

While I don't recommend anyone other than Mac admins be admins on shared computers and devices, allowing students to be admins on their 1:1 devices can be a catalyst for teaching digital citizenship. It requires planning and building a curriculum around responsibility but it reduces the whack-a-mole mentality your school will develop when students begin working around management.

You'll still have discipline problems. But this squarely puts the role of discipline back into the hands of the school officials to manage, which I like.

Thanks for the link to my presentation, @talkingmoose.

We allow our students to be admins. No regrets (mostly). Yes, I spend a lot of time with restricted apps and malware/adware remediation, but we still feel that the benefits of teaching our students to be good admins and stewards of the technology outweighs the negative ramifications of having novice admins. Our program mirrors the real world and it builds good digital citizenship skills and responsibility. If we denied administrator access to our user base, we could not easily teach things like "how to keep your computer up-to-date" and "how to better identify what is adware" and good troubleshooting and upkeep methodologies.

It's not for everyone. Some schools do not have the latitude we have as an independent school. But we're very happy and proud of the program we've built. There are challenges. Just last night, I have to discipline a student for installing a key logger. But the good outweighs the bad.

As a tech, I love that I don't have to spend time with so much of the mundane tasks--the students do much for themselves because they are admins. My students also don't spend crazy amounts of time trying to get around the arbitrary controls that might be set in an environment where machines are locked down.

I'm happy to answer questions in more detail. I've posted to these boards on several occasions where I discuss in detail our program. Search for my username and you'll see them. Hope this helps!

Our students are not admins, faculty and staff are admins at the school I work at.

We add students to the lpadmins group as well as _appstore and unlock a few other system preferences with the security command. We also don't restrict downloading self bundled applications (spotify for example) because it doesn't have to be ran from the Applications directory. Things from the App Store are self contained and the things that do make changes to the system will still need an admin password to do their thing. So we don't restrict that. Though funny enough, once an app is downloaded from the App Store the students can't delete it even without an admin password.

We pre-install a bunch of the driver packages from Apple (HP, Brother, Epson, etc) so that usually covers almost all the different printers so they won't be asked to install drivers when they use it at home.

And applications that need admin access to install that a lot of people use like DropBox and Google Drive, we try to make available in Self Service. Same with printers here at school.

I feel like we've made a nice middle ground, a sort of power user if you will.

Teaching 1:1 Responsibility

+1 this is a great way to teach users (ahem, family) how to be good. ;)

Great discussion. For us, students are not admins, though we have made sure to open up printing, time machine, energy saver and screen saver preference panes. We also require students to run updates (not critical ones, we push those) just to get used to dealing with that. We also allow MAS apps. We could get a little deeper into the conversation I'm sure. In the end we only want to prevent them from causing 'real' damage while allowing them to maintain that personal connection with their technology. They tend to be more creative and accomplish more in this way then if the units were completely locked down.

Neither students or teachers have admin access here. Like other posts, we do make them members of the lpadmin group. They can add and delete printers, but it doesn't allow them to install drivers if needed.

Self Service allows our users to run Apple updates or install software/utilities that are used in our curriculum.

I do agree with the model @damienbarrett's school is using. I feel it is very important to teach students the proper way to maintain a computer, as it is in the real world. Self service is a great way to protect users and only authorize software that has been approved, but it definitely holds back from that "real world" experience. I don't feel our district is ready to take on full admin privileges yet, but would definitely like to test it out in the future.

Thanks everyone for the feedback! I believe we are going to go with the non-admin route.

Thanks!