Jamf Nation Community

pty10 · ‎03-12-2015

I work in a school environment and I'm using configuration profiles to restrict access to most of the settings within system preferences.

I re-image the computers, the policies applied and system preferences look like pic attached (#1) where the students can access the enabled settings and the blocked settings are greyed out, which is the way I want it.

What happens now if that some of the kids where able to get around this and as you can see in pic #2, the greyed out settings are gone from system preferences but if you click on 'view' at the top, all system preferences are enable.

To good part about this is that even though they got access to all the settings, they can't access them since they don't know the admin password. I have looked at the logs is casper and on their Macbook and can't find any evidence of they knowing the admin password

Not sure how they where able to enable all the settings in system preferences, does anyone know how to replicate what happened ? (removing the disable settings from system preferences but able to see them enable in 'view) so I can tackle the problem. I'm assuming they deleted a file(s) somewhere to make it happen.

By the way, they can duplicate system preferences and remove the NSPrefpaneGroups.xml from the contents folder if they are login as admins which isn't the case since the NSPrefpaneGroups.xml file is still there.

Macbooks are running osx 10.9.5
Using casper 9.6

Cheers,

Henry

nessts · ‎03-12-2015

If you google there are plenty of sites that tell you how to copy system preferences to your home directory and remove the xml file and then get access. if the users remove a file under /Library/Managed Preferences/shortname and restart the cf preferences daemon then they can see them all for a period time as well. Its certainly not perfect and anybody determined with internet access will get into preference panes.
Other options are either removing those panes or changing ownership and permissions on them which I have done and they wont show up greyed out they will just be missing. for regular users, and you could then make your local admin the owner and that account could get to pref panes. just a thought.

mm2270 · ‎03-12-2015

This is long standing known bug regarding the HiddenPreferencePanes array in the preference settings. Apple doesn't seem to believe its a bug, but this has been an issue going back several versions of OS X, and affects MCX as well as Config Profiles. But, there is a way to help stop this from occurring.

What we do for Yosemite is deploy a Configuration Profile that grays out just the Pref Panes we don't want users to access, but also control the HiddenPreferencePanes array by forcing it to a blank array. This means the users can't go into Customize... and uncheck preference panes, which then makes them visible in the menu after relaunching System Preferences. Well, they still can uncheck them, but the settings don't stick, so after they restart System Preferences, the panes are still visible and grayed out.
We aren't doing it yet and may never need to, but we may consider locking the Config profile with a password required for removal, in case we find that some users are removing the Profile with the profiles command.

jduvalmtb · ‎03-12-2015

Link to one method.

pty10 · ‎03-12-2015

@jduvalmtb:

Thanks for the tip. Doesn't work in my case as students can only run apps inside the application folder

Cheers

Jamf Nation Community

System Preferences issue