Jamf Nation Community

I would prefer to say AD GROUP and USER1 has access but all else does not.

its a bit complicated to make the enabling/disabling user based, and not computer based, especially if not doing it through an OD Server.

One possibility is to set up a Self Service policy scoped to certain users that uses a PlistBuddy command to write into the logged in user's managed preference plists located at /Library/Managed Preferences/username/com.apple.systempreferences.plist. You can write back in all of the ones that are disabled, or just select ones.
The thing about this is, its not permanent. Next time the Mac checks in it will set the plist array back to what is set on the JSS, graying those items out again.

We have developers here who think QA should be done on their production machines and they change DNS, Sharing Names, enable Root, etc and I need a way to stop this.

FWIW...developers are a breed of users we usually give a lot of freedom...but we provide our requirements so they know where the line is drawn in terms of support. If they call for support and breach our guidelines, their department is hit with a charge for unnecessary support due to breaching our guidelines.

We're looking at going the model of offering a managed (read locked down) Mac for the developers, & Parrallels VM templates that they are full admins off.

So they can spin up VM's & do what they want. But their main OS is managed.

So, what exactly are you looking to do then? Have the MCX setting in place for everyone except a handful of admin accounts?
See, now here is where an exclusion list in a policy or groups would be super handy. But, since we don't have that, you will have to find some other method, such as using some identifiers on the system gathered by an EA to help with excluding those Macs.
Though I'm still not sure how you'd make it work on a user basis, unless you use the User Group limitation options.

I agree with Don. And sounds like your developers are admins on their own machines already, which will make enforcing anything nearly impossible. On top of that you're trying to fix a social issue with technology.

You might look into providing your developers machines where they're standard users and having them use VMs where they can be admins. Rather than fighting them give'em a sandbox. With. Very. Tall. Walls.

From JAMF's Jeff Strauss via Twitter:

@jeff_strauss: Hide/Show Preference Panes from Terminal http://t.co/Prf5EQSs via @jeff_strauss

@bentoms This is an excellent idea!!!:

We're looking at going the model of offering a managed (read locked down) Mac for the developers, & Parrallels VM templates that they are full admins off. So they can spin up VM's & do what they want. But their main OS is managed.

...along the same lines, this is what we do for users who demand to be on the cutting edge (read: wanting to run Mountain Lion as soon as it comes out). :)

Don

I tredi Jeff Stauss' info and its not removing the panes :(

Ding ding ding! Don's reference to Jeff's blog post appears to be the ticket to getting this to work easily using managed preferences (MCX) in Casper. I wasn't aware of the HiddenPreferencePanes key introduced in Lion.

These settings worked in my testing to hide the Accounts and Bluetooth panes in System Preferences:

Domain: com.apple.systempreferences
Key Name: HiddenPreferencePanes
Key Type: Enter Manually (Array or Dictionary)
Apply Setting To: User Level Enforced
Value:```
<array> <string>com.apple.preferences.users</string> <string>com.apple.preferences.Bluetooth</string>
</array>
```
Scope this to a user group in the JSS and it should fill the need.

Talkingmoose,

I tried to implement the MCX that you described but I can not get it to work in Mountain Lion (10.8.4). Can you confirm that it still works?

Thanks!

I'm not at a place where I can easily test in Casper right now but I did test this manually and it still works.

By "test manually", I mean I edited my ~/Library/Preferences/com.apple.systempreferences.plist file on my OS X 10.8.4 system to include:

<key>HiddenPreferencePanes</key>
<array>
    <string>com.apple.preferences.users</string>
    <string>com.apple.preferences.Bluetooth</string>
</array>

Because System Preferences is just an application the effect is immediate the next time I launch it. No need to log out. If it works this way then it should work through Casper. Be sure to open System Information.app, select Managed Client on the left and verify your test machine is receiving the MCX setting there.

You could just as easily make this into a plist to import into a new profile and see if it works there:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>HiddenPreferencePanes</key>
    <array>
        <string>com.apple.preferences.users</string>
        <string>com.apple.preferences.Bluetooth</string>
    </array>
</dict>
</plist>

If that doesn't work then post back.

@donmontalvo, Do you happen to have a copy of what you're referencing from Jeff Strauss's blog? His website is offline and I'm interested in learning more about Hiding/Showing Preference Panes from Terminal.

Most likely his blog was referencing a way to script setting up the HiddenPreferencePanes key in the plist, which is fine, but then you run into the bug that has existed in OS X since this was introduced where those panes show up in the menu and are fully accessible by even non-admin users, completely defeating the purpose.
Sure you want to do that?

Nope, I was mostly curious what the method being used was. If that's all it was then I'll consider my curiosity satisfied. This is one sore subject, huh @mm2270? ;-)

@cstout Well, to be fair, I don't know for sure if that's what his blog detailed on this matter. But given I see some older posts around that time from others talking about the HiddenPreferencePanes key I assume that's what it was about.

And yeah, I guess it peeves me that Apple doesn't seem to consider this a bug or issue at all. One really needs to work hard to redefine what a bug or issue is to make this problem fall out of that bucket.

There are also the "DisabledPreferencePanes" and "EnabledPreferencePanes" keys, which will either disable the panes or enable only the panes defined in the respective arrays.

A problem I ran into is that I have some 'disabled' prefpanes and I don't want the user to see them (when disabled, they're greyed out), but if I put the same prefpane in a HiddenPreferencePanes array, then it seems to override the disabled key…

I found the following article that explains it better than I can: http://www.afp548.com/2013/12/16/system-preferences-profiles-in-mavericks-plus-a-security-hole/

I'm just wondering if anyone else has run into this.

I've run into this in the last week. One crafty student of mine was able to find this unfortunate bug/feature. Being a kid he of course showed his buddies. This is on 10.8 (10.8.4-10.8.5) FWIW so it's not just 10.9 that's affected. To correct this I applied the com.apple.systempreferences fix talkingmoose showed further up the page expect I removed any references to any pref panes so it's simply the HiddenPreferencePanes key and nothing else. Buttoned it right up.

The following appears to be working for me to both hide and disable the Time Machine preference pane. Standard Users can still unhide it, but it remains disabled. It is re-hidden whenever System Preferences is re-launched.

I think it is a good option if you don't want to use the built-in whitelist approach (which will block any panes you don't specifically add in to your JSS, see https://jamfnation.jamfsoftware.com/article.html?id=204) and just need to specifically block a pane or two.

Computer level Configuration Profile, Custom Settings:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>DisabledPreferencePanes</key>
    <array>
        <string>com.apple.preferences.TimeMachine</string>
        <string>com.apple.prefs.backup</string>
    </array>

    <key>HiddenPreferencePanes</key>
    <array>
        <string>com.apple.preferences.TimeMachine</string>
        <string>com.apple.prefs.backup</string>
    </array>
</dict>
</plist>