Restrict AIM

[truss64130]

I manage a lab at a university and I'm trying to prevent users from using AIM while working for me. Every time they download AIM, it creates a new copy of it, so I cannot restrict it with the User Limitations via system preferences. For example, they just download AIM and it makes AIM (copy1, etc) and same thing when it is installed.

Any suggestions for locking down AIM?

I'm running 10.3.9

 

[bobw]

AIM uses tcp port 5190, so if you block that, it will prevent them from using AIM.

 

[truss64130]

I thought of that, but is there a way to do that from the MAC (built in firewall or something.) I'm not in charge of the campus firewall so it would have to be for that computer only.

 

[bobw]

You could probably block that port in the Firewall.
Open the Sharing PreferencePane and click Firewall and then New.

 

[truss64130]

just tried that, it only works for incomming connections. What blows my mind is that I set the different user permissions for applications in user accounts (the only apps they are allowed to use) but then OSX lets them run an app they downloaded. That feature seems rather useless if I cannot prevent downloaded programs from running.

Any other suggestions?

 

[sinclair_tm]

make them limited accounts that only give them the icons of the apps they need, not of the whole system.

 

[truss64130]

tried that, but you can still open IE or Safari, (both programs are needed) and download / install AIM. I tried both in some limitations and a simplified finder accounts.

I appreciate all of your help though.

 

[bobw]

Disable Stuffit and DiskImageMounter. Maybe that would prevent open the downloaded file.

 

[truss64130]

how do you diable those programs? I know they are not checked off (allowed) for the limited account.

 

[bobw]

DiskImageMounter is located here;

System/Library/CoreServices

In the Accounts PreferencePane/Parental Controls select Finder&System
Click Configure
Check Other
Click the Locate button then navigate to the DiskImageMounter.

 

[truss64130]

There are no parental control option in my accounts settings. I see it is there on another machine we have that is 10.4, but not on the public machine (10.3).

Back to the drawing board. Thanks though.

 

[Flying Meat]

You could set up a launchd (or startup item) daemon that runs facelessly in the background and checks the drive for the offending software, then deletes the software mercilessly from it's location.
mwaaahahahahaha!

 

[truss64130]

That sounds appealing... Are there any freeware apps to do this or is this something that is more for the programming-mac savvy? I'm mostly a PC guy, but I can work my way around a MAC fairly well.

 

[dlloyd]

You understand, of course, that even if you do somehow manage to block the AIM application any one who knows anything about Macs will find iChat, Adium, Proteus, or Fire, and even if they somehow miss those, there are also online options like AIM Express and Meebo.com?
Sounds to me like a losing battle if you must achieve this by force. Perhaps just asking nicely would do the trick?

 

[bobw]

Take a look at IPNetSentryX or Firewall Builder

If you want to try blocking from Terminal Read This

Also, check - man ipfw - in Terminal for blocking.

 

[bobw]

Also Flying Buttress

 

[Flying Meat]

dlloyd is correct, ultimately.

Though bobw's firewall suggestions will handle many of the alternate products since they must communicate with the AIM server on a specific port (not sure about the web alternatives). But external proxie servers would allow connections through alternate ports...

The best way to handle it is to make the computer usage policy clear (regularly even) and play no favorites. Two warnings, one office administrative action, and finally, termination.

Not allowed on office premises! Can be fired for this!
(or the equivalent student punishment = banishment from the labs)

Make the policy clear and well known.

 

[truss64130]

Sadly, to have any sort of diciplinary actions at my office is rather impossible. Asside from murder, it is hard to actually fire someone due to those above me not able to make a stand on any issue. I'll give some of the other options a try and I'm fairly sure they will be effective. The student workers are much less knowledgeable about macs than me, (which obviously I'm no expert). I'll let you know how I make out.

 

[truss64130]

I finally got around to trying flying buttress. It works great except one thing. When the computer restarts, the Startup script does not load, therefore making the firewall useless. If I go into the startupitems folder and try to run the script through the Managed account, it says I need to have root priveleges to run it. Any way of running a script as the admin account when the managed account starts up?

 

[bobw]

Try putting a StatupItems folder in the User Account/Library and add there and see if that works.