Securing Mac OS X Tiger from immature college kids

C

cius

Registered
I'm the primary salesman in a university bookstore that sales Apple computers. We have two displays models that we allow people to come in and use freely in spirit of "try before you buy". People come in all the time and play with the built-in camera on our iMac, or they play around with Garageband or one of the other iLife apps we have isntalled on the demo units. We don't mind the little things like that. After all, thats what we put them there for. However, we also have people who come in and do things like download things to the desktop. Seeing as the majority of our customers are college students, they typically download things they think are "funny". I don't mind humor, but some things might be "funny" to a college student that qualify as "unacceptable" to my boss. I've created a "guest" account on the units and did NOT check the "let this user admin this computer" box. I figure that's atleast a bare minimum. However, I'm not sure exactly what this disallows them from doing. I would assume they can't affect system files now, but this likely doesn't do anything to protect the home directory (including desktop) from their prying. So, I beseech your help.

Any recommendations on how to "lock down" these demo units? I want people to be able to mess around, but I don't want them to be able to change anything major. Specifically, I don't want them to be able to change the screensaver, the safari homepage, or save anything to the desktop. Is there a way to restrict these things? I figure there is, with OS X having a unix core and all, but I'm not totally familiar with Unix or OS X yet (still learning :) ). Any help would be appreciated, as well as any advice.
 
You may want to contact Apple directly about this, as they've got machines set up in Apple retail stores that prevent misuse such as that. Apparently, the machines are reset to a "default" state at a specified time every day, or when changes are made to the state of the computer.

It's quite nice, as it keeps the computer in the same pre-determined state from day to day and doesn't allow people to screw everything up. Being a university as well as an Apple reseller, I'm sure Apple would be willing to point you in the right direction for a solution such as that.

Also, you could create a normal user account and restrict access to certain things, like the Dock and certain applications -- this should be available in the "Accounts" pane of the System Preferences.
 
Thanks ElDiabloConCaca, I'll try contacting apple to see if they have a solution. I messed around in the Accounts panel but didn't see much that was useful (other than making a restricted account for their use). I'll look again though, just to be sure.
 
cius,

You have a simple problem for which there is a simple solution. Your demo account can be setup so that it cannot change system settings or install software.
 
Or how about just removing the demo account once or twice a day, and creating a new? Seems easier to me. It's about a minutes work each time, and effectively cleanses the hard drive every time.
 
elander said:
Or how about just removing the demo account once or twice a day, and creating a new? Seems easier to me. It's about a minutes work each time, and effectively cleanses the hard drive every time.
Click to expand...

That's what I would do - very simple. You can also do things like locking the desktop folder for that user, and, as you noticed, change user parameters.
 
elander, that sounds pretty easy, I'll probably try that for now while I look into the other suggestions. Deep Freeze sounds wonderful, but alas my boss won't be willing to pay for something like that. He's reluctant to pay for anything that isn't going to reap us profit. :) I've been looking into unix security and it seems like if I just chown the home directory of the guest user, it should prevent them from changing it. This sound good to the more unix kowledgable of you?
 
You must log in or register to reply here.
Back
Top