Point of profile manager if user can change it anyway?

yalag
Jul 17, 2012, 11:57 AM
I'm not sure I understand the concept of profile manager. What is the point of the profile manager if the user can change anything?

Say, I set some login items for all the users in the office. The user can just go into preferences and just remove it!

Say, I set some policy on the dock. The user can just go into preferences and change it...

Can someone explain? Maybe this is more designed for the iOS?



Mattie Num Nums
Jul 19, 2012, 11:25 AM
Part of the EULA in the iOS management is users need to be able to opt-out. So far configuration profiles are the same for OSX and iOS. Will this change in ML? Who knows! If it doesn't though, and MCX seems to be dying, then management of OSX will pretty much die.

kermit4161
Jul 19, 2012, 12:27 PM
From what I can see, Apple is dumbing down all of their enterprise/professional products to 'consumer' levels. This happened with Final Cut Pro, the Xserve and now OS X Server software.

I'm just now upgrading my labs to Lion Server and wish I could just stay at either Leopard or SL Server flavors. The Server App is just ridiculous in my opinion and I'm still fighting with it. I think I'm going to abandon my old network profiles and just dumb down the OD to one account for each class with a corresponding share. Or, if push comes to shove, just create shares and let AD do all of the authentication and access, basically turning a $6000 server into a NAS. It is a shame.

I really liked Leopard server, even with all of its quirks. As long as you kept the current OD database archived, you were good to go. But I don't think Apple really wants to deal with Enterprise situations any more. They are making enough money on the consumer products, so they are abandoning the very entities that gave them life and kept them alive through the lean years. At least for managed computers...

Mattie Num Nums
Jul 19, 2012, 01:06 PM
Leopard Server was great!

minik
Jul 19, 2012, 06:22 PM
We just migrated from Snow Leopard server to Lion server. About 250 10.7.4 Macs were auto-enrolled on Profile Manager and 100 or so 10.6.8 machines stayed within Workgroup Manager.

Besides some funky printer and custom settings, I like Profile Manager. You can easily restrict system preferences.

Mattie Num Nums
Jul 24, 2012, 03:02 PM
We just migrated from Snow Leopard server to Lion server. About 250 10.7.4 Macs were auto-enrolled on Profile Manager and 100 or so 10.6.8 machines stayed within Workgroup Manager.

Besides some funky printer and custom settings, I like Profile Manager. You can easily restrict system preferences.

I think it's the whole iOS management theory being handed down to us that is scary. Management is not giving people opt-out abilities.

yalag
Jul 24, 2012, 03:04 PM
We just migrated from Snow Leopard server to Lion server. About 250 10.7.4 Macs were auto-enrolled on Profile Manager and 100 or so 10.6.8 machines stayed within Workgroup Manager.

Besides some funky printer and custom settings, I like Profile Manager. You can easily restrict system preferences.

No you can't, I just told you, anything you set in profile manager can be reverted by the user. I'm struggling to see the point of profile manager.

Mattie Num Nums
Jul 24, 2012, 03:30 PM
No you can't, I just told you, anything you set in profile manager can be reverted by the user. I'm struggling to see the point of profile manager.

Honestly, Configuration Profiles are just MCXs wrapped up and delivered in an Apple package with the ability to opt out or in. It's the exact same method they use for MDM and it's just the "iOSification" of OSX happening on a management level now. In theory I love it, but in practice being able to opt out is like sending someone to jail and telling them they can go home whenever they want.

yalag
Jul 24, 2012, 03:33 PM
Honestly, Configuration Profiles are just MCXs wrapped up and delivered in an Apple package with the ability to opt out or in. It's the exact same method they use for MDM and it's just the "iOSification" of OSX happening on a management level now. In theory I love it, but in practice being able to opt out is like sending someone to jail and telling them they can go home whenever they want.

I was hoping that would not be the case, as it makes no sense from a business management point of view. Was hoping someone could shed some light.

Mattie Num Nums
Jul 24, 2012, 03:34 PM
I was hoping that would not be the case, as it makes no sense from a business management point of view. Was hoping someone could shed some light.

At this point the best thing to do is look for alternative solutions or get creative with managing MCXs. JAMF Casper has been my lifesaver!

Anonymous Freak
Jul 24, 2012, 05:55 PM
No you can't, I just told you, anything you set in profile manager can be reverted by the user. I'm struggling to see the point of profile manager.

If you set the users as "Standard" users, not Administrators (as you should), and lock Preference Panes to Admin-only, the settings can be enforced.

You can lock down a Mac pretty tight if you follow Apple's security hardening guidelines and use centralized authentication.

yalag
Jul 24, 2012, 06:00 PM
If you set the users as "Standard" users, not Administrators (as you should), and lock Preference Panes to Admin-only, the settings can be enforced.

You can lock down a Mac pretty tight if you follow Apple's security hardening guidelines and use centralized authentication.

I suppose you can, but the computer quickly becomes useless because no users will be able to install applications, as that is an admin-level operation.

I guess I'm making a parallel to the Windows environment. In any business environment you would be allowed to install applications but yet still enforce some level of security.

Les Kern
Jul 24, 2012, 06:25 PM
In any business environment you would be allowed to install applications but yet still enforce some level of security.

HUH? Any administrator who allows users to install software is, frankly, insane. Not just the licensing issues and staying legal as the company is the owner of the machine, but also the nightmare of a fair number of idiots visiting download.com. Nope, my users are standard, we own the software, they use what we give them and if a department wants a new title we check it out, clear it if it's okay, then install it.

minik
Jul 24, 2012, 11:35 PM
I suppose you can, but the computer quickly becomes useless because no users will be able to install applications, as that is an admin-level operation.

I guess I'm making a parallel to the Windows environment. In any business environment you would be allowed to install applications but yet still enforce some level of security.

Woah!

I'm lucky that I can clean install Windows/OS X and join them to the domains afterwards. By that I know the local admin account. However, users have standard privileges and they cannot even update Flash player, for example. Of course, I didn't create a set of approved software on Profile Manager, so some students might download the latest version of Firefox and run it.

Giving the user a non-Admin account is the first rule. We have DeepFreeze on the Windows side too.

yalag
Jul 25, 2012, 12:13 AM
HUH? Any administrator who allows users to install software is, frankly, insane. Not just the licensing issues and staying legal as the company is the owner of the machine, but also the nightmare of a fair number of idiots visiting download.com. Nope, my users are standard, we own the software, they use what we give them and if a department wants a new title we check it out, clear it if it's okay, then install it.

Clearly you've never had a job. No work environment would function without admin privileges. As the other poster has pointed out, you can't even install a flash player let alone all the other software updates for the applications. Clearly it won't work.

Anonymous Freak
Jul 25, 2012, 03:18 PM
Clearly you've never had a job. No work environment would function without admin privileges. As the other poster has pointed out, you can't even install a flash player let alone all the other software updates for the applications. Clearly it won't work.

And in a 'locked down' environment like you are trying to get, that should all be done by IT, not by the end users. If an end user has to deal with maintenance of their machine, you're doing it wrong. (Yes, installing and updating software is 'maintenance'.) OS X Server can be used to push out software and updates in a centralized manner.

If your environment is so small that you don't have a dedicated IT staff to deal with this routine work, then you probably don't have an environment that needs the level of detail of Profile Manager, either.

matspekkie
Jul 25, 2012, 04:32 PM
And in a 'locked down' environment like you are trying to get, that should all be done by IT, not by the end users. If an end user has to deal with maintenance of their machine, you're doing it wrong. (Yes, installing and updating software is 'maintenance'.) OS X Server can be used to push out software and updates in a centralized manner.

If your environment is so small that you don't have a dedicated IT staff to deal with this routine work, then you probably don't have an environment that needs the level of detail of Profile Manager, either.

I totally agree with Anonymous Freak: if you let end users maintain their machines in a corporate environment you will get hell. I found Profile Manager works pretty well. But I would like to see some more control over what a specific user can / can't do without having to make too many groups. Furthermore, a lot of the old Server Admin tools moved over to Profile Manager, which makes sense so as not to have too many things doubled. I think they also changed the bit where it finally opens the correct port (if NATting) to send the profiles/changes out to the machines over the internet, which makes this a pretty powerful tool in my opinion. I do agree there should be more and better documentation on how to implement all this the right way.

MachineShedFred
Aug 2, 2012, 03:31 PM
Clearly you've never had a job. No work environment would function without admin privileges. As the other poster has pointed out, you can't even install a flash player let alone all the other software updates for the applications. Clearly it won't work.

Clearly you've never heard of centralized software distribution, and clearly you don't have any idea what you're talking about.

Go research JAMF CasperSuite, FileWave, DeployStudio, Apple Remote Desktop, and even Symantec's Altiris suite of solutions - they all have agents that run on the client endpoint with escalated permissions, and run the install as delivered by the management system over the wire (or wireless).

The days of a user needing to be an admin on their own machine for anything but development died with Windows XP. I've had several hundred Macs running with users not being admins since Mac OS X 10.3 due to all applications being installed via FileWave. You don't even have to be an admin for Windows 7 to work properly, if the system is set up right, and you have a software deployment infrastructure in place.

Fewer support calls, fewer problems, less cost. Isn't that what every IT department is looking for?

dyn
Aug 2, 2012, 05:15 PM
It doesn't work with every piece of software. Some pieces of software require users to be local admins to even run. It's not a huge problem because this is where things like SLAs come in. An SLA is simply a list of what the customer can expect from you and vice versa. If they have local admin rights then they have more responsibility too (with great power...). If they have local admin rights then the cost for fixing things is higher too. And so on. That's what managing IT is about: making things possible for the user with the highest quality and the lowest costs/risks for both the customer and the IT department.

Btw, local admins in any OS can disable any kind of management/policy software because that's what local admins have as rights. I've had people disabling lots of things, which eventually led to a complete re-installation of the machine because they messed around too much and I can't spend all the time to fix it (against the SLA). If they lose any data, settings, apps then that's their problem (of course they get time to back up these things, but backing up is their own responsibility, not ours).

Mr-Stabby
Aug 16, 2012, 07:29 PM
Isn't there an option in Profile Manager, at least in 'Mountain Lion Server' to not allow users to delete profiles once they are installed?

AlanShutko
Aug 16, 2012, 08:19 PM
Clearly you've never had a job. No work environment would function without admin privileges.

Most of my company's 30k employees don't need admin rights. Some jobs do (software developers, for instance, can get it) but there's a request process that requires yearly audits and CIO approval.

As the other poster has pointed out, you can't even install a flash player let alone all the other software updates for the applications. Clearly it won't work.

That's correct. Normal users are not allowed to do that. The IT department rolls those updates out for users.

deconstruct60
Aug 17, 2012, 10:21 PM
I suppose you can, but the computer quickly becomes useless because no users will be able to install applications, as that is an admin-level operation.

Once you make a user an Administrator they can sudo into a shell and do anything root does... which amounts to pretty much everything on that specific machine. That privilege can blow away anything that you can set. If the people are trustworthy enough to give root access to the machine, they can manage their own settings. If not, profile manager is a "side show" issue.
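Both Anonymous Freak's point (profiles only hold if users are Standard, not Administrators) and deconstruct60's (an admin can undo any setting) come down to one auditable fact: who is in the local admin group. The script below is an added example, not from the thread or from Apple; it parses the `GroupMembership` line that `dscl . -read /Groups/admin GroupMembership` prints on a Mac and reports any member not on an assumed allowlist (`ALLOWED_ADMINS` and the sample output line are constructed for offline use).

```shell
#!/bin/sh
# Added example: audit local admin group membership on a managed Mac.
# On macOS the live input comes from:
#   dscl . -read /Groups/admin GroupMembership
# which prints one line such as "GroupMembership: root admin jsmith".
# Constructed sample of that output so the script also runs offline:
SAMPLE_DSCL_OUTPUT="GroupMembership: root admin itsupport jsmith"

# Accounts expected to hold admin rights (assumption: your org's allowlist).
ALLOWED_ADMINS="root admin itsupport"

# Print each admin-group member that is not on the allowlist, one per line.
#   $1: the dscl GroupMembership output line
#   $2: space-separated allowlist of account names
unexpected_admins() {
    members=${1#GroupMembership:}   # drop the attribute name, keep the names
    for m in $members; do
        found=0
        for a in $2; do
            if [ "$m" = "$a" ]; then
                found=1
                break
            fi
        done
        if [ "$found" -eq 0 ]; then
            echo "$m"
        fi
    done
    return 0
}

# Run the live check when dscl is available (macOS); otherwise use the sample.
# Non-empty output means a user who can revert or remove your profiles.
audit_admins() {
    if command -v dscl >/dev/null 2>&1; then
        line=$(dscl . -read /Groups/admin GroupMembership 2>/dev/null)
    else
        line=$SAMPLE_DSCL_OUTPUT
    fi
    unexpected_admins "$line" "$ALLOWED_ADMINS"
}

audit_admins
```

Run it from a management agent or login script and alert on any output; an empty result means every admin on the box is one you expect.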

Bobby.e
Aug 18, 2012, 08:10 AM
The average user probably doesn't know how to use shell or root.