
islandsnow

macrumors member
Original poster
Feb 14, 2008
I have Mac OS X 10.5.x Leopard. I have configured it and bound it to our work Active Directory, so my user can log into his Mac and have his account authenticated against our Active Directory. That's fine. But I do not want to create this user to be able to administer the Mac he is on (so that this person won't install unauthorized apps).

But because this person cannot administer the computer, what happens with Apple system software updates? Will it run? And if it runs, will it prompt them to enter the administrator password? If I give this person the admin or root account and password, doesn't that defeat the purpose of not allowing them to install things on the computer in the first place? Is there a way to allow Apple software updates to run without prompting them for the admin password to the computer, and not allow them to install P2P apps, instant messengers, etc.?
 
> I have Mac OS X 10.5.x Leopard. I have configured it and bound it to our work Active Directory, so my user can log into his Mac and have his account authenticated against our Active Directory. That's fine. But I do not want to create this user to be able to administer the Mac he is on (so that this person won't install unauthorized apps).
>
> But because this person cannot administer the computer, what happens with Apple system software updates? Will it run? And if it runs, will it prompt them to enter the administrator password? If I give this person the admin or root account and password, doesn't that defeat the purpose of not allowing them to install things on the computer in the first place? Is there a way to allow Apple software updates to run without prompting them for the admin password to the computer, and not allow them to install P2P apps, instant messengers, etc.?

You need an admin password for software updates; it will ask for it, and also for apps being installed by the Installer.
 
> You need an admin password for software updates; it will ask for it, and also for apps being installed by the Installer.

Then why even have regular accounts? Might as well make everyone an administrator. I think for Windows, it will still install the system updates even if you are not at administrator level.
 
> Then why even have regular accounts? ...

Have you thought through your question? The Installer requires Administrator authentication. The Installer does not require that the Administrator be logged in while given authentication. Do you really not understand the difference?

Hint: The Mac is a multi-user system on which each user may have one or more accounts with differing privilege levels.
 
> Have you thought through your question? The Installer requires Administrator authentication. The Installer does not require that the Administrator be logged in while given authentication. Do you really not understand the difference?
>
> Hint: The Mac is a multi-user system on which each user may have one or more accounts with differing privilege levels.

Sorry, I guess I don't think. Sorry I'm not a Mac geek like everyone here, I'm a Windows type of person but need to now support Macs and am trying to learn how Mac does things.

If I am logged in as a regular non-administrator account and I need to install a software update, it asks me for an account with administrator privileges, right? So if I give the user the administrator username and password in order to install this update, won't they now be able to log out, and log back in with this administrator account and now have access to install whatever they want? Which is what I DIDN'T want them to do? Even if you tell your users NOT to install non-supported software, they will if they can. That's what I'm trying to avoid. But if I give them the password to install necessary Apple software updates, what's preventing them from downloading limewire and installing that? Comprehendo? Or am I again not understanding and thinking through my own question?
 
I authorise software updates manually on each Mac I administrate at the current time, i.e. I enter the root password when the prompt appears. My users don't have access to any accounts on their Macs other than the Open Directory-managed one.
 
> Or am I again not understanding and thinking through my own question?

Yes, sorry. This is why you don't give your standard users an admin username and password. If you don't want them to run updates, you make them standard users and then you log into the computer yourself as an admin and run updates when you want to do so.

It's not that complicated... it's a basic parallel of the way the entire Unix world works. Your standard users will be able to log in, run programs, create and save documents, etc. They won't be able to change the contents of /Applications or the system folders. You'll do that whenever you wish as an administrator. If you enable it, you can even remote login as an admin and do these tasks.
 
You'll also have to enable parental controls (I believe) to prevent programs except for specified ones from being run, to prevent someone from downloading limewire and running it from the desktop.
 
> Yes, sorry. This is why you don't give your standard users an admin username and password. If you don't want them to run updates, you make them standard users and then you log into the computer yourself as an admin and run updates when you want to do so.
>
> It's not that complicated... it's a basic parallel of the way the entire Unix world works. Your standard users will be able to log in, run programs, create and save documents, etc. They won't be able to change the contents of /Applications or the system folders. You'll do that whenever you wish as an administrator. If you enable it, you can even remote login as an admin and do these tasks.

OK, thanks. So basically that means I have to manually go to each Mac and run or authorize these updates to run. More work for me, especially if these users are in remote locations, but that's how it has to be done if I want to make sure they don't have a field day installing non-authorized software. Thanks, got it. Just wanted to make sure that's what needs to be done.
 
> If you enable it, you can even remote login as an admin and do these tasks.

No, that's what remote administration is for.

http://www.apple.com/remotedesktop/remoteadministration.html

That's the tool that OS X Server comes with (if you have a decent number of clients, you may wish to run Leopard Server on one computer). From that tool, I believe you can basically select computers and instruct them to update without having to actually remotely log into them individually.

If you adjust the settings appropriately on your clients, I believe you can also set it up so that you can just VNC to the computers and update them. If permitted, you can reboot from VNC. You could also set up scripting so that the update process would be fairly painless....
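
The scripted approach mentioned above, as an added example that is not part of the original post: run from a root shell on the Mac (for example over SSH), it parses `softwareupdate -l` output and installs only the updates that need no restart, so standard users never handle an admin password. The sample listing is constructed, and the Leopard-era listing format it parses is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the Leopard-era listing
# format of `softwareupdate -l`; run install_safe_updates as root on the Mac.

# Constructed sample of `softwareupdate -l` output so the parser runs offline.
SAMPLE_LIST='Software Update Tool
Copyright 2002-2007 Apple

Software Update found the following new or updated software:
   * iTunesX-8.0
     iTunes (8.0), 60000K [recommended]
   * MacOSXUpd10.5.5-10.5.5
     Mac OS X Update (10.5.5), 316000K [recommended] [restart]'

# Read a listing on stdin; print "<label><TAB>restart|norestart" per update.
parse_updates() {
    awk '
        /^ *\* / { sub(/^ *\* /, ""); label = $0; next }
        label != "" {
            print label "\t" (index($0, "[restart]") ? "restart" : "norestart")
            label = ""
        }'
}

# Labels that can be installed without rebooting the user's machine.
no_restart_labels() {
    parse_updates | awk -F '\t' '$2 == "norestart" { print $1 }'
}

# Install no-restart updates now; restart-required ones wait for a
# maintenance window. The admin credential never leaves the admin's session.
install_safe_updates() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    softwareupdate -l 2>&1 | no_restart_labels |
    while IFS= read -r label; do
        softwareupdate -i "$label" </dev/null
    done
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LIST" | parse_updates
```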
 
> Sorry, I guess I don't think. Sorry I'm not a Mac geek like everyone here, I'm a Windows type of person but need to now support Macs and am trying to learn how Mac does things.
>
> If I am logged in as a regular non-administrator account and I need to install a software update, it asks me for an account with administrator privileges, right? So if I give the user the administrator username and password in order to install this update, won't they now be able to log out, and log back in with this administrator account and now have access to install whatever they want? Which is what I DIDN'T want them to do? Even if you tell your users NOT to install non-supported software, they will if they can. That's what I'm trying to avoid. But if I give them the password to install necessary Apple software updates, what's preventing them from downloading limewire and installing that? Comprehendo? Or am I again not understanding and thinking through my own question?


Not quite. The same thing happens in Windows.

You have ADMINISTRATOR accounts and POWER USER accounts. If you create a "standard user" account in Windows... you aren't installing any software either.

XP has 3 distinct types of accounts.

OS X only has 2.

And you CAN create an OS X account with Administrator rights to install software... just click the "allow user to administer" checkbox when you are creating the account in OS X.

As an IT guy in charge of 300+ machines, both Mac & PC... I can promise you all our Windows XP accounts also do the same thing. You can't run updates / install programs.

It's not a Mac thing.
 
> OS X only has 2.

Well, technically, it also has three... Admin, Standard, and Managed (which lets you impose even more restrictions down to the point of the Simple Finder).

Related to this question, do you have to use Managed accounts if you wish to prevent users from installing eligible software to the ~/Applications folder and running it from there?
 
XP has more than 3 accounts.

> Not quite. The same thing happens in Windows.
>
> You have ADMINISTRATOR accounts and POWER USER accounts. If you create a "standard user" account in Windows... you aren't installing any software either.
>
> XP has 3 distinct types of accounts.
>
> OS X only has 2.
>
> And you CAN create an OS X account with Administrator rights to install software... just click the "allow user to administer" checkbox when you are creating the account in OS X.
>
> As an IT guy in charge of 300+ machines, both Mac & PC... I can promise you all our Windows XP accounts also do the same thing. You can't run updates / install programs.
>
> It's not a Mac thing.
 
> No, that's what remote administration is for.
>
> http://www.apple.com/remotedesktop/remoteadministration.html
>
> That's the tool that OS X Server comes with (if you have a decent number of clients, you may wish to run Leopard Server on one computer). From that tool, I believe you can basically select computers and instruct them to update without having to actually remotely log into them individually.
>
> If you adjust the settings appropriately on your clients, I believe you can also set it up so that you can just VNC to the computers and update them. If permitted, you can reboot from VNC. You could also set up scripting so that the update process would be fairly painless....

Thanks, I'll check out remote administration and scripting. I think scripting may be the answer for me. I have all Windows servers on the backend, so no OS X Server.
 
> Well, technically, it also has three... Admin, Standard, and Managed (which lets you impose even more restrictions down to the point of the Simple Finder).
>
> Related to this question, do you have to use Managed accounts if you wish to prevent users from installing eligible software to the ~/Applications folder and running it from there?

I think if I have Active Directory bound to my domain, then when you log in with your domain account, doesn't that automatically create a managed account? So I don't think it was a choice I had. I want them to log in with their domain account because then they can access network shares, change their domain password, etc...
 
For those of you that posted with great suggestions, thanks! I think Apple Remote Desktop is the way to go for my situation.
 
> For those of you that posted with great suggestions, thanks! I think Apple Remote Desktop is the way to go for my situation.

Yeah, sounds like it to me, too. If you're using Active Directory binding and managed accounts, and remote updating, it should be very easy for you to keep all the computers set up according to your design. :)
 