Mac Security: Help Needed

Discussion in 'Mac Apps and Mac App Store' started by BWhaler, Sep 6, 2004.

  1. BWhaler macrumors 68020

    BWhaler

    Joined:
    Jan 8, 2003
    #1
    Hi,

    I am looking for software which will totally lock-down a Mac. No use of SuperDrive, no use of any of the ports, etc.

    The program FileGuard used to do all of this, but it is for OS9 only. I know I can control access through OSX, but I want to make Macs completely locked down through software.

    Thanks so much for your help.

    BW
     
  2. cb911 macrumors 601

    cb911

    Joined:
    Mar 12, 2002
    Location:
    BrisVegas, Australia
    #2
    can't you do these things by creating a new user in OS X, using a limited account?
     
  3. iMeowbot macrumors G3

    iMeowbot

    Joined:
    Aug 30, 2003
    #3
    Not completely. Program access can be vastly restricted with a managed or simplified account, but there are still ways to get stuff in and out.

    If you have OS X and an iPod handy, try creating a new simplified account and give it access to just one or two programs. Log in as that user, and plug in the iPod. iTunes starts and lets you do all the usual things you can do with an iPod, even though the user hasn't been given the ability to launch iTunes from the simple finder. Now, files that the allowed applications can open can be taken from the local disk or network, and saved to the iPod.

    Similarly, access to burn CDs can easily be taken away, but that leaves intact access to insert CDs and read files. Opening a file on that CD and saving it to a company or school network can be used to move material there that violates local policy.

    If, say, TextEdit is available to the user, that allows quite a bit of content to be transferred.

    There are probably more possibilities, those are just two from the top of my head, but this is why a lockdown utility (or at least some sort of comprehensive howto/cookbook thingy) would be useful.
     
  4. cb911 macrumors 601

    cb911

    Joined:
    Mar 12, 2002
    Location:
    BrisVegas, Australia
    #4
    yeah, i know there's ways to get around being locked out with an account, using Terminal, telnet, et al.

    but there's always going to be a way around things. you've just got to take the best you can get.

    if you really want to disable the optical drive i guess you could hack around with the firmware. :D you could also just take lots & lots of apps off the computer... i don't know if you could delete the admin account and leave the limited user account. that should really lock things down, but you'd probably have to re-install OS X if you wanted to change anything.
     
  5. 7on macrumors 601

    7on

    Joined:
    Nov 9, 2003
    Location:
    Dress Rosa
    #5
    you could just delete iTunes and unhook the optical drive from the IDE cable.
     
  6. wordmunger macrumors 603

    wordmunger

    Joined:
    Sep 3, 2003
    Location:
    North Carolina
    #6
    If you don't want a user to have access to an app, but you still want access, then put it in your home folder, not in the main "applications" folder. It works, even in the "iTunes" situation described above.
     
  7. iMeowbot macrumors G3

    iMeowbot

    Joined:
    Aug 30, 2003
    #7
    Now you're touching on the original poster's dilemma. Products like FoolProof and FileGuard allowed all this to be done on an OS 9 machine without major hacking on the local end, and maintenance was still straightforward. OS X kind of forces one into buying and using a server for netboot, or something along those lines.

    OS X has a decent permissions system that should be able to do the job locally on a machine, but this gets back to what public and school labs need: a good list of what can be disabled without breaking the system. Currently, the solution for each site is to find someone who understands Unix permissions, has the time to mess around with everything in OS X to figure out what needs to be present, and can do that again with each new release and machine.

    That's the kind of thing the original poster is asking about, in an automated form. It was available for OS 9, it's still available for Windows. As replies in this thread highlight, there isn't any obvious solution for OS X :(
     
