Any way to mount encrypted disk image without option to save password?

panjandrum

macrumors 6502
Original poster
Sep 22, 2009
314
370
United States
So, long story short, again, I hope:

Here is the situation. School with far less than a 1:1 ratio of students:Macs. Network home folders have long been a deprecated technology, and have suffered from increasing issues post-Snow Leopard, making it a solution that needs to be moved away from.

We have moved to OS X Server 5.x and Profile Manager on Sierra and all Sierra clients.

Since we don't have a device per student, assigning profiles/settings/apps by users and groups of users is out of the question; we will have to manage things by devices and groups of devices. (Want to have some fun? Watch what happens when you try to manage devices AND users given network home folders on Open Directory from Mac OS X Server 5.x; it's possible to completely take down the server and permanently break it in about 10 minutes that way. It goes absolutely ape-****-crazy trying to figure out why managed users are logging in on multiple devices (not at the same time, mind you), throws up its hands, and kisses its arse goodbye. Good going, Apple! Your continued destruction of your once excellent Server/Client software in the pursuit of forcing a 1:1 ratio of devices to users isn't making you any friends. If schools ever have to go 1:1, guess what? The vast, vast majority of them won't be able to go Apple even if they wanted to, due to per-unit cost!)

Anyway, off my high-horse and back to the topic. Since we won't be creating network home-folders moving forward, we will move back to a shared resource for file-storage so that students can access their work from any computer they might be using.

The best solution seems to me to be encrypted disk images (sparsebundle so they will backup without filling up the backup drives instantly) housed on this network volume. Students can connect if they wish and open their disk image. Using a disk-image allows me to easily limit their available disk-usage, say to 32GB per student, AND they can save iMovie libraries to the disk image, something that can't be done directly to the shared volume. So in many ways this is an elegant solution. We hand the students their password and ask them not to share it with others. Yes, I have to create the disk-images, but that's an easy process and really not a burden.

The only problem is the inability to disable the "save to keychain" feature. The system needs to work normally (teachers need to save website passwords easily, etc.), so locking the login keychain is not an option. But unless there is some way to disable that, students will invariably click the "save to keychain" option, allowing other students access to their work.

So I'm looking for a solution; something along the following lines would work:

1) An AppleScript or Automator function that asks a user which disk image is theirs and prompts for their password, bypassing the Finder's "save to keychain" dialog completely.

2) Third-party software which creates a disk-image which asks for a password in a proprietary way, bypassing the "save to keychain" function.

3) If there is no way to prevent the "save to keychain" option from being available, then the next best option might be an Automator/AppleScript application that asks for credentials, mounts the requested disk image, and then immediately deletes that specific password from the keychain. (I've found some examples of this, but so far nothing that actually looks doable; most of them are logout hooks, and a lot of the time students don't log out properly.)

4) Something else I haven't thought of...

Well, that wasn't short, but any suggestions would be helpful, thank you!
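Options 1 and 3 from the list above can be done with a plain shell script rather than the Finder, because `hdiutil attach -stdinpass` reads the passphrase from standard input and therefore never shows the DiskImageMounter dialog that carries the "remember password in my keychain" checkbox. The script below is an added example, not code from the thread or from Apple; the `IMAGE_ROOT` share path, the `<name>.sparsebundle` naming scheme and the keychain label format (the bundle file name) are assumptions for the example. It validates the typed name so it can only ever resolve to an image under the share, removes a previously saved password for that image if a student already clicked the checkbox, then mounts the image from the passphrase without touching the keychain.

```shell
#!/bin/bash
# Added example (not from the thread): mount a student's encrypted sparsebundle
# from a passphrase typed at the terminal, so the GUI password dialog with its
# "remember password in my keychain" checkbox is never shown and nothing is
# written to the login keychain.
# Assumptions: images live under IMAGE_ROOT as <name>.sparsebundle, and a saved
# image password in the keychain carries the bundle file name as its label.

IMAGE_ROOT="${IMAGE_ROOT:-/Volumes/StudentWork/Images}"

# Accept only plain names (letters, digits, dot, underscore, hyphen) that do not
# start with a dot, so a typed name can never become a path to another image
# ("../teacher", "/Volumes/Other", ".hidden" are all rejected).
validate_image_name() {
    case "$1" in
        '' | .* | *[!A-Za-z0-9._-]* ) return 1 ;;
        * ) return 0 ;;
    esac
}

# Full path of a student's image, derived from an already validated name.
image_path() {
    printf '%s/%s.sparsebundle\n' "$IMAGE_ROOT" "$1"
}

# Label of the keychain item the Finder creates when a student does click
# "remember password" (assumed here to equal the bundle file name).
keychain_label() {
    printf '%s.sparsebundle\n' "$1"
}

# Read a passphrase without echoing it; terminal echo is restored even on Ctrl-C.
read_passphrase() {
    printf 'Passphrase for %s: ' "$1" >&2
    stty -echo
    trap 'stty echo' EXIT
    IFS= read -r _pass
    stty echo
    trap - EXIT
    printf '\n' >&2
    printf '%s' "$_pass"
}

# Mount the image with the passphrase on stdin: no GUI, no keychain prompt.
mount_image() {
    path="$1"; pass="$2"
    printf '%s' "$pass" | hdiutil attach -stdinpass "$path"
}

# Option 3 from the post: if a saved password for this image exists in the
# login keychain, delete just that item. Silent when there is none.
forget_saved_password() {
    security delete-generic-password -l "$(keychain_label "$1")" >/dev/null 2>&1 \
        && echo "Removed saved keychain password for $1" >&2
    return 0
}

main() {
    name="$1"
    if ! validate_image_name "$name"; then
        echo "Refusing image name: $name" >&2
        return 1
    fi
    path=$(image_path "$name")
    # A sparsebundle is a directory, hence -d rather than -f.
    if [ ! -d "$path" ]; then
        echo "No image at $path" >&2
        return 1
    fi
    forget_saved_password "$name"
    pass=$(read_passphrase "$name")
    mount_image "$path" "$pass"
}

# Usage: ./mount-student-image.sh <studentname>
if [ $# -gt 0 ]; then
    main "$@"
fi
```

The same functions can be wrapped in an Automator "Run Shell Script" action or called from AppleScript's `do shell script` if students are not expected to open Terminal; the important part is that the passphrase reaches `hdiutil` over stdin rather than through the Finder's dialog. If the saved items on your systems turn out to carry a different label, check one with `security find-generic-password` in Keychain Access before relying on the delete step.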
 

DJLC

macrumors 6502a
Jul 17, 2005
757
140
North Carolina
So wait... why not define a network home but disable mobile account syncing + set the Macs to use network accounts w/ a local home folder template? End result: every student has their own private folder on the network to store their documents, and it's accessible from any Mac they log in to. But OS X doesn't crap itself trying and failing to sync.

I would +1 on assigning profiles and apps by device groups. That's what we do for our student Macs.
 

IT Easy

macrumors newbie
Sep 4, 2017
2
1
Have the students use a guest account. The keychain will be cleared at every logout. You can even set defaults for the guest account (such as idle time before auto logout), but that is more complicated.
 

panjandrum

macrumors 6502
Original poster
Sep 22, 2009
314
370
United States
Thanks for your replies!

I've tried a variety of scenarios like those, but unfortunately none of them are really suited to our needs. For example, using the Guest account would be a HUGE burden on the teachers, who would have to re-enter their passwords for sites over and over again for the students, etc. One of our primary goals has always been for things to work pretty much seamlessly - the tech needs to "get out of the way" and just let the teachers teach. Any solution that is a time-waster of any sort gets thrown out because the teachers simply won't use it; they don't have the time to do so and I fully sympathize with them on issues like this. (For example, Apple's "iPad sharing" solutions in the past involved teachers having to assign iPads to a student each day - that's not going to happen, ever, period. I haven't looked into the Apple School Manager program yet, but when speaking with Apple's Education reps prior to this year's big changes they said that ASM wouldn't be an ideal solution in an environment with less than a 1:1 ratio of devices:students, so based on that I put my efforts elsewhere for the time-being.)

I've implemented encrypted disk-images and we will see how it goes this year. I think it will work fine. I'll just be training students not to save their unique password in the keychain, and letting them know that if they do so accidentally they won't be in trouble and just to let the teacher know so I can remove their password from that system.

Moving forward I guess I might have to look into solutions other than MacOS X Server. Sad day; up through the SL era Apple's own software solutions did everything we needed well, with relatively few bugs, and a feature-set perfect for a school environment.
 

DJLC

macrumors 6502a
Jul 17, 2005
757
140
North Carolina
Guest account — you could look into modifying the default account template. The guest account will always reset to the default template. So if you modify that to add customizations (Dock items, saved passwords, etc), your student accounts will always be clean and just the way you left them. Granted, to deploy that you'd probably be looking at reimaging all of your Macs.

iPads — you're correct. Although ASM does allow for "shared iPads," the teacher has to open the Classroom app and assign each student to an iPad every time they want to use them. For our shared carts, we just keep them open with no lock codes or Apple ID and let the MDM handle apps and restrictions. No need for ASM in this use case, although I do sync all our data into it since we have 1:1 iPads in 4th-8th grades.

Servers — indeed, OS X Server is no longer an all-in-one solution for schools. Although I keep it around for the Caching service on our 2009 Xserve, we've transitioned to Windows Server 2012 for everything important (Active Directory, file shares, DNS, etc). It all works together pretty well; AD users and groups populate into Server.app seamlessly. We define a network home in AD, specify mobile accounts w/ local home on the MacBooks when binding, and the end result is that users have a personal network folder that auto-mounts when logging into a Mac or Windows workstation. We then impose a 10GB per user limit with Windows file sharing quotas.

Totally agree w/ tech getting out of the way; best of luck to you this school year! :)