Granular System Permissions

shadowfayre

macrumors regular
Original poster
Jan 17, 2006
106
4
Is there a way in OSX to give users certain permissions to do activities normally sectioned off for administrators? One example being System Updates and Package Updates. We have several Mac Pro's in the office that unlike Windows with Windows Update Services; users on the Mac's must have admin permissions or wait for a tech to come by and enter a password to install updates. This can become a PITA when you have hundreds of Mac units. Same applies when the same user needs to install say Adobe updates (although, this particular issue is no different on a Windows unit).

We do not want users having admin permissions; having access to all system configurations and being able to install any said application.

Thanks!
 

ScoobyMcDoo

macrumors 65816
Nov 26, 2007
1,189
34
Austin, TX
I think that OS-X server has some sort of service you can use to push system updates to mac clients. That would probably be a better option for you.
 

shadowfayre

macrumors regular
Original poster
Jan 17, 2006
106
4
1) We are a Windows environment here at the office. No X-Servers
2) I thought X-Server was dead?

I know Apple does not care about the Enterprise; but I also know we are not the only one that have both Apple and Windows units trying to work peacefully together. :)
 

ScoobyMcDoo

macrumors 65816
Nov 26, 2007
1,189
34
Austin, TX
1) We are a Windows environment here at the office.
As far as endpoint management goes Microsoft is probably only going to deal well with Windows machines and Apple with macs. If you indeed need to deal with a heterogeneous environment, you might need to move to something like Tivoli.

2) I thought X-Server was dead?
The rack-mount x-server line is indeed dead, however they do still sell OS-X server, which I believe is now just a set of tools you put on top of OS-X. it sells for $20 on the app store. You could buy a mac pro, or even a mini to run it on. I think they still sell mini's with server pre-loaded.
 
Last edited:

shadowfayre

macrumors regular
Original poster
Jan 17, 2006
106
4
What Tivoli Product would allow me to push patches to Macs? And does it work with 3rd party applications as well?

----------

Also is there no other way to give users the permission to install updates? I really do not need an management tool just so the Macs stay up to date. What are others doing in the Enterprise? Surely IT is not giving their Mac users full access to their clients....
 

ScoobyMcDoo

macrumors 65816
Nov 26, 2007
1,189
34
Austin, TX
Well, if you think about it, updates involve writing files to parts of the file system you really don't want your users to have access to. So, even if there were a way to give the granularity you want, I don't think file system access is something you want to give your users.

In our organization, there are only two people who have macs - I am one of them. Both of us have full control of our macs. It's a pretty small company though - about 100 employees.

Have you considered calling Apple and asking them? If you do, please post back here and let us know what they say.
 

BrianBaughn

macrumors 603
Feb 13, 2011
6,488
987
Baltimore, Maryland
Does your office have "several" Macs or hundreds?

If it's hundreds, a server could be the way to go. With several...naah.

Just turn off automatic software updating for the Macs. A tech can visit the Macs periodically during off hours to check for and install updates. With automatic updates off, the users won't be interrupted.
 

shadowfayre

macrumors regular
Original poster
Jan 17, 2006
106
4
We have 9 macs in total but they are spread out. I am the only tech that wears many hats; including managing the network (100 user company).

Currently we do periodically run updates. I was just hoping for an alternative solutions. Windows clients can install updates without admin permissions, as they are configured to run automatically in the background (and that is without the use of Windows Update Services). That said in a corporate environment with WUS we do have control on what updates are available.

Same with 3rd party updates. These are handled using Group Polices. Something again I realize is a Microsoft to Microsoft solution.