Initial secure multi-user setup of OS X

Discussion in 'macOS' started by OS/4, Aug 4, 2015.

  1. OS/4 macrumors newbie

    Joined:
    Jul 27, 2015
    #1
    I am new to Mac OS X, but I work in IT and have used a few different OSs before (DOS, OS/2, Ubuntu - and reluctantly Windows at work). I am fully switching our family PC to Mac OS X and accept that we have to unlearn/change some habits and am open-mindedly trying the "Apple" way unless I feel I have a good reason not to.

    From the start, I've been noting down all steps of my setup, and after over a month of use, it looks like I'm quite happy with it, so I thought I'd post it and see what feedback or comments I get from people more experienced with OS X.

    This list is not intended for computer novices, and not spelled out in a fool-proof way, but I'd be more than happy to explain my reasoning (which may not be right ;-) or provide more details. My notes are a bit terse and probably only make sense when you actually have the settings windows, etc. in front of you.

    -----------------------------

    First, a few words on the hardware - I ordered a 27" retina iMac online and was very impressed with the packaging - wow!
    The initial setup was a breeze, just plug in the network cable, keyboard (wired), power, turn on the mouse and turn on the iMac.

    We already had an Apple ID and I proceeded to set up an admin account. I did not set up any iCloud or let iCloud user reset password, because I have no intention of using iCloud. While I trust Apple more than e.g. Google re data online, I prefer to have as little personally identifiable data online and as few automated online interactions/auto-updates, etc. happening. I realise this increases my workload as the admin of our family PC, but that way I know what's going on and see it as an opportunity to learn more about the system as I go. So, in that vein, I also unticked to send diagnostics & usage data.

    System Preferences
    • Mouse: Turn on Secondary click (who wouldn't want that?), Smart Zoom (neat!), and on such a big screen, I found the preferred tracking speed to be one notch from the fastest.
      Speaking of mouse, the Apple Magic Mouse is sleek and stylish, but the scrolling direction took about 2 weeks to get used to. It actually wasn't until later that I found out that you can change it by turning off natural scrolling direction, but it is more consistent with touch devices and I can understand the reasoning that it's the content that is the target of the swipe operation, not the scroll bar.
      To ease my re-learning, I flipped the scrolling direction on my work laptop (Windows) to align it with the iMac by entering the following command in PowerShell (Windows!):
      Code:
      Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Enum\HID\*\*\Device` Parameters FlipFlopWheel -EA 0 | ForEach-Object { Set-ItemProperty $_.PSPath FlipFlopWheel 1 }

    • Keyboard: Fast repeat, Short delay, and on the Text tab deleted the example "omw" and turned off spell checking and smart quotes - these are really personal preferences and I know plenty of people who benefit greatly from auto-spell checking, but I find it annoying when it gets it wrong (terms that aren't in the dictionary) and it shows underlines or dots or whatever.

      Going through the list of shortcuts, I remove the following because I don't see a need for them - removing them means users (e.g. the kids) have one less thing they can accidentally press and get confused:
      - Increase/Decrease Brightness - what's the point, they're on F keys anyway
      - Show Dashboard (F12) - seems deprecated, and I had a look and don't really see a need for it
      - Input Sources - don't see me ever changing them
      - Change the way Tab moves focus
      - Turn keyboard access on or off
      - Convert Text to Chinese (x2)
      - Text > Add to iTunes as a spoken track
      - Turn VoiceOver on or off
      - Show Accessibility controls
    • For the admin user and myself, I added the service "Files and Folders > New Terminal at Folder" - handy!
    • I set Full keyboard access all controls - I find it handy, e.g. for web development.
    • In the General setting, I set Show scroll bars Always - for someone not that familiar with the system, before I did that, I was sometimes looking for things that didn't seem there until I realised they were just not showing and I had to scroll down! I prefer the obvious hint of a scrollbar that instantly shows me there's more.
      Turned off Allow Handoff - neat feature, but for now I have no plans to use it.
    • Dock: Turned on Automatically hide and show the Dock - nice, but while I personally like it like that, some of our family prefer it always showing, so they've left it "off".
    • Languages & Regions: Set first day of week to Monday
    • Security & Privacy -> Privacy: Turned off Enable Location Services - like I said, I prefer these things off as much as possible
      Advanced... : Turned on Require an administrator password to access system-wide...
    • Spotlight Search Results: Turned off Bing Web Search, turned off Allow Spotlight Suggestions in Spotlight & Look up - the way I see it, I expect Spotlight to search only locally and certainly wouldn't want my query for local files to be sent to Bing! If I want to search the internet, I'll use a browser - clear separation to me.
    • Displays: Turn off Show mirroring options - just because I have no use for it
    • Energy Saver: Turned off everything - our family is well "trained" to turn off the computer when they're done, and with the SSD in the iMac, the shutdown/startup times are quick anyway.
    • Logging in with the Apple ID, I also turned off everything in iCloud: Turned off everything in Photos, turned off everything else, sign out, delete all - I prefer privacy and explicit control over what goes online or not ;-)
    • Extensions: First went to Notifications/Today and turned off Stocks (click (i) and remove all stocks) and Weather; then in Today: Turned off Weather, Stocks. - If I want to search up stocks or weather, I use a browser (clear separation), and I don't want the system to do internet queries in the background. Also, those global weather forecasts are hopeless compared to local websites.
    • Network: Wi-Fi: Turned off Show Wi-Fi status in menu bar. Turned off Wi-Fi because I have an Ethernet cable connection anyway. One less thing to be running needlessly.
    • Bluetooth: Advanced - turned off everything - again, one less thing that's not needed for my personal circumstances
    • Users & Groups: Login Options: Auto-login Off (obviously!, for security), all else turned off
    • Dictation & Speech: Turned off shortcut (one less thing to accidentally turn on)
    • Accessibility: Display: Turn on Reduce transparency (performance), Zoom: Turn off Smooth images (if I zoom in, I want to see the pixels)
    • Clock -> Date & Time Preferences: Set clock to show date (handy)
    • Notes: Firewall is not needed as long as the router has a firewall and NAT. Bluetooth File Exchange was turned off by default - good (for me).

    Next came the setup of basic applications:

    Finder, etc.
    • Finder > Preferences
      * General: New Finder windows show: home directory (the logical choice)
      * Sidebar: Turned off iCloud Drive, AirDrop, Applications, Desktop, Back to my Mac, Bonjour (don't use these), turned on home directory (handy)
      * Advanced: Turn on Show all filename extensions (in the theme of preferring to know what's going on ;-)
      For the admin user and myself, I turned off Show warning before changing extension, and turned off Show warning before emptying trash - I know both are a safety net, but I'm personally comfortable without that (I left both "on" for the other users)
    • Finder > View > Customize Toolbar: Remove Share icon (I don't intend to "share" ;-)
    • Finder > View > Show Path Bar (very handy, since you can double-click on any folder in the path)
    • Double-click Macintosh HD in Path Bar and switch to list view
      Right-click > Show View Options
      Turn on Always open in list view, turn on Browse in list view, Arrange By None, Sort By Name
      Change Show Columns to Date Modified, Size, Kind. Turn off Use relative dates, turn off Show Icon preview
      Click Use as Defaults
      I have to admit, I've gotten used to Windows Explorer, but this view setup (Finder List View with Arrange By None) works quite well and gives you a kind of tree view, and like I said, for now at least, I'm giving the "Apple way" a good go rather than installing 3rd party apps.
    • For the admin user and myself, I also right-clicked > Show View Options and turned on Show Library Folder. (in the spirit of learning what's going on and what is stored where)
    • Drag Users folder and Shared folder to Favorites (above home dir) - a lot of things that are shared between all users, e.g. family photos, will go into Shared/...
      Deleted Public/Drop Box folder (not really needed, and I found its working a bit confusing for the less experienced users, and I've got the Shared folder anyway)
    • I renamed the sub-folders in Shared to "Shared Documents", "Shared Downloads", "Shared Movies", "Shared Music", "Shared Pictures", so no one confuses them with their own private folders. The concepts of home folder and private folders (except the Public folder), and the Shared folders were easy enough to explain to every user, even the kids (on Ubuntu I never bothered with a multi-user setup, so that's new, but everyone loves that they can now change their own desktop background, what they have in the dock, etc.).
    • In the Preview (View > Customize toolbar), I also removed Share, and replaced Zoom with the one with (1) (100%), and added Zoom to Fit and Magnify - all handy when looking at photos
    • My initial setup for everyone's dock was to remove Mail, Maps, and iBooks. I have no plan to use the Mail application, briefly checked out Maps but found it not as good as Google Maps, and have no plans to use iBooks, since we already have Kindle.
      For the admin user and myself, I added Terminal from Utilities to Dock
    • Launchpad is neat, but I found it odd that you cannot "remove" anything, but rather have to hide things in a folder. I moved the following to "Other" to hide them: Mission Control (has an F key anyway), Dashboard, Mail, Preview (why would you go into Launchpad to click on Preview?), Game Center (won't be using it), iBooks
    • In Contacts, for now I deleted all contacts (Apple, and the contact created for myself) - don't know yet whether I will use "Contacts"

    Minor command line tweaks
    • To speed up appearance of auto-hidden Dock, I entered:
      Code:
      defaults write com.apple.dock autohide-delay -float 0
      killall Dock
      
      and it does make a noticeable difference
    • Since we're not using Dashboard, I disabled it via:
      Code:
      defaults write com.apple.dashboard mcx-disabled -boolean true

    • I use "list of users" for login, so I set the admin user to be hidden from that list of login user icons (which are really neat by the way) via:
      Code:
      sudo defaults write /Library/Preferences/com.apple.loginwindow HiddenUsersList -array-add <adminuserid>

      I also hid the admin user's home folder in Finder by entering:
      Code:
      chflags hidden <adminuserid>
      I really like this setup, it's the best of both worlds: The users have their name and pretty icon to click on at login, but the admin's name is not evident and you have to type in both name and password.
    • Some of my family members didn't like the accent popup on pressing-and-holding letter keys (e.g. typing "Noooooooo" or things like that ;-), so I disabled it for them via:
      Code:
      defaults write -g ApplePressAndHoldEnabled -bool false
    Lastly, I booted the iMac while holding Command + R, and then in "Utilities > Firmware Password Utility" set a firmware password - I understand this would prevent someone from easily booting the Mac from an external source e.g. if it would be stolen.

    Multi-user Setup
    Users & Groups
    I set up each user as a standard user (as opposed to admin) using only each person's first name, each with their own password, and with no hint. Not sure whether I'll make use of it, but while I was at it, I added everyone to a newly created "family" group and us parents to a "parents" group.

    The kids' users are "managed users", and in the "Parental Controls...", I limited the applications and set an "Allow App Store Apps" age limit, just in case they start using the App Store at a later stage. What struck me as a pickle is that I'd have to change that age limit every year, oh well, never mind.

    In Allowed Apps: Other Apps, I enabled Automator, disabled Dashboard, enabled FaceTime (the older kids already use it on their iPod Touches and have their own Apple IDs with a non-personally identifiable name and know the dos and don'ts), enabled Font Book, disabled iBooks, enabled Image Capture, disabled Mail, enabled QuickTime Player, disabled Time Machine.
    In Utilities, I enabled Activity Monitor, Grab, Grapher, Script Editor - Grab is of course very useful, and the rest seem harmless enough, not that I expect any of the kids will actually poke into these, but it might be handy for me diagnosing something for them when they're logged in, or setting up a script for them
    Web: Left default "Try...", but deleted all allow access websites from box (I like a clean slate, and these websites were pretty irrelevant anyway)

    What was a bit of a pain was that I had to do the whole preferences setup above for every user, but that goes with a multi-user setup. At first logoff for each user, I also turned off Reopen windows when logging back in.

    Browser
    As with all of the above, I did a good amount of googling/reading, and came to the (happy) conclusion that we'll keep using the included Safari as the web browser.
    The consensus seems that Safari is now about as fast as Chromium and possibly more stable. As for Firefox (which I use on Windows) - some say it's faster, others say it's slower, so no compelling reason for it over Safari.

    uBlock (www.ublock.org) seems to be the best ad blocker - it uses less memory/CPU than AdBlock Plus - so I installed it, and it's been working very well indeed!
    After the install, go to Safari > Preferences > Extensions, click to see the Preferences, turn off Show the number of blocked requests (no real use for it)
    In Safari's "View > Customize Toolbar...", I removed the Share icon (as usual) and the uBlock icon (no real need for it)

    Having kids who love to play Tanki or games on Miniclip, it was inevitable I had to install that dreaded piece of rubbish called Flash, but I wanted to tie it down as much as possible:
    In Safari > Preferences > Security: Internet plug-ins Website Settings... set other websites to Block, and I only enabled specific web sites I know about and trust. I also went to YouTube and expressly set Flash to be blocked so I get proper video instead of Flashified video.
    I quite like this setup - if anyone goes to some other website that may or may not use Flash, it just silently won't use Flash - great! If the kids want to use Flash on some new website, they ask me and I enable that site. I wish I could set it so it requires an admin password - the older kids know how to enable it themselves, but I trust them enough not to.

    -----------------------------

    So, that's the basic setup, and I've been very happy with it so far. Comments and suggestions appreciated, just keep in mind some of these choices are purely personal preference.
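
Added example (not part of the original post or thread): a read-only check, run in Terminal, that the login-window and account choices described in the post above (auto-login off, admin hidden from the login list, everyone else a standard user) are actually in effect. The short names `localadmin`, `alice` and `bob` are placeholders, and the script assumes `dseditgroup -o checkmember` prints a line starting with "yes" or "no".

```sh
#!/bin/sh
# Added example: read-only audit of the login and account settings from the post.
# ADMIN_USER and FAMILY_USERS are placeholder short names; substitute your own.
ADMIN_USER="${ADMIN_USER:-localadmin}"
FAMILY_USERS="${FAMILY_USERS:-alice bob}"
LOGINWINDOW=/Library/Preferences/com.apple.loginwindow

# Auto-login is off when the autoLoginUser key is absent (defaults exits non-zero).
check_autologin_off() {
    if auto_user=$(defaults read "$LOGINWINDOW" autoLoginUser 2>/dev/null); then
        echo "FAIL auto-login is enabled for $auto_user"; return 1
    fi
    echo "PASS auto-login is disabled"
}

# HiddenUsersList prints as a plist array, one short name per line.
check_admin_hidden() {
    if defaults read "$LOGINWINDOW" HiddenUsersList 2>/dev/null |
        tr -d ' ",()' | grep -qxF "$ADMIN_USER"; then
        echo "PASS $ADMIN_USER is hidden from the login list"
    else
        echo "FAIL $ADMIN_USER is shown in the login list"; return 1
    fi
}

# Day-to-day accounts must be standard users, i.e. not members of group "admin".
check_standard_users() {
    std_rc=0
    for u in $FAMILY_USERS; do
        case $(dseditgroup -o checkmember -m "$u" admin 2>/dev/null) in
            yes*) echo "FAIL $u has admin rights"; std_rc=1 ;;
            no*)  echo "PASS $u is a standard user" ;;
            *)    echo "FAIL $u could not be checked"; std_rc=1 ;;
        esac
    done
    return $std_rc
}

audit() {
    audit_rc=0
    check_autologin_off  || audit_rc=1
    check_admin_hidden   || audit_rc=1
    check_standard_users || audit_rc=1
    return $audit_rc
}

# Run only when asked, e.g.  sh audit_login.sh --run
if [ "${1:-}" = "--run" ]; then audit; fi
```

The script exits non-zero if any check fails, so it can be re-run after OS updates or after adding an account to confirm nothing has drifted.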
     
  2. Bruno09 macrumors 68020

    Joined:
    Aug 24, 2013
    Location:
    Far from here
    #2
    Hi,

    I would add the ability to copy from a QuickLook window:

    Code:
    defaults write com.apple.finder QLEnableTextSelection -bool true;killall Finder
    Very handy in my opinion.
     
