
JuliusPIV

macrumors newbie
Original poster
Feb 9, 2016
I've been asked to set up a 'Kiosk' type Mac for some guests to use. They need to be able to use a few specific apps but I need to prepare and lock down the system:
  1. Disable Sherlock (or whatever it's called today)
  2. Disable and block read/write access to USB
  3. Disable and block read/write access to Thunderbolt
  4. Disable (or otherwise nerf TCP/IP) Ethernet
  5. Disable (or otherwise nerf TCP/IP) WiFi
  6. Disable (or otherwise nerf TCP/IP) Bluetooth
  7. Prevent installation of any new software while retaining the ability to run existing software.
  8. Prevent elevation to bypass any of these measures
  9. Prevent access to BIOS
  10. Block startup key access
I realize this isn't the community's problem but I figured since time is something of a factor, I thought it would be wise to ask around while I do my own due diligence.

Any assistance is greatly appreciated!
 
So, no internet needed at all?
So, the apps for guests would NOT involve connection to any kind of server, such as for tickets, or ordering food, or other types of services that you might offer to guests? No outside access at all, and nothing other than what is stored locally on that kiosk?

You could cover the ports, so nothing more can be mechanically inserted, other than keyboard/mouse. That could be done for a kiosk with a cabinet/cover that would only provide access to screen and keyboard, etc.

You would not want to block USB or bluetooth, as that would essentially block any kind of in-out, such as a keyboard or mouse.
But, you can do a lot of what you want with a managed account, or just have a Standard user account (which has no admin privileges), or you could leave normal access only to guest users, who can do some things, then anything that the guest does is deleted when the guest user logs out.

The last few - prevent installs or bypasses using Parental Controls, plus enabling a firmware password.
Parental controls also controls the time that the Mac can be used, and limits the apps that can be opened, along with other limits.
There is no BIOS on any Mac.
You can block startup key access by setting a firmware password on any Mac.


Finally, kiosk mode would be an ideal use for an iPad.
 
Thank you so much for the response!
So, a bit more information: It's not an actual 'Kiosk' machine for random people. We know who will be using it but we don't necessarily trust them.

We need to make sure the software and/or data we load stays on that box and isn't tampered with outside of what's been provided. That's why no network access or communication of any kind is allowed be it Ethernet, WiFi, Bluetooth etc.

They won't be using USB mice or keyboards; in fact the machine will be physically secured to help prevent actual use of the ports. (See attached)
I just want to do my part on the software side just in case. (Every layer helps)

I'll test this out tomorrow. Thanks again for your speedy and helpful response!
 

Attachments

  • IMG_0637a.jpg
I would check the USB ports on the mouse and keyboard every so often if they are USB, for a keylogger could be inserted between the device and the USB port. Never mind...just looked at your picture.....o_O:)
 
Keep in mind that even the internal keyboard and trackpad both use the internal USB bus, so disabling that bus would essentially not let anyone do anything.

I think that standard user accounts, plus parental controls, and a firmware password (although your physical installation should go a long way to prevent intentional access without damaging the MBPro) will leave you with a fairly secure portable.
If you know who the users are, then you can make standard accounts for each potential user, or just one account that all your "untrusted" users can use. Standard accounts need to enter an admin password to make almost any changes, other than settings that modify the user appearance but not much more. And, of course, your standard users won't know passwords for any admin accounts (which would defeat the whole purpose, eh? :D ), and each user would know only the login password to their own account.
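
An added example, not part of any post in this thread: a POSIX shell audit of the three software controls suggested above (firmware password, standard account, no enabled network services). It assumes an Intel Mac where `firmwarepasswd` exists, that it is run as root, and that the kiosk account's short name (hypothetical) is passed as the first argument.

```shell
#!/bin/sh
# Added example: audit a locked-down Mac. The parsers read command output on
# stdin so they can also be checked against saved or constructed samples.

# `firmwarepasswd -check` prints "Password Enabled: Yes" or "Password Enabled: No".
firmware_enabled() {
    grep -q '^Password Enabled: Yes'
}

# `networksetup -listallnetworkservices` prints a header line, then one service
# per line, with disabled services prefixed by "*". Print the ones still enabled.
enabled_services() {
    awk '!/^An asterisk/ && !/^\*/ && NF'
}

# `dseditgroup -o checkmember -m USER admin` prints "yes USER is a member of admin"
# or "no USER is NOT a member of admin".
is_admin() {
    grep -q '^yes '
}

audit_kiosk() {   # $1 = short name of the kiosk account (assumption)
    user=$1
    fail=0
    if firmwarepasswd -check | firmware_enabled; then
        echo "PASS firmware password is set (blocks startup key combinations)"
    else
        echo "FAIL no firmware password"; fail=1
    fi
    if dseditgroup -o checkmember -m "$user" admin | is_admin; then
        echo "FAIL $user is in the admin group"; fail=1
    else
        echo "PASS $user is a standard account"
    fi
    live=$(networksetup -listallnetworkservices | enabled_services)
    if [ -n "$live" ]; then
        echo "FAIL network services still enabled:"; echo "$live"; fail=1
    else
        echo "PASS every network service is disabled"
    fi
    return "$fail"
}

# Run the audit only on macOS and only when an account name was supplied.
if [ "$(uname -s)" = "Darwin" ] && [ -n "${1:-}" ]; then
    audit_kiosk "$1"
fi
```

This checks service-level network settings only; it says nothing about the physical ports, which the thread handles with the enclosure.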
 