Mac OD Best Practices

Discussion in 'Mac OS X Server, Xserve, and Networking' started by mainstay, Oct 24, 2011.

  1. mainstay macrumors 6502

    #1
    Hi All,

    Just wondering what best practices you admins have when setting up an OD Master where you are seriously locking down Mac workstations.

    This includes preventing the users from making system changes, installing/removing applications, locking out websites, ensuring the user's dock always has at least these "x" icons and aliases, etc. etc.

    What permissions do you often give to the user?

    What is your methodology to how you approach these security measures?

    Do you control this at the user level, the group level, the computer level, or the computer group level?

    Do you communicate every decision to the owner / CEO?

    Do you provide documentation on who has what privileges?

    Every office is different and every situation differs, but I just would love to hear how others approach this critical segment of deployment.

    All the best!

    --Matthew
     
  2. Mattie Num Nums macrumors 68030

    #2
    This isn't a matter of best practices more than just understanding the basics of desktop management using OS X Server. Using Workgroup Manager and MCX is a best practice, but it's up to you on how you want to implement it. As for the other few questions you asked, those are SLAs that need to be set by the IT Director or CIO.
     
  3. Mr-Stabby macrumors 6502

    #3
    I run the Mac network in our local college's Media department. Around 250 users.

    We lock down our workstations to some extent, but the one thing I've made sure not to do is to lock down something purely for the sake of having control. You need to give users some freedom, otherwise they will be frustrated with using your system. PC networks, especially education PC networks, like to lock down absolutely everything, for no real reason I can think of.

    On the Mac side, I've seen some network admins disallow simple things like Photo Booth, or iTunes. Even the ability to change the colours on their machine or their desktop wallpaper is often locked out. All because they either want control or are just overprotective. It's amazing the goodwill a techie can lose from a user just by doing simple things like this. I see it all the time. I have quite a good relationship with my users, because they get the impression I'm there to help them rather than just keep my network the way I want it. It does mean I have to be open to changes that may make my job harder, but that's life :) It's a bit cheesy to say so, but any settings you have must be for the benefit of the user, not the benefit of the techie running it.

    The only things I lock down are either for the safety of the network (so things like the Network and Sharing preferences for example) or something which affects teaching. In my case, I do set what applications are on the Dock and where, but that's only because when you're lecturing to 20-odd students, you need to know that they have the apps on their dock in exactly the right place so you don't waste valuable time just opening the application because they can't find it. Though they can add their own, just not remove the ones I have already put there.

    Most if not all of my settings are done by computer group. 2 main groups for all computer settings (one Leopard for our older PowerPC computers, one Snow Leopard), and separate groups for printing (setting up the users' printers for each room, what default printer they are set to, etc. requires a new group for each room).

    The only user group settings I set is what is on their Finder sidebar, so I can add group folders and Media Library folders that are on the network, so they can easily access them.

    As for communication, I never talk to my line manager or anyone else about network matters unless they want something installed on all machines, or set up in a specific way.

    Hope this helps :)
     
  4. mainstay, Oct 31, 2011
    Last edited: Oct 31, 2011

    mainstay thread starter macrumors 6502

    #4
    Thank you for the considered responses.

    I very much appreciate the comment on not locking down just to demonstrate control (and I've certainly done this in the past, but with experience have learned not to flex one's IT muscles unless needed).

    "In my case, I do set what applications are on the Dock and where, but that's only because when you're lecturing to 20-odd students, you need to know that they have the apps on their dock in exactly the right place so you don't waste valuable time just opening the application because they can't find it."

    This was exactly what I was looking for feedback on... just trying to get a feel for what others do in their networks.

    I like the idea of having set icons and protocols so that I can better support people via the phone and remotely.

    "The only user group settings I set is what is on their Finder sidebar, so I can add group folders and Media Library folders that are on the network, so they can easily access them."

    +1

    "I never talk to my line manager or anyone else about network matters unless they want something installed on all machines, or set up in a specific way."

    I am in one office at the moment where the ACCOUNTANT (yes, of all people) is constantly looking over my shoulder and wanting a "rationale" behind every single decision I make. So this comment of yours sure sounds nice =) He's not necessarily objecting to my decisions, but wants every last decision documented and itemized. (I'm not kidding, I just had to document that Excel 2003 only supports 256 columns and this is being relayed as a memo to all department heads)...

    So thank you for your great and thoughtful input.

    Working as an independent IT provider I don't get enough of an opportunity to hear / see how others do things.
     
