Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

MacBook Help Security and AirPort

M

markh789

macrumors newbie
Original poster
May 26, 2010
8
0
Hi,
I need a bit of help with MacBook security for school laptops.

The first issue is Single User Mode.
It is disable via firmware BUT students are able to take a stick of memory out of the laptop, and then they can boot into it. How can we stop this?

The second issue is students watching movies, etc, in class, they do this by turning off the airport. We fixed that, but now they go "Join Other Network", they type in gibberish, and it disconnects. No longer can we watch them. How can we make it so it attempts to re-connect to a certain network if it is disconnected like that?

Much thanks!
 
markh789 said:
Hi,
The first issue is Single User Mode.
It is disable via firmware BUT students are able to take a stick of memory out of the laptop, and then they can boot into it. How can we stop this?
Click to expand...

Don't give them the laptop. If you are relying on Single User mode as a security measure, you need to seriously rethink both your security policy and your motivations for letting students use laptops owned by your organization.


The second issue is students watching movies, etc, in class, they do this by turning off the airport. We fixed that, but now they go "Join Other Network", they type in gibberish, and it disconnects. No longer can we watch them. How can we make it so it attempts to re-connect to a certain network if it is disconnected like that?
Click to expand...

Remove the airport card or the wireless access point.
 
For concern #1, there's no direct solution. There's no security solution that can prevent someone with complete physical access to a PC/Mac from modifying it.

For concern #2, you can require an Administrator password to change AirPort settings. This option is in the Advanced section of AirPort settings (in System Preferences).

Going back to #1, you could probably tell if the occasional student reset the firmware password if you notice they no longer appear on your remote monitoring software.

Best of luck!
 
There is a firmware password set, and that is bypassed by taking a stick of memory out, starting the laptop with command+s and when done, put it back in.

You can still click "Join Other Network" and type gibberish and press OK and then click cancel as it connects, and the airport will not connect to an airport.

Maybe theres an SH script that you could help me make that will check if the network "EXAMPLE" is available for joining (if not joined to any already) and join it, that checks this every minute or something like that?

Were not going to take the laptops off the students, they've paid for half of it, and every student in the school from years 7 to 12 has one. It's part of a 1:1 Learning Program through MAC1.
 
I didn't mean take it off them for good.

If you catch a student doing something wrong, take it off them for 1 day, then 3 etc and send a letter home to their parents.

Not exactly high tech but it should stop most students.
 
If they are physically removing memory to bypass a firmware password the best you can likely hope for would be to add some sort of physical barrier.

-Some of the "Warranty Void if Removed" type holographic stickers would be ideal.
-It's possible you could physically attach the memory by some means such as some form on NON-conductive sealant/epoxy.
-You could also potentially replace the access screws with some sort of security screws.

This doesn't prevent them from doing it but makes it easy to tell upon inspection it has been tampered with. You could implement a policy that tampering with systems will have some sort of fine/penalty associated with it. In the end, if they have unsupervised physical access to the systems there isn't much you can do to prevent it as it is a fail-safe in case of lost/forgotten password.

As for the wireless issue... in a single user setup there isn't much you can do to prevent it. If you are willing to migrate to a multi-user setup you can check out the KB article at http://support.apple.com/kb/HT3389. You could mimic a single user setup but still have it be a restricted multi-user setup. Restrict the user that they have access to and you restrict the amount they can do with and to the system. You can restrict the ability to run certain programs, change certain settings, etc.

If they take these systems home and wish to use their home based wifi with the laptop (for school work obviously) you could add the default access point names, specify a certain one they would have to reset their home AP to, or you could provision it on an individual basis.

You may say you don't want to restrict the students/users too much, but the fact is if you want the systems secure you pretty much have to. The best way of doing this is with a multi-user setup with an Administrator account that they are not allowed to access. Yes, it does restrict the functionality and flexibility of having a laptop, but seeing as it is a school laptop it should be restricted to school tasks.

EDIT: I just reread that you said they pay for half of the laptop. That certainly makes it a murky dilemma indeed. However, I stand by the suggestions for mitigating the tampering. The school pays for half. Therefor you (the school) has as much legal right as they do to them. If they are caught tampering with the systems they could be fined. They should have the option of being released from the restrictions under the condition they repay the school's portion of the laptop.

I understand now why you have simply done a single user setup, but it's a trade-off. Do you want control and them to use the laptops for schoolwork, or do you want them to have free reign. You can't have both.

Fact is, in the end, if you lock something down they will try that much harder to unlock it. I did it myself when I was young and I still do it to this day.
 
Thanks Moomba that was some helpful information.

Because now there is a big issue, thats starting to come up in all the schools under the 1:1 Program, is students "selling" there skills, for them to take the laptop, and create them an administrator account.

Is there a way (in boot screen) that we can run commands?
Such as running the following:
passwd -l root

And could we also change the password to an account called "ARD"? But we don't want to give away the password, maybe we could just supply a hash (something to do with /etc/shadow).

Also know, there are only two accounts on the laptop, One being ARD (Apple Remote Desktop, the Administrative account) and the students account, which is a Mobile account (and very limited).

Is there any other suggestions you could give to me, for locking down the laptops a bit more.

In-fact, is it possible to get a battery that even requires a key to open it (and if we can; could we get it custom made).
 
I think the suggestion of putting some sort of holographic sticker over the battery is the best way to go, as there should really be no reason for students to take the battery out.
 
From the sounds of it your students have the older MacBooks that have a very accessible battery compartment. If this is the case the a holographic sticker over the memory compartment would work, but then you are left with the issue of enforcement. Are you or anyone EVER going to actually be checking them? I highly doubt this.

If your students have the newer MacBooks that do not have user replaceable batteries things are a little easier. You would need eight Phillips #00 screws for the newer units if you were to go with security screws.

Actually, come to think of it... this same approach would work for the older units too. The only difference is that instead of replacing all the chassis screws you could replace only the three screws used to access the memory compartment.

Although, if you have very resourceful students they may opt to remove the entire chassis to access the memory. In this case you may want to also replace one or two of the chassis screws with the security screws as well.

From a quick search I found http://www.brycefastener.com/ and http://www.tamperproof.com/. You would need to check and find the actual size & pitch of the screws used. They are super tiny but if you can find a company that has or will make some for you it would go a LONG way to helping defeat the students hacking past the firmware password while being relatively unobtrusive to end users.
 
I don't know if this is the right place to post this, but I'm having a wee little problem with my Macbook 13". I get disconnected so often from the router at home, I always have to restart airport. I never have problems getting access to the internet when I'm at my dormitory. My macbook is upgraded to the Snow Leopard and I'm trying to find a solution to this. Any help would be greatly appreciated! Thanks :)
 
leosaysfosho said:
I don't know if this is the right place to post this, but I'm having a wee little problem with my Macbook 13".
Click to expand...

You're right... it's not the right place. You should create a separate thread for your question. Doubly so considering the thread topic really has virtually nothing to do with your question. :(

That said, keep in mind not all wireless access points are created equal, and that the layout & construction of your home/dorm will greatly effect your signal quality/strength.
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back