New Holes in Mac Security

[Sidkik23]

Okay, so I am the tech intern at a High School (i'm fairly new to the job and would consider myself pretty tech savvy) and we recently received a large grant to buy MacBook Airs (11-inch, Early 2015) for all of the students. To put it simply, we locked down the MacBooks tighter than a maximum security prison. The users startup keys have been disabled, so any form of boot mode is out (just in case we put a firmware password on all Mac's). We blocked them from accessing many of the System Preference areas (everything but Dock, Trackpad, Desktop, Printers & Scanners, Sound, Notifications, General, App Store, Accessibility, and Internet Accounts) and a majority of the ones they can open are password locked. We have LightSpeed installed on the computers (so its a portable filter rather than just on our internet ((a side note is that LightSpeed blocks of all communication if it cannot find internet), and FileWave to push new updates whenever needed. We also have Remote Connection to all the Mac's so it's possible to monitor and control all of them from one computer. In spite of all these precautions, our cadets say that they are seeing other students downloading, opening, and installing programs on their Mac's (which should not be possible) They also have seen others getting on applications such as Terminal and Disc Utility. It would be very much appreciated if you could tell me how these students are doing this, and how to further block them from doing this. Thank You!
Below is an attachment of what the students see on the System Preference menu.

 

[avemestr]

This will probably be considered at very stupid reply, but...

How about spending your resources on talking with the students about appropriate behaviour instead of engaging in a never-ending whack-a-mole game?

They are high school students. They have all the time in the world to find ways to circumvent whatever restrictions you put in place. You cannot win.

I also wonder what kind of situations you're attempting to prevent by applying all these restrictions.

 

[cerberusss]

Well, it's a Mac. Users can drop an application anywhere they like, and run it from there. A nice place is to install it in the Applications folder in the user's home folder, I.e. /Users/some name/Applications

 

[Shirasaki]

So here is another case showing Mac is not able to compete with Windows on enterprise environment.
You can download more apps to further block students from installing apps. Oh, yes.
One new choice: what about guest account? If students can complete their tasks under guest account, you don't need to worry much of those things because guest has rather limited access of resources than standard account. With FileVault on, guest can only access safari. I rarely use guest account, though.

 

[MacModMachine]

So here is another case showing Mac is not able to compete with Windows on enterprise environment.
You can download more apps to further block students from installing apps. Oh, yes.
One new choice: what about guest account? If students can complete their tasks under guest account, you don't need to worry much of those things because guest has rather limited access of resources than standard account. With FileVault on, guest can only access safari. I rarely use guest account, though.

not really , they work the same way as windows in an enterprise environment if you know what you are doing.

Just like windows , OSX needs an solid End point manager, another option is using Deepfreeze from faronics.

 

[chrfr]

So here is another case showing Mac is not able to compete with Windows on enterprise environment.

Nonsense. There are plenty of tools to secure Macs that work just fine. Even Windows security tools depend on being configured properly and doing so on any platform is a non-trivial job.

 

[Shirasaki]

Nonsense. There are plenty of tools to secure Macs that work just fine. Even Windows security tools depend on being configured properly and doing so on any platform is a non-trivial job.

Ok. I would never expect my comments to be something valuable.
You win.

 

[Sidkik23]

This will probably be considered at very stupid reply, but...

How about spending your resources on talking with the students about appropriate behaviour instead of engaging in a never-ending whack-a-mole game?

They are high school students. They have all the time in the world to find ways to circumvent whatever restrictions you put in place. You cannot win.

I also wonder what kind of situations you're attempting to prevent by applying all these restrictions.

We have sat the students down and talked to them about appropriate behaviour, and I realize the creativity many high school kids can conjure up when given a problem. We are attempting to minimize the damage and un-educational use of the Macs, just as a workplace would do with the computers they distribute.

 

[Sidkik23]

Well, it's a Mac. Users can drop an application anywhere they like, and run it from there. A nice place is to install it in the Applications folder in the user's home folder, I.e. /Users/some name/Applications

We have locked the Applications folder so they students cannot add, remove, move, or otherwise edit the folder.

 

[cerberusss]

We have locked the Applications folder so they students cannot add, remove, move, or otherwise edit the folder.

I wasn't talking about the /Applications folder (note the leading slash), I as talking about the /users/username/Applications folder.

And besides... That doesn't matter. Usually, you can drop an application anywhere and just run it. The /Applications folder is more of a rule of thumb than a necessity.

 

[chrfr]

We have locked the Applications folder so they students cannot add, remove, move, or otherwise edit the folder.

Many applications don't require being in /Applications to run so locking that folder will only provide minimal protection.

 

[cerberusss]

just as a workplace would do with the computers they distribute.

Most workplaces actually are relaxing their policies, allowing you to bring your own device.

What you are doing, is showing them a jar of sweets, then punishing cleverness to obtain said sweets. I personally think it's weird.

 

[CreatorCode]

So far as I can tell, you haven't done anything at all to restrict the applications the kids can launch. The most obvious way to do this is with the built-in Parental Controls, or through Apple Remote Desktop.

If you are doing this, or suing some other solution, either you've neglected to mention it or I've missed it.

 

[Spink10]

Most workplaces actually are relaxing their policies, allowing you to bring your own device.

What you are doing, is showing them a jar of sweets, then punishing cleverness to obtain said sweets. I personally think it's weird.

He isn't here for your philosophy of education but a solution to his problem. That probably sounds harsh but I'm smiling.

 

[Sidkik23]

So far as I can tell, you haven't done anything at all to restrict the applications the kids can launch. The most obvious way to do this is with the built-in Parental Controls, or through Apple Remote Desktop.

If you are doing this, or suing some other solution, either you've neglected to mention it or I've missed it.

We have implemented parental controls not allowing the use of certain applications; this was my fault, I forgot to mention this.

 

[Sidkik23]

Most workplaces actually are relaxing their policies, allowing you to bring your own device.

What you are doing, is showing them a jar of sweets, then punishing cleverness to obtain said sweets. I personally think it's weird.

We have spent lots of money to obtain these MacBooks, and we allow students to bring their devices. However it's best that we limit students usage of the MacBook to reduce the use of non-educational applications and or other uses in the classroom as well as to limit the abuse and mistreatment of the Macs. We do not punish the students for finding holes (because that was our fault) unless the intent was to damage said property otherwise, we simply fix the hole.

 

[SmOgER]

Are you sure they don't boot into recovery with CMD+R and/or they aren't left with ability to re-enable the startup keys ?

 

[Sidkik23]

I wasn't talking about the /Applications folder (note the leading slash), I as talking about the /users/username/Applications folder.

And besides... That doesn't matter. Usually, you can drop an application anywhere and just run it. The /Applications folder is more of a rule of thumb than a necessity.

 

[SmOgER]

that still doesn't explain how they could get admin privileges in terminal and such.

Btw, have you disabled the access to open apps not from app store?

 

[chrfr]

that still doesn't explain how they could get admin privileges in terminal and such.

Btw, have you disabled the access to open apps not from app store?

There's no mention that the students have admin privileges in Terminal.

We have implemented parental controls not allowing the use of certain applications; this was my fault, I forgot to mention this.

You need to whitelist, not blacklist if you're trying to restrict application use and you should restrict launching of applications outside of /Applications.
If you're blacklisting applications, there's no way to prevent someone from copying an application from elsewhere, renaming it, and running it.

 

[satcomer]

Most school system have gone with OpenDNS.com. I use it to block known Trojan hosting Sites as well as Block p0rn sites and such, even blocking and whitelisting other sites! This way even if Kids try to disable regular accounts they still can't block DNS blocks, they aren't smart enough to know about DNS.

 

[Sidkik23]

Are you sure they don't boot into recovery with CMD+R and/or they aren't left with ability to re-enable the startup keys ?

Even if students did hold CMD+R, we put a randomized Firmware Passcode on all MacBooks. And on the re-enabling of the startup keys, I don't thinl students could unless anyone here knows of one.