New Holes in Mac Security

Discussion in 'Mac Basics and Help' started by Sidkik23, Oct 30, 2015.

  1. Sidkik23 macrumors newbie

    Sidkik23

    Joined:
    Oct 30, 2015
    Location:
    Miami, FL
    #1
    Okay, so I am the tech intern at a High School (I'm fairly new to the job and would consider myself pretty tech savvy) and we recently received a large grant to buy MacBook Airs (11-inch, Early 2015) for all of the students. To put it simply, we locked down the MacBooks tighter than a maximum security prison. The users' startup keys have been disabled, so any form of boot mode is out (just in case we put a firmware password on all Macs). We blocked them from accessing many of the System Preference areas (everything but Dock, Trackpad, Desktop, Printers & Scanners, Sound, Notifications, General, App Store, Accessibility, and Internet Accounts) and a majority of the ones they can open are password locked. We have LightSpeed installed on the computers (so it's a portable filter rather than just on our internet; a side note is that LightSpeed blocks off all communication if it cannot find internet), and FileWave to push new updates whenever needed. We also have Remote Connection to all the Macs so it's possible to monitor and control all of them from one computer. In spite of all these precautions, our cadets say that they are seeing other students downloading, opening, and installing programs on their Macs (which should not be possible). They also have seen others getting on applications such as Terminal and Disk Utility. It would be very much appreciated if you could tell me how these students are doing this, and how to further block them from doing this. Thank You!
    Below is an attachment of what the students see on the System Preference menu.
     


  2. avemestr macrumors regular

    Joined:
    Aug 14, 2012
    #2
    This will probably be considered a very stupid reply, but...

    How about spending your resources on talking with the students about appropriate behaviour instead of engaging in a never-ending whack-a-mole game?

    They are high school students. They have all the time in the world to find ways to circumvent whatever restrictions you put in place. You cannot win.

    I also wonder what kind of situations you're attempting to prevent by applying all these restrictions.
     
  3. cerberusss macrumors 6502a

    cerberusss

    Joined:
    Aug 25, 2013
    Location:
    The Netherlands
    #3
    Well, it's a Mac. Users can drop an application anywhere they like, and run it from there. A nice place is to install it in the Applications folder in the user's home folder, i.e. /Users/some name/Applications
     
  4. Shirasaki macrumors 603

    Shirasaki

    Joined:
    May 16, 2015
    #4
    So here is another case showing Mac is not able to compete with Windows in an enterprise environment.
    You can download more apps to further block students from installing apps. Oh, yes.
    One new choice: what about a guest account? If students can complete their tasks under a guest account, you don't need to worry much about those things because a guest has more limited access to resources than a standard account. With FileVault on, a guest can only access Safari. I rarely use the guest account, though.
     
  5. MacModMachine macrumors 68020

    MacModMachine

    Joined:
    Apr 3, 2009
    Location:
    Canada
    #5

    Not really, they work the same way as Windows in an enterprise environment if you know what you are doing.

    Just like Windows, OS X needs a solid endpoint manager; another option is using Deep Freeze from Faronics.
     
  6. chrfr macrumors 603

    Joined:
    Jul 11, 2009
    #6
    Nonsense. There are plenty of tools to secure Macs that work just fine. Even Windows security tools depend on being configured properly and doing so on any platform is a non-trivial job.
     
  7. Shirasaki macrumors 603

    Shirasaki

    Joined:
    May 16, 2015
    #7
    Ok. I would never expect my comments to be something valuable.
    You win.
     
  8. Sidkik23 thread starter macrumors newbie

    Sidkik23

    Joined:
    Oct 30, 2015
    Location:
    Miami, FL
    #8
    We have sat the students down and talked to them about appropriate behaviour, and I realize the creativity many high school kids can conjure up when given a problem. We are attempting to minimize the damage and un-educational use of the Macs, just as a workplace would do with the computers they distribute.
     
  9. Sidkik23 thread starter macrumors newbie

    Sidkik23

    Joined:
    Oct 30, 2015
    Location:
    Miami, FL
    #9
    We have locked the Applications folder so the students cannot add, remove, move, or otherwise edit the folder.
     
  10. cerberusss macrumors 6502a

    cerberusss

    Joined:
    Aug 25, 2013
    Location:
    The Netherlands
    #10
    I wasn't talking about the /Applications folder (note the leading slash), I was talking about the /users/username/Applications folder.

    And besides... That doesn't matter. Usually, you can drop an application anywhere and just run it. The /Applications folder is more of a rule of thumb than a necessity.
     
  11. chrfr macrumors 603

    Joined:
    Jul 11, 2009
    #11
    Many applications don't require being in /Applications to run so locking that folder will only provide minimal protection.
     
  12. cerberusss macrumors 6502a

    cerberusss

    Joined:
    Aug 25, 2013
    Location:
    The Netherlands
    #12
    Most workplaces actually are relaxing their policies, allowing you to bring your own device.

    What you are doing is showing them a jar of sweets, then punishing cleverness to obtain said sweets. I personally think it's weird.
     
  13. CreatorCode macrumors regular

    CreatorCode

    Joined:
    Apr 15, 2015
    Location:
    US
    #13
    So far as I can tell, you haven't done anything at all to restrict the applications the kids can launch. The most obvious way to do this is with the built-in Parental Controls, or through Apple Remote Desktop.

    If you are doing this, or using some other solution, either you've neglected to mention it or I've missed it.
     
  14. Spink10 macrumors 601

    Spink10

    Joined:
    Nov 3, 2011
    Location:
    Oklahoma
    #14
    He isn't here for your philosophy of education but a solution to his problem. That probably sounds harsh but I'm smiling. :)
     
  15. Sidkik23 thread starter macrumors newbie

    Sidkik23

    Joined:
    Oct 30, 2015
    Location:
    Miami, FL
    #15
    We have implemented parental controls not allowing the use of certain applications; this was my fault, I forgot to mention this.
     
  16. Sidkik23 thread starter macrumors newbie

    Sidkik23

    Joined:
    Oct 30, 2015
    Location:
    Miami, FL
    #16
    We have spent lots of money to obtain these MacBooks, and we allow students to bring their devices. However, it's best that we limit students' usage of the MacBook to reduce the use of non-educational applications and/or other uses in the classroom as well as to limit the abuse and mistreatment of the Macs. We do not punish the students for finding holes (because that was our fault) unless the intent was to damage said property; otherwise, we simply fix the hole.
     
  17. SmOgER macrumors 6502a

    Joined:
    Jun 2, 2014
    #17
    Are you sure they don't boot into recovery with CMD+R and/or they aren't left with the ability to re-enable the startup keys?
     
  18. Sidkik23 thread starter macrumors newbie

    Sidkik23

    Joined:
    Oct 30, 2015
    Location:
    Miami, FL
    #18
     
  19. SmOgER macrumors 6502a

    Joined:
    Jun 2, 2014
    #19
    That still doesn't explain how they could get admin privileges in Terminal and such.

    Btw, have you disabled the access to open apps not from app store?
     
  20. chrfr macrumors 603

    Joined:
    Jul 11, 2009
    #20
    There's no mention that the students have admin privileges in Terminal.
    You need to whitelist, not blacklist if you're trying to restrict application use and you should restrict launching of applications outside of /Applications.
    If you're blacklisting applications, there's no way to prevent someone from copying an application from elsewhere, renaming it, and running it.
     
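A defender-side audit for the gap chrfr's post describes (added example, not part of the original thread): it lists application bundles outside the approved directories, recognising a bundle by its structure rather than its name, so a renamed copy is still reported. The function names, the sample tree and the choice of `/Applications` as the only approved directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report application bundles outside the approved directories.
# A bundle is identified by structure (Contents/Info.plist together with a
# Contents/MacOS directory), not by name or the .app extension.

# find_stray_apps SCAN_ROOT [ALLOWED_DIR...]
# Prints, sorted, every bundle under SCAN_ROOT not inside an ALLOWED_DIR.
find_stray_apps() {
    scan_root=$1
    shift
    find "$scan_root" -type f -path '*/Contents/Info.plist' 2>/dev/null |
    while IFS= read -r plist; do
        bundle=${plist%/Contents/Info.plist}
        # An Info.plist without Contents/MacOS is not a launchable bundle.
        [ -d "$bundle/Contents/MacOS" ] || continue
        allowed=no
        for dir in "$@"; do
            case "$bundle/" in
                "$dir"/*) allowed=yes ;;
            esac
        done
        [ "$allowed" = yes ] || printf '%s\n' "$bundle"
    done | sort
}

# Constructed sample tree (not real data) so the audit can be run anywhere:
# one approved app, one app in a home folder, one bundle renamed to look
# like a document, and one ordinary directory that must not be reported.
make_demo_tree() {
    root=$(mktemp -d)
    for b in Applications/Safari.app \
             Users/student1/Applications/Game.app \
             Users/student2/Documents/homework; do
        mkdir -p "$root/$b/Contents/MacOS"
        : > "$root/$b/Contents/Info.plist"
    done
    mkdir -p "$root/Users/student2/Desktop/Contents"
    printf '%s\n' "$root"
}

demo=$(make_demo_tree)
find_stray_apps "$demo" "$demo/Applications"
rm -rf "$demo"
```

On a managed Mac the call would be `find_stray_apps /Users /Applications`, run with enough privilege to read every home folder.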
  21. satcomer macrumors 603

    satcomer

    Joined:
    Feb 19, 2008
    Location:
    The Finger Lakes Region
    #21
    Most school systems have gone with OpenDNS.com. I use it to block known Trojan hosting sites as well as block p0rn sites and such, even blocking and whitelisting other sites! This way even if kids try to disable regular accounts they still can't block DNS blocks; they aren't smart enough to know about DNS.
     
  22. Sidkik23 thread starter macrumors newbie

    Sidkik23

    Joined:
    Oct 30, 2015
    Location:
    Miami, FL
    #22
    Even if students did hold CMD+R, we put a randomized Firmware Passcode on all MacBooks. And on the re-enabling of the startup keys, I don't think students could unless anyone here knows of one.
     
