New Holes in Mac Security

Sidkik23 (macrumors newbie, original poster, joined Oct 30, 2015, Miami, FL):

Okay, so I am the tech intern at a high school (I'm fairly new to the job and would consider myself pretty tech savvy), and we recently received a large grant to buy MacBook Airs (11-inch, Early 2015) for all of the students. To put it simply, we locked down the MacBooks tighter than a maximum security prison. The users' startup keys have been disabled, so any form of boot mode is out (just in case, we put a firmware password on all Macs). We blocked them from accessing many of the System Preferences areas (everything but Dock, Trackpad, Desktop, Printers & Scanners, Sound, Notifications, General, App Store, Accessibility, and Internet Accounts), and a majority of the ones they can open are password locked. We have LightSpeed installed on the computers (so it's a portable filter rather than just on our internet; a side note is that LightSpeed blocks off all communication if it cannot find internet), and FileWave to push new updates whenever needed. We also have Remote Connection to all the Macs, so it's possible to monitor and control all of them from one computer.

In spite of all these precautions, our cadets say that they are seeing other students downloading, opening, and installing programs on their Macs (which should not be possible). They also have seen others getting on applications such as Terminal and Disk Utility. It would be very much appreciated if you could tell me how these students are doing this, and how to further block them from doing this. Thank you!
Below is an attachment of what the students see on the System Preference menu.
 


avemestr (macrumors regular, joined Aug 14, 2012):

This will probably be considered a very stupid reply, but...

How about spending your resources on talking with the students about appropriate behaviour instead of engaging in a never-ending whack-a-mole game?

They are high school students. They have all the time in the world to find ways to circumvent whatever restrictions you put in place. You cannot win.

I also wonder what kind of situations you're attempting to prevent by applying all these restrictions.
 

cerberusss (macrumors 6502a, joined Aug 25, 2013, The Netherlands):

Well, it's a Mac. Users can drop an application anywhere they like, and run it from there. A nice place is to install it in the Applications folder in the user's home folder, i.e. /Users/some name/Applications
 

Shirasaki (macrumors G3, joined May 16, 2015):

So here is another case showing Mac is not able to compete with Windows in an enterprise environment.
You can download more apps to further block students from installing apps. Oh, yes.
One new choice: what about the guest account? If students can complete their tasks under the guest account, you don't need to worry much about those things, because the guest has rather more limited access to resources than a standard account. With FileVault on, the guest can only access Safari. I rarely use the guest account, though.
 

MacModMachine (macrumors 68020, joined Apr 3, 2009, Canada):

> So here is another case showing Mac is not able to compete with Windows in an enterprise environment.
> You can download more apps to further block students from installing apps. Oh, yes.
> One new choice: what about the guest account? If students can complete their tasks under the guest account, you don't need to worry much about those things, because the guest has rather more limited access to resources than a standard account. With FileVault on, the guest can only access Safari. I rarely use the guest account, though.

Not really; they work the same way as Windows in an enterprise environment if you know what you are doing.

Just like Windows, OS X needs a solid endpoint manager. Another option is using Deep Freeze from Faronics.
 

chrfr (macrumors G3, joined Jul 11, 2009):

> So here is another case showing Mac is not able to compete with Windows in an enterprise environment.

Nonsense. There are plenty of tools to secure Macs that work just fine. Even Windows security tools depend on being configured properly and doing so on any platform is a non-trivial job.
 

Shirasaki (macrumors G3, joined May 16, 2015):

> Nonsense. There are plenty of tools to secure Macs that work just fine. Even Windows security tools depend on being configured properly and doing so on any platform is a non-trivial job.

Ok. I would never expect my comments to be something valuable.
You win.
 

Sidkik23 (macrumors newbie, original poster, joined Oct 30, 2015, Miami, FL):

> This will probably be considered a very stupid reply, but...
>
> How about spending your resources on talking with the students about appropriate behaviour instead of engaging in a never-ending whack-a-mole game?
>
> They are high school students. They have all the time in the world to find ways to circumvent whatever restrictions you put in place. You cannot win.
>
> I also wonder what kind of situations you're attempting to prevent by applying all these restrictions.

We have sat the students down and talked to them about appropriate behaviour, and I realize the creativity many high school kids can conjure up when given a problem. We are attempting to minimize the damage and un-educational use of the Macs, just as a workplace would do with the computers they distribute.
 

Sidkik23 (macrumors newbie, original poster, joined Oct 30, 2015, Miami, FL):

> Well, it's a Mac. Users can drop an application anywhere they like, and run it from there. A nice place is to install it in the Applications folder in the user's home folder, i.e. /Users/some name/Applications

We have locked the Applications folder so the students cannot add, remove, move, or otherwise edit the folder.
 

cerberusss (macrumors 6502a, joined Aug 25, 2013, The Netherlands):

> We have locked the Applications folder so the students cannot add, remove, move, or otherwise edit the folder.

I wasn't talking about the /Applications folder (note the leading slash), I was talking about the /users/username/Applications folder.

And besides... That doesn't matter. Usually, you can drop an application anywhere and just run it. The /Applications folder is more of a rule of thumb than a necessity.
 

chrfr (macrumors G3, joined Jul 11, 2009):

> We have locked the Applications folder so the students cannot add, remove, move, or otherwise edit the folder.

Many applications don't require being in /Applications to run so locking that folder will only provide minimal protection.
 

cerberusss (macrumors 6502a, joined Aug 25, 2013, The Netherlands):

> just as a workplace would do with the computers they distribute.

Most workplaces actually are relaxing their policies, allowing you to bring your own device.

What you are doing, is showing them a jar of sweets, then punishing cleverness to obtain said sweets. I personally think it's weird.
 

CreatorCode (macrumors regular, joined Apr 15, 2015, US):

So far as I can tell, you haven't done anything at all to restrict the applications the kids can launch. The most obvious way to do this is with the built-in Parental Controls, or through Apple Remote Desktop.

If you are doing this, or using some other solution, either you've neglected to mention it or I've missed it.
 

Spink10 (Suspended, joined Nov 3, 2011, Oklahoma):

> Most workplaces actually are relaxing their policies, allowing you to bring your own device.
>
> What you are doing, is showing them a jar of sweets, then punishing cleverness to obtain said sweets. I personally think it's weird.

He isn't here for your philosophy of education but a solution to his problem. That probably sounds harsh but I'm smiling. :)
 

Sidkik23 (macrumors newbie, original poster, joined Oct 30, 2015, Miami, FL):

> So far as I can tell, you haven't done anything at all to restrict the applications the kids can launch. The most obvious way to do this is with the built-in Parental Controls, or through Apple Remote Desktop.
>
> If you are doing this, or using some other solution, either you've neglected to mention it or I've missed it.

We have implemented parental controls not allowing the use of certain applications; this was my fault, I forgot to mention this.
 

Sidkik23 (macrumors newbie, original poster, joined Oct 30, 2015, Miami, FL):

> Most workplaces actually are relaxing their policies, allowing you to bring your own device.
>
> What you are doing, is showing them a jar of sweets, then punishing cleverness to obtain said sweets. I personally think it's weird.

We have spent lots of money to obtain these MacBooks, and we allow students to bring their devices. However, it's best that we limit students' usage of the MacBook to reduce the use of non-educational applications and/or other uses in the classroom, as well as to limit the abuse and mistreatment of the Macs. We do not punish the students for finding holes (because that was our fault) unless the intent was to damage said property; otherwise, we simply fix the hole.
 

SmOgER (macrumors 6502a, joined Jun 2, 2014):

Are you sure they don't boot into recovery with CMD+R and/or they aren't left with ability to re-enable the startup keys ?
 

Sidkik23 (macrumors newbie, original poster, joined Oct 30, 2015, Miami, FL):

> I wasn't talking about the /Applications folder (note the leading slash), I was talking about the /users/username/Applications folder.
>
> And besides... That doesn't matter. Usually, you can drop an application anywhere and just run it. The /Applications folder is more of a rule of thumb than a necessity.
 

SmOgER (macrumors 6502a, joined Jun 2, 2014):

That still doesn't explain how they could get admin privileges in Terminal and such.

Btw, have you disabled the access to open apps not from the App Store?
 

chrfr (macrumors G3, joined Jul 11, 2009):

> That still doesn't explain how they could get admin privileges in Terminal and such.
>
> Btw, have you disabled the access to open apps not from the App Store?

There's no mention that the students have admin privileges in Terminal.

> We have implemented parental controls not allowing the use of certain applications; this was my fault, I forgot to mention this.

You need to whitelist, not blacklist if you're trying to restrict application use and you should restrict launching of applications outside of /Applications.
If you're blacklisting applications, there's no way to prevent someone from copying an application from elsewhere, renaming it, and running it.
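The point made in this post, together with cerberusss's earlier point that an application runs from wherever it is dropped, as an added example that is not code from any poster and is not macOS's own enforcement logic: a small Python model of the two policies. It evaluates the same four constructed launches under a denylist keyed on bundle name and under an allowlist keyed on location plus executable content. The bundle paths, the executables and the SHA-256 "signature" are all constructed stand-ins; a real allowlist would key on the code signature rather than a content hash.

```python
"""Added example (not from the thread): denylist-by-name versus allowlist-by-content.

Bundles, paths and executables below are constructed; the SHA-256 of the
executable stands in for a code-signature check.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class AppBundle:
    """Stand-in for a .app bundle: where it sits and the bytes of its main executable."""
    path: str
    executable: bytes

    @property
    def name(self) -> str:
        return self.path.rsplit("/", 1)[-1]

    @property
    def digest(self) -> str:
        # Identify the program by what it is, not by what it is called.
        return hashlib.sha256(self.executable).hexdigest()


# Policy 1: block by bundle name (a "blacklist"). This is what blocking
# Terminal and Disk Utility by name amounts to.
DENYLIST = {"Terminal.app", "Disk Utility.app"}


def denylist_allows(app: AppBundle) -> bool:
    return app.name not in DENYLIST


# Policy 2: allow only enrolled executables, and only when launched from
# /Applications (a "whitelist" plus a location restriction).
ALLOWED_ROOT = "/Applications/"


def allowlist_allows(app: AppBundle, allowed_digests: set[str]) -> bool:
    return app.path.startswith(ALLOWED_ROOT) and app.digest in allowed_digests


def evaluate_scenario() -> dict[str, tuple[bool, bool]]:
    """Run four constructed launches through both policies.

    Returns {label: (denylist_allows, allowlist_allows)}.
    """
    terminal = AppBundle("/Applications/Utilities/Terminal.app", b"constructed terminal binary")
    textedit = AppBundle("/Applications/TextEdit.app", b"constructed textedit binary")
    # A student copies Terminal into ~/Applications and renames it: same bytes, new name and path.
    renamed_terminal = AppBundle("/Users/student/Applications/Notes.app", terminal.executable)
    # A student downloads something into ~/Downloads and double-clicks it.
    downloaded_game = AppBundle("/Users/student/Downloads/Game.app", b"constructed game binary")

    allowed = {textedit.digest}  # only the executables the school enrolled

    launches = {
        "TextEdit from /Applications": textedit,
        "Terminal from /Applications/Utilities": terminal,
        "renamed Terminal copy in ~/Applications": renamed_terminal,
        "downloaded Game.app in ~/Downloads": downloaded_game,
    }
    return {label: (denylist_allows(app), allowlist_allows(app, allowed))
            for label, app in launches.items()}


def _verdict(ok: bool) -> str:
    return "runs" if ok else "blocked"


if __name__ == "__main__":
    for label, (deny_ok, allow_ok) in evaluate_scenario().items():
        print(f"{label:42} denylist: {_verdict(deny_ok):8} allowlist: {_verdict(allow_ok)}")
```

Running it prints one line per launch. The name-based denylist blocks Terminal only while it is still called Terminal.app; the renamed copy in ~/Applications and the download in ~/Downloads both run. The allowlist blocks everything the school did not enrol, wherever it came from and whatever it is named, which is the property a lockdown of this kind actually needs.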
 

satcomer (macrumors 603, joined Feb 19, 2008, The Finger Lakes Region):

Most school systems have gone with OpenDNS.com. I use it to block known Trojan-hosting sites as well as to block p0rn sites and such, even blocking and whitelisting other sites! This way, even if kids try to disable regular accounts, they still can't block DNS blocks; they aren't smart enough to know about DNS.
 

Sidkik23 (macrumors newbie, original poster, joined Oct 30, 2015, Miami, FL):

> Are you sure they don't boot into recovery with CMD+R and/or they aren't left with the ability to re-enable the startup keys?

Even if students did hold CMD+R, we put a randomized firmware passcode on all MacBooks. And on the re-enabling of the startup keys, I don't think students could unless anyone here knows of one.