Non-Administrative Users can run software updates?

Discussion in 'macOS' started by islandsnow, Apr 5, 2008.

  1. islandsnow macrumors member

    Joined:
    Feb 14, 2008
    #1
    I have Mac OS X 10.5.x Leopard. I have configured it and bound it to our work Active Directory, so my user can log into his Mac and have his account authenticated against our Active Directory. That's fine. But I do not want to set this user up to be able to administer the Mac he is on (so that this person won't install unauthorized apps).

    But because this person cannot administer the computer, what happens with Apple system software updates? Will it run? And if it runs, will it prompt them to enter the administrator password? If I give this person the admin or root account and password, doesn't that defeat the purpose of not allowing them to install things on the computer in the first place? Is there a way to allow Apple software updates to run without prompting them for the admin password to the computer, and not allow them to install P2P apps, instant messengers, etc.?
     
  2. bluedoggiant macrumors 68030

    bluedoggiant

    Joined:
    Jul 13, 2007
    Location:
    MD & ATL,GA
    #2
    You need an admin password for software updates; it will ask for it, and also for apps being installed by the Installer.
     
  3. islandsnow thread starter macrumors member

    Joined:
    Feb 14, 2008
    #3
    Then why even have regular accounts? Might as well make everyone an administrator. I think for Windows, it will still install the system updates even if you are not at administrator level.
     
  4. MisterMe macrumors G4

    MisterMe

    Joined:
    Jul 17, 2002
    Location:
    USA
    #4
    Have you thought through your question? The Installer requires Administrator authentication. The Installer does not require that the Administrator be logged in while giving authentication. Do you really not understand the difference?

    Hint: The Mac is a multi-user system on which each user may have one or more accounts with differing privilege levels.
     
  5. islandsnow thread starter macrumors member

    Joined:
    Feb 14, 2008
    #5
    Sorry, I guess I don't think. Sorry I'm not a Mac geek like everyone here; I'm a Windows type of person but now need to support Macs and am trying to learn how the Mac does things.

    If I am logged in as a regular non-administrator account and I need to install a software update, it asks me for an account with administrator privileges, right? So if I give the user the administrator username and password in order to install this update, won't they now be able to log out, log back in with this administrator account and have access to install whatever they want? Which is what I DIDN'T want them to do? Even if you tell your users NOT to install non-supported software, they will if they can. That's what I'm trying to avoid. But if I give them the password to install necessary Apple software updates, what's preventing them from downloading LimeWire and installing that? Comprehendo? Or am I again not understanding and thinking through my own question?
     
  6. miniConvert macrumors 68040

    miniConvert

    Joined:
    Mar 4, 2006
    Location:
    Kent, UK - the 'Garden of England'.
    #6
    I authorise software updates manually on each Mac I administrate at the current time, i.e. I enter the root password when the prompt appears. My users don't have access to any accounts on their Macs other than the Open Directory-managed one.
     
  7. mkrishnan Moderator emeritus

    mkrishnan

    Joined:
    Jan 9, 2004
    Location:
    Grand Rapids, MI, USA
    #7
    Yes, sorry. This is why you don't give your standard users an admin username and password. If you don't want them to run updates, you make them standard users and then you log into the computer yourself as an admin and run updates when you want to do so.

    It's not that complicated... it's a basic parallel of the way the entire Unix world works. Your standard users will be able to log in, run programs, create and save documents, etc. They won't be able to change the contents of /Applications or the system folders. You'll do that whenever you wish as an administrator. If you enable it, you can even remote login as an admin and do these tasks.
     
  8. thejadedmonkey macrumors 604

    thejadedmonkey

    Joined:
    May 28, 2005
    Location:
    Pa
    #8
    You'll also have to enable parental controls (I believe) to prevent programs except for specified ones from being run, to prevent someone from downloading LimeWire and running it from the desktop.
     
  9. islandsnow thread starter macrumors member

    Joined:
    Feb 14, 2008
    #9
    OK, thanks. So basically that means I have to manually go to each Mac and run or authorize these updates to run. More work for me, especially if these users are in remote locations, but that's how it has to be done if I want to make sure they don't have a field day installing non-authorized software. Thanks, got it. Just wanted to make sure that's what needs to be done.
     
  10. mkrishnan Moderator emeritus

    mkrishnan

    Joined:
    Jan 9, 2004
    Location:
    Grand Rapids, MI, USA
    #10
    No, that's what remote administration is for.

    http://www.apple.com/remotedesktop/remoteadministration.html

    That's the tool that OS X Server comes with (if you have a decent number of clients, you may wish to run Leopard Server on one computer). From that tool, I believe you can basically select computers and instruct them to update without having to actually remotely log into them individually.

    If you adjust the settings appropriately on your clients, I believe you can also set it up so that you can just VNC to the computers and update them. If permitted, you can reboot from VNC. You could also set up scripting so that the update process would be fairly painless....
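
A sketch of the scripted approach suggested in post #10, added here as an example and not written by anyone in the thread: an admin workstation installs all pending Apple updates on a list of Macs over SSH, so standard users never handle an admin password. It assumes Remote Login (SSH) is enabled on each Mac, that `localadmin` (a hypothetical name) is a local admin account with key-based login, and that sudoers on each Mac lets that account run `/usr/sbin/softwareupdate` without a password prompt.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: SSH is enabled on every Mac,
# ADMIN_USER is a local admin with key-based login, and sudoers allows that
# account to run /usr/sbin/softwareupdate without a password.

SSH_CMD="${SSH_CMD:-ssh}"                # overridable so the logic can be dry-run
ADMIN_USER="${ADMIN_USER:-localadmin}"   # hypothetical account name

# Install all available Apple updates on one host ("-i -a" = install all).
# BatchMode stops ssh from prompting; stdin is detached so the remote command
# cannot swallow the host list being read by update_all.
update_host() {
    $SSH_CMD -o BatchMode=yes -o ConnectTimeout=10 "$ADMIN_USER@$1" \
        'sudo /usr/sbin/softwareupdate -i -a' </dev/null
}

# Read hostnames from stdin, one per line; blank lines and #-comments are skipped.
# Progress goes to stderr; each failed host is printed on stdout.
# Returns 1 if any host failed, so a scheduler can alert on it.
update_all() {
    rc=0
    while read -r host; do
        case "$host" in ''|'#'*) continue ;; esac
        if update_host "$host" >&2; then
            echo "updated: $host" >&2
        else
            echo "$host"
            rc=1
        fi
    done
    return $rc
}

# Usage: ./push-updates.sh macs.txt
if [ -n "${1:-}" ]; then
    update_all < "$1"
fi
```

Limiting the sudoers entry to the single `softwareupdate` binary keeps the remote account from becoming a general-purpose root login.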
     
  11. GotPro macrumors 6502

    Joined:
    Jan 29, 2007
    #11

    Not quite. The same thing happens in Windows.

    You have ADMINISTRATOR accounts and POWER USER accounts. If you create a "standard user" account in Windows... you aren't installing any software either.

    XP has 3 distinct types of accounts.

    OS X only has 2.

    And you CAN create an OS X account with Administrator rights to install software... just click the "allow user to administer" checkbox when you are creating the account in OS X.

    As an IT guy in charge of 300+ machines, both Mac & PC... I can promise you all our Windows XP accounts also do the same thing. You can't run updates / install programs.

    It's not a Mac thing.
     
  12. mkrishnan Moderator emeritus

    mkrishnan

    Joined:
    Jan 9, 2004
    Location:
    Grand Rapids, MI, USA
    #12
    Well, technically, it also has three... Admin, Standard, and Managed (which lets you impose even more restrictions down to the point of the Simple Finder).

    Related to this question, do you have to use Managed accounts if you wish to prevent users from installing eligible software to the ~/Applications folder and running it from there?
     
  13. greenmeanie macrumors 6502a

    greenmeanie

    Joined:
    Jan 22, 2005
    Location:
    CT
    #13
    XP has more than 3 accounts.

     
  14. islandsnow thread starter macrumors member

    Joined:
    Feb 14, 2008
    #14
    Thanks, I'll check out remote administration and scripting. I think scripting may be the answer for me. I have all Windows servers on the backend, so no OS X Server.
     
  15. islandsnow thread starter macrumors member

    Joined:
    Feb 14, 2008
    #15
    I think if I have Active Directory bound to my domain, then when you log in with your domain account, doesn't that automatically create a managed account? So I don't think it was a choice I had. I want them to log in with their domain account because then they can access network shares, change their domain password, etc...
     
  16. islandsnow thread starter macrumors member

    Joined:
    Feb 14, 2008
    #16
    For those of you that posted with great suggestions, thanks! I think Apple Remote Desktop is the way to go for my situation.
     
  17. mkrishnan Moderator emeritus

    mkrishnan

    Joined:
    Jan 9, 2004
    Location:
    Grand Rapids, MI, USA
    #17
    Yeah, sounds like it to me, too. If you're using Active Directory binding and managed accounts, and remote updating, it should be very easy for you to keep all the computers set up according to your design. :)
     