When looking to lock down which preference panes your end users can access on “their” OSX devices, you have two options.
Option 1 – Profile/MCX policies
Option 2 – File based permissions
With option 1 you create a .mobileconfig profile in Apple’s Profile Manager (part of OS X Server, a $20 app from the App Store). The profile can be exported and then imported into LANDesk 9.5.1 for inclusion in your policies or agent configurations.
You can also install the profile manually from the GUI, or from the terminal (sudo profiles -I -F /path/profilename.mobileconfig).
The level of control this option provides is actually fairly good.
Pros:
– You can create system-wide OSX restrictions that block access to the system preference panes of your choice.
– You can control the settings centrally from Profile Manager.
– What you set, pretty much goes.
Cons:
– Whatever setting you choose locks both administrators and non-administrators out of the pane in the GUI.
– Altering these settings requires either removing the profile or pushing an updated profile over the original, which can be time consuming.
– Users can remove the profile if it is not secured properly (for example, if it is not marked as non-removable).
– The icons are still displayed in System Preferences, just greyed out.
– Any third-party preference pane icons are also greyed out (Java, Flash, etc.).
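As an added example (not the original post’s own profile, and not a Profile Manager export), the script below writes the same kind of .mobileconfig by hand, so the restriction can be kept in version control or pushed through LANDesk without a round trip through Profile Manager, and installs it with the same profiles -I -F command used above. It uses Apple’s System Preferences payload (PayloadType com.apple.systempreferences with a DisabledPreferencePanes array) and marks the profile system-scoped and non-removable, which is the “secured properly” part of the removal caveat. The pane bundle IDs, the com.example identifier and the file names are assumptions to verify for your release; a pane’s ID is the CFBundleIdentifier in its Info.plist.

```shell
#!/bin/bash
# Added example, not from the original post: build a .mobileconfig that hides
# chosen System Preferences panes, then (optionally) install it with the same
# `profiles -I -F` command the post uses.
# Assumptions: the pane bundle IDs below and the org identifier. Confirm an ID
# with, e.g.:
#   defaults read /System/Library/PreferencePanes/Accounts.prefPane/Contents/Info.plist CFBundleIdentifier

ORG_ID="${ORG_ID:-com.example.prefpanes}"   # placeholder identifier

# Fresh UUIDs for the payload and the profile (uuidgen on macOS; /proc fallback on Linux).
new_uuid() {
    uuidgen 2>/dev/null || cat /proc/sys/kernel/random/uuid
}

# Print a plist <array> of <string> elements, one per argument.
plist_string_array() {
    printf '      <array>\n'
    for s in "$@"; do
        printf '        <string>%s</string>\n' "$s"
    done
    printf '      </array>\n'
}

# write_pane_profile OUTFILE BUNDLE_ID...
# Writes a system-scoped, non-removable profile that disables the given panes.
write_pane_profile() {
    local out="$1"; shift
    local payload_uuid profile_uuid
    payload_uuid=$(new_uuid)
    profile_uuid=$(new_uuid)
    {
        cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key>
      <string>com.apple.systempreferences</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>PayloadIdentifier</key>
      <string>$ORG_ID.systempreferences</string>
      <key>PayloadUUID</key>
      <string>$payload_uuid</string>
      <key>PayloadDisplayName</key>
      <string>Restricted preference panes</string>
      <key>DisabledPreferencePanes</key>
EOF
        plist_string_array "$@"
        cat <<EOF
    </dict>
  </array>
  <key>PayloadDisplayName</key>
  <string>Preference pane lockdown</string>
  <key>PayloadIdentifier</key>
  <string>$ORG_ID</string>
  <key>PayloadRemovalDisallowed</key>
  <true/>
  <key>PayloadScope</key>
  <string>System</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>$profile_uuid</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>
EOF
    } > "$out"
}

# List the pane IDs a written profile disables (one per line), for checking
# the file before it goes into LANDesk.
profile_disabled_panes() {
    awk '/<key>DisabledPreferencePanes<\/key>/ {f=1; next}
         f && /<\/array>/ {exit}
         f && /<string>/ {gsub(/.*<string>|<\/string>.*/, ""); print}' "$1"
}

# Usage: sudo ./pane_profile.sh install
# Writes the profile to a private temp file and installs it; `profiles -P`
# (root) lists installed profiles so you can confirm it took.
if [ "${1:-}" = "install" ]; then
    f=$(mktemp /tmp/pane_lockdown.XXXXXX)
    write_pane_profile "$f" com.apple.preferences.users com.apple.preference.network
    profiles -I -F "$f" && profiles -P
fi
```

Check the generated file with profile_disabled_panes before importing it; if a pane ID is wrong the profile installs fine and simply does nothing for that pane.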
I prefer option 2. File-based permissions give you a more granular level of control than option 1.
Unlike option 1, where you configure the settings through a GUI, option 2 requires you to write them as shell (.sh) scripts.
Grant only administrators access to the Users & Groups pane:
chmod o-r /System/Library/PreferencePanes/Accounts.prefPane
chown root:admin /System/Library/PreferencePanes/Accounts.prefPane
Grant users who are members of the domain group “osx_access_usersgroups” access to the Users & Groups pane (the Mac must be bound to the domain so that chown can resolve the group name):
chmod o-r /System/Library/PreferencePanes/Accounts.prefPane
chown root:osx_access_usersgroups /System/Library/PreferencePanes/Accounts.prefPane
Pros:
– Granular control of panes
– Integration with AD groups
– Can create system-wide OSX restrictions
– Third-party panes can be controlled individually
– Icons are not displayed to users who do not have access to them
– You can control the settings centrally from LANDesk.
Cons:
– Non-standard method
– Anyone with sudo rights can override these settings (chmod/chown the pane back)
– Changes under /System/Library are blocked by System Integrity Protection on OS X 10.11 and later, so this method only works on older releases.
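The script below is an added example (not the original post’s own script) that packages option 2 the way a LANDesk compliance patch would run it: it applies the chmod o-r / chown root:group recipe above to a pane-to-group table, then audits the result so the same script can report compliance and catch an admin who has used sudo to put a pane back. It assumes it runs as root on a Mac bound to the domain; every group name except admin is hypothetical, and the Network and Sharing panes are just additional rows to show the table form. PREFPANES_DIR can be pointed at a scratch directory to try the functions without touching /System.

```shell
#!/bin/bash
# Added example (not from the original post): apply the post's
# chmod o-r / chown root:<group> recipe to a pane-to-group table, then audit
# the result. Assumptions: runs as root, the Mac is bound to the domain so the
# group names resolve, and all group names except "admin" are hypothetical.
PREFPANES_DIR="${PREFPANES_DIR:-/System/Library/PreferencePanes}"

# One "Pane.prefPane group" pair per line. Only members of the group (and
# root) will be able to read, and therefore see, the pane.
PANE_POLICY='
Accounts.prefPane      osx_access_usersgroups
Network.prefPane       osx_access_network
SharingPref.prefPane   admin
'

# Report who can currently see a pane from its mode bits and group:
# "everyone", "group:<name>", "nobody" (the group cannot read it either)
# or "missing".
pane_exposure() {
    local pane="$PREFPANES_DIR/$1"
    [ -d "$pane" ] || { echo "missing"; return 0; }
    # ls -ld: field 1 is the mode string, field 4 the group (macOS and Linux).
    set -- $(ls -ld "$pane")
    case "$1" in
        ???????r*) echo "everyone" ;;      # other-read set: any user sees it
        ????r*)    echo "group:$4" ;;      # only group-read set
        *)         echo "nobody" ;;
    esac
}

# The post's recipe for one pane. Panes under /System are already owned by
# root, so only the group needs changing; chgrp is the group half of
# "chown root:<group>".
restrict_pane() {
    local pane="$PREFPANES_DIR/$1"
    [ -d "$pane" ] || { echo "skip: $pane not found" >&2; return 1; }
    chgrp "$2" "$pane" && chmod o-r "$pane"
}

# apply_pane_policy "$PANE_POLICY": restrict every listed pane; returns the
# number of panes that could not be restricted.
apply_pane_policy() {
    local failed=0 pane group
    while read -r pane group; do
        [ -n "$pane" ] || continue
        restrict_pane "$pane" "$group" || failed=$((failed + 1))
    done <<EOF
$1
EOF
    return "$failed"
}

# audit_pane_policy "$PANE_POLICY": 0 if every listed pane is visible only to
# its intended group, 1 otherwise (prints each deviation). Run it after the
# apply step, and again on a schedule, to catch a pane that was chmod'ed back.
audit_pane_policy() {
    local bad=0 pane group actual
    while read -r pane group; do
        [ -n "$pane" ] || continue
        actual=$(pane_exposure "$pane")
        if [ "$actual" != "group:$group" ]; then
            echo "noncompliant: $pane is $actual, want group:$group"
            bad=1
        fi
    done <<EOF
$1
EOF
    return "$bad"
}

# Usage from a LANDesk patch:  sudo ./lock_panes.sh apply
#                              sudo ./lock_panes.sh audit
case "${1:-}" in
    apply) apply_pane_policy "$PANE_POLICY" && audit_pane_policy "$PANE_POLICY" ;;
    audit) audit_pane_policy "$PANE_POLICY" ;;
esac
```

The audit is the part worth keeping separate: the apply step is a one-off, but because anyone with sudo can reverse it, a compliance check that re-reads the mode bits and group is what tells you the restriction is still in force.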
Either method can help improve control over a device when you are required to grant a user administrative permissions, by limiting what they can easily reach.
I prefer method two because I can include it easily in a compliance patch in LANDesk and grant access to panes via AD group membership.