Locking Down Mac OS X

My school has a Mac lab, but unfortunately doesn’t really have an administrator for that lab. The lab consists of 20 of the newest iMacs, plus one quad-core Mac Pro with dual 20″ Apple Cinema Displays. I’ve taken on the task of assisting the instructor for that lab in kind of locking down the Macs.
As it stands, there is one user account on each Mac. It is a full administrator account, and a password is set. However, automatic login is enabled and students do not know this password. The challenge is this: to lock down these Macs more or less as much as the Windows XP machines in other parts of the school. Unfortunately, there is no easy way to do this on the Mac side as there is on the Windows side. (If you’re looking to do the same thing for Windows, you might check out Adam’s tutorial on Group Policy Objects.) In this article, I’m assuming that you are comfortable with the Terminal and with digging through the ~/Library/Preferences folder.

I’ve managed to do only two (and a half) things so far:

  • Disable the Share Screen button
    • In Leopard, a Share Screen button appears when you select a networked Mac. This allows you to remotely control any Mac you have the password for without buying Apple Remote Desktop. Disabling the share screen button is a very simple procedure. Simply open Terminal (or prepare to send a UNIX command via Apple Remote Desktop) and use the following command:
      sudo rm -r /System/Library/CoreServices/Screen\ Sharing.app
      You will be prompted for your password if you are working locally. (It will look like you are not typing, but you are; type the password and press Return.) In Apple Remote Desktop, you will need to type the password on a new line. This command deletes the application that runs when you press Share Screen, which effectively turns the Share Screen button into a “do nothing button.”
  • Lock the dock
    • The only locks I’ve been able to place on the dock so far prevent changes to the contents of the dock, the size of the dock, and the magnification settings. Before you do this, make SURE you have the dock set up the way you want. In our Mac lab, I set up the dock on one iMac and copied the Dock preference files to the other iMacs and rebooted them. To do this, copy all the files beginning with “com.apple.Dock” in ~/Library/Preferences to the same location on the other Macs. Then, either reboot the other Macs or reset the dock using the following Terminal command.
      killall Dock
      Now that you have the dock on every Mac set up the way you want, you’re ready to begin to lock the dock. Run the following series of commands in the Terminal on each Mac (or, again, send it to all the Macs via Apple Remote Desktop).
      defaults write com.apple.Dock size-immutable -bool yes
      defaults write com.apple.Dock contents-immutable -bool yes
      killall Dock

      The first command disables changes to the size of the dock. The second command disables changes to the contents of the dock. The last command resets the dock again so that it adopts these new settings.
    • UPDATE: I was messing around in Terminal and figured out how to make users unable to change the Dock location. It’s rather obvious if you think about it…
      defaults write com.apple.Dock position-immutable -bool yes
      killall Dock
  • Disable access to System Preferences (which halfway accomplishes a few key things)
    • Disabling access to System Preferences accomplishes (and halfway accomplishes) several things. First, it completely prevents students from changing all settings on the computer. This includes account changes, security settings, Apple Remote Desktop settings, and screen saver settings. The only setting that I’ve found that this doesn’t completely disable is the desktop image (or wallpaper). Safari 3 allows users to right-click on an image and set it as the desktop image, which completely bypasses System Preferences.
      To disable access:
      sudo chmod 000 /Applications/System\ Preferences.app
      And if you need to re-enable access for yourself:
      sudo chmod 774 /Applications/System\ Preferences.app
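
To confirm that a Mac actually picked up the Dock locks and the System Preferences permission change, the checks can be scripted. This is an added example, not part of the original post: the function names and the sample `defaults read` output are constructed for illustration, and it assumes it runs as the logged-in lab user, because the Dock keys live in that user's preferences rather than root's.

```shell
#!/bin/sh
# Constructed sample of `defaults read com.apple.Dock` output, for offline runs.
SAMPLE_DOCK_PREFS='{
    autohide = 0;
    "contents-immutable" = 1;
    "size-immutable" = 1;
    tilesize = 48;
}'

# Keys the article sets with `defaults write com.apple.Dock <key> -bool yes`.
DOCK_KEYS="size-immutable contents-immutable position-immutable"

# dock_key_locked KEY PREFS_TEXT: succeeds only if KEY is present and true.
# `defaults read` prints a true boolean as:  "size-immutable" = 1;
dock_key_locked() {
    printf '%s\n' "$2" |
        grep -Eq "^[[:space:]]*\"?$1\"?[[:space:]]*=[[:space:]]*1;"
}

# path_mode_is_000 PATH: succeeds when no permission bits are set.
# Parses `ls -ld` to avoid the BSD/GNU `stat` option differences.
path_mode_is_000() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c2-10)" = "---------" ]
}

# audit_lockdown PREFS_TEXT APP_PATH: prints PASS/FAIL per check and
# returns the number of failed checks (0 means fully locked).
audit_lockdown() {
    fails=0
    for key in $DOCK_KEYS; do
        if dock_key_locked "$key" "$1"; then
            echo "PASS Dock $key"
        else
            echo "FAIL Dock $key is not set"; fails=$((fails + 1))
        fi
    done
    if path_mode_is_000 "$2"; then
        echo "PASS System Preferences is mode 000"
    else
        echo "FAIL System Preferences is not mode 000"; fails=$((fails + 1))
    fi
    return "$fails"
}

# On a lab Mac, audit the live settings of the logged-in user.
if command -v defaults >/dev/null 2>&1; then
    audit_lockdown "$(defaults read com.apple.Dock)" \
        "/Applications/System Preferences.app" || echo "$? check(s) failed"
fi
```

A missing key counts as a failure, so a Mac that never received the `position-immutable` update is reported as well as one where a setting was reverted.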

These probably aren’t the *best* ways to lock down a Mac OS X workstation, and it’s definitely a lot easier to have two accounts: one for students, and one for administrators. However, if you’re in the position where you have twenty plus Macs that students have already begun working on and don’t have the time to reconfigure each machine, these steps can help lock down some of the more major things. I’ll add to this article as I discover more…

Posted by John Mairs on Apr 15 2008 under School, Tech

7 Responses to “Locking Down Mac OS X”

  1. Adam Says:

    Great job John! Hope you don’t mind, but I’m going to link you off my site.


  2. Locking Down a Mac « Adam DiMella : Techblog v4.0 Says:

    [...] Locking Down Mac OS X [...]

  3. Kevin W Says:

    Um, you’d lock a lot of stuff out if you don’t let them use an admin account. Set up a Standard User account to auto-login, and set restrictions on it.
    A Standard account automatically can’t change things in the Applications folder without a password – an admin account can delete things from Applications without a password – for example. Further restrictions can be set from the System Prefs. If you’re lucky enough to be running 10.5 Leopard, it has enhanced parental controls that would be ideal in an environment like this.
    Definitely use Standard accounts, otherwise you’re creating work for yourself.

  4. Pete Says:

    If I send a command such as
    sudo chmod 777 /Applications/System\ Preferences.app
    to a number of Macs using ARD’s Send UNIX Command, how do I input the requested password to get it to complete the job? Any help would be appreciated.

  5. Caleb Says:

    I tried the System Preferences lock down that was posted on an iMac running 10.5 and it did not work; I was not able to get it to recognize the file. Plus it locks out everyone. I just opened the System Preferences and did the Get Info and shut off the privileges for specific users. It worked great.

  6. Alden Says:

    Something easy you can do is download the server tools (free from Apple), and then tell the workgroup manager to log into This will allow you to set a lot of permissions like you would on a server.

  7. Disable access to System Preferences - OS X Daily Says:

    [...] to lock down the machines in a small Mac lab, I came across an interesting piece of advice from John Mairs who was tasked with basically the same thing. He suggests disabling access to System Preferences [...]
