Managing and Hardening Snow Leopard: Policies for Use in Education (PowerPoint PPT Presentation)

SLIDE 1

SLIDE 2

XW11

Doug Brown Redlands College

Managing and Hardening Snow Leopard:

Policies for Use in Education

SLIDE 3

Overview

  • Standard Operating Environment
  • Configuration Settings
  • Restrictions
  • Deployment Issues
  • Adobe Suite
  • Logic and Final Cut Studio
SLIDE 4

Overview

  • This workshop will be interactive and hands-on
  • These slides should be used as reference materials
  • For each topic, we will examine the code and see how it is applied

SLIDE 5

SOE Configuration Settings

SLIDE 6

Minor Settings

  • Turn on SSHd
  • systemsetup -setremotelogin on
  • Change umask
  • echo "umask 077" >> /private/etc/launchd-user.conf
  • Enable Fast User Switching
  • defaults write /Library/Preferences/.GlobalPreferences MultipleSessionEnabled -bool 'YES'

SLIDE 7

Login Window Acceptable Use Policy

  • defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "This machine is the property of REDLANDS COLLEGE, provided for educational purposes. Students may be requested to demonstrate a school-related activity for which they are using ICT resources to complete. Illegal, immoral, unethical, nuisance harmful or activities which contravene the College ethos are strictly forbidden. Users must report any physical problems of ICT equipment to a teacher and/or the IT Department as soon as it is noticed. Care must be taken when using or carrying a laptop. Movement of the machine should be kept to a minimum. For ICT related enquires, please call Help Desk on x555."

SLIDE 8

Login Window Background

  • Create an organisational background picture
  • Make a package to install your image to /System/Library/CoreServices/DefaultDesktop.jpg
  • Be sure to check your image is the same pixel ratio as the original

SLIDE 9

Certificate Authority Distribution

  • security add-trusted-cert -d -k /Library/Keychains/System.keychain /path/to/CA.der
  • I have removed the "-p eap" flag between the '-d' and '-k /Lib…' flags because this way the certificate will be trusted for everything, rather than just EAP authentication
  • "-d trustAsRoot" is recommended after the '-d' flag, but it doesn't work for some reason

SLIDE 10

Apple Remote Desktop Settings

  • /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -restart -agent -console
  • /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -users administrator -access -on -privs -DeleteFiles -ControlObserve -TextMessages -OpenQuitApps -GenerateReports -RestartShutDown -SendFiles -ChangeSettings
  • /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -allowAccessFor -specifiedUsers

SLIDE 11

System Proxy Settings

  • Proxy must be set individually for each service, i.e. Ethernet, AirPort, etc.
  • Currently no API for proxy auto detect
  • However, a PAC file can be set using:
  • networksetup -setautoproxyurl servicename http://yourserver/your.pac

SLIDE 12

Custom LDAP Mappings

  • If your organisation doesnʼt use OD or AD, you will probably have difficulties programmatically setting custom LDAP mappings
  • This requires a bit of a hack, letʼs see it now...

SLIDE 13

Setting Usersʼ Locale

  • Use Appleʼs Login hook to execute:
  • su "$1" -c 'defaults write "Apple Global Domain" AppleLocale "en_AU"'

  • Letʼs see this in action...

SLIDE 14

Standard Dock Items

  • Use Appleʼs Login hook to execute:
  • cp /path/to/dock/default.plist /Users/$1/Library/Preferences/com.apple.dock.plist
  • killall -u $1 Dock
  • Letʼs see this in action...
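The two login-hook slides above (locale and standard Dock) fit naturally into one script. The following is an added example, not the deck's own hook: Apple runs a LoginHook as root with the short name of the user logging in as `$1`, so the locale is written via `su` as that user, and the Dock plist copied in by root is explicitly handed back to the user, because a plain `cp` by root leaves a root-owned file in the user's Library that the Dock cannot write back to. `/Library/Management/default-dock.plist` is a placeholder path.

```shell
#!/bin/sh
# Added example (not from the slides): a LoginHook that applies the locale and
# the standard Dock.  Runs as root; $1 is the short name of the user logging in.
set -eu

DOCK_TEMPLATE=/Library/Management/default-dock.plist   # placeholder path
LOCALE=en_AU

# Run a command as the login user rather than as root so per-user defaults
# land in that user's preference domain.
as_user() {
    user=$1; shift
    su "$user" -c "$*"
}

set_user_locale() {
    as_user "$1" "defaults write 'Apple Global Domain' AppleLocale '$LOCALE'"
}

# Install the standard Dock plist into the given home directory and restart the
# user's Dock.  Ownership and mode are fixed explicitly because the hook runs
# as root and cp would otherwise leave a root-owned file the user cannot write.
install_standard_dock() {
    user=$1; home=$2
    prefs="$home/Library/Preferences"
    mkdir -p "$prefs"
    cp "$DOCK_TEMPLATE" "$prefs/com.apple.dock.plist"
    chown "$user" "$prefs/com.apple.dock.plist"
    chmod 600 "$prefs/com.apple.dock.plist"
    # The Dock may not be running yet this early in login; that is not an error.
    killall -u "$user" Dock 2>/dev/null || true
}

login_hook() {
    set_user_locale "$1"
    install_standard_dock "$1" "/Users/$1"
}

if [ $# -gt 0 ]; then
    login_hook "$1"
fi
```

On 10.6 the hook is registered with `defaults write com.apple.loginwindow LoginHook /path/to/script`; keep the script root-owned and not group/world-writable, since anything in it runs as root at every login.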

SLIDE 15

Password Change Distribution

  • Some organisations have a static administrator account on all machines
  • How can you distribute a change of password for this account in a more practical way than using ARD?

  • Letʼs see that now...

SLIDE 16

Roaming Apple Update URL

  • I use this policy on startup and wake of client machines
  • If the machine cannot contact the internal update server then it changes the Apple Update URL back to Apple

  • Letʼs see this in action...
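As an added example of the roaming policy just described (not the deck's own script): on 10.6 an internal Software Update Server is selected by writing the `CatalogURL` key of `/Library/Preferences/com.apple.SoftwareUpdate`, and deleting that key sends the client back to Apple. The reachability probe uses `curl` with short timeouts so a wake-from-sleep run does not hang off-site; the server URL is a placeholder.

```shell
#!/bin/sh
# Added example (not from the slides): switch Software Update between the
# internal server and Apple depending on whether the catalog is reachable.
set -eu

INTERNAL_SUS="http://sus.example.internal:8088/index.sucatalog"   # placeholder
SU_PLIST=/Library/Preferences/com.apple.SoftwareUpdate

# Can the catalog be fetched right now?  Short timeouts keep startup/wake fast.
sus_reachable() {
    curl -sf --connect-timeout 5 --max-time 10 -o /dev/null "$1"
}

# Print the catalog URL to use: the internal one, or nothing (meaning Apple).
pick_catalog() {
    if sus_reachable "$1"; then printf '%s\n' "$1"; else printf '\n'; fi
}

apply_update_url() {
    catalog=$(pick_catalog "$INTERNAL_SUS")
    if [ -n "$catalog" ]; then
        defaults write "$SU_PLIST" CatalogURL "$catalog"
        logger -t roaming-sus "using internal update server"
    else
        # delete fails if the key is already absent; that is the desired state
        defaults delete "$SU_PLIST" CatalogURL 2>/dev/null || true
        logger -t roaming-sus "internal update server unreachable, using Apple"
    fi
}
```

Run `apply_update_url` from the startup and wake policy; the `logger` lines give a per-machine trace of which server each update run used.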

SLIDE 17

SOE Restrictions

SLIDE 18

noexec

  • noexec is from UNIX
  • It allows a file system to be mounted without the ability to execute binaries
  • The noexec policy mounts all foreign file systems noexec

  • Letʼs see the code...
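The deck does not reproduce the policy code, so here is an added example of one way to implement it (not the author's script). It parses 10.6 `mount` output of the form `/dev/disk1s1 on /Volumes/USBSTICK (msdos, local, nodev, nosuid, noowners)`, treats anything mounted under `/Volumes` as foreign, skips volumes already mounted noexec, and remounts the rest. That `mount -u -o noexec <mountpoint>` is accepted as an update remount for every foreign file system type is an assumption to verify on the target release.

```shell
#!/bin/sh
# Added example (not from the slides): remount every foreign volume noexec.
set -eu

# Mount point of one `mount` output line.
mount_point_of() {
    mp=${1#* on }                  # drop "device on "
    printf '%s\n' "${mp%% \(*}"    # drop " (options)"
}

# Comma-separated options of one `mount` output line, spaces removed.
mount_options_of() {
    opts=${1##*\(}
    printf '%s\n' "${opts%\)}" | tr -d ' '
}

# Returns 0 when the line describes a volume the policy should remount:
# anything under /Volumes (so not the boot volume or the system pseudo
# file systems) that is not already noexec.
is_foreign_mount() {
    case "$(mount_point_of "$1")" in
        /Volumes/*) ;;
        *) return 1 ;;
    esac
    case ",$(mount_options_of "$1")," in
        *,noexec,*) return 1 ;;
    esac
    return 0
}

# stdin: `mount` output; stdout: mount points that need remounting.
foreign_mounts() {
    while IFS= read -r line; do
        if is_foreign_mount "$line"; then
            mount_point_of "$line"
        fi
    done
}

apply_noexec_policy() {
    mount | foreign_mounts | while IFS= read -r mp; do
        # -u updates the existing mount rather than mounting a second copy
        mount -u -o noexec "$mp" && logger -t noexec-policy "remounted $mp noexec"
    done
}
```

Run `apply_noexec_policy` at startup and from whatever hook fires when a volume is mounted. Keep in mind what the control covers: noexec stops binaries on the volume from being executed directly, but it is one hardening layer rather than a complete control, so it belongs alongside the other SOE restrictions rather than in place of them.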

SLIDE 19

System Preference Pane Lock

  • Requires a password to unlock each System Preference pane
  • security authorizationdb write system.preferences < /path/to/plist

  • Letʼs see the plist file...
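The plist itself is not reproduced in the deck. As an added example (not the author's file): the `system.preferences` right as read back with `security authorizationdb read` has `shared` set to `<true/>`, which means one successful admin authentication unlocks every pane for the credential timeout; the per-pane prompt comes from flipping that key to `<false/>` and writing the right back. The script below assumes the two-line `<key>shared</key>` / `<true/>` layout that `authorizationdb read` emits, and passes every other key through untouched so the rest of the right (class, group, allow-root and so on) is preserved.

```shell
#!/bin/sh
# Added example (not from the slides): make the system.preferences right
# non-shared so every preference pane asks for an administrator password.
set -eu

RIGHT=system.preferences

# stdin: the right as a plist; stdout: the same plist with shared = false.
# Separate -e expressions are joined with newlines by both BSD and GNU sed.
require_password_per_pane() {
    sed -e '/<key>shared<\/key>/{' \
        -e 'n' \
        -e 's|<true/>|<false/>|' \
        -e '}'
}

# Read the current definition, harden it, write it back.  The original is kept
# beside it so the right can be restored with the same write command.
apply_prefs_lock() {
    tmp=$(mktemp /tmp/"$RIGHT".XXXXXX)
    security authorizationdb read "$RIGHT" > "$tmp.original"
    require_password_per_pane < "$tmp.original" > "$tmp"
    security authorizationdb write "$RIGHT" < "$tmp"
    rm -f "$tmp"
}
```

To roll back, `security authorizationdb write system.preferences < /tmp/system.preferences.XXXXXX.original` with the saved copy; a quick post-check is `security authorizationdb read system.preferences | grep -A1 shared`.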

SLIDE 20

Deployment Issues

SLIDE 21

Adobe Suite

  • Enterprise deployment difficulties
  • Size of package produced is huge
  • Installation process is very slow
  • Package duplicates built-in functionality of Apple packages with black-box binaries

SLIDE 22

Adobe Suite

  • Enterprise deployment difficulties
  • Repackaging is very difficult as capture tools are unable to handle software suites of this size and complexity

SLIDE 23

Adobe Suite

  • Enterprise deployment solution
  • logGen and pkgGen can capture and produce a fauxroot clone of installed components
  • Your favourite package making utility (like Iceberg) can then be used to produce the packages

SLIDE 24

Adobe Suite

  • Enterprise deployment solution
  • Repackaging Adobe Suite results in:
  • Significantly smaller packages
  • Packages which install over the network, on average in 30 seconds
  • Individual components can be associated and installed with machines as required

SLIDE 25

Logic and Final Cut

  • Each of the studio suites is 9 DVDs and approximately a 50GB install
  • Installation typically takes hours
  • Difficult to deploy in organisations with site licenses

SLIDE 26

Logic and Final Cut

  • Deployment options
  • Producing a DMG image of each DVD and installing it from a FireWire HDD, OR
  • Combining the packages from all the DVDs into the first diskʼs metapackage on a FireWire HDD

SLIDE 27

Logic and Final Cut

  • How to produce a single meta package
  1. Copy LogicStudio.mpkg from first DVD to FireWire HDD
  2. Copy all [meta]packages from install DVDs to LogicStudio.mpkg/Packages
  3. Modify meta packageʼs .dist file

SLIDE 28

Logic and Final Cut

  • Structure and modification of .dist file
  • <choice>
  • <pkg-ref>
  • Change all “x-disc://diskname/Installer/Packages/packagename.pkg” to “file:./Contents/Packages/packagename.pkg”

SLIDE 29

Logic and Final Cut

  • How to automate .dist file modification
  • sed -i .original -e 's|">x-disc:\/\/.*\/Installer\/Packages\/|">file:\.\/Contents\/Packages\/|' -e 's|">x-disc:\/\/.*\/Installer\/|">file:\.\/Contents\/Packages\/|' -e 's|">file:\.\.\/Packages\/|">file:\.\/Contents\/Packages\/|' LogicStudio.dist
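The sed one-liner on this slide is easiest to trust once you have watched it run on a sample. The following is an added example (not the deck's command) carrying the same three substitutions: the disk-name match is tightened from `.*` to `[^/]*` so a line with two URLs cannot be collapsed into one, the in-place rewrite keeps a `.original` copy without relying on the BSD-only `sed -i .suffix` form, and a final count of leftover `x-disc://` references flags packages that were never copied into Contents/Packages.

```shell
#!/bin/sh
# Added example (not from the slides): rewrite x-disc:// package references in
# a Logic Studio .dist to file:./Contents/Packages/ on either BSD or GNU sed.
set -eu

# stdin: .dist contents; stdout: rewritten contents.
rewrite_dist() {
    sed -e 's|">x-disc://[^/]*/Installer/Packages/|">file:./Contents/Packages/|g' \
        -e 's|">x-disc://[^/]*/Installer/|">file:./Contents/Packages/|g' \
        -e 's|">file:\.\./Packages/|">file:./Contents/Packages/|g'
}

# Rewrite a .dist in place, keeping <file>.original beside it.
rewrite_dist_in_place() {
    dist=$1
    cp "$dist" "$dist.original"
    rewrite_dist < "$dist.original" > "$dist"
}

# Number of x-disc:// references still present; anything above zero means a
# package path the patterns did not recognise and the install will fail on it.
remaining_disc_refs() {
    grep -c 'x-disc://' "$1" || true
}
```

Run `rewrite_dist_in_place LogicStudio.mpkg/Contents/LogicStudio.dist` (the exact path of the .dist inside the metapackage is an assumption here) and then check `remaining_disc_refs` on the result before testing the install from the FireWire disk.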

SLIDE 30

Questions?