Authors: Adam Gray cism

səhifə	3/11
tarix	25.06.2016
ölçüsü	279 Kb.

1 2 3 4 5 6 7 8 9 10 11

Groups

Groups were available in Tiger and below but have only been added to the Accounts System Preference pane in Leopard. Groups can be used to secure access to files and folders on the system.
To create a group:

Open the System Preferences application.
Click on the Accounts icon to open the Account System Preference Pane.
If locked, click on the padlock to allow changes and authenticate.
Click on the plus sign to create a new account.
From the New Account: drop-down list select Group.
Enter a name for the group in the Name field.
Click the Create Group button.

Once you have created a group you will need to add users to the group. To do so:

Open the System Preferences application.
Click on the Accounts icon to open the Account System Preference Pane.
If locked, click on the padlock to allow changes and authenticate.
Click on the group you would like to add members to and check the box for each member in the Membership: field.

Securing Non-administrator Accounts

Non-administrator accounts have several options. The default user account has very few options for additional lockdown. It has rights to control printers, burn CDs/DVDs, change passwords, open the system preferences, and run any application on the system. You cannot use the Parental Controls feature of Mac OS X with an administrative account.
Each Managed with Parental Controls account has additional selections depending on the need. The ability to control e-mail, system options, chat, browse the web, and view dictionary items are all available for the Managed with Parental Controls account. These items can be controlled via the Parental Controls System Preference pane. When parental controls are enabled the user is changed from a Standard User to a Managed with Parental Controls account.
In Mac OS X 10.5 you can now manage parental controls from a remote system (that is also running Leopard). To enable Parental Controls to be managed from a separate system:

Open the System Preferences application.
Click on the Parental Controls icon to open the Parental Controls System Preference Pane.
Check the box for Manage Parental Controls from another computer.

To manage Parental controls for an account:

Open the System Preferences application.
Click on the Parental Controls icon to open the Parental Controls System Preference Pane.
Click on the user who you would like to setup parental controls for.
Click on Enable Parental Controls.
Set the Parental Controls for the account in question (see list below).

Parental Controls include the following:

System

The System tabs allow you to customize several items that control access to local resources. The Simple Finder restricts changes to the dock and only allows applications to be run that are part of the applications folder. Simple Finder also restricts users from using shortcut keys such as Command-C to copy files. Simple Finder also puts a user into a sandboxed environment graphically. The Simple Finder selection is important to use if users are not trusted or require very strict operating environments.

For users who should not have full system access enable the SimpleFinder.

The Allow only selected applications: section allows you to restrict the applications that a user has access to. When you check the box for restricting Applications you will then need to check the box for each Application and Widget that a user will have access to.

Allow Managed users to only have access to applications that are required.

The bottom of the System tab allows for more granular control over other components of the system. This can give you a full Finder menu while still allowing for control over items that include CD/DVD-burner capabilities, change password, administration of printers and whether a user is able to modify the dock.

Disable features users should not have access to.

Content

The Dictionary control blocks access to certain types of words within the dictionary. This is mostly related to items containing profanity and drug related information. This can be done by simply clicking the check-box for the Hide profanity in Dictionary but does not allow for more granular controls at this time.

Consider using the dictionary to limit access to inappropriate material.

The Website Restrictions control allows administrators to control access to web sites that a managed user can access through Safari. The Website Restrictions feature does not pertain to Firefox or other third party web browsers. There are three settings for Website Restrictions. The Allow unrestricted access to websites setting places no restrictions on the user. The Try to limit access to adult websites automatically setting allows the system to automatically block certain sites and allows the administrative user to customize sites that are always and never blocked. Finally, the Allow access to only these websites feature allows you to allow only certain sites to be accessible.

Block inappropriate sites for managed user accounts.

Mail & iChat

The mail security tab allows for configuration of e-mail permissions. This allows the administrator to review the inbound and outbound permissions on email. The iChat controls are very similar to the mail control. This allows an administrator to control who a managed non-Administrator account can chat with. Mail settings are only applied to Mail.app and iChat settings are only applied to iChat. Neither can be used to control 3^rd party applications such as Entourage or AIM.
Communications are restricted for both iChat and Mail.app if each setting is enabled. The easiest way to allow access is to add users to your Address Book using the Address Book application and then select the users that can be communicated with within the Parental Controls Preference pane based on Address Book entries.

Set the permissions on email and iChataccess. Add all users who a managed user should be able to communicate with.

You can also use the Send permission requests to: feature to enable the managed user the ability to email you with requests to add new users that can be communicated with.

To reiterate, the –mcximport extension of the dscl command can be used to import mcx settings at the group level. See the help section for the –mcx* extensions of dscl for more information on how to set these up.

1 2 3 4 5 6 7 8 9 10 11