Monday, April 20, 2015

Does Anyone Use OS X Guest User?

Our company has a few shared spaces...conference rooms...in which some Mac Minis are set up for general purpose use. You know, Vidyo video conferencing, presentations, web demos...nothing too demanding.

We've had to balance the needs of our users with our need for management and security; ease of use for our users, while mitigating potential problems that come from a shared system.

Let's try AD!

At first we had the Macs allowing people to log in via Active Directory. They had their own logins under which they could save files.

The problem was they would log in and forget to log out, leaving not just (potentially sensitive) files available but often access to their online accounts like Google. They also had the default Dock configuration, so sometimes users would try reinstalling applications that already existed on the Mac (like Chrome).

Another issue we frequently ran into involved Keychain, the built-in OS X password management system. Users would change their password from a Windows workstation, and the next time they used the shared Mac they would often fail to update the Keychain password, leading to a constant stream of Keychain access prompts. Confused users would quickly go from annoyed to extremely frustrated, especially when trying to give a presentation or in the middle of video conferences.

The bit rot of accumulating local login accounts, each new login eating away at storage space, was a relatively minor inconvenience compared to the Keychain password mismatches, from the usability point of view.

Let's try Guest!

The next obvious solution is to try Guest. A feature built into OS X, Guest allows users to log in without a password for a temporary session; upon logging off, all the files are deleted. Coupled with the "inactivity logout" setting found by clicking the "Advanced..." button in the Security & Privacy pane, this seemed like the ideal setup!

But alas, it wasn't.

Three big issues for the end users could have been solved with what should have been some simple tweaks to default settings. When using a system that allows temporary "guest" accounts, most Unix systems use a skeleton or template directory from which to copy files. OS X has one too (the User Template under /System/Library/User Template/), but changes made there didn't seem to take effect for Guest.

First, our users wanted to use Chrome as their default browser; with each login Safari was reinitialized as the default. Second, the users wanted the Chrome icon available in the Dock as a default application to choose from; the idea of opening Applications or Spotlight first confused the hell out of them. And third, every time the users wanted to use Office, it would make them go through the "first run" wizard. That was not confusing, but it was understandably annoying.

But the biggest issue was one we never could figure out why it was happening. Keychain. Again.

If the system was left on and had a few login/logoffs of Guest, suddenly Keychain would complain about needing a password. Guest works, in part, by generating a random password and transparently using it where needed for the Guest login session. These temporary keychains should have disappeared when Guest logged off since the Library files, along with the rest of the home directory, were deleted when Guest logged off.

A quick sanity check from a local administrator account via SSH showed that yes, that Guest folder was actually gone when the user logged off.

But Keychain acted like the old file was still held open or cached. File's gone. Keychain's not running. lsof didn't show any process holding a file under the Guest home directory open. Yet the only thing that cleared the errors was a complete system reboot.

A minor irritation was the number of times I'd check on the Mac only to find the Guest login still logged in after several hours, prompting a nonexistent person in the room if they were really sure they wanted to delete all the files and log off. Are you sure? Are you really sure?

Great...users would still constantly forget to log out, but instead of logging out when the inactivity timer fired, as I had configured it to, the Mac would get hung up on the logoff confirmation prompt. The only thing it really did right was that when it was forced to log off, it deleted all the Guest home directory files, so the user's private files and potential data leaks were removed.

Guest, in theory, is a way to create a kind of temporary session for your Mac. I thought there had to be a way to customize some of the configuration (through altering some preference files in a template directory) for little things like the default browser and Dock icons, but some research on the Interwebz told me that there may have been a way to do that with older versions of OS X, but it was rendered obsolete in newer versions.

I contacted our account rep at Apple and asked to get in touch with an engineer, which they arranged. I sent them a description of what was happening and what we were trying to do with regard to registering Office in the temporary session, customizing the default web browser selection and adding an icon to the Dock, and, most perplexing, the Keychain errors. I was hoping that an Apple engineer would know more about how to alter these settings (and get whatever was holding that keychain open to release it...), or set me straight if I were missing a particular way to manage the Mac clients that could control the interface.

The response:

The guest account doesn’t quite fit your requirements. You could create your own guest account and then manipulate the prefs files for default browser, office licensing file, etc.

Other than that there are products like Deep Freeze or FileWave to manage lab or kiosk type machines.

For the keychain issue try this on a test machine first

Delete the "User Template/English.lproj/Library/Keychains/" folder.

Guest must be suitable only for a very narrow set of use cases. I verified there wasn't a Keychains folder in that template directory, either.

It seems Guest is really kind of a worthless feature in most cases, as far as I can tell.

Last try...Deep Freeze

That brings me to the final round. We purchased several Deep Freeze licenses and created a new user named Login. I configured Login to have no password and tweaked the default home to have minimal dock icons, add the icons that were useful, told the Chrome browser it should be the default, and registered Office with generic user settings.
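Pre-seeding the "Login" user's Dock is the kind of tweak Guest wouldn't let me make, so here is the way I'd script it for a template account. This is an added example and not code from the original post or from Deep Freeze: it builds a com.apple.dock.plist with Python's standard plistlib using the Dock's well-known layout (persistent-apps, tile-data, file-data, _CFURLString with type 15). The bundle paths in KIOSK_APPS are constructed sample input and are assumed to exist on the target Mac; contents-immutable is the Dock key that stops users rearranging or removing icons.

```python
"""Build a locked-down com.apple.dock.plist for a kiosk/template account.

Added example (not from the original post). Assumes the standard Dock
preference layout and that the .app bundles listed below exist on the
target Mac.
"""
import plistlib
import urllib.parse

# Constructed sample input: the bundles a conference-room Mac actually needs.
KIOSK_APPS = [
    "/Applications/Google Chrome.app",
    "/Applications/Microsoft PowerPoint.app",
    "/Applications/Vidyo/VidyoDesktop.app",
]


def app_tile(bundle_path: str) -> dict:
    """Return one persistent-apps entry in the form the Dock itself writes."""
    if not bundle_path.endswith(".app"):
        # Only allow real application bundles in a kiosk Dock.
        raise ValueError("not an application bundle: %s" % bundle_path)
    # The Dock stores bundles as percent-encoded file URLs with a trailing slash.
    url = "file://" + urllib.parse.quote(bundle_path.rstrip("/")) + "/"
    return {
        "tile-data": {
            "file-data": {"_CFURLString": url, "_CFURLStringType": 15},
        },
        "tile-type": "file-tile",
    }


def build_dock_plist(bundle_paths, lock_contents: bool = True) -> bytes:
    """Serialize a Dock preference file containing only the given apps."""
    prefs = {
        "persistent-apps": [app_tile(p) for p in bundle_paths],
        "persistent-others": [],  # no folders or recent-items stacks
    }
    if lock_contents:
        # Users cannot add, remove or reorder Dock items when this is set.
        prefs["contents-immutable"] = True
    return plistlib.dumps(prefs, fmt=plistlib.FMT_XML)


def dock_bundle_paths(plist_bytes: bytes) -> list:
    """Read the bundle paths back out of a Dock plist (verification step)."""
    prefs = plistlib.loads(plist_bytes)
    paths = []
    for tile in prefs.get("persistent-apps", []):
        url = tile["tile-data"]["file-data"]["_CFURLString"]
        path = urllib.parse.urlparse(url).path
        paths.append(urllib.parse.unquote(path).rstrip("/"))
    return paths


def dock_is_locked(plist_bytes: bytes) -> bool:
    """True if the plist forbids users from changing the Dock contents."""
    return plistlib.loads(plist_bytes).get("contents-immutable", False) is True


if __name__ == "__main__":
    data = build_dock_plist(KIOSK_APPS)
    with open("com.apple.dock.plist", "wb") as fh:
        fh.write(data)
    print("wrote Dock with:", dock_bundle_paths(data))
```

Copy the result into the template account's ~/Library/Preferences/com.apple.dock.plist while that account is logged out (cfprefsd caches preferences for a live session and will overwrite a file edited underneath it), log in once to confirm the Dock looks right, then freeze.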

The login is local, so there's no worry about a password change causing Keychain to get out of sync and start spitting errors.

I had limited exposure to Deep Freeze on the Windows platform before, and no exposure to the Mac version of the application. Basically the application redirects filesystem writes to a temporary location that is wiped at restart. Unlike Guest, which only deleted files from the Guest home directory, Deep Freeze clears changes made anywhere on the system. One of my favorite cathartic activities when I ran Deep Freeze on Windows was to delete the Windows subdirectory, or delete other system subfolders until Windows started throwing errors before crashing. Upon reboot, all went back to the previous configuration, system files and all.

Note you should only do that in a "frozen" state. If the machine were thawed and the files were deleted, you were kind of boned.

Monitoring the Freeze status is done through an extended report in Apple Remote Desktop, unlike the Windows version, which connected to a separate management console.

The user I named "Login" had no password, making it easy to use for our users.

Deep Freeze has a setting that causes the system to reboot when you log out, causing the system to reset. So far I haven't run into a system waiting at a logoff prompt as I did for Guest, so reboots with Deep Freeze seem to be working (and resetting) fine.

Office was registered before being frozen for the Login user, so users no longer get that prompt.

And of course the Dock has the icons for the most used applications, along with Chrome set to the default web browser.

My only complaint so far with Deep Freeze has been its inability to get along with Apple's Core Storage volume driver or Fusion Drive. We didn't have Fusion Drive-equipped systems...but I thought I'd throw that in there.

I think Core Storage, Apple's logical volume manager layer that sits between the disk and the file system and provides features like FileVault and Fusion Drive, doesn't get along with Deep Freeze because I suspect Deep Freeze inserts itself at a similar driver level.

I was able to install Deep Freeze on most of our existing systems because I think we accidentally broke the default Core Storage-enabled volumes when we upgraded the hard drives in the Mac Minis. If you didn't upgrade them and Core Storage is enabled, the fix is basically going to involve a reinstall of the operating system. That...is annoying. Especially after spending time tweaking all the settings and getting everything set up, only to get to the Deep Freeze install stage and have it spit an error back at you.

In summary...

Does anyone actually use Guest on their Mac? If you do, what is it used for? It seems unsuitable for use as a kiosk. It can't be tweaked with regard to preferences or icons in the dock. I contacted an Apple engineer hoping I was stupidly overlooking something simple, only to be told that I was asking too much of the Guest capabilities (was I really asking all that much?)

In my opinion, with Guest being so limited, Apple should just eliminate it. Especially with that lingering Keychain bug...

1 comment:

  1. Wonderful post. Great photos. I miss NYC soo much. Thanks and have a lovely day.
    Keychain online with Photo