to be admin user or not to be, that is a question.

  • #380710
    catfeetstop
    Participant

    I’m new to enterprise Mac administration and I’m trying to figure out the best way to handle admin rights on our client Macs. I’ve looked around already and I know a lot of these questions have been answered elsewhere but I’m still having a hard time understanding the topic. If you have references to those other answers I’d love to see them. I still have some questions that I was looking for your input on and would love to hear your experiences. We’d like to create the best user experience possible and we don’t think our users will be happy if every time they want to install/update software or use the Mac AppStore they have to wait for a Sysadmin’s interaction.

    Currently in our setup, our users login to their Macs as “standard” users using their AD credentials. We have our AD schema extended to allow MCX management through Workgroup Manager. Our Sysadmins administer the client computers because of the “Allow administration by…” option of the AD plugin. We have a growing number of Macs in our business and my questions are:

    1. How do you guys handle admin accounts for client computers?

    2. Do you allow all users to be admins on the computer so they can install/update software?

    3. If they’re “standard” users, do you just push the software/updates to them individually through Apple Remote Desktop (or something similar) when requested?

    4. Do you physically go to their computer and type in your Sysadmin credentials to install/update software when requested?

    5. Do you allow admin access and use some sort of application whitelisting/blacklisting system to allow/disallow certain apps?

    6. Do you use the ~/Applications folder?

    7. Should each client computer have a local admin account in which we give each user the credentials to so they can install/update software? If so, can we disable login for this admin account?

    8. Is there a way to have a limited admin user that can only administer certain features? (i.e. install/update software only)

    9. Does Munki help with this dilemma and if so, how? (I’m not totally sure how Munki works or what it’s for)

    10. Do you know if any of this will change when Lion comes along? If so, in what way are things changing?

    I think those are all the questions I can come up with. I hope all this makes sense, I know the questions are a little repetitive. Thanks in advance for all your help, I couldn’t do any of this without you guys!

    #380711
    Greg Neagle
    Participant

    [QUOTE][u]Quote by: catfeetstop[/u][p]I’m new to enterprise Mac administration and I’m trying to figure out the best way to handle admin rights on our client Macs. I’ve looked around already and I know a lot of these questions have been answered elsewhere but I’m still having a hard time understanding the topic. If you have references to those other answers I’d love to see them. I still have some questions that I was looking for your input on and would love to hear your experiences. We’d like to create the best user experience possible and we don’t think our users will be happy if every time they want to install/update software or use the Mac AppStore they have to wait for a Sysadmin’s interaction.

    Currently in our setup, our users login to their Macs as “standard” users using their AD credentials. We have our AD schema extended to allow MCX management through Workgroup Manager. Our Sysadmins administer the client computers because of the “Allow administration by…” option of the AD plugin. We have a growing number of Macs in our business and my questions are:

    1. How do you guys handle admin accounts for client computers?[/QUOTE]

    We give admin rights to regular users only if absolutely needed.

    [quote]2. Do you allow all users to be admins on the computer so they can install/update software?[/quote]

    No.

    [quote]3. If they’re “standard” users, do you just push the software/updates to them individually through Apple Remote Desktop (or something similar) when requested?[/quote]

    Yes. We use munki for this.

    [quote]4. Do you physically go to their computer and type in your Sysadmin credentials to install/update software when requested?[/quote]

    No.

    [quote]5. Do you allow admin access and use some sort of application whitelisting/blacklisting system to allow/disallow certain apps?[/quote]

    There are two unrelated concepts in that question. We don’t use application whitelisting/blacklisting. Ineffective with admins, if that’s what you’re asking.

    [quote]6. Do you use the ~/Applications folder?[/quote]

    No. Users might.

    [quote]7. Should each client computer have a local admin account in which we give each user the credentials to so they can install/update software? If so, can we disable login for this admin account?[/quote]

    Both are possible approaches.

    [quote]8. Is there a way to have a limited admin user that can only administer certain features? (i.e. install/update software only)[/quote]

    Not trivially.

    [quote]9. Does Munki help with this dilemma and if so, how? (I’m not totally sure how Munki works or what it’s for)[/quote]

    If your ‘dilemma’ is only about installing software, then yes, munki can help. munki installs software.

    [quote]10. Do you know if any of this will change when Lion comes along? If so, in what way are things changing?[/quote]

    NDA. But it’s safe to say that concepts of “standard” and “admin” users will still exist in Lion.

    [quote]I think those are all the questions I can come up with. I hope all this makes sense, I know the questions are a little repetitive. Thanks in advance for all your help, I couldn’t do any of this without you guys![/quote]

    #380788
    tlarkin
    Participant

    [QUOTE][u]Quote by: catfeetstop[/u][p]I’m new to enterprise Mac administration and I’m trying to figure out the best way to handle admin rights on our client Macs. I’ve looked around already and I know a lot of these questions have been answered elsewhere but I’m still having a hard time understanding the topic. If you have references to those other answers I’d love to see them. I still have some questions that I was looking for your input on and would love to hear your experiences. We’d like to create the best user experience possible and we don’t think our users will be happy if every time they want to install/update software or use the Mac AppStore they have to wait for a Sysadmin’s interaction.

    Currently in our setup, our users login to their Macs as “standard” users using their AD credentials. We have our AD schema extended to allow MCX management through Workgroup Manager. Our Sysadmins administer the client computers because of the “Allow administration by…” option of the AD plugin. We have a growing number of Macs in our business and my questions are:

    1. How do you guys handle admin accounts for client computers?[/quote]

    I work in academia, so we have departments. Students are never given admin rights at all. Optional software is done via Self Service installs the students can trigger themselves (part of Casper Suite). Other departments and staff are granted admin rights, but we just roll out a local admin account for them to use. They still log into their own network account which is managed (very lightly) and when they need to use admin credentials to install their own software or whatever, they just use the local admin account they are given. Which is a separate account from all other local accounts so I can zap it or mass password change it if it gets leaked or abused.

    [quote]2. Do you allow all users to be admins on the computer so they can install/update software?[/quote]

    No, this is done via self service and Casper under the hood. I have 6 SUS servers set up, one parent and six children, and the parent cascades down to the children. The client just opens up self service and clicks install and the Casper framework does all the installs in the background. There are other tools, like Munki, Radmind and Puppet which can accomplish this as well, but it may be different in application.

    [quote]3. If they’re “standard” users, do you just push the software/updates to them individually through Apple Remote Desktop (or something similar) when requested?[/quote]

    There are many ways to do this. You can do it via ARD task server, or scripts, third party – Munki, Absolute, Casper, Puppet, Radmind, etc. Some are free, some cost money.

    [quote]4. Do you physically go to their computer and type in your Sysadmin credentials to install/update software when requested?[/quote]

    I got about 8,000 Macs in my work place, so no way! We use tools to deploy updates remotely, previously mentioned in my other answers.

    [quote]5. Do you allow admin access and use some sort of application whitelisting/blacklisting system to allow/disallow certain apps?[/quote]

    I use MCX to block applications running by file path. The con is that you gotta approve every path that may have an app in it, including things like /Library/Application Support and so forth. Then any app I don’t want that group to use I toss in /Applications/Utilities. The pro is you don’t have to maintain a list, different groups can get different MCX settings, and it doesn’t allow users to run apps off their USB flash drive or whatnot.

    [quote]6. Do you use the ~/Applications folder?[/quote]

    Nope, but I think the app store will install personal apps there.

    [quote]7. Should each client computer have a local admin account in which we give each user the credentials to so they can install/update software? If so, can we disable login for this admin account?[/quote]

    Depends on what your users’ needs are. Do they need to run admin? It is a security risk when users have admin rights. Yes, you can delete and disable and change passwords of accounts remotely, via ARD admin if you had to.

    [quote]8. Is there a way to have a limited admin user that can only administer certain features? (i.e. install/update software only)[/quote]

    Yes, this is possible via MCX. John DeTroy from Apple wrote a white paper on MCX that I think touched on this. The problem is, if they are admin and you give them access to the terminal they can easily undo lots of stuff. I think it is way more work than it is worth, so I wouldn’t recommend it.

    [quote]9. Does Munki help with this dilemma and if so, how? (I’m not totally sure how Munki works or what it’s for)[/quote]

    Munki is a tool to deploy software. It can help with lots of things you want to accomplish.

    [quote]10. Do you know if any of this will change when Lion comes along? If so, in what way are things changing?[/quote]

    NDA states that this cannot be discussed. However, there are a few users over at reddit that have purposely broken NDA and described 10.7. You can search that site to see what they are saying about it. I don’t advise breaking NDA but if you really want to know there are people that are willingly and blatantly breaking it.
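Added example, not part of the thread and not Apple's or any poster's code: a small Python model of the folder-based launch restriction described in the answer to question 5 above, useful for checking a planned folder list against expected launch paths before deploying it. The folder lists, the sample paths and the deny-over-allow precedence are assumptions of this sketch.

```python
import posixpath

# Constructed policy modelled on the post: launches are approved per folder,
# and apps a group must not run are moved into /Applications/Utilities.
ALLOWED_DIRS = ["/Applications", "/Library/Application Support"]
DENIED_DIRS = ["/Applications/Utilities"]


def _inside(path, folder):
    """True if path is the folder itself or lies beneath it, matched per component."""
    folder = folder.rstrip("/")
    return path == folder or path.startswith(folder + "/")


def launch_allowed(app_path, allowed=ALLOWED_DIRS, denied=DENIED_DIRS):
    """Decide whether an executable at app_path may launch.

    Assumptions of this model: a denied folder beats an allowed folder, and
    anything outside every allowed folder is refused (default deny).
    """
    if not app_path.startswith("/"):
        return False  # relative paths cannot be matched reliably
    # Resolve "." and ".." lexically; symlinks are not followed in this model.
    path = posixpath.normpath(app_path)
    if any(_inside(path, d) for d in denied):
        return False
    return any(_inside(path, a) for a in allowed)


def audit(paths, **policy):
    """Return {path: "allow" | "deny"} for a batch of launch paths."""
    return {p: ("allow" if launch_allowed(p, **policy) else "deny") for p in paths}


# Constructed sample launch paths, not taken from the thread.
SAMPLES = [
    "/Applications/Safari.app/Contents/MacOS/Safari",
    "/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
    "/Volumes/USBSTICK/Game.app/Contents/MacOS/Game",
    "/Users/jdoe/Applications/Tool.app/Contents/MacOS/Tool",
    "/Applications/../Volumes/USBSTICK/Game.app/Contents/MacOS/Game",
    "/ApplicationsExtra/Tool.app/Contents/MacOS/Tool",
    "/Library/Application Support/Vendor/Helper.app/Contents/MacOS/Helper",
]

if __name__ == "__main__":
    for path, verdict in audit(SAMPLES).items():
        print(f"{verdict:5}  {path}")
```

The `~/Applications` sample is denied until that folder is added to the allowed list, which is the maintenance cost the post mentions: every folder that may hold an app has to be approved explicitly.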

    #380789
    catfeetstop
    Participant

    This is so incredibly helpful. Thank you so much for your input!

    [QUOTE][u]Quote by: tlarkin[/u][p][QUOTE][u]Quote by: catfeetstop[/u][p]I’m new to enterprise Mac administration and I’m trying to figure out the best way to handle admin rights on our client Macs. I’ve looked around already and I know a lot of these questions have been answered elsewhere but I’m still having a hard time understanding the topic. If you have references to those other answers I’d love to see them. I still have some questions that I was looking for your input on and would love to hear your experiences. We’d like to create the best user experience possible and we don’t think our users will be happy if every time they want to install/update software or use the Mac AppStore they have to wait for a Sysadmin’s interaction.

    Currently in our setup, our users login to their Macs as “standard” users using their AD credentials. We have our AD schema extended to allow MCX management through Workgroup Manager. Our Sysadmins administer the client computers because of the “Allow administration by…” option of the AD plugin. We have a growing number of Macs in our business and my questions are:

    1. How do you guys handle admin accounts for client computers?[/quote]

    I work in academia, so we have departments. Students are never given admin rights at all. Optional software is done via Self Service installs the students can trigger themselves (part of Casper Suite). Other departments and staff are granted admin rights, but we just roll out a local admin account for them to use. They still log into their own network account which is managed (very lightly) and when they need to use admin credentials to install their own software or whatever, they just use the local admin account they are given. Which is a separate account from all other local accounts so I can zap it or mass password change it if it gets leaked or abused.

    [/p][/QUOTE]

    #380790
    catfeetstop
    Participant

    Thanks for your input, this helps.

    [QUOTE][u]Quote by: gneagle[/u][p][QUOTE][u]Quote by: catfeetstop[/u][p]I’m new to enterprise Mac administration and I’m trying to figure out the best way to handle admin rights on our client Macs. I’ve looked around already and I know a lot of these questions have been answered elsewhere but I’m still having a hard time understanding the topic. If you have references to those other answers I’d love to see them. I still have some questions that I was looking for your input on and would love to hear your experiences. We’d like to create the best user experience possible and we don’t think our users will be happy if every time they want to install/update software or use the Mac AppStore they have to wait for a Sysadmin’s interaction.

    Currently in our setup, our users login to their Macs as “standard” users using their AD credentials. We have our AD schema extended to allow MCX management through Workgroup Manager. Our Sysadmins administer the client computers because of the “Allow administration by…” option of the AD plugin. We have a growing number of Macs in our business and my questions are:

    1. How do you guys handle admin accounts for client computers?[/QUOTE]

    We give admin rights to regular users only if absolutely needed.

    [/p][/QUOTE]
