Home Forums Software InstaDMG key value for creating a managed user

    #381331
    Kim Young
    Participant

    I have just got CreateUser pkg to work but now I would like to create a managed user. Anyone know the key value to do this? Thanks.

    #381333
    Allister Banks
    Participant

    You mean with parental controls applied? That may escape even dscl and go into direct user record (plist) manipulation. Do you have access to a directory service? Can you enforce things computer-wide, so it doesn’t matter what (standard) user is created? There’s a great book about it you can find here:
    [url]http://managingosx.wordpress.com/2010/08/08/enterprise-mac-managed-preferences/[/url]
    Sorry if I’m not directly answering your question. If you could describe what you want the end result to be when it comes to user experience, that would be great.

    Allister

    #381348
    Kim Young
    Participant

    At this point in my education I am looking to make only one change at a time. Any more than that will just confuse me. I got a standard user created with the create user pkg. Now I hope to create a managed user. I do not care about any other customizations at this time. If “0” gives me a standard user and “1” gives me an admin user, what value gives me a managed user?

    #381349
    Allister Banks
    Participant

    Sorry, that script does not generate any other type of user. Please explain what you mean by managed user and what you need to achieve with that. Thanks,

    Allister

    #381356
    Greg Neagle
    Participant

    [QUOTE][u]Quote by: Kim+Young[/u][p]At this point in my education I am looking to make only one change at a time. Any more than that will just confuse me. I got a standard user created with the create user pkg. Now I hope to create a managed user. I do not care about any other customizations at this time. If “0” gives me a standard user and “1” gives me an admin user, what value gives me a managed user?[/p][/QUOTE]

    No one value gives you a managed user. In order for a user to appear as “managed”, it must have one or more MCX policies applied. In other words, you must manage something about the user. It’s not just a binary on/off switch.

    #381357
    dmueller
    Participant

    I had just recently set up something similar to this for some kiosk systems we use.
    You can make an installer with a little design effort and you can use dscl to export out the managed setting you want to use (Example from 10.6.8, may differ some with Lion).

    Create the user (testuser in this case) and enable parental controls
    Open parental controls and make any desired modifications.
    Open Terminal, cd to the location you want to export your parental control settings to, and:
    [code]sudo dscl . -mcxexport /Users/testuser -o parental_controls.plist[/code]
    You can now use it as part of an installer/script to create and set the user as managed. An example script I used for an installer:
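    [code]#!/bin/bash
    # Creating accounts in the local directory requires root.
    if [[ $UID -ne 0 ]]; then echo "Please run $0 as root." && exit 1; fi

    # Create the local account record and its basic attributes.
    dscl . -create /Users/kiosk
    dscl . -create /Users/kiosk UserShell /bin/bash
    dscl . -create /Users/kiosk RealName "Kiosk"
    dscl . -create /Users/kiosk UniqueID "1010"
    dscl . -create /Users/kiosk PrimaryGroupID 20
    dscl . -create /Users/kiosk NFSHomeDirectory /Users/kiosk
    # Set the account password (here the same as the short name).
    dscl . -passwd /Users/kiosk kiosk
    # Import the exported parental-control (MCX) settings into the new record;
    # -mcximport takes the record path followed by the plist file.
    dscl . -mcximport /Users/kiosk /tmp/parental_controls.plist
    # Securely delete the plist that the installer dropped in /tmp.
    srm /tmp/parental_controls.plist
    # Enable automatic login for the kiosk account.
    defaults write /Library/Preferences/com.apple.loginwindow "autoLoginUser" 'kiosk'[/code]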
    In the above example, I had the kcpassword file used by autologin (dropped into /private/etc) and the parental_controls.plist dropped by the installer. Just substitute your user and password. The kcpassword file would be captured from you creating this previously with the desired account info.

    It took a little sifting through Google, but with the information I found, I was able to get this to work well (for a local account).

    As mentioned, this will essentially be a local MCX policy for the Managed User.

    Best of luck.

    #381360
    Anthony Reimer
    Participant

    As stated previously in this thread, you have to manage something in order for the account to become managed. I use Local MCX settings, established using the Workgroup Manager app (from the Server Admin Tools). Search this forum for “Local MCX” or poke around the Internet for Greg Neagle’s essential work on this topic. (The second post in this thread by Allister gives a link to what appears to be the culmination of that work.)

    In short, take a test machine, run Workgroup Manager but connect to the local machine (localhost) as the Server. Select the account you want to manage, click on the Preferences tab and you will see all sorts of things you can lock down. (Note that if you use this method, you don’t usually use Parental Controls settings unless you want time-based restrictions.) Once you have the restrictions working the way you want, capture the following file and put it in a package:
    [code]/private/var/db/dslocal/nodes/Default/users/USERNAME.plist[/code]
    where USERNAME is the short name of the managed user. (Greg’s instructions vary from these, as he uses a more robust solution that sets up a group of restricted users; mine only works for a single, predictable user.)

    In my workflow, we generally need to tweak a couple of small things manually in the restricted account after deployment, so we make those tweaks, log out (but stay booted) and install the MCX package using ARD.

    Hope that helps.
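
Greg Neagle's point earlier in the thread (an account only shows as managed once some MCX policy is attached) can be checked against the USERNAME.plist file named in the post above. This is an added example, not code from any poster; it assumes the dslocal record stores policy under an `mcx_settings` key as embedded plists containing an `mcx_application_data` dictionary, and the sample records are constructed.

```python
import plistlib

def mcx_domains(record_bytes):
    """Map each managed preference domain in a user record to its MCX levels."""
    record = plistlib.loads(record_bytes)  # accepts XML and binary plists
    domains = {}
    # Assumption: the record keeps MCX policy under "mcx_settings" as a list
    # of strings, each one an embedded XML plist.
    for blob in record.get("mcx_settings", []):
        raw = blob.encode("utf-8") if isinstance(blob, str) else blob
        try:
            apps = plistlib.loads(raw).get("mcx_application_data", {})
        except Exception:
            # Policy is attached but unreadable: report it instead of hiding it.
            domains.setdefault("<unparseable mcx_settings entry>", [])
            continue
        for domain, levels in apps.items():
            domains.setdefault(domain, []).extend(sorted(levels))
    return domains

def is_managed(record_bytes):
    """True when at least one MCX policy entry is attached to the record."""
    return bool(mcx_domains(record_bytes))

def sample_record(name, policy=None):
    """Build a constructed user record; 'policy' is mcx_application_data."""
    rec = {"name": [name], "uid": ["1010"], "gid": ["20"]}
    if policy is not None:
        inner = plistlib.dumps({"mcx_application_data": policy})
        rec["mcx_settings"] = [inner.decode("utf-8")]
    return plistlib.dumps(rec)

# Constructed sample data, not captured from a real machine.
KIOSK = sample_record("kiosk", {"com.apple.dock": {
    "Forced": [{"mcx_preference_settings": {"autohide": True}}]}})
STUDENT = sample_record("student")  # plain standard account, no MCX

if __name__ == "__main__":
    for label, rec in (("kiosk", KIOSK), ("student", STUDENT)):
        state = "managed" if is_managed(rec) else "not managed"
        print(label, state, mcx_domains(rec))
```

On a test machine the input would be the bytes of the captured USERNAME.plist, read as root.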

    #381363
    Kim Young
    Participant

    UHG! Pooh!

    I had hoped I would not have to go that deep but I guess I was dreaming.

    We are a one to one private school where the families buy and therefore own the laptops. I load a school constructed image on the machines so the students have the appropriate software and then I support them as needed through the school year. I want to make it as easy as possible for the families to manage their kids so I want to set up an admin account for the parents and then set up the student as managed so the parents can apply whatever controls they want as their own situations warrant. As much as I dread it, it looks like I have to learn dscl.

    Thanks for all the helpful ideas.

    #381364
    Anthony Reimer
    Participant

    [QUOTE][u]Quote by: Kim+Young[/u][p]
    [i]I load a school constructed image on the machines so the students have the appropriate software and then I support them as needed through the school year. I want to make it as easy as possible for the families to manage their kids so I want to set up an admin account for the parents and then set up the student as managed so the parents can apply whatever controls they want as their own situations warrant. As much as I dread it, it looks like I have to learn dscl.[/i]
    [/p][/QUOTE]

    Now that you’ve described the situation more completely, you may not need any of the suggestions we’ve made so far. You just want three accounts on the machine: an admin account for school technical staff like yourself, an admin account for the parents, and a standard account for the student. You can do that all with CreateUser. A Standard account becomes Managed when any parental controls (or MCX settings) are applied. So you can still set it up simply (and with InstaDMG) if the managed settings will be created manually by an administrator. Of course, you’ll need to train the parents and insist that they change their password (otherwise it will leak out somewhere and compromise everything), but even if they never apply any managed controls, the students will only be able to run what you put on there for them (which would include unfiltered web browsing).

    The only reason you would need to use the techniques described previously is if you (or your school) insist that there be certain controls already implemented that are more managed than a Standard account if the parents never change the settings.
