Working local MCX breaking months after install

[Ebonfyre]

Background: Educational environment, InstaDMG 10.5.8 base image working beautifully on iBook G4’s, MCX settings restricting certain System Pref Panes (created using WGM) applied as a pkg immediately after asr restore of base image. Everything has been working great since imaging last summer.

Recently two problems have been surfacing:

The first, non-admin users are presented with a dialog box request from SystemUI Server for the admin password upon launch. This started happening about 2 months ago. All research says this is likely permissions related. Repairing permissions sometimes fixes this but not always. Simply entering admin password makes it go away permanently. Unsure if this is related to bigger problem below.

I wasn’t concerned about this but in the last week I’ve had 3 machines come in with another weird error, users cannot browse standard websites in any browser. Users can browse secure websites just fine. Image does have parental controls turned on for logging purposes. If I turn off parental controls, web usage returns to normal but all my custom MCX settings are immediately wiped, users can access all Pref Panes. If I rerun the pkg the MCX settings are correctly reapplied but the browser behavior returns to restricting port 80 traffic. If I completely wipe the disc and reimage, everything behaves perfectly like it did last summer.

I’m above my pay grade on this one… anyone have any thoughts about what may be going on under the hood and what I might be able to do to avoid simply wiping the users drive and starting over?

And should just turning off Parental Controls completely wipe my custom MCX settings?

[Ebonfyre]

OK, lets simplify and break down my questions to increase the chance that someone has some insight.

Most importantly, should turning on or off Parental Controls wipe all of my custom local MCX records?

[Allister Banks]

Semi-answering one question before asking several others:
Yes, Parental Controls leverages a similar framework to managed preferences(nee MCX). If you run FSeventer while enabling or disabling, you’ll see activity in many of the same directories as MCX would enforce management through, depending on….

How is the MCX management provided by your package taking effect? At the Computer level, Group level, User or ComputerGroup? Once/Often/Always?
Please let us know more about what exactly is in that package. Please join us in IRC if you’d like some real-time feedback, a link is in the sticky on this forum.

Oh, and back to your original post, it would seem an update applied to your image while out in the field is causing that prompt, but otherwise wouldn’t be related to your prefs issue.

Allister

[Ebonfyre]

My pkg is created by launching WGM on a newly imaged unit, making the changes I wish, and then adding the plists in /private/var/db/dslocal/nodes/Default/users for each of my users into a pkg using Composer (failed horribly using PackageMaker). This method seems to have worked perfectly for many months.

I’ve confirmed using “diff -y” on a before and after copy of a user plist that turning on Parental Controls in this case does completely destroy everything in the mcx_settings section of the plist.

This seems like a huge pitfall against this method of preference management. There are many innocent and legitimate reasons to want to turn Parental Controls on and off.

The user in question has the following preferences managed:
Dock: Dock Items: Once
Media Access: Other Media: Disc Images: Require Authentication: Always (I think this is what is causing the SystemUI Server bug)
Parental Controls: Content Filtering: Hide Profanity in Dictionary: Always
System Preferences: (uncheck show) Expose&Spaces, Sharing, Software Update, Startup Disk: Always

[Allister Banks]

Hey there,

I’m resisting the urge to plug my github repo and encourage doing localMCX the same way I do, but among other differences I manage at the computergroup level, instead of specifying for a particular user. I would find it very hard to believe that you can only accomplish something with parental controls that WGM can’t, especially since WGM can import plists as part of managing any particular preference. Have you consulted the oracle, Greg Neagle(his managingosx wordpress blog has a lot of content regarding localMCX), and or his book with Ed Marczak on Apress?

Allister

[Greg Neagle]

Parental Controls adds MCX info into the local DS record, and therefore is incompatible with Local MCX at the user level (both things assume they have complete control of the user’s MCX info).

Possible workarounds include:

– Using Local MCX only at the computer/computer group level, and Parental Controls for the user-level stuff.

– Avoiding Parental Controls altogether and using only Local MCX.

-Greg

[QUOTE][u]Quote by: Ebonfyre[/u][p]My pkg is created by launching WGM on a newly imaged unit, making the changes I wish, and then adding the plists in /private/var/db/dslocal/nodes/Default/users for each of my users into a pkg using Composer (failed horribly using PackageMaker). This method seems to have worked perfectly for many months.

I’ve confirmed using “diff -y” on a before and after copy of a user plist that turning on Parental Controls in this case does completely destroy everything in the mcx_settings section of the plist.

This seems like a huge pitfall against this method of preference management. There are many innocent and legitimate reasons to want to turn Parental Controls on and off.

The user in question has the following preferences managed:
Dock: Dock Items: Once
Media Access: Other Media: Disc Images: Require Authentication: Always (I think this is what is causing the SystemUI Server bug)
Parental Controls: Content Filtering: Hide Profanity in Dictionary: Always
System Preferences: (uncheck show) Expose&Spaces, Sharing, Software Update, Startup Disk: Always[/p][/QUOTE]

[Ebonfyre]

Allister – Much of what I have accomplished is based on Gregs online content, though I was not aware of a full book (may be useful to seek out). My need for this level of control only happens once a year when I make the new image for the school year, so I’m not as familiar with the nuances that may be associated with it – hence this plea.

Greg – Thanks for your clarification, that is exactly what I was looking for.

[Ebonfyre]

So, summer is here and it’s image building time. I wanted to continue this thread because it is still a pain in my side.

Based on the recommendations here I have attempted to use Local MCX at the computer/computer group level rather than at the user level in my earlier image. Following Greg’s excellent book I have successfully programmatically created the local_computer user, the mcxadmin user, changed to a different node, and added that node to the DS path. I have successfully altered the login window and the docks of each of my 3 standard users by assigning computer groups to the local_computer computer.

However, again Parental Controls is a thorn in my side. When I create a computer group in WGM dedicated to enabling Parental Controls, it only enables it on my admin account, not on any of my other accounts (which is exactly the opposite behavior I want actually). As I understand it, by doing it at the computer/computer group levels it should apply to all of my users, like it is for my dock.

Is this another incompatibility between Parental Controls and MCX?

[Allister Banks]

Hey there,

I will test for you and let you know what I find as soon as I can.

Allister

[Author]

Posts