Password Application

Is there a way to password an application? I want to keep students from using Safari at certain Macs. I don’t want to take it off completely. I used a script to place a password on a folder, but as I was testing it I thought about searching for Safari and I could open it that way.

Connie

This is the wrong forum for where I’m about to take this, but if you’re in a student environment this scenario would best be handled by managed preferences from an Open Directory Master. Simply deny Safari access at the student group level or for only specific machines at the machine group level.

I am not sure, but if you are talking about setting up different accounts, some of the server products won’t work right when there is a limited account. If this isn’t what you are talking about then I don’t have a clue.

Is there a way to password an application?

Thanks,
Connie

Hi Sweet

Could you not move it out of the applications folder into a home folder of a user they don’t have access to!

I have been searching and I guess this isn’t really possible. I think I will just try to fake them out by changing the name of Safari and the icon then making an applescript that has the Safari name and icon and asks for the password.

If anyone knows of a way to password Safari, please post.

Thanks,
Connie

But, they can still search for the real Safari.

I wonder if you can place Safari in an encrypted disk image. When the user clicks on your fake Safari named script and enters the correct password, the script mounts the disk image and runs Safari. This is a lot of work though.

There must be an easier way to do this. Maybe change the permissions for Safari? I don’t know what you would change it to.

How about zip -P password. That’s not particularly secure, but it takes some sophistication to dig it out. Then your run-only script would ask for a hidden password, compare, and unzip the file with its password and launch a background only stay-open watcher to remove the unzipped file when it was quit.

I just found out that I don’t need to figure this out. They will have to use Safari because the server is going to be web based in a month. The librarian was having problems with her assistants surfing when and where they shouldn’t. I was just trying to help her out.

Thanks for all the help. You guys always go above and beyond to help me and I really appreciate it :smiley:

Just when I found a solution. :slight_smile: You just make Safari non-executable and users have to enter the password to make it executable.

chmod -x /Applications/Safari.app

I wonder if you need to do this on the actual application or if on the package is ok. I just tried it out on a regular applet. Anyway, it’s moot.
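On the question above of whether `chmod -x` belongs on the package or on the actual application, the two cases side by side, as an added example that is not code from the thread. `Demo.app` and every function name are constructed for illustration, and the executable is assumed to be named after the bundle.

```shell
#!/bin/sh
# Added example. Demo.app is a constructed stand-in bundle in a temp
# directory; nothing under /Applications is touched.

# Build Demo.app/Contents/MacOS/Demo and print the bundle path.
make_bundle() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/Demo.app/Contents/MacOS"
    printf '#!/bin/sh\necho launched\n' > "$root/Demo.app/Contents/MacOS/Demo"
    chmod -R 755 "$root/Demo.app"
    echo "$root/Demo.app"
}

# Path of the executable inside a bundle (assumes it is named after the bundle).
inner_exe() { echo "$1/Contents/MacOS/$(basename "$1" .app)"; }

# First ten characters of ls -ld, e.g. drwxr-xr-x (same on BSD and GNU ls).
mode_of() { ls -ld "$1" | cut -c1-10; }

# Option A: clear x on the package. On a directory, x is search permission,
# so non-root users can no longer reach anything inside the bundle.
# a-x is the umask-independent spelling of the thread's "chmod -x".
lock_bundle() { chmod a-x "$1"; }

# Option B: clear x on the executable itself; the bundle stays browsable
# but the kernel refuses to exec the file, for root as well.
lock_executable() { chmod a-x "$(inner_exe "$1")"; }

# Undo either lock. Needs the owner's (or root's) rights, which is why the
# bundle must not be owned by the restricted account.
unlock() { chmod a+x "$1" && chmod a+x "$(inner_exe "$1")"; }

# Try to start the inner executable directly; returns its exit status.
try_launch() { "$(inner_exe "$1")" >/dev/null 2>&1; }

app=$(make_bundle)
lock_executable "$app"
echo "executable locked: $(mode_of "$(inner_exe "$app")")"
try_launch "$app" || echo "launch refused"
unlock "$app"
lock_bundle "$app"
echo "bundle locked:     $(mode_of "$app")"
unlock "$app"
rm -rf "$(dirname "$app")"
```

Either lock only holds while the restricted account neither owns the bundle nor has admin rights, since the owner can simply run `chmod +x` again.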

Good thought Kel - I was going to set it to invisible… but yours would probably work better…

Moot point now sure, but if the user is an admin then you have more problems anyways.

They could most likely bypass any security measure put in place. Or install a different browser. Or run one off of a thumb drive.

True the best thing to do would be to install a firewall that restricts the student’s ability to access material deemed “questionable”.

Too bad there is no icon here for ::opening a can of worms::

Or use a directory system and manage the rights to the account… finding a way to work around requirements of certain application privileges.

There is a firewall that blocks a lot of things. It is impossible to block everything questionable.

I think the best solution is to set ground rules and follow up when the rules are broken. It is not always easy to keep an eye on them while they are on the computer. They can be sneaky, like someone said, using a pen drive or whatever.

She wanted to keep them out of it but not remove it entirely. I figured a password would work. I like the puzzle of trying to figure it out, plus I get to stop by and say hi to all of you.

Has anyone seen Kai lately?

Thanks for all the help :cool:

Kai is working on a blockbuster script (I’ve been beta testing it for him) that will, at some point, make its way to a MacScripter.net tutorial. I’ll leave it to him to reveal any more than that.

Some years ago, I chaired the committee responsible for the Faculty’s student network (in the Faculty of Engineering at a local university) and we had a very simple rule (which, as Dean of Engineering I enforced without exception): If you were caught playing any interactive game (Doom, in particular), viewing any pornographic material, downloading music or videos, or sending suggestive emails to others, you lost all computer privileges for 336 hours from that moment - exactly two weeks.

There were no excuses, no reprieves, no paths to forgiveness – not even if your entire term project or a vital homework assignment was there. Large notices were posted in all the machine rooms warning students of the consequences of violation. We had to do it once, sometimes twice per academic year, usually in the first two weeks of the first term, but the word got around (at a baud rate that only student rumor mills can manage) and we never had any more violations that year. We ran the student machines in the Engineering Library on a separate subnet that required a password to get to an outside connection (for Librarians), and the password was not issued to students. Right across the hall from the Library entrance was a public machine room, so if students needed WAN access, they had to go there. Any less harsh policy swamped the student subnet with stuff that had nothing to do with their studies and slowed the network (even with a fiber backbone) to a crawl.

Tell Kai Hi please :slight_smile:

If it were my classroom, that is how it would work. I would take away their rights to use the computer for a while. I am a tech and I work at two schools. Part time at each. I have 4 labs with at least 25 computers in each to take care of and about 100 computers and printers that I take care of too. If I were at one school and in the lab all the time, I could stay on top of what students do. It is left up to the teachers and a lot of them are clueless.

I think it is great that you kept students to a set of rules and enforced the consequences. I would love to do that here. The computers would stay a lot cleaner and be easier to maintain.

I’m late to this thread, but that’s not unusual for me…

The following is a different (and rather Draconian) approach to the problem on a per user basis. Save the script below as a stay open application bundle (with an obfuscated name that you will be sure to remember, but the casual user would not likely guess), substituting user names and the target app name and add:

LSUIElement

… to the bundle’s Info.plist. This will make the script app background only… requiring a trip to the Activity Monitor and a correct guess of the script’s process name to quit.

It would have to be a login item to be effective, and could probably be defeated that way, I suppose. I’m strictly an ‘admin’ user and haven’t tried another account to see what can and can’t be bypassed. Changing the displayed name of the script would help hide its identity… but won’t change the name of the process.

Don’t know if this will be of use to anyone or not, but… what the hey…

Have fun.

Peter B.



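-- Short user names that are allowed to run the target app
property allowed_user_names : {"Dick", "Jane"}

-- Called repeatedly while the stay-open app is running
on idle
	my Quit_App()
	return 5 -- run the check again in 5 seconds
end idle

-- Quit the target app ("TextEdit" here) if the current user is not allowed
on Quit_App()
	
	tell application "System Events"
		
		set user_name to short user name of (system info)
		set running_apps to the name of every process as list
		
		if user_name is not in allowed_user_names then
			if "TextEdit" is in running_apps then
				
				tell application "TextEdit"
					quit
				end tell
				
			end if
		end if
		
	end tell
	
end Quit_App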


Done, SWeeT :slight_smile:

Yes, I had a full-time IT guy who had “watchers” for illicit activity (particularly group gaming which eats bandwidth) and we kept a rolling cache of the last “n” emails that were sent from the system - If someone complained about an inappropriate email, we’d copy the cache to freeze it, and look for the offender. There was no guarantee of privacy using our “public” machines or your own laptop on our subnet.

We spent a fortune every year keeping the system up to date - replaced 1/3 of the machines every year, upgraded all the engineering software packages, added new stuff as it came along. The student’s free use of that system was a privilege; not a right. What they did on their home computers (and they all had one) was their business. What they did on ours, was our business too - they were using our expensive and limited resources.

You need to have a look at Apple Remote Access if you are admin on all those computers. Great program.

vince

I have Apple Remote Desktop 3. It doesn’t work with the way I have changed things to keep kids out of System Preferences. I changed the Ownership and Preferences so that System Preferences doesn’t open. So far it has worked to keep kids out. I think if they had more time, they could figure it out. Or if they had a Mac at home they would be able to play and figure it out. For some reason ARD doesn’t work right with it. I guess because it accesses something in System Preferences. ARD is really fun though. I like how you can shut down all the computers with one click. I prefer in the lab that they don’t mess the computers up and so far they are all still the same.

Thanks for suggesting it :slight_smile:

Connie