Organization: MAC and PC Software developer in Germany
Hello David,
I forgot to mention it in my initial post, the machines run Mac OS X
(10.2). The users don't have administrative rights. The number of
Macs in this environment is not very huge (around one dozen G4 Macs)
and they are currently administrated manually. The users most certainly
will not try to "hack" the machines, so the solution to restrict certain
USB devices does not have to be 100% secure (what is 100% anyway ;-).
Of course it should not be possible to disable the protection
by simply stopping the controlling application or restarting the
machine.
At Tue, 28 Oct 2003 13:00:01 -0800, David Ferguson wrote:
>
> This is a pretty hard problem if you require real security. How are
> you deploying these machines/software?
>
> I guess what I'm asking is:
>
> - Do users have access to the front of the machine (can they
> reset/restart it?) Can you prevent access to all ports (USB,
> Firewire, and Network)?
The users can reset or restart the machine. The machines are older
models and don't have Firewire, however Firewire could become an
issue in the future. Network access is controlled through a firewall,
the users cannot download software.
> - Will you pre-install the software for these machine -- can you make
> custom kernels based on Darwin sources?
An administrator will install the software on those machines and he
will also take care of software updates. I can install a custom
kernel based on Darwin if required.
> - You may need to modify IOKit or IOUSBFamily to get the
> functionality you want. Can you arrange for these pieces to be
> installed?
Yes, this could be done.
> I don't think there is going to be any other way to gain the level of
> control you need to prevent a user from restarting a machine.
> Disabling or unloading drivers while other parts of the system are
> using them is probably not a good idea.
What I already tried was modifying the Info.plist file of
the USB mass storage driver so that it will no longer match
memory devices. This worked, after removing the kext cache
and restarting the machine no new drives were mounted if a
USB mass storage device was plugged in.
However I am also thinking about an advanced solution which
would allow to define the USB devices which can be used on
the machines. This would give the administrator more control.
> David Ferguson
> USB Software Team
> Apple Computer, Inc.
Best regards,
Dieter Spaar
--
Dieter Spaar, Germany email@hidden
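
An added example, not part of the original post and not Apple's code: a Python check an administrator could use to confirm whether a kext's Info.plist still contains personalities that match USB mass storage interfaces, shown before and after those personalities are removed. The sample plist is constructed, its personality names and vendor/product IDs are hypothetical, and it assumes matching is done through the `bInterfaceClass` key with the USB mass storage class code 8.

```python
import plistlib

USB_CLASS_MASS_STORAGE = 8  # USB interface class code for mass storage

# Constructed sample, NOT the real driver's Info.plist; personality names
# and vendor/product IDs are hypothetical.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>IOKitPersonalities</key>
  <dict>
    <key>ExampleBulkOnlyStorage</key>
    <dict>
      <key>IOProviderClass</key><string>IOUSBInterface</string>
      <key>bInterfaceClass</key><integer>8</integer>
      <key>bInterfaceSubClass</key><integer>6</integer>
    </dict>
    <key>ExampleVendorDevice</key>
    <dict>
      <key>IOProviderClass</key><string>IOUSBDevice</string>
      <key>idVendor</key><integer>1234</integer>
      <key>idProduct</key><integer>5678</integer>
    </dict>
  </dict>
</dict>
</plist>
"""

def storage_personalities(plist_bytes):
    """Names of personalities that would match USB mass storage interfaces."""
    info = plistlib.loads(plist_bytes)
    personalities = info.get("IOKitPersonalities", {})
    return sorted(name for name, p in personalities.items()
                  if p.get("bInterfaceClass") == USB_CLASS_MASS_STORAGE)

def without_storage_matching(plist_bytes):
    """Return plist bytes with the mass storage personalities removed
    (one assumed way to stop the driver matching; the post does not say how)."""
    info = plistlib.loads(plist_bytes)
    for name in storage_personalities(plist_bytes):
        del info["IOKitPersonalities"][name]
    return plistlib.dumps(info)

def audit(plist_bytes):
    """PASS if no personality matches mass storage, else FAIL with the names."""
    hits = storage_personalities(plist_bytes)
    return ("FAIL", hits) if hits else ("PASS", [])

if __name__ == "__main__":
    print(audit(SAMPLE_PLIST))
    print(audit(without_storage_matching(SAMPLE_PLIST)))
```

As the post notes, an edited Info.plist only takes effect after the kext cache is removed and the machine is restarted, so a check like this is worth re-running after every software update that could restore the original file.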