Re: [Rockies-Edu] Disk Integrity
- Subject: Re: [Rockies-Edu] Disk Integrity
- From: Weldon Dodd <email@hidden>
- Date: Thu, 16 Mar 2017 12:34:09 -0600
I assume you mean System Integrity Protection. Forgive me if I misunderstood.
To directly answer your question, when you disable SIP it behaves like it did before 10.11. It does remove a key security feature of the OS that is there mainly to prevent malware from making system changes if installed with admin credentials.
My own opinion is that building your workflow around disabling SIP seems like a bad idea. It's new in 10.11 so it takes some new thinking to work with it, but I wouldn't assume that it will be possible to disable in future versions.
You can achieve many (but perhaps not all) of the desired results by using configuration profiles to restrict access to some apps (FaceTime, iMessage, Siri, Game Center). Screen Sharing permissions are still configured with preferences, but that can be done with a script that loads during imaging or later. The app itself is in /System/Library but if permissions on client computers are locked down, then there isn't much to do with it. You can exclude Applications from Spotlight results to try and hide it (students could still launch it directly), but anything else will require disabling SIP. jamf Pro would allow you to kill that process from running even if students found it.
While MDM makes it a lot simpler to deploy config profiles, it is possible to install them in your Deploy Studio workflow or after imaging with other tools like Munki.
We don't use master images in our workflow. We install a base OS and install management tools with Deploy Studio and then control configuration management with those tools (Munki or jamf Pro). That approach saves a lot of time and effort in fixing master images. As needs change, we adjust the configuration in real time instead of waiting to reimage. It also allows us to work with systems that are enrolled in DEP without someone in IT even touching the computer.