Security - Locking down Security and Privacy Pref Pane while allowing access to the privacy tab

jrserapio
Contributor

Hey JN community.

I would like to control the Security and Privacy Preference pane, while allowing access to 1 portion of it. I want to block the General tab, the FileVault tab and the Firewall tab (though the Firewall tab is not too big of an issue), while allowing access to the Privacy tab. Not sure if this is even possible. I've been looking at the Authorization db, but it doesn't look like you can get too granular (at least from what I've read).

The privacy tab > accessibility section is needed for quite a few 3rd party tools. When you install these tools, it requires access to this part of the preference pane.

We are looking at maybe creating our own custom preference panes to possibly get around this, but wondering if anyone had any thoughts on how to do this without a custom preference pane.

Thanks for reading.

3 REPLIES

mm2270
Legendary Contributor III

Sadly, I don't believe there's a way to do this. It would be awesome if each tab or section within any Preference Pane could be managed in this way, but Apple doesn't include that level of granularity with the OS in most cases.
For example, I'd like to be able to granularly control the items within the Sharing Preference Pane, but it's an all-or-nothing deal. If you lock it, you lock the whole thing.

That said, if you're using FileVault and want to lock the Disable FileVault button, that can be done now in Mavericks with a Configuration Profile. Greg Neagle posted a working example on his blog and here on one of the threads. I've tested it and it does work to grey out that button. I don't know if it grays it out to prevent it from being turned on as well though.
I can't offer much for the General tab other than the fact that the one item that can be managed with MCX or Config profiles is the "Require password X minutes after screensaver or sleep". It can be both set to a value and disabled for the end user, so they can't change it.

What are the other items you're concerned about and looking to prevent manipulation of?

jrserapio
Contributor

Thanks for the reply @mm2270.

Here are the items that I want to prevent manipulation.

In the general tab:
Require password immediately after sleep or screen saver begins (Locked by MCX)
Gatekeeper Settings

In the FileVault tab:
Turning FV off (though McAfee policy will turn it back on, but would rather not have users be able to mess with it)

Privacy Tab:
Disable enabling location services

My coworker found that the Privacy tab is controlled by the TCC db.
Going to look into that route. Found a site that may point me in the right direction if it's possible.
http://macops.ca/modifying-the-tcc-db/

thuluyang
New Contributor III

I think you can only restrict Security and Privacy as a whole, but not for different payloads. That is just my guess, not an official answer.
You can use configuration profile->restriction->Restrict items in System Preferences, choose security and privacy.
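
Added example, not part of the thread: a Python sketch of the kind of profile the "Restrict items in System Preferences" setting produces, plus a small audit helper that reads a `.mobileconfig` back and reports which panes it disables. It locks the Security & Privacy pane as a whole, Privacy tab included, which is the all-or-nothing limit discussed above. The organization name, profile identifier and output file name are assumptions.

```python
import plistlib
import uuid

# Bundle ID of the Security & Privacy pane; restricted as a whole, not per tab.
SECURITY_PANE = "com.apple.preference.security"
SYSPREFS_PAYLOAD = "com.apple.systempreferences"


def build_profile(disabled, org="Example Org",
                  identifier="com.example.syspref-restrict"):
    """Return a configuration profile dict that disables whole preference panes.

    `org` and `identifier` are placeholder values (assumptions).
    """
    payload = {
        "PayloadType": SYSPREFS_PAYLOAD,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".panes",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "System Preferences restrictions",
        # De-duplicate and sort so repeated builds produce a stable list.
        "DisabledPreferencePanes": sorted(set(disabled)),
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Restrict Security & Privacy pane",
        "PayloadOrganization": org,
        "PayloadContent": [payload],
    }


def render_profile(disabled):
    """Serialize the profile to XML plist bytes (.mobileconfig content)."""
    return plistlib.dumps(build_profile(disabled))


def disabled_panes(profile_bytes):
    """Audit helper: list the panes a .mobileconfig disables."""
    profile = plistlib.loads(profile_bytes)
    panes = []
    for item in profile.get("PayloadContent", []):
        if item.get("PayloadType") == SYSPREFS_PAYLOAD:
            panes.extend(item.get("DisabledPreferencePanes", []))
    return panes


if __name__ == "__main__":
    with open("restrict-security-pane.mobileconfig", "wb") as fh:
        fh.write(render_profile([SECURITY_PANE]))
```
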