Skip to main content
Jamf Nation, hosted by Jamf, is the largest Apple IT management community in the world. Dialog with your fellow IT professionals, gain insight about Apple device deployments, share best practices and bounce ideas off each other. Join the conversation.
CCT Badge CCA Badge
12

Managing The Wallpaper

Posted: 1/30/15 at 1:43 PM by Chriskmpruitt

We have been asked to lock down our users wallpaper. We locked the wallpaper down by placing a PNG in a folder in the /Library/FolderthatstoresPNG. Everyone has permissions to this folder. Then lock the wallpaper down with a config profile. BAM! wallpaper locked down. Well then some one was smart enough to REplace our PNG with their own PNG......So now their background is whatever they replace that PNG with. We have underestimated the sneaky sneak of some people.

So now i have place the PNG in our hidden management account which is in /private/var/Managementaccount/Documents

no one has permissions to this folder, so when the config profile looks for the PNG it does not find it.

Is it a permissions thing? or is it that the PNG is in a hidden account?

How are other people managing wallpapers?

Thank you! and happy FRIDAY!

12

Posted: 1/30/15 at 1:50 PM by rleatherwood

You can create a package that stores the wallpaper.

With Composer, select New, go down to User Environment, Select Background, then done :D

We have ours set to push out on log out, so the next time they log in it will be reset to default.

CCT Badge CCA Badge

Posted: 1/30/15 at 2:01 PM by Chriskmpruitt

with doing it that way couldn't they just change their wallpaper whenever they want to?

@rleatherwood

Posted: 1/30/15 at 2:10 PM by rleatherwood

Yes. They could still change it. But it would get reset to default as soon as they logged out.

Posted: 1/30/15 at 2:12 PM by rleatherwood

I believe there's a parental control setting that disables the option to change the wallpaper. But I'm not entirely sure how to do it that way.

Maybe through configuration profiles?

CCA Badge CJA Badge

Posted: 1/30/15 at 2:12 PM by RobertHammen

Are the users admins? Can you make the image, and the folder inside of it, read-only?

If they are admins, you could set a policy that runs at Logout that reinstalls the image, so the next time they log in, it's back ;-)

CCA Badge

Posted: 1/30/15 at 2:15 PM by laurendc

I ran into this by accident while trying to figure out how to use configuration profiles to push a wallpaper out on first login, but leave it unmanaged afterwards. I ended up disabling it but I know it works at least in testing. You can definitely use configuration profiles to lock the wallpaper down. We are running 9.62, not sure if that function exists in earlier versions.

CCT Badge CCA Badge

Posted: 1/30/15 at 2:24 PM by Chriskmpruitt

sadly yes our users are admin. So we just have to be smarter then then lol

CCA Badge CCE Badge CJA Badge CMA Badge Integrator Badge

Posted: 1/31/15 at 9:31 AM by daz_wallace

When you package the replacemen background, why not have the file as hidden in the gui?

chflags hidden [path to file]

After this, I'm pretty sure that all users will need read access to the file for the profile to use it?

CCA Badge CCE Badge CJA Badge Integrator Badge

SOLVED Posted: 1/31/15 at 12:01 PM by davidacland

Sounds like a few steps will be needed to try and prevent changes:

  • Lock out the Profiles system preference
  • Lock out the Desktop and Screensaver system preference
  • Make sure the file is in a hidden folder, but have the permissions set so the system can still read it
  • Lock the PNG file with ``` chflags uchg /path/to/file
    - As @daz_dar mentioned, hide it with the ```
    chflags hidden
    command

Not sure if this is for a company or a school, but if it was a company, taking the non-technical approach I would communicate to everyone that the desktop background isn't to be changed.

If people do it, take away their admin rights.

CUG Badge

Posted: 1/31/15 at 12:47 PM by adamcodega

I would imagine that it's a permissions issue. Certainly easy to test.

At this point, someone else needs to be involved as this is a disciplinary issue.

Posted: 1/31/15 at 5:35 PM by gregneagle

Use a configuration profile. Here's an example:

https://github.com/gregneagle/profiles/blob/master/desktop_picture.mobileconfig

...and if you don't want the users to modify the desktop picture file itself:

1) Don't give them write rights to the file or the enclosing directory, and
2) Don't give them admin rights.

If they have admin rights, you're just wasting your time trying to lock stuff down. They now have as much power over the machine as you do.

CCA Badge CMA Badge

Posted: 2/2/15 at 7:33 AM by bvrooman

You could set a logout policy which installs a package (maybe a DMG would be faster?) containing the correct desktop picture, placed at whatever path the config profile is configured for. Set it for ongoing execution and check the offline box \- each client will cache the package and replace it at each logout.