- Jamf Nation Community
- Products
- Jamf Pro
- Restrict "Sharing" Preferences but not "File Shari...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Restrict "Sharing" Preferences but not "File Sharing"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-04-2016 12:16 PM
I know that I can lock down the entire Sharing preference pane, but I am wondering if there is a way to lock down everything in the pane except for File Sharing? Even if this has to be a custom payload, I am ok with managing that. We have a need to block users from changing their screen sharing settings and VNC settings/etc, but still want them to have the ability to use File Sharing if they have a use for it. Has anyone encountered a similar situation and found a solution? Thanks in advance!
Labels:
10 REPLIES 10
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-04-2016 02:00 PM
I don't believe what you're wanting to do is possible. Locking individual System Preferences Panes is an all-or-nothing deal. If you lock the Sharing Pane you can still use the "sharing" command in terminal to manage share points -- not something you're going to want users to mess with for sure. You may wind up having to create an app or something to leverage the sharing command if you really want to lock down those prefs & let your users manipulate file shares. They'd have to be admins to do it though.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-04-2016 02:05 PM
Yes, its all or nothing as @Berrier stated. Apple never added in that granular level of control in either MCX or Config Profiles to lock only portions of at least that Preference Pane. But same is true for most of them.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-04-2016 02:10 PM
I haven't tried but could you use a custom payload to SET the Sharing settings how you want and then the pref pane is open for the rest of the settings you don't need to manage. Alternatively, if that doesn't work you could make a daemon that uses the ard kickstart command to continually set those settings how you want.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-04-2016 02:27 PM
Or, you could lock down the Preference Pane but then maybe create some kind of AppleScript applet or something similar that will create shares for your users. I don't think that would be too difficult. Disabling the Sharing pane doesn't disable the services themselves.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-04-2016 02:38 PM
I took a couple minutes to look this up, but maybe something like this:
#!/bin/bash mkdir ~/Desktop/SharedData sharing -a ~/Desktop/SharedData launchctl load -w /System/Library/LaunchDaemons/com.apple.smbd.plist defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist EnabledServices -array disk chown -R whatever_user:whatever_group ~/Desktop/SharedData
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-04-2016 02:45 PM
It IS too bad that Apple hasn't done this. Makes so much sense given the importance of controlling items in there, without an all or nothing approach...
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-05-2016 12:44 AM
There is a file called servicelist.xml in /System/Library/PreferencePanes/SharingPref.prefPane/Contents/Resources and this guy says that editing the servicelist.xml will remove the options from the SharingPref.prefPane.
Because I'm currently traveling away from my test environment I haven't fully tested this, and if you do this you will clash pretty hard with SIP.
I've tested it briefly on 10.11.3 (modified in target disk mode) and it worked, not sure if it will stick or SIP / future updates might revert it. And modifying anything in /System is bad in my opinion but that's up to you.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-05-2016 06:12 AM
After testing with some of the suggestions, here are my findings:
Locking down the preference pane and then running an AppleScript to make modifications does not work. If the pane is not accessible via the GUI, AppleScript can't handle it.
I do like the idea of an AppleScript application to set File Sharing via bash commands, so I may look into this a bit further.
Modifying the servicelist.xml in /System/Library/PreferencePanes/SharingPref.prefPane/Contents/Resources is something that would be useful for us, but SIP is ruling me with an iron fist. So no go on that front (we do not wish to disable SIP at this time).
I'm bummed that all of these important settings are controlled under one pref pane but there's no granular control. For security reasons we need to lock down the remote management and screen sharing settings, but we also want to allow users access to File Sharing. Thanks for your input thus far!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-05-2016 10:52 AM
It's a shot, and if enough people ask, you never know. I'm guilty of complaining and not asking, so more = better.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-05-2016 10:57 AM
Done! Most likely nothing comes of it, but I submitted feedback nonetheless.
