Jamf Nation Community

Why is this post searchable from Google? I have students using this command to remove Self Service Components.

@aschultz][/url][/url,

Two questions:

1. Why do your students have admin privileges? They would need to be administrators to use sudo, which in turn would be needed to run the linked command with root privileges.

2. If your students need admin privileges, why are they granted sudo privileges? You can restrict those privileges by editing the /etc/sudoers file on your students' Macs. It's possible to have be in the admin group (which gives administrative privileges in the OS X GUI) while not having the rights to run sudo.

One way to do this would be to remove the admin group from /etc/sudoers:

external image link

and replace it with entries for just your local administrator account and your Casper management account.

external image link

Thanks for the advice! I a a JAMF rookie, and struggling. I'm trying to manage 1000 MacBooks, that were all set up on admin accounts before I got here. My QuickStart with JAMF didn't cover some of these issues, and I'm learning on the go.

@aschultz, to answer one of the questions you asked, why are things posted on this community public? In my opinion, if it weren't public it wouldn't be nearly as successful as it is.

Rich gave a fantastic answer as always, he must not sleep, he's a machine! But you can also look at other resources that were given at the National User Conference.

https://jamfnation.jamfsoftware.com/jnucEvents.html?type=1

Specifically:
- Teaching Students Ethics and Responsibility Through the Use of Technology (didn't see it myself)
- Managing the Unmanageable-In a Hacker Culture (did see this one)

The second on was folks from Facebook. This one was certainly a bit more advanced in how they dealt with the issue you are talking about, specifically that command. They said you would have employees ON Facebook type that command and then a few hundred employees liking it, so it spread well. However, they have another tool in place to repair that change if needed. For you that might be a bit much, but it was another good example.

Unfortunately not all of the resources from the conference are there yet, like the videos, but the Fb guys said they would post what they could.

We're all here to help!

@aschultz wrote:

Thanks for the advice! I a a JAMF rookie, and struggling.

We all got here from different places, and everyone here is still learning to some extent. :)

Damien Barrett explained his perspective on the use of technology last year, very happy to see him present on stage. Catch his interview video at the 2013 JNUC keynote. :)

My temporary fix to the situation is to block Terminal from launching. Any other advice?

That'll work for the time being, but as @rtrouton asked above, you may want to ask if your students need to be administrators on their Macs. Totally understand you inherited this and whoever set it up before wasn't really thinking things through, but if you have some leeway in changing that situation, I say you take it. If you decide to remove admin rights, that can be done with some example scripts from other threads here. There are actually some examples that show how to "add" admin rights to all local accounts, but you can simply use the same idea and flip it around, to remove the local accounts from the admin group.

If the students need to be able to manage certain admin level items, such as unlocking some System Preferences, managing printers, etc. besides Rich's solution, you could also look at modifying the authorization file. Modifying it will allow you to change some rule sets to do something like add a local group that you can put all the students into, such as lpadmin.

Hey all- as far as the value of this being public- I just bought a used Mac that I thought had been totally wiped clean, but a few days I opened it, I accidentally clicked on a pop-up box saying that Xerox Business Services wanted to configure my computer- and suddenly Self Service was installing a million and one apps that I have no use for. I deleted them all from the applications window, but the Self Service app itself continues to reappear, and I have no idea what else has happened in the background. I'm not a student, or an employee of Xerox, but I guess whoever I bought this computer from was. I'm not a programmer, and would rather stay out of Terminal if possible, but I'll do whatever I need to do to get my Mac back under my own control. Help!

@bmesser It sounds like you bought a computer that is still enrolled into an organizations Device Enrollment Program (DEP), typically if an organization is actually selling old hardware this should be removed at that time. There are steps listed above to remove the management settings but the pop up will always come back. You will have to contact the people you bought the device from to get this computer removed from their system. There is nothing you or anyone on here can do to get your computer un-enrolled from a DEP setup.