First I unbound all of our Mac machines from our domain and created a new user. After removing all the other users except the Administrator account and our State Testing account, I set up the new user (hereafter "Student") with the settings and Apps that I wanted. I also changed the permissions for the apps I didn't want users accessing to ug=wrx o= and the user/group all set to root:admin. I also removed the sticky bit with a chmod -t on all the applications I didn't want users seeing (Safari, iTunes, System Preferences all come to mind). The only app that Student has full access to is Google Chrome.
Next I set the Chrome settings. This is probably the most important in the daily operation since without proper setup, taking your PC off the domain leaves you open to anonymous browsing. The per-user settings on the device are located at ~/Library/Preferences/com.google.Chrome.plist and the keys that the plist accepts are found at chrome://policy (check the box in the top right that says "Show policies with no set value"). Or you can read through http://www.chromium.org/administrators/policy-list-3, which contains all the policies, what the expected value is, and what platforms they work on.
Here is the output from Student's defaults read com.google.Chrome.plist:
{
    AutoFillEnabled = 0;
    ForceSafeSearch = 1;
    HomepageIsNewTabPage = 0;
    HomepageLocation = "chrome://chrome-signin/?source=0";
    IncognitoModeAvailability = 1;
    LastRunAppBundlePath = "/Applications/Google Chrome.app";
    NSNavLastRootDirectory = "~/Downloads";
    NSNavPanelExpandedSizeForOpenMode = "{712, 514}";
    "New Key" = "";
    PasswordManagerEnabled = 0;
    RestrictSigninToPattern = "*@wgsd.us";
    SafeBrowsingEnabled = 1;
    URLBlacklist = ("http://*","https://*");
    URLWhitelist = ("m.google.com",);
}
You will notice that the URLBlacklist key is set to "http://*, https://*" which blocks access to the internet until a user logs in. In order to clear this value, you must have a managed account that changes the value to anything. This is what I have in my admin console to clear the URLBlacklist. It also populates in the chrome://policy page, but SaveToDrive won't take a screenshot of that.
This also prevents users from logging into their private Gmail accounts, since the fields aren't cleared with unmanaged accounts. Student accounts are set to Ephemeral mode which automatically logs them out if they close the browsing windows (Windows/Mac/Linux only). The homepage is set to the Login to Chrome page, though occasionally after a student closes the window it goes to the new tab page instead.
Once the Student account was the way I liked it (Google Chrome launch on startup, History empty, ChromeAppLauncher in Dock, mouse, power, login screen, and inactive logout settings), I logged into the Administrator account and used the Student account as a template. I created a folder in /Library called Default and copied the user folder into the newly created folder. Using "cp -Rp /Users/student /Library/Default/" preserved the permissions in the Template.
From here we have a blank starting point we can revert back to at any time. A simple bash script executes and reverts the profile back to our starting point. Add in a LogoutHook and whenever someone logs out of an account, the profile resets. Basically, a poor-man's DeepFreeze on an account. Here's the script and command to create the LogoutHook:
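/Library/Default/refresh.sh
#!/bin/bash
# Discard whatever the last session changed in the Student home folder
rm -rf /Users/student
# Restore the saved template, preserving permissions and timestamps (-p)
cp -Rp /Library/Default/student /Users/student
chown student:admin /Users/student
and for the hook (as administrator):
sudo defaults write com.apple.loginwindow LogoutHook /Library/Default/refresh.sh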
Make sure that the script is in the right location, is owned by root:admin and is executable (chmod 770 refresh.sh). Test the script and hook by logging into the student account, changing some local setting like the background. Then log out and log back in. If the background went back to the original, it's working.
Presently, I've done nothing other than push out Google Chrome with the preferences listed above in the plist file. I have also restricted the application "iexplore.exe" to keep students from using alternative browsers. I am toying with the idea of having a local account that the computers auto-login to or a local account with no password, but a large part of me wants to say screw it and leave them as they are. I don't want to have to manage a second set of login credentials (Active Directory & Google). I know there are tools to do a one way sync, but it's the wrong way for what I'm wanting to do (they sync local to cloud, not cloud to local). The ultimate goal is to get rid of both Windows and Mac and be 100% Google for Authentication, Authorization and Auditing. Ok, so auditing is still a ways off, but that is the ultimate goal.
----
You received this message because you are subscribed to the Google
Groups "Google Apps K12 Technical Forum" group.
To post to this group, send email to k12ap...@googlegroups.com
To unsubscribe from this group, send email to
k12appstech...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/k12appstech?hl=en?hl=en
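An added example, not part of the original post: because every session is rebuilt from the copy in /Library/Default/student, a changed Chrome plist in that template reaches every later login. This Python check compares a plist against the values listed in the post; the function names and the sample builder are assumptions made for the illustration.

```python
import plistlib

# Policy values from the Student plist in the post (0/1 as `defaults read` shows them).
REQUIRED = {
    "AutoFillEnabled": 0,
    "ForceSafeSearch": 1,
    "IncognitoModeAvailability": 1,   # 1 = incognito mode disabled
    "PasswordManagerEnabled": 0,
    "SafeBrowsingEnabled": 1,
}
# Both entries are needed to block browsing until a managed account signs in.
BLOCK_ALL = {"http://*", "https://*"}


def sample_plist(**overrides):
    """Constructed sample mirroring the post's plist; overrides simulate drift."""
    prefs = dict(REQUIRED,
                 URLBlacklist=sorted(BLOCK_ALL),
                 URLWhitelist=["m.google.com"],
                 RestrictSigninToPattern="*@wgsd.us")
    prefs.update(overrides)
    return plistlib.dumps(prefs)


def audit_chrome_plist(data):
    """Return a list of findings; an empty list means the lockdown is intact."""
    prefs = plistlib.loads(data)          # accepts XML and binary plists
    findings = []
    for key, want in REQUIRED.items():
        if key not in prefs:
            findings.append(f"{key}: missing")
        elif int(prefs[key]) != want:     # booleans and integers both compare as 0/1
            findings.append(f"{key}: is {int(prefs[key])}, expected {want}")
    missing = BLOCK_ALL - set(prefs.get("URLBlacklist", []))
    if missing:
        findings.append(f"URLBlacklist: missing {sorted(missing)}")
    pattern = prefs.get("RestrictSigninToPattern", "")
    if pattern in ("", "*", ".*"):
        findings.append("RestrictSigninToPattern: unset or matches any account")
    return findings


if __name__ == "__main__":
    drifted = sample_plist(IncognitoModeAvailability=0, URLBlacklist=["http://*"])
    for finding in audit_chrome_plist(drifted):
        print(finding)
```

On the Mac, pass the bytes of the template's Library/Preferences/com.google.Chrome.plist to audit_chrome_plist.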
I have done the Netbook-to-Chromebook and we have it as a cart in our science room. It took less time overall to set up locked down Chrome Browser than make sure that all the Netbooks could connect due to the Broadcom NIC that is installed in the Netbooks.
Stephen Gale
Director of Technology
970-364-6196
Lisa Fusco
Director of Educational Technology & Innovation
The Moriah School
53 S. Woodland Street
Englewood, NJ 07631
201-567-0208 ext. 325
How would you go about enrolling converted pc>chromebooks into the management console? Strictly by user?
Trae
- Mahatma Gandhi
"In times of change learners inherit the earth; while the learned find themselves beautifully equipped to deal with a world that no longer exists."
Sec. Getting on my Chrome book instead of the phone.
Stephen Gale
Director of Technology
Does the Chrome OS mode act like a chromebook?
Can it be managed?
Kevin M. O'Donnell
Belmar Elementary School
Technology Education and Support
Authorized Google Education Trainer
This is what I set up for our older machines: It installs Ubuntu which only launches Chrome, can run on Macs or Windows. On quit, the Chrome profile is deleted. With the remote browser set up we have iBook G4 still in service (they have to be plugged in, but they're pretty compact).
We have done this for our 7 year old DakTek devices. It helps with speed since users don't log in to AD, only to Chrome.
Stephen Gale
Director of Technology