While most of our accounts are managed through Workgroup Manager, we often set up local accounts to be used for end-of-term governmental exams at the K-12 institution where I work.
It would be nice to lock down the computers such that students can only use their word processor during the exam, and have no access to the internet. I made a local user test account and tweaked some settings under Parental Controls. Then, I was able to export them:
```
dscl . -mcxexport /Users/testuser -o parental_controls.plist
```
And re-import them to good effect:
```
dscl . -mcximport /Users/testuser parental_controls.plist
```
Watching the filesystem while doing this, I noticed that the applications I whitelisted were signed in the background by Parental Controls, and this was remembered in the settings. My exported plist has lines like this (reformatted for readability):
```xml
<key>appID</key>
<data>+t4MAAAAACgAAAABAAAACAAAABQOiCi6O1EFrBaCbNrFU4pEjwH8zg==</data>
<key>bundleID</key>
<string>com.microsoft.Word</string>
<key>displayName</key>
<string>Word</string>
<key>path</key>
<string>/Applications/Microsoft Office 2008/Microsoft Word.app</string>
```
I found a nice guide to codesigning. Unfortunately, it says that you'll need your own certificate to sign applications with. [And, as this was already becoming more work than I had in mind, and I may just go to 60 computers manually and do it, scripting the keychain to create a new codesigning certificate so that I could then sign some specific apps to then enable parental controls seems like a place where madness lies.]
I did test to see what would happen if I removed the key, and the managed user cannot launch the application.
Is there a sensible way to either
- script this process
- perhaps I can use an existing certificate?
- perhaps Apple has a Parental Controls CLI utility I can call that will sign them?
- manage a local account from Workgroup Manager for a whole lab?
- or otherwise perform the same steps for many computers?
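
Added example, not part of the original post: a pre-deployment check that parses an exported plist and flags whitelist entries lacking the `appID` data that the post found is required for the managed user to launch the app. The wrapper keys (`example.domain`, `whiteList`), the second app and the `appID` value in the sample are constructed; entries are found by looking for any dict that carries `bundleID` and `path`, which is an assumption about the export layout.

```python
import plistlib

def find_app_entries(node):
    """Recursively yield dicts that look like whitelist entries."""
    if isinstance(node, dict):
        if "bundleID" in node and "path" in node:
            yield node
        else:
            for value in node.values():
                yield from find_app_entries(value)
    elif isinstance(node, list):
        for value in node:
            yield from find_app_entries(value)

def audit(plist_bytes):
    """Return (ok, problems) for every whitelist entry in the plist."""
    ok, problems = [], []
    for entry in find_app_entries(plistlib.loads(plist_bytes)):
        app_id = entry.get("appID")
        if not isinstance(app_id, bytes) or not app_id:
            problems.append((entry["bundleID"], "missing or empty appID"))
        elif not entry["path"].startswith("/"):
            problems.append((entry["bundleID"], "path is not absolute"))
        else:
            ok.append(entry["bundleID"])
    return ok, problems

# Constructed sample: one entry with an appID, one without.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
 <key>example.domain</key><dict>
  <key>whiteList</key><array>
   <dict>
    <key>appID</key><data>Y29uc3RydWN0ZWQ=</data>
    <key>bundleID</key><string>com.microsoft.Word</string>
    <key>displayName</key><string>Word</string>
    <key>path</key>
    <string>/Applications/Microsoft Office 2008/Microsoft Word.app</string>
   </dict>
   <dict>
    <key>bundleID</key><string>com.example.Editor</string>
    <key>path</key><string>/Applications/Editor.app</string>
   </dict>
  </array>
 </dict>
</dict></plist>"""

if __name__ == "__main__":
    good, bad = audit(SAMPLE)
    print("launchable:", good)
    print("will be blocked:", bad)
```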