-2

I'm a system administrator in a small company. I have a requirement to monitor some Macs. The requirement is that, if the HDD serial number doesn't match a predefined list, I have to prevent the Mac from rebooting the next time it is started. I know how to retrieve the HDD serial number and match it against my list. How do I prevent it from rebooting next time? It's OK if I have to remove system files for this.

Satyam
  • 109
  • 1
  • 1
    System administration questions belong over on Super User or Server Fault. Besides, this doesn't even make sense. If I bring in a Mac with an unauthorized hard drive, then you've never had the chance to install your security program on it. – Tim Hoolihan Jul 26 '11 at 04:03
  • 4
    Sounds like you just actually need a real NAC (Network Access Control) system. – EEAA Jul 26 '11 at 04:15

3 Answers

2

I'd be interested in learning the reasoning behind this. Like I said in my comment above, it sounds like you actually just need some sort of Network Access Control system. This type of system typically requires network clients to satisfy a certain set of criteria before being "admitted" to the network. If they don't satisfy the pre-configured criteria, they are usually dumped into a very limited or completely isolated "black hole" VLAN. Some examples of criteria are:

  • certain OS patch level
  • correct user credentials
  • up-to-date antivirus definition files
  • etc.

With some custom programming, you could probably include checks on the hard drive serial number as well.

It seems that there could be a lot of possible problems with the approach you're suggesting. What if an employee brings their personal laptop to work? How do you suppose you're going to prevent that from booting? What if your logic screws up or you forget to add a certain serial number to your access list? Then that computer gets nuked, needing OS recovery. In the end, you'll be relying on a binary on the end-user's workstation to query the serial number and send it back to your monitoring program. As such, that binary could be easily altered to provide inaccurate information or a "known good" serial number.

EEAA
  • 108,414
  • 18
  • 172
  • 242
1

My guess is what you want to do is to prevent (or sanction) the boot from external disks, which is much easier to do with a Mac than with a Windows PC.

I had a few clowns that did this to bypass some restrictions on their accounts, and I ended up password-protecting the firmware. See this article for how it's done. This prevents booting from external drives, but AFAIK it doesn't stop a really determined user from replacing the internal disks (which is only easy to prevent in the case of the Mac Pro, where you could use a padlock to keep the case shut).

Sven
  • 97,248
  • 13
  • 177
  • 225
0

You might be better off looking at the Profile Manager that you get in OS X Server. It might give you what you want using Apple's own system for this type of requirement.

Here are some links that you might find useful.

http://www.apple.com/au/macosx/server/features/

http://www.appleinsider.com/articles/11/02/28/inside_mac_os_x_10_7_lion_server_remote_lock_disk_wipe_and_administration.html

http://www.afp548.com/article.php?story=lion-pm-setup

enterzero
  • 453
  • 6
  • 15