
10.5: Prevent users from ejecting CDs with dscl System 10.5
Sometimes it may become necessary to restrict access to local resources to certain users on a given workstation. In the past, NetInfo was the easiest way of accomplishing that finite control. Now with 10.5, that tool is no longer available, but has been replaced with the ever-popular dscl.

Recently I acquired a 10.5 machine for my two kids, and it became necessary to lock their access to the CD-ROM (since they broke the one on the 10.3 machine). Using some of the information I've gathered in the past from this site, I managed to put together the necessary command line arguments to lock that access. Read on for my solution.

Here's what I did:
  1. Output the mcx_settings to a text file saved to the root directory:
    dscl . -read /Users/kids mcx_settings > /mcx_settings.txt
  2. Opened this text file and found the entry for com.apple.finder. Then, I entered the following info in the file under the mcx_preference_settings node:
         <key>ProhibitEject</key>
         <true/>
    Save and close the text file.
  3. Create a new text file and entered the following: Save the second file as /mcx_flags.txt.
  4. Run the following commands:
    $ mcx_set=`cat "$basepath"/mcx_settings.txt`
    $ mcx_flags=`cat "$basepath"/mcx_flags.txt`
    $ sudo dscl . -create /Users/kids "mcx_flags" "${mcx_flags}"
    $ sudo dscl . -create /Users/kids "mcx_settings" "${mcx_set}"
    Note: The top two commands use back quotes and not single quotes, which can trip you up depending on the font you're reading this in.
  5. Reboot.
Now the user "kids" cannot open the CD-ROM from the keyboard (or anywhere else, as far as I can tell). This combination of commands can also be used to automate user creation or control, and can be extended to limit access to a number of resources (more of which, such as ProhibitBurn, can be found in this older hint). All this trouble because NetInfo was removed from 10.5.

[robg adds: I haven't tested this one...]
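
Steps 1 and 2 of the hint (dump mcx_settings, add ProhibitEject under com.apple.finder) can be done and then verified without hand-editing the XML. The following is an added example, not part of the original hint: the function names are hypothetical, the sample dump is constructed, and the plist layout (mcx_application_data, then the domain, then a Forced array holding mcx_preference_settings) is an assumption about how MCX stores "always" settings.

```python
import plistlib

# Constructed sample of what step 1 might save: an attribute-name line
# followed by the MCX plist (layout assumed, not taken from the hint).
SAMPLE_DUMP = b"""mcx_settings:
 <?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
 <key>mcx_application_data</key>
 <dict>
  <key>com.apple.dock</key>
  <dict>
   <key>Forced</key>
   <array><dict>
    <key>mcx_preference_settings</key>
    <dict><key>autohide</key><false/></dict>
   </dict></array>
  </dict>
 </dict>
</dict></plist>
"""

def parse_dump(dump: bytes) -> dict:
    """Skip whatever dscl printed before the XML, then parse the plist."""
    start = dump.find(b"<?xml")
    if start < 0:
        raise ValueError("no plist found in dscl output")
    return plistlib.loads(dump[start:])

def forced_settings(mcx: dict, domain: str) -> dict:
    """Return (creating if needed) the always-enforced settings of a domain."""
    apps = mcx.setdefault("mcx_application_data", {})
    forced = apps.setdefault(domain, {}).setdefault("Forced", [])
    if not forced:
        forced.append({})
    return forced[0].setdefault("mcx_preference_settings", {})

def prohibit_eject(dump: bytes) -> bytes:
    """Return plist XML with ProhibitEject forced on for com.apple.finder."""
    mcx = parse_dump(dump)
    forced_settings(mcx, "com.apple.finder")["ProhibitEject"] = True
    return plistlib.dumps(mcx)

def is_eject_prohibited(plist_xml: bytes) -> bool:
    """Audit check: is ProhibitEject true in a Forced block for the Finder?"""
    apps = parse_dump(plist_xml).get("mcx_application_data", {})
    finder = apps.get("com.apple.finder", {})
    return any(b.get("mcx_preference_settings", {}).get("ProhibitEject") is True
               for b in finder.get("Forced", []))
```

The bytes returned by prohibit_eject() are what would be written to /mcx_settings.txt before step 4; running is_eject_prohibited() on a fresh dump afterwards confirms the setting survived the round trip.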

10.5: Prevent users from ejecting CDs with dscl
Authored by: lolopb on Jan 16, '08 07:55:11AM
I like simplicity and dscl allows one-liners, try this:

sudo dscl localhost -mcxset /Local/Default/Users/kids com.apple.finder ProhibitEject always -bool 1

It should work, and it's scriptable...

[ Reply to This | # ]

10.5: Prevent users from ejecting CDs with dscl
Authored by: deeproy on Jan 17, '08 03:48:33PM

I had tried this approach; it doesn't work alone. You still need to set simultaneous_login_enabled, so this command would only work once mcx_flags are set.



[ Reply to This | # ]
10.5: Prevent users from ejecting CDs with dscl
Authored by: lolopb on Jan 19, '08 01:26:54PM

Are you sure? I tested on my computer, it worked, kids account could not eject, even after many reboots and changing the optical media.

Have you really set the mcx to "always" as in my example?

I looked at what WorkGroup Manager and Parental Control set, they don't define the "has_mcx_enabled" and the settings apply anyway.



[ Reply to This | # ]
10.5: Prevent users from ejecting CDs with dscl
Authored by: mzso on Jan 16, '08 09:44:39AM
Recently I acquired a 10.5 machine for my two kids, and it became necessary to lock their access to the CD-ROM
I wonder how long is this going to hold? ;-) Kids always find a way to break through restrictions put in place by their parents. :-) They just have to Google a little bit and soon find out how to boot in single user mode from a boot CD. They could boot from a Mac OS X install disc and remove the restriction ... or boot from a Live CD (eg. Knoppix) and have a full featured desktop at their hands. I remember my younger years, when I had to work around similar restrictions (and not just on the PC) ... it was always a nice challenge ... for a day or two. ;-)

[ Reply to This | # ]
10.5: Prevent users from ejecting CDs with dscl
Authored by: lithoman on Jan 16, '08 11:16:39AM

You should use the parental controls to prevent CD/DVD burning, or all they have to do in iTunes is go to burn a playlist and the Mac will open the CD tray to insert a blank. They can then cancel and insert the disc they want. I am sure they have seen this behavior on someone else's machine. There are several ways to open the tray during boot-up, unfortunately.



[ Reply to This | # ]
What if your kids hold down the mouse button at startup?
Authored by: gabester on Jan 16, '08 11:26:52AM

Somehow I think this solution only works once the OS is up! It might be viable for a lab of computers with a scheduled startup and shutdown outside of the open access hours, when reboot is also disabled... but even that seems a stretch if someone physically unplugs the computer.



[ Reply to This | # ]
10.5: Prevent users from ejecting CDs with dscl
Authored by: markowen27 on Jan 16, '08 08:54:57PM

As of 10.5 you can actually install the server admin tools and use Workgroup Manager to manage the directory.
From here you can manage access to CD/DVDs and so much more.



[ Reply to This | # ]
10.5: Prevent users from ejecting CDs with dscl
Authored by: TheCrunge on Jan 17, '08 09:50:15AM

You could also use WGM in 10.4 to do this as well.



[ Reply to This | # ]
10.5: Prevent users from ejecting CDs with dscl
Authored by: deeproy on Jan 17, '08 03:50:20PM

IF you have OS X server available.

This is also doable through NetInfo if you happen to have 10.4.



[ Reply to This | # ]
10.5: Prevent users from ejecting CDs with dscl
Authored by: lolopb on Jan 19, '08 01:32:45PM

No, you don't need Mac OS X Server to use WorkGroup Manager. Just download (it's free) and install the Server Admin tools. Then launch /Applications/Server/Workgroup Manager.app, when you're prompted to connect to a server hit command-D and voila, you're on the local Directory Service. You'll need to authenticate and you'll then be able to set MCX with the Preferences pane.



[ Reply to This | # ]
10.5: Prevent users from ejecting CDs with dscl
Authored by: mkutny on Jan 17, '08 06:05:49PM