Security and Privacy

• Removed access to the "Security and Privacy" System Preferences pane.
  • FileVault Settings
  • Firewall Settings
  • Privacy and Location tracking settings
  • Apple Gatekeeper settings
• Enforce ask for password immediately after screensaver or sleep.

• Enforce screensaver enabled after 15 minutes of inactivity.

Users and Groups

• Unable to set add or remove users.
• Unable to remove Active Directory Binding.
• Unable to change login screen settings.

• Unable to change user login items.

Sharing

• Removed access to the "Sharing" System Preference pane.
  • Unable to change SSL, Remote Management, and Screen Sharing settings, etc.

• • Unable to change computer name.

Parental Controls and Profiles

• Removed access to the "Parental Controls" System Preference pane.
  • Unable to create child user and enforce policies.
• Removed access to the "Profiles" System Preference pane. 
  • Unable to add or remove configuration profiles, including the Biola profile, which enforces all these restrictions.

Startup Disk

• Removed access to the "Startup Disk" System Preference pane.
  • Unable to boot to flash drive, network drive, or target disk mode. 
• Enabled EFI Firmware password
  • Requires password to boot using keyboard commands, such as "Option Boot."

Login Window

• Users are required to enter username and password to login to the computer - automatic login disabled. 
• Biola University contact information added to the login screen.

Disk Encryption

• FileVault 2 Disk Encryption is enabled on the boot drive of the computer.
  
  • On computer restart, users will be presented with the FileVault 2 login screen. 
  • Only "enabled" users will be allowed to login to the computer.
    • Active Directory groups are not supported by FileVault 2. 
• Password changes
  • When a user changes their NetID password (via login.biola.edu, for example), the password is scripted to sync with the computer, so on next boot the will enter their new password. 
    • Users will have to update their keychain password after login by entering their old password. 
  • If a user can't login using their new password, the user should login with the old password while connected via ethernet cable. This will get the user past the FileVault 2 screen, but not the OS login screen. The user will then need to login using the new password at the OS login screen. This will then force a sync. 
• Helpdesk Support
  • When a user needs help from the Helpdesk, a Helpdesk technician will first need to enable the IT Helpdesk user account to get past the FileVault 2 login screen.

BitLocker Disk Encryption

• BitLocker Disk Encryption is enabled on the boot drive of the computer.
  • The user experience will be seamless as BitLocker directly integrates with Active Directory.
  • Any user that is "allowed" to log-in to the computer can "unlock" the computer.
  • Password change procedure has not changed.
• Helpdesk Support
  • Helpdesk technicians will continue to use their admin_NetID accounts to service computers.

BIOS Restrictions

• Bios Admin password has been set. (Never to be given to the end user)
• Users will only be able to boot to the local HDD/SSD. 
  • PXE and Alternative media boot will need the BIOS Admin password.

Screen Saver and Lock Screen

• Screen Saver is enabled by default.
• Mystify screen saver has been set and can not be changed.
• The screen saver has been set to start after 15 minutes of inactivity and can not be changed.
• On screen saver exit (computer resume) the computer will display the logon screen.  This can not be changed.