Summer 2015 - Computer Configuration Changes

Security and Privacy

• Removed access to the Security and Privacy System Preferences pane.
  • FileVault Settings
  • Firewall Settings
  • Privacy and Location tracking settings
  • Apple Gatekeeper settings
• Require a password immediately after screensaver or sleep.
• Enforce screensaver enabled after 15 minutes of inactivity.

Users and Groups

• Removed access to the Users and Groups System Preference pane.
• • Unable to add or remove users.
  • Unable to remove Active Directory Binding.
  • Unable to change login screen settings.
  • Unable to change user login items.

Sharing

• Removed access to the Sharing System Preference pane.
  • Unable to change SSL, Remote Management, and Screen Sharing settings, etc.
  • Unable to change computer name.

Parental Controls and Profiles

• Removed access to the Parental Controls System Preference pane.
  • Unable to create child user and enforce policies.
• Removed access to the Profiles System Preference pane. 
  • Unable to add or remove configuration profiles, including the Biola profile, which enforces all these restrictions.

Startup Disk

• Removed access to the Startup Disk System Preference pane.
  • Unable to boot to flash drive, network drive, or target disk mode. 
• Enabled EFI Firmware password
  • Requires password to boot using keyboard commands, such as Option-booting.

Login Window

• Users are required to enter a username and password to log in to the computer - automatic login disabled. 
• Biola University contact information added to the login screen.

Disk Encryption

• FileVault 2 Disk Encryption is enabled on the boot drive of the computer.
  
  • On computer restart, users will be presented with the FileVault 2 login screen. 
  • Only "enabled" users will be allowed to log in to the computer.
    • Active Directory groups are not supported by FileVault 2. 
• Password changes
  • When a user changes their NetID password (via login.biola.edu, for example), the password is scripted to sync with the computer, so on next boot the will enter their new password. 
    • Users will have to update their keychain password after login by entering their old password. 
  • If a user can't log in using their new password, the user should log in with the old password while connected via Ethernet cable. This will get the user past the FileVault 2 screen, but not the OS login screen. The user will then need to log in using the new password at the OS login screen. This will then force a sync. 
• Helpdesk Support
  • When a user needs help from the Helpdesk, a Helpdesk technician will first need to enable the IT Helpdesk user account to get past the FileVault 2 login screen.

BitLocker Disk Encryption

• BitLocker Disk Encryption is enabled on the boot drive of the computer.
  • The user experience will be seamless as BitLocker directly integrates with Active Directory.
  • Any user that is "allowed" to log-in to the computer can "unlock" the computer.
  • Password change procedure has not changed.
• Helpdesk Support
  • Helpdesk technicians will continue to use their admin_NetID accounts to service computers.

BIOS Restrictions

• Bios Admin password has been set. (Never to be given to the end user)
• Users will only be able to boot to the local HDD/SSD. 
  • PXE and Alternative media boot will need the BIOS Admin password.

Screen Saver and Lock Screen

• Screen Saver is enabled by default.
• Mystify screen saver has been set and can not be changed.
• The screen saver has been set to start after 15 minutes of inactivity and can not be changed.
• On screen saver exit (computer resume) the computer will display the login screen.  This can not be changed.