Technology at Geneseo Community School District 228
Facebook
18 Jun
At Geneseo CUSD 228 we have many iMac labs and Macbook Pro mobile labs.  After watching teachers and students use these labs I believe the optimum setup is to have the machine run as a kiosk which is always logged in ready to go.  This way if a student needs to quickly check grades, look up a book, take an online assessment, do research there is practically zero downtime as the machine is always logged in and ready.  This setup replicates what I see in many University computer labs such as Western Illinois University, University of Missouri, ect.  Students who need to work on a project or save a document will be instructed and moved in the direction of saving to cloud storage (or USB flash drive) learning the necessary skill set of how to save and retrieve information independent of location or platform.  This setup minimizes downtime as a user login is not required and minimizes downtime from user error as machine is restored to default setup on reboot.
How to create a Mac Kiosk without any 3rd party software like DeepFreeze
First I created a perfect image machine and setup an account called student which auto logs in and has the Dock, background, Apps all configured just right.
Next Logout and login as an Adminstrator account and enable the root account.  Here are instructions from Apple on how to enable the root account if you are unsure.  http://support.apple.com/kb/ht1528.
Now with the root account enabled logout of the admin account and login to Mac as the root account.
Once logged in navigate finder to the /Users/ directory.  Here find our perfect /Users/student account and copy this folder to the desktop.  On the desktop rename the student folder as studentperfect.  Now copy this back to the /Users folder so that you have both a /Users/student
and a /Users/studentperfect.
Now I created a script that will delete recursively the /Users/student account, then will copy the /Users/studentperfect folders back to the /Users/student.  Finally the script will set the permissions on the newly copied /Users/student so that it  can be used.  In essence you are simply copying from an undisturbed perfect image of kiosk account and replacing the student account.
My Simple Script.
I saved the script as /.cleanstudent
Now open terminal and add the execute permission to the script.
chmod +x /.cleanstudent
(Note: I saved the script as .cleanstudent instead of cleanstudent simply so it is somewhat hidden and does not appear in Finder.  This is not necessary and if you want could save the script in /usr/bin)
Now with the script ready we just need to setup a Login Hook so that this script runs every time the machine gets logged in.
Activating a Login Script
Open terminal and type sudo defaults write com.apple.loginwindow LoginHook /.cleanstudent
That is it.  Now when the machine is restarted as it auto-logs in as the standard Kiosk account student,  the machine will first delete all the contents of this account, then copy back a blank perfect image from studentclean directory and thus you will have a perfect blank kiosk everytime the machine reboots.  (Can find out more on Login and Logout hooks here. http://seeskill.wordpress.com/2012/02/23/mac-os-x-login-and-logout-scripts-demystified/)
This keeps the machine running clean, minimum maintenance, and replicates the functions of many third party software like DeepFreeze but at the wonderful price of free.
With the perfect Kiosk machine made, tested and working I then use DeployStudio and Netboot to mass deploy this to all buildings and Labs.  DeployStudio is free and I highly recommend, easiest way to mass deploy machine images for both PC and Mac quickly and efficiently.
7 Responses for "Create a Mac Kiosk without using DeepFreeze"
Not sure how old this is but it came up in google top ten. For current users(2014 now) OS X’s sandboxed guest accounts completely remove the need for any of this.
Hi ,
i’m trying to implement this solution for a 9 machines lab in a university in brasil… i just did not realyze how to force users to be alowed to only save files in an usb disk or a network folder, could you help me with that ?
really apreciate the article,
thanks,
Leonardo
bianchileos@gmail.com
Not really the sandboxed guest account does not allow the same level of customization. You can customize the guest account using server admin tools and jumping through a few hoops but I found that with specific registered applications and specific preferences was easier to use my method then admin tools method. Also many apps create extensive folders and files on startup, think office 2010, using a guest account each time the machine starts it creates a Microsoft user profile, generates a font list, creates a template and cached setting for the user. This is very slow if using a sandboxed guest account and happens on each login.
This is exactly what I have been seeking. However, I am a Mac newbie. How do I create scripts in OS X that can be called?
thank you in advance.
Joseph
I am using OSX mavericks. If I run the script as root, my copied “student” is owned by root, and I have to add “chown student:admin student” to the script. In addition, Mavericks introduces a keychain issue that can be solved by removing “everyone deny delete” attributes recursively from the backup “cleanstudent” user profile directories.
I wrote an application called eCrisper that does just that – it has been very popular with universities.
The problem is if you delete a shortcut that I put on the bar, it doesn’t come back when you run the script. Is there a way to do this?
Leave a reply