Process for Configuring & Managing Macs for Exams

Working for a school, historically we’ve had students with computer accommodations conduct written portions of exams on Windows laptops.  This is because by default Microsoft’s built-in Notepad application does not offer any spelling or grammar features and therefore requires very little configuration or hands-on time in order to be exam-ready.

Recently however, I ran into some issues with a student taking a language exam on a PC as this required the student to use accented letters (é, ñ, etc.) using the Windows alt codes.  Unfortunately, because the exam was taken on a laptop we had difficulties using the Windows alt codes on PCs without a NumPad requiring us then to use the character map, which isn’t great for test-taking.

characterMap2.png

Since accented letters are a bit easier to enter on Mac – and don’t require you to memorize or reference a series of alt codes – I started down the path of how to configure our Macs for taking either written or auditory exams.

Below are the list of things I wanted to accomplish:

  • Setup a separate testing user
    • Since our students have network folders, we don’t want them signing in with their own credentials on the machine and accessing these resources.
  • Disable Internet connectivity
    • Since most exams involving a computer don’t require an Internet connection, we want to disable the network service entirely so there isn’t a risk of Wi-Fi being turned back on.  That being said, I also want to do this in a way that for me and my team is quick and easy to both turn on & off as needed without having to connect to our network.
  • Determine the application for written exams & lock it down
    • While Microsoft Word is the more widely used word processor on the Mac, many of its settings (at least as of this writing) are not manageable.  Microsoft Office 2016 versions 15.33-36 have started to add additional managed preferences (see this Google Doc for a complete list), but as of yet don’t meet our needs here.  TextEdit then is the logical choice, but offers spelling and grammar checking, which we need to disable.
  • Have audio output to multiple sources for auditory exams
    • In the case of language exams, we need to be able to have both the student and the proctor hear the same audio.  Thankfully, the Mac natively allows you to output audio to multiple sources, but takes a bit of configuration.
  • Prevent access to Spotlight
    • While a really handy tool for finding files, performing calculations, and defining words, we don’t want students to utilize this functionality during exams.  So how do we lock down something embedded in macOS that can’t really be turned off?

Click below for more details.

Setting Up a Separate Testing User

This could either be a network account or a standalone local user.  I opt for the standalone local user because it’s easy enough to create to do manually or through an MDM.  We use jamf.

For creating local users, I personally like to create a policy that my team can run either through Self Service or through Terminal using a Custom Trigger.

If you’ve never used a Custom Trigger to run a policy before, you can do so by checking the “Custom” checkbox under your policy triggers and entering a string of text.  You can then call this policy by running:

sudo jamf policy -event <nameofyourpolicytrigger>

or

sudo jamf policy -trigger <nameofyourpolicytrigger>

I work in an AD environment, so I also make the policy available through Self Service to set limitations on who can run the policy based on AD security group.  This ensures only me and my colleagues can run the policy and on any of our managed machines.

Screen Shot 2017-07-16 at 1.04.49 PM

Testing User Policy Template

  • Local Accounts Payload: Create non-admin user
  • Trigger: Custom
  • Execution Frequency: Ongoing
  • Scope:
    • Targets – All Computers
    • Limitations – specified AD security groups or JSS user groups

Screen Shot 2017-07-16 at 1.00.06 PM.png

Disabling & Enabling Network Services

One of the very first bash scripts I wrote when we setup our jamf server was to disable the Wi-Fi network service on our Mac Desktops.  I made this a Self Service policy and limited it to being run by our Helpdesk and AD Domain Admins.

However, reenabling the Wi-Fi network service in the same way required the computer to be physically connected to our network in order to be enabled (that is unless you know the networksetup command to reenable it manually).

I have subsequently built on that script and have installed it locally on our machines.  Regardless of whether the script is run on a laptop or desktop it correctly identifies the Wi-Fi device id and disables it.  As a security measure, the script can only be run by the root user from the command line, otherwise the script exits.

Solution – Scripts

You can find the script on my Github.

Locking Down TextEdit for Written Exams

Solution – Configuration Profile

It turns out that all of the preferences in TextEdit can be set and locked with a configuration profile.  Below are the default TextEdit preferences.

Screenshot 2017-05-11 21.55.41.png

For whatever reason, the com.apple.TextEdit PLIST doesn’t live in ~/Library/Preferences.  You’ll find it in /Users/USER/Library/Containers/com.apple.TextEdit/Data/Library/Preferences/com.apple.TextEdit.plist

  1. Change your preferences in TextEdit to the desired settings and quit the app
  2. Make a copy of the com.apple.TextEdit.plist from the location above
  3. Open the copied PLIST in your text editor of choice (I opt for BBEdit)
  4. Remove everything except the applicable key/values
  5. Save the PLIST
  6. Convert the PLIST from binary to xml for upload to the JSS – plutil -convert xml1 /path/to/com.apple.TextEdit.plist
  7. Upload the PLIST to a configuration profile as a Custom Settings payload.  The profile can be computer or user-level.

You can download a copy of the final PLIST from my Github.

Configure Multiple Audio Outputs on Mac

Solution – Create Multi-Output Device in Audio MIDI Setup

  1. Open the Audio MIDI Setup app (/Applications/Utilities/Audio MIDI Setup.app).
  2. Click the + plus button located in the bottom left corner of the window and select Create Multi-Output Device.
  3. Select the newly created Multi-Output Device from the list in the sidebar and select the checkbox adjacent to your additional output device(s).  The Built-in Output and and any other desired output device(s) checkboxes under the “Use” column must be checked.
  4. Right-click the Multi-Output Device and select Use this device for sound output.
  5. Verify that played audio now comes through your desired sources.

Locking Down Spotlight

Solution – Configuration Profile

Because there is no “off” switch for Spotlight, the only effective way to disable it is to disable each of the various search result categories.  This way if Spotlight is invoked no results will appear.

Don’t bother manually deselecting each checkbox or locking down the Spotlight System Preferences pane.  Create a profile!

Screenshot 2017-05-11 21.35.30.png

  1. Make a copy of the ~/Library/Preferences/com.apple.Spotlight.plist to work from.
  2. Open the copied PLIST in your text editor of choice.
  3. Remove everything except the orderedItems array.
  4. Switch the boolean value for each enabled key from <true/>to <false/>.
  5. If you don’t have Xcode installed on your machine, the option won’t be present to disable the Developer category from Spotlight.  See the very bottom of the PLIST below for SOURCE.  This is the name for the Developer category .
  6. Save the PLIST
  7. Convert the PLIST from binary to xml for upload to the JSS – plutil -convert xml1 /path/to/com.apple.Spotlight.plist
  8. Upload the PLIST to a configuration profile as a Custom Settings payload.  The profile can be computer or user-level.

You can download a copy of the final PLIST from Github.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s