Authentication Services provides Group Policy extensions that mirror the functionality available in Apple Workgroup Manager console. Workgroup Manager Settings are located in the Mac OS X Settings folder (or in the Policies folder, if you are using the new Group Policy Management Editor.)
For additional information about any of the topics covered in this section, refer to Chapter 10: Managing Preferences in the Mac OS X Server User Management manual available from Apple. Apple's User Management guide is written for Workgroup Manager, but most of the settings and information also apply to Group Policy for Mac OS X.
To open the properties of the various settings described in this section
The Applications Properties settings allow you to control access to specific applications and paths to applications using digital signatures. The Applications, Widgets, and Front Row tabs apply only to users of Mac OS X 10.5 or later. The Legacy tab applies only to users of Mac OS X 10.4.
You can apply Application Properties settings under both Computer Configuration and User Configuration.
The Application tab settings control which applications are allowed to execute on Mac OS X and support the following management modes: Never, Always. The Applications settings apply only to Mac OS X 10.5 and later.
Application restrictions are controlled by means of folder paths. Group Policy does not currently support application management using digital signatures, therefore to allow or prevent users from launching an application, add the application or the path to the application to one of two lists:
Add folders containing applications that you want to prevent users from opening. All applications in sub-folders of disallowed applications are also disallowed.
Add folders containing applications that you want users to launch. If an application or path to the application appears in both the disallow and the allow lists, then the disallow list takes precedence and the user is not allowed to launch the application.
If an application does not appear in either of these lists, the user can not launch the application.
Click Add to open the New Application Item dialog. You can type the absolute Unix path or you can click Remote Browse to log into a remote Mac OS X machine (by means of SSH) and browse for the target folder. It displays recently specified paths. To reuse a recently specified path, double-click the item in the list.
Note: Both disallow and allow paths support the %HOME% macro-expansion to the user's Unix home directory. For example, to restrict a user from running applications in their home directory, specify %HOME%. This macros is only supported by user policies; machine policies do not support this macro type.
Front Row is media center software for Mac OS X. Front Row tab settings allow you to control whether or not Front Row is allowed to execute and supports the following management modes: Never, Always.
Select Allow Front Row, to allow Front Row to execute on Mac OS X.