Applies to: All versions of Centrify DirectControl for Mac OS X 10.6 and above.
In the "Finder Settings" group policies, there is no option to disable the "Shared" section of the Finder sidebar to prevent users from browsing the network.
(Disabling all the items under "Shared" would remove the whole section from the sidebar.)
Is there any way to force this setting and/or to restrict network browsing on Mac systems via group policy?
Unfortunately there is no way to disable network browsing altogether - this is a restriction of OS X.
However there are several steps that can be performed to take those options off of the default view for AD Mac users:
Enforce security permissions on all network shares on the domain.
This will not hide the computers themselves from the Mac network browser, but it will stop users from browsing into the computers and is also good general practice for network environments.
Disable the "Connect to Server" option with the group policy:
User Config / Centrify Settings / Mac OS X Settings / Finder Settings / "Configure Finder commands"
Enable this GP and then deselect the "Connect to Server" checkbox.
This will take that option out of the Finder > Go menu.
Use the following script to disable the Shared Finder sidebar items by default.
Note that this does NOT prevent users from going into the Finder Preferences themselves and re-enabling the items manually. However, because the script runs at every login, the view is always reset to hidden at the start of each login session.
The Finder > Sidebar preferences can be toggled via the following Terminal commands in sequence:
defaults delete com.apple.sidebarlists networkbrowser
defaults write com.apple.sidebarlists networkbrowser -dict-add Controller -string "CustomListItems"
defaults write com.apple.sidebarlists networkbrowser -dict-add CustomListItems "<array/>"
(The following command has been split and indented for clarity, but should actually be run as a single line in the Terminal)
defaults write com.apple.sidebarlists networkbrowser -dict-add CustomListProperties
defaults write com.apple.sidebarlists systemitems -dict-add ShowServers -bool NO
defaults write com.apple.sidebarlists favorites -dict-add ShowServers -bool NO
defaults write com.apple.finder SidebarSharedSectionDisclosedState -bool NO
The above commands can be placed in a login script and pushed out via Group Policy.
To achieve this, please use the following steps:
Create a login script containing the commands above (or just use the one attached at the end of this KB).
Save the script to the following folder on the AD server:
Set up the Login Script GP at:
User Configuration / Centrify Settings / Mac OS X Settings / Scripts / "Specify multiple login scripts"
- Enter the filename of the script only: disable_shared_sidebarlists.sh
- The "Parameters" field can be left blank.
Note: Do NOT use the "Specify login script" GP for this script as it needs to be run within the user context.
To allow the GP to take effect immediately, go to the Mac as the AD user, open up Terminal and run the command:
The setting will take effect the next time the user logs out and logs back in.
The first time an AD user logs onto a Mac with this script, the com.apple.sidebarlists.plist will still be freshly made, and so the "Shared" section in Finder will still be visible, but it will be in the collapsed position so the computers will still be hidden.
Subsequent logins of the AD user into the Mac will hide the "Shared" section completely, as the plist can now be fully configured at login time.
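Because users can re-enable the items and the first login only collapses the section, a read-only check of the keys set above shows whether a session currently holds the hidden values. This is an added example, not the script attached to this KB: the function names and the file name audit_shared_sidebar.sh are hypothetical, and it assumes "defaults read" prints booleans as 0 or 1.

```sh
#!/bin/sh
# Added example (not Centrify's attached script): report whether the Finder
# sidebar keys written by the KB's login script still hold the hidden values.
# Run it as the logged-in AD user, since the keys live in that user's plists.

# Print the ShowServers flag (0 or 1) from a com.apple.sidebarlists section,
# or "unset" when the section or key is missing (e.g. a freshly made plist).
show_servers() {
    out=$(defaults read com.apple.sidebarlists "$1" 2>/dev/null) || { echo unset; return; }
    val=$(printf '%s\n' "$out" | sed -n 's/^ *ShowServers = \([01]\);.*/\1/p' | head -n 1)
    echo "${val:-unset}"
}

# Print the state of the "Shared" section (0 = collapsed), or "unset".
shared_disclosed() {
    defaults read com.apple.finder SidebarSharedSectionDisclosedState 2>/dev/null || echo unset
}

# List each key that differs from the KB's values; return the number found.
audit_shared_sidebar() {
    drift=0
    for section in systemitems favorites; do
        v=$(show_servers "$section")
        if [ "$v" != 0 ]; then
            echo "DRIFT sidebarlists/$section ShowServers=$v"
            drift=$((drift + 1))
        fi
    done
    v=$(shared_disclosed)
    if [ "$v" != 0 ]; then
        echo "DRIFT finder SidebarSharedSectionDisclosedState=$v"
        drift=$((drift + 1))
    fi
    return "$drift"
}

# Run the audit only when asked: sh audit_shared_sidebar.sh --run
if [ "${1:-}" = "--run" ]; then
    audit_shared_sidebar && echo "Shared sidebar items are hidden"
fi
```

A missing key is reported as drift on purpose, which matches the first-login case described above where the plist has only just been created.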