Is there a way to force users to accept an AUP the first time they log into an OSX computer? We want to keep them from doing anything until they accept and if they don't they will be logged out.
Is there a way to force users to accept an AUP the first time they log into an OSX computer? We want to keep them from doing anything until they accept and if they don't they will be logged out.
The quickest thing I can think of is having an AppleScript with the AUP run at login and have two options. Accept will close the window, remove it from login items, and not show up again. Decline will log the user out.
Probably not the best option(especially if the user is able to force quit the script or switch to another window, though the latter might be handled by setting the script, if possible, to grab focus, and not allow anything else) but it is quick and easy to implement.
I'd probably look into setting them up as an account "Managed with Parental Controls", then forcing them to run the AUP agreement, and have it run an suid program (or otherwise flags the account for some other root process to deal with) that'd set their user back to a regular user.
Apple has some info on ways to add 'LoginHooks' in Customizing Login and Logout, but recommends against it.
What we do here is have a message that use of the system requires them to comply with local policies and grants us authorization to monitor them (so no expectation of privacy, therefore the wiretap laws don't apply), and we set it as
LoginwindowText
in/Library/Preferences/com.apple.loginwindow.plist
.