So the OS is the Finder, then?

If you make the criteria sufficiently small I guess you can say that, but, really, the Finder is a very, very small part of the OS as a whole. Certainly nothing that can substantiate the claim about changes between Vista and Windows 7 being greater than the changes between 10.0 and 10.5. There are _huge_ changes in the latter.

JAMF sends an inventory report from a computer to the JAMF software server. It contains a list of the current hardware and software inventory, and the current software settings. It will show a diff. If there's no report for a specific MAC address, that will show up as well.

Seriously, I don't feel the chances of a student spoofing a MAC address and writing their own "hacked" JAMF binary application so they can subvert this to be sufficiently realistic. They are not hacking the Kremlin; they're trying to get around usage restrictions.

JAMF will know if it's not reporting in, because the system is booted from CD or DVD.

Look, if the students have physical access to the machines (and they do), it is virtually IMPOSSIBLE to stop them from hacking the system and circumventing it. The thing is, the monitoring software can notice this, and something can be done about it.

Because let's be frank: It's also virtually IMPOSSIBLE to keep the students from taking a book and throwing it at the teacher.

But both can have corrective actions. The punishment may be different (say, taking away the computer for a week versus a 2-day suspension), but still, you can address both cases. This isn't a game of trying to make it impossible to hack the system. Just to know when it's been done, and JAMF (and other monitoring software) can easily do that. The fact that you haven't gotten a daily report in 4 days is evidence enough ;-)

::blink::

It's not that hard to run management software which checks these things and resets them on a daily (or hourly) basis. e.g. http://www.jamfsoftware.com/

Can a student (who doesn't have an admin account on the box) get an admin account by booting off an external DVD and resetting the password, and then remove the software? Why yes. Yes they can. Will the administrator notice within a day that it's no longer running the admin software and thus not reporting in? Why yes, yes they will. What then? Well, the same thing as if they'd gone to your care with a baseball bat... a little visit to the principal's office.

No, you don't need to lock down the machine like it's Fort Knox. Set sensible policies, and then verify them regularly and punish non-compliance accordingly. It's really not that difficult, there are regulations and precedents to help in an edu setting, and there are millions of Macs being used for just this purpose. TPM, access keys, trusted computing... LOL.

There's a big difference between 6-12 grade education and college. College, you can do what you want, and if you flunk out... that's your problem. In K-12 education, if the kid flunks out, it's the STATE'S problem. And maybe also the schools, because if a kid flunks out because they're dicking around on a computer all day and there was no management on the machines to PREVENT them from doing so, you can bet there's going to be a lawsuit.

It's all about protecting your asses, because any trouble that kids get into that the schools don't prevent... isn't presumed to be the fault of the kids _or_ the kids' parents.

And it's just not possible for the teachers to have their eyes on all 30 students in a class at all times, to ensure nobody's doing what they're not supposed to.

Well, scratch that. With Apple Remote Desktop you can actually watch the screens of all the machines remotely at the same time... of course the icons would be pretty small unless you had a 30" display and that's not so cheap.

That's ridiculous. They are educational tools, they're not for collecting and surfing porn. Not to mention, in many cases, schools can be exposed to criminal liability if students do some classes of things. Some degree of control is necessary to limit this liability.

Also, if you just give the kids the computers, they'll fart around on them all day long and pay NO attention to the classes. It's often necessary to use something like Apple Remote Desktop to lock the students' screens so they'll actually pay attention during class.

I'm not convinced that a laptop per child improves the overall learning experience. But certainly if it does, it has to be managed to some extent.

Seriously, Apple has these 1:1 things going on in hundreds or thousands of school districts. They have been well publicized. There are resources at Apple who have helped others in your exact situation... and know the tools you can use to lock things down (Managed Preferences or MCX), use proxy servers or other site filtering applications to deal with this, etc.

There are varying degrees of "lockdown" you can put on the machines, depending on where your priorities lie -- liabilities (legally) versus freedom. And the Apple SEs in the education group have seen it before, tens if not hundreds of times.

Really I think that would be a better route to go than asking here on /. Where locking down machines isn't looked upon kindly, but random Linux machines in the classroom with no management is just _not_ productive.

This assumes, of course, that he didn't sign something in the first place. After signing an agreement/employment contract and later writing all the code, is NOT the time to "negotiate" this.