Chapter 20
In This Chapter
Enjoying the advantages of a multiuser iMac
Understanding access levels
Adding, editing, and deleting user accounts
Restricting access for managed accounts
Configuring your login window
Sharing files with other users
Securing your stuff with FileVault
Everybody wants a piece. (Of your iMac, that is.)
Perhaps you live in a busy household with kids, significant others, grandparents, and a wide selection of friends — all of them clamoring for a chance to spend time on the Internet, take care of homework, or enjoy a good game.
On the other hand, your iMac might occupy a classroom or a break room at your office — someplace public, yet everyone wants his own Private iDaho on the iMac, complete with a reserved spot on the hard drive and his own hand-picked attractive Desktop background.
Before you throw your hands up in the air in defeat, read this chapter and take heart! Here you find all the step-by-step procedures, explanations, and tips to help you build a safe multiuser iMac that’s accessible to all.
(Oh, and you still get to use it, too. That’s not being selfish.)
Okay, so you don’t have Cinderella, Snow White, or that porridge-loving kid with the trespassing problem. Instead, you have your brother, Bob.
Every time Bob visits your place, it seems he needs to do “something” on the Internet, or he needs a moment with your iMac to bang out a quick message, using his web-based e-mail application. Unfortunately, Bob’s forays onto your iMac always result in stuff getting changed, like your Desktop settings, Contacts database, and Safari bookmarks.
What you need, good reader, is a visit from the Account Fairy. Your problem is that you have but a single user account on your system, and Mavericks thinks that Bob is you. By turning your iMac into a multiuser system and giving Bob his own account, though, Mavericks can tell the difference between the two of you — keeping your druthers separate!
With a unique user account, Mavericks can track all sorts of things for Bob, leaving your computing environment blissfully pristine. A user account keeps track of stuff such as
Plus, Bob gets his own reserved Home folder on your iMac’s hard drive, so he’ll quit complaining about how he can’t find his files. Oh, and did I mention how user accounts keep others from accessing your stuff? And how you can lock Bob out of where-he-should-not-be, such as certain applications, Messages, Mail, and websites (including that offshore Internet-casino site that he’s hooked on)?
Naturally, this is only the tip of the iceberg. User accounts affect just about everything you can do in Mavericks and on your iMac. The moral of my little tale? A Mark’s Maxim to the rescue:
Get one thing straight right off the bat: You are the administrator of your iMac. In network-speak, an administrator (or admin for short) is the one with the power to Do Unto Others — creating new accounts, deciding who gets access to what, and generally running the multiuser show. In other words, think of yourself as the Monarch of OS X (the ruler, not the butterfly).
In this section, I explain the typical duties of a first-class iMac administrator.
The three most common levels of individual user accounts offered by Mavericks are
Another Mark’s Maxim is in order:
Standard accounts are quick and easy to set up, and I think they provide the perfect compromise between access and security. You’ll find that standard access allows your users to do just about anything they need to do, with a minimum of hassle.
Managed accounts (with Parental Controls) are highly configurable, so you can make sure that your kids don’t end up trashing the hard drive, sending junk mail, or engaging in unmonitored chatting. (Note: Parents, teachers, and those folks designing a single public access account for a library or organization — this means you.)
All right, Mark, enough pregame jabbering — show this good reader how to set up new accounts! Your iMac already has one admin-level account set up for you (created during the initial Mavericks setup process), and you need to be logged in with that account to add a user. To add a new account, follow these steps:
If your New User button is grayed out, your Users & Groups pane is locked. Remember that you can toggle the padlock icon at the lower-left corner of most of the panes in System Preferences to lock or allow changes. To gain access, do the following:
Now you can click the New User button.
Choose Administrator, Standard, or Managed with Parental Controls.
You should have only one or two administrator-level users, and your account is already an admin account.
Mavericks displays this name on the Login screen, so behave! (For example, “Bob” has only one “o” the last time I checked.)
Generally, I recommend using a password of at least six characters, using a mixture of alphabetic and numeric characters.
Run out of password ideas? No problem! Click the key button (to the right of the Password text box) to display the Password Assistant, from which Mavericks can automatically generate password suggestions of the length you specify. Click the Suggestion pop-up menu or type directly into the field, and Mavericks automatically adds the password you generated into the Password field.
From a security standpoint, password hints are taboo. (Personally, I never use ’em. If someone is having a problem logging in to a computer I administer, you better believe I want to know why.) Therefore, despite the recommendation Mavericks shows here, I strongly recommend that you skip this field. But if you do offer a hint, keep it vague! Avoid hints like “Your password is the name of the Wookiee in Star Wars.” Geez.
The new account shows up in the list at the left of the Users & Groups pane.
Each user’s Home folder has the same default subfolders, including Movies, Music, Pictures, Sites, and such. A user can create new subfolders within his Home folder at any time.
Here’s one more neat fact about a user’s Home folder: No matter what the account level, most of the contents of a Home folder can’t be viewed by other users. (Yes, that includes admin-level users. This way, everyone using your iMac gets her own little area of privacy.) Within the Home folder, only the Sites and Public folders can be accessed by other users from within a Finder window — and only in a limited fashion. More on the Sites and Public folders later in this chapter.
Next, consider the basic modifications that you can make to a user account, such as changing existing information or selecting a new picture to represent that user’s unique personality.
To edit an existing account, log in with your admin account, display the System Preferences window, and click Users & Groups to display the account list. Then follow these steps:
Don’t forget to unlock the Users & Groups pane if necessary. See the earlier section “Adding users” to read how.
For example, you can reset the user’s password, or (if absolutely necessary) upgrade the account to admin level.
An easy way to get an image is to use one from your hard drive by simply dragging a new image from a Finder window into the Picture well. Click iCloud to choose an image from your Photo Stream, or click Faces to pick one of the faces that you’ve tagged within iPhoto. Alternatively, you can click Camera and then click the Snapshot button — which bears a tiny camera — to grab a picture from your iMac’s FaceTime HD video camera. After you capture the essence of your subject as a photo, click Done to return to the Users & Groups pane.
Using the default login settings, Mavericks displays this image in the Login list next to the account name.
You don’t need to save your changes (as a separate step) within System Preferences. Mavericks does that automatically when you close the System Preferences window.
Not all user accounts last forever. Students graduate, co-workers quit, kids move out of the house (at last!), and Bob might even find a significant other who has a faster cable modem. We can only hope.
Anyway, no matter what the reason, you can delete a user account at any time. Log in with your admin account, display the Users & Groups pane in System Preferences, and then follow these steps to eradicate an account:
Mavericks displays a confirmation sheet, as shown in Figure 20-4. By default, the contents of the user’s Home folder are saved in a disk image file — which you can restore with Disk Utility — in the Deleted Users folder. This safety option is a good idea if the user might return in the future, allowing you to retrieve her old stuff. However, this option is available only if you have enough space on your hard drive to create the Home folder image file. You can also choose to leave the user’s Home folder as-is (but naturally you won’t regain any space, even though the user account is deleted).
Mavericks wipes everything connected with the user account off your hard drive.
Time once again for a Mark’s Maxim:
Every account on your iMac can be customized. Understandably, some settings are accessible only to admin-level accounts, and others can be adjusted by standard-level accounts. In this section, I introduce you to the things that can be enabled (or disabled) within a user account.
Login Items are applications or documents that can be set to launch or load automatically as soon as a specific user logs in — for example, Apple Mail or Contacts. In fact, a user must be logged in to add or remove Login Items. Even an admin-level account can’t change the Login Items for another user.
If an application appears on your Dock, you don’t need to follow the upcoming steps to add that application to your Login Items list; instead, simply right-click the application icon on the Dock, choose the Options submenu, and then choose Open at Login.
To set Login Items for applications that don’t appear on your Dock, follow these steps:
It bears repeating: You can change the Login Items for only the account that’s currently logged in, so make sure to select the Current User account in the list at the left.
If you’re in the mood to drag and drop, just drag the applications you want to add from a Finder window and drop them directly into the list.
A standard-level account with restrictions is called a managed account. (You can read about these accounts earlier in this chapter.) With these accounts, you can restrict access to many different places within Mavericks and your iMac’s applications via Parental Controls. (Naturally, admin-level accounts don’t need Parental Controls because an admin account has no restrictions.)
To display the Parental Controls for a standard account, start here:
Now click the Open Parental Controls button to display the specific category tabs that you see in Figure 20-6:
Mavericks keeps a number of different types of text log files (which track where the user goes on the Internet, which applications are launched by the account, and the contents of any Messages conversations in which the user was a participant). To view these logs from any of the tabs, click the Logs button at the bottom of the pane. From this single sheet, you can monitor all the logs for a particular account and track Internet activity for any managed user.
If you want a notification if the user is attempting to send an e-mail to someone not in the list, select the Send Requests To check box to enable it and then type your e-mail address in the text box.
If you’re creating a single standard-level account for an entire group of people to use — for example, if you want to leave the machine in kiosk mode in one corner of the office, or if everyone in a classroom will use the same account on the machine — I recommend disabling the ability to change the account password. (Oh, and please do me a favor and promise me you won’t create a system with just one admin-level account that everyone is supposed to use! Instead, keep your one admin-level account close to your bosom and create a standard-level account for the Unwashed Horde.)
Of particular importance are the Apps controls. Click the Apps tab to modify these settings:
To locate a specific application, click in the Search box and type the application name.
After you’re hip on user accounts and the changes you can make to them, turn to a number of topics that affect all users of your iMac — things like how they log in, how a user can share information with everyone else on the computer, and how each user account can be protected from unscrupulous outsiders with state-of-the-art encryption. (Suddenly you’re James Bond! I told you Mavericks would open new doors for you.)
Hey, how about the login screen itself? How do your users identify themselves? Time for another of my “Shortest books in the For Dummies series” special editions. (The title’s practically longer than the entire book.)
Mavericks offers four methods of logging folks in to your multiuser iMac:
When you enter your username and password, you see bullets instead of your password because Mavericks displays bullet characters to ensure security. Otherwise, someone could simply look over your shoulder as you type and see your password.
To switch to another account, follow these steps:
Mavericks displays the login window, just as if the iMac had been rebooted.
The previous user’s stuff is still running, so you definitely shouldn’t reboot or shut down the iMac!
To switch back to the previous user, follow these steps:
For security, Mavericks prompts you for that account’s login password.
I strongly recommend that you use auto login only if
Working in a public environment? Never set an admin-level account as the auto login account. This is the very definition of ASDI, or A Supremely Dumb Idea.
To set up a username/password or list login, open System Preferences, click the Users & Groups icon, and then display the Login Options settings (see Figure 20-8). Select the List of Users radio button for a list login screen, or select the Name and Password radio button to require your users to type their full username and password.
To enable Fast User Switching, mark the Show Fast User Switching Menu As check box (as shown in Figure 20-8). You can specify whether the menu displays a user’s full name (the default), a short name, or an account icon in the Finder menu bar.
To set Auto Login, choose the account that Mavericks should use from the Automatic Login pop-up menu (as shown by the now-legendary Figure 20-8).
Logging out of Mavericks all the way (without Fast User Switching) is a cinch. Just click the Apple menu and then choose Log Out. (From the keyboard, press ⌘+Shift+Q.) A confirmation dialog appears that will automatically log you off in one minute — but don’t forget that if someone walks up and clicks Cancel, he’ll be using your iMac with your account! You can bypass the confirmation dialog by pressing Option while choosing Log Out (or combining it with the keyboard shortcut). Your iMac returns to the login screen, ready for its next victim. Heed this Mark’s Maxim:
You might wonder where shared documents and files reside on your iMac. That’s a good question. Like just about everything in Mavericks, there’s a simple answer. The Users folder on your iMac has a Shared folder within it. To share a file or folder, you should place it in the Shared folder.
Each user account on your iMac also has a Public folder within that user’s Home folder. This is a read-only folder that other users on your iMac (and across the network) can access: They can only open and copy the files that it contains. (Sorry, no changes to existing documents from other users, or new documents from other users.) Every user’s Public folder contains a Drop Box folder, where other users can copy or save files but can’t view the contents. Think of the Drop Box as a mailbox where you drop off stuff for the other user.
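The private, read-only, and drop-box behavior described above for Home, Public, and Drop Box folders comes down to the permission bits granted to users other than the owner. The following Terminal script is an added example, not part of the original chapter: it classifies a folder by those bits and lists Home subfolders that are open when they should not be. The sample Home folder, the user name "bob", and the modes 700/755/733 are constructed for illustration, and ACLs are ignored.

```shell
#!/bin/sh
# Added example, not from the book. Assumption: plain POSIX mode bits decide
# access; any ACLs (shown as a trailing "+" in ls output) are ignored.

# Report what users other than the owner can do with a folder.
other_access() {
    # ls prints e.g. "drwx-wx-wx"; characters 8-10 are the "other" triad.
    # A sticky bit (t/T, as on /Users/Shared) is mapped back to x/-.
    triad=$(ls -ld "$1" | awk '{print $1}' | cut -c8-10 | tr 'tT' 'x-')
    case "$triad" in
        ---) echo "private" ;;
        r-x) echo "read-only" ;;
        -wx) echo "drop-box" ;;      # can add files, cannot list them
        rwx) echo "read-write" ;;
        *)   echo "unusual:$triad" ;;
    esac
}

# Print the subfolders of a Home folder that are open to other users,
# apart from Public and Sites, which are meant to be readable.
exposed_folders() {
    for dir in "$1"/*/; do
        [ -d "$dir" ] || continue
        name=$(basename "$dir")
        case "$name:$(other_access "$dir")" in
            Public:read-only|Sites:read-only|*:private) ;;
            *) echo "$name" ;;
        esac
    done
}

# Constructed sample Home folder (hypothetical user "bob") in a temp directory.
make_sample_home() {
    home=$(mktemp -d)/bob
    mkdir -p "$home/Documents" "$home/Pictures" "$home/Public/Drop Box"
    chmod 700 "$home/Pictures"
    chmod 755 "$home/Documents" "$home/Public"   # Documents is misconfigured
    chmod 733 "$home/Public/Drop Box"
    echo "$home"
}

sample=$(make_sample_home)
echo "Public:   $(other_access "$sample/Public")"
echo "Drop Box: $(other_access "$sample/Public/Drop Box")"
echo "Exposed:  $(exposed_folders "$sample")"
rm -rf "$(dirname "$sample")"
```

To check a real account, call exposed_folders with the path to that user's Home folder; anything it prints is readable or writable by every other account on the machine.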
Storing sensitive information and documents on your iMac always incurs a risk. Although your login password should ensure that your data is off limits to everyone else, consider an extra level of security to prevent even a dedicated hacker from accessing your stuff — especially if you’re sharing your iMac computer in a multiuser environment. (In other words, consider a little more protection than just user permissions for those all-important Fantasy Football formations that you’ll unleash next season.)
To offer that extra level of security, Mavericks includes FileVault, which provides disk encryption that prevents just about anyone except the CIA or FBI from gaining access to the files on your hard drive. (You’ll notice that things slow down just a bit when you’re logging in and out or working with files that are several gigabytes in size, but for those of us who need the peace of mind, this minimal performance hit is worth it.) You can enable the FileVault feature from the Security & Privacy pane in System Preferences.
Two passwords control access to your hard drive when FileVault is active, and without them, the data contained on your hard drive is impossible for just about anyone to read:
To turn on FileVault protection within Mavericks, follow these steps:
Mavericks displays a sheet that lists all the user accounts on your iMac. Naturally, given that you’re logged in, Mavericks has already confirmed your account. However, in order for other users to access your hard drive after FileVault is running, each user account must be separately enabled. (If an account is not enabled, that person can no longer access anything on the hard drive after it has been encrypted.)
Mavericks displays a sheet prompting you to type the user’s account password. After a user is enabled, she gets a cheery green check mark in the list.
You can also take a snapshot of your screen while the Recovery Key is displayed and then print that image separately. Doing so is A Good Idea because it helps prevent errors while copying that excruciatingly long Recovery Key by hand. To take a snapshot image of the screen, press ⌘+Shift+3. (The image file appears on your Desktop.)
You’re done — and far more secure!