Help me clear the Air
May 4, 2012 1:43 PM

Is there anything I should know before I restore the OS on my new MacBook Air in an attempt to circumvent an unreasonable and oppressive IT department?

The university bought me a new MacBook Air. It came installed with the suite of programs the university gives us: Office, Acrobat, and stuff like that. So far so good. But they also severely restricted the user account, which pisses me off mightily, since I had administrator rights on my old computer. I have been informed that my administrator rights are gone for good, which is what happens now when anyone gets a new machine.

I'm coming over from Windows, and I speak Windows fluently, but I know nothing whatsoever about Mac. However, when I booted the computer while holding down the option key, I see a recovery partition. I assume this is to return the computer to its "fresh-off-the-boat," pristine state. I would rather do without the installed software and university network access (open wifi anyway, don't need it) and use my computer the way I see fit. I'm about to nuke the OS and do a fresh install. No one told me I couldn't do this. I signed nothing saying I wouldn't do it, and I think it would be easier to ask forgiveness than get permission.

Since I don't know what IT has done to customize my computer when they locked it down, and because I don't know Mac, I need to know if there is any reason why I can't click on the recovery partition and just use the machine as if I bought it at the store? I know they have theft protection software installed (some kind of lojack). It seems to me that unless they disabled the recovery partition this would be pointless, unless it was stolen by a computer illiterate.

What would you do before you make an end run around the IT department from hell?
posted by Crotalus to Computers & Internet (36 answers total) 2 users marked this as a favorite
 
that depends: how comfortable are you with taking your machine back to the IT department and admitting what you were trying to do if something goes horribly wrong? that's always my touchstone before i go a-hacking about with my company's hardware.

if you feel pretty comfortable, and are also decent with computers, you can try this, but if it doesn't work, you might have to reinstall.
posted by koroshiya at 1:48 PM on May 4, 2012 [1 favorite]


Response by poster: how comfortable are you with taking your machine back to the IT department and admitting what you were trying to do if something goes horribly wrong?

There would be no real consequences. But I would feel like a complete idiot.
posted by Crotalus at 1:53 PM on May 4, 2012


Are they going to let you connect the computer to their network if it's not configured how they want it? Do you own the computer outright?
posted by dgeiser13 at 1:56 PM on May 4, 2012


What would you do before you make an end run around the IT department from hell.

It sounds like this is your workplace and your work computer. In that case, I'd update my resume before doing this.

use my computer the way I see fit

If it's provided by your employer, it's not your computer. I suggest sleeping on it for a bit before you do anything.

As for not signing anything: at my office the employee manual says very clearly that all computers and the data on them and traffic through the network belong to the company. You probably have something similar in your workplace.

If you go ahead with it, it will surely eventually come up that you DO need software or network access that they provide. If you can't perform a job function because of this, you'll have explaining to do and it might not be pretty.
posted by fritley at 1:57 PM on May 4, 2012 [3 favorites]


If there are no real consequences, then why not just do it and get over feeling like an idiot? Surely there are better things to feel like an idiot about?

That having been said, I reinstall the OS on my Macbook Pro all the time. Well, once every two months or so. And I've never had a problem with the process before.
posted by dfriedman at 1:57 PM on May 4, 2012 [1 favorite]


Setting aside for a moment the question of ownership... if you don't know anything about Mac, why do you think you need administrator access?

I only ask as a "formerly windows now osx" convert; part of the process for me has been getting ok with the fact that you don't really need to micromanage everything.
posted by lilnublet at 2:05 PM on May 4, 2012 [1 favorite]


If the university bought it for you, it's entirely possible that the recovery partition contains a custom image with exactly the software you're trying to avoid. Wouldn't kill you to try it, I suppose, but you might well be disappointed.
posted by restless_nomad at 2:10 PM on May 4, 2012 [3 favorites]


Response by poster: If the university bought it for you, it's entirely possible that the recovery partition contains a custom image with exactly the software you're trying to avoid. Wouldn't kill you to try it, I suppose, but you might well be disappointed.

Just for the sake of "what if" . . . Could someone buy a copy of OSX from the Apple store and install the OS from a DVD?
posted by Crotalus at 2:13 PM on May 4, 2012


Personally, I would first boot to the recovery partition, run "resetpassword" from the Terminal, and change the password on an admin account. Then reboot into your normal account and use those admin credentials to give your normal account admin access. (See OS X Daily's "Reset a Mac OS X 10.7 Lion Password" if you need clearer instructions)

And yes, you can buy Lion in the store and wipe it that way, but it will be on a little USB drive, not on a DVD. If you get in trouble down the line, you can always plead ignorance and say a Genius in the Apple Store did it for you.
posted by bcwinters at 2:17 PM on May 4, 2012 [3 favorites]



What would you do before you make an end run around the IT department from hell.


I would ask them if they could help me get admin privileges, and listen to them as they explain the whys and wherefores of their setup.

FWIW, I don't let my users have admin rights either. Not because they are idiots, though sometimes I do wonder. I do it because that provides an absolute chance for me to become involved in software installation or configuration change. Often, the thing they want to do will go better because I've spent my entire career doing this, and they have spent their career doing something else.

Yes, you can buy the DVD and install the OS. The apps you'd have to reinstall, so you need to buy those, too.

Depending on your IT department and staff policies, you could be looking at something of no consequence to a firing offense. It's their computer, not yours. If you want to manage your own computer, go buy one.
posted by Pogo_Fuzzybutt at 2:18 PM on May 4, 2012 [6 favorites]


There are valid reasons for limiting the account. If you want support from IT then I suggest attempting to live within those restrictions and make a good faith effort to use IT support when you encounter issues that require admin privileges. Either they'll decide you're justified in needing the access after you've submitted N help requests or you can point out how often you're needing those privileges and offer to refrain from requesting help beyond a re-imaging should you hose the system.
posted by roue at 2:21 PM on May 4, 2012 [2 favorites]


What sort of things do you need the administrator password for? Are you sure you need this?

Since you're not accustomed to macs, you might not even need administrator access to do the things you want to do. Macs are generally better about this sort of thing.

Is this something you know for sure you'll need or is it something you just think you're going to need?
posted by kpmcguire at 2:25 PM on May 4, 2012


What would you do before you make an end run around the IT department from hell.

Talk to my boss about getting Admin access for me, for the computer.
posted by Brandon Blatcher at 2:31 PM on May 4, 2012


another thing i thought of before i replied: they may also have some kind of monitoring software on your computer. if you reinstall and circumvent it and the brand new computer drops off their system, you might have a lot of 'splainin' to do, lucy.
posted by koroshiya at 3:16 PM on May 4, 2012


AFTER i replied. jeez. friday brain, indeed.
posted by koroshiya at 3:17 PM on May 4, 2012


Just for the sake of "what if" . . . Could someone buy a copy of OSX from the Apple store and install the OS from a DVD?

A caveat to Pogo_Fuzzybutt's answer: Only if the disc copy is a later version than the one the computer shipped with. Earlier versions will not have the correct drivers present for the hardware you have, even if you can manage to crowbar the installation past the point where it says your system won't support that version.
posted by fearnothing at 3:36 PM on May 4, 2012


You could do a Time Machine backup to an external hard drive, and then try it. Maybe then, if anything goes wrong, you can revert to the IT Department backup.
posted by smitt at 3:46 PM on May 4, 2012 [1 favorite]


I, too, would make a last-ditch effort to talk to the IT department. On my campus, I called the IT department and sweetly requested admin rights on my Windows machine, and they complied. I'm curious to know, too, what is being restricted - for me, it was software installation, and I got sick of calling IT every time I needed to install Skype or whatever.
posted by woodvine at 4:02 PM on May 4, 2012


Response by poster: The restrictions are unreasonable by anyone's standards. I was helping a colleague on her Windows machine and discovered that she did not have permission to delete an icon from her desktop. Relations between ITS and the academic side are beyond terrible.
posted by Crotalus at 4:18 PM on May 4, 2012


Are you sure wifi is actually open? Most corporate networks I have worked at had wifi that was secured with client side certificates and may appear to be open (as there is no password prompt) but is not. I would verify this before trying to reinstall the OS.
posted by wongcorgi at 4:38 PM on May 4, 2012


Best answer: university network access (open wifi anyway, don't need it)

Are you sure about this point? It would be fairly standard for the open wifi to not have access to e.g. departmental printers or network drives. Volume-licensed software that came with it may also need to reactivate against on-network servers that are only accessible by the secured network, though that's a bit less common these days.

If you need to have admin access, try what bcwinters suggested; far safer than a restore/reformat.

Other than that: not to be too antagonistic, but you seem more bent on getting a strike in at ITS than on actually getting work done with your mac (in particular you haven't actually mentioned anything you want/need to do on it that you can't); I'd advise putting some forethought into how you're going to spin this differently when ITS finds out and comes down on you/your boss.

If you persist and reformat, the anti-theft software will probably bite you in the arse. It'll very likely have a piece sitting in the bootloader (for exactly the point you made about thieves just reformatting - yes, they've thought of this!), so you can do a low-level format and get rid of it (probably - even this depends on the specific brand) but you are new to Mac so I don't advise that, or you can do a high-level format/restore (this is what the recovery partition will do) and have the EFI piece notice that the computer was reformatted and probably phone home saying so.
posted by pahalial at 4:56 PM on May 4, 2012


Response by poster: Yeah. In retrospect I guess it seems pretty dumb to assume that they would bother installing security that is weak enough that I could defeat it.
posted by Crotalus at 5:31 PM on May 4, 2012


The university bought me a new MacBook Air. It came installed with the suite of programs the university gives us: Office, Acrobat, and stuff like that. So far so good. But they also severely restricted the user account, which pisses me off mightily, since I had administrator rights on my old computer. I have been informed that my administrator rights are gone for good, which is what happens now when anyone gets a new machine.

This doesn't sound arbitrary to me; why spend all this money if they didn't have to? Workplaces are generally very bottom-line about spending.

It seems logical they bought new computers and restricted access for a reason. It's possible they've had issues with viruses, security (confidential material being leaked maybe), people messing up the work software by adding third-party stuff--I can think of a thousand reasons why the IT department would make this choice.

You are coming across as throwing a tantrum because you don't have the ideal setup you want for a computer that, technically-speaking, isn't even yours.

The "Windows friend couldn't even delete an icon" is really irrelevant; you have a Macbook Air running a completely different operating system. Can you delete icons? For that matter, why delete an icon at all? Usually icons on the desktop are shortcuts to programs you want available. On a mac, those programs are on the dock, and you remove them from the dock just by bringing them down to the trash can. No admin privileges needed for that.

So, asking again, as it has been asked before in this thread: Is there anything you need to do that you cannot do without the Admin rights? Hell, is there even anything you WANT to do that you can't do now?

If so, perhaps getting IT to address that specific problem issue is called for, rather than nuking the whole operating system from orbit.

If not, though, I suggest you graciously accept the gift of a very expensive laptop from your workplace.
posted by misha at 5:36 PM on May 4, 2012


I haven't played with the Recovery Partition on Lion yet, but if you can launch Terminal from it...

This command should (untested) add your user to the admin group without modifying the password of the current admin:
dscl \
-f /Volumes/[System Drive Name]/var/db/dslocal/nodes/Default \
localonly \
-append \
/Local/Target/Groups/admin \
[your username]
Might want to do that with the staff group too.

PS: I work IT in higher ed and we give our users admin rights on their workstations and laptops.
posted by sbutler at 5:56 PM on May 4, 2012 [1 favorite]


Addendum: to address your point about just buying a new copy of OS X Lion or other software, do bear in mind this is not your computer and while IANYL and do not know your specific jurisdiction, anything you install or otherwise put on the computer likely becomes the property of the university - or at the very least could cost a whole lot of headaches to get back if they reclaim the Mac or you leave your job.
posted by pahalial at 6:50 PM on May 4, 2012


You could remove the current hard drive, keep it in a safe place, and install a fresh drive with a new OS install. If the shit hits the fan in some way, swap them back.
posted by werkzeuger at 7:35 PM on May 4, 2012


Oops. I had a typo in my command. But this should work. dscl does not appear on the Recovery Partition, but we can get around that. Assuming your disk name is "OS X":
"/Volumes/OS X/usr/bin/dscl" \
-f "/Volumes/OS X/var/db/dslocal/nodes/Default" \
localonly \
-append \
/Local/Target/Groups/admin \
GroupMembership \
[your username]
If you have FileVault2 turned on then your system disk is encrypted and won't be available by default. No problem! Here's what you do:
diskutil coreStorage list
This will list a tree of objects. One of them will say "Logical Volume AAAAAAAA-BBBB-CCCC-DDD-EEEEFFFFFFFF" and under that in the property list it will say "LV Name: [name of your system disk]". That's how we know we've found the right one.

Then run, using the unique identifier above:
diskutil coreStorage unlockVolume AAAAAAAA-BBBB-CCCC-DDD-EEEEFFFFFFFF
When prompted use any password that you might use to boot the system.
posted by sbutler at 8:12 PM on May 4, 2012
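
Added example (not part of sbutler's post or the thread): seen from the IT side, a change to the local admin group like the one described above shows up when the group's membership is compared with an approved list at each check-in. The approved names and the sample output are constructed, and the input is assumed to have the format printed by `dscl . -read /Groups/admin GroupMembership`.

```shell
#!/bin/sh
# Audit the local admin group against an approved list (added example).
# Assumption: input looks like the one-line output of
#   dscl . -read /Groups/admin GroupMembership
# e.g. "GroupMembership: root itadmin"

# Constructed sample output, used when dscl is not available.
SAMPLE_DSCL_OUTPUT='GroupMembership: root itadmin jdoe'

# Hypothetical allow-list maintained by IT.
APPROVED_ADMINS='root itadmin'

# group_members <dscl-output>: print the member names, space separated.
# Prints nothing if the key is absent (e.g. "No such key: GroupMembership").
group_members() {
    printf '%s\n' "$1" | sed -n 's/^GroupMembership:[[:space:]]*//p'
}

# not_in_list <names> <list>: print each name from <names> absent from <list>.
not_in_list() {
    for name in $1; do
        hit=0
        for ref in $2; do
            if [ "$name" = "$ref" ]; then hit=1; fi
        done
        if [ "$hit" -eq 0 ]; then printf '%s\n' "$name"; fi
    done
}

# Members of the admin group that IT did not approve.
unexpected_admins() { not_in_list "$(group_members "$1")" "$2"; }

# Approved accounts that have been removed from the admin group.
missing_admins() { not_in_list "$2" "$(group_members "$1")"; }

if command -v dscl >/dev/null 2>&1; then
    current=$(dscl . -read /Groups/admin GroupMembership 2>&1)
else
    current=$SAMPLE_DSCL_OUTPUT   # no dscl here: use the constructed sample
fi

for u in $(unexpected_admins "$current" "$APPROVED_ADMINS"); do
    echo "ALERT: unapproved local admin: $u"
done
for u in $(missing_admins "$current" "$APPROVED_ADMINS"); do
    echo "ALERT: approved admin missing from group: $u"
done
```

A state comparison like this is the practical check because an edit made while booted from the recovery partition happens while the installed system, and any logging it does, is not running.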


You could remove the current hard drive... If the shit hits the fan... swap them back.
I think an easier way would be just to make a bootable backup to an external drive using SuperDuper! or Carbon Copy Cloner. Then if you run into problems later, just boot off your external backup and copy (backup) your original setup back to the internal SSD.
No screwdrivers or spudgers required.
posted by blueberry at 1:57 AM on May 5, 2012


The restrictions are unreasonable by anyone's standards. I was helping a colleague on her Windows machine and discovered that she did not have permission to delete an icon from her desktop.

How does this relate to you and your Mac, though? Pretty much the only thing a non-admin user on a Mac can't do is install/uninstall software and change network (and other system-wide) settings. Your desktop is yours to do with as you like.
posted by Thorzdad at 4:53 AM on May 5, 2012


In many cases a legitimate reason to have admin access will be granted by any reasonable IT policy (say, for example, you are a software developer). If your company/University doesn't have this exception policy, work within the system to initiate change.
Changing the Admin password is easy, but what happens when IT wants to use the admin account to remote into your, ahem, their laptop to install an update or whatever?
It is not your computer. A very good way to get on the wrong side of the IT people is to think otherwise.
posted by Gungho at 5:20 AM on May 5, 2012


Does the university allow you to use a personally owned machine on their networks? Will they give you the necessary software to install on a machine you already own?

Buy one.
posted by spitbull at 5:32 AM on May 5, 2012


You went through exactly this same problem with your prior Windows machine just a bit over a year ago. Why would the answer from IT be any different on a Mac? Seriously, if you are that into having admin control of your machine, you need to own your own machine, obviously, given this institution's policies, if you are correctly representing them.

Tell the IT department that you regularly need to evaluate new software for your teaching and research. See what they say.

That said, I've never heard of any *American* university of any stature, public or private, locking down faculty machines' admin rights, let alone claiming a priori ownership over any data on the machine or network. Both would be challengeable on academic freedom grounds. Are you in the UK? Last time I was at Oxford I noticed the most absurdly draconian level of IT security I had ever seen, which sort of went with the surveillance cameras everywhere you looked and a general attitude of repression and constant surveillance and nanny-state intrusion in the UK. Thank god I don't have to teach or live there.
posted by spitbull at 5:39 AM on May 5, 2012 [1 favorite]


You could remove the current hard drive, keep it in a safe place, and install a fresh drive with a new OS install.

Not on an Air you can't.

You could ask for Windows to be installed in a bootcamp partition, then run Win7 there and beg for Admin.

I wouldn't give it to you.

The restrictions are unreasonable by anyone's standards.

Considering this is pretty standard across the industry I would submit you've been an anomaly or babied, but not allowing Admin rights is fairly standard.

Even on my personal Macs/PCs I don't run as an admin.
posted by cjorgensen at 10:36 AM on May 5, 2012


I used to work in a Help Desk for a university Computer Science department.

For all laptop loaners, we would give the user admin access, because they would be taking this machine home and we can't support them 24/7. However, if they came in during business hours, we would be happy to help them. They got access to all of our services.

For all desktop loaners, we would traditionally never suggest the idea of giving admin access to a user, but users could ask for it. If a user did ask for it, they would be asked if they're absolutely certain they want to do this because after reinstalling the machine as an admin user, the machine would be unsupported. We would move these machines to their own network, so they couldn't touch our other stuff (with the side effect of not being able to use network shares). The only thing they could usually request from us is to be returned to a supported machine, or for things like hardware issues. They would also have to do their own backups, as well as lose access to most of our other services, besides email and a few others.

I understand that it's annoying for your laptop to be locked down like we lock down our desktop machines (although you seem to not know specifically how locked down), but I have to sympathize with your IT department here. They probably have a reason to be doing this, a reason that may not be too clear to you as you pull the "restore" trigger.

So far, you haven't said a single reason why you, as a Mac user, should need admin access. Macs work very differently from windows machines, and you will rarely need to ever put in an admin password at all. At this point all you are doing is thinking of ways to make the IT department (and possibly the school's legal department) mad at you in the future.
posted by azarbayejani at 7:43 AM on May 6, 2012 [2 favorites]


There are probably things that won't work once you do this. (E.g., the computer won't be bound to the domain, you may not even be able to log in to the domain, you may not be able to print or access file servers, you won't have access to your networked home directory, you may not have access to anything but the Internet and DMZ hosts, etc., etc.) And the things done to all university-owned PCs & Macs which you may not even have been aware of definitionally can't be reproduced, like configuration to pass any NAC or VPN platform.

You probably won't have the software you need, either, as IT has most likely installed it using campus-wide license numbers.

Software that you install yourself may not actually work with line-of-business applications, too, which often require specific -- and old! -- versions of plug-ins, libraries, and other junk.

There are reasons for IT to do what they did to your computer. You might be suspicious of me, considering I am a .edu IT manager, but I myself have come round to the idea that I need to get my MacBook in line with IT policy and stop being a maverick-y maverick all the damn time, just so I can get some work done.
posted by wenestvedt at 9:32 AM on May 10, 2012


There are also regulatory regimes to which your employer is subject that may require specific logging and auditing, which a self-installed OS won't be doing. Not running this stuff will get the university an ass-whooping, and you will be next in line.

Here, my acronyms, let me show them to you: FERPA, HIPAA, GLB, PCI-DSS, FTC "Red Flag," and the nightmarish moving target of the Mass. CFR privacy-protection swamp.
posted by wenestvedt at 9:36 AM on May 10, 2012

