How can I restrict ProctorU's access?
January 6, 2019 5:16 AM   Subscribe

ProctorU wants access to my MacBook Air and warns me that it'll be able to "transfer, delete, overwrite or copy files" and "run scripts." I can't allow that. If I create a new user account under macOS Mojave, will that successfully restrict what ProctorU can access?

I need to use ProctorU to take an online test. When I tried to give ProctorU access to my computer, I got the following warning:
Access may be used to:
  • Control or view your desktop
  • View system information & Reboot
  • Transfer, delete, overwrite or copy files"
  • Run scripts
  • Invite technician for collaboration
Some of that, I'm not okay with. Some I don't understand. Either way, it's a nonstarter. I have client files on this computer that I can't reasonably move just to take this test—but even if I didn't, I'm not giving some random company unrestricted access to my computer.

The simplest solution seems to be to create a new user under "System Preferences" just for this exam, then delete it afterward. But I don't know enough about computers to know for sure: will that work? If I create a new user ("TestTaker") and give ProctorU the access it's requesting, will it nevertheless be able to copy and delete files and run scripts under my other user accounts?

If that idea won't work, can you suggest a different solution? Libraries are probably out because (I think) I need to let the proctor watch me on camera and speak to me. I can't easily borrow a computer, but that's what I'll do if necessary. Thanks.
posted by anonymous to Computers & Internet (9 answers total) 1 user marked this as a favorite
 
If I create a new user ("TestTaker") and give ProctorU the access it's requesting, will it nevertheless be able to copy and delete files and run scripts under my other user accounts?

Copy, probably; delete or change, probably not; run scripts as other users, not unless you set up TestTaker with the ability to use sudo, which you absolutely should not do.

The "probably" and "probably not" reflect the state of the default permissions for user-owned files and folders on OS X, which make them readable by everybody but writable only by the user account that owns them. If you have client files on the machine that nobody but the user account whose home folder they're stored inside should be able to read, you can use the owning user account to change their permissions and/or that of their containing folder to achieve that.

All that said: if I had a need to use a service that demanded that level of access to my computer, I'd wheel out VirtualBox and give it access to a disposable virtual machine only.
posted by flabdablet at 5:43 AM on January 6 [6 favorites]


I would recommend using a different computer if you're that worried about it. Virtualbox wouldn't really work, as one of the things the scripts test for is whether you are in a VM or not. Basically, the scripts run through to check you're not running other programs and it shuts down ones that could be reasonably used in the course of cheating on your test. The person on the other side of the connection used to do this manually but at some point they changed to a script. I don's see why a different user account wouldn't work but it is down to your level of obligation to your client files and paranoia about possible exposure.
posted by Hal Mumkin at 5:59 AM on January 6 [4 favorites]


Do you have time capsule? You could backup your current machine state to that disk, make a clean empty user, run a boring user for the duration of the test, then wipe the machine and restore it after.
posted by nickggully at 7:46 AM on January 6 [1 favorite]


Another option is to configure a USB drive as a boot disk, then use FileVault to encrypt your default boot drive. Once you've booted off the USB drive, all your files on your main disk will be inaccessible.

(Caveat: I haven't done this on Mac OS, but have done the equivalent under Linux)
posted by Devonian at 7:52 AM on January 6 [5 favorites]


Also - if you have confidential client files on your computer, you may like to consider diskwide encryption as part of good practice in case your machine gets lost or stolen. I do this for systems I have to use in public places, and it's not onerous.
posted by Devonian at 8:02 AM on January 6 [1 favorite]


Seconding flabdablet's suggestion of using a Virtual Machine.
posted by Greg_Ace at 10:34 AM on January 6


I recommend the USB boot solution à la Devonian. Here's some more detailed instructions on how to do this. Some notes:

* If encrypting your built-in disk would be too much work, you can probably get away without it, just boot from your USB disk and "eject" the built-in disk. It feels pretty unlikely that the script will look for random attached disks to mount.
* You can also do this on a partition of your built-in disk instead of a USB disk, Disk Utility will let you shrink a disk partition pretty easily.
posted by vasi at 1:10 PM on January 6 [3 favorites]


If you create a Standard user account, log out of your admin account, log into the new account, and are still able to install ProctorU without typing your admin password, that would mean the software is able to run only as your new Standard user, which won't have access to the main user's data.
posted by odinsdream at 6:07 PM on January 6


Basically, the scripts run through to check you're not running other programs and it shuts down ones that could be reasonably used in the course of cheating on your test.

This is pointless, stupid security theatre, resting as it does on the assumption that the computer the ProctorU software is running on is the only one accessible to the user.

If I were trying to run ProctorU in a VM and found that it refused to cooperate on that basis, my immediate response would be researching how to defeat whatever check it was using rather than give it access to anything non-virtual.
posted by flabdablet at 7:00 PM on January 6


« Older First Person Creepy Stories In Medical Settings?   |   Blog suggestions like McMansion Hell? Newer »

You are not logged in, either login or create an account to post comments