Watching good administrators go bad

Uncle BenTraining is one of my favorite responsibilities as a consultant with 318. This past summer I’ve trained a few dozen new and experienced Mac administrators as part of their Casper JumpStarts but while most are very good at their jobs, practically all of them have briefly succumbed to the dark side during their training.

Movie wisdom

I use a lot of movie references in my JumpStarts because my captive audience usually gets the associations I’m making to the lessons. Practically every time I demonstrate one specific feature of Casper, I have to quote Uncle Ben from Spiderman: “With great power comes great responsibility.”

Already, I’ve referenced two movies to set up this story. This should tell you I’m speaking to an administrator’s human struggle to offset evil with good. I’ve had to fight this evil side of myself. For those of you who are not part of the IT world, please understand administrators are only human too.

If you’re a Casper administrator, stop and think about the one feature that probably turned you evil too… for just a moment.


While waiting for a large operating system package to copy to the Casper distribution point or for Adobe’s AAMEE tool to finish repackaging Creative Suite 6, I usually sidebar during a JumpStart into something that’s standalone and easy to grasp in those few minutes. This is when I demonstrate Restricted Software.

Restricted Software allows a Casper administrator to disable the use of software that’s illegal or detrimental to his environment. BitTorrent software, for example, is often used for anonymously downloading and sharing copyrighted material. While it does have legitimate uses too, it thwarts tracking a user’s activities, which makes it a liability.

At my former company I used Restricted Software to block applications thwarting our screen saver lock policy. Our company’s mandate stipulated all computers idle for more than 15 minutes must lock automatically, requiring the user to to have to re-enter his password to unlock the computer. The goal was to prevent unauthorized employees from accessing files and services under the logins of those who were authorized.


As soon as I started enforcing the locking policy I was discreetly told some users were downloading and running a free Mac application called Caffeine. Like BitTorrent software, Caffeine has legitimate uses but my users were downloading it to disable the screen saver and therefore disable their computers from automatically locking when idle.

This was my first need for Restricted Software.

I created a new record in Casper to block the Caffeine process. I also enabled three of the four additional features to kill the application, delete the application and send me an email when this policy was triggered.

The one feature I didn’t enable was displaying a message to the user about what just happened. Here started my journey down the wrong path.

Six email alerts in 30 minutes

The same evening I enabled the policy I started receiving email alerts that a user was tripping it.

The first email was very informative. Not only did it tell me the computer name but the user’s name as well. Cool, the Restricted Software feature was working great!

Then I received a second email. He’d tried running Caffeine again and again Casper killed it and deleted the application. The user was thwarted once more! Hah!

A third email. “OK,” I thought, “I’ll have to add this guy to my naughty list.”

And a fourth email message. The user had tried hiding the application deep inside a hidden folder where I couldn’t find it. But because Casper worked by killing the process name, I didn’t need to worry about where the application sat. Restricted Software still killed the process and deleted the application. “Geez!”, I thought to myself, “This guy has no respect for company policy. What a jerk!”

Now, another email. He’d tried renaming the application and hiding it.

Cold hard epiphany

I was being a jerk. No, a dick.

‘I was being a jerk. No, a dick.’

An administrator expects everyone to know company policies—especially the IT policies he already knows himself. As much as he’d love the user to set his browser homepage to the company’s Intranet site and read and understand all the new developments and announcements, he knows deep down the user won’t. And then the administrator thinks, “It’s the user’s fault for not knowing what’s happening.” Ignorance of the law, afterall.

My user was confused and I’m sure after five tries very frustrated.

I tapped in to my Casper server and enabled that fourth feature to display a message to the user and wrote, “The application you’re trying to use prevents Company’s policy to enforce your computer to lock when idle for 15 minutes and is automatically restricted from running. Please do not attempt to disable your screen saver.”

One more email and then they stopped coming. The part of the message about “is automatically restricted from running” was to reassure my user no one was watching even through I really was monitoring the entire situation. I had no need to make him afraid of the “IT Police” and every need to let him know what was happening.

Guiding new administrators

During a JumpStart I demonstrate Restricted Software using the TextEdit application and let the new Casper administrator set the options he likes. Some enable the message to alert users and practically all of them write something like “You’re fired!”, “BOOM!” or “Gotcha!” I let them see the entire process happen and a big smile comes across their faces.

It’s funny. It’s a power trip.

Then I tell my story and explain the user’s perspective about what just happened. They all get it and understand. It’s still one of their favorite features but I leave hoping they’ll use it wisely. I’m sure most do.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s