Mac OS X: Prohibit/prevent network users from copying apps to the desktop

Mac OS x: the question of disabling/preventing network users from copying apps to the desktop is as follows: for Mac OS X network users who use OD management, the user's home folder is stored on the server by default, that is to say, it is no longer stored on the local hard disk of the computer, the advantage is to achieve centralized management of user resources, and provides consistent login and use environments. Windows also supports such user management environments. If you store too many files on the Desktop, slow user login and occupying a large amount of network resources may occur. This is because, the system needs to read the user's resources on the server. The most common is that the user downloads the program and stores it on the Desktop, or copies the program in/Applications to the Desktop, for other reasons. solution: In order to solve this problem, while educating users about the correct usage habits, we can use the following two methods to apply technical restrictions. in other words, you can only use technical means. For example, for elementary school users, if you only want to restrict the replication of applications, you can change the application. the file or directory attribute in the app. because you do not have to have the read permission when running a program, as long as you have the permission to run the program, everyone has the read permission by default, therefore, you can think of changes and prohibit everyone from being readable, so that the program can run normally and the user cannot copy them. Note that you should be careful when selecting files/directories and perform full tests. For the administrator, this possibility should be taken into account when creating the release package.
The preceding method has its own limitations, and users cannot download other files and save them on the desktop. This solution is to solve this problem and prevent users from copying files on the desktop. You can change the user's desktop folder ~ /Desktop/. Use the soft connection method to redirect to a user's read-only folder, so that the user has no write permission. However, some programs need to access the user's Desktop by default. For example, FireFox, the download directory is the user's Desktop by default, so the administrator should pay attention to the testing and setting of these programs. of course, for a large number of existing network users in the deployed network environment, the system administrator needs to write or modify the Login Hook script program for each user's home.