Fri May 11, 2018 6:25 am
Hi all, please forgive me if this issue is addressed elsewhere (& if so, let me know), I've tried extensive searching but haven't located a similar issue so I'm posting a new thread.
Short version: We manage lab machines at a University and our users all login individually with non-Administrator (AD) accounts on our Macs (which are all macOS 10.13.2 on a range of hardware - mostly 21.5" iMacs, 27" iMacs & Mac Pros - all with 16+GB RAM and plenty of storage). We'd like to use DaVinci Resolve but we're seeing problems with project permissions / ownership of projects/caches etc. This issue occurs on the latest stable version (v14.3 and also on the v15.0b version).
e.g. User1 logs in and launches, steps through the intro, selects default cache location (/Users/User1/Movies/ProjectName) and thats fine.
User2 logs in and launches, sees no intro and gets errors that they can't write to the cache location (/Users/User1/Movies/ProjectName) and asking them to dig through settings & renominate cache in three locations. When this is done, they see User1's project which is not an ideal way for shared lab software to operate.
User2 should not see any of User1 files.
Investigation shows that DaVinci Resolve has overly permissive settings on "/Library/Application Support/BlackMagic Design/DaVinci Resolve" and "/Library/Preferences/BlackMagic Design/DaVinci Resolve" (allowing write access for group "staff" of which all users are members) & user data is being written to this global local Library (rather than to the individual user's own "Users/USERNAME/Library/Application Support/BlackMagic Design/DaVinci Resolve") which is contrary to Apple's Filesystem Programming Guide ( "You are not allowed to post URLs!" ).
A separate version of the DaVinci Resolve application exists which does respect Application Sandboxing (total separation of user data/settings and machine-wide settings) & solves all of our issues, its the App Store version. We would love to deploy this and the only way to do so is via VPP (Volume Purchase Program which is described here You are not allowed to post URLs! ).
I've tested this App Store version of DaVinci Resolve v14.3 and it works except for one hopefully minor choice about the way it was released. It was published with only 'User Assignment' enabled (which means every user signs in with AppleID and inherits the App') rather than 'Device Assignment' enabled for VPP so we cannot distribute it to our labs.
The reason we cannot use 'User Assignment' VPP apps because we can't allow individual users to apply updates as it breaks the consistency of our environment (which is under a whole Change Management regime) and for this reason we block user's access to the App Store on shared machines).
Ideally, what I seek is one of two resolutions...
1- Either the freely distributable version of DaVinci Resolve to be made with full sandboxing (the same as the App Store version achieves).
or
2- The App Store version of DaVinci Resolve to have 'Device Assignment' enabled so that we can distribute it to labs.
Attempting to pass this request on to BlackMagic via the forum but of course any helpful advice gratefully received.
Joe.
Short version: We manage lab machines at a University and our users all login individually with non-Administrator (AD) accounts on our Macs (which are all macOS 10.13.2 on a range of hardware - mostly 21.5" iMacs, 27" iMacs & Mac Pros - all with 16+GB RAM and plenty of storage). We'd like to use DaVinci Resolve but we're seeing problems with project permissions / ownership of projects/caches etc. This issue occurs on the latest stable version (v14.3 and also on the v15.0b version).
e.g. User1 logs in and launches, steps through the intro, selects default cache location (/Users/User1/Movies/ProjectName) and thats fine.
User2 logs in and launches, sees no intro and gets errors that they can't write to the cache location (/Users/User1/Movies/ProjectName) and asking them to dig through settings & renominate cache in three locations. When this is done, they see User1's project which is not an ideal way for shared lab software to operate.
User2 should not see any of User1 files.
Investigation shows that DaVinci Resolve has overly permissive settings on "/Library/Application Support/BlackMagic Design/DaVinci Resolve" and "/Library/Preferences/BlackMagic Design/DaVinci Resolve" (allowing write access for group "staff" of which all users are members) & user data is being written to this global local Library (rather than to the individual user's own "Users/USERNAME/Library/Application Support/BlackMagic Design/DaVinci Resolve") which is contrary to Apple's Filesystem Programming Guide ( "You are not allowed to post URLs!" ).
A separate version of the DaVinci Resolve application exists which does respect Application Sandboxing (total separation of user data/settings and machine-wide settings) & solves all of our issues, its the App Store version. We would love to deploy this and the only way to do so is via VPP (Volume Purchase Program which is described here You are not allowed to post URLs! ).
I've tested this App Store version of DaVinci Resolve v14.3 and it works except for one hopefully minor choice about the way it was released. It was published with only 'User Assignment' enabled (which means every user signs in with AppleID and inherits the App') rather than 'Device Assignment' enabled for VPP so we cannot distribute it to our labs.
The reason we cannot use 'User Assignment' VPP apps because we can't allow individual users to apply updates as it breaks the consistency of our environment (which is under a whole Change Management regime) and for this reason we block user's access to the App Store on shared machines).
Ideally, what I seek is one of two resolutions...
1- Either the freely distributable version of DaVinci Resolve to be made with full sandboxing (the same as the App Store version achieves).
or
2- The App Store version of DaVinci Resolve to have 'Device Assignment' enabled so that we can distribute it to labs.
Attempting to pass this request on to BlackMagic via the forum but of course any helpful advice gratefully received.
Joe.
Joe Bird
RMIT University
RMIT University