Skip to main content
Question

clients randomly losing ability to launch executables

  • September 5, 2015
  • 6 replies
  • 39 views
SincerelyJoshin
Forum|alt.badge.img+4

Hey folks, really hoping someone out there has had some experience dealing with the issue I am about to describe…

Workstations are randomly losing ability to launch any executable in my environment, only current solution to the issue is to restart the device. Upon reboot ability to launch applications is restored until it randomly happens again…

Clients are running 10.9.5, build 13F34, being managed by configuration profiles and logging into to local accounts. I have 22 profiles in total scoped to machines, each broken down by respective preference domain (for troubleshooting purposes). While troubleshooting I have found that if the configuration profile controlling application whitelisting and blacklisting, com.apple.applicationaccess.new preference domain, is removed from the machine ability to execute is restored. If reapplied apps once again do not launch.

I have attemped the following, all of which end in random inability to launch executables:
-deploying only com.apple.applicationaccess.new configuration profile
-rebuilding com.apple.applicationaccess.new configuration profile
-building new profile using JSS’s Restrictions Payload
-testing using freshly built OS X installer using AutoDMG and individually testing all 3 above configuration profiles
-testing by enrolling a fresh OS, installed via recovery partition, and individually testing all 3 above configuration profiles

I have been advised to try Yosemite, as Mavericks has a known issue with restricting application access via configuration profile, but I refuse to believe that no one else out there has had success with applying restrictions to Mavericks. Any help would be greatly appreciated.

    6 replies

    S
    Forum|alt.badge.img+4
    • Swift
    • Contributor
    • September 7, 2015

    I have zero experience of whitelisting/blacklisting apps via com.apple.applicationaccess.new. (I do it another way).

    However since no-one else has answered, do you by any chance have a pathBlackList/pathWhiteList that is causing you issues?

    SincerelyJoshin
    Forum|alt.badge.img+4
    • SincerelyJoshin
    • Author
    • Contributor
    • September 8, 2015

    I do not believe so. I have used a similar config going back to 10.6, MCX. Didn't have any issues our last deployment with 10.8.5, config profile.

    I have the following locations whitelisted:
    Applications/
    /Library/Application Support/
    /Library/Internet Plug-Ins/
    /Library/Java/
    /Library/LaunchAgents/
    /Library/LaunchDaemons/
    /Library/Printers/
    /System/Library/
    /private/
    /usr/bin/
    /private/tmp/
    /usr/local/bin/
    /usr/lib/
    /usr/share/
    /Library/Keychains/
    /dev/

    with the following blacklisted:
    /Users/
    /Applications/Game Center.app/
    /Applications/Automator.app/
    /Applications/FaceTime.app/
    /Applications/Messages.app/
    /Applications/Time Machine.app/
    /Applications/Utilities/Activity Monitor.app/
    /Applications/Utilities/AirPort Utility.app/
    /Applications/Utilities/AppleScript Editor.app/
    /Applications/Utilities/Bluetooth File Exchange.app/
    /Applications/Utilities/Boot Camp Assistant.app/
    /Applications/Utilities/Console.app/
    /Applications/Utilities/Disk Utility.app/
    /Applications/Utilities/Migration Assistant.app/
    /Applications/Utilities/Network Utility.app/
    /Applications/Utilities/Terminal.app/
    /Applications/Utilities/X11.app/
    /System/Library/CoreServices/Applications/Network Utility.app/

    J
    Forum|alt.badge.img+7
    • jdziat
    • Contributor
    • September 8, 2015

    I wonder if it has something to do with the Gatekeeper. Have you tried SSHing into an affected system and executing spctl -a /Applications/{{applicationname.app}}, what output does it give?

    If you run "spctl --master-disable" what happens?

    SPCTL Documentation
    https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/spctl.8.html

    J
    Forum|alt.badge.img+7
    • jdziat
    • Contributor
    • September 8, 2015

    You may want to try out "https://github.com/google/santa/" if this continues to be a problem as well

    S
    Forum|alt.badge.img+4
    • Swift
    • Contributor
    • September 8, 2015

    Or you could try http://sourceforge.net/projects/appwarden/ ...which catches WillLaunch, DidLaunch and DidTerminate Application Notification events, to allow you to run custom code when an application launches or quits.

    BTW, I'm guessing that there is a typo, and you have whitelisted:
    /Applications/
    and not:
    Applications/
    ?

    SincerelyJoshin
    Forum|alt.badge.img+4
    • SincerelyJoshin
    • Author
    • Contributor
    • September 8, 2015

    @Swift Correct, that was a copy/paste typo.

    Terms & ConditionsCookie settingsAccessibility statement