Question

Enable any settings that can prevent download of unwanted and/or malicious software

  • March 5, 2026
  • 5 replies
  • 117 views


From a security finding, our Infosec team has tasked us with finding a way to “Enable any settings that can prevent download of unwanted and/or malicious software”. Has anyone been able to prevent downloading in Safari and Chrome?

5 replies

Chubs
  • Jamf Heroes
  • March 5, 2026

Remove admin/elevation rights.  Done.

In a nutshell, you can stop downloads inside of Chrome by denying it using a policy... I can’t remember the plist right offhand, but it’s here in CEC:

 


  • Contributor
  • March 5, 2026

Doesn’t prevent the download but can prevent the execution.


mickgrant
  • Contributor
  • March 5, 2026

We had an issue where, even without admin rights, there are a lot of applications that were installing in the user space and did not require admin access at all, so we blocked any application running in the user space, as well as some other folders within our restriction profile.
 

 


  • Author
  • New Contributor
  • March 17, 2026

I was able to accomplish what our security team wanted by doing the following, which I found online. But I am using integer value 2. This is based off DownloadRestrictions from Chrome Enterprise.

 

Step 1: Create the Configuration Profile in Jamf Pro

  1. Log in to Jamf Pro.
  2. Navigate to Computers > Configuration Profiles.
  3. Click New.
  4. In the General payload, give the profile a name (e.g., "Chrome - Download Restrictions - Level 1").

 

Step 2: Configure the Application & Custom Settings Payload

  1. Click on the Application & Custom Settings payload.
  2. Click Configure (or Add).
  3. Choose the Upload File method (or External Applications if you have the Chrome bundle already set up).
  4. Set the Preference Domain to: com.google.Chrome
  5. Upload a .plist file or paste the following XML/JSON configuration: 

     

PLIST Configuration (XML):

 

<dict>
    <key>DownloadRestrictions</key>
    <integer>1</integer>
</dict>

 

Note: Setting <integer>1</integer> specifically blocks malicious downloads and dangerous file types as requested. 

 

Step 3: Scope and Save the Profile

  1. Click the Scope tab.
  2. Add the target computers or smart groups to receive the policy.
  3. Click Save.

 

How to Verify the Policy

Once the policy is deployed, you can verify it on the client machine:

  1. Open Google Chrome.
  2. Type chrome://policy in the address bar.
  3. Search for DownloadRestrictions and ensure it is set to 1
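
An added example, not part of the original post: a Python sketch that wraps the DownloadRestrictions key from the post in a complete plist and checks a deployed copy against the level a security finding calls for, using the value meanings from the Chrome Enterprise policy list. The function names build_plist and audit are hypothetical, the sample data is constructed, and the managed preferences path in the final comment is an assumption.

```python
import plistlib

# Meanings of Chrome's DownloadRestrictions values (Chrome Enterprise policy list).
LEVELS = {
    0: "no special restrictions",
    1: "block malicious downloads and dangerous file types",
    2: "block malicious, uncommon or unwanted downloads and dangerous file types",
    3: "block all downloads",
    4: "block malicious downloads",
}

def build_plist(level: int) -> bytes:
    """Return a complete XML plist for the com.google.Chrome preference domain."""
    if isinstance(level, bool) or level not in LEVELS:
        raise ValueError(f"unsupported DownloadRestrictions value: {level!r}")
    return plistlib.dumps({"DownloadRestrictions": level}, fmt=plistlib.FMT_XML)

def audit(plist_bytes: bytes, required: int) -> tuple[bool, str]:
    """Compare the deployed value with the level the security finding calls for."""
    try:
        prefs = plistlib.loads(plist_bytes)
    except Exception as exc:  # malformed or truncated file
        return False, f"unreadable plist: {exc}"
    value = prefs.get("DownloadRestrictions") if isinstance(prefs, dict) else None
    if value is None:
        return False, "DownloadRestrictions not set (Chrome default: no restrictions)"
    # A <string> or <true/> value is the wrong type for this integer policy.
    if isinstance(value, bool) or not isinstance(value, int):
        return False, f"wrong type {type(value).__name__}; expected <integer>"
    if value not in LEVELS:
        return False, f"unknown value {value}"
    if value != required:
        return False, f"set to {value} ({LEVELS[value]}); required {required}"
    return True, f"set to {value} ({LEVELS[value]})"

if __name__ == "__main__":
    # Constructed sample: the key from the post, wrapped as a complete plist.
    deployed = build_plist(1)
    print(deployed.decode())
    print(audit(deployed, required=2))
    # On a managed Mac the bytes would be read from the managed preferences file,
    # assumed here to be /Library/Managed Preferences/com.google.Chrome.plist.
```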

  • New Contributor
  • March 18, 2026

I’ve had to answer this exact “can we just stop downloads?” question a few times, and the (annoying) reality is: there isn’t a single MDM checkbox that reliably prevents all downloads in Safari + Chrome.

What usually works better is layering controls:
- Web/content filtering (block known bad categories / file-hosting / newly-registered domains, etc.).
- Endpoint protection (to catch the stuff that still lands).
- Keep Gatekeeper/notarization checks enforced and don’t train users to bypass prompts.
- If your goal is specifically “stop installing random apps”, focus on controlling *execution/install* vs the download itself (managed installs via Self Service, deny unmanaged apps, etc.).

If you’re evaluating options that take a “block risky domains/apps at the source” approach, this is the overview I point people at:
Shadow IT – Manage Blocklist Key Features