Question

Limit Terminal access to admin only

  • November 6, 2025
  • 3 replies
  • 83 views

e080241

I have been tasked by our security team to limit the terminal app to only allow admin accounts to open it due to a vulnerability. Any suggestions or best practices/advice on this? I do not want to restrict the app completely because we use it for troubleshooting but we want the standard user to be locked down as much as possible.

3 replies

AJPinto
  • Legendary Contributor
  • November 6, 2025

This is something your security team should be doing with an Endpoint Permissions Manager tool. You can block list the application with a Jamf app restriction, but that is all or nothing. If they want this to be granular they will need to onboard a tool (if one does not already exist) that can do this.


mattjerome
  • Jamf Heroes
  • November 6, 2025

You should also then look into blocking apps like iTerm. That would be an easy workaround for any developer. Maybe a better tactic is to block sudo access or make people standard users.
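
An added example, not part of the reply above or of any Jamf tooling: before moving people to standard accounts, it helps to know which local accounts are in the macOS `admin` group today. The script compares the group's members against an allowlist; the account names, the allowlist and the sample `dscl` output are constructed for illustration.

```shell
#!/bin/sh
# Added example: list local admin-group members that are not on an allowlist.

# Constructed sample of `dscl . -read /Groups/admin GroupMembership` output.
SAMPLE_DSCL='GroupMembership: root itadmin jdoe asmith'

# Hypothetical allowlist of accounts that are meant to keep admin rights.
ALLOWED_ADMINS='root itadmin'

# Print one admin-group member per line from dscl-style output on stdin.
admin_members() {
    sed -n 's/^GroupMembership:[[:space:]]*//p' | tr -s ' ' '\n' | sed '/^$/d'
}

# Print members of the admin group that are not in the allowlist ($1).
unexpected_admins() {
    allowed=" $1 "
    admin_members | while IFS= read -r user; do
        case "$allowed" in
            *" $user "*) ;;                    # allowlisted, nothing to report
            *) printf '%s\n' "$user" ;;        # admin rights outside the allowlist
        esac
    done
}

# On a Mac, read the live group; elsewhere fall back to the constructed sample.
read_admin_group() {
    if command -v dscl >/dev/null 2>&1; then
        dscl . -read /Groups/admin GroupMembership
    else
        printf '%s\n' "$SAMPLE_DSCL"
    fi
}

audit=$(read_admin_group | unexpected_admins "$ALLOWED_ADMINS")
if [ -n "$audit" ]; then
    echo "Accounts with admin rights outside the allowlist:"
    echo "$audit"
else
    echo "No unexpected admin accounts."
fi
```

This only reads direct members of the local `admin` group; accounts that gain admin rights through nested or directory groups are not covered.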


Shyamsundar
  • Jamf Heroes
  • November 10, 2025

You can use JAMF Restrictions to restrict Terminal access by scoping it to all Mac devices and setting up an exclusion. Create a policy that adds a device to the exclusion list for a set time, which users can run from Self Service. You can limit access to this policy by scoping it to specific AD groups, so only those users can log in to Self Service with their credentials. This way, Terminal access is blocked by default and only allowed when needed for certain users.