With admin rights enabled, it makes enforcement complicated. You can't really prevent anyone from installing apps into the main Applications folder or any other locations.
You could start by generating a list of all known applications that you'd like to block and begin putting these into Jamf Pro's Restricted Software. My suggestion is to locate and use the actual process name when the application is running, instead of using the application bundle name, since the latter can be trivially bypassed by renaming the app to something else. Users (even admins) cannot rename the application executable without breaking the app, short of compiling it from code under a different executable name or something drastic like that.
You could also use some of the carrot and stick approach here. Create Smart Groups for machines that have some of the bigger violating apps installed on them (like torrent apps, etc.) and use those groups as Exclusions for some of the items that the clients really need, like WiFi access or something else that's business critical. When they install those apps and the machine recons, it will land in those groups and remove access to the resources they need, which should get their attention. You might need to pair something like that with a policy that pops up a message to them explaining that their Mac is in violation of company policy because of unapproved apps, or something to that effect.
In the end, this really is a people problem and not a technical one. Set the expectation up front on this that there is only so much you can do with technology. Repeat offenders should be directed to an HR person/department to have a discussion with them about adhering to company policy. What I mean is, you can remove and restrict apps all you want, but if they keep doing it, the only thing that might work to stop it would be the prospect of being let go by the organization because of it.
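The process-name point in the post above, as an added example that is not part of the original thread: a Python sketch that reads each bundle's `CFBundleExecutable` from `Info.plist` and matches on that instead of the bundle name, so a renamed bundle is still caught. The blocklist entries and the demo bundles are constructed placeholders, and it assumes the running process name matches `CFBundleExecutable`.

```python
import plistlib
import tempfile
from pathlib import Path

# Constructed placeholder executable names, not real product values.
BLOCKED_EXECUTABLES = {"examplegame_bin", "exampletorrent"}

def bundle_executable(app: Path):
    """Return CFBundleExecutable from an .app bundle's Info.plist, or None."""
    info = app / "Contents" / "Info.plist"
    try:
        with info.open("rb") as fh:
            return plistlib.load(fh).get("CFBundleExecutable")
    except Exception:
        return None  # missing or malformed plist: nothing to match on

def scan(root: Path):
    """Return (bundle name, executable) for every blocked app under root."""
    hits = []
    for app in sorted(root.rglob("*.app")):
        exe = bundle_executable(app)
        if exe in BLOCKED_EXECUTABLES:
            hits.append((app.name, exe))
    return hits

def make_bundle(root: Path, bundle_name: str, executable: str):
    """Build a minimal constructed .app bundle for the demo."""
    contents = root / bundle_name / "Contents"
    (contents / "MacOS").mkdir(parents=True)
    with (contents / "Info.plist").open("wb") as fh:
        plistlib.dump({"CFBundleExecutable": executable}, fh)

def demo():
    """Scan a temporary folder holding one blocked app, one renamed copy, one benign app."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        make_bundle(root, "ExampleGame.app", "examplegame_bin")
        # Same app with the bundle renamed: a bundle-name match would miss it.
        make_bundle(root, "Quarterly Report.app", "examplegame_bin")
        make_bundle(root, "TextEdit.app", "TextEdit")
        return scan(root)

if __name__ == "__main__":
    for name, exe in demo():
        print(f"{name}: executable '{exe}' is on the blocklist")
```

The executable names this reports are the values to enter as the process name in Restricted Software; pointing `scan()` at `/Applications` on a managed Mac gives the same listing for real bundles.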
@tgoodpaster Long-time Jamf user here (since like version 5), and software packaging, deployment and patching has always been sort of a crunchy process with many management tools; Jamf is no exception here. I put up this feature request to manage the Application state of devices and do it from a local code/inventory base.
Now it doesn't stop people from installing Steam on their computers, but there are ways to do that if you so decide to. Jamf has built-in app blocking and there are open source tools like Santa that can do black/white listing of apps/binaries.
Now my personal opinion is, let people have admin access, and if they break the rules by playing video games at work, their management and HR should resolve that issue, not IT. I get it though, you are at a startup, so you lack a lot of infrastructure and structured process. I know this too well because I also have worked at and currently work at a startup.
So, right now you might have to chain together policies and use Restricted Software in Jamf, but take a look at my feature request for managing the application state with an application catalog.
Thanks
Tom
I like the idea Tom has come up with. As a stopgap you can always make a few Smart Groups so that if the Steam app is installed, the machines are put into that group, then run an rm -rf steam.app and make that an ongoing policy. That way if the machine falls into that group it'll be removed. You can also put it into Restricted Software, but being that they are admins they might be able to override that. I could be wrong on that bit.
Restricted Software section in Jamf. You just figure out what the process name is, and restrict it from running. It can kill the process, email you when it triggers, notify the user, and I believe delete the app.