I have a fun head scratcher. Curious if any of you have input, as I'm out of ideas.
I have a JSS in a lab environment, and the client wants to block the developers from downloading and installing local apps, as well as them being managed local accounts, and having access to the internet. The use case is a highly secure environment where the users cannot have the ability to send potentially sensitive data to the outside world, so installing apps is not acceptable. However, these users are running Xcode, which itself creates applications.
We have no LDAP of any sort, are handling MCX via JAMF, and have some Restricted Software settings in place. The relevant MCX is the application.access settings providing whitelists and blacklists.
By telling the Mac where it can or cannot allow the current user to execute code, combined with standard file permissions, this provides a paradox worthy of a silly man in a blue box. Xcode ends up trying to run processes and execute project files not specifically allowed by the MCX, and ends up in an endless loop of admin passwords that never actually end. The result is unusable.
We can't fully rely on Restricted Software, as that Whack-A-Mole style of process management does not scale.
I've thought of scripts or launchd items to watch specific folders, but that only alerts of problems that already exist and doesn't actually block the user.
I don't want to suggest blocking off the network for these computers, but that might be the only option.
My head hurts thinking about this. Does anybody have a bright idea?
Thank you!
- D
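A dry-run checker for the situation the post describes, added here as an illustration; it is not code from the original post, from JAMF, or from Apple. It models a path-based allow/deny list of the application.access kind and reports which executables on a developer Mac fall outside both lists, since those are the ones that trigger the admin-password prompts. The key names (`pathWhiteList`, `pathBlackList`), the prompt-on-unlisted behaviour, and every sample path are assumptions constructed for this example, not values taken from the post.

```python
"""
Dry-run audit of a path-based application allow/deny policy against a
list of executables, to find the ones the policy neither allows nor
denies (the "prompt for admin" case described in the post).

Added example, not code from the original post or from JAMF/Apple.
Key names and sample paths below are assumptions for illustration.
"""
import os
import plistlib

# Constructed sample policy: allow the Xcode bundle and system tools,
# deny the user's Downloads folder. Key names are assumptions.
SAMPLE_POLICY = {
    "pathWhiteList": [
        "/Applications/Xcode.app/",
        "/System/",
        "/usr/bin/",
    ],
    "pathBlackList": [
        "/Users/dev/Downloads/",
    ],
}

# Constructed sample of executables found on a developer Mac. The
# DerivedData and .build entries stand in for binaries Xcode itself
# produces when a project is built.
SAMPLE_EXECUTABLES = [
    "/Applications/Xcode.app/Contents/MacOS/Xcode",
    "/Applications/Xcode.app/Contents/Developer/usr/bin/xcodebuild",
    "/usr/bin/clang",
    "/Users/dev/Library/Developer/Xcode/DerivedData/MyApp-abc/"
    "Build/Products/Debug/MyApp.app/Contents/MacOS/MyApp",
    "/Users/dev/Projects/MyApp/.build/debug/helper",
    "/Users/dev/Downloads/Installer.app/Contents/MacOS/Installer",
]


def _under(path: str, prefix: str) -> bool:
    """True if path lies under prefix (prefix treated as a directory)."""
    p = os.path.normpath(path)
    d = os.path.normpath(prefix)
    return p == d or p.startswith(d + os.sep)


def decision(path: str, policy: dict) -> str:
    """Classify one executable under the assumed policy semantics:
    'deny' if under a denied prefix (deny wins), 'allow' if under an
    allowed prefix, else 'unlisted' (the user would be prompted)."""
    if any(_under(path, p) for p in policy.get("pathBlackList", [])):
        return "deny"
    if any(_under(path, p) for p in policy.get("pathWhiteList", [])):
        return "allow"
    return "unlisted"


def audit(executables, policy) -> dict:
    """Map every executable path to its decision."""
    return {p: decision(p, policy) for p in executables}


def unlisted(executables, policy) -> list:
    """Executables the policy neither allows nor denies. Each of these is
    a source of the repeated admin prompts; build products under the
    user's home are the typical offenders, and whitelisting that whole
    directory would allow anything the developer chooses to put there."""
    return sorted(p for p, d in audit(executables, policy).items()
                  if d == "unlisted")


def load_policy(plist_path: str) -> dict:
    """Read a policy from a plist file with the assumed key layout."""
    with open(plist_path, "rb") as fh:
        return plistlib.load(fh)


if __name__ == "__main__":
    for path, verdict in audit(SAMPLE_EXECUTABLES, SAMPLE_POLICY).items():
        print(f"{verdict:9} {path}")
```

Run against a real exported policy with `load_policy()` plus a list of paths gathered from the build output directories, the gaps it reports are the prefixes that would have to be allowed for Xcode to work, which makes the trade-off in the post concrete: allowing a writable build directory allows any executable the developer produces there.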