Question

Restrict the admin user from installing any applications on Mac.

  • May 22, 2024
  • 17 replies
  • 873 views


We would like to restrict our admin user from installing any applications via installer files (pkg or dmg) on their Mac. There is a functionality in the configuration profile under Restrictions that allows us to check "Restrict the App Store," but this only prevents users from opening the App Store. They can still download package files from the web and install them. Is there any way to restrict admin users through a script or configuration profile?

17 replies

  • Honored Contributor
  • May 22, 2024

Not directly. You could look at other software, such as Google Santa, to restrict certain actions.

I guess the question is why leave the user as an admin if you don't want them to install software. Why not demote them to a standard user? If there is something they need admin ability for, there are several options. You could use a simple "Make me an Admin" script in Self Service, use a tool like Privileges or Jamf Connect for temporary privilege escalation, or a dedicated EPM tool that allows for very granular escalation.


talkingmoose
  • Community Manager
  • May 22, 2024

Local admins can do anything including installing software. That’s what the privilege of being an admin allows.

If you want to restrict this privilege, you should change this user a standard user.


  • Contributor
  • May 22, 2024

As you ask? No. Admins have admin rights.

You could demote all users to standard after enrollment and then add either a 'Make me admin'-like profile/app with approval of each time-limited request, or add a hidden admin with a static, yet computer-specific, password.
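
The "demote all users to standard after enrollment" step described above, as an added example written for this page and not the poster's own script: a Jamf Pro policy script that removes every member of the local admin group except a keep list. The management account name jamfadmin, the use of Jamf script parameter $4 for the keep list, and the DRY_RUN switch are assumptions; the dscl and dseditgroup invocations are the standard macOS ones.

```shell
#!/bin/sh
# Added example: demote every member of the local admin group except the
# accounts listed in KEEP. Written as a Jamf Pro policy script, so the keep
# list arrives in $4 (Jamf passes script parameters starting at $4).
# The management account name "jamfadmin" is an assumption; replace it.
# DRY_RUN=1 (the default) only reports; set DRY_RUN=0 to actually demote.

KEEP="${4:-root jamfadmin}"
DRY_RUN="${DRY_RUN:-1}"

# Decide who gets demoted. Pure string logic, so it can be exercised without dscl.
# $1 = current admin group members (space separated), $2 = accounts to keep.
# Returns the members of $1 that are not in $2, space separated.
demotion_candidates() {
    out=""
    for m in $1; do
        keep_it=0
        for k in $2; do
            [ "$m" = "$k" ] && keep_it=1
        done
        [ "$keep_it" -eq 0 ] && out="${out:+$out }$m"
    done
    printf '%s' "$out"
}

# Read "GroupMembership: root alice bob" from Directory Services and drop the label.
current_admins() {
    dscl . -read /Groups/admin GroupMembership | sed 's/^GroupMembership: //'
}

# Remove each candidate from the admin group (must run as root for the real thing).
demote_admins() {
    for u in $(demotion_candidates "$1" "$KEEP"); do
        if [ "$DRY_RUN" = "1" ]; then
            echo "would demote: $u"
        else
            dseditgroup -o edit -d "$u" -t user admin && echo "demoted: $u"
        fi
    done
}

# Only consult Directory Services on a Mac; elsewhere the functions are still usable.
if command -v dscl >/dev/null 2>&1; then
    demote_admins "$(current_admins)"
fi
```

Run it once with DRY_RUN=1 scoped to a test group and read the output before flipping DRY_RUN to 0. Always keep at least one management account in the keep list, and pair the demotion with a Self Service or Privileges-style elevation workflow as the replies above suggest, otherwise the first support ticket will be a request to be made admin again.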


mm2270
  • Legendary Contributor
  • May 22, 2024

Not meaning to pile on here, but what others above have stated is correct. You can't restrict a local admin from doing admin-y things, because that's what being an admin gives them. You can lock some things down in the UI using profiles that even an admin can't override, but installing software is not one of those things.

I suppose you could block the Installer.app in the OS (/System/Library/CoreServices/Installer.app) using a Restricted Software title, but they could still use the command line "installer" to install software if they are determined and savvy. And that wouldn't help at all in the case of drag and drop installs, like many browsers and simple apps for example. No, the only foolproof thing to do is demote them to standard users. 

I know the latter is sometimes difficult to roll out in environments that started with no device management and you are trying to get your arms around a wild west type situation, and I'm only taking a guess that might be your case (sorry if that's wrong), but keep in mind that you can heavily leverage Self Service policies to give the end users some level of control to do some admin like tasks without them being admins all the time. It can be a nice compromise between no control and total control. Or like mentioned, use one of the many make me an admin style workflows out there.

Good luck.


AJPinto
  • Legendary Contributor
  • May 30, 2024

You cannot restrict admins from doing admin things, as others have said. You really don't want your users to have admin access, and need to evaluate why your users need admin access. If it's for things like mapping printers or messing with networks, those rights can be given to non-admin users. If users must have elevated access, look into permissions management tools like CyberArk EPM to handle the permissions management (which can block an admin from doing things like running a .pkg).



Hello, bringing this back to life because, as per my understanding, standard users can also install apps on their own Application folders. For those who mentioned demoting the user to a Standard account, how do you deal with this? 

Thanks


  • Jamf Heroes
  • August 26, 2025

You could block access to user’s Applications folders (e.g. by making them owned by root:wheel), but it’s just a folder. The user could create another folder within their home directory (e.g. Applications2) or simply run a downloaded app from the Downloads folder. As long as the installer doesn’t try to write to a location outside of the user’s home directory, it won’t require admin rights.


So it depends what you’re trying to achieve. Is there a particular security concern of users running apps within their own home directories?


sdagley
  • Jamf Heroes
  • August 26, 2025

If you want fine grained control over restricting what apps a user can run on a Mac then you might want to look at the Santa tool (formerly a Google project, now being developed by North Pole Security):

https://github.com/northpolesec/santa

https://santa.dev


Keith.Lim
  • New Contributor
  • April 1, 2026

I'm using northpolesec Santa, deploying StaticRules profiles via Jamf Pro custom settings. The profiles are deployed to the Macs properly, but Santa doesn’t seem to ‘respect’ the rules, and apps are still able to launch even when set to BLOCKLIST.


Keith.Lim
  • New Contributor
  • April 1, 2026

Wondering if anyone has any idea how to solve this, and why this is happening?

Mode is set to Monitor.


Chris_Hafner
  • Jamf Heroes
  • April 3, 2026

Just wanted to throw in an idea I haven’t seen here yet… and my apologies as I haven’t tested this but if you have Jamf protect, you could block mounting a .dmg or running a .pkg using the agent pretty quickly. Bonus points if you set it up only for the logged in user so it doesn’t get in the way of policies you might have that would also want to use a .dmg or .pkg. My apologies if I haven’t read something in here that makes me look extra silly.


That said, like everyone else I wonder about the problem statement in the first place. If you have admin users you can’t trust, the issue may need a non-technical resolution. So I do wonder why you’re in the position you are with this. 


avagrace
  • New Contributor
  • April 4, 2026

Restricting a local admin from installing software is a bit like giving someone the keys to a house but trying to lock them out of the kitchen. As long as they have "sudo" rights, they can usually find a way around most native restrictions.

Here are the most practical ways to handle this:

1. The "Cleanest" Way: Demote the User
If you don't want them installing software, they shouldn't be an admin.

Change their account type to Standard.

Use a tool like Privileges (by SAP) or MakeMeAdmin. This allows them to request admin rights temporarily for specific approved tasks, rather than having them permanently.

2. Use a Binary Authorization Tool
Since Jamf configuration profiles primarily target the App Store or specific Preferences, you need something that monitors the file system level:

Google Santa: This is the industry standard for macOS. You can set it to "Monitor" or "Lockdown" mode. In Lockdown, only binaries you've explicitly whitelisted can run, effectively blocking any new .pkg or .app installations.

3. Restricted Software Records (Jamf Pro)
If you have specific apps you want to block:

Go to Computers > Restricted Software.

Add the process name (e.g., Install macOS Sequoia or Dropbox).

Check the box to "Kill Process" if it's found. It’s not a blanket ban, but it’s very effective for known installers.

4. MDM Restrictions
In your configuration profile, ensure you have these toggled:

Restrict App Store (which you've done).

Disable "Allow identified developers" in Security & Privacy. This forces the system to only allow App Store apps, though an admin can still manually override this in Settings unless you've also restricted that pane.


thebrucecarter

We’re also moving in the standard user direction. For lots of reasons. A plethora, in fact… 🤓


sandhyakachhap3

@deep786 If the user has admin rights, completely blocking PKG/DMG installations isn’t possible using native macOS controls, as admins are allowed to install software by design.

A more effective approach in enterprise environments is to use EDR/security tools (like Defender) to enforce application control (whitelisting/blacklisting), 


atomczynski11

Let’s change the naming of this

allow listing / disallow listing


mattjerome
  • Jamf Heroes
  • April 7, 2026

I would ask what problem you are trying to solve. Saying you don’t want them to install anything sounds like a solution to a problem, but not what the problem is. The solution you have in mind may not be the only solution to your problem.



You can consider using the following functions:
1. In the configuration profile, go to Restrictions > Media > Disk Images and uncheck the box (disallow access to DMG files).
Note: The restriction on mounting DMG files in the configuration profile may not take effect. Officially, this function is slated to be removed. (A restart is required.)
2. Restricted Software:
Restrict the "installer" command to prevent installing pkg applications from the terminal.
Restrict the "hdiutil" command to prevent users from mounting DMG files.
This is just a suggestion for your reference. Good luck!!!