Posted on 03-06-2023 12:08 AM
May I know if we have a way to prevent admin users to uninstall an app from Macbook
Any lead:- Configuration profile from Jamf
Posted on 03-06-2023 03:20 AM
as far as i can think of, there is no way to stop Adminusers from uninstalling Apps. However you can create a sort ofSelf-Repairing Policy for the App.
For this you need to create a Smart Group that checks if the App is installed.
The Installation Policy of that App then is Set to ongoing and excludes the Smart Group of Computers that have this App installed.
This heavily depends on how often you are collecting a new Inventory for this Device.
Posted on 03-06-2023 03:22 AM
Don't we have a way that we can put a kind of Lock mode for an app from Jamf Configure profile.
And when any user try to uninstall, shows restricted/unauthorized.
Posted on 03-06-2023 04:01 AM
Well there is a key to disallow uninstallation of apps. Even According to Apple:https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf#34
but that is an all or nothing option. You sadly can not stop a User from uninstalling specific App.
I assumed from your text that you wanted to prevent the uninstallation for specific Apps. Which is why i said it is not possible and wrote down the option of using smart groups.
But if you want to disallow uninstallation of all Apps for Users you can try the Configuration Profil
Posted on 03-06-2023 05:42 AM
Without doing drastic measures like flagging the file as immutable there is not much you can do aside of removing admin access.
If the app in question is mission critical I would recommend making a smart group to read if the app is installed. Then scope that group to a policy to install the app. If a user removes the App it will reinstall at next check in.
Posted on 03-06-2023 05:47 AM
I understood this is the way major people suggested. However, I was looking if we can get a way from Jamf Configure we can deploy a payload and that will either restrict the app from uninstallation or ask for a password. :(
Posted on 03-06-2023 06:11 AM
What you are wanting is something called privilege management, and this is not within Apples MDM workflows that JAMF uses. There are 3rd party tools you can get to do exactly what you are wanting though.
CyberArk Endpoint Privilege Manager for macOS
How configuration profiles work, is they basically set a value to a key pair. The key pair needs to already exist for a configuration profile to utilize it, JAMF cannot "magic" a key pair in to existence. Key pairs come in to existence usually one of two ways.
Not that I recommend this in the slightest, but you can flag a file as immutable. A user can remove the flag if they knew it was there with sudo access, and you need to remove the flag before you could update or do anything to the application but it is an option.
How to Use File Flags to Modify File Behavior in macOS - Make Tech Easier
Posted on 03-11-2023 07:40 PM