Jamf Nation Community

Users are also running SWF files in their own web browsers. Is this something we can block???? Thanks for the suggestions Andy!

Can't wait till they figure out that here!!

What we are doing is running an Applescript to check if "java" is the frontmost Application, and if so, just kill java. This way java web applets are not affected. If you wanted to do it all in applescript:

tell application "System Events"
    set frontApp to the name of every process whose frontmost is true
end tell

set isMatch to "0" = (do shell script "[[ " & quote & frontApp & quote & " =~ [Jj]ava ]]; printf $?")

if isMatch is true then
    do shell script "ps -axo pid,comm | awk '/[Jj]ava/{print $1}' | xargs kill"
end if

This is only minimally tested, but it's pretty close to what I do that already works.

I thought of something like that unfortunately I am running papercut here and all users have to use the papercut client, which is a java app.

Anyway until there is a way to lock down java there is really nothing we can do, just have the teachers teach responsible computing...

Thanks for posting the process list @AndyBeaver

Very Nice DVG

We actually use a script to search for "minecraft", crank the machine volume to 10 and use a Say command to not play Minecraft on this machine, as it is against our AUP. It's not foolproof, but it's been a pretty good deterrent--our teachers actually appreciate it when we catch someone because they're immediately aware. Our next step is to start deleting map files and the app itself, but I'd just rather disable the process, if possible. Our EOC browser is a jar, so we can't kill java outright.

@DVG : That I would like to see! Can you post that script please DVG?

@JRM. Awesome. Love you. And yes I am mean. :)

Rm a coming kids...

Okay still will discuss it with the edu team.

JRM,

I have errors come up saying that fi is error when I run this policy/script what is wrong?

I have the same issue as technicholas. This is the error log I get.

Any ideas?

/usr/sbin/jamf is version 8.63
Executing Policy Stop Minecraft App Support...
Mounting smb://jss.bcpsk12.net/CasperShare to /Volumes/CasperShare...
Running script Stop Minecraft App Support.sh...
Script exit code: 2
Script result: /private/tmp/Stop Minecraft App Support.sh: line 15: syntax error near unexpected token `fi'
/private/tmp/Stop Minecraft App Support.sh: line 15: `fi'
Unmounting file server...

Apologies: I never saw that there were issues on this. The if statement was missing a "then"

#!/bin/sh
# current user is $3
set -x
# first, lets make the directory if one doesn't exist.
if [ ! -d "/Users/$3/Library/Application Support/minecraft" ]; then 
    mkdir "/Users/$3/Library/Application Support/minecraft" 
fi

cd "/Users/$3/Library/Application Support/"

# Remove the permissions on the folder and everything in it unless they were already set
if [ ! `ls -la | grep minecraft | awk '{print $1}'` == "d---------" ]; then 
     chmod -R 000 "/Users/$3/Library/Application Support/minecraft"
fi 

# Set the owner and group to root : wheel
if [ ! `ls -la | grep minecraft | awk '{print $3}'` == "root" ] && [ ! `ls -la | grep minecraft | awk '{print $4}'` == "wheel" ]; then
     chown -R root:wheel "/Users/$3/Library/Application Support/minecraft"
fi

This applescript seemed to work pretty well, we set it to a 60 second launch agent. For some reason it needs to be saved from Applescript Editor as Text, not as a script. Then point to it using osascript /path/to/text.applescript

try tell application "System Events" ignoring white space and case set killme to unix id of every application process where displayed name contains "minecraft" end ignoring end tell do shell script "kill " & killme
on error errorMessage log "Minecraft isn't running"
end try

Assuming something in the users minecraft directory changes at launch or shortly afterwards

/Library/LaunchAgent/your.plist

Set a plist with a watchpath to the users minecraft directory (or sub directory as appropriate). As of 10.8, LaunchAgents recognise ~/. If it changes:

killall -HUP loginwindow

or

reboot

Aggressive, but they'll soon learn!

So I just launched Minecraft (on my personal machine) and the process comes up as "Minecraft". What is the problem with just blocking that Process?

cd /users find . -type d -name 'Minec' -exec rm -rfv {} ; find . -type d -name 'minec' -exec rm -rfv {} ; find . -type f -name 'Minec' -exec rm -rfv {} ; find . -type f -name 'minec' -exec rm -rfv {} ; osascript -e 'set volume 10' say 'Do not play minecraft at school!'

Sorry it took me a bit to post this...Crude, yes, but effective.... :)

I realize this thread is fairly old but I used to just block the JAR launcher in /System/Library/CoreServices/ which effectively prevented this in the past only to find now it does not. JAMF pops up saying JAR Launcher is a restricted app but still launches the file. Currently I have implemented the AppleScript and Launch Daemon method as I don't know of any java based apps we actually utilize and can deploy the script and daemon only to known offenders by creating an EA that looks for the existence of the minecraft folder then create a Smart Group from that EA and scope a policy to install a pkg containing the Launch Daemon plist and script.

EA:

#!/bin/sh
if [ -d /Users/*/Library/Application Support/minecraft ]
then 
  echo "<result>True</result>"
else
  echo "<result>False</result>"
fi

Daemon: (Changing "yourcompany" in the Label string, possibly the path to where you want the script to reside, and the "x" under StartInterval to a number in seconds for how often you want it to run)

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>KeepAlive</key>
    <dict>
        <key>SuccessfulExit</key>
        <false/>
    </dict>
    <key>Label</key>
    <string>com.yourcompany.nominecraft</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/bin/osascript</string>
        <string>/Library/Scripts/NoMinecraft.scpt</string>
    </array>
    <key>RunAtLoad</key>
    <false/>
    <key>StartInterval</key>
    <integer>x</integer>
</dict>
</plist>

Script: per @nextyoyoma

tell application "System Events"
    set frontApp to the name of every process whose frontmost is true
end tell

set isMatch to "0" = (do shell script "[[ " & quote & frontApp & quote & " =~ [Jj]ava ]]; printf $?")

if isMatch is true then
    do shell script "ps -axo pid,comm | awk '/[Jj]ava/{print $1}' | xargs kill"
end if

The pkg can be put into a policy scoped only to computers in the Smart Group and the daemon can be kicked off by configuring a Files & Processes payload to include "launchctl load /Library/LaunchDaemons/com.yourcompany.nominecraft.plist" as an execute command... no " " needed in the actual command.

As I am doing this in Mojave I did have to also create a PPPC for osascript in /usr/bin using [PPPC Utility](https://github.com/jamf/PPPC-Utility as of 10.14.5 this is working.

Thanks @nextyoyoma I also tried @JRM solution for what I found on a student computer but it didn't seem to have any effect on the ability to launch the jar files they had in their /Library/Application Support/minecraft folder.

I have a similar daemon and applescript for kids that search for unblocked games in class all day that simply looks for keywords in the tabs of browsers and closes the tabs it finds those keywords in for Safari and Chrome. I'm all for teaching responsible computer use and classroom management but sometimes you just need a hammer.