Allow/Restrict Application launch folders (Noob!)

New Contributor

Hi guys,

I'm basically trying to achieve running the Unreal4 Engine on our macs here at school.

I initially got the program to work by simply granting permissions to a few folders. These were the folders.


Now, when the students access textures and such, it needs access to a whole lot of other folders, the user is given a "You do not have permission to launch X" error

You can see in my screen shot, I'm starting to add way to much stuff, when really, I'm just trying to grant full read access from
- (Currently still need to specify specific exact folders, they dont inherit permissions from this level)

Attached is a screen shot of the policy. Nothing else is scoped out to the device.

Thanks alot!


Contributor III

Can you try a wildcard?


Valued Contributor II

How does your school system block and unblock games/applications? In addition to the how, what is their primary purpose in doing so? That can have a big effect on the ways you SHOULD blacklist/whitelist apps and app locations.

There are many ways to skin this particular cat!

New Contributor

Working on it this as we speak guys.

Firstly will try packaging the program with proper read/write access.

Next I'll try the wildcard.

Thanks - Will update you!


I've tried the wildcard, unfortunately this doesn't push down permissions to the subfolders.

I've also tried packaging the program with full read access, but the above profile is still blocking the subfolders.

Any ideas? I know a sudo chmod 777 would work however the students would then have too much access.

Valued Contributor II

Funny question... how do you KNOW that a 'sudo chmod 777' will work. If the profile is blocking said sub folders then all the things your doing to the permissions aren't going to matter. At least I don't think they would. What are the restrictions that you have set?

P.S> Have you contacted JAMF support?

New Contributor II

nothing else is scoped to the device? not even disallowed folders?

New Contributor

No other profiles scoped to the machine. Do you guys think it may be the 'Restrict which apps are allowed to launch' tickbox?

I actually dont know the chmod777 would work, just an assumption. I'll test.

Thanks for the ongoing support

I now ran a config profile with an unticked Restrict which apps are allowed to launch tickbox. It now works, but now the students could potentially run any app, game etc. So I'm not sure this is a complete solution. Does anyone have anything further?


Valued Contributor II

What are you specifically trying to prevent? Students shouldn't be able to just install anything without an administrative password. OK, so MAS apps are different but those can be sorted out with the check box in your picture above "Restrict App Store to Software Updates Only".

And yes, I'm probably missing much about your situation.