Jamf Nation Community

Are the users local administrators on their Macs? Because if they are, you/your org should really consider removing that ability from them. One of the nice things about using Jamf Pro for device management is that it greatly lessens the need for the users to have any admin rights on their Macs to do stuff. A lot can be pushed to their machines from Jamf, especially software installs, which tends to be the biggest reason why someone wants to be admin, or these things can be published to them in Self Service to run on their own.

Because once a user has admin rights, the unfortunate fact is that it's really hard to prevent them from making changes to 3rd party installed software. Apple has the OS itself locked down now for several OS versions, so there's not much to worry about there, but other tools can be fair game.

Of course, Crowdstrike can be configured to use InstallShield, which prevents it from being removed, which can help. I don't know about Rapid 7 and if it has something similar.

Other options could be restricting programs like Terminal and tools like Activity Monitor, so they can't tamper with much.

They are admins, based on the original post...

But I agree with @mm2270 about self service.  Some folks need to be admins, but many don't.  Self Service can take care of most needs for an average user...

For those applications specifically you will need to look into the "tamper" options if the vendor allows it.  you can also restrict the launching of other common applications.  The other super effective option is to enforce penalties for users who disable or remove certain apps that are required.  I.E. - If you are able to read a plist from crowd strike to see if its working(state)...based off that info you can then say, have a restrictive profile dropped onto the machine that restricts the opening of Outlook or other essential apps and maybe cutting network access - making your own on-device-based compliance that's non-removable as its a profile.  If they remove the software you can create a smart group that reports the violation and send it off to their manager(s).  I only bring these to the table as many places that have Admin rights currently will pushback hard when you start removing it.  

You need to reach out to the respective vendors. If they don't want their products messed with, they need to add anti tamper options. 

I suggest letting the venders earn their paycheck. However, if you want to try to reinvent the wheel. You can write scripts and extension attributes for JAMF to run which can do a health check on the applications and take action based on the results. Granted the fastest this could be is every check in but may prove to be a useful stopgap. 

We faced a similar dilemma.  Our solution (as other companies have tried) is CyberArk. We're slowly on-boarding that app, but it should have the ability to control what your users can/can't do even if they're admins. It was brought in for our Windows population, and the Macs are lumped in (we're about 1% of our overall fleet, so sort of an afterthought). But in early testing it does allow me to granularly control what can be done, even from terminal commands.  So far, I've got it blocking everyone's favorite - sudo jamf removeFramework - successfully. We also tested BeyondTrust, but found CA to be more robust/better user interface as well. It is not a cheap/quick/easy fix but if you go that route, you'll get the control you're after. 

Very true - it falls into line with the traditional mantra that Macs are second class citizens when working with corporate apps.

Securing Macs in a corporate environment is crucial. To prevent administrators from tampering with security software like CrowdStrike and Rapid7 on Macs managed by Jamf Pro, consider using a configuration profile to enforce restrictions. Create a profile using Jamf Pro that limits administrative access, restricts certain system preferences, and prevents users from modifying or disabling specified applications. Additionally, leverage Jamf Pro's management capabilities to regularly audit and ensure the integrity of your security software configurations.

I think providing a secure environment may depend on administrators discouraging tampering with Mac security software. Configuration profiles may give you some control over settings, but they may not give you the fine-grained control you're looking for. Using Jamf Pro's management features to impose restrictions on specific applications or system configurations is one way worth exploring. To prevent administrators from removing or disabling important security programs, custom configuration profiles or scripts can be written. Personally, I don't always pay attention to this. I can play here now on a slot machine, and in a couple hours go to play somewhere already on a non-authoritative resource. Therefore, in the light of constant changes, I advise you to pay attention to security and authoritativeness, if it is, for example, gaming.