Does anyone know if this can be automated?
We would like to compare a list of pre-approved applications to what applications are currently installed on our managed machines and which machines have those unapproved applications.
So far, I've been searching the inventory using .app to search and manually comparing this to our pre-approved software list.
Application searching in Jamf is sorta madness. I would try to look at local system states, but it would require a lot of work. It will require a lot of work either way. I am a huge fan of Spotlight, so if you have an approved app list, I would feed that into code and do a Spotlight search for all apps and then return the delta.
Spotlight will index everything on your computer, sans a few file system paths. It also tags those objects with metadata, which is very useful and powerful.
mdfind -onlyin /Applications/ "kMDItemKind == 'Application'"
That will return a list of every Application in
From there you can compare that to your list of pre-approved apps, and then take whatever action you want in code. Of course, running an Application White List via parental controls or an MDM config profile payload may be the better answer for this. You can also look at third-party projects like Santa from Google, which do binary white/black listing.
Last, you can use restricted software settings in Jamf to manage this as well, but that can be very labor intensive. Basically, it will be a full-time job managing black/white lists of apps, unless you have some sort of automation system in place to handle it.
So, I was actually working on a side project during the time this was posted. I have put together a Spotlight framework for app tagging and possible removal of the app if it leaves your management program. Mainly around the idea of BYOD, but my employer does not allow BYOD, so this was just for fun. I then wrapped DEP Notify around it
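The Spotlight approach suggested in the reply above (list every app, compare against the approved list, return the delta), as an added example that is not code from any poster in this thread. It assumes a hypothetical approved-list file with one bundle name per line, and it queries the content type rather than kMDItemKind because the kind string is localized.

```sh
#!/bin/sh
# Added example: report installed apps that are not on an approved list.
# Assumption: the approved list is a text file with one bundle name per line
# (for example "Safari.app"); blank lines and lines starting with # are ignored.

# List app bundle paths under /Applications via Spotlight (macOS only).
list_installed_apps() {
    mdfind -onlyin /Applications \
        "kMDItemContentType == 'com.apple.application-bundle'"
}

# Read app paths on stdin and print "name<TAB>path" for every bundle whose
# name is not in the approved list file given as $1 (case-insensitive match).
# Returns 2 if the list is unreadable, so a missing list is never mistaken
# for "nothing is approved" or "everything is approved".
unapproved_apps() {
    if [ ! -r "$1" ]; then
        echo "approved list not readable: $1" >&2
        return 2
    fi
    awk -v list="$1" '
        BEGIN {
            while ((getline line < list) > 0) {
                sub(/\r$/, "", line)                  # tolerate CRLF lists
                gsub(/^[ \t]+|[ \t]+$/, "", line)     # trim whitespace
                if (line == "" || line ~ /^#/) continue
                ok[tolower(line)] = 1
            }
        }
        {
            path = $0
            sub(/\/+$/, "", path)                     # drop trailing slash
            n = split(path, parts, "/")
            name = parts[n]
            if (name != "" && !(tolower(name) in ok)) print name "\t" path
        }'
}

# Usage on a managed Mac: ./app_delta.sh /path/to/approved_apps.txt
if [ -n "${1:-}" ] && command -v mdfind >/dev/null 2>&1; then
    list_installed_apps | unapproved_apps "$1" | sort
fi
```

A bundle name is easy to change, so treat the output as an inventory report to review rather than as enforcement.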