Block High Sierra snapshots


At JNUC this year, Rich Trouton gave a great panel on all that is APFS. I learned a ton, and one of those things that I remembered from his panel was that APFS natively supports OS snapshots. While this is still different from Time Machine, it is invoked by using the tmutil command.

We currently block access to Time Machine via a config profile payload blocking the panel in System Preferences. Does anyone know if there's a way to restrict snapshots altogether other than the ones that the OS natively captures, like the snap it takes before doing an OS upgrade?

I may be overthinking it or I might be overly paranoid, but I just want to make sure we're covered, especially because we use CrashPlan for file backup so, to me, there's no need for our organization to use snapshots.



What is the concern around users triggering a snapshot? And are they technical enough that they will open up the Terminal to create one?