Posted on 06-28-2024 06:52 AM
Hello Team,
I want to block two commands (sysadminctl and dscl) on mac devices through JAMF. Please let me know if I can do it through config profile, I can change the permission(000) by a script/command and run it via a JAMF policy but users are admin and very smart so that they will create another users via commands, so I am planning for config profile so that they cant run or change anything to make run on macs. Any idea will be appreciated. Thanks!
Posted on 06-28-2024 07:45 AM
You can use a Configuration Profile to disable Users and Groups, but Configuration Profile would not do anything like blocking a command from running unless apple made a domain to manage that function like they do with FileVault.
What you are wanting is something Jamf Protect can do or pretty much any other EDR tool like CyberArk, Carbon Black or Sentinel One. However, this is not something a Mobile Device Management platform like Jamf Pro can't do as this is a part of Apples Security Framework not the MDM Framework.
TL;DR: Use the right tool for the job or have a bad time, you need an EDR client and want to look at removing Admin access from users.
Posted on 06-28-2024 10:03 AM
I believe you should be able to use Restricted Software for this. Just enter the process name in the Process Name field.
Be careful when restricting access to sysadminctl. This is a system binary that macOS may call for some operations. You might break some core functionality it or Jamf Pro needs.
Posted on 07-03-2024 02:36 AM
You can also set up command groups in Terminal
https://www.networkworld.com/article/964736/building-command-groups-with-sudo.html