Blocking DMG

pty10
New Contributor III

Is there a way I can stop or block .DMG's from being run from MacBook Desktops or external sources? (e.g Usb's, external HDD's)

I work at a school and want to stop kids from running apps using DMG's. I have been able to stop them running apps directly using manage preferences (e.g. whitelisted /applications,/applications/library) but if they download a DMG or bring a DMG from home to install an app, they are able to do so and I want to stop that.

I'm aware of the option in configuration profiles to restrict media but I don't want to do that since students need to be able to access their documents in USB's, external HDD's, etc.

Any idea how to block just DMG's from running?

Thanks for reading,

Henry

2 REPLIES 2

dbrodjieski
New Contributor III

Henry-
Using configuration profiles, there is a setting to restrict Disk Images. Its in the same payload as the other media restrictions. You can still allow external disks, but you can change the restrictions for .DMGs specifically. Your choices are Allow, Require Authentication, and Read-Only. This should prevent your students from being able to mount .DMGs.

Hope that helps!

pty10
New Contributor III

Thanks Dan, that seems to work but have an issue. I find that it works best when I disable disk images in the payload and when I try to run the DMG, you get the error that you can't. But if you try to run the DMG a second time, the DMG tries to run, gets stock in 'attaching' but nothing happens and the only way you can stop it is by killing the process or rebooting the MacBook. Maybe something gets cached somewhere?

Not that I'm complaining, we might that way get students to come to the helpdesk asking why this happened and catch them that way trying to use a DMG they not suppose to.

If I use 'allow' and 'read only' in the payload for disk images, it doesn't always work. Required Authentication isn't an option we can use since some of the students know the admin password.

Cheers,

Henry