Hey Jamf Nation,
Is there a way to block local font installs on users' computers? Right now we manage fonts with Extensis UTC. We have issues with people downloading fonts from the internet and then installing them outside of UTC. This causes issues when other users go to open decks and creative files with those fonts. Is there a way to block them from downloading or installing fonts on their machines outside of UTC?
Thanks in advance.
Yes, actually. However, it's going to require the use of a script and a LaunchAgent.
You'll want to save the following as enforce_Font_Policy.sh and place it in /Library/Scripts/.
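```sh
#!/bin/sh
# Delete everything in the logged-in user's ~/Library/Fonts; abort if $USER is unset or empty.
rm -rf "/Users/${USER:?}/Library/Fonts/"*
```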
Then, save the following as com.toplessbanana.launchd.FontPolicy.plist and place it in /Library/LaunchAgents/.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.toplessbanana.launchd.FontPolicy</string>
    <key>ProgramArguments</key>
    <array>
        <string>sh</string>
        <string>/Library/Scripts/enforce_Font_Policy.sh</string>
    </array>
    <key>QueueDirectories</key>
    <array/>
    <key>RunAtLoad</key>
    <true/>
    <key>StartInterval</key>
    <integer>300</integer>
    <key>WatchPaths</key>
    <array/>
</dict>
</plist>
```
This way, any time the user logs into their account, the contents of ~/Library/Fonts/ will be deleted every 5 minutes. However, you're welcome to play around with the value StartInterval to suit your needs.
UTC can perform a similar function using its System Font Policy, but we found that it would have required us to whitelist every single font on the system, including those installed by macOS and third-party applications. Just wasn't practical in the long run.
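A variant of the cleanup script above that moves fonts into a quarantine folder and logs each one instead of deleting it, so admins can see which fonts keep appearing outside UTC. This is an added example, not code from the thread; the function name, the quarantine folder and the log path are assumptions.

```shell
#!/bin/sh
# Added example (not the original poster's script). The function name, the
# quarantine folder and the log path are assumptions chosen for illustration.

# quarantine_fonts FONTS_DIR QUARANTINE_DIR LOG_FILE
# Moves everything in FONTS_DIR into a fresh folder under QUARANTINE_DIR, logs
# each name, and prints the number of items moved. Returns 1 without touching
# anything if the arguments or FONTS_DIR look unsafe.
quarantine_fonts() {
    fonts_dir=$1; quarantine_dir=$2; log_file=$3
    # An empty argument must never turn the glob below into "/*".
    [ -n "$fonts_dir" ] && [ -n "$quarantine_dir" ] && [ -n "$log_file" ] || return 1
    # Only act on a real directory; a symlinked Fonts folder could point anywhere.
    [ -d "$fonts_dir" ] && [ ! -L "$fonts_dir" ] || return 1

    dest=""; moved=0
    for item in "$fonts_dir"/*; do
        # With no matches the pattern stays literal, so skip what does not exist.
        [ -e "$item" ] || [ -L "$item" ] || continue
        if [ -z "$dest" ]; then
            mkdir -p "$quarantine_dir" || return 1
            dest=$(mktemp -d "$quarantine_dir/$(date +%Y%m%d-%H%M%S).XXXXXX") || return 1
        fi
        mv -- "$item" "$dest/" || return 1
        printf '%s user=%s moved=%s to=%s\n' "$(date +%Y-%m-%dT%H:%M:%S)" \
            "$(id -un)" "${item##*/}" "$dest" >> "$log_file"
        moved=$((moved + 1))
    done
    echo "$moved"
}

# Demo on constructed sample data in a temporary folder (no real fonts touched).
# In the LaunchAgent, call it with the user's real folders instead, for example:
#   quarantine_fonts "$HOME/Library/Fonts" "$HOME/Library/FontQuarantine" \
#       "$HOME/Library/Logs/FontPolicy.log"
demo_root=$(mktemp -d "${TMPDIR:-/tmp}/fontdemo.XXXXXX")
mkdir -p "$demo_root/Fonts"
: > "$demo_root/Fonts/Downloaded Sans.ttf"      # constructed sample file
: > "$demo_root/Fonts/FreebieScript.otf"        # constructed sample file
echo "moved: $(quarantine_fonts "$demo_root/Fonts" "$demo_root/Quarantine" "$demo_root/policy.log")"
cat "$demo_root/policy.log"
rm -rf "$demo_root"
```

Because the LaunchAgent runs as the logged-in user, the quarantine folder and log stay writable by that user; treat the log as a convenience for spotting recurring fonts, not as tamper-proof evidence.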