Can you block System Settings?

mgdmdz
New Contributor

https://community.jamf.com/t5/jamf-pro/macos-ventura-amp-blocking-access-to-users-amp-groups-pane-in...
here there are some good suggestions regarding blocking panes inside the system settings.

My question is- can you block the System Settings app altogether from launching? Like PathBlackList magic?

So that it'd require admin password to launch?

 

<key>pathBlackList</key>

this doesn't seem to work.

 

4 REPLIES 4

sdagley
Esteemed Contributor II

@mgdmdz You could create a Restricted Software configuration that blocked the process named System Settings but it's probably not a good idea. And there is no option on a Restricted Software configuration to allow the restricted process to run if you have an admin password.

mgdmdz
New Contributor

thank you, actually PathBlackList started working miraculously (or it just took its sweet time).

sdagley
Esteemed Contributor II

@mgdmdz I believe the Configuration Profile restrictions require a restart before they become active.

If you decide the PathBlackList isn't sufficient for your needs, and want to investigate EPM tools which provide more fine grained access control like @AJPinto suggests I'll mention BeyondTrust's Privilege Management for Mac product as an option. I'm not mentioning it as an endorsement, but as a product that has very good vendor engagement on the MacAdmins Slack (specifically in the #beyondtrust-priv-man channel).

AJPinto
Honored Contributor III

You cannot require something to have admin access to open, its block or do not block. I would not recommend blocking system preferences, that is a very bad idea.

 

Sounds like you guys probably want a 3rd party tool to control what opens and who has access to open it. Look in to something like cyberark epm. It can restrict individual binaries and either allow anyone to open it, block it for everyone, or require specific credentials to open. It can also run a process as admin even if the user is a standard user.