Jamf Nation Community

mgdmdz · ‎02-23-2023

https://community.jamf.com/t5/jamf-pro/macos-ventura-amp-blocking-access-to-users-amp-groups-pane-in...
here there are some good suggestions regarding blocking panes inside the system settings.

My question is- can you block the System Settings app altogether from launching? Like PathBlackList magic?

So that it'd require admin password to launch?

<key>pathBlackList</key>

this doesn't seem to work.

sdagley · ‎02-23-2023

@mgdmdz You could create a Restricted Software configuration that blocked the process named System Settings but it's probably not a good idea. And there is no option on a Restricted Software configuration to allow the restricted process to run if you have an admin password.

mgdmdz · ‎02-23-2023

thank you, actually PathBlackList started working miraculously (or it just took its sweet time).

sdagley · ‎02-24-2023

@mgdmdz I believe the Configuration Profile restrictions require a restart before they become active.

If you decide the PathBlackList isn't sufficient for your needs, and want to investigate EPM tools which provide more fine grained access control like @AJPinto suggests I'll mention BeyondTrust's Privilege Management for Mac product as an option. I'm not mentioning it as an endorsement, but as a product that has very good vendor engagement on the MacAdmins Slack (specifically in the #beyondtrust-priv-man channel).

AJPinto · ‎02-24-2023

You cannot require something to have admin access to open, its block or do not block. I would not recommend blocking system preferences, that is a very bad idea.

Sounds like you guys probably want a 3rd party tool to control what opens and who has access to open it. Look in to something like cyberark epm. It can restrict individual binaries and either allow anyone to open it, block it for everyone, or require specific credentials to open. It can also run a process as admin even if the user is a standard user.

Jamf Nation Community

Can you block System Settings?