Posted on 09-04-2015 06:55 PM
Hey folks, really hoping someone out there has had some experience dealing with the issue I am about to describe…
Workstations are randomly losing the ability to launch any executable in my environment; the only current solution to the issue is to restart the device. Upon reboot, the ability to launch applications is restored until it randomly happens again…
Clients are running 10.9.5, build 13F34, being managed by configuration profiles and logging in to local accounts. I have 22 profiles in total scoped to machines, each broken down by respective preference domain (for troubleshooting purposes). While troubleshooting I have found that if the configuration profile controlling application whitelisting and blacklisting, com.apple.applicationaccess.new preference domain, is removed from the machine, the ability to execute is restored. If reapplied, apps once again do not launch.
I have attempted the following, all of which end in random inability to launch executables:
- deploying only com.apple.applicationaccess.new configuration profile
- rebuilding com.apple.applicationaccess.new configuration profile
- building new profile using JSS’s Restrictions Payload
- testing using freshly built OS X installer using AutoDMG and individually testing all 3 above configuration profiles
- testing by enrolling a fresh OS, installed via recovery partition, and individually testing all 3 above configuration profiles
I have been advised to try Yosemite, as Mavericks has a known issue with restricting application access via configuration profile, but I refuse to believe that no one else out there has had success with applying restrictions to Mavericks. Any help would be greatly appreciated.
Posted on 09-07-2015 05:48 AM
I have zero experience of whitelisting/blacklisting apps via com.apple.applicationaccess.new. (I do it another way).
However since no-one else has answered, do you by any chance have a pathBlackList/pathWhiteList that is causing you issues?
Posted on 09-08-2015 05:07 AM
I do not believe so. I have used a similar config going back to 10.6, MCX. Didn't have any issues in our last deployment with 10.8.5, config profile.
I have the following locations whitelisted:
Applications/
/Library/Application Support/
/Library/Internet Plug-Ins/
/Library/Java/
/Library/LaunchAgents/
/Library/LaunchDaemons/
/Library/Printers/
/System/Library/
/private/
/usr/bin/
/private/tmp/
/usr/local/bin/
/usr/lib/
/usr/share/
/Library/Keychains/
/dev/
with the following blacklisted:
/Users/
/Applications/Game Center.app/
/Applications/Automator.app/
/Applications/FaceTime.app/
/Applications/Messages.app/
/Applications/Time Machine.app/
/Applications/Utilities/Activity Monitor.app/
/Applications/Utilities/AirPort Utility.app/
/Applications/Utilities/AppleScript Editor.app/
/Applications/Utilities/Bluetooth File Exchange.app/
/Applications/Utilities/Boot Camp Assistant.app/
/Applications/Utilities/Console.app/
/Applications/Utilities/Disk Utility.app/
/Applications/Utilities/Migration Assistant.app/
/Applications/Utilities/Network Utility.app/
/Applications/Utilities/Terminal.app/
/Applications/Utilities/X11.app/
/System/Library/CoreServices/Applications/Network Utility.app/
Posted on 09-08-2015 07:39 AM
I wonder if it has something to do with Gatekeeper. Have you tried SSHing into an affected system and executing spctl -a /Applications/{{applicationname.app}}? What output does it give?
If you run "spctl --master-disable" what happens?
SPCTL Documentation
https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/spctl.8.html
Posted on 09-08-2015 07:42 AM
You may want to try out "https://github.com/google/santa/" if this continues to be a problem as well
Posted on 09-08-2015 08:03 AM
Or you could try http://sourceforge.net/projects/appwarden/ ...which catches WillLaunch, DidLaunch and DidTerminate Application Notification events, to allow you to run custom code when an application launches or quits.
BTW, I'm guessing that there is a typo, and you have whitelisted:
/Applications/
and not:
Applications/
?
Posted on 09-08-2015 11:51 AM
@Swift Correct, that was a copy/paste typo.
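The path-list questions raised in the thread (a relative `Applications/` entry, lists that might conflict) can be checked mechanically before a profile is built. The following is an added example, not part of the thread and not Apple or JSS code: `as_prefix` and `lint` are hypothetical helper names, the sample lists are a subset of the entries posted above, and the checks are purely structural; they do not model how OS X evaluates the lists.

```python
from posixpath import normpath

def as_prefix(path):
    """Normalize an absolute path to a directory prefix ending in '/'."""
    return normpath(path).rstrip("/") + "/"

def lint(whitelist, blacklist):
    """Return (list_name, entry, problem) tuples for structural problems."""
    findings = []
    prefixes = {}
    for name, entries in (("whitelist", whitelist), ("blacklist", blacklist)):
        absolute = []
        for entry in entries:
            if entry.startswith("/"):
                absolute.append((entry, as_prefix(entry)))
            else:
                # A relative entry cannot match any absolute path prefix.
                findings.append((name, entry, "not an absolute path"))
        for entry, prefix in absolute:
            for other, parent in absolute:
                # An entry nested under another entry of the same list is redundant.
                if prefix != parent and prefix.startswith(parent):
                    findings.append((name, entry, "already covered by " + other))
        prefixes[name] = absolute
    allowed = [p for _, p in prefixes["whitelist"]]
    for entry, prefix in prefixes["blacklist"]:
        # Report blacklist entries that do not sit under any whitelisted prefix.
        if not any(prefix.startswith(p) for p in allowed):
            findings.append(("blacklist", entry, "not under any whitelisted path"))
    return findings

# Subset of the entries posted in the thread, including the "Applications/" typo.
WHITELIST = ["Applications/", "/System/Library/", "/private/",
             "/private/tmp/", "/usr/bin/"]
BLACKLIST = ["/Users/", "/Applications/Utilities/Terminal.app/",
             "/System/Library/CoreServices/Applications/Network Utility.app/"]

if __name__ == "__main__":
    for name, entry, problem in lint(WHITELIST, BLACKLIST):
        print("%-9s %-40s %s" % (name, entry, problem))
```

With the leading slash restored on the `Applications/` entry, the Terminal.app blacklist entry is no longer reported as sitting outside every whitelisted path.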