Configuration Profile Allow/Disallow Folders

Running Casper version: 8.71

The documentation and JAMF Nation don't really have a good description of the relationship between the allow and disallow folders in the Restrictions tab of configuration profiles. We are trying to restrict applications to only run from the local hard drive, thus restricting applications running from flash drives, etc. Trying a few different combinations results in varying behavior:

Test 1:
Allow: /Volumes/Macintosh HD
Disallow: /Volumes
Idea: Allow applications to run from local disk, but not from any other mounted volume, assuming Allow list takes priority
Result: Several applications are blocked from running on the local disk, but not all of them. Flash drive applications are blocked as well.

Test 2:
Allow: /Volumes/Macintosh HD
Disallow: <nothing>
Idea: Allow applications to ONLY run from local disk
Result: Nothing is blocked, even from mounted volumes, such as flash drives.

Any suggestions on how to accomplish our original goal or an explanation of the relationship between allow and disallow folders would be greatly appreciated. Thanks!


Bump, anyone with similar experiences?