Posted on 07-31-2015 06:03 AM
So I'm looking for something to disable users being able to install safari extensions. I've been looking around and saw that in the old safari there was an extension folder I could have monitored and removed any extensions. But seems with Safari v8 things have moved around. So wondered if anyone else out there was blocking extensions?
I was able to stop the users from allowing the opening of safe downloads by using a configuration profile with a MCX preference using AutoOpenSafeDownloads. But when I added ExtensionsEnabled to that mcx, it doesn't seem to work. The user can still turn on Extensions and download them.
Any suggestions?
Posted on 07-31-2015 07:07 AM
I'm running Safari 8.0.7 and Safari extensions are still getting dropped into ~/Library/Safari/Extensions/
Are you not seeing them placed there?
If that's there, just pre-create that directory for every account with a script and lock it down with the system immutable flag so even root can't write into it. Also make it invisible in the Finder for good measure. That should stop any Safari Extensions from being installed.
Posted on 07-31-2015 07:18 AM
@mm2270 Folder was there...not sure why I couldn't find it before. Will put the smackdown on that folder to make it unusable.
Any suggestions to make the extensions on/off button disabled. I'd like them to know visually that we don't allow extensions before they even try downloading them.
Posted on 07-31-2015 07:23 AM
@roiegat, I don't know of any way to disable the button, no. If there is an option to do that with MCX/Profiles, I've never seen it.
Posted on 07-31-2015 07:25 AM
@mm2270 The ExtensionsEnabled flag seems to get moved when it's turned on and off when it's moved. But putting that in the MCX doesn't seem to work. So will keep looking.
Thanks for your help.
Posted on 07-31-2015 07:27 AM
This may be a tough one, because Safari extensions now also store information in the login keychain:
https://macmule.com/2014/10/15/deploying-installing-safari-extensions-on-safari-6-1-7-2/
If you're concerned about blocking adware extensions, it looks like Apple has begun blocking them via XProtect. If you run the following command, you should see which extensions are being blocked:
cat /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
Posted on 07-31-2015 07:30 AM
I would try converting a custom plist with just that one setting in it to a Configuration Profile with mcxToProfile, and avoid straight MCX altogether. MCX under 10.10 has become very unreliable.
Posted on 07-31-2015 08:37 AM
As a quick follow up, I created a quick and dirty Config Profile that contained only the ExtensionsDisabled key with a boolean value of false, and installed the config profile. While it turns off the Extensions on/off switch, it won't disable or gray it out, so I can switch it back on. However, quit and relaunch of Safari puts it back to Off. So in quick testing, its not going to do what you want. Only certain items can be grayed out in the OS, and this switch doesn't appear to be one of them.