Posted on 06-25-2021 10:42 AM
Hi all,
Bit of an odd one. Our organisation needs to allow some aspect of local storage access to accommodate work on large files without constantly writing to network drives. They work on these files and then copy them to mounted AD drives.
I want to restrict the local files that can be written to. My solution has been to create a LaunchAgent that hides all default folders using chflags hidden and schg on the first login of a user. I have used a LaunchAgent because of the impending threat of login hooks being removed.
The issue is that Documents and Downloads never have the flag applied and I have no idea why. It applies to every other folder. I have added a delay before the script is run, added the script to the sudoers file so it can be run as root, changed the code, killed finder and kept it killed for the script duration, and even made the script just try to hide documents and nothing works.
Any suggestions would be appreciated.
FYI I have tried:
find ~ -maxdepth 1 -mindepth 1 -type d -not -name '.' -not -path "*/Library" -not -path "*/Desktop" -exec sudo chflags schg {} \; -exec sudo chflags hidden {} \;
sudo chflags hidden $HOME/Documents
sudo chflags hidden ~/Documents
Posted on 06-25-2021 10:54 AM
@Autton Ever heard the old joke where the patient says to the doctor "It hurts when I do..." and the doctor replies "Then don't do..."? That pretty much sums up trying to make modifications to the Documents folder as of Big Sur. Enabling iCloud Drive on older versions of macOS, especially if the user enabled the Desktop & Documents option, would also blow away any changes every time a Mac restarted. I hadn't seen that behavior with the Downloads folder, but I got tired of fighting the OS before I tried mucking with it.
Posted on 06-28-2021 01:01 AM
I used to "re-adjust" the Home folders, but gave up banging my head against that one.
However, if you really have to do it, please note that I have not tried this since Mavericks.
The method I used was to have the LaunchAgent script pass the username to a LaunchDaemon script, and have the Daemon script do the heavy lifting. LaunchDaemons run as root. I did it with watch files. The LaunchAgent runs a touch /path/to/watchfile and the LaunchDaemon is set to activate on the watchfile being looked at. Set the Agent to save the username to a temp file, and pull that into the Daemon script. Just put your watchfile somewhere safe, but where the user permissions allow the logging-in user to access it to touch it.
Examples of the plists etc are in my reply here
https://www.jamf.com/jamf-nation/discussions/39124/purge-users
But I have not tried to adjust the Home folders since Mavericks, and therefore suggest you do loads of testing if you are going to go down this route. The basic concept of getting a LaunchAgent to run a LaunchDaemon still works; it's the Home Folder side I can't say will work.
If Apple is willing to protect Chess with SIP, then I guess they will protect a whole bunch of more important things.
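The hand-off described in the reply above, written out as an added example (not the poster's own plists or script, which live at the linked discussion). Everything here is assumed: the labels, the script path /usr/local/bin/hidefolders.sh, and the drop directory /Users/Shared/.hidefolders, which the deployment is assumed to pre-create with mode 1777 so any logging-in user can write the trigger and name files. The point worth seeing is the trust boundary: the LaunchDaemon runs as root but takes its input from a user-writable file, so it validates the short name, refuses to act for anyone other than the console user, and consumes the request files so they cannot be replayed. Only chflags hidden is applied here; schg is left out.

```shell
#!/bin/sh
# Added example: LaunchAgent -> trigger file -> LaunchDaemon (WatchPaths) hand-off.
# All paths and labels below are assumptions, not values from the thread.
DROP_DIR="/Users/Shared/.hidefolders"   # assumed pre-created by the deployment, mode 1777
TRIGGER="$DROP_DIR/trigger"
NAME_FILE="$DROP_DIR/username"

# LaunchAgent plist: runs at login as the user, records the short name, touches the trigger.
# Install under /Library/LaunchAgents/com.example.hidefolders.agent.plist (assumed label).
agent_plist() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.example.hidefolders.agent</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/sh</string>
        <string>-c</string>
        <string>id -un &gt; $NAME_FILE &amp;&amp; touch $TRIGGER</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
EOF
}

# LaunchDaemon plist: launchd starts the root script whenever the trigger path changes.
# Install under /Library/LaunchDaemons/com.example.hidefolders.daemon.plist (assumed label).
daemon_plist() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.example.hidefolders.daemon</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/local/bin/hidefolders.sh</string>
    </array>
    <key>WatchPaths</key>
    <array>
        <string>$TRIGGER</string>
    </array>
</dict>
</plist>
EOF
}

# Accept only a plain short name. The value comes from a user-writable file and is used
# by root as a path fragment, so reject empty values, slashes, "..", leading dots and
# anything outside [A-Za-z0-9._-].
valid_username() {
    case "$1" in
        ''|*/*|*..*|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Body of /usr/local/bin/hidefolders.sh (assumed path). Runs as root on macOS; it is
# defined here for reading and is not invoked by anything in this file.
# $1 optionally overrides the users root (default /Users).
hide_home_folders() {
    users_root="${1:-/Users}"
    [ -f "$NAME_FILE" ] || return 0        # nothing queued (WatchPaths also fires on our own cleanup)
    name=$(head -n 1 "$NAME_FILE")
    rm -f "$NAME_FILE" "$TRIGGER"          # consume the request so it cannot be replayed
    valid_username "$name" || return 1
    home="$users_root/$name"
    [ -d "$home" ] || return 1
    # Another local account could have written any name into the drop file, so only act
    # for the user actually at the console (stat -f is the macOS/BSD form).
    [ "$(stat -f %Su /dev/console)" = "$name" ] || return 1
    for d in Documents Downloads Movies Music Pictures Public; do
        [ -d "$home/$d" ] && chflags hidden "$home/$d"
    done
    return 0
}
```

Run agent_plist and daemon_plist to produce the two files and place the hide_home_folders body in the script the daemon points at; the validation is the part to keep even if the folder-hiding itself turns out not to survive on Big Sur, because any root daemon driven by a user-writable trigger has the same exposure.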
Posted on 06-28-2021 03:59 AM
@sdagley It is unfortunately beginning to look that way. It applies to every folder aside from Documents and Downloads. I do wonder if it is because of iCloud Drive, even if it is not on. I think the last thing that I will do is look for a way to stop any iCloud Drive daemons or plists from launching on boot before I give up. I have kept a log of my tried methods and descent into madness here: https://apple.stackexchange.com/questions/423046/hiding-default-folders-via-launchagent-not-applying-to-documents
Is there anything on the Jamf Pro side of things that may allow me to achieve what I want?
Thanks.