Posted on 04-02-2019 06:47 AM
I've been able (easy job, I know) to block Apps processes through Jamf, but... what if I'd like to hide those macOS native apps which are present in the Applications folder?
Like, for example, App Store, Calendar, Contacts, etc.
As ever, thanks for your support, guys!
Posted on 04-02-2019 07:20 AM
Not sure that will be possible. Since you can't actually delete those applications from the system, I don't think you can modify their Finder attributes, which would be the only way I can think of to hide them. Meaning you would do something like:
chflags hidden "/Applications/App Store.app"
You could try the above, but I have a feeling the OS won't allow you to make such a modification to protected applications. Most, if not all of the apps that ship with the OS these days are protected. Even things like Chess.app which is totally ridiculous, but that's how it is.
If you run the following command, you will see all the Apple apps have an extended attribute called "com.apple.rootless" on them, which means they are protected even from root.
ls -l@ /Applications/
Posted on 04-02-2019 07:32 AM
Disabling SIP is the only way to do some of the apps.
sudo chflags -h hidden /PATH/TO.app will only sort a few; to bring them back it is sudo chflags -h nohidden /PATH/TO.app
Try it on one; if it is protected you will get an "Operation not permitted" error.
Posted on 04-02-2019 07:32 AM
What @mm2270 said.
You can't modify/remove/hide SIP-protected apps.
ls -laO /Applications/ | grep restricted
drwxr-xr-x@ 3 root wheel restricted 96 Mar 28 17:04 App Store.app
drwxr-xr-x@ 3 root wheel restricted 96 Mar 28 17:04 Automator.app
drwxr-xr-x@ 3 root wheel restricted 96 Mar 28 17:04 Books.app
drwxr-xr-x@ 3 root wheel restricted 96 Mar 28 17:04 Calculator.app
drwxr-xr-x@ 3 root wheel restricted 96 Mar 28 17:04 Calendar.app
drwxr-xr-x@ 3 root wheel restricted 96 Mar 28 17:04 Chess.app
drwxr-xr-x@ 3 root wheel restricted 96 Mar 28 17:04 Contacts.app
drwxr-xr-x@ 3 root wheel restricted 96 Mar 28 17:04 Dashboard.app
drwxr-xr-x@ 3 root wheel restricted 96 Mar 28 17:04 Dictionary.app
drwxr-xr-x@ 3 root wheel restricted 96 Mar 28 17:04 FaceTime.app
drwxr-xr-x@ 3 root wheel restricted 96 Mar 28 17:04 Font Book.app
drwxr-xr-x@ 3 root wheel restricted 96 Mar 28 17:04 Home.app
drwxr-xr-x@ 3 root wheel restricted 96 Mar 28 17:04 Image Capture.app
drwxr-xr-x@ 3 root wheel restricted 96 Mar 28 17:04 Launchpad.app
drwxr-xr-x@ 3 root wheel restricted 96 Mar 28 17:04 Mail.app
drwxr-xr-x@ 3 root wheel restricted 96 Mar 28 17:04 Maps.app
drwxr-xr-x@ 3 root wheel restricted 96 Mar 28 17:04 Messages.app
drwxr-xr-x@ 3 root wheel restricted 96 Mar 28 17:04 Mission Control.app
drwxr-xr-x@ 3 root wheel restricted 96 Mar 28 17:04 News.app
drwxr-xr-x@ 3 root wheel restricted 96 Mar 28 17:04 Notes.app
drwxr-xr-x@ 3 root wheel restricted 96 Mar 28 17:04 Photo Booth.app
drwxr-xr-x@ 3 root wheel restricted 96 Mar 28 17:04 Photos.app
drwxr-xr-x@ 3 root wheel restricted 96 Mar 28 17:04 Preview.app
drwxr-xr-x@ 3 root wheel restricted 96 Mar 28 17:04 QuickTime Player.app
drwxr-xr-x@ 3 root wheel restricted 96 Mar 28 17:04 Reminders.app
drwxr-xr-x@ 3 root wheel restricted 96 Mar 28 17:04 Safari.app
drwxr-xr-x@ 3 root wheel restricted 96 Mar 28 17:04 Siri.app
drwxr-xr-x@ 3 root wheel restricted 96 Mar 28 17:04 Stickies.app
drwxr-xr-x@ 3 root wheel restricted 96 Mar 28 17:04 Stocks.app
drwxr-xr-x@ 3 root wheel restricted 96 Mar 28 17:04 System Preferences.app
drwxr-xr-x@ 3 root wheel restricted 96 Mar 28 17:04 TextEdit.app
drwxr-xr-x@ 3 root wheel restricted 96 Mar 28 17:04 Time Machine.app
drwxr-xr-x@ 3 root wheel restricted 96 Mar 28 17:04 VoiceMemos.app
drwxr-xr-x@ 3 root wheel restricted 96 Mar 28 17:04 iTunes.app
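A pre-flight check for the approach discussed above, as an added example that is not part of any post in this thread: it parses `ls -laO` output, separates SIP-restricted apps from the rest, and prints (without running) a quoted `chflags -h hidden` command for each app that is not restricted. The function names `apps_by_flag` and `plan_hide` and the sample listing are assumptions made for the example.

```shell
#!/bin/sh
# Added example: split `ls -laO` output by the SIP "restricted" flag.
# SAMPLE_LISTING is constructed; column layout follows the listing in the thread.
SAMPLE_LISTING='total 0
drwxrwxr-x  40 root  admin  -                 1280 Mar 28 17:04 .
drwxr-xr-x@  3 root  wheel  restricted          96 Mar 28 17:04 App Store.app
drwxr-xr-x@  3 root  wheel  restricted          96 Mar 28 17:04 Chess.app
drwxr-xr-x@  3 root  wheel  -                   96 Feb 11 09:30 Google Chrome.app
drwxr-xr-x@  3 root  wheel  -                   96 Feb 11 09:30 Microsoft Word.app
drwxr-xr-x@  3 root  wheel  restricted,hidden   96 Mar 28 17:04 Siri.app'

# apps_by_flag MODE : reads `ls -laO` output on stdin.
#   MODE=restricted   -> print .app names that carry the restricted flag
#   MODE=unrestricted -> print .app names that do not
apps_by_flag() {
    awk -v mode="$1" '
    NF >= 10 {
        flags = "," $5 ","              # field 5 is the comma-separated flags column
        name = $0
        for (i = 1; i <= 9; i++)        # drop the 9 leading fields, keep spaces in the name
            sub(/^ *[^ ]+ +/, "", name)
        if (name !~ /\.app$/) next      # skip ".", "..", plain folders
        is_r = (index(flags, ",restricted,") > 0)
        if ((mode == "restricted") == is_r) print name
    }'
}

# plan_hide DIR : print (do not run) one chflags command per unrestricted app,
# with the path quoted so a name like "Google Chrome.app" stays one argument.
plan_hide() {
    apps_by_flag unrestricted | while IFS= read -r app; do
        printf 'chflags -h hidden "%s/%s"\n' "${1%/}" "$app"
    done
}

# Demo on the constructed listing; on a Mac, pipe in `ls -laO /Applications/` instead.
printf '%s\n' "$SAMPLE_LISTING" | plan_hide /Applications/
```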
Posted on 04-02-2019 08:02 AM
As you all said, the command only functions when SIP is disabled.
I've just tried disabling SIP in Terminal (in Recovery mode) and then launched
chflags hidden "/Applications/App Store.app"
and the App Store just got hidden...
The question now is:
is there any way to disable and then re-enable SIP by Policy/Script through Jamf? (I know that it is not a suggested action, but...)
Posted on 04-02-2019 08:12 AM
is there any way to disable and then re-enable SIP by Policy/Script through Jamf? (I know that it is not a suggested action, but...)
Nope. Cannot be automated. You would have to manually reboot each machine into Recovery mode, disable SIP, make the necessary changes and then likely reboot to re-enable SIP (unless you wanted to leave that security feature off, which is not recommended). That's a lot of touching systems.
Posted on 04-02-2019 11:10 AM
I don't know if this would be entirely helpful, but here's how I do it.
Step 1: Settings -> Computer Management -> Dock Items. In here go +New, fill in display name and Path to application (e.g. Macintosh HD/Applications/app store.app). Do as many or as few as you want. For me, I did everything in the Applications Folder. Do it once and you're done.
Step 2: Make a Policy (I call it Dock - Add Programs). Set your Trigger to login and execution frequency Ongoing. Choose Dock Items from Options. Here we are going to set up a custom Dock. Each Item that you added in Step 1 will be available to Add. Add all of them. The ones you don't want in the dock, Choose Remove From Dock. The ones you want to Show, Choose Add to Beginning (or end) of Dock.
Step 3: Remove Applications from Finder Favorites. If there is a way to obfuscate the Menu Bar to prevent navigating to Applications, I don't know what it is.
This method works well for an elementary school Cart. The most important part (for us) was to remove Launchpad from the dock. It basically only leaves Spotlight Search (which I think you can turn off) and navigating through the Finder (which you can't remove from dock) menu bar.
Again, it's not perfect, but you can give the illusion of having only a few applications available to your user. Our Elem Carts have Finder (which you can't remove), Word, Chrome and Trash on their Dock.
I make it available in self service and call it "Dock Reset" so Teachers and Techs can fix anything the kids remove or add to the dock.