Posted on 09-23-2020 12:56 PM
One of the tasks i've been given as of late is to restrict the installation of software that we've been seeing in the environment, such as some torrent downloader apps, games, etc etc. Currently our environment is a bit of a wild west, so I think our users don't realize that I can see everything they have installed.
I'm going to pull a large list of apps and start making restricted software policies for as many of them as I can, but my question is, is this out of the ordinary to do it this way? Do others use restricted software policies to block dozens and dozens of apps on their devices? I will be working with our isoc to determine a more permanent and appropriate list of restricted apps, but I just want to make sure i'm not using this tool incorrectly by having potentially over 30-50 restricted software policies. Does anyone have any tips for how to make sure these work as intended as well?
Thank you,
Dan
Posted on 09-24-2020 06:14 AM
@sheltond3 I would suggest getting a meeting together with your security and network team, to block access to webpages that allows downloads of these apps.
Also there should be some type of policy of what is/is not allowed on workstations. 30-50 restricted software policies in Jamf is excessive. We normally use restrict software for OS upgrades(until we're ready to upgrade), and a few 3rd party apps here and there. Everything else should be handled by Network Security policies.
Posted on 09-24-2020 07:11 AM
Keep in mind that if the user has admin you might be fighting a losing battle but then removing admin can also have it's own headaches. Also, be aware that you can only see applications where Jamf inventories. I've seen more than one user run software out of the Desktop or Downloads folder and this does not get inventoried unless you specify. If they run them out of mounted dmg's, you should probably just give up at that point.
I work in a campus environment so the best things done on this front has been removing admin from all student and part time systems. There was resistance to that because out faculty wants to have everything open and available to everyone. Never mind the mess it created with unstable systems but they came around to the idea and are ok with it now. Full time staff and faculty only have admin because of the politics involved but that might be changing since our campus was hit hard by ransomware a few months ago on the Windows side. Currently the students could still run applications within their user profile as in the past I couldn't block that due to silly things like Google putting stuff in there for Chrome if I recall correctly. I plan to revisit this soon as I know Google has made some changes. I'm hoping some simple whitelisting combined with no admin will finally accomplish what we want.
Regarding restricted software policies themselves I keep them at a minimum. The only things I put in there now are new macOS updates when we're not ready to update yet. I don't really want to get into the cat and mouse game of managing a list that would only grow.