How to restrict Screenshots and Downloading Of Emails on employee devices?

Anonymous
Not applicable

Hello , 

I'm a sys admin and use Jamf Pro . Is there any way to restrict the ability to screenshot and download emails on employee devices through policies or some other way ?

Thanks .

4 REPLIES 4

Tangentism
Contributor III

Looks like you found the thread discussing using a config profile

In answer to your questions on that thread:

 

1. Its applied to all apps. As tlarkin mentions in that thread, trying to limit it to/or disable it on specific apps causes issues and trying to apply it in other ways can face undesired race conditions with the restriction being applied in time.

2. It's a config profile so distributed through the MDM, not policies.

You will no longer be able to add a config profile to a machine locally without the users approval (i.e., packaging it then using the profiles terminal command to install it). Not the best method if applying a security requirement.

mm2270
Legendary Contributor III

Using the information on the link from above, this is easy to do, for disabling Screenshots.

In Terminal run this:

defaults write ~/Desktop/com.apple.applicationaccess.plist allowScreenShot -bool false

Then run

plutil -convert xml1 ~/Desktop/com.apple.applicationaccess.plist

Then back in Jamf Pro, create a new Config Profile and add the Application & Custom Settings payload. Choose the Upload option from the items in that payload and then upload that plist file created above. Make sure the domain gets imported or added, which should be com.apple.applicationaccess

Scope and deploy to a test Mac. Once it's applied, you should be blocked on that Mac from taking any screenshots.

 

For blocking downloading of emails, I don't have anything to help with that. You might need to explain a little bit more what you're trying to do with that.

Anonymous
Not applicable

@mm2270 I want  to stop download of attachments in emails that belong to corporate account

mm2270
Legendary Contributor III

You should really be looking at doing that on the email server side, or with a DLP product, not with Jamf. You're going to be very limited in what you can do within Jamf on the endpoints to control this.

Of course, you could look to see if the email program everyone uses in the company has any settings that can be applied in a configuration profile for controlling this, but I kind of doubt it.