Is it possible to restrict user access to only their home folder on a Mac?

sparrowhawk
New Contributor II

I am predicting a few "Why do you want to do that?" replies to this question, but I just want to know if it's feasible. I want to ensure that two different users on the same Mac cannot exchange files between them.

Thanks

1 ACCEPTED SOLUTION

Honestly its best to let your DLP team find an application for macOS to do what they are wanting. Trying to force JAMF to do things outside its lane never ends well, I know this from experience. JAMF is not a DLP application in the slightest. 

 

MacOS has several directories a user can write to outside of their directory. Generally users do not have access to other users files, however as I mentioned before there are "shared" spaces on macOS where anyone can write to. In this manner think of macOS as Windows if you are more familiar with that. Everyone has read access to Root (or c:\), and read/write access to many sub directories off of Root. Many applications require a user to be able to write to preference files which will be outside of the user directory like in /Library/Application Support (C:\Application Data) for example or even in /Applications (C:\Program Files) in some cases. You could write a script to change all those file permissions with chmod -R but that will massively impact the ability to even use macOS. a DLP applications like Endpoint Protector (formerly Forcepoint) or Digital Guardian (ext) can monitor file activity and have rules setup to prevent the modification of specific files or directories and leave other stuff alone. Sure your DLP team will need to learn a lot more about macOS but they really should know macOS to begin with if they want it secured. 

 

I am the "Mac Expert" for my employer. Security has tried more times than I can count to push stuff off on me to manage using the excuse they don't know macOS well enough to do XYZ. I had to learn to draw a hard line in the sand, either you compensate me a lot more or you get your people the training they need. Its not fun but its how I stop myself from being abused if that makes sense. No one person should be responsible for both managing an environment, AND recurring it. Endpoint Management and Endpoint Security are also two totally different career fields lol, with Endpoint Security paying quite a bit more in most cases. 

View solution in original post

7 REPLIES 7

tak10
Contributor II

Out of the box, you shouldn't be able to do it. However, if the user is an admin user, they can technically access if they use sudo in terminal.

If they are a standard user, the loop hole shouldn't be there and unable to access. 

AJPinto
Contributor III

If they have admin access, no. Admins can change file permissions and all kinds of things to jump out of your restrictions without tools specifically designed to manage that kind of stuff. If they dont have admin access they only have access to stuff in their "profile" (home folder, home directory, whatever) and shared directories.

 

As far as setting it up to only allow access to their "profile" I only see it causing problems. There is a lot that you need that is not located in your "profile", like pretty much every component of MacOS. 

sparrowhawk
New Contributor II

Thanks for your replies guys.

Neither user would have admin privileges, so that's not an issue. I need them to not be able to copy a file outside their home directory. This is a DLP thing. One account would have privileges to secure locations and servers that the other user would not. The user accounts would belong to the same person and they would log out of one and into the other to perform specific duties. So the public and shared directories would have to be locked down for a start. I assume that they would require admin rights to be able to write into the System, Library or Applications folder? So the permissions for those directories could stay as they are? I understand this isn't a very elegant way of switching roles, but it is the method I have been asked to explore.

Honestly its best to let your DLP team find an application for macOS to do what they are wanting. Trying to force JAMF to do things outside its lane never ends well, I know this from experience. JAMF is not a DLP application in the slightest. 

 

MacOS has several directories a user can write to outside of their directory. Generally users do not have access to other users files, however as I mentioned before there are "shared" spaces on macOS where anyone can write to. In this manner think of macOS as Windows if you are more familiar with that. Everyone has read access to Root (or c:\), and read/write access to many sub directories off of Root. Many applications require a user to be able to write to preference files which will be outside of the user directory like in /Library/Application Support (C:\Application Data) for example or even in /Applications (C:\Program Files) in some cases. You could write a script to change all those file permissions with chmod -R but that will massively impact the ability to even use macOS. a DLP applications like Endpoint Protector (formerly Forcepoint) or Digital Guardian (ext) can monitor file activity and have rules setup to prevent the modification of specific files or directories and leave other stuff alone. Sure your DLP team will need to learn a lot more about macOS but they really should know macOS to begin with if they want it secured. 

 

I am the "Mac Expert" for my employer. Security has tried more times than I can count to push stuff off on me to manage using the excuse they don't know macOS well enough to do XYZ. I had to learn to draw a hard line in the sand, either you compensate me a lot more or you get your people the training they need. Its not fun but its how I stop myself from being abused if that makes sense. No one person should be responsible for both managing an environment, AND recurring it. Endpoint Management and Endpoint Security are also two totally different career fields lol, with Endpoint Security paying quite a bit more in most cases. 

View solution in original post

sparrowhawk
New Contributor II

It appears that Endpoint Protector and Forcepoint still have separate sites. Has one bought the other recently?

It looks like Forcepoint may be rebranding to Endpoint Protector. I have not done much digging around on this matter unfortunately. 

sparrowhawk
New Contributor II

Hi AJ, thanks for your input. We are a small IT team of three and we primarily use JAMF and PDQ for deploying most things, along with AD GPs and Sophos for endpoint protection. So I was hoping to be able to use our existing tools, but you make a good point about using a tool designed for the job. I'll check those two that you mentioned out.

The other reason I asked here is that I downloaded the CIS Mac OS hardening guide (https://downloads.cisecurity.org/#/) and it does give some Terminal commands designed to limit user access to other home folders on page 201. Although it doesn't address the shared folder though. Rich Trouton is listed in the acknowledgements so that was another tick for validity, knowing how much of a Mac/JAMF guru he is.

If we need another piece of software to do this easily and effectively, then we'll have to find some more budget.

Thanks for chiming in, it's good to get feedback from others who have been through the same process.

Cheers