In our integration testing of Jamf Pro and Microsoft Intune, we've had a handful of users directly launch the Microsoft Company Portal after it was installed.
Since users will need to launch the Company Portal app from Jamf Self Service for macOS to register their ..., we're testing out the following Files and Processes > Execute Command to hide the Company Portal.app after its installed:
/usr/bin/chflags hidden /Applications/Company Portal.app/ ; /bin/sleep 30 ; /usr/bin/sqlite3 $(/usr/bin/sudo find /private/var/folders -name com.apple.dock.launchpad)/db/db "DELETE FROM apps WHERE title='Company Portal';" && /usr/bin/killall Dock
Also, we've observed that the version of Microsoft AutoUpdate bundled with the Company Portal installer is out-of-date, so we're installing Microsoft_AutoUpdate_4.1.18070902_Updater.pkg right after Microsoft Company Portal-1.5.pkg is installed.
The following update for Mojave will disable:
System Preferences > Dock > Show recent applications in Dock
/usr/bin/chflags hidden /Applications/Company Portal.app/ ; /bin/sleep 30 ; /usr/bin/sqlite3 $(/usr/bin/sudo find /private/var/folders -name com.apple.dock.launchpad)/db/db "DELETE FROM apps WHERE title='Company Portal';" ; /usr/bin/su - "`/usr/bin/stat -f%Su /dev/console`" -c "/usr/bin/defaults write com.apple.dock show-recents -bool NO" && /usr/bin/killall Dock
We also have the problem, that many users are not reading our guide and trying to register with Company Portal directly from the applications folder and not with Self Service.
We then tried to play with restricted software (block Company Portal as long as you're not registered). This would be the perfect solution, as users are not able to run Company Portal before registering with Self Service, but after the register, they can use Company Portal for checking their state.
Unfortunately this does not work, as Self Service is just starting Company Portal from the local Mac and this triggers the restriction rule. It seems Self Service only allows restricted programs, when they are started from inside a Self Service package.
It would be great, if JAMF could change this in the future, so any apps which are started from Self Service (but are already located on the local device) would not be blocked by the restriction rule. This would give us many more possibilities...