Limit what apps to run

Contributor III

I'm trying to tighten security in our organization and would like to control what applications can be launched.

Right now my biggest issue is someone bringing an app in on a USB drive and launching it, or dragging it to their desktop and launching it from there. I want them to still be able to use USB drives, but I want to control what apps can launch system wide.

I have a test configuration profile set up with restrictions enabled. I can add each and every app that I want to allow to run, but that seems tedious. I can only allow apps in the Applications folder to run, but that doesn't help with the USB issue.

Is anyone doing something similar, or does anyone have a better way to do this?

Thanks in advance.


New Contributor III

Maybe try disallowing /Volumes ?

Contributor III

@mike.pinto We mount file shares on login for the user, which reside in /Volumes. I think that would get affected?

Legendary Contributor III

It can be problematic, but if you set up Config Profile restrictions for the whitefolder and blackfolder locations you can specify that apps can run from the Applications folder and a number of other common locations, but restricted anywhere else (other paths) which would stop them from running apps from mounted volumes of any kind. You can also add in /Users/ as a restricted path to stop items launching from the Desktop, but I think you'll run into problems with apps that have a tendency to install helper tools into the user space and run them from there.