Help

Limit what apps to run

Chuey
Contributor III

Posted on ‎11-22-2016 05:49 AM

I'm trying to tighten security in our organization and would like to control what applications can be launched.

Right now my biggest issue is someone bringing an app in on a USB drive and launching it or dragging it their desktop and launching it from there. I want them to still be able to use USB drives but I want to control what apps can launch system wide.

I have a test configuration profile setup with restrictions enabled. I can add each and every app that I want to allow to run but that seems tedious. I can only allow apps in the Applications folder to run but that doesn't help with the USB issue.

Anyone doing something similar or have a better way to do this ?

Thanks in advance.

0 Kudos
3 REPLIES 3

mike_pinto
New Contributor III

Posted on ‎11-22-2016 05:59 AM

Maybe try disallowing /Volumes ?

0 Kudos

Chuey
Contributor III

Posted on ‎11-22-2016 06:02 AM

@mike.pinto We mount file shares on login for the user which resides in /Volumes. I think that would get affected ?

0 Kudos

mm2270
Legendary Contributor III

Posted on ‎11-22-2016 06:53 AM

It can be problematic, but if you set up Config Profile restrictions for the whitefolder and blackfolder locations you can specify that apps can run from the Applications folder and a number of other common locations, but restricted anywhere else (other paths) which would stop them from running apps from mounted volumes of any kind. You can also add in /Users/ as a restricted path to stop items launching from the Desktop, but I think you'll run into problems with apps that have a tendency to install helper tools into the user space and run them from there.

0 Kudos