Skip to main content

We have a small number of users in our company who are now utilizing python for their daily workflows. With this in mind, we want to ensure that we are maintaining our security standards and see what Python pkgs these users are installing. Is there a way for us to list all of the installed Python pkgs in Jamf Pro?

It seems like the native package list does not include these items. I have looked into attempting to build this out as an extension attribute, but am hitting some roadblocks. We are very new to Python, and any feedback would be greatly appreciated. 

 

Thank you!

Try pip list or pipdeptree.

TLDR: The short answer is no, not in any sane way. Python doesn't have just one place to install packages or one way to retrieve that information, so gathering a conclusive list isn't going to be simple.

To get a list of python packages installed, you would first need to know where Python is installed. MacOS recommends that be this goes in "/Library/Frameworks/Python.framework/Versions/{VERSION_NUMBER}". If you install python using python.org's installer packages then this is where it gets installed.

However, this is just a suggestion.

  • Homebrew for example installs python to into it's "$(brew --prefix)/Cellar". This path is different on different architectures and also completely can be user defined (though discouraged).
  • pyenv installs its pythons into ~/.local/share/pyenv/versions
  • It's also possible to install Python into any directory on the machine (see relocatable-python).

So, even if you are wanting to only gather globally installed packages per python installation, you are going to need to scan every file structure on the machine to look for python executables. Then you could plausibly use '/path/to/python3 -m pip list --format freeze 2>/dev/null' to get a list of installed packages with versions (assuming pip is installed in that particular python environment).

In the same vein, more than one python version can be installed on a machine at the same time and each one has a different global environment. So if your user has python3.10, python3.11, and python3.12 on a machine then you have to check each one separately. Most python developers will indeed have more than one version as updating python by default doesn't remove the old version. 

To further complicate things, python uses virtual environments to create isolated sets of dependancies. These environments also have their own completely unique set of packages separate from those of the "global" python environment. Also, there is no standard method for creating virtual environments and each tool does it slightly differently (e.g., pip, pipenv, hatch, poetry, uv, etc.). In short, it's a bit of a complicated mess to decipher if you're not the one who set it up. 

All this is to say, gathering a list of python installed packages into a EA is probably not the way to go. My recommendation is instead to rely on an EDR tool which can scan for vulnerabilities globally and notify you when there is an issue. 

 

Reply


Terms & ConditionsCookie settings