Jamf Nation Community

EMCSD-IT · ‎07-30-2015

I would like to be able to easily lock and unlock Utilities options on an Apple computer- easily like how System Preferences can be locked down in Configuration Profiles.

scottb · ‎07-30-2015

You can use "Restricted Software" to keep certain apps from loading. It's easy to setup and done in the JSS web interface...
Or are you talking about something different?

Nix4Life · ‎07-30-2015

change permissions to admin access and make hidden. also remove it from spotlight

LS

EMCSD-IT · ‎07-30-2015

@scottb - I could go into Restricted Software to limit access per app, but it would be a lot handier to have it set up in Config Profiles. Most Utilities don't change from OS to OS.

@ LSinNY - easy way to change to just admin access/hide to 300+ laptops?

scottb · ‎07-30-2015

@tnunnikhoven :

So what you were asking for is a "Feature request"?

Dunno, there's so many things being asked to add to the JSS already. I'd prefer some really difficult things to be added and forgo the simple stuff like this so that JAMF can spend more time on stability.

Restricting apps is easy, and you could do that in short order and it would work going forward on new OS's as well - most likely. It's pretty easy and quick to do now.

bvrooman · ‎07-30-2015

You could use a config profile to disallow launching of apps in /Applications/Utilities, and then use scoping/exceptions to apply those settings to only the accounts that you want to restrict.

scottb · ‎07-30-2015

The problem with locking/limiting a folder (location) is that someone can copy stuff from another Mac and run the Terminal from the ~Desktop, as an example. If you use restrictions, it blocks the process and it doesn't matter where it is.

EMCSD-IT · ‎07-30-2015

Im already faced with restricting apps- I have had a few students get into the CoreServices folder of a MBP and play around with a few of the apps. Ive ended up restricting these apps since I cant restrict the CoreServices folder (most of the apps and data are needed).

lwindram · ‎07-30-2015

@scottb has a good point about locking/limiting not being totally effective. However it is super easy to do and should provide a good first line of defense.

You can write a short script then send it out via policy:

#!/bin/sh

if [ -d /Applications/Utilities ]; then
   mv /Applications/Utilities /Applications/.Utilities
fi
chmod -R 700 /Applications/Utilities

exit 0

Create an EA that checks for the existence of /Applications/Utilities:

#!/bin/sh

if [ -d /Applications/Utilities ]; then
   echo "<result>accessible</result>"
else
   echo "<result>not accessible</result>"
fi

exit 0

Make a smart group based for every computer that doesn't report "not accessible" and scope the policy to it.

You will also need a script to reverse this for when IT needs access.

#!/bin/sh

mv /Applications/.Utilities /Applications/Utilities
chmod -R 755 /Applications/Utilities

exit 0

Scope it to a policy without an execution frequency and make it available from authenticated self service.

The contents of /Applications/Utilities will remain visible in launchpad, but they won't be accessible. If you need them out of launchpad as well, then add the modified commands from this post to the first script.

I should add that it seems like you might be going down the "tech solution to a behavior problem" route. It might be worth getting administration involved early. Not that I'm speaking from experience or anything.. :)

talkingmoose · ‎07-30-2015

Assuming your students are Standard users and not admins, what are they doing with items in the Utilities folder and CoreServices that's causing problems? They shouldn't be able to change anything with the OS.

Jamf Nation Community

Lock Utilities Folder in Apple Products