Posted on 02-06-2019 08:29 AM
Hi everyone!
IT manager here for a startup that has been around for a few years and never really had any IT infrastructure till I showed up. We are looking at tightening security on our MacBooks (we already have JAMF installed on all of them); however, we would like to review every single application installed on them.
I have come up with a list of 500 applications that I have been able to see via JAMF inventory. So my real question is, how the heck do I enforce what end users can and cannot install now? I know some have installed things like Steam and Battle.net which is not going to be allowed going forward.
Do I create a few policies in Jamf that remove them and then lock down installs via Firewall permissions?
Right now we are allowing our Engineers admin rights to machines, but I foresee them just reinstalling Steam, etc. until I prevent it.
Thoughts? Suggestions?
Appreciate it.
Posted on 02-06-2019 08:49 AM
With admin rights enabled, it makes enforcement complicated. You can't really prevent anyone from installing apps into the main Applications folder or any other locations.
You could start by generating a list of all known applications that you'd like to block and begin putting these into Jamf Pro's Restricted Software. My suggestion is to locate and use the actual process name when the application is running, instead of using the application bundle name, since the latter can be trivially bypassed by renaming the app to something else. Users (even admins) cannot rename the application executable without breaking the app, short of compiling it from code under a different executable name or something drastic like that.
You could also use some of the carrot and stick approach here. Create Smart Groups for machines that have some of the bigger violating apps installed on them (like torrent apps, etc.) and use those groups as Exclusions for some of the items that the clients really need, like WiFi access or something else that's business critical. When they install those apps and the machine recons, it will land in those groups and lose access to the resources they need, which should get their attention. You might need to pair something like that with a policy that pops up a message to them explaining that their Mac is in violation of company policy because of unapproved apps, or something to that effect.
In the end, this really is a people problem and not a technical one. Set the expectation up front on this that there is only so much you can do with technology. Repeat offenders should be directed to an HR person/department to have a discussion with them about adhering to company policy. What I mean is, you can remove and restrict apps all you want, but if they keep doing it, the only thing that might work to stop it would be the prospect of being let go by the organization because of it.
Posted on 02-06-2019 09:52 AM
@tgoodpaster Long time Jamf user here (since like version 5), and software packaging, deployment and patching have always been sort of a crunchy process with many management tools; Jamf is no exception here. I put up this feature request to manage the Application state of devices and do it from a local code/inventory base.
Now it doesn't stop people from installing Steam on their computers, but there are ways to do that if you so decide to. Jamf has built in app blocking and there are open source tools like Santa that can do black/white listing of apps/binaries.
Now my personal opinion is, let people have admin access, and if they break the rules by playing video games at work, their management and HR should resolve that issue, not IT. I get it though, you are at a startup, so you lack a lot of infrastructure and structured process. I know this too well because I also have worked at and currently work at a startup.
So, right now you might have to chain together policies and use Restricted Software in Jamf, but take a look at my feature request for managing the application state with an application catalog.
Thanks
Tom
Posted on 02-06-2019 11:46 AM
I like the idea Tom has come up with. As a stopgap you can always make a few Smart Groups that, if the Steam app is installed, put the machine into that group, then run an rm -rf steam.app and make that an ongoing policy. That way if the machine falls into that group it'll be removed. You can also put it into Restricted Software, but being that they are admins they might be able to override that; I could be wrong on that bit.
Posted on 02-06-2019 11:58 AM
Restricted Software section in Jamf. You just figure out what the process name is and restrict it from running. It can kill the process, email you when it triggers, notify the user, and I believe delete the app.
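Two replies above recommend restricting by the running process name rather than the .app folder name, because a user can rename the folder but not the executable. The script below, an added example that is not from any poster and not Jamf's own tooling, reads that process name (CFBundleExecutable) out of a bundle's Info.plist so the list of 500 inventoried apps can be turned into process names for Restricted Software; the sample bundle, its folder name, bundle identifier and executable name are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread). Prints the process name recorded in an
# .app bundle's Info.plist, which is what Jamf Pro Restricted Software matches
# on. Renaming the .app folder does not change this value.
set -eu

# Print CFBundleExecutable for the bundle at $1; return 1 if it cannot be read.
# XML plists are parsed with awk anywhere; on macOS, plutil first normalises
# binary plists to XML on stdout.
bundle_process_name() {
    plist="$1/Contents/Info.plist"
    [ -f "$plist" ] || return 1
    name=$(
        if command -v plutil >/dev/null 2>&1; then
            plutil -convert xml1 -o - "$plist"
        else
            cat "$plist"
        fi | awk '
            /<key>CFBundleExecutable<\/key>/ { want = 1; next }
            want && /<string>/ {
                sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit
            }'
    )
    [ -n "$name" ] || return 1
    printf '%s\n' "$name"
}

# Print "<folder name><TAB><process name>" for every .app directly under $1
# (for example /Applications) to build a Restricted Software list from inventory.
list_process_names() {
    for app in "$1"/*.app; do
        [ -d "$app" ] || continue
        name=$(bundle_process_name "$app" 2>/dev/null) || name="(unreadable)"
        printf '%s\t%s\n' "${app##*/}" "$name"
    done
}

# Constructed sample bundle: the folder name ("Spreadsheet.app" when called
# below) deliberately differs from the executable name "example_game".
make_sample_bundle() {
    mkdir -p "$1/Contents/MacOS"
    cat > "$1/Contents/Info.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.game</string>
    <key>CFBundleExecutable</key>
    <string>example_game</string>
</dict>
</plist>
EOF
    : > "$1/Contents/MacOS/example_game"
}
```

Run `list_process_names /Applications` on a Mac to get the folder-to-process mapping; the right-hand column is the name to enter in Restricted Software.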