Posted on 12-12-2011 06:41 PM
I have a fun head scratcher. Curious if any of you have input, as I'm out of ideas.
I have a JSS in a lab environment, and the client wants to block the developers from downloading and installing local apps, as well as them being managed local accounts, and having access to the internet. The use case is a highly secure environment where the users cannot have the ability to send potentially sensitive data to the outside world, so installing apps is not acceptable. However, these users are running Xcode, which itself creates applications.
We have no LDAP of any sort, are handling MCX via JAMF, and have some Restricted Software settings in place. The relevant MCX is the application.access settings providing whitelists and blacklists.
By telling the Mac where it can or cannot allow the current user to execute code, combined with standard file permissions, this provides a paradox worthy of a silly man in a blue box. Xcode ends up trying to run processes and execute project files not specifically allowed by the MCX, and ends up in an endless loop of admin password prompts that never actually end. The result is unusable.
We can't fully rely on Restricted Software, as that Whack-A-Mole style of process management does not scale.
I've thought of scripts or launchd items to watch specific folders, but that only alerts of problems that already exist and doesn't actually block the user.
I don't want to suggest blocking off the network for these computers, but that might be the only option.
My head hurts thinking about this. Does anybody have a bright idea?
Thank you!
- D
Posted on 12-12-2011 07:17 PM
Douglas
We have a similar situation here with students that we want to be able to run Xcode (specifically the iOS simulator) but not any other applications. Here is what I ended up doing:
On user login delete the /.Xcode folder to clean out apps (multiple users can use the same computer, prevents same filename errors)
On user login I create a /.Xcode folder if it doesn't already exist, changing its permissions and owners as required
Add the user to the _developer group on the local machine (to prevent admin prompts when building and using iOS simulator)
Use MCX to manage the Xcode setting which controls the build location to point to /.Xcode
Use MCX to allow applications to run that are in /.Xcode
Use MCX to turn off the 'Go to Folder' setting in Finder
(Extra step for iOS Simulator) Create a symlink in the user's home folder to direct the iOS Simulator folder to the /.Xcode folder so it can run apps, then hide the symlink
I use Workgroup Manager for MCX, I haven't used JAMF's version so I don't know if it can do the same type of stuff. The outcome of the above steps is that there is a hidden folder on the local computer that the user can run apps from, but they are unable to browse to it using the Finder so they can't copy other apps into it. Our students can't run Terminal or any other apps outside the /Applications folder so I am hoping there is no other way for them to get to my hidden /.Xcode folder.
I hope this helps you, I know it's not exactly what you are trying to do but it may give you some ideas on how to proceed.
Here's my really bad scripting which makes this work:
#!/bin/bash
# $1 is the shortname for the current logged in user
# Look up the user's home directory from finger output (needs command substitution)
HOMEDIR=$(finger "$1" | grep Directory | cut -f2 -d" " | cut -f1)
#clean out .Xcode folder to assist iOS simulator to run stuff better
rm -rf /.Xcode
#if Xcode hidden folder doesn't exist, create it and modify permissions
if [ ! -d /.Xcode ]
then
    echo "Creating /.Xcode folder..."
    mkdir /.Xcode
    chmod -R 777 /.Xcode
    chown -R adminusername:usergroup /.Xcode
fi
# Replace the _developer group membership with just this user so builds and the simulator don't prompt for admin credentials
dscl . -delete /Groups/_developer GroupMembership
dscl . -append /Groups/_developer GroupMembership "$1"
#create symlink for iPhone Simulator folder to hidden .Xcode folder to allow simulator to run apps
# (the path contains spaces, so it must be quoted)
SIMDIR="$HOMEDIR/Library/Application Support/iPhone Simulator"
rm -rf "$SIMDIR"
ln -s /.Xcode "$SIMDIR"
SetFile -P -a V "$SIMDIR"   # -P acts on the symlink itself; V marks it invisible in Finder
chmod -R 777 /.Xcode
chown -R adminusername:usergroup /.Xcode
Patrick Lawrence
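The weak point of the approach above is that /.Xcode is both world-writable and whitelisted for execution, so anything that lands in it outside an Xcode build becomes runnable. The following audit script is an added example, not code from this thread, from Patrick, or from JAMF. It assumes the folder MCX points Xcode's build location at (/.Xcode in the post above) holds build products in the derived-data layout <Project>-<hash>/Build/Products/<Configuration>/, and flags any .app bundle or executable file outside a Build/Products tree as something that was not produced by a build. The sample directory tree it builds for a stand-alone run is constructed for the example.

```shell
#!/bin/sh
# Added audit example (not from the thread or from JAMF): report executables
# in the whitelisted build folder that Xcode's build did not put there.
# Assumed layout: products live under <Project>-<hash>/Build/Products/<Config>/,
# so any executable outside a Build/Products tree was placed by hand.

# Print each .app bundle or executable file under $1 that is not inside a
# Build/Products directory. App bundles are pruned so their contents are not
# reported a second time.
audit_build_folder() {
    dir="$1"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    find "$dir" -type d -name '*.app' -prune -print -o -type f -perm -u+x -print |
    while IFS= read -r item; do
        case "$item" in
            */Build/Products/*) ;;                        # Xcode build product: expected
            *) echo "unexpected executable: $item" ;;     # placed by hand: flag it
        esac
    done
}

# Number of flagged items, for a quick pass/fail in a login or audit script.
count_unexpected_apps() {
    audit_build_folder "$1" | wc -l | tr -d ' '
}

# Constructed sample tree so the script runs offline: one app genuinely built
# by Xcode, one app bundle and one loose binary dropped in directly, and a
# plain text file that must not be flagged. Prints the tree's root path.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/Demo-abc123/Build/Products/Debug/Demo.app/Contents/MacOS"
    mkdir -p "$root/Dropped.app/Contents/MacOS"
    touch "$root/Demo-abc123/Build/Products/Debug/Demo.app/Contents/MacOS/Demo"
    touch "$root/Dropped.app/Contents/MacOS/Dropped" "$root/loose-tool" "$root/notes.txt"
    chmod +x "$root/Demo-abc123/Build/Products/Debug/Demo.app/Contents/MacOS/Demo" \
             "$root/Dropped.app/Contents/MacOS/Dropped" "$root/loose-tool"
    echo "$root"
}

# Stand-alone run: audit /.Xcode if it exists, otherwise the constructed tree.
if [ -d /.Xcode ]; then
    audit_build_folder /.Xcode
else
    demo=$(make_demo_tree)
    audit_build_folder "$demo"
    rm -rf "$demo"
fi
```

On the constructed tree the script flags Dropped.app and loose-tool and stays silent about Demo.app and notes.txt. Run at login before the folder is wiped, or from a periodic launchd job, it gives the alerting the first post mentions without replacing the MCX whitelist itself.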
Posted on 12-13-2011 08:27 AM
Thank you, that's offering some help.
Can you send me a screenshot or details of the MCX to tell Xcode where to save its repositories?
Cheers, - D
Sent from my Tricorder.