Posted on 04-23-2015 10:00 AM
Okay, I know this isn't JAMF related, but I need some advice. I have some students that keep loading games onto my macs and I have decided to have a little bit of fun. I have created an AppleScript to force a restart and then SavedAs an App, I also changed the icon and name to match the game. The only issue is that the applescript has admin username and password visible when you go to "show package contents" and look at main script. Is there a way to secure this so that the script is gibberish(encrypted). Please also understand that I know macs really well, but I don't know a whole lot about Apple Scripting as I never had a use in my previous life. Thanks for the help!!!
Posted on 04-23-2015 10:02 AM
When you save it there is an option to make it "run only" so they can't see the script contents.
Posted on 04-23-2015 10:05 AM
You can also try an immutable flag on the file.
Posted on 04-23-2015 10:45 AM
Why are they allowed to install games? Why not use JSS Restricted Apps? Why not let them play games when taking a break to begin with?
Posted on 04-23-2015 01:25 PM
@davidacland I finally see how to do that, you have to export to get the run only option to show up, because Save As doesn't offer that option.
@cshepp I'm going to google that... :)
@adamcodega Restricted Apps works only when you get the name the same and doesn't when they change the name by one letter. JSS restricted apps isn't all that great because of this. Restricting installs to the /Application folder is a good idea, and for some reason not one we thought about, but what about ~/Application, to my knowledge there isn't a way to restrict this without causing a huge headache for the rest of their user folder. Takes up HD space, unnecessary network bandwidth, it's against school Acceptable Use Policy, and it's fun to be able to reek a bit of havoc on their fun(Man that last bit sounded a bit evil, hahahahaha)
Posted on 04-23-2015 01:41 PM
facepalm
this thread.
• First off you need to reevaluate your life choices. Be part of the solution not the problem.
• Second you can easily make a configuration profile to allow apps to launch from /Applications and deny from /Users/ (assuming they are not admins and cannot move applications into /Applications). Or, it should be easy enough to come up with the short list of application you need to whitelist and black list the rest. Technical problem solved. The problem of being a jerk, not sure how to fix that.
EDIT
Do they need to run some applications from the user space? This configuration profile will block ALL apps from launching out of /Users.
Posted on 04-23-2015 01:48 PM
Alright we got that out of our systems.. lets all take a breath.
Guess we all got excited after yesterday's Ice-Out.
Posted on 04-27-2015 06:47 AM
I am just now finally able to get back to this post and was sort of shocked and saddened.
@Kaltsas Thank you for the kind words and support. I wish there were more people like you who had the ability to call out my "being a jerk". I'm pretty sure I was not intending to harm you or your well being in anyway, and I guess that through my text you were unable extract the joke. So for further communications I'd appreciate less of your assistance and/or kind words. Oh and just to be clear this time I'm not joking. And just a quick side note, your picture is awesome I love Brawndo, The Thirst Mutilator, to bad it's not on better terms.
I do appreciate everyones input into alternative means of stopping this and I will try those instead of the apple script.
Jerk out...
Posted on 04-27-2015 08:31 AM
http://www.sveinbjorn.org/platypus
Posted on 04-27-2015 10:21 AM
Your AppleScript trick is going to cause confusion. That's not a professional way to handle any situation. If students are downloading apps you should then figure out how to restrict their downloads or prevent the apps from running. And don't leave out addressing a behavioral issue by having an authority figure speak with them.
Casper's Restricted Apps feature doesn't have to use an application's name. It can also use it's process name. For example, you'll see in Activity Monitor that TextEdit is the process name when running TextEdit.app as well as RenamedTextEdit.app. (It's a little more effort to work around this but it's still possible.)
Using a configuration profile to deny running applications in /Users makes more sense. And be sure to publish your policies publicly for transparency. Documented policy makes your decisions look less like ad hoc policy.
Posted on 04-27-2015 06:36 PM
+1 this is a bad idea. I agree with Kaltsas. Don't be a dick.
There are better tools at your disposal. Restrict apps using restricted apps or use config profiles to limit apps launching directories.
If thats not enough, then use monitoring tools and escalate the issue through the proper channels. ie record the behaviors and have their teacher/dean/co-ordinator/principal whatever deal with the social side of their disobedience.