Not Allowing Apps to Run From DMG

speterson
New Contributor II

I've seen a couple of things related to this, with whitelists and blacklists for folders. I work at a school and for next year I would like to make it so that if a kid downloads a .dmg they can't mount it and run the .app from the mounted .dmg. Any thoughts?

Thanks

Accepted solution

tkimpton
Valued Contributor II

Hi Shawn, here are snippets from my procedure.

Application control is so that applications are allowed to run only from specified locations, with exceptions known as “whitelists” and particular applications known as “bundleIDs”.

Without this an end user can install and run applications from e.g. their Desktop, and that makes administration and license compliance unmanageable.

Components

The components used to achieve this are:

Raw XML preference file exported from WGM: com.apple.applicationaccess.new.plist

(my example as a property list text file)

    {
        whiteList = (
            {
                bundleID = "com.unkown.FontExplorerXAutoLoad";
                appStore = NO;
                displayName = "FontExplorerXAutoLoad.app";
            },
            {
                bundleID = "com.unknown.jamf-relauncher";
                appStore = NO;
                displayName = "jamf-relauncher";
            },
        );
        "familyControlsEnabled" = YES;
        "whiteList-Raw" = (
            {
                bundleID = "com.barco.clickshare";
                appStore = NO;
                displayName = clickshare;
            },
            {
                bundleID = "com.unkown.FontExplorerXAutoLoad";
                appStore = NO;
                displayName = "FontExplorerXAutoLoad.app";
            },
        );
        pathWhiteList = (
            "/Volumes/ClickShare/ClickShare_for_MacOSX.app/Contents/MacOS/",
            "~/Library/Application Support/Juniper Networks/",
            "/Applications/",
            "/Library/",
            "/System/",
            "/opt/",
            "/private/",
            "~/Library/Application Support/Linotype/",
            "~/Library/Application Support/Linotype/FontExplorer X/",
            "~/Library/Application Support/Linotype/FontExplorer X/FontExplorerXAutoload.app/Contents/MacOS/",
            "~/Library/Application Support/Linotype/FontExplorer X/FontExplorerXAutoload.app/Contents/Resources/",
        );
        pathBlackList = ();
    }

The raw XML file is then converted to a Configuration Profile using the mcxToProfile tool via the command line:

https://github.com/timsutton/mcxToProfile

The configuration profile is then uploaded to the JSS and scoped to All machines.

See page 267 of:

http://resources.jamfsoftware.com/documents/products/documentation/Casper-Suite-9.31-Administrators-Guide.pdf


Replies

alexjdale
Valued Contributor III

Can you blacklist "/Volumes/*"? That would knock out a lot of other legitimate stuff (network drives, any secondary internal/external drives) which I guess you could whitelist as needed, maybe?
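As an added illustration (not code from the thread or from Jamf/Apple), the script below builds a com.apple.applicationaccess.new dictionary shaped like the property list in the accepted solution, serializes it as the raw XML plist that mcxToProfile consumes, and then evaluates sample launch paths against it so you can see what a path-based policy does with an app run from a mounted .dmg, from Downloads, or from a whitelisted path under /Volumes as in alexjdale's "blacklist /Volumes/, whitelist the exceptions" idea. The evaluator is a simplified model (longest matching prefix wins, anything unmatched is denied); that rule, the home directory /Users/student and the sample paths are assumptions made for the example, not a statement of Apple's exact MCX algorithm.

```python
"""Added example: build an application-access policy and audit launch paths
against it. Simplified model of MCX path rules, not Apple's implementation."""
import plistlib
import posixpath

HOME = "/Users/student"  # constructed home directory used to expand "~"


def build_policy(bundle_ids, path_whitelist, path_blacklist=()):
    """Return the dict that plistlib writes as the raw XML preference file.

    bundle_ids: iterable of (bundleID, displayName) pairs for the whiteList.
    """
    return {
        "familyControlsEnabled": True,
        "whiteList": [
            {"bundleID": bid, "appStore": False, "displayName": name}
            for bid, name in bundle_ids
        ],
        "pathWhiteList": list(path_whitelist),
        "pathBlackList": list(path_blacklist),
    }


def policy_xml(policy):
    """Serialize the policy as XML plist bytes (the input for mcxToProfile)."""
    return plistlib.dumps(policy, fmt=plistlib.FMT_XML)


def _norm_prefix(entry):
    """Expand ~, normalize, and force a trailing slash so that
    "/Applications" can never match "/ApplicationsEvil/...".
    """
    if entry.startswith("~/"):
        entry = HOME + entry[1:]
    return posixpath.normpath(entry) + "/"


def is_allowed(exec_path, policy):
    """Decide whether an executable at exec_path may launch under the policy.

    Model used here (an assumption for illustration): the longest matching
    whitelist or blacklist prefix wins, a whitelist entry beats a blacklist
    entry of equal length, and a path matching nothing is denied because
    familyControlsEnabled makes the whitelist the rule.
    """
    path = posixpath.normpath(exec_path)  # collapses "/Volumes/../Applications"
    best_len, verdict = -1, False
    for entry in policy["pathWhiteList"]:
        prefix = _norm_prefix(entry)
        if path.startswith(prefix) and len(prefix) > best_len:
            best_len, verdict = len(prefix), True
    for entry in policy["pathBlackList"]:
        prefix = _norm_prefix(entry)
        if path.startswith(prefix) and len(prefix) > best_len:
            best_len, verdict = len(prefix), False
    return verdict


# Constructed policy mirroring the thread: system locations plus one vendor
# app that legitimately runs from a mounted volume, with /Volumes/ blacklisted.
SCHOOL_POLICY = build_policy(
    bundle_ids=[("com.barco.clickshare", "clickshare")],
    path_whitelist=[
        "/Volumes/ClickShare/ClickShare_for_MacOSX.app/Contents/MacOS/",
        "/Applications/",
        "/Library/",
        "/System/",
        "/opt/",
        "/private/",
        "~/Library/Application Support/Linotype/",
    ],
    path_blacklist=["/Volumes/"],
)


def audit(paths, policy=SCHOOL_POLICY):
    """Return {path: allowed} for a batch of launch attempts."""
    return {p: is_allowed(p, policy) for p in paths}


if __name__ == "__main__":
    sample = [  # constructed launch attempts
        "/Applications/Safari.app/Contents/MacOS/Safari",
        "/Volumes/CoolGame/CoolGame.app/Contents/MacOS/CoolGame",  # from a .dmg
        "/Volumes/ClickShare/ClickShare_for_MacOSX.app/Contents/MacOS/ClickShare",
        "/Users/student/Downloads/Game.app/Contents/MacOS/Game",  # from Downloads
        "/Volumes/../Applications/Calculator.app/Contents/MacOS/Calculator",
    ]
    for p, ok in audit(sample).items():
        print("ALLOW" if ok else "DENY ", p)
    print(policy_xml(SCHOOL_POLICY).decode())
```

Feed the XML that policy_xml() writes to mcxToProfile as the preference file for the com.apple.applicationaccess.new domain, exactly as the accepted solution describes; the audit() helper is only there to sanity-check a candidate whitelist before it is scoped to every student machine.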

lwindram
Contributor

I have been playing around with this in preparation for next year. Allowing the kids to run applications from the mounted .dmg or to just run applications from the downloads folder has been an issue for us this year (first year with Macs), as we have had ongoing issues with gaming during class.

We have a config profile established and distributed to all of the student machines. The restrictions payload is set to allow apps to launch from a few folders, primarily /Applications and /Library/Application Support. Moving files to either location requires authentication, which effectively ends the use of unapproved apps. I did have to add some additional folders in order to allow some of our less standard software to run (LanSchool, Lightspeed agent, CS6, etc.).

Next year we plan to roll this out to the entire student body. Currently it is deployed to all of our student computers, but scoped only to LDAP users who have been caught playing games in class. These users are serving as my test group to refine the restrictions prior to full deployment.
