OS X Config Profile App & Folder Blacklist

apizz
Valued Contributor

This is still our first year with Casper, but in testing a few things I stumbled across the app & folder whitelist and blacklist option in configuration profiles (we're on 9.82 still).

I went through the Admin guide but couldn't find anything on using this functionality or in JAMFnation, but perhaps I wasn't searching for the right things, so sorry if this ends up being a duplicate post.

I'm trying to lock down the ability of our students to launch downloaded apps from anywhere in their user folder. My thinking was to manually choose the folders in users' home folder (~/Desktop, ~/Downloads, etc.) but I realized this would still allow kids (if they're clever enough) to copy apps to the root of their home folder. My conundrum is how to do this without blocking apps which may exist in users' home library folder, but I wonder if there are any apps that would really warrant this exception.

So 1) can I just blacklist ~ in the config profile or 2) if I should manually choose each folder (~/Desktop, etc.) how can I allow the ~/Library folder while blocking everything else?

Could I blacklist ~ and whitelist ~/Library, or would that cause problems?


JamesJhoung
Contributor

Are you planning on restricting them from using externally connected drives as well?

apizz
Valued Contributor

@jamez179 we want to restrict any apps that we haven't installed ourselves, so yes this would include external drives.

We have Netboots and bootable external drives with any apps that we might not install but need to run for troubleshooting issues.

CasperSally
Valued Contributor II

We use a combo of white and black folder lists to accomplish what I think you're trying to do.

Allowed folders example
/Applications
/Library/Application Support/Microsoft (I think this is for Silverlight)
/Library/Sophos Anti-Virus

Make sure any folder you allow doesn't have read/write access to students.

Blocked folders list includes anything in allowed that has read/write permissions because of bad app developer programming - or apps you want blocked.

Blocked folders example
/Applications/Game Center.app
/Applications/Utilities/Terminal.app
/Library/Application Support/Microsoft/PlayReady (this folder has to be read/write I believe, so we add it to block list so students can put programs there, but they can't launch them)

We have /Users explicitly in blacklist, but I am not sure now that's needed if your allow list is set up properly; I'd assume not.

I'd suggest starting with allow folders for /Applications only with the apps your students need. Then log in and you'll probably get some blocked app messages. Log in as admin and search Console for 'mcx' which will give you the path of what's being blocked for you to investigate.

If you have questions, I'm on slack techgrltweeter.
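
An added example (not from the thread or from Jamf) of the permission check recommended above, as a small POSIX shell audit: it walks each folder you intend to allow and reports every subdirectory students could write to, which is exactly the kind of directory (like PlayReady) that needs to go on the blocked list. Assumed: students are neither root nor members of the owning group, so only the world-write bit is checked.

```shell
#!/bin/sh
# Added example, not from the thread or from Jamf: audit the folders you plan
# to put on the profile's *allowed* list and report every subdirectory that a
# non-admin student could write to. Any such directory is a place a student
# could copy an app into and launch it, so it belongs on the *blocked* list
# (the PlayReady case above) or needs its permissions fixed.
# Only POSIX find with an octal -perm mask is used, so it behaves the same on
# macOS and Linux. Assumption: students are neither root nor members of the
# owning group, so the "other" write bit is what matters.

# Print each directory under $1 that is world-writable (other-write bit set).
writable_dirs_under() {
    [ -d "$1" ] || return 0
    find "$1" -type d -perm -0002 2>/dev/null
}

# Print the number of world-writable directories under all given folders.
count_writable_dirs() {
    total=0
    for allowed in "$@"; do
        n=$(writable_dirs_under "$allowed" | wc -l | tr -d ' ')
        total=$((total + n))
    done
    echo "$total"
}

# Print a "BLOCK <path>" line per writable directory, in the form you would
# review before adding it to the blocked folders list. Exit status is 1 when
# anything was found, so the script can gate a deployment check.
audit_allowed_folders() {
    status=0
    for allowed in "$@"; do
        hits=$(writable_dirs_under "$allowed")
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits" | sed 's/^/BLOCK /'
            status=1
        fi
    done
    return "$status"
}

# Example run against the allowed folders from the reply above:
# audit_allowed_folders /Applications "/Library/Application Support/Microsoft" "/Library/Sophos Anti-Virus"
```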

apizz
Valued Contributor

Thanks @CasperSally! I need to do some more testing here, but this is a great start.

apizz
Valued Contributor

So here's my dilemma ...

As far as I can tell, the app folder whitelisting / blacklisting works as follows: everything listed in the whitelist is allowed while everything else is blocked, and everything listed in the blacklist is blocked while everything else is allowed.

Ultimately, all I want to do is prevent users from launching apps they've downloaded anywhere in their user folder, but there are things that certain apps (like Chrome) put in the ~/Library folder. So I can't just blacklist /Users or ~ if I want to allow ~/Library, but in allowing ~/Library and blocking the other folders within the /Users/user folder I expose the ability for apps to be launched from the root of their user folder ...

What's the secret formula so I can block the entire /Users folder, except the ~/Library folder, and allow everywhere else?

Or is there another method or way I should be thinking about this?

emmayche
New Contributor III

Did you ever find a solution for this?

CasperSally
Valued Contributor II

If you're blacklisting /Users/ from launching apps, I don't think you can cherry pick out folders within /Users to whitelist.

For any app that has to run out of there, you can move the app and use symlinks to point to the new location, but that's a little tricky to set up if you aren't familiar with symlinks. We just don't allow apps to run out of /Users. For Chrome, we change permissions on that file that tries to launch so that it can't run & patch on our own.

Acrobat's update mechanism tries to launch out of there as well, even though we set the bUpdater flag to no updates. I tried working with Adobe on it and gave up. Users just click away the MCX error until their Acrobat updates.