Overwhelming Permission Popups

bkuiper
New Contributor II

I'm the new admin at my school, but apparently this problem has plagued our 1:1 MacBook program for years. We whitelist/blacklist programs for a specific set of allowed functions, and our students get constant "You don't have permission to use the application [X]" popups. I'm talking 5-6 at startup and multiple times an hour beyond that. The names of these processes have changed over time, but the most common ones are:

  • MessagesActionExtension
  • TVCacheExtension
  • launcher
  • Google Updater (this one is recent, I might have the name wrong)

among many others. I've contacted JAMF support and they said to allow /Applications/Utilities/ and ~/Library into the whitelisted folders directory, but this does not solve the issue. It also allows Terminal use, which is not what we wanted.

Trying to find and kill individual processes via Restricted Software has no effect, positive or negative.

4 REPLIES

mschlosser
Contributor II

I'd go through the policies / config profiles / software restrictions that may be causing these pop-ups and unscope them, and rethink your approach. In my opinion there is little advantage to blacklisting Terminal, as an example; after all, if your users do not have admin rights, as they shouldn't, they can't do anything truly dangerous in Terminal anyway, so why restrict it? Third-party software that you didn't want certain users to use could just be moved to a directory where those users didn't have access. Long way of saying there's more than one way to skin a cat. Rethink your approach; not the first time I had to untangle poorly thought-out restrictions. Just because you can restrict something doesn't mean you should.

Alanj72
New Contributor II

Was this something you ever resolved? We had some very crafty students getting around restrictions and moved to a more locked down approach. Now we get the 'launcher' app requests occasionally. It doesn't list any application path so I don't know where to allow this.

bkuiper
New Contributor II

Not with any consistency... I had some brief luck using the Restricted Apps and "Restrict Exact Process Name" to get rid of "MessagesActionExtension." I needed to run "sudo jamf manage" in Terminal to get it to do anything. I haven't had time to really try further, and haven't tested with "launcher", but it seems to be less effective than it was at time of implementation.

Also, blocking one process seems to have another process take its place in the window. I don't know how many I'd have to implement to get rid of them all.

Alanj72
New Contributor II

Thanks for the quick response!

That's a bummer. Launching applications is just too easy even as a standard user. I was hoping to restrict only to the Applications folder but so many extra functions take place outside that folder. This is how my configuration profile is built. I'm not sure what to change to improve behavior...

Allow Folders: The user can always launch apps in these folders
/Applications/
/System/Library/
/Library/
/bin/
/usr/bin/
/Library/Application Support/
/System/Cryptexes/App/System/Library/CoreServices
/System/Volumes/Preboot/Cryptexes/App/System/Library/CoreServices
/System/Volumes/Preboot/Cryptexes/
~/Library/Application Support/
/System/


Disallow Folders: The user can never launch apps in these folders
/Users/
/Downloads/
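
An added example, not part of any post in this thread and not Jamf's own tooling: a small offline audit of the two folder lists above that reports allow entries already covered by a broader allow entry, allow entries that sit under a disallowed folder, and allow entries inside the user's home folder. The home path `/Users/student` is a placeholder; the thread does not say which list wins when both match, so the script only reports the overlap.

```python
from pathlib import PurePosixPath

# Folder lists copied from the configuration profile in the post above.
ALLOW = [
    "/Applications/", "/System/Library/", "/Library/", "/bin/", "/usr/bin/",
    "/Library/Application Support/",
    "/System/Cryptexes/App/System/Library/CoreServices",
    "/System/Volumes/Preboot/Cryptexes/App/System/Library/CoreServices",
    "/System/Volumes/Preboot/Cryptexes/",
    "~/Library/Application Support/", "/System/",
]
DISALLOW = ["/Users/", "/Downloads/"]

# Assumption: "~" is a home folder under /Users/; "student" is a placeholder name.
HOME = "/Users/student"

def norm(entry):
    """Expand a leading ~ and return a normalised absolute path."""
    if entry.startswith("~"):
        entry = HOME + entry[1:]
    return PurePosixPath(entry)

def covers(parent, child):
    """True when child is a strict descendant of parent."""
    return parent != child and parent in child.parents

def audit(allow, disallow):
    """Return (redundant, conflicts, in_home) findings for the two lists."""
    redundant, conflicts, in_home = [], [], []
    for a in allow:
        pa = norm(a)
        for b in allow:
            if covers(norm(b), pa):
                redundant.append((a, b))   # a is already inside allowed b
        for d in disallow:
            if covers(norm(d), pa) or norm(d) == pa:
                conflicts.append((a, d))   # allowed path inside a disallowed one
        if covers(PurePosixPath(HOME), pa):
            in_home.append(a)              # inside the home folder, which the user can write to
    return redundant, conflicts, in_home

if __name__ == "__main__":
    redundant, conflicts, in_home = audit(ALLOW, DISALLOW)
    for a, b in redundant:
        print(f"redundant: {a!r} is already covered by {b!r}")
    for a, d in conflicts:
        print(f"conflict:  {a!r} is allowed but sits under disallowed {d!r}")
    for a in in_home:
        print(f"user-writable: {a!r} is inside the user's home folder")
```

On the lists as posted it reports six redundant allow entries (most of them covered by `/System/`), and flags `~/Library/Application Support/` both as overlapping the disallowed `/Users/` and as a location the logged-in user can write to.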