Prevent Apps from Executing in ~, Desktop Etc

michael_lewis
New Contributor

I have experimented with Apple's restriction profile to try and prevent our students from installing / executing apps on their desktop, documents, and misc home folders. However, there are too many misc apps which have software updaters in crazy locations and this profile seems to be buggy at best. Why can't Apple just create a profile which disallows app execution from the set of folders you specify without having to list all folders which are allowed? If I could just say don't allow app execution from the Desktop and Downloads I would be golden... at least starting out. Anyone have a way of doing this?


davidacland
Honored Contributor II

It was a real shame when Apple reversed this behaviour. The early days of OS X server had a blacklist option but I think it went away around 10.4/5.

I've had a few customers ask for this type of functionality but I have always avoided putting together a funky scripted solution. In theory you could set the directories as watch folders and trigger a script to alter permissions on any .app bundles that it finds. You could strip out Finder extensions that tell it to behave like an app, or just remove any execute permissions on the enclosed items.

Personally I think it would be a real battle to get it working and the students would spend their time trying to find ways around it. I would favour a more direct social approach.
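The "remove execute permissions on the enclosed items" variant of the scripted approach above, written out as an added example (this is not code from the thread or from any poster). It assumes POSIX sh with `find` and `chmod`, that the bundles to neuter sit at the top level of the watched folders, and that whatever fires it (a launchd WatchPaths job, a Jamf policy, cron) is set up separately. The function names `find_app_bundles`, `neuter_app` and `neuter_apps_in` are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread: strip execute permission from every
# file under Contents/MacOS of each .app bundle found directly inside the
# given directories, so Launch Services will refuse to start them.
# Assumptions: POSIX sh, find, chmod; the watch-folder trigger is external.
set -u

# Print the .app bundles sitting at the top level of each directory given.
# Depth is capped so something like ~/Desktop/project/build/Foo.app is
# left alone; raise -maxdepth if you want recursion. Missing dirs are skipped.
find_app_bundles() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -mindepth 1 -maxdepth 1 -type d -name '*.app'
    done
}

# Remove all execute bits from the files in one bundle's Contents/MacOS.
# Returns 0 if at least one file was changed, 1 if there was nothing to do
# (no MacOS folder, or everything already non-executable).
neuter_app() {
    app=$1
    macos_dir="$app/Contents/MacOS"
    [ -d "$macos_dir" ] || return 1
    changed=0
    for f in "$macos_dir"/*; do
        [ -f "$f" ] || continue
        if [ -x "$f" ]; then
            chmod a-x "$f" && changed=1
        fi
    done
    [ "$changed" -eq 1 ]
}

# Walk the watched directories and neuter every bundle found, printing one
# "neutered: <path>" line per bundle actually changed. A second run over the
# same folders prints nothing, which makes the output usable as a log.
neuter_apps_in() {
    find_app_bundles "$@" | while IFS= read -r app; do
        if neuter_app "$app"; then
            echo "neutered: $app"
        fi
    done
}

# Typical invocation from a watch-folder job for one user's home folder:
#   neuter_apps_in "$HOME/Desktop" "$HOME/Downloads"
```

Two caveats before relying on this. First, the student owns the files, so `chmod +x` (or copying the binary out of the bundle) undoes it; it raises the bar, it does not enforce anything. Second, a watch-folder trigger runs after the file lands, so there is a window between the copy finishing and the script running in which a quick double-click still works.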

michael_lewis
New Contributor

David, I agree with you as that is what I have been doing...social approach. Just wanted to make sure I wasn't missing something that I could do technically to prevent it. Thanks for the feedback.

Michael

CasperSally
Valued Contributor II

We use a folder whitelist and a folder blacklist via config profiles. Works great once you take the time to tweak it (and then retweak as you add apps that run out of non-standard areas). Make sure whitelisted folders don't have RW access.

We did the same with MCX for years.

davidacland
Honored Contributor II

Is it possible to use profiles to stop apps being launched from external drives like USB sticks?

michael_lewis
New Contributor

CasperSally,
Did you create your own xml profile or is this something I can view in Casper or Profile Manager? Care to share if it is custom code?

Thanks,
Michael

Joseph_Morris
Contributor

When I was working in K-12, we would essentially approve only the applications that we had installed on the system. This would prevent any unauthorized applications from launching. This process was done in the configuration profile under Restrictions. This would allow us to enable System services, district installed applications, and any updater or helper applications that are required for applications to run. Make sure that you build a custom profile and test, test, test before deploying. The last thing that you want to do is deploy a profile restricting applications and then have it tell you that you can't run a specific application that is required. The only problem that we have ever run into with this situation is involving computer programming classes where students are required to be able to run their own applications that they wrote in the IDE.

ElliottSeven
New Contributor II

David, I'm curious about restricting apps running from external drives too.
There's always the option to block users from using external drives at all, but I'm assuming that you still want users to be able to use them for opening/saving files. Instead, you could blacklist app execution in /Volumes/* and whitelist /Volumes/Macintosh HD or whatever the internal drive is. I would set that as a user profile so that administrators can log in and run updates which mount a DMG in /Volumes, use external drives, etc.