3 weeks ago
Hi everyone,
We manage a fleet of approximately 1,500 M2 MacBook Air devices used by students. All student accounts are standard users with App Store access blocked. Applications can only be installed via Self Service.
To prevent unauthorized software use, we've restricted app execution from the Desktop, Documents, and Downloads folders. However, students have found a workaround: they are dragging applications into the Dock and launching them from there.
I’d prefer not to implement a policy that constantly removes unknown apps from the Dock, as it can negatively affect user experience.
Has anyone encountered a similar situation? Are there any recommendations or best practices to prevent applications from being run via the Dock if they aren’t located in the /Applications folder or haven’t been approved via Self Service?
Appreciate any advice or suggestions!
Thank you.
3 weeks ago
The easier option is to simply lock the dock down so that nothing can be added to it. The downside is they can’t make any changes at all, even authorized applications.
The slightly harder solution is to make a configuration profile that explicitly says where applications can be run from.
In the Applications section you can set which folders applications are allowed to be launched from and restrict which applications can be launched.
/Applications/
/Library/
/System/
/usr/
/bin/
plus any others you have that are non-standard locations. Any locations not specifically added are effectively on the block list.
This option is going to both require more testing and maintenance on your part for future applications.
3 weeks ago
Hi @user-gssZPuMBaw ,
You may configure a custom Dock according to your application list, and then lock it using the Dock payload by setting contents-immutable, preventing users from adding new applications to the Dock.
2 weeks ago
I agree, I'd set the Dock so that it cannot be modified; also, I'd remove everything from the Dock except for /Applications and ~/Downloads. That way they can access the apps folder in a manner similar to the Start menu, and it automatically updates as apps are added, no intervention necessary; further, every user can access their Downloads folder. Works well here.
2 weeks ago
I've never heard of the Dock providing any sort of access regarding permission to run software. My understanding is that it's merely a launcher of sorts. Meaning your problem isn't with the Dock but that the students have the software in a location that is not locked down.
Based on your post I'm wondering if the software is located in ~/Applications, as I don't see anything in your post that would block that. This is a common location that some installers will look for. I'm looking at you, Grammarly. In the end though, my experience is that the most effective way to probably do what you're wanting is to only allow specific areas. If you block areas, now you're in the business of whack-a-mole where you have to seek out locations to block. One area someone could get around the whack-a-mole is throwing an application into a ~/Library folder. Sometimes vendors will put an app in ~/Library (I think Google used to do this), so blocking ~/Library isn't the best idea.
If you decide to allow specific areas, be sure to TEST! TEST! TEST! as you can bite yourself in the butt if you don't allow something you need.
Of course your mileage might vary but that's what I recall when playing around with blocking applications.
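An added example (not from any poster in this thread): a Python audit that reads a Dock preferences plist and lists app tiles whose path falls outside the allow-listed folders given above, which is where the ~/Applications and ~/Library cases from the last reply would surface. The sample plist, user name and app names are constructed, and the tile-data / file-data / _CFURLString layout is assumed to match the device's com.apple.dock preferences.

```python
import plistlib
from pathlib import PurePosixPath
from urllib.parse import unquote, urlparse

# Allow-listed launch folders named in the thread.
ALLOWED = ["/Applications/", "/Library/", "/System/", "/usr/", "/bin/"]

def is_allowed(path, allowed=ALLOWED):
    """True if path sits under an allow-listed folder, compared by whole components."""
    parts = PurePosixPath(path).parts
    if ".." in parts:  # refuse traversal such as /Applications/../Users/...
        return False
    for root in allowed:
        root_parts = PurePosixPath(root).parts
        if parts[:len(root_parts)] == root_parts:
            return True
    return False

def dock_app_paths(dock_plist_bytes):
    """Yield the filesystem path of every app tile in a com.apple.dock plist."""
    prefs = plistlib.loads(dock_plist_bytes)  # handles XML and binary plists
    for tile in prefs.get("persistent-apps", []):
        url = tile.get("tile-data", {}).get("file-data", {}).get("_CFURLString", "")
        # Assumption: the value is either a file:// URL or a plain path.
        yield unquote(urlparse(url).path) if url.startswith("file://") else url

def audit(dock_plist_bytes):
    """Return Dock app paths that fall outside the allow list."""
    return [p for p in dock_app_paths(dock_plist_bytes) if p and not is_allowed(p)]

def _tile(url):
    return {"tile-data": {"file-data": {"_CFURLString": url, "_CFURLStringType": 15}}}

# Constructed sample Dock preferences (not from a real device).
SAMPLE = plistlib.dumps({"persistent-apps": [
    _tile("file:///Applications/Safari.app/"),
    _tile("file:///System/Applications/Notes.app/"),
    _tile("file:///Users/student/Applications/Game.app/"),
    _tile("file:///Users/student/Library/Some%20Tool.app/"),
    _tile("file:///Applications-old/Tool.app/"),
]})

if __name__ == "__main__":
    for path in audit(SAMPLE):
        print("outside allow list:", path)
```

On a managed Mac the input would be the bytes of the user's ~/Library/Preferences/com.apple.dock.plist; matching on whole path components is what keeps /Applications-old/ and /Users/student/Applications/ from passing as /Applications/.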