Prevent Students from Running Unauthorized Apps from the Dock

user-gssZPuMBaw
New Contributor

Hi everyone,

We manage a fleet of approximately 1,500 M2 MacBook Air devices used by students. All student accounts are standard users with App Store access blocked. Applications can only be installed via Self Service.

To prevent unauthorized software use, we've restricted app execution from the Desktop, Documents, and Downloads folders. However, students have found a workaround: they are dragging applications into the Dock and launching them from there.

I’d prefer not to implement a policy that constantly removes unknown apps from the Dock, as it can negatively affect user experience.

Has anyone encountered a similar situation? Are there any recommendations or best practices to prevent applications from being run via the Dock if they aren’t located in the /Applications folder or haven’t been approved via Self Service?

Appreciate any advice or suggestions!

Thank you.

1 ACCEPTED SOLUTION

GadgetVirtuoso
New Contributor III

The easier option is to simply lock the dock down so that nothing can be added to it. The downside is they can’t make any changes at all, even authorized applications. 

The slightly harder solution is to make a configuration profile that explicitly says where applications can be run from.

In the Applications section you can set which folders applications are allowed to be launched from and restrict which applications can be launched.
/Applications/
/Library/
/System/
/usr/
/bin/

plus any others you have that are non-standard locations. Any locations not specifically added are effectively on the block list. 
This option is going to both require more testing and maintenance on your part for future applications.

4 REPLIES

agungsujiwo
Contributor II

Hi @user-gssZPuMBaw ,
You may configure a custom Dock according to your application list,
and then lock it using the Dock payload by setting contents-immutable,
preventing users from adding new applications to the Dock.

 

mschlosser
Contributor III

I agree, I'd set the Dock so that it cannot be modified; also, I'd remove everything from the Dock except for /Applications and ~/Downloads. That way they can access the apps folder in a manner similar to the Start menu, and it automatically updates as apps are added, no intervention necessary. Further, every user can access their Downloads folder. Works well here.

jhuls
Contributor III

I've never heard of the Dock providing any sort of access regarding permission to run software. My understanding is that it's merely a launcher of sorts. Meaning your problem isn't with the Dock but that the students have the software in a location that is not locked down.

Based on your post, I'm wondering if the software is located in ~/Applications, as I don't see anything in your post that would block that. This is a common location that some installers will look for. I'm looking at you, Grammarly. In the end, though, my experience is that the most effective way to probably do what you're wanting is to only allow specific areas. If you block areas, now you're in the business of whack-a-mole where you have to seek out locations to block. One area someone could get around the whack-a-mole is throwing an application into a ~/Library folder. Sometimes vendors will put an app in ~/Library (I think Google used to do this), so blocking ~/Library isn't the best idea.

If you decide to allow specific areas, be sure to TEST! TEST! TEST! as you can bite yourself in the butt if you don't allow something you need.

Of course your mileage might vary but that's what I recall when playing around with blocking applications.
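
An added example, not code from any poster in this thread: a shell audit that lists .app bundles sitting outside the folder allow list given in the accepted solution, so copies in places like ~/Applications or ~/Library show up before the profile is enforced. The function names are hypothetical, and the plain string-prefix match is an assumption made for this audit, not a description of how the MDM restriction evaluates paths.

```shell
#!/bin/sh
# Allow-list prefixes copied from the accepted solution in this thread.
# Override by exporting ALLOWED_PREFIXES (space-separated, no spaces in a prefix).
ALLOWED_PREFIXES=${ALLOWED_PREFIXES:-"/Applications/ /Library/ /System/ /usr/ /bin/"}

# is_allowed PATH (hypothetical helper): succeed when PATH begins with an
# allowed prefix. "/Library/" does NOT match "/Users/x/Library/...", so
# per-user Library and Applications folders are reported.
is_allowed() {
    for prefix in $ALLOWED_PREFIXES; do
        case "$1" in
            "$prefix"*) return 0 ;;
        esac
    done
    return 1
}

# find_unlisted_apps ROOT... (hypothetical helper): print each .app bundle
# under the given roots that lies outside the allow list. -prune stops find
# from descending into a bundle, so helper apps nested inside it are not
# listed separately.
find_unlisted_apps() {
    find "$@" -type d -name '*.app' -prune -print 2>/dev/null |
    while IFS= read -r app; do
        is_allowed "$app" || printf '%s\n' "$app"
    done
}

# When run with arguments, audit those roots, e.g.: sh audit_apps.sh /Users
if [ "$#" -gt 0 ]; then
    find_unlisted_apps "$@"
fi
```

Run it as root against /Users on a sample of machines and compare the output with the applications you intend to permit before adding or leaving out a folder in the profile.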