Jamf Nation Community

jhuls · ‎06-30-2016

If I place an alias to an application located in /Applications on a user's desktop, is it possible to prevent the user from removing that alias?

Currently most of our users have admin privileges so I understand that this might make it impossible or difficult but I've been tasked by the powers that be to try to make this work. Somewhere down the road our users might not have admin privileges but that's not a done deal yet and could be awhile. The alias I'm referring to is for an application to summon public safety...more or less something like a 911 app. It's important to try to keep it on the desktop.

mm2270 · ‎06-30-2016

Currently most of our users have admin privileges so I understand that this might make it impossible or difficult

Yes, unfortunately with admin rights there really isn't going to be any real way to stop them from deleting it. You can make it difficult to do, or have some mechanism in place that checks to see if the alias is there and if it isn't, recreates it (likely annoying your users in the process) but there won't be any way to truly prevent them from removing it.

If you ever get to the point that your users don't have local admin rights, then your options open up considerably.

If you need any pointers on some ways to make it a bit less easy to remove the aliases, post back and I can show a few options.

htse · ‎06-30-2016

You might consider the system immutable flag on the alias. It can resist the UI, sudo rm and rm by root, unless the flag is reversed, before the file can be acted upon, unlike "Locked" in Finder or user immutable. Of course the user can still remove the flag, but it would involve more work than clicking Continue.

https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/chflags.1.html

mm2270 · ‎06-30-2016

The system immutable flag was one of the things I was thinking about when I posted before. It will make it more "work" to remove it, but not at all impossible if the user has local admin rights, and has decent knowledge on the command line or good Google-fu skills. Its really just a deterrent, not a perfect solution.

What I was thinking of really, was a LaunchDaemon that could run every so often and run a script that:
a) Checks to see if someone is logged in
b) Checks if the logged in user's Desktop has the requesite alias on it
c) If not, recreate the alias and lock it down with chown and chflags commands

If the alias is present, have the script just exit.
This would provide a way to add it back even if the user goes through the trouble of undoing the system immutable flag and removes it. Still not perfect, just because if they are persistent enough they can discover what keeps putting it back (the LaunchDaemon) and just disable/remove that as well. As you can see, with admin rights in all honesty, all bets are off on preventing users from making such modifications.
But the above would be about the closest I could see on enforcing this.

Look · ‎06-30-2016

As @mm2270 said, a pretty simple way would be to simply have a policy or agent that checked and recreated the alias on some kind of schedule (probably login).
If you really want to get draconian and achieve something similar you could use a preconfigured dock instead and have it deployed as a profile that was enforced.

jhuls · ‎06-30-2016

Thanks everyone!

I'm looking into some of that and knew my answer would probably be at the command line or script where I'm not as strong as I'd like to be. I've considered the scheduled check and looking into that as well. I also considered the dock but I can't lock it down completely without a backlash and scheduling a check of it using dockutil would get annoying if the user removes it and the dock gets killed each time to replenish it.

I'm off tomorrow and next week so hopefully I remember this when I get back. lol

Preventing users from deleting an alias to an application