Posted on 12-16-2016 01:20 PM
I have some extremely technically savvy users who have tried to skirt organizational requirements by modifying files within the root library. I want to remove the ability for all users except IT staff and our local admin account to open/execute the root library at all.
My issue is that when I test it by being in my user account and attempt to do this via terminal (chmod u-x /Library), terminal tells me that the operation isn't permitted.
What am I missing here?
Posted on 12-16-2016 02:52 PM
Have they enabled the root user?
Posted on 12-17-2016 03:17 AM
@duffcalifornia Are they admins?
Also, can those settings that they are changing be enforced via a profile instead?
Posted on 12-17-2016 09:18 AM
I am wondering if you could create a script that would look if /Library has been opened and then exclude them from a profile. We found removing the wireless profile gets our users' attention.
Posted on 12-17-2016 12:04 PM
If they haven't got admin rights they shouldn't be able to modify much if anything there.
If they are admins, well then they are admins...
Posted on 12-19-2016 06:54 AM
@CapU - Not that we're aware of. There aren't many of these users who are the combination of "tech savvy enough to mess with things" and "resistant to the idea that we're managing them". We're just trying to be proactive. IT isn't the most trusted or respected department at my org.
@bentoms, @Look - They are, sadly, due to precedent. I'm looking to just modify the permissions for the root Library to rw- as opposed to rwx.
@jared_f That's a possibility I suppose, though we'd have to figure out what to take away as not all of our users are on wifi...
Posted on 12-19-2016 07:00 AM
I sincerely don't think it's possible or recommended to change the permissions on the root Library folder. Many applications need to be able to read support files and other items from those directories that are in the root Library folder, so messing with the permissions is very likely to break stuff on you. The general rule of thumb is, never change the permissions on a directory that is managed and owned by the operating system. I would not do it.
Can you detail some of the concerns you have about what they may mess with, or what you've already seen messed with? That may help us help you come up with a more realistic solution.
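
Added example, not part of any post in this thread: a report-only audit that leaves /Library untouched and flags drift from a baseline, in line with the advice above not to change OS-managed permissions. It also shows the rule behind the "operation isn't permitted" error, since chmod is allowed only for a file's owner or root. The baseline (drwxr-xr-x, uid 0, gid 0) and the function names `ls_field`, `can_chmod` and `audit_dir` are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Baseline values are assumptions:
# a stock macOS /Library is drwxr-xr-x, uid 0 (root), gid 0 (wheel).

# ls_field PATH N: field N of `ls -ldn PATH` (1=mode, 3=uid, 4=gid)
ls_field() { ls -ldn "$1" | awk -v n="$2" '{print $n}'; }

# can_chmod PATH: chmod is allowed only for the owner of PATH or for root.
can_chmod() {
    me=$(id -u)
    [ "$me" -eq 0 ] || [ "$me" -eq "$(ls_field "$1" 3)" ]
}

# audit_dir PATH MODE UID GID: returns 0 if PATH matches the baseline,
# 1 on drift, 2 if PATH is not a directory. Findings go to stdout.
audit_dir() {
    path=$1; want_mode=$2; want_uid=$3; want_gid=$4
    [ -d "$path" ] || { echo "MISSING: $path"; return 2; }
    # Keep 10 characters only: ls may append '@' or '+' for xattrs/ACLs.
    have_mode=$(ls_field "$path" 1 | cut -c1-10)
    have_uid=$(ls_field "$path" 3)
    have_gid=$(ls_field "$path" 4)
    rc=0
    if [ "$have_mode" != "$want_mode" ]; then
        echo "DRIFT: $path mode $have_mode, expected $want_mode"; rc=1
    fi
    if [ "$have_uid" != "$want_uid" ] || [ "$have_gid" != "$want_gid" ]; then
        echo "DRIFT: $path owner $have_uid:$have_gid, expected $want_uid:$want_gid"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $path"
    return "$rc"
}

# Report only; nothing here modifies the directory.
audit_dir /Library drwxr-xr-x 0 0 || true
[ ! -d /Library ] || can_chmod /Library ||
    echo "current user is neither owner nor root: chmod on /Library is refused"
```
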