Help

Restrict installations via Terminal

blee
New Contributor

Wednesday

We're looking into solutions for restricting users from download packages or software via Terminal. Just as an example, installing Homebrew via Terminal to install Python. Once users have access to Python, they are able to install and Python packages they please.

It's been getting difficult to track who has Python installed and what sorts of packages installed as well. If a user installed Python via the Python website, we can see the installer listed in Jamf's app list for their device but found that if they installed it via Terminal, the only way to detect it is to run 'python3 --version' in Terminal to see if it returns a Python version.

I'm exploring to see if we can restrict certain Terminal commands with an Admin password (such as restricting running the command that installs Homebrew). I'm open to seeing if Terminal can be completely locked down with an Admin password but would much like to explore other options first, if available. Has anyone else ran into something like this and can offer possible solutions or suggestions? 

0 Kudos
Reply
4 REPLIES 4

sdagley
Esteemed Contributor II

Wednesday - last edited Thursday

@blee That's beyond the scope of Jamf Pro's built-in features. You'd need to look at an Endpoint Privilege Management (EPM) tool for that level of restriction. I won't provide a specific recommendation for an EPM tool, but searching this forum should turn up some results.

If controlling what process are allowed to run is of interest I would recommend you take a look at Google's Santa tool (https://github.com/google/santa) which offers much more flexibility than Jamf Pro's built-in Restricted Software feature.

0 Kudos
Reply

AJPinto
Honored Contributor III

Wednesday

To more or less part @sdagley , this is well out of the scope of Jamf Pro. You need to look in to permissions management, ideally removing admin access from your users and handing permissions escalation with a EPM Tool like Cyber Ark EPM.

Reply

Shyamsundar
Contributor

Wednesday

You can remove the admin rights for all the users and deploy a Privilege Management tool like Previleages or Elevate, Which will give the temp admin rights to the user for only a certain period and you can list probable options are ask the user to enter why they need admin rights.  

Reply

AJPinto
Honored Contributor III
In response to Shyamsundar

Thursday

The problem with any tool that grants temporary admin access is admin access is admin access. If the user has the trigger, they still have admin access. If the user does not have the trigger, then a tech is providing the admin function. Tools like privileges are just placebos for actual permissions management, it just makes you think the situation is better.

0 Kudos
Reply