Posted on 12-11-2024 12:50 PM
We're looking into solutions for restricting users from downloading packages or software via Terminal. Just as an example, installing Homebrew via Terminal to install Python. Once users have access to Python, they are able to install any Python packages they please.
It's been getting difficult to track who has Python installed and what sorts of packages are installed as well. If a user installed Python via the Python website, we can see the installer listed in Jamf's app list for their device, but we found that if they installed it via Terminal, the only way to detect it is to run 'python3 --version' in Terminal to see if it returns a Python version.
I'm exploring whether we can restrict certain Terminal commands with an Admin password (such as restricting running the command that installs Homebrew). I'm open to seeing if Terminal can be completely locked down with an Admin password but would much rather explore other options first, if available. Has anyone else run into something like this and can offer possible solutions or suggestions?
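On the detection side of the question above (Python that was installed from Terminal or Homebrew and therefore never shows up in Jamf's app list), the "python3 --version" check can be turned into a Jamf Pro Extension Attribute so inventory collects it for you. The script below is an added example for this thread, not the original poster's script or anything shipped with Jamf. It assumes the candidate interpreter locations listed in candidate_paths are the ones you care about (Apple's Command Line Tools shim, Homebrew on Intel and Apple silicon, python.org framework builds, per-user pyenv shims; extend it for MacPorts, conda and so on), and that running "python3 --version" and "python3 -m pip list" as root at inventory time is acceptable in your environment. Symlinked installs are resolved so that, for example, Homebrew's /opt/homebrew/bin/python3 and its Cellar target are reported once.

```bash
#!/bin/bash
# Jamf Pro Extension Attribute: inventory python3 interpreters and the pip
# packages each one carries. Added example for this thread, not the original
# poster's script and not part of Jamf. Assumptions (not from the thread): the
# paths in candidate_paths cover your fleet, and probing each interpreter with
# --version / -m pip list as root at inventory time is acceptable.

# Locations a python3 can land in without appearing in Jamf's app list.
candidate_paths() {
    # Apple's /usr/bin/python3 is only real once Command Line Tools exist;
    # without them the stub pops an install dialog, so probe it only then.
    if xcode-select -p >/dev/null 2>&1; then
        echo /usr/bin/python3
    fi
    echo /usr/local/bin/python3     # Homebrew (Intel) or python.org symlink
    echo /opt/homebrew/bin/python3  # Homebrew (Apple silicon)
    # python.org installer framework builds, one per major.minor
    ls -d /Library/Frameworks/Python.framework/Versions/*/bin/python3 2>/dev/null || true
    # per-user pyenv shims
    for home in /Users/*; do
        [ -x "$home/.pyenv/shims/python3" ] && echo "$home/.pyenv/shims/python3"
    done
    return 0
}

# Follow symlinks (without relying on readlink -f, which older macOS lacks)
# so an interpreter reachable by several names is counted once.
resolve_path() {
    local p="$1" target n=0
    while [ -L "$p" ] && [ "$n" -lt 20 ]; do
        target=$(readlink "$p")
        case "$target" in
            /*) p="$target" ;;
            *)  p="$(dirname "$p")/$target" ;;
        esac
        n=$((n + 1))
    done
    printf '%s\n' "$p"
}

# First line of "python3 --version" (stdout on Python 3), or "unknown" if the
# interpreter prints nothing or will not run.
python_version() {
    local v
    v=$("$1" --version 2>/dev/null | head -n 1)
    printf '%s\n' "${v:-unknown}"
}

# Installed packages as space-separated "name==version"; empty if pip is absent.
# The env var stops pip from calling home to look for a newer pip.
python_packages() {
    PIP_DISABLE_PIP_VERSION_CHECK=1 "$1" -m pip list --format=freeze 2>/dev/null \
        | tr '\n' ' ' | sed 's/ $//'
}

# Read candidate paths on stdin, one per line; print "path (version): packages"
# for each distinct executable interpreter, skipping paths that do not exist.
inventory() {
    local p real seen=""
    while IFS= read -r p; do
        [ -x "$p" ] || continue
        real=$(resolve_path "$p")
        case "$seen" in *"|$real|"*) continue ;; esac
        seen="$seen|$real|"
        printf '%s (%s): %s\n' "$p" "$(python_version "$p")" "$(python_packages "$p")"
    done
}

# Jamf expects EA output inside <result> tags; "none" keeps the attribute
# searchable for machines with no stray interpreter.
report() {
    local body
    body=$(candidate_paths | inventory)
    printf '<result>%s</result>\n' "${body:-none}"
}

report
```

Paste it as a script-type Extension Attribute with a string data type; after the next inventory you can build a Smart Group on the attribute (for example "is not none") to see who has a Terminal-installed Python and what they have pulled in with pip. Keep in mind this is inventory, not enforcement: it tells you after the fact, and a user with admin rights can still install whatever they like.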
12-11-2024 02:09 PM - edited 12-12-2024 11:32 AM
@blee That's beyond the scope of Jamf Pro's built-in features. You'd need to look at an Endpoint Privilege Management (EPM) tool for that level of restriction. I won't provide a specific recommendation for an EPM tool, but searching this forum should turn up some results.
If controlling what processes are allowed to run is of interest, I would recommend you take a look at Google's Santa tool (https://github.com/google/santa), which offers much more flexibility than Jamf Pro's built-in Restricted Software feature.
Posted on 12-11-2024 05:11 PM
To more or less parrot @sdagley, this is well out of the scope of Jamf Pro. You need to look into permissions management, ideally removing admin access from your users and handling permission escalation with an EPM tool like CyberArk EPM.
Posted on 12-11-2024 10:01 PM
You can remove the admin rights for all the users and deploy a privilege management tool like Privileges or Elevate, which will give the user temporary admin rights for only a certain period, and you can list probable options or ask the user to enter why they need admin rights.
Posted on 12-12-2024 05:18 AM
The problem with any tool that grants temporary admin access is that admin access is admin access. If the user has the trigger, they still have admin access. If the user does not have the trigger, then a tech is providing the admin function. Tools like Privileges are just placebos for actual permissions management; they just make you think the situation is better.