We want to be able to restrict software on user accounts to be used for exams. So for example we don't want them to access web browsers (Safari/Chrome/etc.) or email clients (Mail/Outlook). But we don't want to disable these for everyone on a particular Mac, just the specific group of exam users.
The Restricted Software section of the JSS seems to have the right sort of tools for us to do this but it can only be scoped to computers, not users? And the Restrictions section of Configuration Profiles only has an "Allowed Apps" section, not a "Denied Apps" section. The users will be using peripherals such as graphics tablets, scanners and cameras, which have any number of different background processes etcetera we would have to allow if we were to try and set up an "Allowed Apps" section, so a "Denied Apps" list would be better.
How can we accomplish this?
Dan Jackson (Lead ITServices Technician)
Long Road Sixth Form College
Restricted Software cannot be scoped to LDAP user groups from what I recall. There's a long feature request for it. https://jamfnation.jamfsoftware.com/featureRequest.html?id=184
Disclaimer: I have not tested the below so test test test.
What if you took a configuration profile using the Restrictions payload:
Click Applications tab
Check "Restrict which apps are allowed to launch"
Scroll down and fill out the "Disallow Folders" section with the full path to the app (e.g. /Application/Mail.app).
Note: This won't stop them though if they launch the app from another location. For example, they could download Chrome to their downloads folder and it would still launch if that were the case since it's not in /Applications/Google Chrome.app.
The exam accounts would be separate from normal student accounts so they would have no opportunity to download Chrome or Firefox into the user Applications area, so it's just the system versions that we'd need to worry about.
I will try your suggestion regarding the "Disallow Folders" setting.
@bpavlov Unfortunately your suggestion was not successful.
I created a configuration profile with the Restrictions payload, selected for it to be a User Level profile, added /Applications/Google Chrome.app in the "Disallow Folders" section. I scoped it to All Users but applied a Limitation to the Active Directory group Examinees. I then logged on to a Mac with a member of Examinees but was still able to launch Google Chrome.
I'm going to try using Parental Controls to restrict access to websites with a blank access list; this will still allow them to launch web browsers but they should not then be able to get anywhere with them.
Unfortunately applying Parental Controls via a Configuration Profile seems to be different than applying Parental Controls manually through System Preferences - app restrictions (on all apps) are enabled, with no way to turn them off or add exceptions.
Is it possible to write a script that runs at logon when a member of Examinees logs on that just carries on running in the background and kills Google Chrome or Safari if it finds them in the running processes?