Posted on 05-22-2024 05:38 AM
We would like to restrict our admin user from installing any applications via installer files (pkg or dmg) on their Mac. There is a functionality in the configuration profile under Restrictions that allows us to check "Restrict the App Store," but this only prevents users from opening the App Store. They can still download package files from the web and install them. Is there any way to restrict admin users through a script or configuration profile?
Posted on 05-22-2024 06:03 AM
Not directly. You could look at other software, such as Google Santa to restrict certain actions.
I guess the question is why leave the user as an admin if you don't want to them to install software. Why not demote them to a standard user. if there is something they need admin ability for you, there are several options. You could use a simple "Make me an Admin" script in Self Service, use a tool like Privileges or Jamf Connect for temporary privilege escalation, or a dedicated EPM tool that allows for very granular escalation.
Posted on 05-22-2024 06:05 AM
Local admins can do anything including installing software. That’s what the privilege of being an admin allows.
If you want to restrict this privilege, you should change this user a standard user.
Posted on 05-22-2024 08:22 AM
As you ask? No. Admins have admin rights.
You could demote all users to standard after enrollment and then add either a 'Make me admin'-like profile/app with approval of each time limited request, or add a hidden admin with a static, yet computer specific password.
Posted on 05-22-2024 02:37 PM
Not meaning to pile on here, but what others above have stated is correct. You can't restrict a local admin from doing admin-y things, because that's what being an admin gives them. You can lock some things down in the UI using profiles that even an admin can't override, but installing software is not one of those things.
I suppose you could block the Installer.app in the OS (/System/Library/CoreServices/Installer.app) using a Restricted Software title, but they could still use the command line "installer" to install software if they are determined and savvy. And that wouldn't help at all in the case of drag and drop installs, like many browsers and simple apps for example. No, the only foolproof thing to do is demote them to standard users.
I know the latter is sometimes difficult to roll out in environments that started with no device management and you are trying to get your arms around a wild west type situation, and I'm only taking a guess that might be your case (sorry if that's wrong), but keep in mind that you can heavily leverage Self Service policies to give the end users some level of control to do some admin like tasks without them being admins all the time. It can be a nice compromise between no control and total control. Or like mentioned, use one of the many make me an admin style workflows out there.
Good luck.
Posted on 05-30-2024 04:56 PM
You cannot restrict admins from doing admin things as others have said. You really don't want your users to have admin access, and need to evaluate why your users need admin access. If it's for things like mapping printers, or messing with networks, those rights can be given to non-admin users. If users must have elevated access, look in to permissions management tools like Cyberark EPM to handle the permissions management (which can block an admin from doing things like running a .pgk).