Restrict to only allow to open and run things out of Applications folder



I am on Casper 9 and this has always not worked correctly, I created a configuration profile to only run things out of applications looks like this.

external image link

The problem I have is a pop up that comes up like ksadmin blocked or google software updater am I missing something?


Valued Contributor

I fought this one for a long time. Here's what I learned before giving up (soft of):

ksadmin is "keystone admin" which is part of Google's autoupdating mechanism. If their software followed some kind of normal authoring process, we'd just be able to whitelist its location and add it to the allowed path(s), as you've started to do in your screenshot above. However, Google's engineers have decided to write their software so that ksadin spawns in a randomly-named folder in /tmp. Because it's a randomly-generated folder name, you can't provide an absolute path to the ksadmin instance. It's different, literally every single time.

Right, so I can just white-list /tmp then, right? You can try, but every time I've tried this, it hasn't worked for me.

In the end, I decided that it'd just be easier to tell GoogleUpdater to not check for updates every 15 minutes, as this check is what is triggering the admin password prompt. You can use the defaults write command to change this value:

defaults write checkInterval 604800

Where "604800" is the number of seconds in a week, so this will tell it to check every 7 days intend of every 15 min.

Valued Contributor III

Do you know if you set this to 0 will it disable update checking?

Gabe Shackney
Princeton Public Schools

Gabe Shackney
Princeton Public Schools

Valued Contributor

Yes, setting it to 0 will disable the updater from checking.


For our own internal reasons, we didn't want to completely disable checking.