Restricted apps running on the desktop

TBenolkin
New Contributor II

Might be a quick easy fix, but hoping someone can help.

I work at a school and manage 800+ computers (2013 MacBook Air)

after adding game emulators, web browsers, and non-apple developer applications to the restricted software list, I'm finding students have been running things in the downloads/desktop folders.
Has anyone else seen this and found a fix?
Any help would be great,
Thank you.

1 ACCEPTED SOLUTION

mm2270
Legendary Contributor II

Look into something called folder whitelisting and blacklisting, which lets you set up locations apps can run from, meaning only from /Applications and /Applications/Utilities/ for example, and maybe a few other system level directories. Since I assume your students don't have admin access, they won't be able to add applications into the allowed folder locations. Anything from a restricted path, like /Users/ will not launch.

It can be done in Managed Preferences (look under com.apple.applicationaccess.new) and I'm pretty sure with Configuration Profiles as well, under the Restrictions payload.

View solution in original post

10 REPLIES 10

mm2270
Legendary Contributor II

Look into something called folder whitelisting and blacklisting, which lets you set up locations apps can run from, meaning only from /Applications and /Applications/Utilities/ for example, and maybe a few other system level directories. Since I assume your students don't have admin access, they won't be able to add applications into the allowed folder locations. Anything from a restricted path, like /Users/ will not launch.

It can be done in Managed Preferences (look under com.apple.applicationaccess.new) and I'm pretty sure with Configuration Profiles as well, under the Restrictions payload.

TBenolkin
New Contributor II

Thanks, I have set it up to only whitelist the applications folder. Hopefully this is the answer, I will know on monday.

damienbarrett
Valued Contributor

We also do this for our non-admin users, but I ran into a problem where the Google Software Updater mechanism (ksfetch) was prompting for admin access to run every 15 minutes. Because Google's programmers have decided to load a new ksfetch process into a randomly-generated folder in /tmp *every single time* it spawns, there is no way to whitelist the path for the application (ksfetch) to run. So your non-admin users are continually harassed.

Seeing no way to whitelist this, the best solution I could come up with was to set the Google Software Updater to run once every 7 days instead of once every 15 minutes. The non-admin user will still get the pop-up once every 7 days (and also once at login), but it's far less annoying than once very 15 min.

defaults write com.google.Keystone.Agent checkInterval 604800

Use the command above in the Advanced section of a policy to change the frequency setting or Google Software Update check.

jimlee
New Contributor III

Is this something new for ksfetch? I've been able to whitelist this in the past.

mm2270
Legendary Contributor II

@damienbarrett][/url, couldn't you just whitelist all of /tmp/? Not sure if that would work since its a transient kind of location, but maybe? I guess it could lead to a situation where if a student copied something to tmp, they could then run the application from there, but what are the odds of that? I'm asking honestly since I don't work in edu. The little rascals may be cleverer than I imagine. :)

Short of that, I'd consider just disabling ksfetch altogether, or setting the check interval to some really long time span. If programmers are gonna be stupid like that, they don't deserve to run on our Macs. I'd just deal with manually updating their apps instead.

@TBenolkin][/url One thing I didn't mention was that to get that process to work you actually have to set up all 3 MCXs, assuming that's what you're doing and not a Config Profile. The Folder whitelist, Folder blacklist and the general Restrict Applications ones all have to be set, or it may not work properly. It actually mentions that in the description field for any of them, so maybe you already saw that.

damienbarrett
Valued Contributor

@mm2270, whitelisting all of /tmp was the very first thing I tried once I learned what ksfetch was doing. But it didn't work and I don't know why.

I've set the updater to run once every 7 days, which is an acceptable amount of annoyance for my non-admin users. If anyone really starts to complain, I'll build a Self Service tool they can click to "disable" Google Software Update by setting it ti update once/year (that's lot of seconds). But I don't think that'll be the case; just a contingency plan.

mm2270
Legendary Contributor II

Yeah, I hear you.
In thinking about the ksfetch process, I changed my mind a bit. My guess is Google did this for security reasons. Randomizing the location the updater check runs from would make it pretty much impossible for any malware to try to intercept it, and possibly inject some code into Chrome or other apps. So it kind of makes sense.
Its odd that whitelisting /tmp didn't work, but it could be because of the nature of the kind of directory /tmp is.

GSquared
New Contributor II

+1 to the ksfetch nonsense.

Whitelisted /tmp/ and still getting reports of it. Was trying to not use the updater seconds change, but it looks like it is necessary. Too many complaints about it.

freezig
New Contributor

I distribute Restriction Profiles that restrict apps and add "Disallow Folders" (all user directories not including ~/Library).

To make this work in our environment and limit error messages, I specifically set the "Allow Folders" to include every Application and /Library, /System/Library and ~/Library. We use Mobile Users, set ksfetch to one month and normally I install Apps in /Library/Application Support because I am too lazy to install a new profile with new app installs.

Obviously there are holes in this method, such as students could move the downloaded application to ~/Library and run it from there, but it works well to keep most students from running random apps from their desktop.

donmontalvo
Esteemed Contributor II

It would be nice if the restrict process feature worked. this way is doesn't matter where the app launches from. :)

--
https://donmontalvo.com