Jamf Nation Community

We can't restrict them completely (if we could this would be easy). They need USB flash drive access for file saving and retrieval.

Have you tested using the Restricted Software piece of JAMF? If you run an app from a flash drive, it would still create a process and JAMF should still be able to detect it and kill it.

The only way to do this is to use the Allow Apps restriction settings in a Config Profile under the "Restrictions" payload (this was done via MCX in the old days)

Go into Config Profiles, click the Restrictions payload, then click Applications, and then check the Restrict which apps are allowed to launch checkbox and you can add in folders to allow launch from, such as /Applications/, /Users/, etc. If /Volumes/ is not included, any apps that are in a /Volumes/ path, like from a mounted USB drive, won't be allowed to run.

Be forewarned though, these settings can be very tricky to get right, and you may find yourself playing a game of whack-a-mole as you need to keep adding in whitelisted paths to allow application "helpers" and such to run without restrictions. For example, you might have to add in paths like /Library/Application Support/ among others.

mm2270,

I tried doing the same thing in Profile Manager before JAMF and it was a nightmare to keep updated with all the CC helpers. Was hoping someone here found an easier solution.

Thanks for the response though!

@sanaumann

Would love to use the restricted software area in JAMF, but there are hundreds of thousands of games. I can't add them to the restricted software area until a student runs one.

@RobertBasil Not a JAMF product, but...

Endpoint Protector

@RobertHammen

I looked at that, but it does not allow read/write access to USB drives while blocking only execute.