Is there a way to restrict app execution on any flash drive connected to the computer? We can't restrict execution by volume name as all the flash drives have different names.
Question
Restricted execution of apps on USB flash drives?
+7+7We can't restrict them completely (if we could this would be easy). They need USB flash drive access for file saving and retrieval.
+8Have you tested using the Restricted Software piece of JAMF? If you run an app from a flash drive, it would still create a process and JAMF should still be able to detect it and kill it.
+24The only way to do this is to use the Allow Apps restriction settings in a Config Profile under the "Restrictions" payload (this was done via MCX in the old days)
Go into Config Profiles, click the Restrictions payload, then click Applications, and then check the Restrict which apps are allowed to launch checkbox and you can add in folders to allow launch from, such as /Applications/, /Users/, etc. If /Volumes/ is not included, any apps that are in a /Volumes/ path, like from a mounted USB drive, won't be allowed to run.
Be forewarned though, these settings can be very tricky to get right, and you may find yourself playing a game of whack-a-mole as you need to keep adding in whitelisted paths to allow application "helpers" and such to run without restrictions. For example, you might have to add in paths like /Library/Application Support/ among others.
+7mm2270,
I tried doing the same thing in Profile Manager before JAMF and it was a nightmare to keep updated with all the CC helpers. Was hoping someone here found an easier solution.
Thanks for the response though!
+7Would love to use the restricted software area in JAMF, but there are hundreds of thousands of games. I can't add them to the restricted software area until a student runs one.
+7I looked at that, but it does not allow read/write access to USB drives while blocking only execute.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.