Restricted execution of apps on USB flash drives?

RobertBasil
Contributor

Is there a way to restrict app execution on any flash drive connected to the computer? We can't restrict execution by volume name as all the flash drives have different names.

8 REPLIES

sanaumann
New Contributor III

Are you wanting to restrict external flash drives completely or only certain apps on the drives?

RobertBasil
Contributor

We can't restrict them completely (if we could, this would be easy). They need USB flash drive access for file saving and retrieval.

sanaumann
New Contributor III

Have you tested using the Restricted Software piece of JAMF? If you run an app from a flash drive, it would still create a process and JAMF should still be able to detect it and kill it.

mm2270
Legendary Contributor III

The only way to do this is to use the Allow Apps restriction settings in a Config Profile under the "Restrictions" payload (this was done via MCX in the old days).

Go into Config Profiles, click the Restrictions payload, then click Applications, and then check the "Restrict which apps are allowed to launch" checkbox, and you can add in folders to allow launch from, such as /Applications/, /Users/, etc. If /Volumes/ is not included, any apps that are in a /Volumes/ path, like from a mounted USB drive, won't be allowed to run.

Be forewarned though, these settings can be very tricky to get right, and you may find yourself playing a game of whack-a-mole as you need to keep adding in whitelisted paths to allow application "helpers" and such to run without restrictions. For example, you might have to add in paths like /Library/Application Support/ among others.
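The folder-based matching described in the post above, as an added example that is not part of the original thread and is not Apple's or Jamf's code: a small Python model of a folder allowlist, run over constructed sample paths. The folder set, the function names and the sample paths are assumptions for illustration.

```python
import posixpath

# Folder allowlist as in the post above; the exact folder set is an assumption.
ALLOWED_FOLDERS = ["/Applications/", "/Users/"]


def is_launch_allowed(exe_path, allowed_folders=ALLOWED_FOLDERS):
    """Return True if exe_path lies inside one of the allowed folders."""
    # Collapse "." and ".." first so a path is judged by where it points,
    # not by how it is spelled.
    path = posixpath.normpath(exe_path)
    for folder in allowed_folders:
        root = posixpath.normpath(folder)
        # Compare on a component boundary: "/Applications" must not
        # match "/ApplicationsOld/Tool.app".
        if path == root or path.startswith(root + "/"):
            return True
    return False


def audit(paths, allowed_folders=ALLOWED_FOLDERS):
    """Split paths into (allowed, blocked) lists, preserving order."""
    allowed, blocked = [], []
    for p in paths:
        (allowed if is_launch_allowed(p, allowed_folders) else blocked).append(p)
    return allowed, blocked


# Constructed sample paths, not taken from a real machine.
SAMPLE_PATHS = [
    "/Applications/Safari.app/Contents/MacOS/Safari",
    "/Volumes/UNTITLED/Game.app/Contents/MacOS/Game",
    "/Applications/../Volumes/UNTITLED/Game.app/Contents/MacOS/Game",
    "/Library/Application Support/Vendor/Helper.app/Contents/MacOS/Helper",
]

if __name__ == "__main__":
    # The second pass shows the "whack-a-mole" step: a helper stays blocked
    # until its folder is added to the allowlist.
    for label, folders in (
        ("initial allowlist", ALLOWED_FOLDERS),
        ("after adding helper folder",
         ALLOWED_FOLDERS + ["/Library/Application Support/"]),
    ):
        allowed, blocked = audit(SAMPLE_PATHS, folders)
        print(label)
        for p in blocked:
            print("  blocked:", p)
```

This models only string matching on paths; it does not resolve symlinks and says nothing about how macOS enforces the profile.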

RobertBasil
Contributor

mm2270,

I tried doing the same thing in Profile Manager before JAMF and it was a nightmare to keep updated with all the CC helpers. Was hoping someone here found an easier solution.

Thanks for the response though!

RobertBasil
Contributor

@sanaumann

Would love to use the restricted software area in JAMF, but there are hundreds of thousands of games. I can't add them to the restricted software area until a student runs one.

RobertHammen
Valued Contributor II

@RobertBasil Not a JAMF product, but...

Endpoint Protector

RobertBasil
Contributor

@RobertHammen

I looked at that, but it does not allow read/write access to USB drives while blocking only execute.