Restricted Software - Application blocking via ProcessName

jmariani
Contributor

Hi Everyone,

I am looking to test blocking some software via jamf and the restricted software section.

Considering one can simply change the Application name (thus changing the process name) and bypass the restriction... has anyone found a better solution to this?

The wildcard does not really apply, since one can change the name to something entirely different from the original name.

Looking forward to hearing what the community has come up with :)


mm2270
Legendary Contributor III

Use the actual process name and not the application name. So for example, if the application in question is named "My Great App.app", you can find the process name either by running the app and then using the Terminal to list running processes - ps axwww for example, and locating the name there. Or you can usually use Activity Monitor and find the running process.
Finally, in many cases the process name is the same as the executable located inside the app bundle's MacOS directory. I would probably use one of the first 2 methods above as they are usually safer than the last one.

Once you know the process name (say, for our made-up app above, it is just mygreatapp), you enter that into the Restricted Software title. No .app or any other extension should be included. Jamf will see the app running even if the user changes "My Great App.app" to "Foo.app". The process name will not be changed, and it actually can't be changed short of getting the code, refactoring it and compiling it under a different name, which I'm guessing would be out of reach for almost everyone.

The above is the way I've been using Restricted Software in Jamf for years now and it hasn't let me down. That said, there is one item you should be aware of. If you use the Delete function in Restricted Software, it's not going to delete the entire app bundle this way. It will only delete the process, usually again the executable in the MacOS directory of the app bundle. But this effectively prevents the application from running again, since it's dead without its main executable.
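As an added illustration of the point in the reply above (example code, not from the thread or from Jamf): the script builds a fake "My Great App.app" bundle, renames it to "Foo.app", and shows that the CFBundleExecutable name (the process name Restricted Software matches) is unchanged, then does an exact-name match over constructed ps-style output so that similarly named helpers and daemons are not caught by accident. The bundle, its Info.plist and the process lines are all constructed; "My Great App" and "mygreatapp" are the thread's hypothetical names.

```shell
# Added example, not from the original thread: the name Restricted Software
# matches (CFBundleExecutable, the binary in Contents/MacOS) survives renaming
# the .app bundle. Bundle, Info.plist and ps lines below are all constructed;
# "My Great App" / "mygreatapp" are the thread's hypothetical app.

# Print CFBundleExecutable from a bundle's Info.plist: the process name to
# enter in Restricted Software (no ".app"). Value is on the line after the key.
bundle_executable_name() {
    awk '/<key>CFBundleExecutable<\/key>/ { getline
        sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit }' \
        "$1/Contents/Info.plist"
}

# Read "PID /path/to/command" lines (shape of `ps ax -o pid=,comm=`) on stdin;
# print PIDs whose executable basename equals NAME exactly. A substring match
# would also hit helpers and daemons with similar names.
pids_running_process() {
    awk -v want="$1" '{ c = $2; sub(/.*\//, "", c); if (c == want) print $1 }'
}

# Build a minimal fake bundle DIR/NAME.app whose executable is called EXEC.
make_demo_bundle() {  # usage: make_demo_bundle DIR NAME EXEC
    mkdir -p "$1/$2.app/Contents/MacOS"
    printf '#!/bin/sh\nsleep 60\n' > "$1/$2.app/Contents/MacOS/$3"
    printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>' \
        '<plist version="1.0"><dict>' '<key>CFBundleName</key>' "<string>$2</string>" \
        '<key>CFBundleExecutable</key>' "<string>$3</string>" '</dict></plist>' \
        > "$1/$2.app/Contents/Info.plist"
}

# Constructed process list: the renamed bundle's real executable, a helper
# with a similar name, and an unrelated daemon.
sample_ps_output() {
    printf '%s\n' '412 /Applications/Foo.app/Contents/MacOS/mygreatapp' \
        '517 /Applications/Foo.app/Contents/MacOS/mygreatapp-helper' \
        '603 /usr/libexec/mygreatappd'
}

# The user renames "My Great App.app" to "Foo.app"; the executable name in
# Info.plist, and so the process name Jamf sees, does not change.
demo_renamed_bundle() {
    root=$(mktemp -d)
    make_demo_bundle "$root" "My Great App" mygreatapp
    mv "$root/My Great App.app" "$root/Foo.app"
    bundle_executable_name "$root/Foo.app"   # -> mygreatapp
    rm -rf "$root"
}

demo_renamed_bundle
sample_ps_output | pids_running_process mygreatapp   # -> 412
```

On a real Mac the same two functions apply to an actual bundle path and to `ps ax -o pid=,comm=` output; the point is that the name you enter is the executable's, never the bundle's.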