Restricted software by user group?

DanJ_LRSFC
Contributor III

The Jamf Pro online manual at https://docs.jamf.com/10.6.0/jamf-pro/administrator-guide/Restricted_Software.html seems to imply that the Restricted Software function can be scoped to operate on specific user groups. However, I don't see that functionality in actual fact; it only seems to allow scoping to computers or computer groups.

How can we restrict software based on a user group? For example, in an Art or Photography examination, access to the Internet should not be permitted, so we want to prevent users opening Safari or Google Chrome. But all other users using those computers should be allowed to access those applications.

Thanks,
Dan Jackson (Senior ITServices Technician).

6 REPLIES

PaulHazelden
Valued Contributor

Could you build a smart group, based on a collection of usernames, and apply the restriction to that? I know it's not ideal, but would work.

I only get the ability to provide an exclusion to an LDAP/Local username, in Restricted Software. Jamf 10.8

DanJ_LRSFC
Contributor III

@PaulHazelden the scope in Restricted Software doesn't even offer the ability to select user groups, only computer groups. I can also see the ability to exclude LDAP usernames but we have a couple of thousand students so it really isn't practical to enter all their usernames in that box.

larry_barrett
Valued Contributor

This isn't really how I'd use restricted software (at all). If you are changing permissions for testing purposes you'd be better served with a Configuration Profile and use the Restrictions payload (which can be scoped to groups). You can restrict applications in Restrictions - Preferences - Restrict which apps are allowed to launch - Allow Apps - Fill in the apps you want them to use.

Be really careful with Configuration Profiles. Make sure it's as easy to remove them as it was to put it on. :)

Test, Test, Test!

DanJ_LRSFC
Contributor III

@larry_barrett I need the opposite of that though, I just need to be able to block specific apps from running if the user is a member of a specific group. It looks like the configuration profile can only whitelist apps?

Redshirt26
New Contributor III

I am having the same issue as @DanJ_LRSFC

We have a couple of local user names on our Macs, so I have been able to exclude/include these.

However, like Dan, we have a lot of students that will be using the Macs. Fortunately for us, all their user names begin with an S. So I tried entering the wildcard symbol to see if that would work; s* (didn't work) s% (didn't work)

So just wondering whether using a wildcard actually works in the LDAP/Local Users?

UPDATE: I have been in talks with JAMF support and had the following response:

'Unfortunately, we would have to provide the exact username, that probably would be frustrating. However, as far as I am aware, it may be possible to achieve by creating a Launch Daemon which would verify the user's unique id'

I'm not the best at scripting, but during my search I came across this http://www.theinstructional.com/guides/gatekeeper-fundamentals-part-2

Unfortunately this did not work for me, it might for others. I will continue to see if there is a way. Please let me know if anyone else comes up with a solution.

UPDATE 2: My colleague came across this link: https://derflounder.wordpress.com/2017/05/20/application-blacklisting-using-management-profiles/

We edited the script to block Safari, Chrome, and Firefox. Creating the config profile as mentioned by @larry_barrett, we added a limitation to target the user account we wanted to restrict.

When we implemented it and logged into the account the profile had done what we had asked it to do, all three browsers were blocked from running. We then logged in with another account to check that the browsers were launching fine (which they were).

However, logging back into the restricted account we found that for some reason the config profile (even though it was still showing in the profiles) had stopped implementing the browser restriction. Not sure why.

I also believe that if the user was to move the application out of the application folder then they would still be able to open it even if the config profile was working.

We're getting close I can feel it :)
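
The Launch Daemon approach mentioned in the support reply above (check who is logged in, then act), shown as an added example that is not from this thread, from Jamf, or from the linked posts. It assumes a root LaunchDaemon runs the script on an interval with `--enforce`; the group name `exam-candidates`, the `--enforce` flag and the log tag are hypothetical, and matching is on the executable name so a browser copied out of /Applications is still matched.

```shell
#!/bin/sh
# Added example: stop browsers while a member of the exam group is logged in.
# Assumption: run as root by a LaunchDaemon on a short StartInterval.
RESTRICTED_GROUP="exam-candidates"   # hypothetical directory group name

# True if the executable's file name is one of the blocked browsers,
# wherever the .app bundle currently lives on disk.
is_blocked() {
    case "${1##*/}" in
        Safari|"Google Chrome"|firefox) return 0 ;;
        *) return 1 ;;
    esac
}

# True if user $1 is a member of group $2.
in_group() {
    if command -v dseditgroup >/dev/null 2>&1; then
        # macOS: resolves local and directory (LDAP/AD) groups
        dseditgroup -o checkmember -m "$1" "$2" 2>/dev/null | grep -q '^yes'
    else
        # Fallback for other Unix systems (group names without spaces)
        id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -qxF -- "$2"
    fi
}

# The owner of /dev/console is the user of the macOS GUI session.
console_user() {
    stat -f%Su /dev/console
}

enforce() {
    user=$(console_user) || return 1
    in_group "$user" "$RESTRICTED_GROUP" || return 0   # not an exam user
    # pid= and comm= suppress the header; read puts the rest of the line,
    # spaces included, into $exe (on macOS comm is the executable path).
    ps -U "$user" -o pid= -o comm= | while read -r pid exe; do
        if is_blocked "$exe"; then
            kill "$pid" && logger -t exam-block "stopped $exe ($pid) for $user"
        fi
    done
}

if [ "${1:-}" = "--enforce" ]; then
    enforce
fi
```

Because membership is looked up at run time, no list of individual usernames has to be maintained; users outside the group are never touched.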

yasuke77
New Contributor

Hi @Redshirt26 thanks for the above links, they were helpful. However, I'm not sure how to add the script described in "UPDATE 2" to the Configuration Profile. Would appreciate it if you would elaborate on how you used that script and a Configuration Profile together?