Posted on 10-19-2016 12:59 PM
Hi,
I came across an issue with restricted software. I have noticed that I can only restrict software like (FaceTime, Messages, AppStore, & Email) for students when I also have the configuration profile set to only allow certain apps to run.
If I just have restricted software set and no configuration profile to restrict apps it will allow these apps to run. Is it supposed to work this way, where restricted software only works with configuration profile restrictions?
Any thoughts/suggestions are greatly appreciated.
Posted on 10-19-2016 01:09 PM
Are you sure you scoped the restricted software correctly? If you don't specify target computers in the Scope of the Restricted Software Record it won't apply to anyone.
Posted on 10-19-2016 01:12 PM
Hi @NaomiT ,
My understanding is that the JAMF binary running in the background is what monitors and kills processes restricted using Computers > Restricted Software tab. It should work independently from the configuration profile.
You may need to allow the binary to check in to receive the latest info about which Apps should be restricted, which should happen at the next device check-in (or perhaps the next device inventory event).
Try double-checking your scope to make sure the test computer does have the Restricted Software payload scoped (Computers tab > Search and choose test computer > Management tab > Restricted Software).
Then on the test computer try the following command via terminal:
sudo jamf recon; sudo jamf management; sudo jamf policy
There are three separate commands on this line since I can't remember which one might be the relevant one, but I think it is the management command :)
After that, see if the App is successfully restricted. This is just speculation on my part--I can only provide the steps I would use to troubleshoot the issue myself :)
Posted on 10-20-2016 07:22 AM
Hi @sdagley ,
Thanks. I checked that the 3 restricted software apps are scoped out to one of my student test MacBook Pros, and I was able to launch those apps. The student configuration profile restricting apps is not scoped out to this machine.
Posted on 10-20-2016 07:32 AM
The list of apps to be restricted is stored in a file named .blacklist.xml in the /Library/Application Support/JAMF/ directory. It's updated when the client checks in, or you can force an update by doing a sudo jamf policy. I'd suggest looking for the existence of the .blacklist.xml file on one of your client machines after you'd configured a Restricted Software Record to make sure it's being applied as you expected.
Posted on 10-20-2016 07:34 AM
Have you run a sudo jamf manage command in Terminal on those Macs? Try that to see if the restriction comes down. It's possible they just haven't received the setting yet. It's not automatic once you click Save in the Restricted Software title.
Posted on 10-20-2016 07:55 AM
Hi @cpdecker ,
Thank you. I checked that the test computer has the restricted software payload scoped. I also ran the sudo jamf manage command but the restricted apps seem to still be able to launch. I'm not sure what is causing the issue.
Posted on 10-20-2016 08:54 AM
@sdagley I was able to access the application support folder but there was no JAMF subfolder available. I also ran the sudo jamf manage command earlier this morning. I'm not sure why it's not listed.
@mm2270 I ran the sudo jamf manage command earlier this morning but the restricted apps were still able to launch.
Posted on 10-20-2016 09:01 AM
@NaomiT Can you post any details on how the Restricted Software settings are set up? Maybe a screenshot? I'm wondering if something needs to be adjusted to get it to work.
Also, can you elaborate on what you mean by no JAMF folder under Application Support? Are you looking inside the root "Library" directory? It should be located at /Library/Application Support/JAMF.
If you're not seeing that at all, there's a much larger issue going on. That folder should always be there under a Casper managed Mac.
Posted on 10-20-2016 10:23 AM
Perhaps we are overlooking the obvious here.
Are you using the "Restrict exact process name" checkbox, and have you confirmed that the correct and precise name is being used?
For example, to restrict access to mail, we use the process name "Mail.app", without quotes, and we are restricting exact process name and also have the box checked to terminate the process when found.
Also wondering along with @mm2270, any chance you forgot to re-enroll your test machine with Casper after an image or something?
Posted on 10-20-2016 10:51 AM
@mm2270 I've attached some screen shots of the restricted software.
On the test Mac I selected Option on the keyboard, then Go on the menu bar, selected Library, selected the Application Support folder, and I see other subfolders here but not the JAMF folder. I have attached a screenshot of this as well.
Posted on 10-20-2016 10:57 AM
@NaomiT The Go menu takes you to the user's Library folder; you need to look in the Library folder on the root of the hard drive. Open a Terminal window and type cd "/Library/Application Support/JAMF" then do an ls -la to list all files in that directory, including invisible ones.
Posted on 10-20-2016 11:00 AM
In addition, the App Store process name should be App Store.app
Posted on 10-20-2016 11:05 AM
@NaomiT I think the issue (actually 2 issues) is that you entered "AppStore.app" instead of just App Store.app. It's not meant that you literally add the double quotes around the name as you have. Second, go back to the Applications folder and look at the App Store name. There's a space between App and Store, which you also omitted. So two issues with how you've entered the process name are preventing it from working.
But outside that, double check the root /Library/Application Support/ folder for the JAMF directory as outlined above by @sdagley and others. I think you're looking in the user level "invisible" Library folder, not the root one. As long as your test Mac is enrolled properly, you'll find the JAMF directory there.
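Added example (not part of any post in this thread, and not Jamf's own tooling): a shell function that runs the checks suggested above in one pass, covering literal quotes in the name, a missing space compared with the bundle in /Applications, the root-level JAMF directory, and the .blacklist.xml file. The function names, the OK/FAIL/HINT output and the script file name are hypothetical, and it assumes the restricted name appears verbatim in .blacklist.xml, since the thread does not show that file's layout.

```shell
#!/bin/bash
# Added example: check why a Restricted Software name is not taking effect.
# usage: diagnose NAME [JAMF_DIR] [APPS_DIR]   (defaults are the thread's paths)
# Prints OK/FAIL/HINT lines; returns 0 only when every check passes.

nospace() { printf '%s' "$1" | tr -d ' '; }

diagnose() {
    local name jamf_dir apps_dir list rc app base
    name=$1
    jamf_dir="${2:-/Library/Application Support/JAMF}"
    apps_dir="${3:-/Applications}"
    list="$jamf_dir/.blacklist.xml"
    rc=0

    # 1. Literal double quotes typed into the process-name field.
    case $name in
        *\"*) echo "FAIL name contains literal quotes: $name"; rc=1
              name=$(printf '%s' "$name" | tr -d '"') ;;
    esac

    # 2. The name must match the bundle name exactly, spaces included.
    if [ -e "$apps_dir/$name" ]; then
        echo "OK   '$name' exists in $apps_dir"
    else
        echo "FAIL no bundle named '$name' in $apps_dir"; rc=1
        for app in "$apps_dir"/*.app; do
            base=${app##*/}
            # Same name once spaces are ignored: probably a missing space.
            if [ -e "$app" ] && [ "$(nospace "$base")" = "$(nospace "$name")" ]; then
                echo "HINT did you mean '$base'?"
            fi
        done
    fi

    # 3. Root-level JAMF directory and the hidden restriction list.
    if [ ! -d "$jamf_dir" ]; then
        echo "FAIL $jamf_dir missing; is this Mac enrolled?"; rc=1
    elif [ ! -f "$list" ]; then
        echo "FAIL $list missing; try: sudo jamf policy"; rc=1
    elif grep -qF -- "$name" "$list"; then
        # Assumption: the restricted name appears verbatim in the file.
        echo "OK   '$name' is in $list"
    else
        echo "FAIL '$name' is not in $list"; rc=1
    fi
    return "$rc"
}

# Run directly: ./check.sh "App Store.app"  (file name is hypothetical)
if [ "$#" -gt 0 ]; then diagnose "$@"; fi
```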
Posted on 10-21-2016 05:33 AM