Restricted Software

NaomiT
New Contributor

Hi,

I came across an issue with restricted software. I have noticed that I can only restrict software like (FaceTime, Messages, AppStore, & Email) for students when I also have the configuration profile set to only allow certain apps to run.

If I just have restricted software set and no configuration profile to restrict apps it will allow these apps to run. Is it supposed to work this way, where restricted software only works with configuration profile restrictions?

Any thoughts/suggestions are greatly appreciated.

14 REPLIES

sdagley
Esteemed Contributor II

Are you sure you scoped the restricted software correctly? If you don't specify target computers in the Scope of the Restricted Software Record it won't apply to anyone.

cpdecker
Contributor III

Hi @NaomiT ,

My understanding is that the JAMF binary running in the background is what monitors and kills processes restricted using Computers > Restricted Software tab. It should work independently from the configuration profile.

You may need to allow the binary to check in to receive the latest info about which Apps should be restricted, which should happen at the next device check-in (or perhaps the next device inventory event).

Try double-checking your scope to make sure the test computer does have the Restricted Software payload scoped (Computers tab > Search and choose test computer > Management tab > Restricted Software).

Then on the test computer try the following command via terminal:

sudo jamf recon; sudo jamf manage; sudo jamf policy

There are three separate commands on this line since I can't remember which one might be the relevant one, but I think it is the management command :)

After that, see if the App is successfully restricted. This is just speculation on my part--I can only provide the steps I would use to troubleshoot the issue myself :)

NaomiT
New Contributor

Hi @sdagley ,

Thanks. I checked that 3 restricted software apps are scoped out to one of my student test MacBook Pros and I was able to launch those apps. The student configuration profile restricting apps is not scoped out to this machine.

sdagley
Esteemed Contributor II

The list of apps to be restricted is stored in a file named .blacklist.xml in the /Library/Application Support/JAMF/ directory. It's updated when the client checks in, or you can force an update by doing a sudo jamf policy. I'd suggest looking for the existence of the .blacklist.xml file on one of your client machines after you'd configured a Restricted Software Record to make sure it's being applied as you expected.

mm2270
Legendary Contributor III

Have you run a sudo jamf manage command in Terminal on those Macs? Try that to see if the restriction comes down. It's possible they just haven't received the setting yet. It's not automatic once you click Save in the Restricted Software title.

NaomiT
New Contributor

Hi @cpdecker ,

Thank you. I checked that the test computer has the restricted software payload scoped. I also ran the sudo jamf manage command but the restricted apps still seem able to launch. I'm not sure what is causing the issue.

NaomiT
New Contributor

@sdagley I was able to access the application support folder but there was no JAMF subfolder available. I also ran the sudo jamf manage command earlier this morning. I'm not sure why it's not listed.

@mm2270 I ran the sudo jamf manage command earlier this morning but the restricted apps were still able to launch.

mm2270
Legendary Contributor III

@NaomiT Can you post any details on how the Restricted Software settings are set up? Maybe a screenshot? I'm wondering if something needs to be adjusted to get it to work.

Also, can you elaborate on what you mean by no JAMF folder under Application Support? Are you looking inside the root "Library" directory? It should be located at /Library/Application Support/JAMF. If you're not seeing that at all, there's a much larger issue going on. That folder should always be there under a Casper managed Mac.

cpdecker
Contributor III

Perhaps we are overlooking the obvious here.

Are you using the "Restrict exact process name" checkbox, and have you confirmed that the correct and precise name is being used?

For example, to restrict access to mail, we use the process name "Mail.app", without quotes, and we are restricting exact process name and also have the box checked to terminate the process when found.

Also wondering along with @mm2270, any chance you forgot to re-enroll your test machine with Casper after an image or something?

NaomiT
New Contributor

@mm2270 I've attached some screenshots of the restricted software.

On the test Mac I selected Option on the keyboard, then Go on the menu bar, selected Library, selected the Application Support folder, and I see other subfolders here but not the JAMF folder. I have attached a screenshot of this as well.

sdagley
Esteemed Contributor II

@NaomiT The Go menu takes you to the user's Library folder; you need to look in the Library folder on the root of the hard drive. Open a Terminal window and type cd "/Library/Application Support/JAMF" then do an ls -la to list all files in that directory, including invisible ones.

sdagley
Esteemed Contributor II

In addition, the App Store process name should be App Store.app

mm2270
Legendary Contributor III

@NaomiT I think the issue (actually 2 issues) is that you entered "AppStore.app" instead of just App Store.app. It's not meant that you literally add the double quotes around the name as you have. Second, go back to the Applications folder and look at the App Store name. There's a space between App and Store, which you also omitted. So two issues with how you've entered the process name are preventing it from working.

But outside that, double check the root /Library/Application Support/ folder for the JAMF directory as outlined above by @sdagley and others. I think you're looking in the user level "invisible" Library folder, not the root one. As long as your test Mac is enrolled properly, you'll find the JAMF directory there.
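The two checks discussed in this thread (the process name must match the bundle name exactly, and .blacklist.xml must exist in the root JAMF folder) can be scripted. This is an added example, not part of any post above and not Jamf's own code; the function names are hypothetical and the default applications folder of /Applications is an assumption that can be overridden with a second argument.

```shell
#!/bin/bash
# Added example (not Jamf code): lint a Restricted Software process name
# against the .app bundles actually present, and confirm the client has
# received a restricted software list.

# normalize NAME: drop double quotes and spaces, lowercase the rest
normalize() {
    printf '%s' "$1" | tr -d '" ' | tr '[:upper:]' '[:lower:]'
}

# check_process_name ENTERED [APPS_DIR]
# Returns 0 and prints "OK" when ENTERED is an exact bundle name.
# Otherwise prints what is wrong, suggests the closest bundle, returns 1.
check_process_name() {
    entered=$1
    apps_dir=${2:-/Applications}   # assumption: default app location
    if [ -d "$apps_dir/$entered" ]; then
        echo "OK: $entered"
        return 0
    fi
    case $entered in
        *\"*) echo "PROBLEM: literal double quotes in process name" ;;
    esac
    want=$(normalize "$entered")
    for bundle in "$apps_dir"/*.app; do
        [ -d "$bundle" ] || continue
        name=${bundle##*/}
        # Same name once quotes, spaces and case are ignored
        if [ "$(normalize "$name")" = "$want" ]; then
            echo "SUGGEST: $name"
            return 1
        fi
    done
    echo "NO MATCH: $entered not found in $apps_dir"
    return 1
}

# check_blacklist [JAMF_DIR]
# Returns 0 if the restricted software list exists on this client.
check_blacklist() {
    jamf_dir=${1:-/Library/Application Support/JAMF}
    [ -f "$jamf_dir/.blacklist.xml" ]
}
```

Source the file on the test Mac and run check_process_name with the exact text typed into the Process Name field, then check_blacklist after a check-in.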

NaomiT
New Contributor

Thank you @cpdecker , @mm2270 , and @sdagley ! I appreciate it. I made the corrections and verified 3 of the apps are blocked now. There is another issue with mail but I'll just re-image it and that should fix the issue.