Restricted Software

dstranathan
Valued Contributor II

"IT Software police - Stop!"

OK, I have configured Restricted Software on my JSS for two offenders:

-Install OS X El Capitan.app
-Boot Camp Assistant.app

I am testing a Mac client with both apps installed. Nothing is happening. Crickets.

Now what?

Do I need to tie the Restrictions to a Policy or Smart Group? Seems like I'm missing a step here...


kitzy
Contributor III

How soon after setting up the Restricted Software object are you testing on a managed machine? The settings won't come down until the machine checks in next, which depending on your settings could be up to an hour.

Try running

sudo jamf manage

on the machine before testing, and post your results.

Matt_Sim
New Contributor II

You do need to scope the restriction to the users you wish for it to apply to.

I restrict 'Install OS X El Capitan' without the .app and without exact process name checked and it works.

Quan_nong
Contributor

Hi

Have you added a scope to the restricted software policy?

mm2270
Legendary Contributor III

@dstranathan yes, you have to add some Macs to the scope or it will not get applied. Also, when you say you're testing on a Mac with "both apps installed" are you running the applications as well? It's not going to pop up until the applications are launched on the Macs. This is in addition to the scope requirement.

dstranathan
Valued Contributor II

-

dstranathan
Valued Contributor II

@mm2270 Ahhh. I thought the JAMF binary would report the EXISTENCE of the apps, regardless of whether they were being executed or not.

Forgot to mention: I have Restricted Software scoped to the Target of "All Computers." (I'll make an exception for IT's Macs in the future after my testing is completed.)

@kitzy I'm checking in every ~15 minutes

mm2270
Legendary Contributor III

@dstranathan No, the way Restricted Software works is, it watches the process list for the items you have deemed "restricted" and will do your bidding, whether that's killing the process, deleting it from the machine and sending up a message, or any combination of those, as soon as it sees them running. It does not report on them if they are just installed but not active in the running process list. For that you could just use a Smart Group looking for those apps in the application inventory and enable the option to receive an email notification on the Smart Group change.

dstranathan
Valued Contributor II

I can't seem to get Restricted Software to work. I've had (2) restricted apps actively running on 4 managed Macs for ~24 hours straight. Nothing. Macs are checking in OK. Other policies and profiles are working.

@mm2270 - A Smart Group sounds like the way to go for my environment.


mm2270
Legendary Contributor III

@dstranathan If the Restricted Software isn't working on Macs you are certain are in scope of the Restricted Software items, I would check to make sure they have run a jamf manage command. You can try running sudo jamf manage on one of them manually and see if it starts working after that.

dstranathan
Valued Contributor II

My Smart Group and Policy to delete the apps is working. I'm getting the hang of this (finally). It yanked the (running) app right out from underneath the user. Bam - Take that, out-of-compliance end user!

Hey - all this power might go to my head.

Restricted Software is definitely set up correctly, but doesn't work. I kinda like my home-made Smart Group/Policy better anyway.

jamf_ec
New Contributor

Hi all,
Resurrecting this old post to see if I can get some answers.

Restricted software is working OK to a point.

It will happily block software, but what we want here (education environment) is to only block software while on the local LAN.

I have a smart group called "Blocked software" to which we add groups of computers to be blocked (e.g. student Macs).
I have two smart groups that check the local IP called "LAN connected" and "Not LAN connected".

In the restricted software scope, I include "Blocked Software" and have an exclusion for "Not LAN connected" but it never seems to work.
Apps are blocked all the time. Rebooting doesn't help. jamf manage doesn't help.
Is this meant to work with exclusions?

Thanks
Matt Waite

thoule
Valued Contributor II

Can the computers check in when "Not LAN Connected"? Or is your JSS on an internal network? The other problem is that the computer won't change groups till after it runs an inventory (every 24 hours by default). Then it needs about 15 mins after that to update the blocklist (which may or may not be expedited with 'jamf manage'). You can fix that by having a Self Service policy called 'Unblock Software' which runs an inventory update, then jamf manage, then a message that says "Software will be unblocked shortly". Assuming they can get to the JSS while off network.

If they can't get to the JSS while off network, then find a way to delete /Library/Application Support/.blacklist.xml file and see how that goes...
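As an added example (not from thoule's post and not Jamf's own code), a script for the "Unblock Software" Self Service policy described above: it runs the inventory update, then jamf manage, then the user message, in that order, and stops if an earlier step fails so a stale blocklist is not silently left in place. It assumes the jamf binary at /usr/local/bin/jamf (overridable through JAMF_BIN, a variable name chosen here) and that the policy runs the script as root.

```shell
#!/bin/sh
# "Unblock Software" Self Service policy script (example, not Jamf-supplied).
# Assumption: JAMF_BIN is the jamf binary; Jamf links it at /usr/local/bin/jamf
# on current macOS, and Jamf policies execute this script as root.
JAMF_BIN="${JAMF_BIN:-/usr/local/bin/jamf}"

# Run one jamf verb and report success or failure to the policy log.
# Returns the verb's exit status so the caller can stop the sequence early.
run_jamf() {
    step="$1"; shift
    if "$JAMF_BIN" "$@"; then
        echo "ok: $step"
        return 0
    fi
    echo "failed: $step (exit $?)" >&2
    return 1
}

unblock_software() {
    # 1. Update inventory so the JSS re-evaluates the "LAN connected" /
    #    "Not LAN connected" smart groups for this Mac.
    run_jamf "inventory update (jamf recon)" recon || return 1
    # 2. Pull the management framework again so the restricted-software list
    #    reflects the new scope exclusion. Skipped if recon failed, because
    #    manage would only re-download the same stale list.
    run_jamf "framework refresh (jamf manage)" manage || return 1
    # 3. Tell the user what to expect; the refresh is not instantaneous.
    run_jamf "user notification" displayMessage \
        -message "Software will be unblocked shortly."
}

# Run only where a jamf binary is actually present (i.e. on a managed Mac).
if [ -x "$JAMF_BIN" ]; then
    unblock_software
fi
```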

jamf_ec
New Contributor

@thoule Yes the JSS is accessible externally. If the groups don't change quick enough, that will be the problem.
I'll try your suggestion of an "Unblock Software" self service policy. Much appreciated.