restricted software

tlarkin
Honored Contributor

So, I am just now getting around to updating some restricted software through Casper. I want it to kill and delete Skype. Before I was using the find command and a script but I think that flooded my database with a bunch of gibberish in the log files. So now I am just going to use the pre-built tools. Which I should have done in the first place.

So, you just need to type in exactly what the system sees the process as right? ps -A | grep Skype returns that the system calls the process Skype.app. Now some users run this from any path, could be off a disk image or flash drive. So Casper will shut down Skype.app but me just listing it exactly what the process is called right?

Thanks,



Thomas Larkin
TIS Department
KCKPS USD500
tlarki at kckps.org
blackberry: 913-449-7589
office: 913-627-0351


milesleacy
Valued Contributor

2009/3/2 Thomas Larkin <tlarki at kckps.org>

So Casper will shut down Skype.app but me just listing it exactly what the process is called right?

Right. I'd enter a message to display to the user, unless you want them to
think that the app's failure to launch is a system issue, then you can have
the help desk scold them when they call in. 🙂

What I really like is that you can send email notifications and delete the
offending app too. This eliminates the need for "search and destroy"
scripts for offending apps that you know about and don't want on your
systems.

----------
Miles A. Leacy IV

? Certified System Administrator
? Certified Trainer
Certified Casper Administrator
----------
voice: 1-347-277-7321
miles.leacy at themacadmin.com
www.themacadmin.com

tlarkin
Honored Contributor

Well I was using search and destroy scripts using the find command and
it killed my logs. I deleted those policies and I shaved off, get this,
an epic 5 gigs off of my MySQL database on the JSS. It looks like the
find command was indexing every single file on the computer, which is
like millions, and even with limited scope search paths it was still too
much.

The find commands work well for one time execution over ARD admin
though.



Thomas Larkin
TIS Department
KCKPS USD500
tlarki at kckps.org
blackberry: 913-449-7589
office: 913-627-0351

milesleacy
Valued Contributor

Assuming your users aren't admins, you could limit your search & destroy
scripts to locations that a user has access to (i.e., ~ and /Users/Shared/).
If your users are admins, you've got bigger problems. 🙂

----------
Miles A. Leacy IV

? Certified System Administrator
? Certified Trainer
Certified Casper Administrator
----------
voice: 1-347-277-7321
miles.leacy at themacadmin.com
www.themacadmin.com

tlarkin
Honored Contributor

I had to let it search out mounted disk images and thumb drives, and
there was one application folder with botched permissions that allowed
them write access. They aren't admins but they have the brute force
hacker mentality where they just keep trying every possible thing until
they get it right.



Thomas Larkin
TIS Department
KCKPS USD500
tlarki at kckps.org
blackberry: 913-449-7589
office: 913-627-0351

Not applicable

I found a bug with the Restricted Software feature that causes the computers to always stay awake since the checking for processes apparently resets the sleep timer. This was an issue for us because of our green initiatives on campus.

That being said, I find that feature far superior to search and destroy scripts for a couple of reasons:

  1. It doesn't matter where the application is running from; since it looks for process information, it will spot the process and delete the app.
  2. For the most part, a user can't just rename the .app and fool the system (i.e., search and destroy can be fooled if a user renames "LimeWire.app" to "LW.app"; since Casper uses process names, that's a little more difficult).

One thing that might be interesting to check out is if you can make a launchd item that will monitor the process list and be started up if a process with a certain name, similar to how it can be notified on folder change. This would eliminate polling and maybe fix the sleep issue, but I haven't looked at the man page enough to see if it can be done.

Ryan Harter
UW - Stevens Point
Workstation Developer
715.346.2716
Ryan.Harter at uwsp.edu
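An added illustration of the two points above (example code written for this page, not Casper's own logic): matching on the executable name taken from the process table finds the process wherever it was launched from, and still finds it when the .app bundle has been renamed. The process list below is constructed sample output in `ps -A -o pid=,comm=` form, not real output from anyone's machines.

```shell
#!/bin/sh
# Constructed sample of `ps -A -o pid=,comm=` output: pid, then the full
# path of the running executable. Note the renamed bundle (LW.app) still
# runs an executable called LimeWire, and Skype is launched from a USB stick.
SAMPLE_PS='101 /Applications/Skype.app/Contents/MacOS/Skype
202 /Volumes/USBSTICK/Skype.app/Contents/MacOS/Skype
303 /Users/student/Desktop/LW.app/Contents/MacOS/LimeWire
404 /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
505 /Applications/Utilities/Terminal.app/Contents/MacOS/Terminal'

# Print "pid path" for every process whose executable name is in the
# space-separated blocklist, regardless of the directory it runs from.
find_restricted() {
    blocklist="$1"
    printf '%s\n' "$SAMPLE_PS" | while read -r pid path; do
        name=${path##*/}   # executable basename: independent of path and .app folder name
        for blocked in $blocklist; do
            if [ "$name" = "$blocked" ]; then
                printf '%s %s\n' "$pid" "$path"
            fi
        done
    done
}

# Number of matching processes; a quick way to confirm a rule fires at all.
count_restricted() {
    find_restricted "$1" | wc -l | tr -d ' '
}

find_restricted 'Skype LimeWire'
```

In real use the sample would be replaced by live `ps` output and the match would feed a kill/notify step; the matching itself is what Restricted Software does that a filename search cannot.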

Not applicable

We want to restrict iChat to our lab machines only and no one else. What is the best practice to do this? We currently use restricted software, but even though we have a global exemption list it doesn't work. Users on this list still have issues using iChat. Any ideas? Thank you.



Kathie Iorizzo
Lower School Technician
The Latin School of Chicago
kiorizzo at latinschool.org
312.582.6136

Not applicable

In the machines that you don't want iChat being used, simply remove iChat from those machines. Or move iChat to the local admin's home.

Matt

tlarkin
Honored Contributor

You do not run Open Directory, do you?

Not applicable

No we use AD.



Kathie Iorizzo
Lower School Technician
The Latin School of Chicago
kiorizzo at latinschool.org
312.582.6136

talkingmoose
Honored Contributor II

Rather than trying to find a different way to solve this problem, why not
try to fix what's not working with Restricted Software in the JSS?

Is there a reason why this shouldn't work for you? Have you addressed this
with JAMF Support?

--

bill

William M. Smith, Technical Analyst
MCS IT
Merrill Communications, LLC
(651) 632-1492

Not applicable

We have to list every user in the exemption list. I have users listed there and they still get access denied on the application.



Kathie Iorizzo
Lower School Technician
The Latin School of Chicago
kiorizzo at latinschool.org
312.582.6136

tlarkin
Honored Contributor

Well, there is a MCX setting somewhere that restricts what users can run by Folder. Now there are some stipulations for this, but what I do at my work is toss all apps that I want some users to have access to and put them into /Applications/Utilities. Then I create a policy for all students that denies access to the utilities folder so they can't run any apps from there.

I don't know where that setting is nested personally, but I am sure you can reproduce the same thing in Casper v7.

Now the stipulation is that you must select every folder path they are allowed to run applications from. For example, Adobe puts a lot of stuff in /Library/Application Support/ which also must be approved, otherwise CS3 and CS4 will not run.

Other than that, I find it a simple approach to manage applications. If I get more time in the next month I may try to pull that plist out and see if I can't reproduce that in Casper version 7, but I am also sure their support staff could help you accomplish this. Then a simple move script to move all the apps you want to restrict into /Applications/Utilities or wherever you wish will do the job for you.



Thomas Larkin
TIS Department
KCKPS USD500
tlarki at kckps.org
blackberry: 913-449-7589
office: 913-627-0351

tlarkin
Honored Contributor

Bill

There are a few things left to be desired in the restricted software
list. For example, we have had students drop Halo into a writable
folder (yeah kids are that smart) in /Applications and play it during
class and it annoys teachers. So, I put it on the restricted software
list for all users and it did not stop it from running because it is
actually part of a few bigger frameworks that are already running with
the system.

So instead I wrote scripts that changed the permissions of that folder,
and then searched out and deleted all Halo installs. So depending on
how the application is written it will or will not work.

I had an open ticket last year to help me kill Halo and the answer was,
it can't really be done. Now that was with version 6 last year, so who
knows with 7?

-Tom



Thomas Larkin
TIS Department
KCKPS USD500
tlarki at kckps.org
blackberry: 913-449-7589
office: 913-627-0351

Not applicable

Has anyone figured out how to reproduce this setting using Casper's MCX settings?

Nancy Fay
Tech Support Specialist
West Chester Area School District
829 Paoli Pike West Chester, PA 19380

On 9/8/09 5:23 PM, "Thomas Larkin" <tlarki at kckps.org> wrote:

Well, there is a MCX setting somewhere that restricts what users can run by Folder. Now there are some stipulations for this, but what I do at my work is toss all apps that I want some users to have access to and put them into /Applications/Utilities. Then I create a policy for all students that denies access to the utilities folder so they can't run any apps from there.

I don't know where that setting is nested personally, but I am sure you can reproduce the same thing in Casper v7.

Now the stipulation is that you must select every folder path they are allowed to run applications from. For example, Adobe puts a lot of stuff in /Library/Application Support/ which also must be approved, otherwise CS3 and CS4 will not run.

Other than that, I find it a simple approach to manage applications. If I get more time in the next month I may try to pull that plist out and see if I can't reproduce that in Casper version 7, but I am also sure their support staff could help you accomplish this. Then a simple move script to move all the apps you want to restrict into /Applications/Utilities or wherever you wish will do the job for you.



Thomas Larkin
TIS Department
KCKPS USD500
tlarki at kckps.org
blackberry: 913-449-7589
office: 913-627-0351

Not applicable

Thanks for pointing me the right direction. The domain ended up being com.apple.applicationaccess.new, and in addition to entering the values for pathWhiteList-Raw I also had to set the key familyControlsEnabled in the same domain to true.
Nancy