Restricting .app

pty10
New Contributor III

Is there anyway I can restrict or block all applications using the restricted software option in Casper and then create a list of allowed or exempted software? I work at a school and I'm looking for a way to block kids from playing games or having software installed on their macbooks that aren't suppose to have. I think it will be easier to have a list of allowed software instead of trying to block every single software that the kids try to use. I tried adding .app as the process to look for and enabled kill process but kids are still able to run apps. Any idea on how to achieve this? Can it be done for package (.pkg) as well to stop them from installing software?

Regards,

Henry

8 REPLIES 8

ernstcs
Contributor III

Henry,

You should post this as a Feature Request. I don't have a need for this necessarily at the moment, but would certainly vote it up. Sometimes restricting all and making the exceptions is the easier approach.

Craig E

pty10
New Contributor III

Will do, thanks Craig

pty10
New Contributor III

BTW Craig, based on your answer I take that isn't possible to just enter .app on the list of restricted software?

jake
Contributor II
Contributor II

Hi Henry -

We should be able to accomplish something like this with MCX. Here is a discussion outlining a whitelist setup with MCX. Does this help?

https://jamfnation.jamfsoftware.com/discussion.html?id=33

Thanks!

pty10
New Contributor III

Hey Jake,

Thanks for the link. Just had a few questions, hopefully It makes sense

  1. Will I need to create a file and save it as a .plist ?
  2. Once saved as .plist will I need to then go to managed preferences/create managed Preference so I can upload a copy of the of the .plist file?

  3. the statement below is included in the MCX file:

<key>ID</key>
<string>com.apple.widget.calendar</string>
<key>Type</key>
<string>bundleID</string>
<key>mcx_DisplayName</key>
<string>iCal</string>

Just for me to understand, does it mean that the calendar is allowed to run within the applications? If I where to remove the statement above from the MCX file, the calendar will then not run?

Cheers,

Henry

SeanA
Contributor III

A different perspective. In some cases, location matters.

I know of one school IT administrator who had a situation with students installing unauthorized software to the Desktop, so he used JSS to kill (or delete) apps--or anything--that was installed to the Desktop.

technicholas
Contributor

pty10,

We do something similar but we do not allow students to run items from the Desktop that they try to run.

I would try this I don't know if this would work or not use composer and drag all your applications in a folder called "ApprovedApp" folder in the Application folder. Change the permissions to only allow your Tech's to write in it. Go into your configuration folder on Casper and set the approved apps /Applications/ApprovedApp Then if a student installs a application it will go to the Application folder and say this is not allowed.

Maybe this will work NOT SURE have not had to do this.

mm2270
Legendary Contributor III

As mentioned above, MCX should work for you in this case, unless the students are admins and can add applications to the main Applications folder. In that case, your options are more limited.
But assuming that is not the case, with the MCX for com.apple.applicationaccess.new, you can add the approved (whitelist) paths for where programs can run from and also the restricted locations, like /Users/. That would prevent users from running apps fro their home directories, which is a common issue since many apps are just bundles they can copy from a disk image.
You may have to fiddle with things a bit to get it working without problems for your users. Some apps require users to be able to launch supporting applications from locations like /Library/Application Support for example.