Restricting .app

Henry,

You should post this as a Feature Request. I don't have a need for this necessarily at the moment, but would certainly vote it up. Sometimes restricting all and making the exceptions is the easier approach.

Craig E

Will do, thanks Craig

BTW Craig, based on your answer I take that isn't possible to just enter .app on the list of restricted software?

Hi Henry -

We should be able to accomplish something like this with MCX. Here is a discussion outlining a whitelist setup with MCX. Does this help?

https://jamfnation.jamfsoftware.com/discussion.html?id=33

Thanks!

Hey Jake,

Thanks for the link. Just had a few questions, hopefully It makes sense

1. Will I need to create a file and save it as a .plist ?

2. Once saved as .plist will I need to then go to managed preferences/create managed Preference so I can upload a copy of the of the .plist file?

3. the statement below is included in the MCX file:

<key>ID</key>
<string>com.apple.widget.calendar</string>
<key>Type</key>
<string>bundleID</string>
<key>mcx_DisplayName</key>
<string>iCal</string>

Just for me to understand, does it mean that the calendar is allowed to run within the applications? If I where to remove the statement above from the MCX file, the calendar will then not run?

Cheers,

Henry

A different perspective. In some cases, location matters.

I know of one school IT administrator who had a situation with students installing unauthorized software to the Desktop, so he used JSS to kill (or delete) apps--or anything--that was installed to the Desktop.

pty10,

We do something similar but we do not allow students to run items from the Desktop that they try to run.

I would try this I don't know if this would work or not use composer and drag all your applications in a folder called "ApprovedApp" folder in the Application folder. Change the permissions to only allow your Tech's to write in it. Go into your configuration folder on Casper and set the approved apps /Applications/ApprovedApp Then if a student installs a application it will go to the Application folder and say this is not allowed.

Maybe this will work NOT SURE have not had to do this.

As mentioned above, MCX should work for you in this case, unless the students are admins and can add applications to the main Applications folder. In that case, your options are more limited.
But assuming that is not the case, with the MCX for com.apple.applicationaccess.new, you can add the approved (whitelist) paths for where programs can run from and also the restricted locations, like /Users/. That would prevent users from running apps fro their home directories, which is a common issue since many apps are just bundles they can copy from a disk image.
You may have to fiddle with things a bit to get it working without problems for your users. Some apps require users to be able to launch supporting applications from locations like /Library/Application Support for example.