We've been noticing a good number of students downloading and launching .app files from their Desktop and Downloads folders. Is there a good way to prevent .app files from launching from these folders?
I have been using Restricted Software, but it is a large amount of work to upkeep.
I am now messing with Configuration Profiles with Application Restrictions, but it doesn't seem to be working as I hoped. Right now I have ~/Users/Desktop and ~/Users/Downloads in the Disallow Folder. Nothing is currently set in Allow Apps or Allowed Folder. With these settings it seems as if every app no matter the location is being blocked. Are the Allow Apps or Allowed Folder options required when messing with these settings?
My main goal is to prevent applications from running in a user's Desktop or Downloads folder. This seems to be the typical location that students have been saving to/running from.
We are running 9.6.1 of the JSS.
Thank you in advance!
When using that function, you have to set up the blacklisted locations and the whitelisted locations, such as /Applications/ and /Library/Application Support/ for example. And set /Users/ as the blacklisted path. No need to specify exact folders within the /Users/ path in most cases. There are some exceptions you may need to end up making, because some applications like putting helper apps inside a user's home folder and must run from there for the application to work.
As you found, if you don't set the Allowed folders, no applications will be able to launch. These settings work together. If one is missing, it doesn't work properly.
I have found luck with using Configuration Profiles to restrict applications by defining the allowed folders to be set to:
This prevents users from downloading applications and running them from their home folders.
EDIT: I'm not sure why we have the /bin/ and /usr/bin/ folders defined, as I don't think there are any application bundles that reside there.
So, since this post, I created a Configuration Profile to restrict which apps are allowed to launch. It seems to have been working great.
In our allowed list I have:
Just recently we are seeing students getting a message stating that they don't have permissions to use the application "jamfAgent."
I see the jamfAgent is located in /usr/sbin/. I am planning to add that to the allowed list, but why all of a sudden did this just happen? Is anyone else seeing this? Not sure if it is a coincidence or not, but we are seeing it after the 9.65 update.
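To make the setup mm2270 describes concrete (allowed system locations, /Users/ disallowed, and the /usr/sbin/ exception for jamfAgent reported just above), here is an added example that builds the Restrictions profile as a .mobileconfig and sanity-checks it before it is scoped. This is not Jamf's code or anything a poster in this thread shared. It assumes the payload type com.apple.applicationaccess.new with the keys pathWhiteList, pathBlackList and familyControlsEnabled (the two path keys are named later in the thread; familyControlsEnabled is assumed to be required for the path lists to take effect), and the identifiers, the /System/Library/CoreServices/ entry and the organisation name are made up for the example.

```python
"""Build and sanity-check an Application Restrictions configuration profile.

Added example for this thread, not code from Jamf or from any poster.
Assumed keys: pathWhiteList, pathBlackList, familyControlsEnabled.
"""
import plistlib
import uuid

# Locations mm2270 recommends allowing, plus /usr/sbin/ for the jamfAgent
# binary the original poster saw blocked after the 9.65 update.
ALLOWED_FOLDERS = [
    "/Applications/",
    "/Library/Application Support/",
    "/System/Library/CoreServices/",   # assumption: needed for Finder etc.
    "/usr/sbin/",
]

# Disallowing /Users/ covers ~/Desktop and ~/Downloads for every account
# without listing them per user.
DISALLOWED_FOLDERS = ["/Users/"]


def build_profile(allowed, disallowed, org="example.org"):
    """Return a dict with the structure of a .mobileconfig file."""
    payload = {
        "PayloadType": "com.apple.applicationaccess.new",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.restrictions.apps",   # made-up identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Application Restrictions",
        "familyControlsEnabled": True,   # assumed: enables the path lists
        "pathWhiteList": list(allowed),
        "pathBlackList": list(disallowed),
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadIdentifier": f"{org}.restrictions",         # made-up identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Block apps launched from home folders",
        "PayloadContent": [payload],
    }


def check_profile(profile):
    """Checks worth running before scoping the profile to students:
    exactly one restrictions payload, every path written as a folder
    prefix ending in '/', an allowed list that is not empty (an empty
    allowed list blocks every app), and no allowed folder nested under
    a disallowed one (the thread reports those get blocked anyway)."""
    payloads = [p for p in profile["PayloadContent"]
                if p["PayloadType"] == "com.apple.applicationaccess.new"]
    if len(payloads) != 1:
        return False
    p = payloads[0]
    if not p["pathWhiteList"]:
        return False
    if any(not path.endswith("/") for path in p["pathWhiteList"] + p["pathBlackList"]):
        return False
    if any(w.startswith(b) for w in p["pathWhiteList"] for b in p["pathBlackList"]):
        return False
    return p.get("familyControlsEnabled") is True


def write_profile(path, profile):
    """Serialise the profile as an XML plist (.mobileconfig)."""
    with open(path, "wb") as fh:
        plistlib.dump(profile, fh)


if __name__ == "__main__":
    prof = build_profile(ALLOWED_FOLDERS, DISALLOWED_FOLDERS)
    if not check_profile(prof):
        raise SystemExit("profile failed sanity checks")
    write_profile("BlockHomeFolderApps.mobileconfig", prof)
    print(plistlib.dumps(prof).decode())
```

The resulting file can be uploaded to the JSS as a custom configuration profile; the sanity checks are what catches the two mistakes discussed in this thread (an empty allowed list, and trying to carve an exception out of a disallowed parent folder) before students see the "don't have permission" dialog.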
I'm not sure I get why you would want to suppress those dialogs. That's part of how the whole function of whitelisted/blacklisted folders works. If you suppressed those somehow (though I'm pretty certain there is no way to anyway), what would happen when the user tries to launch an app from the restricted directory? They would double-click it and.... nothing? Sounds like a very confusing and poor user experience to me, and a recipe for getting loads of help desk calls about broken Macs.
Unless I'm misunderstanding what you're referring to here?
@mm2270 I found that Chrome is running update daemons in the ~/Library/Google/ location. So when a user opens Chrome they get multiple popup boxes telling them that the Google Software Update applications couldn't run because they don't have permission. But I have since found a way to fix this issue. Originally I was just going to manage Chrome and disable updates, but our security team is pushing to get rid of Chrome from our network completely, as it is less secure as a browser. We may be using primarily Firefox, which solves this issue anyway.
Also, I found that I cannot make an exception for a file in the /Users/ folder if I have blacklisted that folder; attempting to do so just allows the entire /Users/ folder to run apps again. This makes sense of course from a logical standpoint, but it would be nice to be able to do this.
Also again, the section that allows users to always run "x" applications is a drop-down menu of predetermined applications. Is there a way to add to this list?
I have an account on MacBooks that is created for students to do diploma tests. They have no access to the internet and only a handful of apps. When I log in to the account to make sure everything is working like it should, I get two pop-ups. One is secure websites for Microsoft AU Daemon, which I do not care about because they can click OK and it is gone. But I have another one that is giving me problems. It says "You don't have permission to use the application 'Acrobat Update Helper'", then changes to "JamfAgent". Is there a script I can push out from JAMF Pro so it will allow these and any others that may be blocked that can be ignored, so they do not pop up? It would be very time-consuming to go to every site and allow them manually on every MacBook.
Edited: BTW the OS is 10.11.6
I have two or more questions about allowing & disallowing certain locations to launch an application from, as well as a coding question.
I added several whitelisted items, as seen below:
It seems to be working, with a "Hey, you can't open this" message. But then the image below shows up, allowing them to select Allow, which opens a new popup asking for the admin password.
Well, these users are admins of their devices, so basically I think I am chasing my tail here, as they can approve what they can launch. Is that correct?
Another question I have is that some allow/disallow path names are written /Applications/, whereas others are written ~/Applications/... so, as a non-coder, what is the difference?
I have been trying to do this myself after I found that several of our users are running their development environment from within the Downloads folder, which is also being scanned by the antivirus and slowing down the computer.
I found that it is possible to use either the ~ or $USERNAME to block the downloads path as below
The issue which I found is ANY application which has been used in the ~/Downloads folder will NOT be blocked once the profile has been installed. Any new application copied into the ~/Downloads folder WILL be blocked. If you copy a working application from the ~/Downloads folder then copy the same application back into the ~/Downloads folder it will NOW be blocked.
So far I have not worked out how to reset the application history. I have already reset the Gatekeeper database with
sudo spctl --reset-default
and this had no effect. So I am assuming that I may have to reset the Spotlight database to block the applications from running after the profile deployment.
@rhooper Were you ever able to figure out your issue? I'm trying to stop my users from running applications from the Downloads folder and Desktop. I copied your allowed folders and disallowed folders paths, but I'm running into the same issue every time I launch Chrome.
Does anyone have any other paths that should be added so that this error stops occurring? Please let me know. Thanks for your help in advance!
@msalvaleon According to the key order of the Managed Preferences com.apple.applicationaccess.new.plist, I think the system checks the disallow folder list first when you try to run the apps. That means if you have disallow folder path /A and allow folder /A/B, and try to run /A/B/c.app, the system will kill c.app. So if you have child folders that need to be allowed, you shouldn't add the parent folder to the disallow folders list.
In the first screenshot, I have the Firefox app in both the disallow and allow folder lists, ~/ in the disallow folder list, and ~/Library/Google in the allow folder list. The result is I don't have permission to run Firefox and Google Update.
In the second screenshot, I created an Apps folder on the Desktop and copied Firefox to the Apps folder, added the Apps folder to the disallow folder list and the parent folder Desktop to the allow folder list. The result is that Firefox is killed and other apps on the Desktop are not.
And I tried to change the order of pathBlackList and pathWhiteList using PlistEdit, but the key pathBlackList still stays on top in the plist file.
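The two screenshot experiments above, the earlier report that an empty allowed list blocks everything, and the ~ versus /Users/$USERNAME question can all be checked against one small model of the decision logic. The following is an added example, not Apple's or Jamf's implementation: it only reproduces the outcomes the posters describe (disallowed folders evaluated before allowed ones, a disallowed parent beating an allowed child and vice versa, and anything matching neither list blocked). It assumes that `~` and `$USERNAME` both resolve to the console user's home folder, and it does not model rhooper's observation that apps launched before the profile was installed stay exempt. The sample app paths and the "student" home folder are constructed for the example.

```python
"""Model of the allowed/disallowed folder decision as described in this thread.

Added example, not Apple's or Jamf's code. Assumes '~' and '$USERNAME'
both refer to the console user's home folder.
"""
import posixpath


def normalize(path, home):
    """Return an absolute, '/'-free-tailed path, expanding '~' and
    '$USERNAME' (assumption: both mean the console user) so that profile
    entries and app paths compare the same way."""
    user = posixpath.basename(home.rstrip("/"))
    path = path.replace("$USERNAME", user)
    if path == "~" or path.startswith("~/"):
        path = home.rstrip("/") + path[1:]
    return posixpath.normpath(path)


def under(path, folder):
    """True if path is folder itself or lies anywhere inside it."""
    if folder == "/":
        return True
    return path == folder or path.startswith(folder + "/")


def can_launch(app_path, allowed, disallowed, home="/Users/student"):
    """Decide as the thread describes: the disallowed list wins if any
    entry contains the app; otherwise the app must sit under an allowed
    entry; an empty allowed list therefore blocks everything."""
    app = normalize(app_path, home)
    if any(under(app, normalize(d, home)) for d in disallowed):
        return False
    return any(under(app, normalize(a, home)) for a in allowed)


def audit(app_paths, allowed, disallowed, home="/Users/student"):
    """Map each candidate app path to its launch decision."""
    return {p: can_launch(p, allowed, disallowed, home) for p in app_paths}


if __name__ == "__main__":
    # Constructed app paths standing in for the ones shown in the screenshots.
    apps = [
        "/Applications/Firefox.app",
        "/Users/student/Library/Google/GoogleSoftwareUpdate.app",
        "~/Desktop/Apps/Firefox.app",
        "~/Desktop/Other.app",
        "/Users/student/Downloads/Thing.app",
    ]
    # First screenshot: Firefox in both lists, ~/ disallowed, ~/Library/Google allowed.
    first = audit(apps, ["/Applications/", "/Applications/Firefox.app/", "~/Library/Google/"],
                  ["/Applications/Firefox.app/", "~/"])
    # Second screenshot: Desktop allowed, Desktop/Apps disallowed.
    second = audit(apps, ["/Applications/", "~/Desktop/"], ["~/Desktop/Apps/"])
    for name, result in (("first screenshot", first), ("second screenshot", second)):
        print(name)
        for path, ok in result.items():
            print(f"  {'allow' if ok else 'block':5}  {path}")
```

Run it with a real inventory (for example the .app bundles found under /Users) to see which helper apps a proposed profile would kill before pushing it, which is exactly the Chrome updater and jamfAgent surprise reported earlier in the thread.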