Restricting Applications in a Users folder

sburrows
New Contributor III

We've been noticing a good amount of students downloading and launching .app files from their Desktop and Downloads folders. Is there a good way to prevent .app files from launching from these folders?

I have been using Restricted Software, but it is a large amount of work to up keep.

I am now messing with Configuration Profiles with Application Restrictions, but it doesn't seem to be working as I hoped. Right now I have ~/Users/Desktop and ~/Users/Downloads in the Disallow Folder. Nothing is currently set in Allow Apps or Allowed Folder. With these settings it seems as if every app no matter the location is being blocked. Are the Allow Apps or Allowed Folder options required when messing with these settings?

My main goal is to prevent applications from running in a users Desktop or Downloads folder. This seems to be the typical location that students have been saving/running from.

We are running 9.6.1 of the JSS.

Thank you in advance!

18 REPLIES 18

mm2270
Legendary Contributor II

When using that function, you have to set up the blacklisted locations and the whitelisted locations, such as /Applications/ and /Library/Application Support/ for example. And set /Users/ as the blacklisted path. No need to specify exact folders within the /Users/ path in most cases. There are some exceptions you may need to end up making, because some applications like putting helper apps inside a user's home folder and must run from there for the application to work.

As you found, if you don't set the Allowed folders, no applications will be able to launch. These settings work together. If one is missing, it doesn't work properly.

dbrodjieski
New Contributor III

I have found luck with using Configuration Profiles to restrict applications by defining the allowed folders to be set to:
/Applications/
/System/Library/
/Library/
/bin/
/usr/bin/

Disallow folders:
/Users/

This prevents users from downloading applications an running them from their home folders.

EDIT: I'm not sure why we have the /bin/ and /usr/bin/ folders defined, as I don't think there are any application bundles that reside there.

sburrows
New Contributor III

Thanks for the advice! I'll give these a try.

sburrows
New Contributor III

So since this post I created a Configuration Profile to restrict which apps are allowed to launch. It seems to have been working great.

In our allowed list I have:
/Applications/
/System/Library/
/Library/

Just recently we are seeing students getting a message stating that they don't have permissions to use the application "jamfAgent."

I see the jamfAgent is located in /usr/sbin/. I am planning to add that to the allowed list, but why all of sudden did this just happen? Is anyone else seeing this? Not sure if it is coincidence or not, but we are seeing it after the 9.65 update.

ZachB
New Contributor

Does anyone know how to suppress the popups that say "You don't have permission to use the application '<application>'." when an application is run outside of the allowed folders?

mm2270
Legendary Contributor II

I'm not sure I get why you would want to suppress those dialogs. That's part of how the whole function of whitelisted/blacklisted folders works. If you suppressed those somehow (though pretty certain there is no way to anyway) what would happen when the user tries to launch an app from the restricted directory? They would double click it and.... nothing? Sounds like a very confusing and poor user experience to me, and a recipe for getting loads of help desk calls about broken Macs.

Unless I'm misunderstanding what you're referring to here?

ZachB
New Contributor

@mm2270 I found that Chrome is running update daemons in the ~/Library/Google/ location. So when a user opens Chrome they get multiple popup boxes telling them that the Google Software Update applications couldn't run because they don't have permission. But I have since found a way to fix this issue. Originally I was just going to manage Chrome and disable updates but our security team is pushing to get rid of Chrome from our network completely as it is less secure as a browser. We may be using primarily Firefox which solves this issue anyways.

Also, I found that I cannot make an exception for a file in the /Users/ folder if I have black listed that folder, attempting to do so just allows the entire /Users/ folder to run apps again. This makes sense of course from a logical stand point, but would be nice to be able to do this.

Also again, the section that allows users to always run "x" applications is a drop down menu of predetermined applications. Is there a way to add to this list?

ggigliotti
New Contributor II

Kinda off topic but how do you guys avoid students from copying a file from a flash drive into the Applications folder and running it. I can probably make a script that changes the permissions but I was wondering if there was another way in Jamf to do this.

ChrisTech
Contributor

@ZachB How did you fix the issue with Chrome? I am getting that as well.

Chris

jesse_wilson
New Contributor II

@ZachB If you save Login/Password in FireFox be careful. There really is not protection from others finding out what the passwords are unlike Chrome.

jesse_wilson
New Contributor II

I have an account on MacBooks that is created for students to do diploma tests. They have no access to internet and only a handful of apps. When I login to the account to make sure everything is working like it should I get a two pop ups. One is secure websites for Microsoft AU Daemon which I do not care about because they can click OK and it is gone. But I have another one that is giving me problems. It says "You don't have permission to use the application "Acrobat Update Helper" then changes to "JamfAgent". Is there a script I can push out from JAMF Pro so it will allow these and any others that may be blocked that can be ignored so they do not pop up. It would be very time consuming to go to every site and allow them manually on every MacBook.

Edited: BTW the OS is 10.11.6

rhooper
Contributor III

Hey all.
I have two or more questions about allowing & Disallowing certain locations to launch an application from as well as a coding question.

I added several whitelisted items, as seen below:
995ddd69c0ac4ed5960e81c5efbe175a

It seems to be working with an Hey you can't open this message. But then the below image shows up allowing them to select allow, which opens a new popup asking for the admin password.
fbca202e10a34afa83994cf5971a4adb
Well these users are admins of their device, so basically I think I am chasing my tail here as they can approve what they can launch. Is that correct?

Another question I have is some allow/disallow path names are written /Applications/, whereas others are written ~ /Applications/... so as a non-coder what is the difference?

Thanks all,
R

Stevie
Contributor

I have been trying to do this myself after I found that several of our users are running their development environment from within the downloads folder which is also being scanned by the antivirus and slowing down the computer.

I found that it is possible to use either the ~ or $USERNAME to block the downloads path as below

bc2f7847bb7f4ca094b4a9c93aed0704

The issue which I found is ANY application which has been used in the ~/Downloads folder will NOT be blocked once the profile has been installed. Any new application copied into the ~/Downloads folder WILL be blocked. If you copy a working application from the ~/Downloads folder then copy the same application back into the ~/Downloads folder it will NOW be blocked.

So far I have not worked out how to reset the application history. I have already reset the gatekeeper database with

sudo spctl --reset-default

and this had no effect. So I am assuming that I may have to reset the spotlight database to blocked the applications from running after the profile deployment.

msalvaleon
New Contributor II

@rhooper Were you ever able to figure out your issue? I'm trying to stop my users from running applications from the downloads folder and desktop. I copied your allowed folders and disallowed folders path but I'm running in to the same issue every time I launch chrome.

Does anyone have any other paths that should be added so that this error stops occurring? Please let me know. Thanks for your help in advance!

d66acc3d17df4e54b377490153ba2513

vanschip-gerard
Contributor

@rhooper I ran into the exact same issue. Whats the point if a user can just override?

vanschip-gerard
Contributor

Bit puzzled. When I add either:
- /Users/$USERNAME/Library
- ~/Library
I find that users can launch apps from the desktop, when I removed those 2 entries they cant.

Bug?

dec016a7dea54523af2e62c0e3652334

NateES
New Contributor II

@vanschip-gerard

Is it possible your users have iCloud documents enabled? That puts the user's Desktop folder into the actual path /Users/$Username/Library/Mobile Documents/Desktop

Steven_Xu
New Contributor III
New Contributor III

@msalvaleon According the key order of the Managed Preferences com.apple.applicationaccess.new.plist, I think the system check the disallow folder list first when you try to run the apps, that means if you have disallow folder path /A and allow folder /A/B, and try to run /A/B/c.app, the system will kill c.app. So if you have child folders need to be allowed, you shouldn't add the parent folder to the disallow folders list.

in the first screenshot, I have Firefox app in disallow and allow folder, and ~/ in disallow folder, and ~/Library/Google in allow folder list. the result is I don't have permission to run Firefox and Google updated.

dbd8be493cb040e6b9771adbeab2b031

in the second screenshot, I created an Apps folder on Desktop and copy Firefox to Apps folder, add Apps folder to disallow folder list and add parent folder Desktop to allow folder, the result is Firefox is been killed and other apps on Desktop are not.

722bf694099744b69d5a72c78c231a9c

And I tried to change order of the pathBlackList and pathWhiteList use PlistEdit, the key pathBlackList still keep on the top in the plist file.