Posted on 08-15-2024 01:22 PM
I've been tasked with finding a way to prevent users from running applications out of unapproved locations such as their Desktop and Downloads folders. I found a nearly 10-year-old thread talking about doing exactly that, and it doesn't seem like much has changed in the years since. That said, any decade-old device management thread is going to be really out of date.
Are there any major gotchas I should be aware of while building out the test Restrictions here? Things like needing to whitelist unexpected directories for Microsoft or Google products? Should I hold off until the Restrictions payload gets updated to match the modern Jamf payload setup?
Posted on 08-15-2024 01:46 PM
Google's Santa tool (https://github.com/google/santa) supports blocking executables via a Path regex: https://santa.dev/concepts/scopes.html
Posted on 08-15-2024 02:42 PM
Jamf is able to blacklist software, but it is by file name, binary, etc., not execution path. If you block Google Chrome.app it will block it anywhere it's run from. What you are asking is more the domain of a security tool, and yes, there are tools to do this. I would suggest looking into something from Carbon Black or CyberArk.
I have used CyberArk EPM specifically for what you are asking with good success in the past. You create policies for what is allowed to run from specifically where. I have had policies that limit where .dmgs can be mounted from, for example: if it is not in a specific directory, the dmg cannot mount, as the process is killed and the user gets an error. This workflow can be adapted to only allow .app extensions to run from /Applications and so on. Use the right tool for the job or have a bad time :).
Posted on 08-15-2024 04:43 PM
So, disallowing and allowing app paths in Restrictions payload of Config Profiles doesn't work anymore?
Posted on 08-16-2024 04:28 AM
Are you doing it here?
Posted on 08-16-2024 07:37 AM
They're referring to the Restrictions > Applications > Restrict which apps are allowed to launch configuration profile payload I linked to up above. That method should work, but I was unsure if it was still the recommendation after a decade of Apple and Jamf changing things up.
Posted on 08-16-2024 12:05 PM
I did not know that was even there. I would not want to use it, because you would pretty much have to specify every folder on the system you want to disallow. With how creative users are, you will be specifying a lot of folders. Either way, that is a very nifty bit of info, thanks for teaching me something.
Posted on 08-16-2024 12:20 PM
It's definitely more of a blunt hammer than a scalpel, but in theory, if you just want to block the /Users/ folder and then allow-list a few other major directories in it like ~/Library/, you can cover most of the bases without needing a massive number of rules. If your users aren't admin, they're not gonna be able to put things that far outside of their own directories.
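As an added example (not from this thread, Jamf, or Santa), here is a small audit script that applies the "block /Users/, allow ~/Library/ back" idea from the post above to a process list, so you can see which running executables would land on the wrong side of such a rule before you deploy it. The policy prefixes and the `ps` lines are constructed; on a Mac the input would come from `ps -axo pid=,comm=`.

```python
import posixpath
import re

# Constructed policy in the spirit of the thread: deny everything under /Users/,
# then allow a few directories back. Hypothetical choices, not an exported Jamf profile.
DENY_PREFIXES = ["/Users/"]
ALLOW_PATTERNS = [
    r"^/Users/[^/]+/Library/",   # ~/Library/ (per-user helpers, updaters)
    r"^/Applications/", r"^/System/", r"^/usr/", r"^/bin/", r"^/sbin/",
]
PS_LINE = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")  # one line of `ps -axo pid=,comm=`

def normalize(path: str) -> str:
    # Collapse '.'/'..' so '/Users/x/Desktop/../Desktop/tool' is still seen under
    # /Users/, and fold case because the default APFS volume is case-insensitive
    # ('/users/x/Downloads/tool' is the same file as '/Users/x/Downloads/tool').
    return posixpath.normpath(path).lower()

def is_allowed(path: str) -> bool:
    p = normalize(path)
    if any(re.match(pat, p, re.IGNORECASE) for pat in ALLOW_PATTERNS):
        return True                      # explicitly allowed back
    if any(p.startswith(d.lower()) for d in DENY_PREFIXES):
        return False                     # inside a denied tree
    return True                          # not covered by this policy: allow

def audit(ps_output: str) -> list[tuple[int, str]]:
    # Return (pid, path) for processes whose executable lives in a denied location.
    # macOS `ps -axo pid=,comm=` prints the full executable path in the comm column.
    flagged = []
    for line in ps_output.splitlines():
        m = PS_LINE.match(line)
        if not m:
            continue
        pid, path = int(m.group(1)), m.group(2)
        if not path.startswith("/"):
            continue                     # kernel tasks / bare names: nothing to check
        if not is_allowed(path):
            flagged.append((pid, path))
    return flagged

# Constructed sample output, not captured from a real machine.
SAMPLE_PS = """\
  412 /Applications/Safari.app/Contents/MacOS/Safari
  977 /Users/jdoe/Downloads/Installer.app/Contents/MacOS/Installer
 1023 /Users/jdoe/Library/Application Support/Example/helper
 1101 /users/jdoe/Desktop/../Desktop/tool
 1205 /usr/libexec/trustd
"""
```

`audit(SAMPLE_PS)` flags the Downloads installer and the Desktop tool (the latter despite the lower-case prefix and the `..` hop) while leaving the ~/Library/ helper alone, which is the behaviour you want to confirm before a path rule goes into a production profile.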