Script to run in background at logon?

DanJ_LRSFC
Contributor III

Is it possible to have a script that gets started at logon and continues running in the background?

Due to it not being possible by other methods, I'd like to write a script for use with exam users that regularly (e.g. every 30 seconds) checks for Safari or Chrome processes and kills them.

How would I go about doing this?


apizz
Valued Contributor

If you're using the Casper Suite, you could just create a Software Restriction for those apps and scope it to the individual (or group) of machines. That way it's just part of the management framework on the machine and will automatically kill those processes.

DanJ_LRSFC
Contributor III

@aporlebeke Restricted Software cannot be scoped to an LDAP User Group which is what we need. So that's why I am looking to use a script instead (already tried Configuration Profile Restrictions, Configuration Profile Parental Controls as well, both are no good for the purpose I need).

apizz
Valued Contributor

Gotcha. So these aren't dedicated testing machines then? That's what I was assuming. If only certain users are able to login to those machines in question, you could still go the Restricted Software route and create LDAP user exclusions so the restrictions only applied to the testing account. But I can see how that wouldn't work either ...

rhoward
Contributor

Some thoughts:

You could script the killall command for the exact processes you need and make a Policy in the JSS to run at recurring check in for those machines. Granted you would have to lower the check in to 5 minutes to do this, but it wouldn't be running every 30 seconds.

Why can't you just remove Google Chrome and change the permissions of Safari so that only root can use Safari? Is there anything internet based for your exam?

One other thing we do for our exams is that we force the computers to be on a WIFI network that only has access to local printing and blocks all other websites. Hope this helps.

millersc
Valued Contributor

Could make a script killing those apps. Then create a launchdaemon with the keep alive command. This would have it running all the time looking for those processes. LaunchControl is very helpful.

DanJ_LRSFC
Contributor III

The computers being used for the exams are not dedicated exam machines. Outside of exam times they need to be usable as normal (including internet access and web browsers) via accounts that are not in the Examinees Active Directory group. During exam times they will be used by accounts that are in the Examinees Active Directory group and need to not have Internet access (though they do need network access for storage and printing).

@rhoward we don't have the ability to block Internet access by user/group, and the Internet needs to be available on these computers for non exam users.

@millersc can LaunchDaemons be made specific to a user group? If so that seems like the sort of thing I am looking for.

DanJ_LRSFC
Contributor III

Okay so I've got part of a script sorted out but I could still use some suggestions on implementing it:

#!/bin/sh

if false  # placeholder: replace with an expression that tests whether the user is NOT in the AD Examinees group
then
    # insert code to stop the LaunchDaemon running, just for this login session (it needs to start back up the next time someone logs in)
    exit
fi

# -x matches the exact process name; pgrep may return several PIDs, one per line
chromerunning=`pgrep -x -- "Google Chrome"`
safarirunning=`pgrep -x -- "Safari"`

# -n with the variable quoted avoids "too many arguments" when more than one PID came back
if [ -n "$chromerunning" ]; then
    kill -9 $chromerunning
    "/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" -windowType utility -icon "/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/Resources/restrictedSoftware.png" -title "Restricted Software" -description "Google Chrome is not permitted during exams." -button1 "OK" -defaultButton 1 &
fi
if [ -n "$safarirunning" ]; then
    kill -9 $safarirunning
    "/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" -windowType utility -icon "/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/Resources/restrictedSoftware.png" -title "Restricted Software" -description "Safari is not permitted during exams." -button1 "OK" -defaultButton 1 &
fi

Any idea how I can fill in the blanks? Is there a way to unload a LaunchDaemon just for the current login session?

thoule
Valued Contributor II

#!/bin/sh
currentUser=`whoami`

# id prints the user's groups as "groups=20(staff),1234(ADExamGroupName),..."
isInTestGroup=`id $currentUser | grep ADExamGroupName`

# quote the variable: the matched id line contains spaces, and an unquoted -z test would break on them
if [ -z "$isInTestGroup" ]; then
    # -z is null, meaning no data in variable, meaning user not in group
    echo "User not in test group, quitting"
    exit
fi

# run rest of script here

LaunchDaemons start when the computer starts. They run as root user. LaunchAgents run as the user, with user permissions, and start when the user logs in. You may want to run this as a LaunchAgent, but a smart 'exam' user could just unload the launchagent and prevent your script from killing the web browser.

millersc
Valued Contributor

@DanJ_LRSFC It would take some testing, unless someone else is more versed in the UserName part of LaunchDaemon work. Take a read on this: http://launchd.info

I don't know if an AD group can be passed according to UserName entry.

DanJ_LRSFC
Contributor III

@thoule thanks, that looks really useful! And you're right, I've read up on LaunchDaemons vs LaunchAgents and it seems that a LaunchAgent would be a better fit. I'll try what you've suggested.

EDIT:

So it seems like what I need is a LaunchAgent plist file called, say, uk.ac.longroad.killbrowsersinexams.plist with content like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>uk.ac.longroad.killbrowsersinexams</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Library/Scripts/killbrowsersinexams.sh</string>
    </array>
    <key>StartInterval</key>
    <integer>10</integer>
</dict>
</plist>

And then to put the script in as /Library/Scripts/killbrowsersinexams.sh with the part at the top that checks the group membership? And then this would run it every 10 seconds.
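As an added example (not the poster's or thoule's code), here is a complete body for /Library/Scripts/killbrowsersinexams.sh that combines thoule's group check with the browser-killing part of the earlier script, run every 10 seconds by the StartInterval LaunchAgent above. It assumes the AD group is called "Examinees" (a placeholder) and that jamfHelper lives at the path quoted earlier in the thread; the group test matches the whole group name instead of a substring, so a group such as "NotExaminees" or a name containing spaces is handled correctly.

```shell
#!/bin/sh
# Added example, not from the original thread: body of
# /Library/Scripts/killbrowsersinexams.sh for the StartInterval LaunchAgent.
# Assumes the AD group "Examinees" (placeholder) and the jamfHelper path below.

EXAM_GROUP="${EXAM_GROUP:-Examinees}"   # placeholder AD group name
JAMFHELPER="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"

# is_in_group GROUP ID_OUTPUT: 0 when GROUP is an exact group name in the
# "groups=20(staff),1002(Examinees)" part of `id USER` output. Exact matching
# avoids substring hits, and names with spaces ("Domain Users") stay intact.
# The id text is passed in so the function can be tested without a directory.
is_in_group() {
    printf '%s\n' "$2" \
        | sed 's/^.*groups=//' \
        | tr ',' '\n' \
        | sed 's/^[0-9]*(\(.*\))$/\1/' \
        | grep -qxF -- "$1"
}

# kill_browser NAME: kill every process whose name is exactly NAME.
# Returns 0 if at least one process was found, 1 if none was running.
kill_browser() {
    pids=$(pgrep -x -- "$1") || return 1
    kill -9 $pids          # unquoted on purpose: one PID per argument
}

# notify NAME: show the same jamfHelper dialog as in the original script
notify() {
    [ -x "$JAMFHELPER" ] || return 0   # no Jamf binary on this machine; skip
    "$JAMFHELPER" -windowType utility -title "Restricted Software" \
        -description "$1 is not permitted during exams." \
        -button1 "OK" -defaultButton 1 &
}

main() {
    # As a LaunchAgent this runs as the logged-in user, so whoami is that user
    if ! is_in_group "$EXAM_GROUP" "$(id "$(whoami)")"; then
        return 0   # not an examinee: leave the browsers alone
    fi
    for app in "Google Chrome" "Safari"; do
        if kill_browser "$app"; then
            notify "$app"
        fi
    done
}

main
```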

sean
Valued Contributor

I would suggest that this really needs to be handled by your network and not by machines. There are ways to circumvent this, e.g. Screen Sharing to another machine that isn't being blocked, Messages, iCloud, etc.

Assuming that there is no one else in these rooms when an exam is taking place other than those taking the exams, it may be more prudent to block all traffic on these machines, with the exception of your specific requirements, for the duration of the exam. This really needs to be done at your network layer to ensure control.

Is the printer on the same vlan? What is the storage for? Do they only need to upload, e.g. for submission?

Potentially you could have a machine in the room, controlled by the invigilators, that provides a dropbox share and with the printers on the same vlan all traffic could be limited to that vlan for the exam machines during exam time.

The way to do this is with network control. Any other method would involve you realising ALL methods of circumvention and successfully blocking/removing all of these methods.

DanJ_LRSFC
Contributor III

@sean Thanks for your recommendations. However at this stage there is not enough time left before the exams start to research and implement such a solution, and we may not even have the necessary infrastructure in place to do that at this time. VLANs are a thing that is being worked on at a level higher than mine (i.e. Network Manager level) but it will be some time before they are in place.

sean
Valued Contributor

In a way that is good. Get in now with the guys involved and explain your criteria, so it can be built with that in mind.

As for blocking, you could use parental controls to only allow certain sites. You could have one single site allowed (an internal page explaining that the internet is banned and the attempt has been noted).

You can also use App Control and only allow the apps you wish to allow.

DanJ_LRSFC
Contributor III

@sean I tried applying Parental Controls from a Configuration Profile. However, the Macs in question have hardware such as scanners and tablets which have all kinds of "helper" processes which are then denied. When Parental Controls are applied normally, there is a button on the denial dialog that pops up where you can say to "allow this app"; however, when it is applied through a Configuration Profile this button does not appear. We need a mode where we can Deny specific apps rather than have to Allow everything else.