Search and destroy apps

milesleacy
Valued Contributor

Hi all,
I have another script to share. In more than one environment I've worked
with, users were not allowed to store or run apps in/from their home
folders. Policies were made clear that any apps in one's home folder were
considered a policy violation, and subject to automatic deletion. I put
together the following script to make sure I never had to go hunt for
someone's hidden apps again.

#!/bin/bash

##### HEADER BEGINS #####
# scr_maint_searchDestroyAppsInHomeFolder.bash
#
# Created 20080729 by Miles A. Leacy IV
# miles.leacy at themacadmin.com
# Modified 20090112 by Miles A. Leacy IV
# Copyright 2009 Miles A. Leacy IV
#
# This script may be copied and distributed freely as long as this header remains intact.
#
# This script is provided "as is". The author offers no warranty or guarantee of any kind.
# Use of this script is at your own risk. The author takes no responsibility for loss of use,
# loss of data, loss of job, loss of socks, the onset of armageddon, or any other negative effects.
#
# Test thoroughly in a lab environment before use on production systems.
# When you think it's ok, test again. When you're certain it's ok, test twice more.
#
# This script performs a search & destroy on any apps in the user's home folder.
# This script deletes user data. Be sure of your organization's policies as they may apply before using.
#
# Again, THIS SCRIPT DELETES USER DATA. Make sure you understand what data will be deleted and that it is
# permissible to delete that data before using this script.
#
# It is intended to be run as part of a Casper policy triggered by login.
#
# Note: This script can take several minutes to run on very large home folders.
# It took 5 minutes and 31 seconds on a 146.77 GB home folder on a Mac Pro in testing.
#
##### HEADER ENDS #####

# Set $isapp to indicate whether an item is an application
# initial value is 0
# a value of 0 = not an application
# a value of 1 = an application
isapp=0

# return the absolute path of each item in the specified directory and act upon them in the "do" loop.
# $3 is the username that Casper passes to a login-triggered policy script.
# "IFS= read -r" keeps paths with leading spaces or backslashes intact.
find "/Users/$3" | while IFS= read -r file
do

# skip the contents of .app bundles
[[ "$file" = *.app/* ]] && continue

# determine whether $file is an application and change value of $isapp if it is
isapp=$(mdls -name kMDItemKind "$file" | grep -c Application)

# if $file is an application ($isapp contains any nonzero value), act upon it.
if [ "$isapp" -ne 0 ]; then
    echo "Deleting" "$file"
fi

# reset $isapp
isapp=0

done

----------
Miles A. Leacy IV

Certified System Administrator 10.4
Certified Technical Coordinator 10.5
Certified Trainer
Certified Casper Administrator
----------
voice: 1-347-277-7321
miles.leacy at themacadmin.com
www.themacadmin.com


milesleacy
Valued Contributor

I received a note about my script from someone at Apple, and I want to make
sure to mention that Leopard's MCX will allow you to prohibit launching apps
from a user's home folder. In fact, you can allow or disallow the launching
of apps from any folder(s).
The script I provided is an option if you:
have Tiger clients
don't have OD
don't want to mess with using MCX in the local directory service
want to delete the app(s) as well as deny launching

----------
Miles A. Leacy IV

Certified System Administrator 10.4
Certified Technical Coordinator 10.5
Certified Trainer
Certified Casper Administrator
----------
voice: 1-347-277-7321
miles.leacy at themacadmin.com
www.themacadmin.com

milesleacy
Valued Contributor

I left out a command in the script in my first message. Here is the
complete script:
#!/bin/bash

##### HEADER BEGINS #####
# scr_maint_searchDestroyAppsInHomeFolder.bash
#
# Created 20090112 by Miles A. Leacy IV
# miles.leacy at themacadmin.com
# Modified 20090112 by Miles A. Leacy IV
# Copyright 2009 Miles A. Leacy IV
#
# This script may be copied and distributed freely as long as this header remains intact.
#
# This script is provided "as is". The author offers no warranty or guarantee of any kind.
# Use of this script is at your own risk. The author takes no responsibility for loss of use,
# loss of data, loss of job, loss of socks, the onset of armageddon, or any other negative effects.
#
# Test thoroughly in a lab environment before use on production systems.
# When you think it's ok, test again. When you're certain it's ok, test twice more.
#
# This script performs a search & destroy on any apps in the user's home folder.
# This script deletes user data. Be sure of your organization's policies as they may apply before using.
#
# Again, THIS SCRIPT DELETES USER DATA. Make sure you understand what data will be deleted and that it is
# permissible to delete that data before using this script.
#
# It is intended to be run as part of a Casper policy triggered by login.
#
# Note: This script can take several minutes to run on very large home folders.
# It took 5 minutes and 31 seconds on a 146.77 GB home folder on a Mac Pro in testing.
#
##### HEADER ENDS #####

# Set $isapp to indicate whether an item is an application
# initial value is 0
# a value of 0 = not an application
# a value of 1 = an application
isapp=0

# return the absolute path of each item in the specified directory and act upon them in the "do" loop.
# $3 is the username that Casper passes to a login-triggered policy script.
# "IFS= read -r" keeps paths with leading spaces or backslashes intact.
find "/Users/$3" | while IFS= read -r file
do

# skip the contents of .app bundles
[[ "$file" = *.app/* ]] && continue

# determine whether $file is an application and change value of $isapp if it is
isapp=$(mdls -name kMDItemKind "$file" | grep -c Application)

# if $file is an application ($isapp contains any nonzero value), act upon it.
if [ "$isapp" -ne 0 ]; then
    echo "Deleting" "$file"
    rm -R "$file"
fi

# reset $isapp
isapp=0

done

----------
Miles A. Leacy IV

Certified System Administrator 10.4
Certified Technical Coordinator 10.5
Certified Trainer
Certified Casper Administrator
----------
voice: 1-347-277-7321
miles.leacy at themacadmin.com
www.themacadmin.com
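An audit-only variant of the search above, added here as an illustration; it is not part of the thread or of Miles's script. It reports the outermost .app bundles under a home folder instead of deleting them, so it can run on a schedule and feed a log before anyone decides on enforcement. The `/Users/jdoe` paths are constructed sample data, and the `-prune` form assumes a BSD or GNU find(1).

```shell
#!/bin/sh
# Added example, not from the original post: report .app bundles in a home
# folder without removing anything. Constructed sample paths below.

# Filter: read find(1) output on stdin and print only the outermost .app
# bundle paths. Anything underneath a bundle (Info.plist, helper apps in
# Contents/Library, ...) is dropped, which is what the original script's
# `[[ "$file" = *.app/* ]] && continue` guard does one item at a time.
list_app_bundles() {
  while IFS= read -r path; do
    case "$path" in
      *.app/*) continue ;;              # inside a bundle already reported
      *.app)   printf '%s\n' "$path" ;;
    esac
  done
}

# Faster equivalent on a live filesystem: find stops descending at the first
# .app directory it meets (-prune) instead of visiting every file inside every
# bundle. Takes the home folder as $1.
find_app_bundles() {
  find "$1" -type d -name '*.app' -prune -print 2>/dev/null
}

# One report line per bundle: who and where. "AUDIT" marks that nothing was
# removed, which is the field a log collector would key on.
audit_home_folder() {
  user=$1
  home=$2
  find_app_bundles "$home" | while IFS= read -r bundle; do
    printf 'AUDIT user=%s bundle=%s\n' "$user" "$bundle"
  done
}

# Constructed sample of what `find /Users/jdoe` might print.
SAMPLE_FIND_OUTPUT='/Users/jdoe
/Users/jdoe/Documents/notes.txt
/Users/jdoe/Downloads/Foo.app
/Users/jdoe/Downloads/Foo.app/Contents/Info.plist
/Users/jdoe/Downloads/Foo.app/Contents/MacOS/Foo
/Users/jdoe/Downloads/Foo.app/Contents/Library/Helper.app
/Users/jdoe/Downloads/Foo.app/Contents/Library/Helper.app/Contents/MacOS/Helper
/Users/jdoe/Desktop/archive.zip
/Users/jdoe/.hidden/Baz.app
/Users/jdoe/.hidden/Baz.app/Contents/MacOS/Baz'

# Demo run over the sample: prints Foo.app and Baz.app, nothing from inside them.
printf '%s\n' "$SAMPLE_FIND_OUTPUT" | list_app_bundles
```

The `-prune` form avoids running `mdls` once per file, which is where the 5 minutes 31 seconds on a large home folder go; the trade-off is that it keys on the `.app` name rather than Spotlight's kMDItemKind, so it will not notice an application whose bundle has been renamed without the extension. Logging first and deleting only after a review also means a mistaken match costs a follow-up rather than a user's data.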

milesleacy
Valued Contributor

I too have encountered some of the hardships that Thomas describes. Thanks
to Casper, MCX and UNIX, with some tinkering, you may be able to get things
managed despite those developers that refuse to follow Apple's developer
guidelines.
If you have a folder that *must* be writable in a place where you don't want
people writing files, I'd try linking it elsewhere (such as /Users/Shared)
and be sure that apps are not allowed in that directory or (if the developer
was thoughtful) changing the location in the app's preferences. If the app
uses the folder as "scratch space" but there is no persistent data, I'd have
a policy that runs a script which deletes the contents of the folder at
logout.

To have tight control of which apps can run and which can't, disallow
applications within "/" or "/Applications", and then add your allowable apps
to the "Always allow these applications:" list. It could be tedious, but it
would be tightly controlled. If you use Workgroup Manager to administer
your MCX (which most people do and it's a free download from Apple), you can
mitigate the tedium by creating presets. If you handle your MCX via
scripting, you can use Casper smart groups and policies to mitigate the
tedium.

Be sure to test your apps thoroughly, including giving them to live users
toward the end of the testing process. During your testing, you can
determine the most restrictive permissions that still allow the desired
functions.

----------
Miles A. Leacy IV

Certified System Administrator 10.4
Certified Technical Coordinator 10.5
Certified Trainer
Certified Casper Administrator
----------
voice: 1-347-277-7321
miles.leacy at themacadmin.com
www.themacadmin.com

Not applicable

Actually, if you use the "Applications" pane versus the "Folders" pane to assign allowed apps, you are allowing those applications to be dragged/copied anywhere on the user's system and launched. Use the "Folders" (which should really be called "Paths") to set up allowed and disallowed apps/locations(/paths).

johnd
-- John DeTroye Email: johnd at apple.com
Sr. Consulting Engineer Systems Management Specialist
Apple - Education iChat: johnd at mac.com
Systems Management Guide - http://www.apple.com/education/go/sysmgmt/
Tips and Tricks Docs - http://web.me.com/johnd/

milesleacy
Valued Contributor

Thanks for the info!
So, am I correct that an item appearing in the "Applications" pane is
allowed even if its enclosing folder appears in the disallowed folders list?

Thanks again,

----------
Miles A. Leacy IV

Certified System Administrator 10.4
Certified Technical Coordinator 10.5
Certified Trainer
Certified Casper Administrator
----------
voice: 1-347-277-7321
miles.leacy at themacadmin.com
www.themacadmin.com

Not applicable

We've not jumped up to Leopard yet (may skip directly to the whiter cat in fact). Could either of you guys clarify whether the Apps and Folders panes can be used together in conjunction?

Cheers
Dan

Not applicable

Yes. The "Applications" pane is for signing apps and setting up universally allowed apps. Here's an explanation I posted to one of the other lists:
----
The WGM/Prefs settings for Applications often confuses a lot of people. Let me try to explain what the gears and tubes are doing.

The Applications tab is where you digitally sign apps and designate them for use regardless of location. The apps, when signed on an admin system, must then be cloned onto every client machine. This is because the signing affects only that copy of the app. App signing keeps a user from editing the app bundle and trying to fake out the mgmt to think it's something else - think "I'm not Terminal, I'm really Calculator." The problem with using that tab to set application permissions is that you are allowing users to drag the app into their homedir or anyplace else they want to run it. It also doesn't account for all of the other portions of some applications, such as the support apps they need.

The Folders tab should really be called "Paths" since you designate the location of the allowed, and disallowed, application(s). It works the same as a firewall, with denies overriding allows. It is important to allow locations such as the /Library/Application Support folder, and often, the entire /Library folder when 3rd party apps dump stuff all over the place. This may be the case with SketchUp.

The old "Allow apps to sublaunch" from Tiger is active all the time in Leopard; but in a much more limited way - it allows items inside the same folder that you designated plus any system-owned items (unix apps).

And finally, all of this assumes well-behaved apps.
-----

johnd
-- John DeTroye Email: johnd at apple.com
Sr. Consulting Engineer Systems Management Specialist
Apple - Education iChat: johnd at mac.com
Systems Management Guide - http://www.apple.com/education/go/sysmgmt/
Tips and Tricks Docs - http://web.me.com/johnd/
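A toy model of the launch rules John describes, added here as an illustration and not part of his post or of any Apple tool: the Folders pane as path prefixes where a deny beats an allow, and the Applications pane as an allow that ignores location. Every value is constructed: the allow/deny paths, the sample launches, and the "identities", which stand in for the code-signature check the Applications pane performs (a renamed or relocated signed copy still carries the same signature, which is why the model does not key on the bundle name). The default verdict for a path on neither list is this model's choice; the thread does not say what MCX does there.

```shell
#!/bin/sh
# Added example, not from the thread: reason about an MCX-style application
# policy before building it in Workgroup Manager. All lists are constructed.

# Folders pane: allowed and disallowed locations. A deny beats an allow, so
# /Applications/Utilities stays blocked although /Applications is allowed.
ALLOWED_PATHS='/Applications
/Library
/System'
DENIED_PATHS='/Users
/Applications/Utilities'

# Applications pane: signed apps allowed wherever their copy lives. The caller
# supplies an identity that stands in for the signature check (assumption).
UNIVERSAL_IDENTITIES='com.apple.calculator'

# path_under_any LIST PATH: is some line of LIST a path prefix of PATH?
# Matches whole components only, so /Applications does not cover /ApplicationsOld.
path_under_any() {
  list=$1; target=$2; found=1
  old_ifs=$IFS; IFS='
'
  for prefix in $list; do
    case "$target" in
      "$prefix"|"$prefix"/*) found=0; break ;;
    esac
  done
  IFS=$old_ifs
  return $found
}

# in_list LIST VALUE: does LIST contain exactly VALUE?
in_list() {
  list=$1; value=$2; found=1
  old_ifs=$IFS; IFS='
'
  for entry in $list; do
    [ "$entry" = "$value" ] && { found=0; break; }
  done
  IFS=$old_ifs
  return $found
}

# launch_decision IDENTITY PATH: prints the verdict and the rule that produced it.
# Order follows the post: Applications pane first (location ignored), then the
# Folders pane with deny checked before allow. "deny:default" for a path on
# neither list is this model's assumption, not something the thread states.
launch_decision() {
  identity=$1; app=$2
  if in_list "$UNIVERSAL_IDENTITIES" "$identity"; then
    echo "allow:applications-pane"
  elif path_under_any "$DENIED_PATHS" "$app"; then
    echo "deny:folders-pane"
  elif path_under_any "$ALLOWED_PATHS" "$app"; then
    echo "allow:folders-pane"
  else
    echo "deny:default"
  fi
}

# Constructed sample launches: identity then path. The first line is the case
# John warns about: a universally allowed app dragged into a home folder.
printf '%-22s %-45s %s\n' IDENTITY PATH DECISION
for sample in \
  'com.apple.calculator /Users/jdoe/Downloads/Calculator.app' \
  'com.apple.safari /Applications/Safari.app' \
  'com.apple.terminal /Applications/Utilities/Terminal.app' \
  'com.example.foo /Users/jdoe/Desktop/Foo.app'
do
  set -- $sample
  printf '%-22s %-45s %s\n' "$1" "$2" "$(launch_decision "$1" "$2")"
done
```

Running the table makes the trade-off concrete: Calculator is permitted from Downloads despite the /Users deny because the Applications pane never looks at the path, while Terminal is refused under /Applications/Utilities even though /Applications as a whole is allowed. Keeping the universal list short and doing the rest with paths is the policy shape the post recommends.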