Posted on 03-05-2020 08:04 AM
Hello everybody, I would like to set up Jamf Pro to prevent employees from installing apps. Only those from Self Service are allowed. I have already deactivated the App Store, but not apps from the Internet.
Thanks for your help
Posted on 03-05-2020 08:44 AM
Macs or iPads?
Posted on 03-05-2020 11:08 AM
If it's on a Mac, you can set up Google Santa to block anything not whitelisted from opening/executing.
Posted on 03-06-2020 06:27 AM
Hi, thanks for the answer, these are Mac devices. Is there no other way to do this directly in Jamf Pro?
Posted on 03-06-2020 06:30 AM
Do your users have admin privileges? What OS are they on?
Posted on 03-06-2020 06:42 AM
Hello, yes, the users have admin rights and the system is Catalina.
Posted on 03-06-2020 06:58 AM
That's pretty specifically what admins can do. Consider making them non-admins if you want to control what they install. Otherwise, see the idea posted above by @wmehilos.
You could try the restricted software route, but that isn't foolproof and you'd have to maintain the list. Think: blocking the executable of the program you don't want them to run. It kinda works for blocking installers, but, again, pretty easy to get around.
Your environment (and rules) may be unique. I'm at a school so no one is given admin rights. Easy-Peazy.
On the iPad side they let you set up a configuration profile to not allow 3rd party developer programs to be installed. Since we're talking about Macs, I'd recommend in your prestage enrollment to set up a hidden admin account on your new devices and make everyone a standard user. That way you can control the exceptions to the rule. If everyone is admin, you're trying to create an exception after the fact. Barn door is open, cows are outside.
Posted on 03-09-2020 01:32 AM
Unfortunately the local users have admin access.
Can I use Jamf to change this user account to a normal standard user? Without problems or data loss?
Posted on 03-09-2020 05:03 AM
@S.Puschel You can demote them to standard users with a script. I use this:
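```shell
#!/bin/sh
# Read the members of the local admin group (strip the "GroupMembership: " label)
adminUsers=$(dscl . -read Groups/admin GroupMembership | cut -c 18-)

for user in $adminUsers
do
    # Accounts named on this line keep their admin rights
    if [ "$user" != "administrator" ] && [ "$user" != "admin" ] && [ "$user" != "jamfadmin" ]
    then
        # Remove the user from the admin group and report it only on success
        if dseditgroup -o edit -d "$user" -t user admin; then
            echo "Removed user $user from admin group"
        fi
    else
        echo "Admin user $user left alone"
    fi
done
```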
This will basically demote any user from admin to standard apart from whichever account(s) you specify in the following line:
```shell
if [ "$user" != "administrator" ] && [ "$user" != "admin" ] && [ "$user" != "jamfadmin" ]
```
I've used this a lot and it has never caused any issues, but as always test it first before you push it out.
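A variant of the demotion script in the post above, as an added example that is not part of the original post: it separates choosing the accounts from changing them, skips `root` and underscore-prefixed system accounts, and defaults to a dry run so the result can be reviewed in the policy log first. `KEEP_ADMINS`, `DRY_RUN` and the function names are assumptions introduced for this sketch.

```shell
#!/bin/sh
# Added example, not from the original post. KEEP_ADMINS and DRY_RUN are assumed names.
KEEP_ADMINS="${KEEP_ADMINS:-administrator admin jamfadmin}"   # accounts that stay admin
DRY_RUN="${DRY_RUN:-1}"                                       # 1 = report only, 0 = demote

# users_to_demote "<GroupMembership line from dscl>"
# Prints, one per line, each member that should lose admin rights.
users_to_demote() {
    members=${1#GroupMembership:}        # drop the label, keep the member list
    for user in $members; do
        case "$user" in
            root|_*) continue ;;         # root and "_" system accounts are never touched
        esac
        keep=0
        for k in $KEEP_ADMINS; do
            if [ "$user" = "$k" ]; then keep=1; fi
        done
        if [ "$keep" -eq 0 ]; then printf '%s\n' "$user"; fi
    done
    return 0
}

demote_admins() {
    line=$(dscl . -read /Groups/admin GroupMembership) || return 1
    users_to_demote "$line" | while IFS= read -r user; do
        if [ "$DRY_RUN" = "1" ]; then
            echo "Would remove $user from admin group"
        elif dseditgroup -o edit -d "$user" -t user admin; then
            echo "Removed user $user from admin group"
        else
            echo "Failed to remove $user from admin group" >&2
        fi
    done
}

# Only act where the macOS directory tools exist (sample input can be tested elsewhere).
if command -v dscl >/dev/null 2>&1 && command -v dseditgroup >/dev/null 2>&1; then
    demote_admins
fi
```

Run it once with the default `DRY_RUN=1` and check the output, then set `DRY_RUN=0` to apply the change.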