Setup App Installation Not Allowed

S_Puschel
New Contributor III

Hello everybody, I would like to set up Jamf Pro to prevent employees from installing apps. Only those from the self services are allowed. I have already deactivated the App Store, but not the Apps from the Internet.

Thanks for your help

8 REPLIES 8

larry_barrett
Valued Contributor

Macs or iPads?

wmehilos
Contributor

If it's on a Mac, you can setup Google Santa to block anything not whitelisted from opening/executing.

S_Puschel
New Contributor III

Hi, thanks for the answer, this is Mac devices. Is there no other way to do this directly in Jamf Pro?

larry_barrett
Valued Contributor

Do your users have admin privileges? What OS are they on?

S_Puschel
New Contributor III

hello, yes the users have admin rights and system is Catalina

larry_barrett
Valued Contributor

That's pretty specifically what admins can do. Consider making them non-admins if you want to control what they install. Otherwise, see the idea posted above by @wmehilos .

You could try the restricted software route, but that isn't foolproof and you'd have to maintain the list. Think: blocking the executable of the program you don't want them to run. It kinda works for blocking installers, but, again, pretty easy to get around.
ce166f12ea43463d9c8b5dc51bbf22fc

Your environment (and rules) may be unique. I'm at a school so no-one is given admin rights. Easy-Peazy.

on the iPad side they let you setup a configuration profile to now allow 3rd party developer programs to be installed. Since we're talking about Macs, I'd recommend in your prestage enrollment to setup a hidden admin account on your new devices and make everyone a standard user. That way you can control the exceptions to the rule. If everyone is admin, you're trying to create an exception after the fact. Barn door is open, cows are outside.

S_Puschel
New Contributor III

Unfortunately the local users have an admin access .
Can I use Jamf to change this user account to a normal standard user? Without problems or data loss

amccarty
New Contributor III

@S.Puschel You can demote them to standard users with a script. I use the this:

#!/bin/sh

adminUsers=$(dscl . -read Groups/admin GroupMembership | cut -c 18-)

for user in $adminUsers
do
    if [ "$user" != "administrator" ]  && [ "$user" != "admin" ] && [ "$user" != "jamfadmin" ]
    then 
        dseditgroup -o edit -d $user -t user admin
        if [ $? = 0 ]; then echo "Removed user $user from admin group"; fi
    else
        echo "Admin user $user left alone"
    fi
done

This will basically demote any user from admin to standard apart from whichever account(s) you specify in the following line:

if [ "$user" != "administrator" ]  && [ "$user" != "admin" ] && [ "$user" != "jamfadmin" ]

I've used this a lot and it has never caused any issues, but as always test it first before you push it out.