Hello everybody, I would like to set up Jamf Pro to prevent employees from installing apps. Only those from the self services are allowed. I have already deactivated the App Store, but not the Apps from the Internet.
Thanks for your help
That's pretty specifically what admins can do. Consider making them non-admins if you want to control what they install. Otherwise, see the idea posted above by @wmehilos .
You could try the restricted software route, but that isn't foolproof and you'd have to maintain the list. Think: blocking the executable of the program you don't want them to run. It kinda works for blocking installers, but, again, pretty easy to get around.
Your environment (and rules) may be unique. I'm at a school so no-one is given admin rights. Easy-Peazy.
on the iPad side they let you setup a configuration profile to now allow 3rd party developer programs to be installed. Since we're talking about Macs, I'd recommend in your prestage enrollment to setup a hidden admin account on your new devices and make everyone a standard user. That way you can control the exceptions to the rule. If everyone is admin, you're trying to create an exception after the fact. Barn door is open, cows are outside.
@S.Puschel You can demote them to standard users with a script. I use the this:
#!/bin/sh adminUsers=$(dscl . -read Groups/admin GroupMembership | cut -c 18-) for user in $adminUsers do if [ "$user" != "administrator" ] && [ "$user" != "admin" ] && [ "$user" != "jamfadmin" ] then dseditgroup -o edit -d $user -t user admin if [ $? = 0 ]; then echo "Removed user $user from admin group"; fi else echo "Admin user $user left alone" fi done
This will basically demote any user from admin to standard apart from whichever account(s) you specify in the following line:
if [ "$user" != "administrator" ] && [ "$user" != "admin" ] && [ "$user" != "jamfadmin" ]
I've used this a lot and it has never caused any issues, but as always test it first before you push it out.