Skip to main content
Question

Setup App Installation Not Allowed

  • March 5, 2020
  • 8 replies
  • 55 views
S
Forum|alt.badge.img+5

Hello everybody, I would like to set up Jamf Pro to prevent employees from installing apps. Only those from the self services are allowed. I have already deactivated the App Store, but not the Apps from the Internet.

Thanks for your help

    8 replies

    L
    Forum|alt.badge.img+13

    Macs or iPads?

    wmehilos
    Forum|alt.badge.img+11
    • wmehilos
    • Valued Contributor
    • March 5, 2020

    If it's on a Mac, you can setup Google Santa to block anything not whitelisted from opening/executing.

    S
    Forum|alt.badge.img+5
    • S_Puschel
    • Author
    • Contributor
    • March 6, 2020

    Hi, thanks for the answer, this is Mac devices. Is there no other way to do this directly in Jamf Pro?

    L
    Forum|alt.badge.img+13

    Do your users have admin privileges? What OS are they on?

    S
    Forum|alt.badge.img+5
    • S_Puschel
    • Author
    • Contributor
    • March 6, 2020

    hello, yes the users have admin rights and system is Catalina

    L
    Forum|alt.badge.img+13

    That's pretty specifically what admins can do. Consider making them non-admins if you want to control what they install. Otherwise, see the idea posted above by @wmehilos .

    You could try the restricted software route, but that isn't foolproof and you'd have to maintain the list. Think: blocking the executable of the program you don't want them to run. It kinda works for blocking installers, but, again, pretty easy to get around.

    Your environment (and rules) may be unique. I'm at a school so no-one is given admin rights. Easy-Peazy.

    on the iPad side they let you setup a configuration profile to now allow 3rd party developer programs to be installed. Since we're talking about Macs, I'd recommend in your prestage enrollment to setup a hidden admin account on your new devices and make everyone a standard user. That way you can control the exceptions to the rule. If everyone is admin, you're trying to create an exception after the fact. Barn door is open, cows are outside.

    S
    Forum|alt.badge.img+5
    • S_Puschel
    • Author
    • Contributor
    • March 9, 2020

    Unfortunately the local users have an admin access .
    Can I use Jamf to change this user account to a normal standard user? Without problems or data loss

    amccarty
    Forum|alt.badge.img+7
    • amccarty
    • Contributor
    • March 9, 2020

    @S.Puschel You can demote them to standard users with a script. I use the this:

    #!/bin/sh

adminUsers=$(dscl . -read Groups/admin GroupMembership | cut -c 18-)

for user in $adminUsers
do
    if [ "$user" != "administrator" ]  && [ "$user" != "admin" ] && [ "$user" != "jamfadmin" ]
    then 
        dseditgroup -o edit -d $user -t user admin
        if [ $? = 0 ]; then echo "Removed user $user from admin group"; fi
    else
        echo "Admin user $user left alone"
    fi
done

    This will basically demote any user from admin to standard apart from whichever account(s) you specify in the following line:

    if [ "$user" != "administrator" ]  && [ "$user" != "admin" ] && [ "$user" != "jamfadmin" ]

    I've used this a lot and it has never caused any issues, but as always test it first before you push it out.

    Terms & ConditionsCookie settingsAccessibility statement