Posted on 09-24-2019 08:34 AM
One of our teachers is using PhET on some MacBook Pros that we have set up as lab computers for the department. Students log into them with their AD account and are not admins on them. She wants them to download some JAR files from a website to run throughout this semester and SIP is requiring an admin password since it's downloaded from a site. Is there a way (in JAMF) to always allow these files to run without disabling SIP? Would this be a kernel extension I need to allow?
Posted on 09-24-2019 08:59 AM
Tampering with SIP is never a good idea. In fact, in Catalina it won't be possible at all, as the entire OS will be on a read-only partition.
Also, it won't be possible to set Jamf to allow certain admin privs for non-admin users. Jamf Connect can do that, but that's pretty hefty.
Best solution would be to distribute the required software via a policy with Jamf Pro (maybe make it available in Self Service if you want users to install it themselves without admin passwords).
Posted on 09-24-2019 09:04 AM
I definitely don't want to tamper with SIP. What you're saying is download them and package them up and then distribute them to each computer though right? That was the only thing I could think of as an alternative.
Posted on 09-24-2019 10:38 AM
Yep. We use PhET and a few other demonstrators like that. I just signed them with my own Developer ID. Leave SIP alone ;-) I just tell our departments that #1, we need to find other resources or build our own (I'm thinking Wolfram Alpha) since I'd love to never see a .jar on our user machines again. Or #2, I tell them that I have to vet them and distribute them via Self-Service or an automated policy. This is where I make sure they aren't total crap and sign them for our own internal distro.