Software Installation Restriction Workarounds

FueledbyCoffee
New Contributor II

Guys, has anybody here done a sustainable software restriction for their environment?

I followed some tips here, from old threads, and it basically revolved around the concept of restricting the "Installer" app. I understand that blocking software per title would have been the best course, but I just don't see it being sustainable, as there could be non-mainstream software that we haven't heard of and it ends up getting installed without resistance. Further, we just don't know how much we can restrict per tenant/account; please correct me if I am mistaken.

With restricting the "Installer" app, I noticed that you can still install apps from Self Service without issues, provided that said apps came from the Jamf catalog or the Apple store. If you upload a package and have a policy to install it, then add it to Self Service, the restrictions will kick in. This has been the challenge for us, since we have software that is not in the built-in catalogs, so we have to install it via policy: SentinelOne, for example.


AJPinto
Esteemed Contributor

Jamf performs what is called Application Blacklisting, as you target a specific file and say it cannot run. What you are looking for is Application Whitelisting: you want to say nothing but these approved things can run. Application Whitelisting is well into the Security space and outside of the MDM space that Jamf Pro operates in. Application Blacklisting is very high maintenance and should be used as seldom as possible.

You may want to look into SentinelOne's capabilities. It should be able to allow and block processes based on hashing, signature, and parent process. We elected to go with CyberArk EPM, but users can only launch approved applications. Sometimes this does bite us and it blocks something Jamf is doing, but any good security tool needs to be adjusted to move out of the way sometimes.

Pioneer
New Contributor III

We are restricting running apps from anywhere but the /Applications folder (the default location for apps to be installed), restricting Terminal, Script Editor, etc., making users Standard (no installation privilege), and either installing all required software in advance or giving them the option to install approved apps from Self Service - works pretty well for our institutionally owned devices.
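A compliance check for the setup in the post above, as an added example that is not from the thread, from Jamf or from any vendor: a POSIX shell script that can serve as a Jamf Extension Attribute body and reports running executables that live outside the approved locations or whose name matches a blocked title. The approved prefixes and the blocked names (Terminal, Script Editor) are assumptions to adapt to your own policy.

```shell
#!/bin/sh
# Added example: audit running processes against an "/Applications only"
# restriction. Everything below is an assumption, not a Jamf feature.

# Directory prefixes where executables are allowed to run from (assumed set).
APPROVED_PREFIXES="/Applications/ /System/ /usr/ /bin/ /sbin/ /Library/Apple/"

# is_approved_path PATH -> exit 0 if PATH begins with an approved prefix
is_approved_path() {
    for p in $APPROVED_PREFIXES; do
        case "$1" in
            "$p"*) return 0 ;;
        esac
    done
    return 1
}

# is_blocked_name NAME -> exit 0 if NAME is a title the policy blocks outright
# (assumed list, matching the post: Terminal and Script Editor)
is_blocked_name() {
    case "$1" in
        Terminal|"Script Editor") return 0 ;;
    esac
    return 1
}

# flag_unapproved: read one executable path per line on stdin and print each
# finding as "REASON<TAB>PATH". Approved, unblocked paths print nothing.
flag_unapproved() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        name=${path##*/}                      # executable name inside the bundle
        if is_blocked_name "$name"; then
            printf 'BLOCKED_TITLE\t%s\n' "$path"
        elif ! is_approved_path "$path"; then
            printf 'OUTSIDE_APPROVED\t%s\n' "$path"
        fi
    done
}

# audit_running: on macOS `ps -o comm=` yields full executable paths, so feed
# the unique set through flag_unapproved and wrap the result for Jamf.
audit_running() {
    findings=$(ps -axo comm= | sort -u | flag_unapproved)
    if [ -n "$findings" ]; then
        printf '<result>%s</result>\n' "$findings"; return 1
    fi
    printf '<result>OK</result>\n'; return 0
}

if [ "${1:-}" = "--run" ]; then audit_running; fi
```

Invoke the script with `--run` to audit the current machine; the Extension Attribute value is then either `OK` or the tab-separated findings, which a smart group can key on.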