Using chmod to disable access to the mail.app

gerald_fernando
New Contributor

Hi all

Whats the best way to go about restricting access to the mail client, we have over 2000 users, all managed by casper, because of the nature of the business mail is off limits and needs to be locked down, I was looking at a script, i am bit of a novice at this any help appreciated

!#/bin/bash
do shell script "chmod 000 Applications/Mail.app"

end 0

Thanks

7 REPLIES 7

antonio_ong1
New Contributor

How about something easier:

Just add an entry under "Restricted Software", kill the process and post a message that they can't use Mail...

sean
Valued Contributor

If you are running 10.11, you can't due to SIP, it is in the restricted list.

drwxr-xr-x@  3 root        wheel  restricted 102 17 Feb 16:18 Mail.app

Otherwise, since it is owned by root:

chmod -R 700 /Applications/Mail.app

mm2270
Legendary Contributor III

Like @antonio.ong mentioned, use the tools at your disposal. Casper already has Restricted Software, which can shut down the application as soon as its launched, and optionally show a message explaining why, which is far better than changing permissions on it (if even possible to do at all - see @sean's post above about 10.11 and SIP) and the user's not understanding why it won't launch. Unless you like getting support calls about Mail.app being broken.

I would also consider locking down the "Internet Accounts" Preference Pane using a Configuration Profile, so users aren't tempted to try to add a mail account there first, then try launching Mail only to find they can't use it.

sean
Valued Contributor

Yeah, for anything we did this on, we also set a hidden flag on the file so to users it just didn't exist, but again SIP will deny that.

Jappleseed19191
New Contributor

Tried just deleting the mail.app or blocking connections with a proxy?

Look
Valued Contributor III

Not useful for existing machines, but if you are netbooting to image you can probably modify it from within the netboot during the imaging process.
Apple really does annoy me with their protection of a bunch of apps people don't neccesarily need to use that aren't part of the OS! At the very least let people hide them in some manner.

gerald_fernando
New Contributor

Thanks guys, thanks for all your advice

I did try the restrict software option but it never worked for me, couldn't figure out why. But the script from Sean worked.

Going forward, it would be very helpful if there is a way to disable Mac mail entirely from the builds, something i need to look into....