Which method do you use to control which file/folder locations applications can be run from?


Hi fellow Mac admins.

I am facing a paradox/quandry/call it what you will.

On the one hand I manage student labs where the students have to run Xcode which requires building and running applications from within their /Users folder.

On the other hand I don't want open season on running applications from within the /Users folder as that means any application downloaded from the net can be run (including signed applications to negate the benefits of Gatekeeper in this instance).

Controlling application access using configuration profiles is difficult. I can make the entire /Users folder off limits which breaks Xcode. I cannot specify that the Xcode folder within /Users can be made to run applications if I have already ruled out the /Users folder. It doesn't work that way. I have already had to specify that applications can be run from "/" otherwise all kinds of stuff goes wrong (the Finder, the Dock, nothing too important!)

Also any area I make available to run Xcode applications needs to be writeable by the user so they could just copy files to that location anyway if they are savvy enough.

So... am I trying to come up with a solution for an impossible problem? Sounds like a Doctor Who episode..