Posted on 04-25-2020 07:44 PM
Is there a way to whitelist some applications so that standard users can install them without requiring admin rights
Posted on 04-26-2020 12:34 AM
I'm a little unsure of what you mean. By default, Jamf installs programs as administrator. If the app is in Self Service or it is part of a policy, it will install as admin.
Outside of Jamf, some programs that do not require administrator processes to run can be installed in the User's local Applications Folder (ex. ~/Applications/Zoom.app)
Posted on 04-27-2020 07:56 AM
Following - I am not a big fan of taking away admin rights in a UNIX environment, but for those companies that are sticklers on the policy this would be super handy for developers using a Mac W/O ADM rights.
Posted on 04-29-2020 09:09 AM
what i mean is, I have a few standard users who want to install apps like for example Zoom. is there a way I can whitelist Zoom so they can download the zoom pkg file from zoom's website and install it without requiring admin rights? I know I can package zoom using the composer and add it to to the self-service. but I was thinking that just as we can blacklist and prevent certain apps from running on the mac under software restrictions, maybe we can also whitelist an enable users to install certain apps on their own.
Posted on 05-29-2020 11:34 AM
just added feature request you may be interested in if you are trying to whitelist apps.
Posted on 05-29-2020 08:02 PM
@dtekum Beyond Trust sells a product named Privilege Management (it was originally known as Avecto Defendpoint) that, among other privilege related things, will allow you to give non-admin users the ability to install .pkg files from known vendors without being prompted for admin credentials. They also have a mechanism for accommodating drag and drop installers. Be aware that it currently has a major conflict with macOS Catalina 10.15.5. Apple has hardened the sudo
tool with this release, and it will fail to run due to the plugin that Privilege Management installs. No word yet when Beyond Trust is going to release a workaround for that.
Posted on 05-30-2020 10:21 AM
@sdagley wrote:
Apple has hardened the sudo tool with this release
Interesting! Where did you find that nugget? It doesn't show in the Release Notes.
Reading through this thread, guessing if a vendor decided to make their application installable by a non-admin user, their installer would be designed for the user to be able to install into ~/Applications
.
Its a shame that companies like Beyond Trust aren't jumping on Apple's Beta program, to ensure their product is sustainable (able to support these patch releases). Would love to be able to recommend them, but would only do so if they keep up.
Posted on 05-30-2020 10:21 AM
@CasperSally upvoted!
Posted on 05-30-2020 10:24 AM
(nm)
Posted on 05-30-2020 01:31 PM
@donmontalvo The info on sudo hardening came from Beyond Trust support. When we contacted them after running into the problem they reported their dev team did discover the issue during the 10.15.5 AppleSeed period, and opened a ticket with Apple apparently expecting it would change prior to release. Oh to be optimistic.
EDIT: There is a #beyondtrust-priv-man Mac Admins Slack channel, and when asked about a non-kext version the engineer from Beyond Trust who monitors that channel reported their Dev branch has a System Extension running, but no ETA on when that's going to land. I take that as a positive sign they want to be ready for whatever is going to follow macOS Catalina .