Whitelist applications

dtekum
New Contributor III

Is there a way to whitelist some applications so that standard users can install them without requiring admin rights

9 REPLIES 9

shaquir
Contributor III

I'm a little unsure of what you mean. By default, Jamf installs programs as administrator. If the app is in Self Service or it is part of a policy, it will install as admin.

Outside of Jamf, some programs that do not require administrator processes to run can be installed in the User's local Applications Folder (ex. ~/Applications/Zoom.app)

jared_f
Valued Contributor

Following - I am not a big fan of taking away admin rights in a UNIX environment, but for those companies that are sticklers on the policy this would be super handy for developers using a Mac W/O ADM rights.

dtekum
New Contributor III

what i mean is, I have a few standard users who want to install apps like for example Zoom. is there a way I can whitelist Zoom so they can download the zoom pkg file from zoom's website and install it without requiring admin rights? I know I can package zoom using the composer and add it to to the self-service. but I was thinking that just as we can blacklist and prevent certain apps from running on the mac under software restrictions, maybe we can also whitelist an enable users to install certain apps on their own.

CasperSally
Valued Contributor II

just added feature request you may be interested in if you are trying to whitelist apps.

https://www.jamf.com/jamf-nation/feature-requests/9449/add-ability-to-whitelist-apps-by-bundleid-in-...

sdagley
Esteemed Contributor II

@dtekum Beyond Trust sells a product named Privilege Management (it was originally known as Avecto Defendpoint) that, among other privilege related things, will allow you to give non-admin users the ability to install .pkg files from known vendors without being prompted for admin credentials. They also have a mechanism for accommodating drag and drop installers. Be aware that it currently has a major conflict with macOS Catalina 10.15.5. Apple has hardened the sudo tool with this release, and it will fail to run due to the plugin that Privilege Management installs. No word yet when Beyond Trust is going to release a workaround for that.

donmontalvo
Esteemed Contributor III

@sdagley wrote:

Apple has hardened the sudo tool with this release

Interesting! Where did you find that nugget? It doesn't show in the Release Notes.

Reading through this thread, guessing if a vendor decided to make their application installable by a non-admin user, their installer would be designed for the user to be able to install into ~/Applications.

Its a shame that companies like Beyond Trust aren't jumping on Apple's Beta program, to ensure their product is sustainable (able to support these patch releases). Would love to be able to recommend them, but would only do so if they keep up.

--
https://donmontalvo.com

donmontalvo
Esteemed Contributor III

@CasperSally upvoted!

--
https://donmontalvo.com

donmontalvo
Esteemed Contributor III

(nm)

--
https://donmontalvo.com

sdagley
Esteemed Contributor II

@donmontalvo The info on sudo hardening came from Beyond Trust support. When we contacted them after running into the problem they reported their dev team did discover the issue during the 10.15.5 AppleSeed period, and opened a ticket with Apple apparently expecting it would change prior to release. Oh to be optimistic.

EDIT: There is a #beyondtrust-priv-man Mac Admins Slack channel, and when asked about a non-kext version the engineer from Beyond Trust who monitors that channel reported their Dev branch has a System Extension running, but no ETA on when that's going to land. I take that as a positive sign they want to be ready for whatever is going to follow macOS Catalina .