Whitelist best practice

kschlatter
New Contributor

Our Associates that are not local admins should not be able to install software. Currently they get around this by installing to their desktop and running from there. We would like to use parental controls to restrict that, which works well, but we keep running into programs that we want to run that are having trouble. I feel like our initial whitelist is a bit restrictive, but I don't know the best locations to open up, yet still keep the policy effective. Here is our current whitelist:

<array>
<string>/Applications/</string>
<string>/Library/Application Support/</string>
<string>/Library/PreferencePanes/</string>
<string>/Applications/Symantec Solutions/</string>
<string>~/Library/LaunchAgents/</string>
</array>

Thanks in advance for any help you can provide!

7 REPLIES 7

acdesigntech
Contributor II

I would add /private and /usr, and /System

And depending if you have them: /Developer and /opt

kschlatter
New Contributor

Thanks for the quick response. Adding those in and off for more testing.

mm2270
Legendary Contributor III

I think generally speaking, locations that are not drag and drop accessible to the end users should be safe to add in, provided you need to. So, any place where they can't drag an application bundle to to launch the app later.
Its been a while since I've used the whitelist and blacklist functions, so my memory is fuzzy with it, but I think it works recursively, so adding in /Applications/ should take care of anything in that path, even several subfolders deep. Same for other locations. However, the blacklist will override anything in whitelist, so,for example, if you wanted to allow Utilities, but specify a folder within it, say, "Adobe Installers" (if you have that) just add that in to your blacklist and it should take effect.

I actually don't know that you have to add in the ~/Library/LaunchAgents folder. Launchd files should not be treated as apps AFAIK, though I could be wrong about that. Reason I mention it is, since that is in the Users home folder, they could actually drag applications into that and have them work. While its unlikely someone would discover that, I never underestimate the craftiness of end users :)

mzago
New Contributor III

Every once in a while you'll discover apps that install into the user space in non-standard locations. For example, I've noticed that WebEx components (Meeting Center, Training Center, and Network Recording Player) create their folders, after their web plug-ins start for the first time, inside ~/Library/Application Support/WebEx Folder which have the .app. You'll be constantly playing whack-a-mole until you figure out all the non-standard .app locations in your environment. Your list is a good start though.

kschlatter
New Contributor

So far so good. I think the setup we have isn't airtight, but we are really just trying to block the obvious. Most of our people that can come up with the more creative workarounds already have local admin access so this is not applying to them. The only popups we are seeing are some auto-updates that try to launch (font explorer, chrome). For those We are looking at killing the auto-update rather than white-listing the location. Then, we'll start managing the updates through Casper. Thanks!

fabian_ulmrich
Contributor
Contributor

Don't know if anyone is still reading here, but a good solution for me if it comes to User Libraries for example the WebEx stuff, I symlink it via `ln -s` command to a folder where the managed user is allowed to run applications from.

jrserapio
Contributor

Just adding my 2 cents. We are in the same boat, trying to restrict users from running applications from their users space. Unfortunately this can get crazy hectic in trying to keep up with different programs and their off the wall stuff. One crazy example is Chrome and its auto updater. Im trying to get this restriction lifted. Too bad you cannot blacklist alone. It would be nice just to blacklist the Users directory and the subfolders, without needing to specify 15+ locations to whitelist. Trying to control developers is kind of difficult ><

Here is what I had so far.
<array> <string>/Applications/</string> <string>/Library/</string> <string>/System/</string> <string>/bin/</string> <string>/usr/bin/</string> <string>/Applications/Utilities/</string> <string>/Applications/Developer/</string> <string>/Library/Printers/</string> <string>~/Library/Application Support/</string> <string>/Library/Application Support/</string> <string>/Library/Google/GoogleSoftwareUpdate/</string> <string>~/Library/Google/</string> <string>/private/temp/</string> <string>/etc/</string> <string>/Library/Preferences/SystemConfiguration/</string> <string>/Library/Tomcat/</string> <string>~/Library/Application Support/WebEx Folder/1324/</string>
<string>/System/Library/Frameworks/JavaVM.framework/Versions/</string> <string>/Library/Printers/Canon/UFR2/Utilities/UFR IIBackGrounder.app/Contents/MacOS/UFR II Backgrounder</string> <string>/usr/local/bin/</string> <string>/usr/local/lib/</string> <string>~/.rvm/</string> <string>/usr/local/apache-tomcat-7.0.39/</string> <string>/usr/local/mysql-5.6.10-osx10.7-x86_64/</string> <string>/opt/local/bin/</string> <string>~/Library/Developer/</string> <string>~/Library/Application Support/iPhone Simulator/6.1/Applications/</string>
</array>