Skip to main content

It seems like using Jamf Protect's Custom Prevention Lists feature is a better way to block/restrict applications than Jamf Pro's 'restricted processes'.

Restricted Processes only goes off of the name, which could be changed to evade the blocks in place.

But with Custom Prevention Lists, you can choose Team ID or bundle/signing ID which is more effective.

The problem is, in my initial testing, it's only blocking 1 of 3 apps. I've tried both Team ID's and Bundle ID's with the same behavior. All three apps download as .dmg's with .app's inside of them.

I'm using codesign -dv /Path/To/.app to get Team and Bundle ID's.

ProtonVPN.app works as expected. I get a 'ProtonVPN Has Been Blocked' Jamf Protect message.

However, mirroring the same exact steps, neither Epic Games Launcher.app or Steam.app get blocked. They're both launching just fine still.

Again I've tried Team ID's and Bundle ID's with the same behavior.

I've ran a sudo protectctl checkin, still same behavior.

Because it is working for one app, but not the others, when all three are setup the same way, I'm not sure what I'm doing wrong. I've recreated the behavior on multiple computers.

There are certain, common apps I'm trying to block by either Team or Bundle ID's. 

I know about Google's Santa app but that looks like a lot more setup compared to this.

I also just tested adding Jamf's 'Sample App.app' by TeamIdentifier - CLQKFNPCCP - and it still opens. So 1/4 apps that are currently added by Team ID, are actually being blocked.

 

Ultimately I'm trying to understand why some apps are getting blocked, but not others.

Hey @whiteb 

I can confirm all of the mentioned apps should be blocked by Threat Prevention if you have added the TeamIDs to one of your Custom Prevent Lists. Tested the mentioned app on a Ventura and Sonoma endpoint.

After adding the TeamIDs make sure that



  • The updated Plan Hash is equelly to the plan hash on the endpoint (run sudo protectctl info -v to verify)

  • The TeamIDs are entered correctly in the Custom Prevent Lists


I am also facing the same issue apps are not getting restricted from jamf protect.

i can see the output of the command custom prevention list 

Custom Prevention  | Blocking    | 1      |

Hey @whiteb 

I can confirm all of the mentioned apps should be blocked by Threat Prevention if you have added the TeamIDs to one of your Custom Prevent Lists. Tested the mentioned app on a Ventura and Sonoma endpoint.

After adding the TeamIDs make sure that



  • The updated Plan Hash is equelly to the plan hash on the endpoint (run sudo protectctl info -v to verify)

  • The TeamIDs are entered correctly in the Custom Prevent Lists



I am also facing the same issue apps are not getting restricted from jamf protect.

i can see the output of the command custom prevention list 

Custom Prevention   Blocking    1     

Hey @whiteb 

I can confirm all of the mentioned apps should be blocked by Threat Prevention if you have added the TeamIDs to one of your Custom Prevent Lists. Tested the mentioned app on a Ventura and Sonoma endpoint.

After adding the TeamIDs make sure that



  • The updated Plan Hash is equelly to the plan hash on the endpoint (run sudo protectctl info -v to verify)

  • The TeamIDs are entered correctly in the Custom Prevent Lists



Hello,

I appreciate you digging into this and assisting. I've been meaning to respond, just been busy.

It turns out I have everything set up correctly, it's just things aren't propagating out to devices as I would expect. Every app in my OP did in fact get blocked, it just took an extra few days for some compared to others.

For example, I add one Team ID, and it gets blocked within a couple minutes. I add a couple other Team ID's, and it can sometimes take days for it to actually go into effect and be blocked on computers.

I've requested the test computers to check-in through the Protect GUI, I've tried doing a protectctl checkin from terminal hoping that would force it to see there are new entries to the Custom Prevention List, but I'm still able to launch the apps just fine. I check back a few days later, and they're blocked.

I'm mostly testing on my computer which is on Somoma. But seems to happen on a Ventura test computer as well.

Is there a command I'm missing that I can speed up the process of Protect seeing that there are new entries to the Prevention List?

Again, ProtonVPN was getting blocked within a few minutes of adding to console. But the others took days.

So technically everything is working, but I'd like to reliably force an update to confirm a newly added entry to my Custom Prevention Lists is working on a test computer instead of waiting a few days (or longer) and checking back in to see if it's blocked yet. Neither of the two ways I'm forcing Protect check-ins appear to be doing that.

Thanks!

Reply


Terms & ConditionsCookie settings