Best way to prevent users from downloading software from Chrome/Safari

acamare10
New Contributor III

Hello, 

What would be the best way to prevent users from downloading software/applications from the internet? We have the App Store blocked in the Restricted Software section, but I am worried they can download some software/apps from Chrome or Safari with DMG files.

What would be the best practice to prevent this?

Thanks 

2 ACCEPTED SOLUTIONS

foobarfoo
Contributor

There may be a method to achieve this, but IMO you're trying to fulfill a use case with devices and OS that are ultimately not designed for this purpose. With that said, you are searching for something similar to kiosk mode if macOS is a required component. I can't help you much more there.

With that said, a more suitable platform for this kind of use case would be either Chromebooks or Windows with forced S mode. Or iOS/iPadOS devices. These are all built to only allow running authorized code and don't allow executing arbitrary code even in the user space.


AJPinto
Honored Contributor II

This is very much a security task, not a device management task. The "Best Practice" would be to onboard security tools to cover this need.

  • Network security tools like Netskope or Zscaler for SSL inspection and redirection to block access to sites where users would usually download things
  • DLP controls and firewall rules to block file downloads, like blocking anything with a .dmg, .pkg or .app file extension (exempt Jamf's distribution point and internal network shares)
  • App/permissions control configured with a tool like EPM to prevent users from launching anything that somehow made it to the device if it's not approved.

From the JAMF Pro side you have the ability to blacklist apps and services using "Restricted Software". This would force quit the app once the service is detected. This is a very high maintenance and reactive way of doing things, but it's possible. JAMF Pro cannot block file downloads.

 

Get the right tools for the job, or have a bad time.

 

 

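The extension rule from the second bullet of the reply above, sketched as an added example (not part of the original post and not the configuration of any named product). The exempt host names are constructed placeholders, and the check also reads the `Content-Disposition` filename because a download URL does not always carry the extension.

```python
from email.message import Message
from pathlib import PurePosixPath
from urllib.parse import unquote, urlsplit

# Extensions named in the reply above.
BLOCKED_EXTENSIONS = {".dmg", ".pkg", ".app"}
# Constructed placeholders for the Jamf distribution point and an internal share.
EXEMPT_HOSTS = {"jamf-dp.corp.example", "fileshare.corp.example"}


def _extension(name):
    """Lower-cased final extension of a URL path or file name."""
    cleaned = unquote(name).strip().rstrip("/")
    return PurePosixPath(cleaned).suffix.lower()


def _disposition_filename(header):
    """File name the server proposes in Content-Disposition, or ''."""
    if not header:
        return ""
    msg = Message()
    msg["Content-Disposition"] = header
    return msg.get_filename() or ""


def download_decision(url, content_disposition=None):
    """Return 'block' or 'allow' for one download response."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Exact host match only, so a look-alike host is not treated as exempt.
    if host in EXEMPT_HOSTS:
        return "allow"
    # urlsplit keeps the query string out of .path, so "?token=..." cannot
    # hide the extension; the header covers URLs that carry no file name.
    candidates = [parts.path, _disposition_filename(content_disposition)]
    if any(_extension(c) in BLOCKED_EXTENSIONS for c in candidates):
        return "block"
    return "allow"


if __name__ == "__main__":
    # Constructed sample requests.
    print(download_decision("https://downloads.example.net/tools/Editor.DMG?token=abc"))
    print(download_decision("https://jamf-dp.corp.example/Packages/Agent.pkg"))
    print(download_decision("https://downloads.example.net/get?id=42",
                            'attachment; filename="Installer.pkg"'))
```

A name-based rule only sees names, so the launch control described in the third bullet remains the backstop for anything that arrives under a different name.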
