Prevent uninstallation of app from macbook

Vinyboy
New Contributor III

Hello,

May I know if we have a way to prevent admin users to uninstall an app from Macbook

Any lead:- Configuration profile from Jamf

Thank you.

 

 

7 REPLIES 7

Ismere
Contributor

Hello,
as far as i can think of, there is no way to stop Adminusers from uninstalling Apps. However you can create a sort ofSelf-Repairing Policy for the App.
For this you need to create a Smart Group that checks if the App is installed.
The Installation Policy of that App then is Set to ongoing and excludes the Smart Group of Computers that have this App installed.
This heavily depends on  how often you are collecting a new Inventory for this Device.

Vinyboy
New Contributor III

Don't we have a way that we can put a kind of Lock mode for an app from Jamf Configure profile.
And when any user try to uninstall, shows restricted/unauthorized. 


Ismere
Contributor

Well there is a key to disallow uninstallation of apps. Even According to Apple:https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf#34
but that is an all or nothing option. You sadly can not stop a User from uninstalling specific App.
I assumed from your text that you wanted to prevent the uninstallation for specific Apps. Which is why i said it is not possible and wrote down the option of using smart groups.

But if you want to disallow uninstallation of all Apps for Users you can try the Configuration Profil

AJPinto
Esteemed Contributor

Without doing drastic measures like flagging the file as immutable there is not much you can do aside of removing admin access.

 

If the app in question is mission critical I would recommend making a smart group to read if the app is installed. Then scope that group to a policy to install the app. If a user removes the App it will reinstall at next check in.

Vinyboy
New Contributor III

I understood this is the way major people suggested. However, I was looking if we can get a way from Jamf Configure we can deploy a payload and that will either restrict the app from uninstallation or ask for a password. :(

 

AJPinto
Esteemed Contributor

What you are wanting is something called privilege management, and this is not within Apples MDM workflows that JAMF uses. There are 3rd party tools you can get to do exactly what you are wanting though.

 

CyberArk Endpoint Privilege Manager for macOS

 

How configuration profiles work, is they basically set a value to a key pair. The key pair needs to already exist for a configuration profile to utilize it, JAMF cannot "magic" a key pair in to existence. Key pairs come in to existence usually one of two ways.

  • Apple creates a management domain for the function in the MDM framework, like with com.apple.applicationaccess.plist. You can use any key pair that plist respects to manage a function of macOS, and all applications must respect what this configuration is telling them to do.
  • Application vendor creates a management domain, like with com.google.chrome.plist. From where you can use any key pair that the vendor has added to the application. You usually need to locate vendor documentation to see what is possible. It is possible a vendor adds a tamper protect to prevent the uninstall, but it is entirely up to the vendor to do this.

 

Not that I recommend this in the slightest, but you can flag a file as immutable. A user can remove the flag if they knew it was there with sudo access, and you need to remove the flag before you could update or do anything to the application but it is an option.

How to Use File Flags to Modify File Behavior in macOS - Make Tech Easier

You also have a solution from beyondtrust that could achieve this!

https://www.beyondtrust.com