But it will allow you to say that only applications in /System/, /Applications/, and /Library/Application\ Support/ for example, can launch, but other locations are blocked. This is a more complex option to use, and often entails a lot of trial and error, and sometimes continuous tweaking, to get it working satisfactorily. Second option is, you can go down the path of using Application folder whitelisting and blacklisting in a Config Profile under the Restrictions payload. That being said, anyone with enough general knowledge can figure out how to mount disk images using Terminal, so it's more of a deterrent than a bullet proof block. If you block it, they won't be able to open the DMGs. This prevents casual double clicking of disk images and mounting them, since when you do this in the Finder it launches the Disk Image Helper app. First, you can add the disk image helper application to the Restricted Software list. If you have to control that, you can do a couple of other things. You'll still need to deal with apps that distribute on a DMG, because most times those can be copied to the user's Desktop and launched without issue. Without local admin rights, all installers using a pkg format will be off limits. Making them standard accounts won't 100% solve the issue, but it will make a serious dent in it. There is a maxim in this industry - as soon as users have admin rights, all bets are off on what you can control. Maybe a silly question, but if your org needs to control these Macs to that degree, why are the users local admins? You should be revoking their admin rights, or just not making them admins from the get-go.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |