How do I restrict Which Apps Are Allowed To Launch successfully?

I'm trying to lock down the computer, and I'd like to disable applications from launching on external media, network drives & users' local home folders. I'm applying the MCX for com.apple.applicationaccess.new on a fresh test account. If, for instance, I add /Applications/ to the pathWhiteList-Raw array, I'd expect all the applications in /Applications/ to work. But I've found that applications in sub folders of /Applications/ do not open.


For instance iTunes will open, but iTunesHelper will not launch. iTunes helper is located in /Applications/iTunes/Contents/Resources/iTunesHelper (technically I guess it's /Applications/iTunes/Contents/Resources/iTunesHelper/Contents/MacOS/iTunesHelper.exe)


I've tried a couple of things, for instance /Applications/*. I still have the same issue.

xserve, Mac OS X (10.6.7)

Posted on Apr 27, 2011 7:10 PM


Apr 27, 2011 8:28 PM in response to TeenTitan

You'll need to specify specifically which apps you want to allow by using WGM's Application preference. Doing so ensures that the apps you specify will work properly.


Here's how.

Open up WGM. Select the User or Group you want to apply the changes to.

Click the preferences button at the top of the window.

Click the Applications button. (top left)

Make sure the Applications tab is selected.

Click the 'always' button

Put a check mark in the "Restrict which applications are allowed to launch" box.

Click the plus button on the right side and select the Apps you want users to have access to.

Keep adding until you're satisfied. If your users are currently logged in, they'll need to log out and back in for the changes to take effect.

Apr 27, 2011 11:33 PM in response to gracoat

hi gracoat,


Should I be able to specify a folder, and have all applications in that folder, and any of its sub folders, be launchable?


I have 1155 applications. Specifying each application separately would create a huge MCX record on the OD. Not to mention it would take a huge amount of time to create, and re-transmit the MCX record.

Adding the app specifically doesn't prevent them from dressing up another app to look like an authorized application. And it does not prevent the user from running applications from external media.

If the application is signed, I understand it's harder to fake the application. But if I sign an application, and then I update the application, the signing can break. Or if I sign an application, that may break the application's ability to update itself. (CS5)

With about 288 applications being updated per month, that's a lot of change.


It would be easier to add each folder. The list of folders would be much smaller. 225 applications work by just adding /Applications/. If /Applications/ covered its sub folders, then it would be closer to 500 applications. There are also some folders that change per computer. For instance, print drivers like to throw applications into /Library/Printers/. Having to add each printer app manually would be a huge Easter egg hunt.

Apr 28, 2011 9:25 PM in response to TeenTitan

Hmm... I see what you're saying. You need to set your script to look recursively at the folders. Almost like a -R modifier. ...maybe post your com.apple.applicationaccess.new file you spoke of in your original post.


Though, I'm not sure there's a way to do what you want.


The level of control that you're looking for is attainable, but I think it's headed towards unreasonable. Or it's at the limit of what's possible. As they say, complex systems become more unstable as they become more complex.


The school that I work at, for instance, has a content filter on the internet connection. It's pretty good, but occasionally we'll have that student that just HAS to get on facebook. I've spoken with the board and the principal and all the powers that be about solutions to the problem. One of them even suggested that we make a list of sites that are acceptable!


When all along, the real problem is the students. We have to teach our students to be responsible with the internet. It's a bit different I'm sure, when working with adults, but if your employees can't be trusted to work instead of wasting time doing their own thing on the computer, then....... You know where this is going.


If you have a basic set of apps that your users need to be using while at work - ie MS Office, Creative Suite, and the basic default apps that come with os x, then that's easy. When a user can't open a program, I think OS X asks for a password to allow it. ...if it doesn't then it's easy enough to take note of which app it is, and add it to the MCX record. (oh yeah..... I tried the printer apps... they seem to open unobstructed even if they're not in the WGM Allow app list)


This may not be reasonable if you have thousands of employees, but it's a simple solution. Weigh your time hunting down apps versus how long you've been looking for this solution.


Hope this helps!

Apr 30, 2011 1:49 AM in response to gracoat

Well, since whitelisting folders is not as simple as I'd expected it to be, I've started working on scripting a solution.


My plan is this:

1) create a list of all .app on the computer.

2) convert the list of applications into a list of folders

3) remove duplicates from list

4) input the list into the OD



1) "find / -name *.app" will give me a list of application paths. IE:

/path/to/file/application.app

/path/to/file/anotherProgram.app

/path/to/folder/program.app


2) I'm hoping I can use something like grep to convert the list into paths. IE:

/path/to/file/

/path/to/file/

/path/to/folder/


3) I'm not sure what command might work well for removing duplicates; worst case scenario I can use Excel. IE:

/path/to/file/

/path/to/folder/


4) To input the list into the OD, I'll probably just use keyboard / mouse emulation.


Blocking and adding by path should be more flexible than adding by specific applications. Which should give me some of the flexibility you're talking about.


Trusting users sounds great, but just the other day I had a user resetting firmware passwords, and using the terminal to hack into things. Kicking kids out of lab computers fails miserably. As soon as I leave they're playing games again.
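Steps 1 to 3 of the plan above (list every .app, reduce each path to its parent folder, drop duplicates) can be done with a short shell pipeline. The script below is an added example written for this thread, not code posted by any participant. It assumes only `find`, `sed` and `sort`, and it builds a constructed sample directory tree under a temporary directory instead of scanning a real disk; step 4 (loading the result into the OD record) is not covered. Nested helper bundles, such as the iTunesHelper case from the first post, are found inside their parent bundle, so their containing folder ends up on the list as well.

```shell
#!/bin/sh
# Added example, not from the thread: produce a de-duplicated list of the
# folders that directly contain a .app bundle, suitable as input for a
# path-based whitelist. Step 4 of the poster's plan (writing into OD) is
# deliberately left out.

# app_parent_dirs ROOT
#   Prints one line per distinct folder containing a .app bundle under ROOT,
#   with a trailing slash, in a locale-independent sorted order.
#   - find lists every directory named *.app (nested helper bundles included,
#     since they live inside another bundle's Contents/ tree)
#   - sed strips the last path component, leaving the parent folder plus "/"
#   - sort -u removes duplicates (several apps in one folder collapse to one line)
app_parent_dirs() {
    find "$1" -type d -name '*.app' -print 2>/dev/null \
        | sed 's|/[^/]*$|/|' \
        | LC_ALL=C sort -u
}

# make_sample_tree
#   Builds a constructed stand-in for a real disk in a fresh temp directory and
#   prints its path. The layout mirrors the cases discussed in the thread:
#   a top-level app, an app in a sub folder, a helper bundle nested inside
#   another bundle, and a printer utility under /Library/Printers.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/Applications/Safari.app/Contents/MacOS"
    mkdir -p "$root/Applications/Utilities/Terminal.app/Contents/MacOS"
    mkdir -p "$root/Applications/iTunes.app/Contents/Resources/iTunesHelper.app/Contents/MacOS"
    mkdir -p "$root/Library/Printers/Acme/PrinterUtility.app/Contents/MacOS"
    printf '%s\n' "$root"
}

# Stand-alone usage: scan the constructed tree and print the folder list
# relative to the temp root so the output reads like a real path list.
if [ "${APP_DIRS_DEMO:-1}" = "1" ]; then
    demo_root=$(make_sample_tree)
    app_parent_dirs "$demo_root" | sed "s|^$demo_root||"
    rm -rf "$demo_root"
fi
```

Run it as `sh app_dirs.sh` to see the four folders from the constructed tree; on a real machine, replace the sample root with `/` (the `2>/dev/null` hides the permission errors `find` emits for unreadable directories). Because only folders are listed, anything a user copies into one of those folders later is also allowed, which is the trade-off the thread discusses between path-based and per-application rules.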


