Help

Blocking portable .app applications located under the /Users/ path**

Go to solution
foreverkan
New Contributor III

3 weeks ago

Our users are downloading applications from the internet to their Desktop or Downloads folders and are able to run them from there. How can I block them from executing these applications?

0 Kudos
Reply
1 ACCEPTED SOLUTION

Go to solution
PaulHazelden
Valued Contributor

3 weeks ago

In the Restrictions payload in Configuration Profiles. go to the Applications section. At the bottom is a Restrict which apps are allowed to Launch.
It will give you 3 options
Allow Apps
Allow Folders
Disallow Folders
You should be able to put something like /Users/ in the disallow folders, and no Apps will be able to run from the Users folders.
However!
Users have a ~/Applications folder, that some Apps dump themselves in.
Some other Apps install in /Users/Shared
You can make explicit exceptions by adding the allowed apps in there to the Allow Apps list.

But. Test it and Test it and Test it again. If you block the wrong things you might end up needing to erase the test Mac.

View solution in original post

Reply
3 REPLIES 3

Go to solution
PaulHazelden
Valued Contributor

3 weeks ago

In the Restrictions payload in Configuration Profiles. go to the Applications section. At the bottom is a Restrict which apps are allowed to Launch.
It will give you 3 options
Allow Apps
Allow Folders
Disallow Folders
You should be able to put something like /Users/ in the disallow folders, and no Apps will be able to run from the Users folders.
However!
Users have a ~/Applications folder, that some Apps dump themselves in.
Some other Apps install in /Users/Shared
You can make explicit exceptions by adding the allowed apps in there to the Allow Apps list.

But. Test it and Test it and Test it again. If you block the wrong things you might end up needing to erase the test Mac.

Reply

Go to solution
PaulHazelden
Valued Contributor
In response to PaulHazelden

3 weeks ago

One thing I forgot. Do not make a second Restrictions Profile just to add this in. It really is not reccommended to send out two versions of the same profile.
If you already have a Restrictions profile, you will be editing that and adding to it.

0 Kudos
Reply