So allowing DMG to be installed only through mount disk images using Terminal is totally acceptable for us. We are mainly concerned about non-technical users (marketing, sales, for example) because they are more likely to install malicious software. For example, if the user has already installed package manager for Python, he will be able to install any new python package without asking for permission. But after ISO 27001 certification, one of the minor disconformities was the Watsapp application on the employee's laptop, and MDM was suggested as a solution.Īt this moment, what we have in the plan is to leave admin rights as it is, and just to prevent future installations. Programmers on start are given rights to install whatever they need because there could be differentiates based on role (frontend, backend, python, java, AWS DevOps, and so on). The majority of our laptops are for developing software because we are a SaaS business platform. I definitely confused the term ownership with usage. Wow! A lot of useful answers! Did not expect this much! Thank you guys A LOT for your time trying to help me! I really appreciate it SO MUCH!Īs I can conclude, I misunderstood the term BYOD. I assumed that, if the company bought Macs and gave them to the employees to set it up with admin rights, it is BYOD. It's Disk Image Mounter (DiskImageMounter), not Disk Image Helper as I stated incorrectly before. Just fair warning that this option isn't the easiest to set up and use, and you may need to field a decent amount of complaints of apps that won't work correctly until you add in extra whitelisting paths for example.Įdit: Correction on the above. So even if they manage to download an app and copy it to their desktop, they won't be able to launch it. But it will allow you to say that only applications in /System/, /Applications/, and /Library/Application\ Support/ for example, can launch, but other locations are blocked. This is a more complex option to use, and often entails a lot of trial and error, and sometimes continuous tweaking, to get it working satisfactorily. Second option is, you can go down the path of using Application folder whitelisting and blacklisting in a Config Profile under the Restrictions payload. That being said, anyone with enough general knowledge can figure out how to mount disk images using Terminal, so it's more of a deterrent than a bullet proof block. If you block it, they won't be able to open the DMGs. This prevents casual double clicking of disk images and mounting them, since when you do this in the Finder it launches the Disk Image Helper app. First, you can add the disk image helper application to the Restricted Software list. If you have to control that, you can do a couple of other things. You'll still need to deal with apps that distribute on a DMG, because most times those can be copied to the user's Desktop and launched without issue. Without local admin rights, all installers using a pkg format will be off limits. Making them standard accounts won't 100% solve the issue, but it will make a serious dent in it. There is a maxim in this industry - as soon as users have admin rights, all bets are off on what you can control. Maybe a silly question, but if your org needs to control these Macs to that degree, why are the users local admins? You should be revoking their admin rights, or just not making them admins from the get-go.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |