0

I will preface this, with the truth that I know little about Macs :-)

I am trying to work out a way to block application installations (or executions) on Macs. We have a subset of executive users (meaning they "need" root on the box) who have Macs. However, they are installing applications like Skype that break our Corporate Policies. Does anyone know of software to manage this? Preferably Open Source.

breadly
  • 4
    Enforce the corporate policies if/when they're caught? – Bart Silverstrim Apr 14 '11 at 12:32
  • 1
    With MCX policy you can create a whitelist policy of apps that ARE allowed to run. It's an option, but I'd just enforce the corporate policy – SpacemanSpiff Apr 14 '11 at 12:35
  • Well, prevention is worth an ounce cure. And oddly enough my CTO doesn't like me berating the CFO/CEO :-( – breadly Apr 14 '11 at 12:35
  • 1
    I've often found, that CxO types are usually immune to policy, unfortunately. – DanBig Apr 14 '11 at 12:36
  • Here's a funny way to solve this: create a small application in /Applications named Skype.app that displays an official looking dialog, telling the user that the use of Skype is prohibited. If they should overwrite the .app, you could easily replace it with your pseudo-skype.app on every login ;-) – Asmus Apr 14 '11 at 13:16
  • @Asmus, what an interesting idea. Not sure if it would fly, but nice thinking out of the box! – breadly Apr 14 '11 at 14:36

3 Answers

5

I really doubt this will be possible if the users have root access on their boxes, as they will easily be able to circumvent anything you put in their way.

Anyway, if you use OpenDirectory (i.e. a MacOS Server), you can easily limit (non-root) users to open only programs they are allowed to open. According to this blogpost, it should be possible even with the local directory, without a server.

A little bit of background: These user restrictions are handled by "User preferences", something like GPOs on Windows, and stored in the OpenDirectory and as MCX files on the local machine, which the blogpost tries to emulate without a server.

Sven
  • 2
    I would highly recommend getting a Mac Mini with OSX Server on it and joining the computers to the Open Directory domain. I found that it's a huge pain to manage local MCX files (so much so I gave up on it) across more than a few machines if you don't have an excellent software push program like RADMIND. I think the $1000 (or $2000 if you want redundancy) is a small price to pay for how much easier it makes your job. :-) – Scott Keck-Warren Apr 14 '11 at 13:26
1

My limited knowledge of OSX leads me to believe that this is probably not possible, but I would welcome somebody saying otherwise.

Unlike most *nix systems, many apps just sit as a blob and run in user space without files being put anywhere that needs lower level privileges.

Caleb
  • This is what I was worried about. I have the same thoughts. I am wondering if someone has put a wrapper around it or not. – breadly Apr 14 '11 at 12:22
0

Use false DNS entries. Make www.skype.com point to 127.0.0.1. Or make use of OpenDNS which will also do the same thing, but will send it to a generic "This page has been blocked because it is an X site" where X can be any of a number of categories, such as filesharing, proxy, etc.

Kevin M
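Added example, not part of any answer above: a shell check that a loopback entry such as the one suggested for www.skype.com is still in effect, which matters here because users with root can edit the file. It assumes the false entry lives in a hosts-format file such as /etc/hosts; `check_sinkhole`, `sample_hosts` and the example.com/example.net names are hypothetical, and the sample file is constructed.

```shell
#!/bin/sh
# check_sinkhole HOSTS_FILE NAME...
# Prints "<name> sinkholed", "<name> missing" or "<name> overridden <addr>"
# for each NAME and returns 1 if any NAME is not sinkholed.
check_sinkhole() {
    hosts_file=$1
    shift
    awk -v names="$*" '
        BEGIN { n = split(tolower(names), want, " ") }
        {
            sub(/#.*/, "")                 # drop comments
            if (NF < 2) next               # blank line or no hostname
            for (i = 2; i <= NF; i++) {    # a line may carry several aliases
                h = tolower($i)
                # Assumption: the first entry for a name is the one in effect.
                if (!(h in seen)) seen[h] = $1
            }
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                h = want[i]
                if (!(h in seen)) { print h, "missing"; bad = 1 }
                else if (seen[h] ~ /^127\./ || seen[h] == "::1") {
                    print h, "sinkholed"
                } else { print h, "overridden", seen[h]; bad = 1 }
            }
            exit bad
        }
    ' "$hosts_file"
}

# Constructed sample: one intact block, one entry that was repointed
# (192.0.2.10 is a documentation address), one block commented out.
sample_hosts() {
    cat <<'EOF'
127.0.0.1   localhost
127.0.0.1   www.skype.com skype.com    # policy block
192.0.2.10  www.blocked.example.com
# 127.0.0.1 gone.example.net
EOF
}

# Demo run against the constructed sample.
demo_file=$(mktemp)
sample_hosts > "$demo_file"
check_sinkhole "$demo_file" www.skype.com www.blocked.example.com gone.example.net \
    || echo "policy block incomplete"
rm -f "$demo_file"
```

Run from a login hook or management agent, a non-zero return is the signal to restore the entries or flag the machine.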