Restrict Access to Certain Folders?

Is there a way to prevent users from accessing certain folders without restricting access to Finder? I have a few users who will delete/modify folders to remove our applied settings and I'd love the ability to restrict access to the Library and the System Library.

SOLVED Posted: by Look

Do they have admin rights? You can't really do much without them, but once you have them, if you know what you're doing there isn't much you can't do.
Also, settings applied with a configuration profile are much harder to get rid of.

SOLVED Posted: by jnice22

Even if they are admins, you can monitor the existence of the folder via a LaunchDaemon. You can set up a LaunchDaemon that monitors the folder and recreates it or sends a notification.
Then monitor the existence of the LaunchDaemon with a periodic check from the JSS.
If they removed it, re-add it and send an automated message to HR ;D

SOLVED Posted: by Nix4Life

An EA to monitor the folder, a CM tool like Puppet, Chef, Ansible, or a config profile like @Look mentioned. You could hide the folder with chflags, but if users are admins... well, you know how that goes. Have you considered company policy or speaking to supervisors/managers?
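
An added example, not part of the original thread: one way to write the extension attribute (EA) suggested above so that inventory shows which managed folders have been removed or altered. The `MANAGED_PATHS` list and the `check_managed_paths` function name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: Jamf Pro extension attribute that reports drift in managed folders.
# MANAGED_PATHS is a constructed sample list (one path per line); replace it with
# the folders that hold your applied settings.
MANAGED_PATHS="/Library/Application Support/ExampleOrg
/Library/Managed Preferences"

# Takes a newline-separated list of paths in $1 and prints "OK", or a
# semicolon-separated list of findings such as "missing: /path".
check_managed_paths() {
    findings=""
    while IFS= read -r p; do
        [ -z "$p" ] && continue
        if [ -L "$p" ]; then
            state="symlink"            # folder swapped for a link elsewhere
        elif [ ! -e "$p" ]; then
            state="missing"            # folder deleted
        elif [ ! -d "$p" ]; then
            state="not-a-directory"    # folder replaced by a file
        elif [ -n "$(find "$p" -maxdepth 0 -perm -002 2>/dev/null)" ]; then
            state="world-writable"     # permissions opened up
        else
            continue                   # nothing to report for this path
        fi
        findings="${findings:+$findings; }$state: $p"
    done <<EOF
$1
EOF
    printf '%s\n' "${findings:-OK}"
}

# Jamf Pro reads the extension attribute value from between the <result> tags.
echo "<result>$(check_managed_paths "$MANAGED_PATHS")</result>"
```

A smart group on any value other than `OK` can then scope a remediation policy or a notification.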


SOLVED Posted: by duffcalifornia

@Look Yeah, that configuration profile route may be one we will have to go down. We're looking to eventually move to all standard accounts as we leverage JAMF to replace the need for users to be local admins, but that's going to be a very uphill cultural battle. Our org is very fragmented and IT doesn't have the strongest reputation historically, so our input doesn't always carry the sway it should/would in other companies.

SOLVED Posted: by jnice22

It's always an uphill battle to remove admin rights. Yours may be worse than some. Dazzle them with Self Service. Make sure it is fully baked with a bunch of apps, user configs, websites, training, etc. Then throw in the security requirements (if you have any), set up policy to require separate accounts for doing admin tasks, then slowly migrate some teams who may not scream. Once they are all happy, start pushing the other teams over. Baby steps.