Skip to main content
Jamf Nation, hosted by Jamf, is the largest Apple IT management community in the world. Dialog with your fellow IT professionals, gain insight about Apple device deployments, share best practices and bounce ideas off each other. Join the conversation.
CCT Badge CCA Badge CJA Badge
5

Restrict Access to Certain Folders?

Posted: 3/20/17 at 2:36 PM by duffcalifornia

Is there a way to prevent users from accessing certain folders without restricting access to Finder? I have a few users who will delete/modify folders to remove our applied settings and I'd love the ability to restrict access to the Library and the System Library.

5
CCA Badge CCE Badge

Posted: 3/20/17 at 3:20 PM by Look

Do they have admin rights? You can't really do much without them, but once you have them, if you know what your doing there isn't much you can't do.
Also settings applied with a configuration profile and much harder to get rid of.

CCT Badge CCA Badge CCE Badge

Posted: 3/20/17 at 4:10 PM by jnice22

Even if they are admins you can monitor the existence of the folder via a luanchdaemon. You can setup a LunchDaemon that monitors the folder and recreates or sends a notification.
Then monitor the existence of the launchdaemon with a periodic check from the jss.
If they removed it re-add and send an automated message to HR, ;D

Posted: 3/20/17 at 6:26 PM by LSinNY

An EA to monitor the folder,CM tool like puppet,chef,ansible or config like @Look mentioned. You could hide the folder with chflags, but if users are admins..well you know how that goes. How you considered company policy or speaking to supervisors/managers?

L

CCT Badge CCA Badge CJA Badge

Posted: 3/21/17 at 8:15 AM by duffcalifornia

@Look Yeah, that configuration profile route may be one we will have to go down. We're looking to eventually move to all standard accounts as we leverage JAMF to replace the need for users to be local admins, but that's going to be a very uphill cultural battle. Our org is very fragmented and IT doesn't have the strongest reputation historically, so our input doesn't always carry the sway it should/would in other companies.

CCT Badge CCA Badge CCE Badge

Posted: 3/21/17 at 2:17 PM by jnice22

It's always an uphill battle to remove admin rights. Yours may be worse than some. Dazzle them with Self service. Make sure it is fully baked with a bunch of apps, user configs, websites, training, etc. Then throw in the security requirements (if you have any) setup policy to require separate accounts for doing admin tasks then slowly migrate some teams who may not scream. Once they are all happy start pushing the other teams over. Baby steps.

How can Jamf Nation improve your life as a Mac Admin? Tell us in this short survey.