Jamf Nation Community

thebrucecarter · ‎08-20-2019

Greetings all,

I seem to have a lot of questions this week. This one is short, how do I get rid of Self Service on lab machines? We don't want students fooling with that stuff, although we DO want staff and faculty to be able to use it in their offices. I tried just deleting it, but apparently there is some self-heal mechanism in place and it came right back.

john-hsu · ‎08-20-2019

In our labs, we do not scope the majority of our Self Service policies. Self Service is pretty bare if someone (other than an administrator) logs in from a lab computer. Have you tried scoping exclusions on Self Service policies for lab computers?

mm2270 · ‎08-20-2019

If you have Self Service enabled to install automatically on enrolled Macs in your Jamf Pro setup (Settings > Self Service > macOS > Install Automatically) then yes, deleting it will just reinstall it on another check-in like you already discovered.

Short of turning that setting off and deploying Self Service manually to your Macs, the only other thing that springs to mind is creating a Restricted Software entry for blocking the Self Service.app and then scoping it to Macs in your lab. The app will remain, but trying to launch it will just close it down immediately.

One other possible option, but this is getting a little on the weird side, would be to delete it and create a dummy "Self Service.app" file in it's place, then hide and it lock it using something like the chflags schg command. That way it won't show up in Finder and when the jamf binary attempts to reinstall it (assuming it will even try), it won't be able to since the app will be locked from any changes.

It's probably better to just block it from running using Restricted Software, but the above is an option if you want to go a step further.

Edit: Or you could do what @john-hsu mentioned and just make sure no Self Service policies are scoped to them. Simple and should be effective!

Look · ‎08-20-2019

I'm in the use scoping on Self Service policies camp myself.
Eventually I think you will start finding uses for Self Service for the students as well, we certainly did.

thebrucecarter · ‎08-21-2019

Thank you all for the informative responses! The scoping of Self Service and the apps and so forth happens in another group in central IT support, so that one is out of my hands, but it sounds like the Restricted Software plan might work in the interim. Then I can work with Endpoint Computing (the group here that manages the Jamf Pro service, among other things) on the scoping angle. I can definitely envision ways that it could be used for students (For one thing, it might solve the GarageBand loops issue to have that available as a self-service option. Right now, I do not want to load all of that data to every lab machine when it might only be used by a few people, but if they want to sit and let it load while they wait, I am OK with that).

I actually did think of hiding the app itself, but I did NOT think of putting a dummy app in there. Nice idea, I am going to put that in my Book of Knowledge for possible later use.

Thanks again!

mconners · ‎08-21-2019

We scope our self service to all of our managed Macs. We also don't allow our students to authenticate to use it. If however a lab coordinator needs to take some actions on a lab computer, the software is there for them. We also allow the lab coordinator to use self service to wipe and recovery the OS for re-deploying the applications.

alexjdale · ‎08-21-2019

I'd just use a Restricted Software message/block to kill it if someone launches it.

Jamf Nation Community

Disable Self Service in labs?