[Casper] Prohibit copying from /Applications

Clinton Blackmore clinton.blackmore at westwind.ab.ca
Wed Feb 18 09:28:52 PST 2009 

I started seeing if I could figure out how to do this with crankd  
(which, while it has potential, is still in its infancy and not well  
documented), and, after getting something together that didn't work, I  
posted to the pymacadmin site. The thread is here:  http://groups.google.com/group/pymacadmin/browse_thread/thread/2c077fcd1ed7361f

The last response I got is very worthwhile, so I am sharing it here:


On Feb 17, 2009, at 9:54 PM, Clinton Blackmore wrote:

 > We have some problems when users copy a .app folder to their desktop
 > when trying to put it on their dock; specifically, this prevents
 > network users from logging in.  Also, I'm aware of another system
 > administrator who wants to prevents students from copying .apps to
 > their USB drives.

         Trying to catch this by watching filesystem events is the wrong
approach, you will always be chasing after things. The better
approach, at least for users who aren't going to resort to the command
line, is to prevent the Finder from copying the apps. There is an easy
trick to this: put a folder inside the .app bundles (next to
"Contents") that starts with "A" and don't give users read or execute
permissions on that folder (I would go with root:wheel:0000). When the
Finder enumerates the files it is going to copy it will run into that
and stop.

         This is easy to circumvent by either copying things by opening
the .app bundle, or by working on the command line, but it does put up
a big enough barrier that most users won't be able to cross it.

-- 
                 Karl Kuehn
                         lark... at softhome.net


On 14-Feb-09, at 3:16 PM, Jeff Strauss wrote:

> Thanks for that. I'm going to start work on it after the weekend.
> Expect email asking for help :)
>
> Sent from my iPhone
>
> On Feb 14, 2009, at 2:17 PM, "clinton.blackmore" <clinton.blackmore at westwind.ab.ca
>> wrote:
>
>> Darn.  Here I'd always hoped that some funky set of ACLs could
>> prevent the problem.  We have a problem where students move
>> applications onto their desktops when trying to put it on their Dock
>> (and then we get complains that the app is not installed, or that
>> users (inexplicably) can not log into network accounts with a .app
>> on the desktop.)
>>
>> If you are serious about writing a launchd item, and especially if
>> your running all Leopard, there is a python application called
>> crankd that can install hooks into system events (like filesystem
>> activity, network transitions, and such) and call your code when it
>> happens.  I don't know a lot about it, but http://code.google.com/p/pymacadmin/
>> is a place to start looking.  I think it might be easier to work
>> with than launchd.
>>
>> If you do come up with something, I'd appreciate it if you'd share.
>>
>> Cheers,
>> Clinton Blackmore
>>
>>
>> _______________________________________________
>> Casper mailing list
>> Casper at list.jamfsoftware.com
>> http://list.jamfsoftware.com/mailman/listinfo/casper


This email has been scanned by Barracuda Network's Anti-Virus and Spam Firewall.

More information about the Casper mailing list