[Casper] Prohibit copying from /Applications

Clinton Blackmore clinton.blackmore at westwind.ab.ca
Wed Feb 18 09:57:50 PST 2009


> Funny you should post that. The same user posted the same solution  
> to my question on the MacNN forums yesterday. I’m testing it out  
> today.

Fascinating.  Please let us know how well it works.  (Did you write a  
script that can be deployed by Casper to do it?)


The author who suggested the technique just added that:

>     Trying to catch this by watching filesystem events is the wrong
> approach, you will always be chasing after things. The better
> approach, at least for users who aren't going to resort to the command
> line, is to prevent the Finder from copying the apps. There is an easy
> trick to this: put a folder inside the .app bundles (next to
> "Contents") that starts with "A" and don't give users read or execute
> permissions on that folder (I would go with root:wheel:0000). When the
> Finder enumerates the files it is going to copy it will run into that
> and stop.

	I did forget to mention that there is one dark side to doing this: it
breaks application signing. Apple has only started to use this, so
unless you are using MCX to restrict what applications a user can use
this will have no effect at the moment (this needs to be reviewed when
10.6 comes out). You can still work with it, you just have to make
sure that the application signing happens with your modification in
place. For a lab image this should be very doable.

--
		Karl Kuehn


On 18-Feb-09, at 10:33 AM, Jeff Strauss wrote:

> Funny you should post that. The same user posted the same solution  
> to my question on the MacNN forums yesterday. I’m testing it out  
> today.
>
>
> On 2/18/09 9:28 AM, "Clinton Blackmore" <clinton.blackmore at westwind.ab.ca> wrote:
>
> I started seeing if I could figure out how to do this with crankd
> (which, while it has potential, is still in its infancy and not well
> documented), and, after getting something together that didn't work, I
> posted to the pymacadmin site. The thread is here:  http://groups.google.com/group/pymacadmin/browse_thread/thread/2c077fcd1ed7361f
>
> The last response I got is very worthwhile, so I am sharing it here:
>
>
> On Feb 17, 2009, at 9:54 PM, Clinton Blackmore wrote:
>
>  > We have some problems when users copy a .app folder to their desktop
>  > when trying to put it on their dock; specifically, this prevents
>  > network users from logging in.  Also, I'm aware of another system
>  > administrator who wants to prevent students from copying .apps to
>  > their USB drives.
>
>          Trying to catch this by watching filesystem events is the wrong
> approach, you will always be chasing after things. The better
> approach, at least for users who aren't going to resort to the command
> line, is to prevent the Finder from copying the apps. There is an easy
> trick to this: put a folder inside the .app bundles (next to
> "Contents") that starts with "A" and don't give users read or execute
> permissions on that folder (I would go with root:wheel:0000). When the
> Finder enumerates the files it is going to copy it will run into that
> and stop.
>
>          This is easy to circumvent by either copying things by opening
> the .app bundle, or by working on the command line, but it does put up
> a big enough barrier that most users won't be able to cross it.
>
> --
>                  Karl Kuehn
>                          lark... at softhome.net
>
>
> On 14-Feb-09, at 3:16 PM, Jeff Strauss wrote:
>
> > Thanks for that. I'm going to start work on it after the weekend.
> > Expect email asking for help :)
> >
> > Sent from my iPhone
> >
> > On Feb 14, 2009, at 2:17 PM, "clinton.blackmore" <clinton.blackmore at westwind.ab.ca> wrote:
> >
> >> Darn.  Here I'd always hoped that some funky set of ACLs could
> >> prevent the problem.  We have a problem where students move
> >> applications onto their desktops when trying to put it on their Dock
> >> (and then we get complaints that the app is not installed, or that
> >> users (inexplicably) can not log into network accounts with a .app
> >> on the desktop.)
> >>
> >> If you are serious about writing a launchd item, and especially if
> >> you're running all Leopard, there is a python application called
> >> crankd that can install hooks into system events (like filesystem
> >> activity, network transitions, and such) and call your code when it
> >> happens.  I don't know a lot about it, but http://code.google.com/p/pymacadmin/
> >> is a place to start looking.  I think it might be easier to work
> >> with than launchd.
> >>
> >> If you do come up with something, I'd appreciate it if you'd share.
> >>
> >> Cheers,
> >> Clinton Blackmore
> >>
> >>
>
>
> This email has been scanned by Barracuda Network's Anti-Virus and  
> Spam Firewall.
>
>
> Jeffrey A. Strauss
> Department of Educational Technology
> Systems Administrator
> Loyola High School of Los Angeles
> 1901 Venice Blvd.
> Los Angeles, Ca 90006
> (213) 381-5121 x265
>
> Please consider the environment before printing this e-mail.
>
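
The message above asks whether the blocker-folder trick could be scripted for deployment by Casper. One way to do it, as an added example that is not code from the thread or from anyone on the list: the folder name `A_NoCopy` and the functions `protect_apps` and `audit_apps` are hypothetical, and the script assumes it is run as root with the applications directory as its argument.

```shell
#!/bin/sh
# Added example, not from the thread. BLOCKER_NAME, protect_apps and
# audit_apps are hypothetical names chosen for illustration.
# The thread notes that adding this folder breaks application signing.
BLOCKER_NAME="A_NoCopy"    # starts with "A", sits next to "Contents"

# Create the unreadable blocker folder in every .app directly under $1.
# Prints how many bundles now carry a mode-0000 blocker.
protect_apps() {
    apps_dir="$1"
    count=0
    for app in "$apps_dir"/*.app; do
        [ -d "$app/Contents" ] || continue   # skip non-bundles / unmatched glob
        blocker="$app/$BLOCKER_NAME"
        [ -d "$blocker" ] || mkdir "$blocker" || continue
        # Ownership change needs root; an unprivileged dry run only sets the mode.
        if [ "$(id -u)" -eq 0 ]; then
            # gid 0 is wheel on macOS; numeric fallback where no wheel group exists
            chown root:wheel "$blocker" 2>/dev/null || chown 0:0 "$blocker" || continue
        fi
        chmod 0000 "$blocker" && count=$((count + 1))
    done
    echo "$count"
}

# Print every bundle under $1 that lacks a mode-0000 blocker.
# Empty output means all bundles are protected; useful after app updates,
# which may replace the bundle and drop the folder.
audit_apps() {
    for app in "$1"/*.app; do
        [ -d "$app/Contents" ] || continue
        case "$(ls -ld "$app/$BLOCKER_NAME" 2>/dev/null)" in
            d---------*) ;;                  # present with mode 0000
            *) echo "$app" ;;                # missing or wrong permissions
        esac
    done
}

# Only act when a directory is given, e.g.: sudo sh protect_apps.sh /Applications
if [ "$#" -gt 0 ]; then
    protect_apps "$1"
    audit_apps "$1"
fi
```
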

