[Casper] Search and destroy apps

Miles Leacy miles.leacy at themacadmin.com
Mon Jan 12 13:47:19 PST 2009


I too have encountered some of the hardships that Thomas describes.  Thanks
to Casper, MCX and UNIX, with some tinkering, you may be able to get things
managed despite those developers who refuse to follow Apple's developer
guidelines.
If you have a folder that *must* be writable in a place where you don't want
people writing files, I'd try linking it elsewhere (such as /Users/Shared)
and making sure that apps are not allowed in that directory, or (if the
developer was thoughtful) changing the location in the app's preferences.  If
the app uses the folder as "scratch space" but there is no persistent data,
I'd have a policy that runs a script which deletes the contents of the folder
at logout.

To have tight control of which apps can run and which can't, disallow
applications within "/" or "/Applications", and then add your allowable apps
to the "Always allow these applications:" list.  It could be tedious, but it
would be tightly controlled.  If you use Workgroup Manager to administer
your MCX (which most people do and it's a free download from Apple), you can
mitigate the tedium by creating presets.  If you handle your MCX via
scripting, you can use Casper smart groups and policies to mitigate the
tedium.

Be sure to test your apps thoroughly, including giving them to live users
toward the end of the testing process.  During your testing, you can
determine the most restrictive permissions that still allow the desired
functions.

----------
Miles A. Leacy IV

 Certified System Administrator 10.4
 Certified Technical Coordinator 10.5
 Certified Trainer
Certified Casper Administrator
----------
voice: 1-347-277-7321
miles.leacy at themacadmin.com
www.themacadmin.com
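
Added here as an example (it is not part of any message in this thread and not
Casper's own tooling): a small POSIX sh audit for the failure Thomas describes
below, the single world-writable folder left inside an application tree.  Run
it over a staged package payload before Composer captures it, or over
/Applications from a policy, to report and then strip anything standard users
could write to.  The function names and the dir:/file: output format are this
example's own choices.

```sh
#!/bin/sh
# Added example, not from Thomas's or Miles's messages: audit a tree for
# anything standard users could write to, and optionally strip the
# world-writable bit.  Pointed at a staged package payload it catches the
# one writable folder before it ships; pointed at /Applications from a
# Casper policy it is the permission fixup Thomas ended up running.
# Function names are this example's own.

# Print every file or directory under $1 whose "other" write bit is set,
# one per line, tagged dir: or file:.  Directories are the serious finding:
# a world-writable directory inside an allowed application folder is a place
# to park an app that the MCX allow-list for that folder will let run.
audit_world_writable() {
    root="$1"
    [ -d "$root" ] || { echo "audit_world_writable: not a directory: $root" >&2; return 1; }
    # -perm -002 is the portable, octal form of "other-write bit set".
    # Symbolic links are skipped: their own mode bits mean nothing, and
    # -perm would otherwise flag every link on systems that report them 777.
    find "$root" ! -type l -perm -002 \
        \( -type d -exec printf 'dir:%s\n' {} + -o -exec printf 'file:%s\n' {} + \)
}

# Number of findings, for a report line or a policy exit code.
count_world_writable() {
    audit_world_writable "$1" | wc -l | tr -d ' '
}

# Remove the other-write bit from every finding.  Nothing else about the mode
# is touched, so executables stay executable and owner/group access is kept;
# read and execute for everyone else is what Thomas recommends for standard
# users.
fix_world_writable() {
    root="$1"
    [ -d "$root" ] || { echo "fix_world_writable: not a directory: $root" >&2; return 1; }
    find "$root" ! -type l -perm -002 -exec chmod o-w {} +
}
```

Run audit_world_writable first and read the list; a folder an application
genuinely needs to write to shows up here too, and that is the case for the
symlink-to-/Users/Shared or scratch-cleanup treatment above rather than a blind
chmod.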




On Mon, Jan 12, 2009 at 4:26 PM, Thomas Larkin <tlarki at kckps.org> wrote:

> I would like to add to that, as I run a pure Leopard environment since we
> upgraded from Tiger last summer.
>
> Yes, you can restrict where applications can run, and we do that here at
> my work.  I no longer have an approve/block list of applications, and MCX
> does configure this.  However, if you have an app that requires write
> permissions for everyone, the user can simply drop whatever app they want
> in that directory and it will work, or if you don't modify your permissions
> to give standard users read and execute only access.  So, when you make
> your Composer packages MAKE SURE you have proper permissions; if you have an
> application that requires the user to have write access to a folder within
> the /Applications directory, this whole point is moot.
>
> Learn from my mistakes, people: I copied a package from last year's image
> and it had write permissions on it for everyone, in one freaking folder, a
> small oversight.  I did not create the image last year though; Apple and a
> contractor did, then I was hired on afterward to take the reins of the 1:1.
> The students figured out that one folder you could write to and dropped
> every game they could get their hands on into it, and it works.
>
> So, if you do decide to use the WGM and MCX managed preferences to
> restrict applications to running from only one folder, make sure you do
> your permissions correctly.  Also, some developers are ridiculous and like
> to have things run from /Library as well.  So, yes, it is entirely true you
> can restrict which folders applications can or can't run from, but that
> doesn't mean you just hit the easy button and it's now secure.
> You will have to take the precautions, and if you don't you'll end up like
> me with Casper policies running ownership and permission scripts fixing the
> issue.  I assure you that this will not happen in the next image.  I was
> rushed to get 6,000 MacBooks imaged with both OS X and Windows XP and we did
> the best we could in the very limited time we had.
>
> So it is always good to have a backup plan, and this is a good one to
> have.  Just in case.
>
>
> ___________________________
> Thomas Larkin
> TIS Department
> KCKPS USD500
> tlarki at kckps.org
> blackberry:  913-449-7589
> office:  913-627-0351
>
>
>
>
>
> >>> "Miles Leacy" <miles.leacy at themacadmin.com> 01/12/09 2:30 PM >>>
>
> I received a note about my script from someone at Apple, and I want to make
> sure to mention that Leopard's MCX will allow you to prohibit launching apps
> from a user's home folder.  In fact, you can allow or disallow the launching
> of apps from any folder(s).
>
> The script I provided is an option if you:
>
> have Tiger clients
> don't have OD
> don't want to mess with using MCX in the local directory service
> want to delete the app(s) as well as deny launching
>
> ----------
> Miles A. Leacy IV
>
>  Certified System Administrator 10.4
>  Certified Technical Coordinator 10.5
>  Certified Trainer
> Certified Casper Administrator
> ----------
> voice: 1-347-277-7321
> miles.leacy at themacadmin.com
> www.themacadmin.com
>
>
>
>
> On Mon, Jan 12, 2009 at 1:17 PM, Miles Leacy <miles.leacy at themacadmin.com>
> wrote:
>
>>  I left out a command in the script in my first message.  Here is the
>> complete script:
>>
>>
>> #!/bin/bash
>>
>> ##### HEADER BEGINS #####
>> # scr_maint_searchDestroyAppsInHomeFolder.bash
>> #
>> # Created 20090112 by Miles A. Leacy IV
>> # miles.leacy at themacadmin.com
>> # Modified 20090112 by Miles A. Leacy IV
>> # Copyright 2009 Miles A. Leacy IV
>> #
>> # This script may be copied and distributed freely as long as this header
>> # remains intact.
>> #
>> # This script is provided "as is".  The author offers no warranty or
>> # guarantee of any kind.
>> # Use of this script is at your own risk.  The author takes no
>> # responsibility for loss of use, loss of data, loss of job, loss of socks,
>> # the onset of armageddon, or any other negative effects.
>> #
>> # Test thoroughly in a lab environment before use on production systems.
>> # When you think it's ok, test again.  When you're certain it's ok, test
>> # twice more.
>> #
>> # This script performs a search & destroy on any apps in the user's home
>> # folder.
>> # This script deletes user data.  Be sure of your organization's policies
>> # as they may apply before using.
>> #
>> # Again, THIS SCRIPT DELETES USER DATA.  Make sure you understand what
>> # data will be deleted and that it is permissible to delete that data
>> # before using this script.
>> #
>> # It is intended to be run as part of a Casper policy triggered by login.
>> #
>> # Note: This script can take several minutes to run on very large home
>> # folders.
>> # It took 5 minutes and 31 seconds on a 146.77 GB home folder on a Mac Pro
>> # in testing.
>> #
>> ##### HEADER ENDS #####
>>
>> # $3 is the username that the Casper policy passes to the script as its
>> # third parameter.  Refuse to run without one: an empty $3 would make find
>> # walk every folder under /Users.
>> [ -n "$3" ] || { echo "No username supplied; exiting."; exit 1; }
>>
>> # Set $isapp to indicate whether an item is an application
>> # initial value is 0
>> # a value of 0 = not an application
>> # a value of 1 = an application
>> isapp=0
>>
>> # return the absolute path of each item in the user's home folder and act
>> # upon them in the "do" loop.  "IFS= read -r" keeps leading spaces and
>> # backslashes in file names intact so the path tested is the real one.
>> find "/Users/$3" | while IFS= read -r file
>> do
>>     # skip the contents of .app bundles
>>     [[ "$file" = *.app/* ]] && continue
>>
>>     # determine whether $file is an application and change value of $isapp
>>     # if it is
>>     isapp=`mdls -name kMDItemKind "$file" | grep -c Application`
>>
>>     # if $file is an application ($isapp contains any nonzero value), act
>>     # upon it.
>>     if [ "$isapp" -ne 0 ]; then
>>         echo "Deleting" "$file"; rm -R "$file"
>>     fi
>>
>>     # reset $isapp
>>     isapp=0
>> done
>>
>>
>>
>>
>> ----------
>> Miles A. Leacy IV
>>
>>  Certified System Administrator 10.4
>>  Certified Technical Coordinator 10.5
>>  Certified Trainer
>> Certified Casper Administrator
>> ----------
>> voice: 1-347-277-7321
>> miles.leacy at themacadmin.com
>> www.themacadmin.com
>>
>>
>>
>>
>>
>> On Mon, Jan 12, 2009 at 12:26 PM, Miles Leacy <miles.leacy at themacadmin.com>
>> wrote:
>>
>>>  Hi all,
>>>
>>>
>>>   I have another script to share.  In more than one environment I've
>>> worked with, users were not allowed to store or run apps in/from their home
>>> folders.  Policies were made clear that any apps in one's home folder were
>>> considered a policy violation, and subject to automatic deletion.  I put
>>> together the following script to make sure I never had to go hunt for
>>> someone's hidden apps again.
>>>
>>>
>>> #!/bin/bash
>>>
>>> ##### HEADER BEGINS #####
>>> # scr_maint_searchDestroyAppsInHomeFolder.bash
>>> #
>>> # Created 20080729 by Miles A. Leacy IV
>>> # miles.leacy at themacadmin.com
>>> # Modified 20090112 by Miles A. Leacy IV
>>> # Copyright 2009 Miles A. Leacy IV
>>> #
>>> # This script may be copied and distributed freely as long as this header
>>> # remains intact.
>>> #
>>> # This script is provided "as is".  The author offers no warranty or
>>> # guarantee of any kind.
>>> # Use of this script is at your own risk.  The author takes no
>>> # responsibility for loss of use, loss of data, loss of job, loss of socks,
>>> # the onset of armageddon, or any other negative effects.
>>> #
>>> # Test thoroughly in a lab environment before use on production systems.
>>> # When you think it's ok, test again.  When you're certain it's ok, test
>>> # twice more.
>>> #
>>> # This script performs a search & destroy on any apps in the user's home
>>> # folder.
>>> # This script deletes user data.  Be sure of your organization's policies
>>> # as they may apply before using.
>>> #
>>> # Again, THIS SCRIPT DELETES USER DATA.  Make sure you understand what
>>> # data will be deleted and that it is permissible to delete that data
>>> # before using this script.
>>> #
>>> # It is intended to be run as part of a Casper policy triggered by login.
>>> #
>>> # Note: This script can take several minutes to run on very large home
>>> # folders.
>>> # It took 5 minutes and 31 seconds on a 146.77 GB home folder on a Mac
>>> # Pro in testing.
>>> #
>>> ##### HEADER ENDS #####
>>>
>>> # $3 is the username that the Casper policy passes to the script as its
>>> # third parameter.  Refuse to run without one: an empty $3 would make find
>>> # walk every folder under /Users.
>>> [ -n "$3" ] || { echo "No username supplied; exiting."; exit 1; }
>>>
>>> # Set $isapp to indicate whether an item is an application
>>> # initial value is 0
>>> # a value of 0 = not an application
>>> # a value of 1 = an application
>>> isapp=0
>>>
>>> # return the absolute path of each item in the user's home folder and act
>>> # upon them in the "do" loop.  "IFS= read -r" keeps leading spaces and
>>> # backslashes in file names intact so the path tested is the real one.
>>> find "/Users/$3" | while IFS= read -r file
>>> do
>>>     # skip the contents of .app bundles
>>>     [[ "$file" = *.app/* ]] && continue
>>>
>>>     # determine whether $file is an application and change value of $isapp
>>>     # if it is
>>>     isapp=`mdls -name kMDItemKind "$file" | grep -c Application`
>>>
>>>     # if $file is an application ($isapp contains any nonzero value), act
>>>     # upon it.
>>>     if [ "$isapp" -ne 0 ]; then
>>>         echo "Deleting" "$file"
>>>     fi
>>>
>>>     # reset $isapp
>>>     isapp=0
>>> done
>>>
>>>
>>>
>>> ----------
>>> Miles A. Leacy IV
>>>
>>>  Certified System Administrator 10.4
>>>  Certified Technical Coordinator 10.5
>>>  Certified Trainer
>>> Certified Casper Administrator
>>> ----------
>>> voice: 1-347-277-7321
>>> miles.leacy at themacadmin.com
>>> www.themacadmin.com
>>>
>>>
>>>
>>
>
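
As an added example (not Miles's script above, and not part of the original
thread): the same search over a home folder, written so that find never
descends into the bundles it finds.  The original script walks every file and
then skips paths matching *.app/*, which is why it needed over five minutes on
a large home folder; -prune stops at the bundle directory instead.  It also
swaps the Spotlight-based mdls check for a heuristic this example assumes is
good enough: a directory whose name ends in .app and that contains
Contents/Info.plist.  That makes it runnable on any POSIX sh, not only a
Spotlight-indexed Mac, at the cost of not recognising an application that is
not a .app bundle.  The function names, the root-folder guard and its default
of /Users are this example's own.

```sh
#!/bin/sh
# Added example, not Miles Leacy's script: find .app bundles in a home folder
# without descending into them, using find -prune instead of walking every
# file and filtering on *.app/* afterwards.
#
# Detection heuristic (an assumption of this example, not the script's mdls
# lookup): a directory whose name ends in .app and contains
# Contents/Info.plist is treated as an application bundle.  No Spotlight
# index is needed, so it also works on home folders that are not indexed.

# Print one bundle path per line (report-only mode for lab testing).
# Nested bundles (a .app inside another .app) are not reported separately;
# removing the outer one removes them.  -type d means a symlink named *.app
# is neither followed nor reported, matching the original find behaviour.
list_app_bundles() {
    home="$1"
    [ -d "$home" ] || { echo "list_app_bundles: not a directory: $home" >&2; return 1; }
    # -prune stops find from entering any matching directory, so the
    # thousands of files inside each bundle are never visited.
    find "$home" -type d -name '*.app' -prune -print |
    while IFS= read -r bundle; do
        if [ -f "$bundle/Contents/Info.plist" ]; then
            printf '%s\n' "$bundle"
        fi
    done
}

# Number of bundles found, for a report line.
count_app_bundles() {
    list_app_bundles "$1" | wc -l | tr -d ' '
}

# Remove every bundle found.  Only acts when the home folder lives directly
# under the given root (default /Users), so an empty Casper username cannot
# turn "/Users/" into a sweep of every home folder.  Prints what it removes,
# as the original script does.
destroy_app_bundles() {
    home="$1"
    root="${2:-/Users}"
    case "$home" in
        "$root"/?*) ;;
        *) echo "destroy_app_bundles: refusing to run outside $root: '$home'" >&2; return 1 ;;
    esac
    list_app_bundles "$home" |
    while IFS= read -r bundle; do
        echo "Deleting $bundle"
        rm -R -- "$bundle"
    done
}
```

From a login-triggered policy the call would be destroy_app_bundles
"/Users/$3"; list_app_bundles is the report-only pass for the lab testing the
script header insists on.  File names containing a newline are the one input
this line-oriented loop cannot handle safely; a find -exec form would be
needed for those.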