[Casper] Search and destroy apps

John DeTroye detroye1 at apple.com
Tue Jan 13 06:22:21 PST 2009


Yes. The "Applications" pane is for signing apps and setting up  
universally allowed apps. Here's an explanation I posted to one of the  
other lists:
----
The WGM/Prefs settings for Applications often confuse a lot of  
people. Let me try to explain what the gears and tubes are doing.

The Applications tab is where you digitally sign apps and designate  
them for use regardless of location. The apps, when signed on an admin  
system, must then be cloned onto every client machine. This is because  
the signing affects only that copy of the app. App signing keeps a  
user from editing the app bundle and trying to fake out the mgmt to  
think it's something else - think "I'm not Terminal, I'm really  
Calculator." The problem with using that tab to set application permissions is  
that you are allowing users to drag the app into their homedir or  
anyplace else they want to run it. It also doesn't account for all of  
the other portions of some applications, such as the support apps they  
need.

The Folders tab should really be called "Paths" since you designate  
the location of the allowed, and disallowed, application(s). It works  
the same as a firewall, with denies overriding allows. It is important  
to allow locations such as the /Library/Application Support folder,  
and often, the entire /Library folder when 3rd party apps dump stuff  
all over the place. This may be the case with SketchUp.

The old "Allow apps to sublaunch" from Tiger is active all the time in  
Leopard; but in a much more limited way - it allows items inside the  
same folder that you designated plus any system-owned items (unix apps).

And finally, all of this assumes well-behaved apps.
-----

johnd
-- 
John DeTroye                        Email: johnd at apple.com
Sr. Consulting Engineer         Systems Management Specialist
Apple - Education                   iChat: johnd at mac.com
Systems Management Guide - http://www.apple.com/education/go/sysmgmt/
Tips and Tricks Docs - http://web.me.com/johnd/
--

On Jan 12, 2009, at 7:23 PM, Miles Leacy wrote:

> Thanks for the info!
>
> So, am I correct that an item appearing in the "Applications" pane  
> is allowed even if its enclosing folder appears in the disallowed  
> folders list?
>
> Thanks again,
>
> ----------
> Miles A. Leacy IV
>
>  Certified System Administrator 10.4
>  Certified Technical Coordinator 10.5
>  Certified Trainer
> Certified Casper Administrator
> ----------
> voice: 1-347-277-7321
> miles.leacy at themacadmin.com
> www.themacadmin.com
>
>
>
>
> On Mon, Jan 12, 2009 at 9:15 PM, John DeTroye <detroye1 at apple.com>  
> wrote:
> Actually, if you use the "Applications" pane versus the "Folders"  
> pane to assign allowed apps, you are allowing those applications to  
> be dragged/copied anywhere on the user's system and launched. Use  
> the "Folders" (which should really be called "Paths") to set up  
> allowed and disallowed apps/locations(/paths).
>
>
> johnd
>
> On Jan 12, 2009, at 2:47 PM, Miles Leacy wrote:
>
> To have tight control of which apps can run and which can't,  
> disallow applications within "/" or "/Applications", and then add  
> your allowable apps to the "Always allow these applications:" list.   
> It could be tedious, but it would be tightly controlled.
>
>
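
A small Python model of the decision order described in this thread, added here as an example; it is not Apple's or Casper's code. The policy dictionary, the identity strings and the default-deny fallback are assumptions, and the sample paths are constructed.

```python
from pathlib import PurePosixPath

# Constructed sample policy; key names and identities are assumptions.
SAMPLE_POLICY = {
    "always_allow": {"com.example.calculator"},            # Applications pane
    "allow_paths": ["/Applications", "/Library"],          # Folders pane, allowed
    "deny_paths": ["/Applications/Utilities", "/Users"],   # Folders pane, disallowed
}


def _under(path, folder):
    """True if path is the folder itself or sits anywhere below it."""
    p, f = PurePosixPath(path), PurePosixPath(folder)
    return p == f or f in p.parents


def launch_allowed(app_path, signed_id, policy):
    """Return True if the modelled policy lets app_path launch.

    signed_id is the identity of a signed app, or None if unsigned/unknown.
    """
    # Applications pane: a listed signed app runs regardless of location.
    if signed_id is not None and signed_id in policy["always_allow"]:
        return True
    # Folders pane works like a firewall: a matching deny overrides allows.
    if any(_under(app_path, d) for d in policy["deny_paths"]):
        return False
    if any(_under(app_path, a) for a in policy["allow_paths"]):
        return True
    # Assumption of this model: a path matching no rule is not allowed.
    return False


if __name__ == "__main__":
    samples = [
        ("/Applications/Safari.app", None),
        ("/Applications/Utilities/Terminal.app", None),
        ("/Users/student/Desktop/Calculator.app", "com.example.calculator"),
        ("/Library/Application Support/Vendor/Helper.app", None),
    ]
    for path, ident in samples:
        verdict = "allow" if launch_allowed(path, ident, SAMPLE_POLICY) else "deny"
        print(f"{verdict:5}  {path}")
```

The third sample shows the trade-off raised in the thread: an app listed in the Applications pane still launches from a location the Folders rules deny.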
