Prohibit execution from /tmp
nihil-admirari opened this issue
Problem to solve
`os_user_app_installation_prohibit` prohibits running software from the user profile. Unfortunately, users can still install software to /tmp and run it from there.
Further details
```xml
<key>pathBlackList</key>
<array>
    <string>/private/tmp/</string>
</array>
```

doesn't work.
Hello!
This rule has a note regarding the functionality, and that it requires third-party tools in order to fully implement. Unfortunately, there isn't a good built-in solution for this. It's also limited to only a couple of baselines, so depending on your organization, you may consider omitting the rule altogether.
Apple has deprecated the use of [application restriction controls](https://github.com/apple/device-management/blob/eb51fb0cb9626cac4717858556912c257a734ce0/mdm/profiles/com.apple.applicationaccess.new.yaml#L67-L70); using these controls may not work as expected. Third-party software may be required to fulfill the compliance requirements.
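Since neither the `pathBlackList` profile key nor any built-in control reliably blocks execution from /private/tmp, the practical question for an administrator is whether whatever control was deployed (MDM profile or third-party tool) actually works. The following probe is an added example, not code from this issue or from the macOS Security Compliance Project: it copies a known binary into a directory, tries to execute the copy, and reports whether the launch succeeded. It assumes `/bin/ls` exists as the probe binary (true on macOS and Linux) and that the directory to test is passed as an argument; on macOS pass `/private/tmp`, since `/tmp` is a symlink to it. A "blocked" result only shows that this one path and launch method were stopped; an "allowed" result shows the control is not effective for that directory.

```shell
#!/bin/sh
# Added example (not from the issue or the mSCP project): probe whether a
# binary dropped into a directory can be executed from there.
#
# Returns 0 if the copied binary ran (execution is NOT blocked),
#         1 if the copy could not be executed (execution blocked),
#         2 if the probe could not be set up (no source binary, dir missing
#           or not writable, copy failed).
probe_exec_dir() {
    dir=${1:-/tmp}
    src=/bin/ls                       # assumption: small, always-present binary
    [ -x "$src" ] || return 2
    [ -d "$dir" ] && [ -w "$dir" ] || return 2
    probe="$dir/.exec-probe.$$"       # unique, hidden probe file
    cp "$src" "$probe" 2>/dev/null || return 2
    chmod 700 "$probe" 2>/dev/null || { rm -f "$probe"; return 2; }
    # Launch the copy; a blocked exec fails here (typically status 126).
    if "$probe" / >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -f "$probe"
    return "$rc"
}

# Human-readable report for one or more directories; an audit script
# would call probe_exec_dir directly and act on its return code.
report_exec_dirs() {
    for d in "$@"; do
        if probe_exec_dir "$d"; then
            echo "$d: execution ALLOWED"
        else
            case $? in
                1) echo "$d: execution blocked" ;;
                *) echo "$d: probe could not run (permissions or missing source binary)" ;;
            esac
        fi
    done
}

# Report on the directories given on the command line, defaulting to /tmp.
[ $# -gt 0 ] || set -- /tmp
report_exec_dirs "$@"
```

Run it as the user the policy is meant to restrict, not as an administrator, since a control applied per user profile may not apply to an admin session. The probe copies a binary rather than writing a script so that it exercises the same code path (a new process image launched from the directory) that an attacker's payload would.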