View Full Version : Prevent removal of menubar application

May 13, 2011, 01:18 PM
At my shop we current have a mac server pointed to our ldap directory for authentication, which also enforces file vault on our users and a handful of other settings. We also make all of the users mobile admins on their workstations because many work remotely. The problem we run into is that our users sometimes uninstall applications that need to be installed all the time. In this case, it's the bomgar menubar application. Is there any way of preventing admin users from uninstalling this application, either on the image we use to image our machines, or through the mac server.

Thank you in advance

May 13, 2011, 05:06 PM
Tell them not to do it or you'll make them non-admins. ;)

May 13, 2011, 06:29 PM
Tell them not to do it or you'll make them non-admins. ;)

:) Then I would get a phone call each time they needed a software update. No thank you.

May 13, 2011, 08:33 PM
It depends on what your problem is.

If the users are actively removing an application because it annoys them, that's a hard problem to solve if you give them admin rights.

What I would suggest is that you create a LaunchDaemon to keep your desired application(s) running at all times. Then, launchd will instantly restart the app if it is terminated. This will help if users accidentally quit an application, or try to quit from it on purpose. Since they can't kill the app, they can't delete it. This method can be circumvented, but it takes a bit more tech savviness to work with launchd, so it will probably solve most of your problems. Depending on how your permissions are set up, you may even be able to prevent your users from deleting the LaunchDaemon file.

May 15, 2011, 05:56 PM
Something approximately like this command should do it:
sudo chflags -R schg /Path/To/TheApp.app

I strongly urge the reading of man-pages for the sudo command, the chflags command, and the chflags(2) system-call. In particular, it will require booting into single-user mode to remove the effects of the schg flag. This is not a trivial undertaking, and may be more onerous to deal with than some other strategies.

As a point of reference, the uchg flag is used for the user-lockable Locked checkbox in the Finder's Get Info window for a file or directory. If you know what dealing with that is like, then imaging that but being irreversible without a reboot and multiple command-line invocations, each of which must be exactly right.

I have used the schg flag on a few occasions, and it is not to be used without due consideration of all the consequences. It's one of those "be careful what you wish for" kinds of things.

Also, I have not tested the above command-line, which is why I call it an approximation. If you're going to test it, I advise doing so on a disk-image or on a USB drive that can be reformatted without losing anything of value.

Finally, I have no idea if schg or any of the other flags works on the server configuration described. Yet another reason for careful testing prior to use.

May 16, 2011, 01:58 PM
LaunchDaemon idea sounds good.

:) Then I would get a phone call each time they needed a software update. No thank you.

Apple Remote Desktop can push updates to massive numbers of Macs.