Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

CNU182

macrumors regular
Original poster
Oct 9, 2003
239
0
At my shop we current have a mac server pointed to our ldap directory for authentication, which also enforces file vault on our users and a handful of other settings. We also make all of the users mobile admins on their workstations because many work remotely. The problem we run into is that our users sometimes uninstall applications that need to be installed all the time. In this case, it's the bomgar menubar application. Is there any way of preventing admin users from uninstalling this application, either on the image we use to image our machines, or through the mac server.



Thank you in advance
 

MacTower

macrumors member
Jan 23, 2011
32
0
Midwest
It depends on what your problem is.

If the users are actively removing an application because it annoys them, that's a hard problem to solve if you give them admin rights.

What I would suggest is that you create a LaunchDaemon to keep your desired application(s) running at all times. Then, launchd will instantly restart the app if it is terminated. This will help if users accidentally quit an application, or try to quit from it on purpose. Since they can't kill the app, they can't delete it. This method can be circumvented, but it takes a bit more tech savviness to work with launchd, so it will probably solve most of your problems. Depending on how your permissions are set up, you may even be able to prevent your users from deleting the LaunchDaemon file.
 

chown33

Moderator
Staff member
Aug 9, 2009
10,679
8,304
A sea of green
Something approximately like this command should do it:
Code:
sudo chflags -R schg /Path/To/TheApp.app
I strongly urge the reading of man-pages for the sudo command, the chflags command, and the chflags(2) system-call. In particular, it will require booting into single-user mode to remove the effects of the schg flag. This is not a trivial undertaking, and may be more onerous to deal with than some other strategies.

As a point of reference, the uchg flag is used for the user-lockable Locked checkbox in the Finder's Get Info window for a file or directory. If you know what dealing with that is like, then imaging that but being irreversible without a reboot and multiple command-line invocations, each of which must be exactly right.

I have used the schg flag on a few occasions, and it is not to be used without due consideration of all the consequences. It's one of those "be careful what you wish for" kinds of things.

Also, I have not tested the above command-line, which is why I call it an approximation. If you're going to test it, I advise doing so on a disk-image or on a USB drive that can be reformatted without losing anything of value.

Finally, I have no idea if schg or any of the other flags works on the server configuration described. Yet another reason for careful testing prior to use.
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.