Skip to main content

Restricting macOS App Installation with Jamf Now

Updated over 2 weeks ago

Description

Jamf Now can use the two options below to restrict end users from installing apps on managed Macs:

Restricting End User App Installation

Restricting App Store access

We can deploy a custom profile with the Allow Modifying Account setting allowAccountModification for macOS 14 or later:

  • The system disables modification of accounts such as Apple Accounts and Internet-based accounts such as Mail, Contacts, and Calendar on macOS 14 and later. This restriction prevents users from signing into iCloud accounts which is required to install apps from the App Store.

  • This profile can be created using iMazing Profile Editor under Restrictions > Allow modifying account settings. Reference Deploying Custom Profiles with Jamf Now to learn more.

Restricting app installation outside of the App Store

If you have another administrator account on the Mac, you can manually change Jamf Now-managed macOS accounts from Admin (the default for the initial account created during setup) to Standard. Setting the account to Standard will prevent users from installing non-App Store apps, as admin credentials would be required.

  1. When logged into the second administrator account, navigate to System Settings > Users & Groups.

  2. Click the "i" next to the account name.

  3. Uncheck Allow this user to administer this computer.

Jamf Protect - Custom Prevent Lists

If you need more than what Jamf Now can deploy via MDM, the full Jamf Protect supports Prevent List which allow processes executed with a pre-defined hash or signing information to be blocked on computers.

The full Jamf Protect product can be purchased and deployed using Jamf Now, see https://www.jamf.com/products/jamf-protect/.


Did this answer your question?