Description
Jamf Now can use the two options below to restrict end users from installing apps on managed Macs:
Restricting End User App Installation
Restricting App Store access
We can deploy a custom profile with the Allow Modifying Account setting (allowAccountModification) for macOS 14 or later:
The system disables modification of accounts such as Apple Accounts and Internet-based accounts such as Mail, Contacts, and Calendar on macOS 14 and later. This restriction prevents users from signing in to iCloud accounts, which is required to install apps from the App Store.
This profile can be created using iMazing Profile Editor under Restrictions > Allow modifying account settings. See Deploying Custom Profiles with Jamf Now to learn more.
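As an added example (not Jamf's or iMazing's own code), the Python script below builds an unsigned profile that sets allowAccountModification to false in Apple's Restrictions payload (com.apple.applicationaccess) and audits a profile before upload. The organization name, identifiers and output file name are placeholders assumed for illustration.

```python
import plistlib
import uuid

RESTRICTIONS_TYPE = "com.apple.applicationaccess"  # Apple's Restrictions payload type

def build_profile(org="Example Org", identifier="com.example.restrict-accounts"):
    """Return unsigned .mobileconfig bytes; org and identifier are placeholders."""
    restrictions = {
        "PayloadType": RESTRICTIONS_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".restrictions",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Restrictions",
        "allowAccountModification": False,  # must be a boolean, not the string "false"
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Block account modification",
        "PayloadOrganization": org,
        "PayloadContent": [restrictions],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)

def audit_profile(data):
    """Return a list of problems in an unsigned profile; an empty list means OK."""
    try:
        profile = plistlib.loads(data)
    except Exception as exc:  # signed (CMS-wrapped) or corrupt files end up here
        return [f"not a readable plist: {exc!r}"]
    if not isinstance(profile, dict) or profile.get("PayloadType") != "Configuration":
        return ["top-level PayloadType is not Configuration"]
    payloads = [p for p in profile.get("PayloadContent", [])
                if isinstance(p, dict) and p.get("PayloadType") == RESTRICTIONS_TYPE]
    if not payloads:
        return ["no Restrictions payload present"]
    problems = []
    for p in payloads:
        value = p.get("allowAccountModification")
        if value is not False:  # missing key, True, or a mistyped string all fail
            problems.append(f"allowAccountModification is {value!r}, expected False")
    return problems

if __name__ == "__main__":
    data = build_profile()
    with open("restrict-accounts.mobileconfig", "wb") as fh:  # placeholder file name
        fh.write(data)
    print(audit_profile(data) or "profile OK")
```

The audit only reads unsigned profiles; a signed profile is reported as unreadable rather than silently passed.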
Restricting app installation outside of the App Store
If you have another administrator account on the Mac, you can manually change Jamf Now-managed macOS accounts from Admin (the default for the initial account created during setup) to Standard. Setting the account to Standard will prevent users from installing non-App Store apps, as admin credentials would be required.
When logged into the second administrator account, navigate to System Settings > Users & Groups.
Click the "i" next to the account name.
Uncheck Allow this user to administer this computer.
Jamf Protect - Custom Prevent Lists
If you need more than what Jamf Now can deploy via MDM, the full Jamf Protect supports Prevent Lists, which allow processes executed with a pre-defined hash or signing information to be blocked on computers.
The full Jamf Protect product can be purchased and deployed using Jamf Now; see https://www.jamf.com/products/jamf-protect/.