
Being the evil corporate IT overlords, we need to block the new OS X App Store. As you may be aware, the 10.6.6 update installs the App Store app, which allows users to download and install apps without admin privileges.

Some Suggestions:

  • Don't update to 10.6.6+

  • Use parental controls

  • Presumably some OD policy (if you have an OD server which we don't)

  • Block the App store by DNS or Proxy

Not updating to 10.6.6+ isn't really a long-term solution, as it contains security fixes and new Macs will come with it anyway. Blocking the App Store at a network level doesn't solve the problem for laptop users.

Ideally a simple system preference or editing of a plist that can be pushed out by ARD would be the best solution.

Please note the question isn't whether we should block the App Store, it's how we can block the App Store.


As a quick update, it seems that if you are not using an account with admin privileges, you may need to supply admin credentials the first time you download an app to install it, which may solve some of the problem. This is very different behavior from the normal OS X elevation of privileges, which asks admins and non-admins alike.

Jon Rhoades
    "Being the evil corporate IT overlords" LOL! – l0c0b0x Jan 06 '11 at 22:22
  • I'm interested in this myself. You can of course delete or set permissions on the app store app (it IS just an app when all is said and done) but I don't think that approach will scale. It'll maybe do while cooking up something better. – Rob Moir Jan 06 '11 at 22:27
    +1 for the first line :) – Michael Lowman Jan 06 '11 at 22:33
  • If you were truly evil... you wouldn't have this issue. – WernerCD Jan 07 '11 at 03:00
  • If you are using Parental Controls already, then you can already restrict which applications users can launch. – tegbains Jan 07 '11 at 04:01
  • @tegbains Then you can say to your user: "My son, we have to talk." ;) – splattne Jan 07 '11 at 15:09
  • I really dislike what Apple is doing by pushing (forcing) yet another application with an update. What really burnt my chaps is when I realized the server OS received the same... Why do they push crap like this to their "server" operating system? –  Jan 28 '11 at 20:53

4 Answers


If you don't have these computers attached to an Open Directory server (the preferred way to do this is to restrict the launching of the app through Workgroup Manager), you can set the permissions on the App Store application so that users cannot run it:

chmod -R 000 "/Applications/App Store.app"

This keeps anyone from launching the application. It can be pushed out through ARD, added to your base image, or set in a startup script.

I have no idea what this will do to other applications running on the system so you should test it first.

Scott Keck-Warren
  • Note that since OS X Mavericks, `sudo chflags -R nouchg /Applications/App\ Store.app` is required to change the `App Store.app` permissions. – Eric Ly Jun 06 '16 at 08:35
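A script form of this answer's chmod approach, combined with the chflags step from the comment above, so it can be pushed out by ARD or run at startup and checked afterwards. This is an added example, not Scott's or Apple's code; it assumes it runs as root on the Mac, and the function names (`lock_app_bundle`, `unlock_app_bundle`, `app_bundle_locked`) are mine.

```shell
#!/bin/sh
# Added example (not from the original answer): apply the chmod 000 lock-out to
# an app bundle and verify it took. Intended to run as root on the Mac; the
# bundle path is a parameter so the functions can be exercised on a scratch dir.

# Clear the user-immutable flag first (the Mavericks step from the comments);
# chflags exists only on macOS/BSD, so it is skipped elsewhere.
clear_immutable_flag() {
    if command -v chflags >/dev/null 2>&1; then
        chflags -R nouchg "$1"
    fi
}

# Strip every permission bit from the bundle and everything inside it.
# -depth applies the change post-order, so no directory is locked before its
# contents have been read (plain chmod -R 000 relies on root for that).
lock_app_bundle() {
    [ -d "$1" ] || { echo "no such bundle: $1" >&2; return 1; }
    clear_immutable_flag "$1" || return 1
    find "$1" -depth -exec chmod 000 {} +
}

# Roll-back for testing. This restores generic modes only: executables inside
# the bundle do not get their x bit back, so reinstalling the update is the
# clean way to restore a real bundle.
unlock_app_bundle() {
    [ -d "$1" ] || return 1
    chmod -R u+rwX,go+rX "$1"
}

# Succeeds when the bundle's top-level mode is exactly d--------- (usable as a
# compliance check from ARD). ls -ld is used because stat's options differ
# between macOS and GNU coreutils.
app_bundle_locked() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    [ "$mode" = "d---------" ]
}

# Typical use from ARD "Send UNIX Command" (as root) or a startup script:
#   lock_app_bundle "/Applications/App Store.app" \
#     && app_bundle_locked "/Applications/App Store.app" && echo "App Store locked"
```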

The iTunes Store connects on standard HTTP(S) ports, 80 and 443, so I assume that the Mac App Store does the same.

Here is the Apple knowledge base article on blocking the iTunes store by URL: http://support.apple.com/kb/HT3303

It says

To prevent client computers from connecting to the iTunes Store, network administrators can block the Internet host 'itunes.apple.com'.

From a quick tcpdump, it appears that the App Store uses the same URL... for now.

splattne
hackedtobits
  • That's rather annoying, typical apple. I want to block the app store. I don't want to block itunes. – Rob Moir Jan 07 '11 at 08:37

Run a packet sniffer. Run App Store. Find out what the address(es) are that the Apple App Store uses. Block all incoming/outgoing on that address, on that port, on your perimeter firewall.

Harv
  • As I mentioned, blocking at the network level won't stop laptop users. – Jon Rhoades Jan 06 '11 at 22:51
  • @Jon Rhoades - didn't see that. For them, they would either need to be managed clients (requiring OS X Server, OD, etc.) or you'd need to strip them of admin-level access on their own laptops and edit their /etc/hosts files. – Harv Jan 06 '11 at 22:58
  • Harv, I think you're getting a little tunnel-vision with the network block method. Scott's answer is better, easier to manage, and more scalable. – blueben Jan 06 '11 at 23:58
  • @blueben - sure. I agree! Thought I'd throw my answer out there in case it made more sense from the asker's perspective. – Harv Jan 07 '11 at 00:11
  • Good stuff! – blueben Jan 07 '11 at 00:45

You can also edit your Active Directory schema so that it contains extra information that emulates MCX (similar to Group Policies). You can then log into your AD server from Workgroup Manager on a Mac, import AD users/groups as augmented records, and block the application. It's a lot of work to block one thing; however, in the long run it means you have a ton more control over your Macs.

Here's a link to an Apple webinar that walks you through the steps and explains (better and in greater detail) what I was talking about above:

http://seminars.apple.com/seminarsonline/modifying/apple/index.html?s=301

and here's a PDF (not sure if it's recent)

http://www.sticts.ch/MacWindows/Modifying_the_Active_Directory_Schema.pdf

hjd
Jack Lawrence