The Applications Properties settings allow you to control access to specific applications and paths to applications using digital signatures. The "Applications", "Widgets", and "Front Row" tabs apply only to users of Mac OS X 10.5 or later. The "Legacy" tab applies only to users of Mac OS X 10.4.
You can apply application settings in both the Computer Configuration and User Configuration nodes of a Group Policy Object.
To Open the Applications Properties:
1. Start Group Policy Editor.
2. Navigate to and select the "Mac OS X Settings" node in the scope view.
3. Select the "Workgroup Manager Settings" node.
4. Double-click "Applications" in the results pane.
TheApplicationtab settings control which applications are allowed to execute on Mac OS X and support the followingMac OS X Management Modeson page 103 of the Admin. Guide:Never,Always. The Applications settings apply only to Mac OS 10.5 andlater.
Application restrictions are controlled by means of folder paths. QAS group policy does not currently supportapplication management using digital signatures, therefore to allow or prevent users from launching an application,add the application or the path to the application to one of two lists:
•Disallow applications within these folders.
Add folders containing applications that you want to prevent users from opening. All applications in sub-foldersof disallowed applications are also disallowed.
•Allow applications within these folders.
Add folders containing applications that you want users to launch. If an application or path to the applicationappears in both thedisallowand theallowlists, then thedisallowlist takes precedence and the user is not allowedto launch the application.
If an application does not appear in either of these lists, the user can not launch the application.
ClickAdd...to open theNew Application Itemdialog. You can type the absolute Unix path or you can clickRemoteBrowse...to log into a remote Mac OS X machine (by means ofSSH) and browse for the target folder. It displaysrecently specified paths. To reuse a recently specified path, double-click the item in the list.
Front Row is media center software for Mac OS X.Front Rowtab settings allow you to control whether or not FrontRow is allowed to execute and supports the followingMac OS X Management Modeson page 103 of the Admin. Guide:Never,Always.
SelectAllow Front Row, to allow Front Row to execute on Mac OS X.
TheLegacytab settings control which applications are allowed to execute on Mac OS X 10.4 systems and supportsthe followingMac OS X Management Modeson page 103 of the Admin. Guide:Never,Always.
To control application restrictions on newer systems use the settings on theApplicationstab. Legacy Applicationsettings support a single list of Unix paths. Applications residing in a path in the list are allowed to execute if youselect theUser can open only these applicationsoption, or prevented from executing if you select theUser canopen all applications except theseoption. The path list functions as a deny list or an allow list, but not both.
The following options are also supported:
•User can also open all applications on local volumes
Select to allow users to execute all applications on local volumes. When not selected, the application must beallowed through the application path list configuration.
•Allow approved applications to launch unapproved applications
Select to allow approved applications to execute unapproved applications. When not selected, approvedapplications fail if they attempt to launch unapproved applications.
•Allow Unix tools to run
Select to allow users to execute standard Unix command line tools. When not selected, you must explicitly allowUnix tools to run through the path list configuration.
Widgetstab settings allow you to configure which Dashboard widgets are allowed to execute on Mac OS X clients. By default QAS enables a set of common Dashboard widgets for management. If you want to customize the set ofavailable Dashboard widgets you can edit thewidgets.xmlfile which is installed into the QAS installation directory. Widgets settings supports the followingMac OS X Management Modeson page 103:Never,Always.
If you select theAllow only the following Dashboard widgets to run:option, only the listed widgets are allowed. ClickAdd...andRemoveto configure the set of allowed widgets.