Block execution of bash and zsh scripts in MacSolved

Participant
Discussion
2 years ago

Hi everyone,
We are using Hexnode to manage Mac & iOS devices in our organization. Macs are used by most of our employees and though we add restrictions on the device end, they can still run scripts via terminal to access some of the restricted features. Is there any way to block the users from executing bash or zsh scripts in the device?

Replies (4)

Marked SolutionPending Review
Hexnode Expert
2 years ago
Marked SolutionPending Review

Hi @timothy, thanks for reaching out to us.

Regarding your case, blocking the Terminal app in your Mac endpoints will be the ideal solution. You can use the Blacklist/Whitelist policy to block the Terminal app via Hexnode UEM.

Blacklisting enables you to block access to a particular app or a list of apps on the device.

You can Blacklist the Terminal app by heading to Policies > New Policy > New Blank Policy > macOS > App Management > Blacklist/Whitelist.

In the Blacklist/Whitelist policy, you can choose the type as Blacklist and click on Add to search & add the Terminal app to the list. Save & associate the policy with the target devices. This prevents the user from accessing the Terminal app.

Whitelisting enables you to allow only the required apps to be accessible on the device.

To Whitelist all the required work apps other than the Terminal app, choose the type as Whitelist in the Blacklist/Whitelist policy. Click on Add to search and add the apps required for work.

Once you have added all the required apps to the policy, save and associate the policy with the target devices. In this case, the user cannot access any app other than the apps that you have mentioned in the policy.

I hope this resolves your issue.

Darvin Hudson,
Hexnode UEM

 

Marked SolutionPending Review
Participant
2 years ago
Marked SolutionPending Review

Hey @timothy, you can try setting the login shell to an invalid value such as /bin/false in Directory Utility for AD users. This might help you to restrict access to the terminal.

 

Marked SolutionPending Review
Hexnode Expert
2 years ago
Marked SolutionPending Review

Hi @soren,
As you mentioned, setting the login shell to /bin/false can partially resolve the case but the user will still be able to run simple commands in the Terminal app without logging in to a shell at all. Also, this might create login issues.

Hence it is suggested to block the Terminal app by Blacklist/Whitelist policy.

Hope this clarifies your query, please reach out to us in case of any further queries.

Darvin Hudson,
Hexnode UEM

Marked SolutionPending Review
Participant
2 years ago
Marked SolutionPending Review

Thank you Darvin, blocking the terminal via policy actually solves our problem.

Save