Script to remove automatically delete apps owned by mobile users
 

Hi i am a systems admin and i was wondering if any one can help with my problem.

I have a system script which loops and deletes applications in the users directory every hour because they keep downloading and putting applications in their home directory.

The script is launched by a launch daemon and seemed to work fine until i found out a sneaky developer put an application in /tmp/.a/ so the script would not delete it.

Please can i have some help to create a script that will search the root of the hard disk and find any application owned by user say (wildcard) *.example.hq

(my mobile accounts end in this) and if so to automatically delete the application.

I would really really really be grateful for any help that can be given.

Can you give me some info on your environment? Are these clients bound to Open Directory?

I think I may have a few better solutions for you.

Please also explain why you want to (as I'm interpreting what you have said) prevent users from running apps that they have downloaded.

Note that:
- apps do not have to be in an "Applications" folder (as you've seen)
- apps do not have to be executable
- apps do not have to have a .app suffix
- anyone with access to Terminal (or some other terminal program they've downloaded) can change the permissions on an app file to make it executable (or whatever else is needed to make the app run) just before running it
- users could write scripts (either shell scripts or AppleScripts) that execute applications (possibly after modifying them - e.g. changing their name or making them executable)

my environment and why i want to do this
 

The Macintosh machines are bound to Active Directory through a plugin called ADmitMac by Thursby software systems. I am managing my applications through MCX application control on my test machines for a number of months and works great. Internal company politics are preventing me to implement MCX application control for production machines at the moment.:mad:

We have had issues with freelances bringing in applications outside the organization and using things like serial box to enter in an illegal serial.

Again internal politics are preventing me from disabling usb and firewire mass storage.:mad:

So for now i created a launch Daemon using Ligon which runs at startup and runs every hour deleting any apps found up to X folders deep in a users home directory.

As a system administrator it is my job to make sure the company is legally installing software through the proper channels.


See below here is some of it..goes on quite a lot as it goes on for a long long time:

#!/bin/bash

# Loop the Script

while :

do

# remove applications non-admin users have installed in their home directories which are not authorized. This will delete anything ending in .app X folders deep!

sudo rm -rf /Users/*\@example.hq/*.app
sudo rm -rf /Users/*\@example.hq/*/*.app
sudo rm -rf /Users/*\@example.hq/*/*/*.app
sudo rm -rf /Users/*\@example.hq/*/*/*/*.app
sudo rm -rf /Users/*\@example.hq/*/*/*/*/*.app
sudo rm -rf /Users/*\@example.hq/*/*/*/*/*/*.app
sudo rm -rf /Users/*\@example.hq/*/*/*/*/*/*/*.app
sudo rm -rf /Users/*\@example.hq/*/*/*/*/*/*/*/*.app

# Pause for 1 hour
sleep 3600

# When done the script will start again
done

Unfortunately whilst i am waiting for internal politics to actually get some where a sneaky developer downloaded an application and place it in /private/temp/.a/ so the script will never touch it.

I wish to achieve a script which searches the whole disk any any applications i.e ending in .app where the owner of the application is of a mobile account ending in .example.hq to be deleted.

1) Why are you using 'sudo' ?
Presumably the launchd item is running as root so no need for 'sudo'.

2) Why don't you use 'find' instead of wildcarding down to some predetermined level of folders?

3) See my points above about how searching for .app is not sufficient.
Or just try an experiment:
Copy one of your apps (e.g. Acquisition) to the Desktop and then remove its ".app" suffix. You will see it turn into a folder in Finder. Descend into the sub-folder "Contents/MacOS" and then double-click on the executable "Acquisition" there. It will launch as usual, but with text messages appearing in a Terminal window.

true the average user wouldn't think of doing that. I have tried a find command to write its findings out to a log but i am wishing to also get the owner information, date and time etc like a kind of ls -la you would normally do in terminal

This is what i have so far but ls -la is not recognized by find so i'm having problems with that and need to possibly pipe it out some way. I have found out the correct gid for a mobile account is 513.

find / -name *.app -gid 513 > /private/var/log/unauthorized_application.log

My idea now is that if i cannot stop them doing it, i can at least instead of deleting the application which will cause them to try and rename or hide them, i can create a log file. With the log file i can then show management all the apps people are installing and why we need MCX managed application control asap

Just for info, I use this logout script to sweep the student's temporary folder for downloaded applications.

#!/bin/sh

enquote () { /usr/bin/sed 's/^/"/;s/$/"/' ; } # function provided by Hayne

cd /"Student's temporary Folder"
find . -name '*.app' > foo.txt
cat foo.txt | enquote | xargs rm -r
rm foo.txt

Hi kaptagat

can you explain what the script does. I don't think this will work for me because i have a sneaky developer hidding application outside of their home directory now and i want to be able to list them in a log file with ownership information, time etc so i can show management.

not sure what the enquote does but i want to search all users

dont have a "Students temporary Folder"

i dont want to delete the foo.txt because i want the proof of what they are doing

This is what i have so far and the applications get written to the log and they get deleted but i need to try and also get the owner list date times etc in the log as well. I am also having the problem that every time the script runs the previous log gets over written.

#!/bin/sh

cd /
find / -name *.app -gid 513 > /private/var/log/unauthorized_application.log
cat /private/var/log/unauthorized_application.log | xargs rm -rf

The enquote function is used because the find command doesn't seem to properly find names with spaces. I am not at all sure how it works, Hayne posted it to the forum in response to another thread some time ago.

Thanks hayne & kaptagat.

Script works great and added in the loop and runs every hour. Now i don't need to worry about them trying to hide applications outside their home directory. Just need to work out how to list owner etc in the log file and then work out a way to rename the log so it doesn't get over written

MCX could handle this problem with out running any scripts, you should show the people in politics examples of how it works. I use MCX to restrict apps by file path. If the app is not in /Applications, it will not run period. That means no apps from their desktop or their thumb drive or whatever. Since every folder is owned by root:admin in /Applications and denies them write access.

Now there are a few things that make this method a bit of a pain. Any application with shared library files that contain apps, in say /Library will also need their path approved via MCX. This is actually quite easy to do in WorkGroup Manager if you are using OD, if you are doing it via local MCX you just gotta modify the XML property list.

There are a few more caveats, but I find it the most effective way for managing a client and only allowing approved applications. Of course, if your users have admin rights this won't matter.

Thanks tlarkin the day the internal politics gets sorted out and i can apply the MCX application control the better and i will be very happy. I've been testing out the MCX managed apps on my test machines for quite some time with the app signing as well, and all ready to go.

Management and users will never understand the need for these things :(

Might as well let them do what they want, install and launch untested or in some cases dodgey software or even entering in serials not owned or purchased by the company and just bide my time and wait for something serious to happen like a machine crash or the BSA come knocking on the door and then say i told you so.

Some times being a sys admin really sucks

Preaching to the choir my good man. I have to sit through countless meetings where they want my opinion and I say it, and they disregard it anyway.

Like the time someone ordered 6,000 individual licenses for a piece of software, which meant I got 6,000 CDs and 6,000 individual license keys. I was like, what in god's name am I suppose to do with this?

As far as client management goes though I am blessed with OD, MCX, and the Casper Suite. So I am golden there.

blimey you've had it bad. I'm using the Casper Imaging Suite and thats it for the mo but i'm really wanting to get the full suite as it really would save hassle.

casper is priceless, and does so much. Makes package deployment and client management a lot easier

I hate to say it, but what you need here is more social engineering than software engineering. you're the system admin, you set the rules, you can easily determine who's doing what sneaky thing where... If someone is so blatantly trying to circumvent the rules by adding a hidden app down in /tmp, send him a politely worded email asking him not to do it again (because the company can get sued over it), with a P.s. that the second time you have to send such an email it will be CCed to his boss, and your boss, and your bosses' boss. you will have few second offenders, and no third offenders.

Unfortunately sys admins do not set the rules. Executives, directors, and board members do. I have to comply with what they say, and if someone breaks AUP I just report them. Though I never do report them unless they continually break the rules on purpose. Then I just email the person in charge of them and let them handle it.

Yeah, I know, that's the bureaucratic approach. theres a reason why the bureaucratic approach generally fails: all of the people inclined to snark the rules believe they are getting away with it, at least until they get in serious trouble. it's all so very impersonal. it becomes a computer game for them - they see you as a kind of automatic process, and its fun to see whether they can sneak something past that goofy sysadmin bot. if you make it more personal, so that they know that (a) you are a person, (b) you see what they are doing, and (c) there's a reason why they shouldn't be doing it (even if only that it annoys you), you are much more likely to get cooperative responses.

Can't stand bureaucracies - such inherently dehumanizing institutions. I've read more than a handful of social science theories which claim that the worst aspects of the holocaust occurred because of bureaucrats toeing the bureaucratic line.

true i have sent the user an email cc in his boss like suggested prior to all of these posts but they sent me an email back claiming i was spying on them using vnc and i have never done that and also sent me a link pointing to the law about spying on people in the work place and i already know the law

http://www.direct.gov.uk/en/Employme...rk/DG_10026574

His boss came back saying he agrees with licensed software should go through the proper channels but should be able to do this for trial,freeware and open source apps.

I really don't understand why they don't get it. Just because it may be trial, freeware and open source apps doesn't make it okay.

Your right tw i am going to try the personal approach next time but there is this really strange idea because the Windows developers need admin rights to run IIS to create websites locally and they have been given admin rights (not by me no way ... thats the day i'm outta here if i get over ruled on this for the macs) the whole of the development team Windows and Mac have this idea they can do what ever they want regardless of procedures, protecting the company from illegal software, copyright, compliancy with EULA ( just deleting the plist in their preferences when the trial software runs out so they can start again), viruses etc etc

I'm only going to be able to protect the company, users and systems if management are on the same page but i feel sometimes they are slow readers and are still on the first page and then get bored and shut the book of common sense.

back to my current problem does anyone know how to output the owner and date information in to a log. This is what i currently have but i am finding problems trying to include the | xargs ls -l doesn't seem to work.

#!/bin/sh

while :

do

cd /
find / -name *.app -gid 513 > /private/var/log/unauthorized_application.log
cat /private/var/log/unauthorized_application.log | xargs rm -rf

# Pause for 1 hour
sleep 3600

# When done the script will start again
done

The problem you're having is that everyone you're dealing with (management and employees alike) is ignorant, selfish, and/or lazy (which is normal, and perfectly OK - most people are, and the few who aren't are a hell of a lot better then the rest of us). the way to deal with this (following Sun Tzu, and several others) is to tell them:

• yes, you're monitoring them
• yes, you (as sys-admin) have a perfect right to monitor them
• no, you don't want to get them in trouble
• no, you don't want the company to get sued
• yes, you are willing to help them get what they want legally (within your budget and abilities), if only they would be so kind as to tell you what exactly it is they want.

no need to worry about why they don't get it; just accept that they don't get it (and probably won't get it in the near future) and offer them a reasonable but firm compromise. they will work out the moral details on their own time.

Put the company first, employees second, and management third, and everyone will love you. just don't tell the management that they are third (managers are ego-obsessed - they always need to think they are first, but they will be happy if you ignore them and do right by the company).

two points:
there's no need to use sleep if you're running this via launchd. just set launchd's StartInterval key to run the script periodically.
rather than using find, I'd search the metadata using mdfind. with mdfind it's easy to see what files were accessed in the last X amount of time. I'll look into the xargs issue.

good call not to use the sleep and i have changed the StartInterval Key. I haven't used mfind before but from what i can see i cannot search by gid 513 and thats an important part of the script.

thanks for that but i get the following errors

removeapps.sh: line 13: /private/var/unauthorized_application/new: No such file or directory
removeapps.sh: line 16: /private/var/unauthorized_application/new: No such file or directory
removeapps.sh: line 19: /private/var/unauthorized_application/ls.log: No such file or directory
cat: /private/var/unauthorized_application/new: No such file or directory
cat: /private/var/unauthorized_application/new: No such file or directory
rm: /private/var/unauthorized_application/new: No such file or directory

find -0 is showing as an illegal option

Oops. My mistake:

find / -iname '*.app' -group 513 -print0 > "$logdir"/new

You might want to also be sure the log directory exists. Right after the logdir=... line, add:

mkdir -p "$logdir"

wow this is really great thanks a lot ganbustein and thanks to tw & tlarkin this will really really help

much appreciated :)

Just to add one last thing. If you were to get the full blown Casper Suite, built into the Casper framework is the ability to 'blacklist' certain apps. In doing so it gives you options to also notify the user a custom message, and delete the app from the HD.

So for example, we had tons of students running skype from their downloads menu with in Safari or Firefox. Since Safari and Firefox were approved apps, skype could launch from with in the app and get past my MCX settings, since it was being launched from a proper path. I did not use digital signing for management as it was annoying, in the regard that if I approved say garage band, I had to approve every other app manually with in the contents of garageband itself. If I did not, the app would not run. Apple at the time (this was back in 10.5.1) said it wasn't suppose to do that, but it did.

So, I just created a policy that if skype ever ran, it displayed a message to the user that this app was banned from all school property, it will be deleted and that they have been logged as running an illegal app. Of course I didn't maintain log files on who ran skype just put that bit in there.

You should really stress to the powers that be that Casper and OD MCX are two needed tools to help manage systems. I am one guy and I managed 8,000 clients and 35 servers with the Casper suite. I do have some help in my department, but I am the only one who does any of the back end work.

actually, there is: it's the kMDItemFSOwnerGroupID key. you'd use something like mdfind 'kMDItemLastUsedDate >= $time.now(-3600) && kMDItemFSOwnerGroupID == 513'. But if you've got something working with find it might be better, since it precludes potential problems with non-indexed files.

Hi ganbustein

The script seems to work but there is one slight problem. It is searching all network drives as well. Is there any way to change the script to make sure it is just searching the local machine. We use naming conventions an each machine has different names and not just called Mac HD

Just slap a -x immediately after the find:

find -x

...and then add whatever [ / -iname '*.app' -group 513 -print0 > "$logdir"/new ] after the -x

tried putting some apps in /Temp/.a/ directory as a mobile user gid 513 to see if the apps would delete and write to log files. Seems adding the -x then the command doesn't seem to fix this. Its is as through is is trying all the network drives then bombs out.

Possibly need some thing in the script to tell it just to complete this find on the OS volume but i am not sure how to do that.

Well -x is the exact right answer to the previous question as written... but, perhaps those new /home and /net folders are getting in the act.

-x stops find from delving into subdirectories of /Volumes (which is where most external stuff gets mounted), and i would think it should also exclude any other non-local mountpoints... but idunno

From the man page:

An alternative perhaps is to specify a list of folders in which to restrict the search:
But i don't see why -x would fail for you.
Must be something to do with "Server"?
Else, something is amiss.

Thanks guys -x looks like this is needed without my test machines kernel panic.

Hey tlarkin i've seen a great script on your site its this one but i cannot get it working

http://www.tlarkin.com/tech/2-shell-...ing-convention

please can you set me up an account

I turned off auto account creation because of spammers. That script actually has syntax issues because of my syntax highlighter. I have it fixed I think, but have not migrated it to my site yet. Time is scarce these days for web dabbling for me.

email me your user name and I can approve your account

thanks my username is kimpton79 can you authorise my account i really need to try and get this script working and would appreciate your help

I will take a look at it tonight. My powersupply blew up in a storm a week ago and the replacement finally came in the mail last night. So I am going to rebuild my PC which has all my current web work on it and I will upload the changes and hopefully get everything straightened out.

You can send me a PM or start a new thread if you have any questions on a script I wrote as well. The only reason you need an account on my site is to create content or leave a comment.

I have found the script very useful and for getting rid of users apps but with a Launch Daemon running it every hour has an effect on the machine performance.

To get around this problem I have added the script to my /etc/daily.local

The periodic daily jobs runs in the early hours in the morning (03.15am) after that the system recognises there is another job called the daily.local and the machine goes ahead and does that as well.

I just have the schedule settings for the machines to power up at 03.00am and shut down at 06.30am

In my daily.local file I have the following

1. Repair disk permission
2. Anti-virus scan of the system
3.Software update (machines already point to my SUS
4. Runs this remove apps script

See below

# Begin Repair Permissions Script
PATH=/bin:/sbin:/usr/sbin:/usr/bin:/usr/libexec
export PATH
host=`hostname -s`
echo "Repairing Permissions on System Drive"
diskutil repairPermissions /
# End Repair Permissions Script

# Begin Sophos Sweep
sweep / --quarantine -exclude /Library/Management/Triggers
# End Sophos Sweep

# Begin Software Update
sudo sh /Library/Management/Scripts/Softwareupdate.sh
# End Software Update

# Remove unauthorized apps users have downloaded or brought in
sudo sh /Library/Management/Scripts/removeapps.sh
# End removing unauthorized apps


I have come to the conclusion the only way forward is application control through MCX. Even though the remove apps script works at night, there is nothing stopping a user downloading the application and using it every day or bringing in an application on a usb stick and launching it from there.

It is very tempting to just have the launch daemon for the developers as they can never be trusted. But I don't want to be the one responsible for loss of productivity because the machine is slower to respond to other tasks whilst the machine is running.

The way forward is to bite my lip and do some social engineering as I can see this is the only way to convince management MCX app control is a good thing and convince the users downloading and launching apps is not good for the company.

I hate corporate red tape like anyone but I also dislike social engineering and social events as it makes me vomit seeing people brown nosing to management and directors.

Time to get those sick bags and dive in!

This script is going well but i have noticed one problem. I am running a launch daemon to run the script every hour but i can see through some logs that it is also searching through network volumes as well.

the name of local disks are all different and upper case. I have found scutil --get ComputerName outputs the computer name correctly in the correct upper case but i am unsure how to pass this on to the find command.

If anyone can help this would be great.

got it working
 

I found i have to use the -mount to search the local disk only as i have found that some machines are kernel panicking.

So the command is find -x / -mount -iname '*.app' -group 513
:D

I still don't see why you don't use local MCX?