back to my current problem does anyone know how to output the owner and date information in to a log. This is what i currently have but i am finding problems trying to include the | xargs ls -l doesn't seem to work.

#!/bin/sh

while :

do

cd /
find / -name *.app -gid 513 > /private/var/log/unauthorized_application.log
cat /private/var/log/unauthorized_application.log | xargs rm -rf

# Pause for 1 hour
sleep 3600

# When done the script will start again
done

The problem you're having is that everyone you're dealing with (management and employees alike) is ignorant, selfish, and/or lazy (which is normal, and perfectly OK - most people are, and the few who aren't are a hell of a lot better then the rest of us). the way to deal with this (following Sun Tzu, and several others) is to tell them:

• yes, you're monitoring them
• yes, you (as sys-admin) have a perfect right to monitor them
• no, you don't want to get them in trouble
• no, you don't want the company to get sued
• yes, you are willing to help them get what they want legally (within your budget and abilities), if only they would be so kind as to tell you what exactly it is they want.

no need to worry about why they don't get it; just accept that they don't get it (and probably won't get it in the near future) and offer them a reasonable but firm compromise. they will work out the moral details on their own time.

Put the company first, employees second, and management third, and everyone will love you. just don't tell the management that they are third (managers are ego-obsessed - they always need to think they are first, but they will be happy if you ignore them and do right by the company).

two points:
there's no need to use sleep if you're running this via launchd. just set launchd's StartInterval key to run the script periodically.
rather than using find, I'd search the metadata using mdfind. with mdfind it's easy to see what files were accessed in the last X amount of time. I'll look into the xargs issue.

good call not to use the sleep and i have changed the StartInterval Key. I haven't used mfind before but from what i can see i cannot search by gid 513 and thats an important part of the script.

thanks for that but i get the following errors

removeapps.sh: line 13: /private/var/unauthorized_application/new: No such file or directory
removeapps.sh: line 16: /private/var/unauthorized_application/new: No such file or directory
removeapps.sh: line 19: /private/var/unauthorized_application/ls.log: No such file or directory
cat: /private/var/unauthorized_application/new: No such file or directory
cat: /private/var/unauthorized_application/new: No such file or directory
rm: /private/var/unauthorized_application/new: No such file or directory

find -0 is showing as an illegal option

Oops. My mistake:

find / -iname '*.app' -group 513 -print0 > "$logdir"/new

You might want to also be sure the log directory exists. Right after the logdir=... line, add:

mkdir -p "$logdir"

wow this is really great thanks a lot ganbustein and thanks to tw & tlarkin this will really really help

much appreciated :)

Just to add one last thing. If you were to get the full blown Casper Suite, built into the Casper framework is the ability to 'blacklist' certain apps. In doing so it gives you options to also notify the user a custom message, and delete the app from the HD.

So for example, we had tons of students running skype from their downloads menu with in Safari or Firefox. Since Safari and Firefox were approved apps, skype could launch from with in the app and get past my MCX settings, since it was being launched from a proper path. I did not use digital signing for management as it was annoying, in the regard that if I approved say garage band, I had to approve every other app manually with in the contents of garageband itself. If I did not, the app would not run. Apple at the time (this was back in 10.5.1) said it wasn't suppose to do that, but it did.

So, I just created a policy that if skype ever ran, it displayed a message to the user that this app was banned from all school property, it will be deleted and that they have been logged as running an illegal app. Of course I didn't maintain log files on who ran skype just put that bit in there.

You should really stress to the powers that be that Casper and OD MCX are two needed tools to help manage systems. I am one guy and I managed 8,000 clients and 35 servers with the Casper suite. I do have some help in my department, but I am the only one who does any of the back end work.

actually, there is: it's the kMDItemFSOwnerGroupID key. you'd use something like mdfind 'kMDItemLastUsedDate >= $time.now(-3600) && kMDItemFSOwnerGroupID == 513'. But if you've got something working with find it might be better, since it precludes potential problems with non-indexed files.

Hi ganbustein

The script seems to work but there is one slight problem. It is searching all network drives as well. Is there any way to change the script to make sure it is just searching the local machine. We use naming conventions an each machine has different names and not just called Mac HD

Just slap a -x immediately after the find:

find -x

...and then add whatever [ / -iname '*.app' -group 513 -print0 > "$logdir"/new ] after the -x

tried putting some apps in /Temp/.a/ directory as a mobile user gid 513 to see if the apps would delete and write to log files. Seems adding the -x then the command doesn't seem to fix this. Its is as through is is trying all the network drives then bombs out.

Possibly need some thing in the script to tell it just to complete this find on the OS volume but i am not sure how to do that.

Well -x is the exact right answer to the previous question as written... but, perhaps those new /home and /net folders are getting in the act.

-x stops find from delving into subdirectories of /Volumes (which is where most external stuff gets mounted), and i would think it should also exclude any other non-local mountpoints... but idunno

From the man page:

An alternative perhaps is to specify a list of folders in which to restrict the search:
But i don't see why -x would fail for you.
Must be something to do with "Server"?
Else, something is amiss.

Thanks guys -x looks like this is needed without my test machines kernel panic.

Hey tlarkin i've seen a great script on your site its this one but i cannot get it working

http://www.tlarkin.com/tech/2-shell-...ing-convention

please can you set me up an account

I turned off auto account creation because of spammers. That script actually has syntax issues because of my syntax highlighter. I have it fixed I think, but have not migrated it to my site yet. Time is scarce these days for web dabbling for me.

email me your user name and I can approve your account

thanks my username is kimpton79 can you authorise my account i really need to try and get this script working and would appreciate your help

I will take a look at it tonight. My powersupply blew up in a storm a week ago and the replacement finally came in the mail last night. So I am going to rebuild my PC which has all my current web work on it and I will upload the changes and hopefully get everything straightened out.

You can send me a PM or start a new thread if you have any questions on a script I wrote as well. The only reason you need an account on my site is to create content or leave a comment.

I have found the script very useful and for getting rid of users apps but with a Launch Daemon running it every hour has an effect on the machine performance.

To get around this problem I have added the script to my /etc/daily.local

The periodic daily jobs runs in the early hours in the morning (03.15am) after that the system recognises there is another job called the daily.local and the machine goes ahead and does that as well.

I just have the schedule settings for the machines to power up at 03.00am and shut down at 06.30am

In my daily.local file I have the following

1. Repair disk permission
2. Anti-virus scan of the system
3.Software update (machines already point to my SUS
4. Runs this remove apps script

See below

# Begin Repair Permissions Script
PATH=/bin:/sbin:/usr/sbin:/usr/bin:/usr/libexec
export PATH
host=`hostname -s`
echo "Repairing Permissions on System Drive"
diskutil repairPermissions /
# End Repair Permissions Script

# Begin Sophos Sweep
sweep / --quarantine -exclude /Library/Management/Triggers
# End Sophos Sweep

# Begin Software Update
sudo sh /Library/Management/Scripts/Softwareupdate.sh
# End Software Update

# Remove unauthorized apps users have downloaded or brought in
sudo sh /Library/Management/Scripts/removeapps.sh
# End removing unauthorized apps


I have come to the conclusion the only way forward is application control through MCX. Even though the remove apps script works at night, there is nothing stopping a user downloading the application and using it every day or bringing in an application on a usb stick and launching it from there.

It is very tempting to just have the launch daemon for the developers as they can never be trusted. But I don't want to be the one responsible for loss of productivity because the machine is slower to respond to other tasks whilst the machine is running.

The way forward is to bite my lip and do some social engineering as I can see this is the only way to convince management MCX app control is a good thing and convince the users downloading and launching apps is not good for the company.

I hate corporate red tape like anyone but I also dislike social engineering and social events as it makes me vomit seeing people brown nosing to management and directors.

Time to get those sick bags and dive in!