Block access to macOS Migration Assistant

Revilo
Conversationalist


Hi,

 

At my place of work, we've recently run into a problem with users migrating data from their old laptops using Apple's utility Migration Assistant.

 

This results in the profiles being transferred as well, which blocks the "correct" enrollment of the new device, rendering me unable to remove the profiles from their machines, as it is in a sort of "limbo".

 

My solution so far is that I'd like to block the program Migration Assistant, as it's required for migration of data.

(I know it is possible for the user to uncheck "Network settings", but I don't trust that they'll read the documentation for a correct migration, which I'd have to make)

 

The idea is to add restrictions to the profile, utilizing "Show or hide apps".

The problem is that Migration Assistant isn't showing up in the drop-down menu.

 

I've tried to manually add "com.apple.MigrateAssistant" which should be the correct name for the process, but this unfortunately did not work.

 

So if any of you have had success with this, or something similar, help is much appreciated!

 

Best regards,

Oliver

2 REPLIES
Hamish_Deas
Conversationalist

Hopefully you've figured this one out by now, but if not I think you should be able to restrict just based on the application name "Migration Assistant" or "Migration Assistant.app".

 

I use a different MDM at my organisation, so can't test this, but I noticed that the Meraki documentation states that using an application identifier only works for iOS + Android, so I'd imagine that may be what's causing this issue.

 

See: App allowing/denying list in security policies - Cisco Meraki

 

Application Name: This is the friendly display name of the app, and can be used across both desktop and mobile devices. Ex. "Google Chrome", "Facebook", "*SMS*".

 

Application Identifier: This can be the unique app ID or bundle ID for an app, and can only be used with iOS and Android. Ex. "com.meraki.sm", "com.google.*", "472572194".

Green_Ghost
Meraki Employee

It looks like you're trying to block the app using "Show or hide apps" from the restrictions payload. This setting adds a config within the profile called "blacklistedAppBundleIDs", but it is only supported on iOS, and not macOS (documentation).

 

macOS has Migration Assistant protected by SIP (System Integrity Protection), so it cannot be removed via "Systems Manager -> Software" or by any script.

 

Although SM can detect installed and running programs (via security policies, or fetch process list live tool), it does not have the ability to automatically kill those processes if they are running.

 

I would recommend that you submit a "make a wish" for the ability to prevent applications from being run. I don't see any simple way to prevent users from launching Migration Assistant.
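
As an added example (not part of the thread and not Meraki's code): a Python check that parses a configuration profile and reports restrictions-payload keys that, per the reply above, are iOS-only and so have no effect on a Mac. The sample profile and its identifiers are constructed, and the iOS-only key set holds only the key named in the thread.

```python
import plistlib

# Restrictions-payload keys the thread reports as supported on iOS only.
IOS_ONLY_KEYS = {"blacklistedAppBundleIDs"}
RESTRICTIONS_TYPE = "com.apple.applicationaccess"  # Apple's Restrictions payload type

# Constructed sample profile (not exported from any real MDM).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.constructed.profile</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>PayloadIdentifier</key><string>example.constructed.restrictions</string>
      <key>blacklistedAppBundleIDs</key>
      <array><string>com.apple.MigrateAssistant</string></array>
    </dict>
  </array>
</dict></plist>"""


def ineffective_on_macos(profile_bytes):
    """Return (payload id, key, values) for iOS-only keys in restrictions payloads."""
    try:
        profile = plistlib.loads(profile_bytes)
    except Exception as exc:  # malformed, or a signed (CMS-wrapped) profile
        raise ValueError(f"not a plain plist profile: {exc}") from exc
    if not isinstance(profile, dict):
        raise ValueError("profile root is not a dictionary")
    findings = []
    for payload in profile.get("PayloadContent", []):
        # Skip anything that is not a restrictions payload.
        if not isinstance(payload, dict):
            continue
        if payload.get("PayloadType") != RESTRICTIONS_TYPE:
            continue
        for key in sorted(IOS_ONLY_KEYS & payload.keys()):
            ident = payload.get("PayloadIdentifier", "?")
            findings.append((ident, key, list(payload[key])))
    return findings


if __name__ == "__main__":
    for ident, key, values in ineffective_on_macos(SAMPLE_PROFILE):
        print(f"{ident}: '{key}' {values} is not enforced on macOS")
```

Running a check like this against the profile assigned to Mac devices shows whether the block the admin expects actually exists on that platform, rather than assuming the restriction is in force.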
