Objective
Define the criteria any application agent must meet before it is deployed and installed on a Digital Mac endpoint. This provides a framework for deciding whether to adopt a new application without impeding the velocity of our users or negatively impacting deployed hardware.
Requirements
Mac applications must fulfill the following requirements to be considered:
- Must be compatible with the latest macOS
- Must have a demonstrated record of day-zero, or near day-zero, support for new macOS releases.
- Applications that would impede our ability to adopt the newest macOS release will not be accepted.
- Must not significantly impact system performance
- Must be deployable from Jamf Pro
- Must be 64-bit and sandboxed
- Must be digitally signed and notarized with a valid Apple Developer Certificate
- Must be packaged with Apple’s technology (e.g. Installer package or drag-and-drop)
- Must be a self-contained, single application bundle and must not install code or resources in shared locations not approved by Apple (shared containers for sandboxed apps, for example, are acceptable)
- Must not install kernel extensions (kexts)
- Must not use deprecated or optionally installed technologies
- Must not add itself to Login Items or other startup mechanisms without the user’s consent
- Must not request elevation to root privileges or use setuid attributes (i.e. it must run within the user’s space as a standard user)
- Must only use public macOS APIs, and approved APIs for accessing or modifying other apps’ user data
- Must comply with macOS file system conventions
- Must not modify, change or disable the built-in Quarantine, firewall or Gatekeeper protections
- Security applications or applications that will be audited must provide secure logging capabilities.
- Must not negatively impact operational overhead: does it reduce our ability to support end users (can we retain quick turnaround times for issues)?
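A pre-deployment vetting script for several of these requirements, added here as an example and not part of this policy or of any Jamf Pro tooling. It reads a bundle's Info.plist, inspects the main executable's Mach-O header for 64-bit slices, searches the bundle for kexts, launch items, privileged helpers and setuid binaries, and checks an entitlements plist (extracted beforehand with `codesign -d --entitlements :- App.app`) for the sandbox key. Signature and Gatekeeper checks call `codesign` and `spctl` only when those tools exist on the host, so the script also runs off-macOS with those two checks reported as skipped. The two bundles it builds are constructed stubs (a Mach-O header and an Info.plist only, not real applications); the `com.example.*` identifiers and the `make_demo_bundle` helper are assumptions for the demo.

```python
"""Vet a macOS .app bundle against the deployment requirements above.
Added example, not part of the original policy.  Offline checks read the
bundle's own files; codesign/spctl checks run only where those tools exist."""
import os
import plistlib
import shutil
import stat
import struct
import subprocess
import tempfile
from pathlib import Path

MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE  # 64-bit Mach-O, either byte order
FAT_MAGIC = 0xCAFEBABE                             # universal binary, big-endian header
CPU_ARCH_ABI64 = 0x01000000                        # bit set in cputype for 64-bit slices


def is_64bit_macho(path):
    """True for a 64-bit Mach-O file or a fat binary containing a 64-bit slice."""
    with open(path, "rb") as fh:
        head = fh.read(8)
        if len(head) < 8:
            return False
        magic, nfat = struct.unpack(">II", head)
        if magic in (MH_MAGIC_64, MH_CIGAM_64):
            return True
        if magic != FAT_MAGIC:
            return False
        archs = fh.read(20 * nfat)          # each fat_arch entry is five big-endian uint32s
        if len(archs) < 20 * nfat:
            return False
        return any(struct.unpack(">I", archs[i:i + 4])[0] & CPU_ARCH_ABI64
                   for i in range(0, 20 * nfat, 20))


def _load_plist(source):
    if isinstance(source, dict):
        return source
    with open(source, "rb") as fh:
        return plistlib.load(fh)


def run_tool(cmd):
    """Run a macOS verification tool; (None, reason) when it is not on this host."""
    if shutil.which(cmd[0]) is None:
        return None, f"{cmd[0]} not available on this host (skipped)"
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.returncode == 0, (proc.stderr or proc.stdout).strip()


def check_bundle(app_path, entitlements=None):
    """Map each requirement to (passed, detail); passed is None for a skipped check."""
    app, r = Path(app_path), {}
    info_path = app / "Contents" / "Info.plist"
    if not info_path.is_file():
        return {"info_plist": (False, "Contents/Info.plist missing")}
    info = _load_plist(info_path)
    r["info_plist"] = (True, info.get("CFBundleIdentifier", "<no bundle id>"))
    # Compatibility: the bundle should declare the minimum macOS it supports.
    r["min_os_declared"] = ("LSMinimumSystemVersion" in info, str(info.get("LSMinimumSystemVersion")))
    # 64-bit: inspect the main executable's Mach-O header.
    exe = app / "Contents" / "MacOS" / info.get("CFBundleExecutable", "")
    r["is_64bit"] = (exe.is_file() and is_64bit_macho(exe), str(exe))
    # No kexts, launch items or privileged helpers shipped inside the bundle.
    kexts = [str(p) for p in app.rglob("*.kext")]
    r["no_kexts"] = (not kexts, ", ".join(kexts) or "none")
    launch = [str(p) for p in app.rglob("*") if p.is_dir() and p.name in ("LaunchAgents", "LaunchDaemons")]
    r["no_launch_items"] = (not launch, ", ".join(launch) or "none")
    helpers = info.get("SMPrivilegedExecutables", {})
    r["no_privileged_helper"] = (not helpers, ", ".join(helpers) or "none")
    # No setuid/setgid files: the agent must run as the standard user.
    suid = [str(p) for p in app.rglob("*")
            if p.is_file() and p.stat().st_mode & (stat.S_ISUID | stat.S_ISGID)]
    r["no_setuid"] = (not suid, ", ".join(suid) or "none")
    # Sandbox entitlement, from entitlements extracted earlier with codesign.
    if entitlements is not None:
        ent = _load_plist(entitlements)
        r["sandboxed"] = (bool(ent.get("com.apple.security.app-sandbox")), "com.apple.security.app-sandbox")
    # Signature and Gatekeeper assessment (spctl -vv reports the notarization source); macOS only.
    r["signature_valid"] = run_tool(["codesign", "--verify", "--deep", "--strict", str(app)])
    r["gatekeeper_accepts"] = run_tool(["spctl", "--assess", "--type", "execute", "-vv", str(app)])
    return r


def passes(results):
    """Overall verdict: no check that could run may have failed (skipped checks do not fail)."""
    return all(ok is not False for ok, _ in results.values())


def make_demo_bundle(root, name, *, kext=False, setuid=False, helper=False, bits=64):
    """Build a minimal stub .app (constructed sample: header bytes only, not a real app)."""
    app = Path(root) / f"{name}.app"
    macos = app / "Contents" / "MacOS"
    macos.mkdir(parents=True)
    info = {"CFBundleIdentifier": f"com.example.{name.lower()}", "CFBundleExecutable": name,
            "LSMinimumSystemVersion": "13.0"}
    if helper:  # hypothetical privileged helper declaration
        info["SMPrivilegedExecutables"] = {"com.example.helper": "identifier com.example.helper"}
    with open(app / "Contents" / "Info.plist", "wb") as fh:
        plistlib.dump(info, fh)
    exe = macos / name
    magic = MH_CIGAM_64 if bits == 64 else 0xCEFAEDFE   # 0xCEFAEDFE: 32-bit Mach-O as stored on disk
    exe.write_bytes(struct.pack(">I", magic) + b"\0" * 28)
    if setuid:
        os.chmod(exe, 0o4755)
    if kext:
        (app / "Contents" / "Library" / "Extensions" / "Demo.kext").mkdir(parents=True)
    return app


def demo():
    """Vet one compliant and one non-compliant stub bundle; returns both result maps."""
    tmp = tempfile.mkdtemp()
    good = check_bundle(make_demo_bundle(tmp, "Good"), entitlements={"com.apple.security.app-sandbox": True})
    bad = check_bundle(make_demo_bundle(tmp, "Bad", kext=True, setuid=True, helper=True, bits=32), entitlements={})
    return good, bad


if __name__ == "__main__":
    for label, res in zip(("Good.app", "Bad.app"), demo()):
        print(label, "PASS" if passes(res) else "FAIL")
        for name, (ok, detail) in res.items():
            print(f"  {'skip' if ok is None else ('ok  ' if ok else 'FAIL')} {name}: {detail}")
```

Run it against a real bundle with `check_bundle("/Applications/Example.app", entitlements="ents.plist")` on a Mac; there the `codesign` and `spctl` results become meaningful, and `spctl -vv` output includes the assessment source (for a notarized Developer ID app, "Notarized Developer ID"). The offline checks cover the kext, setuid, Login Item and sandbox requirements; day-zero OS support, performance impact and logging still need a human review and a test deployment.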
| Published Date |
|---|
| 02-22-24 |