Manage Folder Access
  • 29 Sep 2023

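The following script helps IT admins control a user's access to the Desktop, Documents, and Downloads folders on managed Mac devices. It blocks access by changing the folder's ownership to root:wheel and restores access by changing ownership back to the user.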

  1. Create a file on your desktop, for example, manage_folder_access.sh, and open it in a text editor like Notepad++.
  2. Copy the contents below to the file or click here to download the file.
    #!/bin/bash
    
    #Enter account name for which the action should be performed. 
    #You can check the username by running "dscl . -list /Users" command in the terminal
    USER_NAME="username"
    #Set the value to true if you want to block desktop folder access, else set as false
    SHOULD_BLOCK_DESKTOP="true"
    #Set the value to true if you want to block document folder access, else set as false
    SHOULD_BLOCK_DOCUMENT="true"
    #Set the value to true if you want to block download folder access, else set as false
    SHOULD_BLOCK_DOWNLOAD="true"
    
    ###### DO NOT EDIT CODE BELOW THIS ##########
    
    ## Check if user exists
    if id "$USER_NAME" &>/dev/null; then
        echo "User '$USER_NAME' exists."
    else
        echo "User '$USER_NAME' does not exist."
        exit 1
    fi
    
    DESKTOP_FOLDER="/Users/$USER_NAME/Desktop/"
    if [[ "$SHOULD_BLOCK_DESKTOP" = "true" ]]; then
        echo "Should block $USER_NAME's desktop folder access at $DESKTOP_FOLDER"
        chown -R root:wheel "$DESKTOP_FOLDER"
    else
        echo "Should unblock $USER_NAME's desktop folder access at $DESKTOP_FOLDER"
        chown -R "$USER_NAME":staff "$DESKTOP_FOLDER"
    fi
    
    DOCUMENT_FOLDER="/Users/$USER_NAME/Documents/"
    if [[ "$SHOULD_BLOCK_DOCUMENT" = "true" ]]; then
        echo "Should block $USER_NAME's document folder access at $DOCUMENT_FOLDER"
        chown -R root:wheel "$DOCUMENT_FOLDER"
    else
        echo "Should unblock $USER_NAME's document folder access at $DOCUMENT_FOLDER"
        chown -R "$USER_NAME":staff "$DOCUMENT_FOLDER"
    fi
    
    DOWNLOAD_FOLDER="/Users/$USER_NAME/Downloads/"
    if [[ "$SHOULD_BLOCK_DOWNLOAD" = "true" ]]; then
        echo "Should block $USER_NAME's download folder access at $DOWNLOAD_FOLDER"
        chown -R root:wheel "$DOWNLOAD_FOLDER"
    else
        echo "Should unblock $USER_NAME's download folder access at $DOWNLOAD_FOLDER"
        chown -R "$USER_NAME":staff "$DOWNLOAD_FOLDER"
    fi
    
    killall Finder
    1. While uploading the script, please select No for the option "Run script as signed-in user," as shown in the image below. 
  3. You can also execute the above script as a Dynamic Script with the Custom Properties feature on different devices that have different user accounts.
    1. Create a file on your desktop, for example, manage_folder_access_custom_properties.sh, and open it in a text editor like Notepad++.
    2. Copy the contents below to the file or click here to download the file.
      #!/bin/bash
      
      #Configure the user_account_name for the device via custom property
      USER_NAME="%$device.user_account_name%"
      #Configure the block_desktop_folder for the device via custom property
      SHOULD_BLOCK_DESKTOP="%$device.block_desktop_folder%"
      #Configure the block_document_folder for the device via custom property
      SHOULD_BLOCK_DOCUMENT="%$device.block_document_folder%"
      #Configure the block_download_folder for the device via custom property
      SHOULD_BLOCK_DOWNLOAD="%$device.block_download_folder%"
      
      ###### DO NOT EDIT CODE BELOW THIS ##########
      
      
      ## Check if user exists
      if id "$USER_NAME" &>/dev/null; then
          echo "User '$USER_NAME' exists."
      else
          echo "User '$USER_NAME' does not exist."
          exit 1
      fi
      
      DESKTOP_FOLDER="/Users/$USER_NAME/Desktop/"
      if [[ "$SHOULD_BLOCK_DESKTOP" = "true" ]]; then
          echo "Should block $USER_NAME's desktop folder access at $DESKTOP_FOLDER"
          chown -R root:wheel "$DESKTOP_FOLDER"
      else
          echo "Should unblock $USER_NAME's desktop folder access at $DESKTOP_FOLDER"
          chown -R "$USER_NAME":staff "$DESKTOP_FOLDER"
      fi
      
      DOCUMENT_FOLDER="/Users/$USER_NAME/Documents/"
      if [[ "$SHOULD_BLOCK_DOCUMENT" = "true" ]]; then
          echo "Should block $USER_NAME's document folder access at $DOCUMENT_FOLDER"
          chown -R root:wheel "$DOCUMENT_FOLDER"
      else
          echo "Should unblock $USER_NAME's document folder access at $DOCUMENT_FOLDER"
          chown -R "$USER_NAME":staff "$DOCUMENT_FOLDER"
      fi
      
      DOWNLOAD_FOLDER="/Users/$USER_NAME/Downloads/"
      if [[ "$SHOULD_BLOCK_DOWNLOAD" = "true" ]]; then
          echo "Should block $USER_NAME's download folder access at $DOWNLOAD_FOLDER"
          chown -R root:wheel "$DOWNLOAD_FOLDER"
      else
          echo "Should unblock $USER_NAME's download folder access at $DOWNLOAD_FOLDER"
          chown -R "$USER_NAME":staff "$DOWNLOAD_FOLDER"
      fi
      
      killall Finder
    3. Note that you will first need to create Custom Properties on the dashboard to use this script:
      1. Configure the custom property with the name user_account_name for the device.
      2. Configure the custom property with the name block_desktop_folder for the device.
      3. Configure the custom property with the name block_document_folder for the device.
      4. Configure the custom property with the name block_download_folder for the device.
  4. Follow our guide to upload & publish the Shell script using Scalefusion Dashboard.
Please note that to use the Shell scripts, the Scalefusion MDM Client Application must be installed on the device(s). Please follow our guide to publish and install the Scalefusion MDM Agent Application.
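
A pre-flight check that could run before the chown calls in either script, added here as an example and not part of Scalefusion's scripts. It rejects flag values other than "true"/"false" (the scripts above treat anything that is not "true" as unblock), rejects account names that could alter the folder path, and skips a target that is a symlink. All function names are hypothetical.

```bash
#!/bin/bash
# Added example: pre-flight checks for the folder-access scripts on this page.
# Function names are hypothetical, not part of the Scalefusion scripts.

# Accept only the literal strings "true" or "false". In the scripts above,
# every other value (empty, "True", an unsubstituted %$device...% placeholder)
# falls into the else branch and hands the folder back to the user.
valid_flag() {
    case "$1" in
        true|false) return 0 ;;
        *) return 1 ;;
    esac
}

# Accept only names made of letters, digits, '.', '_' and '-' that do not
# start with a dot, so the value cannot change the path built from it.
valid_user_name() {
    case "$1" in
        ""|.*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# A target qualifies only if it is a real directory and not a symlink.
# The trailing slash is stripped so the test applies to the path itself.
safe_target() {
    [ -d "${1%/}" ] && [ ! -L "${1%/}" ]
}

# Print the action for one folder: "block", "unblock" or "skip".
plan_action() {
    if ! valid_flag "$1" || ! safe_target "$2"; then
        echo "skip"
        return 1
    fi
    if [ "$1" = "true" ]; then echo "block"; else echo "unblock"; fi
}

# Constructed demo on a throwaway directory; no ownership is changed.
demo_dir="$(mktemp -d)"
mkdir "$demo_dir/Desktop"
ln -s "$demo_dir/Desktop" "$demo_dir/Downloads"
echo "Desktop,   flag true:  $(plan_action true "$demo_dir/Desktop/" || true)"
echo "Downloads, flag false: $(plan_action false "$demo_dir/Downloads/" || true)"
echo "Desktop,   flag empty: $(plan_action "" "$demo_dir/Desktop/" || true)"
rm -rf "$demo_dir"
```

In the scripts, call plan_action before each chown and exit non-zero on "skip" instead of changing ownership.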

Notes:

1. The scripts and their contents are sourced from various, albeit authenticated, Apple Developer communities and forums.

2. Please validate the scripts on a test machine before deploying them on all your managed devices.

3. Scalefusion has tested these scripts; however, Scalefusion will not be responsible for any data loss or system malfunction that may arise due to the incorrect usage of these scripts.

