0

I am trying to set user-specific access to certain apps and folders on a mac, and I found this answer to be extremely helpful. (Thanks @Gordon Davisson!)

However, I can't seem to run the chmod commands on applications inside the /System/Applications folders, even when I use sudo:

sudo chmod +a \ 
     "user:some_user deny list,search,readattr,readextattr,readsecurity" \
     /System/Applications/Mail.app

chmod: Failed to set ACL on file '/System/Applications/Mail.app': Operation not permitted

Is there a workaround?

Update

At the moment I would be happy to even have a specific solution that...

  • Worked on Catalina, even if it doesn't work on more recent versions
  • Only works to add and remove custom-deny rules access (i.e. restrict permissions) rather than extending additional permissions
brahn
  • 101
  • 1
  • 1
    In recent versions of macOS, system files (including /System/Applications) are protected against modification by System Integrity Protection (SIP) and being stored on a separate, read-only, cryptographically sealed system volume. See this Eclectic Light Co article. It is possible to bypass all these protections (see this question), but I would strongly recommend against it. – Gordon Davisson Jun 23 '22 at 20:14
  • Thanks for the pointers! Fwiw, in the short term I'd be happy to have a solution that worked on Catalina. (Just added an update to reflect this.) – brahn Jun 23 '22 at 21:47
  • 2
    Would app restrictions in parental controls work for what you're trying to do? (I haven't tested, so I don't know if you can set a limit to zero.) – Gordon Davisson Jun 23 '22 at 22:28
  • What is your ultimate purpose in doing this? Might there be a different method of achieving it? (E.g. as Gordon points out, by using parental controls) – benwiggy Jun 25 '22 at 13:54
  • @GordonDavisson The parental controls were replaced by screen time limits. However, you can't set screen time limits to zero -- the minimum is one minute. (And I believe the user can ask for an extra minute per app per day, so the real limit is two minutes). And while it's not as if two minutes of app usage is a real problem for my use case (this is about parental controls, not a traditional security/permissions issue), I'd like to remove the temptation. – brahn Jun 25 '22 at 21:10
  • @benwiggy Fair question! My goal is to implement better parental controls than mac has provided (see previous comment). – brahn Jun 25 '22 at 21:12

0 Answers0