(This is just experimenting for educational purposes.)
I'm the admin of the computer and I have SIP disabled. I wish to imitate iOS restrictions on macOS by prohibiting access (to one other specific user account, not me) to all directories except for 'Downloads' of their equivalent 'Users' folder.
Yes, the apps they launch can freely read/write from/to 'Library' and other system-related files as they normally would, but the user just never gets to access those directories (pretty much like iOS minus the sandboxed app-data)
When using Finder (or any other file browser) they can only access their Downloads folder.
Managing their system (installing/uninstalling apps etc.) is of lesser importance as I, the admin, can do it for them when asked.
I think I can implement this by applying a 'No Access' rule to their user account for all directories, which attaches a red flag icon to the folder and does not allow one to access it when clicked.
Instead of going through every single folder to do this with cmd+I, can I do this with Terminal for all directories minus 'Downloads'?
Best Answer
Any access on macOS is running with the credentials of the user owning a process, so you can't prohibit user access to e.g. ~/Documents or ~/Library while still allowing applications started by the same user to access content stored there. I've never tried, but removing user access from ~/Library most likely will even prevent the user from logging in (in a probably unpleasant way).

This is vastly different from sandboxing on iOS, where each app basically has its own sandboxed space within the filesystem (which ensures that app A can't access data of app B unless both are coded specifically to support this) and where app-specific preferences etc. are stored within the sandbox itself.