Prevent certain APFS volumes from being deleted in Disk Utility.app

Tags: apfs, catalina, disk-utility, diskutil, terminal

I can open Disk Utility and permanently erase any highlighted, internal APFS disk volume not being used to boot the currently running operating system, just by clicking the delete or – (minus) button, and without getting any prompts for an administrator password.

The same goes even when Disk Utility observes and warns me that the volume contains another installation of macOS and macOS user data, and any user can carry out the operation.

Is it possible to lock down these actions for certain APFS volumes?

That is, how can I disable / grey out the delete button for those volumes, so the button can't be pressed? Or, how can I make Disk Utility prompt for an administrator password when performing these operations, either globally or on certain volumes?

Is it possible to achieve one or the other possibly using Terminal, diskutil and/or APFS verbs or otherwise?
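As an added example (not part of the question or of any answer), the shell script below inventories the APFS volumes the question is worried about: it parses `diskutil list` output, takes the device mounted at `/` (and, on Catalina and later, the paired Data volume at `/System/Volumes/Data`) from `mount` output as the running system, and reports every other APFS volume, which is the set Disk Utility will erase without an administrator prompt according to the question. The `diskutil list` and `mount` texts embedded below are constructed samples so the script runs offline; on a real Mac you would pass `"$(diskutil list)"` and `"$(mount)"` instead. Function names and the layout of the samples are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: audit which APFS volumes are not
# part of the running system. Sample command outputs below are constructed.

# Constructed sample of `diskutil list` output (Catalina-style container with a
# second macOS installation, "Mojave", and its Data volume).
SAMPLE_DISKUTIL_LIST='/dev/disk1 (synthesized):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      APFS Container Scheme -                      +500.0 GB   disk1
                                 Physical Store disk0s2
   1:                APFS Volume Macintosh HD - Data     300.0 GB   disk1s1
   2:                APFS Volume Preboot                 80.0 MB    disk1s2
   3:                APFS Volume Recovery                500.0 MB   disk1s3
   4:                APFS Volume VM                      1.0 GB     disk1s4
   5:                APFS Volume Macintosh HD            11.0 GB    disk1s5
   6:                APFS Volume Mojave                  40.0 GB    disk1s6
   7:                APFS Volume Mojave - Data           60.0 GB    disk1s7
'

# Constructed sample of `mount` output on the same machine.
SAMPLE_MOUNT='/dev/disk1s5 on / (apfs, local, read-only, journaled)
/dev/disk1s1 on /System/Volumes/Data (apfs, local, journaled, nobrowse)
/dev/disk1s4 on /private/var/vm (apfs, local, noexec, journaled, noatime, nobrowse)
/dev/disk1s6 on /Volumes/Mojave (apfs, local, journaled)
'

# apfs_volumes: read `diskutil list` text on stdin, print "identifier<TAB>name"
# for each "APFS Volume" row. The name is every field between "APFS Volume"
# and the size/unit/identifier columns, so multi-word names survive intact.
apfs_volumes() {
  awk '/APFS Volume / {
    id = $NF
    name = $4
    for (i = 5; i <= NF - 3; i++) name = name " " $i
    print id "\t" name
  }'
}

# system_devices: read `mount` text on stdin, print the device identifiers that
# back the running OS: the volume at "/" and the Catalina-style Data volume.
system_devices() {
  awk '$3 == "/" || $3 == "/System/Volumes/Data" { sub("^/dev/", "", $1); print $1 }'
}

# nonsystem_volumes DISKUTIL_TEXT MOUNT_TEXT: print "identifier<TAB>name" for
# every APFS volume that is not part of the running system.
nonsystem_volumes() {
  sysdevs=" $(printf '%s\n' "$2" | system_devices | tr '\n' ' ') "
  printf '%s\n' "$1" | apfs_volumes | while IFS="$(printf '\t')" read -r id name; do
    case "$sysdevs" in
      *" $id "*) ;;                          # belongs to the running system: skip
      *) printf '%s\t%s\n' "$id" "$name" ;;  # exposed to erasure per the question
    esac
  done
}

# Stand-alone run against the constructed samples.
nonsystem_volumes "$SAMPLE_DISKUTIL_LIST" "$SAMPLE_MOUNT"
```

With the samples above the script lists Preboot, Recovery, VM, Mojave and "Mojave - Data", but not "Macintosh HD" or "Macintosh HD - Data". The three helper volumes appear because the script filters only on mount point, not on APFS role; filtering by role would need per-volume `diskutil info` calls, which is left out so the example runs offline.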

Best Answer

The answer is Parental Controls.

Below users axj and rpj both have Standard accounts. However, rpj has parental control turned on, therefore the account is labeled as Managed.

By default under Parental Controls, the Disk Utility is not an allowed App, as shown below.

The same is true for the Terminal application.

This does not prevent user rpj from using the Disk Utility, but user rpj would first have to enter the username and password of the Admin user dma. For example, if user rpj tried to open the Disk Utility application, then the following popups would appear.

If the buttons Always Allow... or Allow Once... are pressed, then the following popup appears.

If the proper username and password are entered, then the Disk Utility application will open. If Always Allow... was pressed, then the Disk Utility will be checked off in Parental Controls, as shown below.