Permanently Disabling Time Machine

Time Machine is great for HOME use. In the enterprise it does not have a place. When I first started with my current job, we did use Time Machine and provided everyone a 1 TB external (while this worked while we were a lot smaller, it was not scalable, secure or maintainable). Since then we’ve gone to using CrashPlan to enable our workforce to back up remotely and securely.

Now, with Time Machine no longer being used or needed, we needed a way to fully disable it within our environment.

Disabling Time Machine is trivial as it’s built into macOS.

There are a few things we can do to disable it.

First we’ll create a configuration profile that disables access to Time Machine in System Preferences using jamfPro (or whatever management platform you use). In jamfPro you can do this by:

  1. Create a new Configuration Profile
    1. Name your Configuration Profile
    2. Install Computer Level
    3. Click the Restrictions Tab
    4. Check “Restrict items in System Preferences”
    5. Check “Time Machine”
    6. Click Save
    7. Deploy to your fleet

Alternatively you can use this Mobile config

The above takes care of the low-hanging fruit: “I clicked on Time Machine within System Preferences and set it up”. It also prevents users from reconfiguring Time Machine instances that are already set up. It does not disable currently running Time Machine instances, and as a result, any time a running instance has problems it notifies the user. With the PrefPane disabled, the user is unable to fix the issue.

To disable currently running Time Machine instances, we can run this command:

sudo tmutil disable

While this stops backups, how do we go about making sure that this command can’t be run by our users to configure Time Machine?

Unfortunately /usr/bin/tmutil is SIP-protected, so we can’t change the file (we could delete it through recovery, but that is NOT a preferred or scalable solution).

While jamfPro does block applications from running, it does not block applications run via the shell.

To block this as well, you’re going to have to use your malware or antivirus protection. The easiest way is to block the binary’s SHA256.

In CarbonBlack or Santa, you’d simply add the following SHA256 to your blacklist.

SHA256(/usr/bin/tmutil)= bde6379ac52dcc4aab557810d69f9cd39a192db11c111cf20cf9ce4f59b4ba5d

This SHA256 was calculated with the following command:

openssl sha -sha256 /usr/bin/tmutil

The command above will work for any app; replace /usr/bin/tmutil with the location of the app whose SHA256 you want to calculate.

Once this is done, the user is no longer able to configure Time Machine through the PrefPane or the terminal.
