Move to Trash Bin Policy

When a standard user deletes an application bundle via ⌘-delete or drag-n-drop from /Applications, the following actions are taken based on policy evaluation:

  • Allow - The deletion is allowed without prompting the user for credentials.
  • Present the appropriate Advanced Message Dialog:

    • Approval - The approval process is invoked before the deletion is allowed to complete.
      • Cancelled - The deletion is denied.
    • Denied - The Denied dialog is invoked and the user cannot delete the application bundle.
    • Justification - The justification process is invoked before the deletion is allowed to complete.
      • Cancelled - The deletion is denied.
    • Offline-Approval - The offline-approval process is invoked before the deletion is allowed to complete.
      • Cancelled - The deletion is denied.
    • Warning - The Warning dialog is invoked before the deletion is allowed to complete.
      • Cancelled - The deletion is denied.

To allow a standard user to delete application bundles from the /Applications directory, create an elevation policy that uses the Copy Install Application filter under Inclusions. We also recommend adding a justification message action. If used on endpoints running the KEXT agent, the policy needs to target an application to work correctly. This example starts with an empty policy.

  1. Navigate to your macOS Computer Group and select Application Policies.

  2. Click Create Policy.

  3. Click Skip the wizard, take me to a blank policy.

  4. Enter a Name and description for your policy, then click Create Policy.

  5. Click Add Inclusions.

  6. Search for and add the Copy Install Application filter.

  7. Click Update.

  8. Click Add Actions.

  9. Search for and add the Application Justification Message Action.

  10. Click Update.

  11. Click Save Changes.

  12. Set the Inactive switch to Active for policy updates at the endpoint.


A policy configured in this way will also allow a user to update or replace an App Bundle by drag-n-drop via Finder to the /Applications folder.