ceez Posted February 24, 2007 Share Posted February 24, 2007 hello fellow msfn-ers!as most IT people, i hate itunes, specially when the users install it on their workstations as if they were working on their home pc's...I am looking for a 'silver bullet' on blocking the installation of itunes. I know i am asking for a lot, but i can give it a try.I know that I can create a hash rule for the itunes .exe installer, but with new and different versions of itunes so does a new hash. I could also use path rules, but some 'smart' users can figure out that by changing the install path they can install the darnned thing.so I was wondering if you have another alternative, maybe downloaded an adm or you probably created your own adm file that you can share with me (and anyone else trying to kill itunes from their corporate workstations)!thank you for your time,ceez Link to comment Share on other sites More sharing options...
cluberti Posted February 24, 2007 Share Posted February 24, 2007 Short of removing users from doing anything other than "read only" in \Program Files (and any other folders they shouldn't be writing to), I'm not sure you have many options short of using Group Policy. Of course, marking the whole drive read only usually breaks applications... I'd always dealt with it by having a corporate policy for users - if you install something, it's OK, but it's not supported. If your machine breaks for any reason, it'll be replaced or reimaged and we'll make no attempts at all to save any data from said program. Profiles were roaming, and the documents folder was redirected to a home server minus the music and videos folders - worked great. We had a few users who lost all of their music too, and that pretty much killed it after some months, and we heard nothing more of it. It's low-tech, but it worked overall, and we didn't have to be the IT scrooges either (nice come bonus time ). Link to comment Share on other sites More sharing options...
fdv Posted February 24, 2007 Share Posted February 24, 2007 (edited) Adopt a written policy with the CEO's sign-off that it's inappropriate misuse of the company's computers. Issue warning when it's installed. Tell supervisors that iPods can act as USB drives, and that can be a security risk (maybe not where you are though). Tell people that bringing MP3's to work is no problem, listening at work is no problem, but iTunes is going over the line -- managing your music collection at work? Grabbing bandwidth and downloading music from the iTunes store? No f-ing way!Another practical solution. Obviously you are in an org where people get admin rights to their machines for whatever reason. Which can boost morale, and can create IT headaches. I don't let my users have admin rights (though I do liberally allow all sorts of apps if they ask) but perhaps try this. Try replacing a critical DLL with an earlier version. Or resedit one and just muck it up... a little bit. Make the software crash. A Lot. If your boss is going to insist that all users have root on their boxes and you have to be the grown up in Romper Room policing after n00bs who load their machines with malware (or worse, don't, because they are advanced home users and do more "sophisticated" stuff like run VPNs that they don't tell you about or pull port forwarding tricks to keep you from seeing their pr0n downloads when they hit Usenet) then you have no choice. This is a game where the odds are against you. Wanna win?All you have is subterfuge, and I'd recommend making an INF and running it on startup that removes iTunes registry data by deleting iTunes keys so even reinstalls don't work for them. Put a shortcut in startup...%SystemRoot%\system32\rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 %SYSTEMROOT%\system32\youritunesregistrykiller.inf...and call it something innocent and have it do nothing at all for a few weeks so they aren't suspicious. Here are some keys for you to kill to get you started. Note that no names of DLLs appear, nor do any searchable strings, so clever users can't easily pick out what this file is [Version]signature="$Windows NT$"ClassGUID={00000000-0000-0000-0000-000000000000}SetupClass=BaseLayoutFile=layout.inf[DefaultInstall]AddReg = keys.addDelReg = keys.del[keys.add][keys.del]HKCR,"AppID\{3AA2E692-0A50-496B-A91B-9F7AF63B3511}"HKCR,"AppID\{5011B6DE-E9FA-4518-B5E5-45DE9DD2CDC6}"HKCR,"CLSID\{063D34A4-BF84-4B8D-B699-E8CA06504DDE}"HKCR,"CLSID\{08A6AF6A-8FF2-4a3b-BECF-C2FAC8630BBF}"HKCR,"CLSID\{0A25C695-3765-4B37-9455-4B1C113C2C04}"HKCR,"CLSID\{20ADDA11-8287-44D0-8C63-27CDA87ACC46}"HKCR,"CLSID\{368F81BC-9439-41A8-B532-39C8D7E7D147}"HKCR,"CLSID\{5bdb98cc-b3f5-4d33-9a91-cbc986bea087}"HKCR,"CLSID\{62A560B8-09DB-4cc6-AE1B-9D8F7ADDB8F3}"HKCR,"CLSID\{6C2589C3-96F8-4863-A511-9C33EB2C7E2A}"HKCR,"CLSID\{7312c0a0-a397-4a19-b432-9ac90c4466af}"HKCR,"CLSID\{80EE9910-D470-4AED-AC5D-987046FDB574}"HKCR,"CLSID\{8bb882d5-de37-4630-84e9-cc4bd7c44cb1}"HKCR,"CLSID\{aa9c1a1e-b91a-424e-9e27-3f1967b707f1}"HKCR,"CLSID\{aef7e664-dc9b-48b2-8b35-5422d3f08c77}"HKCR,"CLSID\{B33927D0-89E6-45D8-87C7-27F3DE3EFDE6}"HKCR,"CLSID\{B8DF592B-DE05-49f5-BB21-084F548F12A9}"HKCR,"CLSID\{d4704c9e-adbf-411a-9ef2-87feb99ccf69}"HKCR,"CLSID\{D719897A-B07A-4C0C-AEA9-9B663A28DFCB}"HKCR,"CLSID\{e73e119c-be36-4693-8a47-88c16829008c}"HKCR,"CLSID\{F7A782D3-2DDD-4327-BB70-0D1D0F1E38B0}"As an IT guy I don't advocate killing morale but iTunes seems over the top to me. An iPod is one thing. But buying music and managing your collection is another. Edited February 24, 2007 by fdv Link to comment Share on other sites More sharing options...
ceez Posted February 24, 2007 Author Share Posted February 24, 2007 thanks for the input guys....i personally dont have an ipod (other mp3 player) but i assume that you dont need the itune s/w to even charge your ipod. All i know is that they can view their library and even share it with others.Yes our users need to have admin rights since it's an architectural firm and autocad requires that the users have full admin rights to their machines. It doesnt matter how many policies are written in stone some users will just install it, and for the most part, their superiors also have ipods and install it on their workstations or laptops. So killing it or 'crashing' it will eventually trigger issues with the 'higher' users. Unless we get their support then we will continue to see itunes installed on workstations....that's another story.I'll look over that inf idea and shoot it around with the IT director to see how we can apply thisthanks guys,ceezps- btw, cad technicians apparently are useless without music while they work! good excuse!ps2- apple should come up with and be held responsible for creating adm's or software for corporations that do not want their itunes software running on enterprise systems! darn you ipod! Link to comment Share on other sites More sharing options...
cluberti Posted February 25, 2007 Share Posted February 25, 2007 LOL Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now