In today's enterprise environments, maintaining control over the applications that can run on Linux devices is essential for security and productivity. One effective way to achieve this is by blocking non-essential applications on devices. Scalefusion Unified Endpoint Management (UEM) offers a streamlined approach to enforce such controls. This guide provides detailed technical steps to block specific applications from executing on Linux devices using Scalefusion UEM.
Step 1: Prepare a Linux Shell Script to Block Applications
To prevent certain applications from running, you'll create a shell script that monitors and terminates these applications if they attempt to execute.
1. Identify the Applications to Block:
   - Determine which applications you want to block. You can use commands like ps aux | grep <application_name> or pgrep <application_name> to find the process names of these applications.
2. Create the Shell Script:
   - Open a UTF-8 compatible text editor, such as Notepad++ on Windows or gedit on Linux, and create a new file, e.g., block_apps.sh.
   - Add the following lines to block specific applications:
```bash
#!/bin/bash
# Run as root: this script writes to /usr/local/bin and /etc/systemd/system.

# Set the paths and other configurations
monitoring_script_path="/usr/local/bin/application_monitor.sh"
service_file="/etc/systemd/system/application_monitor.service"
log_file="/var/log/application_monitor.log"

# Note: make sure to enter the correct process name of each application
# Set the process names of the applications
process1_name="APPLICATION_ProcessNAME1"
process2_name="APPLICATION_ProcessNAME2"

# Fetch the paths to the executables (empty if the name is not found on PATH)
process1_path=$(which "$process1_name")
process2_path=$(which "$process2_name")

# Write the monitoring script content to the file.
# Unescaped variables are filled in now; \$-escaped ones are evaluated
# later, when the monitoring script itself runs.
cat <<EOF > "$monitoring_script_path"
#!/bin/bash

# Set the process names of the applications
process1_name="$process1_name"
process2_name="$process2_name"

# Fetch the paths to the executables
process1_path="$process1_path"
process2_path="$process2_path"

# Delay before starting monitoring loop (in seconds)
initial_delay=10

# Initial delay
sleep \$initial_delay

# Start monitoring loop
while true; do
    # Check if process1 is running and terminate it if it is
    if pgrep "\$process1_name" > /dev/null; then
        echo "\$(date +"%Y-%m-%d %H:%M:%S") - \$process1_name is running. Terminating..." >> "$log_file"
        # Terminate process1
        pkill "\$process1_name"
    fi

    # Check if process2 is running and terminate it if it is
    if pgrep "\$process2_name" > /dev/null; then
        echo "\$(date +"%Y-%m-%d %H:%M:%S") - \$process2_name is running. Terminating..." >> "$log_file"
        # Terminate process2
        pkill "\$process2_name"
    fi

    # Block execution of process1 executable (skipped if no path was found)
    [ -n "\$process1_path" ] && chmod -x "\$process1_path"

    # Block execution of process2 executable (skipped if no path was found)
    [ -n "\$process2_path" ] && chmod -x "\$process2_path"

    # Sleep for 24 hours; the process check above runs again only after this
    sleep \$((24 * 60 * 60))

    # Restore execution permission for process1 executable
    [ -n "\$process1_path" ] && chmod +x "\$process1_path"

    # Restore execution permission for process2 executable
    [ -n "\$process2_path" ] && chmod +x "\$process2_path"
done
EOF

# Set execute permissions for the monitoring script
chmod +x "$monitoring_script_path"

# Write the service unit file
cat <<EOF > "$service_file"
[Unit]
Description=Application Monitor Service
After=network.target

[Service]
Type=simple
ExecStart="$monitoring_script_path"
Restart=always

[Install]
WantedBy=multi-user.target
EOF

# Reload systemd
systemctl daemon-reload

# Enable and start the service
systemctl enable application_monitor.service
systemctl start application_monitor.service

# Check the status of the service (no pager, so it cannot block a
# non-interactive run)
systemctl status --no-pager application_monitor.service
```
   - Replace APPLICATION_ProcessNAME1 and APPLICATION_ProcessNAME2 in the above script with the actual process names of the applications you want to block.
   - If you create the script on a Windows device using Notepad++, save it in UNIX format, as shown in the image below:
Step 2: Deploy the Script Using Scalefusion UEM
With the script prepared, the next step is to deploy it across your Linux devices using Scalefusion UEM.
1. Upload the Script:
   - Log in to the Scalefusion dashboard.
   - Navigate to Application Management > Enterprise Store, click on Upload New App and select Upload Linux Script.
   - In the Upload Shell Scripts wizard:
     - Enter a Script Name for identification.
     - Upload the previously created Shell Script file.
     - Choose the Execution Level:
       - Device: Executes for all users on the device.
       - User: Executes for the logged-in user.
     - Configure the Schedule:
       - Run Once On Publish: Executes the script once upon publishing.
       - Run At Every Login: Executes the script at each user login.
       - Run On Schedule: Executes the script on specified days and times.
2. Publish the Script:
   - After configuring, click Save.
   - In the subsequent dialog, select the Device Profiles to which you want to deploy the script.
   - Click Publish to deploy the script.
Once published, the script will execute on the targeted devices based on the configured schedule, effectively blocking the specified applications from running.
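One way to verify the result on an endpoint, as an added example that is not part of the Scalefusion script: which returns only the first match on PATH and chmod -x changes only that one file, so this audit lists every copy of the application found on PATH and reports whether any of them is still executable. The function names are hypothetical, and GNU stat and readlink are assumed.

```shell
#!/bin/bash
# Added example: helper names are hypothetical, not part of the deployed script.

# Print every regular file named $1 in the directories of $2 (a PATH-style
# string, default $PATH), symlinks resolved, one per line, de-duplicated.
find_all_in_path() {
    local name="$1" search_path="${2:-$PATH}" dir
    local IFS=':'
    for dir in $search_path; do
        [ -n "$dir" ] || continue
        if [ -f "$dir/$name" ]; then readlink -f "$dir/$name"; fi
    done | sort -u
}

# Return 0 when no user/group/other execute bit is set on file $1.
is_exec_blocked() {
    local mode
    mode=$(stat -c '%a' "$1") || return 2
    [ $(( 0$mode & 0111 )) -eq 0 ]
}

# Print BLOCKED/RUNNABLE per copy of $1. Returns 0 if every copy is blocked,
# 1 if any copy can still be executed, 3 if no copy was found.
audit_block() {
    local name="$1" search_path="${2:-$PATH}" path rc=3
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if [ "$rc" -eq 3 ]; then rc=0; fi
        if is_exec_blocked "$path"; then
            echo "BLOCKED  $path"
        else
            echo "RUNNABLE $path"
            rc=1
        fi
    done <<EOF
$(find_all_in_path "$name" "$search_path")
EOF
    return "$rc"
}

# Usage: ./audit_block.sh <process_name>
if [ "$#" -gt 0 ]; then audit_block "$1"; fi
```

A return code of 1 means at least one copy of the application is still executable; 3 means the name was not found on PATH at all, which is also the case in which the deployed script has no path to chmod.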
Conclusion
Blocking non-essential applications on Linux devices can significantly enhance productivity and security. By leveraging Scalefusion UEM to deploy custom shell scripts, organizations can easily manage and restrict access to unwanted apps across their fleet of devices. This approach not only helps in maintaining focus but also ensures that devices are used in compliance with organizational policies.