The Mac App Store launched yesterday along with the Mac OS X 10.6.6 update.
Some of the questions raised here are now answered.
- Users need to have administrative credentials to use the App Store.
- Because of #1, apps are installed in /Applications, like most other apps.
- #1 and #2 mean that apps from the App Store are usable by all users of the machine, and can be updated or removed by any other user of the machine, provided the user has admin credentials.
- The App Store keeps track of purchases made under a given AppleID, so you as an IT administrator need not worry about preserving a user’s purchased App Store apps when migrating a user to another machine.
In reality, the advent of the Mac App Store does not change things much for enterprise administrators.
If your users are admins, they’ve always been able to purchase, download and install software to company computers. If you have policy is place against this practice, that policy will be just as effective (or not) now as it was last week. So there is no change with the addition of a Mac App Store.
Non-admins can’t purchase or install software from the App Store.
Bottom line: the App Store doesn’t give users any new capabilities that they didn’t already have.
All that said: if you really want to block access to the Mac App Store, there’s a really simple solution: delete the App Store application.
There are other less draconian options, such as:
- Using MCX to limit access to the App Store application.
- Moving the App Store application to a location accessible only by a certain user or group — for example, moving it to the Applications folder of a local admin account.
- Changing the group and mode so only members of a certain group can run it.
If you decide to limit access, MCX is a good approach because it should continue to work even across Apple updates. Many of the other solutions may need to be reimplemented after an Apple update, which may put a new, updated copy of the App Store application back in the /Applications folder with the default owner, group and mode, potentially undoing your modifications.