Issue when dragging applications like Chrome and PaperCut into application folder while in admin and teacher can't access it from their user
67 views
Skip to first unread message
Vern Dempster- Mahu
Aug 5, 2025, 6:29:44 PMAug 5
to Techies for schools
This is a feedback I have given to apple about an annoying new feature in Sequoia and Tahoe
In macOS Sequoia 15.5, (on teachers laptop ) and on mine (tahoe beta) when an application is dragged into the /Applications folder, it is given ownership by the installing user (username:staff) instead of the correct system-wide ownership (root:wheel). This breaks expected multi-user access to the app.
We have encountered this issue with multiple apps, including:
• Google Chrome, when dragged from a .dmg into /Applications
• PaperCut, when dragged manually instead of using the .pkg installer
In contrast, apps installed via proper .pkg installers do retain correct root:wheel ownership.
⸻
💥 Real-world impact:
We manage a school environment where:
• We set up staff MacBooks under an admin user account
• The teacher logs in with their own user account afterwards
• Apps like Google Chrome or PaperCut, manually dragged into /Applications, are not usable by the teacher
• The app either fails to launch or presents permission issues
• This disrupts onboarding and day-to-day usability
This did not occur in previous versions of macOS — it appears to be a new issue in Sequoia 15.5, possibly introduced by changes in Finder, Gatekeeper, or installation behavior. We’ve been deploying Macs for decades and have never encountered this.
✅ Steps to Reproduce:
1. Download Google Chrome or PaperCut from the vendor website.
2. Mount the .dmg and drag the app into /Applications while logged in as an admin user.
3. Run: ls -l /Applications/Google\ Chrome.app
4. Observe incorrect ownership: drwxr-xr-x+ 3 adminuser staff ...
5. Log in as a different standard user (e.g. a teacher).
6. Attempt to launch the app — it may fail or throw a permission error.
7. As comparison: install PaperCut using its .pkg installer — it correctly applies root:wheel ownership.
📸 Expected Result:
Any application placed in /Applications should be owned by: root wheel
so it is accessible to all users on the system.
🚫 Actual Result:
Apps dragged into /Applications are owned by the user that dragged them in (e.g. adminuser:staff), not root:wheel. This breaks cross-user access.
⸻
💻 System Configuration:
• macOS 15.5 Sequoia (build 24F204)
• MacBook Air and MacBook Pro (Apple Silicon)
• SIP: Enabled
• Admin user installs apps, standard users cannot access them
• Chrome version tested: 126.0.6478.127
• PaperCut version tested: 23.0.1
⸻
📎 Suggested Fix:
Restore standard behavior where any app moved to /Applications, regardless of installation method, receives root:wheel ownership. This is expected and required in shared and multi-user setups such as schools, offices, and managed environments.
We have encountered this issue with multiple apps, including:
• Google Chrome, when dragged from a .dmg into /Applications
• PaperCut, when dragged manually instead of using the .pkg installer
In contrast, apps installed via proper .pkg installers do retain correct root:wheel ownership.
⸻
💥 Real-world impact:
We manage a school environment where:
• We set up staff MacBooks under an admin user account
• The teacher logs in with their own user account afterwards
• Apps like Google Chrome or PaperCut, manually dragged into /Applications, are not usable by the teacher
• The app either fails to launch or presents permission issues
• This disrupts onboarding and day-to-day usability
This did not occur in previous versions of macOS — it appears to be a new issue in Sequoia 15.5, possibly introduced by changes in Finder, Gatekeeper, or installation behavior. We’ve been deploying Macs for decades and have never encountered this.
✅ Steps to Reproduce:
1. Download Google Chrome or PaperCut from the vendor website.
2. Mount the .dmg and drag the app into /Applications while logged in as an admin user.
3. Run: ls -l /Applications/Google\ Chrome.app
4. Observe incorrect ownership: drwxr-xr-x+ 3 adminuser staff ...
5. Log in as a different standard user (e.g. a teacher).
6. Attempt to launch the app — it may fail or throw a permission error.
7. As comparison: install PaperCut using its .pkg installer — it correctly applies root:wheel ownership.
📸 Expected Result:
Any application placed in /Applications should be owned by: root wheel
so it is accessible to all users on the system.
🚫 Actual Result:
Apps dragged into /Applications are owned by the user that dragged them in (e.g. adminuser:staff), not root:wheel. This breaks cross-user access.
⸻
💻 System Configuration:
• macOS 15.5 Sequoia (build 24F204)
• MacBook Air and MacBook Pro (Apple Silicon)
• SIP: Enabled
• Admin user installs apps, standard users cannot access them
• Chrome version tested: 126.0.6478.127
• PaperCut version tested: 23.0.1
⸻
📎 Suggested Fix:
Restore standard behavior where any app moved to /Applications, regardless of installation method, receives root:wheel ownership. This is expected and required in shared and multi-user setups such as schools, offices, and managed environments.
Dion McGovern-Allen
Aug 10, 2025, 6:09:22 PMAug 10
to Techies for schools
Good Morning Vern,
Otherwise, there are free alternatives that may take some learning to make the packages with.
eg Munki has Munkipkg and theres autopkg.
From memory these are command line based.
I tend to use it to make an installer for Filemaker that slaps the Kamar license file into the correct location.
Also removes old versions while its at it, assuming its a major version upgrade.
As for windows, Intune and MSI's perhaps look into visual studio + wix installers.
You can use it to wrap up exe files into an MSI which Intune will happily install.
This is expected and required in shared and multi-user setups such as schools, offices, and managed environments. ~ also personal devices! 😉
We'll have to wait for Apple to release a fix for the behavior, unless they are thinking of 1 to 1 devices are the future!
I feel like I've experienced this earlier than those two OS releases too as the permissions get messed with.
Might I recommend the use of JAMF's composer to package up apps as pkg files?
Its a paid for program but it simplifies making packages and is just a really helpful tool.
You need not have to pay for JAMF Pro to get it as its available separately.
Might I recommend the use of JAMF's composer to package up apps as pkg files?
Its a paid for program but it simplifies making packages and is just a really helpful tool.
You need not have to pay for JAMF Pro to get it as its available separately.
I am quite partial to using composer 😊
Otherwise, there are free alternatives that may take some learning to make the packages with.
eg Munki has Munkipkg and theres autopkg.
From memory these are command line based.
I tend to use it to make an installer for Filemaker that slaps the Kamar license file into the correct location.
Also removes old versions while its at it, assuming its a major version upgrade.
As for windows, Intune and MSI's perhaps look into visual studio + wix installers.
You can use it to wrap up exe files into an MSI which Intune will happily install.
This is expected and required in shared and multi-user setups such as schools, offices, and managed environments. ~ also personal devices! 😉
We'll have to wait for Apple to release a fix for the behavior, unless they are thinking of 1 to 1 devices are the future!
Thanks,
Dion McGovern-Allen.
Vern Dempster
Aug 10, 2025, 6:20:16 PMAug 10
to techies-f...@googlegroups.com
HI Dion
Thanks
Much food for thought
Appreciate the help
Ngā mihi nui
Vern
Vern Dempster | Te Kura Tuarua o Mahurangi - Manager Information Services and L3Web Teacher | Ph. +64 9 425 8039 ext 721 | 021 769 314
--
You received this message because you are subscribed to a topic in the Google Groups "Techies for schools" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/techies-for-schools/fr19DYvPF2w/unsubscribe.
To unsubscribe from this group and all its topics, send an email to techies-for-sch...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/techies-for-schools/c8791a49-28dc-4ec1-bea8-6fe2e09f997en%40googlegroups.com.
Mike Etheridge
Aug 11, 2025, 4:30:10 PMAug 11
to techies-f...@googlegroups.com
I had success with Munki. It’s free (both senses), well maintained and does have a GUI, called MunkiAdmin, which does work. I did still so some command line work but mostly used MunkiAdmin
Mike E
--
You received this message because you are subscribed to the Google Groups "Techies for schools" group.
To unsubscribe from this group and stop receiving emails from it, send an email to techies-for-sch...@googlegroups.com.
Vern Dempster
Aug 11, 2025, 5:47:15 PMAug 11
to techies-f...@googlegroups.com
Thanks Mike
Interesting that chatGPT had just got to making me think about Munki to sort the issues
Using your input, chatGPT has now packaged up a ready to use Munki + MunkiAdmin rollout kit for our teacher laptops so we will have an explore
My assistant and I have survived with our simple approach but in these more complex multiuser times……..
appreciate your input
Ngā mihi nui
Vern
Vern Dempster | Te Kura Tuarua o Mahurangi - Manager Information Services and L3Web Teacher | Ph. +64 9 425 8039 ext 721 | 021 769 314
You received this message because you are subscribed to a topic in the Google Groups "Techies for schools" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/techies-for-schools/fr19DYvPF2w/unsubscribe.
To unsubscribe from this group and all its topics, send an email to techies-for-sch...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/techies-for-schools/CAMEu3YXUt6%3D_TCgffdN2EwTQcrvpASTXrYc%2BXpFPLTf_efuD3Q%40mail.gmail.com.
Pete Mundy
Aug 11, 2025, 5:55:38 PMAug 11
to techies-f...@googlegroups.com
+1 for Munki!
Good luck Vern :)
To view this discussion visit https://groups.google.com/d/msgid/techies-for-schools/6FC0B409-DEDB-4614-A032-E343CE0D89CB%40mahurangi.school.nz.
Reply all
Reply to author
Forward
0 new messages