Create a non-privileged account (eg blfsuser) and make that the owner of the files.
Then put in a line like:
Replace w/ your actual appserver ips.
Take out anything in users and users.local and never push acls to this agent.
Note – you won’t be able to manage the box like a normal agent now. if you have a unix file server, you can install 2 agents on there and be able to manage the os as well.
Thanks Bill, I remembered that it was similiar to this but couldn't find the details to be sure.