Application blacklisting using management profiles

When deploying Macs for use in classrooms or for training, there is occasionally a requirement that certain applications must be blocked from running. Usually, this is to make sure that the student or test taker using the Mac is not able to use the blocked applications because it would distract them or otherwise cause problems.

On iOS, there is a way to do this via the blacklistedAppBundleIDs key available in the Restrictions payload. However, this key is not available on macOS and Macs will ignore the blacklist.

On macOS, there is the ability to set an application whitelist via Profile Manager but not a blacklist.

However, the profile specification does include the ability to configure an application blacklist using the pathBlackList key in the settings managed by the com.apple.applicationaccess.new payload.

Since the ability to set an application blacklist for macOS is currently missing from Profile Manager, a profile to blacklist applications may need to be created manually. See below for an example profile which blacklists the following applications:

Note: In addition to setting the application blacklist, a correctly-built profile will need to include whitelist entries that explicitly allow all applications other than the ones being blacklisted.
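
The profile described above, generated and checked with Python's plistlib as an added example (not the author's posted .mobileconfig): it sets pathBlackList plus a pathWhiteList of "/" in a com.apple.applicationaccess.new payload, then lints the result. The blocked path, the com.example identifiers and the familyControlsEnabled key (from Apple's profile reference) are assumptions not taken from this post.

```python
import plistlib
import uuid

PAYLOAD_TYPE = "com.apple.applicationaccess.new"  # payload type named in the post
SAMPLE_BLOCKED = ["/Applications/Chess.app"]      # constructed sample path


def build_profile(blocked_paths, identifier="com.example.appblacklist"):
    """Return .mobileconfig bytes: blacklist blocked_paths, whitelist everything else."""
    restrictions = {
        "PayloadType": PAYLOAD_TYPE,
        "PayloadIdentifier": identifier + ".restrictions",  # hypothetical identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        # Key from Apple's profile reference, not from this page: turns the
        # application access restrictions on.
        "familyControlsEnabled": True,
        "pathBlackList": list(blocked_paths),
        # Explicitly allow every other application, from "/" down.
        "pathWhiteList": ["/"],
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadDisplayName": "Application blacklist (example)",
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadContent": [restrictions],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def lint_profile(data):
    """Return a list of problems in the profile's application access payloads."""
    payloads = [p for p in plistlib.loads(data).get("PayloadContent", [])
                if p.get("PayloadType") == PAYLOAD_TYPE]
    if not payloads:
        return ["no " + PAYLOAD_TYPE + " payload"]
    problems = []
    for p in payloads:
        black, white = p.get("pathBlackList", []), p.get("pathWhiteList", [])
        if not black:
            problems.append("pathBlackList is missing or empty")
        if not white:
            problems.append("pathWhiteList is missing: other applications are not explicitly allowed")
        problems += ["not an absolute path: " + b for b in black if not b.startswith("/")]
    return problems


if __name__ == "__main__":
    print(build_profile(SAMPLE_BLOCKED).decode())
```
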

When setting an application blacklist using the profile, one thing to be aware of is that the blacklist can be overridden by an administrator account.

If an administrator chooses, they can set the application block to be overridden once or permanently.

For those who want to block applications using a management profile, I’ve created an example .mobileconfig file and posted it here on GitHub:

  1. Todd Ness
    May 22, 2017 at 3:03 pm

    I see you say that a whitelist needs to be provided but your example does not have a whitelist in it. Just a bit confused if it is required or not. I will play with this, thanks as always for posting your findings.

    • May 22, 2017 at 3:06 pm

      The pathWhiteList key whitelists all applications in “/”, which whitelists all applications on the Mac from the top-level down.

  2. Thomas Knudsen
    June 7, 2017 at 12:07 pm

    Could this be used to block an OS-X update? Let’s say you don’t want macOSUpd10.12.5.pkg or similar to run?

  3. OJ
    November 21, 2017 at 12:41 pm

    Hi Rich, great post. Thank you for this.

    However, if I block Mail.app, the user gets an error message “You don’t have permissions to use the application “MailCacheDelete””. This message refers to MailCacheDelete.appex which is inside the Mail bundle. Since the folder is SIP-protected, I cannot delete the plugin.

    Any ideas how to get rid of the message? Thanks.

  4. November 30, 2017 at 2:00 pm

    Hi Rich, if a user copies the app on his desktop, the app, unfortunately, works (the profile points to an absolute path). We have probably to find another way I think…
