Home > Mac administration, macOS > Application blacklisting using management profiles

Application blacklisting using management profiles

When deploying Macs for use in classrooms or for training, there is occasionally a requirement that certain applications must be blocked from running. Usually, this is to make sure that the student or test taker using the Mac is not able to use the blocked applications because it would distract them or otherwise cause problems.

On iOS, there is a way to do this via the blacklistedAppBundleIDs key available in the Restrictions payload. However, this key is not available on macOS and Macs will ignore the blacklist.

On macOS, there is the ability to set an application whitelist via Profile Manager but not a blacklist.

Screen Shot 2017 05 20 at 2 45 31 PM

However, the profile specification does include the ability to configure an application blacklist using the pathBlackList key in the settings managed by the com.apple.applicationaccess.new payload.

Screen Shot 2017 05 20 at 2 28 46 PM

For more details, see below the jump.

Since the ability to set an application blacklist for macOS is currently missing from Profile Manager, a profile to blacklist application may need to be manually created. See below for an example profile which blacklists the following applications:

/Applications/Chess.app
/Applications/FaceTime.app
/Applications/Mail.app
/Applications/Messages.app

Screen Shot 2017 05 20 at 3 11 56 PM

Note: In addition to setting the application blacklist, a correctly-built profile will need to include whitelist entries that explicitly allow all other applications other than the ones being blacklisted.

Screen Shot 2017 05 20 at 3 14 26 PM

When setting an application blacklist using the profile, one thing to be aware of is that the blacklist can be overridden by an administrator account.

Screen Shot 2017 05 20 at 3 19 00 PM

If an administrator chooses, they can set the application block to be overridden once or permanently.

Screen Shot 2017 05 20 at 3 22 32 PM

Screen Shot 2017 05 20 at 3 23 23 PM

For those who want to block applications using a management profile, I’ve created an example .mobileconfig file and posted it here on Github:

https://github.com/rtrouton/profiles/tree/master/BlacklistApplications

Categories: Mac administration, macOS
  1. Todd Ness
    May 22, 2017 at 3:03 pm

    I see you say that a whitelist needs to be provided but your example does not have a whitelist in it. Just a bit confused if it is required or not. I will play with this, thanks as always for posting your findings.

    • May 22, 2017 at 3:06 pm

      The pathWhiteList key whitelists all applications in “/”, which whitelists all applications on the Mac from the top-level down.

  2. Thomas Knudsen
    June 7, 2017 at 12:07 pm

    Coould this be used to block an OS-X update? Let’s say you don’t want macOSUpd10.12.5.pkg or similar to run?

  3. OJ
    November 21, 2017 at 12:41 pm

    Hi Rich, great post. Thank you for this.

    However, if I block Mail.app, the user gets an error message “You don’t have permissions to use the application “MailCacheDelete””. This message refers to MailCacheDelete.appex which is inside the Mail bundle. Since the folder is SIP-protected, I cannot delete the plugin.

    Any ideas how to get rid of the message? Thanks.

    • March 6, 2018 at 11:49 pm

      I know this is late, but here is how I got around the MailCacheDelete issue and a scad of others like it: Instead of blocking /Applications/Mail.app (a directory!) I block the binary itself: /Applications/Mail.app/Contents/MacOS/Mail. Hope that helps someone.

  4. November 30, 2017 at 2:00 pm

    Hi Rich, if a user copies the app on his desktop, the app, unfortunately, works (the profile points to a absolute path. We have probably to find another way I think…

  5. Todd Ness
    March 23, 2018 at 2:17 pm

    New bit of information I have found for AirWatch users. If you are using the built in Restrictions profile, which by the way has no place to put in a black list, you have to create the Restrictions profile the way you want it. export the XML from that profile and paste it into custom profile sections by each part, and then add the blacklist section properly formatted like Rich’s example. If you do not the “unexpected results” that apple documents by having multiple profiles trying to manage the same settings prevents the blacklist from happening. Also, using the username in the profile as a variable does not quite work properly for me, because the variable puts in the user name with mixed case instead of all lower case, which does not match even though the file system is not case sensitive.

  6. Blong Xiong
    April 27, 2018 at 3:35 pm

    Is it possible by using the “custom settings” in profile manager to just use this part or do I need the whole thing for it to block those app?:

    pathBlackList

    /Applications/Chess.app/
    /Applications/FaceTime.app/
    /Applications/Mail.app/
    /Applications/Messages.app/

  7. Reggie Santos
    May 17, 2018 at 9:58 pm

    The Override by an Administrator is very helpful actually. But it doesn’t seem to work with Network Accounts. It just completely block the application and no prompt to override. I hope I’m just missing something.

  8. Dheeraj Oswal
    May 18, 2018 at 6:41 am

    HI Rich, could you let me know how can I block access to keychain and USB

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s

%d bloggers like this: