Application blacklisting using management profiles
When deploying Macs for use in classrooms or for training, there is occasionally a requirement that certain applications must be blocked from running. Usually, this is to make sure that the student or test taker using the Mac is not able to use the blocked applications because it would distract them or otherwise cause problems.
On iOS, there is a way to do this via the blacklistedAppBundleIDs key available in the Restrictions payload. However, this key is not available on macOS and Macs will ignore the blacklist.
On macOS, there is the ability to set an application whitelist via Profile Manager but not a blacklist.
However, the profile specification does include the ability to configure an application blacklist using the pathBlackList key in the settings managed by the com.apple.applicationaccess.new payload.
For more details, see below the jump.
Since the ability to set an application blacklist for macOS is currently missing from Profile Manager, a profile to blacklist application may need to be manually created. See below for an example profile which blacklists the following applications:
/Applications/Chess.app
/Applications/FaceTime.app
/Applications/Mail.app
/Applications/Messages.app
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<?xml version="1.0" encoding="UTF-8"?> | |
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> | |
<plist version="1.0"> | |
<dict> | |
<key>PayloadIdentifier</key> | |
<string>com.company.mcx.blockapps</string> | |
<key>PayloadRemovalDisallowed</key> | |
<true/> | |
<key>PayloadScope</key> | |
<string>System</string> | |
<key>PayloadType</key> | |
<string>Configuration</string> | |
<key>PayloadUUID</key> | |
<string>9c24d6b3-6233-4a08-a48d-9068f4f76cf0</string> | |
<key>PayloadOrganization</key> | |
<string>Company Name</string> | |
<key>PayloadVersion</key> | |
<integer>1</integer> | |
<key>PayloadDisplayName</key> | |
<string>Application Restrictions</string> | |
<key>PayloadContent</key> | |
<array> | |
<dict> | |
<key>PayloadType</key> | |
<string>com.apple.applicationaccess.new</string> | |
<key>PayloadVersion</key> | |
<integer>1</integer> | |
<key>PayloadIdentifier</key> | |
<string>MCXToProfile.9c24d6b3-6233-4a08-a48d-9068f4f76cf0.alacarte.customsettings.2476221c-1870-4f3e-8c52-52386029c4cf</string> | |
<key>PayloadEnabled</key> | |
<true/> | |
<key>PayloadUUID</key> | |
<string>2476221c-1870-4f3e-8c52-52386029c4cf</string> | |
<key>PayloadDisplayName</key> | |
<string>Block Specified Applications From Launching</string> | |
<key>familyControlsEnabled</key> | |
<true/> | |
<key>pathBlackList</key> | |
<array> | |
<string>/Applications/Chess.app/</string> | |
<string>/Applications/FaceTime.app/</string> | |
<string>/Applications/Mail.app/</string> | |
<string>/Applications/Messages.app/</string> | |
</array> | |
<key>pathWhiteList</key> | |
<array> | |
<string>/</string> | |
</array> | |
<key>whiteList</key> | |
<array> | |
</array> | |
</dict> | |
</array> | |
</dict> | |
</plist> |
Note: In addition to setting the application blacklist, a correctly-built profile will need to include whitelist entries that explicitly allow all other applications other than the ones being blacklisted.
When setting an application blacklist using the profile, one thing to be aware of is that the blacklist can be overridden by an administrator account.
If an administrator chooses, they can set the application block to be overridden once or permanently.
For those who want to block applications using a management profile, I’ve created an example .mobileconfig file and posted it here on Github:
https://github.com/rtrouton/profiles/tree/master/BlacklistApplications
I see you say that a whitelist needs to be provided but your example does not have a whitelist in it. Just a bit confused if it is required or not. I will play with this, thanks as always for posting your findings.
The pathWhiteList key whitelists all applications in “/”, which whitelists all applications on the Mac from the top-level down.
Coould this be used to block an OS-X update? Let’s say you don’t want macOSUpd10.12.5.pkg or similar to run?
Hi Rich, great post. Thank you for this.
However, if I block Mail.app, the user gets an error message “You don’t have permissions to use the application “MailCacheDelete””. This message refers to MailCacheDelete.appex which is inside the Mail bundle. Since the folder is SIP-protected, I cannot delete the plugin.
Any ideas how to get rid of the message? Thanks.
I know this is late, but here is how I got around the MailCacheDelete issue and a scad of others like it: Instead of blocking /Applications/Mail.app (a directory!) I block the binary itself: /Applications/Mail.app/Contents/MacOS/Mail. Hope that helps someone.
Helped me!
Hi Rich, if a user copies the app on his desktop, the app, unfortunately, works (the profile points to a absolute path. We have probably to find another way I think…
I’m starting to look at Santa (https://github.com/google/santa) for this purpose
New bit of information I have found for AirWatch users. If you are using the built in Restrictions profile, which by the way has no place to put in a black list, you have to create the Restrictions profile the way you want it. export the XML from that profile and paste it into custom profile sections by each part, and then add the blacklist section properly formatted like Rich’s example. If you do not the “unexpected results” that apple documents by having multiple profiles trying to manage the same settings prevents the blacklist from happening. Also, using the username in the profile as a variable does not quite work properly for me, because the variable puts in the user name with mixed case instead of all lower case, which does not match even though the file system is not case sensitive.
Hi, I was unable to get this working via UEM (airwatch). It seems the XML looks ok when exporting the restrictions profile as it contains the blacklisted applications. What happens is that all applications are blacklisted if I don’t add allowed applications? Trying to follow Todd’s solution, I removed restrictions profile completely and created a custom settings profile to push just the blacklist, and it doesn’t seem to block any applications? Am I missing something?
Also working on this. Attempting to pull together XML language that allows everything BUT what I want blocked. Anyone have some known good code?
Is it possible by using the “custom settings” in profile manager to just use this part or do I need the whole thing for it to block those app?:
pathBlackList
/Applications/Chess.app/
/Applications/FaceTime.app/
/Applications/Mail.app/
/Applications/Messages.app/
The Override by an Administrator is very helpful actually. But it doesn’t seem to work with Network Accounts. It just completely block the application and no prompt to override. I hope I’m just missing something.
HI Rich, could you let me know how can I block access to keychain and USB
I applied the blacklist as noted and, shortly after doing so, started to get popups from random services asking permission to run. Those services were nowhere in the blacklist paths so I wouldn’t expect them to be blocked and they should have been permitted through the whitelist ‘/’. I couldn’t get rid of those errors until I rebooted.
Has anyone seen these types of errors.
This Property is deprecated from macOS Catalina 10.15 . Have anybody figured out alternative through configuration profile ?
https://developer.apple.com/documentation/devicemanagement/parentalcontrolsapplicationrestrictions?language=objc
You have given me a mild heart attack but after some googling you seem to be wrong? The Relevant Property is the “applicationaccess” payload as opposed to the deprecated Dashboard Widget restrictions you linked to.
Thank you for this post as it has a great starting point for managing our classroom Big Sur machines. Testing this mobileconfig it works great for blocking FaceTime, Messages and Mail but when I add more applications that I would like to block it then stops the whole config from working. If there any reason for this? Or am i doing something wrong?
Hi David, i got exactly the same issue, also with Big Sur, if i try to add an built in app it will stop blocking at all ! Did you find a wayout/solution ?
Actually it seem to work fine after a reboot ! But some app will still open like TV.app
The application of these policies is inconsistent, even after a reboot and Apple no longer provide support for the use of these properties as they have been marked as Deprecated.
A recent Apple support case suggested the use of a third party tool while a feature request is assessed by product teams.