
Application blacklisting using management profiles

When deploying Macs for use in classrooms or for training, there is occasionally a requirement that certain applications be blocked from running. Usually this is to make sure that the student or test taker using the Mac cannot use those applications, either because they would be a distraction or because they would otherwise cause problems.

On iOS, this can be done with the blacklistedAppBundleIDs key in the Restrictions payload. That key is not available on macOS, however, and Macs ignore the blacklist.

On macOS, Profile Manager can set an application whitelist, but not a blacklist.


The profile specification does, however, include the ability to configure an application blacklist using the pathBlackList key in the settings managed by the com.apple.applicationaccess.new payload.


For more details, see below the jump.

Since Profile Manager currently has no way to set an application blacklist for macOS, a profile that blacklists applications may need to be built by hand. The example profile below blacklists the following applications:

/Applications/Chess.app
/Applications/FaceTime.app
/Applications/Mail.app
/Applications/Messages.app



<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadIdentifier</key>
    <string>com.company.mcx.blockapps</string>
    <key>PayloadRemovalDisallowed</key>
    <true/>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>9c24d6b3-6233-4a08-a48d-9068f4f76cf0</string>
    <key>PayloadOrganization</key>
    <string>Company Name</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadDisplayName</key>
    <string>Application Restrictions</string>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadType</key>
            <string>com.apple.applicationaccess.new</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>PayloadIdentifier</key>
            <string>MCXToProfile.9c24d6b3-6233-4a08-a48d-9068f4f76cf0.alacarte.customsettings.2476221c-1870-4f3e-8c52-52386029c4cf</string>
            <key>PayloadEnabled</key>
            <true/>
            <key>PayloadUUID</key>
            <string>2476221c-1870-4f3e-8c52-52386029c4cf</string>
            <key>PayloadDisplayName</key>
            <string>Block Specified Applications From Launching</string>
            <key>familyControlsEnabled</key>
            <true/>
            <!-- Applications that must not launch (bundle directories, trailing slash) -->
            <key>pathBlackList</key>
            <array>
                <string>/Applications/Chess.app/</string>
                <string>/Applications/FaceTime.app/</string>
                <string>/Applications/Mail.app/</string>
                <string>/Applications/Messages.app/</string>
            </array>
            <!-- Explicitly allow everything else, from the top-level directory down -->
            <key>pathWhiteList</key>
            <array>
                <string>/</string>
            </array>
            <key>whiteList</key>
            <array>
            </array>
        </dict>
    </array>
</dict>
</plist>

Note: In addition to the blacklist itself, a correctly built profile needs whitelist entries that explicitly allow every application other than the blacklisted ones. In the example above that is the pathWhiteList entry for /, which allows all applications on the Mac from the top-level directory down.
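The script below is an added example; it is not code from the original post or from the linked GitHub repository. It builds a profile with the same structure as the one above (a com.apple.applicationaccess.new payload with familyControlsEnabled, a pathBlackList and a pathWhiteList of /) for any list of application paths, and it checks a profile for the mistakes that structure invites: a blacklist payload with no / entry in pathWhiteList, familyControlsEnabled left off, or blacklist entries that are not absolute paths. The identifier com.company.mcx.blockapps and the organization name are the placeholders from the example profile; the function names and the per-payload identifier format are the example's own assumptions.

```python
"""Build and sanity-check a macOS application-blacklist profile.

Added example, not part of the original post or of the linked GitHub
repository. Identifiers, organization name and function names are the
example's own placeholders.
"""
import plistlib
import sys
import uuid

PAYLOAD_TYPE = "com.apple.applicationaccess.new"


def build_blacklist_profile(app_paths, identifier="com.company.mcx.blockapps",
                            organization="Company Name"):
    """Return a profile dict with one applicationaccess.new payload.

    app_paths: absolute paths of the .app bundles to block. The example
    profile lists bundle directories with a trailing slash, so one is
    added where it is missing.
    """
    profile_uuid = str(uuid.uuid4())
    payload_uuid = str(uuid.uuid4())
    blacklist = [p if p.endswith("/") else p + "/" for p in app_paths]
    payload = {
        "PayloadType": PAYLOAD_TYPE,
        "PayloadVersion": 1,
        # The per-payload identifier format is this example's choice.
        "PayloadIdentifier": f"{identifier}.{payload_uuid}",
        "PayloadEnabled": True,
        "PayloadUUID": payload_uuid,
        "PayloadDisplayName": "Block Specified Applications From Launching",
        "familyControlsEnabled": True,
        "pathBlackList": blacklist,
        # "/" explicitly allows everything else from the top level down;
        # the blacklist on its own is not a complete profile.
        "pathWhiteList": ["/"],
        "whiteList": [],
    }
    return {
        "PayloadIdentifier": identifier,
        "PayloadRemovalDisallowed": True,
        "PayloadScope": "System",
        "PayloadType": "Configuration",
        "PayloadUUID": profile_uuid,
        "PayloadOrganization": organization,
        "PayloadVersion": 1,
        "PayloadDisplayName": "Application Restrictions",
        "PayloadContent": [payload],
    }


def check_blacklist_profile(profile):
    """Return a list of problems; an empty list means the structure is right."""
    problems = []
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PAYLOAD_TYPE]
    if not payloads:
        return [f"no {PAYLOAD_TYPE} payload in profile"]
    for p in payloads:
        if p.get("familyControlsEnabled") is not True:
            problems.append("familyControlsEnabled is not true")
        if "/" not in p.get("pathWhiteList", []):
            problems.append("pathWhiteList lacks '/': applications outside "
                            "the blacklist are not explicitly allowed")
        for path in p.get("pathBlackList", []):
            if not path.startswith("/"):
                problems.append(f"pathBlackList entry is not absolute: {path}")
    return problems


def to_mobileconfig(profile):
    """Serialize to the XML plist form an unsigned .mobileconfig uses."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def from_mobileconfig(data):
    """Parse unsigned .mobileconfig bytes (an XML plist) back to a dict."""
    return plistlib.loads(data)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Check an existing unsigned profile, e.g. the one from the post.
        with open(sys.argv[1], "rb") as f:
            profile = from_mobileconfig(f.read())
    else:
        profile = build_blacklist_profile([
            "/Applications/Chess.app",
            "/Applications/FaceTime.app",
            "/Applications/Mail.app",
            "/Applications/Messages.app",
        ])
        sys.stdout.write(to_mobileconfig(profile).decode())
    for problem in check_blacklist_profile(profile):
        sys.stderr.write(f"problem: {problem}\n")
```

Run with no arguments to print a generated profile to stdout, or pass the path of an unsigned .mobileconfig to check it. On a Mac the written file can additionally be checked with plutil -lint before it is installed with the profiles command or uploaded to an MDM.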


When setting an application blacklist with this profile, one thing to be aware of is that an administrator account can override the block.

If an administrator chooses, they can override the application block once or permanently.

For those who want to block applications using a management profile, I've posted an example .mobileconfig file on GitHub:

https://github.com/rtrouton/profiles/tree/master/BlacklistApplications

  1. Todd Ness
    May 22, 2017 at 3:03 pm

    I see you say that a whitelist needs to be provided but your example does not have a whitelist in it. Just a bit confused if it is required or not. I will play with this, thanks as always for posting your findings.

    • May 22, 2017 at 3:06 pm

      The pathWhiteList key whitelists all applications in “/”, which whitelists all applications on the Mac from the top-level down.

  2. Thomas Knudsen
    June 7, 2017 at 12:07 pm

    Could this be used to block an OS X update? Let's say you don't want macOSUpd10.12.5.pkg or similar to run?

  3. OJ
    November 21, 2017 at 12:41 pm

    Hi Rich, great post. Thank you for this.

    However, if I block Mail.app, the user gets an error message “You don’t have permissions to use the application “MailCacheDelete””. This message refers to MailCacheDelete.appex which is inside the Mail bundle. Since the folder is SIP-protected, I cannot delete the plugin.

    Any ideas how to get rid of the message? Thanks.

    • March 6, 2018 at 11:49 pm

      I know this is late, but here is how I got around the MailCacheDelete issue and a scad of others like it: Instead of blocking /Applications/Mail.app (a directory!) I block the binary itself: /Applications/Mail.app/Contents/MacOS/Mail. Hope that helps someone.

  4. November 30, 2017 at 2:00 pm

    Hi Rich, if a user copies the app to his desktop, the app unfortunately works (the profile points to an absolute path). We probably have to find another way, I think…

  5. Todd Ness
    March 23, 2018 at 2:17 pm

    New bit of information I have found for AirWatch users. If you are using the built-in Restrictions profile, which by the way has no place to put in a blacklist, you have to create the Restrictions profile the way you want it, export the XML from that profile and paste it into custom profile sections part by part, and then add the blacklist section properly formatted like Rich's example. If you do not, the "unexpected results" that Apple documents for having multiple profiles manage the same settings prevent the blacklist from taking effect. Also, using the username in the profile as a variable does not quite work properly for me, because the variable puts in the user name with mixed case instead of all lower case, which does not match even though the file system is not case sensitive.

    • Bailey Ith
      November 29, 2018 at 12:06 am

      Hi, I was unable to get this working via UEM (AirWatch). The XML looks OK when exporting the Restrictions profile, as it contains the blacklisted applications. What happens is that all applications are blacklisted if I don't add allowed applications? Trying to follow Todd's solution, I removed the Restrictions profile completely and created a custom settings profile to push just the blacklist, and it doesn't seem to block any applications. Am I missing something?

    • John hart
      December 3, 2018 at 9:43 pm

      Also working on this. Attempting to pull together XML language that allows everything BUT what I want blocked. Anyone have some known good code?

  6. Blong Xiong
    April 27, 2018 at 3:35 pm

    Is it possible, by using the "custom settings" in Profile Manager, to just use this part, or do I need the whole thing for it to block those apps?:

    <key>pathBlackList</key>
    <array>
        <string>/Applications/Chess.app/</string>
        <string>/Applications/FaceTime.app/</string>
        <string>/Applications/Mail.app/</string>
        <string>/Applications/Messages.app/</string>
    </array>

  7. Reggie Santos
    May 17, 2018 at 9:58 pm

    The override by an administrator is very helpful actually. But it doesn't seem to work with network accounts. It just completely blocks the application and there is no prompt to override. I hope I'm just missing something.

  8. Dheeraj Oswal
    May 18, 2018 at 6:41 am

    Hi Rich, could you let me know how I can block access to Keychain and USB?

  9. Chris DeMattio
    May 1, 2020 at 7:02 pm

    I applied the blacklist as noted and, shortly after doing so, started to get popups from random services asking permission to run. Those services were nowhere in the blacklist paths, so I wouldn't expect them to be blocked, and they should have been permitted through the whitelist '/'. I couldn't get rid of those errors until I rebooted.

    Has anyone seen these types of errors?

  10. May 10, 2020 at 8:43 pm

    This property is deprecated as of macOS Catalina 10.15. Has anybody figured out an alternative through a configuration profile?

    https://developer.apple.com/documentation/devicemanagement/parentalcontrolsapplicationrestrictions?language=objc

    • DocWeirdo
      September 17, 2020 at 7:17 pm

      You have given me a mild heart attack, but after some googling you seem to be wrong? The relevant property is the "applicationaccess" payload, as opposed to the deprecated Dashboard widget restrictions you linked to.

  11. David
    May 7, 2021 at 8:01 am

    Thank you for this post, as it is a great starting point for managing our classroom Big Sur machines. Testing this mobileconfig, it works great for blocking FaceTime, Messages and Mail, but when I add more applications that I would like to block it then stops the whole config from working. Is there any reason for this? Or am I doing something wrong?

    • June 11, 2021 at 8:43 am

      Hi David, I got exactly the same issue, also with Big Sur: if I try to add a built-in app it will stop blocking at all! Did you find a way out/solution?

      • June 16, 2021 at 6:35 am

        Actually it seems to work fine after a reboot! But some apps will still open, like TV.app.

      • Jimmy Swings
        August 22, 2022 at 2:14 am

        The application of these policies is inconsistent, even after a reboot, and Apple no longer provides support for the use of these properties as they have been marked as deprecated.

        A recent Apple support case suggested the use of a third party tool while a feature request is assessed by product teams.
