Blocking Specific Apps on macOS

Addigy | 12/01/2021

As an admin, you’ll often need to block certain apps from being run on your end-user devices. We’ve put together some information that we recommend to our customers.

Deploy a configuration profile to your fleet of Macs

Addigy supports dozens of configuration profiles that can be easily created and deployed to your Macs with just a few clicks. Here are three that might do the job for you.

The Restrictions profile

Addigy’s built-in Restrictions profile has a few basic settings for macOS, iOS, tvOS, and iPadOS. This is a simple and easy method for restricting things like Game Center, Music (iTunes), etc. For iOS-based devices, it also lets you select to block (or allow) Apple’s own default apps like FaceTime, Messages, Movies, TV, and many more.

Custom configuration profile

For other things, Addigy will deploy any custom configuration profile that can be created using Apple’s own Apple Configurator or iMazing’s Profile Editor (both Mac and Windows). Once you’ve created your .mobileconfig file with all the blocked or allowed apps listed, deploying to any set of devices is easy with Addigy.

The Application Access profile

Another great method for blocking apps on Apple devices is the Parental Controls: Application Access profile (aka Screen Time). This method doesn’t block the installation, but it allows admins to list directories in which apps are blocked from running. 

Alternatively, you can list directories that are allowed, and also allow specific apps by their bundle IDs. 

One thing to keep in mind is that because this is really meant as a parental control tool, this method doesn’t prevent an admin-level user on the device to override the block. But depending on your stance, that can be a good balance between IT control and user preference. 

Santa

Santa is a binary created and managed by a group at Google that they describe as a “binary authorization system for macOS.” It is essentially a kernel extension that listens for any installation processes and determines whether it has been listed as either allowed or blocked. A blocked event results in a notification to the user. Santa is configured and kept in sync using Apple’s configuration profiles. 

One of Santa’s additional benefits is that it can be used to block macOS updates too, which is especially useful for administrators who need to temporarily block Apple’s major annual OS release to allow time to test it against their other software.

We have instructions about how to deploy Santa with Addigy.

Which is best?

Like so many other decisions for supporting your organization’s devices, it depends. Our support team considers customers’ needs before recommending and helping them through the process if needed. Apple’s own configuration profiles will always be supported of course, and have the advantage of working for not just Macs, but iPhones, iPads, and even Apple TVs as well.

This blog post was written by Jorge Pinon, Lead UI/UX Engineer.

Related Posts

Here’s our monthly wrap-up of articles you don’t want to miss!   Using Parallels Desktop to Simplify macOS Testing – Parallels Blog If you’re a developer or IT admin, testing new software can be a time-consuming and tedious process. But […]
Sponsored Blog Post – Written by Augmentt Very much like Addigy, Augmentt is investing in the lucrative future unfolding for managed service providers (MSPs) in the new cloud-based era of IT, be it on PC or Mac platforms. Today’s MSPs […]
What Apple's Discontinuation of Fleetsmith Means for Companies
The clock is ticking for MSPs and IT teams that use Apple’s Fleetsmith Mobile Device Management (MDM). Apple announced early this year that it will discontinue the service in October, which means companies that rely on it will need to […]