Blocking Specific Apps on macOS

Addigy | 12/01/2021

As an admin, you’ll often need to block certain apps from being run on your end-user devices. We’ve put together some information that we recommend to our customers.

Deploy a configuration profile to your fleet of Macs

Addigy supports dozens of configuration profiles that can be easily created and deployed to your Macs with just a few clicks. Here are three that might do the job for you.

The Restrictions profile

Addigy’s built-in Restrictions profile has a few basic settings for macOS, iOS, tvOS, and iPadOS. This is a simple and easy method for restricting things like Game Center, Music (iTunes), etc. For iOS-based devices, it also lets you select to block (or allow) Apple’s own default apps like FaceTime, Messages, Movies, TV, and many more.

Custom configuration profile

For other things, Addigy will deploy any custom configuration profile that can be created using Apple’s own Apple Configurator or iMazing’s Profile Editor (both Mac and Windows). Once you’ve created your .mobileconfig file with all the blocked or allowed apps listed, deploying to any set of devices is easy with Addigy.

The Application Access profile

Another great method for blocking apps on Apple devices is the Parental Controls: Application Access profile (aka Screen Time). This method doesn’t block the installation, but it allows admins to list directories in which apps are blocked from running. 

Alternatively, you can list directories that are allowed, and also allow specific apps by their bundle IDs. 

One thing to keep in mind is that because this is really meant as a parental control tool, this method doesn’t prevent an admin-level user on the device to override the block. But depending on your stance, that can be a good balance between IT control and user preference. 

Santa

Santa is a binary created and managed by a group at Google that they describe as a “binary authorization system for macOS.” It is essentially a kernel extension that listens for any installation processes and determines whether it has been listed as either allowed or blocked. A blocked event results in a notification to the user. Santa is configured and kept in sync using Apple’s configuration profiles. 

One of Santa’s additional benefits is that it can be used to block macOS updates too, which is especially useful for administrators who need to temporarily block Apple’s major annual OS release to allow time to test it against their other software.

We have instructions about how to deploy Santa with Addigy.

Which is best?

Like so many other decisions for supporting your organization’s devices, it depends. Our support team considers customers’ needs before recommending and helping them through the process if needed. Apple’s own configuration profiles will always be supported of course, and have the advantage of working for not just Macs, but iPhones, iPads, and even Apple TVs as well.

This blog post was written by Jorge Pinon, Lead UI/UX Engineer.

Related Posts

Securing endpoints is more critical today than ever before, as every IT professional knows. According to Check Point Research, cyberattacks increased globally by 28 percent in Q3 2022 compared to the same period in 2021. Keeping Apple devices up to […]
Growing organizations and businesses must overcome numerous challenges associated with scaling their needs. This process includes regularly recruiting and hiring new employees, in addition to keeping up with the technology requirements of those new staff members. Whether you want to […]
Today’s IT managers and admins have a lot of boxes to check if they want to help an organization grow and scale. Managing devices, employee credentials and identification, and security processes are top priorities for enterprise business. With Apple ID […]