Blocking Specific Apps on macOS

Addigy | 12/01/2021

As an admin, you’ll often need to block certain apps from being run on your end-user devices. We’ve put together some information that we recommend to our customers.

Deploy a configuration profile to your fleet of Macs

Addigy supports dozens of configuration profiles that can be easily created and deployed to your Macs with just a few clicks. Here are three that might do the job for you.

The Restrictions profile

Addigy’s built-in Restrictions profile has a few basic settings for macOS, iOS, tvOS, and iPadOS. This is a simple and easy method for restricting things like Game Center, Music (iTunes), etc. For iOS-based devices, it also lets you select to block (or allow) Apple’s own default apps like FaceTime, Messages, Movies, TV, and many more.

Custom configuration profile

For other things, Addigy will deploy any custom configuration profile that can be created using Apple’s own Apple Configurator or iMazing’s Profile Editor (both Mac and Windows). Once you’ve created your .mobileconfig file with all the blocked or allowed apps listed, deploying to any set of devices is easy with Addigy.

The Application Access profile

Another great method for blocking apps on Apple devices is the Parental Controls: Application Access profile (aka Screen Time). This method doesn’t block the installation, but it allows admins to list directories in which apps are blocked from running. 

Alternatively, you can list directories that are allowed, and also allow specific apps by their bundle IDs. 

One thing to keep in mind is that because this is really meant as a parental control tool, this method doesn’t prevent an admin-level user on the device to override the block. But depending on your stance, that can be a good balance between IT control and user preference. 

Santa

Santa is a binary created and managed by a group at Google that they describe as a “binary authorization system for macOS.” It is essentially a kernel extension that listens for any installation processes and determines whether it has been listed as either allowed or blocked. A blocked event results in a notification to the user. Santa is configured and kept in sync using Apple’s configuration profiles. 

One of Santa’s additional benefits is that it can be used to block macOS updates too, which is especially useful for administrators who need to temporarily block Apple’s major annual OS release to allow time to test it against their other software.

We have instructions about how to deploy Santa with Addigy.

Which is best?

Like so many other decisions for supporting your organization’s devices, it depends. Our support team considers customers’ needs before recommending and helping them through the process if needed. Apple’s own configuration profiles will always be supported of course, and have the advantage of working for not just Macs, but iPhones, iPads, and even Apple TVs as well.

This blog post was written by Jorge Pinon, Lead UI/UX Engineer.

Related Posts

As boring and complex as contracts can be, they are also the foundation of healthy, long-term relationships with customers. By clearly defining expectations and responsibilities, both parties agree on an acceptable level of risk, which helps prevent conflicts down the road.
Here’s our monthly wrap-up of Apple news you don’t want to miss!   Apple’s top gun Q2 earnings fly past global economic fears – CRN Apple proves once again why innovation and product diversity is paramount. In spite of supply […]
Nothing can damage work efficiency quite like gridlock. This is because workplace bottlenecks (especially as they relate to IT requests) can interrupt communication, become a hassle for management, and significantly reduce the productivity of any team. Removing IT-related roadblocks is […]