Category filter

How to blocklist/allowlist apps on macOS devices?

Application blocklisting is a prohibitive mechanism that prevents users from accessing specific applications on the devices. As determined by the organization, apps that hinder productivity or appear to be malicious in a workplace environment can be blocklisted. The app blocklisting policy enables you to restrict specific apps on macOS devices from the Hexnode UEM console. It raises a blocked-access prompt on the devices as the user tries to open the blocklisted applications.

Allowlisting allows users to access only those applications that are explicitly defined by the organization. The users can install/access them conveniently without any restrictions. All other apps, except the allowlisted ones will be blocked on the device. Based on the requirement, you can define the applications to be denied or allowed access on macOS devices.

Notes:

  • Supported only on macOS 10.11+.
  • Blocklist/Allowlist policy requires the latest version of the Hexnode agent app installed on the devices.
  • The Hexnode UEM agent present on the device is responsible for sending the app paths (app identifiers or bundle identifiers) to the portal. Apps can be selected from the policy for blocklisting/allowlisting only after a macOS device is enrolled, the device scan is completed, and the agent updates the app paths with the portal.

Blocklist apps on macOS devices

To block apps on macOS devices:

  1. Login to your Hexnode UEM portal.
  2. Navigate to Policies > New Policy > macOS > App Management > Blocklist/Allowlist. Click on Configure.
  3. Enter the policy name and description.
    • Policy name – Enter an appropriate name for the policy. This is a mandatory field.
    • Description – Add a brief description of the policy.
  4. Click on the Blocklist button.
  5. Click on +Add to add either an app or a group of apps to be blocklisted. You can blocklist Enterprise app, Store app, or VPP apps on macOS devices.
  6. After selecting the desired apps, click Done.
  7. Next, associate the policy with the target devices by clicking on Policy Targets.
  8. Select the Devices/Device Groups/User/User Groups/Domains with which the policy is to be attached.
  9. Click Save.



Exception:


Certain system apps like Finder, Siri, etc., relaunch themselves every time and always remain open on macOS. As these system apps try to open automatically, blocklisting them generates infinite blocked-access pop-ups on the device.

Allowlist apps on macOS devices

To limit access to a specific set of applications:

  1. Login to your Hexnode UEM portal.
  2. Navigate to Policies > New Policy > macOS > App Management > Blocklist/Allowlist. Click on Configure.
  3. Enter the policy name and description.
    • Policy name – Enter an appropriate name for the policy. This is a mandatory field.
    • Description – Add a brief description of the policy.
  4. Click on the Allowlist button.
  5. Click on +Add to add either an app or a group of apps to be allowlisted. Selecting a single application limits the device usage only to the given application, and all other apps remain inaccessible on the device. Enterprise apps, Store apps, and VPP apps can be allowlisted on the devices.
  6. Note:


    Ensure that each app within the app group is installed on at least one macOS device enrolled in the Hexnode console before adding an app group to the allowlist. If not, the app group will remain greyed out and unselectable.

  7. After selecting the desired apps, click Done.
  8. Next, associate the policy with the target devices by clicking on Policy Targets.
  9. Select the Devices/Device Groups/User/User Groups/Domains to apply the policy.
  10. Choose the device and click Save. The policy will be pushed to the device.


Allowlist an app present on the macOS device

  1. Click on the +Add button and select the Choose an app from the device option.
  2. Enter the name of the app you want to allowlist under the App name.
  3. Enter the path of the app on the device under Specify the file path to the app on the device. You can use a custom script to get the path to the desired app.
  4. Click Add.
  5. Next, associate the policy with the target devices by clicking on Policy Targets.
  6. Select the Devices/Device Groups/User/User Groups/Domains to apply the policy.
  7. Choose the device and click Save. The policy will be pushed to the device.
  8. Note:

    • Blocklisting an application that is not currently installed on the device will not prevent its installation, however, once installed, the app will be inaccessible.
    • Allowlisting and Blocklisting the same app will blocklist the app on the device.
    • To allowlist the Safari app, you should also specify the following path using the Choose an app from the device option for the Safari app: /System/Volumes/Preboot/Cryptexes/App/System/Applications/Safari.app/Contents/MacOS/Safari
    • If you specify the location of a folder that contains a number of apps inside it in the Choose an app from the device option, all the apps inside that folder will be allowlisted. For example, specifying the ‘/Application/’ folder in the Choose an app from the device option will allowlist all the apps inside the folder ‘Applications’.

    Exception:

    • Enterprise apps uploaded using DMG files cannot be blocklisted/allowlisted. Since the app identifier or bundle identifier cannot be fetched for DMGs, they will not be listed among the apps, and the user cannot add them to the policy.
    • Application allowlisting is limited to user accounts that are managed by UEM, specifically those used for device enrollment. Allowlisting apps, irrespective of the user account type can be achieved using custom profiles. You can deploy such custom profiles using Hexnode’s Deploy Custom Configuration policy.
  • Deploying and Managing Apps