How to Blocklist / Allowlist apps on Windows devices

Organizations often need to keep track of the apps used on their endpoints to make sure that no insecure apps are present on corporate devices. Hexnode UEM lets you either blocklist or allowlist apps, which helps restrict unwanted apps and allow only company-approved apps on the device. It also enables administrators to take remedial action so that users do not access untrusted apps from corporate devices.

Notes:

  • The Blocklist/Allowlist policy is supported on all editions of Windows 10 and Windows 11, except Home.
  • The following Hexnode apps are automatically allowlisted in the background:
    • Hexnode Remote Assist
    • Hexnode UEM

App Blocklisting/Allowlisting

  1. Log in to your Hexnode UEM portal.
  2. Navigate to Policies > New Policy. Click on New Policy to create a new one or select an existing one to make edits. Then, enter the Policy Name and Description in the provided fields.
  3. Go to Windows > App Management > Blocklist/Allowlist. Click on Configure.
  4. You can configure the blocklist/allowlist settings in two ways:
    • Add Apps: You can select the apps to be blocklisted or allowlisted from a list of store apps.
    • Add Rules: You can create rules to block or allow apps based on their publisher or file path.

    Add Apps

    • Choose Blocklist/Allowlist.
    • Click on +Add App.
    • Select the store apps to be blocklisted or allowlisted. Then, click on Done.

    Add Rules


    Configure the following fields to add a rule:

    • Action: Choose the action (Block/Allow) associated with the rule.
    • Rule Name: Enter a name for the identification of the rule.
    • App Type: Choose the type of apps to which the rule will apply. You can choose between two types of apps:
      • Packaged Apps/Packaged Apps Installers (.appx)
      • Executables (.exe)
    • Rule Condition: Select the criteria based on which the applications will be blocked/allowed:
      • Publisher: If this option is selected, the app(s) will be blocked/allowed by the name of the application's publisher.
      • File Path: If this option is selected, the app will be blocked based on the file path specified for the application.
    • Publisher Name: If the rule condition is chosen as Publisher, specify the name of the application(s) publisher.
    • App Name: Specify the name of the application.
    • File Path: If the rule condition is chosen as File Path, specify the location of the application on the user’s device.
  5. Click on Save.

Notes:

  • When creating block rules for a specific app type, ensure that you also create allow rules explicitly for the required apps within that type. If not, all apps of that type will be blocked by default.
  • When the rule condition is set to Publisher, you can block or allow all applications of a specific application type on the device by entering the asterisk symbol (*) in both the Publisher Name and App Name fields. Likewise, to block or allow all applications from a particular publisher, enter the asterisk symbol (*) in the App Name field while specifying the corresponding Publisher Name.
  • All inbox applications on the device will be allowed by default. If you wish to block inbox apps, you need to create block rules for the individual inbox apps in the Add Rules section.
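
The default-block behaviour described in these notes can be checked before a policy is deployed with a small dry-run model like the one below, which is an added illustration and not Hexnode's code. The `Rule` and `App` classes, the sample inventory, Block taking precedence over Allow, and case-insensitive matching are assumptions; the page states the default-block outcome for block rules, and the model applies it whenever any rule exists for an app type.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
@dataclass(frozen=True)
class Rule:
    action: str            # "Block" or "Allow"
    app_type: str          # "exe" or "appx"
    publisher: str = "*"   # Publisher condition fields
    app_name: str = "*"
    file_path: str = ""    # set only for a File Path condition

@dataclass(frozen=True)
class App:
    name: str
    app_type: str
    publisher: str
    path: str
    inbox: bool = False

def _like(pattern, value):
    return fnmatchcase(value.lower(), pattern.lower())  # case-insensitive: assumption

def matches(rule, app):
    if rule.app_type != app.app_type:
        return False
    if rule.file_path:
        return _like(rule.file_path, app.path)
    return _like(rule.publisher, app.publisher) and _like(rule.app_name, app.name)

def verdict(rules, app):
    hits = {r.action for r in rules if matches(r, app)}
    if "Block" in hits:                  # assumption: Block wins over Allow
        return "blocked"
    if "Allow" in hits or app.inbox:     # inbox apps are allowed by default
        return "allowed"
    typed = any(r.app_type == app.app_type for r in rules)  # type has rules?
    return "blocked by default" if typed else "allowed"

def dry_run(rules, inventory):
    return {app.name: verdict(rules, app) for app in inventory}

# Constructed sample inventory and rules (not real publishers or products).
INVENTORY = [
    App("ExampleVPN", "exe", "Example Corp", r"C:\Program Files\ExampleVPN\vpn.exe"),
    App("FunGame", "exe", "Example Games", r"C:\Users\a\FunGame\game.exe"),
    App("InboxTool", "exe", "OS Vendor", r"C:\Windows\System32\tool.exe", inbox=True),
    App("NotesApp", "appx", "Example Corp", r"C:\Program Files\WindowsApps\NotesApp"),
]
BLOCK_ONLY = [Rule("Block", "exe", "Example Games", "*")]
WITH_ALLOW = BLOCK_ONLY + [Rule("Allow", "exe", "Example Corp", "*")]
```

Comparing `dry_run(BLOCK_ONLY, INVENTORY)` with `dry_run(WITH_ALLOW, INVENTORY)` shows the required app moving from "blocked by default" to "allowed" once its allow rule is present.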

Associate the policy with target entities

If you haven’t saved the policy,

  1. Navigate to Policy Targets.
  2. Select the required Devices, Users, Device Groups, User Groups or Domains.
  3. Click on Save.

If you have already saved the policy,

  1. Navigate to Policies > My Policies and select the required policy.
  2. Click on Manage > Associate Targets.
  3. Select the required Devices, Users, Device Groups, User Groups or Domains.
  4. Click on Associate.