There may be scenarios where you would benefit from blocking applications on an end user's Mac. This is possible using Addigy's MDM Configurations.
Here is a quick overview of what we will be doing to apply Application Blocking:
1. Generating the necessary .mobileconfig file.
2. Applying the .mobileconfig using MDM Configurations.
3. Deploying the MDM Configuration.
Generating the necessary .mobileconfig file
Let's begin by editing this plist/mobileconfig file to suit our needs.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadIdentifier</key>
    <string>com.company.mcx.blockapps</string>
    <key>PayloadRemovalDisallowed</key>
    <true/>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>9c24d6b3-6233-4a08-a48d-9068f4f76cf0</string>
    <key>PayloadOrganization</key>
    <string>Company Name</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadDisplayName</key>
    <string>Application Restrictions</string>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadType</key>
            <string>com.apple.applicationaccess.new</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>PayloadIdentifier</key>
            <string>MCXToProfile.9c24d6b3-6233-4a08-a48d-9068f4f76cf0.alacarte.customsettings.2476221c-1870-4f3e-8c52-52386029c4cf</string>
            <key>PayloadEnabled</key>
            <true/>
            <key>PayloadUUID</key>
            <string>2476221c-1870-4f3e-8c52-52386029c4cf</string>
            <key>PayloadDisplayName</key>
            <string>Block Specified Applications From Launching</string>
            <key>familyControlsEnabled</key>
            <true/>
            <key>pathBlackList</key>
            <array>
                <string>/Applications/Chess.app/</string>
            </array>
            <key>pathWhiteList</key>
            <array>
                <string>/</string>
            </array>
            <key>whiteList</key>
            <array>
            </array>
        </dict>
    </array>
</dict>
</plist>
Currently, this mobileconfig blocks the Chess application. We can see this on line 40 of the file, which looks like this:
<string>/Applications/Chess.app/</string>
To add more applications, add more string tags with the path to the applications you would like to block. Here's an example of a .mobileconfig that blocks Chess, FaceTime, Mail, and Messages.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadIdentifier</key>
    <string>com.company.mcx.blockapps</string>
    <key>PayloadRemovalDisallowed</key>
    <true/>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>9c24d6b3-6233-4a08-a48d-9068f4f76cf0</string>
    <key>PayloadOrganization</key>
    <string>Company Name</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadDisplayName</key>
    <string>Application Restrictions</string>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadType</key>
            <string>com.apple.applicationaccess.new</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>PayloadIdentifier</key>
            <string>MCXToProfile.9c24d6b3-6233-4a08-a48d-9068f4f76cf0.alacarte.customsettings.2476221c-1870-4f3e-8c52-52386029c4cf</string>
            <key>PayloadEnabled</key>
            <true/>
            <key>PayloadUUID</key>
            <string>2476221c-1870-4f3e-8c52-52386029c4cf</string>
            <key>PayloadDisplayName</key>
            <string>Block Specified Applications From Launching</string>
            <key>familyControlsEnabled</key>
            <true/>
            <key>pathBlackList</key>
            <array>
                <string>/Applications/Chess.app/</string>
                <string>/Applications/FaceTime.app/</string>
                <string>/Applications/Mail.app/</string>
                <string>/Applications/Messages.app/</string>
            </array>
            <key>pathWhiteList</key>
            <array>
                <string>/</string>
            </array>
            <key>whiteList</key>
            <array>
            </array>
        </dict>
    </array>
</dict>
</plist>
Once you finish configuring the mobileconfig file to suit your needs, save it as ANY_NAME.mobileconfig. The next step is to create a Custom Profile using this file.
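Instead of hand-editing the XML, the same profile can be generated from a list of application paths. The script below is an added example, not part of the original article or of Addigy's tooling; the function name build_block_profile and the output file name blockapps.mobileconfig are hypothetical. It keeps the keys shown above, rejects entries that are not absolute .app paths, and gives each generated profile its own PayloadUUID values rather than reusing the sample ones.

```python
import plistlib
import uuid

def build_block_profile(app_paths, organization="Company Name",
                        identifier="com.company.mcx.blockapps"):
    """Return .mobileconfig bytes that block the given application paths."""
    blocked = []
    for path in app_paths:
        # The article's entries are absolute .app paths with a trailing slash.
        if not path.startswith("/") or not path.rstrip("/").endswith(".app"):
            raise ValueError(f"not an absolute .app bundle path: {path!r}")
        normalized = path.rstrip("/") + "/"
        if normalized not in blocked:      # drop duplicates, keep order
            blocked.append(normalized)
    if not blocked:
        raise ValueError("no application paths given")
    # Fresh identifiers for the outer profile and the inner payload.
    profile_uuid = str(uuid.uuid4())
    payload_uuid = str(uuid.uuid4())
    restrictions = {
        "PayloadType": "com.apple.applicationaccess.new",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"MCXToProfile.{profile_uuid}.alacarte.customsettings.{payload_uuid}",
        "PayloadEnabled": True,
        "PayloadUUID": payload_uuid,
        "PayloadDisplayName": "Block Specified Applications From Launching",
        "familyControlsEnabled": True,
        "pathBlackList": blocked,
        "pathWhiteList": ["/"],
        "whiteList": [],
    }
    profile = {
        "PayloadIdentifier": identifier,
        "PayloadRemovalDisallowed": True,
        "PayloadScope": "System",
        "PayloadType": "Configuration",
        "PayloadUUID": profile_uuid,
        "PayloadOrganization": organization,
        "PayloadVersion": 1,
        "PayloadDisplayName": "Application Restrictions",
        "PayloadContent": [restrictions],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML, sort_keys=False)

if __name__ == "__main__":
    # Constructed sample input: two of the applications named in the article.
    data = build_block_profile(["/Applications/Chess.app/", "/Applications/FaceTime.app"])
    with open("blockapps.mobileconfig", "wb") as fh:
        fh.write(data)
```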
Applying the .mobileconfig using MDM Configurations
Head over to Policies -> MDM Configurations -> Add Configuration
Click macOS, then Custom Configuration
Next, select your mobileconfig file
Finally, click Create Configuration.
Deploying the MDM Configuration
Now that we have configured and uploaded our mobileconfig to an MDM Configuration, it's time to deploy!
You can deploy this at a policy level by adding it to the relevant policy or on an individual basis using the Go-Live Device window.
Once the configuration is deployed, an end user who attempts to open one of the blocked applications will receive a screen such as this one.
Note: Much of this article was based on an article by Rich Trouton on his blog, Der Flounder. You can read his full article here: Application blacklisting using management profiles