There may be scenarios where you would benefit from blocking applications on an end user's Mac. This is possible using Addigy's MDM Configurations.


Here is a quick overview of what we will be doing to apply Application Blocking:

1. Generating the necessary .mobileconfig file.   

2. Applying the .mobileconfig using MDM Configurations.

3. Deploying the MDM Configuration.     




1. 

(A.) Let's begin by editing this plist/mobileconfig file to suit our needs:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadIdentifier</key>
  <string>com.company.mcx.blockapps</string>
  <key>PayloadRemovalDisallowed</key>
  <true/>
  <key>PayloadScope</key>
  <string>System</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>9c24d6b3-6233-4a08-a48d-9068f4f76cf0</string>
  <key>PayloadOrganization</key>
  <string>Company Name</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadDisplayName</key>
  <string>Application Restrictions</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key>
      <string>com.apple.applicationaccess.new</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>PayloadIdentifier</key>
      <string>MCXToProfile.9c24d6b3-6233-4a08-a48d-9068f4f76cf0.alacarte.customsettings.2476221c-1870-4f3e-8c52-52386029c4cf</string>
      <key>PayloadEnabled</key>
      <true/>
      <key>PayloadUUID</key>
      <string>2476221c-1870-4f3e-8c52-52386029c4cf</string>
      <key>PayloadDisplayName</key>
      <string>Block Specified Applications From Launching</string>
      <key>familyControlsEnabled</key>
      <true/>
      <key>pathBlackList</key>
      <array>
        <string>/Applications/Chess.app/</string>
      </array>
      <key>pathWhiteList</key>
      <array>
        <string>/</string>
      </array>
      <key>whiteList</key>
      <array>
      </array>
    </dict>
  </array>
</dict>
</plist>


(B.) Currently, this mobileconfig blocks only the Chess application. We can see this in the following line of the file (Line 40):

<string>/Applications/Chess.app/</string>


To add more applications, simply add more string tags containing the paths of the applications you would like to block. Here's an example of a mobileconfig that blocks Chess, FaceTime, Mail, and Messages:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadIdentifier</key>
  <string>com.company.mcx.blockapps</string>
  <key>PayloadRemovalDisallowed</key>
  <true/>
  <key>PayloadScope</key>
  <string>System</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>9c24d6b3-6233-4a08-a48d-9068f4f76cf0</string>
  <key>PayloadOrganization</key>
  <string>Company Name</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadDisplayName</key>
  <string>Application Restrictions</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key>
      <string>com.apple.applicationaccess.new</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>PayloadIdentifier</key>
      <string>MCXToProfile.9c24d6b3-6233-4a08-a48d-9068f4f76cf0.alacarte.customsettings.2476221c-1870-4f3e-8c52-52386029c4cf</string>
      <key>PayloadEnabled</key>
      <true/>
      <key>PayloadUUID</key>
      <string>2476221c-1870-4f3e-8c52-52386029c4cf</string>
      <key>PayloadDisplayName</key>
      <string>Block Specified Applications From Launching</string>
      <key>familyControlsEnabled</key>
      <true/>
      <key>pathBlackList</key>
      <array>
        <string>/Applications/Chess.app/</string>
        <string>/Applications/FaceTime.app/</string>
        <string>/Applications/Mail.app/</string>
        <string>/Applications/Messages.app/</string>
      </array>
      <key>pathWhiteList</key>
      <array>
        <string>/</string>
      </array>
      <key>whiteList</key>
      <array>
      </array>
    </dict>
  </array>
</dict>
</plist>


Once you finish configuring the mobileconfig file to suit your needs, save it as ANY_NAME.mobileconfig. It's then time to create a Custom Profile using this file.
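As an alternative to hand-editing the XML, the following added example (not part of the original article and not Addigy's own code) builds the same profile from a list of application paths and reads the blocked paths back out for review before upload. The function names, the fresh UUIDs generated per profile, and the shortened inner PayloadIdentifier format are assumptions of this example.

```python
import plistlib
import uuid


def build_block_profile(app_paths, identifier="com.company.mcx.blockapps",
                        organization="Company Name"):
    """Return .mobileconfig bytes that block the given .app bundle paths."""
    blocked = []
    for raw in app_paths:
        path = raw.strip().rstrip("/")
        if not path.startswith("/") or not path.endswith(".app"):
            raise ValueError(f"not an absolute .app bundle path: {raw!r}")
        if path + "/" not in blocked:       # trailing slash, as in the article
            blocked.append(path + "/")
    if not blocked:
        raise ValueError("no application paths given")
    payload_uuid = str(uuid.uuid4())        # assumption: new UUIDs per profile
    profile = {
        "PayloadIdentifier": identifier,
        "PayloadRemovalDisallowed": True,
        "PayloadScope": "System",
        "PayloadType": "Configuration",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadOrganization": organization,
        "PayloadVersion": 1,
        "PayloadDisplayName": "Application Restrictions",
        "PayloadContent": [{
            "PayloadType": "com.apple.applicationaccess.new",
            "PayloadVersion": 1,
            "PayloadIdentifier": f"{identifier}.{payload_uuid}",  # assumed format
            "PayloadEnabled": True,
            "PayloadUUID": payload_uuid,
            "PayloadDisplayName": "Block Specified Applications From Launching",
            "familyControlsEnabled": True,
            "pathBlackList": blocked,
            "pathWhiteList": ["/"],
            "whiteList": [],
        }],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML, sort_keys=False)


def blocked_paths(mobileconfig_bytes):
    """Parse a profile and list every path its restriction payloads block."""
    profile = plistlib.loads(mobileconfig_bytes)
    return [p for payload in profile.get("PayloadContent", [])
            if payload.get("PayloadType") == "com.apple.applicationaccess.new"
            for p in payload.get("pathBlackList", [])]
```

Write the bytes returned by build_block_profile to ANY_NAME.mobileconfig, and run blocked_paths over any existing profile to confirm exactly which paths it blocks before uploading it.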



2.

(A.) Head over to Policies -> MDM Configurations -> Add Configuration



(B.) Click macOS, then Custom Configuration




  (C.) Next, select your mobileconfig file


   


(D.) Finally, click Create Configuration.



3. Now that we have configured and uploaded our mobileconfig to an MDM Configuration, it's time to deploy!

You can deploy this at a policy level by adding it to the relevant policy or on an individual basis using the Go-Live Device window.



Once the configuration is deployed, an end user who attempts to open one of the blocked applications will receive a screen such as this one.



Much of this article was based on an article by Rich Trouton on his blog, Der Flounder. You can read his full article here: Application blacklisting using management profiles