There may be scenarios where you would benefit from blocking applications on an end user's Mac. This is possible using Addigy's Custom Profiles.


A quick overview of what we will be doing to apply Application Blocking:

1. Generating the necessary .mobileconfig file.   

2. Applying the .mobileconfig using Custom Profiles.

3. Deploying the Profile.     




1. 

(A.) Let's begin by editing this plist/mobileconfig file to suit our needs:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadIdentifier</key>
  <string>com.company.mcx.blockapps</string>
  <key>PayloadRemovalDisallowed</key>
  <true/>
  <key>PayloadScope</key>
  <string>System</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>9c24d6b3-6233-4a08-a48d-9068f4f76cf0</string>
  <key>PayloadOrganization</key>
  <string>Company Name</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadDisplayName</key>
  <string>Application Restrictions</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key>
      <string>com.apple.applicationaccess.new</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>PayloadIdentifier</key>
      <string>MCXToProfile.9c24d6b3-6233-4a08-a48d-9068f4f76cf0.alacarte.customsettings.2476221c-1870-4f3e-8c52-52386029c4cf</string>
      <key>PayloadEnabled</key>
      <true/>
      <key>PayloadUUID</key>
      <string>2476221c-1870-4f3e-8c52-52386029c4cf</string>
      <key>PayloadDisplayName</key>
      <string>Block Specified Applications From Launching</string>
      <key>familyControlsEnabled</key>
      <true/>
      <key>pathBlackList</key>
      <array>
        <string>/Applications/Chess.app/</string>
      </array>
      <key>pathWhiteList</key>
      <array>
        <string>/</string>
      </array>
      <key>whiteList</key>
      <array>
      </array>
    </dict>
  </array>
</dict>
</plist>


(B.) Currently, this mobileconfig blocks the Chess application. We can see this on the following line of the file (Line 40):

<string>/Applications/Chess.app/</string>


To add more applications, simply add more string tags with the paths to the applications you would like to block. Here's an example of a mobileconfig that blocks Chess, FaceTime, Mail, and Messages.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadIdentifier</key>
  <string>com.company.mcx.blockapps</string>
  <key>PayloadRemovalDisallowed</key>
  <true/>
  <key>PayloadScope</key>
  <string>System</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>9c24d6b3-6233-4a08-a48d-9068f4f76cf0</string>
  <key>PayloadOrganization</key>
  <string>Company Name</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadDisplayName</key>
  <string>Application Restrictions</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key>
      <string>com.apple.applicationaccess.new</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>PayloadIdentifier</key>
      <string>MCXToProfile.9c24d6b3-6233-4a08-a48d-9068f4f76cf0.alacarte.customsettings.2476221c-1870-4f3e-8c52-52386029c4cf</string>
      <key>PayloadEnabled</key>
      <true/>
      <key>PayloadUUID</key>
      <string>2476221c-1870-4f3e-8c52-52386029c4cf</string>
      <key>PayloadDisplayName</key>
      <string>Block Specified Applications From Launching</string>
      <key>familyControlsEnabled</key>
      <true/>
      <key>pathBlackList</key>
      <array>
        <string>/Applications/Chess.app/</string>
        <string>/Applications/FaceTime.app/</string>
        <string>/Applications/Mail.app/</string>
        <string>/Applications/Messages.app/</string>
      </array>
      <key>pathWhiteList</key>
      <array>
        <string>/</string>
      </array>
      <key>whiteList</key>
      <array>
      </array>
    </dict>
  </array>
</dict>
</plist>


Once you finish configuring the mobileconfig file to suit your needs, save it under ANY_NAME.mobileconfig. It's now time to create a Custom Profile using this file.
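As an added example (not part of the original article or Addigy's tooling), the profile above can be generated instead of hand-edited. This Python sketch builds the same keys with fresh UUIDs for each profile and rejects block-list entries that are not absolute `.app` bundle paths; the function names and the inner `PayloadIdentifier` scheme are assumptions made for illustration.

```python
import plistlib
import uuid

def normalize_app_path(path):
    """Return an absolute bundle path with a trailing slash, or raise ValueError."""
    path = path.strip()
    if not path.startswith("/"):
        raise ValueError(f"not an absolute path: {path!r}")
    path = path.rstrip("/")
    if not path.endswith(".app"):
        raise ValueError(f"not an application bundle: {path!r}")
    return path + "/"

def build_block_profile(app_paths, organization, identifier):
    """Build the profile shown above with fresh UUIDs and a checked block list."""
    blocked = []
    for p in app_paths:
        norm = normalize_app_path(p)
        if norm not in blocked:  # drop duplicates, keep the given order
            blocked.append(norm)
    if not blocked:
        raise ValueError("no applications to block")
    profile_uuid = str(uuid.uuid4())
    payload_uuid = str(uuid.uuid4())
    payload = {
        "PayloadType": "com.apple.applicationaccess.new",
        "PayloadVersion": 1,
        # Assumed naming scheme: profile identifier plus the payload UUID.
        "PayloadIdentifier": f"{identifier}.{payload_uuid}",
        "PayloadEnabled": True,
        "PayloadUUID": payload_uuid,
        "PayloadDisplayName": "Block Specified Applications From Launching",
        "familyControlsEnabled": True,
        "pathBlackList": blocked,
        "pathWhiteList": ["/"],
        "whiteList": [],
    }
    profile = {
        "PayloadIdentifier": identifier,
        "PayloadRemovalDisallowed": True,
        "PayloadScope": "System",
        "PayloadType": "Configuration",
        "PayloadUUID": profile_uuid,
        "PayloadOrganization": organization,
        "PayloadVersion": 1,
        "PayloadDisplayName": "Application Restrictions",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML, sort_keys=False)
```

Write the returned bytes to ANY_NAME.mobileconfig and continue with step 2.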



2.

(A.) Head over to your Catalog on the Policies page and add a new Custom Profile.



(B.) First, upload your newly configured mobileconfig file.

      Second, click the command line icon to generate your instruction sequence.

      Third, add a remove script. (You can copy the instruction sequence and replace the "-IF" with "-RF".)

      Fourth, review and save changes.



3. Now that we have configured and uploaded our mobileconfig to a Custom Profile, it's time to deploy!

You can deploy this at a policy level by adding it to the relevant policy or on an individual basis using the Go-Live Device window.



Once the profile is deployed, an end user who attempts to open one of the blocked applications will receive a screen such as this one.



Much of this article was based on an article by Rich Trouton on his blog, Der Flounder. You can read his full article here: Application blacklisting using management profiles