When deploying Macs for use in classrooms or for training, there is occasionally a requirement that certain applications must be blocked from running. Usually, this is to make sure that the student or test taker using the Mac is not able to use the blocked applications because it would distract them or otherwise cause problems.
On iOS, there is a way to do this via the blacklistedAppBundleIDs key available in the Restrictions payload. However, this key is not available on macOS and Macs will ignore the blacklist.
On macOS, there is the ability to set an application whitelist via Profile Manager but not a blacklist.
However, the profile specification does include the ability to configure an application blacklist using the pathBlackList key in the settings managed by the com.apple.applicationaccess.new payload.
For more details, see below the jump.
Since the ability to set an application blacklist for macOS is currently missing from Profile Manager, a profile to blacklist application may need to be manually created. See below for an example profile which blacklists the following applications:
/Applications/Chess.app
/Applications/FaceTime.app
/Applications/Mail.app
/Applications/Messages.app
Note: In addition to setting the application blacklist, a correctly-built profile will need to include whitelist entries that explicitly allow all other applications other than the ones being blacklisted.
When setting an application blacklist using the profile, one thing to be aware of is that the blacklist can be overridden by an administrator account.
If an administrator chooses, they can set the application block to be overridden once or permanently.
For those who want to block applications using a management profile, I’ve created an example .mobileconfig file and posted it here on Github:
https://github.com/rtrouton/profiles/tree/master/BlacklistApplications
