Skip to main content

Linux Tracking Policy (App Blocking Tracking)

Updated this week

The Linux Tracking Policy in Swif.ai enables visibility into key security and operational events occurring on Linux devices. In addition to USB and lock/unlock tracking, this policy can also be used together with the Linux Application Block Policy to track when users attempt to open blocked applications, and whether those blocked applications remain installed on devices.

This policy supports both BYOD and company-owned Linux devices.

For the base tracking behavior (USB, lock/unlock, and location), see the existing Linux Tracking Policy help:
https://help.swif.ai/en/articles/12846793-linux-tracking-policy

What This Policy Does for App Blocking

When used together with a Linux Application Block Policy, the Linux Tracking Policy allows Swif.ai to collect two additional types of data related to application blocking:

  1. Blocked app open attempts (real‑time agent callback)

    • When a user tries to launch an application that has been blocked via the Linux Application Block Policy, the Linux agent:

      • Detects the blocked process

      • Kills the running process (enforces the block)

      • Sends a callback event indicating:
        “You blocked this, but the user still opened it.”

    • This provides visibility into attempted policy violations and user behavior.

  2. Blocked app still installed (daily server‑side check)

    • Independently of real-time attempts, Swif’s MDM service checks whether the blocked application is still installed on the device.

    • Once per day, if the application is still present, the server sends a tracking event indicating:
      “You blocked this, but the application still exists on the device, just so you know.”

    • This helps you confirm whether remediation (uninstallation) is complete or if further action is required.

These events are reported through the same tracking/event pipeline used by other Linux tracking fields, and are visible in Swif.ai’s Event Logs and related reports.

How App Blocking Works on Linux

On Linux, Swif’s basic application blocking operation is:

  1. Swif agent inspects running processes on the device.

  2. If a process matches an app name defined in a Linux Application Block Policy, the agent:

    • Terminates the process (kills the application).

    • Sends a tracking callback if app blocking tracking is enabled:

      • When a blocked app process is found and closed.

  3. Separately, during scheduled inventory checks, the server:

    • Reviews the application inventory reported from the device.

    • If a blocked application is still installed and app blocking tracking is enabled, it sends a daily tracking event.

This gives you both enforcement (the app is killed when run) and observability (you can see attempts and installation status), without requiring a separate sync server or additional local configuration.

Requirements

  • OS: Linux (any Swif-supported distribution)

  • Policies required:

    1. A Linux Tracking Policy with application-block tracking enabled.

    2. A Linux Application Block Policy defining which app names to block.

Example JSON definitions (for API / advanced configuration):

  • Linux Tracking Policy

    • Enable "Application Block Tracking"

  • Linux Application Block Policy

Policy Settings (App Blocking–Related)

Note: The base Linux Tracking Policy fields (USB Connection Tracking, Device Lock Tracking, Location Tracking) remain unchanged and are documented at:
https://help.swif.ai/en/articles/12846793-linux-tracking-policy

In addition, the Linux Tracking Policy includes the following app blocking tracking field:

Field Name

Description

Value Options

Events Report

Minimum OS Requirement

Application Block Tracking

Controls whether Swif logs tracking events related to blocked applications on Linux devices. This includes: (1) when a blocked app is opened and terminated by the agent, and (2) daily checks that the blocked app is still installed.

True – Enables tracking of blocked app open attempts and “still installed” status. False – Disables app blocking tracking events.

View reports at Device Management > Event Logs and relevant security/endpoint reports.

Linux

Behavior when enabled (true):

  • Agent-side event: Whenever the agent detects and kills a blocked app process, it sends a tracking event indicating that a user attempted to open a blocked app.

  • Server-side daily event: Once a day, Swif checks if any blocked application from your policy is still installed on the device and sends a tracking event if it is.

Behavior when disabled (false):

  • The application may still be blocked by the Linux Application Block Policy, but:

    • No additional tracking events are generated when the app is opened and killed.

    • No daily “still installed” tracking events are sent.

Where to View App Blocking Tracking Events

Once both policies are applied and Application Block Tracking is enabled, you can review events in:

  • Reports → Event Logs → Device Events

You will see events such as:

  • Blocked application opened
    Indicates that a user tried to run an application that is blocked by policy, and the agent terminated it.

  • Blocked application still installed (daily)
    Indicates that the blocked application remains installed on the device despite being blocked.

These events can be filtered by:

  • Device

  • Application name

  • Event type

  • Time range

This gives Security and IT teams a centralized view of attempted policy violations and the current state of blocked software across the fleet.

Example Use Cases

Enforce high-risk software bans
Block tools like remote access software, certain browsers, or unauthorized collaboration apps, and track every time users try to open them.

Verify remediation
After you block and request removal of a risky app, use the daily “still installed” tracking events to confirm which machines still have the app present.

Investigate suspicious behavior
Correlate blocked app attempts with other events (e.g., USB usage, lock/unlock patterns) to better understand risky user actions.

Compliance & audit evidence
Demonstrate that high-risk apps are both blocked and actively monitored, supporting SOC 2, ISO 27001, HIPAA, and internal controls.

How to Configure App Blocking Tracking

  1. Create or update your Linux Tracking Policy

    • Go to Policies → Linux → Tracking Policy.

    • Enable Application Block Tracking.

    • (Optionally) also configure USB, Lock/Unlock, and Location Tracking as needed for your organization.

    • Assign the policy to the target Linux devices or groups.

  2. Create your Linux Application Block Policy

    • Go to Policies → Linux → Application Block Policy.

    • Add the application names you want to block under appNames (e.g. firefox, teamviewer, etc.).

    • Assign this policy to the same device groups that have the Linux Tracking Policy applied.

  3. Verify on a test device

    • Ensure the Swif agent is installed and running.

    • Attempt to open a blocked application.

    • Confirm:

      • The app is terminated.

      • A “blocked app opened” event appears in Reports → Event Logs.

  4. Monitor daily installation status

    • After the next scheduled inventory/agent cycle, check Event Logs for:

      • “Blocked app still installed” events on devices where the app has not yet been removed.

Verification & Troubleshooting

If app blocking tracking events are not appearing:

  1. Confirm policies are assigned

    • Verify that:

      • A Linux Tracking Policy with applicationBlockTracking = true is applied.

      • A Linux Application Block Policy with the expected appNames is assigned to the same devices.

  2. Check the Swif agent

    • Ensure the agent is installed and running on the Linux device.

    • Restart the device if necessary.

  3. Check Event Logs filters

    • Go to Reports → Event Logs → Device Events.

    • Clear or adjust filters (time range, event type, device) to ensure events are not being hidden.

  4. Confirm the app name

    • Make sure the appNames values in your Linux Application Block Policy match the actual process/application names on the device.

Best Practices

  • Always pair policies
    Use Linux Tracking Policy + Linux Application Block Policy together for both enforcement and visibility.

  • Start with a pilot group
    Test with a small set of devices before rolling out app blocking and tracking to your entire Linux fleet.

  • Monitor trends
    Use Event Logs to identify:

    • Which blocked apps are most frequently attempted.

    • Which devices or users repeatedly try to use blocked software.

  • Automate alerts
    Configure automations or external integrations to:

    • Notify Security when specific high-risk applications are attempted.

    • Open tickets when blocked apps remain installed beyond a defined SLA.

  • Review regularly
    Periodically review your blocked application list and tracking data to keep your controls aligned with current risk and business needs.

Related Articles
Linux-specific MDM policies available in Swif
Linux Tracking Policy
Linux Application Block Policy
Linux Firefox Extension Policy
Linux User Authorization Policy
Did this answer your question?