Skip to main content

Apple Application Block Policy

The Apple Application Block Policy allows administrators to block specific applications, scripts, and binaries on macOS devices based on developer identity, application identifiers, file paths, names, or even window titles. This provides fine-grained control to prevent the use of unauthorized or risky software, including command-line tools and scripting runtimes.

This policy supports BYOD macOS devices.

What's New — Script & Binary Blocking

With new authorization from Apple, the Apple Application Block Policy has expanded its blocking scope. Previously, this policy only blocked GUI-based applications. Now, scripts and binaries are also blocked. This means you can enforce security policies against command-line tools, scripting runtimes, and background services — not just apps with a graphical interface.

No new policy fields were added. The existing configuration settings (Team ID, Identifier, Path, Name, and Window Title) now apply to a broader range of executables.

Requirements

  • Platform: macOS

  • Minimum version: macOS 10.7+

What This Policy Does

With the Apple Application Block Policy, you can:

  • Block applications from specific Apple developers

  • Block apps by bundle identifier

  • Block apps located in specific paths

  • Block apps based on name patterns

  • Block apps by detecting window titles (advanced use cases)

  • Block scripts and scripting runtimes (e.g., Node.js)

  • Block command-line binaries and background services

  • Block LLM CLI agents and unauthorized automation tools (e.g., Openclaw, other npm/npx-based tools)

When a blocked application, script, or binary is launched, macOS will immediately prevent it from running.

How to Create the Policy

Navigate to:

Device Management → Policy → Create New Policy → Apple Application Block Policy

Policy Settings Explained

Team ID List

Blocks applications signed by specific Apple developer Team IDs.

  • Each Team ID represents a unique Apple developer account.

  • Any application signed by the specified developer will be blocked.

Example use case:
Block all software published by a known vendor.

💡 You can find a Team ID using:

codesign -dv --verbose=4 /Applications/YourApp.app

Identifier List

Blocks applications and binaries using their bundle identifier or code signing identifier.

Example (applications):

com.spotify.client 
com.google.Chrome

💡 Tip for scripts and binaries: Many scripts run through an interpreter (e.g., Openclaw runs via node). You can find the signing identifier of the parent process using:

pgrep -i <process_name> 
codesign -dv --display --entitlements - <PID>

For example, blocking node by its signing identifier will also prevent any Node.js-based tools (such as Openclaw or other npm/npx packages) from executing.

This method is precise and recommended for blocking well-known applications and runtimes.

Application Path List

Blocks applications and binaries located at specific file paths.

Example (applications):

/Applications/Zoom.us.app 
/Applications/Utilities

Example (scripts and binaries):

/Users/<username>/.nvm/versions/node/v24.11.1/bin/node 
/usr/bin/ruby

⚠️ Blocking a directory path will block all applications and binaries inside that directory.

Application Name Contains

Blocks applications and processes whose names contain a specific string.

Example:

Zoom 
Chrome
node

This is useful when application names vary by version, or when you want to broadly block a scripting runtime by name.

Check App Window Titles

Blocks applications by detecting specific window titles.

This is an advanced option, useful when:

  • You need to block a specific feature or workflow

  • The application name or identifier is not sufficient

How to Find a Window Title:

If you don't know the window title:

  1. Run the application in verbose mode

  2. Capture logs when the window opens

Example:

/Applications/SwifAppManagement.app/Contents/MacOS/SwifAppManagement --verbose

In the logs, you will see entries like:

Window: Add Printer

Enter Add Printer into the Check App Window Titles field. When the window opens, it will be automatically closed.

Blocking Scripts & LLM CLI Agents — Examples

Block Node.js (and npm/npx tools like Openclaw)

Tools installed via npm/npx (such as Openclaw and other LLM CLI agents) run through the node binary. Blocking node will prevent all Node.js-based tools from executing.

  • Application Path List: /Users/<username>/.nvm/versions/node/v24.11.1/bin/node (adjust for your environment)

  • Application Name Contains: node

Note, please test this on test devices before distributing it. Because things that will be blocked might have different side effects. For example, if Python is blocked, Swif's software package won't work because Swif uses Python for app management.

Block Other CLI Tools

Use the same approach for any scripting runtime or CLI binary:

  • Ruby: Identifier ruby or path /usr/bin/ruby

  • Perl: Identifier perl or path /usr/bin/perl

  • Custom binaries: Use the full file path in the Application Path List

Tracking Blocked Events

When used together with the Apple Tracking Policy (App Blocking Tracking), blocked script and binary execution attempts are reported as tracking events. This gives you visibility into:

  • Which blocked scripts or binaries users attempted to run

  • How frequently policy violations occur

  • Which devices are affected

Events are visible in Device Management → Event Logs → Device Events.

Best Practices

  • Prefer Identifier List or Team ID List for long-term reliability

  • Use Application Path List carefully to avoid over-blocking — especially with scripting runtimes, as blocking a runtime blocks all scripts that depend on it

  • Use Window Title blocking only for advanced scenarios

  • Test policies on a small device group before wide deployment

  • When blocking scripting runtimes (Node.js, Ruby), communicate to end users which tools are restricted and why

  • Pair with the Apple Tracking Policy to get visibility into blocked execution attempts

Common Use Cases

  • Block unapproved browsers or file-sharing tools

  • Prevent installation of personal productivity apps on BYOD devices

  • Restrict system utilities like Terminal or System Settings

  • Enforce software compliance policies

  • Block LLM CLI agents (e.g., Openclaw) and other unauthorized AI/automation tools

  • Prevent execution of unauthorized scripts (Node.js, Ruby, Perl)

  • Block background services and daemons that are not approved by IT

Notes

  • This policy applies only to macOS

  • The block is enforced immediately after policy sync

  • Multiple criteria can be combined for stronger enforcement

  • Scripts and binaries are now blocked in addition to GUI applications — no additional configuration is needed beyond existing policy settings

If you need help identifying application identifiers, Team IDs, script runtime paths, or window titles, contact Swif Support or use Live Terminal for inspection.


Did this answer your question?