The Apple Application Block Policy allows administrators to block specific applications, scripts, and binaries on macOS devices based on developer identity, application identifiers, file paths, names, or even window titles. This provides fine-grained control to prevent the use of unauthorized or risky software, including command-line tools and scripting runtimes.
This policy supports BYOD macOS devices.
What's New — Script & Binary Blocking
With new authorization from Apple, the Apple Application Block Policy has expanded its blocking scope. Previously, this policy only blocked GUI-based applications. Now, scripts and binaries are also blocked. This means you can enforce security policies against command-line tools, scripting runtimes, and background services — not just apps with a graphical interface.
No new policy fields were added. The existing configuration settings (Team ID, Identifier, Path, Name, and Window Title) now apply to a broader range of executables.
Requirements
Platform: macOS
Minimum version: macOS 10.7+
What This Policy Does
With the Apple Application Block Policy, you can:
Block applications from specific Apple developers
Block apps by bundle identifier
Block apps located in specific paths
Block apps based on name patterns
Block apps by detecting window titles (advanced use cases)
Block scripts and scripting runtimes (e.g., Node.js)
Block command-line binaries and background services
Block LLM CLI agents and unauthorized automation tools (e.g., Openclaw, other npm/npx-based tools)
When a blocked application, script, or binary is launched, macOS will immediately prevent it from running.
How to Create the Policy
Navigate to:
Device Management → Policy → Create New Policy → Apple Application Block Policy
Policy Settings Explained
Team ID List
Blocks applications signed by specific Apple developer Team IDs.
Each Team ID represents a unique Apple developer account.
Any application signed by the specified developer will be blocked.
Example use case:
Block all software published by a known vendor.
💡 You can find a Team ID using:
codesign -dv --verbose=4 /Applications/YourApp.app
Identifier List
Blocks applications and binaries using their bundle identifier or code signing identifier.
Example (applications):
com.spotify.client
com.google.Chrome
💡 Tip for scripts and binaries: Many scripts run through an interpreter (e.g., Openclaw runs via node). You can find the signing identifier of the parent process using:
pgrep -i <process_name>
codesign -dv --display --entitlements - <PID>
For example, blocking node by its signing identifier will also prevent any Node.js-based tools (such as Openclaw or other npm/npx packages) from executing.
This method is precise and recommended for blocking well-known applications and runtimes.
Application Path List
Blocks applications and binaries located at specific file paths.
Example (applications):
/Applications/Zoom.us.app
/Applications/Utilities
Example (scripts and binaries):
/Users/<username>/.nvm/versions/node/v24.11.1/bin/node
/usr/bin/ruby
⚠️ Blocking a directory path will block all applications and binaries inside that directory.
Application Name Contains
Blocks applications and processes whose names contain a specific string.
Example:
Zoom
Chrome
node
This is useful when application names vary by version, or when you want to broadly block a scripting runtime by name.
Check App Window Titles
Blocks applications by detecting specific window titles.
This is an advanced option, useful when:
You need to block a specific feature or workflow
The application name or identifier is not sufficient
How to Find a Window Title:
If you don't know the window title:
Run the application in verbose mode
Capture logs when the window opens
Example:
/Applications/SwifAppManagement.app/Contents/MacOS/SwifAppManagement --verbose
In the logs, you will see entries like:
Window: Add Printer
Enter Add Printer into the Check App Window Titles field. When the window opens, it will be automatically closed.
Blocking Scripts & LLM CLI Agents — Examples
Block Node.js (and npm/npx tools like Openclaw)
Tools installed via npm/npx (such as Openclaw and other LLM CLI agents) run through the node binary. Blocking node will prevent all Node.js-based tools from executing.
Application Path List:
/Users/<username>/.nvm/versions/node/v24.11.1/bin/node(adjust for your environment)Application Name Contains:
node
Note, please test this on test devices before distributing it. Because things that will be blocked might have different side effects. For example, if Python is blocked, Swif's software package won't work because Swif uses Python for app management.
Block Other CLI Tools
Use the same approach for any scripting runtime or CLI binary:
Ruby: Identifier
rubyor path/usr/bin/rubyPerl: Identifier
perlor path/usr/bin/perlCustom binaries: Use the full file path in the Application Path List
Tracking Blocked Events
When used together with the Apple Tracking Policy (App Blocking Tracking), blocked script and binary execution attempts are reported as tracking events. This gives you visibility into:
Which blocked scripts or binaries users attempted to run
How frequently policy violations occur
Which devices are affected
Events are visible in Device Management → Event Logs → Device Events.
Best Practices
Prefer Identifier List or Team ID List for long-term reliability
Use Application Path List carefully to avoid over-blocking — especially with scripting runtimes, as blocking a runtime blocks all scripts that depend on it
Use Window Title blocking only for advanced scenarios
Test policies on a small device group before wide deployment
When blocking scripting runtimes (Node.js, Ruby), communicate to end users which tools are restricted and why
Pair with the Apple Tracking Policy to get visibility into blocked execution attempts
Common Use Cases
Block unapproved browsers or file-sharing tools
Prevent installation of personal productivity apps on BYOD devices
Restrict system utilities like Terminal or System Settings
Enforce software compliance policies
Block LLM CLI agents (e.g., Openclaw) and other unauthorized AI/automation tools
Prevent execution of unauthorized scripts (Node.js, Ruby, Perl)
Block background services and daemons that are not approved by IT
Notes
This policy applies only to macOS
The block is enforced immediately after policy sync
Multiple criteria can be combined for stronger enforcement
Scripts and binaries are now blocked in addition to GUI applications — no additional configuration is needed beyond existing policy settings
If you need help identifying application identifiers, Team IDs, script runtime paths, or window titles, contact Swif Support or use Live Terminal for inspection.
