Swif provides an Application Block Policy to block App installations and updates or OS updates. This policy is important for your ISO 27001 audit.
For example, giving the Signing ID value platform:com.apple.preferences.softwareupdate.remoteservice blocks a macOS update (Settings -> Software Update page) on a macOS 12 machine.
Giving the Signing ID value platform:com.apple.Software-Update-Settings.extension blocks a macOS update (Settings -> Software Update page) on a macOS 13 or 14 machine.
A Signing ID is a combination of a team identifier and a package identifier, written as teamID:packageID. You can find the team ID by querying:
$ codesign -dvvv /System/Library/ExtensionKit/Extensions/SoftwareUpdateSettingsExtension.appex
If the response is Team Identifier=not set, you can use the keyword "platform" as the team ID.
To find the package identifier, query:
$ mdls /System/Library/ExtensionKit/Extensions/SoftwareUpdateSettingsExtension.appex | grep kMDItemCFBundleIdentifier
kMDItemCFBundleIdentifier = "com.apple.Software-Update-Settings.extension"
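The two lookups above combined into one helper, as an added example (not Swif's own tooling): it parses the codesign and mdls output and prints the Signing ID, substituting platform when the team identifier is not set. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: build a "teamID:packageID" Signing ID from the output of the
# two commands shown above. Function names are assumptions, not Swif tooling.

# Team ID from `codesign -dvvv` output; "not set" maps to the keyword "platform".
# Accepts the key with or without a space ("TeamIdentifier" / "Team Identifier").
team_id_from_codesign() {
    team=$(printf '%s\n' "$1" | sed -n 's/^Team *Identifier=//p' | head -n 1)
    case "$team" in
        "")        return 1 ;;        # no team line: unsigned bundle or bad input
        "not set") echo "platform" ;;
        *)         echo "$team" ;;
    esac
}

# Package identifier from `mdls` output; a missing or (null) value is an error.
bundle_id_from_mdls() {
    id=$(printf '%s\n' "$1" |
        sed -n 's/^ *kMDItemCFBundleIdentifier *= *"\(.*\)" *$/\1/p' | head -n 1)
    [ -n "$id" ] || return 1
    echo "$id"
}

# Combine both values; refuse to print a partial Signing ID.
signing_id_from_output() {
    team=$(team_id_from_codesign "$1") || { echo "no team identifier found" >&2; return 1; }
    bundle=$(bundle_id_from_mdls "$2") || { echo "no package identifier found" >&2; return 1; }
    echo "${team}:${bundle}"
}

# On macOS: run the real commands. codesign writes its details to stderr.
signing_id_for_path() {
    signing_id_from_output "$(codesign -dvvv "$1" 2>&1)" "$(mdls "$1")"
}

# Constructed sample output (not captured from a real machine).
SAMPLE_CODESIGN='Identifier=com.apple.Software-Update-Settings.extension
TeamIdentifier=not set'
SAMPLE_MDLS='kMDItemCFBundleIdentifier = "com.apple.Software-Update-Settings.extension"'

# Usage: sh signing_id.sh /path/to/Some.app
if [ "$#" -gt 0 ]; then signing_id_for_path "$1"; fi
```

Because a missing identifier is an error, an unsigned or unindexed bundle never produces a half-formed value for the policy.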
You can also block by application name, e.g. Adobe.
The policy partially matches the application name. When you try to open Acrobat Reader, you will receive a message like this: