Control which apps can (and can’t) launch on managed Macs, straight from the Swif Admin console.
1 | What the policy does
Blocks or allow-lists apps at launch time by matching one or more code-signing attributes.
Works on macOS 10.7+ (Intel and Apple Silicon).
Delivered as a configuration-profile payload (`swif.application-block-<UUID>.mobileconfig`) by Swif MDM. Evaluated before the user sees the app's first window; no kernel extensions required.
This policy is important for your ISO 27001 audit.
2 | Supported matching keys
| Match key | Example value | Typical use-case | Notes |
|---|---|---|---|
| Team ID | | Block every app signed by a developer | Fastest method. "Allow" by Team ID overrides any later Block on that developer. |
| Signing ID / Bundle ID | `platform:com.apple.Software-Update-Settings.extension` (see section 7) | Block or allow a single app | macOS matches the CFBundleIdentifier inside the app. |
| Binary SHA-256 | | Pin or ban one exact build | Hash of the app's main executable (the binary), not of the .app folder. |
| Certificate SHA-256 | | Ban all code signed with a leaked/disallowed cert | Paste the leaf certificate's SHA-256 fingerprint. |
| File path | | Block apps in known bad locations | Supports wildcards. |
| Name contains | | Catch shady variants | Case-insensitive substring; 3+ characters. |
Evaluation order (first match wins): Team ID → Signing ID → SHA-256 → Cert → Path → Name
3 | Block-list vs Allow-list modes
| Mode | Behaviour |
|---|---|
| Block (default) | Only the listed apps/developers are blocked; everything else may run. |
| Allow | Only the listed items are allowed; all others are blocked. Ideal for kiosk / lab Macs. |

If the same item is listed in both an Allow and a Block rule, Allow wins (Apple rule precedence).
Switch modes from Basic Configurations → Policy Options → Allow / Block in the wizard.
4 | Field limits & platform caps
| Item | Limit |
|---|---|
| Values per field (Team ID, Bundle ID, SHA-256, etc.) | 1,024 each |
| Distinct Application Block / Allow payloads per Mac | 64 (OS limit) |
| Profile size Swif pushes | < 300 KB (payload only; fits the MDM spec) |
5 | User experience
Launch of a matched app shows the macOS alert:
“<App>” is restricted — contact your administrator.
Nothing appears if the app is allowed.
Log entries:
`/Library/Application Support/Swif/logs/application_block.log` (easy to read)
`/var/log/system.log` for low-level macOS details. On macOS 10.12 and later most system messages go to the unified log rather than `system.log`, so query the unified log with the `log show` command when `system.log` is empty.
6 | Collecting IDs quickly
| Goal | Quick method |
|---|---|
| Team ID & Signing ID | `codesign -dv --verbose=4 /path/App.app` (read the `TeamIdentifier=` and `Identifier=` lines) |
| SHA-256 (binary) | |
| Certificate hash | |
| Path wildcards | Use a wildcard in the File path rule (see section 2). |
7 | Examples
For example, to block macOS updates (Settings → Software Update page) on a macOS 12 machine, give the Signing ID value `platform:com.apple.preferences.softwareupdate.remoteservice`.

On a macOS 13 or 14 machine the Software Update pane is an ExtensionKit extension, so the Signing ID value is `platform:com.apple.Software-Update-Settings.extension`.

A Signing ID is the team identifier and the package (bundle) identifier joined by a colon. Find the team ID by querying:

```
$ codesign -dvvv /System/Library/ExtensionKit/Extensions/SoftwareUpdateSettingsExtension.appex
```

If the output shows `TeamIdentifier=not set` (the case for Apple's own platform binaries), use the keyword `platform` as the team ID. Find the package identifier with:

```
$ mdls /System/Library/ExtensionKit/Extensions/SoftwareUpdateSettingsExtension.appex | grep kMDItemCFBundleIdentifier
kMDItemCFBundleIdentifier = "com.apple.Software-Update-Settings.extension"
```

The same `codesign` output also prints an `Identifier=` line. It normally equals the bundle identifier; if the two differ, confirm on a pilot device which value the rule matches before rolling out.
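Worked example (added here; not Swif's or Apple's code): a POSIX shell script that derives the Signing ID from `codesign -dvvv` output following the rule above (team ID, or `platform` when the team identifier is not set), plus helpers for the binary SHA-256 and leaf-certificate SHA-256 values listed in section 6. The `codesign`, `defaults`, `shasum` and `openssl` calls need a real app bundle on macOS, so the script ends by running the parser on two constructed `codesign` transcripts in which `ExampleApp`, `com.example.ExampleApp` and the team ID `ABCDE12345` are placeholders, not real values.

```shell
#!/bin/sh
# Added example (not Swif's or Apple's code): derive the values the
# Application Block policy matches on. Signing ID rule, as on this page:
# "<TeamIdentifier>:<identifier>", or "platform:<identifier>" when codesign
# reports "TeamIdentifier=not set". POSIX sh; the macOS-only helpers are
# marked as such and are not exercised at the bottom.

# signing_id_from_codesign: read `codesign -dvvv` text on stdin, print TEAM:IDENT.
signing_id_from_codesign() {
  awk -F= '
    # take everything after the first "=" so values containing "=" survive
    $1 == "Identifier"     { ident = substr($0, length($1) + 2) }
    $1 == "TeamIdentifier" { team  = substr($0, length($1) + 2) }
    END {
      if (ident == "") { print "no Identifier line in codesign output" > "/dev/stderr"; exit 1 }
      if (team == "" || team == "not set") team = "platform"   # Apple platform binary
      print team ":" ident
    }'
}

# signing_id_for_app APP.app (macOS only): codesign writes its report to stderr.
signing_id_for_app() {
  codesign -dvvv "$1" 2>&1 | signing_id_from_codesign
}

# binary_sha256 APP.app (macOS only): hash the main Mach-O executable, not the
# .app folder; CFBundleExecutable names the binary under Contents/MacOS.
binary_sha256() {
  exe=$(defaults read "$1/Contents/Info" CFBundleExecutable) || return 1
  shasum -a 256 "$1/Contents/MacOS/$exe" | awk '{ print $1 }'
}

# leaf_cert_sha256 APP.app (macOS only): codesign extracts the chain as
# <prefix>0 (leaf) .. <prefix>N (root); fingerprint the leaf with openssl.
# This is one way to obtain the value; the page itself shows no command.
leaf_cert_sha256() {
  tmp=$(mktemp -d) || return 1
  codesign -d --extract-certificates="$tmp/cert" "$1" 2>/dev/null || { rm -rf "$tmp"; return 1; }
  openssl x509 -inform DER -in "$tmp/cert0" -noout -fingerprint -sha256 | cut -d= -f2
  rm -rf "$tmp"
}

# Constructed codesign -dvvv transcripts (abridged; real field names, fake vendor).
SAMPLE_PLATFORM='Executable=/System/Library/ExtensionKit/Extensions/SoftwareUpdateSettingsExtension.appex/Contents/MacOS/SoftwareUpdateSettingsExtension
Identifier=com.apple.Software-Update-Settings.extension
Format=bundle with Mach-O universal (x86_64 arm64e)
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
TeamIdentifier=not set
Sealed Resources=none'

# ExampleApp / com.example.ExampleApp / ABCDE12345 are placeholders, not real values.
SAMPLE_VENDOR='Executable=/Applications/ExampleApp.app/Contents/MacOS/ExampleApp
Identifier=com.example.ExampleApp
Format=app bundle with Mach-O universal (x86_64 arm64)
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345'

printf '%s\n' "$SAMPLE_PLATFORM" | signing_id_from_codesign   # platform:com.apple.Software-Update-Settings.extension
printf '%s\n' "$SAMPLE_VENDOR"   | signing_id_from_codesign   # ABCDE12345:com.example.ExampleApp
```

On a Mac, `signing_id_for_app /Applications/Foo.app` prints the value to paste into the Signing ID field, `binary_sha256` the value for a Binary SHA-256 rule, and `leaf_cert_sha256` the colon-separated fingerprint for a Certificate SHA-256 rule; strip the colons if the console rejects them.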
You can also block by application name, e.g. `Adobe`. Name rules are partial (substring) matches, so opening Acrobat Reader, whose application name contains "Adobe", triggers the restriction alert described in section 5.
8 | Deploying via Swif
Device Management → Policies → New Policy
Choose Apple Application Block Policy.
Fill the Basic Configurations & paste IDs (press Enter after each).
Pick target devices / groups → Review → Create.
Swif pushes the profile within minutes; macOS applies it live.
The policy is evaluated at launch, so an app that is already running is not affected until it is quit and relaunched; reboot if a block still does not take.
9 | Troubleshooting checklist
| Symptom | Fix |
|---|---|
| Nothing blocked | Verify the profile is installed: System Settings → Privacy & Security → Profiles (General → Device Management on newer releases), or run `sudo profiles list` in Terminal. |
| Wrong app blocked | Check rule order; remember Team ID beats Path. |
| Rule ignored | Path typos, malformed bundle ID, or more than 64 payloads on the Mac. |
| Still launches after rule added | The app was already running; quit and relaunch it, or reboot. |
10 | Best-practice tips
Pilot first on a test group before going global.
Prefer Team ID whenever you trust the vendor; fastest to evaluate.
Combine Allow-list mode + Path rules for locked-down kiosks.
Document overrides in Swif notes so future admins know why blocks exist.
11 | Related reading
Original in-depth guide – Swif Help #8802443
Apple Platform Deployment → Endpoint Security & App Blocking (Apple Docs)
Swif Policy glossary – see All Apple policies article for context.
That's it! In Allow mode your Macs refuse to launch anything you haven't listed, and in Block mode the listed apps never start, giving auditors and security teams immediate peace of mind.