
macOS Application Blocking Policy

Updated over a month ago

Control which apps can (and can’t) launch on managed Macs, straight from the Swif Admin console.


1 | What the policy does

  • Blocks or allow-lists apps at launch time by matching one or more code-signing attributes.

  • Works on macOS 10.7+ (Intel & Apple Silicon).

  • Delivered as a configuration-profile payload (swif.application-block-<UUID>.mobileconfig) by Swif MDM.

  • Evaluated before the user sees the app’s first window; no kernel extensions required.

  • This policy is important for your ISO 27001 audit.


2 | Supported matching keys

| Match key | Example value | Typical use-case | Notes |
|---|---|---|---|
| Team ID | 7AGZNQ2S2T | Block every app signed by a developer | Fastest method. “Allow” by Team ID overrides any later Block on that dev. |
| Signing ID / Bundle ID | com.spotify.client | Block or allow a single app | macOS matches the CFBundleIdentifier inside the app. |
| Binary SHA-256 | f4b6…9c4d | Pin or ban one exact build | Compute with shasum -a 256 /path/App. |
| Certificate SHA-256 | 74a6…3ef2 | Ban all code signed with a leaked/disallowed cert | Paste the leaf-cert’s SHA-256 fingerprint. |
| File path | /Applications/BadStuff.app or /Users/*/Downloads/** | Block apps in known bad locations | Supports wildcards (*, **). |
| Name contains | cryptominer | Catch shady variants | Case-insensitive substring; 3+ chars. |

Evaluation order (first match wins): Team ID → Signing ID → SHA-256 → Cert → Path → Name
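To make the evaluation order concrete, here is an added Python model of the matching rules in this section (it is not Swif's code; the real evaluation happens inside macOS). It walks the keys in the order above, treats `*` as one path segment and `**` as recursive, applies the case-insensitive name substring rule, and lets an Allow hit win over a Block hit on the same key, which is why an Allow by Team ID beats a Block by Path. The rule set and app records are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Evaluation order from the article: the first key with a matching rule decides.
KEY_ORDER = ("team_id", "signing_id", "sha256", "cert_sha256", "path", "name")

def path_matches(pattern: str, path: str) -> bool:
    """'*' matches exactly one path segment, '**' matches any number of segments."""
    def walk(pat, segs):
        if not pat:
            return not segs
        if pat[0] == "**":
            return any(walk(pat[1:], segs[i:]) for i in range(len(segs) + 1))
        return bool(segs) and fnmatchcase(segs[0], pat[0]) and walk(pat[1:], segs[1:])
    return walk(pattern.strip("/").split("/"), path.strip("/").split("/"))

def rule_matches(rule: dict, app: dict) -> bool:
    value = app.get(rule["key"], "")
    if rule["key"] == "path":
        return path_matches(rule["value"], value)
    if rule["key"] == "name":  # case-insensitive substring of at least 3 chars
        return len(rule["value"]) >= 3 and rule["value"].lower() in value.lower()
    return rule["value"].lower() == value.lower()

def decide(rules: list, app: dict, mode: str = "block") -> str:
    """Return 'run' or 'blocked' for an app described by its signing attributes.

    Walks KEY_ORDER and stops at the first key with any matching rule; if that
    key has both an Allow and a Block hit, Allow wins (the article's tie rule).
    Unmatched apps run in Block mode and are blocked in Allow mode.
    """
    for key in KEY_ORDER:
        hits = [r for r in rules if r["key"] == key and rule_matches(r, app)]
        if hits:
            return "run" if any(r["action"] == "allow" for r in hits) else "blocked"
    return "run" if mode == "block" else "blocked"

# Constructed rule set and apps: the Team ID, path pattern and name come from
# the article's table; the app names and the other Team IDs are made up.
RULES = [
    {"key": "team_id", "value": "7AGZNQ2S2T", "action": "allow"},
    {"key": "path", "value": "/Users/*/Downloads/**", "action": "block"},
    {"key": "name", "value": "cryptominer", "action": "block"},
]
TRUSTED_IN_DOWNLOADS = {"team_id": "7AGZNQ2S2T", "path": "/Users/alice/Downloads/Tool.app", "name": "Tool"}
UNKNOWN_IN_DOWNLOADS = {"team_id": "AAAAAAAAAA", "path": "/Users/alice/Downloads/x/Bad.app", "name": "Bad"}
MINER_ON_DESKTOP = {"team_id": "BBBBBBBBBB", "path": "/Users/alice/Desktop/CryptoMiner Pro.app", "name": "CryptoMiner Pro"}
```

Running `decide(RULES, TRUSTED_IN_DOWNLOADS)` returns `run` even though the app sits under a blocked path, while the same app with an unknown Team ID is blocked.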


3 | Block-list vs Allow-list modes

| Mode | Behaviour |
|---|---|
| Block (default) | Only the listed apps/devs are blocked; everything else may run. |
| Allow | Only the listed items are allowed; all others are blocked. Ideal for kiosk / lab Macs. |

If a rule is listed in both modes, Allow wins (Apple rule precedence).

Switch modes from Basic Configurations → Policy Options → Allow / Block in the wizard.


4 | Field limits & platform caps

| Item | Limit |
|---|---|
| Values per field (Team ID, Bundle ID, SHA-256, etc.) | 1,024 each |
| Distinct Application Block / Allow payloads per Mac | 64 (OS limit) |
| Profile size Swif pushes | < 300 KB (payload only; fits MDM spec) |


5 | User experience

  • Launch of a matched app shows the macOS alert:
    “<App>” is restricted — contact your administrator.

  • Nothing appears if the app is allowed.

  • Log entries:

    • /Library/Application Support/Swif/logs/application_block.log (easy view)

    • macOS /var/log/system.log for low-level details.


6 | Collecting IDs quickly

| Goal | Quick method |
|---|---|
| Team ID & Signing ID | codesign -dv --verbose=4 /path/App.app |
| SHA-256 (binary) | shasum -a 256 /path/App.app/Contents/MacOS/<binary> |
| Certificate hash | security find-certificate -c "Developer ID Application: …" -Z |
| Path wildcards | Use * for one path segment, ** for recursive. |


7 | Examples

For example, to block a macOS update (Settings -> Software Update page) on a macOS 12 machine, you can give a Signing ID value: platform:com.apple.preferences.softwareupdate.remoteservice.

To block a macOS update (Settings -> Software Update page) on a macOS 13 or 14 machine, you can give a Signing ID value: platform:com.apple.Software-Update-Settings.extension.

A Signing ID is the team identifier and the package (bundle) identifier joined with a colon, as in the examples above. You can find a team ID by querying:

$ codesign -dvvv /System/Library/ExtensionKit/Extensions/SoftwareUpdateSettingsExtension.appex

If the response shows Team Identifier = not set, use the keyword "platform" as the team ID. For the package identifier, query with:

$ mdls /System/Library/ExtensionKit/Extensions/SoftwareUpdateSettingsExtension.appex | grep kMDItemCFBundleIdentifier

kMDItemCFBundleIdentifier = "com.apple.Software-Update-Settings.extension"
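As an added example (not Swif's or Apple's code), a small Python helper that turns the codesign output described above into the Signing ID format the policy expects, applying the "platform" substitution when the Team Identifier is not set. Both codesign samples are constructed: the platform one mirrors the extension queried above, the third-party one reuses the article's example Team ID with a made-up vendor and bundle ID.

```python
# Two constructed samples of `codesign -dvvv` output (the tool prints these
# key=value lines to stderr). Only the fields the helpers read are modelled.
PLATFORM_SAMPLE = """\
Executable=/System/Library/ExtensionKit/Extensions/SoftwareUpdateSettingsExtension.appex/Contents/MacOS/SoftwareUpdateSettingsExtension
Identifier=com.apple.Software-Update-Settings.extension
Format=bundle with Mach-O universal (x86_64 arm64)
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
TeamIdentifier=not set
"""

THIRD_PARTY_SAMPLE = """\
Executable=/Applications/Demo.app/Contents/MacOS/Demo
Identifier=com.example.demo
Format=app bundle with Mach-O universal (x86_64 arm64)
Authority=Developer ID Application: Example Corp (7AGZNQ2S2T)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=7AGZNQ2S2T
"""


def parse_codesign(output: str) -> dict:
    """Turn codesign's key=value lines into a dict. The first occurrence of a
    key wins, so the repeated Authority lines keep the leaf certificate."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields.setdefault(key.replace(" ", "").lower(), value.strip())
    return fields


def signing_id(output: str) -> str:
    """Build the policy's Signing ID, <team>:<bundle id>, from codesign output.

    Apple platform binaries report 'TeamIdentifier=not set'; the article says
    to use the keyword 'platform' in that position.
    """
    fields = parse_codesign(output)
    team = fields.get("teamidentifier", "not set")
    if team == "not set":
        team = "platform"
    return f"{team}:{fields['identifier']}"


def leaf_authority(output: str) -> str:
    """Name of the leaf signing certificate, which is the name to pass to
    `security find-certificate -c <name> -Z` for a Certificate SHA-256 rule."""
    return parse_codesign(output)["authority"]
```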

Additionally, you can also block by application name, e.g. Adobe.

This partially matches the application name, so when you try to open Acrobat Reader you will receive a message like this:


8 | Deploying via Swif

  1. Device Management → Policies → New Policy

  2. Choose Apple Application Block Policy.

  3. Fill the Basic Configurations & paste IDs (press Enter after each).

  4. Pick target devices / groups → Review → Create.

  5. Swif pushes the profile within minutes; macOS applies it live.

    • Some apps cache code-sign info — reboot if a block doesn’t take immediately.


9 | Troubleshooting checklist

| Symptom | Fix |
|---|---|
| Nothing blocked | Verify profile in System Settings → Privacy & Security → Profiles. |
| Wrong app blocked | Check rule order; remember Team ID beats Path. |
| Rule ignored | Path typos, malformed bundle ID, or over 64 payloads on the Mac. |
| Still launches after rule added | App was already running; quit & relaunch or reboot. |


10 | Best-practice tips

  • Pilot first on a test group before going global.

  • Prefer Team ID whenever you trust the vendor; fastest to evaluate.

  • Combine Allow-list mode + Path rules for locked-down kiosks.

  • Document overrides in Swif notes so future admins know why blocks exist.


11 | Related reading

  • Original in-depth guide: Swif Help #8802443

  • Apple Platform Deployment → Endpoint Security & App Blocking (Apple Docs)

  • Swif Policy glossary – see All Apple policies article for context.


That’s it! Your Macs now refuse to launch the apps you’ve blocked (or, in Allow-list mode, anything you haven’t explicitly allowed), giving auditors and security teams immediate peace of mind.
