Is there a way to block a list of specific apps on macOS?
I have looked up solutions such as Cisdem, but there are some holes in the way it works that I don't like.
- Unless you also block Activity Monitor, Terminal, and System Preferences, you can simply quit the Cisdem process or create a new user to get around it.
- You have to block Activity Monitor, Terminal, and System Preferences to make it work well.
I want to block an app from running or even being installed on my Mac. The app can be installed via the App Store and the web. Not sure how to go about this. Enabling Parental Controls won't work as Administrator privileges are needed.
The specific app I want to block is Apple Configurator.
Any ideas?
Best Answer
Use Gatekeeper to control access to Applications
You can use `spctl` (Gatekeeper) to create lists of approved and unapproved apps. For example, suppose you want to allow Mail but block Chrome.
The above command will "label" Mail and Chrome as "Approved" and "Denied" respectively (you can use your own descriptors).
Now, to enable/disable apps, you issue the commands:
The advantage this has is that to add another app to either list, you just have to add the appropriate label:
Additionally, you can forbid code from the Mac App Store from running (found in the `spctl` man page - `man spctl`).

This will prevent anyone from downloading an App from the App Store and installing/running it.
Dealing with Admins/`sudoers`
As stated in the comments, anything an Admin can do, another Admin can undo. Using `spctl` requires root, but editing the sudoers file to restrict access to a particular command can prevent other users/admins from undoing your changes.

See How to prevent sudo users from running specific commands? for details on how to configure a "whitelist with exception" in your `sudoers` file.

For example, to allow user Sam access to all commands except `spctl`, you would put in the sudoers file:

Now, this is a "quick and dirty" way of preventing access to `spctl`, but ultimately, it's not effective because if the other admin gets wise to your strategy, all he/she has to do is rename the command and they have access.

From the `sudoers` man page:

To really lock it down, you would need to either force the other user to `su` as a different user (i.e. operator) or create a whitelist of allowed commands defaulting to blocking everything else. However, that is time consuming and quite dangerous as you can lock people out of critical functions.
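
The label workflow described in the answer above, as an added example that is not part of the original answer: a script that turns a small policy list into the `spctl --add`, `--enable` and `--disable` commands and prints them for review instead of running them. The function name `gatekeeper_plan`, the policy format and the app paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Prints Gatekeeper (spctl) label commands for review; runs nothing.
# Assumption: the macOS release in use still accepts spctl rule changes.

# Constructed policy, one rule per line: <label>|<enable or disable>|<app path>.
# The labels come from the answer; the app paths are assumed install locations.
POLICY='Approved|enable|/Applications/Mail.app
Denied|disable|/Applications/Google Chrome.app
Denied|disable|/Applications/Apple Configurator.app'

gatekeeper_plan() {
    adds=""; toggles=""; nl='
'
    while IFS='|' read -r label state app; do
        [ -n "$label" ] || continue
        case $state in
            enable)  other=disable ;;
            disable) other=enable ;;
            *) echo "unknown state '$state' for label '$label'" >&2; return 2 ;;
        esac
        case $app in
            /*.app) ;;
            *) echo "not an absolute .app path: $app" >&2; return 2 ;;
        esac
        # Refuse characters that would change meaning when a printed line is pasted.
        case $label$app in
            *\"*|*\$*|*\`*|*\\*) echo "unsafe character in rule for $label" >&2; return 2 ;;
        esac
        # A label is switched as a whole, so it cannot be both enabled and disabled.
        if printf '%s' "$toggles" | grep -Fxq -- "sudo spctl --$other --label \"$label\""; then
            echo "label '$label' is both enabled and disabled" >&2; return 2
        fi
        adds="${adds}sudo spctl --add --label \"$label\" \"$app\"$nl"
        line="sudo spctl --$state --label \"$label\""
        # Emit the enable/disable command once per label, after all the --add lines.
        printf '%s' "$toggles" | grep -Fxq -- "$line" || toggles="${toggles}${line}$nl"
    done <<EOF
$1
EOF
    printf '%s%s' "$adds" "$toggles"
}

gatekeeper_plan "$POLICY"
```

Adding another app to either list is one more line in `POLICY`; the per-label enable or disable command is still printed only once.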