MacOS – Block Specific Apps on macOS

apple-configuratormacosparental-controls

Is there a way to block a list of specific apps on macOS?

I have looked up solutions such as Cisdem, but there are some holes in the way it works that I don't like.

  1. Unless you also block Activity Monitor, Terminal, and System Preferences, you can simply quit the Cisdem process or create a new user to get around it.
  2. You have to block Activity Monitor, Terminal, and System Preferences to make it work well.

I want to block an app from running or even being installed on my Mac. The app can be installed via the App Store and the web. Not sure how to go about this. Enabling Parental Controls won't work as Administrator privileges are needed.

The specific app I want to block is Apple Configurator.

Any ideas?

Best Answer

Use Gatekeeper to control access to Applications

You can use spctl (Gatekeeper) to create lists of approved and unapproved apps.

For example, suppose you want to allow Mail but block Chrome.

sudo spctl --add --label "ApprovedApps" /Applications/Mail.app 
sudo spctl --add --label "DeniedApps" /Applications/Chrome.app

The above command will will "label" Mail and Chrome as "Approved" and "Denied" respectively (you can use your own descriptors).

Now, to enable/disable apps, you issue the commands:

sudo spctl --enable --label "ApprovedApps" 
sudo spctl --disable --label "DeniedApps"

The advantage this has is that to add another app to either list, you just have to add the appropriate label:

sudo spctl --add --label "ApprovedApps" /Applications/Another.app

Additionally, you can forbid code from the Mac App Store from running (found in the spctl man page - man spctl).

spctl --disable --label "Mac App Store"

This will prevent anyone from downloading an App from the App store and installing/running it.

Dealing with Admins/sudoers

As stated in the comments, anything an Admin can do, another Admin can undo. Using spctl requires root, but editing the sudoers file to restict access to a particular command can prevent other users/admins from undoing your changes.

See How to prevent sudo users from running specific commands? for details on how to configure a "whitelist with exception" in your sudoers file.

For example, to allow user Sam access to all commands except spctl, you would put in the sudoers file:

sam ALL = ALL, !/usr/sbin/spctl

Now, this a "quick and dirty" way of preventing access to spctl but ultimately, it's not effective because if the other admin gets wise to your strategy, all he/she has to do is rename the command and they have access.

From the sudoers man page:

In general, if a user has sudo ALL there is nothing to prevent them from creating their own program that gives them a root shell (or making their own copy of a shell) regardless of any `!' elements in the user specification.

To really lock it down, you would need to either force the other user to su as a different user (i.e. operator) or create a whitelist of allowed commands defaulting to blocking everything else. However, that is time consuming and quite dangerous as you can lock people out of critical functions.

Related Question