Learn more about Application Blocking on Enrolled Mac Computers
Kandji allows you to block specific applications from being opened on enrolled Mac computers. If a user tries to open a blocked app, it will immediately close, and they’ll see a message explaining the block. To block apps on iOS or iPadOS devices, use a Restrictions Library Item instead.
- Blocking an Application using the App Blocking Library Item
- Blocking an Application from Device Record
- How to find a BundleID
- Application Blocking Considerations
- User Experience
As of January 8, 2025, Application Blocking is configured using a Library Item for macOS. This Library Item replaces the previous Application Blocking Parameter. Classic Blueprints that already include the Application Blocking Parameter can still be edited, but this Parameter cannot be added to Blueprints that don’t already have it configured.
Blocking an Application using the App Blocking Library Item
- Navigate to Library in the left-hand navigation bar.
- Click Add New on the top-right, and choose Application Blocking.
- Click Add & Configure.
- Give the new Application Blocking Library Item a Name.
- Assign to your desired Assignment Maps or Classic Blueprints.
- Configure the processes, paths, developer IDs or bundle IDs you'd like to block.
- Optionally, customize the message, button title, and button URL users will be presented with when an application is blocked.
- Click Save.
Blocking an Application from Device Record
Adding an item to the Block list from an individual device record only allows it to be added to a Blueprint. It is recommended to manually add items directly to a Library Item rather than from the device record.
- Log in to Kandji and open the record of a computer that has the Application you wish to block installed.
- Click the Applications tab and locate the Application in question.
- Click the More (...) button to the right of the Application and click "Block Application".
- Select the desired Blueprint that should receive the Blocking Rule, and customize the identifiers as needed.
- Click Create.
How to find a BundleID
To find the bundle ID of a macOS app, you can use the codesign command in Terminal, replacing /path/to/yourapp.app with the path to your desired application:
codesign -dr - /path/to/yourapp.app
The output of this command will include information about the app, including the Team ID, Bundle ID, and Code Requirement, which can be helpful when creating PPPC Profiles. The Bundle ID will usually be at the end of the output, after the word "identifier". In the example output below, the Bundle ID for Keynote is com.apple.iWork.Keynote.
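When building a block list for many apps, the Bundle ID and Team ID can be pulled out of the codesign output with a small parser. The script below is an added example, not Kandji's code; the function name, the sample bundle IDs and the Team ID `ABCDE12345` are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Kandji's code): extract the Bundle ID and Team ID from
# the designated requirement printed by:
#   codesign -dr - /path/to/yourapp.app 2>&1

# Reads codesign output on stdin; prints "bundle_id=..." and "team_id=...".
# team_id is empty when the requirement names no Team ID.
# Returns 1 when no identifier is found (for example, an unsigned app).
parse_requirement() {
    req=$(grep 'designated =>' | head -n 1)
    # The Bundle ID is the quoted string after the word "identifier".
    bundle_id=$(printf '%s\n' "$req" |
        sed -n 's/.*identifier "\([^"]*\)".*/\1/p')
    # The Team ID is the subject.OU of the leaf certificate, quoted or not.
    team_id=$(printf '%s\n' "$req" |
        sed -n 's/.*certificate leaf\[subject\.OU] = "\{0,1\}\([A-Za-z0-9]\{1,\}\).*/\1/p')
    [ -n "$bundle_id" ] || return 1
    printf 'bundle_id=%s\nteam_id=%s\n' "$bundle_id" "$team_id"
}

# Constructed sample outputs (placeholders, not captured from real apps).
# Identifier first, unquoted Team ID at the end:
sample_dev_id='Executable=/Applications/Example.app/Contents/MacOS/Example
designated => identifier "com.example.blockedapp" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = ABCDE12345'
# Identifier last, quoted Team ID:
sample_id_last='designated => anchor apple generic and certificate leaf[subject.OU] = "ABCDE12345" and identifier "com.example.othertool"'
# Requirement with no Team ID:
sample_no_team='designated => identifier "com.example.systemtool" and anchor apple'
# Unsigned app: codesign prints an error and no requirement.
sample_unsigned='/Applications/Example.app: code object is not signed at all'

# Demonstration on the first constructed sample.
printf '%s\n' "$sample_dev_id" | parse_requirement
```

On a Mac, pipe the real command into the function: `codesign -dr - /path/to/yourapp.app 2>&1 | parse_requirement`.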
Application Blocking Considerations
- You can import settings from the existing Application Blocking parameter in a Blueprint into the new Library Item.
- Multiple Library Items can be added to an Assignment Map, with the one furthest to the right taking priority (similar to other conflicting items on a Map). This allows you to block apps for all devices while creating exceptions for specific groups.
- Only one Library Item is allowed per Classic Blueprint.
- Classic Blueprints that already include the Application Blocking Parameter can still be edited, but this Parameter cannot be added to Blueprints that don’t already have it configured.
- When both a Library Item and a Parameter exist in a Blueprint, Kandji will prioritize the Library Item’s settings.
- Blocked actions are logged in both the device and Blueprint activity streams.
User Experience
Users attempting to open a Blocked Application receive a popup with the customizable block message. Users who click Learn More will be directed to the URL specified in the Block Message.