This Library Item is available for macOS, Windows, and Android devices.
As of January 8, 2025, App Blocking is configured using a Library Item. This replaces the previous App Blocking Parameter. Classic Blueprints that already include the Parameter can still be edited, but the Parameter cannot be newly added.
Create an App Blocking Library Item
To add this Library Item to your Iru Endpoint Library, follow the steps outlined in the Library Overview article.
1. Navigate to Library
Navigate to the Library and select Add Library Item.
2. Select App Blocking
Search for and select App Blocking.
3. Name the Library Item
Give the Library Item a Name.
4. Select Platforms
Under Install on, select one or more platforms (Apple, Windows, Android).
5. Assign to Blueprints
Assign the Library Item to one or more Blueprints.
Platform-Specific Configuration
macOS Settings
Under Apple only settings, you can block apps based on process identifiers.
1. Configure blocking identifiers
Configure the processes, paths, developer IDs or bundle IDs you’d like to block.
2. Select match type
Select the desired Match type:
- Contains: Matches that contain the string.
- Exact: Matches the exact string provided.
- Regex: Matches based on regular expression using Swift regex syntax.
3. Regex is a very powerful tool that should be used with caution. Ensure that you test the implementation before broadly deploying it.
4. Customize block message (optional)
Optionally, customize the message, button title, and button URL users will be presented with when an application is blocked.
5. Save configuration
Click Save.
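A dry run of the three match types above, as an added example that is not part of the original article or the product's own code: it lists which entries of a constructed bundle ID inventory each rule would catch. The function names, the inventory, case-sensitive matching, and treating Regex as an unanchored search via `grep -E` (POSIX ERE standing in for Swift regex) are assumptions.

```shell
# Added example: dry-run a block rule against identifiers before deploying it.
# rule_matches TYPE PATTERN VALUE -> exit 0 if VALUE would match the rule.
# Assumptions: comparison is case-sensitive; Regex is an unanchored search
# done with grep -E (POSIX ERE), so use only syntax shared with Swift regex.
rule_matches() {
    case "$1" in
        contains) case "$3" in *"$2"*) return 0 ;; esac; return 1 ;;
        exact)    [ "$3" = "$2" ] ;;
        regex)    printf '%s\n' "$3" | grep -Eq -- "$2" ;;
        *)        echo "unknown match type: $1" >&2; return 2 ;;
    esac
}

# hits TYPE PATTERN: print every inventory entry the rule would block.
hits() {
    printf '%s\n' "$INVENTORY" | while IFS= read -r id; do
        if rule_matches "$1" "$2" "$id"; then printf '%s\n' "$id"; fi
    done
}

# Constructed inventory of bundle IDs (hypothetical apps).
INVENTORY='com.example.chat
com.example.chat.helper
com.example.chatbackup
com.examplexchat
org.sample.editor'

echo "contains example.chat:";        hits contains 'example.chat'
echo "exact com.example.chat:";       hits exact 'com.example.chat'
echo "regex, unescaped, unanchored:"; hits regex 'com.example.chat'
echo "regex, escaped and anchored:";  hits regex '^com\.example\.chat(\..+)?$'
```

The unescaped, unanchored pattern also catches `com.examplexchat`, which the escaped and anchored form does not.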
Blocking an Application from Device Record
Adding an item to the Block list can also be performed from an individual device record. These updates can either be added to an existing App Blocking Library Item or you can create a new one.
1. Open device record
Log in to Iru Endpoint and open a device record with the Application you wish to block installed.
2. Navigate to Apps tab
Click the Apps tab and locate the Application in question.
3. Block the application
Click the More (…) button to the right of the Application and click “Block Application”.
4. Select Library Item
Select the Add rule to the following Library Item(s) drop-down and select a Library Item or type to create a new one.
5. Configure Blueprint and identifiers
Select the desired Blueprint that should receive the Blocking Rule, and customize the identifiers as needed.
6. Create blocking rule
Click Create.
Example: Find a macOS App Bundle ID
To find the bundle ID of a macOS app, you can use the codesign command in Terminal, replacing /path/to/yourapp.app with the path to your desired application.
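An added example, not part of the original article: `codesign -dv` writes its report to stderr, and the `Identifier` line is the signing identifier, which for an app bundle is normally its bundle ID. The `codesign_field` helper and the sample report are constructed for illustration.

```shell
# Added example: pull identifiers out of a `codesign -dv` report.
# On a Mac, feed it real output (the report goes to stderr, hence 2>&1):
#   codesign -dv --verbose=4 /path/to/yourapp.app 2>&1 | codesign_field Identifier

# codesign_field KEY: print the value of the first "KEY=value" line on stdin.
# Exits non-zero when the key is absent (for example, unsigned code).
codesign_field() {
    awk -F= -v key="$1" '
        $1 == key { sub(/^[^=]*=/, ""); print; found = 1; exit }
        END { exit !found }'
}

# Constructed sample report for a hypothetical app (not real output).
SAMPLE_REPORT='Executable=/Applications/Example Chat.app/Contents/MacOS/Example Chat
Identifier=com.example.chat
Format=app bundle with Mach-O universal (x86_64 arm64)
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345'

printf '%s\n' "$SAMPLE_REPORT" | codesign_field Identifier
printf '%s\n' "$SAMPLE_REPORT" | codesign_field TeamIdentifier
```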
Considerations
- You can import settings from the legacy App Blocking Parameter into the new Library Item.
- Multiple App Blocking Library Items can be assigned to the same Blueprint; all block rules will be combined.
- When both a Library Item and Parameter exist in a Blueprint, the Library Item takes precedence.
- Blocked actions are logged in both the device and Blueprint activity streams.
User Experience
- On macOS, users attempting to open a blocked app will see the configured block message.
- If you configure a Learn More button, users can click it to be directed to your specified URL. You can read more about this in our User Experience with Application Blocking article.
Best Practices
1. Test blocking rules
Test application blocking rules on a small group of devices before deploying to your entire fleet.
2. Document blocked applications
Maintain documentation of which applications are blocked and why for audit and troubleshooting purposes.
3. Communicate with users
Inform users about application blocking policies to set proper expectations.
4. Monitor blocking activity
Regularly review blocking activity logs to ensure policies are working as intended.
Troubleshooting
Application still launches after blocking
Possible causes:
- Block configuration not yet deployed to device
- Application not in the blocked applications list
- Device not enrolled or agent not installed
Solutions:
- Verify the App Blocking Library Item is assigned to the device’s Blueprint
- Check that the application is correctly identified in the blocked list
- Ensure device is properly enrolled and agent is running
Block dialog not appearing on macOS
Possible causes:
- No custom message configured
- Agent not installed or not running
- Application not properly identified
Solutions:
- Configure a custom message in the App Blocking Library Item
- Verify Kandji Agent is installed and running on the device
- Check application identification in the blocked applications list
Windows AppLocker not working
Possible causes:
- AppLocker service not running
- Group Policy not applied
- Device not domain-joined (for some features)
Solutions:
- Check that AppLocker service is running
- Verify Group Policy is applied correctly
- Ensure device meets AppLocker requirements
Android app not uninstalling
Possible causes:
- App not in personal profile
- Device not properly enrolled
- Package name incorrect
Solutions:
- Verify the app is installed in the personal profile
- Check device enrollment status
- Confirm the package name is correct
Security Considerations
Regular Review
Regularly review blocked applications to ensure they remain appropriate for your security policies.
Exception Management
Establish a process for managing exceptions to blocking rules when business needs require it.
Audit Logging
Monitor blocking activity logs to detect potential security issues or policy violations.
User Education
Educate users about application blocking policies and approved alternatives.