Configure the App Blocking Library Item

This Library Item is available for macOS, Windows, and Android devices

The App Blocking Library Item lets you block applications from running on macOS, Windows, and Android devices. When a user attempts to open a blocked application, it will be prevented from launching. On macOS, the app will immediately close and display a block message. On Windows, blocking is powered by AppLocker. With Android work profile enrollment, App Blocking applies to the personal profile only: Android removes blocked package names from that profile if they are installed. The managed work profile is handled separately—deploy and update work apps through managed Google Play, not through App Blocking. To block apps on iOS or iPadOS devices, use a Restrictions Library Item instead.

As of January 8, 2025, App Blocking is configured using the App Blocking Library Item. This replaces the previous Application Blocking Parameter for macOS. Blueprints that already include the Parameter can still be edited, but the Parameter cannot be added to Blueprints that do not already have it.

Create an App Blocking Library Item

To add this Library Item to your Iru Endpoint Library, follow the steps outlined in the Library Overview article.

Navigate to Library

Navigate to the Library and select Add Library Item.

Select App Blocking

Search for and select App Blocking.

Name the Library Item

Give the Library Item a Name.

Select Platforms

Under Install on, select one or more platforms (Apple, Windows, Android).

Assign to Blueprints

Assign the Library Item to one or more Blueprints.

Iru Endpoint web application showing App Blocking Library Item Install on and Blueprint assignment

In the Library Item, blocking is split into Apple only settings, Windows only settings, and Android only settings sections, so you configure each platform in its own area.

Platform-Specific Configuration

Mac
Windows
Android

Mac Settings

On macOS, App Blocking evaluates running applications against the identifiers you configure. When a launch matches a block rule, the app stops immediately and the user sees the block message (and optional Learn More link) from the Library Item.Expand Apple only settings, then open the nested Mac only settings section to configure process identifiers, match types, and optional block notifications.

Configure blocking identifiers

Configure the processes, paths, developer IDs or bundle IDs you’d like to block.

Select match type

Select the desired Match type:

Contains: Matches that contain the string.
Exact: Matches the exact string provided.
Regex: Matches based on regular expression using Swift regex syntax.

Iru Endpoint web application showing App Blocking Apple only settings with Mac only settings expanded, block rules, and notification fields

Regex is a very powerful tool that should be used with caution. Ensure that you test the implementation before broadly deploying it.

Customize block message (optional)

Optionally, customize the message, button title, and button URL users will be presented with when an application is blocked.

Save configuration

Click Save.

Blocking an Application from Device Record (macOS)

Adding an item to the block list can also be performed from an individual macOS device record. These updates can either be added to an existing App Blocking Library Item or you can create a new one.

Open device record

Navigate to Apps tab

Click the Apps tab and locate the application in question.

Block the application

Click the More (…) button to the right of the application and click “Block Application”.

Select Library Item

Select the Add rule to the following Library Item(s) drop-down and select a Library Item or type to create new one.

Configure Blueprint and identifiers

Select the desired Blueprint that should receive the Blocking Rule, and customize the identifiers as needed.

Create blocking rule

Click Create.

Example: Find a macOS App Bundle ID

To find the bundle ID of a macOS app, you can use the codesign command in Terminal, replacing /path/to/yourapp.app with the path to your desired application:

codesign -dr - /path/to/yourapp.app

The output of this command will include information about the app, including the Team ID, Bundle ID, and Code Requirement which can be helpful when creating PPPC Profiles. The Bundle ID will usually be at the end of the output, after the word identifier. In the example output below, the Bundle ID for Keynote is com.apple.iWork.Keynote.

identifier=com.apple.iWork.Keynote

User Experience

On Mac, users attempting to open a blocked app will see the configured block message.
If you configure a Learn More button, users can click it to be directed to your specified URL. You can read more about this in our User Experience with Application Blocking article.

Windows Settings

On Windows, App Blocking uses AppLocker to enforce your rules. When an executable matches a block rule, it cannot start; behavior follows AppLocker for the rule types you configure.Under Windows only settings, you can configure application blocks using AppLocker.

Block all unsigned apps Prevents all unsigned applications from running. You can add exceptions if necessary.
Configure apps to block Add specific apps to block by name, file path, or publisher.
- App name: Friendly name for reference.
- Block: Choose which file types to block:
  - EXEs
  - Scripts
  - MSIs
  - Store apps
  - All types
- Block method: Define how Iru Endpoint should evaluate the rule (publisher, path, or SHA256 file hash).

For detailed information about AppLocker, refer to Microsoft’s AppLocker documentation.

Gather File Details for Block Rules

When you add rules under Configure apps to block, the Publisher, Path, and SHA256 file hash block methods need values that match what AppLocker expects. The most reliable approach is to run the PowerShell cmdlet on a reference computer where the application is already installed, using the full path to the executable you intend to block.Open PowerShell and run:

get-applocker-file-information.ps1

Get-AppLockerFileInformation -Path "C:\Full\Path\To\application.exe" | Format-List

Replace the path in quotes with the full path to the file you want to inspect.The command returns the Path (often expressed with environment variables such as %PROGRAMFILES%), Publisher, Hash (SHA256), and AppX (True or False for Microsoft Store style packages).For example, to inspect a fictional app installed at C:\Program Files\FooDev\Foo\Application\foo.exe:

get-applocker-file-information-foo.ps1

Get-AppLockerFileInformation -Path "C:\Program Files\FooDev\Foo\Application\foo.exe" | Format-List

Example output:

applocker-file-information-foo.txt

Path : %PROGRAMFILES%\FOODEV\FOO\APPLICATION\FOO.EXE
Publisher : O=FOO DEV, L=MIAMI, S=FLORIDA, C=US\FOO\FOO.EXE,1.2.3.4
Hash : SHA256 0x637694332FEA4D87154635D02D7EE525F734D2B20AA1DB686B357A2511C2D4CE
AppX : False

Block Applications Using the Publisher Block Method

To build a Publisher rule in the App Blocking Library Item, copy the Publisher value from the cmdlet output, then trim it so AppLocker matches the certificate’s subject and location fields only (everything before the first backslash).

Run Get-AppLockerFileInformation with the full path to the executable, piped to Format-List, as in Gather File Details for Block Rules.
Locate the Publisher line in the output. Copy the string from the start through the character before the first backslash (\).
In Iru Endpoint, open your App Blocking Library Item.
Expand Windows only settings and enable Configure apps to block.
Add or edit a rule, set Block method to Publisher, and paste the trimmed value into Publisher.

For the sample Publisher value above:

O=FOO DEV, L=MIAMI, S=FLORIDA, C=US\FOO\FOO.EXE,1.2.3.4

use only the portion before the first backslash:

O=FOO DEV, L=MIAMI, S=FLORIDA, C=US

Enter that trimmed string in the rule’s Publisher field (for example, a rule that blocks All types when Publisher matches that value).

A Publisher rule blocks every application that presents the same publisher information, not only the executable you inspected. For example, blocking one product from publisher Foo Dev can also block another product from the same publisher, such as a companion sync client, if it shares that publisher string.

User Experience

On Windows, blocked apps will fail to launch, following AppLocker behavior.

Android Settings

Under Android only settings, you can block applications by package name.

Blocked app name: Optional display name for reference.
Package Name: The required unique identifier of the Android app. If the app is already installed in the personal profile, Android removes it when the policy applies.

Android Enterprise allows certain personal usage controls on company-owned devices with a work profile—including blocking listed apps in the personal profile while most policies stay scoped to the work profile (personal usage policies). The App Blocking Library Item uses that pattern: it targets the personal profile, not the work profile. Work apps are installed, updated, and removed through managed Google Play.

To find an Android app’s package name (for example, com.android.chrome for Google Chrome):

Search the web for [app name] package name
Use the Google Play Store URL for the app (the package name is the id query parameter)
Check app details on the device record Apps tab in Iru Endpoint
Run adb shell pm list packages on a connected Android device

User Experience

On Android, blocked apps are removed from the personal profile when installed there; the work profile is unchanged by App Blocking.

Considerations

Cross-platform: The App Blocking Library Item works across macOS, Windows, and Android. Choose which platforms to target under Install on.
Import from Parameter: On macOS, you can import settings from the legacy Application Blocking Parameter in a Blueprint into the App Blocking Library Item.
Multiple Library Items: You can assign more than one App Blocking Library Item to the same Blueprint; all block rules are combined.
Assignment maps: You can add multiple App Blocking Library Items to an Assignment Map; all App Blocking rules are combined when evaluated.
Parameter vs Library Item: When both exist in a Blueprint, Iru Endpoint uses the Library Item settings.
Activity: Blocked actions are logged in both the device and Blueprint activity streams.

Best Practices

Test blocking rules

Test application blocking rules on a small group of devices before deploying to your entire fleet.

Document blocked applications

Maintain documentation of which applications are blocked and why for audit and troubleshooting purposes.

Communicate with users

Inform users about application blocking policies to set proper expectations.

Monitor blocking activity

Regularly review blocking activity logs to ensure policies are working as intended.

Troubleshooting

Application still launches after blocking

Possible causes:

Block configuration not yet deployed to device
Application not in the blocked applications list
Device not enrolled or agent not installed Solutions:
Verify the App Blocking Library Item is assigned to the device’s Blueprint
Check that the application is correctly identified in the blocked list
Ensure device is properly enrolled and agent is running

Block dialog not appearing on macOS

Possible causes:

No custom message configured
Agent not installed or not running
Application not properly identified Solutions:
Configure a custom message in the App Blocking Library Item
Verify Iru Agent is installed and running on the device
Check application identification in the blocked applications list

Windows AppLocker not working

Possible causes:

AppLocker service not running
Group Policy not applied
Device not domain-joined (for some features)
Publisher, Path, or SHA256 file hash values do not match what AppLocker expects for the executable Solutions:
Check that AppLocker service is running
Verify Group Policy is applied correctly
Ensure device meets AppLocker requirements
For each block rule, confirm the Publisher, Path, or SHA256 file hash you configured matches the executable and what AppLocker expects; use Gather File Details for Block Rules to validate values

Android app not uninstalling

Possible causes:

App not in personal profile
Device not properly enrolled
Package name incorrect Solutions:
Verify the app is installed in the personal profile
Check device enrollment status
Confirm the package name is correct

Security Considerations

Regular Review

Regularly review blocked applications to ensure they remain appropriate for your security policies.

Exception Management

Establish a process for managing exceptions to blocking rules when business needs require it.

Audit Logging

Monitor blocking activity logs to detect potential security issues or policy violations.

User Education

Educate users about application blocking policies and approved alternatives.

General

Devices

Agent

Blueprints

Enrollment

Library

Deployment Guides

Settings

Integrations

Endpoint Detection & Response

Vulnerability Management

API

Configure the App Blocking Library Item

Create an App Blocking Library Item

Platform-Specific Configuration

Mac Settings

Blocking an Application from Device Record (macOS)

Example: Find a macOS App Bundle ID

User Experience

Windows Settings

Gather File Details for Block Rules

Block Applications Using the Publisher Block Method

User Experience

Android Settings

User Experience

Considerations

Best Practices

Troubleshooting

Security Considerations

Regular Review

Exception Management

Audit Logging

User Education

General

Devices

Agent

Blueprints

Enrollment

Library

Deployment Guides

Settings

Integrations

Endpoint Detection & Response

Vulnerability Management

API

Documentation Index

​Create an App Blocking Library Item

​Platform-Specific Configuration

​Mac Settings

​Blocking an Application from Device Record (macOS)

​Example: Find a macOS App Bundle ID

​User Experience

​Windows Settings

​Gather File Details for Block Rules

​Block Applications Using the Publisher Block Method

​User Experience

​Android Settings

​User Experience

​Considerations

​Best Practices

​Troubleshooting

​Security Considerations

Regular Review

Exception Management

Audit Logging

User Education

Create an App Blocking Library Item

Platform-Specific Configuration

Mac Settings

Blocking an Application from Device Record (macOS)

Example: Find a macOS App Bundle ID

User Experience

Windows Settings

Gather File Details for Block Rules

Block Applications Using the Publisher Block Method

User Experience

Android Settings

User Experience

Considerations

Best Practices

Troubleshooting

Security Considerations