Intended Use Cases
- Anti-tamper system intended to restrict access to cmdReporter and device management tool binaries.
- Prevent users from running administrative or otherwise powerful applications on the device.
- Block common unwanted software from running on devices.
  - An example would be blocking Box from running when the organization uses Google Drive.
- While possible, we do not recommend using this feature as an anti-virus control.
Why some LaunchDaemons are exempted
Exempting LaunchDaemons with certain properties lets device management tools access all applications on a device while still preventing end users from accessing those same applications.
Conditions when LaunchDaemons are exempt
LaunchDaemons are exempt from prohibited application blocking when they originate the execution request, are not impersonating another user, and may not show a graphical element to the user.
In technical terms, all of the following must be true:
- an audit_id of 0
- an effective_user_id of 0