General Information
Preference Documentation
Log Data Documentation
- Log Data Examples
- Interesting Types of Events
  - SSH Logins and Activity
Related Tech and Configurations
- macOS
Compliance
- cmdReporter and US Govt Standards Details
  - How cmdReporter Meets CMMC, DFARS, and NIST 800-171 Requirements
  - NIST 800-53r4 (high) controls met by using cmdReporter
- Security Baseline Reporting Preferences
  - Security Benchmark Reporting Logs

Block Prohibited Applications from Running

Daniel Griggs

Modified on: Mon, 13 Jul, 2020 at 2:59 PM

Intended Use Cases

Anti-tamper system intended to restrict access to cmdReporter and device management tool binaries.
Prevent users from running administrative or otherwise powerful applications on the device.
Blocking common unwanted software from running on devices.
- An example would be blocking Box from running when the organization uses Google Drive.
While possible, we do not recommend using this feature as an anti-virus control

Why some LaunchDaemons are exempted

Exempting LaunchDaemons with certain properties allows device management tools access to all applications on a device while still preventing end users access to those same applications.

Conditions when LaunchDaemons are exempt

LaunchDaemons are exempt from prohibited application blocking when they originate the execution request, are not impersonating another user, and may not show a graphical element to the user.

In technical terms all of the following must be true:

an audit_id of 0
an effective_user_id of 0