Apps and Process Restrictions for macOS

macOS Intelligent Hub uses Apple's Endpoint Security System Extension framework to monitor system events to help administrators block specific software from running on a managed device. While security tools should still be used for malware, viruses, or other malicious software, this functionality helps with basic restrictions such as games, CLI tools, messaging apps, or even OS update installers.

Currently there is no UI available for configuration in the Workspace ONE UEM console. To create the restriction policies you can use custom settings XML.

Prerequisites

  1. The enrolled device is running macOS 10.15 or later.

  2. Workspace ONE Intelligent Hub 21.04 or later is installed.

  3. System Extension profile for Intelligent Hub installed.

  4. Privacy Preferences for Intelligent Hub installed.

    Note:

    If you are using Workspace ONE UEM console version 2105, you do not need to manually create the System Extension and Privacy Preferences profiles. The 2105 console seeds and installs these settings automatically, as part of the existing Intelligent Hub Privacy Preferences seeded payload.

    If you are using Workspace ONE UEM console version 2102 or below, you must configure these profiles manually, as instructed below. Once you have updated to Workspace ONE UEM console 2105, you can remove these profiles, as they are then installed automatically.

Create a System Extension Profile

Use the System Extension profile in the Workspace ONE UEM console to approve the Intelligent Hub extension automatically, so the end user does not have to approve it manually.

Note: If you are using Workspace ONE UEM console version 2105 or higher, you need not configure System Extension profile.

  1. Create a System Extension profile with the following settings in the Allowed System Extensions:
    • Team Identifier - S2ZMFGQM93
    • Bundle Identifier - com.vmware.hub.EndpointSecurity
  2. Save and assign the profile to your devices.

Create a Privacy Preferences Profile for System Extension

Apple's Endpoint Security System Extension requires Full Disk Access on macOS 10.15 and later, one of the privacy-protected (TCC) permissions the user would otherwise have to grant by hand. Use the Privacy Preferences profile in the UEM Console to grant it to the Intelligent Hub extension automatically. The profile identifies the extension by bundle ID and by code requirement; the requirement in step 2 pins the grant to code signed under Apple-issued certificates for team S2ZMFGQM93, so a different binary that reuses the bundle identifier does not inherit the Full Disk Access grant.

Note: If you are using Workspace ONE UEM console version 2105 or higher, you need not configure Privacy Preferences profile.

To create a privacy preferences profile, perform the following steps:

  1. Create a Privacy Preferences profile.
  2. Click Add App and create a new entry with the following settings:
    • Identifier - com.vmware.hub.EndpointSecurity
    • Identifier Type - Bundle ID
    • Code Requirement - anchor apple generic and identifier "com.vmware.hub.EndpointSecurity" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S2ZMFGQM93)
  3. Save and assign the profile to your devices.

Use a Custom Settings Profile to Create a Restriction Policy

Currently, there is no UI in the UEM Console to create the restriction policy configuration. Use the Custom Settings profile to configure the restrictions.

The following table describes the parameters for a custom profile with the payload type com.vmware.hub.mac.restrictions:

Key           Type                    Value
Restrictions  Array of Dictionaries   Required. An array of apps or processes that must be blocked from running.

Each dictionary in the Restrictions array must contain the following keys and values:

Key             Type                Value
Attributes      Dictionary          Required. A dictionary containing information to identify the app or process to be blocked.
Actions         Array of Integers   Required. A list of actions, identified by integer, to take if the item is found running. Intelligent Hub currently supports only one action:
                                    1 - Block the process and display a dialog to the user containing a message (defined below)
Message         String              Required unless IsSilentNotify is true. A message to display to the user in a dialog if the process is found running and blocked. A maximum of 250 characters is allowed.
IsSilentNotify  Boolean             Optional. Set to true to silently block the process with no message dialog to the user. If this option is set, the Message key is not required.

The Attributes dictionary must contain at least one of the following keys. Multiple unique keys can be used; if a running process matches any one or more of the attributes, it is blocked.

Key       Type                         Value
bundleId  String or Array of Strings   The bundle identifier of the app or executable. Ways to find the bundle ID:
                                       • Check the Info.plist of the .app bundle (*.app/Contents/Info.plist) for the key CFBundleIdentifier.
                                       • In Terminal, use /usr/bin/mdls:
                                           /usr/bin/mdls /Applications/zoom.us.app | grep kMDItemCFBundleIdentifier
                                       • For a command-line executable with an embedded Info.plist, use /usr/bin/otool and find the CFBundleIdentifier key in the output:
                                           /usr/bin/otool -P /usr/bin/ssh
cdhash    String or Array of Strings   The CDHash of the item. In Terminal, use either of:
                                           /usr/bin/codesign -dvvv /path/to/app/or/executable
                                           /usr/bin/codesign -dv --verbose=4 /path/to/app/or/executable
                                       Look for the CDHash key in the output. A universal binary has a separate CDHash for each architecture slice, and codesign displays only one slice at a time; add -a x86_64 or -a arm64 to select a slice, and list every slice that your devices can run.
name      String or Array of Strings   Name of the .app bundle or process. For example: WhatsApp, CCleaner, Messages
path      String or Array of Strings   Actual binary path of the application. For example:
                                           /Applications/WhatsApp.app/Contents/MacOS/WhatsApp
                                           /Applications/Messages.app/Contents/MacOS/Messages
                                           /System/Applications/Utilities/Bluetooth File Exchange.app/Contents/MacOS/Bluetooth File Exchange
sha256    String or Array of Strings   The SHA-256 hash of the item. In Terminal, use shasum or the openssl CLI:
                                           /usr/bin/shasum -a 256 /System/Applications/TextEdit.app/Contents/MacOS/TextEdit
                                           /usr/bin/openssl dgst -sha256 /System/Applications/TextEdit.app/Contents/MacOS/TextEdit

Choose keys with their evasion and maintenance trade-offs in mind. name, path and bundleId are declared by the bundle on disk, so a copy of the app that has been renamed or moved no longer matches a rule built only from them. cdhash and sha256 identify one exact build, so renaming does not sidestep them, but they stop matching as soon as the app updates and must then be refreshed. Combining both kinds of key, as the WhatsApp example below does, covers both cases.
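To collect all of these values in one step, the following is an added example in Python (not VMware's tooling, and not code from this page) that reads a bundle's Info.plist with plistlib, hashes the main executable with hashlib, asks codesign for the CDHash of every architecture slice that lipo reports, and serialises the result as the Attributes <dict>. It assumes a macOS host with /usr/bin/codesign and /usr/bin/lipo. The codesign report embedded in the block is a constructed sample, not the output of any shipped app, so the parser can be exercised anywhere.

```python
"""Added example (not VMware's or Apple's code): gather the Attributes values
for one macOS .app bundle with the tools listed above.  Assumes a macOS host
with /usr/bin/codesign and /usr/bin/lipo; Info.plist is read with plistlib and
the SHA-256 computed with hashlib, which yield the same values as mdls and shasum."""
import hashlib
import plistlib
import re
import subprocess
import sys
from pathlib import Path
from typing import List, Optional, Union

# `codesign -dvvv` prints one "CDHash=<hex>" line for the slice it displays.
_CDHASH_RE = re.compile(r"^CDHash=([0-9a-f]+)\s*$", re.MULTILINE)

# Constructed sample of a `codesign -dvvv` report (abridged; not the output of
# any real app) so parse_cdhash() can be exercised without a Mac.
SAMPLE_CODESIGN_REPORT = """\
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.Example
Format=app bundle with Mach-O universal (x86_64 arm64)
Hash type=sha256 size=32
CandidateCDHash sha256=0123456789abcdef0123456789abcdef01234567
Hash choices=sha256
CDHash=0123456789abcdef0123456789abcdef01234567
"""

def parse_cdhash(report: str) -> Optional[str]:
    """CDHash from a `codesign -dvvv` report, or None for unsigned code."""
    match = _CDHASH_RE.search(report)
    return match.group(1) if match else None

def sha256_file(path: Path) -> str:
    """SHA-256 of the whole file, the value `shasum -a 256` prints."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def cdhashes_for(executable: Path) -> List[str]:
    """CDHash of every architecture slice.  A universal binary has one code
    directory, hence one CDHash, per slice, and `codesign -dvvv` reports only
    the slice it selects, so each architecture lipo lists is queried with -a."""
    archs = subprocess.run(["/usr/bin/lipo", "-archs", str(executable)],
                           capture_output=True, text=True, check=True).stdout.split()
    hashes: List[str] = []
    for arch in archs:
        report = subprocess.run(
            ["/usr/bin/codesign", "-a", arch, "-dvvv", str(executable)],
            capture_output=True, text=True).stderr  # codesign reports on stderr
        cdhash = parse_cdhash(report)
        if cdhash and cdhash not in hashes:
            hashes.append(cdhash)
    return hashes

def single_or_array(values: List[str]) -> Union[str, List[str]]:
    """One value becomes a plain string, several become an array, matching the
    "String or Array of Strings" type of every attribute key."""
    return values[0] if len(values) == 1 else values

def collect_attributes(app: Path) -> dict:
    """Attributes for the bundle's main executable.  Helper executables (the
    WhatsApp example lists several) sit elsewhere in the bundle and need their
    own entries."""
    info = plistlib.loads((app / "Contents" / "Info.plist").read_bytes())
    executable = app / "Contents" / "MacOS" / info["CFBundleExecutable"]
    attrs = {
        "bundleId": info["CFBundleIdentifier"],
        "name": app.stem,  # "WhatsApp" for /Applications/WhatsApp.app
        "path": str(executable),
        "sha256": sha256_file(executable),
    }
    cdhashes = cdhashes_for(executable)
    if cdhashes:
        attrs["cdhash"] = single_or_array(cdhashes)
    return attrs

def attributes_dict_xml(attrs: dict) -> str:
    """The bare <dict>...</dict> for the Attributes key, ready to paste into the
    custom settings XML; plistlib's <plist> wrapper is cut off."""
    xml = plistlib.dumps(attrs, fmt=plistlib.FMT_XML, sort_keys=True).decode()
    return xml[xml.index("<dict>"):xml.rindex("</dict>") + len("</dict>")]

if __name__ == "__main__":
    print(attributes_dict_xml(collect_attributes(Path(sys.argv[1]))))
```

Saved as, for instance, collect_attributes.py (a hypothetical file name), it is run as `python3 collect_attributes.py /Applications/WhatsApp.app` on the Mac that has the app installed, and the printed <dict> goes under the Attributes key of the custom settings XML. Because sha256 and cdhash pin one build, rerun it after each app update.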

Example of custom settings XML for blocking WhatsApp.

<dict>
	<key>Restrictions</key>
	<array>
		<dict>
			<key>Attributes</key>
			<dict>
				<key>cdhash</key>
				<string>fd02694e8489e59664d568a546e41681d2f53bd2</string>
				<key>name</key>
				<array>
					<string>WhatsApp</string>
					<string>WhatsApp Helper (GPU)</string>
					<string>WhatsApp Helper (Plugin)</string>
					<string>WhatsApp Helper (Renderer)</string>
				</array>
				<key>path</key>
				<string>/Applications/WhatsApp.app/Contents/MacOS/WhatsApp</string>
				<key>bundleId</key>
				<array>
					<string>WhatsApp</string>
					<string>WhatsApp-Helper</string>
				</array>
				<key>sha256</key>
				<string>a3a459093d5660bd37493c91e90f95445dae031cf6374a06e87a7d792498166b</string>
			</dict>
			<key>Actions</key>
			<array>
				<integer>1</integer>
			</array>
			<key>Message</key>
			<string>You are not permitted to use WhatsApp</string>
		</dict>
	</array>
	<key>PayloadDisplayName</key>
	<string>Restricted Software Policy</string>
	<key>PayloadIdentifier</key>
	<string>HubSettings.93f1655a-59fb-42dc-bc31-9571275cb12b</string>
	<key>PayloadOrganization</key>
	<string>VMware</string>
	<key>PayloadType</key>
	<string>com.vmware.hub.mac.restrictions</string>
	<key>PayloadUUID</key>
	<string>1D7F0D17-369B-4766-9CA0-D2B4537657C1</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>

Once the user tries to launch WhatsApp, Intelligent Hub displays a message that the application is not permitted to run.
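Before assigning the profile, it is worth checking the XML against the key and type rules in the tables above. The following is an added example in Python (not VMware's code and not part of the original page) that parses a custom settings payload with plistlib and reports schema violations as errors. It also emits a warning, which is this example's own design choice rather than a Hub behaviour, when a rule relies only on name, path or bundleId, since those values change with a renamed copy of the app. The two payloads embedded in the block are constructed samples: the first is the WhatsApp example above in abridged form, the second is deliberately broken.

```python
"""Added example (not VMware's code): lint a com.vmware.hub.mac.restrictions
custom settings payload against the documented keys and types before it is
assigned to devices."""
import plistlib
from typing import Any, List

PAYLOAD_TYPE = "com.vmware.hub.mac.restrictions"
ATTRIBUTE_KEYS = {"bundleId", "cdhash", "name", "path", "sha256"}
# Keys that pin one exact build.  The others follow whatever the bundle on disk
# says, so a renamed or copied app no longer matches them.
PINNING_KEYS = {"cdhash", "sha256"}
SUPPORTED_ACTIONS = {1}
MESSAGE_MAX = 250

def _string_or_strings(value: Any) -> bool:
    if isinstance(value, str):
        return True
    return isinstance(value, list) and bool(value) and all(isinstance(v, str) for v in value)

def lint_restrictions(xml: bytes) -> List[str]:
    """Findings for one payload: "error:" for schema violations, "warning:"
    for advisories.  An empty list means the payload is clean."""
    if b"<plist" not in xml:  # custom settings XML is a bare <dict>
        xml = b'<plist version="1.0">' + xml + b"</plist>"
    payload = plistlib.loads(xml)
    findings: List[str] = []
    if payload.get("PayloadType") != PAYLOAD_TYPE:
        findings.append(f"error: PayloadType must be {PAYLOAD_TYPE}")
    rules = payload.get("Restrictions")
    if not isinstance(rules, list) or not rules:
        return findings + ["error: Restrictions must be a non-empty array of dictionaries"]
    for i, rule in enumerate(rules):
        where = f"Restrictions[{i}]"
        if not isinstance(rule, dict):
            findings.append(f"error: {where} is not a dictionary")
            continue
        attrs = rule.get("Attributes")
        if not isinstance(attrs, dict) or not attrs:
            findings.append(f"error: {where}.Attributes must be a dictionary with at least one key")
        else:
            for key, value in attrs.items():
                if key not in ATTRIBUTE_KEYS:
                    findings.append(f"error: {where}.Attributes has unknown key {key!r}")
                elif not _string_or_strings(value):
                    findings.append(f"error: {where}.Attributes.{key} must be a string or array of strings")
            if not PINNING_KEYS & set(attrs):
                findings.append(f"warning: {where} matches only name/path/bundleId; a renamed copy of the app evades it (add cdhash or sha256)")
        actions = rule.get("Actions")
        if not (isinstance(actions, list) and actions and all(isinstance(a, int) and a in SUPPORTED_ACTIONS for a in actions)):
            findings.append(f"error: {where}.Actions must be an array containing only the supported action 1")
        silent = rule.get("IsSilentNotify", False)
        if not isinstance(silent, bool):
            findings.append(f"error: {where}.IsSilentNotify must be a boolean")
            silent = False
        message = rule.get("Message")
        if message is None:
            if not silent:
                findings.append(f"error: {where}.Message is required unless IsSilentNotify is true")
        elif not isinstance(message, str):
            findings.append(f"error: {where}.Message must be a string")
        elif len(message) > MESSAGE_MAX:
            findings.append(f"error: {where}.Message is {len(message)} characters, maximum is {MESSAGE_MAX}")
    return findings

# Constructed sample: the WhatsApp payload above, abridged to the keys checked here.
GOOD_PAYLOAD = b"""<dict>
  <key>Restrictions</key>
  <array>
    <dict>
      <key>Attributes</key>
      <dict>
        <key>cdhash</key>
        <string>fd02694e8489e59664d568a546e41681d2f53bd2</string>
        <key>name</key>
        <array>
          <string>WhatsApp</string>
          <string>WhatsApp Helper (GPU)</string>
        </array>
      </dict>
      <key>Actions</key>
      <array><integer>1</integer></array>
      <key>Message</key>
      <string>You are not permitted to use WhatsApp</string>
    </dict>
  </array>
  <key>PayloadType</key>
  <string>com.vmware.hub.mac.restrictions</string>
</dict>"""

# Constructed sample with four mistakes: a mistyped key, an unsupported action,
# an over-long message, and no build-pinning attribute.
BAD_PAYLOAD = plistlib.dumps({
    "PayloadType": PAYLOAD_TYPE,
    "Restrictions": [{"Attributes": {"bundleID": "com.example.game"},
                      "Actions": [1, 2], "Message": "x" * 300}],
})
```

Calling lint_restrictions() on the first sample returns an empty list; on the second it returns three errors and one warning. Because a mistyped key such as bundleID is simply an unknown key to the payload, a rule can pass the console and reach devices while matching nothing, which is the case the unknown-key check is there to catch.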

View event logs

You can view event logs related to the configuration, detection, and remediation of restricted software in the console.

  1. In the UEM Console, navigate to Device Details > Troubleshooting.
  2. Navigate to events displayed under the Intelligent Hub Module and Security Category.