Default Intune Mac OS App Control
Restricted apps (settings apply to: All enrollment types)
- Type of restricted apps list: Create a list of apps that users aren’t allowed to install or use. Your options:
  - Not configured (default): Intune doesn’t change or update this setting. By default, users might have access to apps you assign, and built-in apps.
  - Approved apps: List the apps that users are allowed to install. Users must not install other apps. If users install apps that aren’t allowed, then it’s reported in Intune. Apps that are managed by Intune are automatically allowed, including the Company Portal app. Users aren’t prevented from installing an app that isn’t on the approved list.
  - Prohibited apps: List the apps (not managed by Intune) that users aren’t allowed to install and run. Users aren’t prevented from installing a prohibited app. If a user installs an app from this list, it’s reported in Intune.
Google’s tool: Santa
https://github.com/google/santa ( https://support.addigy.com/hc/en-us/articles/4403720154387-Deploying-Google-Santa-Using-Addigy#Applying-a-Rule )
Upvote (whitelist server for Santa)
JAMF Pro
JAMF Pro has the ability to blacklist applications. JAMF Pro is the closest any MDM will get to App Control. JAMF does this with the JAMF Binary, which gives control options over the Mac that are outside of Apple’s MDM framework. To be clear, JAMF Pro is not a security tool. It is just another MDM (far better than Intune for Macs) that can do some extra tricks.
Set Gatekeeper to App Store only
Set Gatekeeper to App Store only and use managed Apple IDs – OK, and use MDM to deploy apps that are not in the App Store, which I see in the documentation bypasses Gatekeeper.
Intune:
- Allow apps downloaded from these locations: Limit the apps a device can launch, depending on where the apps were downloaded from. The intent is to protect devices from malware, and allow apps from only the sources you trust.
  - Not configured (default)
  - Mac App Store
  - Mac App Store and identified developers
  - Anywhere
- Do not allow user to override Gatekeeper: Prevents users from overriding the Gatekeeper setting, and prevents users from Control-clicking to install an app. When enabled, users can’t Control-click any app to install it.
  - Not configured (default) – Users can Control-click to install apps.
  - Yes – Prevents users from using Control-click to install apps.
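To check which of these Gatekeeper options an exported configuration profile actually enforces, the following added example (not from Intune or the original notes) parses a `.mobileconfig` and reports the result. It assumes the profile carries Apple's standard `com.apple.systempolicy.control` and `com.apple.systempolicy.managed` payloads; the sample profile and the function name `audit_gatekeeper` are constructed for illustration.

```python
import plistlib

# Constructed sample profile for illustration, not exported from a real tenant.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.systempolicy.control</string>
    <key>EnableAssessment</key><true/>
    <key>AllowIdentifiedDevelopers</key><true/>
  </dict></array>
</dict></plist>"""


def audit_gatekeeper(profile_bytes):
    """Return (source_setting, findings) for a .mobileconfig given as bytes."""
    profile = plistlib.loads(profile_bytes)
    control, managed = {}, {}
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        if ptype == "com.apple.systempolicy.control":
            control = payload
        elif ptype == "com.apple.systempolicy.managed":
            managed = payload

    # Map Apple's payload keys onto the option names used in the list above.
    if "EnableAssessment" not in control:
        source = "Not configured"
    elif not control["EnableAssessment"]:
        source = "Anywhere"
    elif control.get("AllowIdentifiedDevelopers", True):  # assumed default: true
        source = "Mac App Store and identified developers"
    else:
        source = "Mac App Store"

    findings = []
    if source != "Mac App Store":
        findings.append("download source is '%s', not 'Mac App Store'" % source)
    if not managed.get("DisableOverride", False):
        findings.append("users can still Control-click to override Gatekeeper")
    return source, findings


if __name__ == "__main__":
    source, findings = audit_gatekeeper(SAMPLE_PROFILE)
    print("Gatekeeper source:", source)
    for finding in findings:
        print("FINDING:", finding)
```

An empty findings list means the profile sets both "Mac App Store" and "Do not allow user to override Gatekeeper".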