Files
apple_device-management/mdm/profiles/com.apple.applicationaccess.new.yaml
Cyrus Daboo 97a11a861f Seed2
2026-06-22 15:55:19 -04:00

156 lines
5.1 KiB
YAML

title: 'Parental Controls: Application Restrictions'
description: The payload that configures parental controls for apps.
payload:
payloadtype: com.apple.applicationaccess.new
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '10.7'
deprecated: '27.0'
multiple: true
devicechannel: true
userchannel: true
supervised: false
requiresdep: false
userapprovedmdm: false
allowmanualinstall: true
userenrollment:
mode: forbidden
tvOS:
introduced: n/a
visionOS:
introduced: n/a
watchOS:
introduced: n/a
content: |-
Parental controls application restrictions.
Order of evaluation:
(1) Certain system applications and utilities are always allowed to run
(2) The "allowList" is searched to see if a matching entry is found by bundleID. If a match is found, the "appID" and "detachedSignature"
(if present) are used to verify the signature of the application being launched. If the signature is valid and matches the designated
requirement (in the "appID" key), the application is allowed to launch.
(3) (deprecated) If the path to the binary being launched matches (or is in a subdirectory) of a path in "pathDenyList", the binary is denied.
(4) (deprecated) If the path to the binary being launched matches (or is a subdirectory) of a path in "pathAllowList", the binary is allowed to launch.
(5) The binary is denied permission to launch.
payloadkeys:
- key: familyControlsEnabled
type: <boolean>
presence: required
content: If `true`, enables app access restrictions.
- key: allowList
supportedOS:
macOS:
introduced: '10.15'
type: <array>
presence: optional
content: The allow list of app item dictionaries.
subkeytype: ApplicationItem
subkeys: &id001
- key: allowListItem
type: <dictionary>
content: A dictionary defining an app for parental control.
subkeys:
- key: bundleID
type: <string>
presence: required
content: The bundle ID of the app.
- key: appID
type: <data>
presence: required
content: The identifier of the app. Obtain this value from the Security framework
using `SecCodeCopyDesignatedRequirement`.
- key: detachedSignature
type: <data>
presence: optional
content: The signature for an unsigned binary.
- key: disabled
type: <boolean>
presence: optional
default: false
content: If `true`, this app isn't added to the allow list.
- key: subApps
type: <array>
presence: optional
content: An array of nested helper applications.
subkeytype: ApplicationItem
subkeys: *id001
- key: displayName
type: <string>
presence: optional
content: The name used for display purposes.
- key: whiteList
supportedOS:
macOS:
deprecated: '10.15'
type: <array>
presence: optional
content: The allow list of app item dictionaries. This property is deprecated in
macOS 10.15 and later - use `allowList` instead.
subkeytype: ApplicationItem
subkeys: *id001
- key: pathDenyList
supportedOS:
macOS:
introduced: '10.15'
type: <array>
presence: optional
content: The paths to apps in the deny list.
subkeys:
- key: pathDenyListItem
type: <string>
presence: required
content: A path.
- key: pathBlackList
supportedOS:
macOS:
deprecated: '10.15'
type: <array>
presence: optional
content: The paths to apps in the deny list. This property is deprecated in macOS
10.15 and later - use `pathDenyList` instead.
subkeys:
- key: pathBlackListItem
type: <string>
presence: required
content: A path.
- key: pathAllowList
supportedOS:
macOS:
introduced: '10.15'
type: <array>
presence: optional
content: The paths to apps in the allow list.
subkeys:
- key: pathAllowListItem
type: <string>
presence: required
content: A path.
- key: pathWhiteList
supportedOS:
macOS:
deprecated: '10.15'
type: <array>
presence: optional
content: The paths to apps in the allow list. This property is deprecated in macOS
10.15 and later - use `pathAllowList` instead.
subkeys:
- key: pathWhiteListItem
type: <string>
presence: required
content: A path.
notes:
- title: ''
content: |-
To determine if an app can be launched, the app is evaluated with these rules:
- Certain system app and utilities are always allowed to run.
- The allow list is searched to see if the `bundleID` has a matching entry. If a match is found, `appID` and `detachedSignature` (if present) are used to verify the signature of the app being launched. If the signature is valid and matches the designated requirement (in the appID key), the app is allowed to launch.
- If the path to the binary being launched matches or is in a subdirectory of a path in the deny list, the binary is denied.
- If the path to the binary being launched matches or is a subdirectory of a path in the allow list, the binary is allowed to launch.
- The binary is denied permission to launch.
examples:
- title: Profile example
files:
- file: examples/mdm/profiles/com.apple.applicationaccess.new/example1.plist