Application Control

Scalefusion Veltar's Application Control for macOS leverages Apple's Endpoint Security framework to provide granular control over application access on your managed devices. IT administrators can block or allow applications based on various criteria, ensuring compliance and security.

Application Control empowers IT administrators to precisely manage application access on their managed macOS devices. By blocking or allowing applications based on Team ID, Bundle ID, Signing Certificate, or Version Hash, you can effectively control which applications are permitted to run. Additionally, you can configure blocking behavior (silent or with a message), restrict access to specific users or devices, and implement conditional blocking based on time and IP address. Detailed logging provides valuable insights into blocked app access, enabling you to monitor and analyze application usage.

The document explains what configurations you need to do on Scalefusion Dashboard to enable allowing or blocking of applications on managed macOS devices.

Platforms Supported: macOS

Pre-Requisites

1. Scalefusion MDM Client’s (agent app for macOS) v4.1.1 or above should be installed on device

2. macOS Device Profile should be created on Scalefusion Dashboard

3. Your account should have access to Application Control feature

4. Supported OS: OS 10.15 or above

How it Works

1. Define Rules: Create rules specifying which applications to block or allow based on the chosen criteria.

2. Enforcement: Scalefusion Veltar will monitor application launches and enforce the defined rules.

3. Logging: Detailed logs are recorded for blocked app access, providing valuable insights into device usage.

Steps

Step 1: Create Configuration

1. On Scalefusion Dashboard, navigate to Veltar > Application Control and click on Create Configuration
   

2. In the new window, enter Configuration Name

3. On the left you will find the configurable settings under these heads. Navigate to each link:

   1. Application Policy

   2. Settings

   3. Access Restrictions
      

4. Once you have configured all the above, click on Create button on top right.

5. The configuration will get created and displayed under Configuration tab with other related details

Application Policy

From this section, you can define the rules to determine the applications that will be allowed/blocked. To do so, Choose one of the following:

Note: Apple System Apps and Scalefusion apps cannot be blocked with this policy

1. Configure Allowlist: Select this if you want to define the rules that determine which applications will be allowed

2. Configure Blocklist: Select this if you want to define the rules that determine which applications will be blocked
   

3. Next, click on the button Add New Rule
   

4. This will open the Add New Rule wizard. Enter the following details:

   1. Name: Give a unique name for the rule

   2. Type: The application can be allowed/blocked based on the following identifiers. Select any one and provide its value in the next field:

      1. Bundle ID

      2. Team Identifier

      3. Certificate  

      4. Version Hash

   3. Value: Provide value for the type you have selected. For example, if you have select Bundle ID as the Type then provide the Bundle ID of the app for which you are creating a rule.
      

5. Note: You can fetch the values by running scalefusion -fileinfo <app_path> on a managed device. To do so, open the terminal window on the device and run the above command with the app name. Notice the information like Bundle Id, Team Id, Certificate etc. for the app being displayed.
   

6. Click Save

7. The rule will be created and displayed.
   

To apply a rule, you need to enable the toggle under Enable All

Settings

Configure app blocking behavior through these settings:

1. Configure Blocking Behavior: Select whether to block applications silently or display an alert to the end user.

   1. Alert Message (Enabled if Blocking Behavior is set to Display an Alert): Configure the alert message that will be shown to the user when a blocked application is accessed.

   2. Display More Info Button: Enables or disables the More Info button in the alert. When enabled, clicking the button will direct the user to the specified URL.

      1. More Info URL: Enter the URL that will be displayed when the "More Info" button is clicked.

      The alert message and Display More Info button become configurable only if the blocking behavior is set to Display an alert

2. Select User Scope: Select the scope for the blocking policy by choosing one of the following:

   1. Enrolled User

   2. All Accounts

   3. Administrator Accounts

   4. Standard Accounts

   5. Specific User Accounts: On selecting this option, a text field will be displayed where you need to enter Local user short names which are present on the device. You can search for a particular user which will populate list of users created. To add more than one user, click on New User link.
      

Access Restrictions

IT admins can configure specific conditions from the Scalefusion Dashboard which determine the users' ability to access the applications on the device. To conditionally access, following parameters can be enforced:

1. Day & Time: Configure the Time schedule in which user account is allowed to access the applications. Select the following:

   1. Start Time & End Time

   2. Timezone: You can either choose to use device's local timezone or select it manually from the drop-down.

   3. Select Days: Select particular day(s) from Sunday to Saturday
      
      

2. IP Address: Enter the IP ranges and the user(s) will be allowed to access the applications within those specified ranges. To give range, click on Add Range link. This will add a new row below. Here, select Type from IPv4 and IPv6, give start and End IP address. The IT admins can click on the delete icon under Actions if any particular IP range has to be removed. Click on Add range to configure multiple IP ranges. Note: The IP addresses should be valid.
   

Once you have configured all the above, click on Create button on top right. The configuration will get created and displayed under Configuration tab with other related details.

Step 2: Publish Configuration

To Publish,

1. Click on publish icon in front of the configuration

2. In the new window, select the device profile(s) on which you want to publish the configuration.

3. Click Publish
   

User Experience on Device

On publishing the configuration,

1. Notice Veltar icon on the top bar. Clicking on it will reflect Application Control Policy as Configured
   
   

2. If you open Scalefusion MDM Client, it will reflect Application Control Policy as Configured, under Settings
   
   

3. If you try to access an app (for which you have created a rule in the configuration) it will show up the alert message you have configured. Below screenshot is an example when user tries to access zoom app which has app block policy applied to it and the user is not allowed to use the application.
   

Event Logs

From this section you can get detailed logs which are recorded for blocked app access, providing valuable insights into device usage. Click on Event Logs tab under Application Control

Summary View

This section displays a summary of blocked instances within the Scalefusion platform. This provides a quick overview of the blocked instances and their distribution across different criteria, allowing administrators to easily identify and address potential issues.

1. Blocked Instances: Shows the total number of blocked events / instances on all the devices and a bifurcation further:

   1. By Bundle ID: Displays the number of blocked instances due to violations of the Bundle ID rule.

   2. By Team ID: Displays the number of blocked instances due to violations of the Team ID rule.

   3. By Version Hash: Displays the number of blocked instances due to violations of the Version Hash rule.

   4. By Certificate: Displays the number of blocked instances due to violations of the Certificate rule.

   5. By Whitelist Policy: Displays the number of blocked instances that are not included in the whitelist rules.
      

Events Info

This section shows detailed information on the events, under following heads

1. Endpoint: The name assigned to the device.

2. Serial Number: The unique serial number of the device.

3. Username: The name of the user account that accessed the blocked application.

4. App Name: The name of the blocked application.

5. Timestamp: Indicates when the blocked application was accessed by the user.

6. Actions:

   1. View App Information: Clicking this option displays a pop-up with detailed information about the blocked application. This information helps administrators understand the context of blocked application access and identify the specific reasons for the blocks.:

      1. Bundle ID: The unique identifier for the application.

      2. Version: The version of the application.

      3. Build: The build number of the application.

      4. Team ID: The team ID associated with the application.

      5. Path: The path of the application on the device.

      6. Certificate: The certificate used to sign the application.

      7. Version Hash: The hash value of the application's version.

      8. Blocking Reason: The reason why the application was blocked (e.g., violated a rule).

   2. Edit Configuration: With this, you can update the configuration
      

   

Additional Features

Filters

There are filtering options available for viewing activity logs. You can filter them by:

1. Timestamp:

   1. Timestamp

   2. App Name

   3. Username

2. Configurations:

   1. All Configurations

   2. List of available configurations. Choose a specific configuration

3. Date Picker:

   1. Start Date: It can be from Current Date to 7 days. You cannot select a date more than 30 days in the past.

   2. End Date

   Note: Logs older than 30 days get automatically deleted.

4. Page Size: Select the number of records to be displayed on one page

5. Search Using Device Name, Serial No, or App Name

   

Download Report

Clicking the button downloads a CSV report containing the filtered activity data. Please note the report can be downloaded for a duration of 7 days at the maximum.