Cisco Meraki Documentation

App allowing/denying list in security policies

Security policies can be used to restrict the deployment of profiles to devices based on the apps installed or running on those devices. This article will describe how those options within Security Policies can be used. 

For more information about security policies, and how to create/use them, please read the article on Security Policies for Devices in Systems Manager.

 

App Name Formats

In each of these fields, app names can be entered in multiple ways. Matches can also make use of the wildcard character '*'.

 

Application Name: This is the friendly display name of the app, and can be used across both desktop and mobile devices. Ex. "Google Chrome", "Facebook", "*SMS*".

Note: An application may have a slightly different name depending on the platform it is on, so the wildcard can be useful for matching across multiple device types.

 

Application Identifier: This can be the unique app ID or bundle ID for an app, and can only be used with iOS and Android. Ex. "com.meraki.sm", "com.google.*", "472572194".

Note: Using the wildcard with the bundle ID (ex. com.meraki.*) makes it easy to block all apps from a particular vendor.

 

 

Bundle ID can be found for apps in the Google Play store and will appear in the URL as shown below. If known, the bundle ID can also be used for iOS apps.

[Screenshot: Facebook - Android Apps on Google Play]

App ID can be found for apps in iTunes and will appear in the URL as shown below.

[Screenshot: Facebook on the App Store]

 

To add an app or pattern, click in the box provided and begin to type. Once the desired app or pattern has been entered, click Add option. The app or pattern will then appear as its own bubble.

[Screenshot: Clients - Meraki Dashboard]

Installed Apps Deny/Allow list

The options under All devices for Application deny / allow and Mandatory applications can be used to track which devices have installed restricted apps, or are missing required apps.

Application Deny / Allow list

The behavior of this option depends on whether a deny list or an allow list is chosen.

Application 'deny list' will mark a device as violating the policy if it has any apps installed that ARE listed. It indicates apps that are not allowed.

Application 'allow list' will mark a device as violating the policy if it has any apps installed that AREN'T listed. It indicates apps that are allowed.

 

The next two examples will illustrate using the list of apps/patterns shown below.

[Screenshot: Apps - Meraki Dashboard]

These entries would match on the following:

 

  • Apps containing the word "Chrome".
  • An app called "Facebook".
  • Apps from Google on a mobile device.

 

A deny list means these apps are NOT allowed, but others are. The apps in red are not permitted, while those in green are.

[Image: deny list example]

An allow list means ONLY these apps are allowed, and others aren't. The apps in red are not permitted, while those in green are.

[Image: allow list example]

Mandatory Applications

Mandatory applications operate similarly to the application deny / allow list above, but indicate apps that MUST be installed. This list is compared to the managed apps assigned to a device on the MDM > Apps page, and if an app matches in both places, it is checked on the device. If it is not present, the device is considered to be violating.

 

As an example, if the app Meraki is listed as a mandatory app AND is assigned to a device on the Systems Manager > Manage > Apps page, it MUST be present on the device. However, if the Meraki app is listed as a mandatory app but is NOT assigned to the device on the Systems Manager > Manage > Apps page, it is NOT required.

Running Apps

Requirements can also be created around which applications are currently running on desktop devices. These are evaluated based on whether the application is running as a service or active program. Formatting of these entries is done similarly to the Application deny / allow list functions above.

Running Apps Deny list

The Running apps deny list will consider a device to be violating the policy if ANY of the apps listed are currently running.

Mandatory Running Apps

ALL apps listed under Mandatory running apps MUST be running, otherwise the device will be considered violating the policy.
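
The rules above for installed and running apps can be checked offline against an app inventory before a policy is rolled out. The following is an added example, not Meraki's code or API: it models '*' as the only wildcard, and it assumes case-sensitive matching and that an entry may match either the app name or the identifier. The function names, patterns and inventory are constructed for illustration.

```python
import re

def matches(pattern, value):
    # '*' is the only wildcard; everything else is literal (case-sensitive here).
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def app_matches(patterns, app):
    # An entry may match the display name or, on iOS/Android, the identifier.
    values = [app["name"]] + ([app["identifier"]] if app.get("identifier") else [])
    return any(matches(p, v) for p in patterns for v in values)

def deny_violations(patterns, installed):
    # Deny list: every installed app that IS listed is a violation.
    return [a["name"] for a in installed if app_matches(patterns, a)]

def allow_violations(patterns, installed):
    # Allow list: every installed app that is NOT listed is a violation.
    return [a["name"] for a in installed if not app_matches(patterns, a)]

def mandatory_violations(patterns, assigned, installed):
    # Only apps both listed as mandatory AND assigned to the device are required.
    present = {a["name"] for a in installed}
    return [a["name"] for a in assigned
            if app_matches(patterns, a) and a["name"] not in present]

def running_deny_violations(patterns, running):
    # Violating if ANY listed app is currently running.
    return [n for n in running if any(matches(p, n) for p in patterns)]

def mandatory_running_violations(patterns, running):
    # Violating unless ALL listed entries have a running match.
    return [p for p in patterns if not any(matches(p, n) for n in running)]

# Constructed sample data (not taken from the article's screenshots).
PATTERNS = ["*Chrome*", "Facebook", "com.google.*"]
INSTALLED = [
    {"name": "Google Chrome", "identifier": "com.android.chrome"},
    {"name": "Facebook", "identifier": "com.facebook.katana"},
    {"name": "Gmail", "identifier": "com.google.android.gm"},
    {"name": "Calculator", "identifier": "com.example.calc"},
]

if __name__ == "__main__":
    print("deny list violations: ", deny_violations(PATTERNS, INSTALLED))
    print("allow list violations:", allow_violations(PATTERNS, INSTALLED))
    print("mandatory missing:    ", mandatory_violations(["Meraki"], [{"name": "Meraki"}], INSTALLED))
```

With the same three entries, the deny list flags three of the four sample apps while the allow list flags only the fourth, which is why switching list type without revisiting the entries inverts which devices are reported as violating.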
