
App white/blacklisting in security policies

Security policies can be used to restrict the deployment of profiles to devices based on the apps installed or running on those devices. This article will describe how those options within Security Policies can be used. 

For more information about security policies, and how to create/use them, please read the article on Security Policies for Devices in Systems Manager.

 

App Name Formats

In each of these fields, the names of apps can be entered in multiple ways. Matches can also make use of the wildcard '*' character.

 

Application Name: This is the friendly display name of the app, and can be used across both desktop and mobile devices. Ex. "Google Chrome", "Facebook", "*SMS*".

Note: An application may have a slightly different name depending on the platform it is on, so the wildcard can be useful for matching across multiple device types.

 

Application Identifier: This can be the unique app ID or bundle ID for an app, and can only be used with iOS and Android. Ex. "com.meraki.sm", "com.google.*", "472572194".

Note: The wildcard can be used with the bundle ID (ex. com.meraki.*) to easily block all apps from a particular vendor.

 

 

Bundle ID can be found for apps in the Google Play store and will appear in the URL as shown below. If known, the bundle ID can also be used for iOS apps.


App ID can be found for apps in iTunes and will appear in the URL as shown below.


 

To add an app or pattern, click in the box provided and begin to type. Once the desired app or pattern has been entered, click Add option. The app or pattern will then appear as its own bubble.


Installed Apps Black/Whitelist

The options under All devices for Application blacklist / whitelist and Mandatory applications can be used to track which devices have installed restricted apps, or are missing required apps.

Application Blacklist / Whitelist

Behavior of this option will depend on whether blacklist or whitelist is chosen.

Application 'blacklist' will mark a device as violating the policy if it has any apps installed that ARE listed. It indicates apps that are not allowed.

Application 'whitelist' will mark a device as violating the policy if it has any apps installed that AREN'T listed. It indicates apps that are allowed.

 

The next two examples will illustrate using the list of apps/patterns shown below.


These entries would match on the following:

 

  • Apps containing the word "Chrome".
  • An app called "Facebook".
  • Apps from Google on a mobile device.
 

A blacklist means these apps are NOT allowed, but others are. The apps in red are not permitted, while those in green are.


A whitelist means ONLY these apps are allowed, and others aren't. The apps in red are not permitted, while those in green are.


Mandatory Applications

Mandatory applications operate similarly to the application whitelist / blacklist above, but indicate apps that MUST be installed. This list is compared to the managed apps assigned to a device on the MDM > Apps page, and if an app matches in both places, it is checked on the device. If it is not present, the device is considered to be violating.

 

As an example, if the app Meraki is listed as a mandatory app AND is assigned to a device on the MDM > Apps page, it MUST be present on the device. However, if the Meraki app is listed as a mandatory app but is NOT assigned to the device on the MDM > Apps page, it is NOT required.
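The evaluation rules described above, as an added example that is not Systems Manager's own code: it checks a constructed device inventory against the patterns "*Chrome*", "Facebook" and "com.google.*" in blacklist and whitelist mode, then applies the mandatory-app rule. The function names, the sample apps, the assumption that matching is case-sensitive, and the pattern strings themselves (reconstructed from the three matches listed above) are assumptions.

```python
import re

def wildcard_match(pattern, value):
    # Only '*' is treated as a wildcard, as on the page; all else is literal.
    # Case-sensitive matching is an assumption of this example.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def app_matches(app, names, ids):
    name, ident = app  # ident is None for desktop apps (identifiers are iOS/Android only)
    if any(wildcard_match(p, name) for p in names):
        return True
    return ident is not None and any(wildcard_match(p, ident) for p in ids)

def list_violations(installed, names, ids, mode):
    """Return the installed apps that put the device in violation."""
    if mode not in ("blacklist", "whitelist"):
        raise ValueError(mode)
    # Blacklist: listed apps offend. Whitelist: unlisted apps offend.
    offending_if_match = mode == "blacklist"
    return [a[0] for a in installed
            if app_matches(a, names, ids) == offending_if_match]

def mandatory_violations(installed, assigned, names, ids):
    """A mandatory app is required only if it is also assigned to the device."""
    required = [a for a in assigned if app_matches(a, names, ids)]
    return [a[0] for a in required if a not in installed]

# Patterns reconstructed from the page's description (assumed exact strings).
NAMES = ["*Chrome*", "Facebook"]
IDS = ["com.google.*"]

# Constructed sample inventory: (display name, app identifier or None).
INSTALLED = [
    ("Google Chrome", None),                         # desktop, name match
    ("Facebook", "com.facebook.katana"),             # exact name match
    ("Google Maps", "com.google.android.apps.maps"), # identifier match
    ("Meraki Systems Manager", "com.meraki.sm"),     # no match
]

if __name__ == "__main__":
    print("blacklist:", list_violations(INSTALLED, NAMES, IDS, "blacklist"))
    print("whitelist:", list_violations(INSTALLED, NAMES, IDS, "whitelist"))
    meraki = ("Meraki Systems Manager", "com.meraki.sm")
    missing = [a for a in INSTALLED if a != meraki]
    print("assigned:", mandatory_violations(missing, [meraki], [], ["com.meraki.*"]))
    print("unassigned:", mandatory_violations(missing, [], [], ["com.meraki.*"]))
```

The same device flips from three offending apps under the blacklist to one under the whitelist, which is why a whitelist needs entries for every app the device legitimately carries, including the management agent itself.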


Running Apps

Requirements can also be created around which applications are currently running on desktop devices. These are evaluated based on whether the application is running as a service or active program. Formatting of these entries is done similarly to the Application blacklist / whitelist functions above.

Running Apps Blacklist

The Running apps blacklist will consider a device to be violating the policy if ANY of the apps listed are currently running.

Mandatory Running Apps

ALL apps listed under Mandatory running apps MUST be running, otherwise the device will be considered violating the policy.

Last modified
20:35, 2 Feb 2015


Article ID

ID: 1224
