macOS Protected Path Design Intent

Why /Applications and /System/Applications Are Protected

On macOS, /Applications and /System/Applications are protected paths — wildcard file access policies are intentionally bypassed for executables in these directories. This is by design, not a limitation.

A blanket wildcard policy targeting {applications}/*.app or {applications}/*.app/Contents/MacOS/* would catch every application in /Applications indiscriminately, including software legitimately deployed through an MDM solution such as Jamf. Protecting these directories ensures that managed, approved applications are never inadvertently blocked or gated behind an approval workflow they should not require.

Additionally, a standard user cannot install software into /Applications without administrator credentials. The threat model for unsanctioned software installs does not live in /Applications — it lives in the user's home directory, where a user can freely download and run applications without elevated privileges.

What this means for policy design:

  • Wildcard file access policies are the right tool for the user's home directory and downloads — this is where unmanaged software installs actually occur. Use patterns like {home}/*.dmg, {downloads}/*.app, or {downloads}/*.pkg to enforce that users can only run approved software and to require approval or block anything downloaded outside of managed channels.

  • For applications in /Applications or /System/Applications, use explicit paths. This is intentional — it gives administrators precise control over specific applications without risking disruption to the broader managed application estate.

Examples of appropriate wildcard policy targets on macOS:

| Pattern | Use Case |
| --- | --- |
| {downloads}/*.app | Block or require approval for any app downloaded directly by the user |
| {downloads}/*.dmg | Block or require approval for disk images in the user's Downloads folder |
| {downloads}/*.pkg | Block or require approval for installer packages downloaded by the user |
| {home}/*.app | Block or require approval for any app run directly from the user's home directory |

Examples of explicit path policies for /Applications:

| Pattern | Use Case |
| --- | --- |
| {applications}/Google Chrome.app/Contents/MacOS/Google Chrome | Require approval to launch Chrome |
| {system}/Applications/Calculator.app/Contents/MacOS/Calculator | |
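
A policy list can be checked against the protected-path rule before it is deployed. The linter below is an added example, not the product's own code: it flags wildcard patterns aimed at /Applications or /System/Applications, which are bypassed by design, and accepts explicit paths there. It assumes {applications} expands to /Applications, {system} to /System, and that * is the only wildcard character; the function names are hypothetical.

```python
# Added example: lint policy patterns against the protected-path rule.
# Assumptions (not stated on the page): {applications} -> /Applications,
# {system} -> /System, and "*" is the only wildcard character.
PLACEHOLDERS = {"{applications}": "/Applications", "{system}": "/System"}
PROTECTED_ROOTS = ("/Applications/", "/System/Applications/")


def expand(pattern: str) -> str:
    """Expand only the placeholders needed to recognise protected roots."""
    for token, path in PLACEHOLDERS.items():
        if pattern.startswith(token):
            return path + pattern[len(token):]
    return pattern


def lint(pattern: str) -> str:
    """Classify one policy pattern.

    'ineffective': wildcard aimed at a protected path (bypassed by design)
    'explicit'   : exact path inside a protected path (the intended form)
    'wildcard'   : wildcard outside the protected paths (home, downloads)
    'literal'    : exact path outside the protected paths
    """
    expanded = expand(pattern)
    protected = expanded.startswith(PROTECTED_ROOTS)
    has_wildcard = "*" in expanded
    if protected:
        return "ineffective" if has_wildcard else "explicit"
    return "wildcard" if has_wildcard else "literal"


def lint_policy(patterns):
    """Return {pattern: verdict} for a whole policy list."""
    return {p: lint(p) for p in patterns}


# Constructed sample policy, built from the patterns shown on this page.
SAMPLE_POLICY = [
    "{applications}/*.app/Contents/MacOS/*",
    "{applications}/Google Chrome.app/Contents/MacOS/Google Chrome",
    "{system}/Applications/Calculator.app/Contents/MacOS/Calculator",
    "{downloads}/*.dmg",
    "{home}/*.app",
]

if __name__ == "__main__":
    for pattern, verdict in lint_policy(SAMPLE_POLICY).items():
        print(f"{verdict:12} {pattern}")
```

Any pattern reported as ineffective should be rewritten as one explicit path per application that needs a rule.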
