With macOS 10.6.6+ introducing the App Store's non-admin installation capability, IT administrators face legitimate management concerns. The fundamental issue stems from these technical behaviors:
- App Store bundles install to /Applications without admin rights
- Receipt validation occurs via apple.com and itunes.apple.com endpoints
- No native GUI toggle exists in System Preferences
Deploy this mobileconfig profile via MDM or ARD:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadDescription</key>
            <string>Disables App Store access</string>
            <key>PayloadDisplayName</key>
            <string>Restrict App Store</string>
            <key>PayloadIdentifier</key>
            <string>com.company.restrictions.appstore</string>
            <key>PayloadOrganization</key>
            <string>YourOrganization</string>
            <key>PayloadType</key>
            <string>com.apple.applicationaccess</string>
            <key>PayloadUUID</key>
            <string>C5F60C6D-3D9F-4D5B-9521-3E1C5C9E7D2F</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>restrict-store-softwareupdate-only</key>
            <true/>
            <key>restrict-store-disable-app-adoption</key>
            <true/>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>App Store Restrictions</string>
    <key>PayloadIdentifier</key>
    <string>com.company.restrictions</string>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>D5C60C6D-3D9F-4D5B-9521-3E1C5C9E7D2F</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
For network filtering (pfSense example):
# Apple App Store domains to block. pf resolves these hostnames once, when the
# ruleset is loaded, so reload the rules if Apple's addresses change.
# (pf macro names may not contain hyphens, and a list macro needs braces.)
app_store_domains = "{ apple.com itunes.apple.com apps.apple.com }"
# Outbound traffic from the LAN towards the store, and anything coming back from it
block drop out quick on $ext_if proto { tcp udp } from any to $app_store_domains
block drop in quick on $ext_if proto { tcp udp } from $app_store_domains to any
Add this launchd job to periodically verify restrictions:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.company.appstore.check</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/bin/defaults</string>
        <string>write</string>
        <string>/Library/Preferences/com.apple.appstore.plist</string>
        <string>restrict-store-require-admin-to-install</string>
        <string>-bool</string>
        <string>YES</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>StartInterval</key>
    <integer>3600</integer>
</dict>
</plist>
To test your restrictions:
# Check profile application
profiles show -type configuration
# Verify network connectivity
nc -vz itunes.apple.com 443
ping -c 1 apps.apple.com
# Validate preference enforcement
defaults read /Library/Preferences/com.apple.appstore.plist
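As an added example, not code from the answer above, the following Python script uses only the standard library's plistlib to do two things the answer describes by hand: it builds the same Restrictions profile (com.apple.applicationaccess payload with the restrict-store keys) with fresh UUIDs and a structural check, and it audits a plist, either the generated .mobileconfig or the raw bytes of /Library/Preferences/com.apple.appstore.plist, for the expected key values, which is the "validate preference enforcement" step. The organisation name, identifiers and output file name are placeholders.

```python
"""Build a Mac App Store restriction profile and audit plists for the expected keys."""
import plistlib
import uuid

# Restriction keys for the com.apple.applicationaccess payload, as listed in the
# answer above, with the values we want enforced.
APPSTORE_RESTRICTIONS = {
    "restrict-store-require-admin-to-install": True,
    "restrict-store-softwareupdate-only": True,
    "restrict-store-disable-app-adoption": True,
}

PAYLOAD_REQUIRED = ("PayloadType", "PayloadIdentifier", "PayloadUUID", "PayloadVersion")


def build_restriction_profile(org="YourOrganization",                 # placeholder
                              identifier="com.company.restrictions",  # placeholder
                              restrictions=APPSTORE_RESTRICTIONS,
                              removal_disallowed=True):
    """Return a profile dict holding one Restrictions payload.

    The outer profile and the inner payload each get a fresh UUID: macOS treats
    two profiles sharing a PayloadUUID as the same profile, so never copy a UUID
    from another profile.
    """
    payload = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadIdentifier": identifier + ".appstore",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Restrict App Store",
        "PayloadDescription": "Disables App Store installs for standard users",
        "PayloadOrganization": org,
    }
    payload.update(restrictions)
    return {
        "PayloadType": "Configuration",
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "App Store Restrictions",
        "PayloadOrganization": org,
        # True stops a local user from removing the profile in System
        # Preferences; the answer's sample profile leaves this at false.
        "PayloadRemovalDisallowed": removal_disallowed,
        "PayloadContent": [payload],
    }


def validate_profile(profile):
    """Return a list of structural problems; an empty list means the profile is well formed."""
    problems = []
    for key in PAYLOAD_REQUIRED:
        if key not in profile:
            problems.append("top level missing " + key)
    if profile.get("PayloadType") != "Configuration":
        problems.append("top-level PayloadType must be Configuration")
    seen_uuids = {profile.get("PayloadUUID")}
    seen_ids = {profile.get("PayloadIdentifier")}
    for i, payload in enumerate(profile.get("PayloadContent", [])):
        for key in PAYLOAD_REQUIRED:
            if key not in payload:
                problems.append("payload %d missing %s" % (i, key))
        if payload.get("PayloadUUID") in seen_uuids:
            problems.append("payload %d reuses a PayloadUUID" % i)
        if payload.get("PayloadIdentifier") in seen_ids:
            problems.append("payload %d reuses a PayloadIdentifier" % i)
        seen_uuids.add(payload.get("PayloadUUID"))
        seen_ids.add(payload.get("PayloadIdentifier"))
    return problems


def audit_restrictions(plist_data, expected=APPSTORE_RESTRICTIONS):
    """Compare a plist against the expected restriction values.

    plist_data is either the raw bytes of a .mobileconfig or of a preferences
    file such as /Library/Preferences/com.apple.appstore.plist (XML or binary;
    plistlib reads both), or an already parsed dict. A profile nests its
    settings under PayloadContent while a preferences file keeps them at the
    top level, so both places are searched.
    Returns {key: (status, value)} with status "ok", "wrong" or "missing".
    """
    data = plistlib.loads(plist_data) if isinstance(plist_data, (bytes, bytearray)) else plist_data
    places = [data] + [p for p in data.get("PayloadContent", []) if isinstance(p, dict)]
    result = {}
    for key, want in expected.items():
        found = [d[key] for d in places if key in d]
        if not found:
            result[key] = ("missing", None)
        elif found[0] != want:
            result[key] = ("wrong", found[0])
        else:
            result[key] = ("ok", found[0])
    return result


if __name__ == "__main__":
    profile = build_restriction_profile()
    assert validate_profile(profile) == []
    with open("appstore-restrictions.mobileconfig", "wb") as fh:  # placeholder file name
        fh.write(plistlib.dumps(profile))
    for key, (status, value) in audit_restrictions(plistlib.dumps(profile)).items():
        print("%-8s %s = %r" % (status, key, value))
```

To audit a managed Mac, read /Library/Preferences/com.apple.appstore.plist as bytes and pass it to audit_restrictions; any key reported as "missing" or "wrong" means the profile or the launchd job is not doing what the answer expects, which is a more useful signal than the hourly defaults write alone.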
Since macOS 10.6.6, Apple introduced a significant security paradigm shift where standard users could install applications from the App Store without administrative privileges. While convenient for consumers, this creates enterprise management headaches. Here's a deep dive into technical solutions:
The most elegant solution involves deploying a configuration profile that disables the App Store system-wide. Create a .mobileconfig file with these contents:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadDescription</key>
            <string>Disables App Store access</string>
            <key>PayloadDisplayName</key>
            <string>Restrict App Store</string>
            <key>PayloadIdentifier</key>
            <string>com.company.restrictions.appstore</string>
            <key>PayloadOrganization</key>
            <string>YourOrganization</string>
            <key>PayloadType</key>
            <string>com.apple.applicationaccess</string>
            <key>PayloadUUID</key>
            <string>C5F60F6A-354B-4D91-BFD8-F92A4B1F7104</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>restrict-store-softwareupdate-only</key>
            <true/>
            <key>restrict-store-disable-app-adoption</key>
            <true/>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>App Store Restrictions</string>
    <key>PayloadIdentifier</key>
    <string>com.company.restrictions</string>
    <key>PayloadOrganization</key>
    <string>YourOrganization</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>A5F60F6A-354B-4D91-BFD8-F92A4B1F7104</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
For environments where you control the network infrastructure, these hostnames should be blocked at firewall/proxy level:
- itunes.apple.com
- apps.apple.com
- buy.itunes.apple.com
- suconfig.apple.com
Example iptables rules:
iptables -A OUTPUT -p tcp -m tcp --dport 443 -d itunes.apple.com -j DROP
iptables -A OUTPUT -p tcp -m tcp --dport 80 -d apps.apple.com -j DROP
For mass deployment via Apple Remote Desktop, use this shell script to modify system preferences:
#!/bin/bash
# Disable App Store access
defaults write /Library/Preferences/com.apple.commerce.plist AutoUpdateRestrictionRequired -bool true
defaults write /Library/Preferences/com.apple.commerce.plist restrict-store-require-admin-to-install -bool true
# Refresh cfprefsd
killall cfprefsd
For modern macOS management through MDM solutions like Jamf or Mosyle, use these restriction keys in your configuration:
<key>allowAppRemoval</key>
<false/>
<key>allowAssistant</key>
<false/>
<key>allowDiagnosticSubmission</key>
<false/>
<key>forceLimitAdTracking</key>
<true/>
<key>allowITunes</key>
<false/>
After implementation, verify restrictions with these terminal commands:
# Check configuration profile application
profiles list -verbose
# Verify firewall rules
sudo pfctl -sr | grep apple
# Test App Store connectivity
nc -zv itunes.apple.com 443
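The answer above tests connectivity from a single Mac with nc. As an added example, not part of the answer, the following Python script checks the block from the other side: it reads Squid-style proxy access-log lines and reports, per client, how many connections to the listed App Store hostnames were denied and how many got through, so machines that the firewall rules or the profile missed show up. The log format, IP addresses and log lines are constructed for the demonstration and are assumptions, not data from the page.

```python
"""Report clients that still reach Mac App Store hostnames, from proxy logs."""
from collections import defaultdict
from urllib.parse import urlsplit

# Hostnames the answer above says to block; subdomains of these match too.
APPSTORE_HOSTS = ("itunes.apple.com", "apps.apple.com",
                  "buy.itunes.apple.com", "suconfig.apple.com")

# Constructed Squid-style access.log lines (not real traffic):
# timestamp elapsed client result/status bytes method URL user hierarchy type
SAMPLE_LOG = """\
1700000000.123    45 10.0.1.21 TCP_DENIED/403 0 CONNECT itunes.apple.com:443 - HIER_NONE/- -
1700000001.456    12 10.0.1.21 TCP_MISS/200 5120 GET http://apps.apple.com/us/app/x - HIER_DIRECT/17.0.0.1 text/html
1700000002.789    33 10.0.1.42 TCP_TUNNEL/200 8812 CONNECT buy.itunes.apple.com:443 - HIER_DIRECT/17.0.0.2 -
1700000003.000    20 10.0.1.42 TCP_MISS/200 300 GET http://example.com/ - HIER_DIRECT/93.184.216.34 text/html
1700000004.500     9 10.0.1.77 TCP_DENIED/403 0 CONNECT suconfig.apple.com:443 - HIER_NONE/- -
"""


def host_of(target):
    """Hostname from a CONNECT target (host:port) or from a full URL."""
    if "://" in target:
        return (urlsplit(target).hostname or "").lower()
    return target.rsplit(":", 1)[0].lower()


def is_appstore_host(host):
    return any(host == h or host.endswith("." + h) for h in APPSTORE_HOSTS)


def parse_line(line):
    """Pick the fields we need out of one access.log line, or None if malformed."""
    fields = line.split()
    if len(fields) < 7:
        return None
    return {"ts": float(fields[0]), "client": fields[2],
            "result": fields[3], "host": host_of(fields[6])}


def appstore_attempts(log_text):
    """Return {client_ip: {"denied": n, "allowed": n}} for App Store hosts only."""
    summary = defaultdict(lambda: {"denied": 0, "allowed": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_appstore_host(rec["host"]):
            continue
        status = rec["result"].split("/")[-1]
        denied = rec["result"].startswith("TCP_DENIED") or status == "403"
        summary[rec["client"]]["denied" if denied else "allowed"] += 1
    return dict(summary)


def leaking_clients(log_text):
    """Clients whose App Store requests succeeded: the block is not effective for them."""
    return sorted(c for c, n in appstore_attempts(log_text).items() if n["allowed"] > 0)


if __name__ == "__main__":
    for client, counts in sorted(appstore_attempts(SAMPLE_LOG).items()):
        print("%-12s denied=%d allowed=%d" % (client, counts["denied"], counts["allowed"]))
    print("clients still reaching the store:", leaking_clients(SAMPLE_LOG))
```

A client that appears with an "allowed" count deserves a look at both its profile and the firewall path it used: iptables and pf rules written against hostnames are resolved to addresses when the rule is loaded, so a rule that was correct when inserted can stop matching after Apple's addresses change, and the proxy log is where that drift becomes visible.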