Advanced App Compliance settings

The Advanced App Compliance feature uses blocklists or allowlists to deny or allow universal and desktops apps for Windows desktops, laptops, and tablets.

The Advanced App Compliance setting can block or allow apps based on their publisher, file path, or file hash. You can manage numerous blocklist and allowlist entries from this feature.

Table 1. Application Compliance settings for universal apps
Policy setting	Description	Supported devices
Blocklist (Deny) Native Apps	Adds the application name to the list of apps that are restricted on managed devices. Native apps are a list of apps that are required for Windows OS to function normally. Enabling this option can affect basic functions of Windows. For a list of Windows native apps that are enabled by default, see Windows native apps that are enabled by default for Advanced App Compliance.	Windows Professional, Education, Enterprise
Configure App Blocklist and Allowlist	Adds the app name and/or the publisher name for packaged apps (.appx) that are restricted on managed devices. All other packaged apps are allowed. For steps on how to obtain the app name and the publisher name, see Using the Windows App Management Admin Tool to obtain Windows app IDs. Note: Use `*` in the app name to block all apps for a publisher.	Windows Professional, Education, Enterprise
Blocklist/Allowlist Name	The type of blocklist or allowlist action that is taken on the app.	Windows Professional, Education, Enterprise
Publisher Name	Provide the publisher name of the app that is blocked or allowed. For steps on how to obtain the app name and the publisher name, see Obtaining the app ID for Universal Windows Packages (UWP). Note: Use `*` in the app name to block all apps for a publisher.	Windows Professional, Education, Enterprise
App Name	Allows all apps with the name that is provided. All other apps are blocked. You can also specify that certain apps from this publisher are blocked by using the exception app names. Note: The value added for the name of the app to be blocklisted or allowlisted is the packageidentityname.	Windows Professional, Education, Enterprise
Exceptions	Enable this option to exclude apps from the blocklist or allowlist.	Windows Professional, Education, Enterprise
Associated Blocklist/Allowlist Name	The universal app blocklist or allowlist name that applies to the exception.	Windows Professional, Education, Enterprise

Table 2. MaaS360 universal applications that are always allowed
Application	Publisher name	App name
IBM MaaS360 App	CN=IBM, O=IBM, L=Armonk, S=New York, C=US	d8ef93cc-03f9-45ef-ba13-b6546ce79792
IBM MaaS360 VPN	CN=4035BB11-B01C-481D-AEE1-46989E741C61	FiberlinkCommunicationsCo.ibm.maas360.vpn
IBM MaaS360 Browser	CN=IBM, O=IBM, L=Armonk, S=New York, C=US	7c67e744-3118-4529-899a-705f29604e06

Table 3. Application Compliance settings for desktop apps
Policy setting	Description	Windows Professional, Education, Enterprise
Blocklist (Deny) essential Windows binaries	Adds the binary to the list of denied Windows binaries. All other packaged apps are allowed. For steps on how to obtain the app name and the publisher name, see Using the Windows App Management Admin Tool to obtain Windows app IDs. Note: Use `*` in the app name to block all desktop apps.	Windows Professional, Education, Enterprise
Configure App Blocklist and Allowlist	Adds the app name and/or the publisher name for executable files (.exe) or Windows installer files (.msi), or scripts that are restricted on managed devices.	Windows Professional, Education, Enterprise
Blocklist/Allowlist Name	Provide a unique name to identify this blocklist or allowlist.	Windows Professional, Education, Enterprise
App Type	Specifies the type of application/binary (.exe, .msi, or scripts).	Windows Professional, Education, Enterprise
Action	The type of blocklist or allowlist action that is taken on the app.	Windows Professional, Education, Enterprise
Based On	Specifies the category of the blocklist or allowlist based on the publisher, file path, or file hash of the app.	Windows Professional, Education, Enterprise
Exceptions	Enable this option to exclude apps from the blocklist or the allowlist.	Windows Professional, Education, Enterprise
Associated Blocklist/Allowlist Name	The universal app blocklist or allowlist name that applies to the exception.	Windows Professional, Education, Enterprise

Table 4. Paths to binary files that are always allowed
Directory
Path="%PROGRAMFILES%\IBM MaaS360\*"
Path="%PROGRAMFILES%\BigFix\*"
Path="%PROGRAMFILES%\BigFix Enterprise\*"