Advanced App Compliance settings

The Advanced App Compliance feature uses blocklists or allowlists to deny or allow universal and desktops apps for Windows 10+ desktops, laptops, and tablets.

The Advanced App Compliance setting can block or allow apps based on their publisher, file path, or file hash. You can manage numerous blocklist and allowlist entries from this feature.

Table 1. Application Compliance settings for universal apps
Policy setting Description Supported devices
Blocklist (Deny) Native Apps Adds the application name to the list of apps that are restricted on managed devices.

Native apps are a list of apps that are required for Windows OS to function normally. Enabling this option can affect basic functions of Windows.

For a list of Windows native apps that are enabled by default, see Windows native apps that are enabled by default for Advanced App Compliance.

Windows 10+ Professional, Education, Enterprise
Configure App Blocklist and Allowlist Adds the app name and/or the publisher name for packaged apps (.appx) that are restricted on managed devices. All other packaged apps are allowed. For steps on how to obtain the app name and the publisher name, see Using the Windows App Management Admin Tool to obtain Windows app IDs.
Note: Use * in the app name to block all apps for a publisher.
Windows 10+ Professional, Education, Enterprise
Blocklist/Allowlist Name The type of blocklist or allowlist action that is taken on the app. Windows 10+ Professional, Education, Enterprise
Publisher Name Provide the publisher name of the app that is blocked or allowed. For steps on how to obtain the app name and the publisher name, see Obtaining the app ID for Universal Windows Packages (UWP).
Note: Use * in the app name to block all apps for a publisher.
Windows 10+ Professional, Education, Enterprise
App Name Allows all apps with the name that is provided. All other apps are blocked. You can also specify that certain apps from this publisher are blocked by using the exception app names.
Note: The value added for the name of the app to be blocklisted or allowlisted is the packageidentityname.
Windows 10+ Professional, Education, Enterprise
Exceptions Enable this option to exclude apps from the blocklist or allowlist. Windows 10+ Professional, Education, Enterprise
Associated Blocklist/Allowlist Name The universal app blocklist or allowlist name that applies to the exception. Windows 10+ Professional, Education, Enterprise
Table 2. MaaS360 universal applications that are always allowed
Application Publisher name App name
MaaS360 App CN=IBM, O=IBM, L=Armonk, S=New York, C=US d8ef93cc-03f9-45ef-ba13-b6546ce79792
MaaS360 VPN CN=4035BB11-B01C-481D-AEE1-46989E741C61 FiberlinkCommunicationsCo.ibm.maas360.vpn
MaaS360 Secure Browser CN=IBM, O=IBM, L=Armonk, S=New York, C=US 7c67e744-3118-4529-899a-705f29604e06
Table 3. Application Compliance settings for desktop apps
Policy setting Description Supported devices
Blocklist (Deny) essential Windows binaries Adds the binary to the list of denied Windows binaries. All other packaged apps are allowed. For steps on how to obtain the app name and the publisher name, see Using the Windows App Management Admin Tool to obtain Windows app IDs.
Note: Use * in the app name to block all desktop apps.
Windows 10+ Professional, Education, Enterprise
Configure App Blocklist and Allowlist Adds the app name and/or the publisher name for executable files (.exe) or Windows installer files (.msi), or scripts that are restricted on managed devices. Windows 10+ Professional, Education, Enterprise
Blocklist/Allowlist Name Provide a unique name to identify this blocklist or allowlist. Windows 10+ Professional, Education, Enterprise
App Type Specifies the type of application/binary (.exe, .msi, or scripts). Windows 10+ Professional, Education, Enterprise
Action The type of blocklist or allowlist action that is taken on the app. Windows 10+ Professional, Education, Enterprise
Based On Specifies the category of the blocklist or allowlist based on the publisher, file path, or file hash of the app. Windows 10+ Professional, Education, Enterprise
Exceptions Enable this option to exclude apps from the blocklist or the allowlist. Windows 10+ Professional, Education, Enterprise
Associated Blocklist/Allowlist Name The universal app blocklist or allowlist name that applies to the exception. Windows 10+ Professional, Education, Enterprise
Table 4. Paths to binary files that are always allowed
Directory
Path="%PROGRAMFILES%\IBM MaaS360\*"
Path="%PROGRAMFILES%\BigFix\*"
Path="%PROGRAMFILES%\BigFix Enterprise\*"