Blocking the Apple OS X App Store

Being the evil corporate IT overlords we need to block the new OS X App Store. As you may be aware the 10.6.6 update installs the App Store App which allows users to download and install apps without admin privileges.

Some Suggestions:

  • Don't update to 10.6.6+

  • Use parental controls

  • Presumably some OD policy (if you have an OD server which we don't)

  • Block the App store by DNS or Proxy

Not updating to 10.6.6+ isn't really a long term solution as it contains security fixes and new Macs will come with it anyway. Blocking the App store at a network level doesn't solve laptop users.

Ideally a simple system preference or editing of a plist that can be pushed out by ARD would be the best solution.

Please note the question isn't should we block the App store, it's how we can block the App store.


As a quick update it seems that is you are not using an account with admin privileges, you may need supply admin credentials for the first time you download an app to install it, which may solve some of the problem. Very different behavior to the normal OS X elevation of privileges which ask admins and non admins alike.


If you don't have these computer attached to an OpenDirectory server (the preferred way to do this is to restrict the launching of the app through Workgroup Manager) you can set the permissions on the App Store application to not allow users to run it:

chmod -R 000 /Applications/AppStore.app 

This keep anyone from launching the application. It can be pushed out through ARD, can be added to your base image, and can be set in a startup script.

I have no idea what this will do to other applications running on the system so you should test it first.


The iTunes Store connects on standard HTTP(S) ports, 80 and 443, so I assume that the Mac App Store does the same.

Here is the Apple knowledge base article on blocking the iTunes store by URL: http://support.apple.com/kb/HT3303

It says

To prevent client computers from connecting to the iTunes Store, network administrators can block the Internet host 'itunes.apple.com'.

From a quick tcpdump, it appears that the App Store uses the same URL... for now.


Run a packet sniffer. Run App Store. Find out what the address(es) are that the Apple App Store uses. Block all incoming/outgoing on that address, on that port, on your perimeter firewall.