Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

LernSings

macrumors newbie
Original poster
Mar 14, 2020
3
1
I followed the guidance in this Stack Exchange answer.

Ran the following commands:

sudo spctl --add --label "DeniedApps" /System/Applications/News.app

sudo spctl --disable --label "DeniedApps"
News app (to be sure, this is the native Apple "News" app) can still be launched from the administrator account and from a regular user account.

As I understand it, the above commands should have been sufficient to stop the app from running.

Also tried a restart. No go.

Mac OS 10.15.3
 

bogdanw

macrumors 603
Mar 10, 2009
6,144
3,042
I think the labels and paths have been deprecated.
If you run sudo spctl --list you can see that is based on hashes.
For example, I have this
2721[UNLABELED] P0 allow execute [/Applications/Valley.app]
cdhash H"4f5e156199171b6683d724ba0c1d2f85cf3327c9"
Running sudo sqlite3 /private/var/db/SystemPolicy "select * from authority where remarks='/Applications/Valley.app'"
gives the full database record for that app
2721|1|1|cdhash H"4f5e156199171b6683d724ba0c1d2f85cf3327c9"|1|0|5000000.0|0.0||Ie4bb469bc12c26a3e1af65030184aaad7aef118a|24576|2458893.86192666|2458893.86192666||/Applications/Valley.app
I guess you would have to replicate all that for an app, changing the 1 after the hash into a 0 and the 0 after that into 1.
It's probably easier to just delete the News app.
 
  • Like
Reactions: LernSings

LernSings

macrumors newbie
Original poster
Mar 14, 2020
3
1
I think the labels and paths have been deprecated.
If you run sudo spctl --list you can see that is based on hashes.
For example, I have this
2721[UNLABELED] P0 allow execute [/Applications/Valley.app]
cdhash H"4f5e156199171b6683d724ba0c1d2f85cf3327c9"
Running sudo sqlite3 /private/var/db/SystemPolicy "select * from authority where remarks='/Applications/Valley.app'"
gives the full database record for that app
2721|1|1|cdhash H"4f5e156199171b6683d724ba0c1d2f85cf3327c9"|1|0|5000000.0|0.0||Ie4bb469bc12c26a3e1af65030184aaad7aef118a|24576|2458893.86192666|2458893.86192666||/Applications/Valley.app
I guess you would have to replicate all that for an app, changing the 1 after the hash into a 0 and the 0 after that into 1.
It's probably easier to just delete the News app.

Thanks much. This is super helpful. I agree deleting the app would be easier. And of course what you had suggested is maybe prone to not being a good long term solution and perhaps is a bit more hacky even than what I tried above. Unfortunately the native News app can't be deleted. --> '"News" can't be modified or deleted because it's required by macOS.'

All the above said, does anyone know of another approach to make the News app not run?

Long story short, I want to block this app (and maybe some others) for certain users in my family. Believe it or not, Apple's Screen Time facility is a little buggy and isn't effective to stop the News app from running for some users. I can start a separate thread on those issues, but I've already gone so far as to call Apple and disappointingly (I am a fan boy to be sure) they were of little help. I created a Feedback case.
 

bogdanw

macrumors 603
Mar 10, 2009
6,144
3,042
Unfortunately the native News app can't be deleted. --> '"News" can't be modified or deleted because it's required by macOS.'
All the above said, does anyone know of another approach to make the News app not run?
News is not supported in my country and Apple just hid the app. It's still in /System/Applications/ but is not normally visible in Finder and doesn't appear in Spotlight.
Unfortunatelly, with SIP enabled, you can't use chflags hidden. You can hide it from Terminal in Recovery using
Code:
chflags hidden /Volumes/Macintosh\ HD/System/Applications/News.app
For easy access, you can make an alias for yourself before that.
From Terminal in Recovery, the app can also be deleted.
 
  • Like
Reactions: LernSings

LernSings

macrumors newbie
Original poster
Mar 14, 2020
3
1
News is not supported in my country and Apple just hid the app. It's still in /System/Applications/ but is not normally visible in Finder and doesn't appear in Spotlight.
Unfortunatelly, with SIP enabled, you can't use chflags hidden. You can hide it from Terminal in Recovery using
Code:
chflags hidden /Volumes/Macintosh\ HD/System/Applications/News.app
For easy access, you can make an alias for yourself before that.
From Terminal in Recovery, the app can also be deleted.

Thanks!!!! I was able to make these files hidden using the method you suggested!

Also, creating the alias first worked great too!

I did this for a number of apps. Here are the exact steps I took:

  1. Created shell script with the syntax you specified and each of the apps (and application-related dirs) I wanted to make hidden.
    1. Note that some of these apps weren't native ones, so I specified /Applications/ for those instead of /System/Applications
    2. One file per line (probably could have used some kind of for loop)
  2. While still logged in to admin account, made aliases as you suggested.
    1. Some of these aliases were to the first dir noted in 1.1 and others were to the second dir noted in 1.1. But they of course can all be made from the usual Applications directory.
    2. I put all of these aliases in a separate directory on the admin account's desktop so the aliases would not be accessible to other users after the apps/dirs are marked as hidden.
  3. Started in recovery mode
  4. Used terminal in recovery mode to run the shell script
  5. Restarted
  6. Logged into admin account
  7. Made sure that all files and dirs (both native and non-native) were not viewable in the admin's Applications directory
  8. Tested that the admin's aliases worked
  9. Checked a regular user's login and all worked as intended - apps did not show up in the Applications directory
    1. However, note that I needed to remove the given apps from the dock as those effective aliases would work unless removed
When I install and add another app, I can just add it to the shell script and rerun the shell script in recovery mode.

Note also that if you want to undo the chflags, you can simply use "chflags nohidden"
 
  • Like
Reactions: bogdanw

bogdanw

macrumors 603
Mar 10, 2009
6,144
3,042
Checked a regular user's login and all worked as intended - apps did not show up in the Applications directory
Glad it worked, let's hope certain users in your family don't read this forum :)
Or press Command + Shift + . That's how I discovered I had the News app installed.
 

rcprador

macrumors newbie
Jun 12, 2019
16
6
Hi, there is the good, old and functional: Unix style to do it, and it will make it impossible to execute News.app or any other executable you may wish to block.

Changing hidden flags is somehow an workaround which will not always work. The app can still be executed if the user is an advanced user.


There is the right way to do it, the Unix way:

Change the "execution" flag of the executable. If the executable is protected on ReadOnly Catalina partition, use the Recovery mode to change it, otherwise, change it using admin account, and protect the file from the user permission to change it. And it will be done, App will never execute anymore, even by command-line or even by root user! (unless the execution flag is re-enabled again)


Considering the News.app for the example:
Every MacOS app is a directory, or package as they reference it.
So, inside each app, there is an structure of directories, and one of them contains the "real" executable file.
That directory is always inside: "appname.app/Contents/Macos/app_executable"

Following the OP example,
The real executable file of News.app is located at:

/Volumes/Macintosh\ HD/System/Applications/News.app/Contents/MacOS/News


Here is how to prevent/disable/block it from executing:

On Terminal, we change the Unix Executable Flag of it:

sudo chmod -x /Volumes/Macintosh\ HD/System/Applications/News.app/Contents/MacOS/News

The command above will remove the executable flag of the binary executable file, making it impossible even for the root (or any other kind of user or external loader) to execute that file.


And it is done, guaranteed, to never execute again.


To revert it, if needed, just put the "x" flag back again, and it will be executable again.

sudo chmod +x /Volumes/Macintosh\ HD/System/Applications/News.app/Contents/MacOS/News


You can also protect it from changes, accidental changes, or by intention, by locking that file (once locked, even an MacOS SystemUpdate will not be able to change it, or revert it to executable, nor overwrite it with some newer version).. nobody can.. unless you un-protected it before trying to change.

to do it, execute:

sudo chflags schg /Volumes/Macintosh\ HD/System/Applications/News.app/Contents/MacOS/News


"schg" means: set the system immutable flag (super-user only)

To verify it, use ls command on terminal, with option -leahO

ls -lea@O /Volumes/Macintosh\ HD/System/Applications/News.app/Contents/MacOS/News

the output will show the flag is active, and file is imuttable

-rw-r--r-- 1 prado staff schg 1135163 Dec 16 04:53

Notice the flag on bold below:

-rw-r--r-- 1 prado staff schg 1135163 Dec 16 04:53


------

To unprotect the file, if needed, (to make it possible to change the executable flag again, to make the file executable [as it originally was]),
1) remove the imuttable flag:
sudo chflags noschg /Volumes/Macintosh\ HD/System/Applications/News.app/Contents/MacOS/News

2) and set the executable flag again:
sudo chmod +x /Volumes/Macintosh\ HD/System/Applications/News.app/Contents/MacOS/News


Verify using the ls command: ls -lea@O


278 -rwxr-xr-x 1 prado staff - 1135163 Dec 16 04:53:30

Notice that the "schg" flag has gone, meaning the file is not immutable anymore (it is normal again [changeable, editable, etc] )


and also notice the "x" flags on the begining of the line re-appeared, meaning the file is now executable:
278 -rwxr-xr-x 1 prado staff - 1135163 Dec 16 04:53:30

-rwxr-xr-x containing the "x" flag, the executable flags.


The instructions above is sufficient to make a full file protection.
but more details about the immutable flag can be found on terminal manual: man chflags


This is valid for any Unix, Linux, Solaris, BSD and MacOS systems.
It is the right way to do it, and you don't have to worry about some expert-user trying to hack/bypass it.. Because the kernel will never execute that executable file without the executable flag, never.


-----

Additional techincal info, about executable permission levels/groups/users:

There exists 3 executable flags on every file, as can be seen above on bold output of the ls command.
They mean 3 types of execution level permission:
  1. The file owner execution permission to execute the file
  2. The group execution permission of which the owner belongs to, to execute the file
  3. The other users permissions (not the owner/creator of the file) nor the users of another system group

This way you could even explorer more that options, for example:

  • By allowing only admin users to execute the News.app (or any other app/executable) and disable executions for normal users.
  • Or by allowing only the file creator (or the user who downloaded it, or has explicit permission to execute) and block/ prevent every other user to execute the app.
  • Or create different groups on System Preferences and put users on them, considering some group allows users belonging to it to have execution permission to execute, and other group on which users on that other group cannot execute the same app, or any other app, etc..

Creativity is the limit, and MacOS System give us this plenty of flexible options.
Although rarely used by most of the Mac users, they are rock-solid option and strong tied to the kernel since long time ago. Also they are a Unix Standard, which is a proven way to do what you need.

More information/instructions about how to change each individual "x" [creator/group/others] executable flags can be read on terminal manual:
man chmod


I will not extend the answer here because it is already long. Lol.. But if needed, just reply and ask for more details or questions, and I can provide and help anyone here.


----


I hope you like my technical topic contribution here, and I hope it can extend your options, to choose among them, the one which better fits your needs.

Regards!
Prado
 

cookiesfordinos

macrumors newbie
Dec 20, 2020
1
0
Hi, there is the good, old and functional: Unix style to do it, and it will make it impossible to execute News.app or any other executable you may wish to block.

Changing hidden flags is somehow an workaround which will not always work. The app can still be executed if the user is an advanced user.


There is the right way to do it, the Unix way:

Change the "execution" flag of the executable. If the executable is protected on ReadOnly Catalina partition, use the Recovery mode to change it, otherwise, change it using admin account, and protect the file from the user permission to change it. And it will be done, App will never execute anymore, even by command-line or even by root user! (unless the execution flag is re-enabled again)


Considering the News.app for the example:
Every MacOS app is a directory, or package as they reference it.
So, inside each app, there is an structure of directories, and one of them contains the "real" executable file.
That directory is always inside: "appname.app/Contents/Macos/app_executable"

Following the OP example,
The real executable file of News.app is located at:

/Volumes/Macintosh\ HD/System/Applications/News.app/Contents/MacOS/News


Here is how to prevent/disable/block it from executing:

On Terminal, we change the Unix Executable Flag of it:

sudo chmod -x /Volumes/Macintosh\ HD/System/Applications/News.app/Contents/MacOS/News

The command above will remove the executable flag of the binary executable file, making it impossible even for the root (or any other kind of user or external loader) to execute that file.


And it is done, guaranteed, to never execute again.


To revert it, if needed, just put the "x" flag back again, and it will be executable again.

sudo chmod +x /Volumes/Macintosh\ HD/System/Applications/News.app/Contents/MacOS/News


You can also protect it from changes, accidental changes, or by intention, by locking that file (once locked, even an MacOS SystemUpdate will not be able to change it, or revert it to executable, nor overwrite it with some newer version).. nobody can.. unless you un-protected it before trying to change.

to do it, execute:

sudo chflags schg /Volumes/Macintosh\ HD/System/Applications/News.app/Contents/MacOS/News


"schg" means: set the system immutable flag (super-user only)

To verify it, use ls command on terminal, with option -leahO

ls -lea@O /Volumes/Macintosh\ HD/System/Applications/News.app/Contents/MacOS/News

the output will show the flag is active, and file is imuttable

-rw-r--r-- 1 prado staff schg 1135163 Dec 16 04:53

Notice the flag on bold below:

-rw-r--r-- 1 prado staff schg 1135163 Dec 16 04:53


------

To unprotect the file, if needed, (to make it possible to change the executable flag again, to make the file executable [as it originally was]),
1) remove the imuttable flag:
sudo chflags noschg /Volumes/Macintosh\ HD/System/Applications/News.app/Contents/MacOS/News

2) and set the executable flag again:
sudo chmod +x /Volumes/Macintosh\ HD/System/Applications/News.app/Contents/MacOS/News


Verify using the ls command: ls -lea@O


278 -rwxr-xr-x 1 prado staff - 1135163 Dec 16 04:53:30

Notice that the "schg" flag has gone, meaning the file is not immutable anymore (it is normal again [changeable, editable, etc] )


and also notice the "x" flags on the begining of the line re-appeared, meaning the file is now executable:
278 -rwxr-xr-x 1 prado staff - 1135163 Dec 16 04:53:30

-rwxr-xr-x containing the "x" flag, the executable flags.


The instructions above is sufficient to make a full file protection.
but more details about the immutable flag can be found on terminal manual: man chflags


This is valid for any Unix, Linux, Solaris, BSD and MacOS systems.
It is the right way to do it, and you don't have to worry about some expert-user trying to hack/bypass it.. Because the kernel will never execute that executable file without the executable flag, never.


-----

Additional techincal info, about executable permission levels/groups/users:

There exists 3 executable flags on every file, as can be seen above on bold output of the ls command.
They mean 3 types of execution level permission:
  1. The file owner execution permission to execute the file
  2. The group execution permission of which the owner belongs to, to execute the file
  3. The other users permissions (not the owner/creator of the file) nor the users of another system group

This way you could even explorer more that options, for example:

  • By allowing only admin users to execute the News.app (or any other app/executable) and disable executions for normal users.
  • Or by allowing only the file creator (or the user who downloaded it, or has explicit permission to execute) and block/ prevent every other user to execute the app.
  • Or create different groups on System Preferences and put users on them, considering some group allows users belonging to it to have execution permission to execute, and other group on which users on that other group cannot execute the same app, or any other app, etc..

Creativity is the limit, and MacOS System give us this plenty of flexible options.
Although rarely used by most of the Mac users, they are rock-solid option and strong tied to the kernel since long time ago. Also they are a Unix Standard, which is a proven way to do what you need.

More information/instructions about how to change each individual "x" [creator/group/others] executable flags can be read on terminal manual:
man chmod


I will not extend the answer here because it is already long. Lol.. But if needed, just reply and ask for more details or questions, and I can provide and help anyone here.


----


I hope you like my technical topic contribution here, and I hope it can extend your options, to choose among them, the one which better fits your needs.

Regards!
Prado

Prado,

I have been trying to figure out how to block application access/execution for awhile, and I've been having trouble making any suggestions work. When I try the first (chflags from recovery mode) solution, I get a "read-only file system" error. And when I try your solution of removing -x while logged in as an administrator, it again tells me the operation is not permitted. Any ideas? I have an M1 Air, although it doesn't work on my newer Intel Air either. Both machines are running 11.1.

Thank you :)
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.