Can Hexnode notify or block users downloading unauthorized app installers on macOS?Solved

Participant
Discussion
6 months ago Jan 09, 2026

Is there a way to get notified whenever a user downloads an app installer from a browser, such as a .pkg or .dmg on macOS? We have some macOS users with local admin rights, and we’re trying to prevent unauthorized apps from being downloaded and run. I tried an allowlist before, but since the user was a local admin, they still got a prompt that let them continue anyway and the app opened. So I’m not sure the allowlist alone solves it for admins.

Replies (3)

Marked SolutionPending Review
Hexnode Expert
6 months ago Jan 09, 2026
Marked SolutionPending Review

Hello,

Thanks for reaching out to Hexnode Connect.

Hexnode does not provide real-time notifications when a user downloads a file through a web browser, nor can it directly prevent a .pkg or .dmg from being downloaded. MDM solutions monitor device inventory and policy compliance rather than live web traffic.

For this scenario, Hexnode functions as a post-download control layer. While you cannot stop the download itself (unless you block the web browser entirely), you can control execution:

  • App Allowlist: Only apps explicitly added to the allowlist are permitted to run.
  • App Blocklist: Specific known apps are blocked from launching.
  • Application Compliance: If an unapproved app is installed, Hexnode detects it during the next device scan.

For local admins, app control is more challenging, but an MDM-enforced allowlist will still prevent the execution of unapproved applications, even if the user successfully downloads the installer.

I hope this helps! If you find any more issues or need further assistance, feel free to reach out.

Best regards,
George,
Hexnode UEM

Marked SolutionPending Review
Participant
6 months ago Jan 11, 2026
Marked SolutionPending Review

Got it. Blocking the browser won’t work for us, so the allowlist seems like the best path. If I go with an allowlist on macOS, do I need to add all the background helpers too? For example, browser updaters, helper apps, daemons, and similar components? That seems like it could get huge.

Marked SolutionPending Review
Hexnode Expert
6 months ago Jan 11, 2026
Marked SolutionPending Review

Hello,

Yes, allowlisting on macOS requires adding both the primary applications and their required dependencies.

If an approved application relies on background helpers, updater components, or daemons to function correctly, those specific processes must also be explicitly added to the allowlist.

Because dependency lists can grow quickly, we highly recommend a phased rollout:

  • Apply the allowlist to a small test group of devices.
  • Add your required primary business apps.
  • Monitor the test devices to observe which helper components fail to run.
  • Add those necessary dependencies to the allowlist before deploying the policy broadly to your entire fleet.

If you need further assistance, feel free to reach out.

Best regards,
George,
Hexnode UEM

Save