Is macOS application allowlisting just an impossible loop? (Solved)

Participant
1 month ago Apr 29, 2026

I am trying to build a strict application allowlist for our macOS fleet. The portal lets me easily pick from store apps or our uploaded enterprise apps. For anything else, the documentation says I need to manually allowlist the application using its exact file path. 

Here is the logical loop I am stuck on. In order to prevent users from installing unapproved junk, we want to enforce this allowlist. But some of our approved engineering tools are neither Enterprise nor Store apps, so I need their local path to approve them. I cannot get the path until the app is installed, but the user cannot install it because it is not on the allowlist yet. Is this just an impossible loop, or does the policy only block the running of the apps rather than the actual installation? 

Replies (3)

Participant
4 weeks ago Apr 30, 2026

You are definitely overthinking it, but your logic makes sense based on the name of the feature. The App allowlist policy does not actually prevent the installation of the software packages. It only restricts the user from executing or opening the application. 

When an unapproved app is launched, macOS simply throws a prompt denying access. This means you can safely push or allow the installation of any approved third-party app onto the device while the strict policy is active, grab the path, and then update your Hexnode configuration. 

Participant
4 weeks ago Apr 30, 2026

Okay, that clarifies things perfectly. The policy prevents running, not installing. But that brings up another major annoyance for me. 

To allowlist these existing third-party apps, I need the specific path for each one. The Hexnode application inventory report shows me the app name and the version, but it completely leaves out the absolute installation path. Do I seriously have to manually remote into every single machine to find out where an app decided to install itself just to type it into the policy? 

Participant
4 weeks ago May 01, 2026

No, you definitely do not have to hunt them down manually on every machine.

First off, for the vast majority of standard Mac applications, the installation path is highly predictable. If a user installs it normally, it will almost always reside in the main directory formatted as /Applications/AppName.app. You can usually just type that standard path directly into your policy without ever checking the endpoint.

For apps installed in non-standard or hidden directories, you can find their paths remotely in bulk using a quick terminal command via the Hexnode execute custom script action. Just send this bash command:

To run it, go to Manage, click devices, select the target Mac, open actions, and click Execute custom script. Once executed, check the Action History tab for that device and click Show output next to the script to see the exact location waiting for you to copy and paste.
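
The command referred to in the reply above did not survive on this page. As an added example (not the command from the original reply, and not Hexnode's own code), here is one way a script run on the Mac can print the absolute path of every `.app` bundle and mark the ones outside `/Applications`. The function name `list_app_bundles` and the default search roots are assumptions; pass other directories as arguments to change them.

```shell
#!/bin/sh
# Added example: inventory .app bundle paths for an allowlist policy.
# Output: one line per bundle, "<standard|nonstandard><TAB><absolute path>".

# list_app_bundles ROOT...   (hypothetical helper name)
list_app_bundles() {
    for root in "$@"; do
        # Skip roots that do not exist on this machine.
        [ -d "$root" ] || continue
        # -prune stops descent once a bundle is matched, so helper apps
        # nested inside Foo.app/Contents are not reported as separate entries.
        find "$root" -type d -name '*.app' -prune -print 2>/dev/null
    done | sort -u | while IFS= read -r path; do
        case "$path" in
            # The predictable location described in the reply.
            /Applications/*) printf 'standard\t%s\n' "$path" ;;
            # Anything else needs its exact path entered in the policy.
            *)               printf 'nonstandard\t%s\n' "$path" ;;
        esac
    done
}

# Default roots are an assumption about where apps may land on the fleet.
if [ "$#" -eq 0 ]; then
    set -- /Applications /Users /opt /usr/local
fi
list_app_bundles "$@"
```

The `nonstandard` lines are the ones whose paths cannot be guessed from the app name and need to be copied from the script output.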
