Windows and macOS app allowlist/blocklist vs Application Compliance in HexnodeSolved

Participant
Discussion
6 months ago Jan 14, 2026

Hi everyone. I’m trying to understand the best way to set up application allowlisting across Windows and macOS devices in Hexnode.

I have a few specific questions about how this works:

  1. Compliance vs. Blocking: Does Application Compliance only mark devices as non-compliant, or does it actively block apps too? Are allowlist and blocklist modes mutually exclusive?
  2. App Picker Differences: On macOS, the allowlist/blocklist picker shows a huge list of local apps. On Windows, it doesn’t show the same local app inventory. Is that expected?
  3. Store Apps: What exactly does “Store Apps” mean in the app picker? Does it mean all apps detected on our devices?
  4. Bulk Upload: For Windows Application Compliance, is there a bulk selection or CSV upload option?
  5. Versioning: If a report shows multiple versions of an app (like Slack 4.46, 4.47, 4.48), and I only allow the newest entry, will older versions stop working?

Replies (1)

Marked SolutionPending Review
Hexnode Expert
6 months ago Jan 14, 2026
Marked SolutionPending Review

Hello,

Thanks for reaching out to Hexnode Connect.

To answer your questions, Application Compliance and active app blocking are two separate workflows in Hexnode:

  • Compliance vs. Blocking: Application Compliance is strictly for monitoring and reporting; it marks a device as non-compliant if unapproved apps are detected, but it does not block them from launching. For active enforcement, you must use platform-specific allowlist or blocklist restrictions. These two modes are mutually exclusive enforcement strategies: blocklist mode allows everything except explicitly blocked apps, while allowlist mode blocks everything except explicitly allowed apps.
  • App Picker Differences: This behavior is expected. macOS natively allows Hexnode to discover and report installed applications (including built-in utilities), populating them in the picker. Windows handles app inventory differently, meaning applications usually need to be defined explicitly using rules (Store app, File path, App ID, or Publisher).
  • Store Apps: This does not mean a combined list of all apps installed across your managed devices. It specifically refers to public store apps that have been added to your Hexnode App Repository.
  • Bulk Upload: Currently, bulk selection and CSV uploads are not available in the Windows Application Compliance selection grid; apps must be selected manually. If active restriction is your goal, using Publisher-based rules in an enforcement policy is much more manageable for large deployments.
  • Versioning: Allowlisting is based on the application’s unique identifier (like Bundle ID or package name), not the display version. If you allow an app, all versions sharing that exact identifier are permitted, so older versions will not suddenly stop working.

I hope this helps or resolves your issue. Feel free to reach out if you have any more doubts or need further assistance.

Best regards,
George,
Hexnode UEM

Save