Skip to main content

Understanding Blocking Behavior on macOS

Starting with macOS Sensor version 25.07, Cyberhaven has updated how it enforces blocking policies. This change focuses on enhancing system performance and ensuring precise protection by targeting file activity only for a defined set of approved applications.

Previous Blocking Behavior

Previously, Cyberhaven's block policies on macOS evaluated all applications by default. You would explicitly exclude ("mute") specific applications if you did not want policies to apply to them.

New Blocking Behavior: Inverted Muting Approach

Cyberhaven now uses an inverted muting approach for macOS blocking. This means:

Only applications on a defined list are evaluated by the policy engine.

All other applications not on this list are automatically ignored by blocking policies.

This approach aims to optimize system performance by reducing unnecessary overhead. Performance impact may depend on the applications approved for blocking in your environment.

Approved Application Lists

Cyberhaven manages two types of approved application lists for macOS blocking. These lists are in addition to specific applications with built-in blocking support, as detailed in Additional Supported Blocking Applications below.

Performance List

  • Included for all customers by default.
  • Covers commonly used applications such as web browsers and communication tools that are known for risky data movement.
  • Blocking is enabled out-of-the-box for applications on this list.

This list ensures immediate and continued blocking coverage for your most critical applications with optimized performance.

Coverage List

  • A broader set of applications that you can enable upon request.
  • This list includes all apps in the Performance List plus additional high-throughput or resource-intensive applications. Available upon request.
  • Enabling the Coverage List ensures continued blocking coverage for a wider range of applications.
info

NOTE To enable the Coverage List, please contact . Enabling this list may have performance implications due to the inclusion of more resource-intensive applications (e.g., developer tools) or high-throughput applications.

For a detailed breakdown of the applications included in the Performance and Coverage lists, see: macOS Blocking Approved Application Lists

Additional Blocking Support

Beyond the Performance and Coverage lists, the macOS sensor also supports blocking policies for specific applications with built-in coverage. These applications include:

  • Messaging & Communication: Slack, Signal, Telegram, WhatsApp, Messages
  • Browsers: Chrome (including Beta and Canary), Edge, Safari, Firefox, Chromium
  • File Transfer: AirDrop
  • Collaboration: Teams

:::info NOTE

These applications are also included in the Performance and Coverage lists to enable expanded blocking coverage. :::

For details about macOS Sensor application coverage and blocking user actions, see Endpoint Sensor Coverage

What This Means for You

This update has direct implications for your macOS blocking policies.

  • Focused Blocking: Blocking is now scoped only to applications included in an approved list (Performance or Coverage) in addition to the default built-in coverage (“Additional Supported Blocking Applications”).
  • Ignored Applications: Any application not on your organization's active approved list (and not one of the applications under “Additional Supported Blocking Applications”) will not be evaluated or blocked by policy.
  • Performance Optimization: This update reduces monitoring overhead for applications ignored by default for blocking. The degree of performance improvement will depend on your organization's active approved application lists.
  • Event Tracing Unaffected: This change does not impact event tracing. Cyberhaven continues to provide full visibility into activity across all applications, regardless of their blocking status.

Need Broader Coverage?

If your organization requires blocking for applications not currently covered by your default configuration,

:::info NOTE

Blocking policies for apps outside the approved lists will not be enforced unless those apps are explicitly added to your organization’s blocking configuration by Cyberhaven Support. :::