Application Blocking

Application blocking prevents chosen apps from running on managed PCs. This guide explains how it works and why the policy-only approach matters.

How blocking works

CtrlOne blocks application launch through Windows policy mechanisms. When a blocked app is started, Windows prevents it from running. Because the control is policy-based, the app's files, install path, and binary are left untouched.

Choosing what to block

Block the apps that don't belong in a device's role - games and media on a kiosk, unmanaged browsers, or tools that bypass your controls. Add them to a policy and assign it to the relevant group.

Keeping it maintainable

Application blocking pairs naturally with browser restrictions and desktop lockdown. Pilot a blocking policy before wide rollout so you don't accidentally stop something a workflow depends on, and use policy versioning to track changes over time.

Frequently asked questions

Does blocking an app uninstall it?

No. The app stays installed; it's just prevented from launching. Removing the restriction re-enables it.

Can a user rename an app to get around the block?

CtrlOne's enforcement is designed to resist trivial bypass, and it pairs with tamper-resistance on the agent. Combine controls for defence in depth.

Control the browser too

See browser restrictions for URL blocklists and managed browser policy that complement application blocking.