sudo defaults write /Library/Preferences/com.apple.installer allowednonadminpackagefamilynamerules -array "com.microsoft.*" "com.google.*"
The input should be a string of package family names or regex patterns.
Why This Policy Matters
This specific setting solves the classic "Least Privilege" dilemma:
You can keep most users restricted, preventing "shadow IT" or accidental malware from unverified packages.
The AllowedNonAdminPackageFamilyNameRules policy setting controls which packaged apps can be installed by non-administrator users on a managed device. By default, standard users are often restricted from installing software that requires elevated privileges or affects system-wide settings. This specific policy provides a mechanism for administrators to delegate installation rights for specific, approved applications without granting the user full local administrative access.
You aren't limited to exact names; the policy supports Regular Expressions (regex). For example, entering ^Contoso.*_8wekyb3d8bbwe$ would allow all apps from that specific developer family.
How IT Admins "Tell the Story" (Configuration)
Historically, administrators used the BlockNonAdminUserInstall policy to prevent standard users from installing Windows app packages. While effective for security, this often created a "brick wall" for essential software that requires frequent per-user updates, such as in virtual environments like Azure Virtual Desktop (AVD).
Use specific, narrow rules (e.g., com.company.appname) instead of broad wildcards like com.* to limit risk.
./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/AllowedNonAdminPackageFamilyNameRules