
Good morning. We don’t allow the use of mail.app on our enterprise devices so we’ve put a block on it. No big deal - it was working exactly how we intended. Now, however, after upgrading to Sequoia, we’re seeing MailCacheDelete.appex auto-launching to delete the cache and EPM is seeing mail.app being opened, causing a block. While this, generally, isn’t bad, it does cause a bad user experience. Now, the user gets, seemingly, random blocks for mail.app when they didn’t even launch it.

I’d like to block and suppress the message for just this deletion process.  I’d also like to have it continue to provide a blocked message when a user tries to open it manually.

Any thoughts on how best to accomplish this?

 

Sample logs:

com.beyondtrust.endpointsecurity: [com.beyondtrust.endpointsecurity:EndpointSecurity] Blocking 23252 /System/Applications/Mail.app/Contents/PlugIns/MailCacheDelete.appex/Contents/MacOS/MailCacheDelete
2025-01-06 13:53:50.286695-0600 0x699701   Default     0x0                  23243  0    storagekitd: (CacheDelete) [com.apple.cache_delete:client] com.apple.MailCacheDelete : 0
2025-01-06 13:53:50.287260-0600 0x699701 Default 0x0 23243 0 storagekitd: (CacheDelete) [com.apple.cache_delete:client] com.apple.TV.TVCacheExtension : 0
2025-01-06 13:53:50.287293-0600 0x699701 Default 0x0 23243 0 storagekitd: (CacheDelete) [com.apple.cache_delete:client] com.apple.appstoreagent.CacheDelete : 0
2025-01-06 13:53:50.287316-0600 0x699701 Default 0x0 23243 0 storagekitd: (CacheDelete) [com.apple.cache_delete:client] com.apple.aneuserd.CacheDelete : 0
2025-01-06 13:53:50.287335-0600 0x699701 Default 0x0 23243 0 storagekitd: (CacheDelete) [com.apple.cache_delete:client] com.apple.replayd-cache-delete : 64
2025-01-06 13:53:50.287353-0600 0x699701 Default 0x0 23243 0 storagekitd: (CacheDelete) [com.apple.cache_delete:client] com.apple.MOVIE : 0
2025-01-06 13:53:50.287372-0600 0x699701 Default 0x0 23243 0 storagekitd: (CacheDelete) [com.apple.cache_delete:client] com.apple.wallpaper.CacheDelete : 0

 

It sounds like your block rule is using “contains” for the filename of Mail.app, which is why it’s being triggered whenever the MailCacheDelete process runs. You may want to try setting your Mail.app block rule to an “exact match” (to capture when a user launches Mail.app directly), but then test with an additional binary rule targeting specifically MailCacheDelete.

 

To have one block rule trigger a message and the other one block silently, you’ll likely want to break these out into two different Application Groups -- one with a message configured on it, the other without.


** EDITED TO ADD :  it looks like I didn’t set that filename.app to ‘exact match’ as originally indicated (I thought I had) so I am going to test that now and will update with results.  If there are any other thoughts or ideas, I’m open to them as well. **

 

Didn’t seem to work.   

I have this application set up in a ‘suppress message’ application group.

This group is placed above the application group that is also blocking mail.app:

 

I’ve also tried blocking mail.app by publisher and URI but that wasn’t successful either.

In both cases, mailcachedelete.appex was not getting blocked.

I really don’t want to suppress the messaging for mail.app -- I want users to know it’s blocked if they try to open it manually.

Any other advice you can provide would be greatly appreciated!
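
Added example, not part of the thread and not BeyondTrust code: a Python triage script that reads EPM block lines in the "Blocking <pid> <path>" form shown in the sample logs and separates blocks on an app's main executable from blocks on components nested inside its bundle, next to what a plain substring test on Mail.app would match. The sample lines are constructed on the thread's log format, and the function and field names are assumptions.

```python
import re
from pathlib import PurePosixPath

# Line shape taken from the thread's sample log: "... Blocking <pid> <path>"
BLOCK_RE = re.compile(r"Blocking (\d+) (/.+)$")
BUNDLE_SUFFIXES = (".app", ".appex", ".xpc")  # bundle types found inside an .app

def classify(path):
    """Return (outer_app, component, kind) for a blocked executable path."""
    parts = PurePosixPath(path).parts
    bundles = [i for i, p in enumerate(parts) if p.endswith(BUNDLE_SUFFIXES)]
    if not bundles or not parts[bundles[0]].endswith(".app"):
        return (None, parts[-1], "not-in-app-bundle")
    outer = parts[bundles[0]]
    if len(bundles) == 1:
        # The main executable sits directly in <App>.app/Contents/MacOS/
        direct = parts[bundles[0] + 1:-1] == ("Contents", "MacOS")
        return (outer, parts[-1], "main-executable" if direct else "other-in-bundle")
    # Innermost bundle is the component that actually ran (e.g. an .appex)
    return (outer, parts[bundles[-1]], "nested-component")

def triage(log_text, app_name="Mail.app"):
    """Summarise each block event; non-block lines are ignored."""
    rows = []
    for line in log_text.splitlines():
        m = BLOCK_RE.search(line.strip())
        if not m:
            continue
        pid, path = int(m.group(1)), m.group(2)
        outer, component, kind = classify(path)
        rows.append({
            "pid": pid, "component": component, "kind": kind,
            # Substring test on the path versus a test on the main binary only
            "contains_hit": app_name in path,
            "main_app_hit": outer == app_name and kind == "main-executable",
        })
    return rows

# Constructed sample: line 1 follows the thread's block line, line 2 is a
# storagekitd line (no block), line 3 is a constructed direct launch of Mail.
SAMPLE = """\
com.beyondtrust.endpointsecurity: [com.beyondtrust.endpointsecurity:EndpointSecurity] Blocking 23252 /System/Applications/Mail.app/Contents/PlugIns/MailCacheDelete.appex/Contents/MacOS/MailCacheDelete
2025-01-06 13:53:50.286695-0600 0x699701 Default 0x0 23243 0 storagekitd: (CacheDelete) [com.apple.cache_delete:client] com.apple.MailCacheDelete : 0
com.beyondtrust.endpointsecurity: [com.beyondtrust.endpointsecurity:EndpointSecurity] Blocking 24001 /System/Applications/Mail.app/Contents/MacOS/Mail
"""

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

Rows where `contains_hit` is true but `main_app_hit` is false are the background blocks the thread describes, so they are the candidates for the separate silent rule.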

