sudo defaults write /Library/Preferences/com.apple.installer allowednonadminpackagefamilynamerules -array "com.microsoft.*" "com.google.*"
: If an app's family name is on this list, a standard user can install it even if the general block-policy is active. allowednonadminpackagefamilynamerules
: Computer Configuration \ Administrative Templates \ Windows Components \ App Package Deployment . sudo defaults write /Library/Preferences/com
: It allows you to specify a whitelist of "Package Family Names". narrow rules (e.g.
Use specific, narrow rules (e.g., com.company.appname ) instead of broad wildcards like com.* to limit risk.
Rules are treated as ECMA Script regular expressions . For example: Contoso.ContosoApp_8wekyb3d8bbwe matches a specific app.