AppLocker like functionality for OS X

New Contributor II

Is there a functional equivalent?

On the Windows side of the house, we're setting up AppLocker to only allow applications from trusted publishers to run. Applications that aren't code signed will be reviewed and code signed using our internal CA. This is proving to be a great solution as it's easy to manage and doesn't rely on file system paths. As long as the code signing certificate is allowed, software can run.

On the Apple side of the house, we can turn on Gatekeeper to only allow Apple developers as a start. I haven't found a way to take that a step further and only allow software from approved developers. Removing trust for Apple's Certificate Authority and then adding individual code signing certificates back in seems like a recipe for disaster...

Short of creating a whitelist for each individual application path, is there a way I haven't found to allow only approved applications to run?


Valued Contributor II

@azbikowski There's nothing similar that I know of. AppLocker is great once you get it set up.

For OS X, we whitelist/blacklist app paths to try to only allow paths where users don't have write access. It was tedious to get set up the first time, but now we usually only have to tweak it when doing new image builds.
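As an added example (not from either poster), the publisher-based check the original question describes can be audited on a Mac by reading the Team ID that `codesign -dv --verbose=4` reports for a bundle and comparing it against an allow list of approved developer Team IDs, which does not depend on file system paths the way the reply's whitelist does. The Team IDs and the sample codesign output below are constructed placeholders, and the script only reports; it does not block execution.

```shell
#!/bin/sh
# Added example: report whether an app bundle is signed by an approved
# Apple Developer Team ID (the macOS analogue of an AppLocker
# "trusted publisher" rule). Team IDs are constructed placeholders.

# Allow list of approved Team IDs (constructed placeholders).
APPROVED_TEAM_IDS="ABCDE12345 ZYXWV98765"

# Pull the TeamIdentifier line out of codesign's detail output.
# codesign -d writes these details to stderr, so callers redirect 2>&1.
team_id_from_codesign() {
    # $1: text captured from codesign -dv --verbose=4
    printf '%s\n' "$1" | sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# Return 0 if the Team ID is on the allow list, 1 otherwise.
is_approved_team() {
    # $1: Team ID to check
    for id in $APPROVED_TEAM_IDS; do
        [ "$id" = "$1" ] && return 0
    done
    return 1
}

# Classify codesign output as APPROVED, UNSIGNED (no signature, or an
# ad-hoc signature with "TeamIdentifier=not set"), or UNAPPROVED:<id>.
classify_codesign_output() {
    team=$(team_id_from_codesign "$1")
    if [ -z "$team" ] || [ "$team" = "not set" ]; then
        echo UNSIGNED
    elif is_approved_team "$team"; then
        echo APPROVED
    else
        echo "UNAPPROVED:$team"
    fi
}

# Audit a real bundle on macOS, e.g. audit_app /Applications/Safari.app
audit_app() {
    out=$(codesign -dv --verbose=4 "$1" 2>&1)
    classify_codesign_output "$out"
}

# Constructed sample of codesign output so the classifier runs offline.
SAMPLE_OUTPUT='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O thin (x86_64)
TeamIdentifier=ABCDE12345
Sealed Resources version=2 rules=13 files=42'
```

Looping `audit_app` over `/Applications/*.app` and `~/Applications/*.app` gives an inventory of bundles that would fail a publisher-based policy, which is the list to review before tightening Gatekeeper or adding paths to a whitelist.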