Yes for the MAC the applications need to be deny for all devices.
That's pretty much what I was seeing. Another case where the Mac agent doesn't have the same support as the Windows version. :-(
This feature has been added in 9.5. Create a custom group and edit the scan and repair settings to point to the custom group with the desired blocked app definitions.