Hopefully you've figured this one out by now, but if not I think you should be able to restrict just based on the application name "Migration Assistant" or "Migration Assistant.app".   I use a different MDM at my organisation, so can't test this, but I noticed that the Meraki documentation states that using an application identifier only works for iOS + Android, so I'd imagine that may be what's causing this issue.   See: App allowing/denying list in security policies - Cisco Meraki   Application Name: This is the friendly display name of the app, and can be used across both desktop and mobile devices. Ex. "Google Chrome", "Facebook", "*SMS*".   Application Identifier: This can be the unique app ID or bundle ID for an app, and can only be used with iOS and Android. Ex. "com.meraki.sm", "com.google.*", "472572194". ... View more