macOS settings

Ivanti EPMM allows you to define a number of macOS restrictions.

All restrictions are available to devices running macOS 10.12 or supported newer versions. Some restrictions are available on other versions of macOS. These are usually indicated by an information icon in the user interface.

macOS Kernel Extension settings

Starting with macOS High Sierra 10.13.2, Apple introduced the concept of “User Approved” MDM Enrollment. This optional enrollment type allows MDM management of certain security-sensitive settings, including kernel extension loading. An enrollment is considered user approved in either of the following cases:

  • The device user manually installs the MDM enrollment profile using System Preferences.
  • The Mac was enrolled through Device Enrollment; all Device-enrolled Macs are considered user-approved enrollments.

The Kernel Extension Policy payload is designated by specifying com.apple.syspolicy.kernel-extension-policy as the PayloadType. This payload controls restrictions and settings for User Approved Kernel Extension Loading on macOS v10.13.2 and later. The profile containing the payload must be delivered via a User Approved MDM server, and it must be installed as a device profile.

In addition to the settings common to all payloads, this payload defines the following keys.

Procedure 

  1. Go to Policies & Configs > Configurations.
  2. Select Add New > Apple > macOS Only > macOS Kernel Extensions. The New macOS Kernel Extension Setting dialog box opens.
  3. Select Add+ and configure the settings as described in the table below.

    Item: Name
    Description: Enter the name of the kernel extension policy. This name is displayed on the Configurations page.
    Example: Test_kext

    Item: Description
    Description: Enter an optional description for the policy.
    Example: Kernel Ext Policy Name

    Item: Allow User Overrides
    Description: Select this check box to allow device users to approve additional kernel extensions not explicitly allowed by this configuration.
    Example: N/A

    Item: Allowed Team Identifiers
    Description: Enter the team identifiers whose validly signed kernel extensions are allowed to load. The value type is string.
    Example: PXPZ95SK77 (for the application GlobalProtect VPN)

    Item: Allowed Kernel Extensions
    Description: Enter a dictionary that represents a set of validly signed kernel extensions that will always be allowed to load on the user's device.
    Example: com.paloaltonetworks.kext.pangpd (corresponds to the Allowed Team Identifier example PXPZ95SK77)

  4. Repeat step 3 for any additional team identifiers and kernel extensions.
  5. Select Save. The kernel extension displays in the Configurations page.
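The following is an added example, not code from Ivanti or Apple: it builds the Kernel Extension Policy payload that the setting above produces and evaluates whether a given kext would load under it. The payload key names (AllowUserOverrides, AllowedTeamIdentifiers, AllowedKernelExtensions, PayloadScope) are taken from Apple's profile specification rather than from this page; the team identifier and bundle identifier are the page's GlobalProtect example, and the helper names are hypothetical.

```python
import plistlib
import re
import uuid

# PayloadType named on the page; the per-payload keys below are Apple's
# documented keys for this payload type (assumption: not listed on the page).
KEXT_PAYLOAD_TYPE = "com.apple.syspolicy.kernel-extension-policy"
TEAM_ID_RE = re.compile(r"^[A-Z0-9]{10}$")  # Apple team IDs are 10 alphanumerics


def build_kext_policy_profile(name, allow_user_overrides, team_ids, kexts):
    """Return a device-scoped configuration profile (as a dict) for the policy.

    team_ids: team identifiers whose validly signed kexts may always load.
    kexts:    {team_id: [bundle_id, ...]} of individual kexts always allowed.
    A malformed team identifier raises ValueError so a typo does not ship as a
    silently useless allow-list entry.
    """
    for tid in list(team_ids) + list(kexts):
        if not TEAM_ID_RE.match(tid):
            raise ValueError(f"malformed team identifier: {tid!r}")
    payload = {
        "PayloadType": KEXT_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{KEXT_PAYLOAD_TYPE}.{uuid.uuid4()}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "AllowUserOverrides": bool(allow_user_overrides),
        "AllowedTeamIdentifiers": list(team_ids),
        "AllowedKernelExtensions": {t: list(b) for t, b in kexts.items()},
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",  # the page requires a device profile
        "PayloadIdentifier": f"example.kext-policy.{uuid.uuid4()}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "PayloadContent": [payload],
    }


def evaluate_kext(profile, team_id, bundle_id):
    """Classify a kext load request under the profile's policy.

    "allowed":       loads without user approval (team or kext allow-listed)
    "user-approval": not allow-listed, but the user may approve it because
                     Allow User Overrides is selected
    "blocked":       not allow-listed and overrides are off
    """
    policy = next(p for p in profile["PayloadContent"]
                  if p["PayloadType"] == KEXT_PAYLOAD_TYPE)
    if team_id in policy["AllowedTeamIdentifiers"]:
        return "allowed"
    if bundle_id in policy["AllowedKernelExtensions"].get(team_id, []):
        return "allowed"
    return "user-approval" if policy["AllowUserOverrides"] else "blocked"


def to_mobileconfig(profile):
    """Serialize the profile to the XML plist form delivered to the device."""
    return plistlib.dumps(profile)


if __name__ == "__main__":
    prof = build_kext_policy_profile(
        "Test_kext", False, ["PXPZ95SK77"],
        {"PXPZ95SK77": ["com.paloaltonetworks.kext.pangpd"]})
    print(to_mobileconfig(prof).decode())
    print(evaluate_kext(prof, "PXPZ95SK77", "com.paloaltonetworks.kext.pangpd"))
    print(evaluate_kext(prof, "ZZZZZZZZZZ", "com.example.kext"))
```

Note that allow-listing a team identifier admits every kext that team signs, whereas the Allowed Kernel Extensions dictionary admits only the named bundle identifiers; the evaluator shows the difference.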

macOS restrictions

The macOS restrictions setting can be configured for the user or device channel. For devices running macOS 10.12 or supported newer versions, the default is user channel. If you want to apply the restrictions setting to macOS devices regardless of what user is logged in, select Device channel. If you want the restrictions setting to apply to a specific user, select User channel.

A macOS device should only have a single managed user. However, a macOS device may also have an administrator user. If you want the restrictions setting to apply to the whole device regardless of whatever user logs in, select Device channel.

Procedure 

  1. Go to Policies & Configs > Configurations.
  2. Select Add New > Apple > macOS Only > macOS Restrictions to specify lockdown capabilities for macOS.
  3. Configure the settings as described in macOS restrictions settings.
  4. Select Save.
  5. If Notes for Audit Logs is enabled, a text dialog box opens. Enter the reason for the change and then select Confirm. For more information, see Best practices: label management.

macOS restrictions settings

The following table describes the macOS restrictions settings.

Table 114.  macOS restrictions settings

Columns: Item (followed by its restriction key), Description, Enabled by Default.

Name
  Enter a name for the macOS restriction setting.
  Enabled by default: N/A

Description
  Enter a description for the macOS restriction setting.
  Enabled by default: N/A

Restrictions channel
  User: Select to apply restrictions to the user signed in to the macOS device.
  Device: Select to apply restrictions to the macOS device, regardless of the user currently signed in.
  Default: User

Allow use of camera (allowCamera)
  Deselect to disable the camera and remove its icon from the Home screen. Users will be unable to take photographs. Available for macOS 10.11 or supported newer versions.
  Enabled by default: Yes

Allow document and key-value sync to iCloud (allowCloudDocumentSync)
  When deselected, disables document and key-value syncing to iCloud. Available for macOS 10.11 or supported newer versions.
  Enabled by default: Yes

Allow iCloud Photo Library (allowCloudPhotoLibrary)
  If deselected, disables iCloud Photo Library. Any photos not fully downloaded from iCloud Photo Library to the device will be removed from local storage.
  Enabled by default: Yes

Allow definition lookup (allowDefinitionLookup)
  If deselected, disables definition look-up. Available for macOS 10.11.2 or supported newer versions.
  Enabled by default: Yes

Allow Back to My Mac iCloud service (allowCloudBTMM)
  When deselected, disables the macOS Back to My Mac iCloud service.
  Enabled by default: Yes

Allow Find My Mac iCloud service (allowCloudFMM)
  When deselected, disables the macOS Find My Mac iCloud service.
  Enabled by default: Yes

Allow iCloud Bookmark sync (allowCloudBookmarks)
  When deselected, disables macOS iCloud Bookmark sync.
  Enabled by default: Yes

Allow iCloud Mail service (allowCloudMail)
  When deselected, disables macOS Mail iCloud services.
  Enabled by default: Yes

Allow iCloud Calendar service (allowCloudCalendar)
  When deselected, disables macOS iCloud Calendar services.
  Enabled by default: Yes

Allow iCloud Reminder service (allowCloudReminders)
  When deselected, disables iCloud Reminder services.
  Enabled by default: Yes

Allow iCloud Address Book service (allowCloudAddressBook)
  When deselected, disables macOS iCloud Address Book services.
  Enabled by default: Yes

Allow iCloud Notes service (allowCloudNotes) (supervised only)
  When deselected, disables macOS iCloud Notes services.
  Enabled by default: Yes

Allow iCloud Keychain synchronization (allowCloudKeychainSync)
  When deselected, disables iCloud Keychain synchronization.
  Enabled by default: Yes

Allow Music service (allowMusicService)
  If deselected, the Music service is disabled and the Music app reverts to classic mode.
  Enabled by default: Yes

Allow Spotlight Internet search results (allowSpotlightInternetResults)
  If deselected, Spotlight will not return Internet search results. Available for macOS 10.11 or supported newer versions.
  Enabled by default: Yes

Allow Touch ID to unlock a device (allowFingerprintForUnlock)
  If selected, allows Touch ID to unlock a device. Available for macOS 10.12.4 or supported newer versions.
  Enabled by default: Yes

Allow macOS auto unlock (allowAutoUnlock)
  If deselected, disables macOS auto unlock.
  Enabled by default: Yes

Allow iTunes File Sharing (allowiTunesFileSharing)
  If deselected, disables iTunes application file sharing services. Available for macOS 10.13 or supported newer versions.
  Enabled by default: Yes

Allow Content Caching (allowContentCaching)
  Allows content caching, which reduces bandwidth usage and speeds up installation by storing software updates, apps, and other content on the device. Available for macOS 10.13 or supported newer versions.
  Enabled by default: Yes

Allow iCloud desktop and documents service (allowCloudDesktopAndDocuments)
  If deselected, disables macOS iCloud desktop and document services. Defaults to true. Available for macOS 10.12.4 or supported newer versions.
  Enabled by default: Yes

Allow AirPrint (allowAirPrint)
  When deselected, disables the AirPrint feature. Available for macOS 10.13 or supported newer versions.
  Enabled by default: Yes

Disallow AirPrint to destinations with untrusted certificates (forceAirPrintTrustedTLSRequirement)
  When selected, requires trusted certificates for TLS printing communication. Available for macOS 10.13 or supported newer versions.
  Enabled by default: No

Allow discovery of AirPrint printers using iBeacons (allowAirPrintiBeaconDiscovery)
  When selected, disables iBeacon discovery of AirPrint printers, preventing spurious AirPrint Bluetooth beacons from phishing for network traffic. Available for macOS 10.13 or supported newer versions.
  Enabled by default: Yes

Delay OS Software Update (forceDelayedSoftwareUpdates)
  When selected, two additional options become available:
    • Enforced Software Update Delay (forceDelayedMajorSoftwareUpdates): Sets the delay of a software update on the device. Select between 1-90 days. The device user will not see a software update until the set number of days after the software release date. Available in macOS 11.3.0.0 and later.
    • Enforced Software Update MinorOS Delay (enforcedSoftwareUpdateMinorOSDeferredInstallDelay): Sets the delay of minor software updates to the device. Select between 1-90 days to delay a minor OS software update on the device. The device user will not see a software update until the set number of days after the software release date. Available in macOS 11.3.0.0 and later.
  Enabled by default: No

Delay App Software Update (forceDelayedAppSoftwareUpdates)
  When selected, two additional options become available:
    • Enforced Software Update Delay (forceDelayedMajorSoftwareUpdates): Sets the delay of a software upgrade on the device. Select between 1-90 days. The device user will not see a software update until the set number of days after the software release date. Available in macOS 11.3.0.0 and later.
    • Enforced Software Update NonOS Delay (enforcedSoftwareUpdateNonOSDeferredInstallDelay): Sets the delay of non-OS software updates to the device. Select between 1-90 days to delay a non-OS software update on the device. The device user will not see a software update until the set number of days after the software release date. Available in macOS 11.3.0.0 and later.
  Enabled by default: No

Delay Major Software Upgrade (forceDelayedMajorSoftwareUpdates)
  When selected, an additional option becomes available:
    • Enforced Software Upgrade MajorOS Delay (enforcedSoftwareUpdateMajorOSDeferredInstallDelay): Sets the delay before a major software upgrade becomes visible to the device user. Select between 1-90 days. The device user will not see a major software upgrade until the set number of days after the software release date. Available in macOS 11.3.0.0 and later.
  Enabled by default: No

Allow modifying passcode (allowPasscodeModification) (supervised devices)
  If deselected, prevents the device passcode from being added, changed, or removed.
  Enabled by default: Yes

Allow password AutoFill (allowPasswordAutoFill)
  Select to allow password autofill. Available for macOS 10.14 or supported newer versions.
  Enabled by default: Yes

Allow proximity based password sharing requests (allowPasswordProximityRequests)
  Select to allow nearby devices to request device passwords. Available for macOS 10.14 or supported newer versions.
  Enabled by default: Yes

Allow password sharing (allowPasswordSharing)
  Select to allow users to share their device passwords using the AirDrop Passwords feature. Available for macOS 10.14 or supported newer versions.
  Enabled by default: Yes

Allow screenshots and screen recording (allowScreenShot)
  When deselected, users are unable to save screenshots or record video of the display. When deselected, this restriction also prevents the Classroom app from observing remote screens. Available for macOS 10.14.4 or supported newer versions.
  Enabled by default: Yes

Allow remote screen observation (allowRemoteScreenObservation)
  If deselected, remote screen observation by the Classroom app is disabled. Available for macOS 10.14.4 or supported newer versions.
  Enabled by default: Yes

Automatically join Classroom classes without prompting (forceClassroomAutomaticallyJoinClasses) (supervised only)
  When selected, automatically grants the teacher's requests without prompting the student. Available for macOS 10.14.4 or supported newer versions.
  Enabled by default: No

Require teacher permission to leave Classroom unmanaged classes (forceClassroomRequestPermissionToLeaveClasses) (supervised only)
  When selected, a student enrolled in an unmanaged course via Classroom must request permission from the teacher when attempting to leave the course. Available for macOS 10.14.4 or supported newer versions.
  Enabled by default: No

Allow Classroom to lock an app and lock the device without prompting (forceClassroomUnpromptedAppAndDeviceLock) (supervised only)
  When selected, allows the teacher to lock apps or the device without prompting the student. Available for macOS 10.14.4 or supported newer versions.
  Enabled by default: No

Allow Classroom to perform AirPlay and View Screen without prompting (forceClassroomUnpromptedScreenObservation) (supervised only)
  If selected, and the Apple Education > Screen Observation Modification Control field is also selected, a student enrolled in a managed course via the Classroom app will automatically grant that course's teacher's requests to observe the student's screen without prompting the student. Available for macOS 10.14.4 or supported newer versions.
  Enabled by default: No

Allow Handoff (allowActivityContinuation)
  Select to enable the Handoff feature, which allows users to seamlessly continue working where they left off on any Apple device on which they are logged in with their Apple ID. Available for macOS 10.15 or supported newer versions.
  Enabled by default: Yes

Allow use of Game Center (allowGameCenter) (supervised devices only)
  When deselected, Game Center is disabled and its icon is removed from the Home screen. Available for macOS 10.13 or supported newer versions.
  Enabled by default: Yes

Allow adding Game Center friends (allowAddingGameCenterFriends) (supervised device)
  When deselected, prohibits adding friends to Game Center. Disabled when Allow use of Game Center is deselected. Available for macOS 10.13 or supported newer versions.
  Enabled by default: Yes

Allow multiplayer gaming (allowMultiplayerGaming) (supervised device)
  When deselected, prohibits multiplayer gaming. Disabled when Allow use of Game Center is deselected. Available for macOS 10.13 or supported newer versions.
  Enabled by default: Yes

Allow AirDrop (allowAirDrop) (supervised device)
  If deselected, AirDrop is disabled. Available for macOS 10.13 or supported newer versions.
  Enabled by default: Yes

Allow sending diagnostic and usage data to Apple (allowDiagnosticSubmission)
  When deselected, prevents the device from automatically submitting diagnostic reports to Apple. Available for macOS 10.13 or supported newer versions.
  Enabled by default: Yes

Allow dictation (allowDictation) (supervised device)
  When deselected, disables the dictation input method. Disabled automatically when using Advanced Audio Coding (AAC) mode. Available for macOS 10.13 or supported newer versions.
  Enabled by default: Yes

Allow modifying Wallpaper (allowWallpaperModification) (supervised device)
  If deselected, prevents the wallpaper from being changed. Available for macOS 10.13 or supported newer versions.
  Enabled by default: Yes

Allow Safari AutoFill (allowSafari) (supervised device)
  Deselect to disable the Safari web browser, remove its icon from the Home screen, and prevent users from opening web clips. Available for macOS 10.13 or supported newer versions.
  Enabled by default: Yes

Allow Erase All Content and Settings (allowEraseContentAndSettings) (supervised devices only)
  Deselect to disable the “Erase All Content and Settings” option in the Reset section of iOS devices. Applicable to iOS 8 and later, and macOS 12 and later.
  Enabled by default: Yes
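Because most of these restrictions are enabled (permissive) by default, a restriction that is never set in the pushed profile is silently not enforced. The following added example, not Ivanti's or Apple's code, audits a restrictions .mobileconfig against a hardened baseline built from the keys in the table and reports both wrong and missing values. It assumes the keys are carried in Apple's com.apple.applicationaccess payload (the page does not name the payload type); the baseline choices and the sample profile are constructed.

```python
import plistlib

# Assumption: the restriction keys in the table are carried in Apple's
# com.apple.applicationaccess payload; the page lists the keys, not the type.
RESTRICTIONS_PAYLOAD_TYPE = "com.apple.applicationaccess"

# Constructed hardened baseline (not EPMM defaults): keys whose permissive
# default moves credentials or data off the device, plus the AirPrint TLS
# requirement, which the table shows as not enabled by default.
HARDENED_BASELINE = {
    "allowCloudKeychainSync": False,
    "allowPasswordSharing": False,
    "allowPasswordProximityRequests": False,
    "allowDiagnosticSubmission": False,
    "forceAirPrintTrustedTLSRequirement": True,
}


def audit_restrictions(mobileconfig, baseline=HARDENED_BASELINE):
    """Compare a restrictions .mobileconfig (bytes) with a baseline.

    Returns {key: (observed, expected)} for every deviation. A key absent
    from the payload is reported with observed=None: an unset restriction
    falls back to the permissive default, so it is not enforced.
    """
    profile = plistlib.loads(mobileconfig)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == RESTRICTIONS_PAYLOAD_TYPE]
    effective = {}
    for payload in payloads:  # a later payload overrides an earlier one
        effective.update(payload)
    return {key: (effective.get(key), want)
            for key, want in baseline.items()
            if effective.get(key) != want}


# Constructed sample of a device-channel restrictions profile. Password
# sharing is left enabled and the AirPrint TLS requirement is omitted, so
# the audit should report exactly those two keys.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadScope": "System",
    "PayloadIdentifier": "example.restrictions",
    "PayloadUUID": "00000000-0000-0000-0000-000000000001",
    "PayloadContent": [{
        "PayloadType": RESTRICTIONS_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.restrictions.applicationaccess",
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",
        "allowCloudKeychainSync": False,
        "allowPasswordSharing": True,
        "allowPasswordProximityRequests": False,
        "allowDiagnosticSubmission": False,
        "allowScreenShot": True,
    }],
})

if __name__ == "__main__":
    for key, (got, want) in audit_restrictions(SAMPLE_PROFILE).items():
        print(f"{key}: observed {got!r}, expected {want!r}")
```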

macOS Apple App Store restrictions

The macOS Apple App Store restrictions setting allows you to restrict user or device interactions with the Apple App Store. For example, you can restrict app installations and updates to administrator users only, or to MDM-installed apps in updates only.

Procedure 

  1. Go to Policies & Configs > Configurations.
  2. Select Add New > Apple > macOS Only > macOS App Store Restrictions to specify App Store lockdown capabilities for macOS.
  3. Configure the settings as described in macOS App Store Restrictions options.
  4. Select Save.
  5. Select the setting you just created.
  6. Go to Actions > Apply to label.
  7. Select the labels you want to apply.
  8. Select Apply.

macOS AppStore restriction options

The following table describes the macOS App Store restrictions.

Table 115.  macOS App Store Restrictions options

Columns: Item (followed by its restriction key where one applies), Description, Selected by Default.

Name (com.apple.app.appstore)
  Enter a name for the macOS App Store Restrictions setting.
  Selected by default: N/A

Description
  Enter a description for the setting.
  Selected by default: N/A

Restrictions Channel
  Select one of the following:
  User: Select to apply restrictions to the user signed in to the macOS device.
  Device: Select to apply restrictions to the macOS device, regardless of the user currently signed in.
  For devices running macOS 10.12 or supported newer versions, the default is user channel. If you want the restrictions setting to apply to macOS devices regardless of what user is logged in, select Device channel. If you want the restrictions setting to apply to a specific user, select User channel.
  Default: User

Restrict app installations to admin users only (restrict-store-require-admin-to-install)
  Select to restrict the installation of apps to admins only. Available on macOS devices running macOS 10.9 or supported newer versions.
  Selected by default: Yes

Restrict app installations to software updates only (restrict-store-softwareupdate-only)
  Select to restrict updates to apps already installed on managed macOS devices. Available on macOS devices running macOS 10.10 or supported newer versions.
  Selected by default: Yes

Disable app adoption (restrict-store-disable-app-adoption)
  Select to prevent users from managing apps through the Apple App Store that were not originally purchased through the Apple App Store. Available on macOS devices running macOS 10.10 or supported newer versions.
  Selected by default: Yes

Disable software updates notifications (DisableSoftwareUpdateNotifications)
  Select to prevent app update notifications from appearing on managed macOS devices. Available on macOS devices running macOS 10.10 or supported newer versions.
  Selected by default: Yes

Restrict app installations to MDM-installed apps and software updates (macOS 10.11 and later) (restrict-store-mdm-install-softwareupdate-only)
  Select to restrict app installations and updates to MDM-installed apps only. Available on macOS devices running macOS 10.11 or supported newer versions.
  Selected by default: Yes

Allow Universal Control
  Prohibits the control of multiple Apple devices (including an iMac, MacBook, and iPad) with the same keyboard and mouse.
  Selected by default: Yes

Allow UI Configuration Profile Installation
  Prohibits the user from installing configuration profiles and certificates interactively. Requires a supervised device. Available in iOS 6 and later and macOS 13 and later.
  Selected by default: Yes

Allow USB Restricted Mode
  If disabled, allows the device to always connect to USB accessories while locked. On macOS, allows new USB accessories to connect without authorization. Available in macOS 11.3.0.0 and later.
  Selected by default: Yes

The new restrictions are not automatically pushed to devices when you upgrade. To force-push the restriction setting to all devices, open the setting and save it.

Disc settings for macOS

You can use the Finder and Disc Burning restriction settings to restrict the ability of managed macOS devices to burn data to disc. You must configure both settings to control the burning of data to disc on managed macOS devices.

Configuring Finder disc burning settings for macOS

The Finder restriction for macOS devices allows you to disable disc burning through macOS Finder on managed macOS devices. Disabling disc burning through Finder using this restriction setting disables disc burning regardless of the Disc Burning restriction setting described in Configuring the Disc Burning setting for macOS.

Procedure 

  1. Go to Policies & Configs > Configurations.
  2. Select Add New > Apple > macOS Only > Disc > Finder.
  3. Enter a name for the Finder restriction setting.
  4. Select Disable Finder's Disc Burning Support to disable the disc burning capability on managed macOS devices. If you want to enable support for burning to disc using Finder, leave this option unchecked.
  5. Select Save.
  6. Select the setting you just created.
  7. Go to Actions > Apply to label.
  8. Select the labels you want to apply.
  9. Select Apply.

Configuring the Disc Burning setting for macOS

The Disc Burning restriction allows you to control whether users can burn data to disc on managed macOS devices. You can enable or disable disc burning, or allow the burning of data to disc only after users have gone through an authentication process. You must also create a Finder restriction in addition to the Disc Burning restriction to control disc burning on managed macOS devices.

Procedure 

  1. Go to Policies & Configs > Configurations.
  2. Select Add New > Apple > macOS Only > Disc > Disc Burning.
    The New Disc Burning dialog box opens.
  3. Configure the settings as described in Disc Burning settings (macOS).
  4. Select Save.
  5. Select the setting you just created.
  6. Go to Actions > Apply to label.
  7. Select the labels you want to apply.
  8. Select Apply.

Disc burning settings (macOS)

The following table describes the settings for disc burning.

Table 116.  Disc Burning settings (macOS)

Columns: Item, Description.

Name
  Enter a name for the disc burning setting.

Description
  Enter a description for the disc burning setting (optional).

Burn Support
  Select one of the following:
  Off: Select to disable support for burning data to disc on a managed macOS device. You must also disable disc burning in the Finder setting to disable disc burning on managed macOS devices.
  On: Select to enable support for burning data to disc on a managed macOS device. You must also enable disc burning in the Finder setting to enable disc burning on managed macOS devices.
  Authenticate: Select to require managed macOS device users to enter their login information before burning data to disc.

Media Control setting for macOS

The Media Control setting allows you to permit or forbid users to mount, unmount, and eject on logout a variety of media, such as DVDs, network disks, and external drives. This setting lets you fine-tune your control over media use on macOS devices; for example, you can configure all blank DVDs to be rejected by the macOS media drive, or require user authentication when connecting to a network drive.

The supported media types are:

  • BD
  • Blank BD
  • Blank CD
  • Blank DVD
  • CD
  • Disk Image
  • DVD
  • Hard Disk External
  • Hard Disk Internal
  • Network Disk

Procedure 

  1. Go to Policies & Configs > Configurations.
  2. Select Add New > Apple > macOS Only > Media Control.
    The New Media Control Setting dialog box opens.
  3. Configure the settings as described in Media Control Setting (macOS).
  4. Select Save.
  5. Select the setting you just created.
  6. Go to Actions > Apply to label.
  7. Select the labels you want to apply.
  8. Select Apply.

Table 117.  Media Control Setting (macOS)

Columns: Item, Description.

Name
  Enter a name for the Media Control setting.

Description
  Enter a description for the Media Control setting.

Logout Eject
  Logout Eject rules cause the selected medium to be ejected when the macOS user logs out.

  1. Select Add to select a medium from the drop-down list and configure settings for that medium.
  2. For the rule you are creating, select any of the following:
    • Authenticate: Requires macOS device users to authenticate before interacting with the medium.
    • Read only: Makes the medium read-only.
    • Deny: Denies access to the medium.
    • Eject: Causes the medium to eject when macOS users attempt to access it.
  3. Repeat for any other media for which you would like to create a rule.

Mount Controls
  Creating rules for Mount Controls allows you to govern the media that can be mounted on managed macOS devices.

  1. Select Add to select a medium from the drop-down list and configure settings for that medium.
  2. For the rule you are creating, select any of the following:
    • Authenticate: Requires macOS device users to authenticate before interacting with the medium.
    • Read only: Makes the medium read-only.
    • Deny: Denies access to the medium.
    • Eject: Causes the medium to eject when macOS users attempt to access it.
  3. Repeat for any other media for which you would like to create a rule.

Unmount Controls
  Creating rules for Unmount Controls allows you to govern the media that can be unmounted from managed macOS devices.

  1. Select Add to select a medium from the drop-down list and configure settings for that medium.
  2. For the rule you are creating, select any of the following:
    • Authenticate: Requires macOS device users to authenticate before interacting with the medium.
    • Deny: Denies access to the medium.
  3. Repeat for any other media for which you would like to create a rule.