macOS settings

• macOS Kernel Extension settings
• macOS restrictions
• macOS Apple App Store restrictions
• Disc settings for macOS
• Media Control setting for macOS

• Accessibility Settings Restrictions

• Associated Domains for macOS

• Login Items for macOS

macOS Kernel Extension settings

Starting from macOS High Sierra 10.13.2, Apple introduced the concept of “User Approved” MDM Enrollment. This optional enrollment type allows MDM management of certain security-sensitive settings. Using the macOS Kernel Extension loading enables the device user to one of the following:

• Device user manually installs an MDM enrollment profile using System Preferences
• All Device-enrolled Macs are considered user-approved enrollment.

The Kernel Extension Policy payload is designated by specifying com.apple.syspolicy.kernel-extension-policy as the PayloadType. This payload controls restrictions and settings for User Approved Kernel Extension Loading on macOS v10.13.2 and later. The profile containing the payload must be delivered via a User Approved MDM server, and it must be installed as a device profile.

In addition to the settings common to all payloads, this payload defines the following keys.

Procedure 

1. Go to Policies & Configs > Configurations.
2. Select Add New > Apple > macOS Only > macOS Kernel Extensions. The New macOS Kernel Extension Setting dialog box opens.

3. Select Add+ and configure the settings as described in the table below.

   Item	Description	Example
   Name	Enter the name of the kernel extension policy. This will display in the Configurations page.	Test_kext
   Description	Enter an optional description for the policy.	Kernel Ext Policy Name
   Allow User Overrides	Select this check box to allow device users to approve additional kernel extensions not explicitly allowed by this configuration.	N/A
   Allowed Team Identifiers	Enter the name of team identifiers that all validly-signed kernel extensions are allowed to load. The type used should be string.	PXPZ95SK77 (for Application: Global Protect VPN)
   Allowed Kernel Extensions	Enter a dictionary that represents a set of validly-signed kernel extensions that will always be allowed to load on the user's device.	com.paloaltonetworks.kext.pangpd This corresponds to Allowed Team Identifier example PXPZ95SK77

4. Repeat step 3 for any additional team identifiers and kernel extensions.
5. Select Save. The kernel extension displays in the Configurations page.

macOS restrictions

The macOS restrictions setting can be configured for the user or device channel. For devices running macOS 10.12 or supported newer versions, the default is user channel. If you want to apply the restrictions setting to macOS devices regardless of what user is logged in, select Device channel. If you want the restrictions setting to apply to a specific user, select User channel.

A macOS device should only have a single managed user. However, a macOS device may also have an administrator user. If you want the restrictions setting to apply to the whole device regardless of whatever user logs in, select Device channel.

Procedure 

1. Go to Policies & Configs > Configurations.
2. Select Add New > Apple > macOS Only > macOS Restrictions to specify lockdown capabilities for macOS.
3. Configure the settings as described in macOS restrictions settings .
4. Select Save. 
5. If Notes for Audit Logs is enabled, a text dialog box opens. Enter the reason for the change and then select Confirm. For more information, see Best practices: label management.

macOS restrictions settings

The following table describes the macOS restrictions settings.

Table 126.  macOS restrictions settings

Item	Description	Enabled by Default
Name	Enter a name for the macOS restriction setting.	N/A
Description	Enter a description for the macOS restriction setting.	N/A
Restrictions channel	•User: Select to apply restrictions to the user signed in to the macOS device. •Device: Select to apply restrictions to the macOS device, regardless of the user currently signed in.	User
Allow use of camera	allowCamera Deselect to disable the camera and remove its icon from the Home screen. Users will be unable to take photographs. Available for macOS 10.11 or supported newer versions.	Yes
Allow document and key-value sync to iCloud	allowCloudDocumentSync When deselected, disables document and key-value syncing to iCloud. Available for macOS 10.11 or supported newer versions.	Yes
Allow iCloud Photo Library	allowCloudPhotoLibrary If deselected, disables iCloud Photo Library. Any photos not fully downloaded from iCloud Photo Library to the device will be removed from local storage.	Yes
Allow definition lookup	allowDefinitionLookup If deselected, disables definition look-up. Available for macOS 10.11.2 or supported newer versions.	Yes
Allow Back to My Mac iCloud service	allowCloudBTMM When deselected, disables macOS Back to My Mac iCloud service.	Yes
Allow Find My Mac iCloud service	allowCloudFMM When deselected, disables macOS Find My Mac iCloud service.	Yes
Allow iCloud Bookmark sync	allowCloudBookmarks When deselected, disables macOS iCloud Bookmark sync.	Yes
Allow iCloud Mail service	allowCloudMail When deselected, disables macOS Mail iCloud services.	Yes
Allow iCloud Calendar service	allowCloudCalendar When deselected, disables macOS iCloud Calendar services.	Yes
Allow iCloud Reminder service	allowCloudReminders When deselected, disables iCloud Reminder services.	Yes
Allow iCloud Address Book service	allowCloudAddressBook When deselected, disables macOS iCloud Address Book services.	Yes
Allow iCloud Notes service (supervised only)	allowCloudNotes When deselected, disables macOS iCloud Notes services.	Yes
Allow iCloud Keychain synchronization	allowCloudKeychainSync When deselected, disables Cloud keychain synchronization.	Yes
Allow Music service	allowMusicService If disabled, Music service is disabled and Music app reverts to classic mode.	Yes
Allow Spotlight Internet search results	allowSpotlightInternetResults If deselected, Spotlight will not return Internet search results. Available for macOS 10.11 or supported newer versions.	Yes
Allow Touch ID to unlock a device	allowFingerprintForUnlock If selected, allows Touch ID to unlock a device. Available for macOS 10.12.4 or supported newer versions.	Yes
Allow macOS auto unlock	allowAutoUnlock If deselected, disables macOS auto unlock.	Yes
Allow iTunes File Sharing	allowiTunesFileSharing If deselected, disables iTunes application file sharing services. Available for macOS 10.13 or supported newer versions.	Yes
Allow Content Caching	allowContentCaching Allow content caching to reduce bandwidth usage and speed up installation by storing software updates, apps, and other content on the device. Available for macOS 10.13 or supported newer versions.	Yes
Allow iCloud desktop and documents service	allowCloudDesktopAndDocuments If deselected, disables macOS iCloud desktop and document services. Defaults to true. Available for macOS 10.12.4 or supported newer versions.	Yes
Allow Air Print	allowAirPrint When deselected, disables Air Print feature. Available for macOS 10.13 or supported newer versions.	Yes
Disallow AirPrint to destinations with untrusted certificates	forceAirPrintTrustedTLSRequirement When selected, requires trusted certificates for TLS printing communication. Available for macOS 10.13 or supported newer versions.	No
Allow discovery of AirPrint printers using iBeacons	allowAirPrintiBeaconDiscovery When selected, disables iBeacon discovery of AirPrint printers, preventing spurious AirPrint Bluetooth beacons from phishing for network traffic. Available for macOS 10.13 or supported newer versions.	Yes
Delay OS Software Update	forceDelayedSoftwareUpdates When selected, two additional options become available: Enforced Software Update Delay forceDelayedMajorSoftwareUpdates Sets the delay of a software update on the device. Select between 1-90 days. The device user will not see a software update until the set number of days after the software release date. Available in macOS 11.3.0.0 and later. Enforced Software Update MinorOS Delay enforcedSoftwareUpdateMinorOSDeferredInstallDelay Sets the delay of minor software updates to the device. Select between 1-90 days to delay a minor OS software update on the device. The device user will not see a software update until the set number of days after the software release date. Available in macOS 11.3.0.0 and later.	No
Delay App Software Update	forceDelayedAppSoftwareUpdates When selected, two additional options become available: Enforced Software Update Delay forceDelayedMajorSoftwareUpdates Sets the delay of a software upgrade on the device. Select between 1-90 days. The device user will not see a software update until the set number of days after the software release date. Available in macOS 11.3.0.0 and later. Enforced Software Update NonOS Delay enforcedSoftwareUpdateNonOSDeferredInstallDelay Sets the delay of non-OS software updates to the device. Select between 1-90 days to delay a non-OS software update on the device. The device user will not see a software update until the set number of days after the software release date. Available in macOS 11.3.0.0 and later.	No
Delay Major Software Upgrade	forceDelayedMajorSoftwareUpdates When selected, an additional option becomes available: Enforced Software Upgrade MajorOS Delay enforcedSoftwareUpdateMajorOSDeferredInstallDelay Sets the delay of the device user visibility of major software upgrade on the device. Select between 1-90 days. The device user will not see a major software upgrade until the set number of days after the software release date. Available in macOS 11.3.0.0 and later.	No
Allow ARD Remote Management Modification (Boolean)	If false, prevents modifying the Remote Management Sharing setting in System Settings. Available in macOS 14 and later.	Yes
Allow Bluetooth Sharing Modification (Boolean)	If false, prevents modifying Bluetooth setting in System Settings. Available in macOS 14 and later.	Yes
Allow Cloud Freeform (Boolean)	If false, disallows iCloud Freeform services. Available in macOS 14 and later.	Yes
Allow File Sharing Modification (Boolean)	If false, prevents modifying File Sharing setting in System Settings. Available in macOS 14 and later.	Yes
Allow Internet Sharing Modification (Boolean)	If false, prevents modifying Internet Sharing setting in System Settings. Available in macOS 14 and later.	Yes
Allow Local User Creation (Boolean)	If false, prevents creating new users in System Settings. Available in macOS 14 and later.	Yes
Allow Printer Sharing Modification (Boolean)	If false, prevents modifying Printer Sharing setting in System Settings. Available in macOS 14 and later.	Yes
Allow Remote Apple Events Modification (Boolean)	If false, prevents modifying Remote Apple Events Sharing setting in System Settings. Available in macOS 14 and later.	Yes
Allow Startup Disk Modification (Boolean)	If false, prevents modification of Startup Disk setting in System Settings. Available in macOS 14 and later.	Yes
Allow Time Machine Backup (Boolean)	If false, prevents modification of Time Machine settings in System Settings. Available in macOS 14 and later.	Yes
Allow modifying passcode (supervised devices)	allowPasscodeModification If deselected, prevents device passcode from being added, changed, or removed.	Yes
Allow password AutoFill	allowPasswordAutoFill Select to allow password autofill. Available for macOS 10.14 or supported newer versions.	Yes
Allow proximity based password sharing requests	allowPasswordProximityRequests Select to allow nearby devices to request device passwords. Available for macOS 10.14 or supported newer versions.	Yes
Allow password sharing	allowPasswordSharing Select to allow users to share their device passwords using Airdrop Passwords feature. Available for macOS 10.14 or supported newer versions.	Yes
Allow screenshots and screen recording	allowScreenShot When deselected, users are unable to save screenshots or record video of the display. When deselected, this restriction also prevents the Classroom app from observing remote screens. Available for macOS 10.14.4 or supported newer versions.	Yes
Allow remote screen observation	allowRemoteScreenObservation If this is de-selected, remote screen observation by the Classroom app is disabled. Available for macOS 10.14.4 or supported newer versions.	Yes
Automatically join Classroom classes without prompting (supervised only)	forceClassroomAutomaticallyJoinClasses When selected, automatically gives permission to the teacher's requests without prompting the student. Available for macOS 10.14.4 or supported newer versions.	No
Require teacher permission to leave Classroom unmanaged classes (supervised only)	forceClassroomRequestPermissionToLeaveClasses When selected, a student enrolled in an unmanaged course via Classroom will request permission from the teacher when attempting to leave the course. Available for macOS 10.14.4 or supported newer versions.	No
Allow Classroom to lock an app and lock the device without prompting (supervised only)	forceClassroomUnpromptedAppAndDeviceLock When selected, alls the teacher to lock apps or the device without prompting the student. Available for macOS 10.14.4 or supported newer versions.	No
Allow Classroom to perform AirPlay and View Screen without prompting (supervised only)	forceClassroomUnpromptedScreenObservation If selected, and the Apple Education > Screen Observation Modification Control field is also selected, a student enrolled in a managed course via the Classroom app will automatically give permission to that courseʼs teacherʼs requests to observe the studentʼs screen without prompting the student. Available for macOS 10.14.4 or supported newer versions.	No
Allow Handoff	allowActivityContinuation Select to enable the Handoff feature, which allows users to seamlessly continue working where they left off using any Apple device on which they are logged in with their Apple ID. Available for macOS 10.15 or supported newer versions.	Yes
Allow use of Game Center (supervised devices only)	allowGameCenter When deselected, Game Center is disabled and its icon is removed from the Home screen. Available for macOS 10.13 or supported newer versions.	Yes
Allow adding Game Center friends (supervised device)	allowAddingGameCenterFriends When deselected, prohibits adding friends to Game Center. Disabled when Allow use of Game Center is deselected. Available for macOS 10.13 or supported newer versions.	Yes
Allow multiplayer gaming (supervised device)	allowMultiplayerGaming When deselected, prohibits multiplayer gaming. Disabled when Allow use of Game Center is deselected. Available for macOS 10.13 or supported newer versions.	Yes
Allow AirDrop (supervised device)	allowAirDrop If deselected, AirDrop is disabled. Available for macOS 10.13 or supported newer versions.	Yes
Allow sending diagnostic and usage data to Apple	allowDiagnosticSubmission When deselected, this prevents the device from automatically submitting diagnostic reports to Apple. Available for macOS 10.13 or supported newer versions.	Yes
Allow dictation (supervised device)	allowDictation When deselected, disables dictation input method. Disabled automatically when using Advanced Audio Coding (AAC) mode. Available for macOS 10.13 or supported newer versions.	Yes
Allow modifying Wallpaper (supervised device)	allowWallpaperModification If deselected, prevents wallpaper from being changed. Available for macOS 10.13 or supported newer versions.	Yes
Allow Safari AutoFill (supervised device)	allowSafari Deselect to disable the Safari web browser, remove its icon from the Home screen, and prevent users from opening web clips. Available for macOS 10.13 or supported newer versions.	Yes
Allow Erase All Content and Settings (supervised devices only)	allowEraseContentAndSettings Deselect to disable the “Erase All Content and Settings” option in the Reset section of iOS devices. Applicable to iOS 8 and later, and macOS 12 and later.	Yes

macOS Apple App Store restrictions

The macOS Apple App Store restrictions setting allows you to restrict user or device interactions with the Apple App Store. For example, you can restrict app installations and updates to administrator users only, or to MDM-installed apps in updates only.

Procedure 

1. Configure the settings as described in macOS App Store Restrictions options .
2. Select Save.

macOS AppStore restriction options

The following table describes the macOS App Store restrictions.

Table 127.  macOS App Store Restrictions options

Item	Description	Selected by Default
Name	com.apple.app.appstore Enter a name for the macOS App Store Restrictions setting.	N/A
Description	Enter a description for the setting.	N/A
Restrictions Channel	Select one of the following: •User: Select to apply restrictions to the user signed in to the macOS device. •Device: Select to apply restrictions to the macOS device, regardless of the user currently signed in. For devices running macOS 10.12 or supported newer versions, the default is user channel. If an you want the restrictions setting to apply to macOS devices regardless of what user is logged in, select Device channel. If you want the restrictions setting to apply to a specific user, select User channel.	User
Restrict app installations to admin users only	restrict-store-require-admin-to-install Select to restrict the installation of apps to admins only. Available on macOS devices running macOS 10.9 or supported newer versions.	Yes
Restrict app installations to software updates only	restrict-store-softwareupdate-only Select to restrict updates to apps already installed to managed macOS devices. Available on macOS devices running macOS 10.10 or supported newer versions.	Yes
Disable app adoption	restrict-store-disable-app-adoption Select to prevent users from managing apps through the Apple App Store that were not originally purchased through the Apple App Store. Available on macOS devices running macOS 10.10 or supported newer versions.	Yes
Disable software updates notifications	DisableSoftwareUpdateNotifications Select to prevent app update notifications from appearing on managed macOS devices. Available on macOS devices running macOS 10.10 or supported newer versions.	Yes
Restrict app installations to MDM-installed apps and software updates (macOS 10.11 and later)	restrict-store-mdm-install-softwareupdate-only Select to restrict app installations and updates to MDM-installed apps only. Available on macOS devices running macOS 10.11 or supported newer versions.	Yes
Allow Universal Control	Prohibits the control of multiple Apple devices - including an iMac, MacBook, and iPad - all with the same keyboard and mouse.	Yes
Allow UI Configuration Profile Installation	Prohibits the user from installing configuration profiles and certificates interactively. Requires a supervised device. Available in iOS 6 and later and macOS 13 and later.	Yes
Allow USB Restricted Mode	If disabled, allows the device to always connect to USB accessories while locked. On macOS, allows new USB accessories to connect without authorization. Available in macOS 11.3.0.0 and later.	Yes

The new restrictions are not automatically pushed to the devices when you upgrade. Instead, to force-push the restriction to all devices, open it and save it.

Disc settings for macOS

You can use the Finder and Disc Burning restriction settings to restrict the ability of managed macOS devices to burn data to disc. You must configure both settings to control the burning of data to disc on managed macOS devices.

Configuring Finder disc burning settings for macOS

The Finder restriction for macOS devices allow you to disable disc burning capabilities using macOS Finder on managed macOS devices. Disabling disc burning through Finder using this restriction setting will also disable disc burning regardless of the disc burning restriction setting described in Configuring the Disc Burning setting for macOS.

Procedure 

1. Go to Policies & Configs > Configurations.
2. Select Add New > Apple > macOS Only > Disc > Finder.
3. Enter a name for the Finder restriction setting.
4. Select Disable Finder's Disc Burning Support to disable the disc burning capability on managed macOS devices. If you want to enable support for burning to disc using Finder, leave this option unchecked.
5. Select Save.
6. Select the setting you just created.
7. Go to Actions > Apply to label.
8. Select the labels you want to apply.
9. Select Apply.

Configuring the Disc Burning setting for macOS

The Disc Burning restriction allows you to control whether users can burn data to disc on managed macOS devices. You can enable or disable disc burning, or allow the burning of data to disc only after users have gone through an authentication process. You must also create a Finder restriction in addition to the Disc Burning restriction to control disc burning on managed macOS devices.

Procedure 

1. Go to Policies & Configs > Configurations.
2. Select Add New > Apple > macOS Only > Disc > Disc Burning.
   The New Disc Burning dialog box opens.
3. Configure the settings as described in Disc Burning settings (macOS) .
4. Select Save.
5. Select the setting you just created.
6. Go to Actions > Apply to label.
7. Select the labels you want to apply.
8. Select Apply.

Disc burning settings (macOS)

The following table describes the settings for disc buning.

Table 128.  Disc Burning settings (macOS)

Item	Description
Name	Enter a name for the disc burning setting.
Description	Enter a description for the disc burning setting (optional).
Burn Support	Select one of the following: •Off: Select to disable support for burning data to disc on a managed macOS device. You must also disable disc burning in the Finder setting to disable disc burning on managed macOS devices. •On: Select to enable support for burning data to disc on a managed macOS device. You must also enable disc burning in the Finder setting to enable disc burning on managed macOS devices. •Authenticate: Select to require managed macOS device users to enter their login information before burning data to disc.

Media Control setting for macOS

The Media Control setting allows you to permit or forbid users to mount, unmount, and eject on logout a variety of media, such as DVDs, network disks, and external drives. This setting enables you to fine-tune your control over media use on macOS devices, for example, you can configure all blank DVDs to be rejected by the macOS media drive, or require user authentication when connecting to a network drive.

The Supported media types are:

• BD
• Blank BD
• Blank CD
• Blank DVD
• CD
• Disk Image
• DVD
• Hard Disk External
• Hard Disk Internal
• Network Disk

Procedure 

1. Go to Policies & Configs > Configurations.
2. Select Add New > Apple > macOS Only > Media Control.
   The New Media Control Setting dialog box opens.
3. Configure the settings as described in Media Control Setting (macOS) .
4. Select Save.
5. Select the setting you just created.
6. Go to Actions > Apply to label.
7. Select the labels you want to apply.
8. Select Apply.

Table 129.  Media Control Setting (macOS)

Item	Description
Name	Enter a name for the Media Control setting.
Description	Enter a description for the Media Control setting.
Logout Eject	Logout Eject rules cause the selected medium to be ejected when the macOS user logs out. Select Add to select a medium from the drop-down list and configure settings for that medium. For the rule you are creating, select any of the following: Authenticate: Requires macOS device users to authenticate before interacting with the medium. Read only: Makes the medium read-only. Deny: Denies access to the medium. Eject: Causes the medium to eject when macOS users attempt to access it. Repeat for any other media for which you would like to create a rule.
Mount Controls	Creating rules for Mount Controls allows you to govern the media that can be mounted on managed macOS devices. Select Add to select a medium from the drop-down list and configure settings for that medium. For the rule you are creating, select any of the following: Authenticate: Requires macOS device users to authenticate before interacting with the medium. Read only: Makes the medium read-only. Deny: Denies access to the medium. Eject: Causes the medium to eject when macOS users attempt to access it. Repeat for any other media for which you would like to create a rule.
Unmount Controls	Creating rules for Unmount Controls allows you to govern the media that can be unmounted from managed macOS devices. Select Add to select a medium from the drop-down list and configure settings for that medium. For the rule you are creating, select any of the following: Authenticate: Requires macOS device users to authenticate before interacting with the medium. Deny: Denies access to the medium. Repeat for any other media for which you would like to create a rule.

Accessibility Settings Restrictions

A new Accessibility Settings Restrictions is added, which will provide the administrator to control the Mac device accessibility settings.

• Bold Text Enabled (Boolean): If true, enables bold text.
• Increase Contrast Enabled (Boolean): If true, enables increase contrast.
• Reduced Motion Enabled (Boolean): If true, enables reduced motion.
• Reduce Transparency Enabled (Boolean): If true, enables reduced transparency.
• Text Size: The accessibility text size apps that support dynamic text use. 0 is the smallest value, and 11 is the largest value available. Default 4 possible values.
• Touch Accommodations Enabled (Boolean): If true, enables touch accommodations.
• Voice Over Enabled (Boolean): If true, enables voice over.
• Zoom Enabled (Boolean): If true, enables zoom.

Associated Domains for macOS

Associated domains help to build a secure connection between the website and the application. Associated Domain allows you to share credentials or add functionality to your app from your website.

Procedure 

To configure associated domains:

1. Go to Policies & Configs > Configurations.
2. Select Add New > Apple > macOS Only > Associated Domains.
   The new Associated Domain dialog box opens.
3. Configure the settings as described in Associated Domain Setting (macOS) .
4. Select Save to add the configuration.
5. Once the configuration is added to the Configurations page, select the added configuration.
6. Go to Actions > Apply to label.
7. Select the labels you want to apply.
8. Select Apply.

Associated domains settings (macOS)

Table 130.  Associated Domain Setting (macOS)

Item	Description
Name	Enter the name of the configuration.
Description	Enter the description of the configuration.
Application Identifier	Enter the bundle ID of the app for which you want to publish the feature.
Channel	Select the User channel or the Device channel to push the configuration.
Enable Direct Download	This checkbox is optional. If you select it, data for this domain should be downloaded directly instead of through a CDN. The entitlement value for this domain must be set to 'service:domain?mode=managed'.
SERVICE	Select Add+ to add any services from the drop down. Ivanti implicitly supports four types of services, and apart from these four types of services, you can enter the text as well. The four service are: Activity Continuation- Use this service for Handoff. App Clips- Use this service for an App Clip. App Links- Use this service for universal links. Web Credentials- Use this service for shared web credentials.
DOMAIN	Enter the domains for each enabled service.

Login Items for macOS

This configuration helps to disallow the user from enabling or disabling the correct login item in MDM.

Procedure 

To configure Login Items:

1. Go to Policies & Configs > Configurations.
2. Select Add New > Apple > macOS Only > Login Items.
   The new Login Items dialog box opens.
3. Configure the settings as described in Login Items Setting (macOS)
4. Select Save to add the configuration.
5. Once the configuration is added to the Configurations page, select the added configuration.
6. Go to Actions > Apply to label.
7. Select the labels you want to apply.
8. Select Apply.

Login Items settings (macOS)

Table 131.  Login Items Setting (macOS)

Item	Description
Name	Enter the name of the configuration.
Description	Enter the description of the configuration.
Rules	Select Add+ to add the rules in the Rules section. It supports more than one type of rule. Rule type- Select the rule type from the dropdown. This field is mandatory for the configuration. Rule value- Enter the rule value for the configuration. This field is also mandatory for the configuration. Team Identifier- Enter the team identifier number. This number must match with the rule value. Comment- This field is optional; you can enter any comments for the configuration.