macOS Guest Account restriction shows applied but Guest user can still be enabledSolved

Hi @haniel,

For macOS, the Guest Account restriction should be delivered through the MDM configuration profile associated with the device. If the policy is already associated and other payloads are applying correctly, this is usually not caused by a separate enrollment requirement.

A useful check is to confirm whether the restriction is visible on the Mac under the installed management profile:

1. On the Mac, open System Settings.
2. Go to General > Device Management.
3. Select the Hexnode management profile or the relevant policy profile.
4. Check whether the Guest User Profile restriction is listed there.

If the restriction is present in the profile but Users & Groups still allows the Guest user to be enabled, refresh the policy association from Hexnode:

1. Open the policy in Hexnode.
2. Click Manage.
3. Choose Modify.
4. Save the policy without making changes.
5. Confirm that the Associate Policy action completes successfully in Action History.

This pushes the existing policy configuration to the Mac again and can refresh restrictions that were acknowledged but not fully reflected in System Settings.

Best Regards,
Isabel Lora
Hexnode UEM

I tried saving the same policy again without changing anything. After the policy was pushed again, the Mac now shows that the Guest Account setting is configured by the management profile. I didn’t change the restriction itself.

Does that mean the policy has to be applied twice for this setting to work?

No, the policy does not normally need to be applied twice.

What likely happened here was a temporary sync or macOS processing delay. Hexnode may send the configuration successfully and the Mac may acknowledge it, but macOS can sometimes take additional time to fully enforce or display a specific restriction in System Settings.

Re-saving the unmodified policy reassociates the existing configuration and prompts the device to process the restriction again. This can resolve cases where the policy appears applied in Hexnode but a specific macOS setting has not yet updated visibly on the device.

Best Regards,
Isabel Lora
Hexnode UEM

That makes sense, but Hexnode showed the policy as Successfully Applied before I refreshed it. How do I know whether the restriction is actually configured correctly on the Mac?

In Hexnode, Successfully Applied means the MDM command was sent to the Mac and the Mac acknowledged receipt of the configuration. It does not always mean every related macOS interface has already updated visually at that exact moment.

To verify the Guest Account restriction on the Mac, check the local device status after the policy is applied:

• In System Settings > General > Device Management, confirm that the management profile contains the Guest User Profile restriction.
• In System Settings > Users & Groups, check whether the Guest user setting shows that it is managed or configured by the profile.
• If the setting still appears editable after the policy shows as applied, sync the device or reassociate the same policy by saving it again without changes.

Once macOS shows the Guest Account option as managed by the profile, the restriction has been enforced on the device.

Best Regards,
Isabel Lora
Hexnode UEM