How to set up macOS MDM Restrictions using Hexnode MDM?

A restriction policy is pushed to devices to block several apps and device features in one go. Restrictions help keep corporate data on the device from leaking through channels such as cloud sync, password sharing or unvetted app installs. The restrictions you can configure depend on the Hexnode plan you have subscribed to and on the macOS version running on the device; each option below lists the minimum version that honors it.

To set up restrictions for end users:

  1. Select the Policies tab in the MDM console.
  2. Click New Policy to create a new policy, or open a policy created earlier.
  3. Provide a name, go to macOS and choose Restrictions or Advanced Restrictions.

Every feature listed here is allowed by default; a restriction takes effect only when you explicitly configure it, and no option forces users to turn a feature on. Treat the defaults as permissive: a policy that leaves an option untouched enforces nothing for that feature.

Basic Restrictions

Restrictions on Device Functionality

Auto-unlock with Apple Watch in proximity (macOS 10.12+): When the user's worn Apple Watch comes near a Mac signed in to the same account, the Mac unlocks without a password being typed. A password is still required the first time the Mac is unlocked after it is turned on.
Touch ID (macOS 10.12.4+): Lets users unlock the Mac with a fingerprint.
Definition lookup (macOS 10.11.2+): Shows the definition of a highlighted word using the built-in dictionary. Additional dictionaries can be downloaded to the device.

Restrictions on App Settings

Stream using Music app (macOS 10.12+): Allows the Music app to stream music on the user's device.
Camera (macOS 10.11+): When disabled, the camera cannot be used directly or from any other app, and its app icon is hidden.
Game Center: When checked, Game Center is enabled.

When Game Center is allowed, three further options apply:

Add friends in Game Center: When unchecked, Game Center users cannot invite friends.
Game Center account modifications: When unchecked, Game Center users cannot change their user name or password.
Multiplayer gaming: Uncheck to disable multiplayer gaming.

Restriction on App Store

Allow software update notifications only (macOS 10.10+): When unchecked, software update notifications are disabled on the device.

Restriction on MDM Administration

Ask for password when removing policy (macOS 10.11+): When enabled, users are prompted for a password when they try to remove the policy's profile from the device (System Preferences > Profiles). A 6-digit password is preset and can be changed; set your own value before assigning the policy rather than relying on the default.

Restrictions on iCloud Services

Back to My Mac (below macOS 10.14): Back to My Mac lets Macs signed in with the same iCloud account form a network, so a user can work on a remote Mac as if sitting at it and drag files between the local and remote Macs.
Find My Mac (macOS 10.12+): If a Mac is lost or stolen, Find My Mac can locate it through Location Services, play a sound on it even when it is muted, and lock or wipe it remotely from the Find My Mac portal.
iCloud Mail (macOS 10.12+): iCloud Mail provides an email account for Apple Account holders; an iCloud email address must be set up first.
Calendar (macOS 10.12+): A calendar event created or deleted on the device is updated by iCloud on every device the user owns, and can be accessed from a Windows PC as well.
Reminders (macOS 10.12+): Allows reminders to sync between devices; a reminder created, modified or deleted on one device is updated on all of them.
Address Book (macOS 10.12+): Syncs contacts between devices; a contact added on the Mac appears on the user's iPhone as well.
Notes (macOS 10.12+): Changes to a note are propagated to all of the user's devices through iCloud.
Auto-upload files in Desktop and Documents (macOS 10.12.4+): Automatically uploads everything in the Desktop and Documents folders to iCloud. This is the most direct route for corporate files to leave a managed Mac, so disable it unless iCloud storage is sanctioned.
Sync bookmarks with iCloud (macOS 10.12+): A Safari bookmark created on the device is stored in iCloud and on all of the user's other devices; deleting one is synced the same way.
Document and key-value sync (macOS 10.11+): App documents and settings are synced through iCloud, so changing an app's configuration on one device changes it on the others.
Sync passwords across devices (macOS 10.12+): Passwords saved on the user's Apple devices are stored in iCloud and synced across all of them.
Photo library (macOS 10.12+): Stores all photos in iCloud and makes them available on any device the user signs in to with the same iCloud credentials.
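Under the hood the console assembles an Apple configuration profile (.mobileconfig) and the Mac's MDM client installs it. The following Python script is an added example, not Hexnode's code or a Hexnode export: it builds an equivalent profile with the standard library's plistlib, mapping the Basic Restrictions options above to keys of Apple's com.apple.applicationaccess payload and adding the removal-password payload behind "Ask for password when removing policy". The key names are taken from Apple's Configuration Profile Reference; the mapping from Hexnode's option labels to those keys, the identifier prefix and the sample password are assumptions of this example.

```python
import plistlib
import uuid

# Hexnode option label -> key in Apple's com.apple.applicationaccess payload.
# Key names are from Apple's Configuration Profile Reference; the label-to-key
# mapping is this example's assumption, not Hexnode documentation.
RESTRICTION_KEYS = {
    "Auto-unlock with Apple Watch in proximity": "allowAutoUnlock",
    "Touch ID": "allowFingerprintForUnlock",
    "Definition lookup": "allowDefinitionLookup",
    "Stream using Music app": "allowMusicService",
    "Camera": "allowCamera",
    "Game Center": "allowGameCenter",
    "Add friends in Game Center": "allowAddingGameCenterFriends",
    "Multiplayer gaming": "allowMultiplayerGaming",
    "Back to My Mac": "allowCloudBTMM",
    "Find My Mac": "allowCloudFMM",
    "iCloud Mail": "allowCloudMail",
    "Calendar": "allowCloudCalendar",
    "Reminders": "allowCloudReminders",
    "Address Book": "allowCloudAddressBook",
    "Notes": "allowCloudNotes",
    "Auto-upload files in Desktop and Documents": "allowCloudDesktopAndDocuments",
    "Sync bookmarks with iCloud": "allowCloudBookmarks",
    "Document and key-value sync": "allowCloudDocumentSync",
    "Sync passwords across devices": "allowCloudKeychainSync",
    "Photo library": "allowCloudPhotoLibrary",
}

IDENTIFIER_PREFIX = "com.example.hexnode-demo"  # placeholder reverse-DNS prefix


def build_restrictions_payload(disabled):
    """Deny each named option. Unnamed options are absent from the payload, and
    an absent key means the Mac keeps its permissive default, so list everything
    you want blocked."""
    unknown = set(disabled) - RESTRICTION_KEYS.keys()
    if unknown:
        raise ValueError(f"unknown restriction option(s): {sorted(unknown)}")
    payload = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{IDENTIFIER_PREFIX}.restrictions",
        "PayloadUUID": str(uuid.uuid4()),
    }
    payload.update({RESTRICTION_KEYS[label]: False for label in disabled})
    return payload


def build_removal_password_payload(password):
    """'Ask for password when removing policy'. RemovalPassword sits in clear
    text in the profile, so the .mobileconfig file is itself a secret."""
    return {
        "PayloadType": "com.apple.profileRemovalPassword",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{IDENTIFIER_PREFIX}.removal-password",
        "PayloadUUID": str(uuid.uuid4()),
        "RemovalPassword": password,
    }


def build_profile(disabled, removal_password=None):
    """Serialize a complete device-scoped .mobileconfig as XML plist bytes."""
    content = [build_restrictions_payload(disabled)]
    if removal_password is not None:
        content.append(build_removal_password_payload(removal_password))
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": IDENTIFIER_PREFIX,
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "macOS Restrictions (example)",
        "PayloadScope": "System",
        "PayloadContent": content,
    })


def inspect_profile(profile_bytes):
    """Round-trip check: which features a profile denies, and whether it is
    protected by a removal password (None when removal is unrestricted)."""
    denied, removal = set(), None
    for payload in plistlib.loads(profile_bytes)["PayloadContent"]:
        if payload.get("PayloadType") == "com.apple.applicationaccess":
            denied.update(k for k, v in payload.items() if v is False)
        elif payload.get("PayloadType") == "com.apple.profileRemovalPassword":
            removal = payload.get("RemovalPassword")
    return {"denied": denied, "removal_password": removal}


if __name__ == "__main__":
    # Block the iCloud paths through which corporate files leave the Mac and
    # replace the preset 6-digit removal password with a value of our own.
    leak_paths = ["Auto-upload files in Desktop and Documents",
                  "Document and key-value sync", "Sync passwords across devices",
                  "Photo library", "Sync bookmarks with iCloud"]
    print(build_profile(leak_paths, removal_password="replace-me").decode())
```

Running the script prints the XML profile. Two things are worth noticing in the output: an option you do not list never appears in the payload, which is how the default-allow rule above shows up on disk, and RemovalPassword is carried in clear text, so the generated file needs the same handling as any other credential.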

Advanced Restrictions

Restrictions on App Store

Restrict app installation to admin users (macOS 10.9+): When checked, only admin users can install apps from the App Store.
Restrict App Store to Software Updates only (macOS 10.10+): When checked, the user can open only the Updates tab of the App Store, which lists the available updates; they can install all updates at once or one at a time.

On macOS 10.14 and later, software updates are no longer delivered through the App Store; they are found under System Preferences > Software Update.

Disable App Store app adoption (macOS 10.10+): Check to prevent users from adopting (associating with their Apple ID) the bundled apps that came with the Mac, such as iLife and iWork.
Restrict App Store to apps installed via MDM and software updates only (macOS 10.11+): When checked, the App Store can be used only to update apps that were installed via MDM and to install Apple software updates.

Restrictions on Security and Privacy Settings

Autofill Passwords (macOS 10.14+): Disable to prevent users from filling saved passwords in Safari or in apps. Automatic Strong Passwords and strong password suggestions are disabled as well. Enabled by default.
Request passwords from nearby devices (macOS 10.14+): When enabled, Apple devices in close proximity can request a password saved on this Mac.
Share passwords via AirDrop Passwords feature (macOS 10.14+): Check to allow saved passwords to be shared with nearby devices over AirDrop.
App installation from: Chooses the sources from which apps may be installed (Gatekeeper). With Mac App Store and identified developers selected, apps from the App Store and apps signed by identified developers are allowed; otherwise only Mac App Store apps are.

This restriction binds only users without admin privileges. An admin user can override it and install apps from any source, and a standard user can do the same by authenticating with an administrator password when prompted. The restriction is therefore only as strong as the confidentiality of local admin credentials, so keep the number of local admin accounts on managed Macs to a minimum.
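Because unconfigured options stay permissive, it pays to check what a policy actually enforces rather than what the console displays. The script below is an added example, not Hexnode's code: it parses a configuration profile (a constructed sample standing in for one exported from a managed Mac, with placeholder identifiers) and compares the Advanced Restrictions payloads against a baseline, distinguishing a key set to a permissive value from a key that is absent altogether. Payload types and key names are from Apple's Configuration Profile Reference; the baseline values, and the assumption that the options above map to those keys, are this example's.

```python
import plistlib

# Constructed sample profile: what an export of a policy built in the console
# might look like. Not a real Hexnode export; identifiers are placeholders.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.advanced-restrictions</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>allowPasswordSharing</key><true/>
      <key>allowPasswordAutoFill</key><true/>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.appstore</string>
      <key>restrict-store-require-admin-to-install</key><true/>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.systempolicy.control</string>
      <key>EnableAssessment</key><true/>
      <key>AllowIdentifiedDevelopers</key><true/>
    </dict>
  </array>
</dict>
</plist>
"""

# Baseline: payload type -> {key: value the policy should enforce}. Key names
# follow Apple's Configuration Profile Reference; the values are this example's
# hardened choices, not a Hexnode recommendation.
BASELINE = {
    "com.apple.applicationaccess": {
        "allowPasswordSharing": False,            # Share passwords via AirDrop
        "allowPasswordProximityRequests": False,  # Request passwords from nearby devices
    },
    "com.apple.appstore": {
        "restrict-store-require-admin-to-install": True,  # admin-only App Store installs
        "restrict-store-disable-app-adoption": True,      # Disable App Store app adoption
    },
    "com.apple.systempolicy.control": {
        "EnableAssessment": True,            # Gatekeeper on
        "AllowIdentifiedDevelopers": False,  # App installation from: Mac App Store only
    },
}


def payloads_by_type(profile_bytes):
    """Index a profile's payload dictionaries by PayloadType."""
    by_type = {}
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        by_type.setdefault(payload["PayloadType"], {}).update(payload)
    return by_type


def audit(profile_bytes, baseline=BASELINE):
    """Return (payload_type, key, status, detail) per baseline key.

    status is 'ok', 'weak' (present but permissive) or 'missing' (absent, so
    the Mac keeps its default-allow behaviour and nothing is enforced).
    """
    found = payloads_by_type(profile_bytes)
    findings = []
    for ptype, expected in baseline.items():
        payload = found.get(ptype)
        for key, want in expected.items():
            if payload is None or key not in payload:
                findings.append((ptype, key, "missing", "not in profile; default stays permissive"))
            elif payload[key] != want:
                findings.append((ptype, key, "weak", f"set to {payload[key]!r}, baseline wants {want!r}"))
            else:
                findings.append((ptype, key, "ok", ""))
    return findings


def summarize(findings):
    """Count findings per status."""
    return {s: sum(1 for f in findings if f[2] == s) for s in ("ok", "weak", "missing")}


def gatekeeper_note(profile_bytes):
    """The caveat above: a Gatekeeper payload binds standard users only."""
    if "com.apple.systempolicy.control" in payloads_by_type(profile_bytes):
        return ("Gatekeeper source restriction applies to standard users only; an admin, "
                "or anyone holding an admin password, can still install from any source.")
    return None


if __name__ == "__main__":
    results = audit(SAMPLE_PROFILE)
    for ptype, key, status, detail in results:
        print(f"{status:8} {ptype}/{key} {detail}")
    print(summarize(results))
    print(gatekeeper_note(SAMPLE_PROFILE))
```

On the sample, "weak" findings are the two keys the policy sets permissively (password sharing and identified-developer installs), and "missing" findings are the two keys the policy never mentions; both kinds mean the feature is still allowed on the Mac, which is the distinction a console checkbox view does not make obvious.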

How to Associate the Policies to Devices/Groups?

There are two ways to associate a restriction policy with devices in bulk. The first is from within the policy configuration page: click Policy Targets > + Add Devices, select the devices the policy should apply to, and save the policy.

From the same tab you can also associate the policy with device groups, users, user groups and domains.

To associate devices after the restriction policy has been saved, check the policy, select Associate Targets from the Manage drop-down, and add the devices it should apply to.