How to set up macOS MDM Restrictions?

A restriction policy is pushed to devices to disable specific device and app features, so that your macOS fleet can be controlled efficiently. Restrictions are essential for keeping corporate data on the device from leaking by any route. Which restrictions can be configured depends on the license plan you have subscribed to and on the macOS version running on the device.

To set up restrictions for end users,

  1. Select Policies tab from the MDM console.
  2. Click on New Policy to create a new policy, or continue with an existing policy. Provide a suitable policy name and description if you are creating a new policy.
  3. Go to macOS and choose Restrictions or Advanced Restrictions.

Basic Restrictions

Restrictions on Device Functionality

Device Functionality
Restrictions Description
Auto-unlock with Apple Watch in proximity
(macOS 10.12+)
When an Apple Watch worn by the same user comes near the Mac, the Mac unlocks automatically without the user entering a password. A password is still required for the first unlock after the Mac is turned on.

By default, users are allowed to unlock their Mac with their Apple Watch.

Touch ID
(macOS 10.12.4+)
If unchecked, users cannot use Touch ID (their fingerprint) to unlock the device.
Definition lookup
(macOS 10.11.2+)
The definition lookup feature displays the definition of a highlighted word using the built-in dictionary.

Uncheck the option to disable definition lookup.

Restrictions on App Settings

App Settings
Restrictions Description
Stream using Music app
(macOS 10.12+)
Check this option to allow the Music app to stream music on the user's device.

Unchecking this option reverts the app to classic mode and disables music services.

Camera
(macOS 10.11+)
Disabling this denies access to the camera, whether directly or from another app. The camera app's icon is hidden as well.
Game Center
When this option is checked, Game Center is enabled.

When Game Center is allowed

Restrictions Description
Add friends in Game Center
When this option is unchecked, Game Center users cannot invite friends.
Game Center account modifications
When this option is unchecked, Game Center users cannot change their user name or password.
Multiplayer gaming
Uncheck this option to disable multiplayer gaming.

Restriction on App Store

App Store
Restrictions Description
Allow software update notifications only
(macOS 10.10+)
Software update notifications are disabled on the device when this option is unchecked.

Restriction on Security Settings

Security
Restrictions Description
Ask for password when removing policy
(macOS 10.11+)
When enabled, users are prompted for a password when they try to remove the policy from the device settings (System Preferences > Profiles). A 6-digit password is set by default; you can reset it whenever needed. Users must enter this password to remove the policy, so treat it as a secret: anyone who knows it can strip the restrictions from the device.

Restrictions on iCloud Services

iCloud Options
Restrictions Description
Back to My Mac
(below macOS 10.14)
Back to My Mac is a service that links Mac computers signed in to the same iCloud account. It lets users operate a remote Mac as if they were sitting at it, and drag files between the local and remote Macs.
Find My Mac
(macOS 10.12 to macOS 10.14.6)
If a Mac is lost or stolen, Find My Mac can locate it using location services, play a sound on it even when it is muted, or lock or wipe it remotely from the Find My Mac portal.
iCloud Mail
(macOS 10.12+)
iCloud Mail provides an email account for Apple Account holders; the user must set up an address on the icloud.com domain.

If disabled, the macOS Mail app will not sync with iCloud.

Calendar
(macOS 10.12+)
A calendar event created or deleted on the device is updated by iCloud on every device the user owns, and can be accessed even from a Windows PC.

If disabled, the macOS Calendar app will not sync with iCloud.

Reminder
(macOS 10.12+)
If checked, reminders sync between devices: a reminder created, modified or deleted on one device is updated on all of them.

Uncheck this option to prevent the macOS Reminders app from syncing with iCloud.

Address Book
(macOS 10.12+)
Syncs contacts between devices; a contact added on the Mac appears on the user's iPhone as well.

Uncheck this option to prevent the macOS Contacts app from syncing with iCloud.

Notes
(macOS 10.12+)
Changes to a note are reflected on all the user's devices via iCloud.

If disabled, notes on the macOS device will not sync with iCloud.

Auto-upload files in Desktop and Documents
(macOS 10.12.4+)
Automatically upload all files in the Desktop and Documents folders to iCloud.

If disabled, the documents and data in the Desktop and Documents folder will not sync with iCloud.

Sync bookmarks with iCloud
(macOS 10.12+)
A bookmark created in Safari on the device is stored in iCloud and on all the devices the user owns; deleting a bookmark propagates the same way.

If disabled, bookmarks on the macOS device will not sync with iCloud.

Document and key-value sync
(macOS 10.11+)
Changing an app's configuration on one device changes its configuration on the other devices the user owns.

If disabled, documents and key-value data will not sync with iCloud.

Sync passwords across devices
(macOS 10.12+)
Passwords used on the user's Apple devices are stored in iCloud and synced across all of those devices.

If disabled, passwords on the Apple device will not sync with iCloud.

Photo library
(macOS 10.12+)
Stores the photos from all of the user's devices in iCloud and makes them available wherever the user signs in with their iCloud credentials.

If unchecked, iCloud Photo Library is disabled and the device's photos are not synced to iCloud.

Advanced Restrictions

Restrictions on App Store

App Store
Restrictions Description
Restrict app installation to admin users
(macOS 10.9+)
When checked, only admin users can install apps from the App Store.
Restrict App Store to Software Updates only
(macOS 10.10+)
When this option is checked, the user can only access the Updates tab in the App Store. A list of available updates will be displayed. Users can either install all the updates at once or install individual updates.
Note:

On macOS 10.14+, software updates are not delivered through the App Store. Go to System Preferences > Software Update to download macOS updates.

Disable App Store app adoption
(macOS 10.10+)
Check this option to prevent users from adopting free store apps such as iLife and iWork.
Restrict App Store to apps installed via MDM and software updates only
(macOS 10.11+)
When this option is checked, the App Store can be used to update only those apps which are installed via MDM and Apple software updates.

Restrictions on Security and Privacy Settings

Security and Privacy Settings
Restrictions Description
Autofill Passwords
(macOS 10.14+)
Disable this option to prevent users from using saved passwords in Safari or in apps. Automatic Strong Passwords is also disabled, and strong password suggestions are blocked. Enabled by default.
Request passwords from nearby devices
(macOS 10.14+)
Disable this option to prevent devices in close proximity from requesting passwords from this Mac.
Share passwords via Airdrop Passwords feature
(macOS 10.14+)
Uncheck the option to disable password sharing via the AirDrop Passwords feature.
App installation from
Choose which sources the user may install apps from. When Mac App Store and identified developers is selected, apps downloaded from the App Store and from identified developers are allowed. Otherwise, only Mac App Store apps are allowed.
Note:

This restriction applies only to users without admin privileges. An admin user can override it and install apps from any source; a standard user can do so only by authenticating with an administrator password.
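The console settings described in the Basic and Advanced Restrictions sections above are delivered to the Mac as an Apple configuration profile, and the key security detail is polarity: an "allow" key that is simply absent from the profile leaves the feature enabled, so an unchecked box only counts if the profile actually carries the key. The following is an added example, not code from this page or from the MDM vendor: it assembles such a profile and audits an existing .mobileconfig for which of the page's restrictions are really enforced. The payload types and key names (com.apple.applicationaccess, com.apple.appstore, com.apple.systempolicy.control for the Gatekeeper "App installation from" setting, com.apple.profileRemovalPassword for "Ask for password when removing policy") are Apple's documented configuration-profile keys; the mapping from the console's checkbox labels onto those keys, the example.* identifiers and the build_profile / audit_profile names are this example's own assumptions. Labels whose key is not covered here (Game Center account modifications, software update notifications) are omitted.

```python
"""Build and audit a macOS Restrictions profile (.mobileconfig). Added example,
not the MDM vendor's code: payload types and keys are Apple's documented
configuration-profile keys; mapping the console's labels onto them is assumed."""
import plistlib
import uuid

# com.apple.applicationaccess "allow" keys. An absent key means allowed, so an
# unchecked box is enforced only if the profile writes the key as False.
ALLOW_KEYS = {
    "Auto-unlock with Apple Watch in proximity": "allowAutoUnlock",
    "Touch ID": "allowFingerprintForUnlock",
    "Definition lookup": "allowDefinitionLookup",
    "Stream using Music app": "allowMusicService",
    "Camera": "allowCamera",
    "Game Center": "allowGameCenter",
    "Add friends in Game Center": "allowAddingGameCenterFriends",
    "Multiplayer gaming": "allowMultiplayerGaming",
    "Back to My Mac": "allowCloudBTMM",
    "Find My Mac": "allowCloudFMM",
    "iCloud Mail": "allowCloudMail",
    "Calendar": "allowCloudCalendar",
    "Reminder": "allowCloudReminders",
    "Address Book": "allowCloudAddressBook",
    "Notes": "allowCloudNotes",
    "Auto-upload files in Desktop and Documents": "allowCloudDesktopAndDocuments",
    "Sync bookmarks with iCloud": "allowCloudBookmarks",
    "Document and key-value sync": "allowCloudDocumentSync",
    "Sync passwords across devices": "allowCloudKeychainSync",
    "Photo library": "allowCloudPhotoLibrary",
    "Autofill Passwords": "allowPasswordAutoFill",
    "Request passwords from nearby devices": "allowPasswordProximityRequests",
    "Share passwords via Airdrop Passwords feature": "allowPasswordSharing",
}
# com.apple.appstore keys have the opposite polarity: True means restricted.
APPSTORE_KEYS = {
    "Restrict app installation to admin users": "restrict-store-require-admin-to-install",
    "Restrict App Store to Software Updates only": "restrict-store-softwareupdate-only",
    "Disable App Store app adoption": "restrict-store-disable-app-adoption",
    "Restrict App Store to apps installed via MDM and software updates only":
        "restrict-store-mdm-install-softwareupdate-only",
}


def _payload(ptype, ident, settings):
    base = {"PayloadType": ptype, "PayloadVersion": 1, "PayloadIdentifier": ident,
            "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadDisplayName": ptype}
    return {**base, **settings}


def build_profile(disallowed, store_restricted, identified_devs=True, removal_password=None):
    """Return plist bytes. disallowed: ALLOW_KEYS labels the admin unchecked;
    store_restricted: APPSTORE_KEYS labels the admin checked. Unknown labels are an error."""
    unknown = (set(disallowed) - ALLOW_KEYS.keys()) | (set(store_restricted) - APPSTORE_KEYS.keys())
    if unknown:
        raise ValueError(f"no known profile key for {sorted(unknown)}")
    content = [
        _payload("com.apple.applicationaccess", "example.restrictions.apps",
                 {ALLOW_KEYS[label]: False for label in disallowed}),
        _payload("com.apple.appstore", "example.restrictions.appstore",
                 {APPSTORE_KEYS[label]: True for label in store_restricted}),
        # Gatekeeper: EnableAssessment forces the check; identified_devs=False means App Store only.
        _payload("com.apple.systempolicy.control", "example.restrictions.gatekeeper",
                 {"EnableAssessment": True, "AllowIdentifiedDevelopers": identified_devs}),
    ]
    if removal_password is not None:  # "Ask for password when removing policy"
        content.append(_payload("com.apple.profileRemovalPassword", "example.restrictions.removal",
                                {"RemovalPassword": removal_password}))
    return plistlib.dumps({
        "PayloadType": "Configuration", "PayloadVersion": 1, "PayloadScope": "System",
        "PayloadIdentifier": "example.restrictions", "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "macOS Restrictions (example)", "PayloadContent": content,
    })


def audit_profile(data):
    """Map every label to 'restricted', 'allowed (explicit)' or 'allowed (default)'.
    'allowed (default)' is the case to look for: the key never reached the device."""
    merged = {}
    for payload in plistlib.loads(data).get("PayloadContent", []):
        merged.setdefault(payload["PayloadType"], {}).update(payload)
    apps = merged.get("com.apple.applicationaccess", {})
    store = merged.get("com.apple.appstore", {})
    report = {}
    for label, key in ALLOW_KEYS.items():
        report[label] = ("allowed (default)" if key not in apps
                         else "restricted" if apps[key] is False else "allowed (explicit)")
    for label, key in APPSTORE_KEYS.items():
        report[label] = ("allowed (default)" if key not in store
                         else "restricted" if store[key] is True else "allowed (explicit)")
    gatekeeper = merged.get("com.apple.systempolicy.control", {})
    if gatekeeper.get("EnableAssessment") is not True:
        report["App installation from"] = "allowed (default)"
    else:
        report["App installation from"] = ("Mac App Store and identified developers"
                                           if gatekeeper.get("AllowIdentifiedDevelopers", True)
                                           else "Mac App Store only")
    report["Ask for password when removing policy"] = (
        "restricted" if "RemovalPassword" in merged.get("com.apple.profileRemovalPassword", {})
        else "allowed (default)")
    return report
```

Calling build_profile(["Camera", "Sync passwords across devices"], ["Restrict app installation to admin users"], identified_devs=False, removal_password="change-me") and feeding the bytes to audit_profile reports those three as restricted, Gatekeeper as "Mac App Store only", the removal password as set, and every other label as "allowed (default)". Run audit_profile against a profile exported from a managed Mac to confirm that what the console shows as unchecked was actually written into the payload, and never ship the default removal password: the profile carries it in clear text, and whoever knows it can remove the restrictions.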

How to Associate the Policies with Device/Groups?

There are two ways to associate a restriction policy with devices in bulk. The first is from within the policy configuration page, which is the recommended route if the policy has not been saved yet.

  1. Navigate to Policy Targets.
  2. Select the devices, device groups, users, user groups and domains you wish to associate the policy with.
  3. Click Save.

If you have saved your policy,

  1. Navigate to Policies.
  2. Search and select the policy.
  3. Click Manage > Associate Targets.
  4. Select the devices, device groups, users, user groups and domains you wish to associate the policy with.
  5. Click on Associate.