Category filter

How to set up macOS MDM Restrictions?

This article will guide you through enforcing MDM restrictions to control and manage macOS devices effectively.

An administrator can enforce several basic and advanced restrictions on the device, app, security, privacy, and many other settings. An ideal restriction policy ensures that corporate data and resources are protected from device misuse and other security threats. The device restrictions that can be configured depend on the license plan you’ve subscribed to and the macOS version.


macOS basic restrictions are available from the Ultimate pricing plan and the advanced restrictions are available only on the Ultra pricing plan.

To set up restrictions for the end-users,

  1. Select the Policies tab from the MDM console.
  2. Click on New Policy to create a new policy or continue with an existing policy. Provide a suitable policy name and description if you are creating a new policy.
  3. Head on to macOS and choose Restrictions/Advanced Restrictions.

Basic Restrictions

Enforce basic UEM restrictions on macOS devices

The basic restrictions have been grouped and divided into the following sections:

Restrictions on Device Functionality

Device Functionality
Restrictions Description
Auto-unlock with Apple Watch in proximity

(macOS 10.12+)

When a worn Apple Watch comes near a Mac of the same user, then the Mac will unlock automatically without requiring to enter a passcode. However, the first time the device is turned on, a passcode is required to unlock the device.

By default, users are allowed to unlock their Mac device with their Apple Watch.

Touch ID

(macOS 10.12.4+)

If unchecked, users cannot use their fingerprint to unlock their device.
Definition lookup

(macOS 10.11.2+)

Use the definition lookup feature to display the definition of a highlighted word with the help of a built-in dictionary.

Uncheck the option to disable definition lookup.

Restrictions on App Settings

App Settings
Restrictions Description
Stream using Music app

(macOS 10.12+)

Check this option to allow the Music app to stream music on the user’s device.

Unchecking this option reverts the app to classic mode and disables music services.


(macOS 10.11+)

Disabling will deny access to the camera either directly or from another app. The camera app’s icon will be hidden, as well.
Game Center When this option is checked, the game center is enabled.

When Game Center is allowed,

Restrictions Description
Add friends in Game Center When this option is unchecked, users of Game Center can’t invite friends.
Game Center account modifications When this option is unchecked, users of game center can’t change their user name or password.
Multiplayer gaming Uncheck this option to disable multiplayer gaming.

Restriction on App Store

App Store
Restrictions Description
Allow software update notifications only

(macOS 10.10+)

Software update notifications are disabled on the device when this option is unchecked.

Restriction on Security Settings

Restrictions Description
Ask for password when removing policy

(macOS 10.11+)

When enabled, users are prompted to enter a password while removing a policy from the device settings (System Preferences > Profiles). A 6-digit password is already set, but you can reset the password if needed. Users will be asked to enter this password while removing the policy.
Send diagnostics

(macOS 10.13+)

If unchecked, the device is prevented from automatically sending diagnostic reports to Apple.

Restrictions on iCloud Services

iCloud Options
Restrictions Description
Back to My Mac

(below macOS 10.14)

Back to My Mac is a service that can create a network of Mac computers with the same iCloud account. Back to My Mac allow users to use a remote Mac as if they were using it locally. Also, files can be dragged between the local and remote Macs.
Find My Mac

(macOS 10.12 to macOS 10.14.6)

If a Mac is stolen or lost, Find My Mac services can find it for you by locating it using location services, playing sound on the Mac even it is muted, or lock or wipe the device remotely from the Find My Mac portal.
iCloud Mail

(macOS 10.12+)

iCloud Mail service creates an email account for Apple Account holders. But you need to set up an email address with the domain.

If disabled, the macOS Mail app will not sync with iCloud.


(macOS 10.12+)

Create or delete a calendar event on your device, and iCloud updates it across every device you have. You can access it even from a Windows PC.

If disabled, the macOS Calendar app will not sync with iCloud.


(macOS 10.12+)

If checked, allow reminders to sync between devices. A reminder that is created, modified, or deleted is updated on all devices.

Uncheck this option to prevent the macOS Reminders app from syncing with iCloud.

Address Book

(macOS 10.12+)

Sync contacts between devices. A new contact on your Mac is added to your iPhone as well.

Uncheck this option to prevent the macOS Contacts app from syncing with iCloud.


(macOS 10.12+)

Changes to a note are reflected on all the devices via the iCloud server.

If disabled, the macOS device notes will not sync with iCloud.

Auto-upload files in Desktop and Documents

(macOS 10.12.4+)

Automatically upload all files in the Desktop and Documents folders to iCloud.

If disabled, the documents and data in the Desktop and Documents folder will not sync with iCloud.

Sync bookmarks with iCloud

(macOS 10.12+)

A new bookmark created with Safari is stored on the iCloud server as well as all the devices you own. Same with the case of deleting one.

If disabled, the macOS device bookmarks will not sync with iCloud.

Document and key-value sync

(macOS 10.11+)

Changing the app configuration on a device will change its configuration on the other devices you own.

If disabled, documents and key-values will not sync with iCloud.

Sync passwords across devices

(macOS 10.12+)

Passwords used on your Apple devices are stored on the iCloud and synced across all those devices.

If disabled, passwords on Apple devices will not sync with iCloud.

Photo library

(macOS 10.12+)

Store all photos across all your devices on the iCloud server and make them available wherever you log in with your iCloud credentials.

Unchecking this option will disable the photo library and prevents iCloud from syncing the device photos.

Advanced Mac Restrictions

Enforce advanced UEM restrictions on macOS devices

The advanced macOS restrictions include:

Restrictions on Device Functionality and Personalization Settings

Device Functionality and Personalization
Restrictions Description
Screen Capture

(macOS 10.14.4+)

Unchecking the option prevents users from taking screenshots or recording their device screens. This also disables the remote screen access in the Classroom app.

(macOS 10.13+ and Supervised macOS 10.14.4+)

AirDrop allows users to share files between their Mac and Apple devices using Wi-Fi and Bluetooth. Unchecking the option disables AirDrop on your devices.

Devices might require a restart for the restriction to take effect.

Wallpaper Modification

(macOS 10.13+ and Supervised macOS 10.14.4+)

Unchecking the option prevents users from changing their device wallpapers manually. This also prevents any wallpaper policy applied through Hexnode from taking effect.

The device may need to be restarted for the restriction to take effect.


(macOS 10.13+ and Supervised macOS 10.14.4+)

Dictation allows users to use voice inputs to enter text. Unchecking the option prevents the users from using Dictation.

You might need to restart the device for the restriction to take effect.


(macOS 10.15+)

Using Handoff, users can start something on a macOS device and continue it on another Apple device right from where one left off. Unchecking the option disables the use of Handoff on your macOS devices.

Device restart might be required for the restriction to take effect.

iTunes or Finder File Sharing

(macOS 10.13+)

Unchecking the option prevents file sharing to iOS devices via iTunes or Finder apps.
Show Web Results in Spotlight search

(macOS 10.11+)

Uncheck the option to block any web results from appearing while using Spotlight search, I.e., only the results available on the device will be listed.

Restrictions on App Store

App Store
Restrictions Description
Restrict app installation to admin users

(macOS 10.9+)

When checked, only admin users can install apps from the App store.
Restrict App Store to Software Updates only

(macOS 10.10+)

When this option is checked, the user can only access the Updates tab in the App Store. A list of available updates will be displayed. Users can either install all the updates at once or install individual updates.

On macOS 10.14+, software updates are not pushed through the App Store. Head onto System Preferences > Software Update to download the macOS software updates.

Disable App Store app adoption

(macOS 10.10+)

Check this option to prevent users from adopting iLife and iWork apps, such as iMovie, Numbers, Keynote, Pages, and GarageBand, that come free with their Macs.
Restrict App Store to apps installed via MDM and software updates only

(macOS 10.11+)

When this option is checked, the App Store can be used to update only those apps which are installed via MDM and Apple software updates.

Restrictions on Security and Privacy Settings

Security and Privacy Settings
Restrictions Description
Activation Lock

(macOS 10.15+ with Apple T2 security chip and enrolled via ABM/ASM)

Check this option to enable Activation Lock on the device. Activation Lock is a feature to lock your device from activating if it’s been lost, stolen, or reset. To enable Activation Lock, disable Find My Mac manually and enable it again for the restriction to take effect on the device.
Ensure that two-factor authentication is enabled for your Apple ID and leave Secure Boot enabled on its default setting, Full Security, with “Disallow booting from external media” selected under the External Boot section.
Passcode Modification

(macOS 10.13+ and Supervised macOS 10.14.4+)

Unchecking the option prevents adding, modifying or removing the device passcode.
Autofill Passwords

(macOS 10.14+)

Disable this option to prevent users from using saved passwords in Safari or apps. Automatic Strong Passwords will also be disabled, and strong password suggestions will be blocked. Enabled by default.
Request passwords from nearby devices

(macOS 10.14+)

Disable this option to prevent devices in close proximity from requesting passwords.
Share passwords via Airdrop Passwords feature

(macOS 10.14+)

Uncheck the option to disable password sharing via the Airdrop Passwords feature.
App installation from You can select the source from which a standard user can install apps on a Mac device. When the option ‘Mac App Store and identified developers’ is selected, apps from the App Store and identified developers could be installed. On the other hand, choosing the option ‘Mac App Store’ limits the app installation to store apps alone.

This restriction applies only to users without admin privileges. An admin user can override this restriction and install apps from any source. A standard user may be able to do so only if the user knows the administrator password to authenticate successfully.

Associate the Policies with Device/Groups?

There are two ways by which you can associate restrictions with the devices in bulk. The first option is from within the policy configuration page.

This method is recommended if the policy is yet to be saved.

  1. Navigate to Policy Targets.
  2. Select the devices, device groups, users, user groups, and domains you wish to associate the policy with.
  3. Click Save.

If you have saved your policy,

  1. Navigate to Policies.
  2. Search and select the policy.
  3. Click Manage > Associate Targets.
  4. Choose the target Devices/Users/Device Groups/User Groups/Domains with which you wish to associate the policy.
  5. Click on Associate.
  • Managing Mac Devices