How to set up macOS MDM Restrictions?

This article will guide you through enforcing MDM restrictions to control and manage macOS devices effectively.

An administrator can enforce several basic and advanced restrictions on the device, app, security, privacy, and many other settings. An ideal restriction policy ensures that corporate data and resources are protected from device misuse and other security threats. The device restrictions that can be configured depend on the license plan you’ve subscribed to and the macOS version.

Note: macOS basic restrictions are available from the Ultimate pricing plan, and the advanced restrictions are available only on the Ultra pricing plan.

To set up restrictions for the end-users,

  1. Select the Policies tab from the UEM console.
  2. Click on New Policy to create a new policy or continue with an existing policy. Provide a suitable policy name and description if you are creating a new policy.
  3. Go to macOS and choose Restrictions or Advanced Restrictions.

Basic Restrictions

Enforce basic UEM restrictions on macOS devices

The basic restrictions are grouped into the following sections:

Restrictions on Device Functionality

Auto-unlock with Apple Watch in proximity (macOS 10.12+)
  When a worn Apple Watch comes near a Mac belonging to the same user, the Mac unlocks automatically without requiring a passcode. However, the first time the device is turned on, a passcode is required to unlock it.
  By default, users are allowed to unlock their Mac with their Apple Watch.

Touch ID (macOS 10.12.4+)
  If unchecked, users cannot use their fingerprint to unlock their device.

Definition lookup (macOS 10.11.2+)
  Definition lookup displays the definition of a highlighted word using the built-in dictionary.
  Uncheck the option to disable definition lookup.

Universal control (macOS 13.0+)
  Universal Control lets users operate multiple Macs and iPads with a single keyboard, mouse, or trackpad. Unchecking this option prevents the specified Mac from using peripherals connected to other Macs and iPads, and prevents those devices from using the peripherals connected to the specified Mac.

USB restricted mode (Supervised macOS 13.0+)
  When this option is unchecked, new USB and Thunderbolt accessories, and SD cards, can connect without authorization.

Incoming AirPlay requests (Supervised macOS 12.3+)
  AirPlay lets users stream media across Apple devices on the same network. Unchecking this option blocks incoming AirPlay requests on the macOS device.

Allow personalized ads from Apple (macOS 12.0+)
  This option is enabled by default. Unchecking it restricts personalized ads from Apple on the device.

Install configuration profiles (Supervised macOS 13.0+)
  When this option is unchecked, users cannot interactively install configuration profiles and certificates on the device.

Enforce device only dictation (macOS 14.0+)
  This option is unchecked by default. Checking it prevents dictated content from being sent to Siri servers for processing.

Restrictions on App Settings

Stream using Music app (macOS 10.12+)
  Check this option to allow the Music app to stream music on the user’s device.
  Unchecking this option reverts the app to classic mode and disables music services.

Camera (macOS 10.11+)
  Disabling this option denies access to the camera, whether directly or from another app. The camera app’s icon is hidden as well.

Game Center
  When this option is checked, Game Center is enabled.

  When Game Center is allowed, the following can also be configured:

  Add friends in Game Center
    When this option is unchecked, Game Center users can’t invite friends.
  Game Center account modifications
    When this option is unchecked, Game Center users can’t change their username or password.
  Multiplayer gaming
    Uncheck this option to disable multiplayer gaming.

Restriction on App Store

Allow software update notifications only (macOS 10.10+)
  Software update notifications are disabled on the device when this option is unchecked.

Restriction on Security Settings

Ask for password when removing policy (macOS 10.11+)
  When enabled, users are prompted to enter a password when removing a policy from the device settings (System Preferences > Profiles). A 6-digit password is already set, but you can reset it if needed. Users will be asked to enter this password when removing the policy.

Send diagnostics (macOS 10.13+)
  If unchecked, the device is prevented from automatically sending diagnostic reports to Apple.

Timeout for fingerprint unlock (macOS 12.0+)
  After the specified time, users are prompted to authenticate with their passcode before they can use fingerprint unlock again. The interval can be configured in minutes or hours.

Restrictions on iCloud Services

Back to My Mac (below macOS 10.14)
  Back to My Mac is a service that creates a network of Mac computers signed in to the same iCloud account. It lets users use a remote Mac as if they were using it locally, and files can be dragged between the local and remote Macs.

Find My Mac (macOS 10.12 to macOS 10.14.6)
  If a Mac is stolen or lost, Find My Mac can locate it using location services, play a sound on the Mac even if it is muted, or lock or wipe the device remotely from the Find My Mac portal.

iCloud Mail (macOS 10.12+)
  The iCloud Mail service provides an email account for Apple Account holders, but you need to set up an email address on the icloud.com domain.
  If disabled, the macOS Mail app will not sync with iCloud.

Calendar (macOS 10.12+)
  Create or delete a calendar event on your device, and iCloud updates it across every device you have. You can access it even from a Windows PC.
  If disabled, the macOS Calendar app will not sync with iCloud.

Reminder (macOS 10.12+)
  If checked, reminders sync between devices: a reminder that is created, modified, or deleted is updated on all devices.
  Uncheck this option to prevent the macOS Reminders app from syncing with iCloud.

Address Book (macOS 10.12+)
  Syncs contacts between devices. A new contact on your Mac is added to your iPhone as well.
  Uncheck this option to prevent the macOS Contacts app from syncing with iCloud.

Notes (macOS 10.12+)
  Changes to a note are reflected on all devices via the iCloud server.
  If disabled, the device’s notes will not sync with iCloud.

Auto-upload files in Desktop and Documents (macOS 10.12.4+)
  Automatically uploads all files in the Desktop and Documents folders to iCloud.
  If disabled, the documents and data in the Desktop and Documents folders will not sync with iCloud.

Sync bookmarks with iCloud (macOS 10.12+)
  A new bookmark created in Safari is stored on the iCloud server and on all the devices you own; deleting a bookmark is propagated the same way.
  If disabled, the device’s bookmarks will not sync with iCloud.

Document and key-value sync (macOS 10.11+)
  Changing an app’s configuration on one device changes its configuration on the other devices you own.
  If disabled, documents and key-values will not sync with iCloud.

Sync passwords across devices (macOS 10.12+)
  Passwords used on your Apple devices are stored in iCloud and synced across all those devices.
  If disabled, passwords on Apple devices will not sync with iCloud.

Photo library (macOS 10.12+)
  Stores all photos from all your devices on the iCloud server and makes them available wherever you log in with your iCloud credentials.
  Unchecking this option disables the photo library and prevents iCloud from syncing the device’s photos.

Freeform services (macOS 14.0+)
  The Freeform app, together with iCloud, lets users create, edit, and collaborate on shared canvases. This option is enabled by default. Unchecking it disallows iCloud Freeform services on the device.

Restrictions on Finder Settings

Burn data to disk (macOS 10.7+)
  If enabled, the user can write or copy information to a CD/DVD.
  If disabled, users are prevented from writing information to a CD/DVD.
  Enabled by default.

Connect to local servers or on the internet (macOS 10.7+)
  If enabled, the user can view, select, or manually connect to servers on the local network or over the internet.
  If disabled, viewing, selecting, or manually connecting to servers on the local network or on the internet is prevented, and the Connect to Server option is removed from the Go menu.
  Enabled by default.

Eject mounted volumes (macOS 10.7+)
  If enabled, users can safely disconnect any mounted volumes (external hard drives, USB flash drives, SD cards, network drives) or media attached to the Mac.
  If disabled, the Eject option in the File menu is removed.
  Enabled by default.

Go to Folder (macOS 10.7+)
  If enabled, a user can open a folder or file by typing its path in the Go to Folder option under the Go menu. This is useful for finding hidden directories, system folders, or deeply nested files.
  If disabled, the Go to Folder option is removed.
  Enabled by default.

Show external hard disks on desktop (macOS 10.7+)
  Normally, whenever an external hard disk is connected to the device, its icon appears on the desktop.
  When this option is disabled, the icon is not displayed on the desktop, and the user cannot enable the External disks option under the General settings of Finder preferences/settings on the device.
  Enabled by default.

Show hard disk on desktop (macOS 10.7+)
  If enabled, the main internal hard drive is displayed as an icon on the desktop for quick access to the entire file system of the Mac, and the user cannot disable the Hard disk option under the General settings of Finder preferences/settings.
  Disabled by default.

Show mounted file servers on desktop (macOS 10.7+)
  If enabled, icons of connected network file servers appear on the desktop, and the user cannot disable the Connected servers option under the General settings of Finder preferences/settings.
  Disabled by default.

Show removable media items on desktop (macOS 10.7+)
  When enabled, icons of removable storage devices such as USB drives, external hard drives, and CDs/DVDs are displayed on the desktop when they are connected to the system.
  If disabled, the icons are not displayed, and the user cannot enable the CDs, DVDs, and iPods option under the General settings of Finder preferences/settings.
  Enabled by default.

Warn the user before emptying the trash (macOS 10.7+)
  To prevent unintentional deletion of files, a confirmation dialog appears when items are permanently removed from the trash.
  If disabled, the dialog does not appear, and the user cannot enable the Show warning before emptying the trash option under the Advanced settings of Finder preferences/settings.
  Enabled by default.

Note: The Burn data to disk, Connect to local servers or on the internet, Eject mounted volumes, and Go to Folder restrictions take effect only after the user logs out of the user account and logs in again, or when the system restarts.


Advanced Mac Restrictions

Policy for macOS advanced restrictions

The advanced macOS restrictions include:

Restrictions on Device Functionality and Personalization Settings

Screen Capture (macOS 10.14.4+)
  Unchecking the option prevents users from taking screenshots or recording their device screens. This also disables remote screen access in the Classroom app.

Remote Screen Observation (macOS 10.15+ and Supervised macOS 10.14.4+)
  This option is enabled by default. Unchecking it prevents remote screen observation from the Classroom app.

AirDrop (macOS 10.13+ and Supervised macOS 10.14.4+)
  AirDrop lets users share files between their Mac and other Apple devices using Wi-Fi and Bluetooth. Unchecking the option disables AirDrop on your devices.
  Note: Devices might require a restart for the restriction to take effect.

Wallpaper Modification (macOS 10.13+ and Supervised macOS 10.14.4+)
  Unchecking the option prevents users from changing their device wallpapers manually. This also prevents any wallpaper policy applied through Hexnode from taking effect.
  Note: The device may need to be restarted for the restriction to take effect.

Dictation (macOS 10.13+ and Supervised macOS 10.14.4+)
  Dictation lets users enter text by voice. Unchecking the option prevents users from using Dictation.
  Note: You might need to restart the device for the restriction to take effect.

Handoff (macOS 10.15+)
  With Handoff, users can start something on a macOS device and continue it on another Apple device from where they left off. Unchecking the option disables Handoff on your macOS devices.
  Note: A device restart might be required for the restriction to take effect.

iTunes or Finder File Sharing (macOS 10.13+)
  Unchecking the option prevents file sharing to iOS devices via the iTunes or Finder apps.

Show Web Results in Spotlight search (macOS 10.11+)
  Uncheck the option to block web results from appearing in Spotlight search, i.e., only results available on the device are listed.

Restrictions on App Store

Restrict app installation to admin users (macOS 10.9+)
  When checked, only admin users can install apps from the App Store.

Restrict App Store to Software Updates only (macOS 10.10+)
  When this option is checked, the user can only access the Updates tab in the App Store. A list of available updates is displayed, and users can install all the updates at once or install individual updates.
  Note: On macOS 10.14+, software updates are not pushed through the App Store. Go to System Preferences > Software Update to download macOS software updates.

Disable App Store app adoption (macOS 10.10+)
  Check this option to prevent users from adopting the iLife and iWork apps, such as iMovie, Numbers, Keynote, Pages, and GarageBand, that come free with their Macs.

Restrict App Store to apps installed via MDM and software updates only (macOS 10.11+)
  When this option is checked, the App Store can be used only to update apps that were installed via MDM and to apply Apple software updates.

Restrictions on Security and Privacy Settings

Activation Lock (macOS 10.15+ with Apple T2 security chip and enrolled via ABM/ASM)
  Check this option to enable Activation Lock on the device. Activation Lock prevents the device from being activated if it has been lost, stolen, or reset. To enable Activation Lock, disable Find My Mac manually and enable it again for the restriction to take effect on the device.
  Ensure that two-factor authentication is enabled for your Apple ID and leave Secure Boot at its default setting, Full Security, with “Disallow booting from external media” selected under the External Boot section.

Content caching (macOS 10.13+)
  Content caching stores frequently used data locally, reducing data usage and speeding up software installation on the device. If unchecked, the content caching service is disabled.

Erase all content and settings (macOS 12+)
  If this option is disabled, users cannot erase their device and reset it to its factory defaults, and the “Erase All Content and Settings” option in General > Transfer or Reset is disabled.

Passcode Modification (macOS 10.13+ and Supervised macOS 10.14.4+)
  Unchecking the option prevents adding, modifying, or removing the device passcode.

Autofill Passwords (macOS 10.14+)
  Disable this option to prevent users from using saved passwords in Safari or apps. Automatic Strong Passwords is also disabled, and strong password suggestions are blocked. Enabled by default.

Safari AutoFill (macOS 10.13+)
  If the option is left unchecked, Safari does not automatically fill in passwords, contact information, or credit card details. This setting also disallows the use of Keychain for auto-filling passwords.

Request passwords from nearby devices (macOS 10.14+)
  Disable this option to prevent devices in close proximity from requesting passwords.

Share passwords via AirDrop Passwords feature (macOS 10.14+)
  Uncheck the option to disable password sharing via the AirDrop Passwords feature.

Users can modify File Sharing settings (macOS 14+)
  Disabling this option prevents users from altering file sharing settings.

Users can modify Bluetooth Sharing settings (macOS 14+)
  Disabling this option restricts users from changing Bluetooth settings.

Users can modify Printer Sharing settings (macOS 14+)
  Disabling this option restricts users from modifying printer sharing settings.

Users can modify Internet Sharing settings (macOS 14+)
  Disabling this option restricts users from modifying Internet sharing settings.

Users can modify Remote Management Sharing settings (macOS 14+)
  Disabling this option restricts users from modifying Remote Desktop management settings.

Users can modify Remote Apple Events Sharing settings (macOS 14+)
  Disabling this option restricts users from modifying remote Apple events settings.

Users can modify an account (macOS 14+)
  Unchecking this option prohibits users from creating new accounts or modifying their username, password, or other associated account settings.

Users can modify Device Name (macOS 14+)
  Unchecking this option prevents users from altering the device name displayed in Settings > General > About.

Users can create local user accounts (macOS 14+)
  Disabling this option prevents administrators from creating new users in Users & Groups. However, new local user accounts can still be created directly from the Hexnode console.

Users can add or remove Touch ID/Face ID (macOS 14+)
  Unchecking this option prevents users from adding or removing existing Touch ID/Face ID information.

Users can modify Time Machine settings (macOS 14+)
  Disabling this option prevents users from setting up and using a Time Machine backup.

Users can modify Startup Disk settings (macOS 14+)
  Disabling this option restricts users from selecting a different startup disk.

App installation from
  Select the source from which a standard user can install apps on a Mac. When ‘Mac App Store and identified developers’ is selected, apps from the App Store and from identified developers can be installed. Choosing ‘Mac App Store’ limits app installation to store apps alone.
  Note: This restriction applies only to users without admin privileges. An admin user can override this restriction and install apps from any source. A standard user may be able to do so only if the user knows the administrator password to authenticate successfully.

Restrictions on Wi-Fi Settings

Enforce admin authorization when switching between Wi-Fi networks (macOS 10.9+)
  Enabling this option requires users to have administrative privileges to switch between Wi-Fi networks. Without admin authorization, users cannot change networks, even if the current connection is weak.

Enforce admin authorization to enable IBSS (macOS 10.9+)
  Checking this option requires administrative approval to enable IBSS (Independent Basic Service Set), which allows direct communication between devices without an access point.

Enforce admin authorization to turn Wi-Fi on/off (macOS 10.9+)
  Checking this option prevents users from toggling Wi-Fi on or off without admin permission.
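
Once a restrictions policy is pushed, the device receives it as a configuration profile, and it is worth verifying what that profile actually enforces rather than trusting the console checkboxes. The Python below is an added example (not Hexnode’s code) that parses an exported .mobileconfig and classifies the security-relevant restrictions from the tables above as enforced, explicitly permissive, or left at the OS default; it assumes the profile carries Apple’s standard com.apple.applicationaccess Restrictions payload, that the key names in CHECKS match Apple’s documented keys, and the sample profile is constructed.

```python
"""Audit which of the restrictions above a macOS Restrictions profile enforces."""
import plistlib

# Apple's Restrictions payload type (assumption: the UEM delivers this payload).
RESTRICTIONS_PAYLOAD = "com.apple.applicationaccess"

# Console restriction name -> (payload key, value that turns the restriction on).
# Key names are assumed from Apple's Restrictions payload documentation.
CHECKS = {
    "Screen Capture": ("allowScreenShot", False),
    "AirDrop": ("allowAirDrop", False),
    "USB restricted mode": ("allowUSBRestrictedMode", True),
    "Install configuration profiles": ("allowUIConfigurationProfileInstallation", False),
    "Erase all content and settings": ("allowEraseContentAndSettings", False),
    "Share passwords via AirDrop Passwords feature": ("allowPasswordSharing", False),
    "Auto-upload files in Desktop and Documents": ("allowCloudDesktopAndDocuments", False),
    "Enforce device only dictation": ("forceOnDeviceOnlyDictation", True),
}

def restriction_payloads(profile: bytes) -> list:
    """Return every Restrictions payload found in a .mobileconfig (plist bytes)."""
    plist = plistlib.loads(profile)
    content = plist.get("PayloadContent", [])
    return [p for p in content if isinstance(p, dict) and p.get("PayloadType") == RESTRICTIONS_PAYLOAD]

def audit_profile(profile: bytes) -> dict:
    """Classify each restriction in CHECKS as 'enforced', 'permissive' or 'default'."""
    merged = {}
    for payload in restriction_payloads(profile):
        merged.update(payload)  # a later payload overrides an earlier one
    report = {}
    for name, (key, enforced_value) in CHECKS.items():
        if key not in merged:
            report[name] = "default"      # key absent: permissive OS default applies
        elif merged[key] == enforced_value:
            report[name] = "enforced"     # restriction switched on in the profile
        else:
            report[name] = "permissive"   # key present but explicitly permissive
    return report

def not_enforced(report: dict) -> list:
    """Restrictions the profile leaves off, in a stable order for review."""
    return sorted(n for n, state in report.items() if state != "enforced")

# Constructed sample profile (placeholder identifiers, not a real export):
# three restrictions enforced, one explicitly permissive, the rest absent.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "example.restrictions",
    "PayloadUUID": "00000000-0000-4000-8000-000000000000",
    "PayloadVersion": 1,
    "PayloadContent": [{
        "PayloadType": RESTRICTIONS_PAYLOAD,
        "PayloadIdentifier": "example.restrictions.applicationaccess",
        "PayloadUUID": "00000000-0000-4000-8000-000000000001",
        "PayloadVersion": 1,
        "allowScreenShot": False,
        "allowAirDrop": False,
        "allowUSBRestrictedMode": True,
        "allowPasswordSharing": True,
    }],
})
EMPTY_PROFILE = plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": []})
```

Feed audit_profile the bytes of a profile exported from a managed Mac to audit a real device; anything reported as default or permissive is a restriction the policy has not actually switched on.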

Associate the Policies with Device/Groups?

There are two ways to associate restrictions with devices in bulk. The first is from within the policy configuration page.

This method is recommended if the policy is yet to be saved.

  1. Navigate to Policy Targets.
  2. Select the devices, device groups, users, user groups, and domains you wish to associate the policy with.
  3. Click Save.

If you have saved your policy,

  1. Navigate to Policies.
  2. Search and select the policy.
  3. Click Manage > Associate Targets.
  4. Choose the target Devices/Users/Device Groups/User Groups/Domains with which you wish to associate the policy.
  5. Click on Associate.