Configuring Restrictions for Mac (macOS) Devices
- 29 Aug 2024
- 4 Minutes to read
- Print
- PDF
Configuring Restrictions for Mac (macOS) Devices
- Updated on 29 Aug 2024
- 4 Minutes to read
- Print
- PDF
Article summary
Did you find this summary helpful?
Thank you for your feedback
Restrictions are a part of the Mac Device Profile that lets you control various settings and access controls on a managed macOS device. At a broader level, Scalefusion offers the following restrictions,
- Functionality: Control a variety of iCloud, passwords, and other functional features.
- Apps: Control the Application installation settings and choose an application policy to allow selected apps.
- Preferences (!): Enable or Restrict users access to the options in the System Preferences app.
- Media (!): Control the Media sharing options and Disk usage options.
- Sharing (!): Choose the sharing options that are allowed for the user.
Deprecated features
Following features have been deprecated and and cannot be controlled via MDM policies. As a result, they are denoted with a red icon in front of them:
Restriction Type | OS version |
Preferences | macOS 13 and later |
Media | macOS 11.0 and later |
Sharing | macOS 10.13 and later In case you have already configured these settings and want to revert to the original form of the Sharing menu on the device(s), please uncheck Enable Sharing Restrictions at the top of the page. |
Follow the steps below to configure these Restrictions,
- From the Device Profiles & Policies > Device Profiles section, Create a new profile or Edit an existing profile.
- Click on the Restrictions option to expand it.
- After configuring restrictions, click SAVE on the top right to save the changes to the device profile.
Functionality
This allows control of various features of a Mac device. The options are,Setting | Description |
Lock desktop picture | Enable if the user should be prevented from changing the desktop wallpaper. If Branding is set on the profile, then this setting will not work |
Desktop picture path | Works if the Lock desktop picture is enabled. Specify a local path on the Mac device. |
Allow use of Camera | Control if the user is allowed to use the integrated camera. |
Allow Apple Music | Control if the user is allowed to use the Apple Music services. |
Allow Spotlight Suggestions | Control if the Spotlight suggestions should be enabled or disabled. This will filter out the Search results from Spotlight. |
Allow Look Up | Enable or Disable Look Up-based suggestions in Safari. |
Allow Touch ID to unlock the device | Enable or Disable Touch ID to unlock the device. |
Allow password sharing | Control if password sharing needs to be disabled for all the applications, including Safari. |
Allow password Autofill | Control if password autofill needs to be disabled for all the applications, including Safari. |
Allow proximity based password sharing requests | Control if the password-sharing requests based on nearby devices should be allowed or not. |
Control if the password-sharing requests based on nearby devices should be allowed or not. | |
Allow iCloud Drive | Control if the users can use iCloud Drive and sync files. |
Allow iCloud Desktop & Documents | Control if the iCloud Desktop & Documents are allowed to sync. |
Allow iCloud Keychain | Control Keychain syncing to iCloud. |
Allow iCloud Mail | Allow iCloud Mail sync features. |
Allow iCloud Contacts | Control iCloud Contacts sync. |
Control iCloud Contacts sync. | Control iCloud Calendar sync feature. |
Allow iCloud reminders | Control iCloud Reminders sync feature. |
Allow iCloud bookmarks | Control if the iCloud bookmarks should be synced to Safari. |
Allow iCloud Notes | Control of iCloud Notes should be synced to the local Notes application. |
Activation Lock Settings | IT Admins can use these settings to manage Activation Lock (whether users can turn on Activation Lock or not) on the managed macOS devices. To know more about these settings please visit our guide here. |
Apps
This section offers controls on the applications and also allows applications. The options are,
- Basic Settings: This tab offers the following controls
Setting Description Allow use of Game Center Controls if the users are allowed to use the Game Center feature. Allow Software update Notifications Controls if the software update notifications should be shown or not. Allow App Store Adoption Enable/Disable App Store adoption by users. Require Admin Password to Install Apps Restricts App installation to admin users, and non-admin users need an admin password. This setting is deprecated as of macOS 10.14.Restrict App Store to MDM-installed apps and software updates Restricts App installation to the ones pushed via Scalefusion. Blocks the App Store completely. Allow Safari Autofill Enable/Disable the Safari Autofill feature. - Select Apps: This tab allows you to enable a list of allowed applications from a set of pre-installed applications. To configure the application policy, enable Select Applications, which are allowed to launch and select the applications from the list below.Application Policy or Blocking of apps works only for non-admin users. Excluding the applications that are allowed, all system and third-party applications, including the ones pushed from Scalefusion MDM, will be blocked.
Preferences
- The options are,The preferences restrictions have been deprecated starting macOS 13, and cannot be controlled via MDM policies.
- Restrict Items in System Preferences: Enable this if you want to control the items that the user can access in the System Preferences (Settings) app on the Mac device.
- Enable selected items: Choose this option if you want to enable the selected items from the list below.
- Disable selected items: Choose this option if you want to disable the selected items from the list below.
- System Preference Panes: Select the items that you want to control.Disabling the "Profiles" pane will not allow the user to remove the MDM management from the device. The only way to remove the management would be to delete the device from Scalefusion Dashboard, assuming that the device has internet.
Media
- This section allows you to control Media and Disk sharing options. The options are,
- Network Access: Control network sharing access options.
- AirDrop: Choose if AirDrop should be enabled for network media sharing
- Hard Disk Media Access: Access settings for hard disk media.
- External Hard Disks: Choose to Allow mounting of external HDD and enforce Read-Only mode.
- Disk Images: Choose to Allow mounting of a disk image and enforce Read-Only mode.
- DVD-RAM: Choose to Allow mounting of a DVD-RAM and enforce Read-Only mode.
- Disk Media Access: Select which media peripherals are allowed.
- Eject at Logout: Enforce the Eject of mounted media devices when the user logs out.
- Allow iTunes File Sharing: Enable/Disable iTunes-based file sharing.For the Media changes to take effect, the Media Drives need to be remounted, or the changes take effect on the next login.
- Network Access: Control network sharing access options.
Sharing
From this section, you can choose the options that should be available to the user in the Share menu. To do so,
- Put a check on Enable Sharing Restrictions
- Select services that should be available in the share menu from the following:
- Airdrop
- Mail
- Messages
- Notes
- Reminders
- Add to Reading List
- Add to Photos
- Add to Aperture
- Twitter
- Facebook
- LinkedIn
- Video Services - Flickr, Vimeo, Tudou and Youku
- Sina Weibo
- Airdrop
Was this article helpful?