Tags Guide Part V: macOS
Profile
Profiles for each device type are managed independently, allowing separate configuration and management of profiles per device type. When a device is provisioned, it receives the profile configuration that is current at the time of enrollment. When a profile is changed, the new configuration is delivered to new devices as well as to devices that are currently managed and/or blocked. Before changing any profile, verify that the settings are correct, because they are applied immediately to all applicable devices. Click the Save or Save & Close button at the bottom right of the screen to commit your changes before selecting another page.
Exchange ActiveSync
Setting | Options | Description |
---|---|---|
Exchange ActiveSync Settings | Enabled or Disabled | Enables the profile |
Label | e.g. Imagoverum Exchange or {firstname} | The label for the email account as it appears on the device. |
Server Name | e.g. outlook.office365.com | External Exchange ActiveSync address |
Past Days of Mail to Sync | | Period of mail to synchronize to the device |
Use SSL | Enabled or Disabled | If the URL of the external mail server is protected by an SSL certificate, enable Use SSL. |
Use oAuth | Enabled or Disabled | Enables OAuth authentication against identity providers in the native mail client |
Use Custom Username Variable | e.g. {CustLdapVar0} or support@imagoverum.com | Define a custom variable attribute for the username of the EAS profile. |
Use Custom Email Variable | e.g. {CustLdapVar0} or tim.tober@imagoverum.com | Define a custom variable attribute for the email address of the EAS profile. |
Use Custom Password Variable | e.g. {UserPassword} or Pa$$w0rd | Define a custom variable attribute for the email password of the EAS profile. |
Enterprise Certificate | Choose File | Upload a certificate for certificate-based authentication with a single certificate |
Certificate Password | e.g. Pa$$w0rd | Password for the certificate |
Path | | Specifies a different path for the Exchange client to connect to |
Port | | Specifies a different port for the Exchange client to connect to |
External Host | | If the external network address differs from the internal one, specify it here. This ensures the user can sync mail both in the office and at home when the URLs differ. |
External SSL | | Determines whether the external connection should use SSL |
External Port | | Sets the external TCP port the Exchange client should use |
External Path | | Sets the external path for the Exchange client |

Setting | Options | Description |
---|---|---|
Email Settings | Enabled or Disabled | Enables Email Settings |
Email Address | e.g. {UserEmail} or support@imagoverum.com | Defines the email address of the account |
User Display Name | e.g. {UserName} or Tim Tober | Defines the display name of the user for this email account |
Account Description | e.g. Imagoverum Mail | Defines the friendly name of this email account |
Account Type | | Toggles between IMAP and POP account types |
IMAP Path Prefix | e.g. INBOX | Defines where to look for mail |
Incoming Mail | | |
Incoming Mail Server | e.g. imap-mail.outlook.com or pop-mail.outlook.com | |
Incoming Mail Port | e.g. 995 | |
Incoming Mail Username | | |
Authentication | | |
Embed User Password | Enabled or Disabled | |
Use SSL | Enabled or Disabled | |
Outgoing Mail | | |
Outgoing Mail Server | e.g. imap-mail.outlook.com or pop-mail.outlook.com | |
Outgoing Mail Port | e.g. 995 | |
Outgoing Mail Username | | |
Authentication | | |
Embed User Password | Enabled or Disabled | |
Use SSL | Enabled or Disabled | |
Passcode
Setting | Options | Description |
---|---|---|
Passcode Settings | Enabled or Disabled | Enables Passcode Settings |
Allow Simple | Enabled or Disabled | Permits the use of repeating, ascending or descending characters |
Require Alpha Numeric | Enabled or Disabled | Requires the passcode to contain at least one letter |
Minimum Length | 4-19 | The smallest number of passcode characters allowed |
Minimum Complex Characters | 1-4 | Smallest number of non-alphanumeric characters allowed. If Allow Simple is enabled, this setting is disabled. |
Maximum Passcode Age (1-730 days or none) | 1-730 or empty | How often the passcode must be changed |
Auto-lock (minutes) | 2,5 | The device automatically locks after this period of inactivity |
Passcode History (1-50 passcodes, or none) | 1-50 or empty | Number of unique passcodes required before a passcode can be reused |
Grace Period for Device Lock | | Amount of time the device screen can sleep before the device locks |
Maximum Failed Attempts | 4-16 | Number of passcode entry attempts allowed before the device is reset to factory settings |
Screen Saver
This feature controls whether a password is required when the screen saver is unlocked or stopped; the password delay and the idle time before the screen saver starts can also be defined.
Screen Saver Module Path might only work on older devices, even though the setting is not officially deprecated by Apple.
Setting | Options | Description |
---|---|---|
Require Password | Enabled or Disabled | Defines whether the user is prompted for a password when the screen saver is unlocked or stopped. When you use this prompt, you must also provide Password Delay (in secs). Available in macOS 10.13 and later. |
Password Delay (in secs) | 1-2147483647 | Defines the number of seconds to delay before a password is required to unlock or stop the screen saver (the grace period). To use this option, Require Password must be enabled. A value of 2147483647 can be used to disable this requirement. Available in macOS 10.13 and later. |
Login Window Screen Saver Idle Time (in secs) | e.g. 0 | The number of seconds of inactivity before the screen saver activates. If nothing is specified, the default of 300 seconds (5 minutes) takes effect. (0 = never activate). |
Screen Saver Module Path | e.g. /System/Library/Screen Savers/Flurry.saver | The full path to the screen-saver module to use. Note that not all screen savers will work before login; this includes any feed, random, shuffle or non-Apple code-signed screen savers. |
Restrictions
Setting | Options | Requirement | Description |
---|---|---|---|
App Store & iTunes | | | |
Allow App Store App adoption | | | If true, disables app adoption by users. Available in macOS 10.10 and later. |
Allow iTunes File Sharing Services | | | If false, disables iTunes file sharing services. Available in macOS 10.13 and later. |
Require admin password to install or update apps | | | If true, an administrator password is required in order to update any apps. Deprecated in macOS 10.14; please use the Software Updates configuration instead. |
Restrict App Store to software updates only | | | If true, restricts app installations to software updates only. Available in macOS 10.10 and later. |
Classroom | | | |
Force Classroom Automatically Join Classes | | | If true, automatically gives permission to the teacher's requests without prompting the student. Requires a supervised device. Available in macOS 10.14.4 and later. |
Force Classroom Requests Permission to Leave Classes | | | If true, a student enrolled in an unmanaged course through Classroom requests permission from the teacher when attempting to leave the course. Requires a supervised device. Available in macOS 10.14.4 and later. |
Force Classroom Unprompted Apps and Device Lock | | | If true, allows the teacher to lock apps or the device without prompting the student. Requires a supervised device. Available in macOS 10.14.4 and later. |
Force Classroom Unprompted Screen Observation | | | If true and Allow Remote Screen Observation is also true, a student enrolled in a managed course via the Classroom app automatically gives permission to that course teacher's requests to observe the student's screen without prompting the student. Requires a supervised device. Available in macOS 10.14.4 and later. |
Game Center | | | |
Allow Game Center | | | If false, disables Game Center, and its icon is removed from the Home screen. Available in macOS 10.13 and later. |
Allow Game Center Account modification | | | If false, users of Game Center can't modify their user name or password. |
Allow Game Center Friends | | | If false, prohibits adding friends to Game Center. Available in macOS 10.13 and later. |
Allow Multiplayer Gaming | | | If false, prohibits multiplayer gaming. Available in macOS 10.13 and later. |
iCloud | | | |
Allow iCloud Address Book | | | If false, disables iCloud Address Book services. Available in macOS 10.12 and later. |
Allow iCloud Bookmarks | | | If false, disables iCloud Bookmark sync. Available in macOS 10.12 and later. |
Allow iCloud Calendar | | | If false, disables iCloud Calendar services. Available in macOS 10.12 and later. |
Allow iCloud Desktop and Documents | | | If false, disables cloud desktop and document services. Available in macOS 10.12.4 and later. |
Allow iCloud Document Sync | | | If false, disables document and key-value syncing to iCloud. Available in macOS 10.11 and later. |
Allow iCloud Keychain Sync | | | If false, disables iCloud Keychain synchronization. This restriction is deprecated on unsupervised devices and will be supervised only in a future release. Available in macOS 10.12 and later. |
Allow iCloud Mail Services | | | If false, disables iCloud Mail services. Available in macOS 10.12 and later. |
Allow iCloud Notes Services | | | If false, disables iCloud Notes services. Available in macOS 10.12 and later. |
Allow iCloud Photo Library | | | If false, disables iCloud Photo Library. Any photos not fully downloaded from iCloud Photo Library to the device are removed from local storage. Available in macOS 10.12 and later. |
Allow iCloud Reminder Services | | | If false, disables iCloud Reminder services. Available in macOS 10.12 and later. |
Security & Privacy | | | |
Allow Auto Unlock | | | If false, disallows auto unlock. Available in macOS 10.12 and later. |
Allow Diagnostic Data to be Sent to Apple | | | If false, prevents the device from automatically submitting diagnostic reports to Apple. Available in macOS 10.13 and later. Also available for user enrollment. |
Allow Fingerprint For Unlock | | | If false, prevents Touch ID or Face ID from unlocking a device. Available in macOS 10.12.4 and later. |
Allow Passcode Modification | | | If false, prevents the device passcode from being added, changed, or removed. Requires a supervised device. Available in macOS 10.13 and later. |
Allow Password AutoFill | | | If false, disables the AutoFill Passwords feature in iOS (with Keychain and third-party password managers), and the user isn't prompted to use a saved password in Safari or in apps. This restriction also disables Automatic Strong Passwords, and strong passwords are no longer suggested to users. It does not prevent AutoFill for contact info and credit cards in Safari. Requires a supervised device. Available in macOS 10.14 and later. |
Allow Password Proximity Requests | | | If false, disables requesting passwords from nearby devices. Requires a supervised device. Available in macOS 10.14 and later. |
Allow Password Sharing | | | If false, disables sharing passwords with the AirDrop Passwords feature. Requires a supervised device. Available in macOS 10.14 and later. |
Allow Spotlight Internet Results | | | If false, disables Spotlight Internet search results in Siri Suggestions. Available in macOS 10.11 and later. |
Allow Safari Autofill | | | If false, disables Safari AutoFill for passwords, contact info, and credit cards and also prevents the Keychain from being used for AutoFill. Third-party password managers are still allowed, and apps can use AutoFill. Available in macOS 10.13 and later. |
Sharing | | | |
Allow AirDrop Sharing | | | If false, AirDrop Sharing won't show up in the user's Share menu. Available in macOS 10.9 and later; deprecated in macOS 10.12. |
Allow Aperture Sharing | | | If false, Aperture Sharing won't show up in the user's Share menu. Available in macOS 10.9 and later; deprecated in macOS 10.12. |
Allow Content Caching | | | If false, disables content caching. Available in macOS 10.13 and later. |
Allow Facebook Sharing | | | If false, Facebook Sharing won't show up in the user's Share menu. Available in macOS 10.9 and later; deprecated in macOS 10.12. |
Allow Mail Sharing | | | If false, Mail Sharing won't show up in the user's Share menu. Available in macOS 10.9 and later; deprecated in macOS 10.12. |
Allow Messages Sharing | | | If false, Messages Sharing won't show up in the user's Share menu. Available in macOS 10.9 and later; deprecated in macOS 10.12. |
Allow Sina Weibo Sharing | | | If false, Sina Weibo Sharing won't show up in the user's Share menu. Available in macOS 10.9 and later; deprecated in macOS 10.12. |
Allow Twitter Sharing | | | If false, Twitter Sharing won't show up in the user's Share menu. Available in macOS 10.9 and later; deprecated in macOS 10.12. |
Allow Video Sharing | | | If false, Video Sharing won't show up in the user's Share menu. Available in macOS 10.9 and later; deprecated in macOS 10.12. |
System Preferences | | | |
Allow Appstore Preference | | | If false, the App Store preference pane in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
Allow Backup Preference | | | If false, the Backup preference pane in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
Allow Bluetooth Preference | | | If false, the Bluetooth preference pane in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
Allow CDs & DVDs Preference | | | If false, the CDs & DVDs preference pane in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
Allow Configuration Profiles Preference | | | If false, the Profiles preference pane in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
Allow Datetime Preference | | | If false, the Date & Time preference pane in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
Allow Desktop and Screen Saver Preference | | | If false, the Desktop & Screen Saver preference pane in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
Allow Displays Preference | | | If false, the Displays preference pane in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
Allow Dock Preference | | | If false, the Dock preference pane in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
Allow Energy Saver Preference | | | If false, the Energy Saver preference pane in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
Allow Extensions Preference | | | If false, the Extensions preference pane in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
Allow Fibrechannel Preference | | | If false, the Fibre Channel preference pane in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
Allow General Preference | | | If false, the General preference pane in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
Allow iCloud Preference | | | If false, the iCloud preference pane in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
Allow Ink Preference | | | If false, the Ink preference pane in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
Allow Internet Accounts Preference | | | If false, the Internet Accounts preference pane in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
Allow Keyboard Preference | | | If false, the Keyboard preference pane in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
Allow Language and Text Preference | | | If false, the Language & Region preference pane in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
Allow Mission Control Preference | | | If false, the Mission Control preference pane in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
Allow Mouse Preference | | | If false, the Mouse preference pane in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
Allow Network Preference | | | If false, the Network preference pane in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
Allow Notifications Preference | | | If false, the Notifications preference pane in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
Allow Parental Controls Preference | | | If false, the Parental Controls preference pane in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
Allow Printers and Scanners Preference | | | If false, the Printers & Scanners preference pane in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
Allow Security and Privacy Preference | | | If false, the Security & Privacy preference pane in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
Allow Sharing Preference | | | If false, the Sharing preference pane in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
Allow Software Update Preference | | | If false, the Software Update preference pane in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
Allow Sound Preference | | | If false, the Sound preference pane in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
Allow Speech Preference | | | If false, the Speech preference pane in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
Allow Spotlight Preference | | | If false, the Spotlight preference pane in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
Allow Startup Disk Preference | | | If false, the Startup Disk preference pane in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
Allow Trackpad Preference | | | If false, the Trackpad preference pane in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
Allow Universal Access Preference | | | If false, the Universal Access preference pane in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
Allow Users Preference | | | If false, the Users preference pane in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
Allow Xsan Preference | | | If false, the Xsan preference pane in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
System Settings | | | |
Allow Activity Continuation | | | If false, disables activity continuation. Available in macOS 10.15 and later. |
Allow AirDrop | | | If false, disables AirDrop. Available in macOS 10.13 and later. |
Allow Camera | | | If false, disables the camera, and its icon is removed from the Home screen. Users are unable to take photographs. This restriction is deprecated on unsupervised devices and will be supervised only in a future release. Available in macOS 10.11 and later. |
Allow Dictation | | | If false, disallows dictation input. Requires a supervised device. Available in macOS 10.13 and later. |
Allow Music Service | | | If false, disables the Music service, and the Music app reverts to classic mode. Requires a supervised device. Available in macOS 10.12 and later. |
Allow Screen Capture | | | If false, disables saving a screenshot of the display and capturing a screen recording. It also prevents the Classroom app from observing remote screens. Available in macOS 10.14.4 and later. Also available for user enrollment. |
Allow Remote Screen Observation | | | If false, disables remote screen observation by the Classroom app. If Allow Screen Capture is set to false, the Classroom app doesn't observe remote screens. Required a supervised device until macOS 10.15. Available in macOS 10.14.4 and later. |
Allow Wallpaper Modification | | | If false, prevents the wallpaper from being changed. Requires a supervised device. Available in macOS 10.13 and later. |
Virtual Private Network
General
Setting | Options | Description |
---|---|---|
VPN Settings | Enabled or Disabled | Enables VPN Settings |
VPN Type | | Type of connection enabled by this policy. The corresponding application(s) must be installed on the device. |
Connection Name | e.g. Imagoverum VPN | Display name of the connection as shown on the device |
Server Address | e.g. vpn.imagoverum.com | Host name or IP address of the server |
Authentication Type | | Authentication type for the connection. Selecting Certificate requires a Certificate Authority integration. |
Cache user password | Enabled or Disabled | Silverback will use the user password captured during enrollment for authentication |
App specific settings
Setting | Options | Description |
---|---|---|
Cisco AnyConnect | | |
Group | e.g. Mobile Device Users | Group for authenticating the connection |
Juniper SSL | | |
Realm | e.g. Mobile Users | Realm for authenticating the connection |
Role | e.g. Mobile Device Users | Role for authenticating the connection |
Custom SSL | | |
Identifier | e.g. com.imagoverum.intranet | Identifier for the custom SSL VPN in reverse DNS format |
SonicWall Mobile Connect | | |
Login Group or Domain | e.g. CORP | Login group or domain for authenticating the connection. |
IPSec (Cisco) with Certificate | | |
Include User PIN | Enabled or Disabled | Requests the PIN during connection and sends it with the authentication. *Only available if Certificate is selected as Authentication Type |
Group Name | e.g. mygroup1 | Group identifier for the connection. *Only available if Certificate is selected as Authentication Type |
Shared Secret | e.g. v+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL | Shared secret for the connection. *Only available if Certificate is selected as Authentication Type |
Use Hybrid Authentication | Enabled or Disabled | Authenticates using secret, name, and server-side certificate. *Only available if Certificate is selected as Authentication Type |
Prompt for Password | Enabled or Disabled* | Prompts the user for the password on the device |
Custom SSL | | |
Custom Data | | Keys and string values for custom data |
VPN specific settings
Setting | Options | Description |
---|---|---|
VPN On Demand | | |
Enable VPN on Demand | Enabled or Disabled | Add domains and host names that will establish a VPN connection |
Match Domain or Host | | Define the matching domains or host names that use VPN on Demand |
On Demand Action | | Defines the VPN behavior for the specified domains or host names. Always establish: the specified domains will trigger a VPN connection. Establish if needed: the specified domains should trigger a VPN connection attempt. Never establish: the specified domains will neither trigger a VPN connection nor be accessible through an existing VPN connection. |
Wi-Fi
Silverback can pre-populate multiple Wi-Fi settings on your devices, so users do not need to know the passwords for these networks themselves.
- Click New WiFi profile
Setting | Options | Description |
---|---|---|
Wi-Fi Settings | Enabled or Disabled | Enables the sending of Wi-Fi settings |
SSID | e.g. Corporate Wi-Fi | Service Set Identifier of the wireless network |
Security Type | | Defines the wireless network encryption used |
Hidden Network | Enabled or Disabled | Enable if the target network is hidden (its SSID is not broadcast) |
Automatically Join | Enabled or Disabled | The device will automatically join the Wi-Fi network |
Password | e.g. Pa$$w0rd | Password for authenticating to the wireless network |
Proxy (WEP Enterprise & WPA2 Enterprise & Any Enterprise Only) | | |
Protocols | | Defines the protocol used by the encryption type and the PAC configuration |
Authentication | | Defines the authentication mechanism used |
Trust | | Defines the trusted certificates |
Proxy | | Ensures the device talks to the required proxy |
Firewall
The macOS firewall can be set up to prevent unauthorized applications, programs and services from accepting incoming connections. The configuration is supported from macOS Sierra and newer (10.12+).
Setting | Options | Description |
---|---|---|
Firewall Settings | Enabled or Disabled | Enables the firewall profile configuration. If no other values are defined, it prevents the user from making manual changes to the firewall settings on the device. |
Enable Firewall | Enabled or Disabled | Specifies whether the firewall should be enabled. If true, the firewall will be enabled. Signed software and system services will receive incoming connections by default unless explicitly blocked through Application Access. |
Block All Incoming Connections | Enabled or Disabled | If enabled, the firewall will be configured to block all incoming connections by default. |
Enable Stealth Mode | Enabled or Disabled | If you're concerned about security, you can use stealth mode to make it more difficult for hackers and malware to find your Mac. When stealth mode is turned on, your Mac does not respond to ping requests and does not answer connection attempts to closed TCP or UDP ports. |
Applications Access | | |
Bundle Identifier | e.g. com.shazam.mac.Shazam | With Application Access you determine the list of apps whose connections are controlled by the firewall. Add a list of applications by their unique Bundle ID. |
Incoming Connection | Enabled or Disabled | If enabled, incoming connections for the specified application will be accepted. If disabled, incoming connections will be denied. |
FileVault
FileVault full-disk encryption uses XTS-AES-128 encryption with a 256-bit key to help prevent unauthorized access to the information on your startup disk. When FileVault is turned on, macOS devices always require users to log in with an account password. The encryption occurs in the background and only while the device is awake and plugged in to AC power. Users or administrators can check the progress in the FileVault section of the Security & Privacy preferences. Any new files that are created are automatically encrypted as they are saved to the startup disk. If a user loses or forgets their account password, the device can be recovered by resetting the password with the Reset Password assistant and the user's Recovery Key. Administrators will see the corresponding Recovery Key in the device information under the Security Information section. Because a user's personal recovery key may change during the device lifecycle, a Recovery History is saved and can be revealed by administrators. Each reveal action creates an entry in the Audit Logs.
Setting | Options | Description |
---|---|---|
Enable FileVault | Enabled or Disabled | Forces the users to encrypt the assigned devices |
Profile Name | e.g. Silverback FileVault | Display name for the profile on the assigned device. |
Location | e.g. The Key will be represented to your Administrator in case you will forget your macOS Password. | The description of the location where the recovery key will be escrowed. This text is inserted into the message the user sees when enabling FileVault manually. You can use this |
Bypassed allowed | | The maximum number of times users can bypass enabling FileVault before being required to enable it to log in. |
Request encryption during logout | Enabled or Disabled | If disabled, prevents additional requests to enable FileVault at user logout time. |
Show recovery key to user | Enabled or Disabled | If disabled, prevents the personal recovery key from being displayed to the user after FileVault is enabled. |
If the profile is applied and the user tries to enable FileVault manually, the process fails with the error: The operation couldn't be completed. com.apple.OpenDirectory error 5103
System Extensions
With macOS Catalina, Apple took a step toward modernizing and improving the security and reliability of macOS by providing a better architecture for kernel extensions and drivers. The outcome is a separation between System Extensions (macOS 10.15+) and Kernel Extensions. System extensions on macOS Catalina and later allow software such as network extensions and endpoint security solutions to extend the functionality of macOS without requiring kernel-level access. System extensions are divided into Driver, Network, and Endpoint Security extensions. They run in user space, where they can't compromise the security or stability of macOS. Once installed, an extension is available to all users on the system and can perform tasks previously reserved for kernel extensions.
How to configure
- Enable System Extensions
- Enter a Profile name, e.g. Silverback System Extensions
- Enable Allow users to approve System Extensions (optional)
- Right Click System Extensions
- Select + Add Team ID
- Enter the display name for the Team ID
- Enter the Team ID
- Select allowed System Extensions type
- Click OK
Please note that for a specified Team ID without Bundle ID nodes, all validly signed system extensions from that team will be allowed to load on the device.
- Right click the newly added Team ID
- Select +Add BundleID
- Enter the display name for the System Extension
- Enter the Bundle ID of the System Extension
- Press OK
How to obtain
- To start, you can obtain a list of the system extensions present on the machine via Terminal
- On your macOS device, open Terminal
- Run the following command
systemextensionsctl list
- The outcome provides the following information
enabled active teamID bundleID (version) name [state]
Kernel Extensions
In general, applications such as antivirus software, firewalls, VPN clients and USB drivers install kernel or system extensions to extend the native capabilities of the macOS operating system. These applications gain access to OS features that applications without extensions cannot reach. Apple announced plans to deprecate macOS kernel extensions and replace them with macOS system extensions to modernize the platform, improve security and reliability, and enable more user-friendly distribution methods. Apple's first step toward that was the introduction of system extensions in macOS Catalina.
Future OS releases will no longer load kernel extensions that use deprecated KPIs by default.
How to configure
- Enable Kernel Extensions
- Enter a Profile name, e.g. Silverback Kernel Extensions
- Enable Allow users to approve Kernel Extensions (optional)
- Right Click Kernel Extensions
- Select + Add Team ID
- Enter the display name for the Team ID
- Enter the Team ID
- Press OK
Please note that for a specified Team ID without Bundle ID nodes, all validly signed kernel extensions from that team will be allowed to load on the device.
- Right click the newly added Team ID
- Select +Add BundleID
- Enter the display name for the Bundle ID
- Enter the Bundle ID
- Press OK
How to obtain
- On your macOS device, open Terminal
- To obtain the Team ID, proceed with the following
sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy
- Once done, type:
SELECT * FROM kext_policy;
You will see the Team ID and bundle ID of each individual extension, and the display name of the developer. Note down the Team ID (the first item); you will need the IDs of all the extensions you wish to whitelist.
- To list all Kernel Extensions, enter the following
kextstat
- To list all installed third party extensions
kextstat | grep -v com.apple
- To find the Kernel Extensions Folder
cd /System/Library/Extensions/
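The two "How to obtain" procedures above (systemextensionsctl list for system extensions, the kext_policy query for kernel extensions) both end with an administrator transcribing Team IDs and Bundle IDs by hand. The following added example (not part of the Silverback guide or product) parses constructed samples of both outputs into the Team ID to Bundle ID tree the profile expects, drops extensions that are not enabled or allowed, and flags Team IDs that would be added without Bundle ID nodes, which the guide notes allows every validly signed extension from that team. The Team IDs, bundle IDs and the assumed kext_policy column order (team_id|bundle_id|allowed|developer_name|flags) are placeholders and assumptions, not values from the page.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of `systemextensionsctl list`: tab-separated columns
# (enabled, active, teamID, bundleID (version), name, [state]) grouped per
# extension category. Team IDs and bundle IDs are fake placeholders.
SYSEXT_SAMPLE = (
    "2 extension(s)\n"
    "--- com.apple.system_extension.endpoint_security\n"
    "enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n"
    "*\t*\tTEAMID0001\tcom.example.edr.sysext (3.2.0/320)\tExample EDR\t[activated enabled]\n"
    "--- com.apple.system_extension.network_extension\n"
    "enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n"
    "*\t*\tTEAMID0002\tcom.example.vpn.tunnel (1.4.1/141)\tExample VPN Tunnel\t[activated enabled]\n"
    "\t\tTEAMID0003\tcom.example.filter.dns (0.9/9)\tOld DNS Filter\t[terminated waiting to uninstall on reboot]\n"
)

# Constructed sample of `SELECT * FROM kext_policy;` in sqlite3's default
# '|'-separated output. Assumed column order: team_id|bundle_id|allowed|developer_name|flags.
KEXT_SAMPLE = (
    "TEAMID0001|com.example.edr.kext|1|Example Security Inc.|1\n"
    "TEAMID0004|com.example.usb.driver|1|Example Peripherals Ltd.|8\n"
    "TEAMID0004|com.example.usb.helper|0|Example Peripherals Ltd.|8\n"
)


@dataclass(frozen=True)
class Extension:
    kind: str        # "system" (systemextensionsctl) or "kernel" (kext_policy)
    team_id: str
    bundle_id: str
    name: str        # extension name for sysexts, developer name for kexts
    category: str    # sysext category suffix, e.g. endpoint_security; "" for kexts
    enabled: bool    # sysext "enabled" column, or the kext_policy allowed flag


_BUNDLE_VER = re.compile(r"^(?P<bundle>\S+) \((?P<version>[^)]*)\)$")


def parse_systemextensionsctl(text: str) -> list[Extension]:
    """Turn `systemextensionsctl list` output into Extension records."""
    found: list[Extension] = []
    category = ""
    for line in text.splitlines():
        if line.startswith("--- "):
            # "--- com.apple.system_extension.endpoint_security" -> "endpoint_security"
            category = line[4:].rsplit(".", 1)[-1]
            continue
        if not line.strip() or line.startswith("enabled") or line.endswith("extension(s)"):
            continue  # blank, column header, or the leading count line
        cols = line.split("\t")
        if len(cols) < 6:
            continue  # not a data row
        match = _BUNDLE_VER.match(cols[3].strip())
        bundle = match.group("bundle") if match else cols[3].strip()
        found.append(Extension("system", cols[2].strip(), bundle, cols[4].strip(),
                               category, cols[0].strip() == "*"))
    return found


def parse_kext_policy(text: str) -> list[Extension]:
    """Turn kext_policy rows into Extension records; allowed=1 maps to enabled."""
    found: list[Extension] = []
    for line in text.splitlines():
        cols = line.split("|")
        if len(cols) < 4 or not cols[0].strip():
            continue
        found.append(Extension("kernel", cols[0].strip(), cols[1].strip(),
                               cols[3].strip(), "", cols[2].strip() == "1"))
    return found


def build_allowlist(extensions: list[Extension],
                    team_wide: frozenset[str] | set[str] = frozenset()) -> dict[str, set[str]]:
    """Group enabled/allowed extensions by Team ID, mirroring the Team ID ->
    Bundle ID tree in the profile. Team IDs in `team_wide` get no Bundle ID
    nodes, i.e. the team-wide allow the guide warns about."""
    allow: dict[str, set[str]] = {}
    for ext in extensions:
        if not ext.enabled:
            continue  # terminated sysexts / kexts with allowed=0 are not whitelisted
        bundles = allow.setdefault(ext.team_id, set())
        if ext.team_id not in team_wide:
            bundles.add(ext.bundle_id)
    for team in team_wide:
        allow.setdefault(team, set())
    return allow


def team_wide_entries(allow: dict[str, set[str]]) -> list[str]:
    """Team IDs that carry no Bundle ID nodes, so a reviewer can confirm each one."""
    return sorted(team for team, bundles in allow.items() if not bundles)


if __name__ == "__main__":
    found = parse_systemextensionsctl(SYSEXT_SAMPLE) + parse_kext_policy(KEXT_SAMPLE)
    tree = build_allowlist(found, team_wide={"TEAMID0002"})
    for team, bundles in sorted(tree.items()):
        print(team, sorted(bundles) or "(team-wide: every validly signed extension)")
    print("review team-wide entries:", team_wide_entries(tree))
```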
Privacy Preference
Privacy Preference settings allow administrators to predefine approvals or denials for device feature requests from applications. On macOS devices, apps and processes often prompt users to allow or deny access to the camera, microphone, files, calendars and address books. Use this ability to manage data access consent on behalf of your users and to overrule previous decisions made by users. Privacy Preferences are supported in macOS Mojave (10.14+) and later.
Click New Privacy Preference Profile to control data access on a per-app basis.
Setting | Options | Description |
---|---|---|
Name | e.g. Skype | Application Name |
Identifier Type | BundleID or Path | Select here either BundleID or Path, depending on whether the identifier refers to an app bundle or to the binary |
Identifier | e.g. com.skype.skype | The bundle ID or installation path of the binary. |
Code Requirement | e.g. identifier "com.skype.skype" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = AL798K98FX | Provide here the Code Requirement of the application. This is obtained via the codesign command. Open Terminal on your Mac and run codesign -dr - /Applications/Skype.app to get the Code Requirement for Skype |
Static Code Validation | Enabled or Disabled | Optional; if enabled, statically validates the code requirement of the app or service on disk. Used only if the process invalidates its dynamic code signature. |
Access Permissions | ||
Accessibility | | Controls the access permissions for the app via the Accessibility subsystem. |
Address Book | | Controls the access permissions for contact information managed by the Contacts.app |
Calendar | | Specifies the policies for calendar information managed by the Calendar.app. |
Camera | | Controls the access permissions to the system camera. Access to the camera can only be denied. |
File Provider Presence | | Controls the access permissions to File Provider Presence. This allows a File Provider application to know when the user is using files managed by the File Provider. |
Listen Event | | Controls the permissions to allow the application to use Core Graphics and HID APIs to listen to and receive CGEvents and HID events from all processes. Access to these events can only be denied. |
Media Library | | Controls the permissions to allow the application to access Apple Music, music and video activity, and the media library. |
Microphone | | Controls the access permissions to the system microphone. Access to the microphone can only be denied. |
Photos | | Controls the access permissions to the pictures managed by the Photos app in ~/Pictures/.photoslibrary. |
Post Event | | Specifies the access permissions for the application to use Core Graphics APIs to send CGEvents to the system event stream. |
Reminders | | Specifies the policies for reminders information managed by the Reminders app. |
Screen Capture | | Controls the access permissions for the application to capture the contents of the system display. Access to the display contents can only be denied. |
Speech Recognition | | Controls the access permission for the application to use the system Speech Recognition facility and to send speech data to Apple. |
System Policy All Files | | Controls the application's access to all protected files, including system administration files. |
System Policy Desktop Folder | | Controls the application's access to files in the user's Desktop folder. |
System Policy Documents Folder | | Controls the application's access to files in the user's Documents folder. |
System Policy Download Folder | | Controls the application's access to files in the user's Downloads folder. |
System Policy Network Volumes | | Controls the application's access to files on network volumes. |
System Policy Removable Volumes | | Controls the application's access to files on removable volumes. |
System Policy Sys Admin Files | | Controls the application's access to some files used in system administration. |
Apple Events | ||
Identifier Type | BundleID or Path | Depending on the application, workflows may need to be approved for the application to communicate with built-in applications and services via the Apple Event service. Select here either BundleID or Path to control the desired Apple Event |
Identifier | e.g. com.apple.systemevents | Provide here the bundle ID or installation path of the Apple Event receiver. The example shows the Identifier for System Events |
Code Requirement | e.g. identifier "com.apple.systemevents" and anchor apple | Provide here the Code Requirement of the receiving application. This is obtained via the codesign command. The example shows the Code Requirement for System Events |
Process Access | Enabled or Disabled | Defines whether the Privacy Preference controlled application is granted or denied access to the Apple Event |
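The settings above correspond to Apple's PPPC payload (com.apple.TCC.configuration-profile-policy). The following added example, which is not Silverback code, builds such a payload in Python with plistlib from the Skype identifier and Code Requirement shown on this page, extracts the Team ID from the requirement's subject.OU clause, adds an Apple Events entry for System Events, and refuses an Allow entry for the services the table says can only be denied. The payload key names are Apple's; the boolean Allowed form (macOS 10.14/10.15) and the PayloadIdentifier strings are assumptions.

```python
import plistlib
import re
import uuid
from typing import Dict, List, Optional

# Services this page says a profile can only deny; an "Allow" entry for them
# does nothing (the user still has to grant access), so the builder refuses it.
DENY_ONLY_SERVICES = {"Camera", "Microphone", "ScreenCapture", "ListenEvent"}

# Values taken from the Skype example on this page.
SKYPE_ID = "com.skype.skype"
SKYPE_REQ = ('identifier "com.skype.skype" and anchor apple generic and '
             'certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and '
             'certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and '
             'certificate leaf[subject.OU] = AL798K98FX')

def team_id_from_requirement(req: str) -> Optional[str]:
    """Extract the Team ID from the `certificate leaf[subject.OU]` clause."""
    m = re.search(r'leaf\[subject\.OU\]\s*=\s*"?([A-Z0-9]{10})"?', req)
    return m.group(1) if m else None

def invalid_allows(services: Dict[str, bool]) -> List[str]:
    """Requested services that a profile cannot grant, only deny."""
    return sorted(s for s, allowed in services.items()
                  if allowed and s in DENY_ONLY_SERVICES)

def build_pppc_profile(app_id: str, app_req: str, services: Dict[str, bool],
                       apple_events=()) -> dict:
    """Assemble the profile dict; apple_events is (receiver id, receiver req, allowed)."""
    bad = invalid_allows(services)
    if bad:
        raise ValueError(f"profile cannot grant {bad}; only Deny is honoured")
    base = {"Identifier": app_id, "IdentifierType": "bundleID",
            "CodeRequirement": app_req, "StaticCode": False}
    svc = {name: [dict(base, Allowed=allowed)] for name, allowed in services.items()}
    for receiver_id, receiver_req, allowed in apple_events:
        svc.setdefault("AppleEvents", []).append(dict(
            base, Allowed=allowed, AEReceiverIdentifier=receiver_id,
            AEReceiverIdentifierType="bundleID", AEReceiverCodeRequirement=receiver_req))
    payload = {"PayloadType": "com.apple.TCC.configuration-profile-policy",
               "PayloadIdentifier": f"pppc.{app_id}",  # assumed naming scheme
               "PayloadDisplayName": f"PPPC {app_id}", "PayloadVersion": 1,
               "PayloadUUID": str(uuid.uuid5(uuid.NAMESPACE_DNS, app_id)),
               "Services": svc}
    return {"PayloadType": "Configuration", "PayloadScope": "System",
            "PayloadVersion": 1, "PayloadDisplayName": f"PPPC {app_id}",
            "PayloadIdentifier": f"pppc.{app_id}.profile",
            "PayloadUUID": str(uuid.uuid5(uuid.NAMESPACE_DNS, app_id + ".profile")),
            "PayloadContent": [payload]}

def to_mobileconfig(profile: dict) -> bytes:
    """Serialise as the XML plist that a *.mobileconfig upload expects."""
    return plistlib.dumps(profile)
```

The resulting bytes can be written to a .mobileconfig file and imported via the Custom Profiles page described further below.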
Software Updates
Provides the capability to control Software Updates settings on macOS devices.
To check whether the settings have been applied, navigate either to System Preferences > Software Update > Advanced or to System Preferences > Profiles > Device Profiles and review your applied profile.
Setting | Options | Description |
---|---|---|
Software Update | Enabled or Disabled | Enables the configuration of the Software Update Policy and installs a profile to associated devices |
Profile Name | e.g. Silverback Software Update | Display Name of the Software Update Device Profile. |
Catalog URL | e.g. http://swscan.apple.com/content/cata...ndex.sucatalog | The URL of the software update catalog. An internal software update server allows you to reduce the amount of bandwidth used when distributing software updates from Apple: instead of each computer downloading updates from Apple's Software Update server, updates are downloaded from Apple only once per server. An internal software update server also allows you to control and approve updates before you make them available. This setting is reflected in the System Preferences > Profiles section on the Mac. |
Check for updates | Enabled or Disabled | If disabled, deselects the Check for updates option and disables the automatic check for updates. |
Download new updates when available | Enabled or Disabled | If disabled, deselects the Download new updates when available option and prevents the user from changing it. If enabled, the Mac will download updates without asking the user. |
Install macOS updates | Enabled or Disabled | If disabled, restricts the Install macOS Updates option and prevents the user from changing it. If enabled, the Mac will install macOS updates automatically. This setting is reflected in the System Preferences > Profiles section on the Mac and enables the Automatically keep my Mac up to date option in Software Update. |
Install app updates from the App Store | Enabled or Disabled | If disabled, deselects the Install app updates from the App Store option and prevents the user from changing it. If enabled, the Mac will install app updates from the App Store automatically. This setting is reflected in the System Preferences > Profiles section on the Mac and under Advanced. |
Install system data files and security updates | Enabled or Disabled | If disabled, disables the automatic installation of critical updates and prevents the user from changing the Install system data files and security updates option. If enabled, the Mac will install system data files and security updates automatically. |
Allow prerelease software installation | Enabled or Disabled | If enabled, prerelease software can be installed on this computer. |
Automatic installation of configuration data | Enabled or Disabled | If disabled, restricts the automatic installation of security-configuration updates, such as XProtectPlistConfigData, which prevents known malware from running. |
Restrict app installations to admin users | Enabled or Disabled | If enabled, restricts app installations to admin users. This setting is reflected in the System Preferences > Profiles section on the Mac. |
Custom Profiles
Custom Profiles can be created with Apple Configurator 2 on a macOS device and imported into Silverback.
Use Custom Profiles if you need a setting or configuration that Silverback does not cover but that is available in Apple Configurator 2.
- Click New Custom Profile
Setting | Options | Description |
---|---|---|
Name | e.g. CalDAV Profile | Display Name for the Custom Profile |
Description | e.g. Custom CalDAV Profile | Description for the Custom Profile |
Mobileconfig File | Choose File | Uploads the *.mobileconfig file |
Web Clips
Silverback allows administrators to push down Internet shortcuts to their Managed Devices, giving users easy access to the websites the administrator wants.
- Click New Web Clip
Setting | Options | Description |
---|---|---|
Web Clip Name | e.g. Matrix42 | Web Clip Display Name |
Link | e.g. https://www.matrix42.com | Target URL for the Web Clip |
Icon File | Choose File | A button for uploading a custom icon. Supported file type: *.png |
Policy
With Policies, administrators have the ability to enforce rules with Silverback, such as which apps are installed on the devices and which cellular networks the device is on, through to enforcing the serial numbers of the devices as they are enrolled into the system. These are the environmental conditions that Silverback will continue to monitor and 'police' for any devices that are associated with the Tag.
OS Version Compliance
Administrators have the ability to control which OS versions are allowed within their environment. To allow an OS version, simply ensure the checkbox next to the respective OS version is ticked. Enrolling a device with a disabled OS version will result in the device automatically being blocked.
- Alert Administrators: When the checkbox is checked, all administrators will receive an email when a device that violates OS compliance is detected, or when a new OS version is discovered.
- Automatically Approve New OS Versions: When an OS platform is enrolled to Silverback for the first time, the OS is automatically added to the list. By default, unknown OS platforms are disabled and relevant devices will be blocked. To automatically authorize new OS versions as they are discovered, ensure the checkbox is ticked.
Use this feature where you do not want devices to be automatically blocked when a user upgrades their device to a new future OS version that is released by their software vendor.
OS Updates
A common question you may face is how to prevent devices from updating to the latest version of macOS, and how to test a new macOS update before all of your users install it. Organizations often wish to check the latest macOS release, verifying that the business-related apps they use will continue to function properly on their devices. For that, Apple offers the possibility to specify a number of days by which software updates are delayed, up to a maximum of 90 days. With this option enabled, the user of the device will not see a software update until the specified number of days has passed since its release.
Setting | Options | Description |
---|---|---|
Defer Operating System updates for X | Enabled or Disabled | Enables the deferral of operating system updates |
Days | 1-90 | Defines the time period of how long updates will be deferred |
Create different Tags with different values to roll out new OS updates in waves. Here is an example of how it could look:
- Do not use the feature for the internal IT or MDM department.
- Enable the policy and set the deferral for pilot users to 14 days.
- Enable the policy and set the deferral for non-critical departments to 30 days.
- For critical departments, use the maximum value of 90 days.
Hardware Compliance
Administrators have the ability to enforce a hardware compliance policy through Silverback. Simply uncheck the boxes for hardware types that should not be supported, and any devices that match the hardware type and are managed by Silverback will be blocked. The list of hardware types is managed via the Device Types option in the Admin Tab of the Silverback Console. If a mapping from device type to hardware type exists, the hardware type will be displayed in the hardware compliance list. When a device manufacturer releases a new version of their hardware, the model numbers may not yet be known by Silverback; in this case Silverback will 'learn' them and store them as 'Unknown' in the Device Types section under the Admin Tab, where the administrator can update them manually. To allow these devices into your system, enable the 'Unknown' checkbox option. This will allow the device into your Silverback environment, and you can later re-classify this device type in the Admin > Device Types section.
- Alert Administrators: When the checkbox is checked it will ensure that administrators receive an email when a device that violates hardware compliance is detected.
Lockdown
The Lockdown screen allows you to determine what device compliance policies are enabled and what action should automatically occur when a violation is detected. Each policy is enabled/disabled through their associated checkbox. Enabling a lockdown policy ensures that the device is inspected to ensure it is compliant with that policy during the initial enrollment as well as at regular intervals as defined by the ‘Perform check every’ drop down.
Lockdown Actions
Action | Description |
---|---|
No action | No action is performed on the device; however alerting administrators may be performed if configured. |
Lock | A lock command is sent to the device which will lock the screen of the device. |
Block | The device is blocked, and the device is moved to the blocked devices table. |
Wipe | The device is hard reset to factory default settings. |
Alert administrator | Emails are sent to all administrators notifying them of the policy violation when it is detected. |
Lockdown Policies
Policy | General | Options | Description |
---|---|---|---|
Enforce Hardware Authentication | Enabled or Disabled | | Hardware authentication can be enabled or disabled from this screen. See the Hardware Authentication section for more information on this configuration. |
Require Full Disk Encryption | Enabled or Disabled | | Determines whether OS X devices require Full Disk Encryption or not. |
Apps
The Apps Feature Section is how administrators can automate the distribution of device apps for specific groups of users. Before you can begin assigning Apps to the Tag, you first need to have them uploaded into the Silverback App Portal. Once you have Apps in the Silverback App Portal, they can be distributed using the Apps Feature associated with your Tag.
App Types
The following App Types are available for macOS devices:
Type | Description |
---|---|
Enterprise | Applications owned by an organization, delivered as a *.pkg file |
VPP | Applications bought via Volume Purchase Program |
Assign Apps
Once Apps are uploaded into the Silverback App Portal Tab, they can be distributed to devices via a Tag they have been associated with.
- Navigate to Apps
- Click Assign More Apps
- Select any applications from the shown Assign Applications page
- Click Add Selected Apps
Overview
Already assigned applications are displayed in the Apps section of any Tag with the following columns:
Column | Description |
---|---|
Type | Displays the app type, either Enterprise or VPP |
Name | Displays the application name |
Version | Displays the application version for Enterprise Apps |
Description | Displays the application description given in App Portal |
Remaining VPP | The remaining number of VPP licenses for this app |
Total VPP | The total amount of VPP licenses for this app |
Manage Config | Click edit to change deployment options |
Remove | Removes the App from the Tag |
Change Deployment Options
By default, configurations are inherited from the App Portal. To customize the settings, perform the following steps for each application.
- Click the Edit button in the Manage Config column
- Update Deployment Options
- Click Save
Content
Content Management functionalities are not supported on OSX devices