Matrix42 Self-Service Help Center

Tags Guide Part V: macOS

Profile

Profiles are managed independently for each device type, so each device type can be configured separately. When a device is provisioned, it receives the profile configuration in effect at the time the device was enrolled. When a profile change is made, new devices receive the new configuration, as do devices that are currently managed and/or blocked. Whenever a profile is changed, ensure the settings are correct, because they are applied immediately to all applicable devices. Click the Save or Save & Close button at the bottom right of the screen to commit your changes before selecting another page.

Exchange ActiveSync

Setting Options Description
Exchange ActiveSync Settings Enabled or Disabled Enables Profile
Label e.g. Imagoverum Exchange or e.g. {firstname} The Label for the Email Account as it appears on the device.
Server Name e.g. outlook.office365.com  External Exchange Active Sync address 
Past Days of Mail to Sync
  • Unlimited
  • One Day
  • Three days
  • One week
  • Two weeks
  • One Month
Period of mail to synchronize to the device
Use SSL Enabled or Disabled If the URL for the External Mail Server is protected by an SSL Certificate then use SSL.
Use oAuth Enabled or Disabled Enables and uses oAuth Authentication for Identity Providers on native mail client
Use Custom Username Variable e.g. {CustLdapVar0} or support@imagoverum.com Define a Custom Variable Attribute for the Username for the EAS Profile.
Use Custom Email Variable e.g. {CustLdapVar0} or tim.tober@imagoverum.com Define a Custom Variable Attribute for the Email Address for the EAS Profile.
Use Custom Password Variable e.g. {UserPassword} or Pa$$w0rd  Define a Custom Variable Attribute for the Email Password for the EAS Profile.
Enterprise Certificate Choose File Upload a certificate for certificate based authentication with one certificate
Certificate Password e.g. Pa$$w0rd Password for the certificate
Path   Specifies a different path for the Exchange client to connect
Port   Specifies a different port for the Exchange client to connect to
External Host   If the external network address is different, you can specify this. This ensures the user will sync mail in the office and at home when the URLs are different
External SSL   Determines if the external connection should use SSL
External Port   Sets the external TCP port the Exchange Client should use
External Path   Sets the external path for the Exchange client

Email

Setting Options Description
Email Settings Enabled or Disabled Enables Email Settings
Email Address e.g. {UserEmail} or support@imagoverum.com Defines Email Address of the Account
User Display Name e.g. {UserName} or Tim Tober Defines  Display Name of the User for this Email Account
Account Description e.g. Imagoverum Mail Defines Friendly Name of this Email Account
Account Type
  • IMAP
  • POP
Toggles between IMAP and POP Account Types
IMAP Path Prefix e.g. INBOX Defines where to look for mail 
Incoming Mail
Incoming Mail Server e.g. imap-mail.outlook.com or pop-mail.outlook.com  
Incoming Mail Port e.g. 995  
Incoming Mail Username    
Authentication
  • None
  • Password
  • MD5 Challenge-Response
  • NTLM
  • HTTP MD5 Digest
 
Embed User Password Enabled or Disabled  
Use SSL Enabled or Disabled  
Outgoing Mail
Outgoing Mail Server e.g. imap-mail.outlook.com or pop-mail.outlook.com  
Outgoing Mail Port e.g. 995  
Outgoing Mail Username    
Authentication
  • None
  • Password
  • MD5 Challenge-Response
  • NTLM
  • HTTP MD5 Digest
 
Embed User Password Enabled or Disabled  
Use SSL Enabled or Disabled  

Passcode

Setting Options Description
Passcode Settings Enabled or Disabled Enables Passcode Settings
Allow Simple Enabled or Disabled Permit the use of repeating, ascending or descending characters
Require Alpha Numeric Enabled or Disabled Require passcode to contain at least one letter
Minimum Length 4-19 The smallest number of passcode characters allowed
Minimum Complex characters 1-4 Smallest number of non-alphanumeric characters allowed. If ‘Allow Simple’ is checked, then this configuration is disabled.
Maximum Passcode Age - 1-730 days or none 1-730 or empty How often passcode must be changed
Auto-lock (minutes) 2,5 Device automatically locks due to inactivity after this time period
Passcode history (1-50 passcodes, or none) 1-50 or empty Number of unique passcodes required before reuse
Grace Period for Device Lock
  • Immediately
  • 1 Minute
  • 5 Minutes
  • 15 Minutes
Amount of time device screen can sleep before device locks
Maximum Failed Attempts 4-16 Number of passcode entry attempts allowed before the device is reset to factory settings

Screen Saver

This feature controls whether a password is required when the Screen Saver is unlocked or stopped. You can also define the password delay and the idle time before the screen saver starts.

Screen Saver Module Path might work only on older devices, even if the setting is not officially deprecated by Apple.

Setting Options Description
Require Password Enabled or disabled

Defines if the user is prompted for a password when the screen saver is unlocked or stopped. When you use this prompt, you must also provide Password Delay (in sec).

Available in macOS 10.13 and later.

Password Delay (in secs) 1-2147483647

Defines the number of seconds to delay before the password will be required to unlock or stop the screen saver (the grace period). To use this option, Require Password must be enabled. A value of 2147483647 can be used to disable this requirement.

 Available in macOS 10.13 and later.

Login Window Screen Saver Idle Time (in secs) e.g. 0

The number of seconds of inactivity before the screen saver activates. If nothing is presented the default of 300 seconds (5 Minutes) will take effect. 

(0 = Never activate). 

Screen Saver Module Path e.g. /System/Library/Screen Savers/Flurry.saver The full path to the screen-saver module to use. Note that not all screen savers will work before login. These may include any feed, random, shuffle or non-Apple codesigned screensavers.

Restrictions

Setting Options Requirement Description
App Store & iTunes
Allow App Store App adoption
  • Enabled or Disabled
  • macOS 10.10
If true, disables app adoption by users. Available in macOS 10.10 and later.
Allow iTunes File Sharing Services
  • Enabled or Disabled
  • macOS 10.13
If false, disables iTunes file sharing services. Available in macOS 10.13 and later.
Require admin password to install or update apps
  • Enabled or Disabled
  • macOS 10.9
If true, an administrator password is required in order to update any apps. Deprecated in macOS 10.14. Please use Software Updates Configuration
Restrict App Store to software updates only
  • Enabled or Disabled
  • macOS 10.10
If true, restricts app installations to software updates only. Available in macOS 10.10 and later.
Classroom
Force Classroom Automatically Join Classes
  • Enabled or Disabled
  • macOS 10.14.4
If true, automatically gives permission to the teacher's requests without prompting the student. Requires a supervised device. Available in macOS 10.14.4 and later.
Force Classroom Requests Permission to Leave Classes
  • Enabled or Disabled
  • macOS 10.14.4
If true, a student enrolled in an unmanaged course through Classroom requests permission from the teacher when attempting to leave the course. Requires a supervised device. Available in macOS 10.14.4 and later.
Force Classroom Unprompted Apps and Device Lock
  • Enabled or Disabled
  • macOS 10.14.4
If true, allows the teacher to lock apps or the device without prompting the student. Requires a supervised device. Available in macOS 10.14.4 and later.
Force Classroom Unprompted Screen Observation
  • Enabled or Disabled
  • macOS 10.14.4
If true and Allow Remote Screen Observation is also true, a student enrolled in a managed course via the Classroom app automatically gives permission to that course teacher's requests to observe the student's screen without prompting the student. Requires a supervised device. Available in macOS 10.14.4 and later.
Game Center
Allow Game Center
  • Enabled or Disabled
  • macOS 10.13
If false, disables Game Center, and its icon is removed from the Home screen. Available in macOS 10.13 and later.
Allow Game Center Account modification
  • Enabled or Disabled

 

If false, users of Game Center can’t modify their user name or password.
Allow Game Center Friends
  • Enabled or Disabled
  • macOS 10.13
If false, prohibits adding friends to Game Center. Available in macOS 10.13 and later.
Allow Multiplayer Gaming
  • Enabled or Disabled
  • macOS 10.13
If false, prohibits multiplayer gaming. Available in macOS 10.13 and later.
iCloud
Allow iCloud Address Book
  • Enabled or Disabled
  • macOS 10.12
If false, disables iCloud Address Book services. Available in macOS 10.12 and later.
Allow iCloud Bookmarks
  • Enabled or Disabled
  • macOS 10.12
If false, disables iCloud Bookmark sync. Available in macOS 10.12 and later.
Allow iCloud Calendar
  • Enabled or Disabled
  • macOS 10.12
If false, disables iCloud Calendar services. Available in macOS 10.12 and later.
Allow iCloud Desktop and Documents
  • Enabled or Disabled
  • macOS 10.12.4
If false, disables cloud desktop and document services. Available in macOS 10.12.4 and later.
Allow iCloud Document Sync
  • Enabled or Disabled
  • macOS 10.11
If false, disables document and key-value syncing to iCloud. Available in macOS 10.11 and later.
Allow iCloud Keychain Sync
  • Enabled or Disabled
  • macOS 10.12
If false, disables iCloud keychain synchronization. This restriction is deprecated on unsupervised devices and will be supervised only in a future release. Available in macOS 10.12 and later.
Allow iCloud Mail Services
  • Enabled or Disabled
  • macOS 10.12
If false, disables iCloud Mail services. Available in macOS 10.12 and later.
Allow iCloud Notes Services
  • Enabled or Disabled
  • macOS 10.12
If false, disables iCloud Notes services. Available in macOS 10.12 and later.
Allow iCloud Photo Library
  • Enabled or Disabled
  • macOS 10.12
If false, disables iCloud Photo Library. Any photos not fully downloaded from iCloud Photo Library to the device are removed from local storage. Available in macOS 10.12 and later.
Allow iCloud Reminder Services
  • Enabled or Disabled
  • macOS 10.12
If false, disables iCloud Reminder services. Available in macOS 10.12 and later.
Security & Privacy
Allow Auto Unlock
  • Enabled or Disabled
  • macOS 10.12
If false, disallows auto unlock. Available in macOS 10.12 and later.
Allow Diagnostic Data to be Sent to Apple
  • Enabled or Disabled
  • macOS 10.13
If false, prevents the device from automatically submitting diagnostic reports to Apple. Available in macOS 10.13 and later. Also available for user enrollment.
Allow Fingerprint For Unlock
  • Enabled or Disabled
  • macOS 10.12.4
If false, prevents Touch ID or Face ID from unlocking a device. Available in macOS 10.12.4 and later.
Allow Passcode Modification
  • Enabled or Disabled
  • macOS 10.13
If false, prevents the device passcode from being added, changed, or removed. Requires a supervised device. Available in macOS 10.13 and later.
Allow Password AutoFill
  • Enabled or Disabled
  • macOS 10.14
If false, disables the AutoFill Passwords feature in iOS (with Keychain and third-party password managers) and the user isn't prompted to use a saved password in Safari or in apps. This restriction also disables Automatic Strong Passwords, and strong passwords are no longer suggested to users. It does not prevent AutoFill for contact info and credit cards in Safari. Requires a supervised device. Available in macOS 10.14 and later.
Allow Password Proximity Requests
  • Enabled or Disabled
  • macOS 10.14
If false, disables requesting passwords from nearby devices. Requires a supervised device. Available in macOS 10.14 and later.
Allow Password Sharing
  • Enabled or Disabled
  • macOS 10.14
If false, disables sharing passwords with the Airdrop Passwords feature. Requires a supervised device. Available in macOS 10.14 and later.
Allow Spotlight Internet Results
  • Enabled or Disabled
  • macOS 10.11
If false, disables Spotlight Internet search results in Siri Suggestions. Available in macOS 10.11 and later.
Allow Safari Autofill
  • Enabled or Disabled
  • macOS 10.13
If false, disables Safari AutoFill for passwords, contact info, and credit cards and also prevents the Keychain from being used for AutoFill. Though third-party password managers are allowed and apps can use AutoFill. Available in macOS 10.13 and later.
Sharing
Allow AirDrop Sharing
  • Enabled or Disabled
  • macOS 10.9
If false, AirDrop Sharing won't show up in the user's Share menu. Available in macOS 10.9 and later; deprecated in macOS 10.12.
Allow Aperture Sharing
  • Enabled or Disabled
  • macOS 10.9
If false, Aperture Sharing won't show up in the user's Share menu. Available in macOS 10.9 and later; deprecated in macOS 10.12.
Allow Content Caching
  • Enabled or Disabled
  • macOS 10.13
If false, disables content caching. Available in macOS 10.13 and later.
Allow Facebook Sharing
  • Enabled or Disabled
  • macOS 10.9
If false, Facebook Sharing won't show up in the user's Share menu. Available in macOS 10.9 and later; deprecated in macOS 10.12.
Allow Mail Sharing
  • Enabled or Disabled
  • macOS 10.9
If false, Mail Sharing won't show up in the user's Share menu. Available in macOS 10.9 and later; deprecated in macOS 10.12.
Allow Messages Sharing
  • Enabled or Disabled
  • macOS 10.9
If false, Messages Sharing won't show up in the user's Share menu. Available in macOS 10.9 and later; deprecated in macOS 10.12.
Allow Sina Weibo Sharing
  • Enabled or Disabled
  • macOS 10.9
If false, Sina Weibo Sharing won't show up in the user's Share menu. Available in macOS 10.9 and later; deprecated in macOS 10.12.
Allow Twitter Sharing
  • Enabled or Disabled
  • macOS 10.9
If false, Twitter Sharing won't show up in the user's Share menu. Available in macOS 10.9 and later; deprecated in macOS 10.12.
Allow Video Sharing
  • Enabled or Disabled
  • macOS 10.9
If false, Video Sharing won't show up in the user's Share menu. Available in macOS 10.9 and later; deprecated in macOS 10.12.
System Preferences
Allow Appstore Preference
  • Enabled or Disabled
  • macOS 10.7
If false, App Store Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Backup Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Backup Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Bluetooth Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Bluetooth Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow CDs & DVDs Preference
  • Enabled or Disabled
  • macOS 10.7
If false, CDs & DVDs Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Configuration Profiles Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Profiles Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Datetime Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Date & Time Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Desktop and Screen Saver Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Desktop & Screen Saver Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Displays Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Displays Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Dock Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Dock Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Energy Saver Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Energy Saver Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Extensions Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Extensions Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Fibrechannel Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Fibre Channel Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow General Preference
  • Enabled or Disabled
  • macOS 10.7
If false, General Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow iCloud Preference
  • Enabled or Disabled
  • macOS 10.7
If false, iCloud Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Ink Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Ink Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Internet Accounts Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Internet Accounts Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Keyboard Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Keyboard Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Language and Text Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Language & Region Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Mission Control Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Mission Control Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Mouse Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Mouse Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Network Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Network Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Notifications Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Notifications Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Parental Controls Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Parental Controls Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Printers and Scanners Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Printers & Scanners Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Security and Privacy Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Security and Privacy Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Sharing Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Sharing Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Software Update Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Software Update Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Sound Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Sound Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Speech Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Speech Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Spotlight Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Spotlight Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Startup Disk Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Startup Disk Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Trackpad Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Trackpad Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Universal Access Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Universal Access Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Users Preference
  • Enabled or Disabled
  • macOS 10.7
If false, User Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Xsan Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Xsan Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
System Settings
Allow Activity Continuation
  • Enabled or Disabled
  • macOS 10.15
If false, disables activity continuation. Available in macOS 10.15 and later.
Allow AirDrop
  • Enabled or Disabled
  • macOS 10.13
If false, disables AirDrop.  Available in macOS 10.13 and later.
Allow Camera
  • Enabled or Disabled
  • macOS 10.11
If false, disables the camera, and its icon is removed from the Home screen. Users are unable to take photographs. This restriction is deprecated on unsupervised devices and will be supervised only in a future release. Available in macOS 10.11 and later.
Allow Dictation
  • Enabled or Disabled
  • macOS 10.13
If false, disallows dictation input. Requires a supervised device. Available in macOS 10.13 and later.
Allow Music Service
  • Enabled or Disabled
  • macOS 10.12
If false, disables the Music service, and the Music app reverts to classic mode. Requires a supervised device. Available in macOS 10.12 and later.
Allow Screen Capture
  • Enabled or Disabled
  • macOS 10.14.4
If false, disables saving a screenshot of the display and capturing a screen recording. It also disables the Classroom app from observing remote screens. Available in macOS 10.14.4 and later. Also available for user enrollment.

Allow Remote Screen Observation

  • Enabled or Disabled
  • macOS 10.14.4
If false, disables remote screen observation by the Classroom app. If Allow Screen Capture is set to false, the Classroom app doesn't observe remote screens. Required a supervised device until macOS 10.15. Available in macOS 10.14.4 and later.
Allow Wallpaper Modification
  • Enabled or Disabled
  • macOS 10.14
If false, prevents wallpaper from being changed. Requires a supervised device. Available in macOS 10.13 and later.

Virtual Private Network

General

Setting Options Description
VPN Settings Enabled or Disabled Enables VPN Settings
VPN Type 
  • Cisco (IPSec)
  • Cisco AnyConnect
  • Pulse Secure
  • F5 Access Legacy
  • F5 Access
  • Custom SSL
  • IPSec (Cisco)
  • SonicWall Mobile Connect
  • Check Point Mobile VPN
Type of connection enabled by this policy. Application(s) needs to be installed on the device. 
Connection Name e.g. Imagoverum VPN Display name of the connection displayed on the device
Server Address e.g. vpn.imagoverum.com  Host name or IP address for Server
Authentication Type
  • Certificate
  • Password
  • Shared Secret/Group Name (Cisco IPSec only)

Authentication type for the connection. Selecting Certificate requires a Certification Authority Integration.

Cache user password

Enabled or Disabled

Silverback will take the captured user password from the enrollment for authentication

App specific settings

Setting Options Description
Cisco AnyConnect
Group e.g. Mobile Device Users Group for authenticating the connection
Juniper SSL
Realm e.g. Mobile Users Realm for authenticating the connection
Role e.g. Mobile Device Users Role for authenticating the connection
Custom SSL
Identifier e.g. com.imagoverum.intranet Identifier for the custom SSL VPN in reverse DNS format
SonicWall Mobile Connect
Login Group or Domain e.g. CORP Login Group or Domain for authenticating the connection. 
IPSec (Cisco) with Certificate
Include User PIN Enabled or Disabled

Request PIN during connection and send with authentication.

*Only available if Certificate is selected as Authentication Type

Group Name e.g. mygroup1

Group Identifier for the connection

Only available if Certificate is selected as Authentication Type

Shared Secret e.g. v+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL

Shared secret for the connection

Only available if Certificate is selected as Authentication Type

Use Hybrid Authentication Enabled or Disabled

Authenticate using secret, name, and server-side certificate

Only available if Certificate is selected as Authentication Type

Prompt for Password Enabled or Disabled* Prompt user for password on the device
Custom SSL 
Custom Data
  • Key
  • Value
Keys and string values for custom data

VPN specific settings

Setting Options Description
VPN On Demand
Enable VPN on Demand

Enabled or Disabled

Add Domain and host names that will establish a VPN
Match Domain or Host
  • e.g. int.imagoverum.com
Define matching domains or host names to use VPN on Demand
On Demand Action
  • Always establish
  • Never establish
  • Established if needed 

Defines the VPN behavior for the specified domains or host names.

Always establish: The specified domains will trigger a VPN connection

Established if needed: The specified domains should trigger a VPN connection attempt

Never establish: The specified domains will not trigger a VPN connection nor be accessible through an existing VPN connection

Wi-Fi 

Silverback has the ability to pre-populate multiple Wi-Fi settings on your devices, so the user does not need to know the password for these networks themselves.

  • Click New WiFi profile
Setting Options Description
Wi-Fi Settings Enabled or Disabled Enables the sending of Wi-Fi settings
SSID e.g. Corporate Wi-Fi Service Set Identifier of the wireless network
Security Type
  • WEP
  • WPA2
  • Any Personal
  • WEP Enterprise
  • WPA2 Enterprise
  • Any Enterprise
Defines the encryption used by the wireless network
Hidden Network Enabled or Disabled Enable if the target network is not open or hidden
Automatically Join Enabled or Disabled The device will automatically join the Wi-Fi network
Password e.g. Pa$$w0rd Password for authenticating to the wireless network
Proxy (WEP Enterprise & WPA2 Enterprise & Any Enterprise Only)
Protocols
  • TLS
  • LEAP
  • TTLS
  • PEAP
  • EAP-FAST
  • EAP-SIM

 

  • Use PAC
  • Provision PAC
  • Provision PAC Anonymously
Defines the protocol utilized by encryption type and the PAC configuration
Authentication
  • Use Per-connection Password
  • Use Individual Username
    • Use User Password
  • Use Individual Client Certificates
    • Individual Client Certificate subject
    • Populate into Active Directory
  • Add Certificate
Defines the authentication mechanism used
Trust
  • Allow Trust Exceptions
  • Add or Remove Server
  • Add Certificate
  • Remove Certificates
Defines Trusted certificates
Proxy
  • Proxy Type (None, Auto, Manual)
  • Server
  • Port
  • Individual Usernames or pre-defined Username
  • Individual Passwords or pre-defined Password
  • PAC URL
Ensures the device talks to the necessary Proxy

Firewall

macOS Firewall can be set up to prevent unauthorized applications, programs and services from accepting incoming connections. The configuration is supported on macOS Sierra (10.12) and newer.

Setting Options Description
Firewall Settings Firewall Settings Enables the firewall profile configuration. If no other values are defined, it prevents the user from making manual changes to the firewall settings on the device.
Enable Firewall Enabled or disabled Specify, whether the firewall should be enabled or not. If true, the firewall will be enabled. Signed software and system services will receive incoming connections by default unless explicitly blocked through Application Access
Block All Incoming Connections Enabled or disabled If enabled, the firewall will be configured to block all incoming connections by default. 
Enable Stealth Mode Enabled or disabled If you’re concerned about security, you can use “stealth mode” to make it more difficult for hackers and malware to find your Mac. When stealth mode is turned on, your Mac does not respond to “ping” requests and does not answer connection attempts from a closed TCP or UDP network.
Applications Access
Bundle Identifier e.g. com.shazam.mac.Shazam

With application access you can determine the list of apps with connections controlled by the firewall.  Add a list of applications with the unique Bundle ID.

Incoming Connection Enabled or disabled If enabled, incoming connections for the specified application will be received. If disabled incoming connections will be denied. 

FileVault

FileVault full-disk encryption uses XTS-AES-128 encryption with a 256-bit key to help prevent unauthorized access to the information on your startup disk. When FileVault is turned on, macOS devices always require login with an account password. Encryption occurs in the background, and only while the device is awake and plugged in to AC power. Users or Administrators can check the progress in the FileVault section of Security & Privacy preferences. Any new files that are created are automatically encrypted as they are saved to the startup disk. If users lose or forget their account password, the device can be recovered by a reset using the Reset Password assistant with the user's Recovery Key. Administrators will see the corresponding Recovery Key in the device information under the Security Information section. Because a user's personal recovery key can change over the device lifecycle, a Recovery History is saved and can be revealed by Administrators. Each reveal action creates an entry in the Audit Logs.

Setting Options Description
Enable FileVault Enabled or Disabled Forces the users to encrypt assigned devices
Profile Name e.g. Silverback FileVault Display Name for the Profile on the assigned device.
Location e.g. The Key will be represented to your Administrator in case you will forget your macOS Password.  The description of the location where the recovery key will be escrowed. This text will be inserted into the message the user sees when enabling FileVault manually. You can use this 
Bypassed allowed
  • Do not encrypt at login
  • Force encryption at login
  • 1
  • 2
  • 3
  • 5
  • 10
  • Unlimited
The maximum number of times users can bypass enabling FileVault before being required to enable it to log in.
Request encryption during logout Enabled or Disabled If disabled, prevents additional requests for enabling FileVault at user logout time. 
Show recovery key to user Enabled or Disabled If disabled, prevents display of the personal recovery key to the user after FileVault is enabled.

If the profile is applied and the user wants to manually enable FileVault, the process will run into a failure. (The operation couldn't be completed. com.apple.OpenDirectory error 5103)

System Extensions

With macOS Catalina, Apple took a step toward modernizing and improving the security and reliability of macOS by providing a better architecture for kernel extensions and drivers. The outcome is a separation between System Extensions (macOS 10.15+) and Kernel Extensions. System extensions on macOS Catalina and later allow software like network extensions and endpoint security solutions to extend the functionality of macOS without requiring kernel-level access. System extensions are divided into Driver, Network, and Endpoint Security Extensions. They run in user space, where they can’t compromise the security or stability of macOS. Once installed, an extension is available to all users on the system and can perform tasks previously reserved for kernel extensions.

How to configure

  • Enable System Extensions
  • Enter a Profile name, e.g. Silverback System Extensions
  • Enable Allow users to approve System Extensions (optional)
  • Right Click System Extensions
  • Select + Add Team ID
    • Enter the display name for the Team ID
    • Enter the Team ID
    • Select allowed System Extensions type
    • Click OK

Please note that for a specified Team ID that does not contain any Bundle ID nodes, all the validly signed kernel extensions will be allowed to load on the device.

  • Right click the newly added Team ID
  • Select +Add BundleID
    • Enter the display name for the System Extension
    • Enter the Bundle ID of the System Extension
    • Press OK

How to obtain

  • To start, you can obtain a list of system extensions that are present on the machine via Terminal
  • On your macOS device, open Terminal
  • Run the following command
systemextensionsctl list
  • The outcome provides the following information
enabled active  teamID  bundleID (version)  name    [state]

Kernel Extensions

In general, applications like antivirus software, firewalls, VPN clients, USB drivers, etc. install kernel or system extensions to extend the native capabilities of the macOS operating system. These applications gain access to OS features that applications without extensions can't access. Apple announced plans to deprecate macOS Kernel Extensions and replace them with macOS System Extensions to modernize the platform, improve security and reliability, and enable more user-friendly distribution methods. The first step from Apple towards that was the introduction of system extensions for macOS Catalina.

Future OS releases will no longer load kernel extensions that use deprecated KPIs by default.

How to configure

  • Enable Kernel Extensions
  • Enter a Profile name, e.g. Silverback Kernel Extensions
  • Enable Allow users to approve Kernel Extensions (optional)
  • Right Click Kernel Extensions
  • Select + Add Team ID
    • Enter the display name for the Team ID
    • Enter the Team ID
    • Press OK

Please note that for a specified Team ID that does not contain any Bundle ID nodes, all the validly signed kernel extensions will be allowed to load on the device.

  • Right click the newly added Team ID
  • Select +Add BundleID
    • Enter the display name for the Bundle ID
    • Enter the Bundle ID
    • Press OK

How to obtain

  • On your macOS device, open Terminal
  • To obtain the Team ID, proceed with the following 
sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy
  • Once done, type:
SELECT * FROM kext_policy;

You will see the Team ID, the bundle ID for each individual extension and the display name of the developer. Note down the Team ID (the first item) - you will need all the IDs for the extensions you wish to whitelist.

  • To list all Kernel Extensions, enter the following
kextstat
  • To list all installed third party extensions
kextstat | grep -v com.apple
  • To find the Kernel Extensions Folder
cd /System/Library/Extensions/

Privacy Preference

Privacy Preference settings allow Administrators to predefine approvals or denials for device feature requests from applications. On macOS devices, apps and processes often prompt users to allow or deny access to camera, microphone, files, calendars and address books. Use the ability to manage data access consent on behalf of your users and to overrule previous decisions made by the users. Privacy Preferences are supported in macOS Mojave (10.14+) and later.

Click New Privacy Preference Profile to control data access on an app level basis. 

Setting Options Description
Name e.g. Skype Application Name
Identifier Type
  • BundleID
  • Path

Select here either BundleID or Path, depending on whether it is an app bundle or a binary

Identifier

e.g. com.skype.skype

The bundle ID or installation path of the binary.
Code Requirement e.g. identifier "com.skype.skype" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = AL798K98FX Provide here the Code Requirement of the application. This is obtained via the command codesign. Open Terminal on your Mac and run codesign -dr - /Applications/Skype.app to get the Code Requirement for Skype.
Static Code Validation Enabled or Disabled Optional. If enabled, statically validates the code requirement of the app or service on-disk. Used only if the process invalidates its dynamic code signature.
Access Permissions
Accessibility
  • Not Set
  • Block
  • Allow
Controls the access permissions for the app via the Accessibility subsystem.
Address Book
  • Not Set
  • Block
  • Allow
Controls the access permissions for contact information managed by the Contacts.app
Calendar
  • Not Set
  • Block
  • Allow
Specifies the policies for calendar information managed by the Calendar.app.
Camera
  • Not Set
  • Block
Controls the access permissions to the system camera. Access to the camera can only be denied.
File Provider Presence
  • Not Set
  • Block
  • Allow
Controls the access permissions to File Provider Presence. This allows a File Provider application to know when the user is using files managed by the File Provider.
Listen Event
  • Not Set
  • Block
Controls the permissions to allow the application to use Core Graphics and HID APIs to listen to (receive) CGEvents and HID events from all processes. Access to these events can only be denied.
Media Library
  • Not Set
  • Block
Controls the permissions to allow the application to access Apple Music, music and video activity, and the media library.
Microphone
  • Not Set
  • Block
Controls the access permissions to the system microphone. Access to the microphone can only be denied.
Photos
  • Not Set
  • Block
  • Allow
Controls the access permissions to the pictures managed by the Photos app in  ~/Pictures/.photoslibrary.
Post Event
  • Not Set
  • Block
  • Allow
Specifies the access permissions for the application to use Core Graphics APIs to send CGEvents to the system event stream.
Reminders
  • Not Set
  • Block
  • Allow
Specifies the policies for reminders information managed by the Reminders app.
Screen Capture
  • Not Set
  • Block
  • Allow
Controls the access permissions for the application to capture the contents of the system display. Access to the contents can only be denied.
Speech Recognition
  • Not Set
  • Block
  • Allow
Controls the access permission for the application to use the system Speech Recognition facility and to send speech data to Apple.
System Policy All Files
  • Not Set
  • Block
  • Allow
Controls the application access to all protected files, including system administration files.
System Policy Desktop Folder
  • Not Set
  • Block
  • Allow
Controls the application's access to files in the user's Desktop folder.
System Policy Documents Folder
  • Not Set
  • Block
  • Allow
Controls the application's access to files in the user's Documents folder.
System Policy Download Folder
  • Not Set
  • Block
  • Allow
Controls the application's access to files in the user's Downloads folder.
System Policy Network Volumes
  • Not Set
  • Block
  • Allow
Controls the application's access to files on network volumes.
System Policy Removable Volumes
  • Not Set
  • Block
  • Allow
Controls the application's access to files on removable volumes.
System Policy Sys Admin Files
  • Not Set
  • Block
  • Allow
Controls the application access to some files used in system administration.
Apple Events
Identifier Type
  • BundleID
  • Path
Depending on the application, workflows may need to be approved by the application to communicate with built-in applications and services using the Apple Event service. Select here either BundleID or Path for the control of the desired Apple Event
Identifier e.g. com.apple.systemevents Provide here the bundle ID or installation path of the Apple Event. The example shows the Identifier for System Events
Code Requirement e.g. identifier "com.apple.systemevents" and anchor apple Provide here the Code Requirement of the application. This is obtained via the command codesign. The example shows the Identifier for System Events
Process Access Enabled or Disabled Define if the access is granted or prohibited to the Apple Event from the Privacy Preference controlled application
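
The Identifier, Code Requirement and per-service decisions in the table above are the same fields Apple's Privacy Preferences Policy Control payload (com.apple.TCC.configuration-profile-policy) carries. The following added example, which is not Silverback's own code, extracts the Code Requirement from codesign output and builds such a payload dictionary, rejecting an Allow for the services this table offers only as Not Set or Block and a requirement that names a different app; the function names, the Executable line and the payload identifier are constructed for illustration.

```python
import plistlib
import re
import uuid

# Services for which the table above offers only "Not Set" and "Block".
DENY_ONLY = {"Camera", "Microphone", "ListenEvent", "MediaLibrary"}

# Constructed sample of `codesign -dr - /Applications/Skype.app` output; the
# requirement is the one quoted in the table, the Executable line is made up.
CODESIGN_OUTPUT = (
    'Executable=/Applications/Skype.app/Contents/MacOS/Skype\n'
    'designated => identifier "com.skype.skype" and anchor apple generic and '
    'certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and '
    'certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and '
    'certificate leaf[subject.OU] = AL798K98FX\n'
)


def designated_requirement(codesign_output):
    """Return the text after 'designated => ' (the Code Requirement field value)."""
    for line in codesign_output.splitlines():
        if line.startswith("designated => "):
            return line[len("designated => "):].strip()
    raise ValueError("no designated requirement found; is the app signed?")


def build_pppc_payload(identifier, identifier_type, code_requirement, decisions,
                       static_code=False, payload_identifier="com.example.pppc"):
    """Build a payload dict; decisions maps a service key to Allow/Block/Not Set."""
    if identifier_type not in ("bundleID", "path"):
        raise ValueError("identifier_type must be 'bundleID' or 'path'")
    if identifier_type == "path" and not identifier.startswith("/"):
        raise ValueError("a path identifier must be an absolute path")
    if identifier_type == "bundleID":
        # Catch a requirement pasted from a different app than the Identifier.
        named = re.search(r'identifier "([^"]+)"', code_requirement)
        if not named or named.group(1) != identifier:
            raise ValueError("code requirement does not name " + identifier)
    services = {}
    for service, decision in decisions.items():
        if decision == "Not Set":
            continue  # no entry is written for this service
        if decision not in ("Allow", "Block"):
            raise ValueError("unknown decision: " + decision)
        if decision == "Allow" and service in DENY_ONLY:
            raise ValueError(service + " can only be denied")
        services[service] = [{
            "Identifier": identifier,
            "IdentifierType": identifier_type,
            "CodeRequirement": code_requirement,
            "Allowed": decision == "Allow",
            "StaticCode": static_code,
        }]
    return {
        "PayloadType": "com.apple.TCC.configuration-profile-policy",
        "PayloadIdentifier": payload_identifier,  # placeholder value
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "Services": services,
    }


if __name__ == "__main__":
    requirement = designated_requirement(CODESIGN_OUTPUT)
    payload = build_pppc_payload(
        "com.skype.skype", "bundleID", requirement,
        {"Camera": "Block", "AddressBook": "Allow", "Calendar": "Not Set"})
    print(plistlib.dumps(payload).decode())
```

Pinning the entry to the full Code Requirement, including the certificate leaf[subject.OU] clause, ties the approval to the vendor's signing identity rather than to a bundle ID that any app could claim.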

Software Updates 

Provides the capability to control Software Updates settings on macOS devices. 

To check if the settings have been applied, navigate either to System Preferences > Software Update > Software Update > Advanced or to System Preferences > Profiles > Device Profiles and review your applied profile.

Setting Options Description
Software Update Enabled or Disabled Enables the configuration of the Software Update Policy and installs a profile to associated devices
Profile Name e.g. Silverback Software Update Display Name of the Software Update Device Profile. 
Catalog URL e.g. http://swscan.apple.com/content/cata...ndex.sucatalog

The URL of the software update catalog. An internal software update server allows you to reduce the amount of bandwidth used when distributing software updates from Apple. Instead of each computer downloading updates from Apple’s Software Update server, updates are only downloaded from Apple once per server. An internal software update server also allows you to control and approve updates before you make them available. This setting is reflected in the System Preferences > Profiles section on the Mac.

Check for updates Enabled or Disabled If disabled, deselects the Check for updates option and disables the automatic check for updates. 
Download new updates when available Enabled or Disabled If disabled, deselects the Download new updates when available option and prevents the user from changing the option. If enabled, the Mac will download updates without asking the user.
Install macOS updates Enabled or Disabled If disabled, restricts the Install macOS Updates option and prevents the user from changing the option. If enabled the Mac will install macOS Updates automatically. This setting is reflected in the System Preferences > Profiles section on the Mac and will enable the Automatically keep my Mac up to date Software Update option. 
Install app updates from the App Store Enabled or Disabled If disabled, deselects the Install app updates from the App Store option and prevents the user from changing the option. If enabled, the Mac will install app updates from the App Store automatically. This setting is reflected in the System Preferences > Profiles section on the Mac and under Advanced.
Install system data files and security updates Enabled or Disabled If disabled, disables the automatic installation of critical updates and prevents the user from changing the Install system data files and security updates option. If enabled, the Mac will install system files and security updates automatically.
Allow prerelease software installation Enabled or Disabled If enabled, prerelease software can be installed on this computer.
Automatic installation of configuration data Enabled or Disabled If disabled, restricts the automatic installation of security-configuration updates, such as XProtectPlistConfigData, which prevents known malware from running.
Restrict app installations to admin users Enabled or Disabled If enabled, restrict app installations to admin users.  This setting is reflected in the System Preferences > Profiles section on the Mac

Custom Profiles

Custom Profiles can be created with the Apple Configurator 2 on a macOS device and imported into Silverback.

Use Custom Profiles if you miss a setting or a configuration that Silverback does not cover but that is available in Apple Configurator 2.

  • Click New Custom Profile
Setting Options Description
Name   e.g. CalDAV Profile Display Name for the Custom Profile
Description e.g. Custom CalDAV Profile Description for the Custom Profile
Mobileconfig File Choose File Uploads the *.mobileconfig file

Web Clips

Silverback allows administrators to push down Internet shortcuts to their Managed Devices, giving users easy access to the websites the administrator wants.

  • Click New Web Clip
Setting Options Description
Web Clip Name   e.g. Matrix42 Web Clip Display Name 
Link e.g. https://www.matrix42.com Target URL for the Web Clip
Icon File Choose File A button for uploading a Custom Icon. Support File Type: *.png

Policy

With Policy or Policies Administrators have the ability to enforce rules with Silverback, such as enforcing what Apps are installed on the devices, what Cellular Networks the device is on through to enforcing the Serial Numbers of the devices as they are enrolled into the system. These are the environmental conditions that Silverback will continue to monitor for and ‘police’ for any devices that are associated with the Tag.

OS Version Compliance 

Administrators have the ability to control which OS versions are allowed within their environment. To allow an OS version, simply ensure the checkbox next to the respective OS version is ticked. Enrolling a device with a disabled OS version will result in the device automatically being blocked.

  • Alert Administrators: When the checkbox is checked, all administrators will receive an email when a device that violates OS compliance is detected, or when a new OS version is discovered.
  • Automatically Approve New OS Versions: When an OS platform is enrolled to Silverback for the first time, the OS is automatically added to the list. By default, unknown OS platforms are disabled and relevant devices will be blocked. To automatically authorize new OS versions as they are discovered, ensure the checkbox is ticked.

Use this feature where you do not want devices to be automatically blocked when a user upgrades their device to a new future OS version that is released by their software vendor.

OS Updates

A common question that you may face is how to prevent devices from updating to the latest version of macOS, and how to test a new macOS update before all users install it. Often, organizations wish to check the latest macOS release, verifying that the business-related apps they use will continue to function properly on the devices used by their organization. For that, Apple offers the possibility to specify a number of days to delay software updates, with a maximum of 90 days. With this option enabled, the user of the device will not see a software update until the specified number of days has passed since the release.

Setting Options Description
Defer Operating System updates for X Enabled or Disabled Enables the deferral of operating system updates
Days 1-90 Defines the time period of how long updates will be deferred

Create different Tags with different values to allow new OS updates in waves. Here is an example of how it could look:

  • Do not use the feature for the internal IT or MDM department.
  • Enable the policy and set it to 14 days for Pilot Users.
  • Enable the policy and set it to 30 days for non-critical departments.
  • For critical departments, use the maximum value of 90 days.

Hardware Compliance 

Administrators have the ability to enforce a hardware compliance policy through Silverback. Simply uncheck the boxes for hardware types that should not be supported, and any devices that match the hardware type and are managed by Silverback will be blocked. The list of hardware types is managed via the Device Types option in the Admin Tab of the Silverback Console. If a mapping from device type to hardware type exists, the hardware type will be displayed in the hardware compliance list. When a Device Manufacturer releases a new version of their hardware, the model numbers may not be known by Silverback. In this case, Silverback will ‘learn’ them and store them as ‘Unknown’ in the Device Types section under the Admin Tab, where the Administrator can update them manually. To allow these devices into your system, enable the ‘Unknown’ checkbox option. This will allow the device into your Silverback Environment, and you can later re-classify this device type in the Admin > Device Types section.

  • Alert Administrators:  When the  checkbox is checked it will ensure that administrators receive an email when a device that violates hardware compliance is detected.

Lockdown

The Lockdown screen allows you to determine what device compliance policies are enabled and what action should automatically occur when a violation is detected. Each policy is enabled/disabled through their associated checkbox. Enabling a lockdown policy ensures that the device is inspected to ensure it is compliant with that policy during the initial enrollment as well as at regular intervals as defined by the ‘Perform check every’ drop down.

Lockdown Actions

Action Description
No action No action is performed on the device; however alerting administrators may be performed if configured.
Lock A lock command is sent to the device which will lock the screen of the device. 
Block The device is blocked, and the device is moved to the blocked devices table. 
Wipe The device is hard reset to factory default settings.
Alert administrator Emails are sent to all administrators notifying them of the policy violation when it is detected. 

Lockdown Policies

Policy  General Options Description
Enforce Hardware Authentication Enabled or Disabled
  • No action
  • Lock 
  • Block
  • Wipe
Hardware authentication can be enabled or disabled from this screen. See the hardware authentication for more information on this configuration.
Require Full Disk Encryption Enabled or Disabled
  • No action
  • Lock 
  • Block
  • Wipe
Determines if OS X devices require Full Disk Encryption or not.

Apps 

The Apps Feature Section is how Administrators can automate the distribution of Device Apps for specific groups of users. Before you can begin assigning Apps to the Tag, you first need to have them uploaded into the Silverback App Portal. Once you have Apps in the Silverback App Portal, they can be distributed using the Apps Feature associated with your Tag.

App Types

Three different App Types are available for macOS devices:

Type Description
Enterprise Applications owned by an Organization with *.pkg file
VPP Applications bought via Volume Purchase Program

Assign Apps 

Once Apps are uploaded into the Silverback App Portal Tab, they can be distributed to devices via a Tag they have been associated with.

  • Navigate to Apps
  • Click Assign More Apps
  • Select any applications from the shown Assign Applications page 
  • Click Add Selected Apps 

Overview

Already assigned applications are displayed in the Apps section of any Tag with the following columns: 

Column Description
Type Displays the app type, either Enterprise or VPP
Name Displays the application name
Version Displays the application version for Enterprise Apps
Description Displays the application description given in App Portal
Remaining VPP The remaining number of VPP licenses for this app
Total VPP The total amount of VPP licenses for this app
Manage Config Click edit to change deployment options
Remove Removes the App from the Tag

Change Deployment Options 

By default, configurations are inherited from the App Portal. To customize the settings, perform the following steps for each application.

  • Click the Edit button in the Manage Config column
  • Update Deployment Options
  • Click Save

Content 

Content Management functionalities are not supported on OSX devices 
