Tags Guide Part V: macOS
Profile
Profiles for each device type are managed independently allowing separate configuration and management of profiles for each device type. When a device is provisioned, it will be provisioned with the profile configuration at the time the device was enrolled. When a profile change is made, new devices will receive the new configuration as well as devices that are currently managed and/or blocked. When any Profiles are changed, ensure the settings are correct as these will be applied immediately to all applicable devices. Please ensure you click on the Save or Save & Close button on the bottom right of the screen to commit your changes before selecting another page.
Exchange ActiveSync
| Setting | Options | Description |
|---|---|---|
| Exchange ActiveSync Settings | Enabled or Disabled | Enables the ActiveSync Profile. |
| Label | e.g. Imagoverum Exchange or e.g. {firstname} | The Label for the Email Account as it appears on the device. |
| Server Name | e.g. outlook.office365.com | External Exchange Active Sync address. |
| Past Days of Mail to Sync |
|
Period of mail to synchronize to the device. |
| Use SSL | Enabled or Disabled | If the URL for the External Mail Server is protected by an SSL Certificate then use SSL. |
| Use oAuth | Enabled or Disabled | Enables and uses oAuth Authentication for Identity Providers on native mail client. |
| Use Custom Username Variable | e.g. {CustLdapVar0} or support@imagoverum.com | Define a Custom Variable Attribute for the Username for the EAS Profile. |
| Use Custom Email Variable | e.g. {CustLdapVar0} or tim.tober@imagoverum.com | Define a Custom Variable Attribute for the Email Address for the EAS Profile. |
| Use Custom Password Variable | e.g. {UserPassword} or Pa$$w0rd | Define a Custom Variable Attribute for the Email Password for the EAS Profile. |
| Enterprise Certificate | Choose File | Upload a certificate for certificate based authentication with one certificate. |
| Certificate Password | e.g. Pa$$w0rd | Password for the certificate. |
| Path | Specifies a different path for the Exchange client to connect. | |
| Port | Specifies a different port for the Exchange client to connect to. | |
| External Host | If the external network address is different, you can specify this. This ensures the user will sync mail in the office and at home when the URLs are different. | |
| External SSL | Determines if the external connection should use SSL. | |
| External Port | Sets the external TCP port the Exchange Client should use. | |
| External Path | Sets the external path for the Exchange client. |
| Setting | Options | Description |
|---|---|---|
| Email Settings | Enabled or Disabled | Enables Email Settings. |
| Email Address | e.g. {UserEmail} or support@imagoverum.com | Defines Email Address of the Account. |
| User Display Name | e.g. {UserName} or Tim Tober | Defines Display Name of the User for this Email Account. |
| Account Description | e.g. Imagoverum Mail | Defines Friendly Name of this Email Account. |
| Account Type |
|
Toggles between IMAP and POP Account Types. |
| IMAP Path Prefix | e.g. INBOX | Defines where to look for mail . |
| Incoming Mail | ||
| Incoming Mail Server | e.g. imap-mail.outlook.com or pop-mail.outlook.com | |
| Incoming Mail Port | e.g. 995 | |
| Incoming Mail Username | ||
| Authentication |
|
|
| Embed User Password | Enabled or Disabled | |
| Use SSL | Enabled or Disabled | |
| Outgoing Mail | ||
| Outgoing Mail Server | e.g. imap-mail.outlook.com or pop-mail.outlook.com | |
| Outgoing Mail Port | e.g. 995 | |
| Outgoing Mail Username | ||
| Authentication |
|
|
| Embed User Password | Enabled or Disabled | |
| Use SSL | Enabled or Disabled | |
Passcode
With passcode settings, you can ensure that your users' managed devices are protected from unauthorized third-party access by requiring a passcode, for example. You can also set other security-related settings associated with the passcode configuration, such as the length and complexity of required passwords, or resetting the device to factory defaults after a certain number of failed attempts.
| Setting | Options | Description |
|---|---|---|
| Passcode Settings | Enabled or Disabled | Enables Passcode Settings. |
| Allow Simple | Enabled or Disabled | Permit the use of repeating, ascending or descending characters. |
| Change at next Auth | Enabled or Disabled | By enabling, the system causes a password reset to occur the next time the user tries to authenticate. If this key is set in a device profile, the setting takes effect for all users, and admin authentications may fail until the admin user password is also reset. In the current design, user approved enrollments will receive the profile in the user scope. Devices enrolled via DEP will received the profile in the device scope. In addition, please note that if this setting is enabled and the profile is installed on the device, any subsequent change within the profile will result in a reset of the profile on the device, which by protocol design is considered a new installation and will force users to change their password. Thus, any change to a passcode profile that has Change on next Auth enabled will result in users being prompted to change their passwords, so please choose your settings carefully before enabling this option. |
| Require Alpha Numeric | Enabled or Disabled | Require passcode to contain at least one letter. |
| Minimum Length | 4-19 | The smallest number of passcode characters allowed. |
| Minimum Complex characters | 1-4 | Smallest number of non-alphanumeric characters allowed. If ‘Allow Simple’ is checked, then this configuration is disabled. |
| Maximum Passcode Age - 1-730 days or none | 1-730 or empty | How often passcode must be changed. |
| Auto-lock (minutes) | 2,5 | Device automatically locks due to inactivity after this time period. |
| Passcode history (1-50 passcodes, or none) | 1-50 or empty | Number of unique passcodes required before reuse. |
| Grace Period for Device Lock |
|
Amount of time device screen can sleep before device locks. |
| Maximum Failed Attempts | 2-11 | The number of allowed failed attempts to enter the passcode at the device’s lock screen. After six failed attempts, the system imposes a time delay before a passcode can be entered again. The delay increases with each attempt. With Minutes Until Failed Login Reset you can define a delay before the next passcode can be entered. When the number of failed attempts is exceeded, the system locks the device. The default value for Maximum Failed Attemps is 11. |
| Minutes Until Failed Login Reset | 0- 2147483647 minutes, or none. | Defines the number of minutes before the system resets the login after the maximum number of unsuccessful login attempts is reached. |
Screen Saver
This feature sets controls if a password is required when the Screen Saver is unlocked or stopped, the delay of passwords can be defined and the idle time, before the screen saver starts.
Screen Saver Module Path might work only on older devices, even if the setting is not officially deprecated by Apple.
| Setting | Options | Description |
|---|---|---|
| Require Password | Enabled or disabled |
Defines if the user is prompted for a password when the screen saver is unlocked or stopped. When you use this prompt, you must also provide Password Delay (in sec). Available in macOS 10.13 and later. |
| Password Delay (in secs) | 1-2147483647 |
Defines the number of seconds to delay before the password will be required to unlock or stop the screen saver (the grace period). To use this option Require Passwords must be enabled. A value of 2147483647 can be used to disable this requirement. Available in macOS 10.13 and later. |
| Login Window Screen Saver Idle Time (in secs) | e.g. 0 |
The number of seconds of inactivity before the screen saver activates. If nothing is presented the default of 300 seconds (5 Minutes) will take effect. (0 = Never activate). |
| Screen Saver Module Path | e.g /System/Library/Screen Savers/Flurry.saver | The full path to the screen-saver module to use. Note that not all screen savers will work before login. These may include any feed\, random\, shuffle or non-Apple codesigned screensavers. |
Restrictions
Restrictions are usually simple on/off settings that extend the configuration options of your managed devices and increase the security options. By enabling or disabling them, users are either authorized or explicitly prohibited from configuring certain settings on the device.
| Setting | Options | Requirement | Description |
|---|---|---|---|
| App Store & iTunes | |||
| Allow App Store App adoption |
|
|
If true, disables app adoption by users. Available in macOS 10.10 and later. |
| Allow iTunes File Sharing Services |
|
|
If false, disables iTunes file sharing services. Available in macOS 10.13 and later. |
| Require admin password to install or update apps |
|
|
If true, an administrator password is required in order to update any apps. Deprecated in macOS 10.14. Please use Software Updates Configuration. |
| Restrict App Store to software updates only |
|
|
If true, prevents App Store from launching. Available in macOS 10.14 and later. Restricts installations to software updates only in macOS 10.10 - 10.13. |
| Apple Intelligence | |||
| Allow External Intelligence Integrations |
|
|
If disabled, prevents the use of external, cloud-based intelligence services with Siri. On iOS, this restriction is temporarily allowed on unsupervised and user enrollments. In a future release, this restriction will require supervision, and will be ignored on non-supervised devices. Available in iOS 18.2 and later. |
| Allow External Intelligence Integrations Sign In |
|
|
If disabled, forces external intelligence providers into anonymous mode. If a user is already signed in to an external intelligence provider, applying this restriction will cause them to be signed out when the next request is attempted. Available in iOS 18.2 and later. |
| Allow Image Generation |
|
|
If disabled, prevents the use of image generation. Available in macOS 15 and later. |
| Allow Mail Summary |
|
|
If disabled, prevents the ability to create summaries of email messages manually. This doesn't affect automatic summary generation. Available in macOS 15 and later. |
| Allow Writing Tools |
|
|
If disabled, prevents the use of Apple Intelligence writing tools. Available in macOS 15 and later. |
| Classroom | |||
| Force Classroom Automatically Join Classes |
|
|
If true, automatically gives permission to the teacher's requests without prompting the student. Requires a supervised device. Available in macOS 10.14.4 and later. |
| Force Classroom Requests Permission to Leave Classes |
|
|
If true, a student enrolled in an unmanaged course through Classroom requests permission from the teacher when attempting to leave the course. Requires a supervised device. Available in macOS 10.14.4 and later. |
| Force Classroom Unprompted Apps and Device Lock |
|
|
If true, allows the teacher to lock apps or the device without prompting the student. Requires a supervised device. Available in macOS 10.14.4 and later. |
| Force Classroom Unprompted Screen Observation |
|
|
If true and Allow Remote Screen Observation is also true, a student enrolled in a managed course via the Classroom app automatically gives permission to that course teacher's requests to observe the student's screen without prompting the student. Requires a supervised device. Available in macOS 10.14.4 and later. |
| Game Center | |||
| Allow Game Center |
|
|
If false, disables Game Center, and its icon is removed from the Home screen. Available in macOS 10.13 and later. |
| Allow Game Center Account modification |
|
|
If false, users of Game Center can’t modify their user name or password. |
| Allow Game Center Friends |
|
|
If false, prohibits adding friends to Game Center. Available in macOS 10.13 and later. |
| Allow Multiplayer Gaming |
|
|
If false, prohibits multiplayer gaming. Available in macOS 10.13 and later. |
| iCloud | |||
| Allow iCloud Address Book |
|
|
If false, disables iCloud Address Book services. Available in macOS 10.12 and later. |
| Allow iCloud Bookmarks |
|
|
If false, disables iCloud Bookmark sync. Available in macOS 10.12 and later. |
| Allow iCloud Calendar |
|
|
If false, disables iCloud Calendar services. Available in macOS 10.12 and later. |
| Allow iCloud Desktop and Documents |
|
|
If false, disables cloud desktop and document services. Available in macOS 10.12.4 and later. |
| Allow iCloud Document Sync |
|
|
If false, disables document and key-value syncing to iCloud. Available in macOS 10.11 and later. |
| Allow iCloud Freeform Services |
|
|
Disallows iCloud Freeform services. |
| Allow iCloud Keychain Sync |
|
|
If false, disables iCloud keychain synchronization. This restriction is deprecated on unsupervised devices and will be supervised only in a future release. Available in and macOS 10.12 and later. |
| Allow iCloud Mail Services |
|
|
If false, disables iCloud Mail services. Available in macOS 10.12 and later. |
| Allow iCloud Notes Services |
|
|
If false, disables iCloud Notes services. Available in macOS 10.12 and later. |
| Allow iCloud Photo Library |
|
|
If false, disables iCloud Photo Library. Any photos not fully downloaded from iCloud Photo Library to the device are removed from local storage. Available in macOS 10.12 and later. |
| Allow iCloud Private Relay |
|
|
iCloud Private Relay is an internet privacy service offered as a part of an iCloud+ subscription that allows users connect to and browse the web more privately and securely. If false, prevents user from using private iCloud Relay. |
| Allow iCloud Reminder Services |
|
|
If false, disables iCloud Reminder services. Available in macOS 10.12 and later. |
| Network & Connection | |||
| Allow Universal Control |
|
|
If disabled, this setting will prevent to use the Mac's trackpad and keyboard to control additional Macs and/or iPadOS devices nearby. |
| Allow USB Restricted Mode |
|
|
Controls the authorization for new USB accessories. If disabled, allows the device to always connect to USB accessories while locked. |
| Security & Privacy | |||
| Allow Activation Lock |
|
|
Allows or disallows the device to enable the activation lock. Changing the Activation Lock restriction will only take affect before the Apple ID has been added to the device. Please refer to Activation Lock and Bypassing for additional information. |
| Allow Auto Unlock |
|
|
If false, disallows auto unlock. Available in macOS 10.12 and later. |
| Allow Diagnostic Data to be Sent to Apple |
|
|
If false, prevents the device from automatically submitting diagnostic reports to Apple. Available in macOS 10.13 and later. Also available for user enrollment. |
| Allow Fingerprint For Unlock |
|
|
If false, prevents Touch ID or Face ID from unlocking a device. Available in macOS 10.12.4 and later. |
| Allow Fingerprint Modification |
|
|
Prevents the user from modifying Touch ID or Face ID. |
| Allow iPhone Mirroring |
|
|
If disabled, prevents the iPhone from mirroring to any mac or the Mac from mirroring to any iPhone. |
| Allow Passcode Modification |
|
|
If false, prevents the device passcode from being added, changed, or removed. Requires a supervised device. Available in macOS 10.13 and later. |
| Allow Password AutoFill |
|
|
If false, disables the AutoFill Passwords feature in iOS (with Keychain and third-party password managers) and the user isn't prompted to use a saved password in Safari or in apps. This restriction also disables Automatic Strong Passwords, and strong passwords are no longer suggested to users. It does not prevent AutoFill for contact info and credit cards in Safari. Requires a supervised device. Available in macOS 10.14 and later. |
| Allow Password Proximity Requests |
|
|
If false, disables requesting passwords from nearby devices. Requires a supervised device. Available in macOS 10.14 and later. |
| Allow Password Sharing |
|
|
If false, disables sharing passwords with the Airdrop Passwords feature. Requires a supervised device. Available in macOS 10.14 and later. |
| Allow Rapid Security Response Installation |
|
|
Allows to disable the Rapid Security Response mechanism. |
| Allow Rapid Security Response Removal |
|
|
Blocks the end-user from being able to remove the Rapid Security Response mechanism. |
| Allow Safari Autofill |
|
|
If false, disables Safari AutoFill for passwords, contact info, and credit cards and also prevents the Keychain from being used for AutoFill. Though third-party password managers are allowed and apps can use AutoFill. Available in macOS 10.13 and later. |
| Allow Spotlight Internet Results |
|
|
If false, disables Spotlight Internet search results in Siri Suggestions. Available in macOS 10.11 and later. |
| Allow Startup Disk Modification |
|
|
Prevents modification of Startup Disk setting in System Settings. |
| Allow Time Machine Backup |
|
|
Prevents modification of Time Machine settings in System Settings. |
| Sharing | |||
| Allow AirDrop Sharing |
|
|
If false, AirDrop Sharing won't show up in the user's Share menu. Available in macOS 10.9 and later deprecated in macOS 10.12. |
| Allow Aperture Sharing |
|
|
If false, Aperture Sharing won't show up in the user's Share menu. Available in macOS 10.9 and later deprecated in macOS 10.12. |
| Allow Content Caching |
|
|
If false, disables content caching. Available in macOS 10.13 and later. |
| Allow Facebook Sharing |
|
|
If false, Facebook Sharing won't show up in the user's Share menu. Available in macOS 10.9 and later deprecated in macOS 10.12. |
| Allow Mail Sharing |
|
|
If false, Mail Sharing won't show up in the user's Share menu. Available in macOS 10.9 and later deprecated in macOS 10.12. |
| Allow Messages Sharing |
|
|
If false, Messages Sharing won't show up in the user's Share menu. Available in macOS 10.9 and later deprecated in macOS 10.12. |
| Allow Sina Weibo Sharing |
|
|
If false, Sina Weibo Sharing won't show up in the user's Share menu. Available in macOS 10.9 and later deprecated in macOS 10.12. |
| Allow Twitter Sharing |
|
|
If false, Twitter Sharing won't show up in the user's Share menu. Available in macOS 10.9 and later deprecated in macOS 10.12. |
| Allow Video Sharing |
|
|
If false, Video Sharing won't show up in the user's Share menu. Available in macOS 10.9 and later deprecated in macOS 10.12. |
| Siri | |||
| Allow Siri |
|
|
Disables Siri. |
| Force On-Device Only Dictation |
|
|
Disables connections to Siri servers for the purposes of dictation. Also available for user enrollment. |
| System Preferences (*deprecated with macOS 13) | |||
| Allow Appstore Preference |
|
|
If false, App Store Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
| Allow Backup Preference |
|
|
If false, Backup Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
| Allow Bluetooth Preference |
|
|
If false, Bluetooth Preference in System Preferences won't be accessible for the User. Available in macOS 10.7 and later. |
| Allow CDs & DVDs Preference |
|
|
If false, CDs & DVDs Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
| Allow Configuration Profiles Preference |
|
|
If false, Profiles Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
| Allow Datetime Preference |
|
|
If false, Date & Time Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
| Allow Desktop and Screen Saver Preference |
|
|
If false, Desktop & Screen Saver Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
| Allow Displays Preference |
|
|
If false, Displays Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
| Allow Dock Preference |
|
|
If false, Dock Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
| Allow Energy Saver Preference |
|
|
If false, Enegery Saver Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
| Allow Extensions Preference |
|
|
If false, Extensions Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
| Allow Fibrechannel Preference |
|
|
If false, Fibre Channel Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
| Allow General Preference |
|
|
If false, General Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
| Allow iCloud Preference |
|
|
If false, iCLoud Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
| Allow Ink Preference |
|
|
If false, Ink Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
| Allow Internet Accounts Preference |
|
|
If false, Internet Accounts Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
| Allow Keyboard Preference |
|
|
If false, Keyboard Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
| Allow Language and Text Preference |
|
|
If false, Language & Region Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
| Allow Mission Control Preference |
|
|
If false, Mission Control Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
| Allow Mouse Preference |
|
|
If false, Mouse Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
| Allow Network Preference |
|
|
If false, Network Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
| Allow Notifications Preference |
|
|
If false, User Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
| Allow Parental Controls Preference |
|
|
If false, User Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
| Allow Printers and Scanners Preference |
|
|
If false, Printers & Scanners Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
| Allow Security and Privacy Preference |
|
|
If false, Security and Privacy Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
| Allow Sharing Preference |
|
|
If false, Sharing Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
| Allow Software Update Preference |
|
|
If false, Software Update Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
| Allow Sound Preference |
|
|
If false, Sound Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
| Allow Speech Preference |
|
|
If false, Speech Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
| Allow Spotlight Preference |
|
|
If false, Spotlight Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
| Allow Startup Disk Preference |
|
|
If false, Startup Disk Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
| Allow Trackpad Preference |
|
|
If false, Trackpad Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
| Allow Universal Access Preference |
|
|
If false, Universal Access Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
| Allow Users Preference |
|
|
If false, User Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
| Allow Xsan Preference |
|
|
If false, Xsan Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later. |
| System Settings | |||
| Allow Account Modification |
|
|
Disables account modification. Requires a supervised device. |
| Allow Activity Continuation |
|
|
If false, disables activity continuation. Available in macOS 10.15 and later. |
| Allow AirDrop |
|
|
If false, disables AirDrop. Available in macOS 10.13 and later. |
| Allow Bluetooth Sharing Modification |
|
|
Prevents modifying Bluetooth setting in System Settings. |
| Allow Camera |
|
|
If false, disables the camera, and its icon is removed from the Home screen. Users are unable to take photographs. This restriction is deprecated on unsupervised devices and will be supervised only in a future release. Available in macOS 10.11 and later. |
| Allow Changing Device Name |
|
|
Prevents the user from changing the device name. |
| Allow Dictation |
|
|
If false, disallows dictation input. Requires a supervised device. Available in macOS 10.13 and later. |
| Allow Erase Content And Settings |
|
|
Disables the Erase All Content and Settings option in the Reset UI |
| Allow File Sharing Modification |
|
|
Prevents modifying File Sharing setting in System Settings. |
| Allow Internet Sharing Modification |
|
|
Prevents modifying Internet Sharing setting in System Settings. |
| Allow Local User Creation |
|
|
Prevents creating new users in System Settings. |
| Allow Media Sharing Modifications |
|
|
If disabled, prevents modification of Media Sharing settings. Available in macOS 15.1 and later. |
| Allow Music Service |
|
|
If false, disables the Music service, and the Music app reverts to classic mode. Requires a supervised device. Available in macOS 10.12 and later. |
| Allow Printer Sharing Modification |
|
|
Prevents modifying Printer Sharing setting in System Settings. |
| Allow Remote Apple Events Modification |
|
|
Prevents modifying Remote Apple Events Sharing setting in System Settings. |
| Allow Remote Management Sharing |
|
|
Prevents modifying the Remote Management Sharing setting in System Settings. |
| Allow Screen Capture |
|
|
If false, disables saving a screenshot of the display and capturing a screen recording. It also disables the Classroom app from observing remote screens. Available in macOS 10.14.4 and later. Also available for user enrollment. |
|
Allow Remote Screen Observation |
|
|
If false, disables remote screen observation by the Classroom app. If Allow Screen Capture is set to false, the Classroom app doesn't observe remote screens. Required a supervised device until macOS 10.15. Available macOS 10.14.4 and later. |
| Allow Wallpaper Modification |
|
|
If false, prevents wallpaper from being changed. Requires a supervised device. Available macOS 10.13 and later. |
| Force Bypass Screen Capture Alert |
|
|
If enabled, the system bypasses the presentation of a screen capture alert. Available in macOS 15.1 and later. |
Virtual Private Network
General
| Setting | Options | Description |
|---|---|---|
| VPN Settings | Enabled or Disabled | Enables VPN Settings. |
| VPN Type |
|
Type of connection enabled by this policy. Application(s) needs to be installed on the device. |
| Connection Name | e.g. Imagoverum VPN | Display name of the connection displayed on the device. |
| Server Address | e.g. vpn.imagoverum.com | Host name or IP address for the server. |
| Authentication Type |
|
Authentication type for connection. Certificate as selections requires a Certification Authority Integration. |
| Cache user password |
Enabled or Disabled |
Silverback will take the captured user password from the enrollment for authentication. |
App specific settings
| Setting | Options | Description |
|---|---|---|
| Cisco AnyConnect | ||
| Group | e.g. Mobile Device Users | Group for authenticating the connection. |
| Juniper SSL | ||
| Realm | e.g. Mobile Users | Realm for authentication the connection. |
| Role | e.g. Mobile Device Users | Role for authentication the connection. |
| Custom SSL | ||
| Identifier | e.g. com.imagoverum.intranet | Identifier for the custom SSL VPN in reverse DNS format. |
| SonicWall Mobile Connect | ||
| Login Group or Domain | e.g. CORP | Login Group or Domain for authenticating the connection. |
| IPSec (Cisco) with Certificate | ||
| Include User PIN | Enabled or Disabled |
Request PIN during connection and send with authentication. *Only available if Certificate is selected as Authentication Type |
|
Group Name
|
e.g. mygroup1 |
Group Identifier for the connection. Only available if Certificate is selected as Authentication Type |
| Shared Secret | e.g. v+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL |
Shared secret for the connection. Only available if Certificate is selected as Authentication Type |
| Use Hybrid Authentication | Enabled or Disabled |
Authenticate using secret, name, and server-side certificate. Only available if Certificate is selected as Authentication Type |
| Prompt for Password | Enabled or Disabled* | Prompt user for password on the device. |
| Custom SSL | ||
| Custom Data |
|
Keys and string values for custom data. |
VPN specific settings
| Setting | Options | Description |
|---|---|---|
| VPN On Demand | ||
| Enable VPN on Demand |
Enabled or Disabled |
Add Domain and host names that will establish a VPN. |
| Match Domain or Host |
|
Define matching domains or host names to use VPN on Demand. |
| On Demand Action |
|
Defines the VPN behavior for the specified domains or host names.
|
Wi-Fi
Silverback offers the ability to pre-populate multiple Wi-Fi Profile and settings on your devices, so the user does not need to know the password for these networks. If you having a WPA Enterprise protected network (e.g. with a RADIUS Server), please refer to WPA Enterprise Settings for additional information.
| Setting | Options | Description |
|---|---|---|
| General Settings | ||
| Wi-Fi Settings | Enabled or Disabled | Enables the sending of Wi-Fi settings. |
| SSID | e.g. Corporate Wi-Fi | Service Set Identifier of the wireless network. |
| Security Type |
|
Defines the used Wireless network encryption. |
| Hidden Network | Enabled or Disabled | Enable if the target network is not open or hidden. |
| Automatically Join | Enabled or Disabled | The device will automatically join the Wi-Fi network. |
| Password | e.g. Pa$$w0rd | Password for authenticating to the wireless network. |
| Proxy Settings | ||
| Proxy |
|
Ensures the device talks to the necessary Proxy. Review WPA Enterprise Settings for additional information. |
| Protocol Settings (only Enterprise) | ||
| Accepted EAP Types |
|
Defines the protocol utilized by encryption type. Review WPA Enterprise Settings for additional information. |
| Protected Access Credentials |
|
Defines the PAC configuration. Review WPA Enterprise Settings for additional information. |
| Authentication Settings (only Enterprise) | ||
| Username and Password |
|
Defines the used authentication mechanism. Review WPA Enterprise Settings for additional information.
|
| Certificate-based authentication |
|
Defines the used authentication mechanism. Please refer to: Certification Authority Integration Guide for Certificate Based Authentication |
| Allow Two Rands | Enabled or Disabled | Allow authenticating to server providing only two RAND values (EAP-SIM). |
| Trust Settings (only Enterprise) | ||
| Trust |
|
Defines the chain of trust. Review WPA Enterprise Settings for additional information. |
Firewall
macOS Firewall can be set up to prevent unauthorized applications, programs and services from accepting incoming connections. The configuration is supported from macOS Sierra and newer (10.12+).
| Setting | Options | Description |
|---|---|---|
| Firewall Settings | Firewall Settings | Enables the firewall profile configuration. If no other values will be defined, it will prevent the user to do manual changes in the firewall settings on the device. |
| Enable Firewall | Enabled or disabled | Specify, whether the firewall should be enabled or not. If true, the firewall will be enabled. Signed software and system services will receive incoming connections by default unless explicitly blocked through Application Access. |
| Block All Incoming Connections | Enabled or disabled | If enabled, the firewall will be configured to block all incoming connections by default. |
| Enable Stealth Mode | Enabled or disabled | If you’re concerned about security, you can use “stealth mode” to make it more difficult for hackers and malware to find your Mac. When stealth mode is turned on, your Mac does not respond to “ping” requests and does not answer connection attempts from a closed TCP or UDP network. |
| Applications Access | ||
| Bundle Identifier | e.g. com.shazam.mac.Shazam |
With application access you can determine the list of apps with connections controlled by the firewall. Add a list of applications with the unique Bundle ID. |
| Incoming Connection | Enabled or disabled | If enabled, incoming connections for the specified application will be received. If disabled incoming connections will be denied. |
FileVault
FileVault full-disk encryption uses XTS-AES-128 encryption with a 256-bit key to help prevent unauthorized access to the information on your startup disk. When FileVault is turned on, macOS devices always require log in with an account password. The encryption occurs in the background and only while the device is awake and plugged in to AC power. Users or Administrators can check the progress in the FileVault section of Security & Privacy preferences. Any new files that are created are automatically encrypted as they are saved to the startup disk. In case users will lose or forget their account password, the devices can be recovered by an reset using the Reset Password assistant with the Recovery Key from the users. Administrators will see the corresponding Recovery Key in the device information under the Security Information sections. Due to the possibility of changed personal recovery keys in the device cycle for the users, a Recovery History will be saved and can be revealed by Administrators. Each reveal action will create an entry in the Audit Logs.
| Setting | Options | Description |
|---|---|---|
| Enable FileVault | Enabled or Disabled | Forces the users to encrypt assigned devices. |
| Profile Name | e.g. Silverback FileVault | Display Name for the Profile on the assigned device. |
| Location | e.g. The Key will be represented to your Administrator in case you will forget your macOS Password. | The description of the location where the recovery key will be escrowed. This text will be inserted into the message the user sees when enabling FileVault manually. |
| Bypassed allowed |
|
The maximum number of times users can bypass enabling FileVault before being required to enable it to log in. |
| Request encryption during logout | Enabled or Disabled | If disabled, prevents additional requests for enabling FileVault at user logout time. |
| Show recovery key to user | Enabled or Disabled | If disabled, prevents display of the personal recovery key to the user after FileVault is enabled. |
If the profile is applied and the user wants to manually enable FileVault, the process will run into a failure. (The operation couldn't be completed. com.apple.OpenDirectory error 5103)
System Extensions
Apple did with macOS Catalina a step in modernizing and improving the security and reliability of macOS to provide a better architecture for kernel extensions and drivers. The outcome is a separation between System Extensions (macOS 10.15+) and Kernel Extensions . System extensions on macOS Catalina and later allow software like network extensions and endpoint security solutions to extend the functionality of macOS without requiring kernel-level access. System extensions are divided into Driver, Network, and Endpoint Security Extensions. They run in user space, where they can’t compromise the security or stability of macOS. Once installed, an extension is available to all users on the system and can perform tasks previously reserved for kernel extensions.
How to configure
- Enable System Extensions
- Enter a Profile name, e.g. Silverback System Extensions
- Enable Allow users to approve System Extensions (optional)
- Right Click System Extensions
- Select + Add Team ID
- Enter the display name for the Team ID
- Enter the Team ID
- Select allowed System Extensions type
- Click OK
Please note that for specified Team ID not containing the Bundle ID nodes, all the validly signed kernel extensions will be allowed to load on the device.
- Right click the newly added Team ID
- Select +Add BundleID
- Enter the display name for the System Extension
- Enter the Bundle ID of the System Extension
- Press OK
How to obtain
- To start, you can obtain a list of system extensions that are present on the machine via Terminal
- On you macOS device, open Terminal
- Run the following command
systemextensionsctl list
- The outcome provides the following information
enabled active teamID bundleID (version) name [state]
Kernel Extensions
In general, applications like antivirus software, firewalls, VPN clients, USB driver etc, install kernel or system extensions to extend native capabilities of the macOS operating system. The applications gain features access that are of the OS that applications without extensions can't access. Apple announced the plans to deprecate macOS Kernel Extensions and replace them with the macOS System extensions to modernize the platform, improve security and reliability, and enable more user-friendly distribution methods. The first step from Apple towards that was the introduction of system extensions for macOS Catalina.
Future OS releases will no longer load kernel extensions that use deprecated KPIs by default.
How to configure
- Enable Kernel Extensions
- Enter a Profile name, e.g. Silverback Kernel Extensions
- Enable Allow users to approve Kernel Extensions (optional)
- Enable Allow nonadministrative users to approve Kernel Extensions (optional)
- Right Click Kernel Extensions
- Select + Add Team ID
- Enter the display name for the Team ID
- Enter the Team ID
- Press OK
Please note that for specified Team ID not containing the Bundle ID nodes, all the validly signed kernel extensions will be allowed to load on the device.
- Right click the newly added Team ID
- Select +Add BundleID
- Enter the display name for the Bundle ID
- Enter the Bundle ID
- Press OK
How to obtain
- On you macOS device, open Terminal
- To obtain the Team ID, proceed with the following
sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy
- Once done, type:
SELECT * FROM kext_policy;
You will see the Team ID, the bundle ID for each individual extension and the display name of the developer. Note down the Team ID (the first item) - you will need all the IDs for the extensions you wish to whitelist.
- To list all Kernel Extensions, enter the following
kextstat
- To list all installed third party extensions
kextstat | grep -v com.apple
- To find the Kernel Extensions Folder
cd /System/Library/Extensions/
Privacy Preference
Privacy Preference settings allows Administrator to predefine approvals or denials for device feature requests from applications. On macOS devices, apps and processes often prompt users to allow or deny access to camera, microphone, files, calendars and address books. Use the ability to manage data access consent on behalf of your users and to overrule previous decisions made from the users. Privacy Preferences are supported in macOS Mojave (10.14+) and later. Press New Privacy Preference Profile to control data access on an app level basis.
| Setting | Options | Description |
|---|---|---|
| Name | e.g. Skype | Application Name. |
| Identifier Type |
|
Select her either BundleID or Path depending on if it is an app bundle or the binary. |
| Identifier |
e.g. com.skype.skype |
The bundle ID or installation path of the binary. If you don't know your bundle identifier yet, install the app manually and run Terminal and execute osascript -e 'id of app "Finder"' for receiving the bundle ID as an example for Finder. |
| Code Requirement | e.g. identifier "com.skype.skype" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = AL798K98FX | Provide here the Code Requirement of the application. This is obtained via the command codesign. Open Terminal. on your Mac and run codesign -dr - /Applications/Skype.app for getting the Code Requirement for Skype. |
| Static Code Validation | Enabled or Disabled | Optional and if enabled , statically validates the code requirement of the app or service on-disk. Used only if the process invalidates its dynamic code signature. |
| Access Permissions | ||
| Accessibility |
|
Controls the access permissions for the app via the Accessibility subsystem. |
| Address Book |
|
Controls the access permissions for contact information managed by the Contacts.app. |
| Calendar |
|
Specifies the policies for calendar information managed by the Calendar.app. |
| Camera |
|
Controls the access permissions to the system camera. Access to the camera can only be denied. |
| File Provider Presence |
|
Controls the access permissions to File Provider Presence. This allows a File Provider application to know when the user is using files managed by the File Provider. |
| Listen Event |
|
Controls the permissions to allow the application to use Core Graphics and HID APIs to listen /receive to CGEvents and HID events from all processes. If allow standard user to set system service is configured, it allows a standard (non-admin) user to configure the permissions for the specified app in the Privacy preferences for services that otherwise require admin authorization. |
| Media Library |
|
Controls the permissions to allow the application to access Apple Music, music and video activity, and the media library. |
| Microphone |
|
Controls the access permissions to the system microphone. Access to the microphone can only be denied. |
| Photos |
|
Controls the access permissions to the pictures managed by the Photos app in ~/Pictures/.photoslibrary. |
| Post Event |
|
Specifies the access permissions for the application to use Core Graphics APIs to send CGEvents to the system event stream. |
| Reminders |
|
Specifies the policies for reminders information managed by the Reminders app. |
| Screen Capture |
|
Controls the access permissions to the application to capture the contents of the system display. Access to the contents can only be denied. If allow standard user to set system service is configured, it allows a standard (non-admin) user to configure the permissions for the specified app in the Privacy preferences for services that otherwise require admin authorization. |
| Speech Recognition |
|
Controls the access permission to the application to use the system Speech Recognition facility and to send speech data to Apple. |
| System Policy All Files |
|
Controls the application access to all protected files, including system administration files. |
| System Policy Desktop Folder |
|
Controls the application to access files in the user's Desktop folder. |
| System Policy Documents Folder |
|
Controls the application to access files in the user's Documents folder. |
| System Policy Download Folder |
|
Controls the application to access files in the user's Downloads folder. |
| System Policy Network Volumes |
|
Controls the application to access files on network volumes. |
| System Policy Removable Volumes |
|
Controls the application to access files on removable volumes. |
| System Policy Sys Admin Files |
|
Controls the application access to some files used in system administration. |
| Apple Events | ||
| Identifier Type |
|
Depending on the application, workflows may need to be approved by the application to communicate with built-in applications and services using the Apple Event service. Select her either BundleID or Path for the control of the desired Apple Event. |
| Identifier | e.g. com.apple.systemevents | Provide here the bundle ID or installation path of the Apple Event. The example shows the Identifier for System Events. |
| Code Requirement | e.g. identifier "com.apple.systemevents" and anchor apple | Provide here the Code Requirement of the application. This is obtained via the command codesign. The example shows the Identifier for System Events. |
| Process Access | Enabled or Disabled | Define if the access is granted or prohibited to the Apple Event from the Privacy Preference controlled application. |
Notification Settings
Notification settings offers Administrators the capability to define specific per app notifications, using their bundle identifiers. Notification settings are supported for devices running macOS 10.15+ and later. Notifications can be disabled at all or can be permitted to options like Show in Notification Center or Show on Lock Screen. This profile helps to ensure that users don't accidentally disable notifications for important applications. To configure the new Notification Settings, press New Notification Setting and select the App Store Country and start with a search for the app. After entering an app name, you receive the choice to select your application. After that, configure the following notification controls to your needs:
Custom Bundle IDs are also supported.
| Notification Setting | Options | Description |
|---|---|---|
| Allow Notifications | Enabled or Disabled | Allows or disallows notifications for this app. |
| Show in Notification Center | Enabled or Disabled | Allows or disallows notifications to be shown in notification center. |
| Sounds | Enabled or Disabled | Allows or disallows sounds for this app. |
| Badge App Icon | Enabled or Disabled | Allows or disallows badges for this app. |
| Show on Lock Screen | Enabled or Disabled | Allows or disallows notifications shown in the lock screen. |
| Banner Style |
|
Type of alert for notifications for this app. |
Software Updates
Provides the capability to control Software Updates settings on macOS devices.
To check if the settings have been applied, navigate either System Preferences > Software Update > Software Update> Advanced or to System Preferences > Profiles > Device Profiles and review your applied profile.
| Setting | Options | Description |
|---|---|---|
| Software Update | Enabled or Disabled | Enables the configuration of the Software Update Policy and installs a profile to associated devices. |
| Profile Name | e.g. Silverback Software Update | Display Name of the Software Update Device Profile. |
| Catalog URL | e.g. http://swscan.apple.com/content/cata...ndex.sucatalog | The URL of the software update catalog. An internal software update server allows to reduce the amount of bandwidth used when distributing software updates from Apple. Instead of each computer downloading updates from Apple’s Software Update server, updates are only downloaded from Apple once per server. An internal software update server also allows you also to control and approve updates before you make them available. This setting is reflected in the System Preferences > Profiles section on the Mac. |
| Check for updates | Enabled or Disabled | If disabled, deselects the Check for updates option and disables the automatic check for updates. |
| Download new updates when available | Enabled or Disabled | If disabled, deselects the Download new updates when available option and prevents the user from changing the option. If enabled the Mac will download updates without asking the user. |
| Install macOS updates | Enabled or Disabled | If disabled, restricts the Install macOS Updates option and prevents the user from changing the option. If enabled the Mac will install macOS Updates automatically. This setting is reflected in the System Preferences > Profiles section on the Mac and will enable the Automatically keep my Mac up to date Software Update option. |
| Install app updates from the App Store | Enabled or Disabled | If disabled, deselects the Install app updates from the App Store option and prevents the user from changing the option If enabled, the Mac will install app updates from the App Store automatically. This setting is reflected in the System Preferences > Profiles section on the Mac and under Advanced. |
| Install system data files and security updates | Enabled or Disabled | If disabled, disables the automatic installation of critical updates and prevents the user from changing the Install system data files and security updates. If enabled the Mac will install system files and security updates automatically. |
| Allow prerelease software installation | Enabled or Disabled | If enabled, prerelease software can be installed on this computer. |
| Automatic installation of configuration data | Enabled or Disabled | If disabled, its restrict the automatic installation of security-configuration updates, such as XProtectPlistConfigData which prevents known malware from running . |
| Restrict app installations to admin users | Enabled or Disabled | If enabled, restrict app installations to admin users. This setting is reflected in the System Preferences > Profiles section on the Mac. |
Global HTTP Proxy
Enabling the Global HTTP Proxy will force all Network Traffic through a designated proxy server.
| Setting | Options | Description |
|---|---|---|
| Global HTTP Proxy | Enabled or Disabled | Enables the Global HTTP proxy. |
| Proxy Type |
|
Allows the administrator to select a proxy type. |
| Server | e.g. http:// proxy.imagoverum.com or 192.168.0.101 | The FQDN or IP address of the proxy server. |
| Port | e.g. 80 or 443 | The port of the proxy server. |
| Individual Usernames | Enabled or Disabled | Controls the user ability to enter their own credentials. |
| Username | e.g. Proxyuser | Allows the administrator to define the group username. |
| Password | e.g. Pa$$w0rd | Allows the administrator to define the group password. |
| PAC URL | e.g. http:// proxy.imagoverum.com/proxy.pac or 192.168.0.101/proxy.pac | Allows the administrator to specify the location of the PAC script. |
| Allow Proxy PAC Fallback | Enabled or Disabled | If enabled, allows connecting directly to the destination if the proxy auto configuration (PAC) file is unreachable. |
| Allow Proxy Captive Login | Enabled or Disabled | If enabled, allows the device to bypass the proxy server to display the login page for captive networks. |
Time Server
This profile is used to define a time server on a managed device and a desired time zone. Upon activation of the profile, the default setting is the Apple time server (time.apple.com). However, this can be changed to an alternative time server such as (time.windows.com). It is also possible to set the desired time zone for the device using the drop-down menu. For additional information, please refer to Set and configure Time Zones for Apple devices.
| Setting | Options | Description |
|---|---|---|
| Time Server Settings |
|
Enables the Time Server Profile within the Tag. |
| Time Server |
|
Defines the NTP server to connect to. In macOS 10.13 and earlier, you can use commas to separate multiple time servers. |
| Time Zone | e.g. Europe/Berlin | Defines the configured Time Zone on the device. |
Extensible Single Sign-On
Extensible Single Sign-On streamlines and secures user authentication across apps and services by allowing customized, centralized login experiences. You can use the Extensible Single Sign-On profile to define extensions for multifactor user authentication on your enrolled iPhone, iPad, or Mac devices. This extension is for use by identity providers to deliver a seamless experience as users sign in to apps and websites. When properly configured, the user authenticates once then gains access to subsequent native apps and websites automatically. This should result in an enhanced user experience and reduced login friction, while improving security and reducing support costs while having consistent authentication policies. Please refer to Streamline User Authentication with Extensible Single Sign-On for additional information.
| Setting | Options | Description |
|---|---|---|
| Profile Name | e.g. Microsoft Enterprise SSO | The Profile name used in Silverback and and shown as description in the profiles on the device. |
| Extension Identifier | e.g. com.microsoft.CompanyPortalMac.ssoextension | The unique bundle identifier of the app extension that performs SSO for the specified URLs. |
| Team identifier | e.g. UBF8T346G9 | The unique team ID for the app. |
| Type |
|
Defines the Sign-on type. Available options are Credential and Redirect. When Credential is select, the URLs section will be switched to Hosts and Realm configuration. |
| URLs | e.g. | A list of Identity Provider URL prefixes where the application extension performs SSO. Required for Redirect type and ignored for Credential. The URLs must begin with http:// or https://, the scheme and hostname are matched case-sensitively, query parameters and URL fragments aren't allowed and the URLs of all installed Extensible SSO Profiles must be unique |
| Hosts | e.g. .imagoverum.com or sts.imagoverum.com |
A list of host or domain names that apps can authenticate through the app extension. The hosts can either be individual host names or suffixes, such as .example.com. Host names that begin with a “.” are wildcard suffixes that match all subdomains; otherwise the host name needs be an exact match. The system:
|
| Realm | e.g. IMAGOVERUM.COM | Defines the realm name when Credential type is used. Use proper capitalization for this value. |
| Screen locked behavior |
|
Cancel: The system cancels authentication requests when the screen is locked. Do not handle: The request continues without SSO instead. This doesn’t apply to requests where userInterfaceEnabled is false, or for background URLSession requests. Available in iOS and iPadOS 15 and later. |
| Denied bundle identifiers |
|
Adds bundle identifiers for applications that don't use the SSO provided by this extension. Available in iOS and iPadOS 15 and later. |
| Extension Data |
Example: <key>AllowList</key> <string>com.imagoverum.com</string> <key>Enabled</key> <integer>1</integer> |
A dictionary of arbitrary data passed through to the app extension. Silverback expects exactly only keys and values like in the example. Please do not add any additional <dict> or something similar like <plist>. |
App Portal
The Application portal is where devices can access Enterprise applications and recommended Third Party applications via a web clip icon. To enable access to the Application portal for end users and push the app portal web clip icon to devices, ensure App Portal Enabled box is ticked.
| Setting | Options | Description |
|---|---|---|
| App Portal | Enabled or Disabled | Enables and pushes the App Portal Icon to enrolled devices. |
To customize the App Portal navigate to Admin > App Portal
Custom Profiles
Custom Profiles are a very helpful option to configure additional payloads for your managed devices. You can utilize the Apple Configurator 2 to create custom profiles in a *.mobileconfig format. Additionally, you might create or receive a custom XML from a third-party vendor, like for the Cisco Security Connector Umbrella Setup for iOS and iPadOS. Depending on the format or the way how you create or receive the profile, you can either upload the *.mobileconfig to Silverback or add the XML content into the provided section inside the profile. Created profiles with the Apple Configurator 2 can easily be adjusted by replacing the file type to *.txt (e.g., on Windows 10) or opening these files directly with the Text Editor (e.g., on macOS devices). System Variables are supported in the Use XML option or by uploading a *.mobileconfig file that contains a System Variable. Silverback will adjust the XML or the mobileconfig on the fly and convert the System Variables to the individual values and install this payload with the desired content on your devices.
- Click New Custom Profile
| Setting | Options | Description |
|---|---|---|
| Name | e.g. CalDAV Profile | Display Name for the Custom Profile. |
| Description | e.g. Custom CalDAV Profile | Description for the Custom Profile. |
| Scope |
|
Define the target scope for the profile installation. Apple generally offers the option to install configuration profiles and applications in the device or user scope. Profiles installed in the device scope are valid for all users on the device, while user profiles are only active for the user or the account with which the device was logged in to the system. According to the MDM protocol, some profiles can be installed in both scopes, some require the user scope, and some require the device scope. |
| Use XML | Enabled or Disabled | Use this option if have a profile that is not saved as a *.mobileconfig file. |
| XML Text |
e.g.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>allowRapidSecurityResponseInstallation</key>
<false/>
<key>allowRapidSecurityResponseRemoval</key>
<false/>
<key>allowUSBRestrictedMode</key>
<false/>
<key>allowUniversalControl</key>
<false/>
<key>PayloadIdentifier</key>
<string>com.example.myrestrictionspayload</string>
<key>PayloadType</key>
<string>com.apple.applicationaccess</string>
<key>PayloadUUID</key>
<string>53bec1be-ffec-4f88-acbd-b02aee8f04a9</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>Restrictions</string>
<key>PayloadIdentifier</key>
<string>com.example.myprofile</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>6020206c-12c2-4ada-987a-dd4c560ca73a</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
|
Enter in the section your custom profile content in case it is not saved as a*.mobileconfig file. |
| Mobileconfig File | Choose File | Uploads the *.mobileconfig file. |
Web Clips
Silverback allows administrators to push down Internet shortcuts to their Managed Devices, giving users easy access to the websites the administrator wants.
- Click New Web Clip
| Setting | Options | Description |
|---|---|---|
| Web Clip Name | e.g. Matrix42 | Web Clip Display Name. |
| Link | e.g. https://www.matrix42.com | Target URL for the Web Clip. |
| Icon File | Choose File | A button for uploading a Custom Icon. Supported File Type: *.png. |
Policy
With Policy or Policies Administrators have the ability to enforce rules with Silverback, such as enforcing what Apps are installed on the devices, what Cellular Networks the device is on through to enforcing the Serial Numbers of the devices as they are enrolled into the system. These are the environmental conditions that Silverback will continue to monitor for and ‘police’ for any devices that are associated with the Tag.
OS Version Compliance
Administrators have the ability to control which OS versions are allowed within their environment. To allow an OS version, simply ensure the checkbox next to the respective OS version is ticked. Enrolling a device with a disabled OS version will result in the device automatically being blocked.
- Alert Administrators: When the checkbox is checked, all administrators will receive an email when a device that violates OS compliance is detected, or when a new OS version is discovered.
- Automatically Approve New OS Versions: When an OS platform is enrolled to Silverback for the first time, the OS is automatically added to the list. By default, unknown OS platforms are disabled and relevant devices will be blocked. To automatically authorize new OS versions as they are discovered, ensure the checkbox is ticked.
Use this feature where you do not want devices to be automatically blocked when a user upgrades their device to a new future OS version that is released by their software vendor.
OS Updates
A common question that you may face is how can we prevent our devices from updating updating to the latest version of macOS and how can we test the new macOS update before all of our users will install it? Often, organizations wish to check the latest macOS release, verifying that the business-related apps they use will continue to function properly on the devices used by their organization. For that Apple offers the possibility to specify a number of days to delay software updates, with a maximum of 90 days. With this option enabled, the user of the device will not see a software update until the specified number of days has passed since the release.
| Setting | Options | Requirement | Description |
|---|---|---|---|
| macOS 11.3 and newer | |||
| Defer Major System Updates | Enabled or Disabled | macOS 11.3 | Enables the deferral for major system updates. |
| Defer Updates For | 1-90 | macOS 11.3 | Defines the specified delay after the release of the software update. |
| Defer Minor System Updates | Enabled or Disabled | macOS 11.3 | Enables the deferral for minor system updates. |
| Defer Updates For | 1-90 | macOS 11.3 | Defines the specified delay after the release of the software update. |
| Defer Non-Operating System Updates | Enabled or Disabled | macOS 11.3 | Enables the deferral for non-operating system updates. |
| Defer Update for | 1-90 | macOS 11.3 | Defines the specified delay after the release of the software update. |
| macOS 10.13 until 11.3 | |||
| Defer Operating System updates | Enabled or Disabled | macOS 10.13 | Enables the deferral for operating system updates. |
| Defer Non-Operating System Updates | Enabled or Disabled | macOS 11 | Enables the deferral for non-operating system updates. |
| Defer Updates for Days | 1-90 | macOS 10.13.4 | Defines the time period of how long updates will be deferred. |
Create different Tags with different values to allow new OS updates in waves. Here is an example how it could look like:
- Do not use the feature for the internal IT or MDM department.
- Enable and restrict set the policy for Pilot Users to 14 days
- Enable and restrict set the policy for non-critical departments to 30 days
- For critical department use the maximum value of 90 days.
Hardware Compliance
Administrators have the ability to enforce a hardware compliance policy through Silverback. Simply uncheck the boxes for hardware types that should not be supported and any devices that match the hardware type and are managed by Silverback will be blocked. The list of hardware types is managed via the Device Types option in the Admin Tab of the Silverback Console. If a mapping from device type to hardware type exists, the hardware type will be displayed in the hardware compliance list. When a Device Manufacturer release a new version of their hardware the model numbers may not be known by Silverback, in this case Silverback will ‘learn’ them and store them as ‘Unknown’ in the Device Types section under the Admin Tab where the Administrator can update them manually. To allow these devices into your system you enable the ‘Unknown’ checkbox option. This will allow the device into your Silverback Environment and you can later re-classify this device type in the Admin > Device Types section.
- Alert Administrators: When the checkbox is checked it will ensure that administrators receive an email when a device that violates hardware compliance is detected.
Lockdown
The Lockdown screen allows you to determine what device compliance policies are enabled and what action should automatically occur when a violation is detected. Each policy is enabled/disabled through their associated checkbox. Enabling a lockdown policy ensures that the device is inspected to ensure it is compliant with that policy during the initial enrollment as well as at regular intervals as defined by the ‘Perform check every’ drop down.
Lockdown Actions
| Action | Description |
|---|---|
| No action | No action is performed on the device; however alerting administrators may be performed if configured. |
| Lock | A lock command is sent to the device which will lock the screen of the device. |
| Block | The device is blocked, and the device is moved to the blocked devices table. |
| Delete Business Data | Deletes the device and removes all corporate data. |
| Factory Wipe | The device is hard reset to factory default settings. |
| Alert administrator | Emails are sent to all administrators notifying them of the policy violation when it is detected. |
Lockdown Policies
| Policy | General | Options | Description |
|---|---|---|---|
| Enforce Hardware Authentication | Enabled or Disabled |
|
Hardware authentication can be enabled or disabled from this screen. See the hardware authentication for more information on this configuration. |
| Require Full Disk Encryption | Enabled or Disabled |
|
Determines if macOS devices require Full Disk Encryption or not. |
Apps
The Apps Feature Section is how Administrators can automate the distribution of Device Apps for specific groups of users. Before you can begin assigning Apps to the Tag you first need to have the uploaded into the Silverback App Portal. Once you have Apps in the Silverback App Portal, they can be distributed using the Apps Feature associated with your Tag.
App Types
Three different App Types are available for macOS devices:
| Type | Description |
|---|---|
| Enterprise | Applications owned by an Organization with *.pkg file. |
| VPP | Applications bought via Volume Purchase Program. |
Assign Apps
Once Apps are uploaded into the Silverback App Portal Tab, they can be distributed to devices via a Tag they have been associated with.
- Navigate to Apps
- Click Assign More Apps
- Select any applications from the shown Assign Applications page
- Click Add Selected Apps
Change Deployment Options
By default configurations will be inherit from the App Portal. To customize the settings perform the following steps for each application:
- Click the Edit button in the Manage Config column
- Update Deployment Options
- Click Save
When you add an application to a Tag that has an enabled Auto Population, be aware that the changes affects immediately after adding the application to the Tag. So, if your application has enabled as an example the App Management option Automatically push to managed devices, and you add this application into an Auto Population enabled Tag, devices will get instant a push with the application configuration that is inherit from the App Portal, as it is the default configuration. In this scenario you might run into an accidental automatic installation of applications. When you want to add applications to a Tag with enabled Auto Population tag, either disable temporary the Auto Population or ensure as an example that the Application has a not set the Automatically push to managed devices option in the App Portal.
Overview
Already assigned applications are displayed in the Apps section of any Tag with the following columns:
| Column | Description |
|---|---|
| Type | Displays the app type, either Enterprise or VPP. |
| Name | Displays the application name. |
| Version | Displays the application version for Enterprise Apps. |
| Description | Displays the application description given in App Portal. |
| Remaining VPP | The remaining number of VPP licenses for this app. |
| Total VPP | The total amount of VPP licenses for this app. |
| Manage Config | Click edit to change deployment options. |
| Remove | Removes the App from the Tag. |
Change Deployment Options
By default configurations will be inherit from the App Portal. To customize the settings perform the following steps for each application.
- Click the Edit button in the Manage Config column
- Update Deployment Options
- Click Save
Content
Content Management functionalities are not supported on macOS devices .