Matrix42 Self-Service Help Center

Tags Guide Part V: macOS

Profile

Profiles for each device type are managed independently allowing separate configuration and management of profiles for each device type. When a device is provisioned, it will be provisioned with the profile configuration at the time the device was enrolled. When a profile change is made, new devices will receive the new configuration as well as devices that are currently managed and/or blocked. When any Profiles are changed, ensure the settings are correct as these will be applied immediately to all applicable devices. Please ensure you click on the Save or Save & Close button on the bottom right of the screen to commit your changes before selecting another page.

Exchange ActiveSync

Setting Options Description
Exchange ActiveSync Settings Enabled or Disabled Enables the ActiveSync Profile.
Label e.g. Imagoverum Exchange or  e.g. {firstname} The Label for the Email Account as it appears on the device.
Server Name e.g. outlook.office365.com  External Exchange Active Sync address.
Past Days of Mail to Sync
  • Unlimited
  • One Day
  • Three days
  • One week
  • Two weeks
  • One Month
Period of mail to synchronize to the device.
Use SSL Enabled or Disabled If the URL for the External Mail Server is protected by an SSL Certificate then use SSL.
Use oAuth Enabled or Disabled Enables and uses oAuth Authentication for Identity Providers on native mail client.
Use Custom Username Variable e.g. {CustLdapVar0} or support@imagoverum.com Define a Custom Variable Attribute for the Username for the EAS Profile.
Use Custom Email Variable e.g. {CustLdapVar0} or tim.tober@imagoverum.com Define a Custom Variable Attribute for the Email Address for the EAS Profile.
Use Custom Password Variable e.g. {UserPassword} or Pa$$w0rd  Define a Custom Variable Attribute for the Email Password for the EAS Profile.
Enterprise Certificate Choose File Upload a certificate for certificate based authentication with one certificate.
Certificate Password e.g. Pa$$w0rd Password for the certificate.
Path   Specifies a different path for the Exchange client to connect.
Port   Specifies a different port for the Exchange client to connect to.
External Host   If the external network address is different, you can specify this. This ensures the user will sync mail in the office and at home when the URLs are different.
External SSL   Determines if the external connection should use SSL.
External Port   Sets the external TCP port the Exchange Client should use.
External Path   Sets the external path for the Exchange client.

Email

Setting Options Description
Email Settings Enabled or Disabled Enables Email Settings.
Email Address e.g. {UserEmail} or support@imagoverum.com Defines Email Address of the Account.
User Display Name e.g. {UserName} or Tim Tober Defines the Display Name of the User for this Email Account.
Account Description e.g. Imagoverum Mail Defines Friendly Name of this Email Account.
Account Type
  • IMAP
  • POP
Toggles between IMAP and POP Account Types.
IMAP Path Prefix e.g. INBOX Defines where to look for mail.
Incoming Mail
Incoming Mail Server e.g. imap-mail.outlook.com or pop-mail.outlook.com  
Incoming Mail Port e.g. 995  
Incoming Mail Username    
Authentication
  • None
  • Password
  • MD5 Challenge-Response
  • NTLM
  • NTTP MD5 Digest
 
Embed User Password Enabled or Disabled  
Use SSL Enabled or Disabled  
Outgoing Mail
Outgoing Mail Server e.g. imap-mail.outlook.com or pop-mail.outlook.com  
Outgoing Mail Port e.g. 995  
Outgoing Mail Username    
Authentication
  • None
  • Password
  • MD5 Challenge-Response
  • NTLM
  • NTTP MD5 Digest
 
Embed User Password Enabled or Disabled  
Use SSL Enabled or Disabled  

Passcode

With passcode settings, you can ensure that your users' managed devices are protected from unauthorized third-party access by requiring a passcode, for example. You can also set other security-related settings associated with the passcode configuration, such as the length and complexity of required passwords, or resetting the device to factory defaults after a certain number of failed attempts. 

Setting Options Description
Passcode Settings Enabled or Disabled Enables Passcode Settings.
Allow Simple Enabled or Disabled Permit the use of repeating, ascending or descending characters.
Change at next Auth Enabled or Disabled By enabling, the system causes a password reset to occur the next time the user tries to authenticate.

If this key is set in a device profile, the setting takes effect for all users, and admin authentications may fail until the admin user password is also reset. In the current design, user approved enrollments will receive the profile in the user scope. Devices enrolled via DEP will receive the profile in the device scope.

In addition, please note that if this setting is enabled and the profile is installed on the device, any subsequent change within the profile will result in a reset of the profile on the device, which by protocol design is considered a new installation and will force users to change their password. Thus, any change to a passcode profile that has Change at next Auth enabled will result in users being prompted to change their passwords, so please choose your settings carefully before enabling this option.
Require Alpha Numeric Enabled or Disabled Require passcode to contain at least one letter.
Minimum Length 4-19 The smallest number of passcode characters allowed.
Minimum Complex characters 1-4 Smallest number of non-alphanumeric characters allowed. If ‘Allow Simple’ is checked, then this configuration is disabled.
Maximum Passcode Age - 1-730 days or none 1-730 or empty How often passcode must be changed.
Auto-lock (minutes) 2,5 Device automatically locks due to inactivity after this time period.
Passcode history (1-50 passcodes, or none) 1-50 or empty Number of unique passcodes required before reuse.
Grace Period for Device Lock
  • Immediately
  • 1 Minute
  • 5 Minutes
  • 15 Minutes
Amount of time device screen can sleep before device locks.
Maximum Failed Attempts 2-11 The number of allowed failed attempts to enter the passcode at the device’s lock screen. After six failed attempts, the system imposes a time delay before a passcode can be entered again. The delay increases with each attempt. With Minutes Until Failed Login Reset you can define a delay before the next passcode can be entered. When the number of failed attempts is exceeded, the system locks the device. The default value for Maximum Failed Attempts is 11.
Minutes Until Failed Login Reset 0-2147483647 minutes, or none. Defines the number of minutes before the system resets the login after the maximum number of unsuccessful login attempts is reached.
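A pre-deployment check for the passcode settings above, as an added example that is not part of Silverback or the original page: it reads the Passcode payload from an exported configuration profile, checks values against the ranges in the table, and reports when an edit to a profile with Change at next Auth enabled would force a password change. It assumes the profile uses Apple's standard Passcode payload type and key names (`minLength`, `changeAtNextAuth`, and so on); the mapping from the console labels to those keys is an assumption, and both sample profiles are constructed.

```python
import plistlib

# Apple's payload type for passcode policy in a configuration profile.
PASSCODE_TYPE = "com.apple.mobiledevice.passwordpolicy"

# Allowed ranges exactly as listed in the Passcode table on this page.
# Key names are Apple's payload keys; the label-to-key mapping is an assumption.
RANGES = {
    "minLength": (4, 19),
    "minComplexChars": (1, 4),
    "maxPINAgeInDays": (1, 730),
    "pinHistory": (1, 50),
    "maxFailedAttempts": (2, 11),
    "minutesUntilFailedLoginReset": (0, 2147483647),
}


def passcode_settings(profile_bytes):
    """Return the Passcode payload's settings (Payload* metadata stripped), or None."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == PASSCODE_TYPE:
            return {k: v for k, v in payload.items() if not k.startswith("Payload")}
    return None


def lint_passcode(new_bytes, installed_bytes=None):
    """Return a list of findings for a proposed profile.

    installed_bytes is the profile currently on devices, if any; it is only
    used to detect edits that would trigger the Change at next Auth reset.
    """
    new = passcode_settings(new_bytes)
    if new is None:
        return ["no passcode payload in profile"]

    findings = []
    for key, (low, high) in RANGES.items():
        value = new.get(key)
        if value is not None and not low <= value <= high:
            findings.append(f"{key}={value} outside {low}-{high}")

    # The table states Minimum Complex characters is disabled with Allow Simple.
    if new.get("allowSimple") is True and "minComplexChars" in new:
        findings.append("minComplexChars is disabled while allowSimple is on")

    if new.get("changeAtNextAuth"):
        old = passcode_settings(installed_bytes) if installed_bytes else None
        if old is None:
            findings.append("changeAtNextAuth: users must reset their password at next login")
        elif old != new:
            changed = sorted(k for k in set(old) | set(new) if old.get(k) != new.get(k))
            findings.append(
                "changeAtNextAuth: edit to " + ", ".join(changed)
                + " reinstalls the profile and forces a password change"
            )
    return findings


def build_profile(**settings):
    """Build a constructed sample profile (not exported from a real console)."""
    payload = {
        "PayloadType": PASSCODE_TYPE,
        "PayloadIdentifier": "example.passcode",
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",
        "PayloadVersion": 1,
        **settings,
    }
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadIdentifier": "example.profile",
        "PayloadUUID": "00000000-0000-0000-0000-000000000000",
        "PayloadVersion": 1,
        "PayloadContent": [payload],
    })


# Constructed samples: the profile already on devices and a proposed edit.
INSTALLED = build_profile(allowSimple=False, minLength=8,
                          maxFailedAttempts=11, changeAtNextAuth=True)
PROPOSED = build_profile(allowSimple=True, minLength=3, minComplexChars=2,
                         maxFailedAttempts=11, changeAtNextAuth=True)

if __name__ == "__main__":
    for finding in lint_passcode(PROPOSED, INSTALLED):
        print(finding)
```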

Screen Saver

This feature controls whether a password is required when the screen saver is unlocked or stopped. You can also define the password delay and the idle time before the screen saver starts.

Screen Saver Module Path might work only on older devices, even if the setting is not officially deprecated by Apple.

Setting Options Description
Require Password Enabled or Disabled Defines if the user is prompted for a password when the screen saver is unlocked or stopped. When you use this prompt, you must also provide Password Delay (in secs). Available in macOS 10.13 and later.
Password Delay (in secs) 1-2147483647 Defines the number of seconds to delay before the password will be required to unlock or stop the screen saver (the grace period). To use this option, Require Password must be enabled. A value of 2147483647 can be used to disable this requirement. Available in macOS 10.13 and later.
Login Window Screen Saver Idle Time (in secs) e.g. 0 The number of seconds of inactivity before the screen saver activates. If no value is provided, the default of 300 seconds (5 minutes) takes effect (0 = never activate).
Screen Saver Module Path e.g. /System/Library/Screen Savers/Flurry.saver The full path to the screen-saver module to use. Note that not all screen savers will work before login. These may include any feed, random, shuffle or non-Apple codesigned screensavers.

Restrictions

Restrictions are usually simple on/off settings that extend the configuration options of your managed devices and increase the security options. By enabling or disabling them, users are either authorized or explicitly prohibited from configuring certain settings on the device.

Setting Options Requirement Description
App Store & iTunes
Allow App Store App adoption
  • Enabled or Disabled
  • macOS 10.10
If true, disables app adoption by users. Available in macOS 10.10 and later.
Allow iTunes File Sharing Services
  • Enabled or Disabled
  • macOS 10.13
If false, disables iTunes file sharing services. Available in macOS 10.13 and later.
Require admin password to install or update apps
  • Enabled or Disabled
  • macOS 10.9
If true, an administrator password is required in order to update any apps. Deprecated in macOS 10.14. Please use Software Updates Configuration.
Restrict App Store to software updates only
  • Enabled or Disabled
  • macOS 10.10
If true, prevents App Store from launching. Available in macOS 10.14 and later. Restricts installations to software updates only in macOS 10.10 - 10.13.
Classroom
Force Classroom Automatically Join Classes
  • Enabled or Disabled
  • macOS 10.14.4
If true, automatically gives permission to the teacher's requests without prompting the student. Requires a supervised device. Available in macOS 10.14.4 and later.
Force Classroom Requests Permission to Leave Classes
  • Enabled or Disabled
  • macOS 10.14.4
If true, a student enrolled in an unmanaged course through Classroom requests permission from the teacher when attempting to leave the course. Requires a supervised device. Available in macOS 10.14.4 and later.
Force Classroom Unprompted Apps and Device Lock
  • Enabled or Disabled
  • macOS 10.14.4
If true, allows the teacher to lock apps or the device without prompting the student. Requires a supervised device. Available in macOS 10.14.4 and later.
Force Classroom Unprompted Screen Observation
  • Enabled or Disabled
  • macOS 10.14.4
If true and Allow Remote Screen Observation is also true, a student enrolled in a managed course via the Classroom app automatically gives permission to that course teacher's requests to observe the student's screen without prompting the student. Requires a supervised device. Available in macOS 10.14.4 and later.
Game Center
Allow Game Center
  • Enabled or Disabled
  • macOS 10.13
If false, disables Game Center, and its icon is removed from the Home screen. Available in macOS 10.13 and later.
Allow Game Center Account modification
  • Enabled or Disabled

 

If false, users of Game Center can’t modify their user name or password.
Allow Game Center Friends
  • Enabled or Disabled
  • macOS 10.13
If false, prohibits adding friends to Game Center. Available in macOS 10.13 and later.
Allow Multiplayer Gaming
  • Enabled or Disabled
  • macOS 10.13
If false, prohibits multiplayer gaming. Available in macOS 10.13 and later.
iCloud
Allow iCloud Address Book
  • Enabled or Disabled
  • macOS 10.12
If false, disables iCloud Address Book services. Available in macOS 10.12 and later.
Allow iCloud Bookmarks
  • Enabled or Disabled
  • macOS 10.12
If false, disables iCloud Bookmark sync. Available in macOS 10.12 and later.
Allow iCloud Calendar
  • Enabled or Disabled
  • macOS 10.12
If false, disables iCloud Calendar services. Available in macOS 10.12 and later.
Allow iCloud Desktop and Documents
  • Enabled or Disabled
  • macOS 10.12.4
If false, disables cloud desktop and document services. Available in macOS 10.12.4 and later.
Allow iCloud Document Sync
  • Enabled or Disabled
  • macOS 10.11
If false, disables document and key-value syncing to iCloud. Available in macOS 10.11 and later.
Allow iCloud Freeform Services
  • Enabled or Disabled
  • macOS 14
Disallows iCloud Freeform services. 
Allow iCloud Keychain Sync
  • Enabled or Disabled
  • macOS 10.12
If false, disables iCloud keychain synchronization. This restriction is deprecated on unsupervised devices and will be supervised only in a future release. Available in macOS 10.12 and later.
Allow iCloud Mail Services
  • Enabled or Disabled
  • macOS 10.12
If false, disables iCloud Mail services. Available in macOS 10.12 and later.
Allow iCloud Notes Services
  • Enabled or Disabled
  • macOS 10.12
If false, disables iCloud Notes services. Available in macOS 10.12 and later.
Allow iCloud Photo Library
  • Enabled or Disabled
  • macOS 10.12
If false, disables iCloud Photo Library. Any photos not fully downloaded from iCloud Photo Library to the device are removed from local storage. Available in macOS 10.12 and later.
Allow iCloud Private Relay
  • Enabled or Disabled
  • macOS 12
iCloud Private Relay is an internet privacy service offered as a part of an iCloud+ subscription that allows users to connect to and browse the web more privately and securely. If false, prevents the user from using iCloud Private Relay.
Allow iCloud Reminder Services
  • Enabled or Disabled
  • macOS 10.12
If false, disables iCloud Reminder services. Available in macOS 10.12 and later.
Network & Connection
Allow Universal Control
  • Enabled or Disabled
  • macOS 13
If disabled, this setting prevents using the Mac's trackpad and keyboard to control additional Macs and/or iPadOS devices nearby.
Allow USB Restricted Mode
  • Enabled or Disabled
  • macOS 13
Controls the authorization for new USB accessories. If disabled, allows the device to always connect to USB accessories while locked.
Security & Privacy
Allow Activation Lock
  • Enabled or Disabled
  • macOS 10.16
Allows or disallows the device to enable the activation lock. Changing the Activation Lock restriction will only take effect before the Apple ID has been added to the device. Please refer to Activation Lock and Bypassing for additional information.
Allow Auto Unlock
  • Enabled or Disabled
  • macOS 10.12
If false, disallows auto unlock. Available in macOS 10.12 and later.
Allow Diagnostic Data to be Sent to Apple
  • Enabled or Disabled
  • macOS 10.13
If false, prevents the device from automatically submitting diagnostic reports to Apple. Available in macOS 10.13 and later. Also available for user enrollment.
Allow Fingerprint For Unlock
  • Enabled or Disabled
  • macOS 10.12.4
If false, prevents Touch ID or Face ID from unlocking a device. Available in macOS 10.12.4 and later.
Allow Fingerprint Modification
  • Enabled or Disabled
  • macOS 14
Prevents the user from modifying Touch ID or Face ID.
Allow Passcode Modification
  • Enabled or Disabled
  • macOS 10.13
If false, prevents the device passcode from being added, changed, or removed. Requires a supervised device. Available in macOS 10.13 and later.
Allow Password AutoFill
  • Enabled or Disabled
  • macOS 10.14
If false, disables the AutoFill Passwords feature in iOS (with Keychain and third-party password managers) and the user isn't prompted to use a saved password in Safari or in apps. This restriction also disables Automatic Strong Passwords, and strong passwords are no longer suggested to users. It does not prevent AutoFill for contact info and credit cards in Safari. Requires a supervised device. Available in macOS 10.14 and later.
Allow Password Proximity Requests
  • Enabled or Disabled
  • macOS 10.14
If false, disables requesting passwords from nearby devices. Requires a supervised device. Available in macOS 10.14 and later.
Allow Password Sharing
  • Enabled or Disabled
  • macOS 10.14
If false, disables sharing passwords with the Airdrop Passwords feature. Requires a supervised device. Available in macOS 10.14 and later.
Allow Rapid Security Response Installation
  • Enabled or Disabled
  • macOS 13
Allows disabling the Rapid Security Response mechanism.
Allow Rapid Security Response Removal
  • Enabled or Disabled
  • macOS 13
Blocks the end-user from being able to remove the Rapid Security Response mechanism.
Allow Safari Autofill
  • Enabled or Disabled
  • macOS 10.13
If false, disables Safari AutoFill for passwords, contact info, and credit cards and also prevents the Keychain from being used for AutoFill, though third-party password managers are allowed and apps can use AutoFill. Available in macOS 10.13 and later.
Allow Spotlight Internet Results
  • Enabled or Disabled
  • macOS 10.11
If false, disables Spotlight Internet search results in Siri Suggestions. Available in macOS 10.11 and later.
Allow Startup Disk Modification
  • Enabled or Disabled
  • macOS 14
Prevents modification of Startup Disk setting in System Settings. 
Allow Time Machine Backup
  • Enabled or Disabled
  • macOS 14
Prevents modification of Time Machine settings in System Settings. 
Sharing
Allow AirDrop Sharing
  • Enabled or Disabled
  • macOS 10.9
If false, AirDrop Sharing won't show up in the user's Share menu. Available in macOS 10.9 and later; deprecated in macOS 10.12.
Allow Aperture Sharing
  • Enabled or Disabled
  • macOS 10.9
If false, Aperture Sharing won't show up in the user's Share menu. Available in macOS 10.9 and later; deprecated in macOS 10.12.
Allow Content Caching
  • Enabled or Disabled
  • macOS 10.13
If false, disables content caching. Available in macOS 10.13 and later.
Allow Facebook Sharing
  • Enabled or Disabled
  • macOS 10.9
If false, Facebook Sharing won't show up in the user's Share menu. Available in macOS 10.9 and later; deprecated in macOS 10.12.
Allow Mail Sharing
  • Enabled or Disabled
  • macOS 10.9
If false, Mail Sharing won't show up in the user's Share menu. Available in macOS 10.9 and later; deprecated in macOS 10.12.
Allow Messages Sharing
  • Enabled or Disabled
  • macOS 10.9
If false, Messages Sharing won't show up in the user's Share menu. Available in macOS 10.9 and later; deprecated in macOS 10.12.
Allow Sina Weibo Sharing
  • Enabled or Disabled
  • macOS 10.9
If false, Sina Weibo Sharing won't show up in the user's Share menu. Available in macOS 10.9 and later; deprecated in macOS 10.12.
Allow Twitter Sharing
  • Enabled or Disabled
  • macOS 10.9
If false, Twitter Sharing won't show up in the user's Share menu. Available in macOS 10.9 and later; deprecated in macOS 10.12.
Allow Video Sharing
  • Enabled or Disabled
  • macOS 10.9
If false, Video Sharing won't show up in the user's Share menu. Available in macOS 10.9 and later; deprecated in macOS 10.12.
Siri
Allow Siri
  • Enabled or Disabled
  • macOS 14
Disables Siri.
Force On-Device Only Dictation
  • Enabled or Disabled
  • macOS 14
Disables connections to Siri servers for the purposes of dictation. Also available for user enrollment.
System Preferences (*deprecated with macOS 13)
Allow Appstore Preference
  • Enabled or Disabled
  • macOS 10.7
If false, App Store Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later.
Allow Backup Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Backup Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later.
Allow Bluetooth Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Bluetooth Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later.
Allow CDs & DVDs Preference
  • Enabled or Disabled
  • macOS 10.7
If false, CDs & DVDs Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later.
Allow Configuration Profiles Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Profiles Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later.
Allow Datetime Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Date & Time Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later.
Allow Desktop and Screen Saver Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Desktop & Screen Saver Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later.
Allow Displays Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Displays Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later.
Allow Dock Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Dock Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later.
Allow Energy Saver Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Energy Saver Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later.
Allow Extensions Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Extensions Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later.
Allow Fibrechannel Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Fibre Channel Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later.
Allow General Preference
  • Enabled or Disabled
  • macOS 10.7
If false, General Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later.
Allow iCloud Preference
  • Enabled or Disabled
  • macOS 10.7
If false, iCloud Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later.
Allow Ink Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Ink Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later.
Allow Internet Accounts Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Internet Accounts Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later.
Allow Keyboard Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Keyboard Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later.
Allow Language and Text Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Language & Region Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later.
Allow Mission Control Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Mission Control Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later.
Allow Mouse Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Mouse Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later.
Allow Network Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Network Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later.
Allow Notifications Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Notifications Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later.
Allow Parental Controls Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Parental Controls Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later.
Allow Printers and Scanners Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Printers & Scanners Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later.
Allow Security and Privacy Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Security and Privacy Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later.
Allow Sharing Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Sharing Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later.
Allow Software Update Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Software Update Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later.
Allow Sound Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Sound Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later.
Allow Speech Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Speech Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later.
Allow Spotlight Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Spotlight Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later.
Allow Startup Disk Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Startup Disk Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later.
Allow Trackpad Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Trackpad Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later.
Allow Universal Access Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Universal Access Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later.
Allow Users Preference
  • Enabled or Disabled
  • macOS 10.7
If false, User Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later.
Allow Xsan Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Xsan Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later.
System Settings
Allow Account Modification
  • Enabled or Disabled
  • macOS 14
Disables account modification. Requires a supervised device.
Allow Activity Continuation
  • Enabled or Disabled
  • macOS 10.15
If false, disables activity continuation. Available in macOS 10.15 and later.
Allow AirDrop
  • Enabled or Disabled
  • macOS 10.13
If false, disables AirDrop. Available in macOS 10.13 and later.
Allow Bluetooth Sharing Modification
  • Enabled or Disabled
  • macOS 14
Prevents modifying Bluetooth setting in System Settings. 
Allow Camera
  • Enabled or Disabled
  • macOS 10.11
If false, disables the camera, and its icon is removed from the Home screen. Users are unable to take photographs. This restriction is deprecated on unsupervised devices and will be supervised only in a future release. Available in macOS 10.11 and later.
Allow Changing Device Name
  • Enabled or Disabled
  • macOS 14
Prevents the user from changing the device name.
Allow Dictation
  • Enabled or Disabled
  • macOS 10.13
If false, disallows dictation input. Requires a supervised device. Available in macOS 10.13 and later.
Allow Erase Content And Settings
  • Enabled or Disabled
  • macOS 11.3
Disables the Erase All Content and Settings option in the Reset UI.
Allow File Sharing Modification
  • Enabled or Disabled
  • macOS 14
Prevents modifying File Sharing setting in System Settings. 
Allow Internet Sharing Modification
  • Enabled or Disabled
  • macOS 14
Prevents modifying Internet Sharing setting in System Settings. 
Allow Local User Creation
  • Enabled or Disabled
  • macOS 14
Prevents creating new users in System Settings. 
Allow Music Service
  • Enabled or Disabled
  • macOS 10.12
If false, disables the Music service, and the Music app reverts to classic mode. Requires a supervised device. Available in macOS 10.12 and later.
Allow Printer Sharing Modification
  • Enabled or Disabled
  • macOS 14
Prevents modifying Printer Sharing setting in System Settings.
Allow Remote Apple Events Modification
  • Enabled or Disabled
  • macOS 14
Prevents modifying Remote Apple Events Sharing setting in System Settings.
Allow Remote Management Sharing
  • Enabled or Disabled
  • macOS 14
Prevents modifying the Remote Management Sharing setting in System Settings. 
Allow Screen Capture
  • Enabled or Disabled
  • macOS 10.14.4
If false, disables saving a screenshot of the display and capturing a screen recording. It also disables the Classroom app from observing remote screens. Available in macOS 10.14.4 and later. Also available for user enrollment.
Allow Remote Screen Observation
  • Enabled or Disabled
  • macOS 10.14.4
If false, disables remote screen observation by the Classroom app. If Allow Screen Capture is set to false, the Classroom app doesn't observe remote screens. Required a supervised device until macOS 10.15. Available in macOS 10.14.4 and later.
Allow Wallpaper Modification
  • Enabled or Disabled
  • macOS 10.14
If false, prevents wallpaper from being changed. Requires a supervised device. Available in macOS 10.13 and later.

Virtual Private Network

General

Setting Options Description
VPN Settings Enabled or Disabled Enables VPN Settings.
VPN Type 
  • Cisco (IPSec)
  • Cisco AnyConnect
  • Pulse Secure
  • F5 Access Legacy
  • F5 Access
  • Custom SSL
  • IPSec (Cisco)
  • SonicWall Mobile Connect
  • Check Point Mobile VPN
Type of connection enabled by this policy. The corresponding application(s) must be installed on the device.
Connection Name e.g. Imagoverum VPN Display name of the connection displayed on the device.
Server Address e.g. vpn.imagoverum.com  Host name or IP address for the server.
Authentication Type
  • Certificate
  • Password
  • Shared Secret/Group Name (Cisco IPSec only)

Authentication type for the connection. Selecting Certificate requires a Certification Authority Integration.

Cache user password

Enabled or Disabled

Silverback will take the captured user password from the enrollment for authentication.

App specific settings

Setting Options Description
Cisco AnyConnect
Group e.g. Mobile Device Users Group for authenticating the connection.
Juniper SSL
Realm e.g. Mobile Users Realm for authenticating the connection.
Role e.g. Mobile Device Users Role for authenticating the connection.
Custom SSL
Identifier e.g. com.imagoverum.intranet Identifier for the custom SSL VPN in reverse DNS format.
SonicWall Mobile Connect
Login Group or Domain e.g. CORP Login Group or Domain for authenticating the connection. 
IPSec (Cisco) with Certificate
Include User PIN Enabled or Disabled

Request PIN during connection and send with authentication.

*Only available if Certificate is selected as Authentication Type

Group Name 

 

e.g. mygroup1

Group Identifier for the connection.

Only available if Certificate is selected as Authentication Type

Shared Secret e.g. v+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL

Shared secret for the connection.

Only available if Certificate is selected as Authentication Type

Use Hybrid Authentication Enabled or Disabled

Authenticate using secret, name, and server-side certificate.

Only available if Certificate is selected as Authentication Type

Prompt for Password Enabled or Disabled* Prompt user for password on the device.
Custom SSL 
Custom Data
  • Key
  • Value
Keys and string values for custom data.

VPN specific settings

Setting Options Description
VPN On Demand
Enable VPN on Demand

Enabled or Disabled

Add Domain and host names that will establish a VPN.
Match Domain or Host
  • e.g. int.imagoverum.com
Define matching domains or host names to use VPN on Demand.
On Demand Action
  • Always establish
  • Never establish
  • Established if needed 

Defines the VPN behavior for the specified domains or host names.

  • Always establish: The specified domains will trigger a VPN connection.
  • Established if needed: The specified domains should trigger a VPN connection attempt.
  • Never establish: The specified domains will not trigger a VPN connection nor be accessible through an existing VPN connection.

Wi-Fi 

Silverback offers the ability to pre-populate multiple Wi-Fi profiles and settings on your devices, so the user does not need to know the password for these networks. If you have a WPA Enterprise protected network (e.g. with a RADIUS Server), please refer to WPA Enterprise Settings for additional information.

Setting Options Description
General Settings
Wi-Fi Settings Enabled or Disabled Enables the sending of Wi-Fi settings.
SSID e.g. Corporate Wi-Fi Service Set Identifier of the wireless network.
Security Type
  • WEP
  • WPA2
  • Any Personal
  • Any Enterprise
Defines the encryption used by the wireless network.
Hidden Network Enabled or Disabled Enable if the target network is not open or hidden.
Automatically Join Enabled or Disabled The device will automatically join the Wi-Fi network.
Password e.g. Pa$$w0rd Password for authenticating to the wireless network.
Proxy Settings
Proxy
  • Proxy Type (None, Auto, Manual)
  • Server
  • Port
  • Individual Usernames or pre-defined Username
  • Individual Passwords or pre-defined Password
  • PAC URL
  • Allow Direct Connection if PAC is Unreachable

Ensures the device talks to the necessary Proxy.

Review WPA Enterprise Settings for additional information. 

Protocol Settings (only Enterprise)
Accepted EAP Types
  • TLS
  • LEAP
  • TTLS
  • PEAP
  • EAP-FAST
  • EAP-SIM
  • EAP-AKA

Defines the protocol utilized by encryption type.

Review WPA Enterprise Settings for additional information. 

Protected Access Credentials
  • Use Pac
  • Provision PAC
  • Provision PAC Anonymously

Defines the PAC configuration.

Review WPA Enterprise Settings for additional information. 

Authentication Settings (only Enterprise)
Username and Password
  • Use Individual Username
  • Use Per-Connection Password
  • Use User Password

Defines the authentication mechanism used.

Review WPA Enterprise Settings for additional information. 

 

Certificate-based authentication
  • Certificate Type
    • Enterprise Certificate
      • Upload Certificate
    • Individual Client Certificate
      • Individual Client Certificate subject
      • Populate Into Active Directory
        • Certificate Template Name
        • Requester Name LDAP Attribute
        • Agent Certificate 
  • Outer Identity (TTLS,PEAP EAP-Fast)
  • Inner Authentication (TTLS)

Defines the authentication mechanism used.

Please refer to: Certification Authority Integration Guide for Certificate Based Authentication

Allow Two Rands Enabled or Disabled Allow authenticating to server providing only two RAND values (EAP-SIM).
Trust Settings (only Enterprise)
Trust
  • Allow Trust Exceptions
  • Server (Add or Remove)
  • Upload Certificate (Add or Remove)

Defines the chain of trust.

Review WPA Enterprise Settings for additional information. 

Firewall

macOS Firewall can be set up to prevent unauthorized applications, programs and services from accepting incoming connections. The configuration is supported from macOS Sierra and newer (10.12+). 

Setting Options Description
Firewall Settings Firewall Settings Enables the firewall profile configuration. If no other values are defined, it prevents the user from making manual changes to the firewall settings on the device.
Enable Firewall Enabled or disabled Specifies whether the firewall should be enabled or not. If true, the firewall will be enabled. Signed software and system services will receive incoming connections by default unless explicitly blocked through Application Access.
Block All Incoming Connections Enabled or disabled If enabled, the firewall will be configured to block all incoming connections by default. 
Enable Stealth Mode Enabled or disabled If you’re concerned about security, you can use “stealth mode” to make it more difficult for hackers and malware to find your Mac. When stealth mode is turned on, your Mac does not respond to “ping” requests and does not answer connection attempts from a closed TCP or UDP network.
Applications Access
Bundle Identifier e.g. com.shazam.mac.Shazam

With application access you can determine the list of apps with connections controlled by the firewall.  Add a list of applications with the unique Bundle ID.

Incoming Connection Enabled or disabled If enabled, incoming connections for the specified application will be received. If disabled, incoming connections will be denied.

FileVault

FileVault full-disk encryption uses XTS-AES-128 encryption with a 256-bit key to help prevent unauthorized access to the information on your startup disk. When FileVault is turned on, macOS devices always require login with an account password. The encryption occurs in the background and only while the device is awake and plugged in to AC power. Users or Administrators can check the progress in the FileVault section of Security & Privacy preferences. Any new files that are created are automatically encrypted as they are saved to the startup disk. If users lose or forget their account password, the device can be recovered by a reset using the Reset Password assistant with the user's Recovery Key. Administrators will see the corresponding Recovery Key in the device information under the Security Information section. Because a user's personal recovery key can change during the device lifecycle, a Recovery History is saved and can be revealed by Administrators. Each reveal action creates an entry in the Audit Logs.

Setting Options Description
Enable FileVault Enabled or Disabled Forces the users to encrypt assigned devices.
Profile Name e.g. Silverback FileVault Display Name for the Profile on the assigned device.
Location e.g. The Key will be represented to your Administrator in case you will forget your macOS Password.  The description of the location where the recovery key will be escrowed. This text will be inserted into the message the user sees when enabling FileVault manually. 
Bypassed allowed
  • Do not encrypt at login
  • Force encryption at login
  • 1
  • 2
  • 3
  • 5
  • 10
  • Unlimited
The maximum number of times users can bypass enabling FileVault before being required to enable it to log in.
Request encryption during logout Enabled or Disabled If disabled, prevents additional requests for enabling FileVault at user logout time. 
Show recovery key to user Enabled or Disabled If disabled, prevents display of the personal recovery key to the user after FileVault is enabled.

If the profile is applied and the user tries to enable FileVault manually, the process fails. (The operation couldn't be completed. com.apple.OpenDirectory error 5103)

System Extensions

With macOS Catalina, Apple took a step toward modernizing and improving the security and reliability of macOS by providing a better architecture for kernel extensions and drivers. The outcome is a separation between System Extensions (macOS 10.15+) and Kernel Extensions. System extensions on macOS Catalina and later allow software like network extensions and endpoint security solutions to extend the functionality of macOS without requiring kernel-level access. System extensions are divided into Driver, Network, and Endpoint Security Extensions. They run in user space, where they can’t compromise the security or stability of macOS. Once installed, an extension is available to all users on the system and can perform tasks previously reserved for kernel extensions.

How to configure

  • Enable System Extensions
  • Enter a Profile name, e.g. Silverback System Extensions
  • Enable Allow users to approve System Extensions (optional)
  • Right Click System Extensions
  • Select + Add Team ID
    • Enter the display name for the Team ID
    • Enter the Team ID
    • Select allowed System Extensions type
    • Click OK

Please note that for a specified Team ID that does not contain any Bundle ID nodes, all validly signed kernel extensions will be allowed to load on the device.

  • Right click the newly added Team ID
  • Select +Add BundleID
    • Enter the display name for the System Extension
    • Enter the Bundle ID of the System Extension
    • Press OK

How to obtain

  • To start, you can obtain a list of system extensions that are present on the machine via Terminal
  • On your macOS device, open Terminal
  • Run the following command
systemextensionsctl list
  • The outcome provides the following information
enabled active  teamID  bundleID (version)  name    [state]
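One way to turn that listing into per-Team-ID, per-Bundle-ID entries, so that no Team ID is added without Bundle ID nodes. This is an added example, not Silverback or Apple code; the sample output is constructed, and the tab-separated layout, the category lines and the `approved_team_ids` input are assumptions.

```python
import re
from collections import defaultdict

# Category lines printed above each group, mapped to the extension types
# named on this page (assumed category identifiers).
CATEGORY_TO_TYPE = {
    "com.apple.system_extension.driver_extension": "Driver",
    "com.apple.system_extension.network_extension": "Network",
    "com.apple.system_extension.endpoint_security": "Endpoint Security",
}

# Constructed sample, not captured from a real device. Assumption: columns are
# tab-separated and follow the header order shown above.
SAMPLE_OUTPUT = (
    "4 extension(s)\n"
    "--- com.apple.system_extension.network_extension\n"
    "enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n"
    "*\t*\tAAAAA11111\tcom.example.vpn.tunnel (2.1/5)\tExample Tunnel\t[activated enabled]\n"
    "\t\tAAAAA11111\tcom.example.vpn.tunnel (2.0/4)\tExample Tunnel\t"
    "[terminated waiting to uninstall on reboot]\n"
    "--- com.apple.system_extension.endpoint_security\n"
    "enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n"
    "*\t*\tBBBBB22222\tcom.example.edr.agent (7.3/1)\tExample EDR\t[activated enabled]\n"
    "\t*\tCCCCC33333\tcom.example.unknown.filter (0.9/1)\tUnknown Filter\t"
    "[activated waiting for user]\n"
)

BUNDLE_RE = re.compile(r"^(\S+)\s+\(([^)]*)\)$")


def parse_extensions(output):
    """Return one dict per extension row of `systemextensionsctl list` output."""
    rows, category = [], None
    for line in output.splitlines():
        if line.startswith("--- "):
            category = line[4:].strip()
            continue
        cols = line.split("\t")  # do not strip first: empty flags are leading tabs
        if len(cols) != 6 or cols[2] == "teamID":
            continue  # count line, header line or blank line
        match = BUNDLE_RE.match(cols[3].strip())
        if not match:
            continue
        rows.append({
            "enabled": cols[0].strip() == "*",
            "active": cols[1].strip() == "*",
            "team_id": cols[2].strip(),
            "bundle_id": match.group(1),
            "version": match.group(2),
            "name": cols[4].strip(),
            "state": cols[5].strip().strip("[]"),
            "type": CATEGORY_TO_TYPE.get(category, "Unknown"),
        })
    return rows


def build_allow_list(rows, approved_team_ids):
    """Group Bundle IDs under approved Team IDs; everything else goes to review.

    Returns (plan, review). plan maps Team ID -> extension type -> Bundle IDs,
    which mirrors the Team ID / Bundle ID nodes entered in the profile.
    """
    plan = defaultdict(lambda: defaultdict(set))
    review = []
    for row in rows:
        if row["team_id"] not in approved_team_ids:
            review.append((row["team_id"], row["bundle_id"], "team not approved"))
        elif row["state"].startswith("activated"):
            plan[row["team_id"]][row["type"]].add(row["bundle_id"])
        # Rows in a terminated state are old versions awaiting removal: skipped.
    tidy = {team: {kind: sorted(ids) for kind, ids in kinds.items()}
            for team, kinds in plan.items()}
    return tidy, review


if __name__ == "__main__":
    plan, review = build_allow_list(parse_extensions(SAMPLE_OUTPUT),
                                    {"AAAAA11111", "BBBBB22222"})
    for team, kinds in plan.items():
        for kind, bundle_ids in kinds.items():
            print(team, kind, ", ".join(bundle_ids))
    for team, bundle_id, reason in review:
        print("REVIEW", team, bundle_id, reason)
```

On a managed Mac, the output of `systemextensionsctl list` can be passed to `parse_extensions` in place of the constructed sample.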

Kernel Extensions

In general, applications like antivirus software, firewalls, VPN clients, USB drivers, etc. install kernel or system extensions to extend the native capabilities of the macOS operating system. These applications gain access to OS features that applications without extensions can't access. Apple announced plans to deprecate macOS Kernel Extensions and replace them with macOS System Extensions to modernize the platform, improve security and reliability, and enable more user-friendly distribution methods. Apple's first step in that direction was the introduction of system extensions in macOS Catalina.

Future OS releases will no longer load kernel extensions that use deprecated KPIs by default.

How to configure

  • Enable Kernel Extensions
  • Enter a Profile name, e.g. Silverback Kernel Extensions
  • Enable Allow users to approve Kernel Extensions (optional)
  • Enable Allow nonadministrative users to approve Kernel Extensions (optional)
  • Right Click Kernel Extensions
  • Select + Add Team ID
    • Enter the display name for the Team ID
    • Enter the Team ID
    • Press OK

Please note that for a specified Team ID that does not contain any Bundle ID nodes, all validly signed kernel extensions will be allowed to load on the device.

  • Right click the newly added Team ID
  • Select +Add BundleID
    • Enter the display name for the Bundle ID
    • Enter the Bundle ID
    • Press OK

How to obtain

  • On your macOS device, open Terminal
  • To obtain the Team ID, proceed with the following 
sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy
  • Once done, type:
SELECT * FROM kext_policy;

You will see the Team ID, the bundle ID for each individual extension and the display name of the developer. Note down the Team ID (the first item) - you will need all the IDs for the extensions you wish to whitelist.

  • To list all Kernel Extensions, enter the following
kextstat
  • To list all installed third party extensions
kextstat | grep -v com.apple
  • To find the Kernel Extensions Folder
cd /System/Library/Extensions/

Privacy Preference

Privacy Preference settings allow Administrators to predefine approvals or denials for device feature requests from applications. On macOS devices, apps and processes often prompt users to allow or deny access to the camera, microphone, files, calendars and address books. Use these settings to manage data access consent on behalf of your users and to overrule decisions users made previously. Privacy Preferences are supported in macOS Mojave (10.14) and later. Press New Privacy Preference Profile to control data access on a per-app basis.

Setting Options Description
Name e.g. Skype Application Name.
Identifier Type
  • BundleID
  • Path

Select either BundleID or Path here, depending on whether it is an app bundle or a binary.

Identifier

e.g. com.skype.skype

The bundle ID or installation path of the binary. If you don't know your bundle identifier yet, install the app manually, open Terminal, and run osascript -e 'id of app "Finder"' to receive the bundle ID (Finder is used here as an example).
Code Requirement e.g. identifier "com.skype.skype" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = AL798K98FX Provide the Code Requirement of the application here. It is obtained via the codesign command. Open Terminal on your Mac and run codesign -dr - /Applications/Skype.app to get the Code Requirement for Skype.
Static Code Validation Enabled or Disabled Optional. If enabled, statically validates the code requirement of the app or service on-disk. Used only if the process invalidates its dynamic code signature.
Access Permissions
Accessibility
  • Not Set
  • Block
  • Allow
Controls the access permissions for the app via the Accessibility subsystem.
Address Book
  • Not Set
  • Block
  • Allow
Controls the access permissions for contact information managed by the Contacts.app.
Calendar
  • Not Set
  • Block
  • Allow
Specifies the policies for calendar information managed by the Calendar.app.
Camera
  • Not Set
  • Block
Controls the access permissions to the system camera. Access to the camera can only be denied.
File Provider Presence
  • Not Set
  • Block
  • Allow
Controls the access permissions to File Provider Presence. This allows a File Provider application to know when the user is using files managed by the File Provider.
Listen Event
  • Not Set
  • Block
  • Allow standard user to set system service
Controls the permissions to allow the application to use Core Graphics and HID APIs to listen to (receive) CGEvents and HID events from all processes. If allow standard user to set system service is configured, it allows a standard (non-admin) user to configure the permissions for the specified app in the Privacy preferences for services that otherwise require admin authorization.
Media Library
  • Not Set
  • Block
Controls the permissions to allow the application to access Apple Music, music and video activity, and the media library.
Microphone
  • Not Set
  • Block
Controls the access permissions to the system microphone. Access to the microphone can only be denied.
Photos
  • Not Set
  • Block
  • Allow
Controls the access permissions to the pictures managed by the Photos app in  ~/Pictures/.photoslibrary.
Post Event
  • Not Set
  • Block
  • Allow
Specifies the access permissions for the application to use Core Graphics APIs to send CGEvents to the system event stream.
Reminders
  • Not Set
  • Block
  • Allow
Specifies the policies for reminders information managed by the Reminders app.
Screen Capture
  • Not Set
  • Block
  • Allow standard user to set system service
Controls the access permissions to the application to capture the contents of the system display. Access to the contents can only be denied. If allow standard user to set system service is configured, it allows a standard (non-admin) user to configure the permissions for the specified app in the Privacy preferences for services that otherwise require admin authorization.
Speech Recognition
  • Not Set
  • Block
  • Allow
Controls the access permission to the application to use the system Speech Recognition facility and to send speech data to Apple.
System Policy All Files
  • Not Set
  • Block
  • Allow
Controls the application access to all protected files, including system administration files.
System Policy Desktop Folder
  • Not Set
  • Block
  • Allow
Controls the application to access files in the user's Desktop folder.
System Policy Documents Folder
  • Not Set
  • Block
  • Allow
Controls the application to access files in the user's Documents folder.
System Policy Download Folder
  • Not Set
  • Block
  • Allow
Controls the application to access files in the user's Downloads folder.
System Policy Network Volumes
  • Not Set
  • Block
  • Allow
Controls the application to access files on network volumes.
System Policy Removable Volumes
  • Not Set
  • Block
  • Allow
Controls the application to access files on removable volumes.
System Policy Sys Admin Files
  • Not Set
  • Block
  • Allow
Controls the application access to some files used in system administration.
Apple Events
Identifier Type
  • BundleID
  • Path
Depending on the application, workflows may need to be approved by the application to communicate with built-in applications and services using the Apple Event service. Select either BundleID or Path here for the control of the desired Apple Event.
Identifier e.g. com.apple.systemevents Provide here the bundle ID or installation path of the Apple Event. The example shows the Identifier for System Events.
Code Requirement e.g. identifier "com.apple.systemevents" and anchor apple Provide here the Code Requirement of the application. This is obtained via the command codesign. The example shows the Identifier for System Events.
Process Access Enabled or Disabled Define if the access is granted or prohibited to the Apple Event from the Privacy Preference controlled application.

Notification Settings

Notification settings offer Administrators the capability to define specific per-app notifications, using their bundle identifiers. Notification settings are supported for devices running macOS 10.15 and later. Notifications can be disabled entirely or limited to options like Show in Notification Center or Show on Lock Screen. This profile helps to ensure that users don't accidentally disable notifications for important applications. To configure the new Notification Settings, press New Notification Setting, select the App Store Country, and search for the app. After entering an app name, you can select your application. After that, configure the following notification controls to your needs:

Custom Bundle IDs are also supported.

Notification Setting Options Description
Allow Notifications Enabled or Disabled Allows or disallows notifications for this app.
Show in Notification Center Enabled or Disabled Allows or disallows notifications to be shown in notification center.
Sounds Enabled or Disabled Allows or disallows sounds for this app.
Badge App Icon Enabled or Disabled Allows or disallows badges for this app.
Show on Lock Screen Enabled or Disabled Allows or disallows notifications shown in the lock screen.
Banner Style
  • None
  • Temporary Banner
  • Persistent Banner 
Type of alert for notifications for this app.

Software Updates 

Provides the capability to control Software Updates settings on macOS devices. 

To check if the settings have been applied, navigate either to System Preferences > Software Update > Software Update > Advanced or to System Preferences > Profiles > Device Profiles and review your applied profile.

Setting Options Description
Software Update Enabled or Disabled Enables the configuration of the Software Update Policy and installs a profile to associated devices.
Profile Name e.g. Silverback Software Update Display Name of the Software Update Device Profile. 
Catalog URL e.g. http://swscan.apple.com/content/cata...ndex.sucatalog The URL of the software update catalog. An internal software update server reduces the amount of bandwidth used when distributing software updates from Apple. Instead of each computer downloading updates from Apple’s Software Update server, updates are only downloaded from Apple once per server. An internal software update server also allows you to control and approve updates before you make them available. This setting is reflected in the System Preferences > Profiles section on the Mac.
Check for updates Enabled or Disabled If disabled, deselects the Check for updates option and disables the automatic check for updates. 
Download new updates when available Enabled or Disabled If disabled, deselects the Download new updates when available option and prevents the user from changing the option. If enabled the Mac will download updates without asking the user.
Install macOS updates Enabled or Disabled If disabled, restricts the Install macOS Updates option and prevents the user from changing the option. If enabled the Mac will install macOS Updates automatically. This setting is reflected in the System Preferences > Profiles section on the Mac and will enable the Automatically keep my Mac up to date Software Update option. 
Install app updates from the App Store Enabled or Disabled If disabled, deselects the Install app updates from the App Store option and prevents the user from changing the option. If enabled, the Mac will install app updates from the App Store automatically. This setting is reflected in the System Preferences > Profiles section on the Mac and under Advanced.
Install system data files and security updates Enabled or Disabled If disabled, disables the automatic installation of critical updates and prevents the user from changing the Install system data files and security updates. If enabled the Mac will install system files and security updates automatically.
Allow prerelease software installation Enabled or Disabled If enabled, prerelease software can be installed on this computer.
Automatic installation of configuration data Enabled or Disabled If disabled, restricts the automatic installation of security-configuration updates, such as XProtectPlistConfigData, which prevents known malware from running.
Restrict app installations to admin users Enabled or Disabled If enabled, restrict app installations to admin users.  This setting is reflected in the System Preferences > Profiles section on the Mac.

Time Server

This profile is used to define a time server on a managed device and a desired time zone. Upon activation of the profile, the default setting is the Apple time server (time.apple.com). However, this can be changed to an alternative time server such as (time.windows.com). It is also possible to set the desired time zone for the device using the drop-down menu. For additional information, please refer to Set and configure Time Zones for Apple devices.

Setting Options Description
Time Server Settings
  • Enabled or Disabled 
Enables the Time Server Profile within the Tag.
Time Server
  • e.g. time.apple.com
Defines the NTP server to connect to. In macOS 10.13 and earlier, you can use commas to separate multiple time servers.
Time Zone e.g. Europe/Berlin Defines the configured Time Zone on the device. 

App Portal

The Application portal is where devices can access Enterprise applications and recommended Third Party applications via a web clip icon. To enable access to the Application portal for end users and push the app portal web clip icon to devices, ensure App Portal Enabled box is ticked.

Setting Options Description
App Portal   Enabled or Disabled Enables and pushes the App Portal Icon to enrolled devices.

To customize the App Portal navigate to Admin > App Portal  

Custom Profiles

Custom Profiles are a very helpful option to configure additional payloads for your managed devices. You can use Apple Configurator 2 to create custom profiles in the *.mobileconfig format. Additionally, you might create or receive a custom XML from a third-party vendor, for example for the Cisco Security Connector Umbrella Setup for iOS and iPadOS. Depending on the format and on how you create or receive the profile, you can either upload the *.mobileconfig to Silverback or add the XML content into the provided section inside the profile. Profiles created with Apple Configurator 2 can easily be adjusted by changing the file type to *.txt (e.g., on Windows 10) or by opening the files directly with the Text Editor (e.g., on macOS devices). System Variables are supported in the Use XML option or by uploading a *.mobileconfig file that contains a System Variable. Silverback will adjust the XML or the mobileconfig on the fly, convert the System Variables to the individual values, and install this payload with the desired content on your devices.

  • Click New Custom Profile
Setting Options Description
Name   e.g. CalDAV Profile Display Name for the Custom Profile.
Description e.g. Custom CalDAV Profile Description for the Custom Profile.
Scope
  • User Scope
  • Device Scope
Define the target scope for the profile installation. Apple generally offers the option to install configuration profiles and applications in the device or user scope. Profiles installed in the device scope are valid for all users on the device, while user profiles are only active for the user or the account with which the device was logged in to the system. According to the MDM protocol, some profiles can be installed in both scopes, some require the user scope, and some require the device scope. 
Use XML Enabled or Disabled Use this option if you have a profile that is not saved as a *.mobileconfig file.
XML Text

e.g. 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>allowRapidSecurityResponseInstallation</key>
            <false/>
            <key>allowRapidSecurityResponseRemoval</key>
            <false/>
            <key>allowUSBRestrictedMode</key>
            <false/>
            <key>allowUniversalControl</key>
            <false/>
            <key>PayloadIdentifier</key>
            <string>com.example.myrestrictionspayload</string>
            <key>PayloadType</key>
            <string>com.apple.applicationaccess</string>
            <key>PayloadUUID</key>
            <string>53bec1be-ffec-4f88-acbd-b02aee8f04a9</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>Restrictions</string>
    <key>PayloadIdentifier</key>
    <string>com.example.myprofile</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>6020206c-12c2-4ada-987a-dd4c560ca73a</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
Enter your custom profile content in this section in case it is not saved as a *.mobileconfig file.
Mobileconfig File Choose File Uploads the *.mobileconfig file.
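A pre-upload check for a custom profile, added here as an example (not Silverback or Apple code). It parses the XML, verifies the payload keys shown in the sample above, lists `{...}` placeholders for confirmation as System Variables, and flags the two restriction keys from the sample that reduce protection when set to false. The embedded profile is constructed from the page's sample, and the function and constant names are hypothetical.

```python
import plistlib
import re
import uuid
from xml.parsers.expat import ExpatError

REQUIRED_KEYS = ("PayloadType", "PayloadIdentifier", "PayloadUUID", "PayloadVersion")

# Restriction keys from the page's sample whose value false reduces protection.
WEAKENS_WHEN_FALSE = {
    "allowRapidSecurityResponseInstallation": "Rapid Security Responses will not be installed",
    "allowUSBRestrictedMode": "USB Restricted Mode is turned off",
}

# Assumption: System Variables look like {firstname} or {CustLdapVar0}.
VARIABLE_RE = re.compile(r"\{[A-Za-z][A-Za-z0-9]*\}")

# Constructed sample: the page's example with a placeholder in the display name.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>PayloadContent</key><array><dict>
    <key>allowRapidSecurityResponseInstallation</key><false/>
    <key>allowRapidSecurityResponseRemoval</key><false/>
    <key>allowUSBRestrictedMode</key><false/>
    <key>allowUniversalControl</key><false/>
    <key>PayloadIdentifier</key><string>com.example.myrestrictionspayload</string>
    <key>PayloadType</key><string>com.apple.applicationaccess</string>
    <key>PayloadUUID</key><string>53bec1be-ffec-4f88-acbd-b02aee8f04a9</string>
    <key>PayloadVersion</key><integer>1</integer>
  </dict></array>
  <key>PayloadDisplayName</key><string>Restrictions for {firstname}</string>
  <key>PayloadIdentifier</key><string>com.example.myprofile</string>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadUUID</key><string>6020206c-12c2-4ada-987a-dd4c560ca73a</string>
  <key>PayloadVersion</key><integer>1</integer>
</dict></plist>
"""


def _strings(node):
    """Yield every string value found anywhere in the parsed plist."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from _strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from _strings(value)


def lint_profile(xml_bytes):
    """Return a list of (level, message) findings for a custom profile."""
    try:
        profile = plistlib.loads(xml_bytes)
    except (plistlib.InvalidFileException, ExpatError, ValueError) as exc:
        return [("error", f"not a valid property list: {exc}")]
    if not isinstance(profile, dict):
        return [("error", "top-level object is not a dictionary")]

    findings = []
    if profile.get("PayloadType") != "Configuration":
        findings.append(("error", "top-level PayloadType must be 'Configuration'"))
    content = profile.get("PayloadContent", [])
    payloads = [p for p in content if isinstance(p, dict)] if isinstance(content, list) else []

    seen_uuids = set()
    items = [("profile", profile)] + [(f"payload[{i}]", p) for i, p in enumerate(payloads)]
    for label, item in items:
        for key in REQUIRED_KEYS:
            if key not in item:
                findings.append(("error", f"{label}: missing {key}"))
        if "PayloadUUID" in item:
            try:
                parsed = uuid.UUID(str(item["PayloadUUID"]))
            except ValueError:
                findings.append(("error", f"{label}: PayloadUUID is not a UUID"))
                continue
            if parsed in seen_uuids:
                findings.append(("error", f"{label}: PayloadUUID duplicates another payload"))
            seen_uuids.add(parsed)

    for index, payload in enumerate(payloads):
        for key, effect in WEAKENS_WHEN_FALSE.items():
            if payload.get(key) is False:
                findings.append(("warn", f"payload[{index}]: {key} is false, {effect}"))

    for name in sorted({v for text in _strings(profile) for v in VARIABLE_RE.findall(text)}):
        findings.append(("info", f"placeholder {name}: confirm it is a Silverback System Variable"))
    return findings


if __name__ == "__main__":
    for level, message in lint_profile(SAMPLE_PROFILE):
        print(f"{level.upper():5} {message}")
```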

Web Clips

Silverback allows administrators to push down Internet shortcuts to their Managed Devices, giving users easy access to the websites the administrator wants.

  • Click New Web Clip
Setting Options Description
Web Clip Name   e.g. Matrix42 Web Clip Display Name.
Link e.g. https://www.matrix42.com Target URL for the Web Clip.
Icon File Choose File A button for uploading a Custom Icon. Supported File Type: *.png.

Policy

With Policies, Administrators can enforce rules with Silverback, from which Apps are installed on the devices and which Cellular Networks the device is on through to the Serial Numbers of the devices as they are enrolled into the system. These are the environmental conditions that Silverback will continue to monitor and ‘police’ for any devices that are associated with the Tag.

OS Version Compliance 

Administrators have the ability to control which OS versions are allowed within their environment. To allow an OS version, simply ensure the checkbox next to the respective OS version is ticked. Enrolling a device with a disabled OS version will result in the device automatically being blocked.

  • Alert Administrators: When the checkbox is checked, all administrators will receive an email when a device that violates OS compliance is detected, or when a new OS version is discovered.
  • Automatically Approve New OS Versions: When an OS platform is enrolled to Silverback for the first time, the OS is automatically added to the list. By default, unknown OS platforms are disabled and relevant devices will be blocked. To automatically authorize new OS versions as they are discovered, ensure the checkbox is ticked.

Use this feature where you do not want devices to be automatically blocked when a user upgrades their device to a new future OS version that is released by their software vendor.

OS Updates

A common question that you may face is how to prevent devices from updating to the latest version of macOS, and how to test a new macOS update before all users install it. Often, organizations wish to check the latest macOS release, verifying that the business-related apps they use will continue to function properly on the devices used by their organization. For that, Apple offers the possibility to specify a number of days to delay software updates, with a maximum of 90 days. With this option enabled, the user of the device will not see a software update until the specified number of days has passed since the release.

Setting Options Requirement Description
macOS 11.3 and newer
Defer Major System Updates Enabled or Disabled macOS 11.3 Enables the deferral for major system updates.
Defer Updates For  1-90 macOS 11.3 Defines the specified delay after the release of the software update.
Defer Minor System Updates Enabled or Disabled macOS 11.3 Enables the deferral for minor system updates.
Defer Updates For 1-90 macOS 11.3 Defines the specified delay after the release of the software update.
Defer Non-Operating System Updates Enabled or Disabled macOS 11.3 Enables the deferral for non-operating system updates.
Defer Update for  1-90 macOS 11.3 Defines the specified delay after the release of the software update.
macOS 10.13 until 11.3
Defer Operating System updates Enabled or Disabled macOS 10.13 Enables the deferral for operating system updates.
Defer Non-Operating System Updates Enabled or Disabled macOS 11 Enables the deferral for non-operating system updates.
Defer Updates for Days 1-90 macOS 10.13.4 Defines the time period of how long updates will be deferred.

Create different Tags with different values to allow new OS updates in waves. Here is an example of how this could look:

  • Do not use the feature for the internal IT or MDM department.
  • Enable the policy for Pilot Users and set the deferral to 14 days
  • Enable the policy for non-critical departments and set the deferral to 30 days
  • For critical departments, use the maximum value of 90 days.

Hardware Compliance 

Administrators have the ability to enforce a hardware compliance policy through Silverback. Simply uncheck the boxes for hardware types that should not be supported, and any devices that match the hardware type and are managed by Silverback will be blocked. The list of hardware types is managed via the Device Types option in the Admin Tab of the Silverback Console. If a mapping from device type to hardware type exists, the hardware type will be displayed in the hardware compliance list. When a Device Manufacturer releases a new version of their hardware, the model numbers may not be known by Silverback. In this case Silverback will ‘learn’ them and store them as ‘Unknown’ in the Device Types section under the Admin Tab, where the Administrator can update them manually. To allow these devices into your system, enable the ‘Unknown’ checkbox option. This will allow the device into your Silverback Environment, and you can later re-classify this device type in the Admin > Device Types section.

  • Alert Administrators: When the checkbox is checked, administrators will receive an email when a device that violates hardware compliance is detected.

Lockdown

The Lockdown screen allows you to determine what device compliance policies are enabled and what action should automatically occur when a violation is detected. Each policy is enabled/disabled through their associated checkbox. Enabling a lockdown policy ensures that the device is inspected to ensure it is compliant with that policy during the initial enrollment as well as at regular intervals as defined by the ‘Perform check every’ drop down.

Lockdown Actions

Action Description
No action No action is performed on the device; however alerting administrators may be performed if configured.
Lock A lock command is sent to the device which will lock the screen of the device. 
Block The device is blocked, and the device is moved to the blocked devices table. 
Delete Business Data Deletes the device and removes all corporate data.
Factory Wipe The device is hard reset to factory default settings.
Alert administrator Emails are sent to all administrators notifying them of the policy violation when it is detected. 

Lockdown Policies

Policy  General Options Description
Enforce Hardware Authentication Enabled or Disabled
  • No action
  • Lock 
  • Block
  • Wipe
Hardware authentication can be enabled or disabled from this screen. See the hardware authentication for more information on this configuration.
Require Full Disk Encryption Enabled or Disabled
  • No action
  • Lock 
  • Block
  • Wipe
Determines if macOS devices require Full Disk Encryption or not.

Apps 

The Apps Feature Section is where Administrators can automate the distribution of Device Apps for specific groups of users. Before you can begin assigning Apps to the Tag, you first need to have them uploaded into the Silverback App Portal. Once you have Apps in the Silverback App Portal, they can be distributed using the Apps Feature associated with your Tag.

App Types

Three different App Types are available for macOS devices:

Type Description
Enterprise Applications owned by an organization, provided as a *.pkg file.
VPP Applications bought via Volume Purchase Program.

Assign Apps 

Once Apps are uploaded into the Silverback App Portal Tab, they can be distributed to devices via a Tag they have been associated with.

  • Navigate to Apps
  • Click Assign More Apps
  • Select the applications you want on the Assign Applications page
  • Click Add Selected Apps 

Change Deployment Options

By default, configurations are inherited from the App Portal. To customize the settings, perform the following steps for each application:

  • Click the Edit button in the Manage Config column
  • Update Deployment Options
  • Click Save

When you add an application to a Tag that has Auto Population enabled, be aware that the change takes effect immediately after the application is added to the Tag. For example, if the application has the App Management option Automatically push to managed devices enabled and you add it to a Tag with Auto Population enabled, devices are instantly pushed the application with the configuration inherited from the App Portal, because that is the default configuration. In this scenario you might trigger an accidental automatic installation of applications. When you want to add applications to a Tag with Auto Population enabled, either temporarily disable Auto Population or ensure, for example, that the application does not have the Automatically push to managed devices option set in the App Portal.

Overview

Already assigned applications are displayed in the Apps section of any Tag with the following columns: 

Column Description
Type Displays the app type, either Enterprise or VPP.
Name Displays the application name.
Version Displays the application version for Enterprise Apps.
Description Displays the application description given in App Portal.
Remaining VPP The remaining number of VPP licenses for this app.
Total VPP The total number of VPP licenses for this app.
Manage Config Click edit to change deployment options.
Remove Removes the App from the Tag.

Content 

Content Management functionalities are not supported on macOS devices.
