Skip to main content
Matrix42 Self-Service Help Center

Tags Guide Part V: macOS

Profile

Profiles for each device type are managed independently allowing separate configuration and management of profiles for each device type. When a device is provisioned, it will be provisioned with the profile configuration at the time the device was enrolled. When a profile change is made, new devices will receive the new configuration as well as devices that are currently managed and/or blocked. When any Profiles are changed, ensure the settings are correct as these will be applied immediately to all applicable devices. Please ensure you click on the Save or Save & Close button on the bottom right of the screen to commit your changes before selecting another page.

Exchange ActiveSync

Setting Options Description
Exchange ActiveSync Settings Enabled or Disabled Enables the ActiveSync Profile
Label e.g. Imagoverum Exchange or  e.g. {firstname} The Label for the Email Account as it appears on the device.
Server Name e.g. outlook.office365.com  External Exchange Active Sync address 
Past Days of Mail to Sync
  • Unlimited
  • One Day
  • Three days
  • One week
  • Two weeks
  • One Month
Period of mail to synchronize to the device
Use SSL Enabled or Disabled If the URL for the External Mail Server is protected by an SSL Certificate then use SSL.
Use oAuth Enabled or Disabled Enables and uses oAuth Authentication for Identity Providers on native mail client
Use Custom Username Variable e.g. {CustLdapVar0} or support@imagoverum.com Define a Custom Variable Attribute for the Username for the EAS Profile.
Use Custom Email Variable e.g. {CustLdapVar0} or tim.tober@imagoverum.com Define a Custom Variable Attribute for the Email Address for the EAS Profile.
Use Custom Password Variable e.g. {UserPassword} or Pa$$w0rd  Define a Custom Variable Attribute for the Email Password for the EAS Profile.
Enterprise Certificate Choose File Upload a certificate for certificate based authentication with one certificate
Certificate Password e.g. Pa$$w0rd Password for the certificate
Path   Specifies a different path for the Exchange client to connect
Port   Specifies a different port for the Exchange client to connect to
External Host   If the external network address is different, you can specify this. This ensures the user will sync mail in the office and at home when the URLs are different
External SSL   Determines if the external connection should use SSL
External Port   Sets the external TCP port the Exchange Client should use
External Path   Sets the external path for the Exchange client

Email

Setting Options Description
Email Settings Enabled or Disabled Enables Email Settings
Email Address e.g. {UserEmail} or support@imagoverum.com Defines Email Address of the Account
User Display Name e.g. {UserName} or Tim Tober Defines  Display Name of the User for this Email Account
Account Description e.g. Imagoverum Mail Defines Friendly Name of this Email Account
Account Type
  • IMAP
  • POP
Toggles between IMAP and POP Account Types
IMAP Path Prefix e.g. INBOX Defines where to look for mail 
Incoming Mail
Incoming Mail Server e.g. imap-mail.outlook.com or pop-mail.outlook.com  
Incoming Mail Port e.g. 995  
Incoming Mail Username    
Authentication
  • None
  • Password
  • MD5 Challenge-Response
  • NTLM
  • NTTP MD5 Digest
 
Embed User Password Enabled or Disabled  
Use SSL Enabled or Disabled  
Outgoing Mail
Outgoing Mail Server e.g. imap-mail.outlook.com or pop-mail.outlook.com  
Outgoing Mail Port e.g. 995  
Outgoing Mail Username    
Authentication
  • None
  • Password
  • MD5 Challenge-Response
  • NTLM
  • NTTP MD5 Digest
 
Embed User Password Enabled or Disabled  
Use SSL Enabled or Disabled  

Passcode

With passcode settings, you can ensure that your users' managed devices are protected from unauthorized third-party access by requiring a passcode, for example. You can also set other security-related settings associated with the passcode configuration, such as the length and complexity of required passwords, or resetting the device to factory defaults after a certain number of failed attempts. 

Setting Options Description
Passcode Settings Enabled or Disabled Enables Passcode Settings
Allow Simple Enabled or Disabled Permit the use of repeating, ascending or descending characters
Require Alpha Numeric Enabled or Disabled Require passcode to contain at least one letter
Minimum Length 4-19 The smallest number of passcode characters allowed
Minimum Complex characters 1-4 Smallest number of non-alphanumeric characters allowed. If ‘Allow Simple’ is checked, then this configuration is disabled.
Maximum Passcode Age - 1-730 days or none 1-730 or empty How often passcode must be changed
Auto-lock (minutes) 2,5 Device automatically locks due to inactivity after this time period
Passcode history (1-50 passcodes, or none) 1-50 or empty Number of unique passcodes required before reuse
Grace Period for Device Lock
  • Immediately
  • 1 Minute
  • 5 Minutes
  • 15 Minutes
Amount of time device screen can sleep before device locks
Maximum Failed Attempts 4-16 Number of passcode entry attempts allowed before the device is reset to factory settings

Screen Saver

This feature sets controls if a password is required when the Screen Saver is unlocked or stopped, the delay of passwords can be defined and the idle time, before the screen saver starts.

Screen Saver Module Path might work only on older devices, even if the setting is not officially deprecated by Apple.

Setting Options Description
Require Password Enabled or disabled

Defines if the user is prompted for a password when the screen saver is unlocked or stopped. When you use this prompt, you must also provide Password Delay (in sec).

Available in macOS 10.13 and later.

Password Delay (in secs) 1-2147483647

Defines the number of seconds to delay before the password will be required to unlock or stop the screen saver (the grace period). To use this option Require Passwords must be enabled. A value of 2147483647 can be used to disable this requirement.

 Available in macOS 10.13 and later.

Login Window Screen Saver Idle Time (in secs) e.g. 0

The number of seconds of inactivity before the screen saver activates. If nothing is presented the default of 300 seconds (5 Minutes) will take effect. 

(0 = Never activate). 

Screen Saver Module Path e.g /System/Library/Screen Savers/Flurry.saver The full path to the screen-saver module to use. Note that not all screen savers will work before login. These may include any feed\, random\, shuffle or non-Apple codesigned screensavers.

Restrictions

Restrictions are usually simple on/off settings that extend the configuration options of your managed devices and increase the security options. By enabling or disabling them, users are either authorized or explicitly prohibited from configuring certain settings on the device.

Setting Options Requirement Description
App Store & iTunes
Allow App Store App adoption
  • Enabled or Disabled
  • macOS 10.10
If true, disables app adoption by users. Available in macOS 10.10 and later.
Allow iTunes File Sharing Services
  • Enabled or Disabled
  • macOS 10.13
If false, disables iTunes file sharing services. Available in macOS 10.13 and later.
Require admin password to install or update apps
  • Enabled or Disabled
  • macOS 10.9
If true, an administrator password is required in order to update any apps. Deprecated in macOS 10.14. Please use Software Updates Configuration
Restrict App Store to software updates only
  • Enabled or Disabled
  • macOS 10.10
If true, prevents App Store from launching. Available in macOS 10.14 and later. Restricts installations to software updates only in macOS 10.10 - 10.13.
Classroom
Force Classroom Automatically Join Classes
  • Enabled or Disabled
  • macOS 10.4.4
If true, automatically gives permission to the teacher's requests without prompting the student. Requires a supervised device. Available in macOS 10.14.4 and later.
Force Classroom Requests Permission to Leave Classes
  • Enabled or Disabled
  • macOS 10.4.4
If true, a student enrolled in an unmanaged course through Classroom requests permission from the teacher when attempting to leave the course. Requires a supervised device. Available in macOS 10.14.4 and later.
Force Classroom Unprompted Apps and Device Lock
  • Enabled or Disabled
  • macOS 10.4.4
If true, allows the teacher to lock apps or the device without prompting the student. Requires a supervised device. Available in macOS 10.14.4 and later.
Force Classroom Unprompted Screen Observation
  • Enabled or Disabled
  • macOS 10.4.4
If true and Allow Remote Screen Observation is also true, a student enrolled in a managed course via the Classroom app automatically gives permission to that course teacher's requests to observe the student's screen without prompting the student. Requires a supervised device. Available in macOS 10.14.4 and later.
Game Center
Allow Game Center
  • Enabled or Disabled
  • macOS 10.13
If false, disables Game Center, and its icon is removed from the Home screen. Available in macOS 10.13 and later.
Allow Game Center Account modification
  • Enabled or Disabled

 

If false, users of Game Center can’t modify their user name or password.
Allow Game Center Friends
  • Enabled or Disabled
  • macOS 10.13
If false, prohibits adding friends to Game Center. Available in macOS 10.13 and later.
Allow Multiplayer Gaming
  • Enabled or Disabled
  • macOS 10.13
If false, prohibits multiplayer gaming. Available in macOS 10.13 and later.
iCloud
Allow iCloud Address Book
  • Enabled or Disabled
  • macOS 10.12
If false, disables iCloud Address Book services. Available in macOS 10.12 and later.
Allow iCloud Bookmarks
  • Enabled or Disabled
  • macOS 10.12
If false, disables iCloud Bookmark sync. Available in macOS 10.12 and later.
Allow iCloud Calendar
  • Enabled or Disabled
  • macOS 10.12
If false, disables iCloud Calendar services. Available in macOS 10.12 and later.
Allow iCloud Desktop and Documents
  • Enabled or Disabled
  • macOS 10.12.4
If false, disables cloud desktop and document services. Available in macOS 10.12.4 and later.
Allow iCloud Document Sync
  • Enabled or Disabled
  • macOS 10.11
If false, disables document and key-value syncing to iCloud. Available in macOS 10.11 and later.
Allow iCloud Freeform Services
  • Enabled or Disabled
  • macOS 14
Disallows iCloud Freeform services. 
Allow iCloud Keychain Sync
  • Enabled or Disabled
  • macOS 10.12
If false, disables iCloud keychain synchronization. This restriction is deprecated on unsupervised devices and will be supervised only in a future release. Available in and macOS 10.12 and later.
Allow iCloud Mail Services
  • Enabled or Disabled
  • macOS 10.12
If false, disables iCloud Mail services. Available in macOS 10.12 and later.
Allow iCloud Notes Services
  • Enabled or Disabled
  • macOS 10.12
If false, disables iCloud Notes services. Available in macOS 10.12 and later.
Allow iCloud Photo Library
  • Enabled or Disabled
  • macOS 10.12
If false, disables iCloud Photo Library. Any photos not fully downloaded from iCloud Photo Library to the device are removed from local storage. Available in macOS 10.12 and later.
Allow iCloud Private Relay
  • Enabled or Disabled
  • macOS 12
iCloud Private Relay is an internet privacy service offered as a part of an iCloud+ subscription that allows users connect to and browse the web more privately and securely. If false, prevents user from using private iCloud Relay.
Allow iCloud Reminder Services
  • Enabled or Disabled
  • macOS 10.12
If false, disables iCloud Reminder services. Available in macOS 10.12 and later.
Network & Connection
Allow Universal Control
  • Enabled or Disabled
  • macOS 13
If disabled, this setting will prevent to use the Mac's trackpad and keyboard to control additional Macs and/or iPadOS devices nearby
Allow USB Restricted Mode
  • Enabled or Disabled
  • macOS 13
Controls the authorization for new USB accessories. If disabled, allows the device to always connect to USB accessories while locked.
Security & Privacy
Allow Activation Lock
  • Enabled or Disabled
  • macOS 10.16
Allows or disallows the device to enable the activation lock. Changing the Activation Lock restriction will only take affect before the Apple ID has been added to the device. Please refer to Activation Lock and Bypassing for additional information.
Allow Auto Unlock
  • Enabled or Disabled
  • macOS 10.12
If false, disallows auto unlock. Available in macOS 10.12 and later.
Allow Diagnostic Data to be Sent to Apple
  • Enabled or Disabled
  • macOS 10.13
If false, prevents the device from automatically submitting diagnostic reports to Apple. Available in macOS 10.13 and later. Also available for user enrollment.
Allow Fingerprint For Unlock
  • Enabled or Disabled
  • macOS 10.12.4
If false, prevents Touch ID or Face ID from unlocking a device. Available in macOS 10.12.4 and later.
Allow Fingerprint Modification
  • Enabled or Disabled
  • macOS 14
Prevents the user from modifying Touch ID or Face ID.
Allow Passcode Modification
  • Enabled or Disabled
  • macOS 10.13
If false, prevents the device passcode from being added, changed, or removed. Requires a supervised device. Available in macOS 10.13 and later.
Allow Password AutoFill
  • Enabled or Disabled
  • macOS 10.14
If false, disables the AutoFill Passwords feature in iOS (with Keychain and third-party password managers) and the user isn't prompted to use a saved password in Safari or in apps. This restriction also disables Automatic Strong Passwords, and strong passwords are no longer suggested to users. It does not prevent AutoFill for contact info and credit cards in Safari. Requires a supervised device. Available in macOS 10.14 and later.
Allow Password Proximity Requests
  • Enabled or Disabled
  • macOS 10.14
If false, disables requesting passwords from nearby devices. Requires a supervised device. Available in macOS 10.14 and later.
Allow Password Sharing
  • Enabled or Disabled
  • macOS 10.14
If false, disables sharing passwords with the Airdrop Passwords feature. Requires a supervised device. Available in macOS 10.14 and later.
Allow Rapid Security Response Installation
  • Enabled or Disabled
  • macOS 13
Allows to disable the Rapid Security Response mechanism
Allow Rapid Security Response Removal
  • Enabled or Disabled
  • macOS 13
Blocks the end-user from being able to remove the Rapid Security Response mechanism
Allow Safari Autofill
  • Enabled or Disabled
  • macOS 10.13
If false, disables Safari AutoFill for passwords, contact info, and credit cards and also prevents the Keychain from being used for AutoFill. Though third-party password managers are allowed and apps can use AutoFill. Available in macOS 10.13 and later.
Allow Spotlight Internet Results
  • Enabled or Disabled
  • macOS 10.11
If false, disables Spotlight Internet search results in Siri Suggestions. Available in macOS 10.11 and later.
Allow Startup Disk Modification
  • Enabled or Disabled
  • macOS 14
Prevents modification of Startup Disk setting in System Settings. 
Allow Time Machine Backup
  • Enabled or Disabled
  • macOS 14
Prevents modification of Time Machine settings in System Settings. 
Sharing
Allow AirDrop Sharing
  • Enabled or Disabled
  • macOS 10.9
If false, AirDrop Sharing won't show up in the user's Share menu. Available in macOS 10.9 and later deprecated in macOS 10.12.
Allow Aperture Sharing
  • Enabled or Disabled
  • macOS 10.9
If false, Aperture Sharing won't show up in the user's Share menu. Available in macOS 10.9 and later deprecated in macOS 10.12.
Allow Bluetooth Sharing Modification
  • Enabled or Disabled
  • macOS 14
Prevents modifying Bluetooth setting in System Settings. 
Allow Content Caching
  • Enabled or Disabled
  • macOS 10.13
If false, disables content caching. Available in macOS 10.13 and later.
Allow Facebook Sharing
  • Enabled or Disabled
  • macOS 10.9
If false, Facebook Sharing won't show up in the user's Share menu. Available in macOS 10.9 and later deprecated in macOS 10.12.
Allow Internet Sharing Modification
  • Enabled or Disabled
  • macOS 14
Prevents modifying Internet Sharing setting in System Settings. 
Allow Mail Sharing
  • Enabled or Disabled
  • macOS 10.9
If false, Mail Sharing won't show up in the user's Share menu. Available in macOS 10.9 and later deprecated in macOS 10.12.
Allow Messages Sharing
  • Enabled or Disabled
  • macOS 10.9
If false, Messages Sharing won't show up in the user's Share menu. Available in macOS 10.9 and later deprecated in macOS 10.12.
Allow Remote Apple Events Modification
  • Enabled or Disabled
  • macOS 14
Prevents modifying Remote Apple Events Sharing setting in System Settings.
Allow Sina Weibo Sharing
  • Enabled or Disabled
  • macOS 10.9
If false, Sina Weibo Sharing won't show up in the user's Share menu. Available in macOS 10.9 and later deprecated in macOS 10.12.
Allow Twitter Sharing
  • Enabled or Disabled
  • macOS 10.9
If false, Twitter Sharing won't show up in the user's Share menu. Available in macOS 10.9 and later deprecated in macOS 10.12.
Allow Video Sharing
  • Enabled or Disabled
  • macOS 10.9
If false, Video Sharing won't show up in the user's Share menu. Available in macOS 10.9 and later deprecated in macOS 10.12.
Siri
Allow Siri
  • Enabled or Disabled
  • macOS 14
Disables Siri.
Force On-Device Only Dictation
  • Enabled or Disabled
  • macOS 14
Disables connections to Siri servers for the purposes of dictation. Also available for user enrollment.
System Preferences (*deprecated with macOS 13)
Allow Appstore Preference
  • Enabled or Disabled
  • macOS 10.7
If false, App Store Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Backup Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Backup Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Bluetooth Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Bluetooth Preference in System Preferences won't be accessible for the User. Available in macOS 10.7 and later
Allow CDs & DVDs Preference
  • Enabled or Disabled
  • macOS 10.7
If false, CDs & DVDs Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Configuration Profiles Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Profiles Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Datetime Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Date & Time Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Desktop and Screen Saver Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Desktop & Screen Saver Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Displays Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Displays Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Dock Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Dock Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Energy Saver Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Enegery Saver Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Extensions Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Extensions Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Fibrechannel Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Fibre Channel Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow General Preference
  • Enabled or Disabled
  • macOS 10.7
If false, General Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow iCloud Preference
  • Enabled or Disabled
  • macOS 10.7
If false, iCLoud Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Ink Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Ink Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Internet Accounts Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Internet Accounts Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Keyboard Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Keyboard Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Language and Text Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Language & Region Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Mission Control Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Mission Control Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Mouse Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Mouse Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Network Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Network Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Notifications Preference
  • Enabled or Disabled
  • macOS 10.7
If false, User Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Parental Controls Preference
  • Enabled or Disabled
  • macOS 10.7
If false, User Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Printers and Scanners Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Printers & Scanners Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Security and Privacy Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Security and Privacy Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Sharing Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Sharing Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Software Update Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Software Update Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Sound Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Sound Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Speech Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Speech Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Spotlight Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Spotlight Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Startup Disk Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Startup Disk Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Trackpad Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Trackpad Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Universal Access Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Universal Access Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Users Preference
  • Enabled or Disabled
  • macOS 10.7
If false, User Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
Allow Xsan Preference
  • Enabled or Disabled
  • macOS 10.7
If false, Xsan Preference in System Preferences won't be accessible for the user. Available in macOS 10.7 and later
System Settings
Allow Account Modification
  • Enabled or Disabled
  • macOS 14
Disables account modification. Requires a supervised device.
Allow Activity Continuation
  • Enabled or Disabled
  • macOS 10.15
If false, disables activity continuation. Available in macOS 10.15 and later.
Allow AirDrop
  • Enabled or Disabled
  • macOS 10.13
If false, disables AirDrop.  Available in macOS 10.13 and later.
Allow Camera
  • Enabled or Disabled
  • macOS 10.11
If false, disables the camera, and its icon is removed from the Home screen. Users are unable to take photographs. This restriction is deprecated on unsupervised devices and will be supervised only in a future release. Available in macOS 10.11 and later.
Allow Changing Device Name
  • Enabled or Disabled
  • macOS 14
Prevents the user from changing the device name.
Allow Dictation
  • Enabled or Disabled
  • macOS 10.13
If false, disallows dictation input. Requires a supervised device. Available in macOS 10.13 and later.
Allow Erase Content And Settings
  • Enabled or Disabled
  • macOS 11.3
Disables the Erase All Content and Settings option in the Reset UI
Allow File Sharing Modification
  • Enabled or Disabled
  • macOS 14
Prevents modifying File Sharing setting in System Settings. 
Allow Local User Creation
  • Enabled or Disabled
  • macOS 14
Prevents creating new users in System Settings. 
Allow Music Service
  • Enabled or Disabled
  • macOS 10.12
If false, disables the Music service, and the Music app reverts to classic mode. Requires a supervised device. Available in macOS 10.12 and later.
Allow Printer Sharing Modification
  • Enabled or Disabled
  • macOS 14
Prevents modifying Printer Sharing setting in System Settings.
Allow Remote Management Sharing
  • Enabled or Disabled
  • macOS 14
Prevents modifying the Remote Management Sharing setting in System Settings. 
Allow Screen Capture
  • Enabled or Disabled
  • macOS 10.14.4
If false, disables saving a screenshot of the display and capturing a screen recording. It also disables the Classroom app from observing remote screens. Available in macOS 10.14.4 and later. Also available for user enrollment.

Allow Remote Screen Observation

  • Enabled or Disabled
  • macOS 10.14.4
If false, disables remote screen observation by the Classroom app. If Allow Screen Capture is set to false, the Classroom app doesn't observe remote screens. Required a supervised device until macOS 10.15. Available macOS 10.14.4 and later.
Allow Wallpaper Modification
  • Enabled or Disabled
  • macOS 10.14
If false, prevents wallpaper from being changed. Requires a supervised device. Available macOS 10.13 and later.

Virtual Private Network

General

Setting Options Description
VPN Settings Enabled or Disabled Enables VPN Settings.
VPN Type 
  • Cisco (IPSec)
  • Cisco AnyConnect
  • Pulse Secure
  • F5 Access Legacy
  • F5 Access
  • Custom SSL
  • IPSec (Cisco)
  • SonicWall Mobile Connect
  • Check Point Mobile VPN
Type of connection enabled by this policy. Application(s) needs to be installed on the device. 
Connection Name e.g. Imagoverum VPN Display name of the connection displayed on the device
Server Address e.g. vpn.imagoverum.com  Host name or IP address for Server
Authentication Type
  • Certificate
  • Password
  • Shared Secret/Group Name (Cisco IPSec only)

Authentication type for connection. Certificate as selections requires a Certification Authority Integration

Cache user password

Enabled or Disabled

Silverback will take the captured user password from the enrollment for authentication

App specific settings

Setting Options Description
Cisco AnyConnect
Group e.g. Mobile Device Users Group for authenticating the connection
Juniper SSL
Realm e.g. Mobile Users Realm for authentication the connection
Role e.g. Mobile Device Users Role for authentication the connection
Custom SSL
Identifier e.g. com.imagoverum.intranet Identifier for the custom SSL VPN in reverse DNS format
SonicWall Mobile Connect
Login Group or Domain e.g. CORP Login Group or Domain for authenticating the connection. 
IPSec (Cisco) with Certificate
Include User PIN Enabled or Disabled

Request PIN during connection and send with authentication.

*Only available if Certificate is selected as Authentication Type

Group Name 

 

e.g. mygroup1

Group Identifier for the connection

Only available if Certificate is selected as Authentication Type

Shared Secret e.g. v+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL

Shared secret for the connection

Only available if Certificate is selected as Authentication Type

Use Hybrid Authentication Enabled or Disabled

Authenticate using secret, name, and server-side certificate

Only available if Certificate is selected as Authentication Type

Prompt for Password Enabled or Disabled* Prompt user for password on the device
Custom SSL 
Custom Data
  • Key
  • Value
Keys and string values for custom data

VPN specific settings

Setting Options Description
VPN On Demand
Enable VPN on Demand

Enabled or Disabled

Add Domain and host names that will establish a VPN
Match Domain or Host
  • e.g. int.imagoverum.com
Define matching domains or host names to use VPN on Demand
On Demand Action
  • Always establish
  • Never establish
  • Established if needed 

Defines the VPN behavior for the specified domains or host names.

  • Always establish: The specified domains will trigger a VPN connection
  • Established if needed: The specified domains should trigger a VPN connection attempt
  • Never establish: The specified domains will not trigger a VPN connection nor be accessible through an existing VPN connection

Wi-Fi 

Silverback offers the ability to pre-populate multiple Wi-Fi Profile and settings on your devices, so the user does not need to know the password for these networks. If you having a WPA Enterprise protected network (e.g. with a RADIUS Server), please refer to WPA Enterprise Settings  for additional information. 

Setting Options Description
General Settings
Wi-Fi Settings Enabled or Disabled Enables the sending of Wi-Fi settings
SSID e.g. Corporate Wi-Fi Service Set Identifier of the wireless network
Security Type
  • WEP
  • WPA2
  • Any Personal
  • Any Enterprise
Defines the used Wireless network encryption
Hidden Network Enabled or Disabled Enable if the target network is not open or hidden
Automatically Join Enabled or Disabled The device will automatically join the Wi-Fi network
Password e.g. Pa$$w0rd Password for authenticating to the wireless network
Proxy Settings
Proxy
  • Proxy Type (None, Auto, Manual)
  • Server
  • Port
  • Individual Usernames or pre-defined Username
  • Individual Passwords or pre-defined Password
  • PAC URL
  • Allow Direct Connection if PAC is Unreachable

Ensures the device talks to the necessary Proxy

Review WPA Enterprise Settings for additional information. 

Protocol Settings (only Enterprise)
Accepted EAP Types
  • TLS
  • LEAP
  • TTLS
  • PEAP
  • EAP-FAST
  • EAP-SIM
  • EAP-AKA

Defines the protocol utilized by encryption type

Review WPA Enterprise Settings for additional information. 

Protected Access Credentials
  • Use Pac
  • Provision PAC
  • Provision PAC Anonymously

Defines the PAC configuration

Review WPA Enterprise Settings for additional information. 

Authentication Settings (only Enterprise)
Username and Password
  • Use Individual Username
  • Use Per-Connection Password
  • Use User Password

Defines the used authentication mechanism

Review WPA Enterprise Settings for additional information. 

 

Certificate-based authentication
  • Certificate Type
    • Enterprise Certificate
      • Upload Certificate
    • Individual Client Certificate
      • Individual Client Certificate subject
      • Populate Into Active Directory
        • Certificate Template Name
        • Requester Name LDAP Attribute
        • Agent Certificate 
  • Outer Identity (TTLS,PEAP EAP-Fast)
  • Inner Authentication (TTLS)

Defines the used authentication mechanism

Please refer to: Certification Authority Integration Guide for Certificate Based Authentication

Allow Two Rands Enabled or Disabled Allow authenticating to server providing only two RAND values (EAP-SIM)
Trust Settings (only Enterprise)
Trust
  • Allow Trust Exceptions
  • Server (Add or Remove)
  • Upload Certificate (Add or Remove)

Defines the chain of trust

Review WPA Enterprise Settings for additional information. 

Firewall

macOS Firewall can be set up to prevent unauthorized applications, programs and services from accepting incoming connections. The configuration is supported from macOS Sierra and newer (10.12+). 

Setting Options Description
Firewall Settings Firewall Settings Enables the firewall profile configuration. If no other values will be defined, it will prevent the user to do manual changes in the firewall settings on the device. 
Enable Firewall Enabled or disabled Specify, whether the firewall should be enabled or not. If true, the firewall will be enabled. Signed software and system services will receive incoming connections by default unless explicitly blocked through Application Access
Block All Incoming Connections Enabled or disabled If enabled, the firewall will be configured to block all incoming connections by default. 
Enable Stealth Mode Enabled or disabled If you’re concerned about security, you can use “stealth mode” to make it more difficult for hackers and malware to find your Mac. When stealth mode is turned on, your Mac does not respond to “ping” requests and does not answer connection attempts from a closed TCP or UDP network.
Applications Access
Bundle Identifier e.g. com.shazam.mac.Shazam

With application access you can determine the list of apps with connections controlled by the firewall.  Add a list of applications with the unique Bundle ID.

Incoming Connection Enabled or disabled If enabled, incoming connections for the specified application will be received. If disabled incoming connections will be denied. 

FileVault

FileVault full-disk encryption uses XTS-AES-128 encryption with a 256-bit key to help prevent unauthorized access to the information on your startup disk. When FileVault is turned on, macOS devices always require log in with an account password.  The encryption occurs in the background and only while the device is awake and plugged in to AC power. Users or Administrators can check the progress in the FileVault section of Security & Privacy preferences. Any new files that are created are automatically encrypted as they are saved to the startup disk. In case users will lose or forget their account password, the devices can be recovered by an reset using the Reset Password assistant with the Recovery Key from the users. Administrators will see the corresponding Recovery Key in the device information under the Security Information sections. Due to the possibility of changed personal recovery keys in the device cycle for the users, a Recovery History will be saved and can be revealed by Administrators. Each reveal action will create an entry in the Audit Logs.

Setting Options Description
Enable FileVault Enabled or Disabled Forces the users to encrypt assigned devices
Profile Name e.g. Silverback FileVault Display Name for the Profile on the assigned device.
Location e.g. The Key will be represented to your Administrator in case you will forget your macOS Password.  The description of the location where the recovery key will be escrowed. This text will be inserted into the message the user sees when enabling FileVault manually. You can use this 
Bypassed allowed
  • Do not encrypt at login
  • Force encryption at login
  • 1
  • 2
  • 3
  • 5
  • 10
  • Unlimited
The maximum number of times users can bypass enabling FileVault before being required to enable it to log in.
Request encryption during logout Enabled or Disabled If disabled, prevents additional requests for enabling FileVault at user logout time. 
Show recovery key to user Enabled or Disabled If disabled, prevents display of the personal recovery key to the user after FileVault is enabled.

If the profile is applied and the user wants to manually enable FileVault, the process will run into a failure. (The operation couldn't be completed. com.apple.OpenDirectory error 5103)

System Extensions

Apple did with macOS Catalina a step in modernizing and improving the security and reliability of macOS to provide a better architecture for kernel extensions and drivers. The outcome is a separation between System Extensions (macOS 10.15+) and Kernel Extensions . System extensions on macOS Catalina and later allow software like network extensions and endpoint security solutions to extend the functionality of macOS without requiring kernel-level access. System extensions are divided into Driver, Network, and Endpoint Security Extensions. They run in user space, where they can’t compromise the security or stability of macOS. Once installed, an extension is available to all users on the system and can perform tasks previously reserved for kernel extensions. 

How to configure

  • Enable System Extensions
  • Enter a Profile name, e.g. Silverback System Extensions
  • Enable Allow users to approve System Extensions (optional)
  • Right Click System Extensions
  • Select + Add Team ID
    • Enter the display name for the Team ID
    • Enter the Team ID
    • Select allowed System Extensions type
    • Click OK

Please note that for specified Team ID not containing the Bundle ID nodes, all the validly signed kernel extensions will be allowed to load on the device.

  • Right click the newly added Team ID
  • Select +Add BundleID
    • Enter the display name for the System Extension
    • Enter the Bundle ID of the System Extension
    • Press OK

How to obtain

  • To start, you can obtain a list of system extensions that are present on the machine via Terminal
  • On you macOS device, open Terminal
  • Run the following command
systemextensionsctl list
  • The outcome provides the following information
enabled active  teamID  bundleID (version)  name    [state]

Kernel Extensions

In general, applications like antivirus software, firewalls,  VPN clients, USB driver etc, install kernel or system extensions to extend native capabilities of the macOS operating system. The applications gain features access that are of the OS that applications without extensions can't access.  Apple announced the plans to deprecate macOS Kernel Extensions and replace them with the macOS System extensions to modernize the platform, improve security and reliability, and enable more user-friendly distribution methods. The first step from Apple towards that was the introduction of system extensions for macOS Catalina. 

Future OS releases will no longer load kernel extensions that use deprecated KPIs by default.

How to configure

  • Enable Kernel Extensions
  • Enter a Profile name, e.g. Silverback Kernel Extensions
  • Enable Allow users to approve Kernel Extensions (optional)
  • Enable Allow nonadministrative users to approve Kernel Extensions (optional)
  • Right Click Kernel Extensions
  • Select + Add Team ID
    • Enter the display name for the Team ID
    • Enter the Team ID
    • Press OK

Please note that for specified Team ID not containing the Bundle ID nodes, all the validly signed kernel extensions will be allowed to load on the device.

  • Right click the newly added Team ID
  • Select +Add BundleID
    • Enter the display name for the Bundle ID
    • Enter the Bundle ID
    • Press OK

How to obtain

  • On you macOS device, open Terminal
  • To obtain the Team ID, proceed with the following 
sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy
  • Once done, type:
SELECT * FROM kext_policy;

You will see the Team ID, the bundle ID for each individual extension and the display name of the developer. Note down the Team ID (the first item) - you will need all the IDs for the extensions you wish to whitelist.

  • To list all Kernel Extensions, enter the following
kextstat
  • To list all installed third party extensions
kextstat | grep -v com.apple
  • To find the Kernel Extensions Folder
cd /System/Library/Extensions/

Privacy Preference

Privacy Preference settings allows Administrator to predefine approvals or denials for device feature requests from applications. On macOS devices, apps and processes often prompt users to allow or deny access to camera, microphone, files, calendars and address books. Use the ability to manage data access consent on behalf of your users and to overrule previous decisions made from the users. Privacy Preferences are supported in macOS Mojave (10.14+) and later. 

Click New Privacy Preference Profile to control data access on an app level basis. 

Setting Options Description
Name e.g. Skype Application Name
Identifier Type
  • BundleID
  • Path

Select her either BundleID or Path depending on if it is an app bundle or the binary

Identifier

e.g. com.skype.skype

The bundle ID or installation path of the binary.
Code Requirement e.g. identifier "com.skype.skype" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = AL798K98FX Provide here the Code Requirement of the application. This is obtained via the command codesign. Open Terminals on your Mac and run codesign -dr - /Applications/Skype.app for getting the Code Requirement for Skype
Static Code Validation Enabled or Disabled Optional and if enabled , statically validates the code requirement of the app or service on-disk. Used only if the process invalidates its dynamic code signature.
Access Permissions
Accessibility
  • Not Set
  • Block
  • Allow
Controls the access permissions for the app via the Accessibility subsystem.
Address Book
  • Not Set
  • Block
  • Allow
Controls the access permissions for contact information managed by the Contacts.app
Calendar
  • Not Set
  • Block
  • Allow
Specifies the policies for calendar information managed by the Calendar.app.
Camera
  • Not Set
  • Block
Controls the access permissions to the system camera. Access to the camera can only be denied.
File Provider Presence
  • Not Set
  • Block
  • Allow
Controls the access permissions to File Provider Presence. This allows a File Provider application to know when the user is using files managed by the File Provider.
Listen Event
  • Not Set
  • Block
Controls the permissions to allow the application to use Core Graphics and HID APIs to listen /receive to CGEvents and HID events from all processes. Access to these events can only be denied.
Media Library
  • Not Set
  • Block
Controls the permissions to allow the application to access Apple Music, music and video activity, and the media library.
Microphone
  • Not Set
  • Block
Controls the access permissions to the system microphone. Access to the microphone can only be denied.
Photos
  • Not Set
  • Block
  • Allow
Controls the access permissions to the pictures managed by the Photos app in  ~/Pictures/.photoslibrary.
Post Event
  • Not Set
  • Block
  • Allow
Specifies the access permissions for the application to use Core Graphics APIs to send CGEvents to the system event stream.
Reminders
  • Not Set
  • Block
  • Allow
Specifies the policies for reminders information managed by the Reminders app.
Screen Capture
  • Not Set
  • Block
Controls the access permissions to the application to capture the contents of the system display. Access to the contents can only be denied.
Speech Recognition
  • Not Set
  • Block
  • Allow
Controls the access permission to the application to use the system Speech Recognition facility and to send speech data to Apple.
System Policy All Files
  • Not Set
  • Block
  • Allow
Controls the application access to all protected files, including system administration files.
System Policy Desktop Folder
  • Not Set
  • Block
  • Allow
Controls the application to access files in the user's Desktop folder.
System Policy Documents Folder
  • Not Set
  • Block
  • Allow
Controls the application to access files in the user's Documents folder.
System Policy Download Folder
  • Not Set
  • Block
  • Allow
Controls the application to access files in the user's Downloads folder.
System Policy Network Volumes
  • Not Set
  • Block
  • Allow
Controls the application to access files on network volumes.
System Policy Removable Volumes
  • Not Set
  • Block
  • Allow
Controls the application to access files on removable volumes.
System Policy Sys Admin Files
  • Not Set
  • Block
  • Allow
Controls the application access to some files used in system administration.
Apple Events
Identifier Type
  • BundleID
  • Path
Depending on the application, workflows may need to be approved by the application to communicate with built-in applications and services using the Apple Event service. Select her either BundleID or Path for the control of the desired Apple Event
Identifier e.g. com.apple.systemevents Provide here the bundle ID or installation path of the Apple Event. The example shows the Identifier for System Events
Code Requirement e.g. identifier "com.apple.systemevents" and anchor apple Provide here the Code Requirement of the application. This is obtained via the command codesign. The example shows the Identifier for System Events
Process Access Enabled or Disabled Define if the access is granted or prohibited to the Apple Event from the Privacy Preference controlled application

Notification Settings

Notification settings offers Administrators the capability to define specific per app notifications, using their bundle identifiers. Notification settings are supported for devices running macOS 10.15+ and later. Notifications can be disabled at all or can be permitted to options like Show in Notification Center or Show on Lock Screen. This profile helps to ensure that users don't accidentally disable notifications for important applications. To configure the new Notification Settings, press New Notification Setting and select the App Store Country and start with a search for the app. After entering an app name, you receive the choice to select your application. After that, configure the following notification controls to your needs:

Custom Bundle IDs are also supported.

Notification Setting Options Description
Allow Notifications Enabled or Disabled Allows or disallows notifications for this app
Show in Notification Center Enabled or Disabled Allows or disallows notifications to be shown in notification center
Sounds Enabled or Disabled Allows or disallows sounds for this app
Badge App Icon Enabled or Disabled Allows or disallows badges for this app
Show on Lock Screen Enabled or Disabled Allows or disallows notifications shown in the lock screen
Banner Style
  • None
  • Temporary Banner
  • Persistent Banner 
Type of alert for notifications for this app

Software Updates 

Provides the capability to control Software Updates settings on macOS devices. 

To check if the settings have been applied, navigate either System Preferences > Software Update > Software Update> Advanced or to System Preferences > Profiles > Device Profiles and review your applied profile. 

Setting Options Description
Software Update Enabled or Disabled Enables the configuration of the Software Update Policy and installs a profile to associated devices
Profile Name e.g. Silverback Software Update Display Name of the Software Update Device Profile. 
Catalog URL e.g. http://swscan.apple.com/content/cata...ndex.sucatalog The URL of the software update catalog. An internal software update server allows to reduce the amount of bandwidth used when distributing software updates from Apple. Instead of each computer downloading updates from Apple’s Software Update server, updates are only downloaded from Apple once per server. An internal software update server also allows you also to control and approve updates before you make them available. This setting is reflected in the System Preferences > Profiles section on the Mac.
Check for updates Enabled or Disabled If disabled, deselects the Check for updates option and disables the automatic check for updates. 
Download new updates when available Enabled or Disabled If disabled, deselects the Download new updates when available option and prevents the user from changing the option. If enabled the Mac will download updates without asking the user
Install macOS updates Enabled or Disabled If disabled, restricts the Install macOS Updates option and prevents the user from changing the option. If enabled the Mac will install macOS Updates automatically. This setting is reflected in the System Preferences > Profiles section on the Mac and will enable the Automatically keep my Mac up to date Software Update option. 
Install app updates from the App Store Enabled or Disabled If disabled, deselects the Install app updates from the App Store option and prevents the user from changing the option If enabled, the Mac will install app updates from the App Store automatically. This setting is reflected in the System Preferences > Profiles section on the Mac and under Advanced
Install system data files and security updates Enabled or Disabled If disabled, disables the automatic installation of critical updates and prevents the user from changing the Install system data files and security updates. If enabled the Mac will install system files and security updates automatically
Allow prerelease software installation Enabled or Disabled If enabled, prerelease software can be installed on this computer.
Automatic installation of configuration data Enabled or Disabled If disabled, its restrict the automatic installation of security-configuration updates, such as XProtectPlistConfigData which prevents known malware from running 
Restrict app installations to admin users Enabled or Disabled If enabled, restrict app installations to admin users.  This setting is reflected in the System Preferences > Profiles section on the Mac

Custom Profiles

Custom Profiles are a very helpful option to configure additional payloads for your managed devices. You can utilize the Apple Configurator 2 to create custom profiles in a *.mobileconfig format. Additionally, you might create or receive a custom XML from a third-party vendor, like for the Cisco Security Connector Umbrella Setup for iOS and iPadOS. Depending on the format or the way how you create or receive the profile, you can either upload the *.mobileconfig to Silverback or add the XML content into the provided section inside the profile. Created profiles with the Apple Configurator 2 can easily be adjusted by replacing the file type to *.txt (e.g., on Windows 10) or opening these files directly with the Text Editor (e.g., on macOS devices). System Variables are supported in the Use XML option or by uploading a *.mobileconfig file that contains a System Variable. Silverback will adjust the XML or the mobileconfig on the fly and convert the System Variables to the individual values and install this payload with the desired content on your devices.

  • Click New Custom Profile
Setting Options Description
Name   e.g. CalDAV Profile Display Name for the Custom Profile
Description e.g. Custom CalDAV Profile Description for the Custom Profile
Use XML Enabled or Disabled Use this option if have a profile that is not saved as a *.mobileconfig file
XML Text

Your XML custom profile content

Enter in the section your custom profile content in case it is not saved as a*.mobileconfig file
Mobileconfig File Choose File Uploads the *.mobileconfig file

Web Clips

Silverback allows administrators to push down Internet shortcuts to their Managed Devices, giving users easy access to the websites the administrator wants.

  • Click New Web Clip
Setting Options Description
Web Clip Name   e.g. Matrix42 Web Clip Display Name 
Link e.g. https://www.matrix42.com Target URL for the Web Clip
Icon File Choose File A button for uploading a Custom Icon. Support File Type: *.png

Policy

With Policy or Policies Administrators have the ability to enforce rules with Silverback, such as enforcing what Apps are installed on the devices, what Cellular Networks the device is on through to enforcing the Serial Numbers of the devices as they are enrolled into the system. These are the environmental conditions that Silverback will continue to monitor for and ‘police’ for any devices that are associated with the Tag.

OS Version Compliance 

Administrators have the ability to control which OS versions are allowed within their environment. To allow an OS version, simply ensure the checkbox next to the respective OS version is ticked. Enrolling a device with a disabled OS version will result in the device automatically being blocked.

  • Alert Administrators: When the checkbox is checked, all administrators will receive an email when a device that violates OS compliance is detected, or when a new OS version is discovered.
  • Automatically Approve New OS Versions: When an OS platform is enrolled to Silverback for the first time, the OS is automatically added to the list. By default, unknown OS platforms are disabled and relevant devices will be blocked. To automatically authorize new OS versions as they are discovered, ensure the checkbox is ticked.

Use this feature where you do not want devices to be automatically blocked when a user upgrades their device to a new future OS version that is released by their software vendor.

OS Updates

A common question that you may face is how can we prevent our devices from updating updating to the latest version of macOS and how can we test the new macOS update before all of our users will install it?  Often, organizations wish to check the latest macOS release, verifying that the business-related apps they use will continue to function properly on the devices used by their organization. For that Apple offers the possibility to specify a number of days to delay software updates, with a maximum of 90 days. With this option enabled, the user of the device will not see a software update until the specified number of days has passed since the release.

Setting Options Requirement Description
macOS 11.3 and newer
Defer Major System Updates Enabled or Disabled macOS 11.3 Enables the deferral for major system updates
Defer Updates For  1-90 macOS 11.3 Defines the specified delay after the release of the software update
Defer Minor System Updates Enabled or Disabled macOS 11.3 Enables the deferral for minor system updates
Defer Updates For 1-90 macOS 11.3 Defines the specified delay after the release of the software update
Defer Non-Operating System Updates Enabled or Disabled macOS 11.3 Enables the deferral for non-operating system updates
Defer Update for  1-90 macOS 11.3 Defines the specified delay after the release of the software update
macOS 10.13 until 11.3
Defer Operating System updates Enabled or Disabled macOS 10.13 Enables the deferral for operating system updates
Defer Non-Operating System Updates Enabled or Disabled macOS 11 Enables the deferral for non-operating system updates
Defer Updates for Days 1-90 macOS 10.13.4 Defines the time period of how long updates will be deferred

Create different Tags with different values to allow new OS updates in waves.  Here is an example how it could look like: 

  • Do not use the feature for the internal IT or MDM department.
  • Enable and restrict set the policy for Pilot Users to 14 days
  • Enable and restrict set the policy for non-critical departments to 30 days
  • For critical department use the maximum value of 90 days.  

Hardware Compliance 

Administrators have the ability to enforce a hardware compliance policy through Silverback. Simply uncheck the boxes for hardware types that should not be supported and any devices that match the hardware type and are managed by Silverback will be blocked. The list of hardware types is managed via the Device Types option in the Admin Tab of the Silverback Console. If a mapping from device type to hardware type exists, the hardware type will be displayed in the hardware compliance list. When a Device Manufacturer release a new version of their hardware the model numbers may not be known by Silverback, in this case Silverback will ‘learn’ them and store them as ‘Unknown’ in the Device Types section under the Admin Tab where the Administrator can update them manually. To allow these devices into your system you enable the ‘Unknown’ checkbox option. This will allow the device into your Silverback Environment and you can later re-classify this device type in the Admin > Device Types section.

  • Alert Administrators:  When the  checkbox is checked it will ensure that administrators receive an email when a device that violates hardware compliance is detected.

Lockdown

The Lockdown screen allows you to determine what device compliance policies are enabled and what action should automatically occur when a violation is detected. Each policy is enabled/disabled through their associated checkbox. Enabling a lockdown policy ensures that the device is inspected to ensure it is compliant with that policy during the initial enrollment as well as at regular intervals as defined by the ‘Perform check every’ drop down.

Lockdown Actions

Action Description
No action No action is performed on the device; however alerting administrators may be performed if configured.
Lock A lock command is sent to the device which will lock the screen of the device. 
Block The device is blocked, and the device is moved to the blocked devices table. 
Delete Business Data Deletes the device and removes all corporate data.
Factory Wipe The device is hard reset to factory default settings.
Alert administrator Emails are sent to all administrators notifying them of the policy violation when it is detected. 

Lockdown Policies

Policy  General Options Description
Enforce Hardware Authentication Enabled or Disabled
  • No action
  • Lock 
  • Block
  • Wipe
Hardware authentication can be enabled or disabled from this screen. See the hardware authentication for more information on this configuration.
Require Full Disk Encryption Enabled or Disabled
  • No action
  • Lock 
  • Block
  • Wipe
Determines if OS X devices require Full Disk Encryption or not.

Apps 

The Apps Feature Section is how Administrators can automate the distribution of Device Apps for specific groups of users. Before you can begin assigning Apps to the Tag you first need to have the uploaded into the Silverback App Portal. Once you have Apps in the Silverback App Portal, they can be distributed using the Apps Feature associated with your Tag.

App Types

Three different App Types are available for macOS devices:

Type Description
Enterprise Applications owned by an Organization with *.pkg file
VPP Applications bought via Volume Purchase Program

Assign Apps 

Once Apps are uploaded into the Silverback App Portal Tab, they can be distributed to devices via a Tag they have been associated with.

  • Navigate to Apps
  • Click Assign More Apps
  • Select any applications from the shown Assign Applications page 
  • Click Add Selected Apps 

Change Deployment Options

By default configurations will be inherit from the App Portal. To customize the settings perform the following steps for each application:

  • Click the Edit button in the Manage Config column
  • Update Deployment Options
  • Click Save

When you add an application to a Tag that has an enabled Auto Population, be aware that the changes affects immediately after adding the application to the Tag. So, if your application has enabled as an example the App Management option Automatically push to managed devices, and you add this application into an Auto Population enabled Tag, devices will get instant a push with the application configuration that is inherit from the App Portal, as it is the default configuration. In this scenario you might run into an accidental automatic installation of applications. When you want to add applications to a Tag with enabled Auto Population tag, either disable temporary the Auto Population or ensure as an example that the Application has a not set the Automatically push to managed devices option in the App Portal.

Overview

Already assigned applications are displayed in the Apps section of any Tag with the following columns: 

Column Description
Type Displays the app type, either Enterprise or VPP
Name Displays the application name
Version Displays the application version for Enterprise Apps
Description Displays the application description given in App Portal
Remaining VPP The remaining number of VPP licenses for this app
Total VPP The total amount of VPP licenses for this app
Manage Config Click edit to change deployment options
Remove Removes the App from the Tag

Change Deployment Options 

By default configurations will be inherit from the App Portal. To customize the settings perform the following steps for each application.

  • Click the Edit button in the Manage Config column
  • Update Deployment Options
  • Click Save

Content 

Content Management functionalities are not supported on OSX devices 

  • Was this article helpful?