Mac Restrictions
Restrictions lets you force enable/disable essential device functionality settings, security settings, iCloud settings, and Classroom settings on managed mac machines, according to your organization's requirements. This is to achieve higher productivity, without compromising on data security.
The status of restrictions imposed using MDM will be shown under 'Device Details' view. When no restrictions are set on a mobile device using MDM, then by default, the status will be displayed as 'Allowed'.
Profile Description
| Profile Settings | Supported macOS Version | Description |
|---|---|---|
| DEVICE FUNCTIONALITY | ||
| Camera | 10.11 and above | Camera can be completely restricted along with FaceTime. |
| Screenshot and Screen Recording | 10.14.4 and above | Allowing users to capture the screenshot of the display. |
| Spotlight Internet Search | 10.11 and above | Allowing users to use Spotlight Search to find content directly from internet. |
| Airdrop | 10.13 and above | Allow/Restrict sharing of documents, media etc., using AirDrop to other devices. If Bluetooth is disabled via restrictions, AirDrop gets automatically disabled as well. |
| Content caching | 10.13 and above | Allow content caching to be setup for downloading the content from the nearest machines instead of the Apple Services |
| Dictionary word lookup | 10.11.2 and above | Allowing the built-in mac dictionary to retrieve words. |
| Music | 10.12 and above | Disabling Apple Music on user's Mac |
| Auto unlock devices with Apple Watch | 10.12 and above | Prevent users from using their paired Apple Watch to automatically unlock their Mac. |
| Handoff | 10.12 and above | Enabling this option will allow you to resume an existing work/access a content from any device which is logged in using the same iCloud account. |
| Siri | 11 and above | Allow/Restrict the usage of Siri. |
| Allow user to modify wallpaper | 10.13 and above | Allow/Restrict the user from modifying the wallpaper of the device. |
| Universal Control | 13 and above | By Restricting Universal Control, users cannot work with the same accessories like keyboard, mouse etc. for multiple devices. |
| Modify the device name | Available from macOS 14 | Allows or restricts users from changing the name of the device. |
| Enforce the Siri Profanity Filter | Available from macOS 10.13 | Enables a filter to block profane content in Siri responses. This is permitted only if Siri is allowed on the device. |
| iPhone Mirroring | Available from macOS 15 | "iPhone Mirroring" app will be restricted from opening. This macOS device can't mirror nearby iPhone devices. |
| SECURITY | ||
| Use bio-metric methods such as TouchID and/or FaceID to unlock devices | 10.12.4 and above | Allowing user to unlock the device using fingerprints/facial recognition |
| iTunes File Sharing | 10.13 and above | Prevent users from using iTunes to share content between their Apple devices. |
| Autofill passwords in Safari and apps | 10.14 and above | Prevent autofill in browsers and apps. |
| Share passwords with devices in proximity | 10.14 and above | Restricting this setting will ensure that the device is not notified to share its passwords with devices in proximity. |
| Request passwords from devices in proximity | 10.14 and above | Restricting this setting will ensure that the device cannot request devices in proximity to share their passwords. |
| Configure Gatekeeper to allow downloads only from | 10.8 and above | Gatekeeper is a security feature that verifies downloaded apps before running them on Mac machines. Admin can select the type of apps that should be allowed to run on the Mac. Admins can choose from App Store, App Store and identified developer, or even unidentified sources. |
| Allow users to override Gatekeeper settings | 10.8 and above | Restricting this setting will ensure the users do not override Gatekeeper settings configured by the admin. |
| Allow users to wipe device by erasing all content and settings (supported only on devices with Apple Silicon or T2 security chip) | 12 and above | Restricting this will prevent users from resetting the devices. |
| Install configuration profiles and certificates interactively | 13 and above | Restricting this prevents users from installing or modifying configuration profiles and certificates. |
| Allow USB connections when device is locked | 13 and above | When a Mac is locked, all the USB accessories connected to it will become untrusted after 3 days. By restricting this setting, users can connect the USB accessories while the Mac is locked. |
| Add or modify Touch ID/Face ID | Available from macOS 14 | Allows or restricts adding or modifying Touch ID or Face ID settings. To configure this, the option "Use biometric methods such as Touch ID and/or Face ID to unlock devices" must be enabled. |
| Set the Login Window Fingerprint unlock Timeout | Available starting with macOS 12.0 | This setting lets you define how long your Mac accepts fingerprint authentication before requiring a password. Note: The Fingerprint Timeout restriction persists even after removing the profile. To reset it, apply a new profile with a timeout of 172000 seconds, then remove it. |
| Restrict users from changing the passcode | Available from macOS 10.13 | Prevents users from changing the device password. |
| iCLOUD | ||
| Sync data & documents from managed apps | 10.11 and above | Enabling the syncing of all managed apps. |
| Sync Keychain | 10.12 and above | Enabling Keychain data such as accounts, passwords and credit card information on a device to be synced and kept up-to-date. |
| Sync Desktop & Documents | 10.12.4 and above | Allowing users to sync the files on their Desktops and Documents folders |
| Sync Bookmarks | 10.12 and above | Allowing users to sync their browser Bookmarks with iCloud |
| Sync Mail | 10.12 and above | Allowing users to sync their mails with iCloud |
| Sync Notes | 10.12 and above | Allowing users to sync their notes with iCloud |
| Sync Calender | 10.12 and above | Allowing users to sync their calender with iCloud |
| Sync Reminders | 10.12 and above | Allowing users to sync their reminders with iCloud |
| Sync Contacts | 10.12 and above | Allowing users to sync their contacts with iCloud |
| Sync Photo Library | 10.12 and above | Allow users to sync their photos with iCloud |
| Sync iCloud Free-form | Available from macOS 14 | Allows or restricts syncing of Free-form content with iCloud. |
| Allow iCloud in Private Relay | 12 and above | Allowing Private relay hides IP address and Safari browsing activity of users from websites, network providers, and Apple. |
| CLASSROOM (Applicable if Classroom 2.0 app is installed on the Teacher devices) | ||
| Automatically join classes without prompting | 10.14.4 and above | Enabling this ensures the student devices mandatorily auto-join the classes, without any notification/prompt on the device. |
| Allow teachers device to lock apps and devices without prompting | 10.14.4 and above | Enabling this ensures the teacher can either fully lock the student device or lock specific apps on the device, without any notification/prompt on the device. |
| Allow AirPlay and screen viewing by teachers device | 10.14.4 and above | Enabling this allows the teacher to view the student device screen, after notifying/requesting permission to do the same from the user. |
| Allow teachers device to AirPlay and view screen without prompting | 10.14.4 and above | Enabling this allows the teacher to view the student device screen, without any notification/prompt on the device. |
| Teacher's permission required before leaving a classroom | 10.14.4 and above | A student must request permission from the teacher before leaving a classroom. |
| APPLICATIONS | ||
| Game Center | 10.13 and above | Allow/Restrict the usage of Game Center. |
| Download iBooks Content | 11 and above | Allow/Restrict users from downloading content from iBooks Store. |
| Erotic Content | 11 and above | Allow/Restrict users from downloading media which is tagged as erotic from iBooks. To configure this, Download iBooks content should be enabled. |
| Multiplayer Gaming | Available from macOS 10.13 | Allows or restricts the ability to participate in multiplayer gaming sessions. This is permitted only if Game Center is allowed on the device. |
| Time Machine Backup | Available from macOS 14 | Allows or restricts the ability to configure and use Time Machine backups. |
| NETWORK AND ROAMING | ||
| Modify Bluetooth | - | Allow/Restrict users from modifying Bluetooth. If Bluetooth is disabled via restrictions, AirDrop gets automatically disabled as well. |
| Set Bluetooth on Devices | 10.13.4 and above | Bluetooth can be restricted to always On/Off state. To configure this, Modify Bluetooth should be enabled. |
| PRIVACY | ||
| Find my friends | 11 and above | Allow/Restrict users from configuring Find My Friends in the Find My app. |
| Find my device | 11 and above | Allow/Restrict users from configuring Find My Device in the Find My app. |
| Sending diagnostics data to Apple | Available from macOS 10.13 | Allow or restrict your Mac from sending crash reports and usage data to Apple (for example, when an app crashes and prompts you). |
| Personalised Advertisement | Available from macOS 12.0 | Allow or restrict the display of personalized advertisements based on user activity. |
| CONTENT RATINGS | ||
| Enable ratings by region | - | Enable/Disable ratings by region. |
| KEYBOARD SETTINGS | ||
| Dictation | 10.13 and above | Allow/Restrict use of Dictation from the keyboard(s). |
| ARTIFICIAL INTELLIGENCE | ||
| Image Playground | Available from macOS 15 | Enables or restricts the use of Image Playground, a newly introduced AI feature. |
| Writing Tools | Available from macOS 15 | Enables or restricts the use of AI-powered writing tools. |
| Extension of Apple Intelligence and Siri | Available from macOS 15.2 | Allows or restricts the extension of Apple Intelligence and Siri functionalities. |
| ADVANCED SECURITY | ||
| Modify Remote Application Scripting settings | Available from macOS 14 | Allows or restricts changes to the remote application scripting settings on the device. |
| Modify the Startup Disk | Available from macOS 14 | Allows or restricts changes to the startup disk configuration on the device. |
| Modify Remote Management Settings | Available from macOS 14 | This setting prevents local macOS user accounts from modifying Remote Management settings. Users cannot enable, disable, or change access privileges manually or via the kickstart tool. |
| Add or modify iCloud, Mail, and other user accounts | Available from macOS 14 | Allows or restricts adding or modifying iCloud, Mail, and other user accounts on the device. |
| Manage AirPlay requests | Available from macOS 12.3 | Allows or restricts the ability to manage incoming AirPlay requests on the device. |
| USER AND GROUPS | ||
| Create New Accounts | Available from macOS 14 | Allows or restricts users from creating new accounts on the device. |
| SHARING | ||
| Modify Printer Sharing Settings | Available from macOS 14 | Permits or restricts changes to printer sharing settings. |
| Modify Internet Sharing Settings | Available from macOS 14 | Permits or restricts changes to internet sharing settings. |
| Modify Bluetooth Sharing Settings | Available from macOS 14 | Permits or restricts changes to Bluetooth sharing settings. |
| Modify File Sharing Settings | Available from macOS 14 | Permits or restricts changes to file sharing settings. |
Jump To