Use restrictions to secure the native functionality on macOS devices, protect the corporate information, and enforce the data-loss prevention. Restriction profiles limit how employees can use their macOS devices and provide the control needed for the effective lock down of a device if necessary.


  1. Navigate to Resources > Profiles & Baselines > Profiles and select Add. Select Apple macOS, and then select User Profile or Device Profile to apply the profile only to the device's enrollment user or to the entire device.
  2. Configure the profile's General settings.
  3. Select the Restrictions payload.
  4. Configure Preferences restrictions.
    Setting Description
    Restrict System panes Select to view and edit the system preference restrictions options (such as Accessibility, App store, Bluetooth, CDs and DVDs, Date & Time, Desktop & Screen Saver, Dictation & Speech, Displays, Dock, Energy Saver, Extensions, Fibre Channel, Flash Player, iCloud, Ink, Internet Accounts, Keyboard, Language & Region, Mission Control, MobileMe, Mouse, Network, Notifications, Parent Controls, Printers & Scanners, Profiles, Security & Privacy, Sharing, Software Update, Sound, Spotlight, Startup Disk, Time Machine, Trackpad, Users and Groups, and Xscan).
    Enable selected items Select to restrict the functionality. Then, make restriction selections for the available items.
    Disable selected items Select to allow the preferences. Then, make the selections for the available items.
  5. Configure Application restrictions.
    Setting Description
    Game Center To restrict or allow the use of Game Center, select the option.
    Safari To prevent autofilling web forms, storing login information, or iCloud Keychain details, restrict or allow the use of AutoFill when using Safari.
    App Store To install updates, restrict or allow the use of the App Store, app store adoption, and use of passwords. When the Restrict App Store to Software Updates is enabled, prevents third-party app updates from the App Store.
    Apple Music To permit users to stream music from Apple Music to their devices, select Allow Music Service.
    Launch Restrictions Choose to restrict applications from launching. Use the Add buttons to specify allowed applications, allowed folders and disallowed folders.
    Note: Use the absolute path of the application for the restriction to work. Relative path of the application (with ~ symbol ) does not work.
  6. Configure Widgets restrictions.
    Setting Description
    Allow only configured widgets Select to allow widgets. To specify the allowed device widgets, click the Add button.
  7. Configure Media restrictions.
    Setting Description
    Network Access Allow or restrict the network access for AirDrop.
    Hard Disk Media Access

    Determine what media formats are allowed, require authentication and read-only access for the end user. You can also force to auto-eject media at log out.

  8. Configure Sharing restrictions.
    Setting Description
    Restrict which sharing services are enabled Select which Sharing services, such as AirDrop, Facebook, and Twitter, are enabled on the device. You can also select the Automatically enable new sharing services check box as a restriction.
  9. Configure Functionality restrictions.
    Setting Description
    Lock desktop picture Select to prevent changing of the desktop picture.
    Desktop picture path Enter the path for the desktop picture. Leaving the path blank locks the current desktop picture and prevents it from being changed.
    Allow screen capture Restrict or allow capturing of screen recordings and saving screenshots of the display. It also prevents the Classroom application from observing remote screens.
    Camera - Allow Use of Built-in Camera Restrict or allow the use of the built-in camera. When restricted, all applications whether the native or the enterprise are unable to access the camera.

    Restrict or allow the use of the iCloud functions.

    • Allow iCloud documents and data
    • Allow use of iCloud password for local accounts
    • Allow backup to My macOS iCloud service
    • Allow Find My Mac iCloud service
    • Allow iCloud Bookmark sync
    • Allow iCloud Mail services
    • Allow iCloud Calendar services
    • Allow iCloud Reminder services
    • Allow iCloud Address Book services
    • Allow iCloud Notes services
    • Allow iCloud Keychain sync
    • Allow iCloud Desktop & Documents Services
    Continuity - Allow Handoff Restrict or allow users to have the capability of Handoff when switching between multiple devices that are all signed in with the same Apple iCloud account (macOS 10.15 and later).
    Content Caching - Allow Content Caching Select to allow end users to enable Content Caching on their devices (macOS 10.13 and later).
    Spotlight - Allow Spotlight Suggestions Restrict or allow the use of Spotlight suggestions when using Spotlight for searching.
    AirPrint Restrict or allow the use of the AirPrint functions:
    • Force AirPrint to use trusted certificates for the TLS printing communication (macOS 10.13 and higher).
    • Allow the iBeacon discovery of AirPrint printers. Enabling iBeacon discovery prevents spurious AirPrint Bluetooth beacons from phishing for the network traffic (macOS 10.13 and higher).
    Passwords Restrict auto filling of passwords on the devices and sharing of Wi-Fi passwords to the nearby devices.
  10. To push the profile to the devices, select Save & Publish. The addition or removal of some Restrictions profile payloads might not take effect until the target application or utility is restarted on the device.