macOS Device Profiles

Profiles are the primary means to manage devices. Configure profiles so your macOS devices remain secure and configured to your preferred settings.

You can think of profiles as the settings and rules that, when combined with compliance policies, help you enforce corporate rules and procedures. They contain the settings, configurations, and restrictions that you want to enforce on devices.

A profile consists of the general profile settings and a specific payload. Profiles work best when they contain only a single payload.

macOS profiles apply to a device at either the user level or the device level. When creating macOS profiles, you select the level the profile applies to. Some profiles can only be applied to the user level or device level.

Device Access

Some device profiles configure the settings for accessing a macOS device. Use these profiles to ensure that access to a device is limited only to authorized users.

Some examples of device access profiles include:

  • Secure a device with a Passcode profile. For more information, see Configure a Passcode Policy Profile.
  • Configure Apple's Gatekeeper functionality, which secures application downloads and controls specific settings related to user passwords. For more information, see Configure a Security and Privacy Settings Profile.
  • Configure accessibility options to accommodate end users' needs. For more information, see Configure an Accessibility Profile.

Device Security

Ensure that your macOS devices remain secure through device profiles. These profiles configure the native macOS security features or configure corporate security settings on a device through Workspace ONE UEM.

Some examples of device security profiles include:

  • Use a Wi-Fi profile to connect enrolled devices to your corporate Wi-Fi without sending the network credentials to users. For more information, see Configure a Network Profile for macOS Devices.
  • Implement digital certificates to protect corporate assets. For more information, see Configure a Credentials/SCEP Profile.
  • Ensure access to internal resources for your devices with the VPN profile. For more information, see Create a VPN Profile and Create a VPN On Demand Profile.

Device Configuration

Configure the various settings of your macOS devices with the configuration profiles. These profiles configure the device settings to meet your business needs.

Some examples of device configuration profiles include:

  • Set up access to Microsoft Outlook and corporate files with an Exchange Web Services profile. For more information, see Configure an Exchange Web Services Profile for macOS Devices.
  • Ensure that the devices remain up to date with the macOS Updates profile. For more information, see Configure a Software Update Profile for macOS Devices.

Configure an Accessibility Profile

Configure accessibility options for end users by creating an Accessibility profile.

Procedure

  1. Navigate to Resources > Profiles & Baselines > Profiles and select Add. Select Apple macOS, and then select whether this profile will apply to only the enrollment user on the device (User Profile), or the entire device (Device Profile).

  2. Configure the profile's General settings.

  3. Select the Accessibility payload.

  4. Configure options for Seeing, including:

    Setting Description
    Zoom Options Enable zoom function using scroll wheel and keyboard, set max/min zoom, smooth images and show preview rectangle when zoomed out.
    Display Options Invert colors, use grayscale, enhance contrast and set cursor size to normal, medium, large or extra large.
    Voiceover Options Enable voiceover for the device.
  5. Configure options for Hearing, including:

    Setting Description
    Flash the screen when an alert occurs Enable flashing for alerts.
    Play stereo audio as mono Allow stereo to play as mono.
  6. Configure options for Interaction, including:

    Setting Description
    Sticky Keys Enable Sticky Keys, beep when a modifier is set and display pressed keys on screen.
    Slow Keys Enable Slow Keys, use click key sounds and set key acceptance delay.
    Mouse Keys Enable Mouse Keys, set initial delay and max speed, and ignore device's built-in trackpad.
  7. Select Save & Publish when you are finished to push the profile to devices.

Configure an AirPlay Mirroring Profile

Configuring the AirPlay payload lets you specify, by device ID, the set of destination devices that are allowed to receive mirrored content.

Additionally, if the display access to a device is password-protected, you can pre-enter the password to create a successful connection without revealing the PIN to unauthorized parties.

Note: AirPlay Mirroring currently only pertains to macOS Yosemite devices.

  1. Navigate to Resources > Profiles & Baselines > Profiles > Add > Add Profile. Select Apple macOS, and then select whether this profile will apply to only the enrollment user on the device (User Profile), or the entire device (Device Profile).

  2. Configure the profile's General settings.

  3. Select the AirPlay Mirroring payload tab.

  4. Select Add under Allowed AirPlay Destinations.

  5. Enter the destinations and device information, including:

    Setting Description
    Destination Name This is the name of the destination display. The name must match the device name and is case-sensitive. The device name can be found on the device.
    Allowed Destination Device ID This is the device ID for the destination display. Device IDs include the BonjourID.
    Password This is the password that shows on the user's device when attempting to mirror to the destination. This password is only required if a password is required to mirror to the device.
  6. Click Save & Publish when you are done configuring AirPlay settings.

Configure an AirPrint Profile

Configure an AirPrint payload for an Apple device to enable computers to automatically detect an AirPrint printer even if the device is on a different subnet than the AirPrint printer.

  1. Navigate to Resources > Profiles & Baselines > Profiles > Add, and then select the appropriate platform. If you select Apple macOS, then select whether this profile will apply to only the enrollment user on the device (User Profile), or the entire device (Device Profile).

  2. Configure the profile's General settings.

  3. Select the AirPrint payload tab.

    Setting Description
    IP address Enter the IP address (XXX.XXX.XXX.XXX).
    Resource Path Enter the Resource Path associated with the AirPrint printer (ipp/printer or printers/Canon_MG5300_series). To find the Resource Path and IP address information of a printer, see the Retrieve AirPrint Printer Information section.
  4. Select Save & Publish.

Configure an Associated Domains Profile

To establish a connection between your domain (website) and your application, to share data or credentials or for the features of the application that are based on your website, configure an Associated Domains profile. Associated Domains can be used with features such as Extensible AppSSO, universal links, and Password AutoFill.

Prerequisites

Before you configure an Associated Domains profile, you need to have an apple-app-site-association file on your website and an entitlement in your application. An associated domain matches the associated domains entitlement with an apple-app-site-association file. For more information, see the Apple Documentation.

  1. Navigate to Resources > Profiles & Baselines > Profiles and select Add. Select Apple macOS and then select User Profile or Device Profile.

  2. Select the Associated Domains payload.

  3. Configure Associated Domains settings including:

    Setting Description
    App Identifier Enter the identifier of the application to associate with the domains. The application identifier (bundle ID) must be in the format <Team Identifier>.<Bundle Identifier>.
    Associated Domains Each string should be in the form of <service>:<fully qualified domain>[:port number].
    To match all subdomains of an associated domain, specify a wildcard with the prefix *. before the beginning of a specific domain (the period is required).
    Enable direct download (macOS 11 and later) If enabled, data for this domain is downloaded directly instead of through a CDN.
  4. Select Save & Publish when you are finished to push the profile to the devices.
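The entry format above is easy to get subtly wrong (a missing period after the wildcard, a bare TLD, a non-numeric port). The following is an added example, not Workspace ONE UEM or Apple code: it validates a list of Associated Domains entries against the <service>:<fully qualified domain>[:port number] format and reports which entries would cover a given host. The set of accepted service names and the treatment of "*." as matching subdomains only (not the apex domain, which the text does not specify) are assumptions made here.

```python
"""Validate Associated Domains entries and check which hosts they cover.

Added example; not Workspace ONE UEM or Apple code. It implements the entry
format <service>:<fully qualified domain>[:port number], with the "*."
prefix that matches every subdomain. The accepted service names are an
assumption made here so that typos are caught before the profile is published.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed set of service names; extend it if your apps use others.
KNOWN_SERVICES = {"applinks", "webcredentials", "activitycontinuation", "authsrv", "appclips"}

_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_FQDN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")   # at least two labels, no wildcard


@dataclass(frozen=True)
class AssociatedDomain:
    service: str
    domain: str           # lower-case, wildcard prefix removed
    wildcard: bool        # entry began with "*."
    port: Optional[int]   # None when the entry carries no port

    def matches(self, service: str, host: str, port: Optional[int] = None) -> bool:
        """True when a request for service/host[:port] is covered by this entry.

        Assumption: "*.example.com" covers subdomains only; the apex domain
        needs its own "example.com" entry.
        """
        if service.lower() != self.service:
            return False
        if self.port is not None and port != self.port:
            return False
        host = host.lower().rstrip(".")
        if self.wildcard:
            return host.endswith("." + self.domain)
        return host == self.domain


def parse_entry(entry: str) -> AssociatedDomain:
    """Parse one entry string, raising ValueError with the reason when it is malformed."""
    parts = entry.strip().split(":")
    if len(parts) not in (2, 3):
        raise ValueError(f"{entry!r}: expected <service>:<domain>[:port]")
    service, domain = parts[0].lower(), parts[1].lower()
    port: Optional[int] = None
    if len(parts) == 3:
        if not parts[2].isdigit() or not 1 <= int(parts[2]) <= 65535:
            raise ValueError(f"{entry!r}: port must be a number between 1 and 65535")
        port = int(parts[2])
    if service not in KNOWN_SERVICES:
        raise ValueError(f"{entry!r}: unknown service {service!r}")
    wildcard = domain.startswith("*.")       # the period after * is required
    if wildcard:
        domain = domain[2:]
    if "*" in domain or not _FQDN_RE.match(domain):
        raise ValueError(f"{entry!r}: {domain!r} is not a fully qualified domain")
    return AssociatedDomain(service, domain, wildcard, port)


def validate_entries(entries: List[str]) -> List[str]:
    """Return one error message per malformed entry (empty list when all are valid)."""
    errors = []
    for entry in entries:
        try:
            parse_entry(entry)
        except ValueError as exc:
            errors.append(str(exc))
    return errors


def covering_entries(entries: List[str], service: str, host: str,
                     port: Optional[int] = None) -> List[str]:
    """Return the entries that would cover service/host[:port], in their original order."""
    return [e for e in entries if parse_entry(e).matches(service, host, port)]


# Constructed sample payload for a fictional example.com deployment.
SAMPLE_ENTRIES = [
    "applinks:*.example.com",
    "webcredentials:example.com",
    "applinks:dev.example.com:8443",
]

if __name__ == "__main__":
    print("errors:", validate_entries(SAMPLE_ENTRIES))
    print("shop.example.com ->", covering_entries(SAMPLE_ENTRIES, "applinks", "shop.example.com"))
```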

Configure a CalDAV or CardDAV Profile

Configure a CalDAV or CardDAV profile to allow end users to sync corporate calendar items and contacts. CalDAV and CardDAV apply to User Profiles only.

  1. Navigate to Resources > Profiles & Baselines > Profiles and select Add. Select Apple macOS, and then select User Profile, since email settings can only apply to a single user.

  2. Configure the profile's General settings.

  3. Select the CalDAV or CardDAV payload.

  4. Configure CalDAV or CardDAV settings, including:

    Setting Description
    Account Description Enter a brief description of the account.
    Account Hostname Enter the hostname of the CalDAV or CardDAV server.
    Port Enter the number of the port used to communicate with the CalDAV or CardDAV server.
    Principal URL Enter the web location of the CalDAV or CardDAV server.
    Account Username Enter the username for the Active Directory account.
    Account Password Enter the password for the Active Directory account.
    Use SSL Select this check box to enable Secure Sockets Layer (SSL) usage.
  5. Select Save & Publish when you are finished to push the profile to devices.

Configure Certificate Transparency Profile

Use this profile to configure the certificate transparency options.

  1. Navigate to Resources > Profiles & Baselines > Profiles and select Add. Select Apple macOS, and then select Device Profile.

  2. Select the Certificate Transparency payload and click ADD.

    Setting Description
    Disabled Domains Each entry should contain a domain that is excluded from certificate transparency enforcement. Wildcards can be used to capture subdomains such as ".example.com". Wildcards cannot be used to capture top level domains such as ".com".
    Disabled Certificates Each entry should contain the hash of a server certificate's subjectPublicKeyInfo that is excluded from certificate transparency enforcement. The only available hash algorithm currently supported is SHA-256.
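To fill in a Disabled Certificates entry you need the SHA-256 hash of the server certificate's subjectPublicKeyInfo, not of the whole certificate. The following is an added example, not Workspace ONE UEM or Apple code: it walks the DER encoding of an X.509 certificate with the Python standard library only, isolates the SubjectPublicKeyInfo element and hashes it. The demo certificate it builds is a constructed, unsigned skeleton, and base64 as the paste-in encoding is an assumption (the hex digest is returned as well).

```python
"""Compute the SHA-256 hash of a certificate's subjectPublicKeyInfo (SPKI).

Added example; not Workspace ONE UEM or Apple code. Walks the DER structure
of an X.509 certificate (standard library only), returns the SPKI element and
its SHA-256 hash. The demo certificate below is constructed and unsigned.
"""
import base64
import hashlib


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content_start, content_end) for the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length


def _children(buf: bytes, start: int, end: int):
    """Yield (tag, header_start, content_start, content_end) for each element of a SEQUENCE."""
    pos = start
    while pos < end:
        tag, cstart, cend = _read_tlv(buf, pos)
        yield tag, pos, cstart, cend
        pos = cend


def spki_from_der(cert_der: bytes) -> bytes:
    """Return the complete DER bytes (tag, length and value) of the SubjectPublicKeyInfo."""
    tag, start, end = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    tbs_tag, _, tbs_start, tbs_end = next(_children(cert_der, start, end))
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = list(_children(cert_der, tbs_start, tbs_end))
    # Drop the optional explicit [0] version so the positions line up as
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo.
    if fields and fields[0][0] == 0xA0:
        fields = fields[1:]
    if len(fields) < 6 or fields[5][0] != 0x30:
        raise ValueError("no subjectPublicKeyInfo found in tbsCertificate")
    _, header_start, _, content_end = fields[5]
    return cert_der[header_start:content_end]


def spki_sha256_hex(cert_der: bytes) -> str:
    return hashlib.sha256(spki_from_der(cert_der)).hexdigest()


def spki_sha256_b64(cert_der: bytes) -> str:
    """Base64 form of the hash (assumed to be what the console entry expects)."""
    return base64.b64encode(hashlib.sha256(spki_from_der(cert_der)).digest()).decode()


def pem_to_der(pem: str) -> bytes:
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)


def der_to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# ---- constructed demo certificate (structure only, unsigned; not a real certificate) ----

def _tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER element; used only to build the demo certificate."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


# rsaEncryption AlgorithmIdentifier followed by a dummy 40-byte public key BIT STRING.
DEMO_SPKI = _tlv(0x30, _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010101")) + _tlv(0x05, b""))
                 + _tlv(0x03, b"\x00" + b"\x42" * 40))


def build_demo_certificate(subject: str = "demo") -> bytes:
    """Assemble a v3 certificate skeleton around DEMO_SPKI with a zeroed signature."""
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, bytes.fromhex("550403"))   # CN
                                        + _tlv(0x0C, subject.encode()))))
    sig_alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))  # sha256WithRSA
    validity = _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"250101000000Z"))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + sig_alg
               + name + validity + name + DEMO_SPKI)
    return _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00" * 17))


if __name__ == "__main__":
    print(spki_sha256_b64(build_demo_certificate()))
```

Two certificates that share a key pair yield the same SPKI hash, which is why one entry keeps working across renewals that reuse the key.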

Configure a Content Filter Profile

This payload allows you to configure settings and authentication with third-party web content filters.

  1. Navigate to Resources > Profiles & Baselines > Profiles > Add > Add Profile. Select Apple macOS, and then select whether this profile will apply to only the enrollment user on the device (User Profile), or the entire device (Device Profile).

  2. Select the Content Filter payload.

  3. Under Filter Type, confirm that Plug-in is selected.

  4. Complete the required Content Filter information including:

    Setting Description
    Filter Name Enter the name of the filter that displays in the app and on the device.
    Identifier Enter the bundle ID of the plug-in that provides the filtering service.
    Service Address Enter the hostname, IP address or URL for service.
    Organization Choose the organization string that is passed to the 3rd party plug-in.
    Filter WebKit Traffic Select this check box to choose whether to filter WebKit traffic.
    Filter Socket Traffic Select this check box to choose whether to filter Socket traffic. Note: Either WebKit or Socket traffic needs to be enabled in order for the payload to work.
    Socket Filter Bundle ID (macOS 10.15 and later) Enter the bundle ID of the filter data provider system extension.
    Socket Requirement (macOS 10.15 and later) Enter the designated requirement of the filter data provider system extension. This can be found by running the following command: codesign --display -r - /path/to/app/binary
    Filter Network Packets (macOS 10.15 and later) Enable this option to filter the network packets.
    Packet Bundle ID (macOS 10.15 and later) Enter the bundle ID of the filter packet provider system extension.
    Packet Requirement (macOS 10.15 and later) Enter the designated requirement of the filter packet provider system extension. This can be found by running the following command: codesign --display -r - /path/to/app/binary
    Filter Grade (macOS 10.15 and later) The filter grade determines the order if multiple content filters are used. Filters specified as Firewall will see network traffic before those specified as Inspector.
  5. Configure the Authentication information including:

    Setting Description
    User Name Use look-up values to pull directly from the user account record. Ensure your Workspace ONE UEM user accounts have an email address and email username defined.
    Password Enter the password for this account.
    Payload Certificate Choose the authentication certificate.
  6. Add Custom Data which includes keys required by the third-party filtering service. This information goes into the vendor config dictionary.

  7. Select Save & Publish.

Configure a Credentials/SCEP Profile

Even if you protect your corporate email, Wi-Fi, and VPN with strong passcodes and other restrictions, your infrastructure remains vulnerable to brute force and dictionary attacks or employee error. For greater security, you can implement digital certificates to protect corporate assets.

Prerequisites

To do this, you must first define a certificate authority. Then configure a Credentials payload alongside your Exchange Web Service, Wi-Fi, or VPN payload. Each of these payloads has settings for associating the certificate authority defined in the Credentials payload.

To push down certificates to devices, you must configure a Credentials or SCEP payload as part of the profiles you created for EAS, Wi-Fi, and VPN settings. Use the following instructions to create a credentials payload:

  1. Navigate to Resources > Profiles & Baselines > Profiles > Add > Add Profile. Select Apple macOS, and then select whether this profile will apply to only the enrollment user on the device (User Profile), or the entire device (Device Profile).

  2. Configure the profile's General settings.

  3. Select either the Exchange Web Services, Wi-Fi, or VPN payload to configure. Configure the payload you selected.

  4. Select the Credentials (or SCEP) payload and Upload a certificate or select Defined Certificate Authority from the Credential Source drop-down menu.

    Note: Certificate Preference and Identity Preference options are available only if you have selected User Profile in Step 1.

    1. Select the Credential Source as Upload. Enter the Credential Name and Certificate. The Certificate Preference option is available only if you have selected Credential Source as Upload.

      Note: If you have multiple servers or emails that use the same certificate, you can create a Certificate Preference to define the URLs or email which automatically use this certificate.

      A Certificate Preference specifies which certificate to be automatically used when users access specified URLs, emails, or domains through Safari or other applications that use WebKit or native macOS URL APIs. When the profile gets installed, the certificate and corresponding Certificate Preference are installed in the user’s keychain. In a profile, you can add multiple Certificate Preference payloads as needed.

      Certificate Preference payload is available for macOS 10.12 and later.

    2. Select Credential Source as Defined Certificate Authority and enter Certificate Authority and Certificate Template.

      The Identity Preference option is available only if you have selected Credential Source as Defined Certificate Authority.

      Note: If you use multiple client identity certificates, you can create an Identity Preference to define the URLs which must automatically use this preference.

      An Identity Preference specifies which SSL client certificate to be automatically used when users access specified URLs, emails, or domains through Safari or other applications that use WebKit or native macOS URL APIs. When the profile gets installed, the certificate and corresponding Identity Preference are installed in the user’s keychain. In a profile, you can add multiple Identity Preference payloads as needed.

      Identity Preference payload is available for macOS 10.12 and later.

  5. Navigate back to the previous payload for Exchange Web Services, Wi-Fi, or VPN. Specify the Identity Certificate in the payload:

    1. Exchange Web Service – Select the Payload Certificate under Login Information.
    2. Wi-Fi – Select a compatible Security Type (WEP Enterprise, WPA/WPA2 Enterprise or Any (Enterprise)) and select the Identity Certificate under Authentication.
    3. VPN – Select a compatible Connection Type (for example, CISCO AnyConnect, F5 SSL) and select Certificate from the machine/User Authentication drop-down. Select the Identity Certificate.
  6. Return to the Credentials payload and choose the following allowances:

    1. Allow access to all applications – Select to allow or prevent applications from accessing the certificate in the Keychain. When this option is enabled, end users do not have to explicitly select 'allow access to all applications' for the installed SCEP certificate or enter credentials to grant access.
    2. Allow export of private key from Keychain – Select whether to allow or prevent users from exporting the private key from the installed certificate.
  7. Select Save and Publish.

Configure a Custom Attributes Profile

Write a command or script and report its output as a custom attribute using the Workspace ONE Intelligent Hub for macOS v2.3 and higher. Choose whether to run the command or script at hourly intervals or when an event occurs.

Custom Attributes can also be used in Assignment Rules for Products. For more information about Products, see Product Provisioning for macOS.

  1. Navigate to Resources > Profiles & Baselines > Profiles and select Add then Add Profile. Select Apple macOS, and then select Device Profile, since this profile is only applicable to the entire device.

  2. Scroll down the menu bar on the left and select Custom Attributes followed by Configure.

  3. Enter the Attribute Name.

  4. Enter the Script/Command to run. Expand the text box as needed.

  5. Choose an Execution Interval to allow for scheduling to report either in hours or as an event occurs.

  6. Use the + and - buttons at the bottom of the payload to create multiple scripts.

  7. Select Save & Publish when you are finished to push the profile to devices.

    Note: Custom Attribute values cannot return the following special characters: / \ " * : ; < > ? |. If a script returns a value which contains these characters, the value is not reported on the console. Trim these characters from the script's output.

Configure a Custom Settings Profile

The Custom Settings payload can be used when Apple releases new functionality or features that Workspace ONE UEM does not currently support through its native payloads.

If you do not want to wait for the newest release of Workspace ONE UEM to be able to control these settings, you can use the Custom Settings payload and XML code to manually activate or deactivate certain settings.

You can create a "test" organization group to avoid affecting users before you are ready to save and publish the new settings.

Do not assign a profile to any smart group as it might give an encrypted value when viewing XML.

  1. Navigate to Resources > Profiles & Baselines > Profiles > Add > Add Profile. Select Apple macOS > macOS.

  2. Configure the profile's General settings.

  3. Configure the appropriate payload (for example, Restrictions or Passcode).

  4. Select Save and Publish.

    Note: Ensure that the profile created in Steps 1–4 is not assigned to any smart group. Otherwise, the data might be encrypted when viewing the XML.

  5. Navigate back to the Profiles page and select a profile using the radio button next to the profile name. Menu options appear above the list.

  6. Select </> XML from the menu choices. A View Profile XML window appears.

To download the metadata (Plist) file after the initial upload or save, click Export. Edit the file to add advanced or custom configurations.

  1. Find and copy the section of text starting with <dict>...</dict> that you configured previously, for example, Restrictions or Passcode. This text contains a configuration type identifying its purpose, for example, restrictions. You must copy a single dictionary from inside the PayloadContent array, as shown in the example.

    <plist version="1.0">
      <dict>
        <key>PayloadContent</key>
        <array>
          <dict>
            <key>safariAcceptCookies</key>
            <real>2</real>
            <key>safariAllowAutoFill</key>
            <true />
            <key>PayloadDisplayName</key>
            <string>Restrictions</string>
            <key>PayloadDescription</key>
            <string>RestrictionSettings</string>
            <key>PayloadIdentifier</key>
            <string>745714ad-e006-463d-8bc1-495fc99809d5.Restrictions</string>
            <key>PayloadOrganization</key>
            <string></string>
            <key>PayloadType</key>
            <string>com.apple.applicationaccess</string>
            <key>PayloadUUID</key>
            <string>9dd56416-dc94-4904-b60a-5518ae05ccde</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
          </dict>
        </array>
        <key>PayloadDescription</key>
        <string></string>
        <key>PayloadDisplayName</key>
        <string>Block Camera/V_1</string>
        <key>PayloadIdentifier</key>
        <string>745714ad-e006-463d-8bc1-495fc99809d5</string>
        <key>PayloadOrganization</key>
        <string></string>
        <key>PayloadRemovalDisallowed</key>
        <false />
        <key>PayloadType</key>
        <string>Configuration</string>
        <key>PayloadUUID</key>
        <string>86a02489-58ff-44ff-8cd0-faad7942f64a</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
      </dict>
    </plist>
    

    For more examples and information on the XML code, refer to the KB article: https://support.workspaceone.com/articles/115005038288.

  2. If you see encrypted text between dict tags in the XML window, you can generate the decrypted text by modifying the settings in the profiles page. To do this:

    1. Navigate to Groups & Settings > All Settings > Devices > Users > Apple > Profiles.
    2. Override the custom settings option.
    3. Deactivate Encrypt Profiles option and then Save.
  3. Navigate back to Custom Settings profile and paste the XML you copied in the text box. The XML code you paste should contain the complete block of code, from <dict> to </dict>.

  4. Select Save and Publish.
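Copying the wrong block (the whole profile instead of the inner payload dictionary, or an encrypted blob) is the usual failure in this procedure. The following is an added example, not Workspace ONE UEM code: it parses the XML shown by </> XML with plistlib, checks that PayloadContent holds exactly one plain dictionary with the standard Payload keys, and returns just that <dict>...</dict> block for the Custom Settings text box. The sample profiles are constructed (placeholder UUIDs), modelled on the Restrictions example above.

```python
"""Extract the single payload <dict> from an exported Workspace ONE UEM profile.

Added example; not Workspace ONE UEM code. Returns only the inner
<dict>...</dict> from PayloadContent (what the Custom Settings text box
expects) and reports profiles that are unusable: several payloads, or a
PayloadContent that is not a dictionary because the profile is still encrypted.
"""
import plistlib
from xml.parsers.expat import ExpatError

# Constructed sample modelled on the Restrictions profile above (placeholder UUIDs).
SAMPLE_PROFILE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>safariAllowAutoFill</key><false/>
      <key>PayloadDisplayName</key><string>Restrictions</string>
      <key>PayloadDescription</key><string>RestrictionSettings</string>
      <key>PayloadIdentifier</key><string>00000000-0000-0000-0000-000000000000.Restrictions</string>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
      <key>PayloadVersion</key><integer>1</integer>
    </dict>
  </array>
  <key>PayloadDisplayName</key><string>Block AutoFill/V_1</string>
  <key>PayloadIdentifier</key><string>00000000-0000-0000-0000-000000000000</string>
  <key>PayloadRemovalDisallowed</key><false/>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
  <key>PayloadVersion</key><integer>1</integer>
</dict>
</plist>
"""

# Constructed stand-in for a profile viewed while Encrypt Profiles was still on:
# the payload shows up as an opaque value rather than a dictionary.
ENCRYPTED_PROFILE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array><string>ENCRYPTED-PLACEHOLDER</string></array>
  <key>PayloadType</key><string>Configuration</string>
</dict>
</plist>
"""

# Keys every payload dictionary carries; used to catch a copy of the wrong block.
REQUIRED_KEYS = ("PayloadType", "PayloadIdentifier", "PayloadUUID", "PayloadVersion")


def extract_payload_dict(profile_xml: bytes) -> dict:
    """Return the one payload dictionary inside PayloadContent, or raise ValueError."""
    root = plistlib.loads(profile_xml)
    content = root.get("PayloadContent")
    if not isinstance(content, list) or len(content) != 1:
        raise ValueError("expected exactly one payload in PayloadContent")
    payload = content[0]
    if not isinstance(payload, dict):
        raise ValueError("PayloadContent is not a dictionary; the profile is probably still encrypted")
    missing = [key for key in REQUIRED_KEYS if key not in payload]
    if missing:
        raise ValueError(f"payload is missing {missing}")
    if payload["PayloadType"] == "Configuration":
        raise ValueError("got the outer profile dictionary, not a payload")
    return payload


def payload_dict_xml(profile_xml: bytes) -> str:
    """Return the payload as a bare <dict>...</dict> block for the Custom Settings text box."""
    payload = extract_payload_dict(profile_xml)
    full = plistlib.dumps(payload, fmt=plistlib.FMT_XML, sort_keys=False).decode()
    start = full.index("<dict>")                      # strip the plist header and wrapper
    end = full.rindex("</dict>") + len("</dict>")
    return full[start:end]


def check_profile(profile_xml: bytes) -> str:
    """Return "" when the profile yields a usable payload, else the reason it does not."""
    try:
        extract_payload_dict(profile_xml)
    except (ValueError, plistlib.InvalidFileException, ExpatError) as exc:
        return str(exc) or exc.__class__.__name__
    return ""


if __name__ == "__main__":
    print(payload_dict_xml(SAMPLE_PROFILE_XML))
```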

Configure a Directory Profile

By binding a device to the directory service, the device complies with any domain policies and password security settings. You may bind a single device to multiple directories by sending multiple directory service profiles.

Procedure

  1. Navigate to Resources > Profiles & Baselines > Profiles and select Add. Select Apple macOS, and then select Device Profile, since this profile is only applicable to the entire device.

  2. Configure the profile's General settings.

  3. Select the Directory payload. Then, choose the Directory Type, Open Directory or Active Directory.

    If multiple profiles enforce separate policies on a single device, the most restrictive policy is enforced. If your password policy is being managed by your directory for network users logging into the devices, Workspace ONE UEM does not recommend a passcode policy.

  4. Choose Authentication settings including:

    Setting Description
    Directory Type Choose Active Directory, Open Directory, or LDAP from the drop-down menu.
    Server Hostname Enter the directory server name.
    Username and Password Enter the credentials of the administrator used to authenticate and bind the device to the server. Administrator credentials should not include the domain. Use "administrator" only, do not use "domain\administrator."
    Client ID Enter the identifier associated with the device in the directory. Enter the Client ID in a format that is allowed by the directory you are attempting to bind. Workspace ONE UEM recommends using {SerialNumber}. Other lookup values (device asset number, etc.) may not generate computer names that comply with NetBIOS naming conventions.
  5. Choose User Experience settings for Active Directory Accounts:

    Setting Description
    Configure a mobile account at login Select this option to create a mobile account. When this option is selected, the users' data is stored locally and they are automatically logged into a mobile account.
    Require confirmation Send a confirmation message to the end user.
    Use UNC path Select to use the UNC path specified in Active Directory when mounting the network home.
    Mount Choose either the AFP or SMB protocols.
    Default user shell Specify the default shell for the user after logging into the computer.
  6. Select the Mappings tab to specify the directory attribute used for the group ID (GID) mapping. By default, mappings are derived from the domain server.

  7. Select Administrative tab and configure settings including:

    Setting Description
    Group Names Specify groups to determine who has local administrative privileges on the computer.
    Preferred domain server Enter the name of the domain server.
    Namespace Select the primary account naming convention based on forest or domain.
    Packet signing Choose how to ensure data is secure.
    Packet Encryption Choose to encrypt data.
    Password trust interval Set to determine how often the computer trust is updated.
    Restrict DDNS Add interfaces to restrict which interfaces send dynamic DNS updates. Use the format: en0, en1, en2, etc.
  8. Select Save & Publish to push the profile to the device.

Configure a Disk Encryption Profile

If you are using macOS 10.9 and later versions, configure the disk encryption profile and push the profile to the device, whether the Workspace ONE Intelligent Hub is installed or not. Other Workspace ONE UEM enhancements with 10.9 and later versions include the role-based access for recovery keys and the ability to audit who views recovery keys and when.

Procedure

  1. Navigate to Resources > Profiles & Baselines > Profiles and select Add.

  2. Select Apple macOS and then select Device Profile. This profile is only applicable to the entire device.

  3. Configure the profile's General settings.

  4. Select the Disk Encryption payload and configure the following settings.

    Native Device Management (FileVault 2 Encryption Settings) Description
    Recovery Key Type Select the type of recovery key required to decrypt the disk. The available options are Personal, Institutional, and Personal and Institutional.
    FileVault Enterprise Certificate This option appears only when you select Institutional or Personal and Institutional recovery key type. Select the FileVaultMaster.cer for the disk encryption that was uploaded into the Credentials payload. For information about using certificates with the disk encryption profile, see the Institutional Recovery for macOS devices section.
    Display Personal Recovery Key Enable the option to display the personal recovery key to the user when the key is generated.
    Escrow Personal Recovery Key to UEM Server Enable the option to retain the recovery key on the UEM server so that it is always accessible in the Device Details page. For information about recovery keys, see the configuration profile reference guide in the Apple Developer portal.
    FileVault User Select the type of user to enable for FileVault. The available user types are:
    Current or Next Login User - Enables FileVault for the user who is logged in when the profile is installed. If no user is logged in, then the next local or mobile user account is prompted to enable FileVault.
    Specific User - Enables FileVault only to a specifically defined user.
    Username If Specific User is selected as the FileVault user type, enter the user name for the account.
    When to prompt user To prompt the user to enter the password to enable FileVault at different stages, select one of the following options:
    Both Login and Logout
    Logout Only
    Login Only
    Bypass Login(s) Enter the number of times a user can bypass the FileVault prompt during login. Min number of times is 0 and max number of times is 10.
    Require user to unlock FileVault after hibernation Enable the option to require a password to unlock the FileVault after hibernation and to restore the state of the FileVault when it was last saved.
    Intelligent Hub Device Management Settings Description
    Use Intelligent Hub for enforcement Activate or deactivate the Intelligent Hub enforcement of disk encryption. If deactivated, no Hub notifications are prompted to the user. Only the native device management settings that are defined are applied.
    Encryption disabled notification Enable the option to display the notification to the user to log out allowing the operating system to prompt users for their password to start encryption.
    Notification title Enter the title for the encryption notification. Min length is 1 char and max length is 29 char. Allowed characters are:
    a–z, A–Z
    0–9
    Special characters - #,;:'"?.!@{}+_-
    Notification Message Enter the message for the encryption notification stating the user to log out and log back in when prompted. Min length is 1 char. Keeping the message under 135 characters avoids truncating the notification in the Notification pane. However, message with 63 characters is the max for keeping the notification preview from being truncated. Allowed characters are:
    a–z, A–Z
    0–9
    Special characters - #,;:'"?.!@+_-
    Notification dismissal Enter the number of times for the user to close logout notifications. Min number of attempts is 0 and max number of attempts is 100.
    Dismissal interval Enter the time interval between dismissed notifications. Min interval is 1 hour, and max interval is 168 hours.
    Action after last dismissal Select the action type that must take place after the last allowed notification dismissal.
    Force Logout - Automatically sends notifications to the users after the last allowed dismissal prompting to save their work before the system automatically logs them out.
    Do Nothing - No action is taken.
    Prompt for password if encrypted Enable the option for the Hub to prompt users for their password to rotate the recovery key to escrow if the device has already been encrypted.
    Notification title Enter the title for notification requesting for the password that allows Hub to rotate the recovery key. Min length is 1 char and max length is 29 char.
    Allowed characters are:
    a–z, A–Z
    0–9
    Special characters - #,;:'"?.!@{}+_-
    Notification message Enter the message for notification requesting for the password that allows Hub to the rotate recovery key. Min length is 1 char. Keeping the message under 135 characters avoids truncating the notification in the Notification pane. However, message with 63 characters is the max for keeping the notification preview from being truncated. Allowed characters are:
    a–z, A–Z
    0–9
    Special characters - #,;:'"?.!@{}+_-
    Dismissal interval Enter the time interval between dismissed notifications. Min interval is 1 hour, and max interval is 168 hours.
    Prompt title Enter the title for the password prompt to rotate the FileVault recovery key. Min length is 1 char and max length is 50 char. Allowed characters are:
    a–z, A–Z

    0–9
    Special characters - #,;:'"?.!@{}+_-
    Prompt message Enter the message for the password prompt to rotate the FileVault recovery key. Min length is 1 char and max length is 50 char. Allowed characters are:
    a–z, A–Z
    0–9
    Special characters - #,;:'"?.!@{}+_-
    Success title Enter the title for the notification when the recovery key validation is successful. Min length is 1 char and max length is 50 char. Allowed characters are:
    a–z, A–Z
    0–9
    Special characters - #,;:'"?.!@{}+_-
    Success Message Enter the message for the notification when the device is compliant with the organization's disk encryption policy after successful password entry. Min length is 1 char and max length is 150 char. Allowed characters are:
    a–z, A–Z
    0–9
    Special characters - #,;:'"?.!@{}+_-
    Error title Enter the title for the error notification when the recovery key rotation fails. Min length is 1 char and max length is 50 char. Allowed characters are:
    a–z, A–Z
    0–9
    Special characters - #,;:'"?.!@{}+_-
    Error Message Enter the error message instructing the user to contact the IT administrator when the recovery key rotation fails. Min length is 1 char and max length is 150 char. Allowed characters are:
    a–z, A–Z
    0–9
    Special characters - #,;:'"?.!@{}+_-
    Retries before error message Enter the maximum number of password retry attempts before displaying an error notification that asks the end user to contact the IT administrator. As an admin, you can view the corresponding error event logs in the HubEventLogs.log file and take the necessary troubleshooting steps. Once the error is fixed, use the following hubcli command to reset the Hub so that it prompts for password retry attempts again:
    sudo hubcli reset-recoverykey
  5. Select Save & Publish to push the profile to the devices.

    Note: If no CoreStorage logical volume groups are found, disk encryption fails with an error. On devices running 10.12.6 or lower without FileVault 2, run the following command to determine whether the disk can be encrypted. If no CoreStorage volumes are found, the drive must be reformatted before FileVault 2 can be enabled.

    diskutil cs list
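
The CoreStorage check above can be turned into a pre-flight audit that runs before the Disk Encryption profile is pushed. The following script is an added example, not Workspace ONE or Apple code; it classifies a device from the text output of `fdesetup status` and `diskutil cs list`, and the phrases it matches ("FileVault is On.", "No CoreStorage logical volume groups found", "CoreStorage logical volume groups (N found)") are assumptions about those tools' output. The sample outputs embedded for offline use are constructed, and, as the note says, the CoreStorage test is meaningful only on 10.12.6 or lower.

```shell
#!/bin/sh
# Pre-flight check for FileVault enforcement on 10.12.6-or-lower Macs.
# Added example, not Workspace ONE code. The decision logic takes command
# output as text so it can be tested offline with constructed samples and
# run live on a Mac with:  sh fv_preflight.sh --live

# fv_state FDESETUP_OUTPUT -> prints "on" or "off"
fv_state() {
    case "$1" in
        *"FileVault is On"*) echo on ;;
        *)                   echo off ;;
    esac
}

# cs_present DISKUTIL_CS_OUTPUT -> prints "yes" if CoreStorage volume groups
# exist, "no" otherwise. The "No ... found" case must be tested first because
# it also contains the generic "CoreStorage logical volume groups" phrase.
cs_present() {
    case "$1" in
        *"No CoreStorage logical volume groups found"*) echo no ;;
        *"CoreStorage logical volume groups"*)           echo yes ;;
        *)                                               echo no ;;
    esac
}

# classify FDESETUP_OUTPUT DISKUTIL_CS_OUTPUT -> one of:
#   encrypted  FileVault already on; the Hub may prompt for a password to rotate the key
#   ready      not encrypted, CoreStorage present; the profile can enable FileVault
#   reformat   no CoreStorage groups; encryption fails until the drive is reformatted
classify() {
    if [ "$(fv_state "$1")" = on ]; then
        echo encrypted
    elif [ "$(cs_present "$2")" = yes ]; then
        echo ready
    else
        echo reformat
    fi
}

# Constructed sample outputs for offline testing (not captured from a real device).
SAMPLE_FDE_OFF="FileVault is Off."
SAMPLE_FDE_ON="FileVault is On."
SAMPLE_CS_NONE="No CoreStorage logical volume groups found"
SAMPLE_CS_ONE="CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 0123ABCD-0000-4000-8000-EXAMPLE00001
    =========================================================
    Name:         Macintosh HD
    Status:       Online"

# Live run: only executed when explicitly requested, so the functions above
# can be sourced and unit-tested on any POSIX shell.
if [ "${1:-}" = "--live" ]; then
    fde_out=$(fdesetup status 2>/dev/null)
    cs_out=$(diskutil cs list 2>/dev/null)
    echo "FileVault: $(fv_state "$fde_out")  CoreStorage: $(cs_present "$cs_out")  result: $(classify "$fde_out" "$cs_out")"
fi
```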

Configure a DNSSetting Profile

Use the DNSSetting profile to add DNS settings to your end user devices.

  1. Navigate to Resources > Profiles & Baselines > Profiles and select Add. Select macOS, and then select Device Profile.

  2. Select the DNSSetting payload and click ADD. Enter the server configuration settings.

    Setting Description
    DNS Protocol Specify whether devices use HTTPS (DNS over HTTPS) or TLS (DNS over TLS) to communicate with the DNS server.
    Server Addresses Specify the list of DNS server IP addresses.
    Server Name If you select TLS as the DNS protocol, specify the hostname of the DNS server used to validate the server certificate.
    Server URL If you select HTTPS as the DNS protocol, specify the hostname or address used to validate the server certificate.
    Supplemental domains Enter all domains that will use the DNS server. If this is empty, all domains will use the DNS server.
    Action if network matches Specify when the DNS Settings will take effect:
    Connect: Apply DNS Settings when a match occurs
    Disconnect: Do not apply DNS Settings when a match occurs
    Evaluate Connection: Apply DNS Settings with per-domain exceptions when the dictionary matches.
    Action Used when Action if network matches is set to Evaluate Connection.
    NeverConnect: Do not use the DNS Settings for the specified domains
    ConnectIfNeeded: Allow the DNS Settings for the specified domains
    Domains Enter the list of domains for which to take the previously defined Action.
    DNS domain matching If enabled, the rule will match if any of the domains specified in the DNS Domains list match any domain in the device's search domains list.
    DNS server matching If enabled, the rule will match if any of the domains specified in the DNS Server Addresses list match any of the network's specified DNS servers.
    SSID matching If enabled, the rule will match if any of the SSIDs specified in the Network SSIDs list match the current network.
    Interface Type The rule matches only if the primary network interface hardware matches the specified type.
    URL to probe The rule matches if the specified URL returns a 200 HTTP status code without redirection.

Configure a Dock Profile

Configure a Dock profile to manage the look and feel of the Dock and the applications that appear on it. Configuring Dock settings from the UEM console gives you additional control over users' devices by determining whether users can adjust their own settings later, for example by adding an app to the Dock or removing one.

  1. Navigate to Resources > Profiles & Baselines > Profiles and select Add. Select Apple macOS, and then select whether this profile will apply to only the enrollment user on the device (User Profile), or the entire device (Device Profile).

  2. Configure the profile's General settings.

  3. Select the Dock payload.

  4. Configure Size & Position settings, including:

    Setting Description
    Dock Size Use the scale to determine the desired size for the Dock.
    Allow user to adjust Dock Size Allow or prevent users from modifying their own Dock Size settings on their devices.
    Magnification Use the scale to determine the desired magnification for the Dock.
    Allow user to adjust Magnification Allow or prevent users from modifying their own Magnification settings on their devices.
    Position Use the drop-down menu to select the position of the Dock on the screen.
    Allow user to adjust Dock Position Allow or prevent users from modifying their own Dock Position settings on their devices. If you have specified certain apps, they cannot be removed, but they can be rearranged.
  5. Configure Items settings, including:

    Setting Description
    Dock Applications Select Add to specify applications to appear on the Dock.
    Dock Items Select Add to specify files and folders to appear on the Dock.
    Add Other Folders Configure folders for My Applications, Documents, and Network Home in the Dock.
    Allow user to adjust Dock Applications and Items Allow or prevent users from modifying their own Dock Applications settings on their devices.
  6. Configure Options settings, including:

    Setting Description
    Minimize Using Select either Genie or Scale animation for minimizing the Dock.
    Allow user to adjust Minimize effect Allow or prevent users from modifying their own Minimize effect settings on their devices.
    Minimize Window Into Application Icon Select this to create an icon to represent an open window in the Dock when the window is minimized.
    Allow user to adjust Minimize into Application icon Allow or prevent users from modifying their own Minimize windows settings on their devices.
    Animate Opening Application Enable animation when launching an application from the Dock.
    Allow user to adjust Animate Opening Application Allow or prevent users from modifying their own animation settings on their devices.
  7. Select Save & Publish when you are finished to push the profile to devices.

Configure an Email Profile

An Email profile configures email account settings on macOS devices. Email profiles can only be applied as User Profiles.

  1. Navigate to Resources > Profiles & Baselines > Profiles and select Add. Select Apple macOS, and then select User Profile, since email settings can only apply to a single user.

  2. Configure the profile's General settings.

  3. Select the Email payload.

  4. Configure Email settings, including:

    Settings Description
    Account Description Enter a brief description of the email account.
    Account Type Use the drop-down menu to select either IMAP or POP.
    Path Prefix Enter the name of the root folder for the email account (IMAP only).
    User Display Name Enter the name of the end user.
    Email Address Enter the address for the email account.
    Host Name Enter the name of the email server.
    Port Enter the number of the port assigned to incoming mail traffic.
    Username Enter the username for the email account.
    Authentication Type Use the drop-down menu to select how the email account holder is authenticated.
    Password Enter the password required to authenticate the end user.
    Use SSL Select this check box to enable Secure Socket Layer usage for incoming email traffic.
    Host Name Enter the name of the email server.
    Port Enter the number of the port assigned to incoming mail traffic.
    Username Enter the username for the email account.
    Authentication Type Use the drop-down menu to select how the email account holder is authenticated.
    Outgoing Password Same As Incoming Select this to auto-populate the password field.
    Password Enter the password required to authenticate the end user. Select Show Characters if you want users to see characters as they type.
    Use SSL Select this check box to enable Secure Socket Layer usage for incoming email traffic.
  5. Select Save & Publish when you are finished to push the profile to devices.

Configure an Energy Saver Profile

An Energy Saver profile enforces settings for when the computer sleeps and configures wake options.

Procedure

  1. Navigate to Resources> Profiles & Baselines > Profiles and select Add. Select Apple macOS, and then select Device Profile, since this profile is only applicable to the entire device.

  2. Configure the profile's General settings.

  3. Select the Energy Saver payload.

  4. Configure Energy Saver settings, including:

    Setting Description
    Desktop Sleep Options – Set the length of time for the computer or display to go to sleep.
    Wake Options – Set when the computer will wake depending on Ethernet network administrator access, pressing the power button and automatically after a power failure.
    Laptop Laptop power options are identical to desktop power options. Configure specific configurations when the laptop is using battery power or when connected to a power adapter.
    Schedule Set the computer to start up or go to sleep at specific times. Also set unique schedules depending on weekday, specific day and any day.


  5. Select Save & Publish when you are finished to push the profile to devices. If you push a laptop profile to a desktop device, or vice versa, the profile is ignored by the receiving device.

Configure an Exchange Web Services Profile

An Exchange Web Services profile allows the end user to access corporate email infrastructure and Microsoft Outlook accounts from the device. Exchange Web Services profiles can only be applied as User Profiles.

Note: This payload is fully supported on macOS v10.9 and higher. On v10.7 and v10.8, macOS configures only Contacts when the payload is installed.

  1. Navigate to Resources > Profiles & Baselines > Profiles and select Add. Select Apple macOS, and then select User Profile, since email settings can only apply to a single user.

  2. Configure the profile's General settings.

  3. Select the Exchange Web Services payload.

  4. Configure Exchange Web Services settings, including:

    Setting Description
    Email Client Configure the native mail client or Microsoft Outlook on the device. Outlook requires Workspace ONE Intelligent Hub v.1.1.0+ to be installed on the device.
    Account Name Enter the name for the EWS account.
    Exchange Host Enter the name of the Exchange host. This option appears when Microsoft Outlook is selected.
    Exchange Port Enter the port number for the Exchange Host. This option appears when Microsoft Outlook is selected.
    Use SSL Select to enable Secure Socket Layer usage for communication. This option appears when Microsoft Outlook is selected.
    Delete all user data when profile is removed Select to erase all user information, mail, settings, and all configured accounts in Outlook, whether the user is managed or unmanaged. This option appears when Microsoft Outlook is selected.
    CAUTION: Do not make this selection if deploying to a personal computer. This forces Outlook to quit and deletes all information from the computer's Microsoft User Data folder.
    Username Enter the username for the email account.
    Email Address Enter the email address for the email account.
    Full Name Enter the first and last name associated with the account. This option appears when Microsoft Outlook is selected.
    Password Enter the password required to authenticate the end user.
    Payload Certificate Select the certificate upload for EAS use. This option appears when Native Mail Client is selected.
    Domain Enter the domain for the email account. This option appears when Microsoft Outlook is selected.
  5. Configure more options for Native Mail Client:

    Setting Description
    Internal Exchange Host The name of the secure server for EAS use. This option and the following options appear when Native Mail Client is selected.
    Port Enter the number of the port assigned for communication with the internal Exchange host.
    Internal Server Path The location of the secure server for EAS use.
    Use SSL For Internal Exchange Host Select this check box to enable Secure Socket Layer (SSL) usage for communication with the Internal Exchange Host.
    External Exchange Host The name of the external server for EAS use.
    Port Enter the number of the port assigned for communication with the External Exchange Host.
    External Server Path The location of the external server for EAS use.
    Use SSL For External Exchange Host Select this check box to enable Secure Socket Layer (SSL) usage for communication with the External Exchange Host.
  6. Configure Directory Services for Microsoft Outlook.

    Settings Description
    Directory Server Enter the location of the secure server.
    Directory Server Port Enter the port number of the secure server.
    Search Base Enter the search base of the secure server.
    Directory Server Requires SSL Select this check box if the directory server requires Secure Socket Layer (SSL).
  7. Select Save & Publish when you are finished to push the profile to devices.

Configure a File Provider Profile

Use this payload to configure a File Provider profile. Enabling it allows managed file providers to access information about the requesting process.

  1. Navigate to Resources > Profiles & Baselines > Profiles and select Add. Select Apple macOS, and then select Device Profile.

  2. Select the File Provider payload and click ADD.

  3. Enable Allow managed file providers access to request attribution so that managed file providers can access the path of the requesting process.

Configure a Finder Profile

A Finder profile controls general settings related to what end users can see on their devices and the actions they are allowed to perform.

Procedure

  1. Navigate to Resources > Profiles & Baselines > Profiles and select Add. Select Apple macOS, and then select whether this profile will apply to only the enrollment user on the device User Profile, or the entire device Device Profile.

  2. Configure the profile's General settings.

  3. Select the Finder payload.

  4. Configure settings on the Preferences, including:

    Setting Description
    Use Regular Finder/Use Simple Finder Set either the Regular Finder or the Simple Finder as the default for users.
    Hard Disk Show the device's Hard Disk icon on the Desktop.
    External Disk Show any connected external disk icons on the Desktop.
    CDs, DVDs, and iPods Show any inserted media icons on the Desktop.
    Connected Server Show icons for any connected servers on the Desktop.
    Show warning before emptying the Trash Present user with prompt before emptying the Trash.
  5. Configure settings on the Commands, including:

    Setting Description
    Connect to server Allow users to open a dialog box and find servers on a network.
    Eject Allow users to eject removable media and mountable volumes.
    Burn Disc Allow users to write permanent information to a CD or DVD.
    Go to Folder Allow users to open files or folders by typing the path name.
    Restart Allow users to access the restart command from the Apple Menu.
    Shut Down Allow users to access the shutdown command from the Apple Menu.
  6. Select Save & Publish when you are finished to push the profile to devices.

Configure a Firewall Profile

Push a firewall profile with the Workspace ONE Intelligent Hub v2.2+ for macOS to filter unauthorized connections to your enterprise network.

Using the native firewall combined with the Workspace ONE Intelligent Hub, you can monitor firewall settings and revert settings if unauthorized changes occur. Also, use the firewall to control incoming connections and protect computers against probing requests.

  1. Navigate to Resources > Profiles & Baselines > Profiles and select Add. Select Apple macOS, and then select Device Profile, since this profile is only applicable to the entire device.

  2. Select the Firewall payload.

  3. Select Enable to allow firewall protection.

  4. Configure the following firewall settings:

    Setting Description
    Enable Select this option to enable the macOS firewall.
    Block all incoming connections Select this to block all incoming connections from sharing services, except for connections required for basic Internet services.
    Automatically allow signed software to receive incoming connections Select this to automatically allow only software signed by a developer and approved by Apple to provide services accessed from their network.
    Enable stealth mode Select this to prevent the computer from responding to or acknowledging requests made from test applications.
  5. Select Save & Publish to push the profile to the device. All Workspace ONE Intelligent Hub functionality, including push notifications, continues even if Block all incoming connections is selected.

Configure a Firewall(Native) Profile

Manage the device firewall using only native MDM settings. You can manage the overall firewall behavior, as well as specify how traffic is handled on a per-application basis.

Using the native firewall combined with the Workspace ONE Intelligent Hub, you can monitor firewall settings and revert settings if unauthorized changes occur. Also, use the firewall to control incoming connections and protect computers against probing requests.

  1. Navigate to Resources > Profiles & Baselines > Profiles and select Add. Select Apple macOS, and then select Device Profile, since this profile is only applicable to the entire device.

  2. Select the Firewall payload.

  3. Select Enable to allow firewall protection.

  4. Configure the following firewall settings:

    Setting Description
    Enable firewall Select this option to enable the macOS firewall.
    Block all incoming connections Select this to block all incoming connections from sharing services, except for connections required for basic Internet services.
    Enable stealth mode Select this to prevent the computer from responding to or acknowledging requests made from test applications.
    Enable Logging (macOS 12 and later) Select this option to enable firewall logging.
    Logging behavior (macOS 12 and later) Specify the type of firewall logging: Throttled, Brief, or Detail.
    Apps Specify individual applications with connections to be controlled by the firewall.
    App Bundle ID Specify the bundle ID for each application.
    Allow connections Specify whether connections should be allowed for this application.
  5. Select Save & Publish to push the profile to the device. All Workspace ONE Intelligent Hub functionality, including push notifications, continues even if Block all incoming connections is selected.
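
Both firewall sections above rely on monitoring the firewall and spotting unauthorized changes. The following script is an added example, not Workspace ONE or Apple code, that performs that drift check by reading the Application Firewall state through `/usr/libexec/ApplicationFirewall/socketfilterfw` and comparing it with the values the profile is expected to enforce. The output phrasing it parses ("Firewall is enabled.", "Block all ENABLED!", "Stealth mode enabled", "Log mode is on") is an assumption about that tool, and the sample output embedded for offline use is constructed.

```shell
#!/bin/sh
# Firewall drift check. Added example, not Workspace ONE or Apple code.
# Compares the live Application Firewall state with the state a Firewall
# profile is expected to enforce (enable, block all incoming, stealth mode,
# logging) and reports each setting that has drifted.
# Live run on a Mac:  sh fw_drift.sh --live

SFW=/usr/libexec/ApplicationFirewall/socketfilterfw

# to_bool TEXT -> prints 1 if the socketfilterfw text reports the setting as on,
# otherwise 0. "disabled"/"DISABLED" do not contain "enabled"/"ENABLED", and
# "Log mode is off" does not contain "is on", so those correctly yield 0.
to_bool() {
    case "$1" in
        *enabled*|*ENABLED*|*"is on"*) echo 1 ;;
        *)                             echo 0 ;;
    esac
}

# check NAME EXPECTED ACTUAL_TEXT -> prints an "ok" or "DRIFT" line;
# returns 0 when the setting matches, 1 when it has drifted.
check() {
    actual=$(to_bool "$3")
    if [ "$actual" = "$2" ]; then
        echo "ok    $1"
        return 0
    fi
    echo "DRIFT $1 expected=$2 actual=$actual"
    return 1
}

# audit EXP_ENABLE EXP_BLOCKALL EXP_STEALTH EXP_LOGGING \
#       GLOBAL_TEXT BLOCKALL_TEXT STEALTH_TEXT LOGGING_TEXT
# -> prints one report line per setting, then the number of drifted settings
#    as the last line (0 means the device still matches the profile).
audit() {
    drift=0
    check "enable"    "$1" "$5" || drift=$((drift + 1))
    check "block_all" "$2" "$6" || drift=$((drift + 1))
    check "stealth"   "$3" "$7" || drift=$((drift + 1))
    check "logging"   "$4" "$8" || drift=$((drift + 1))
    echo "$drift"
}

# Constructed sample output (not captured from a real device): the profile
# expects all four settings on, but stealth mode and logging have been turned off.
SAMPLE_GLOBAL="Firewall is enabled. (State = 1)"
SAMPLE_BLOCKALL="Block all ENABLED!"
SAMPLE_STEALTH="Stealth mode disabled"
SAMPLE_LOGGING="Log mode is off"

# Live run: expected values here mirror a profile with Enable, Block all
# incoming connections, Enable stealth mode and Enable Logging selected.
if [ "${1:-}" = "--live" ]; then
    audit 1 1 1 1 \
        "$("$SFW" --getglobalstate)" "$("$SFW" --getblockall)" \
        "$("$SFW" --getstealthmode)" "$("$SFW" --getloggingmode)"
fi
```

A non-zero last line is the signal to re-push the profile or investigate who changed the setting; per-application rules from the Firewall (Native) payload are not covered by this check.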

Configure a Firmware Password Profile

Enforce a firmware password to add hardware-level protection when a macOS v10.10+ device starts up from an external drive or partition, or in Recovery Mode.

Prerequisites

This profile requires Workspace ONE Intelligent Hub v2.2+ for macOS. The Hub provides enhanced security and lets you determine when end users must enter the firmware password.

Important: If a firmware password is already set on the computer, then profile installation will fail.

  1. Navigate to Resources > Profiles & Baselines > Profiles and select Add. Select Apple macOS, and then select Device Profile, since this profile is only applicable to the entire device.

  2. Configure the profile's General settings.

  3. Configure the Firmware Password:

    Setting Description
    Firmware Password Enter the password for the device.
    Mode Select the Mode when end users are required to enter the password:
    Command Mode – Require the password when attempting to boot to another drive or partition. After the end user enters the password, the computer begins using Command Mode. Then, the macOS Hub prompts the end user to re-start the computer.
    Full Mode – Require the password every time the computer starts up. After the end user enters the password, the macOS Hub prompts the end user to re-start the computer. When the computer re-starts, it begins using Full Mode. Once the profile is configured, it cannot be removed remotely.
  4. Select Save & Publish to push the profile to the device.

Configure a Kernel Extension Policy Profile

Use a Kernel Extension Policy profile to explicitly allow applications and installers that use kernel extensions to load on your end users' devices.

This profile controls restrictions and settings for User Approved Kernel Extension Loading on macOS v10.13.2 and later.

  1. Navigate to Resources > Profiles & Baselines > Profiles and select Add. Select Apple macOS, and then select Device Profile.

    This profile is not enabled for the User level.

  2. Select the Kernel Extension Policy payload.

  3. Select the Allow User Overrides check box to approve additional kernel extensions not explicitly allowed by configuration profiles.

    This option allows any application to install on the end users' devices without approval for a kernel extension. If you select this option, the extension policy settings below provide no additional functionality.

  4. If you choose not to allow users to override kernel extensions, configure the extension policy settings.

    Setting Description
    Allowed Team Identifiers Team identifiers for which all validly signed kernel extensions will be allowed to load.
    Use the Add button to add additional identifiers.
    Allowed Kernel Extensions Signed kernel extensions that will always be allowed to load on the machine. Enter a Team Identifier and a Bundle ID for each app. For unsigned legacy kernel extensions, use an empty key for the team identifier.
    Use the Add button to add additional extensions.
    Allow Non-admin User Approval Select this option to allow standard users to approve additional kernel extensions in the Security and privacy preferences.

Configure an LDAP Profile

An LDAP profile allows end users to access and integrate with your corporate LDAPv3 directory information. The ability to use LDAP applies to User Profiles only.

  1. Navigate to Resources > Profiles & Baselines > Profiles and select Add. Select Apple macOS, and then select User Profile, since these settings can only apply to a single user.

  2. Configure the profile's General settings.

  3. Select the LDAP payload.

  4. Configure LDAP settings:

    Setting Description
    Account Description Enter a brief description of the LDAP account.
    Account Hostname Enter or view the name of the server for Active Directory use.
    Account Username Enter the username for the Active Directory account.
    Account Password Enter the password for the Active Directory account.
    Use SSL Select this check box to enable Secure Socket Layer usage.
    Search Settings Select Add and enter settings for Active Directory searches run from the device.
  5. Select Save & Publish when you are finished to push the profile to devices.

Configure a Login Items Profile

A Login Items profile enables you to control the behavior of the users' devices when they launch.

  1. Navigate to Resources > Profiles & Baselines > Profiles and select Add. Select Apple macOS, and then select whether this profile will apply to only the enrollment user on the device (User Profile), or the entire device (Device Profile).

  2. Configure the profile's General settings.

  3. Select the Login Items payload.

  4. Configure Login Items settings, including:

    Setting Description
    Applications Specify which applications to launch at login. Enter the full path of the application, for example, /Applications/Contacts.app.
    Files and Folders Specify which files and folders to launch at login. Enter the full path of the file or folder.
    Authenticated Network Mounts Specify which network mounts to authenticate with the user's login name and password. Use Active Directory (AD) credentials for user login. Enter the full mount path and volume, including protocol, for example, smb://server.example.com/volume.
    Network Mounts Specify which volumes to mount at login. Use AD credentials for user login. Enter the full mount path and volume including protocol, for example, smb://server.example.com/volume.
    Add network home SharePoint Select this to enable network home SharePoint configuration on the device.
    User may press shift to prevent items from opening Select this to allow the user to hold shift upon login to prevent items from opening.
  5. Select Save & Publish when you are finished to push the profile to devices.

Configure a Login Window Profile

Configure the Login Window profile to control the look and feel of the login window, including options for logging in, and directory user access to the device.

Procedure

  1. Navigate to Resources> Profiles & Baselines > Profiles and select Add. Select Apple macOS, and then select Device Profile, since this profile is only applicable to the entire device.

  2. Configure the profile's General settings.

  3. Select the Login Window payload.

  4. Configure Login Window settings using the tabs, including:

    Tab Description
    Window Show additional information in the menu bar, including host name, macOS version, and IP address when the menu bar is selected.
    Enter custom banner message.
    Show local user, mobile accounts, network accounts, device admins and "other" information.
    Show device power options, including Shut Down, Restart and Sleep.
    Options Show password hint and set amount of retries before hint is shown, if available.
    Enable automatic login, console access, and Fast User Switching.
    Log out users, enable computer admin to refresh or deactivate management.
    Set computer name to computer record name, activate external accounts, allow guest user.
    Set screen saver to start and set actual screen saver.
    Access Allow or deny specific user accounts access to the device.
    Allow local-only users to log in; use available workgroup settings and nesting.
    Combine available work group settings and always show work group dialog during login.
    Note: This only works with Directory Users, not local users on the device. The device must be bound to the same directory that Workspace ONE UEM is pulling users from.
    Scripts Set EnableMCXLoginScripts to TRUE.
    Set MCXScriptTrust to match the binding settings used to connect the client computer to the directory domain.
  5. Select Save & Publish when you are finished to push the profile to devices.

Configure a Managed Domains Profile

Managed domains are another way Workspace ONE UEM enhances Apple's "open in" security feature on macOS computers. Use the "open in" feature and manage email domains to protect corporate data by helping end users verify which emails are sent to corporate accounts.

Procedure

  1. Navigate to Resources > Profiles & Baselines > Profiles > Add > Add Profile. Select Apple macOS, and then select whether this profile will apply to only the enrollment user on the device (User Profile), or the entire device (Device Profile).
  2. Configure the profile's General settings.
  3. Select the Managed Domains payload from the list.
  4. Enter Managed Emails Domains to specify which email addresses are corporate domains. For example: mdm.company.com. Emails sent to other domains are highlighted in the email application to indicate that the address is not part of the corporate domain.
  5. Select Save & Publish.

Configure a Messages Profile

You can create a Messages profile to pre-configure end user laptops to use a Jabber or AOL Instant Messenger (AIM) account. Accounts can be authenticated through SSL certificates or Kerberos. The ability to use Messages applies to User Profiles only.

Procedure

  1. Navigate to Resources > Profiles & Baselines > Profiles and select Add. Select Apple macOS, and then select User Profile to apply enrollment to the user's device.

  2. Configure the profile's General settings.

  3. Select the Messages payload.

  4. Configure Messages settings for Jabber, including:

    Settings Description
    Account Type Allow user to access either a Jabber or AIM account.
    Account Description Configure a brief description of the profile that indicates its purpose. This option appears if AIM is selected.
    Account Name Enter the name of the account.
    User Name Enter the user name for this account. Use lookup values (for example, {EnrollmentUser}) to pull data from the UEM console.
    Password Optionally enter the password required to authenticate the account. Leave it blank to prompt end users to enter their account password.
    Host Name Enter the name of the account server.
    Port Enter the number of the port assigned to the account.
    Use SSL Select this check box to enable Secure Socket Layer (SSL) usage for authentication.
    Use Kerberos v5 Select this check box to enable Kerberos v5 usage for authentication.
  5. Select Save & Publish when you are finished to push the profile to devices.

Configure a Mobility Profile

Mobility profiles allow configuration of portable home directories for network accounts, so users can log into the network even when they are not connected to the network.

With a mobility profile, you can also set home and preference sync settings to optionally sync the home folder with a central server.

  1. Navigate to Resources > Profiles & Baselines > Profiles and select Add. Select Apple macOS, and then select whether this profile will apply to only the enrollment user on the device (User Profile), or the entire device (Device Profile).

  2. Configure the profile's General settings.

  3. Select the Mobility payload.

  4. Using the Account Creation tab, set up the mobile account profile. When this account is set up, a local copy of the user's network home folder is created for use when they are not connected to the network.

    Settings Description
    Configure Mobile account Select to configure the account for the user to log into the network.
    Require Confirmation Select to send a confirmation message to the end user.
    Show "Don't ask me again" Select to allow end users to skip the confirmation message after the initial prompt to create the mobile account.
    Configure Home Using Choose either Network home and default sync settings or Local home template from the drop-down menu.
    Home folder location Choose on startup volume, or at path and enter the path on the user's computer where the home folder will reside, or let the user choose the location.
    Encrypt Contents with FileVault Select to encrypt contents with FileVault. If you choose to enable Encryption, select the following settings:
    Select the Require computer master password check box to require a master password.
    Select Restrict Size to restrict the size of the network home quota. Determine a Fixed Size with megabytes or a Percentage of the home network quota and the Size of the percentage.
    Delete mobile accounts Select to determine how and when to delete the account.
    Select the Delete mobile accounts check box to configure options for deleting the account.
    Choose After and select how many hours, days or weeks to delete the account after it expires. Setting the value to 0 causes the account to be deleted as soon as the computer is able to delete it.
    Select Delete only after successful sync to delete the device after it syncs with the central server.
  5. Choose the Rules tab to configure sync options:

    Setting: Description
    Preference Sync: Enable syncing for user preferences. Choose when to sync, which folders to sync, and which items do not need to be synced.
      Select the Merge with User Settings check box to add to or append the user's sync settings. If this is not selected, the user's settings are wiped when the new settings are applied.
    Home Sync: Enable syncing for desktop preferences. Choose when to sync, which folders to sync, and which items do not need to be synced and may be skipped.
      Select the Merge with User Settings check box to add to or append the user's sync settings. If this is not selected, the user's settings are wiped when the new settings are applied.
  6. Select Save & Publish to push the profile to the device.

Configure a Network Profile

A network profile allows devices to connect to corporate networks, even if they are hidden, encrypted, or password protected.

This is useful for end users who travel and use their own wireless network, and for end users in an office setting whose devices need to connect automatically to an on-site wireless network.

  1. Navigate to Resources > Profiles & Baselines > Profiles and select Add. Select Apple macOS, and then select whether the profile applies to only the enrollment user on the device (User Profile), or the entire device (Device Profile).

  2. Configure the profile's General settings.

  3. Select the Network payload.

  4. Choose to configure Wi-Fi or Ethernet settings.

    Setting: Description
    Network Interface: Select whether the network payload connects using Wi-Fi or Ethernet. If Ethernet is selected, multiple Ethernet interface payload types are available from the drop-down list.
      Payloads with 'active' in their name apply to Ethernet interfaces that are working at the time of profile installation. If no Ethernet interface is working, the First Active Ethernet interface type is configured with the highest service order priority.
      Payloads without 'active' in the name apply to Ethernet interfaces according to service order, regardless of whether the interface is working.
    Service Set Identifier: Enter the name of the network to which the device connects.
    Connectivity: Select the type of connectivity.
      Hidden – Allows a connection to a network that is not open or broadcasting.
      Auto-Join – Determines whether the device automatically connects to the network.
    Security Type: Select the encryption method used to connect to the wireless network.
    Use as login window configuration: Allows the user to authenticate to the network at login. This option appears when Wi-Fi is selected and the Security Type is Enterprise, and also when Ethernet is selected.
    Protocols: Select the protocols for network access. This option appears when Wi-Fi is selected and the Security Type is any of the Enterprise choices, and also when Ethernet is selected.
    Password: Enter the password required to join the Wi-Fi network.
  5. Configure Authentication settings that vary by protocol including but not limited to:

    Setting: Description
    Use as Login Window Configuration (Device Profiles only): Select this if any enterprise protocols were selected for the network. Allows authentication with the target machine's directory credentials.
    Username: Enter the username for the account.
    Use Per-Connection Password: Request the password during the connection and send it with the authentication.
    Password: Enter the password for the connection.
    Identity Certificate: Select the certificate for authentication.
    TLS Minimum Version: Select the minimum TLS version: 1.0, 1.1, or 1.2. If no value is selected, the minimum TLS version defaults to 1.0.
      Note: Minimum and maximum TLS versions can be configured only for the TLS, TTLS, EAP-FAST, and PEAP protocol types.
    TLS Maximum Version: Select the maximum TLS version: 1.0, 1.1, or 1.2. If no value is selected, the maximum TLS version defaults to 1.2.
    Inner identity: Select the inner identification method.
    Outer identity: Select the external authentication method.
  6. Enter the name(s) of server certificates.

  7. Select Allow Trust Exceptions to enable the end user to make trust decisions.

  8. Configure Proxy settings for either Manual or Auto proxy types.

  9. Select Save & Publish when you are finished to push the profile to devices.

Configure a Notification Settings Profile

  1. Navigate to Resources > Profiles & Baselines > Profiles and select Add. Select Apple macOS, and then select whether this profile will apply to only the enrollment user on the device (User Profile), or the entire device (Device Profile).

  2. Configure the profile's General settings.

  3. Select the Notification Settings payload.

  4. Configure Notification Settings settings, including:

    Setting: Description
    Bundle Identifier: Specify the bundle identifier of the app.
    Allow notifications: Specify whether notifications are allowed for this app.
    Show in Notification Center: Specify whether notifications show in the Notification Center on the device.
    Show in lock screen: Specify whether notifications show when the device is locked.
    Allow badging: Specify whether badges are enabled on the app icon.
    Allow sounds: Specify whether sounds are enabled for app notifications.
    Allow critical alert notifications: Allows the app to mark a notification as critical and bypass "Do Not Disturb" settings.
    Alert Type: The type of alert for this app's notifications:
      None
      Temporary Banner
      Persistent Banner
  5. Select Save & Publish when you are finished to push the profile to devices.

Configure an NSExtension Profile

Use this profile to specify the bundle IDs of extensions that are allowed and not allowed to run on the system.

  1. Navigate to Resources > Profiles & Baselines > Profiles and select Add. Select Apple macOS, and then select Device Profile.

  2. Select the NSExtension payload and click ADD.

    Setting: Description
    Allowed extension: Specify any bundle IDs of extensions that are allowed to run on the system.
    Denied extensions: Specify any bundle IDs of extensions that are not allowed to run on the system.
    Denied extension endpoints: Specify any extension points of extensions that are not allowed to run on the system.

Configure a Parental Controls Profile

A parental control profile manages settings that limit profanity, denylist or allowlist specific URLs, time allowances and curfews.

Procedure

  1. Navigate to Resources > Profiles & Baselines > Profiles and select Add. Select Apple macOS, and then select whether this profile will apply to only the enrollment user on the device User Profile, or the entire device Device Profile.

  2. Configure the profile's General settings.

  3. Select the Parental Controls payload.

  4. Configure Content Filter settings, including:

    Setting: Description
    Enable use of Dictation: Select this check box to allow the user access to the Dictation feature.
    Hide Profanity in Dictionary and Dictation: Select this check box to remove profane terminology.
    Limit Access To Websites By: Select this check box to enable web restrictions. Then, select the applicable radio button for your desired restriction and add denylisted and allowlisted URLs as needed.
  5. Configure Time Limits settings:

    Setting: Description
    Enforce Limit: Select this check box to enable time limit restrictions.
    Allowances: Select the applicable check boxes to set allowed device usage for weekdays or weekends, and use the drop-down menus to specify time limits for daily device usage.
    Curfews: Select the applicable check boxes to prevent the end user from accessing the device during weekdays or weekends, and use the drop-down menus to set the specific time frames when device usage is not allowed.
  6. Select Save & Publish when you are finished to push the profile to devices.

Configure a Passcode Profile

Device passcode profiles secure macOS devices and their content. Choose strict options for high-profile employees, and more flexible options for other devices or for those that are part of a BYOD program.

If multiple profiles enforce separate policies on a single device, the most restrictive policy is enforced. If your password policy is being managed by your directory for network users logging into the devices, Workspace ONE UEM does not recommend a passcode policy.

  1. Navigate to Resources > Profiles & Baselines > Profiles and select Add. Select Apple macOS, and then select whether this profile will apply to only the enrollment user on the device (User Profile), or the entire device (Device Profile).

  2. Configure the profile's General settings.

  3. Select the Passcode payload.

  4. Configure Passcode settings:

    Setting: Description
    Require passcode on device: Enable mandatory passcode protection.
    Allow simple value: Allow the end user to apply a simple numeric passcode.
    Require Alphanumeric Value: Restrict the end user from using spaces or non-alphanumeric characters in their passcode.
    Minimum Passcode Length: Select the minimum number of characters required in the passcode.
    Minimum Number of Complex Characters: The minimum number of complex characters that a passcode must contain. A complex character is a character other than a number or a letter, such as & % $ #.
    Maximum Passcode Age (days): Select the maximum number of days the passcode can be active.
    Auto-lock (min): Select the amount of time the device can be idle before the screen is locked automatically.
    Maximum Grace Period: The maximum grace period, in minutes, to unlock the device without entering a passcode.
    Passcode History: Enter the number of passwords to store in order to prevent end users from recycling passwords.
    Maximum Number of Failed Attempts: Select the number of failed attempts allowed. If the end user enters an incorrect passcode the set number of times, the device locks.
  5. Select Save & Publish when you are finished to push the profile to devices.

    End users are only prompted to change their password if the Workspace ONE Intelligent Hub is installed and the Enforce Passcode check box is selected in the Workspace ONE Intelligent Hub settings in the UEM console. For more information about configuring the Workspace ONE Intelligent Hub, see the Apps for macOS Devices section.
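The rule above, that the most restrictive policy wins when several Passcode profiles reach one device, can be made concrete. The Python below is an added example, not Workspace ONE UEM code: it merges passcode payloads key by key using the key names of Apple's com.apple.mobiledevice.passwordpolicy payload, and checks a candidate passcode against the merged minimum length and complex-character count using the page's definition of a complex character; the sample policies in main are constructed.

```python
# Direction in which two values for the same key are reconciled: max keeps the
# larger (stricter) value, min keeps the smaller one. A key absent from a
# payload imposes no limit, so only present values take part in the merge.
NUMERIC_KEYS = {
    "minLength": max,          # Minimum Passcode Length
    "minComplexChars": max,    # Minimum Number of Complex Characters
    "pinHistory": max,         # Passcode History
    "maxPINAgeInDays": min,    # Maximum Passcode Age (days)
    "maxInactivity": min,      # Auto-lock (min)
    "maxGracePeriod": min,     # Maximum Grace Period (0 means immediately)
    "maxFailedAttempts": min,  # Maximum Number of Failed Attempts
}
# Boolean keys where True is the stricter choice ...
TRUE_IS_STRICTER = {"forcePIN", "requireAlphanumeric"}
# ... and where False is the stricter choice (Allow simple value).
FALSE_IS_STRICTER = {"allowSimple"}


def merge_passcode_policies(policies):
    """Return the effective policy when every payload in `policies` applies."""
    effective = {}
    for policy in policies:
        for key, value in policy.items():
            if key in NUMERIC_KEYS:
                pick = NUMERIC_KEYS[key]
                effective[key] = pick(effective[key], value) if key in effective else value
            elif key in TRUE_IS_STRICTER:
                effective[key] = effective.get(key, False) or value
            elif key in FALSE_IS_STRICTER:
                effective[key] = effective.get(key, True) and value
            else:
                raise KeyError("unknown passcode policy key: %s" % key)
    return effective


def passcode_violations(passcode, policy):
    """List the policy keys a candidate passcode fails. A complex character is,
    as the table above defines it, anything that is not a letter or a digit."""
    violations = []
    if len(passcode) < policy.get("minLength", 0):
        violations.append("minLength")
    complex_chars = sum(1 for c in passcode if not c.isalnum())
    if complex_chars < policy.get("minComplexChars", 0):
        violations.append("minComplexChars")
    return violations


if __name__ == "__main__":
    # Constructed sample: a lenient device-level policy and a stricter
    # user-level policy assigned to the same Mac.
    device_policy = {"forcePIN": True, "minLength": 8, "maxPINAgeInDays": 90,
                     "allowSimple": True, "maxFailedAttempts": 10}
    user_policy = {"minLength": 12, "maxPINAgeInDays": 60, "allowSimple": False,
                   "maxInactivity": 5, "minComplexChars": 1}
    effective = merge_passcode_policies([device_policy, user_policy])
    print("effective policy:", effective)
    for candidate in ("abcdefgh", "abcdefgh1234#"):
        print(candidate, "->", passcode_violations(candidate, effective) or "ok")
```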

Configure a Printing Profile

By creating a Printing profile you can tell devices which default printer to use and set printer access and footer options.

  1. Navigate to Resources > Profiles & Baselines > Profiles and select Add. Select Apple macOS, and then select whether this profile will apply to only the enrollment user on the device (User Profile), or the entire device (Device Profile).

  2. Configure the profile's General settings.

  3. Select the Printing payload.

  4. Select Add Printer. An Add Printer window appears.

  5. Configure the Printer settings including:

    Setting: Description
    Name: Enter the name of the printer to add.
    Printer address: Enter the printer address.
    Location: Specify the friendly location name.
    Model/Driver: Choose the printer type. Set Model/Driver to Custom if the printer does not support generic drivers for macOS devices. If using a custom driver, the driver text must be the exact name, which can be found by locating the configured printer on the computer and copying the Kind listed under the printer description.
    Lock printer settings: Force the user to enter an admin password to access the printer settings.
    Advanced: Unlock the PPD file location field and enter the location.
    Default Printer: Select a printer to be the default printer.
    Allow user to modify printer list: Enable end users to modify printers on the device.
    Allow printers to connect directly to the device: Enable printers to connect automatically. If checked, you can also require an admin passcode.
    Only show managed printers: Allow end users to view a list of the managed printers available to the device.
    Print page footer: Select this to auto-populate the footer with user information and the time of printing.
    Include macOS Address: Add a macOS address to the footer to show the location of the pages that print, and specify the font name and size of the footer.
    Font Name: Specify the font name.
    Font Size: Specify the font size of the footer.
  6. Select Save & Publish when you are finished to push the profile to devices.

Configure a Privacy Preferences Profile

With the release of macOS Catalina 10.15, Apple added a few more security enhancements around user data protection and privacy. With these enhancements, macOS prompts the user for consent before an application or process can access specific data. If users do not consent to the data access, the applications and processes might fail to function.

The Privacy Preferences profile allows you to manage data access consent on behalf of the user on macOS 10.14 and later devices. Through the Privacy Preferences profile, you can allow or disallow an application's request to access various macOS services. For example, if an application requests access to the user's Calendar data, you can allow or deny the request.

Note:

The profile can only be delivered to devices that are User Approved MDM Enrolled and running macOS 10.14 or later. The profile must not be installed on devices before they are upgraded; otherwise the settings cannot apply. Create a Smart Group for macOS 10.14 and later devices and assign the profile to it, so that devices automatically pick up the profile on upgrade.

From macOS 11 and later, a new authorization key AllowStandardUserToSetSystemService is used in the following services:

  • Listen Event
  • Screen Capture

This key permits Standard Users on macOS to change permissions for apps using these services.

  1. Navigate to Resources > Profiles & Baselines> Profiles and select Add. Select Apple macOS, and then select Device Profile.

  2. Configure the profile's General settings.

  3. Select the Privacy Preferences payload.

  4. Select Add App to define the application or the process and configure the following settings.

    Setting: Description
    Identifier: Enter the bundle ID or installation path of the application or process.
    Identifier Type: Select the identifier type, either Bundle ID or Path. Application bundles are identified by bundle ID. Non-bundled applications are identified by installation path. Helper tools embedded within an application bundle automatically inherit the permissions of their enclosing application bundle.
    Code Requirement: Enter the designated requirement displayed by running the following command:
      codesign --display -r - /path/to/app/binary
    Static Code Validation: If enabled, the code requirement of the process or application is validated statically. Enable this only if the process invalidates its dynamic code signature.
    Comment: Enter notes for your own use. This is not used by macOS.
    Services: The following services offered by Apple can be pre-configured in this profile. If there are conflicting configurations, the most restrictive setting (deny) is used.
      Address Book: Allow or disallow access to the contact information managed by Contacts.app.
      Calendar: Allow or disallow access to the calendar information managed by Calendar.app.
      Reminders: Allow or disallow access to the reminders information managed by Reminders.app.
      Photos: Allow or disallow access to the pictures managed by Photos.app (~/Pictures/.photoslibrary).
      Camera: Access to the camera cannot be granted in a profile; it can only be denied.
      Microphone: Access to the microphone cannot be granted in a profile; it can only be denied.
      Accessibility: Allow or disallow control of the application through the Accessibility subsystem.
      Post Event: Allow or disallow the application to use the CoreGraphics APIs to send CG Events to the system event stream.
      System Policy All Files: Allow or disallow the application access to all protected files.
      System Policy Sys Admin Files: Allow or disallow the application access to some files used in system administration.
      File Provider Presence (macOS 10.15): Allows the application to access documents and directories that are stored and managed by another application's File Provider extension.
      Listen Event (macOS 10.15): Disallow the application from monitoring events from input devices such as the mouse, keyboard, and trackpad. Allows a standard user to set the system service (macOS 11+).
      Media Library (macOS 10.15): Access to the user's collection of images, audio, and video from various media sources, such as iTunes or Aperture.
      Screen Capture (macOS 10.15): Disallow the application from accessing screen capture and recording. Allows a standard user to set the system service (macOS 11+).
      Speech Recognition (macOS 10.15): Allows the application to use speech recognition capabilities.
      System Policy Desktop Folder (macOS 10.15): Allows the application to access files on the Desktop.
      System Policy Documents Folder (macOS 10.15): Allows the application to access files in the Documents folder.
      System Policy Downloads Folder (macOS 10.15): Allows the application to access files in the Downloads folder.
      System Policy Network Volumes (macOS 10.15): Allows the application to access files on network volumes.
      System Policy Removable Volumes (macOS 10.15): Allows the application to access files on removable volumes.
      Apple Events: Allow or disallow the application to send a restricted Apple event to another process. You can add multiple Apple events for an application.
    Receiver Identifier: Enter the identifier of the process or application receiving an Apple Event sent by the Identifier process. It is required only for the Apple Events service and is not valid for other services.
    Receiver Identifier Type: Enter the type of the Apple Event receiver identifier. Must be either bundleID or path. It is required only for the Apple Events service and is not valid for other services.
    Receiver Code Requirement: Enter the code requirement of the receiving application. It is required only for the Apple Events service and is not valid for other services.
      Note: The Receiver Code Requirement is found using the same method as the Code Requirement for the app or service you are defining in the profile.
  5. Select Save.

  6. Navigate back to the Privacy Preferences payload's default page to view the list of applications holding the payload policies.
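The settings above map onto the keys of Apple's Privacy Preferences Policy Control payload. The Python below is an added example, not Workspace ONE UEM or Apple code: it builds that payload from entries shaped like the table's rows, enforces the caveats the table states (camera and microphone can only be denied, AllowStandardUserToSetSystemService applies only to Listen Event and Screen Capture, receiver fields only for Apple Events) and resolves conflicting entries by letting deny win. The bundle IDs, code requirements and payload identifiers are constructed, and the Authorization/Allowed key handling is an assumption about how the two key generations coexist.

```python
import plistlib
import uuid

# Authorization values of the PPPC payload. The third is the macOS 11+ key
# described above and is valid only for Listen Event and Screen Capture.
AUTHORIZATIONS = {"Allow", "Deny", "AllowStandardUserToSetSystemService"}
STANDARD_USER_SERVICES = {"ListenEvent", "ScreenCapture"}
# Camera and microphone access can only be denied by profile, never granted.
DENY_ONLY_SERVICES = {"Camera", "Microphone"}
IDENTIFIER_TYPES = {"bundleID", "path"}


def make_service_entry(service, identifier, identifier_type, code_requirement,
                       authorization, static_code=False, comment="", receiver=None):
    """Build one entry for the Services dictionary of a PPPC payload.

    receiver is required for AppleEvents and invalid elsewhere: a dict with
    "identifier", "identifier_type" and "code_requirement" of the receiving app.
    """
    if identifier_type not in IDENTIFIER_TYPES:
        raise ValueError("IdentifierType must be bundleID or path")
    if authorization not in AUTHORIZATIONS:
        raise ValueError("unknown authorization: %s" % authorization)
    if service in DENY_ONLY_SERVICES and authorization != "Deny":
        raise ValueError("%s can only be denied in a profile" % service)
    if (authorization == "AllowStandardUserToSetSystemService"
            and service not in STANDARD_USER_SERVICES):
        raise ValueError("AllowStandardUserToSetSystemService is valid only for "
                         "ListenEvent and ScreenCapture")
    if (service == "AppleEvents") != (receiver is not None):
        raise ValueError("receiver fields are required for, and only for, AppleEvents")

    entry = {
        "Identifier": identifier,
        "IdentifierType": identifier_type,
        "CodeRequirement": code_requirement,  # from: codesign --display -r - <binary>
        "StaticCode": static_code,
        "Comment": comment,
        "Authorization": authorization,       # read by macOS 11 and later
    }
    if authorization != "AllowStandardUserToSetSystemService":
        # Assumption: older (10.14/10.15) devices read only the boolean Allowed key.
        entry["Allowed"] = authorization == "Allow"
    if service == "AppleEvents":
        if receiver["identifier_type"] not in IDENTIFIER_TYPES:
            raise ValueError("AEReceiverIdentifierType must be bundleID or path")
        entry["AEReceiverIdentifier"] = receiver["identifier"]
        entry["AEReceiverIdentifierType"] = receiver["identifier_type"]
        entry["AEReceiverCodeRequirement"] = receiver["code_requirement"]
    return entry


def effective_authorization(entries):
    """Resolve conflicting entries for one identifier and service the way the
    text above says macOS does: the most restrictive setting, Deny, wins."""
    auths = {e["Authorization"] for e in entries}
    if "Deny" in auths:
        return "Deny"
    if len(auths) != 1:
        raise ValueError("ambiguous authorizations: %s" % sorted(auths))
    return auths.pop()


def build_pppc_profile(entries, display_name="PPPC policy (constructed example)"):
    """Group (service, entry) pairs by service and wrap them in a profile dict."""
    services = {}
    for service, entry in entries:
        services.setdefault(service, []).append(entry)
    payload = {
        "PayloadType": "com.apple.TCC.configuration-profile-policy",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.pppc.payload",  # hypothetical identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "Services": services,
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",  # a device profile, as step 1 above requires
        "PayloadIdentifier": "com.example.pppc",  # hypothetical identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadContent": [payload],
    }


def to_plist(profile):
    """Serialise the profile to the XML plist text stored in a .mobileconfig."""
    return plistlib.dumps(profile).decode("utf-8")


if __name__ == "__main__":
    # Constructed sample: a backup agent that needs all-files access and must
    # never use the microphone, plus an Apple Event rule targeting System Events.
    req = 'identifier "com.example.agent" and anchor apple generic'
    entries = [
        ("SystemPolicyAllFiles", make_service_entry(
            "SystemPolicyAllFiles", "com.example.agent", "bundleID", req, "Allow")),
        ("Microphone", make_service_entry(
            "Microphone", "com.example.agent", "bundleID", req, "Deny")),
        ("AppleEvents", make_service_entry(
            "AppleEvents", "com.example.agent", "bundleID", req, "Allow",
            receiver={"identifier": "com.apple.systemevents", "identifier_type": "bundleID",
                      "code_requirement": 'identifier "com.apple.systemevents" and anchor apple'})),
    ]
    print(to_plist(build_pppc_profile(entries)))
```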

Configure a Proxies Profile

Direct traffic through a designated proxy server for Wi-Fi connections.

Choose from multiple proxy connections to route traffic properly depending on your organization's needs, and add proxy exceptions as needed.

  1. Navigate to Resources > Profiles & Baselines > Profiles and select Add. Select Apple macOS, and then select whether this profile will apply only to the enrollment user on the device (User Profile), or to the entire device (Device Profile).

  2. Configure the profile's General settings.

  3. Select the Proxies payload from the list.

  4. Choose Network Proxies for systems running macOS 10.11, or choose Global HTTP Proxy for legacy support on systems running macOS 10.9 and 10.10.

    1. For Network Proxy settings, choose:

      Setting: Description
      Auto Proxy Configuration: Choose this and enter the Proxy PAC File URL to configure the device automatically from the PAC file settings.
      Web Proxy (HTTP): Choose to enable this and enter the Host Name and, optionally, the Port used to communicate with the proxy. This tells the device to use this proxy for all HTTP traffic.
      Secure Web Proxy (HTTPS): Choose to enable this and enter the Host Name and, optionally, the Port used to communicate with the proxy. This tells the device to use this proxy for all HTTPS traffic.
      FTP Proxy: Choose to enable this and enter the Host Name and, optionally, the Port used to communicate with the proxy. This tells the device to use this proxy for all FTP traffic.
      SOCKS Proxy: Choose to enable this and enter the Host Name and, optionally, the Port used to communicate with the proxy. This proxy relays TCP connections on behalf of the device.
      Streaming Proxy: Choose to enable this and enter the Host Name and, optionally, the Port used to communicate with the proxy. This proxy is configured using RTSP, if needed for applications such as AirPlay.
      Gopher Proxy: Choose to enable this and enter the Host Name and, optionally, the Port used to communicate with the proxy. A Gopher proxy enables Gopher-based content.
    2. For Global HTTP Proxy settings, choose:

      Setting: Description
      Proxy Type: Select the type of proxy. Select Manual for proxies that require authentication, or Auto to specify a Proxy PAC URL.
      Proxy PAC File URL: Required only if the proxy type is Auto. This option appears when Auto is selected.
      Proxy Server: Enter the URL of the proxy server. This is required if you selected Manual as the proxy type. This option appears when Manual is selected.
      Proxy Server Port: Enter the port used to communicate with the proxy. This is required if you selected Manual as the proxy type. This option appears when Manual is selected.
      Proxy Username/Password: If the proxy requires credentials, you can use lookup values to define the authentication method. This is required if you selected Manual as the proxy type. This option appears when Manual is selected.
  5. Enter Proxy Exceptions as needed.

  6. Activate or deactivate Passive FTP Mode (PASV).

  7. Select Save & Publish when you are finished to push the profile to devices.

Configure a Restrictions Profile

Use restrictions to secure the native functionality of macOS devices, protect corporate information, and enforce data-loss prevention. Restriction profiles limit how employees can use their macOS devices and provide the control needed to lock down a device effectively if necessary.

Note: The following tabs are deprecated in newer versions of macOS:

  • Configure Widgets (deprecated in macOS 10.15)
  • Configure Media (deprecated in macOS 11)
  • Configure Sharing (deprecated in macOS 10.12)

  1. Navigate to Resources > Profiles & Baselines > Profiles and select Add. Select Apple macOS, and then select User Profile or Device Profile to apply the profile only to the device's enrollment user or to the entire device.

  2. Configure the profile's General settings.

  3. Select the Restrictions payload.

  4. Configure Preferences restrictions.

    Setting: Description
    Restrict System panes: Select to view and edit the System Preferences restriction options (such as Accessibility, App Store, Bluetooth, CDs and DVDs, Date & Time, Desktop & Screen Saver, Dictation & Speech, Displays, Dock, Energy Saver, Extensions, Fibre Channel, Flash Player, iCloud, Ink, Internet Accounts, Keyboard, Language & Region, Mission Control, MobileMe, Mouse, Network, Notifications, Parental Controls, Printers & Scanners, Profiles, Security & Privacy, Sharing, Software Update, Sound, Spotlight, Startup Disk, Time Machine, Trackpad, Users and Groups, and Xsan).
    Enable selected items: Select to restrict the functionality. Then, make restriction selections for the available items.
    Disable selected items: Select to allow the preferences. Then, make the selections for the available items.
  5. Configure Application restrictions

    Setting: Description
    Game Center: Select the option to restrict or allow the use of Game Center.
    Safari: Restrict or allow the use of AutoFill in Safari, to prevent autofilling web forms, storing login information, or using iCloud Keychain details.
    App Store: Restrict or allow the use of the App Store to install updates, App Store adoption, and the use of passwords. When Restrict App Store to Software Updates is enabled, third-party app updates from the App Store are prevented.
    Apple Music: To permit users to stream music from Apple Music to their devices, select Allow Music Service.
    Launch Restrictions: Choose to restrict applications from launching. Use the Add buttons to specify allowed applications, allowed folders, and disallowed folders. Note: Use the absolute path of the application for the restriction to work. A relative path (with the ~ symbol) does not work.
  6. Configure Widgets.

    Setting: Description
    Allow only configured widgets: Select to allow widgets. To specify the allowed device widgets, click the Add button.
  7. Configure Media restrictions.

    Setting: Description
    Network Access: Allow or restrict network access for AirDrop.
    Hard Disk Media Access: Determine which media formats are allowed, and whether to require authentication and read-only access for the end user. You can also force media to auto-eject at log out.
  8. Configure Sharing restrictions.

    Setting: Description
    Restrict which sharing services are enabled: Select which Sharing services, such as AirDrop, Facebook, and Twitter, are enabled on the device. You can also select the Automatically enable new sharing services check box as a restriction.
  9. Configure Functionality restrictions.

    Setting: Description
    Lock desktop picture: Select to prevent changing the desktop picture.
    Desktop picture path: Enter the path for the desktop picture. Leaving the path blank locks the current desktop picture and prevents it from being changed.
    Allow screen capture: Restrict or allow capturing screen recordings and saving screenshots of the display. Restricting it also prevents the Classroom application from observing remote screens.
    Allow Remote Screen Observation: Restrict whether to allow screen observation by the Classroom app. Only available if Allow screen capture is enabled.
    Camera - Allow Use of Built-in Camera: Restrict or allow the use of the built-in camera. When restricted, no application, whether native or enterprise, can access the camera.
    Allow Universal Control: Specify whether to allow the user to enable Universal Control to extend the keyboard and pointer to multiple devices.
    iCloud: Restrict or allow the use of the iCloud functions:
      Allow iCloud documents and data
      Allow use of iCloud password for local accounts
      Allow backup to My macOS iCloud service
      Allow Find My Mac iCloud service
      Allow iCloud Bookmark sync
      Allow iCloud Mail services
      Allow iCloud Calendar services
      Allow iCloud Reminder services
      Allow iCloud Address Book services
      Allow iCloud Notes services
      Allow iCloud Keychain sync
      Allow iCloud Desktop & Documents Services
    Continuity - Allow Handoff: Restrict or allow users to use Handoff when switching between multiple devices that are all signed in with the same Apple iCloud account (macOS 10.15 and later).
    Content Caching - Allow Content Caching: Select to allow end users to enable Content Caching on their devices (macOS 10.13 and later).
    Spotlight - Allow Spotlight Suggestions: Restrict or allow the use of Spotlight Suggestions when searching with Spotlight.
    AirPrint: Restrict or allow the use of the AirPrint functions:
      Force AirPrint to use trusted certificates for TLS printing communication (macOS 10.13 and higher).
      Allow iBeacon discovery of AirPrint printers. Enabling iBeacon discovery prevents spurious AirPrint Bluetooth beacons from phishing for network traffic (macOS 10.13 and higher).
    Passwords: Restrict autofilling of passwords on the devices and sharing of Wi-Fi passwords with nearby devices.
    Allow Configuration Profiles and Certificate Installation: Specify whether to allow the user to manually install configuration profiles and certificates.
    Allow Rapid Response Security Updates: Specify whether to allow the installation of Rapid Response Security Updates. If disabled, these updates are blocked.
    Allow Removal of Rapid Response Security Updates: Specify whether to allow the user to manually remove Rapid Response Security Updates.
    Allow new USB devices to connect: Specify whether to allow new USB devices to connect without authorization.
    Allow Erase All Contents and Settings (macOS 10.14.4, Supervised): If enabled, allows the Erase All Content And Settings option in the Reset UI.
    Force unprompted screen observation for managed classes (macOS 10.14.4, Supervised): If enabled, a student enrolled in a managed course with the Classroom app automatically grants a teacher's request to observe the student's screen.
    Allow unprompted app and device lock in unmanaged classes (macOS 10.14.4, Supervised): Enable this option to allow the teacher to lock apps or the device without prompting the student.
    Allow automatic joining of unmanaged classes (macOS 10.14.4, Supervised): If enabled, a teacher's requests are automatically granted without prompting the student.
    Force students to request permission to leave unmanaged classes (macOS 10.14.4, Supervised): If enabled, a student enrolled in an unmanaged course through the Classroom app must request permission from the teacher when attempting to leave the course.
  10. To push the profile to the devices, select Save & Publish. The addition or removal of some Restrictions profile payloads might not take effect until the target application or utility is restarted on the device.

Configure a Security and Privacy Settings Profile

The security and privacy settings profile lets you configure Apple's Gatekeeper functionality settings, which are used for secure application downloads. Gatekeeper also controls specific settings related to user passwords.

Procedure

  1. Navigate to Resources > Profiles & Baselines > Profiles and select Add. Select Apple macOS, and then select whether this profile will apply to only the enrollment user on the device User Profile, or the entire device Device Profile.

  2. Configure the profile's General settings.

  3. Select the Security and Privacy payload.

  4. Choose locations from which apps may be downloaded.

  5. Configure OS Updates settings to force a delay in OS updates, so that updates are not visible to end users for a specified number of days.

    Setting: Description
    Delay Updates (Days): Available if minor or non-OS update delays are enabled. Prior to macOS 11.3, this key specifies the deferral length of both types of updates.
    Delay major OS updates: Specify whether to delay the availability of major macOS updates (for example, macOS 11 to macOS 12). You can delay up to 90 days.
    Delay minor OS updates: Specify whether to delay the availability of minor macOS updates (for example, macOS 12.3 to macOS 12.3.1). You can delay up to 90 days.
    Delay non-OS updates: Specify whether to delay the availability of any non-OS updates. You can delay up to 90 days.
  6. Configure Gatekeeper settings.

    Setting: Description
    Gatekeeper: Choose to restrict which types of applications may be downloaded. The available options are:
      Mac App Store
      Mac App Store and identified developers
      Anywhere
    Do not allow user to override Gatekeeper setting: Select to prevent the user from modifying the Gatekeeper settings.
  7. Configure Security settings.

    Setting: Description
    Apple Watch to Unlock: Select to allow an Apple Watch to unlock a paired macOS device (macOS 10.12 and higher).
    Touch ID to Unlock: Select to allow Touch ID to unlock a macOS device (macOS 10.12.4 and higher).
    Allow user to change Password: Select to allow end users to change their passwords (macOS 10.9+).
    Require password after sleep or screensaver begins: Select to require a password after sleep or the screen saver begins. Set the grace period to determine when the password must be entered.
    Allow user to set lock message: Select to allow end users to set a lock message on their devices (macOS 10.9+).
  8. Configure Privacy settings to automatically send diagnostic and usage data to Apple.

  9. Select Save & Publish when you are finished to push the profile to devices.

Configure Skip Setup Assistant Profile

Use a Skip Setup Assistant profile to skip Setup Assistant screens on the device after an OS update.

  1. Navigate to Resources > Profiles & Baselines > Profiles and select Add. Select Apple macOS, and then select Device Profile.

  2. Select the Skip Setup Assistant payload and click ADD.

    Choose Your Look – Skips the Choose Your Look window.
    Apple ID Setup – Skips the Apple ID setup window.
    iCloud Storage – Skips the iCloud Storage window.
    Privacy – Skips the Privacy consent window.
    Screen Time – Skips the Screen Time window.
    Siri – Skips the Siri setup window.
    Touch ID – Skips the Touch ID setup window.
    True Tone – Skips the True Tone Display window.
    Unlock with Watch – Skips the "Unlock with Watch" screen.
    Accessibility – Skips the "Accessibility" screen.

Configure a Smart Card Profile

The Smart Card profile controls the restrictions and settings for the Smart card pairing on macOS 10.12.4 and later devices.

Procedure

  1. Navigate to Resources > Profiles & Baselines > Profiles and select Add Profile. Select Apple macOS, and then select the type of profile to apply, either to the enrollment user on the device (User Profile) or to the entire device (Device Profile).

  2. Configure the profile's General settings.

  3. Select the SmartCard payload from the list.

  4. Configure the Smart Card settings:

    Allow Smart Card authentication – Activate the option to use the Smart Card for logins, authorizations, and screensaver unlocking. If deactivated, the Smart Card cannot be used for logins, authorizations, or screensaver unlocking, but can still be used for signing emails and web access. After assigning the profile, the user must restart the device for the change in settings to take effect.
    Require Smart Card for all authentication – Enable the option to allow the user to log in or authenticate only with a Smart Card.
    Show user pairing dialog – Enable the option to allow the user to view the pairing dialog box to add new Smart Cards. If deactivated, the user cannot view the pairing dialog box, although existing pairings still work.
    Restrict one card per user – Enable the option to allow the user to pair with only one Smart Card, although existing pairings are allowed if already set up.
    Certificate trust check validation – By default, the additional revocation check is deactivated. If enabled, the standard certificate trust validity check is performed together with the additional revocation check. The available additional revocation check types are:
      Soft – The certificate trust check is turned on with a soft revocation check. The certificate is considered valid until the CRL/OCSP explicitly rejects it. A soft revocation check means that an unavailable or unreachable CRL/OCSP allows the check to succeed.
      Hard – The certificate trust check is turned on with a hard revocation check. The certificate is considered invalid unless the CRL/OCSP explicitly says it is OK. The hard revocation check is the most secure option.
    Screen saver on Smart Card removal – Enable the option to activate the screen saver on Smart Card removal.

Configure a Software Update Profile

A software update profile allows you to specify the update server that will be tied to the device for all versioning and update control.

Use this profile to connect to a macOS server with the Workspace ONE Intelligent Hub and configure schedules that actively check for and perform updates much more frequently than the system does. If needed, connect to a corporate server to perform updates. Either way, this profile provides a simple solution for managing software updates, restart options, and update notifications for end users.

Note: The Software Update profile applies only minor software update patches, not major software updates.

  1. Navigate to Resources > Profiles & Baselines > Profiles and select Add. Select Apple macOS, and then select Device Profile, since this profile is only applicable to the entire device.

  2. Configure the profile's General settings.

  3. Select the Software Update payload.

  4. Configure Software Update settings:

    Update Source – Choose a server to configure communication with the client computers' .plist. If choosing Corporate SUS, enter the hostname of the server (for example, http://server.net:8088/index.sucatalog).
      Note: Corporate SUS has been deprecated in macOS 10.15.
    Install macOS updates – Select how and when to check for and control updates.
      Install Updates Automatically – Downloads and installs all updates; sends notifications to the end user.
      Download Updates in Background – Downloads the updates; sends notifications; the end user installs updates when ready.
      Check for updates only – Checks for updates and sends notifications to the end user; the user downloads and installs the updates.
      Don't Automatically Check for Updates – Turns off the ability to update software; monitors .plist settings to match the profile only.
    Choose Updates – Choose which updates to send to the computer.
      Choose All – Sends all updates, including Apple updates.
      Recommended only – Sends only security updates.
    Allow installation of macOS beta releases – Select this check box to allow beta releases on the server. This option may be best for testing environments only. This does not require the Workspace ONE Intelligent Hub.
    Install app updates – Select to allow app updates.
    Notify the user updates are installing – Send the end user notifications about receiving updates on the device.
    Schedule – Schedule updates with the Workspace ONE Intelligent Hub.
      Configure Update Interval – Choose how often to check for updates, in two-hour increments.
      Update a Specific Time – Choose specific days and times to check for updates. Choose times to control updates when there are concerns about use during peak business hours or bandwidth utilization.
    Force Restart (if required) – Automatically restart the computer if required to complete the software update. This setting has no effect on devices with Apple Silicon hardware.
      Grace Period – Choose to defer a reboot for a certain period of time. After this time expires, the computer automatically reboots.
      Note: Grace Period settings are also translated to the screensaver settings.
      Allow user to defer – Enable the user to choose to defer restarting the computer for a certain period of time.
      Defer time – Choose how often to prompt the user to restart the computer after a deferment. After each allowed deferment, a message appears prompting the user to restart the computer.
      Max number of defers – Choose how many times the user can defer restarting the computer before it is automatically restarted to complete the update process.
  5. Select Save & Publish when you are finished to push the profile to devices.

Configure an SSO Extension Profile

To enable single sign-on for native macOS apps and websites with various authentication methods, configure the SSO Extension profile with the Generic extension type. You can also use the new built-in Kerberos extension on macOS 10.15 to log users into native apps and sync local user passwords with the directory. With the SSO Extension profile, users do not have to provide their user name and password to access specific URLs. This profile is applicable only to macOS 10.15 and later devices.

On macOS 10.15, the SSO Extension profile is only available in Device context. Starting from macOS 11 Big Sur, admins can create either Device or User profile configuration based on their deployment needs. The support of User profile configuration is only available on macOS 11 or later.

  1. Navigate to Resources > Profiles & Baselines > Profiles and select Add. Select Apple iOS, and then select User Profile or Device Profile to apply the profile only to the device's enrollment user or to the entire device.

  2. Configure the profile's General settings.

  3. Select the SSO Extension payload.

  4. Configure the profile settings.

    Extension Type – Select the type of SSO extension for the application. If Generic is selected, provide the Bundle ID of the application extension that performs the SSO for the specified URLs in the Extension Identifier text box. If Kerberos is selected, provide the Active Directory Realm and Domains.
    Type – Select the type of SSO, either Credential or Redirect. Use challenge/response authentication for a Credential extension. Use OpenID Connect, OAuth, and SAML authentication for a Redirect extension.
    Team Identifier – Enter the Team Identifier of the application extension that performs the SSO for the specified URLs. The Team Identifier is required on macOS, and the value must be apple for the Kerberos extension.
    URLs – Enter one or more URL prefixes of identity providers where the application extension performs SSO. Required for Redirect payloads; ignored for Credential payloads. The URLs must begin with http:// or https://; the scheme and host name are matched case-insensitively; query parameters and URL fragments are not allowed; and the URLs of all installed Extensible SSO payloads must be unique.
    Additional Settings – Enter additional settings for the profile as XML, which is added to the ExtensionData node.
    Active Directory Realm – Appears only if Kerberos is selected as the Extension Type. Enter the name of the Kerberos realm, which is the realm name for Credential payloads. This value should be properly capitalized. The key is ignored for Redirect payloads. In an Active Directory forest, this is the realm where the user logs in.
    Domains – Enter the host names or domain names that can be authenticated through the application extension. Host and domain names are matched case-insensitively, and the host/domain names of all installed Extensible SSO payloads must be unique.
    Use Site Auto-Discovery – Enable the option to make the Kerberos extension automatically use LDAP and DNS to determine the Active Directory site name.
    Allow Automatic Login – Enable the option to allow passwords to be saved to the keychain.
    Require User Touch ID or Password – Enable the option to require the user to provide Touch ID, Face ID, or a passcode to access the keychain entry.
    Certificate – Select the certificate, included in the same MDM profile, to push down to the device.
    Allowed Bundle IDs – Enter a list of the application bundle IDs allowed to access the Kerberos Ticket Granting Ticket (TGT).
    Denied Bundle IDs (macOS 12) – Available when Extension Type is set to Generic. Specify the Bundle IDs of any apps that may not use the SSO provided by this extension.
    Screen Lock Behavior (macOS 12) – Available when Extension Type is set to Generic. If set to Cancel, authentication requests are cancelled while the screen is locked. If set to DoNotHandle, the request continues without SSO.
    Use as default realm – Available when Extension Type is set to Kerberos. If enabled, the configured realm is the default realm when there is more than one Kerberos extension configuration.
    Delay User Setup (macOS 11) – Available when Extension Type is set to Kerberos. If enabled, the user is not prompted to set up the Kerberos extension until either the administrator enables it with the app-sso tool or a Kerberos challenge is received.
    Credential use mode (macOS 11) – Defines how the credential is used. The available options are:
      Always – The extension credential is always used if the SPN matches the Kerberos Extension Hosts array. The credential is not used if the calling app is not in the allowed bundle IDs.
      When not specified – The credential is only used when another credential has not been specified by the caller and the SPN matches the Kerberos Extension Hosts array. The credential is not used if the calling app is not in the allowed bundle IDs.
      Default Kerberos – The default Kerberos process for selecting credentials is used, which normally uses the default Kerberos credential. This is the same as turning off this capability.
    Monitor credential cache (macOS 11) – Available when Extension Type is set to Kerberos. If disabled, the credential is requested on the next matching Kerberos challenge or network state change.
    Require TLS (macOS 11 and later) – Available when Extension Type is set to Kerberos. If enabled, LDAP connections require the use of TLS.
    Principal name (macOS 11 and later) – Available when Extension Type is set to Kerberos. The principal name (that is, the user name) to use. You do not need to include the realm.
    Custom Username Label – Available when Extension Type is set to Kerberos. The custom user name label used in the Kerberos extension instead of "Username". For example, this could be "Company ID".
    Help Text (macOS 11 and later) – Available when Extension Type is set to Kerberos. The text displayed to the user at the bottom of the Kerberos login window. It can be used to display help information or disclaimer text.
    Site Code – Available when Extension Type is set to Kerberos. The name of the Active Directory site the Kerberos extension should use. This value will likely not need modification, as the Kerberos extension can normally find the site automatically.
    Preferred KDCs – Available when Extension Type is set to Kerberos. The ordered list of preferred Key Distribution Centers to use for Kerberos traffic. Use this option if the servers are not discoverable through DNS. If the servers do not respond, the device falls back to DNS discovery. Each entry is formatted in the same way as it would be in a krb5.conf file.
    Allow Kerberos to use credential (macOS 12 and later) – Available when Extension Type is set to Kerberos. If enabled, the Kerberos extension allows the standard Kerberos utilities, including TicketViewer and klist, to access and use the credential.
    Require managed apps (macOS 12 and later) – Available when Extension Type is set to Kerberos. If enabled, the Kerberos extension allows only managed apps to access and use the credential.
    Password change URL (macOS 10.15 and later) – Available when Extension Type is set to Kerberos. The URL that launches in the user's default web browser when the user initiates a password change.
  5. Configure Password Settings when Kerberos is selected as the Extension type for the application.

    Allow Password Change – Activate or deactivate the option to have the password change.
    Sync Local Password – Activate or deactivate syncing of the local password. Password syncing does not work if the user is logged in with a mobile account on macOS devices.
    Match AD Password Complexity – Activate or deactivate the option for passwords to meet Active Directory's password complexity.
    Password Change Message – Provide the text for the password requirements to the user.
    Minimum Password Length (in characters) – Enter the minimum number of characters for a user's password.
    Password History Count (number of passwords) – Enter the number of prior passwords that cannot be reused on the domain.
    Password Minimum Age (in days) – Enter the minimum number of days before the user can change their password.
    Password Expire Notification (in days) – Enter the number of days before expiry at which the user is notified that their password will expire.
  6. Select Save and Publish.
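The URL, Team Identifier and uniqueness rules from the SSO Extension table above, as an added Python validator that is not Workspace ONE UEM code: it checks a constructed list of Extensible SSO payload dictionaries using Apple's com.apple.extensiblesso key names (ExtensionIdentifier, TeamIdentifier, Type, URLs, Hosts, Realm) and Apple's Kerberos extension identifier; the sample extension identifier, team ID, realm, hosts and URLs are constructed placeholders.

```python
"""Validate Extensible SSO payloads against the rules in the table above.
Added example, not Workspace ONE UEM code; key names follow Apple's
com.apple.extensiblesso payload, sample values are constructed."""
from urllib.parse import urlsplit

KERBEROS_EXTENSION = "com.apple.AppSSOKerberos.KerberosExtension"


def normalize_url(url: str) -> str:
    """Comparison key for a URL prefix: scheme and host are lower-cased
    (matched case-insensitively), the path is kept. Raises ValueError for
    the forms the page forbids."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"{url}: must begin with http:// or https://")
    if not parts.hostname:
        raise ValueError(f"{url}: missing host name")
    if parts.query or parts.fragment or url.endswith(("?", "#")):
        raise ValueError(f"{url}: query parameters and fragments are not allowed")
    return f"{parts.scheme}://{parts.netloc.lower()}{parts.path}"


def validate_payload(p: dict) -> list:
    """Single-payload checks; returns a list of error strings."""
    errors = []
    if p.get("Type") not in ("Credential", "Redirect"):
        errors.append("Type must be Credential or Redirect")
    if not p.get("TeamIdentifier"):
        errors.append("Team Identifier is required on macOS")
    if p.get("ExtensionIdentifier") == KERBEROS_EXTENSION:
        if p.get("TeamIdentifier") != "apple":
            errors.append("Team Identifier must be 'apple' for the Kerberos extension")
        if not p.get("Realm"):
            errors.append("Active Directory Realm is required for the Kerberos extension")
    if p.get("Type") == "Redirect":
        if not p.get("URLs"):
            errors.append("URLs are required for Redirect payloads")
        for url in p.get("URLs", []):
            try:
                normalize_url(url)
            except ValueError as exc:
                errors.append(str(exc))
    return errors


def validate_profiles(payloads: list) -> list:
    """Per-payload checks plus the cross-payload uniqueness rules for URLs
    and for host/domain names."""
    errors, seen_urls, seen_hosts = [], {}, {}
    for i, p in enumerate(payloads):
        errors += [f"payload {i}: {e}" for e in validate_payload(p)]
        for url in p.get("URLs", []):
            try:
                key = normalize_url(url)
            except ValueError:
                continue  # already reported by validate_payload
            if key in seen_urls:
                errors.append(f"payload {i}: URL {url} duplicates payload {seen_urls[key]}")
            seen_urls.setdefault(key, i)
        for host in p.get("Hosts", []):
            key = host.lower()  # host names are matched case-insensitively
            if key in seen_hosts:
                errors.append(f"payload {i}: host {host} duplicates payload {seen_hosts[key]}")
            seen_hosts.setdefault(key, i)
    return errors


# Constructed sample: a Kerberos credential payload plus a generic redirect
# payload with a case-variant duplicate URL and a forbidden query string.
SAMPLE_PAYLOADS = [
    {"ExtensionIdentifier": KERBEROS_EXTENSION, "TeamIdentifier": "apple",
     "Type": "Credential", "Realm": "CORP.EXAMPLE.COM",
     "Hosts": ["corp.example.com", ".corp.example.com"]},
    {"ExtensionIdentifier": "com.example.sso.extension",  # placeholder
     "TeamIdentifier": "ABCDE12345",  # placeholder team ID
     "Type": "Redirect",
     "URLs": ["https://login.example.com/", "HTTPS://LOGIN.EXAMPLE.COM/",
              "https://idp.example.com/auth?x=1"]},
]

if __name__ == "__main__":
    for problem in validate_profiles(SAMPLE_PAYLOADS):
        print(problem)
```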

Configure a System Extensions Profile

Use a System Extensions profile to explicitly allow applications and installers that use system extensions to load on your end users' devices. The profile controls restrictions and settings for loading System Extensions on a User Approved MDM enrolled device running macOS v10.15 and later.

The System Extensions framework allows an application to provide any of the following capabilities:

  • Network extensions (supported network extension apps such as content filters, DNS proxies, and VPN clients can be distributed as system extensions).
  • Endpoint security extensions (supported endpoint security clients such as Endpoint Detection and Response software and antivirus software).
  • Device driver extensions (supported drivers are those developed using the DriverKit framework for USB, Serial, NIC, and HID devices).

Procedure

  1. Navigate to Resources > Profiles & Baselines > Profiles and select Add. Select Apple macOS, and then select User Profile or Device Profile to apply the profile only to the device's enrollment user or to the entire device.

  2. Configure the profile's General settings.

  3. Select the System Extensions payload.

  4. If you want the users to approve additional extensions that are not specified in the profile, enable Allow User Overrides.

  5. Configure Allowed System Extension Types settings. Provide the Team Identifier of the application extension and allow all or any of the supported system extension types to load on the device. You can configure multiple System Extension types in the same way. The default top row with the Team Identifier '*' represents global settings. Settings for specific Team Identifiers take precedence over any settings applied to this row.

  6. Configure Allowed System Extensions by providing the Team Identifier or Bundle Identifier of the application extension. You can also configure multiple System Extensions.

  7. Configure any Removable System Extensions by providing the Team Identifier or Bundle Identifier of the application extension. You can also configure multiple System Extensions.

  8. Select Save and Publish.

Configure a Time Machine Profile

By creating a Time Machine profile you can specify a backup server location used to mount and back up the device.

Procedure

  1. Navigate to Resources >Profiles & Baselines > Profiles and select Add. Select Apple macOS, and then select Device Profile, since this profile is only applicable to the entire device.

  2. Configure the profile's General settings.

  3. Select the Time Machine payload.

  4. Configure Time Machine settings, including:

    Backup all volumes – Back up all volumes associated with the device. By default, only the startup volume is backed up.
    Backup system files and folders – Back up all system files and folders, which are skipped by default.
    Enable automatic backup – Back up the system automatically at determined intervals.
    Enable local snapshots (10.8+) – Configure local backup snapshots for when the device is not connected to the network.
    Backup size limit – Set the maximum size allowed for backing up the system. Enter 0 (zero) for unlimited.
    Paths to backup – Choose specific file paths to back up, in addition to the default startup volume.
    Paths to skip – Choose specific file paths on the startup volume to skip during backup.
  5. Select Save & Publish when you are finished to push the profile to devices.

    Once the profile is pushed to the device, the login user's network credentials are used to configure the system keychain for the backup volume defined in the profile. The backup volume will not mount using a local account because network credentials are required at login to authenticate the drive. After the system keychain is configured the first time, all backups from that computer will be associated with the original user's backup volume.

Configure a VPN Profile

Virtual private networks (VPNs) provide devices with a secure and encrypted tunnel to access internal resources. VPN profiles enable each device to function as if it were connected through the on-site network.

  1. Navigate to Resources > Profiles & Baselines > Profiles > Add. Select Apple macOS, and then select whether this profile will apply to only the enrollment user on the device (User Profile), or the entire device (Device Profile).

  2. Configure the profile's General settings.

  3. Select the VPN payload.

  4. Configure Connection settings.

    The following settings vary depending on the type of connection selected.

    Connection Name – Enter the name of the connection to be displayed on the device.
    Connection Type – Select one of the following network connection methods from the drop-down menu. For detailed information on each connection method, refer to the individual pages.
      L2TP (default connection)
      PPTP
      IPSec (Cisco) (applicable for VPN On Demand)
      F5 SSL (applicable for VPN On Demand)
      Custom SSL (applicable for VPN On Demand)
      F5 Access (applicable for VPN On Demand)
      Note: VPN on demand is the process of automatically establishing a VPN connection for specific domains. For increased security and ease of use, VPN on demand uses certificates for authentication instead of simple passcodes.
    Server – Enter the hostname or IP address of the server to connect to.
    Account – Enter the user account name for authenticating the VPN connection.
    Send All Traffic – Select this check box to force all traffic through the specified network.
    Per App VPN Rules – For macOS v10.9 devices, use Per-App VPN to choose which apps connect to which networks.
    Provider Type – Select the type of VPN service. If the VPN service type is an App Proxy, the VPN service tunnels traffic at the application level. If it is a Packet Tunnel, the VPN service tunnels traffic at the IP layer.
    Exclude Local Networks – Enable the option to route traffic for local networks outside the VPN.
    Include All Networks – Enable the option to route the traffic of all networks through the VPN.
    Connect Automatically – Select this check box to allow the VPN to connect automatically to chosen Safari domains.
    Enable Safari Domains – Enable this setting to set specific domains or hosts that open the secure VPN connection in the Safari browser. Add domains as needed.
      If you configure a VMware Tunnel Per-App Tunnel network traffic rule for the Safari app for macOS, Workspace ONE UEM deactivates this setting. The network traffic rules override any configured Safari Domain rules.
    Enable Mail Domains – Enable this setting to set specific domains or hosts that open the secure VPN connection in the Mail client. Add domains as needed.
    Enable Contact Domains – Enable this setting to set specific domains or hosts that open the secure VPN connection in Contacts. Add domains as needed.
    Enable Calendar Domains – Enable this setting to set specific domains or hosts that open the secure VPN connection in Calendar. Add domains as needed.
    App Mapping – Enable this setting to allow specific applications to open a secure VPN connection. Add the app bundle ID(s) of the applications allowed to open a secure VPN connection.
  5. Configure Authentication information.

    User Authentication – Select the radio button to indicate how to authenticate end users through the VPN, through either Password or RSA SecurID.
    Password – Enter the password for the VPN account.
    Machine Authentication – Select the type of machine authentication to authorize end users for VPN access.
    Identity Certificate – Enter the credentials to authorize end users for the VPN connection (if Certificate is selected as the machine authentication).
    Shared Secret – Select either Manual or Auto as the proxy type to configure with this VPN connection.
    Server – Enter the URL of the proxy server.
    Port – Enter the port used to communicate with the proxy.
    Username – Enter the user name to connect to the proxy server.
    Proxy Server Auto Config URL – Enter the proxy server auto-configuration URL.
    Provider Designated Requirement – Use this field only when the VPN provider is implemented as a system extension.
  6. Select Save & Publish when you are finished to push the profile to devices.

Configure a VPN Profile

VPN on demand is the process of automatically establishing a VPN connection for specific domains. For increased security and ease of use, VPN on demand uses certificates for authentication instead of simple passcodes.

  1. Ensure your certificate authority and certificate templates in the Workspace ONE UEM are properly configured for certificate distribution.

  2. Make your third-party VPN application of choice available to end users by pushing it to devices or recommending it in your enterprise App Catalog.

  3. Navigate to Resources > Profiles & Baselines > Profiles and select Add. Select Apple macOS, and then select whether this profile will apply to only the enrollment user on the device (User Profile), or the entire device (Device Profile).

  4. Configure the profile's General settings.

  5. Select the VPN payload and configure settings as outlined above.

  6. Specify the Connection Info for a connection type that supports certificate authentication: IPSec (Cisco), F5 SSL, SSL, or F5 Access.

    1. Server – Enter the hostname or IP address of the server for connection.

    2. Account – Enter the name of the VPN account.

  7. Authentication – Select a certificate to authenticate the device.

  8. Identity Certificate – Select the appropriate credentials.

  9. Include User PIN – Select this check box to ask the end user to enter a device PIN.

  10. Check the Enable VPN On Demand box. Add the Domains, and choose the On-Demand Action.

    1. Always Establish – Initiates a VPN connection regardless of whether the page can be accessed directly.
    2. Never Establish – Does not initiate a VPN connection for addresses that match the specified domain. However, if the VPN is already active, it may be used.
    3. Establish if Needed – Initiates a VPN connection only if the specified page cannot be reached directly.

    Important: For wildcard characters, do not use the asterisk (*) symbol. Instead, use a dot in front of the domain. For example, .air-watch.com.

  11. Select Save and Publish. After the profile installs on a user's device, a VPN connection prompt will automatically display whenever the user navigates to a site that requires it, such as SharePoint.
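The three On-Demand Actions and the leading-dot domain rule above, as an added Python example that is not Workspace ONE UEM or Apple code: it evaluates a constructed, ordered rule list for a host name, rejects the '*' wildcard the Important note warns against, and consults a caller-supplied reachability check for Establish if Needed. First-match-wins ordering and the leading dot also matching the bare domain are assumptions; the sample domains are constructed.

```python
"""Evaluate VPN On Demand domain rules from the procedure above.
Added example, not Workspace ONE UEM or Apple code. Rules are (domain, action)
pairs in configured order; the sample data below is constructed."""
ALWAYS = "Always Establish"
NEVER = "Never Establish"
IF_NEEDED = "Establish if Needed"


def validate_domain(domain: str) -> str:
    """Reject the '*' wildcard the page warns against; return the domain
    normalized to lower case."""
    if "*" in domain:
        raise ValueError(f"{domain}: use a leading dot (for example .air-watch.com) instead of '*'")
    if not domain.strip("."):
        raise ValueError("empty domain")
    return domain.lower()


def domain_matches(rule: str, host: str) -> bool:
    """A leading dot matches every subdomain (and, by assumption, the bare
    domain itself); anything else must match the host exactly."""
    rule, host = rule.lower(), host.lower().rstrip(".")
    if rule.startswith("."):
        suffix = rule.lstrip(".")
        return host == suffix or host.endswith("." + suffix)
    return host == rule


def should_connect(rules, host: str, reachable_directly) -> bool:
    """Return True when a VPN connection should be initiated for host.
    The first matching rule decides (assumption); reachable_directly is a
    callable host -> bool consulted only for Establish if Needed."""
    for domain, action in rules:
        if not domain_matches(validate_domain(domain), host):
            continue
        if action == ALWAYS:
            return True
        if action == NEVER:
            return False  # an already-active VPN may still be used
        if action == IF_NEEDED:
            return not reachable_directly(host)
        raise ValueError(f"unknown on-demand action {action!r}")
    return False  # no rule matched: nothing to do


# Constructed sample rule list, most specific entry first.
SAMPLE_RULES = [
    ("public.example.com", NEVER),
    (".example.com", IF_NEEDED),
    ("sharepoint.corp.example.net", ALWAYS),
]


def nothing_reachable(host: str) -> bool:
    """Simulated reachability check: treat every host as unreachable."""
    return False


if __name__ == "__main__":
    for name in ("sharepoint.corp.example.net", "public.example.com",
                 "intranet.example.com", "www.other.org"):
        print(name, "->", should_connect(SAMPLE_RULES, name, nothing_reachable))
```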

Configure a Web Clips Profile

Web Clips are web bookmarks that you can push to devices; they display as icons and point to commonly used or recommended web resources. The ability to use Web Clips applies to User Profiles only.

  1. Navigate to Resources > Profiles & Baselines > Profiles and select Add. Select Apple macOS, and then select User Profile.

  2. Configure the profile's General settings.

  3. Select the Web Clips payload.

  4. Configure Web Clip settings, including:

    Label – Enter the text displayed beneath the Web Clip icon on an end user's device. For example: "AirWatch Self-Service Portal."
    URL – Enter the URL that the Web Clip displays. Below are some examples for Workspace ONE UEM pages:
      For the SSP, use: https://<AirWatchEnvironment>/mydevice/
      For the app catalog, use: https://<Environment>/Catalog/ViewCatalog/{SecureDeviceUdid}/{DevicePlatform}
      For the book catalog, use: https://<Environment>/Catalog/BookCatalog?uid={DeviceUid}
    Icon – Upload an image to use as the Web Clip icon, in .gif, .jpg, or .png format. For best results, provide a square image no larger than 400 pixels on each side and less than 1 MB in size when uncompressed. The graphic is automatically scaled and cropped to fit, and converted to .png format if necessary. Web Clip icons are 104 x 104 pixels for devices with a Retina display or 57 x 57 pixels for all other devices.
    Show in App Catalog – Select this option to list the application in your App Catalog.
  5. Select Save & Publish when you are finished to push the profile to devices.

Configure an Xsan Profile

Apple's Xsan, or storage area network, allows macOS devices with Thunderbolt-to-Fibre Channel capabilities to quickly access shared block storage. Configure a payload to manage Xsan directly from the UEM console.

  1. Navigate to Resources > Profiles & Baselines > Profiles and select Add. Select Apple macOS, and then select User Profile to apply the profile to the enrollment user on the device.

  2. Configure the profile's General settings.

  3. Select the Xsan payload.

  4. Configure Connection Info for Xsan including:

    XSAN name – Enter the name of the storage system.
    Authentication Secret – Enter the authentication key for the server.
    File System Name Servers – Enter the hostname or IP address of the file system name servers. Use the + button to add additional file system servers as needed.
  5. Select Save & Publish when you are finished to push the profile to devices.

Upload a Profile

Administrators can now upload .mobileconfig profiles for macOS into Workspace ONE UEM.

  1. Navigate to Resources > Profiles and Baselines > Add > Select Upload Profile.

  2. On the Upload Profile page, select macOS.

  3. On the Upload File page, click Upload. In the File Upload screen, choose a .mobileconfig file from the local system, then click Save and Continue.

    Note: Only .mobileconfig file type is allowed.

  4. If a profile with the same PayloadIdentifier already exists in the database, the following error is displayed:

    "A profile with the same identifier already exists, you must change the identifier before uploading this profile".

  5. On the macOS General page, enter details and click Save and Publish.
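The Gatekeeper choices from the Security and Privacy payload earlier on this page and the PayloadIdentifier check in this section, as an added Python example that is not Workspace ONE UEM code: it parses a constructed .mobileconfig with plistlib, maps Apple's systempolicy payload keys back to the console's Gatekeeper options, and reports the duplicate-identifier and weak-setting findings an admin would want before publishing. The sample profile, its identifiers and UUIDs, and the existing_ids set are constructed.

```python
"""Parse a macOS .mobileconfig, map its Gatekeeper keys back to the console's
choices and apply the duplicate PayloadIdentifier check.
Added example, not Workspace ONE UEM code. Payload types and keys are Apple's
(com.apple.systempolicy.control: EnableAssessment, AllowIdentifiedDevelopers;
com.apple.systempolicy.managed: DisableOverride); the profile is constructed."""
import plistlib

# Constructed Security and Privacy profile: "Mac App Store and identified
# developers" with the user still allowed to override Gatekeeper.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.security-privacy</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadDisplayName</key><string>Security and Privacy (constructed)</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.systempolicy.control</string>
      <key>PayloadIdentifier</key><string>com.example.security-privacy.gatekeeper</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>EnableAssessment</key><true/>
      <key>AllowIdentifiedDevelopers</key><true/>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.systempolicy.managed</string>
      <key>PayloadIdentifier</key><string>com.example.security-privacy.override</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000003</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>DisableOverride</key><false/>
    </dict>
  </array>
</dict>
</plist>
"""


def load_profile(data: bytes) -> dict:
    """Parse the .mobileconfig (an XML plist) and require the top-level keys
    the upload step depends on."""
    profile = plistlib.loads(data)
    if profile.get("PayloadType") != "Configuration":
        raise ValueError("not a configuration profile")
    if not profile.get("PayloadIdentifier"):
        raise ValueError("missing top-level PayloadIdentifier")
    return profile


def gatekeeper_source(profile: dict) -> str:
    """Translate the systempolicy.control keys into the console's three
    Gatekeeper choices."""
    for p in profile.get("PayloadContent", []):
        if p.get("PayloadType") == "com.apple.systempolicy.control":
            if not p.get("EnableAssessment", True):
                return "Anywhere"
            if p.get("AllowIdentifiedDevelopers", True):
                return "Mac App Store and identified developers"
            return "Mac App Store"
    return "not configured"


def user_override_allowed(profile: dict) -> bool:
    """True unless a systempolicy.managed payload sets DisableOverride."""
    for p in profile.get("PayloadContent", []):
        if p.get("PayloadType") == "com.apple.systempolicy.managed":
            return not p.get("DisableOverride", False)
    return True


def lint_profile(profile: dict, existing_ids: set) -> list:
    """Findings an admin would want before publishing; empty means clean."""
    findings = []
    if profile["PayloadIdentifier"] in existing_ids:
        findings.append("A profile with the same identifier already exists")
    if gatekeeper_source(profile) == "Anywhere":
        findings.append("Gatekeeper set to Anywhere (assessment disabled)")
    if user_override_allowed(profile):
        findings.append("User may override Gatekeeper setting")
    return findings


if __name__ == "__main__":
    prof = load_profile(SAMPLE_PROFILE)
    # existing_ids is a constructed stand-in for identifiers already in the console
    for finding in lint_profile(prof, {"com.example.wifi"}):
        print("finding:", finding)
```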
