Use restrictions to secure native functionality on macOS devices, protect corporate information and enforce data-loss prevention. Restriction profiles limit how employees can use their macOS devices and provide the control needed to effectively lock down a device if necessary.

To create a restrictions profile:

  1. Navigate to Devices > Profiles & Resources > Profiles and select Add. Select Apple macOS, and then select whether this profile will apply to only the enrollment user on the device ( User Profile), or the entire device ( Device Profile).
  2. Configure the profile's General settings.

    These settings determine how the profile deploys and who receives it. For more information on General settings, see Add General Profile Settings.

  3. Select the Restrictions payload.
  4. Configure Preferences restrictions:

    Setting Description
    Restrict System Preferences panes Select to view and edit the system preference restrictions options (such as Accessibility, App store, Bluetooth, CDs and DVDs, Date & Time, Desktop & Screen Saver, Dictation & Speech, Displays, Dock, Energy Saver, Extensions, Fibre Channel, Flash Player, iCloud, Ink, Internet Accounts, Keyboard, Language & Region, Mission Control, MobileMe, Mouse, Network, Notifications, Parent Controls, Printers & Scanners, Profiles, Security & Privacy, Sharing, Software Update, Sound, Spotlight, Startup Disk, Time Machine, Trackpad, Users and Groups, and Xscan).
    Enable selected items Select to restrict functionality. Then, make restriction selections below.
    Disable selected items Select to allow the preferences. Then, make the selections below.
  5. Configure Application restrictions:

    Setting Description
    Game Center Select options to restrict or allow the use of Game Center.
    Safari Restrict or allow the use of AutoFill when using Safari to prevent autofilling web forms or storing login information or iCloud Keychain details.
    App Store Restrict or allow the use of the App Store, app store adoption, and use of passwords to install updates. When the Restrict App Store to Software Updates is enabled, this prevents third-party app updates from the App Store
    Apple Music Select Allow Music Service to permit users to stream music from Apple Music to their devices.
    Launch Restrictions Choose to restrict applications from launching. Use the Add buttons to specify allowed applications, allowed folders and disallowed folders.
  6. Configure Widgets restrictions:

    Setting Description
    Allow only configured widgets Select to allow widgets. Click the Add button to specify allowed device widgets.
  7. Configure Media restrictions:

    Setting Description
    Network Access Allow or restrict network access for AirDrop.
    Hard Disk Media Access

    Determine what media formats are allowed, require authentication and read-only access for the end user. You can also force to auto-eject media at log out.

  8. Configure Sharing restrictions:

    Setting Description
    Restrict which sharing services are enabled Select which Sharing services, such as AirDrop, Facebook, and Twitter, are enabled on the device. You can also select the Automatically enable new sharing services check box as a restriction.
  9. Configure Functionality restrictions:

    Setting Description
    Lock desktop picture Select to prevent changing the desktop picture.
    Desktop picture path Enter the path for the desktop picture. Leaving the path blank will lock the current desktop picture and prevent it from being changed.
    Camera Restrict or allow the use of the built-in camera. When this is restricted all applications, whether native or enterprise, are unable to access the camera.
    iCloud

    Restrict or allow the use of iCloud functions.

    • Allow iCloud documents and data
    • Allow use of iCloud password for local accounts
    • Allow backup to My macOS iCloud service
    • Allow Find My Mac iCloud service
    • Allow iCloud Bookmark sync
    • Allow iCloud Mail services
    • Allow iCloud Calendar services
    • Allow iCloud Reminder services
    • Allow iCloud Address Book services
    • Allow iCloud Notes services
    • Allow iCloud Keychain sync
    • Allow iCloud Desktop & Documents Services
    Content Caching Select to allow end users to enable Content Caching on their devices (macOS 10.13 and higher).
    Spotlight Restrict or allow the use of Spotlight suggestions when using Spotlight for searching.
  10. Select Save & Publish to push the profile to devices. The addition or removal of some Restrictions profile payloads may not take effect until the target application or utility is restarted on the device.