The security and privacy settings profile lets you configure Apple's Gatekeeper functionality settings, which are used for secure application downloads. Gatekeeper also controls specific settings related to user passwords.

To create a security and privacy profile: 

  1. Navigate to Devices > Profiles & Resources > Profiles and select Add. Select Apple macOS, and then select whether this profile will apply to only the enrollment user on the device ( User Profile), or the entire device ( Device Profile).
  2. Configure the profile's General settings.

    These settings determine how the profile deploys and who receives it. For more information on General settings, see Add General Profile Settings.

  3. Select the Security and Privacy payload.
  4. Choose locations from which apps may be downloaded.
  5. Configure OS Updates settings to perform a force delay in updating OS especially from updates being visible to end user for a specified number of days.
    Setting Description
    Delay Updates (Days)

    Enable this option and specify the number of days to delay the software update. Number of days range from 1 to 90. (macOS 10.13.4+ devices). The number of days dictate the length of time after the release of the software update and not after the time of installation of the profile.

  6. Configure Gatekeeper settings.
    Setting Description
    Gatekeeper

    Choose to restrict which types of applications may be downloaded. The available options are:

    • Mac App Store
    • Mac App Store and identified developers
    • Anywhere

    Do not allow user to override Gatekeeper setting

    Select to prevent the user from modifying settings to Gatekeeper.
  7. Configure Security settings.

    Setting Description
    Allow Apple Watch to Unlock

    Select to allow Apple Watch to unlock a paired macOS device (macOS 10.12 and higher).

    Allow Touch ID to Unlock Select to allow Touch ID to unlock a macOS device (macOS 10.12.4 and higher).
    Allow user to change Password Select to allow end users to change their passwords (macOS 10.9+).
    Require password after sleep or screensaver begins Select to require a password after sleep or screen saver begins. Set the grace period to determine when a password should be entered.
    Allow user to set lock message Select to allow end users to set a lock message on their devices (macOS 10.9+).
  8. Configure Privacy settings to automatically send diagnostic and usage data to Apple.
  9. Select Save & Publish when you are finished to push the profile to devices.