
Security & Privacy MDM payload settings for Apple devices
You can configure Security & Privacy settings for Mac computers enrolled in a mobile device management (MDM) solution. Use the Security & Privacy payload to set various Gatekeeper options, manage FileVault in macOS, determine whether diagnostic information is reported back to Apple, and set which apps can be opened.
OS and channel | Supported enrollment types | Interaction | Duplicates |
---|---|---|---|
macOS device, macOS user | Device, Automated Device | Some | Single |
General settings
Setting | Description | Required |
---|---|---|
Configure Gatekeeper settings | Set which apps are allowed to launch on the Mac. | No |
Do not allow user to override Gatekeeper setting | Prevent users from using Control-click to open an unidentified app or from installing an app using the Installer app. | No |
Allow user to change password | Specify whether users are permitted to change their password. | No |
Require password after sleep or screen saver begins | Specify whether a password is required upon waking or when a screen saver ends as a result of mouse, trackpad, or keyboard movement. | No |
Allow user to set lock message | Specify whether users can set a short message that appears at the bottom of the lock screen. | No |
Allow user to unlock the Mac using Apple Watch | Specify whether users can unlock their Mac with Apple Watch. | No |
FileVault settings
FileVault settings require user approval.
Setting | Description | Required |
---|---|---|
Require FileVault | FileVault becomes enabled the next time a user logs out. One of the next three options is required. | Yes |
Use an institutional recovery key | If an institutional recovery key is selected, a certificate must be selected. | No |
Create a personal FileVault recovery key | After FileVault is enabled, users can choose their own recovery key. | No |
Use an institutional recovery key and create a personal FileVault recovery key | Both an institutional and a personal recovery key are used. For example, an organization may want to keep control of a known recovery key but still let a user create and use their own personal recovery key. | No |
Certificates payload | A Certificates payload can be selected from the list. | Yes |
Escrow personal recovery key | The Mac can encrypt the personal recovery key with the provided certificate and report it to your MDM solution. | No |
Require user to unlock FileVault after hibernation | Specify whether a user must enter their password when the Mac wakes from hibernation. | No |
Firewall
Setting | Description | Required |
---|---|---|
Enable Firewall | Enables the firewall on managed Mac computers. | Yes |
Block all incoming connections | Select to prevent incoming connections to nonessential apps. | No |
Add specific incoming connection settings | Add apps to either allow or block them from connecting to your network and the internet. | No |
Enable stealth mode | Select to prevent managed Mac computers from responding to probing requests that can be used to reveal their existence. The Mac still answers requests from authorized apps, but unauthorized requests such as ICMP (ping) get no response. | No |
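The FileVault and Firewall tables above describe dependencies between settings (Require FileVault needs one of three recovery-key options, an institutional key needs a Certificates payload, escrow needs the certificate it encrypts with) that an MDM enforces when it builds the profile. The following added example, which is not from Apple's documentation or any MDM product, builds such a profile as a .mobileconfig plist with Python's standard `plistlib` and raises on each of those missing dependencies. The payload types and keys (`com.apple.MCX.FileVault2`, `com.apple.security.FDERecoveryKeyEscrow`, `com.apple.security.firewall` and their keys) are taken from Apple's Configuration Profile Reference as the author of this example recalls them and should be checked against the current Apple Device Management documentation; the reverse-DNS identifiers, the certificate payload UUID and the bundle ID are constructed placeholders, and the Certificates payload that the UUID would point at is not built here.

```python
"""Build a Security & Privacy configuration profile whose FileVault, escrow and
firewall payloads honour the dependencies stated in the settings tables."""
import plistlib
import uuid

# Constructed sample values; not from Apple or any real deployment.
ORG_PREFIX = "com.example.mdm"
# UUID of a Certificates payload assumed to exist in the same profile (placeholder).
CERT_PAYLOAD_UUID = "7C8F2A7E-5D1B-4E3A-9B6F-1A2B3C4D5E6F"


def _common(payload_type, suffix, display_name):
    """Keys every payload dictionary in a profile must carry."""
    return {
        "PayloadType": payload_type,
        "PayloadIdentifier": f"{ORG_PREFIX}.{suffix}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": display_name,
    }


def filevault_payload(key_mode, certificate_uuid=None):
    """Require FileVault with one of the three recovery-key options:
    'institutional', 'personal' or 'both'."""
    if key_mode not in ("institutional", "personal", "both"):
        raise ValueError("Require FileVault needs one of: institutional, personal, both")
    if key_mode != "personal" and not certificate_uuid:
        raise ValueError("an institutional recovery key requires a Certificates payload")
    payload = _common("com.apple.MCX.FileVault2", "filevault", "FileVault")
    payload["Enable"] = "On"
    payload["Defer"] = True  # turn on at the next logout rather than immediately
    personal = key_mode != "institutional"
    payload["UseRecoveryKey"] = personal   # create a personal recovery key
    payload["ShowRecoveryKey"] = personal  # and show it to the user
    if key_mode != "personal":
        payload["PayloadCertificateUUID"] = certificate_uuid  # institutional key certificate
    return payload


def escrow_payload(certificate_uuid, location):
    """Escrow personal recovery key: encrypt it with the certificate and report it to the MDM."""
    if not certificate_uuid:
        raise ValueError("escrow needs the certificate the key is encrypted with")
    payload = _common("com.apple.security.FDERecoveryKeyEscrow", "fv-escrow",
                      "FileVault Recovery Key Escrow")
    payload["Location"] = location  # text shown to the user about where the key is kept
    payload["EncryptCertPayloadUUID"] = certificate_uuid
    return payload


def firewall_payload(block_all_incoming=False, stealth=True, app_rules=()):
    """Enable Firewall plus the optional block-all, stealth and per-app settings."""
    payload = _common("com.apple.security.firewall", "firewall", "Firewall")
    payload["EnableFirewall"] = True
    payload["BlockAllIncoming"] = block_all_incoming
    payload["EnableStealthMode"] = stealth
    if app_rules:  # (bundle_id, allowed) pairs for specific incoming connection settings
        payload["Applications"] = [{"BundleID": b, "Allowed": ok} for b, ok in app_rules]
    return payload


def build_profile(payloads, name="Security & Privacy"):
    """Wrap the payloads in the top-level profile dictionary and serialise to XML plist bytes."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": f"{ORG_PREFIX}.security-privacy",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": name,
        "PayloadScope": "System",
        "PayloadContent": list(payloads),
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def payload_types(profile_bytes):
    """Parse a profile back and list its payload types, to check what was built."""
    return [p["PayloadType"] for p in plistlib.loads(profile_bytes)["PayloadContent"]]


if __name__ == "__main__":
    fv = filevault_payload("both", CERT_PAYLOAD_UUID)
    esc = escrow_payload(CERT_PAYLOAD_UUID, "Escrowed to the organisation's MDM")
    fw = firewall_payload(stealth=True, app_rules=[("com.example.agent", True)])
    print(build_profile([fv, esc, fw]).decode())
```

Running the script prints the profile XML; a real deployment would add the Certificates payload the UUID refers to and sign the profile before installing it.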
Privacy
Setting | Description | Required |
---|---|---|
Send diagnostic and usage data | Diagnostic and usage data can be sent to Apple. | No |