
MDM restrictions for Mac computers
You can set restrictions for Mac computers enrolled in a mobile device management (MDM) solution. The default state for all restrictions listed below is on unless the term “Default is off” is in the Restriction Functionality column. Note that some restrictions have been deprecated.
Note: Not all restrictions are available in all MDM solutions, and an MDM solution can change the default state for any restriction. To learn more about which MDM restrictions are available for your devices, consult your MDM vendor’s documentation.
Setting | Minimum supported operating system | Supervised | Restriction functionality
---|---|---|---
Allow a configuration profile to be installed | macOS 13 | No | Users can’t manually install configuration profiles in System Settings.
Allow accessory connections | macOS 13 | No | The device can always connect to specific accessories while locked. Allows new accessories to connect without authorization.
Universal Control | macOS 13 | No | Prevents the user from using Universal Control.
AirPlay security | macOS 12.3 | No | Users can’t use AirPlay to stream content to the Mac.
Erase All Content and Settings | macOS 12.0.1 | No | Users can’t erase their device and reset it to factory defaults.
iCloud Private Relay | macOS 12.0.1 | No | Prevents the user from turning on iCloud Private Relay.
Allow personalized ads delivered by Apple | macOS 12.0.1 | No | Users’ data won’t be used by the Apple advertising platform to deliver personalized ads.
Enforce Face ID or Touch ID timeout | macOS 12.0.1 (Touch ID) | No | The value, in seconds, after which the biometric unlock requires a password to authenticate. The default value is 48 hours.
AirPlay, View Screen by Classroom, and screen sharing | macOS 11 | No | Teachers using Classroom can’t use AirPlay with students’ screens, view students’ screens, or share students’ screens.
Screenshots and screen recordings | macOS 11 | No | Users can’t save a screenshot or recording of the screen.
Modify diagnostic settings | macOS 10.15 | No | Modifying diagnostic data settings isn’t permitted.
Handoff | macOS 10.15 | No | Users can’t use Handoff with their Apple devices.
Screen sharing | macOS 10.14.4 | No | Users can’t enable screen sharing.
AirPlay, View Screen by Classroom, and screen sharing | macOS 10.14.4 | No | Teachers using Classroom can’t use AirPlay with students’ screens, view students’ screens, or share students’ screens.
Classroom to perform AirPlay and View Screen without prompting | macOS 10.14.4 | Yes | Students in managed classes aren’t prompted when the teacher uses AirPlay or View Screen. Default is off.
Classroom can focus students on a single app and lock the device without prompting | macOS 10.14.4 | Yes | Teachers can lock an app open or lock the device without first prompting the user. Default is off.
Automatic joining Classroom classes without prompting | macOS 10.14.4 | Yes | Students can join a class without prompting the teacher. Default is off.
Require teacher permission to leave Classroom teacher-created classes | macOS 10.14.4 | Yes | Students must request permission before they can leave a teacher-created class. Default is off.
Password AutoFill | macOS 10.14 | No | Users can’t use AutoFill Passwords, and no prompt is shown to pick a saved password from iCloud Keychain or third-party password managers.
Proximity AutoFill | macOS 10.14 | No | Users’ devices won’t advertise themselves to nearby devices for passwords by use of Proximity AutoFill. In iOS, iPadOS, and macOS this feature restricts only Wi-Fi Password requests.
Share passwords over AirDrop | macOS 10.14 | No | Users can’t share their passwords over AirDrop.
Defer software updates | macOS 10.13.4 | No | For more information, see Test and defer software updates. Default is off.
Dictation | macOS 10.13 | Yes | Users can’t use dictation on their device.
Content caching | macOS 10.13 | No | Content caching isn’t permitted.
Siri profanity filter | macOS 10.13 | No | The profanity filter in Siri can be disabled. Default is off.
Modify password | macOS 10.13 | No | Users can’t change the set password.
Use Touch ID to unlock device | macOS 10.12.4 | No | Users must use a password to unlock the device.
iCloud Photos | macOS 10.12 | No | Users can’t use their iCloud Photos.
Safari AutoFill | macOS 10.13 | No | Safari doesn’t remember what users enter in web forms.
Game Center | macOS 10.13 | No | The Game Center app and its icon are removed.
Add Game Center friends | macOS 10.13 | No | Users can’t find or add friends in Game Center.
Multiplayer gaming | macOS 10.13 | No | Users can’t play multiplayer games in Game Center.
AirDrop | macOS 10.13 | No | Users can’t use AirDrop.
User unlocks Mac using Apple Watch | macOS 10.13 | No | Users can’t unlock their Mac with Apple Watch.
Apple Music | macOS 10.12 | No | Users can’t use Apple Music.
iCloud Mail | macOS 10.12 | No | Mail isn’t uploaded to iCloud.
iCloud Contacts | macOS 10.12 | No | Contacts aren’t uploaded to iCloud.
iCloud Calendars | macOS 10.12 | No | Calendars aren’t uploaded to iCloud.
iCloud Reminders | macOS 10.12 | No | Reminders aren’t uploaded to iCloud.
iCloud Bookmarks | macOS 10.12 | No | Safari bookmarks aren’t uploaded to iCloud.
iCloud Keychain | macOS 10.12 | No | iCloud Keychain can’t be used.
Define and Look Up | macOS 11 | No | Users can’t Control-click a selection and use Look Up to locate any information about the selection.
iCloud Documents and Data | OS X 10.11 | No | Documents and data aren’t added to iCloud.
Use of cameras | OS X 10.11 | No | Cameras are disabled and the Camera icon is removed from the Home Screen in iOS and iPadOS. Users can’t take photographs or videos.
App Store app adoption | OS X 10.10 | No | iLife and iWork apps that shipped with macOS can’t be adopted by the App Store.
Require administrator password to install or update apps | OS X 10.9 | No | An administrator password is required in order to update any apps.
Modify Wallpaper | OS X 10.9 | No | Users can’t modify the wallpaper for the desktop.
Add to Photos (Deprecated in macOS 10.12) | OS X 10.9 | No | Items can’t be sent to Photos.
Add to Reading List (Deprecated in macOS 10.12) | OS X 10.9 | No | Items can’t be sent to the Reading List in Safari.
(Deprecated in macOS 10.12) | OS X 10.9 | No | Items can’t be posted to Facebook.
(Deprecated in macOS 10.12) | OS X 10.9 | No | Items can’t be posted to LinkedIn.
(Deprecated in macOS 10.12) | OS X 10.9 | No | Items can’t be attached to a Mail message.
Messages (Deprecated in macOS 10.12) | OS X 10.9 | No | Users see only specific services offered from the share sheet.
Notes (Deprecated in macOS 10.12) | OS X 10.9 | No | Items can’t be shared using Notes.
Reminders (Deprecated in macOS 10.12) | OS X 10.9 | No | Items can’t be shared using Reminders.
Sina Weibo (Deprecated in macOS 10.12) | OS X 10.9 | No | Items can’t be posted to Sina Weibo.
(Deprecated in macOS 10.12) | OS X 10.9 | No | Items can’t be posted to Twitter.
Video services | OS X 10.9 | No | Items can’t be posted to Flickr, Vimeo, Tudou, and Youku.
Automatically enable new sharing services (Deprecated in macOS 10.12) | OS X 10.9 | No | Any new sharing services are available to the user.
Set Finder type | OS X 10.7 | No | Regular or Simple Finder
Show on Desktop | OS X 10.7 | No | Internal storage devices; External storage devices; CDs, DVDs, and iPod devices; Connected servers
Show warning before emptying trash | OS X 10.7 | No | Allow or deny
Connect to a server | OS X 10.7 | No | Allow or deny
Eject | OS X 10.7 | No | Allow or deny
Burn disc | OS X 10.7 | No | Allow or deny
Go to folder | OS X 10.7 | No | Allow or deny
Restart | OS X 10.7 | No | Allow or deny
Shut Down | OS X 10.7 | No | Allow or deny
Log out | OS X 10.7 | No | Allow or deny
Internal storage devices (Deprecated in macOS 11) | OS X 10.7 | No | Allow; Require authentication; Read-only
External storage devices (Deprecated in macOS 11) | OS X 10.7 | No | Allow; Require authentication; Read-only
Disk images (Deprecated in macOS 11) | OS X 10.7 | No | Allow; Require authentication; Read-only
DVD-RAM (Deprecated in macOS 11) | OS X 10.7 | No | Allow; Require authentication; Read-only
CDs and CD-ROMs (Deprecated in macOS 11) | OS X 10.7 | No | Allow; Require authentication
DVDs (Deprecated in macOS 11) | OS X 10.7 | No | Allow; Require authentication
Recordable discs (Deprecated in macOS 11) | OS X 10.7 | No | Allow; Require authentication
Eject the media when the user logs out (Deprecated in macOS 11) | OS X 10.7 | No | Allow or deny