Profile properties for Mac OS X devices

To enforce security compliance on your Mac OS X devices, create one or more profiles with the required settings. To complete this task, you must have the required authorizations. See Operator permissions and associated profile actions.

  1. Specify a Profile Name and a Description, and select the Site where the profile is created. The available sites are those that your operator login is authorized for. These fields are mandatory. You can enforce security policies for the categories that are displayed in the left pane. To change or specify attributes in a category, you must first enable it by clicking On. If you enable a category without changing any settings, the greyed default values are not enforced on the devices when the profile is deployed. You must enable at least one category to save the profile.
    Note: You cannot specify double quotation marks " in the Profile Name and Description fields.
  2. Select the Passcode Settings tab to set or change the following properties:

    Allow simple values
    The passcode can contain sequential or repeated characters, such as AAAA or 1234. This option is selected by default; clear it to have such values refused.
    Minimum passcode length is [0] characters
    Specify the minimum length of the passcode. Allowed values are in the range 0-50. The default value of 0 means that the passcode length is not checked. The most restrictive value is 50.
    Password requires at least [0] complex characters
    Specifies the number of non-alphanumeric characters (such as $ and !) that the passcode must contain. Allowed values are in the range 0-50, where 50 is the most restrictive value.
    Passcode expires after [0] days
    Allowed values are in the range 0-730, where 0 means that the passcode never expires. The default is 730. The most restrictive value is 1.
    Enforce passcode history for the last [0] passwords
    Specify the number of previous passcodes that cannot be reused. Allowed values are in the range 0-50, where 0 means that this check is not enabled. When a user enters a new passcode, it is compared against the specified number of previous passcodes and is refused if it matches any of them. The most restrictive value is 50.
    Lock screen after [0] minutes of inactivity
    Allowed values are in the range 0-5. The default value of 0 means that the screen never locks. The most restrictive value is 1.
    Lock device after [10] failed login attempts
    The device is locked after the specified number of failed login attempts. Allowed values are in the range 0-11. The default value of 0 means that the device is never locked. The most restrictive value is 1.
    Set a Delay of [0] minutes before the login window is re-displayed
    When the device is locked because the defined number of failed login attempts was reached, it waits the specified number of minutes before displaying the login window again. The default value of 0 means no delay. If the value of the Lock device parameter is 0 or 1, this option is greyed out and cannot be changed.
    Set a Grace period of [730] minutes before requiring a passcode when the device is locked
    Valid values are in the range 0-730, where 0 means no grace period: a passcode must be entered immediately after the device locks. 0 is the most restrictive value.
  3. Select the Device Security tab to change the following settings:

    Allow use of external disks
    You can use external disks (for example, USB keys) on the device. This option is enabled by default. If you disable it and the target system already has an external disk mounted, you must reboot the system after deploying the profile for the restriction to take effect.
    Allow use of removable media
    You can use any type of removable media (such as CD or DVD) on the device. This option is enabled by default. If you disable it and the target system already has a CD or DVD mounted, you must reboot the system after deploying the profile for the restriction to take effect.
    Eject media at logout
    Select this option to eject all removable media when the user logs out. By default, this option is not selected.
    Enable AirDrop
    You can use AirDrop on the device to share items. This option is enabled by default.
  4. Select the App Security tab to change the following settings:

    Enable Game Center
    Specifies whether Game Center can be used on the device. This setting is enabled by default. When it is enabled, you can disable one or more of the following Game Center options:
    Allow multiplayer gaming
    Players can take part in multiplayer games
    Allow adding Friends
    Players can add friends to their player list
    Allow modification of account credentials
    Players can modify the user ID and passcode used to access Game Center
    Restrict adoption of preinstalled apps by App Store
    When this option is selected, the free applications that are included with the installed operating system on the device cannot be updated through the App Store.
    Restrict App Store usage
    Select this option to restrict the App Store to updating applications installed by MDM and Apple software.
    Require Administrator password to manage apps
    If you enable this option, the Administrator password must be entered every time an application is installed or updated on the device.
    Enable Gatekeeper
    Gatekeeper protects devices by checking apps downloaded from the internet before they are first opened and blocking those that are not signed by an identified developer.
    Allow sending diagnostic data to Apple
    Sends diagnostic and usage data to Apple. This option is enabled by default.
  5. Select the Restrictions tab to disable user access to specific resources in System Preferences on the device. All preferences are enabled by default. Select one or more resources that you want to disable, or click Select All to disable all resources. The panes for the options you select are greyed out on the device. Resources are divided into two categories:
    • System Preferences:

      App Store
      Bluetooth
      CDs and DVDs
      Desktop and Screen Saver
      Extensions
      iCloud
      Internet Accounts
      Network
      Printers and Scanners
      Profiles
      Security & Privacy
      Sharing
      Sound
      Spotlight
      Startup Disk
      Time Machine
      Users and Groups
    • Miscellaneous

      Camera
      Disables the built-in camera, the built-in camera of a connected display, and USB cameras.
      iCloud documents & data
      Prevents presentations, spreadsheets, images, and other documents from being stored in iCloud Drive on devices that are set up for it.
      iCloud keychain
      Prevents iCloud Keychain from storing Safari website usernames and passwords and credit card information, and from keeping Wi-Fi network information up to date. This setting is found in Safari > Preferences > Passwords.
      iCloud password for local accounts
      Prevents the use of an iCloud ID and password to unlock a Mac OS X device. This setting is found in System Preferences under Users and Groups.
      Spotlight internet suggestions
      Disables Spotlight Suggestions, so Spotlight queries are not sent to the internet for web, App Store, and similar results; local searches for apps, documents, images, and other files continue to work.
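The passcode rules in step 2 correspond to the fields of a macOS configuration profile, and the range and dependency rules the page states (0 means "not checked", the lockout delay is only meaningful when the lock threshold is above 1) are easy to get wrong when profiles are generated by automation rather than clicked through. The following Python script is an added example written for this page; it is not code from the MDM product described here. It validates a settings dictionary against the ranges given in step 2, emits a .mobileconfig containing one com.apple.mobiledevice.passwordpolicy payload, and checks a candidate passcode against the same rules the page describes (simple values, minimum length, complex characters, history). The payload key names are Apple's; the mapping from this page's field names, the decision to omit zero-valued fields, the STRICT_POLICY values, the previous-passcode list and the com.example identifier are the editor's assumptions, constructed for the example.

```python
import plistlib
import uuid

# Allowed ranges per field, as documented in step 2 of this page.
# The page gives no upper bound for the lockout delay; 0-730 is an assumption.
RANGES = {
    "min_length": (0, 50),
    "min_complex_chars": (0, 50),
    "max_age_days": (0, 730),
    "history": (0, 50),
    "max_inactivity_min": (0, 5),
    "max_failed_attempts": (0, 11),
    "failed_reset_delay_min": (0, 730),
    "grace_period_min": (0, 730),
}

# Editor's mapping from this page's fields to the integer keys of Apple's
# com.apple.mobiledevice.passwordpolicy payload (the key names are Apple's).
PAYLOAD_KEYS = {
    "min_length": "minLength",
    "min_complex_chars": "minComplexChars",
    "max_age_days": "maxPINAgeInDays",
    "history": "pinHistory",
    "max_inactivity_min": "maxInactivity",
    "max_failed_attempts": "maxFailedAttempts",
    "failed_reset_delay_min": "minutesUntilFailedLoginReset",
    "grace_period_min": "maxGracePeriod",
}

# Constructed example policy (not from the page) using the page's most
# restrictive choices where practical, plus a constructed passcode history.
STRICT_POLICY = {
    "allow_simple": False,
    "min_length": 12,
    "min_complex_chars": 2,
    "max_age_days": 90,
    "history": 5,
    "max_inactivity_min": 1,
    "max_failed_attempts": 5,
    "failed_reset_delay_min": 15,
    "grace_period_min": 0,
}
PREVIOUS_PASSCODES = ["Winter2023!!", "Spring2024!!"]


def validate(settings):
    """Reject out-of-range values and the page's one dependency: the lockout
    delay only applies when the device locks after more than one failed attempt."""
    for field, (lo, hi) in RANGES.items():
        value = settings.get(field, 0)
        if not lo <= value <= hi:
            raise ValueError(f"{field}={value} is outside the allowed range {lo}-{hi}")
    if settings.get("failed_reset_delay_min", 0) and settings.get("max_failed_attempts", 0) <= 1:
        raise ValueError("failed_reset_delay_min requires max_failed_attempts greater than 1")
    return settings


def passcode_payload(settings, identifier="com.example.passcode"):
    """Build the passcode-policy payload. Integer fields left at 0 mean
    'not checked' on this page, so they are omitted rather than written as 0."""
    validate(settings)
    payload = {
        "PayloadType": "com.apple.mobiledevice.passwordpolicy",
        "PayloadIdentifier": f"{identifier}.passwordpolicy",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadVersion": 1,
        "forcePIN": True,
        "allowSimple": bool(settings.get("allow_simple", True)),
    }
    for field, key in PAYLOAD_KEYS.items():
        if settings.get(field, 0):
            payload[key] = int(settings[field])
    return payload


def build_mobileconfig(settings, name="Passcode policy", identifier="com.example.passcode"):
    """Return the bytes of a .mobileconfig wrapping one passcode-policy payload."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadDisplayName": name,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadVersion": 1,
        "PayloadContent": [passcode_payload(settings, identifier)],
    })


def is_simple(passcode):
    """'Simple value' as the page defines it: all one character (AAAA) or a
    run of sequential characters in either direction (1234, dcba)."""
    if len(passcode) < 2:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(passcode, passcode[1:])}
    return steps in ({0}, {1}, {-1})


def check_passcode(passcode, settings, previous=()):
    """Return the rules a candidate passcode violates, in the page's order."""
    violations = []
    if not settings.get("allow_simple", True) and is_simple(passcode):
        violations.append("simple value")
    if len(passcode) < settings.get("min_length", 0):
        violations.append("too short")
    if sum(1 for c in passcode if not c.isalnum()) < settings.get("min_complex_chars", 0):
        violations.append("not enough complex characters")
    history = settings.get("history", 0)
    if history and passcode in list(previous)[-history:]:
        violations.append("reused passcode")
    return violations
```

Running `build_mobileconfig(STRICT_POLICY)` produces the XML plist to sign and upload; `check_passcode("1234", STRICT_POLICY, PREVIOUS_PASSCODES)` reports the simple-value, length and complexity failures the page's rules imply, while a 12-character passcode with two symbols that appears in the history is refused only for reuse. The validation step exists because a profile with an out-of-range value or a delay paired with a lock threshold of 0 or 1 silently enforces less than the operator intended.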