MDM restrictions for Mac computers
You can set restrictions for Mac computers enrolled in a mobile device management (MDM) solution. The default state for all restrictions listed below is on unless the term “Default is off” is in the Restriction Functionality column.
Note: Not all restrictions are available in all MDM solutions and they have the ability to change the default state for any restriction. To learn more about MDM restrictions availability for your devices, consult your MDM vendor’s documentation.
Setting | Minimum supported operating system | Supervised | Restriction functionality | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
Allow external intelligence integrations | macOS 15.2 | Yes | Prevents the use of external, cloud-based intelligence services with Siri. This currently includes ChatGPT and Google Lens (visual intelligence). | ||||||||
Allow signing in to external intelligence integrations | macOS 15.2 | Yes | Forces external intelligence providers into anonymous mode. If a user is already signed in to an external intelligence provider, applying this restriction signs them out. | ||||||||
Allow Mail summary | macOS 15.1 | Yes | Prevents the ability to create summaries of email messages manually. This doesn’t affect automatic summary generation. | ||||||||
Allow media sharing | macOS 15.1 | Yes | Prevents modification of Media Sharing settings. | ||||||||
Force bypass screen capture alert | macOS 15.1 | Yes | Prevents showing the screen capture alert dialog. Default is off. | ||||||||
Allow writing tools | macOS 15 | Yes | Prevents Apple Intelligence writing tools. | ||||||||
Allow Image Playground | macOS 15 | Yes | Prevents users from using Image Playground. | ||||||||
Allow Genmoji | macOS 15 | Yes | Prevents users from creating a Genmoji. | ||||||||
Allow iPhone mirroring | macOS 15 | Yes | On iPhone, prevents an iPhone from mirroring to a Mac. On Mac, prevents a Mac from mirroring an iPhone. | ||||||||
Force on-device-only dictation | macOS 14 | No | Prevents dictated content from being sent to Siri servers for processing. Supported on Mac computers with Apple silicon. Default is off. | ||||||||
Modify device name | macOS 14 | No | Users can’t change the name of the device as shown in Settings > General > About. | ||||||||
Modify account settings | macOS 14 | No | Users can’t create new accounts or change their user name, password, or other settings associated with their account. | ||||||||
Modify Touch ID fingerprints | macOS 14 | No | Users can’t add or remove existing Touch ID information. | ||||||||
Siri | macOS 14 | No | Siri can’t be used. | ||||||||
Remote Desktop management modification | macOS 14 | No | Prevents the user from modifying Remote Desktop management settings. | ||||||||
File Sharing modification | macOS 14 | No | Prevents the user from modifying file sharing settings. | ||||||||
Allow Bluetooth modification | macOS 14 | No | Prevents the user from modifying Bluetooth® settings. | ||||||||
Printer sharing modification | macOS 14 | No | Prevents the user from modifying printer sharing settings. | ||||||||
Allow Internet sharing modification | macOS 14 | No | Prevents the user from modifying Internet sharing settings. | ||||||||
Remote Apple events modification | macOS 14 | No | Prevents the user from modifying remote Apple events settings. | ||||||||
Local user account creation | macOS 14 | No | Prevents a user with the role of administrator from creating new users in Users & Groups. | ||||||||
Freeform in iCloud | macOS 14 | No | Prevents the user from storing Freeform files in iCloud. | ||||||||
Startup Disk modification | macOS 14 | No | Prevents the user from selecting a different startup disk. | ||||||||
Time Machine backups | macOS 14 | No | Prevents the user from setting up and using a Time Machine backup. | ||||||||
Universal Control | macOS 13 | No | Prevents the user from using Universal Control. | ||||||||
Install a configuration profile | macOS 13 | No | Users can’t manually install configuration profiles in System Settings. | ||||||||
Allow accessory connections | macOS 13 | No | The device can always connect to specific accessories while locked. Allows new accessories to connect without authorization. | ||||||||
AirPlay security | macOS 12.3 | No | Users can’t use AirPlay to stream content to the Mac. | ||||||||
Erase All Content and Settings | macOS 12.0.1 | No | Users can’t erase their device and reset it to factory defaults. | ||||||||
iCloud Private Relay | macOS 12.0.1 | No | Prevents the user from turning on iCloud Private Relay. | ||||||||
Allow personalized ads delivered by Apple | macOS 12.0.1 | No | Users’ data won’t be used by the Apple advertising platform to deliver personalized ads. | ||||||||
Enforce Face ID or Touch ID timeout | macOS 12.0.1 (Touch ID) | No | The value, in seconds, after which the biometric unlock requires a password to authenticate. The default value is 48 hours. | ||||||||
Screenshots and screen recordings | macOS 10.14.4 | No | Users can’t save a screenshot or recording of the screen. | ||||||||
Handoff | macOS 10.15 | No | Users can’t use Handoff with their Apple devices. | ||||||||
Screen sharing | macOS 10.14.4 | No | Users can’t enable screen sharing. | ||||||||
AirPlay, View Screen by Classroom, and screen sharing | macOS 10.14.4 | No | Teachers using Classroom can’t use AirPlay with students’ screens, view students’ screens, or share students’ screens. | ||||||||
Classroom to perform AirPlay and View Screen without prompting | macOS 10.14.4 | Yes | Students in managed classes aren’t prompted when the teacher uses AirPlay or View Screen. Default is off. | ||||||||
Classroom can focus students on a single app and lock the device without prompting | macOS 10.14.4 | Yes | Teachers can lock an app open or lock the device without first prompting the user. Default is off. | ||||||||
Automatic joining Classroom classes without prompting | macOS 10.14.4 | Yes | Students can join a class without prompting the teacher. Default is off. | ||||||||
Require teacher permission to leave Classroom teacher-created classes | macOS 10.14.4 | Yes | Students must request permission before they can leave a teacher-created class. Default is off. | ||||||||
Password AutoFill | macOS 10.14 | No | Users can’t use AutoFill Passwords, and no prompt is shown to pick a saved password from iCloud Keychain or third-party password managers. | ||||||||
Proximity AutoFill | macOS 10.14 | No | Users’ devices won’t advertise themselves to nearby devices for passwords by use of Proximity AutoFill. For devices with iOS, iPadOS, and macOS this feature restricts only Wi-Fi password requests. | ||||||||
Share passwords over AirDrop | macOS 10.14 | No | Users can’t share their passwords over AirDrop. | ||||||||
Defer software updates | macOS 11.3 | No | For more information, see Test and defer software updates. Default is off. | ||||||||
Modify Dictation | macOS 10.13 | Yes | Users can’t use dictation on their device. | ||||||||
Content caching | macOS 10.13 | No | Content caching isn’t permitted. | ||||||||
Siri profanity filter | macOS 10.13 | No | The profanity filter in Siri can be disabled. Default is off. | ||||||||
Modify password | macOS 10.13 | No | Users can’t change the set password. | ||||||||
Safari AutoFill | macOS 10.13 | No | Safari doesn’t keep track of what users enter in web forms. | ||||||||
Send diagnostic and usage data to Apple | macOS 10.13 | No | Users can’t choose to send diagnostic information to Apple. | ||||||||
Game Center | macOS 10.13 | No | The Game Center app and its icon are removed. | ||||||||
Add Game Center friends | macOS 10.13 | No | Users can’t find or add friends in Game Center. | ||||||||
Multiplayer gaming | macOS 10.13 | No | Users can’t play multiplayer games in Game Center. | ||||||||
AirDrop | macOS 10.13 | No | Users can’t use AirDrop. | ||||||||
User unlocks Mac using Apple Watch | macOS 10.13 | No | Users can’t unlock their Mac with Apple Watch. | ||||||||
Modify Wallpaper | macOS 10.13 | No | Users can’t modify the wallpaper for the desktop. | ||||||||
Use Touch ID to unlock device | macOS 10.12.4 | No | Users must use a password to unlock the device. | ||||||||
iCloud Photos | macOS 10.12 | No | Users can’t use their iCloud Photos. | ||||||||
Apple Music | macOS 10.12 | No | Users can’t use Apple Music. | ||||||||
iCloud Mail | macOS 10.12 | No | Mail isn’t uploaded to iCloud. | ||||||||
iCloud Contacts | macOS 10.12 | No | Contacts aren’t uploaded to iCloud. | ||||||||
iCloud Calendars | macOS 10.12 | No | Calendars aren’t uploaded to iCloud. | ||||||||
iCloud Reminders | macOS 10.12 | No | Reminders aren’t uploaded to iCloud. | ||||||||
iCloud Bookmarks | macOS 10.12 | No | Safari bookmarks aren’t uploaded to iCloud. | ||||||||
iCloud Keychain | macOS 10.12 | No | iCloud Keychain can’t be used. | ||||||||
Define and Look Up | OS X 10.11 | No | Users can’t Control-click a selection and use Look Up to locate any information about the selection. | ||||||||
Siri Suggestions | OS X 10.11 | No | During search, Siri can’t offer suggestions for apps, people, locations, and more. | ||||||||
iCloud Documents and Data | OS X 10.11 | No | Documents and data aren’t added to iCloud. | ||||||||
Use of cameras | OS X 10.11 | No | Cameras are disabled and the Camera icon is removed from the Home Screen in iOS and iPadOS. Users can’t take photographs or videos. | ||||||||
App Store app adoption | OS X 10.10 | No | iLife and iWork apps that shipped with macOS can’t be adopted by the App Store. | ||||||||
Require administrator password to install or update apps | OS X 10.9 | No | An administrator password is required in order to update any apps. | ||||||||
Show on Desktop | OS X 10.7 | No | Internal storage devices. External storage devices. CDs, DVDs, and iPod devices. Connected servers. | ||||||||
Show warning before emptying trash | OS X 10.7 | No | Allow or deny. | ||||||||
Connect to a server | OS X 10.7 | No | Allow or deny. | ||||||||
Eject | OS X 10.7 | No | Allow or deny. | ||||||||
Burn disc | OS X 10.7 | No | Allow or deny. | ||||||||
Go to folder | OS X 10.7 | No | Allow or deny. | ||||||||
Restart | OS X 10.7 | No | Allow or deny. | ||||||||
Shut Down | OS X 10.7 | No | Allow or deny. | ||||||||
Log out | OS X 10.7 | No | Allow or deny. |