Core set of policy domains and the bundle of settings they configure are:
Allow user access to Accessibility, Date & Time, Energy Saver, Network, Print & Scan, and Time Machine
Allows users to modify settings in the Accessibility, Date and Time, Energy Saver, Network, Print & Scan, Time Machine system preference panes without unlocking or requiring an administrator account. In addition, users can create network configurations ("locations") and can set a DVD player's region code the first time it is used.
Apple limits DVD player region resets to a small number - around 5 - so changing the DVD region code is not enabled by this. Instead, this allows people to play a DVD for the first time when away from IT support.
App Updates and First Launch Config
Disables in-app updates and sets initial configurations - however, these options may not work depending on the app and if the user is migrated on or is a new user.
| App | Method | Settings |
|---|---|---|
| Adobe Acrobat Pro | /Library/Preferences/com.adobe.Acrobat.Pro.plist | Disable auto-updates |
| Adobe Reader | /Library/Preferences/com.adobe.Reader.plist /System/Library/User Template/Non_localized/Library/Preferences/com.adobe.Reader.plist | Disable auto-updates |
| Adobe Flash Player | /Library/Application Support/Macromedia/mms.cfg file | Disable auto-updates |
| Apple Software Updates | /Library/LaunchDaemons/edu.umich.izzy.DisableASU.plist com.apple.SoftwareUpdate • AllowPreReleaseInstallation | Disable Apple's software update engine Block pre-release OS X installs (public beta) |
| Chrome | /Library/Google/Google Chrome Master Preferences com.google.Keystone.Agent • checkInterval | Sets default homepage to umich.edu, disable sync initial promotion Attempt to disable Chrome's updater |
| Microsoft Excel 2011 | com.microsoft.Excel • 14\Microsoft Excel\Hide Welcome Window | Disable first-launch screen |
| Microsoft Outlook 2011 | com.microsoft.Outlook • FirstRunExperienceCompleted | Disable first-launch screen |
| Microsoft PowerPoint 2011 | com.microsoft.PowerPoint • 14\Options\Options\Hide Welcome Dialog | Disable first-launch screen |
| Microsoft Word 2011 | com.microsoft.Word • 14\Options\Hide Welcome Dialog | Disable first-launch screen |
| Microsoft Auto-Update 2011 | com.microsoft.autoupdate2 • HowToCheck | Disable automatic Microsoft software updates prompting (Office 2011) |
| Microsoft Error Reporting | com.microsoft.error_reporting • SQMReportsEnabled | Disable error reporting for Office 2011 |
| Microsoft Office 2011 | com.microsoft.office • 14\FirstRun\SetupComplete com.microsoft.office • 14\UserInfo\UserOrganization | Disable first-launch screen |
MiWorkspace Login Window Banner
Sets "Welcome to MiWorkspace" on the OS X login screen.
Personal & Private Directory Creation
When a user logs in, create the folder "Personal and Private" in their home directory, and make it mode 700. Additionally, tell the Finder to label it red.
Screensaver End User Settings
Require a user to enter a password to unlock the screensaver (or when returning from sleep).
Security Settings
| Setting | Description |
|---|---|
| Disable Guest Account | Prevent users from logging in as Guest |
| Disable Internet Sharing | Cannot use Internet sharing to set up a personal WiFi network from e.g. Ethernet |
| Use network time server | Forced to time.apple.com |
| Enable Application Firewall | Turn on the "Firewall" in Security Preferences. This setting does not appear to work reliably, but it is the only setting Apple provides. |
| Apple IR Controller | Disable IR Controller |
| Disable >console logins | Turn off text-mode console login |
| Disable password hints | Turn off password hints after successive mistakes |
| Use username & password fields | Login screen should be username and password, not portraits of usernames. |
| Automatic timezone | Set system to automatically set its timezone |
| Home directory mode 700 | Make user home directories mode 700 (no group/other read/write access) |
Standard User Experience
- Configures the URL for Managed Software Center to get package icons
- Disable the iCloud setup assistant page, when possible
- Disable the trackpad 'reverse gesture' setup assistant page
- Disable the meaningless 'optimizing your Mac' setup assistant page
- Disable Spotlight on external volumes
- We discovered Spotlight might try to walk network volumes, which causes significant performance problems
- Disable .DS_Store (Finder preference files) on network volumes
- Shorten the AD at-login binding timeout, which speeds up initial boot significantly
IronIzzy (FileVault) Enabler
Triggers Izzy to enable FileVault encryption, recovery key escrow, and the disk password mechanism.
Bluetooth Discoverable OFF
Turn off Bluetooth discoverability at login. Users can turn this back on.
Bluetooth Sharing OFF
Turn off sharing of items through Bluetooth at login. Users can turn this back on.
Disable Bonjour Advertising
Turn off advertising this Mac on Bonjour (multicast DNS)
Disable Memory Core Dumps
Prevent app crashes from creating a core file.
Terminal Secure Keyboard Entry
Enables the "Secure Keyboard Entry" by default in Terminal. Secure Entry prevents other apps from listening in on keydown events, which means that other apps can't read passwords into the Terminal window. Note that this will break apps like TextExpander. Also note that recent versions of OS X will automatically enable Secure Entry at common password prompts, which is indicated by a 'key' icon in the cursor.