The core set of policy domains, and the bundle of settings each one configures, are:
Allows users to modify settings in the Accessibility, Date and Time, Energy Saver, Network, Print & Scan, and Time Machine system preference panes without unlocking them or requiring an administrator account. In addition, users can create network configurations ("locations") and can set a DVD player's region code the first time it is used.
Apple limits DVD player region resets to a small number - around 5 - so this does not enable changing the DVD region code. Instead, it allows people to play a DVD for the first time when away from IT support.
Disables in-app updates and sets initial configurations - however, these options may not work, depending on the app and on whether the user is a migrated user or a new user.
App | Method | Settings |
---|---|---|
Chrome | /Library/Google/Google Chrome Master Preferences | Sets the default homepage to umich.edu, disables the initial sync promotion |
Sets "Welcome to MiWorkspace" on the OS X login screen.
When a user logs in, create the folder "Personal and Private" in their home directory, and make it mode 700. Additionally, tell the Finder to label it red.
Require a user to enter a password to unlock the screensaver (or when returning from sleep).
Setting | Description |
---|---|
Disable Guest Account | Prevent users from logging in as Guest |
Disable Internet Sharing | Cannot use Internet sharing to set up a personal WiFi network from e.g. Ethernet |
Use network time server | Forced to time.apple.com |
Enable Application Firewall | Turn on the "Firewall" in Security Preferences. This setting does not appear to work reliably, but it is the only setting Apple provides. |
Apple IR Controller | Disable IR Controller |
Disable >console logins | Turn off text-mode console login |
Disable password hints | Turn off password hints after successive mistakes |
Use username & password fields | The login screen shows username and password fields, not a list of user portraits. |
Automatic timezone | Set system to automatically set its timezone |
Home directory mode 700 | Make user home directories mode 700 (no group/other read/write access) |
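The two mode-700 settings above (the "Personal and Private" folder created at login and the home directory itself) can be enforced and checked with a short script. This is an added example, not the project's own login hook; the function names are hypothetical, it assumes the home directory path is passed as the first argument, and it leaves out the Finder label step.

```shell
#!/bin/sh
# Added example: enforce and audit the two "mode 700" settings described above.
# Assumption: called at login (or by an audit job) with the home path as $1.

# Print a path's permission bits in octal (GNU stat first, then BSD/macOS stat).
dir_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Create "$1/Personal and Private" as mode 700; refuse symlinks and non-directories.
ensure_private_dir() {
    target="$1/Personal and Private"
    if [ -L "$target" ]; then
        echo "refusing: $target is a symlink" >&2
        return 2
    fi
    if [ -e "$target" ] && [ ! -d "$target" ]; then
        echo "refusing: $target exists and is not a directory" >&2
        return 2
    fi
    # umask 077 in a subshell so the folder is never briefly group/other readable.
    [ -d "$target" ] || (umask 077 && mkdir "$target") || return 1
    chmod 700 "$target"
}

# Report whether the home directory and the private folder are both exactly 700.
audit_home() {
    rc=0
    for d in "$1" "$1/Personal and Private"; do
        if [ -L "$d" ] || [ ! -d "$d" ]; then
            echo "FAIL $d: missing, a symlink, or not a directory"
            rc=1
        elif [ "$(dir_mode "$d")" != "700" ]; then
            echo "FAIL $d: mode $(dir_mode "$d"), expected 700"
            rc=1
        else
            echo "OK   $d"
        fi
    done
    return "$rc"
}

# Usage: sh this-script.sh /Users/someuser   (path is a placeholder)
if [ "$#" -gt 0 ]; then
    ensure_private_dir "$1" && audit_home "$1"
fi
```

The audit treats a symlinked home directory as a failure, which is an assumption of this example; relax that check if homes are legitimately symlinked in your environment.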
Triggers Izzy to enable FileVault encryption, recovery key escrow, and the disk password mechanism.
Turn off Bluetooth discoverability at login. Users can turn this back on.
Turn off sharing of items through Bluetooth at login. Users can turn this back on.
Turn off advertising this Mac on Bonjour (multicast DNS).
Prevent app crashes from creating a core file.
Enables "Secure Keyboard Entry" by default in Terminal. Secure Entry prevents other apps from listening in on keydown events, which means that other apps can't read passwords typed into the Terminal window. Note that this will break apps like TextExpander. Also note that recent versions of macOS automatically enable Secure Entry at common password prompts, which is indicated by a 'key' icon in the cursor.