Policy Domains

The core set of policy domains, and the bundle of settings each one configures, are:

Allow user access to Accessibility, Date & Time, Energy Saver, Network, Print & Scan, and Time Machine

Allows users to modify settings in the Accessibility, Date & Time, Energy Saver, Network, Print & Scan, and Time Machine System Preferences panes without unlocking the pane or needing an administrator account.  In addition, users can create network configurations ("locations") and can set the DVD player's region code the first time it is used.

Apple limits DVD player region changes to a small number (around 5), so this does not let users keep changing the DVD region code.  Instead, it lets people play a DVD for the first time when away from IT support.

App Updates and First Launch Config

Disables in-app updates and sets initial configurations.  These options may not take effect for every app, and behaviour can differ depending on whether the user was migrated or is a new user.


App      Method                                              Settings
Chrome   /Library/Google/Google Chrome Master Preferences    Sets the default homepage to umich.edu; disables the initial sync promotion


MiWorkspace Login Window Banner

Sets "Welcome to MiWorkspace" on the OS X login screen.

Personal & Private Directory Creation

When a user logs in, create the folder "Personal and Private" in their home directory, and make it mode 700.  Additionally, tell the Finder to label it red.

Screensaver End User Settings

Require a user to enter a password to unlock the screensaver (or when returning from sleep).

Security Settings

Setting                           Description
Disable Guest Account             Prevent users from logging in as Guest
Disable Internet Sharing          Internet Sharing cannot be used to set up a personal Wi-Fi network from, e.g., Ethernet
Use network time server           Forced to time.apple.com
Enable Application Firewall       Turn on the "Firewall" in Security Preferences.  This setting does not appear to work
                                  reliably, but it is the only setting Apple provides.
Apple IR Controller               Disable the IR controller
Disable >console logins           Turn off text-mode console login (typing ">console" at the login window)
Disable password hints            Turn off password hints after successive failed attempts
Use username & password fields    Login screen should show username and password fields, not user portraits
Automatic timezone                Set the system to set its timezone automatically
Home directory mode 700           Make user home directories mode 700 (no group/other read/write access)
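A per-login script that applies the "Personal & Private Directory Creation" policy above and the "Home directory mode 700" setting from this table, added here as an example and not the MiWorkspace policy's own code. It assumes it runs as the logging-in user (for example from a LaunchAgent) with HOME set to that user's home directory; the function names are my own.

```shell
#!/bin/sh
# Added example: enforce mode 700 on the home directory, create the
# "Personal and Private" folder with mode 700, and ask the Finder to tag it red.
# Assumption: runs as the logging-in user; HOME is that user's home directory.
set -eu

# Print a directory's permission bits in octal, portably (BSD stat on macOS,
# GNU stat elsewhere), so the result can be checked rather than eyeballed.
dir_mode() {
    case "$(uname -s)" in
        Darwin) stat -f '%Lp' "$1" ;;
        *)      stat -c '%a' "$1" ;;
    esac
}

# Ask the Finder to tag a folder red (label index 2 is red in the Finder's
# AppleScript dictionary). Skipped silently where osascript is unavailable,
# e.g. when this script is exercised on a non-macOS host.
label_red() {
    command -v osascript >/dev/null 2>&1 || return 0
    osascript -e 'tell application "Finder" to set label index of (POSIX file "'"$1"'" as alias) to 2'
}

# Apply the policy to one home directory: the home itself becomes mode 700,
# and "Personal and Private" is created (or repaired) with mode 700.
# Returns 0 on success; callers can re-verify with dir_mode.
apply_private_dir_policy() {
    home="$1"
    private="$home/Personal and Private"
    chmod 700 "$home"
    mkdir -p "$private"
    # chmod on every login: the user may have loosened the mode since last time
    chmod 700 "$private"
    label_red "$private"
}

# Stand-alone use: ./private_dir_policy.sh --apply
if [ "${1:-}" = "--apply" ]; then
    apply_private_dir_policy "$HOME"
fi
```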


Standard User Experience

  • Configures the URL for Managed Software Center to get package icons
  • Disable Spotlight on external volumes
    • We discovered Spotlight might try to walk network volumes, which causes significant performance problems
  • Disable .DS_Store (Finder preference files) on network volumes

IronIzzy (FileVault) Enabler

Triggers Izzy to enable FileVault encryption, recovery key escrow, and the disk password mechanism.

Bluetooth Discoverable OFF

Turn off Bluetooth discoverability at login.  Users can turn this back on.

Bluetooth Sharing OFF

Turn off sharing of items through Bluetooth at login.  Users can turn this back on.

Disable Bonjour Advertising

Turn off advertising this Mac via Bonjour (multicast DNS).

Disable Memory Core Dumps

Prevent app crashes from creating a core file.

Terminal Secure Keyboard Entry

Enables "Secure Keyboard Entry" by default in Terminal.  Secure Keyboard Entry prevents other apps from listening for keydown events, so other apps cannot read passwords typed into the Terminal window.  Note that this will break apps like TextExpander.  Also note that recent versions of macOS automatically enable Secure Keyboard Entry at common password prompts, which is indicated by a key icon in the cursor.