Policy Domains
The core set of policy domains, and the bundle of settings each one configures, are:
Allow user access to Accessibility, Date & Time, Energy Saver, Network, Print & Scan, and Time Machine
Allows users to modify settings in the Accessibility, Date & Time, Energy Saver, Network, Print & Scan and Time Machine system preference panes without unlocking the pane with an administrator account. In addition, users can create network configurations ("locations") and can set the DVD Player region code the first time it is used.
Apple limits DVD region code changes to a small number (around 5), so this does not enable changing the DVD region code at will; it allows people to play a DVD for the first time when away from IT support.
App Updates and First Launch Config
Disables in-app updates and sets initial configurations. These options may not take effect, depending on the app and on whether the user was migrated or is a new user.
| App | Method | Settings |
|---|---|---|
| Chrome | /Library/Google/Google Chrome Master Preferences | Sets the default homepage to umich.edu; disables the initial sync promotion |
MiWorkspace Login Window Banner
Sets the OS X login screen banner to "Welcome to MiWorkspace".
Personal & Private Directory Creation
When a user logs in, create the folder "Personal and Private" in their home directory, and make it mode 700. Additionally, tell the Finder to label it red.
Screensaver End User Settings
Require a user to enter a password to unlock the screensaver (or when returning from sleep).
Security Settings
| Setting | Description |
|---|---|
| Disable Guest Account | Prevent users from logging in as Guest |
| Disable Internet Sharing | Users cannot use Internet Sharing to turn e.g. an Ethernet connection into a personal Wi-Fi network |
| Use network time server | Forced to time.apple.com |
| Enable Application Firewall | Turn on the "Firewall" in Security Preferences. This setting does not appear to work reliably, but it is the only setting Apple provides. |
| Apple IR Controller | Disable the Apple IR (infrared remote) controller |
| Disable console logins | Turn off text-mode console login |
| Disable password hints | Turn off the password hint shown after repeated failed login attempts |
| Use username & password fields | Show name and password fields on the login screen instead of the list of user portraits |
| Automatic timezone | Have the system set its time zone automatically |
| Home directory mode 700 | Make user home directories mode 700 (no group/other read/write access) |
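An audit of several rows of the table above, written as an added example (it is not part of the original page or of the MiWorkspace tooling). The `defaults` domains and keys it reads are assumptions about where macOS stores each setting, and `audit()` takes an injectable reader so the comparison logic can be exercised without a Mac.

```python
"""Audit a Mac against the Security Settings table (hypothetical example).
The preference domains/keys below are assumptions about where macOS stores
each setting. Run as root so the domains under /Library/Preferences are readable."""
import subprocess

LOGINWINDOW = "/Library/Preferences/com.apple.loginwindow"

# (label from the table, defaults domain, key, expected value) -- assumed keys
CHECKS = [
    ("Disable Guest Account", LOGINWINDOW, "GuestEnabled", False),
    ("Disable console logins", LOGINWINDOW, "DisableConsoleAccess", True),
    ("Disable password hints", LOGINWINDOW, "RetriesUntilHint", 0),
    ("Use username & password fields", LOGINWINDOW, "SHOWFULLNAME", True),
    ("Enable Application Firewall", "/Library/Preferences/com.apple.alf", "globalstate", 1),
    ("Automatic timezone", "/Library/Preferences/com.apple.timezone.auto", "Active", True),
]

def read_default(domain, key):
    """Return the text `defaults read` prints for domain/key, or None if unset."""
    proc = subprocess.run(["defaults", "read", domain, key], capture_output=True, text=True)
    return proc.stdout.strip() if proc.returncode == 0 else None

def normalize(raw):
    """defaults prints booleans as 0/1 and integers as digits; anything else stays text."""
    if raw is None:
        return None
    try:
        return int(raw.strip())
    except ValueError:
        return raw.strip()

def evaluate(check, raw):
    """Compare one observed value with its expected value. A missing key is
    reported as NOT SET rather than PASS: the platform default may vary by OS version."""
    label, domain, key, expected = check
    actual = normalize(raw)
    if actual is None:
        return (label, "NOT SET", f"{key} absent in {domain}")
    status = "PASS" if actual == expected else "FAIL"
    return (label, status, f"{key}={actual!r}, want {expected!r}")

def audit(reader=read_default):
    """Run every check; `reader` is injectable so the logic can be tested offline."""
    return [evaluate(c, reader(c[1], c[2])) for c in CHECKS]

if __name__ == "__main__":
    for label, status, detail in audit():
        print(f"{status:7} {label}: {detail}")
```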
Standard User Experience
- Configures the URL from which Managed Software Center fetches package icons
- Disable Spotlight on external volumes
  - We discovered that Spotlight might try to walk network volumes, which causes significant performance problems
- Disable .DS_Store (Finder preference files) on network volumes
IronIzzy (FileVault) Enabler
Triggers Izzy to enable FileVault encryption, recovery key escrow, and the disk password mechanism.
Bluetooth Discoverable OFF
Turn off Bluetooth discoverability at login. Users can turn this back on.
Bluetooth Sharing OFF
Turn off sharing of items through Bluetooth at login. Users can turn this back on.
Disable Bonjour Advertising
Turn off advertising this Mac on Bonjour (multicast DNS).
Disable Memory Core Dumps
Prevent app crashes from creating a core file.
Terminal Secure Keyboard Entry
Enables "Secure Keyboard Entry" by default in Terminal. Secure Entry prevents other apps from listening in on keydown events, which means that other apps can't read passwords typed into the Terminal window. Note that this will break apps like TextExpander. Also note that recent versions of macOS automatically enable Secure Entry at common password prompts, which is indicated by a 'key' icon in the cursor.