Create a Mac Restrictions Policy

This policy allows administrators to manage and enforce specific device limitations on Mac computers to enhance organizational security and minimize distractions. By standardizing device capabilities, organizations can ensure a more productive work environment and protect sensitive data from unauthorized access or accidental exposure.

Prerequisites

  • macOS devices must be enrolled in Apple MDM with one of the following enrollment types:
    • Device-Enrolled Devices - These devices are owned by the corporation, and enrolled by the admin or by the user.
    • User-Enrolled Devices - These are personal devices used for work where the user enrolls the device to securely access corporate data while maintaining personal privacy.
    • Auto-Enrolled Devices - These devices are owned and enrolled by the corporation through Automated Device Enrollment.
      For more information, see MDM Enrollment Method.
  • Target devices must be running macOS 11 or later.

Creating the Policy

To create the policy:

  1. Log in to the JumpCloud Admin Portal.

Important:

If your data is stored outside of the US, check which login URL to use for your region. See JumpCloud Data Centers to learn more.

  2. Go to Device Management > Policy Management and click (+).
  3. On the New Policy panel, select the Mac tab.
  4. Search for and select Restrictions from the list, then click configure.
  5. (Optional) In the Policy Name field, enter a new name for the policy or keep the default. Policy names must be unique.
  6. (Optional) In the Policy Notes field, enter details such as the creation date of the policy and information on its testing and deployment.

Configuring the Policy

To configure the Restrictions policy settings, the following options are available:

Apple Intelligence & AI Writing Tools

  • Allow Apple Intelligence Report – Enable this to allow the system to generate reports on Apple Intelligence activity.
  • Allow Apple Personalized Advertising – Enable this to receive relevant ads based on your interests; disabling it limits personalized ad tracking.
  • Allow Genmoji – Enable this to allow the creation of custom Genmoji. (Requires a supervised device.)
  • Allow Image Playground – Toggle this on to allow the use of AI image generation features. (Requires a supervised device.)
  • Allow Writing Tools – Enable this to use AI-powered writing assistance. (Requires iOS 18+, macOS 15+, or visionOS 2.4+ on supervised devices.)
  • Allow Smart Replies in Mail – Enable this to allow the Mail app to suggest quick, context-aware replies.
  • Allow Manual Mail Summaries – Enable this to let users manually summarize email messages. (Note: This does not affect automatic summary generation.)
  • Allow Transcription in Notes – Toggle this on to transcribe audio recordings within the Notes app. (Requires a supervised device on iOS 18.3+ or macOS 15.3+.)
  • Allow Transcription Summarization in Notes – Enable this to generate summaries of audio transcriptions in the Notes app. (Requires a supervised device on iOS 18.3+ or macOS 15.3+.)
  • Allow Safari Summary – Enable this to allow Safari to summarize web content. (Requires a supervised device.)
  • Allow External Intelligence Integrations – Enable this to allow Siri to connect with external, cloud-based AI services.
  • Allow Sign-In to External Intelligence Integrations – Toggle this on to allow users to sign in to external AI accounts; if disabled, all requests are handled anonymously and active users are signed out.
  • Allowed External Intelligence Workspace IDs – Enter specific Workspace IDs here to restrict AI access to approved corporate accounts and require a user sign-in.

iCloud & Cloud Services

  • Allow iCloud Contacts – Enable this to allow the system to sync and access iCloud Contacts on macOS.
  • Allow iCloud Bookmark Sync – Toggle this on to keep your Safari bookmarks updated across devices. (Available on macOS 10.12+.)
  • Allow iCloud Calendar – Enable this to sync and manage iCloud Calendar events on your system. (Available on macOS 10.12+.)
  • Allow iCloud Desktop and Documents – Enable this to automatically store and sync files from your Desktop and Documents folders to iCloud. (Available on macOS 10.12.4+.)
  • Allow iCloud Document Sync – Enable this to allow document and key-value syncing to iCloud. (Requires a supervised device on iOS 13+; also available on iOS 5.0+, macOS 10.11+, and visionOS 2.0+.)
  • Allow iCloud Freeform – Toggle this on to allow syncing of Freeform boards to iCloud. (Available on macOS 14.0+.)
  • Allow iCloud Keychain Sync – Enable this to securely synchronize your passwords and credit card info across devices. (Note: Support for unsupervised devices and Managed Apple Accounts is deprecated.)
  • Allow iCloud Mail – Enable this to allow iCloud Mail services on macOS.
  • Allow iCloud Notes – Enable this to sync and access your iCloud Notes on macOS.
  • Allow iCloud Photo Library – Toggle this on to sync your photos with iCloud; if disabled, any photos not fully downloaded will be removed from local storage. (Note: Support for unsupervised devices and Managed Apple Accounts is deprecated.)
  • Allow iCloud Reminders – Enable this to sync and manage your iCloud Reminders. (Available on macOS 10.12+.)
  • Allow iCloud Private Relay – Enable this to hide your IP address and browsing activity in Safari. (Note: Support for unsupervised devices and Managed Apple Accounts is deprecated.)

Hardware & Connectivity Restrictions

  • Allow Camera Use – Enable this to allow the use of the camera; if disabled, the camera is deactivated and its icon is removed from the Home Screen.
  • Allow Screenshots and Screen Recording – Enable this to let users capture or record their screens; if disabled, this also prevents the Classroom app from observing remote screens.
  • Allow AirDrop – Toggle this on to allow wireless file sharing via AirDrop. (Requires supervision on iOS and visionOS.)
  • Allow Incoming AirPlay Requests – Enable this to allow the device to receive content via AirPlay. (Requires supervision on tvOS.)
  • Allow Modifying Bluetooth Settings – Enable this to let users change Bluetooth configurations; if disabled, these settings are locked. (Requires a supervised device on iOS 11.0+ or macOS 13.0+.)
  • Allow Modifying Bluetooth Sharing Setting – Toggle this on to allow changes to Bluetooth Sharing in System Settings. (Available on macOS 14.0+.)
  • Allow Modifying Internet Sharing – Enable this to allow users to change Internet Sharing settings. (Available on macOS 14.0+.)
  • Allow Modifying Printer Sharing Settings – Enable this to permit changes to Printer Sharing configurations. (Available on macOS 14.0+.)
  • Allow Modifying File Sharing Setting – Toggle this on to allow users to adjust File Sharing settings in System Settings on macOS.
  • Allow Modifying Media Sharing Settings – Enable this to allow users to change Media Sharing configurations. (Available on macOS 15.1+.)
  • Allow Modifying Remote Management Sharing Setting – Enable this to permit changes to the Remote Management Sharing setting. (Available on macOS 14.0+.)
  • Allow Modifying Remote Apple Events Sharing – Toggle this on to allow users to adjust Remote Apple Events Sharing in System Settings.
  • Allow Remote Screen Observation – Enable this to allow the Classroom app to observe the screen remotely. (Requires a supervised device for iOS versions before 13 and macOS versions before 10.15.)
  • Bypass Screen Capture Alert – Enable this to stop the system from showing an alert when the screen is being captured. (Available on macOS 15.1+.)
  • Allow Auto Unlock – Toggle this on to let users unlock their Mac with an Apple Watch or one iPhone with another.
  • Allow Universal Control – Enable this to use a single keyboard and mouse across multiple Apple devices. (Available on macOS 13+.)
  • Allow iPhone Mirroring – Enable this to permit mirroring between an iPhone and a Mac; if disabled, mirroring is blocked for both devices. (Available on supervised iOS 18+ and macOS 15.0+.)

Security, Passcodes & Biometrics

  • Allow Modifying Passcode – Enable this to let users add, change, or remove their device passcode. (Note: This is ignored on the Shared iPad and requires a supervised device.)
  • Allow Password AutoFill – Toggle this on to enable automatic password entry, strong password generation, and suggestions. (Does not affect contact or credit card AutoFill.)
  • Allow Password Proximity Requests – Enable this to allow the system to request passwords from nearby trusted devices.
  • Allow Password Sharing – Enable this to allow users to share passwords with others via AirDrop or the Passwords app.
  • Allow Biometric Modification – Toggle this on to let users set up or change Touch ID, Face ID, or Optic ID. (Requires a supervised device.)
  • Allow Biometrics to Unlock Device – Enable this to allow the use of Touch ID, Face ID, or Optic ID to unlock the device.
  • Enforced Fingerprint Timeout (Seconds) – Set the number of seconds before the device requires a passcode instead of a fingerprint for authentication. (Default is 172800 seconds / 48 hours.)
  • Allow Find My Device – Enable this to allow users to locate their device using the Find My app. (Requires a supervised device.)
  • Allow Find My Friends – Enable this to allow users to share their location and find friends in the Find My app. (Requires a supervised device.)
  • Allow Erase All Content and Settings – Toggle this on to allow the "Erase All Content and Settings" option in the device reset menu. (Requires a supervised device.)

System Settings & Device Management

  • Allow Account Modification – Enable this to let users add, remove, or modify accounts like Apple Accounts, Mail, Contacts, and Calendars. (Requires supervision on iOS, visionOS, and watchOS.)
  • Allow Modifying Device Name – Toggle this on to allow users to change the name of the device. (Available for supervised iOS 9.0+, macOS 14.0+, and supervised tvOS 11.0+.)
  • Allow Modifying Wallpaper – Enable this to permit users to change their background image. (On iOS, this requires a supervised device.)
  • Allow Manual Profile Installation – Enable this to allow users to manually install configuration profiles and certificates. (Requires a supervised device.)
  • Allow Modifying Startup Disk Settings – Toggle this on to allow users to change the designated startup disk in System Settings. (Available on macOS 14.0+.)
  • Allow Modifying Time Machine Settings – Enable this to let users configure or change Time Machine backup settings. (Available on macOS 14.0+.)
  • Allow Creating Users in System Settings – Enable this to allow the creation of new user accounts via System Settings. (Available on macOS 14.0+.)
  • Allow Diagnostic Submission – Toggle this on to allow the device to automatically send diagnostic and usage reports to Apple to help improve services. (Available for iOS 6.0+ and macOS 10.13+.)
  • Allow Content Caching – Enable this to allow the system to store and speed up the download of software and data from Apple's servers. (Available on macOS 10.13+.)

Siri, Dictation & Accessibility

  • Allow Siri – Enable this to allow the use of Siri. (Available on iOS 5.0+, macOS 14.0+, and visionOS 2.0+.)
  • Enable Siri Profanity Filter – Enable this to force the use of a profanity filter for both Siri and dictation. (Requires supervised iOS 5.0+ or macOS 10.13+.)
  • Allow Dictation – Toggle this on to permit the use of dictation for voice-to-text input.
  • Force On-Device Only Dictation – Enable this to ensure all dictation is processed locally on the device; this prevents the system from connecting to Siri servers for dictation.
  • Allow Definition Lookup – Enable this to allow users to look up word definitions. (Available for supervised iOS 8.1.3+ and macOS 10.11+.)
  • Allow Handoff – Enable this to allow users to start a task on one Apple device and pick it up on another.
  • Allow Live Voicemail – Toggle this on to allow the device to show real-time transcriptions of incoming voicemails. (Requires a supervised device on iOS 17.2+ or macOS 26.0+.)

Apps, Content & Media Ratings

  • Allow Bookstore – Enable this to allow access to the Book Store tab within the Books app. (Requires a supervised device on iOS 6.0+ or macOS 15.0+.)
  • Allow Bookstore Erotica – Toggle this on to allow users to download Apple Books media tagged as erotica. (Note: Support for this restriction on unsupervised devices is deprecated.)
  • Allow Explicit Content – Enable this to permit access to explicit music, video, News, and Podcast content; if disabled, this content is hidden. (Requires a supervised device.)
  • Maximum App Rating – Set the highest allowed age rating for apps. (Note: Preinstalled apps ignore this limit. Examples: 600 for 17+, 300 for 12+, 100 for 4+.)
  • Maximum Movie Rating – Set the highest allowed age rating for movies. (Examples: 500 for NC-17, 400 for R, 200 for PG, 100 for G.)
  • TV Shows Rating – Set the maximum allowed maturity level for TV content on the device. (Note: Support for this restriction on unsupervised devices is deprecated.)
  • Ratings Region – Enter a two-letter region code to ensure the device displays the correct local age ratings for apps and movies.
  • Allow Apple Music Service – Enable this to allow the full Apple Music service; if disabled, the Music app reverts to a basic, local-only mode. (Available on iOS 9.3+ and macOS 10.12+; requires supervision on iOS.)

Safari Settings

  • Allow AutoFill in Safari – Enable this to allow Safari to automatically fill in passwords, contact details, and credit card information. (Requires a supervised device on iOS 13 and later.)
  • Allow Clearing Safari History – Toggle this on to let users delete their browsing history; if disabled, the option to clear history is removed.
  • Allow Safari Private Browsing – Enable this to permit the use of Private Browsing windows; if disabled, users can only browse in standard mode.

Game Center & Social

  • Allow Game Center – Enable this to allow the use of Game Center; if disabled, the service is deactivated and its icon is removed from the Home Screen. (Requires a supervised device.)
  • Allow Adding Game Center Friends – Toggle this on to let users add friends in Game Center. (Requires a supervised device on iOS 13 and later.)
  • Allow Multiplayer Gaming – Enable this to permit multiplayer features in games. (Available on iOS 4.1+ and macOS 10.13+; requires supervision on iOS.)

Education & Classroom

  • Automatically Join Classroom Classes – Enable this to allow the system to accept teacher requests automatically without prompting the student. (Requires a supervised device.)
  • Require Permission to Leave Classroom Classes – Enable this to require students in unmanaged courses to get teacher approval before leaving the class. (Requires a supervised device.)
  • Allow Unprompted App and Device Lock in Classroom – Toggle this on to allow teachers to lock a student's apps or device without sending a prompt first. (Requires a supervised device.)
  • Allow Unprompted Screen Observation in Classroom – Enable this to allow teachers in managed courses to view a student's screen without requesting permission each time. (Requires a supervised device.)

Search & Utilities

  • Allow Siri Suggestions – Enable this to receive Spotlight internet search results within Siri Suggestions; if disabled, these search results are hidden.
  • Allow Call Recording – Toggle this on to permit the recording of phone calls. (Requires a supervised device on iOS 18.1+.)

Assigning and Applying the Policy

  1. (Optional) Select the Device Groups tab. Select one or more device groups where you want to apply this policy. For device groups with multiple OS member types, the policy is applied only to the supported OS.
  2. (Optional) Select the Devices tab. Select one or more devices where you want to apply this policy.
  3. Click Save. If prompted, click Save again. The policy configuration settings are applied automatically and do not require a system restart.
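
Once the policy is applied, the restrictions payload delivered to a Mac can be checked against a security baseline. The following is an added example, not JumpCloud code: the baseline values, the 24-hour fingerprint limit, and the mapping from the portal labels above to Apple's com.apple.applicationaccess key names are assumptions, and the sample profile is constructed.

```python
import plistlib

# Baseline is an assumption for this example, not a JumpCloud default. Keys are
# Apple's com.apple.applicationaccess names; their mapping to the portal labels
# on this page is assumed.
BASELINE = {
    "allowAirDrop": False,
    "allowCloudKeychainSync": False,
    "allowCloudDesktopAndDocuments": False,
    "allowPasswordSharing": False,
    "allowExternalIntelligenceIntegrations": False,
}
MAX_FINGERPRINT_TIMEOUT = 86400       # assumed baseline: 24 hours
DEFAULT_FINGERPRINT_TIMEOUT = 172800  # default stated on this page (48 hours)

def restrictions(profile_bytes):
    """Merge every com.apple.applicationaccess payload in a profile."""
    merged = {}
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.applicationaccess":
            merged.update(payload)
    return merged

def audit(profile_bytes):
    """Return sorted findings; an empty list means the baseline is met."""
    applied = restrictions(profile_bytes)
    findings = []
    for key, wanted in BASELINE.items():
        # An absent allow* key leaves the feature allowed, so treat it as True.
        if applied.get(key, True) != wanted:
            state = "not set" if key not in applied else "allowed"
            findings.append(f"{key}: {state}")
    timeout = applied.get("enforcedFingerprintTimeout", DEFAULT_FINGERPRINT_TIMEOUT)
    if timeout > MAX_FINGERPRINT_TIMEOUT:
        findings.append(f"enforcedFingerprintTimeout: {timeout}s")
    return sorted(findings)

# Constructed sample profile (not exported from a real device).
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [{
        "PayloadType": "com.apple.applicationaccess",
        "allowAirDrop": False,
        "allowCloudKeychainSync": False,
        "allowPasswordSharing": True,
        "allowExternalIntelligenceIntegrations": False,
    }],
})

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FAIL", finding)
```

The sample fails on three points: one restriction left on, one toggle never configured, and the fingerprint timeout left at its default.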