Security & Privacy settings
Use this payload to set various Gatekeeper options, manage FileVault in OS X, determine if diagnostic information is reported back to Apple, and set which apps can be opened.
General settings (OS X only)
Note: Use the Security & Privacy payload for all configuration profiles. For more information, see About profiles and payloads and Payload best practices.
These settings do the following:
Protect a Mac from malware by only allowing apps from identified developers.
Manage Gatekeeper overrides.
Specify password and login options.
Setting | Category | Description |
---|---|---|
App Store | Device and device group | If this option is selected, only apps downloaded from the App Store can be opened by double-clicking the app’s icon. |
App Store and identified developers | Device and device group | If this option is selected, only apps downloaded from the App Store or from developers identified by Apple can be opened by double-clicking the app’s icon. |
Anywhere | Device and device group | If this option is selected, any app can be opened by double-clicking the app’s icon, regardless of where it came from. |
Do not allow user to override Gatekeeper setting | Device, device group, user, and user group | When this option is on, it prevents the user from using Control-click to open an unidentified app or from installing an app using the Installer app. |
Allow user to change password | Device, device group, user, and user group | When this option is off, users aren’t permitted to change their password. |
Require password after sleep or screen saver begins | Device, device group, user, and user group | When this option is off, a password isn’t required upon waking or when a screen saver ends as a result of mouse, trackpad, or keyboard movement. |
Allow user to set lock message | Device, device group, user, and user group | When this option is off, users can’t set a short message that appears at the bottom of the lock screen. |
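
The following is an added example, not part of the original documentation: a small audit that reads an exported profile and reports which of the three Gatekeeper options it sets and whether the user can still override it. The payload types (`com.apple.systempolicy.control`, `com.apple.systempolicy.managed`) and keys (`EnableAssessment`, `AllowIdentifiedDevelopers`, `DisableOverride`) are assumed from Apple's configuration profile format and do not appear on this page; the sample profile is constructed.

```python
import plistlib

# Constructed sample profile (not from the page). Payload types and keys are
# assumed from Apple's configuration profile format for Gatekeeper settings.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.systempolicy.control</string>
      <key>EnableAssessment</key><true/>
      <key>AllowIdentifiedDevelopers</key><true/>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.systempolicy.managed</string>
      <key>DisableOverride</key><false/>
    </dict>
  </array>
</dict></plist>"""


def audit_gatekeeper(profile_bytes):
    """Return (level, findings) for the Gatekeeper part of a profile."""
    profile = plistlib.loads(profile_bytes)
    control, managed = {}, {}
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        if ptype == "com.apple.systempolicy.control":
            control = payload
        elif ptype == "com.apple.systempolicy.managed":
            managed = payload

    findings = []
    if not control:
        level = "unmanaged"
        findings.append("no Gatekeeper payload: the user's own setting applies")
    elif not control.get("EnableAssessment", False):
        level = "Anywhere"
        findings.append("Gatekeeper assessment is off: any app can be opened")
    elif control.get("AllowIdentifiedDevelopers", False):
        level = "App Store and identified developers"
    else:
        level = "App Store"

    # Without DisableOverride, Control-click still opens an unidentified app.
    enforced = level not in ("unmanaged", "Anywhere")
    if enforced and not managed.get("DisableOverride", False):
        findings.append("user can override Gatekeeper with Control-click")
    return level, findings
```

Calling `audit_gatekeeper(SAMPLE_PROFILE)` on the constructed profile reports the "App Store and identified developers" level together with the override finding, which is the combination the "Do not allow user to override Gatekeeper setting" option is meant to close.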
FileVault settings for devices and device groups (OS X only)
Use these settings to require FileVault and to specify the type of recovery keys.
Setting | Description |
---|---|
Require FileVault | FileVault becomes enabled the next time a user logs out. |
Use an institutional recovery key | If an institutional recovery key is selected, a certificate must be selected (see below). |
Create a personal FileVault recovery key | After FileVault is enabled, the user can choose his or her own recovery key. |
Use an institutional recovery key and create a personal FileVault recovery key | Both an institutional and personal recovery key are used. For example, an organization may want to keep control of a known recovery key but still let a user create and use their own personal recovery key. |
Certificate | A certificate can be selected from the list. |
Require user to unlock FileVault after hibernation | When this option is on, a user must enter his or her password when the Mac wakes from hibernation. |
Privacy
When this option is off, diagnostic and usage data isn’t sent to Apple.