Profile policy settings are divided into two categories: Workgroup Manager Settings and Preference Manifest Settings.
The Workgroup Manager settings are designed to look and feel like the Workgroup Manager application. If you are familiar with Workgroup Manager from macOS server, it should be easy to transition to Group Policy. Settings for Applications, Classic, Dock, Energy Saver, Finder, Login, Media Access, Network, Parental Controls, Printing, Software Update, System Preferences, Time Machine and Universal Access are included. Safeguard Authentication Services supports the Never, Always and Once policy application options. You can apply settings to users or computers. With standard Group Policy security filtering, you can restrict settings to specific groups of users or computers.
Safeguard Authentication Services also includes support for Preference Manifest files. Preference Manifest files describe application settings you can manage centrally. Many standard macOS Preference Manifest files are included by default such as iChat, Mail, Sidebar, Time Zone and iTunes. You can import additional Preference Manifest files at any time, increasing the number of applications and features that you can manage.
On the macOS agent, Group Policy integrates with the Configuration Profile subsystem according to macOS best practices. This ensures that policy settings are applied correctly and appropriately to each new release of macOS.
The following management modes exist for macOS policy settings:
Table 1: macOS: Management modes
Never |
This mode means that the settings do not apply. This is equivalent to disabling the policy. This is the default mode. |
Once |
In this mode, policy settings are applied one time. Users can remove the Configuration Profile. This mode functions as a default value. |
Always |
In this mode, policy settings will always apply. Users cannot remove the Configuration Profile. |
Safeguard Authentication Services for macOS relies on the /usr/bin/profiles command to install configuration profiles. Starting in macOS version 11.0, this command can no longer be used to add profiles. To create a profile on macOS 11.0, use the System Preferences pane.
When installing profiles with system preferences, the agent installs both Device (also known as Machine profiles in the Group Policy plugin) and user profiles.
To install a profile on macOS 11.0 (and later):
- Log in to a macOS system.
A prompt appears, asking you to install a new profile.
- Open System Preferences and click Profiles.
- In the Profiles pane that appears, click Install.
- Device profiles only. In the dialog box that appears, type the user name and password of the device administrator account.
Note: You must specify administrative credentials when creating Device profiles. Any standard user can create a User profile without providing administrative credentials. An Always profile must have a password unique to that profile in order to remove it. A Once profile can be removed at any time.
The new profile is successfully installed and it appears available for selection.
Safeguard Authentication Services provides Group Policy extensions that mirror the functionality available in Apple Workgroup Manager console. Workgroup Manager Settings are located in the Mac OS X Settings folder (or in the Policies folder, if you are using the new Group Policy Management Editor.)
To open the properties of the Workgroup Manager settings
- Start the Group Policy Management Editor.
- Navigate to Computer Configuration | Mac OS X Settings or User Configuration | Mac OS X Settings.
- Double-click the Workgroup Manager Settings to open its properties.