The Application settings control which applications are allowed to execute on macOS.
- Select the Manage mode: Never, Once, or Always.
- Select Restrict which applications are allowed to launch if you want to disallow applications thus restricting the applications the user can access.
- Application restrictions are controlled by means of folder paths. Group Policy does not currently support application management using digital signatures, therefore to allow or prevent users from launching an application, add the application or the path to the application to one of two lists:
If an application does not appear in either of these lists, the user can not launch the application.
- Click Add to open the New Application Item dialog. You can type the absolute Unix path or you can click Remote Browse to log into a remote macOS machine (by means of SSH) and browse for the target folder. It displays recently specified paths. To reuse a recently specified path, double-click the item in the list.
Note: Both disallow and allow paths support the %HOME% macro-expansion to the user's Unix home directory. For example, to restrict a user from running applications in their home directory, specify %HOME%. This macros is only supported by user policies; machine policies do not support this macro type.
The Options settings control macOS server settings. For example, you can choose whether to allow a user to use the App Store. If set to false, a user that attempts to use the app store will receive a message like the following: You don't have permissions to use the App Store.
- Select the Manage mode: Never, Once, or Always.
- Select the check boxes to enable the features you want to enable.
- Allow use of Game Center
- Allow multiplayer gaming
- Allow adding Game Center friends
- Allow Game Center account modifications
- Allow App Store app adoption
- Allow Safari AutoFill
- Allow software update notifications
- Require admin password to install or update apps
- Restrict App Store to MDM installed apps and software updates
On macOS, the Dock is similar to a tool bar on other operating systems. In addition to showing which applications are running, the dock provides quick shortcuts to applications, folders and documents as well as system controls. Dock settings allow you to adjust the behavior of the user’s Dock and specify which items appear in it.
You can apply Dock Properties settings under both Computer Configuration and User Configuration.
Dock Items tab settings control the applications, files and folders that are displayed on the user's Dock and support the following management modes: Never, Once, Always.
You can insert three types of items into the user's Dock: Applications, Documents and Folders. The Applications list controls which applications are inserted. The Documents and Folders list controls documents and folders that are inserted into the user's Dock. Click Add to select the items to insert in the Dock. You can drag the items within the list to change the order in which they appear on the Dock.
In addition to standard Unix paths, you can specify a network share by using the following syntax:
cifs://<server hostname>/<share name>
Folder paths support two types of macro-expansions. First, the %@ macro expands to the user's Unix name. Additionally, you can expand any active directory attribute using the %<attributename>% macro. For example, to add the user’s network home directory to the dock, specify %homeDirectory%. You can get the value for any user attribute using the %<attributename>% macro. These macros are only supported by user policies; machine policies do not support either of these macro types.
The following options are also supported:
- Merge with the user's Dock
Select to merge the specified items into the user's Dock. If you do not select this option, the specified items replace the user's Dock.
- Add other folders:
Select to add predefined folders to the user's Dock. Safeguard Authentication Services supports My Applications and Documents.
