The following management modes exist for macOS policy settings:
Table 1: macOS: Management modes
Never |
This mode means that the settings do not apply. This is equivalent to disabling the policy. This is the default mode. |
Once |
In this mode, policy settings are applied one time. Users can remove the Configuration Profile. This mode functions as a default value. |
Always |
In this mode, policy settings will always apply. Users cannot remove the Configuration Profile. |
Safeguard Authentication Services for macOS relies on the /usr/bin/profiles command to install configuration profiles. Starting in macOS version 11.0, this command can no longer be used to add profiles. To create a profile on macOS 11.0, use the System Preferences pane.
When installing profiles with system preferences, the agent installs both Device (also known as Machine profiles in the Group Policy plugin) and user profiles.
To install a profile on macOS 11.0 (and later):
- Log in to a macOS system.
A prompt appears, asking you to install a new profile.
- Open System Preferences and click Profiles.
- In the Profiles pane that appears, click Install.
- Device profiles only. In the dialog box that appears, type the user name and password of the device administrator account.
Note: You must specify administrative credentials when creating Device profiles. Any standard user can create a User profile without providing administrative credentials. An Always profile must have a password unique to that profile in order to remove it. A Once profile can be removed at any time.
The new profile is successfully installed and it appears available for selection.
Safeguard Authentication Services provides Group Policy extensions that mirror the functionality available in Apple Workgroup Manager console. Workgroup Manager Settings are located in the Mac OS X Settings folder (or in the Policies folder, if you are using the new Group Policy Management Editor.)
To open the properties of the Workgroup Manager settings
- Start the Group Policy Management Editor.
- Navigate to Computer Configuration | Mac OS X Settings or User Configuration | Mac OS X Settings.
- Double-click the Workgroup Manager Settings to open its properties.
The Applications Properties settings allow you to control access to specific applications and paths to applications using digital signatures.
You can apply Application Properties settings under both Computer Configuration and User Configuration.
There are two tabs: