macOS-Specific Configuration
Login Window
The login window is the first screen a user sees on macOS. MDM can customize its appearance and behavior.
Show / Hide Users
Controls which users appear on the login screen. Hidden users must type their username to log in.
| Key | Type | Description |
|---|---|---|
| HideAdminUsers | Boolean | Hides administrator accounts from the login window |
| HideLocalUsers | Boolean | Hides local (non-network) user accounts |
| HideMobileAccounts | Boolean | Hides mobile account users |
| IncludeAllNetworkUsers | Boolean | Shows all network users on the login screen |
| ShowFullName | Boolean | Displays the full name instead of short name |
| ShowOtherUsers | Boolean | Shows "Other" option for manual username entry |
Login Banner
Displays a custom message on the login window, typically used for legal notices or acceptable-use policies.
| Key | Type | Description |
|---|---|---|
| BannerText | String | Custom text displayed above the login prompt |
Login Window Behavior
| Key | Type | Description |
|---|---|---|
| DisableScreenLockImmediate | Boolean | Prevents immediate screen lock from the login window |
| DisableAutomaticLogin | Boolean | Disables automatic login (recommended for security) |
| LoginWindowText | String | Footer text displayed at the bottom of the login window |
| ShutDownDisabled | Boolean | Hides the Shut Down button |
| RestartDisabled | Boolean | Hides the Restart button |
| SleepDisabled | Boolean | Hides the Sleep button |
Example
<dict>
  <key>HideAdminUsers</key>
  <false/>
  <key>HideLocalUsers</key>
  <false/>
  <key>HideMobileAccounts</key>
  <true/>
  <key>BannerText</key>
  <string>This system is for authorized use only.</string>
  <key>ShutDownDisabled</key>
  <false/>
  <key>RestartDisabled</key>
  <false/>
</dict>
Dock
The Dock configuration controls the macOS Dock appearance, behavior, and pinned applications.
Dock Items
Specifies which applications and folders appear in the Dock. Items are defined by bundle identifier or path.
| Key | Type | Description |
|---|---|---|
| static-apps | Array | List of applications pinned to the Dock |
| static-others | Array | List of folders or file paths pinned to the Dock |
| static-only | Boolean | Prevents users from adding or removing Dock items |
Dock Size and Position
| Key | Type | Description |
|---|---|---|
| tilesize | Integer | Size of Dock icons in pixels (1–128) |
| magnification | Boolean | Enables icon magnification on hover |
| largesize | Integer | Magnified icon size in pixels |
| orientation | String | Dock position: left, bottom, or right |
| mineffect | String | Minimize animation: genie or scale |
| minimize-to-application | Boolean | Minimizes windows into the application icon instead of the Dock |
Auto-Hide
| Key | Type | Description |
|---|---|---|
| autohide | Boolean | Automatically hides and shows the Dock |
| autohide-delay | Float | Delay in seconds before the Dock auto-hides |
| autohide-modifier | String | Modifier key that reveals the Dock when auto-hide is enabled |
Example
<dict>
  <key>static-apps</key>
  <array>
    <string>/Applications/Safari.app</string>
    <string>/Applications/Mail.app</string>
    <string>/Applications/Calendar.app</string>
    <string>/Applications/Microsoft Teams.app</string>
  </array>
  <key>static-others</key>
  <array>
    <string>/Applications</string>
    <string>~/Downloads</string>
  </array>
  <key>static-only</key>
  <false/>
  <key>tilesize</key>
  <integer>48</integer>
  <key>orientation</key>
  <string>bottom</string>
  <key>autohide</key>
  <true/>
</dict>
Energy Saver
Power management settings control when the display sleeps, when the computer sleeps, and wake behavior.
Power Settings
| Key | Type | Description |
|---|---|---|
| Desktop | Dictionary | Power settings when the device is plugged into AC power |
| Portable | Dictionary | Power settings when the device is on battery power |
| DestroyFVKeyOnStandby | Boolean | Destroys the FileVault key on standby for enhanced security |
Desktop (AC Power)
| Key | Type | Description |
|---|---|---|
| DisplaySleepTimer | Integer | Minutes before the display sleeps (0 = never) |
| DiskSleepTimer | Integer | Minutes before the disk sleeps (0 = never) |
| SleepDisabled | Boolean | Prevents the computer from sleeping |
| PowerNap | Boolean | Enables Power Nap (background updates while sleeping) |
| WakeOnLAN | Boolean | Wakes the device on network activity |
| AutomaticRestartOnPowerLoss | Boolean | Automatically restarts after a power failure |
Portable (Battery Power)
Same keys as Desktop, applied when the device is running on battery.
Example
<dict>
  <key>Desktop</key>
  <dict>
    <key>DisplaySleepTimer</key>
    <integer>15</integer>
    <key>DiskSleepTimer</key>
    <integer>30</integer>
    <key>SleepDisabled</key>
    <false/>
    <key>WakeOnLAN</key>
    <true/>
  </dict>
  <key>Portable</key>
  <dict>
    <key>DisplaySleepTimer</key>
    <integer>5</integer>
    <key>DiskSleepTimer</key>
    <integer>15</integer>
    <key>SleepDisabled</key>
    <false/>
  </dict>
</dict>
Software Update
Controls how macOS checks for, downloads, and installs software updates.
Update Behavior
| Key | Type | Description |
|---|---|---|
| AllowPreReleaseInstallation | Integer | Controls beta software installation: 0 = not allowed, 1 = allowed, 2 = allowed for production only |
| AutomaticCheckEnabled | Boolean | Enables automatic update checks |
| AutomaticDownload | Boolean | Downloads updates automatically (requires user approval to install) |
| ConfigDataInstall | Boolean | Installs configuration data updates automatically |
| CriticalUpdateInstall | Boolean | Installs security updates and system data files automatically |
| AutomaticallyInstallMacOSUpdates | Boolean | Installs major macOS updates automatically |
| AutomaticallyInstallAppUpdates | Boolean | Installs App Store app updates automatically |
| DeferUpdates | Boolean | Defers update visibility to users for a configurable period |
| DeferPeriod | Integer | Number of days to defer updates (1–90) |
Deferral Policy
Deferral allows IT to delay updates for testing before they reach end users. The deferral period applies after Apple releases the update.
| Key | Type | Description |
|---|---|---|
| DeferMajorPeriod | Integer | Days to defer major macOS updates |
| DeferMinorPeriod | Integer | Days to defer minor macOS updates |
| DeferNonOSPeriod | Integer | Days to defer non-OS updates (Safari, XProtect, etc.) |
Example
<dict>
  <key>AutomaticCheckEnabled</key>
  <true/>
  <key>AutomaticDownload</key>
  <true/>
  <key>ConfigDataInstall</key>
  <true/>
  <key>CriticalUpdateInstall</key>
  <true/>
  <key>AutomaticallyInstallMacOSUpdates</key>
  <false/>
  <key>DeferUpdates</key>
  <true/>
  <key>DeferPeriod</key>
  <integer>30</integer>
</dict>
System Extensions
System Extensions are the modern replacement for kernel extensions. They run in user space and provide network, endpoint security, and driver functionality without loading code into the kernel.
Allowing System Extensions
System extensions must be explicitly allowed by the user or pre-approved via MDM. Each extension is identified by its bundle identifier and team identifier.
| Key | Type | Description |
|---|---|---|
| AllowedSystemExtensions | Dictionary | Map of team identifiers to arrays of allowed extension bundle identifiers |
| AllowedTeamIdentifier | String | Apple Developer Team ID of the extension developer |
| AllowedBundleIdentifier | String | Bundle identifier of the system extension |
System Extension Types
| Type | Description |
|---|---|
| Network Extension | VPN, content filtering, DNS proxy, network proxy |
| Endpoint Security Extension | File, process, and network event monitoring |
| DriverKit Extension | Hardware driver running in user space |
| Serial Extension | Serial device access |
Example
<dict>
  <key>AllowedSystemExtensions</key>
  <dict>
    <key>ABC123DEFG</key>
    <array>
      <string>com.example.vpn.networkextension</string>
      <string>com.example.security.endpoint</string>
    </array>
  </dict>
</dict>
Kernel Extensions
Legacy kernel extensions (kexts) run in kernel space. Apple has deprecated kernel extensions in favor of system extensions, but some third-party software still requires them.
Allowing Kernel Extensions
Kernel extensions must be explicitly allowed by team identifier or bundle identifier.
| Key | Type | Description |
|---|---|---|
| AllowUserOverrides | Boolean | Allows users to approve additional kernel extensions |
| AllowedTeamIdentifiers | Array | List of Apple Developer Team IDs whose kexts are allowed |
| AllowedKernelExtensions | Dictionary | Map of team identifiers to arrays of allowed kext bundle identifiers |
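The allow-list keys described for system extensions and kernel extensions can be reviewed mechanically before a profile is deployed. The Python check below is an added example, not code from the original page: the function name, the `APPROVED` inventory, and the second bundle identifier in the sample payload are assumptions made for illustration.

```python
import plistlib

# Constructed payload: this page's placeholder team ID and kext bundle ID,
# plus one made-up bundle ID that has not been reviewed.
SAMPLE_KEXT_POLICY = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>AllowUserOverrides</key><true/>
  <key>AllowedTeamIdentifiers</key>
  <array><string>ABC123DEFG</string></array>
  <key>AllowedKernelExtensions</key>
  <dict>
    <key>ABC123DEFG</key>
    <array>
      <string>com.example.legacy.driver</string>
      <string>com.example.unreviewed.driver</string>
    </array>
  </dict>
</dict>
</plist>"""

# Hypothetical inventory of (team ID, bundle ID) pairs approved by review.
APPROVED = {("ABC123DEFG", "com.example.legacy.driver")}


def audit_extension_policy(payload, approved=APPROVED):
    """Return findings for a kernel or system extension allow-list payload."""
    policy = plistlib.loads(payload)
    findings = []
    if policy.get("AllowUserOverrides", False):
        findings.append("AllowUserOverrides=true: users may approve kexts beyond this list")
    team_wide = set(policy.get("AllowedTeamIdentifiers", []))
    for team in sorted(team_wide):
        findings.append(f"{team}: whole team allowed, not pinned to bundle IDs")
    # Both maps have the shape {team ID: [bundle ID, ...]}.
    for key in ("AllowedKernelExtensions", "AllowedSystemExtensions"):
        for team, bundles in sorted(policy.get(key, {}).items()):
            if key == "AllowedKernelExtensions" and team in team_wide:
                findings.append(f"{team}: bundle list is moot, team is allowed as a whole")
            for bundle in bundles:
                if (team, bundle) not in approved:
                    findings.append(f"{team}/{bundle}: not in approved inventory")
    return findings


if __name__ == "__main__":
    for finding in audit_extension_policy(SAMPLE_KEXT_POLICY):
        print(finding)
```

Run against the sample, the check reports the user override, the team-wide allowance that makes the per-bundle list for the same team ineffective, and the one bundle identifier missing from the inventory.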
Example
<dict>
  <key>AllowUserOverrides</key>
  <true/>
  <key>AllowedTeamIdentifiers</key>
  <array>
    <string>ABC123DEFG</string>
  </array>
  <key>AllowedKernelExtensions</key>
  <dict>
    <key>ABC123DEFG</key>
    <array>
      <string>com.example.legacy.driver</string>
    </array>
  </dict>
</dict>
Login Items
Login items are applications, background services, and scripts that launch automatically when a user logs in.
Managed Login Items
MDM can add, remove, or enforce login items on managed macOS devices.
| Key | Type | Description |
|---|---|---|
| AutoLaunchedApplicationDictionary | Array | List of applications to launch at user login |
| Hide | Boolean | Hides the application window on launch |
| Path | String | Full file system path to the application |
| BundleIdentifier | String | Bundle identifier of the application |
Background Login Items
macOS also supports background login items (launch agents) that run without a visible UI.
| Key | Type | Description |
|---|---|---|
| BackgroundLoginItems | Array | List of background services to start at login |
| BundleIdentifier | String | Bundle identifier of the background service |
| Hide | Boolean | Hides the service from the user |
Example
<dict>
  <key>AutoLaunchedApplicationDictionary</key>
  <array>
    <dict>
      <key>Hide</key>
      <false/>
      <key>Path</key>
      <string>/Applications/Microsoft Teams.app</string>
    </dict>
    <dict>
      <key>Hide</key>
      <true/>
      <key>Path</key>
      <string>/Applications/CompanyPortal.app</string>
    </dict>
  </array>
</dict>
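Because every entry in `AutoLaunchedApplicationDictionary` runs at each login, a managed login-item payload is worth checking before deployment. The Python check below is an added example, not code from the original page: the function name, the `TRUSTED_ROOTS` list, and the third entry in the sample payload are assumptions made for illustration.

```python
import plistlib
from pathlib import PurePosixPath

# Constructed payload: the page's two items plus one made-up entry.
SAMPLE_LOGIN_ITEMS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>AutoLaunchedApplicationDictionary</key>
  <array>
    <dict><key>Hide</key><false/>
      <key>Path</key><string>/Applications/Microsoft Teams.app</string></dict>
    <dict><key>Hide</key><true/>
      <key>Path</key><string>/Applications/CompanyPortal.app</string></dict>
    <dict><key>Hide</key><true/>
      <key>Path</key><string>/Users/Shared/helper.app</string></dict>
  </array>
</dict>
</plist>"""

# Assumption: managed login items should live where standard users cannot write.
TRUSTED_ROOTS = ("/Applications/", "/Library/", "/System/")


def audit_login_items(payload, trusted_roots=TRUSTED_ROOTS):
    """Return (item, reason) pairs for login items that need review."""
    profile = plistlib.loads(payload)
    findings = []
    for item in profile.get("AutoLaunchedApplicationDictionary", []):
        path = item.get("Path")
        label = path or item.get("BundleIdentifier", "<unnamed>")
        if path is not None:
            # Relative, "~"-prefixed and ".."-containing paths are rejected.
            if not path.startswith("/") or ".." in PurePosixPath(path).parts:
                findings.append((label, "not a plain absolute path"))
            elif not path.startswith(trusted_roots):
                findings.append((label, "outside trusted application locations"))
        if item.get("Hide", False):
            findings.append((label, "launches hidden; confirm it is expected"))
    return findings


if __name__ == "__main__":
    for label, reason in audit_login_items(SAMPLE_LOGIN_ITEMS):
        print(f"{label}: {reason}")
```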