
macOS-Specific Configuration

Login Window

The login window is the first screen a user sees on macOS. MDM can customize its appearance and behavior.

Show / Hide Users

Controls which users appear on the login screen. Hidden users must type their username to log in.

| Key | Type | Description |
| --- | --- | --- |
| HideAdminUsers | Boolean | Hides administrator accounts from the login window |
| HideLocalUsers | Boolean | Hides local (non-network) user accounts |
| HideMobileAccounts | Boolean | Hides mobile account users |
| IncludeAllNetworkUsers | Boolean | Shows all network users on the login screen |
| ShowFullName | Boolean | Displays the full name instead of short name |
| ShowOtherUsers | Boolean | Shows "Other" option for manual username entry |

Login Banner

Displays a custom message on the login window, typically used for legal notices or acceptable-use policies.

| Key | Type | Description |
| --- | --- | --- |
| BannerText | String | Custom text displayed above the login prompt |

Login Window Behavior

| Key | Type | Description |
| --- | --- | --- |
| DisableScreenLockImmediate | Boolean | Prevents immediate screen lock from the login window |
| DisableAutomaticLogin | Boolean | Disables automatic login (recommended for security) |
| LoginWindowText | String | Footer text displayed at the bottom of the login window |
| ShutDownDisabled | Boolean | Hides the Shut Down button |
| RestartDisabled | Boolean | Hides the Restart button |
| SleepDisabled | Boolean | Hides the Sleep button |

Example

```xml
<dict>
    <key>HideAdminUsers</key>
    <false/>
    <key>HideLocalUsers</key>
    <false/>
    <key>HideMobileAccounts</key>
    <true/>
    <key>BannerText</key>
    <string>This system is for authorized use only.</string>
    <key>ShutDownDisabled</key>
    <false/>
    <key>RestartDisabled</key>
    <false/>
</dict>
```

Dock

The Dock configuration controls the macOS Dock appearance, behavior, and pinned applications.

Dock Items

Specifies which applications and folders appear in the Dock. Items are defined by bundle identifier or path.

| Key | Type | Description |
| --- | --- | --- |
| static-apps | Array | List of applications pinned to the Dock |
| static-others | Array | List of folders or file paths pinned to the Dock |
| static-only | Boolean | Prevents users from adding or removing Dock items |

Dock Size and Position

| Key | Type | Description |
| --- | --- | --- |
| tilesize | Integer | Size of Dock icons in pixels (1–128) |
| magnification | Boolean | Enables icon magnification on hover |
| largesize | Integer | Magnified icon size in pixels |
| orientation | String | Dock position: left, bottom, or right |
| mineffect | String | Minimize animation: genie or scale |
| minimize-to-application | Boolean | Minimizes windows into the application icon instead of the Dock |

Auto-Hide

| Key | Type | Description |
| --- | --- | --- |
| autohide | Boolean | Automatically hides and shows the Dock |
| autohide-delay | Float | Delay in seconds before the Dock auto-hides |
| autohide-modifier | String | Modifier key that reveals the Dock when auto-hide is enabled |

Example

```xml
<dict>
    <key>static-apps</key>
    <array>
        <string>/Applications/Safari.app</string>
        <string>/Applications/Mail.app</string>
        <string>/Applications/Calendar.app</string>
        <string>/Applications/Microsoft Teams.app</string>
    </array>
    <key>static-others</key>
    <array>
        <string>/Applications</string>
        <string>~/Downloads</string>
    </array>
    <key>static-only</key>
    <false/>
    <key>tilesize</key>
    <integer>48</integer>
    <key>orientation</key>
    <string>bottom</string>
    <key>autohide</key>
    <true/>
</dict>
```

Energy Saver

Power management settings control when the display sleeps, when the computer sleeps, and wake behavior.

Power Settings

| Key | Type | Description |
| --- | --- | --- |
| Desktop | Dictionary | Power settings when the device is plugged into AC power |
| Portable | Dictionary | Power settings when the device is on battery power |
| DestroyFVKeyOnStandby | Boolean | Destroys the FileVault key on standby for enhanced security |

Desktop (AC Power)

| Key | Type | Description |
| --- | --- | --- |
| DisplaySleepTimer | Integer | Minutes before the display sleeps (0 = never) |
| DiskSleepTimer | Integer | Minutes before the disk sleeps (0 = never) |
| SleepDisabled | Boolean | Prevents the computer from sleeping |
| PowerNap | Boolean | Enables Power Nap (background updates while sleeping) |
| WakeOnLAN | Boolean | Wakes the device on network activity |
| AutomaticRestartOnPowerLoss | Boolean | Automatically restarts after a power failure |

Portable (Battery Power)

Same keys as Desktop, applied when the device is running on battery.

Example

```xml
<dict>
    <key>Desktop</key>
    <dict>
        <key>DisplaySleepTimer</key>
        <integer>15</integer>
        <key>DiskSleepTimer</key>
        <integer>30</integer>
        <key>SleepDisabled</key>
        <false/>
        <key>WakeOnLAN</key>
        <true/>
    </dict>
    <key>Portable</key>
    <dict>
        <key>DisplaySleepTimer</key>
        <integer>5</integer>
        <key>DiskSleepTimer</key>
        <integer>15</integer>
        <key>SleepDisabled</key>
        <false/>
    </dict>
</dict>
```

Software Update

Controls how macOS checks for, downloads, and installs software updates.

Update Behavior

| Key | Type | Description |
| --- | --- | --- |
| AllowPreReleaseInstallation | Integer | Controls beta software installation: 0 = not allowed, 1 = allowed, 2 = allowed for production only |
| AutomaticCheckEnabled | Boolean | Enables automatic update checks |
| AutomaticDownload | Boolean | Downloads updates automatically (requires user approval to install) |
| ConfigDataInstall | Boolean | Installs configuration data updates automatically |
| CriticalUpdateInstall | Boolean | Installs security updates and system data files automatically |
| AutomaticallyInstallMacOSUpdates | Boolean | Installs major macOS updates automatically |
| AutomaticallyInstallAppUpdates | Boolean | Installs App Store app updates automatically |
| DeferUpdates | Boolean | Defers update visibility to users for a configurable period |
| DeferPeriod | Integer | Number of days to defer updates (1–90) |

Deferral Policy

Deferral allows IT to delay updates for testing before they reach end users. The deferral period applies after Apple releases the update.

| Key | Type | Description |
| --- | --- | --- |
| DeferMajorPeriod | Integer | Days to defer major macOS updates |
| DeferMinorPeriod | Integer | Days to defer minor macOS updates |
| DeferNonOSPeriod | Integer | Days to defer non-OS updates (Safari, XProtect, etc.) |

Example

```xml
<dict>
    <key>AutomaticCheckEnabled</key>
    <true/>
    <key>AutomaticDownload</key>
    <true/>
    <key>ConfigDataInstall</key>
    <true/>
    <key>CriticalUpdateInstall</key>
    <true/>
    <key>AutomaticallyInstallMacOSUpdates</key>
    <false/>
    <key>DeferUpdates</key>
    <true/>
    <key>DeferPeriod</key>
    <integer>30</integer>
</dict>
```
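
The checks that the Software Update tables imply, written out as an added example (not code from this page or from any MDM product): it parses a payload with Python's `plistlib` and reports type mismatches, a `DeferPeriod` outside 1–90, and an explicit `CriticalUpdateInstall` of false. `load_fragment`, `audit_software_update` and the weak sample payload are names and values constructed for illustration.

```python
import plistlib

# Key types as listed in the Software Update tables on this page.
BOOL_KEYS = {"AutomaticCheckEnabled", "AutomaticDownload", "ConfigDataInstall",
             "CriticalUpdateInstall", "AutomaticallyInstallMacOSUpdates",
             "AutomaticallyInstallAppUpdates", "DeferUpdates"}
INT_KEYS = {"AllowPreReleaseInstallation", "DeferPeriod", "DeferMajorPeriod",
            "DeferMinorPeriod", "DeferNonOSPeriod"}

def load_fragment(xml: bytes) -> dict:
    """Parse a bare <dict> payload by wrapping it in a <plist> root element."""
    return plistlib.loads(b'<plist version="1.0">' + xml.strip() + b"</plist>")

def audit_software_update(payload: dict) -> list:
    """Return findings for a Software Update payload (hypothetical helper)."""
    findings = []
    for key, value in payload.items():
        want = bool if key in BOOL_KEYS else int if key in INT_KEYS else None
        # type() rather than isinstance(): bool is a subclass of int in Python.
        if want is None:
            findings.append(f"{key}: not a documented Software Update key")
        elif type(value) is not want:
            findings.append(f"{key}: expected {want.__name__}")
    period = payload.get("DeferPeriod")
    if type(period) is int:
        if not 1 <= period <= 90:
            findings.append("DeferPeriod: outside the documented 1-90 day range")
        if payload.get("DeferUpdates") is not True:
            findings.append("DeferPeriod: set while DeferUpdates is not enabled")
    elif payload.get("DeferUpdates") is True:
        findings.append("DeferUpdates: enabled without a valid DeferPeriod")
    if payload.get("AllowPreReleaseInstallation", 0) not in (0, 1, 2):
        findings.append("AllowPreReleaseInstallation: must be 0, 1 or 2")
    if payload.get("CriticalUpdateInstall") is False:
        findings.append("CriticalUpdateInstall: security updates not automatic")
    return findings

# Subset of the page's example payload, then a constructed weak variant.
PAGE_EXAMPLE = b"""<dict>
    <key>CriticalUpdateInstall</key><true/><key>DeferUpdates</key><true/>
    <key>DeferPeriod</key><integer>30</integer>
</dict>"""
WEAK_EXAMPLE = b"""<dict>
    <key>CriticalUpdateInstall</key><false/><key>DeferUpdates</key><true/>
    <key>DeferPeriod</key><integer>120</integer>
</dict>"""

if __name__ == "__main__":
    print([audit_software_update(load_fragment(r)) for r in (PAGE_EXAMPLE, WEAK_EXAMPLE)])
```

Absent keys are not flagged, because the page does not state default values; only explicit settings are audited.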

System Extensions

System Extensions are the modern replacement for kernel extensions. They run in user space and provide network, endpoint security, and driver functionality without loading code into the kernel.

Allowing System Extensions

System extensions must be explicitly allowed by the user or pre-approved via MDM. Each extension is identified by its bundle identifier and team identifier.

| Key | Type | Description |
| --- | --- | --- |
| AllowedSystemExtensions | Dictionary | Map of team identifiers to arrays of allowed extension bundle identifiers |
| AllowedTeamIdentifier | String | Apple Developer Team ID of the extension developer |
| AllowedBundleIdentifier | String | Bundle identifier of the system extension |

System Extension Types

| Type | Description |
| --- | --- |
| Network Extension | VPN, content filtering, DNS proxy, network proxy |
| Endpoint Security Extension | File, process, and network event monitoring |
| DriverKit Extension | Hardware driver running in user space |
| Serial Extension | Serial device access |

Example

```xml
<dict>
    <key>AllowedSystemExtensions</key>
    <dict>
        <key>ABC123DEFG</key>
        <array>
            <string>com.example.vpn.networkextension</string>
            <string>com.example.security.endpoint</string>
        </array>
    </dict>
</dict>
```

Kernel Extensions

Legacy kernel extensions (kexts) run in kernel space. Apple has deprecated kernel extensions in favor of system extensions, but some third-party software still requires them.

Allowing Kernel Extensions

Kernel extensions must be explicitly allowed by team identifier or bundle identifier.

| Key | Type | Description |
| --- | --- | --- |
| AllowUserOverrides | Boolean | Allows users to approve additional kernel extensions |
| AllowedTeamIdentifiers | Array | List of Apple Developer Team IDs whose kexts are allowed |
| AllowedKernelExtensions | Dictionary | Map of team identifiers to arrays of allowed kext bundle identifiers |

Example

```xml
<dict>
    <key>AllowUserOverrides</key>
    <true/>
    <key>AllowedTeamIdentifiers</key>
    <array>
        <string>ABC123DEFG</string>
    </array>
    <key>AllowedKernelExtensions</key>
    <dict>
        <key>ABC123DEFG</key>
        <array>
            <string>com.example.legacy.driver</string>
        </array>
    </dict>
</dict>
```
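
How the three Kernel Extensions keys combine, as an added example rather than code from this page: it evaluates one kext against a payload and flags settings that widen the allow list beyond its per-bundle entries. `kext_decision` and `audit_kext_policy` are hypothetical helper names, `ZZZ9999999` and `com.example.other.kext` are constructed test values, and the evaluation order (team-wide allow, then listed bundle, then user override) is an assumption drawn from the key descriptions above.

```python
import plistlib

def load_fragment(xml: bytes) -> dict:
    """Parse a bare <dict> payload by wrapping it in a <plist> root element."""
    return plistlib.loads(b'<plist version="1.0">' + xml.strip() + b"</plist>")

def kext_decision(policy: dict, team_id: str, bundle_id: str) -> str:
    """Classify one kext against the Kernel Extensions keys described above."""
    if team_id in policy.get("AllowedTeamIdentifiers", []):
        return "allowed: whole team"
    if bundle_id in policy.get("AllowedKernelExtensions", {}).get(team_id, []):
        return "allowed: listed bundle"
    if policy.get("AllowUserOverrides") is True:
        return "not pre-approved: user may approve"
    return "denied"

def audit_kext_policy(policy: dict) -> list:
    """Flag settings that make the allow list broader than its bundle entries."""
    findings = []
    if policy.get("AllowUserOverrides") is True:
        findings.append("AllowUserOverrides: users can approve kexts outside the list")
    teams = set(policy.get("AllowedTeamIdentifiers", []))
    for team in sorted(teams & set(policy.get("AllowedKernelExtensions", {}))):
        findings.append(f"{team}: team-wide allow makes its bundle list redundant")
    return findings

# Same keys and values as the Kernel Extensions example on this page.
PAGE_KEXT_POLICY = b"""<dict>
    <key>AllowUserOverrides</key><true/>
    <key>AllowedTeamIdentifiers</key>
    <array><string>ABC123DEFG</string></array>
    <key>AllowedKernelExtensions</key>
    <dict>
        <key>ABC123DEFG</key>
        <array><string>com.example.legacy.driver</string></array>
    </dict>
</dict>"""

if __name__ == "__main__":
    policy = load_fragment(PAGE_KEXT_POLICY)
    # The unlisted bundle and the second team ID are constructed test values.
    print(kext_decision(policy, "ABC123DEFG", "com.example.other.kext"))
    print(kext_decision(policy, "ZZZ9999999", "com.example.other.kext"))
    print(audit_kext_policy(policy))
```

Run against the page's example, the unlisted bundle from team `ABC123DEFG` is still allowed, because that team also appears in `AllowedTeamIdentifiers`.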

Login Items

Login items are applications, background services, and scripts that launch automatically when a user logs in.

Managed Login Items

MDM can add, remove, or enforce login items on managed macOS devices.

| Key | Type | Description |
| --- | --- | --- |
| AutoLaunchedApplicationDictionary | Array | List of applications to launch at user login |
| Hide | Boolean | Hides the application window on launch |
| Path | String | Full file system path to the application |
| BundleIdentifier | String | Bundle identifier of the application |

Background Login Items

macOS also supports background login items (launch agents) that run without a visible UI.

| Key | Type | Description |
| --- | --- | --- |
| BackgroundLoginItems | Array | List of background services to start at login |
| BundleIdentifier | String | Bundle identifier of the background service |
| Hide | Boolean | Hides the service from the user |

Example

```xml
<dict>
    <key>AutoLaunchedApplicationDictionary</key>
    <array>
        <dict>
            <key>Hide</key>
            <false/>
            <key>Path</key>
            <string>/Applications/Microsoft Teams.app</string>
        </dict>
        <dict>
            <key>Hide</key>
            <true/>
            <key>Path</key>
            <string>/Applications/CompanyPortal.app</string>
        </dict>
    </array>
</dict>
```

Released under the MIT License