MacBook Restrictions Profile

IPASupport
New Contributor II

Would anyone be willing to share any profiles you've customized to restrict student devices from accessing certain areas of their MacBooks? We're hoping to see if there's anything specific we should be blocking and to hopefully make improvements to our management approach. 

Backstory:

The school did not have profiles in place, which allowed students unrestricted access to their devices for years. A few months ago, I implemented a profile with restrictions, and it has helped prevent students from altering several settings. However, we are still in the early stages (still learning Jamf) and are allowing access to certain features, such as: 

  1. Downloading Apps from anywhere (music department has an app that won't download if we restrict this to Apple and trusted developers) - potential workaround is to package the app and deploy via Jamf as an in-house app and then restrict app downloads again at the end of the school year. 
  2. Allowing all iCloud settings for managed Apple ID access (our Ed Tech is pushing for more collaborative work with Apple Apps and Cloud access). Issue: The students sometimes log in to their personal Apple IDs and don't log out when we collect the devices, so we're spending an extra few seconds resetting the device if it's a non-returning student. 

I would love to hear any ideas and methods others have implemented regarding restrictions at your school. I've attached some photos of the profile we are currently working to deploy with additional restrictions. Any advice is greatly appreciated!

3 REPLIES

CurtisA
New Contributor II

Aloha! Best practices can always be a challenge, as one school’s needs may differ drastically from another’s. I think you are off to a very good start with the settings you have in place, but I do see one minor change you can make:

Content Caching under Restrictions > Functionality. I'm going to assume (I know…dangerous) your users are Standard and not Admin, but even for Macs you may have in the field that do run as admin, I recommend disabling this (unchecking it). This will prevent users from enabling their device as a content caching server on your network. A content caching device caches Apple App Store and Software updates to be able to serve them to local devices also requesting that same content. And while I do recommend the use of a Content Caching device (at least one) on your network, your portable devices should not be one of those.

On your comment about Apple IDs (now referred to as Apple Accounts), there are many compelling reasons to use Managed Apple Accounts (Federation is the way to go here), but there is currently no way to enforce signing in with only a Managed Apple Account, and therefore it’s either allow any Apple Account, or no Apple Account.

I would ask a favor of you to provide that feedback to Apple, ideally through the Appleseed for IT program since that associates it to your organization and has the most impact.

There is a way, using some Smart Group logic, to lock a device into a signed-in Apple Account, so they can’t sign out later and then sign in with a personal account. Many schools help students get logged in with their Managed Apple Account, then lock the setting by unchecking the restriction profile option “Allow Modifying Account Settings” based on a Smart Group criterion of “iTunes Account signed in”.

I'm sure others here can provide some more suggestions. One last thing, Jamf School supports Bash scripts (without variables), so if there is something that isn’t readily apparent via a restriction profile, I’d poke around JamfNation to see if others have been able to achieve the end goal. An example of this may be allowing standard users to add printers (like one at their home).
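
As an added example (not code from this thread, from Jamf, or from Apple), here is the kind of parameter-free Bash script the reply above mentions, written as an audit you could run from Jamf School on a pilot group before tightening the profile. It reports the two things discussed in that reply: whether the Mac has been activated as a Content Caching server, and whether any Apple Account is signed in for the console user. Assumptions, since Apple does not document these formats: `AssetCacheManagerUtil status` prints its dictionary with an `Activated = 1;` line, a signed-in Apple Account appears as an `AccountID` entry in `~/Library/Preferences/MobileMeAccounts.plist`, and `AssetCacheManagerUtil deactivate` (run as root) turns caching off. The sample outputs embedded in the script are constructed so the parsing can be tried on any machine; verify the real output on one of your test Macs first.

```shell
#!/bin/bash
# Added example audit script (not from the thread). Takes no parameters,
# since Jamf School scripts do not support script variables.
# ASSUMPTIONS (verify on a test Mac): AssetCacheManagerUtil status prints
# "Activated = 1;" when this Mac is a caching server; MobileMeAccounts.plist
# lists signed-in Apple Accounts under AccountID; "deactivate" turns caching off.

REMEDIATE=0   # set to 1 to deactivate content caching when found (needs root)

# Echo 1 if the status text shows caching activated, else 0.
# Accepts both the dictionary spelling ("Activated = 1;") and a
# colon spelling ("Activated: true") in case the format differs.
content_cache_activated() {
    if printf '%s\n' "$1" | grep -Eq 'Activated *[=:] *(1|true)'; then
        echo 1
    else
        echo 0
    fi
}

# Print one AccountID per line from `defaults read ... Accounts` output.
apple_account_ids() {
    printf '%s\n' "$1" | sed -n 's/.*AccountID = "\([^"]*\)";.*/\1/p'
}

# Number of signed-in Apple Accounts (0 = nobody signed in).
apple_account_count() {
    apple_account_ids "$1" | awk 'END { print NR }'
}

# Constructed sample outputs, used when not running on macOS.
SAMPLE_STATUS='2025-03-12 12:04:00.000 AssetCacheManagerUtil[512:9001] Content caching status: {
    Activated = 1;
    Active = 1;
    CacheLimit = 0;
}'
SAMPLE_ACCOUNTS='(
        {
        AccountDescription = iCloud;
        AccountID = "student@example.org";
        LoggedIn = 1;
    }
)'

# Live data on macOS; constructed samples elsewhere.
collect_status() {
    if [ "$(uname)" = "Darwin" ] && command -v AssetCacheManagerUtil >/dev/null 2>&1; then
        AssetCacheManagerUtil status 2>&1   # status is logged to stderr
    else
        printf '%s\n' "$SAMPLE_STATUS"
    fi
}

collect_accounts() {
    local console_user plist
    if [ "$(uname)" = "Darwin" ]; then
        console_user=$(stat -f '%Su' /dev/console 2>/dev/null || echo "")
        plist="/Users/$console_user/Library/Preferences/MobileMeAccounts"
        if [ -n "$console_user" ] && [ -f "$plist.plist" ]; then
            defaults read "$plist" Accounts 2>/dev/null || echo "()"
            return
        fi
        echo "()"   # no console user or no plist: nobody signed in
        return
    fi
    printf '%s\n' "$SAMPLE_ACCOUNTS"
}

report() {
    local status accounts activated
    status=$(collect_status)
    accounts=$(collect_accounts)
    activated=$(content_cache_activated "$status")
    echo "content_caching_activated=$activated"
    echo "apple_accounts_signed_in=$(apple_account_count "$accounts")"
    apple_account_ids "$accounts" | sed 's/^/  account: /'
    if [ "$activated" = 1 ] && [ "$REMEDIATE" = 1 ] && [ "$(id -u)" = 0 ] \
        && command -v AssetCacheManagerUtil >/dev/null 2>&1; then
        AssetCacheManagerUtil deactivate   # assumed subcommand; see lead-in
    fi
}

report
```

Pair the audit with the profile change rather than relying on it alone: the restriction stops a standard user from turning caching on, while this script tells you which Macs already had it on before the profile landed (the profile does not undo an existing activation by itself), and gives you the "is anyone signed in" signal you would otherwise only see in the Smart Group.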

IPASupport
New Contributor II

Hi Curtis,

Thank you so much for the profile tips! Also, thanks for sharing the Compliance Editor link, we are very interested in exploring configurations based on compliances, so I appreciate you sharing this information with us. 

We've learned (from past experiences) to have at least four to five test devices in our IT playground, so we will definitely exercise caution on applying all vs piloting. 

I'll look into Appleseed for IT and submit some feedback for the Managed Apple Accounts. We're not opposed to having them at our school, but would love for there to be an easy option (managed accounts only) we can "check" off before device distribution. I love the workaround you and others have suggested - that may be the best approach for next school year. 

CurtisA
New Contributor II

I forgot to add one more thing...if you really want to dive down the rabbit hole, check out Jamf Compliance Editor. This is a free tool you can use to achieve CIS-level compliance on Macs (and iPads too). This is what large corporate and government organizations use to build custom profiles and scripts (many of which will work just fine in Jamf School) to bring their devices into compliance against a known set of industry-recognized benchmarks.

Now I'm NOT saying just go forth and apply all of it, as your users may actually revolt! But it can help you get a sense of what it means from an organizational perspective to be "compliant", and you may find a few nuggets that you can add to your deployment.