macOS Restrictions Configuration Profiles Best Practices

New Contributor II

Hello All,

I'm currently tweaking our company restrictions on macOS devices and was curious how others were going about this. I find the restrictions on the macOS side more difficult to sort out because of how it's set up, as opposed to the iOS side, which just lets you turn on one item for a restriction. Specifically iCloud restrictions, which in some cases I only want to restrict certain items for some and completely restrict for others. Same for software deferrals; since all these live in the functionality tab it makes it more difficult to separate. Unless I'm going about this the wrong way, I'd love to see if anyone has some suggestions or a workflow that has been working well for them. Thanks in advance, and please excuse this if it seems like a low-level inquiry.


Esteemed Contributor II

@JalteredM Until Jamf finally gets around to updating the GUI for creating a Restrictions payload you'd be better off looking at a tool like the iMazing Profile Editor which will generate profiles that only add the settings necessary for when you've modified a default. If you sign the profiles created by this tool before uploading to Jamf Pro it will ensure that the settings don't get modified to include ones you don't want configured.

Honored Contributor III

I make several Restrictions Configuration Profiles based on our needs. I set up smart groups to funnel devices into the correct Restrictions. Generally I have three: Low, Medium, and High (default). By and large all devices will fall into High unless something tells JAMF to do otherwise. There are a few one-offs for custom restrictions when needed by a specific business unit.


I do everything for restrictions in the JAMF Pro GUI.

The Restrictions Configuration Profiles I use:

  • Low - Used only for environment and business unit testing, highly restricted in terms of who can get it
    • iCloud not restricted, Apple IDs allowed
    • Only Apple Pay is blocked in System Preferences to confirm that function is working
    • Erase All Content and Settings allowed
    • Software updates: no deferral
  • Medium - Used only for troubleshooting, and all users have a SS policy that will drop them to this configuration for 1 hr.
    • iCloud restricted, Apple IDs allowed
    • Very few System Preference panes are blocked
    • Erase All Content and Settings blocked so people can't wipe their devices
    • Software updates: defer 7 days and upgrades 30 days
  • High - The Production Environment as a whole
    • iCloud totally restricted, no Apple IDs, nothing
    • Many System Preference panes blocked that we don't want people in
    • Erase All Content and Settings blocked so people can't wipe their devices
    • Software updates: defer 30 days and upgrades 90 days
  • There are of course a few one-off special restrictions for special use cases.

Beyond what I mentioned there are general restriction differences, but they are not really noteworthy. 



How I scope everything:

  • Every device is targeted by the High Restriction, unless one of the following is met.
  • If a device has a specific flag, which a policy sets by creating a file and an EA sees, it will be targeted by the Medium restriction.
    • There is a follow-up policy that checks for the existence of the flag and removes it, which will retarget the device for High.
  • Due to the nature of Low, I have that set up with an Extension Attribute and a Smart Group, so it must be set within JAMF.
  • The one-offs are usually set up by department and excluded from the other restrictions.
  • Devices targeted by one set of restrictions are excluded from all other restrictions so there are not any conflicts.

Once all this is set up it's really no maintenance. Let smart groups do all the scoping and everything happens automatically.




Every one of these exemptions would funnel you in to the scope of a different restriction.
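The flag-file mechanism described in the post above (a Self Service policy drops a flag, an Extension Attribute reports it, a follow-up policy clears it so the device falls back to High) can be written as three small shell pieces. The script below is an added illustration, not AJPinto's actual scripts or anything shipped by Jamf; the flag path, the 1 hour TTL and the function names are assumptions. It goes one step beyond the description by storing a timestamp in the flag, so the EA itself treats an expired flag as absent even if the cleanup policy has not run yet, and any malformed flag falls back to the most restrictive tier.

```shell
#!/bin/sh
# Constructed example of a tiered-restrictions flag workflow for Jamf Pro.
# Three pieces that Jamf would run as separate scripts:
#   1. set_medium_flag   - run by the Self Service policy: writes the flag file
#   2. restriction_tier  - the Extension Attribute: reports Medium or High
#   3. clear_stale_flags - the follow-up policy: removes an expired flag
# Assumed values; change them for your environment.
FLAG_FILE="${FLAG_FILE:-/Library/Application Support/ExampleCorp/restriction_medium.flag}"
TTL_SECONDS="${TTL_SECONDS:-3600}"   # 1 hour, matching the Self Service window in the post

# Policy script: record when the user requested the Medium tier.
# Epoch seconds are stored in the file so the age check needs no stat flags
# (stat syntax differs between macOS and Linux).
set_medium_flag() {
  flag="$1"
  mkdir -p "$(dirname "$flag")"
  date +%s > "$flag"
  chmod 644 "$flag"
}

# EA logic: prints "Medium" only if a flag exists, parses as a number and is
# younger than the TTL; anything else (missing, garbage, future-dated, expired)
# prints "High", the safe default tier.
restriction_tier() {
  flag="$1"; ttl="$2"
  [ -f "$flag" ] || { echo "High"; return 0; }
  stamp=$(tr -cd '0-9' < "$flag")          # strip anything that is not a digit
  [ -n "$stamp" ] || { echo "High"; return 0; }
  now=$(date +%s)
  age=$(( now - stamp ))
  if [ "$age" -ge 0 ] && [ "$age" -lt "$ttl" ]; then
    echo "Medium"
  else
    echo "High"
  fi
}

# Follow-up policy: delete the flag once it has expired so the smart group
# retargets the device for High at the next inventory update.
# Returns 0 when a flag was removed, 1 when there was nothing to do.
clear_stale_flags() {
  flag="$1"; ttl="$2"
  [ -f "$flag" ] || return 1
  if [ "$(restriction_tier "$flag" "$ttl")" = "High" ]; then
    rm -f "$flag"
    return 0
  fi
  return 1
}

# Extension Attribute entry point: Jamf reads the value between <result> tags.
ea_main() {
  echo "<result>$(restriction_tier "$FLAG_FILE" "$TTL_SECONDS")</result>"
}

ea_main
```

Wire it up as: the EA runs `ea_main`, a smart group with criterion "EA is Medium" scopes the Medium profile and is excluded from the High profile, the Self Service policy runs `set_medium_flag` followed by an inventory update, and a recurring policy runs `clear_stale_flags` plus an inventory update. Because the EA already reports High once the TTL passes, a device cannot sit in Medium longer than the window even if the cleanup policy is delayed.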



New Contributor II

@AJPinto and @sdagley 

Thanks for the info! This is great information. I also have a few levels set up for restrictions that are linked to smart groups, but I just haven't been happy with the workflow, so some of these suggestions will be really helpful. I also set up some extension attributes if I want to move a user to another level. The software update deferral was the one thing that has been a pain, because I have a lot of power users and if I need to run an update for a specific user while I'm on their machine troubleshooting, I then have to move their restriction level to do so. It would be great if the software update deferral was separate, and I have been too lazy to build a script for just that (lol). I'm going to check out iMazing as well as I reassess our restrictions.