Allowed/Blocked Apps

  • Block Safari if you want to force Chrome

Apple Remote Desktop (Sharing preference permissions)

  • Allow Remote Management for
    • Specific local users: your admin
  • All privileges
  • Uncheck Show status
  • Check Enable Remote Login


  • Could be useful to have opt-in calendars, but may need individual accounts

Chrome Management

  • Install, allow, block extensions
  • Recommend making an extensions whitelist so they can’t find VPNs

Chrome settings

  • Set as default
  • Force safe browsing doesn't seem to work
  • Disable guest mode, force sign-in
  • Can restrict to school-only accounts
  • Add managed bookmarks
  • YouTube: can filter down to specific channels or video (haven't tested)

Content Caching

  • Check it out for servers

Custom Commands

  • Might want to clean out what you have!


  • Can make a default dock
  • Merge with User’s Dock
  • Set restrictions as you like
  • Do not reinstall during assignment/login
  • Do not remove when assignment removed or during logout

Energy saver

  • For servers, enable wake on LAN and Start up on power failure
  • Choose the rest as you like

Firmware password

  • Might be useful to prevent students from changing admin password if they’re tricky enough

Kernel Extensions

  • Used to use these to allow app permissions but now it’s in Privacy

Local user

  • We had discussed at one point, but now I’d use enrollment profile

Login items

  • Can be used for network shares if you’re still using those (why?)
  • Alma QNAP for yearbook kids?
  • Apps too, if something is needed that’s not default

Login window

  • Show additional info (especially if you name your devices by user name like “Alex Wyatt’s MacBook”)
  • Message for support maybe
  • Show Other, remove admins (maybe)
  • Check out other options, I’d uncheck Log users out” and check Set computer name at least, maybe disable auto-login
  • Login/logout scripts
  • Options
    • Disable the pop-ups that happen the first login
    • Log out with inactivity
    • Guest user!!!


  • Does anyone set this up for users?
  • You can set everything, but I would skip password because everyone should be different

Multi-cert WiFi

  • Not recommended

Password policy

  • Not a bad idea, especially for older students

Rename devices

  • If you set the name at activation and prevent sharing, you don’t need too. otherwise, a good idea to set this and apply every day


  • Make sure to check every tab and decide if you want it applied, otherwise you may have defaults
  • Disabling Sharing prevents them from changing name, as well as settings like remote management (ARD/SSH) to prevent kids from hijacking each other)
  • Definitely check out Preferences and Functionality at least
  • I can help you make a forced desktop if you want

Security & Privacy

  • Security: your choice
  • Privacy: can only have a single profile per device, load it with Zoom, NWEA, Chrome, GDFS, and others as appropriate

Time Server

  • Seems to work now
  • Set timezone (prevents it from changing if the user travels, if that matters)

WiFi Authentication

  • Show advanced options> Set priority to 0, this should prevent "Public" even if they get it somehow


Install App

  • I recommend assigning by groups of users, not by app...otherwise you'll have TONS of separate profiles
  • Remember, you need VPP licenses even for free apps

Install Book

  • Not recommended, as book licenses cannot be recovered as app licenses can


  • Can lock down AirPlay to managed AppleTV devices
  • Can also require codes for those AppleTVs

Allowed/Blocked Apps

  • Whitelist/Blacklist
  • Blocked apps are still installed, just invisible


  • Could experiment with pushing school calendars

Google Account

  • If you capture the email properly, you can assign the usernames and prompt for password
  • Works for and other Google-authenticating apps

Home Layout

  • You can push some things to the front, everything else will fall behind
  • If you make an Allowed Apps profile, make sure to place every app you want!

Kiosk Mode

  • Useful if you have extra iPads you use for library catalogs or other single-use tasks
  • Maybe time clocks?
  • Ehall Pass?


  • Haven't tested but I think if you use Google Account you don't need this

Multi-Cert WiFi

  • Not recommended

Passcode Policies

  • Could be useful for older students

Rename Devices

  • You can set it to automatically reset every day...or just Restrict and make sure to set name on Activation


  • Go through the whole list
  • Ask Alex if you have questions

Web Clip

  • I do not recommend allowing users to set up their own...because then someone will need you to set it up and everyone will have duplicates, Restrictions will be set to prevent's a mess
  • Setting a Web Clip also means you can give it an icon if it doesn't have a special one, so it's easier to identify later
  • Web Clips are part of the Home Layout profile as well

Web filter

  • The built-in filter is not recommended
  • Used to set up Global Proxy like Securly

WiFi Authentication

  • Lock WiFi prevents users from using all other don't do it, because the devices won't connect anywhere but at school
  • Cannot set priority like Macs