Quick look: using Application & Custom Settings to restrict 2024 fall release features with Jamf Pro
Using a lighter touch to deploy restrictions for new OS features if your organization isn't ready for them yet.
Happy Septober, folks! macOS 15 and iOS 18 are right around the corner. I thought I'd very quickly show how you can use the Application & Custom Settings payload in Jamf Pro to deploy restrictions for some of the new functionality shipping with the new operating systems from Apple.
I spend quite a bit of summer prerelease season keeping up with new controls Apple makes available when new consumer features arrive in their platforms. I never want to prescribe how any organization should approach the support of new platform features; ideally, the technology arm of any organization will vet prerelease software and determine policy for supporting those features. Ensuring basic familiarity with what's coming, and with the options available to best mitigate potential risks around consumer features in an enterprise setting, involves an understanding of how to implement limitations or restrictions to control those features. If an org needs to pull that lever, you want to know where the lever is and have proof of how well that lever works.
Take, for example, iPhone Mirroring. Again, while I'm not here to tell anyone that it should automatically be restricted at an organization, I do think it's helpful to know how best to restrict that feature based on controls Apple has provided. Ahead of the release of macOS Sequoia and iOS 18, Apple's MDM spec has been updated to include a handful of controls including:
- allowGenmoji
- allowImagePlayground
- allowiPhoneMirroring
- allowPersonalizedHandwritingResults
- allowVideoConferencingRemoteControl
- allowWritingTools
As of Jamf Pro version 11.9, most of these controls are available as Restriction payloads in configuration profile deployments. On macOS, that Restrictions payload is a place to tread lightly, because that payload contains a massive number of controls, and anything unspecified is applied in the restricted state and cannot be modified by the end user. So for something like, say, allowiPhoneMirroring, you may want to use an Application & Custom Settings payload for macOS to deploy the setting rather than touching the Restrictions payload.
To do this, create a new macOS configuration profile and enter the following into an Application & Custom Settings upload tab:
Preference domain: com.apple.applicationaccess
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>allowiPhoneMirroring</key>
    <false/>
</dict>
</plist>
Ensure the scope is to computers running macOS 15 or greater.
On the iOS side of the house, the restriction is a bit simpler to work with: just create a new configuration profile with the iPhone Mirroring restriction enabled in the Restricted setting and deploy to iOS devices running iOS 18 or greater.
On macOS 15 the restriction message is the same regardless of whether the restriction itself is applied on the managed device or managed computer. Once the operating systems are general release, I'll update this post with a screenshot of what that notification message looks like.
Applying the other available restrictions should be comparable to the methods above. Ensure that you test thoroughly before making any deployments.
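As an added example (not from the original post, Jamf or Apple), this Python script builds the plist for an Application & Custom Settings upload from any subset of the keys listed above, and lints a plist before upload to catch miscased keys and non-boolean values. It assumes each key takes a boolean in com.apple.applicationaccess the way allowiPhoneMirroring does; the function names are hypothetical, and per-platform support for each key is not checked.

```python
import plistlib

# Restriction keys named on this page; key names are case-sensitive.
KNOWN_KEYS = {
    "allowGenmoji",
    "allowImagePlayground",
    "allowiPhoneMirroring",
    "allowPersonalizedHandwritingResults",
    "allowVideoConferencingRemoteControl",
    "allowWritingTools",
}


def build_settings_plist(restricted_keys):
    """Return XML plist bytes that set each listed key to false."""
    unknown = sorted(set(restricted_keys) - KNOWN_KEYS)
    if unknown:
        raise ValueError(f"unrecognized restriction key(s): {unknown}")
    payload = {key: False for key in restricted_keys}
    return plistlib.dumps(payload, fmt=plistlib.FMT_XML, sort_keys=True)


def lint_settings_plist(data):
    """Return a list of problems found in plist bytes before upload."""
    try:
        payload = plistlib.loads(data)
    except Exception as exc:  # malformed XML or not a plist at all
        return [f"not a valid plist: {exc}"]
    if not isinstance(payload, dict):
        return ["top-level object must be a <dict>"]
    problems = []
    for key, value in payload.items():
        if key not in KNOWN_KEYS:
            problems.append(f"{key}: not a listed key (check spelling and case)")
        elif not isinstance(value, bool):
            problems.append(f"{key}: expected <true/> or <false/>, got {type(value).__name__}")
    return problems


if __name__ == "__main__":
    print(build_settings_plist(["allowiPhoneMirroring", "allowWritingTools"]).decode())
    # Constructed bad input: wrong case in one key, a string instead of a boolean.
    bad = plistlib.dumps({"allowIPhoneMirroring": False, "allowGenmoji": "false"})
    for problem in lint_settings_plist(bad):
        print("PROBLEM:", problem)
```
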
Happy release day!