Issue/Question
What Profiles have been configured by ITS on my WKU-owned Mac?
Resolution
Settings Listed in the Profiles Pane
To see what profiles are assigned to a Mac:
macOS 13 Ventura
- Click (Apple menu).
- Select System Settings ... .
- Click Privacy & Security.
- Click Profiles.
macOS 12 Monterey and Prior
- Click (Apple menu).
- Select System Preferences ... .
- Click Profiles.
The default setup for WKU Employee Macs contain these Profiles:
The Sharing section allows for multiple settings that make your Mac accessible from another computer. Though convenient in a personal environment, enabling any of the features in an enterprise environment increases the risk of a malicious attack. It is an enterprise security best practice to disable these settings.
This feature allows a user the convenience of using their WKU account password for logging into their computer, or to set a separate password.
macOS Ventura introduced a feature that gives users more control over what apps load at startup, which can be found in System Preferences > General > Login Items. There are a few items WKU ITS requires to be loaded to ensure the computer interacts with our environment properly:
- com.github.grahampugh: script that displays a message when a system update needs to install
- com.github.munkireport.runner: connection to WKU's Mac inventory database, ensuring the computer's hardware information is accurate and operating properly
- com.google: Chrome browser
- com.secondsonconulting.renew: script that displays a reminder to restart periodically
- Cisco AnyConnect Secure Mobility Client (Team Identifier: DE8Y96K9QP): VPN connection to WKU's network when working remotely
- Microsoft products (Team Identifier: UBF8T346G9; com.microsoft): OneDrive for cloud storage
- Mosyle: connection to WKU's device management (MDM) provider, ensuring the computer can communicate to the MDM
- SAP (Team Identifier: 7R5ZEU67FQ; corp.sap.privileges.helper): ensures the Privileges app can elevate a standard user to admin when requested
- Support (Team Identifier: 98LJ4XBGYK): an app that loads at login in the Apple bar that provides computer information and links to WKU ITS services
This will display a reminder to restart the computer, if it has not been restarted/shutdown for 15 days.
This customizes the Support app in the Apple bar to link to WKU ITS support.
In the event any Adobe product is installed, or gets installed, this ensures that they can access any needed files and folders to work properly.
BeyondTrust is the software leveraged for Remote Assistance when contacting WKU ITS. This setting ensures it will allow the support technician to see, share, and interact with your computer.
This ensures that the Chrome browser can access any needed files and folders to work properly.
In the event the DropBox app is installed, this ensures that it can access any needed files and folders to work properly.
This grants the OneDrive app access to all files on the computer.
This setting:
- allows apps to be installed from the Mac App Store, as well as apps downloaded from the internet--as long as the app was created by a developer verified by Apple.
- requires authentication to unlock/wake the computer.
- allows unlocking the computer with an Apple watch
- allows you to change the computer account password
- enables FileVault for disk encryption
- enabled the built-in Firewall
This customizes the Login Window to display information about the computer and lets you click your computer account instead of typing in the account username.
This ensures our device management system can perform background tasks, e.g. syncing information/settings between it and the computer.
This allows the SwiftDialog app to use system notifications for displaying messages.
Cisco AnyConnect is the software used for connecting to WKU's network while working remotely. This setting ensures it can access any needed files and folders to work properly.
This setting makes internal, external, and connected network drives appear on the desktop by default.
Other Profiles
These items may appear in the Profiles pane, depending on how and when the computer was setup:
Binds macOS devices to our local Active Directory server, allowing users with a NetID to log into the machine without an account being created for them beforehand. Requires the machine to be on a wired connection on WKU’s network. Intended for multi-user scenarios, as binding is no longer recommended by Apple for 1:1 assignments.
Defines that apps can be installed from the Mac App Store and from internet sources; requires password prompt once the computer sleeps or starts the screen save; enables the computer’s firewall; intended for scenarios where a machine is used by multiple people.
The login screen includes a “Guest User” option; intended for computers used by departments that provide temporary computer access.
The login screen shows text field prompts for username and password; if the computer is on WKU’s network with a wired connection, a person can enter their NetID and password to gain access to the computer; intended for student worker computers and other scenarios where a machine is used by multiple people.
Prevents accessing multiple sections of System Preferences/System Settings on TopperTech Loaner machines.
Other Settings Configured by WKU ITS
These items do not appear in the Profiles pane, but are enforced on WKU-owned Macs:
Prevents accessing Recovery Mode on Apple Silicon Macs without approval from ITS.
Prevents accessing the Erase All Content and Settings function in System Preferences/System Settings without approval from ITS.
Macs that have not been recently setup by WKU ITS may have different profiles, if any, than what is listed above. If you are uncertain of the authenticity of a profile or would like information on what settings it controls, please contact the
ITS Service Desk.