Issue/Question
What Profiles have been configured by ITS on my WKU-owned Mac?
Resolution
Settings Listed in the Profiles Pane
To see what profiles are assigned to a Mac:
macOS 15 Sequoia and newer
- Click (Apple menu).
- Select General.
- Click Device Management.
macOS 13 Ventura and macOS 14 Sonoma
- Click (Apple menu).
- Select System Settings ... .
- Click Privacy & Security.
- Click Profiles.
The default setup for WKU Employee Macs contain these Profiles:
The Migration Assistant app is pre-loaded by Apple and intended for personal setups, allowing a user to copy content, including system settings, from an old Mac to a new one. In an Enterprise environment, this can cause unexpected and undesired behavior. As such, managed Macs have been configured to prevent the app from opening.
The Sharing section allows for multiple settings that make your Mac accessible from another computer. Though convenient in a personal environment, enabling any of the features in an enterprise environment increases the risk of a malicious attack. It is an enterprise security best practice to disable these settings.
This feature allows a user the convenience of using their WKU account password for logging into their computer, or to set a separate password.
macOS Ventura introduced a feature that gives users more control over what apps load at startup, which can be found in System Preferences > General > Login Items. There are a few items WKU ITS requires to be loaded to ensure the computer interacts with our environment properly:
- Addigy, Inc: utility that ensures a Mac stays in contact with our MDM
- bash (com.github.grahampugh): script that displays a message when a system update needs to install
- Cisco, Cisco Secure Client (Team Identifier: DE8Y96K9QP): VPN connection to WKU's network when working remotely
- Google Updater: utility that ensures the Chrome browser stays up-to-date
- Microsoft AutoUpdate, Microsoft Corporation, Microsoft Office Licensing, Microsoft OneDrive, Microsoft Teams (Team Identifier: UBF8T346G9; com.microsoft): ensure the Office suite, OneDrive, and Edge browser stay up-to-date
- Mosyle Corporation: connection to WKU's device management (MDM) provider, ensuring the computer can communicate to the MDM
- Renew.sh: script that displays a reminder to restart periodically
- SAP SE (Team Identifier: 7R5ZEU67FQ; corp.sap.privileges.helper): ensures the Privileges app can elevate a standard user to admin when requested
- Support (Team Identifier: 98LJ4XBGYK): an app that loads at login in the Apple bar that provides computer information and links to WKU ITS services
- zsh (edu.wku.aap): script that checks for and applies updates for apps installed on the computer
Prevents accessing the Erase All Content and Settings function in System Preferences/System Settings without approval from ITS.
This will display a reminder to restart the computer, if it has not been restarted/shutdown for 15 days.
This customizes the Support app in the Apple bar to link to WKU ITS support.
In the event any Adobe product is installed, or gets installed, this ensures that they can access any needed files and folders to work properly.
BeyondTrust is the software leveraged for Remote Assistance when contacting WKU ITS. This setting ensures it will allow the support technician to see, share, and interact with your computer.
This ensures that the Chrome browser can access any needed files and folders to work properly.
In the event the DropBox app is installed, this ensures that it can access any needed files and folders to work properly.
This grants the OneDrive app access to all files on the computer.
This setting:
- allows apps to be installed from the Mac App Store, as well as apps downloaded from the internet--as long as the app was created by a developer verified by Apple.
- requires authentication to unlock/wake the computer.
- allows unlocking the computer with an Apple watch
- allows you to change the computer account password
- enables FileVault for disk encryption
- enabled the built-in Firewall
This customizes the Login Window to display information about the computer and lets you click your computer account instead of typing in the account username.
These ensure our device management system can perform background tasks, e.g. syncing information/settings between it and the computer, and display messages when interaction is needed.
Displays a periodic reminder when an account has administrator rights to return to standard rights.
This allows the SwiftDialog app to use system notifications for displaying messages.
This periodically runs the AppAutoPatch script that checks for and applies updates to apps installed on the computer.
Cisco Secure Client is the software used for connecting to WKU's network while working remotely. This setting ensures it can access any needed files and folders to work properly.
This setting makes internal, external, and connected network drives appear on the desktop by default.
Ensures our management system is able to interact properly with devices.
These settings ensure the computer's firewall is turned on, GateKeeper is enabled, and XProtect stays updated.
Other Profiles
These items may appear in the Profiles pane, depending on how and when the computer was setup:
Binds macOS devices to our local Active Directory server, allowing users with a NetID to log into the machine without an account being created for them beforehand. Requires the machine to be on a wired connection on WKU’s network. Intended for multi-user scenarios, as binding is no longer recommended by Apple for 1:1 assignments.
Defines that apps can be installed from the Mac App Store and from internet sources; requires password prompt once the computer sleeps or starts the screen save; enables the computer’s firewall; intended for scenarios where a machine is used by multiple people.
The login screen includes a “Guest User” option; intended for computers used by departments that provide temporary computer access.
The login screen shows text field prompts for username and password; if the computer is on WKU’s network with a wired connection, a person can enter their NetID and password to gain access to the computer; intended for student worker computers and other scenarios where a machine is used by multiple people.
Prevents accessing multiple sections of System Preferences/System Settings on TopperTech Loaner machines.
Other Settings Configured by WKU ITS
These items do not appear in the Profiles pane, but are enforced on WKU-owned Macs:
Prevents accessing Recovery Mode on Apple Silicon Macs without approval from ITS.
Macs that have not been recently setup by WKU ITS may have different profiles, if any, than what is listed above. If you are uncertain of the authenticity of a profile or would like information on what settings it controls, please contact the
ITS Service Desk.